Field Notice: FN74246 - Cisco BroadWorks, Secure Shell (SSH) Clients, and Secure File Transfer Protocol (SFTP) Clients Will Fail to Connect to SSH Servers After Upgrade - Software Upgrade Recommended

Available Languages

Updated:March 5, 2025

Document ID:FN74246

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

High

Impact Rating:

High

First Published:

2025-Mar-05

Last Published:

2025-Mar-05

Revision:

1.0

Cisco Bug IDs:

CSCwn59843

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

Affected Software Product	Affected Release	Affected Release Number	Comments
Base Software	RI.2024	RI.2024.01, RI.2024.02, RI.2024.03, RI.2024.04, RI.2024.05, RI.2024.06, RI.2024.07, RI.2024.08, RI.2024.09, RI.2024.10, RI.2024.11, RI.2024.12	This Field Notice affects the following applications: BroadWorks Application Server (AS), BroadWorks Execution Server (ES), BroadWorks Media Server (MS), BroadWorks Network Function Manager (NFM), BroadWorks Profile Server (PS)

Defect Information

Defect ID	Headline
CSCwn59843	SSH clients and SFTP will fail to connect to SSH servers after upgrade

Problem Description

When upgrading Cisco BroadWorks servers to releases RI2024.01 to 2024.12, some clients fail to connect to SSH servers if they are configured to use diffie-hellman-group-exchange-sha1 or diffie-hellman-group-exchange-sha256 key exchange algorithms with a diffie-hellman key size that is not a multiple of 64.

This affects the following groups of clients:

SFTP clients that are used to push Call Detail Records (CDRs) to remote SFTP servers
SFTP clients that are used to generate Simple Network Management Protocol (SNMP) reports
SFTP clients that are used to push device management files
SSH clients that are used in the software controller and node controller on the Network Function Manager (NFM) that manages Cisco BroadWorks servers
SSH clients that are used in enterprise migration to push files to a new server.

Note: These services are only impacted when trying to connect to servers that use diffie-hellman-group-exchange-sha1 or diffie-hellman-group-exchange-sha256 key exchange algorithms with a diffie-hellman key size that is not a multiple of 64.

Background

Cisco determined that the /etc/ssh/moduli file that specifies the moduli used for the diffie-hellman group exchange algorithms may be configured on Cisco BroadWorks nodes without a key size that is a multiple of 64.

Problem Symptom

Cisco BroadWorks customers may experience issues when running CDR reports, SNMP reports, pushing device management files, or pushing files to new BroadWorks servers. Enterprise migrations may fail when attempting to push a file, the node controller might fail to execute the BIND command, and the software controller might fail to apply patches.

The ApacheMinaSshdLog input channel logs may display an error message as shown in the following example:

InvalidAlgorithmParameterException[DH key size must be multiple of 64, and can only range from 512 to 8192 (inclusive). The specific key size 2070 is not supported]

Workaround/Solution

Solution

To resolve this issue, customers must upgrade all Cisco BroadWorks nodes (AS, NS, MS, XS, PS, and NFM servers) to Cisco BroadWorks Release RI.2025.01, which disables diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256.

Workaround

There is no workaround for this issue.

How to Identify Affected Products

To determine if a Cisco BroadWorks node is affected, use an OpenSSH client and connect to each BroadWorks node. Once connected to the Cisco BroadWorks node, inspect the /etc/ssh/moduli file. This file specifies the moduli used for the diffie-hellman group exchange algorithms. The Size column contains a number that corresponds to the diffie-hellman key size minus one. For example, if an entry in /etc/ssh/moduli has a size of 2047, then the key size is 2048, which is a multiple of 64. If any of these entries +1 is not a multiple of 64, then Cisco BroadWorks SFTP and SSH clients might fail to connect to this server if diffie-hellman-group-exchange-sha1 or diffie-hellman-group-exchange-sha256 are negotiated as key-exchange algorithms.

Revision History

Version	Description	Section	Date
1.0	Initial Release	—	2025-MAR-05

For More Information

For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:

Receive Email Notification About New Field Notices

To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)