ASA Connection Error: ‘The First Key-Exchange Algorithm’

KB ID 0001476

Problem

When attempting to connect to a Cisco ASA firewall via SSH you see the following error;

SSH Error Diffie Hellman Group 1

The first key-exchange algorithm supported by the server is diffie-hellman-group1-sha1, which is below the configured warning threshold.
Do you want to continue with this connection?

Clicking ‘Yes’ will let you connect.

Solution

When connected, execute the following commands;

conf t

ssh key-exchange group dh-group14-sha1

write mem

Fix SSH Error Diffie Hellman Group 1

Problem solved.

Related Articles, References, Credits, or External Links

How Diffie Hellman Works

Author: PeteLong

Share This Post On

6 Comments

  1. You may want to edit this article – the command in the grey field is wrong, but what you have in the putty screenshot is correct

    Post a Reply
    • Ah Typo! Thanks Peter – fixed!

      Post a Reply
  2. I am planning to change “ssh key-exchange group dh-group14-sha1” to “ssh key-exchange group dh-group1-sha1” in the production environment.

    Is there a chance that i may loose connectivity and can not get in remotely ?

    Post a Reply
    • If you concerned open an ASDM connection then execute the command.

      Post a Reply
  3. I’m on a text lab and this is the error message that I have received after configuring the RSA key at 2048 MODULUS.
    This new error message, do we know what causes it? And, what does the line fix really do? Sounds to me like it’s an antidote, but not sure what the illness is.

    Post a Reply
    • Is this a cert secured Tunnel? If so it looks like at least one end cant understand the cert signing algorithm? If so, use the search above, I had a similar problem a few years ago.

      Post a Reply

Leave a Reply to Jose Cardona Cancel reply

Your email address will not be published. Required fields are marked *