Meraki Community

UPDATE:

After upgrading my 9300 to 17.6.5 I had issues with DMI and netconf

Apr 26 05:42:49.816: %DMI-5-SYNC_START: Switch 1 R0/0: dmiauthd: Synchronization of the running configuration to the NETCONF running data store has started.

Apr 26 05:43:02.472: %DMI-3-SYNC_ERR: Switch 1 R0/0: dmiauthd: An attempt to synchronize the running configuration to the NETCONF running data store has failed:

Apr 26 05:43:02.472: %DMI-3-DMI_DEGRADED: Switch 1 R0/0: dmiauthd: The dmi infra is operating in degraded mode. Most synchronizations from IOS to NETCONF datastore will not be performed



CORE(config)#do show platform software yang process state

Confd Status: Started

Process Status State

----------------------------------------------------------

nesd Running Active

syncfd Running Active (degraded)

I opened a case with meraki support and they suggested that I remove my descrimanator.

It solved the netconf error. But now my logs are filled with the Deprecation warning message again.
Any other solution ? Any idea when meraki will stop using ssh-rsa ?

Thanks,

Hello, I have got the same messages, but to supress this messages is not really an solution, isn´t it?

Hello everyone! Hope you're doing great!

I noticed a number of cases in Support and some customers referring to this log suppression workaround solution.

The root cause for this notice in syslog and console logging is just a reminder that SSH with RSA Public Key algorithm will be deprecated therefore, the network administrator should be aware. This is explained here in this Cisco doc [1]

Having this in mind, @redsector has a good point: just suppressing the messages it's not much of a solution. However, the fix could cause other compatibility issues when authenticating users/systems that can't use another algorithm.

That's why we never recommend changing your public key algorithm configs. If you're curious, you can find more details here in this other Cisco doc (valid for other IOS XE releases) [2].

Having said that, you may want to do it at your own risk.

Solution: change the publickey algorithm settings

Step 1. check if you have x509v3-ssh-rsa 

Switch#sh run | inc ip ssh

ip ssh version 2

ip ssh server algorithm authentication publickey password keyboard

ip ssh server algorithm publickey x509v3-ssh-rsa

Step 2. enter config mode and remove public key x509v3-ssh-rsa

Switch#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#default ip ssh server algorithm publickey

Switch(config)#end

Once more: <disclaimer> Asses your public keys and users/systems before doing this. Use this at your own risk. It's safer and easier to implement log suppression workaround solution </disclaimer>.

Workaround: suppress just that kind of message

Switch#config-transaction

admin connected from 127.0.0.1 using console on Router

Switch(config)#logging discriminator DROP-ME msg-body drops meraki-user|Public-key

Switch(config)#end

More about the suppression syntax can be found here [3]. If this syntax doesn't work well for you, try building your own until you find one that works fine. Small syntax variance is common.

Hope this information is useful. And again, we recommend implementing the workaround since it's more compatible. Change public key settings at your own risk.

Reference:

[1] https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/17_xe/syslogs/17-5-x/b-system-message-guide-router...

[2] https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/xe-3s/sec-usr-ssh-xe-3s-...

[3] https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/esm/command/esm-cr-book/esm-cr-a1.html#wp188878744...