SSH communication

After upgrading the Biamp audio processor system, I was unable to establish SSH communication with the nx3200-c controller. I used PuTTY to test the SSH connection of the Biamp and found it to be normal. I have upgraded the controller to the latest version (master 1.8.183; device 1.1.50). The controller will prompt:

Line 170 2024-05-14 (11:10:42):: CIpSocketManager:: acceptedSocketConnection (ssh) - failed to handshake;
Line 177 2024-05-14 (11:12:06):/usr/sbin/rsyslogd integrity validated Hashes match: 35aff7109e5ce35b3b03702cdf5eeefb7e260a6c890ad76d1f2fb14b1c88216

I have tried to set the user password for the Biamp audio processor to log in, but still receive an error message. Is this issue due to the higher level of SSH encryption in the upgraded version of Biamp and the lower level of SSH encryption in the AMX controller, resulting in handshake issues? Is there any solution to this problem? Can using Duet solve the problem?

Comments

  • I saw something similar with the new SVSI N2600 series when secure control is activated. The N2600 manual states that SSH is required, but I couldn't connect and got a similar message.

    Later it was found that the manual is confusing: as with the other SVSI units, secure control is still done by TLS.

    With the N2600, the connection is TLS_CLIENT_OPEN() with the last parameter set to "1", to ignore certificate errors (in that case, because the certificates are self-signed).

  • ych Posts: 46

    I understand what you mean. If there is a handshake error prompt, I should use the TLS open API interface. Is it possible? If I continue to use the SSH open API and use a key to connect, have you tested this method?

  • KielL Posts: 35

    I could not get SSH key exchange to work with Tesira so had to give up and fall back to Telnet. I also tested with a Linux server so I could verify the key exchange works with PuTTY but fails from the NX-2200. On the server end it says "Unable to negotiate...no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]" when the NX-2200 tries to connect. The only key I have listed in authorized_keys on the server is an ssh-rsa key.

    I don't know if PuTTYgen is exporting the key into a format the NX-2200 can use, but I'm trying the "Export OpenSSH key" option from the Conversions menu. NetLinx Studio says it loads fine to the NX-2200 in Certificate Manager. We moved the Tesira off the customer network and onto the ICS LAN network so having Telnet open isn't so much of an issue anymore.

    I haven't touched any Muse controllers yet, but I imagine modern SSH works fine on those. But then I wouldn't be writing NetLinx code anyway...

  • ych Posts: 46

    Later on, I also used Telnet to control the Biamp. I used Java to test SSH connections and it was normal. If I used Duet to build JAR packages, it should be feasible because official modules use this method!

  • tombadger Posts: 22

    In Biamp Tesira 4.7.2 firmware, the SSH library has been updated to a newer version.
    As per release notes: "Updated SSH and HTTPS security to remove deprecated ciphers. Ensure a connected device is running a compatible SSH implementation before proceeding with the update. The up to date SSH version can be obtained via Device Information, License Information in Tesira Device Maintenance."

    Newer encryption methods are not supported by the NetLinx SSH client, while the ones supported by NetLinx are now deprecated on the Tesira side.

  • KielL Posts: 35

    Good catch, tombadger! I'm pretty sure I wrote my module when the TesiraFORTE X was released, so that was probably before they removed the older ciphers. No serial port on the FORTE X unfortunately.

    Telnet works fine as long as I keep the equipment off the customer network.

  • From the current NX master firmware v1.8.183:
    NX master firmware v1.8.161 - Upgraded openssh to version OpenSSH_9.3p2

    There is also a new version in progress that supports TLSv1.3

    And just to note: the v1.6 branch will no longer be developed.

  • blauvel Posts: 1
    edited October 2024

    Start by investigating the SSH cipher precision bearings compatibility between the Biamp processor and the nx3200-c controller.

  • Hello everybody, I have a similar problem with Polycom just now. I developed a module in 2021 for communication with Polycom by SSH without a private key:
    SSH_CLIENT_OPEN(dvUNIT.Port, IP_ADDRESS, IP_PORT, SSH_USERNAME, SSH_PASSWORD, '/certs/id_rsa', '')
    - please note, that I did not load any certificate into NX master, I took "/certs/id_rsa" part of SSH_CLIENT_OPEN command from some example here on a forum.
    Everything was working until these days. Now I'm getting only handshake error:
    CIpSocketManager:: acceptedSocketConnection (ssh) - failed to handshake;
    while PuTTY SSH is still working to the same Polycom - the truth is that I had to update PuTTY to the latest version. Before that (with the older PuTTY version) I was receiving this error message:
    Couldn't agree a host key algorithm (available: rsa-sha2-256)

    I know that Polycom has automatic updates set, so maybe there was some update which also removed some old SSH methods. But now I cannot get it to work.
    I do not know how to get some private key from Polycom or how to upload my own (public) certificate to Polycom, or if it is even possible.

    Do you have any idea for me how to get it to work?
    Used AMX systems (several NX systems, several Polycoms):
    00000 NX-2200 Master v1.6.179, 05001 NX-2200 v1.1.48 (old NX unit, SSH was working, now it is not)
    00000 NX-1200 Master v1.8.190, 05001 NX-1200 v1.1.48 (new NX unit, SSH was never working)

    Thanks for any suggestions!
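
The two error strings quoted in this thread (the server log "no matching host key type found. Their offer: ssh-rsa,ssh-dss" in KielL's post and PuTTY's "Couldn't agree a host key algorithm (available: rsa-sha2-256)" in the post above) both come from the algorithm negotiation step of the SSH key exchange. The following is an added example, not code from any poster or from AMX: a sketch of that negotiation over two KEXINIT payloads, where only the host key lists are taken from those messages and every other algorithm name, and the pairing of the two lists, is an assumption for illustration.

```python
import struct

# Order of the name-lists inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(lists):
    """Encode a KEXINIT payload; used here only to construct sample input."""
    out = bytes([20]) + bytes(16)                  # message type 20 + cookie
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)    # follows flag + reserved

def parse_kexinit(payload):
    """Decode the ten name-lists of a KEXINIT payload into a dict."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        pos += n
    return lists

def negotiate(client, server):
    """First client-preferred name the server also lists, per category (simplified)."""
    return {name: next((a for a in client[name] if a in server[name]), None)
            for name in FIELDS[:8]}   # language lists are skipped

def failed_categories(client, server):
    """Categories with no common algorithm, i.e. why the handshake fails."""
    return [k for k, v in negotiate(client, server).items() if v is None]

# Constructed sample: only the two host-key lists are taken from the error
# messages quoted in the thread; all other names are assumed for illustration.
COMMON = {"kex": ["diffie-hellman-group14-sha256"], "comp_c2s": ["none"],
          "comp_s2c": ["none"], "enc_c2s": ["aes256-ctr"], "enc_s2c": ["aes256-ctr"],
          "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"]}
CLIENT = parse_kexinit(build_kexinit({**COMMON, "host_key": ["ssh-rsa", "ssh-dss"]}))
SERVER = parse_kexinit(build_kexinit({**COMMON, "host_key": ["rsa-sha2-256"]}))
if __name__ == "__main__":
    print("no common algorithm for:", failed_categories(CLIENT, SERVER))
```

With an OpenSSH client on a test machine, `ssh -vv` prints both sides' proposals for each of these categories, which gives the real lists to compare.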

  • Marc Scheibein Posts: 896
    edited December 2024

    Firmware v1.6 only supports TLSv1.1, this may be the cause why it no longer works.

    Firmware v1.8 can do TLS1.2
    you may try the 1.8.196 hotfix, it includes an SSH fix.
    https://help.harmanpro.com/nx-master

  • Marc, thanks for the suggestion, I will try it.
    But I have some questions about upgrade - there is this note: When upgrading from 1.3.106 or earlier, you must first upgrade to 1.4.90.
    I have these systems:
    00000 NX-2200 Master v1.6.179, 05001 NX-2200 v1.1.48
    00000 NX-1200 Master v1.8.190, 05001 NX-1200 v1.1.48
    So I have to upgrade both 5001 devices from v1.1.48 to 1.4.90 (SW2106_NX-X200_Master_v1_4_90 ) first and after that I can upgrade 00000 devices (controllers) to 1.8.196 (SW2106_NX-X200_Controller_v1_8_196)?
    Am I correct?

  • To be precise, here is screenshot:

  • No, device 5001 is an individual firmware, no update required for it.

    The note relates to the master firmware itself, the device 0. As you are already on v1.8, you can load the hotfix directly.

  • romancervenan Posts: 14
    edited January 2

    So I tried, but did not help - still receiving failed handshake. So, I tried also 5001 firmware v1.4.90 (from v1.1.48 to 1.4.90 - SW2106_NX-X200_Master_v1_4_90) - and unfortunately NX-2200 master became unresponsive (ping is working, but NS can not connect to it, neither telnet or web UI). What could be wrong? I'm a little bit afraid of restarting manually - what do you recommend - is manually restart only option, or is better to wait more time?

  • @romancervenan said:
    So I tried, but did not help - still receiving failed handshake. So, I tried also 5001 firmware v1.4.90 (from v1.1.48 to 1.4.90 - SW2106_NX-X200_Master_v1_4_90) - and now NX-2200 master becomes unresponsive (ping is working, but NS can not connect to it, neither telnet or web UI). What could be wrong? I'm a little bit afraid of restarting manually - what do you recommend - is manually restart only option, or is better to wait more time?

    I'm confused, as it should not be possible to load firmware designed for the NX master (device 0) to the NX device 5001... This should report a firmware ID mismatch in Studio...

    I would give the unit some more time (e.g. 1 hour) so that it can maybe recover itself. If after this time it is still unresponsive, I would reboot it by power cycle, and give it again about 20 minutes to recover.

    If still not working again, we may have to try to reset to factory firmware, which can be done with the "ID" button.
    The procedure from the manual based on blink pattern is a little tricky, I did it with

    • Remove power
    • Push and hold the ID button
    • Connect power
    • Hold the ID button until the NX reboots on its own, then release the button.

    This should bring back the NX on factory firmware and factory settings.

    If the NX at this point is back, connect to it and check the online tree if the unit reports as a NX-2200 with a device 0 and a device 5001.

    If the unit does not come back at all, or the device 5001 will not come online, the unit may have to be sent to repair as the device 5001 firmware got damaged.

  • Thanks for the suggestion, we will try to restart it manually after 1 more hour waiting.
    Just explanation to upgrade which I did:
    Firstly - I selected device 0 and sent SW2106_NX-X200_Controller_v1_8_196 there - after reboot I tried SSH to Polycom - without success
    Secondly - I selected device 5001 and sent SW2106_NX-X200_Master_v1_4_90 there - upload was successful, but from that moment NX unit is not reachable...

  • OK, restart helped - thank you!

    Now we have this status:
    00000 NX-2200 Master v1.8.196
    05001 NX-2200 v1.1.48

    So, FW update of device 0 was successful, update of device 5001 failed.
    SSH is still not working.

    Any other suggestion?

  • I gave a try... had USB terminal open with "msg on all"

    loaded master fw 1.4.90 to device 5001 by http
    Transfer is successful, but after a few seconds, in terminal I get messages

    (0001179705) CICSPTCP Rx connection to ::ffff:10.68.5.111 (socket=90, idx=1)has been closed locally or by peer, byteRead=0, errno=0
    (0001179708) Entry 106:32001 sid=1 not found for termination
    (0001179723) CIPConnectionManager::ProcessICSPPacket msg destined for outside but no socket exists iIndex=1 wCommand=$FF00 wCommand+2=$0900
    (0001185633) error during kit file extraction:65024:

    The HTTP transfer first transfers the kit file to the controller, then the kit is temporarily extracted, and then transferred internally to the device number given at Studio transfer. Before the internal transfer of the extracted kit starts, it is verified that firmware and hardware will match.

    The 1.4.90 is a master kit file. So after the HTTP transfer, if the device assigned in Studio is "0", and so NX master hardware, the internal update starts.

    But our transfer above assigned the firmware to device 5001, which does not match, and so it doesn't do the internal update.

    So it is impossible to load the wrong firmware kit to a hardware.

    But doing that "mistake", the NX master should not become unresponsive.... my NX1200 still works, even after a reboot. So I think your controller got lost for some other reason.

    If you can get it back to run, you may check by the command console (terminal/telnet) by MANAGE FIRMWARE

    manage firmware

    Devices

    0 - Master
    5001
    Select device or press return to cancel:0
    Current Version: v1.8.192
    Previous Version: 1.6.179
    Factory Version: 1.6.179
    To install a firmware version:
    Enter P (Previous), F (Factory) or press return to cancel:

    and/or

    manage firmware

    Devices

    0 - Master
    5001
    Select device or press return to cancel:5001
    Running Version: v1.1.48
    Last Loaded Version: v1.1.48
    Previous Version: UNAVAILABLE
    Factory Version: v1.1.48
    To install a firmware version:
    Enter L (Last), P (Previous), F (Factory) or press return to cancel:

    From those console commands, you can internally up/downgrade firmware between the running one, the previous running one, and the factory image, which never gets overwritten.

    Attention on downgrading from 1.8 to 1.6: here you first have to disable the Authentication in security settings.

  • @romancervenan said:
    OK, restart helped - thank you!

    Now we have this status:
    00000 NX-2200 Master v1.8.196
    05001 NX-2200 v1.1.48

    So, FW update of device 0 was successful, update of device 5001 failed.
    SSH is still not working.

    Any other suggestion?

    Awesome, all is fine again now on fw level. But why it doesn't work, I'm not sure.
    There is a note to the firmware:
    SSH Key algorithm supports only ssh-rsa host key.

    Does the Polycom use another key type?

  • I'm not sure, tomorrow I will have a briefing with Polycom guys, so I will inform you..

  • Still no news.
    But maybe anybody will find something from these pictures:
    When SSH was working I got in diagnostics during SSH connection this:

    When it stopped working, I'm receiving only handshake failed:

    And another suggestion: when I'm connecting to the same Polycom using Putty, I have to confirm server host key - "Accept" or "Connect Once" - is there any similar option in AMX master?

    Thanks!

  • The message of PuTTY indicates that it is an SSH-rsa2 connection.
    The firmware note says: SSH Key algorithm supports only ssh-rsa host key

    Maybe that's the problem.... but personally I have only very low experience with SSH, so....

  • Hello, so I have an answer from Polycom guys.
    It says: SSH v2 with AES256 encryption is used.

    In the readme file in SW2106_NX-X200_Controller_v1_8_196 release there is this note:
    openssh was upgrade to "SSH-2.0-OpenSSH_9.8"
    So, SSH v2 should not be a problem. Maybe AES256??

    I'm wondering, if I will find out more information when I upgrade also master firmware - SW2106_NX-X200_Master_v1_4_90, because there is this note in master fw readme:
    Audit log now available for failed SSH login attempts.
    Is there any known issue for upgrading master (NX-2200) fw from v1.1.48 to 1.4.90? Last time (see previous comments) I tried it, the NX unit became unresponsive...

    Or, maybe, is there a contact at AMX, where I can ask the same question? Maybe the guys from Polycom and AMX can solve it together, without an intermediary.

    Thanks!

  • The SW2106_NX-X200_Master_v1_4_90.kit is a NX CPU firmware, loaded to device 0.

    The 1.1.48 you refer to is the device firmware for device 5001.
    https://www.amx.com/en/softwares/nx-series-x200-nx-dvx-dgx-device-firmware-v1-1-50
    (link is just for information; not required to update for you, as it only has a fix for DVX-4K, has no effect to the normal controllers)

    At this point, you have to contact Harman/AMX Technical Support.

  • Oooo. Finally I got it! I thought that SW2106_NX-X200_Controller_v1_8_196 and SW2106_NX-X200_Master_v1_4_90 are for different devices, due to their names - "controller" vs "master".
    So, now it is clear to me.
    Marc, thank you for your support!
    Now I have to find the right contact form...

  • they changed the naming, right... but working daily with that, the thought didn't occur to me that this may confuse :smile:
