Symptom

Weak crypto algorithms including MD5, DES, and 3DES should not be used for SNMP v3 user configuration as these algorithms are insecure and do not provide adequate protection from modern threats. Instead, SHA, SHA-2, and AES should be used for authentication and privacy protocols respectively.

Conditions

SNMP v3 user configured to use MD5 as the authentication protocol, or DES and 3DES as the privacy protocol.

Workaround

Update the authentication protocol to SHA or SHA-2, and privacy protocol to AES respectively. If this is not possible, then the following configuration command is required for SNMP to continue to function with the weak algorithms upon an upgrade to IOS XE version 17.11.1: Device(config)#crypto engine compliance shield disable Note the above command will only take effect after a reboot. Cisco does NOT recommend this option as these weak cryptographic algorithms are insecure and do not provide adequate protection from modern threats and should only be used as a last resort.

Further Problem Description