topic Re: Issue SSH in Routing and SD-WAN

Issue SSH

pesanchez2002 — Mon, 04 Mar 2019 12:58:42 GMT

I did upgrade to version of IOS cat4000-i9k91s-mz.122-18.EW2.bin to cat4500-entservicesk9-mz.122-52.SG.bin at a catalyst 4507r engine IV.

Before i could to execute:

ssh 1.1.1.1, without problem.

But after upgrade i can't do that.

In catalyst 4507r:

-----------------

router_4507r#sh ip ssh

SSH Enabled - version 1.99

Authentication timeout: 120 secs; Authentication retries: 3

router_4507r#ssh 1.1.1.1

[Connection to 1.1.1.1 aborted: error status 0]

In router remote:

----------------

Router_remote#sh ip ssh

SSH Enabled - version 1.99

Authentication timeout: 120 secs; Authentication retries: 3

Re: Issue SSH

Edison Ortiz — Wed, 03 Jun 2009 12:47:00 GMT

Try ssh -l [username] 1.1.1.1

HTH

Edison.

Re: Issue SSH

pesanchez2002 — Wed, 03 Jun 2009 14:44:40 GMT

Hi thanks by your answer

I executed the command

ssh -l username 1.1.1.1

and receive the same message

[Connection to 1.1.1.1 aborted: error status 0]

Re: Issue SSH

Edison Ortiz — Wed, 03 Jun 2009 14:48:29 GMT

Can we see the complete configuration on both devices?

Can you ping 1.1.1.1 ?

Can you verify you have enough VTY sessions available? (show users).

Edison.

Re: Issue SSH

pesanchez2002 — Wed, 03 Jun 2009 15:24:43 GMT

Hi,

Yes i can do ping 1.1.1.1

I can do ssh connection with my Computer using putty in my computer without problem.

I have 3 possible connection vty:

line vty 0 2

session-timeout 3

access-class 51 in

exec-timeout 3 0

timeout login response 15

logging synchronous

transport input ssh

I had no problem to connect before carrying out the upgrade of IOS.

Re: Issue SSH

Edison Ortiz — Wed, 03 Jun 2009 15:33:51 GMT

Then the problem can be IOS related. Try a earlier version than the one you currently have.

Edison.

Re: Issue SSH

ahintzsche — Tue, 02 Nov 2010 10:00:40 GMT

maybe it's still helpful. i had the same issue. check the version of ssh configured on 1.1.1.1.

I have two switches (2950, same IOS etc), destination switch configured with ip ssh version 2. when trying to ssh from switch one to that it gives me error message, even though when showing ssh both seem to run ssh version 2 ok. But when I take the command out they connect on ssh 1.5.

So I guess you can either take the command out or put it in on the other switch (if supported).

Then you might have different switches altogether by now.

Issue SSH

famfran13 — Thu, 08 Aug 2013 22:58:06 GMT

I had a similar case:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Error reported by the customer:

Router2#ssh -l userID x.x.x.x

[Connection to x.x.x.x aborted: error status 0]
Router2#

Resolution:

Enabled on x.x.x.x router:

conf t
crypto key generate rsa
1024

Devices is reachable from Router2 now:

------------------------------------------------------
Router2#ssh -l userID x.x.x.x

Password:
+++++++++++++++++++++++++++++++++++++++++++++++++++

Re: Issue SSH

andacn001 — Fri, 29 Nov 2013 16:16:57 GMT

Your old IOS contains only the Server function for SSHv2.
You can´t operate as a client with this IOS when SSHv2 is enabled
With SSHv1 you can operate both as a server and as a client.
Your new IOS also offers only the same function of SSHv1 and SSHv2 like your old IOS
Still it is not possible with SSHv2 to operate as a client.

You need a newer IOS. The Cisco IOS Releases 15.0(2)SG (Catalyst 4500 Series Switch) contains Secure Shell SSHv2 Client and Server Support

You need a crypto key with at least 768 bit to enable SSHv2

for additional questions look here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_24727.html

Check your current IOS features with the Cisco Feature Navigator:

http://tools.cisco.com/ITDIT/CFN/jsp/SearchBySoftware.jsp

Hi pesanchez2002,

andreslgx_101 — Mon, 03 Apr 2017 09:55:41 GMT

Hi pesanchez2002,

So, although the post is old, I presented the same issue. I saw that my two routers had different version for ssh.

R1#ssh -l cisco 10.12.0.2

[Connection to 10.12.0.2 aborted: error status 0]

R1#

R1#sh ip ssh

SSH Enabled - version 1.5

Authentication timeout: 120 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQCn6ikgcwMwN2ifgWa2rqf/kQFUZnN5+k/XsXXDjV0e

VomwDnPVVTSRBtZR2nEhPRg+Tq9EjF8F8ejB/kewfVob

R1#

R2(config-line)#do sh ip ssh

SSH Enabled - version 2.0

Authentication timeout: 120 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDvQVznsveLrgk6vMsR3a5BwYPj2vaBPHRttVY6saE

SQ8E0x4HU1rbn94tzjgLQKVvlc4D9dNam1JIw7A07PS6vxoW0NZTXTMRMF+muEmzaWJkpZq5JUwK18Oa

gqToXWyCjqPAn8Hp+ZgInRynXkMudsKVQfSMHKhB3Z7Lua9oO0COv+WJ+74Ci6ipxMWjethQVT6jCQ8u

MkprhOPQx/haQGe2cilIcfHcSmsrGi0DbyTZxVxaqlgfLZzhttMkCg5UYpxCan3BSWxjb4kTs36Wb8Np

6uEZzvDmolHXLG+8V6P6bMAeBB3KLpC3sfHmWEHwcbVN3UAvAeXY8o4sCzdf

R2(config-line)#

My solution was to bring equal the version for ssh in the two equipments.

R1(config)#ip ssh version 2

R1#sh ip ssh

SSH Enabled - version 2.0

Authentication timeout: 120 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnfzqredbdnDrI3BB4G/YcKupR29oRPS3pyxrseEaY

LgmZ59K3NAfriL8LGCa15iZQ4nbRb/OARRTJhP+W2km24kfUEqP6n7BQf4VSaPTAx3RdycV2c+6EoOPp

auDeosPfUn+AD8VmUs1vrk+cHusBdnjIS7PRFaq2TQ7TWJTj+sDsoqLxfmoD5bKb8Y/MFtIKULnsrZiS

hjAA2c3HuiqozVSVU+SW+wHAUYJtat28B3zFA65C0HHsoQSnGGFO+U4W9HHXTNFN6n9Ut2fsoRxagZ54

DbaMN9DyoI2jaWlZV1szO8JOUIuzC1TrnXZvxMEJK55ZHOfRO1rq3cVVwYX7

R1#

R1#ssh -l admin 10.12.0.2

Password:

R2#

I hope that this information help to other people with the same issue.

Note. Sorry for my english, I'm still learning.

Regards

Re: Hi pesanchez2002,

Garry Cross — Fri, 02 Feb 2018 18:22:07 GMT

I would like to continue this thread. The above resolution regarding version 2 and client server does not seem to be relevant in my case. I have not checked the release notes or software features at this point but here is what I have.

I have a 3850 new out of the box. It is running 16.6.1. It cannot ssh to any ASA5525. The version on the ASA is 9.8(1). The 3850 can ssh fine to other Cisco devices. Examples include a 4331. Another 3850. 4500X. N7K, all work fine and all configured with ip ssh version 2. The modulus of all keys is 1024 or better.

Older versions of 3850 can ssh into the ASA fine. Other switches can ssh to the ASA just fine. Putty works fine. I have other ASA's of the same version and this 3850 cannot ssh to any of them. Thinking this might be a bug.

Re: Issue SSH

paul driver — Sat, 03 Feb 2018 16:31:46 GMT

Hello

zerosize the ssh key and recreate it

also allow ssh on all vty lines not just 0 2 test again

res

paul

Re: Issue SSH

Garry Cross — Mon, 05 Feb 2018 16:33:02 GMT

Not sure if this was a response to my post but I don't see how it is relevant to my situation if it was.

ASA has no concept of line vty ... and on the 3850 all vty lines are set to transport input ssh of which this is not input but output.

I think I found the issue.

After debug ssh I see this message.

SSH2 0: kex algo not supported: client diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, server diffie-hellman-group Unfortunately the message is cutoff from display.

The ASA comes by default with

ssh key-exchange group dh-group1-sha1

Changing to

ssh key-exchange group dh-group14-sha1 (the only other choice)

and now the 3850 on Version 16.6.1 can connect to the ASA with SSH.

The 16.6.1 3850 has a new configuration item

ip ssh client ?

encryption

kex

mac

ip ssh client kex ?

diffie-hellman-group-exhange-sha1

diffie-hellman-group14-sha1

The 3.3.3SE release does not have such an option on ip ssh.

So there are changes in the code of 16.6.1 when it comes to ssh protocol.

At this point the ASA does not seem to understand what diffie-hellman-group-exhange-sha1 is.

Re: Issue SSH

asapa — Wed, 12 Dec 2018 22:18:46 GMT

I have same problem on Cisco ASR920.
ACR903#show ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr

ASR920#show ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:3des-cbc

I add additional algorithm : ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr 3des-cbc

ASR920#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc

And all work fine

Re: Issue SSH

LEL — Fri, 05 Jul 2019 09:34:33 GMT

Thanks for this information

Re: Issue SSH

jdjmoncivais — Fri, 05 Jul 2019 11:59:12 GMT

Your issue more than likely is ssh strict host key checking is enabled.

Check your ssh configuration for this command:

ip ssh stricthostkeycheck

If it's in your configuration, you have two options:

1. enable the ip ssh pubkey-chain command:

ip ssh pubkey-chain

2. Disable strict host key checking

no ip ssh stricthostkeycheck

In your case, I would try option 2.

Good Luck!

Re: Issue SSH

jdjmoncivais — Fri, 05 Jul 2019 12:00:35 GMT

Your issue more than likely is ssh strict host key checking is enabled.

Check your ssh configuration for this command:

ip ssh stricthostkeycheck

If it's in your configuration, you have two options:

1. enable the ip ssh pubkey-chain command:

ip ssh pubkey-chain

2. Disable strict host key checking

no ip ssh stricthostkeycheck

In your case, I would try option 2.

Good Luck!

Re: Issue SSH

sridharraja91@gmail.com — Thu, 12 Sep 2019 17:09:52 GMT

i am to facing same issue

Core-A-SW#ssh 10.200.2.134

[Connection to 10.200.2.134 aborted: error status 0]

Re: Issue SSH

Ethan and Mia — Fri, 22 Jan 2021 20:05:42 GMT

Me too