Showing results for 
Search instead for 
Did you mean: 

Cisco CLI Analyzer RSA key verification failing everytime

Since version 3.6.7 I get this each time I open an SSH connection to any of the devices in my fleet. I have been using the CLI analyzer tool for more than a year and none of the devices have changed RSA keys.

Deleteing the known_hosts file made no difference.

Screenshot 2021-04-19 084418.png

Scott Hardin
Cisco Employee

Hi Luke. Thanks for using Cisco CLI Analyzer.


If you are on a Windows machine and these devices were working prior to version 3.6.7, it's likely due to the fact that we updated the version of ssh-keyscan included with Cisco CLI Analyzer in order to address some security vulnerabilities. With the upgrade of ssh-keyscan, several dated KEX Algorithms were deprecated and are no longer recognized as valid when doing the handshake for host key verification. This can pose a problem for older Cisco hardware.


We are planning to include a feature to bypass this warning automatically in release 3.6.8 of Cisco CLI Analyzer.

Thanks Scott,  

Would regenerating the ssh key on the switch(es) be a workaround?  If so which algorithms can be used?

Here was my workaround.


1. Close Cisco CLI Analyzer

2. Install Cisco CLI Analyzer v3.6.6 on another PC.

3. Rename the folder C:\Program Files\Cisco Systems, Inc\Cisco CLI Analyzer\keyscan\64 to "old" on your PC

4. Copy same folder from v3.6.6 PC to your PC in the same location.

5. Start Cisco CLI Analyzer.


This replaces their "updated" version if KeyScan with the previous version. You will get a prompt the first time you connect to the switch but then it adds it to the list of trusted hosts and you're golden.

This widget could not be displayed.