Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1395
Views
3
Helpful
6
Replies

CLI-Analyser needs ciphers added to fix this symptom?

Go to solution
jmaxwellUSAF
VIP
VIP

‎03-09-2023 02:19 PM

Error shown in logs of ISR4321-K9, Version 16.06.04, when trying to use CLI-Analyser to SSH into it ...

Mar 9 20:32:45.675: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
--

ISR4321-K9#sh ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 1
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-(!! obfuscated !!)
ssh-rsa (!! obfuscated !!)

Is this because CLI-analyzer is missing ciphers?

Must I update from SSH 1.99 to SSH 2.0 ?
Please fix this ASAP? May you please inform me here that this is fixed?

Thank you!

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-09-2023 02:44 PM - edited ‎03-09-2023 02:47 PM

as i suggested another post - you have a cipher mismatch 

read this log correctly :

Mar 9 20:32:45.675: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

 

EDIT: IOS XE 16.6 is an old code try to upgrade to 17.X

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

0 Helpful
6 Replies 6

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-09-2023 02:44 PM - edited ‎03-09-2023 02:47 PM

as i suggested another post - you have a cipher mismatch 

read this log correctly :

Mar 9 20:32:45.675: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

 

EDIT: IOS XE 16.6 is an old code try to upgrade to 17.X

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎03-09-2023 02:49 PM

Wait .... The error message means the SSH client is not Deffie-Hellman but the router is expecting DH.  

This is not a code issue, this is an issue with the SSH client-side. 

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Leo Laohoo

‎03-10-2023 03:50 AM 

This is not a code issue, this is an issue with the SSH client-side.

I was not suggesting to upgrade IOS due to this issue, since i saw old IOS, so suggesting to upgrade to latest.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
jmaxwellUSAF
VIP
VIP
In response to Leo Laohoo

‎03-10-2023 07:54 AM

It surprises me that a mainstream commercial SSH client would have this issue.

Shouldn't a commercial SSH client just hold every reasonable cypher preference a mainstream box might require, such as diffie-hellman-group-exchange-sha1, and diffie-hellman-group14-sha1 ?

0 Helpful

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame
In response to jmaxwellUSAF

‎03-10-2023 03:42 PM

@jmaxwellUSAF wrote:
It surprises me that a mainstream commercial SSH client would have this issue.

I am using SecureCRT and DH is disabled by default.  If I see a message like that, I usually just put a tick in the SSH option for DH and it starts working.

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to jmaxwellUSAF

‎03-11-2023 02:45 AM

Due to security reasons some of the old ciphers fade  (one side people asking to move to the next level of security, once asking legacy cipher in the network ) - so one needs to make a decision on what needs to be used for their use case.

As I mentioned earlier in another post - the CLI analyzer stopped releasing a new version, and it ended in 2021

I have also suggested some steps they recommend to ignore the options in the CLI analyser  - have you tried them?

(Note : I do not remember, there is some where option you can do, but try to download cli analyser - giving me error - will try again and let you know if I come across any findings)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents