
CLI-Analyser needs ciphers added to fix this symptom?

Error shown in logs of ISR4321-K9, Version 16.06.04, when trying to use CLI-Analyser to SSH into it ...

Mar 9 20:32:45.675: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
--

ISR4321-K9#sh ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 1
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-(!! obfuscated !!)
ssh-rsa (!! obfuscated !!)

Is this because CLI-analyzer is missing ciphers?

Must I update from SSH 1.99 to SSH 2.0 ?
Please fix this ASAP? May you please inform me here that this is fixed?

Thank you!

Accepted Solutions

balaji.bandi
Hall of Fame

As I suggested in another post, you have a cipher mismatch.

Read this log correctly:

Mar 9 20:32:45.675: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

EDIT: IOS XE 16.6 is old code; try to upgrade to 17.X

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
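
An added example (not part of any post in this thread, and not Cisco's code): a small Python parser for the %SSH-3-NO_MATCH kex line quoted above, showing that the client and server lists share no entry and that the server list is SHA-1 only. The function names are hypothetical, and the selection rule is the simplified "first client algorithm the server also lists" rule from RFC 4253.

```python
import re

# Constructed sample: the %SSH-3-NO_MATCH line quoted in the thread.
LOG_LINE = (
    "Mar 9 20:32:45.675: %SSH-3-NO_MATCH: No matching kex algorithm found: "
    "client curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
    "ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,"
    "diffie-hellman-group14-sha256 "
    "server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1"
)

# Only the kex form shown on the page is parsed.
NO_MATCH_KEX = re.compile(
    r"%SSH-3-NO_MATCH: No matching kex algorithm found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

def parse_no_match(line):
    """Return (client_list, server_list), or None if the line does not match."""
    m = NO_MATCH_KEX.search(line)
    if m is None:
        return None
    return m["client"].split(","), m["server"].split(",")

def negotiate(client, server):
    """Simplified RFC 4253 rule: first client algorithm the server also lists."""
    offered = set(server)
    return next((alg for alg in client if alg in offered), None)

def is_sha1(alg):
    """True for names such as diffie-hellman-group14-sha1 (hash suffix -sha1)."""
    return alg.split("@")[0].endswith("-sha1")

def diagnose(line):
    """Summarise why negotiation failed for one NO_MATCH kex log line."""
    parsed = parse_no_match(line)
    if parsed is None:
        return None
    client, server = parsed
    return {
        "agreed": negotiate(client, server),
        "client_offers_sha1": any(is_sha1(a) for a in client),
        "server_sha1_only": all(is_sha1(a) for a in server),
    }

if __name__ == "__main__":
    print(diagnose(LOG_LINE))
```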

Leo Laohoo
Hall of Fame

Wait ... The error message means the SSH client is not Diffie-Hellman but the router is expecting DH.

This is not a code issue, this is an issue with the SSH client-side. 

This is not a code issue, this is an issue with the SSH client-side. 

I was not suggesting to upgrade IOS due to this issue; since I saw old IOS, I am suggesting to upgrade to the latest.

BB

It surprises me that a mainstream commercial SSH client would have this issue.

Shouldn't a commercial SSH client just hold every reasonable cypher preference a mainstream box might require, such as diffie-hellman-group-exchange-sha1, and diffie-hellman-group14-sha1 ?


@jmaxwellUSAF wrote:
It surprises me that a mainstream commercial SSH client would have this issue.

I am using SecureCRT and DH is disabled by default.  If I see a message like that, I usually just put a tick in the SSH option for DH and it starts working.

For security reasons some of the old ciphers fade away (on one side people are asking to move to the next level of security, on the other they are asking for legacy ciphers in the network), so one needs to make a decision on what needs to be used for their use case.

As I mentioned earlier in another post, the CLI analyzer stopped releasing new versions, and it ended in 2021.

I have also suggested some steps they recommend to ignore the options in the CLI analyser - have you tried them?

(Note: I do not remember exactly; there is an option somewhere that you can set, but when I try to download CLI analyser it gives me an error. I will try again and let you know if I come across any findings.)

BB