Cli-Analyzer 3.7.0 and above gives %SSH-5-SSH_CLOSE

Phillip.Joynes
Level 1

Ever since I upgraded to Cli-Analyzer 3.7.0, whenever I connect to a device I get a black screen with no blinking cursor and a red dot on the session. It works on Cli-Analyzer 3.6.8 when I downgrade (I have been using 3.6.8 since the release of 3.7.0). It works on PuTTY and when I PuTTY into the switch (I have tried a variety of switches and routers and it seems to be for all of them). I connected to the switch (using PuTTY), set term mon and got this message "4177009: Feb 26 2025 16:10:50.800 UTC: %SSH-5-SSH_CLOSE: SSH Session from x.x.x.x (tty = 1) for user '' using crypto cipher '' closed" (x.x.x.x is the IP address I cleaned) and in the show logging output.

A successful connection looks like this "4176854: Feb 26 2025 16:04:49.717 UTC: %SSH-5-SSH2_SESSION: SSH2 Session request from x.x.x.x (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded".  This suggests to me that it may be the cipher being used by or negotiated with Cli-Analyzer.  Any help would be greatly appreciated!!

I am using this on Windows 10 22H2. I have also removed my user profile and my colleagues get the same.

I did note this in the manual and wondered if it had a bearing "Starting with version 3.7.1, the Cisco CLI Analyzer uses a new authentication method.", however this does not work with 3.7.0 either.

Update: I found this on the feature guide for 3.7.0 in Cli-Analyzer:

Keyboard Interactive Authentication & Security Updates

  • The CLI Analyzer now supports Keyboard Interactive as an option for connecting to devices.
  • Dependencies have been upgraded to improve security.

9 Replies

Scott Hardin
Cisco Employee

Hi Phillip,

CLI Analyzer uses the ssh2 Node.js library under the hood to connect to devices. As the version of this library increments, unfortunately, support for older crypto algorithms is dropped.

Are you able to check what KEX algorithm is being negotiated by CLI Analyzer in the logs? This is typically what I've seen causing our users trouble when connecting to particularly older devices.

Thanks,
Scott

Phillip.Joynes
Level 1

Hi Scott,

Thank you for your reply.

We are currently using these KEX algorithms "ecdh-sha2-nistp521 ecdh-sha2-nistp384".

As a test I defaulted these algorithms and tried again and got the same error.  I have also tested using telnet and that works, so would suggest an SSH issue.

I have also taken a packet capture of the traffic to and from the switch and can see an SSH version 2 protocol attempt, and shortly after the switch sends a fin ack and the client tries an ack with no reply. I have attached a screenshot of this in case it helps.

I cannot find any logs for Cli-Analyzer and only the message above in the first post on the switch. If you would like me to enable more verbose logging, or if I have missed something, then please let me know.

Thanks,
Phill
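
Added example (not part of the thread and not CLI Analyzer or ssh2 code): one way to answer the KEX question from a packet capture is to parse the cleartext SSH_MSG_KEXINIT each side sends (RFC 4253 section 7.1) and intersect the lists. The server KEX list is the one quoted in the post above; the client offers and all function names are constructed for illustration, and negotiation is simplified to "first client preference the server also lists".

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT payload, in RFC 4253 section 7.1 order.
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Build an unencrypted SSH packet carrying KEXINIT (constructed test input)."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)       # message type + zeroed cookie
    for name in FIELDS:
        joined = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(joined)) + joined
    payload += b"\x00" + struct.pack(">I", 0)            # first_kex_packet_follows, reserved
    pad = 8 - (len(payload) + 5) % 8                     # pad to a multiple of 8, minimum 4
    if pad < 4:
        pad += 8
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

def parse_kexinit(packet):
    """Return {field: [algorithm, ...]} from one cleartext KEXINIT packet."""
    if len(packet) < 5:
        raise ValueError("short packet")
    length, pad = struct.unpack(">IB", packet[:5])
    if length + 4 > len(packet) or pad + 1 > length:
        raise ValueError("truncated or malformed packet")
    payload = packet[5:4 + length - pad]
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, out = 17, {}                                    # skip type byte and cookie
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("name-list header runs past payload")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + n > len(payload):
            raise ValueError("name-list runs past payload")
        raw = payload[pos:pos + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += n
    return out

def negotiate(client_list, server_list):
    """First client preference the server also lists; None means no common algorithm."""
    return next((a for a in client_list if a in server_list), None)

# Server KEX list as quoted in the post above; both client offers are constructed.
SERVER_KEX = ["ecdh-sha2-nistp521", "ecdh-sha2-nistp384"]
OFFER_A = parse_kexinit(build_kexinit({"kex": ["curve25519-sha256", "ecdh-sha2-nistp384"]}))
OFFER_B = parse_kexinit(build_kexinit({"kex": ["curve25519-sha256", "diffie-hellman-group14-sha256"]}))
```

A `ValueError` from `parse_kexinit` on the first client payload after the version banner means that payload is not a KEXINIT, so there are no offered lists to compare yet.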

teegee60510
Level 1

I am having a similar problem. We enabled multi factor authentication in TACACS (ISE) so we now have to check that "Keyboard Interactive" box. I have 3 jump servers, Windows Server 2019. The Interactive prompt works on one server but not on the others. I upgraded one server Cli Analyzer to latest 3.7.2 but no success. Anyone else have this problem? How did you fix it?

I did a little more troubleshooting and found that CLI is not passing credentials:

Mar 4 10:02:16.932 CST: %SSH-5-SSH_CLOSE: SSH Session from x.x.x.x (tty = 1) for user '' using crypto cipher '' closed

Mar 4 10:03:45.598 CST: %SSH-5-SSH_CLOSE: SSH Session from x.x.x.x (tty = 1) for user '' using crypto cipher '' closed

PuTTY works fine.

Any ideas for debugging?

Phillip.Joynes
Level 1

I have run an ip ssh debug on the switch and receive the following in the log:

003581: Feb 28 09:56:18.503 GMT: SSH1: starting SSH control process
003582: Feb 28 09:56:18.503 GMT: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
003583: Feb 28 09:56:18.508 GMT: SSH2 1: SSH ERROR closing the connection
003584: Feb 28 09:56:18.508 GMT: SSH1: receive failure - status 0x03
003585: Feb 28 09:56:18.508 GMT: %SSH-5-SSH_CLOSE: SSH Session from x.x.x.x (tty = 1) for user '' using crypto cipher '' closed
003586: Feb 28 09:56:18.609 GMT: SSH1: Session terminated normally

This suggests an issue with the connecting session (we set ip ssh version 2 in the config).

@Scott Hardin Is there some way I can open a case for this please? I would be very grateful!

Please note we use a variety of switches and IOS (IOS XE) versions and this is happening with all of them.
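
Added example (not part of the thread): a small triage script for the two IOS SSH messages quoted in the posts above, separating closes that carry no cipher from sessions that did negotiate one. The sample lines are copied from the thread with the source address already masked; the category names and function names are assumptions made for this example.

```python
import re
from collections import Counter

# Lines copied from the posts above (source address already masked as x.x.x.x).
SAMPLE = """\
4176854: Feb 26 2025 16:04:49.717 UTC: %SSH-5-SSH2_SESSION: SSH2 Session request from x.x.x.x (tty = 0) using crypto cipher 'aes256-ctr', hmac 'hmac-sha2-256' Succeeded
4177009: Feb 26 2025 16:10:50.800 UTC: %SSH-5-SSH_CLOSE: SSH Session from x.x.x.x (tty = 1) for user '' using crypto cipher '' closed
Mar 4 10:02:16.932 CST: %SSH-5-SSH_CLOSE: SSH Session from x.x.x.x (tty = 1) for user '' using crypto cipher '' closed
003585: Feb 28 09:56:18.508 GMT: %SSH-5-SSH_CLOSE: SSH Session from x.x.x.x (tty = 1) for user '' using crypto cipher '' closed
"""

# Match on the mnemonic so the optional sequence number and timestamp style do not matter.
CLOSE = re.compile(
    r"%SSH-5-SSH_CLOSE: SSH Session from (?P<src>\S+) \(tty = (?P<tty>\d+)\) "
    r"for user '(?P<user>[^']*)' using crypto cipher '(?P<cipher>[^']*)' closed")
SESSION = re.compile(
    r"%SSH-5-SSH2_SESSION: SSH2 Session request from (?P<src>\S+) \(tty = (?P<tty>\d+)\) "
    r"using crypto cipher '(?P<cipher>[^']*)', hmac '(?P<hmac>[^']*)' (?P<result>\w+)")

def classify(line):
    """Return (category, fields) for one log line, or (None, {}) if it is not an SSH event."""
    m = CLOSE.search(line)
    if m:
        # An empty cipher field is what every failing line in this thread shows.
        kind = "close_with_cipher" if m["cipher"] else "close_no_cipher"
        return kind, m.groupdict()
    m = SESSION.search(line)
    if m:
        return "session_" + m["result"].lower(), m.groupdict()
    return None, {}

def summarize(text):
    """Count categories per source address across a block of log text."""
    counts = Counter()
    for line in text.splitlines():
        kind, fields = classify(line)
        if kind:
            counts[(fields["src"], kind)] += 1
    return counts

if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE).items()):
        print(f"{src:15} {kind:20} {n}")
```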

Phillip.Joynes
Level 1

I just downgraded to 3.6.8 and when I try to connect I get the pop-up "The authenticity of host x can't be established. RSA key fingerprint is x. Are you sure you want to continue connecting?".  I did not get this in version 3.7.0 and above.

Phillip.Joynes
Level 1 (Accepted Solution)

A quick update. I have managed to get 3.7.2 working on one of our servers, so I suspect this is an issue on our end (a policy or security measure, etc.).  Thanks for your help.

Please share what you did.

So far I have it not working on my laptop, but working on one of our servers. Therefore I believe that this will be due to our group policies or other hardening measures on our domain. Now I have the long hard task of trying to discover what that may be. If I figure it out I will post back. Likewise if anyone else finds something along these lines that has caused the same issue, please let me know and I can test.