
I cannot access any router with SSH

Muradazz
Level 1

Dears,

 

In the past I could access my routers over SSH. Now, after upgrading to the latest version, I can't log in to any router, and the error is related to the SSH connection.

When I try to add a new router, I also have the same problem with ((( The authenticity of host "x.x.x.x" can't be established. RSA Key fingerprint is unavailable))).

I upgraded to the last release and have the same issue.

 

 


Muradazz
Level 1

This is the log on my router, since I use a RADIUS server with username and password to log in to my routers over SSH.

 

RP/0/RP0/CPU0:Jul 11 07:20:05.945 GMT: SSHD_[65678]: %SECURITY-SSHD-6-INFO_GENERAL : Client closes socket connection
RP/0/RP0/CPU0:Jul 11 07:20:05.946 GMT: SSHD_[65678]: %SECURITY-SSHD-3-ERR_GENERAL : Error in receiving key exchange packet
RP/0/RP0/CPU0:Jul 11 08:11:05.516 GMT: SSHD_[65602]: %SECURITY-SSHD-6-INFO_GENERAL : Client X.X.X.X closes socket connection
RP/0/RP0/CPU0:Jul 11 08:11:05.518 GMT: SSHD_[65602]: %SECURITY-SSHD-3-ERR_GENERAL : Failed in version exchange
RP/0/RP0/CPU0:Jul 11 08:11:07.955 GMT: SSHD_[65602]: %SECURITY-SSHD-6-INFO_GENERAL : no matching kex found: client ssh-rsa server ssh-dss

Hi
Did you try regenerating the crypto key for SSH on a switch to see if it makes a difference?

crypto key generate rsa (hit return)
2048 (hit return again)

Then try it; it looks like a key issue in the logs.

As your log notes:

no matching kex found: client ssh-rsa server ssh-dss

Try updating your client software (PuTTY, etc.) to a newer version. Newer IOS versions have deprecated the older ssh-rsa key exchange.

It's the other way around: ssh-dss is deprecated. RSA is in common use today but is going to be replaced by either ECDSA or ed25519.

gunnar.gud
Level 1

This is caused by Cisco CLI Analyzer only supporting RSA.

You should generate an RSA host key for network devices, unless a better type is available.

 

If you want to add other key types to Cisco CLI Analyzer, see: https://community.cisco.com/t5/cisco-cli-analyzer/cli-3-6-7-authenticity-of-rsa-fingerprint-cannot-be-verified/m-p/4390271/highlight/true#M476
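
Added example, not part of any reply in this thread and not Cisco code: a Python parser for SSHD syslog lines in the format posted above that pulls out each "no matching ... found" line, compares the client and server algorithm names, and attaches the error lines logged by the same SSHD process. The function name `find_mismatches`, the `HOST_KEY_TYPES` and `DEPRECATED` sets, and the sample log (constructed from the lines quoted in the thread) are assumptions made for this example.

```python
import re

# Constructed sample in the IOS XR SSHD syslog format quoted in this thread.
SAMPLE_LOG = """\
RP/0/RP0/CPU0:Jul 11 08:11:05.516 GMT: SSHD_[65602]: %SECURITY-SSHD-6-INFO_GENERAL : Client X.X.X.X closes socket connection
RP/0/RP0/CPU0:Jul 11 08:11:05.518 GMT: SSHD_[65602]: %SECURITY-SSHD-3-ERR_GENERAL : Failed in version exchange
RP/0/RP0/CPU0:Jul 11 08:11:07.955 GMT: SSHD_[65602]: %SECURITY-SSHD-6-INFO_GENERAL : no matching kex found: client ssh-rsa server ssh-dss
"""

LINE_RE = re.compile(
    r"^(?P<node>\S+?):(?P<ts>\w{3} +\d+ [\d:.]+ \w+): SSHD_\[(?P<pid>\d+)\]: "
    r"%SECURITY-SSHD-(?P<sev>\d)-\w+ : (?P<msg>.*)$")
MISMATCH_RE = re.compile(
    r"no matching (?P<what>\w+) found: client (?P<client>\S+) server (?P<server>\S+)")

# Assumption: standard SSH public key algorithm names treated as host key types.
HOST_KEY_TYPES = {"ssh-rsa", "ssh-dss", "rsa-sha2-256", "rsa-sha2-512",
                  "ecdsa-sha2-nistp256", "ssh-ed25519"}
# Assumption: only ssh-dss is flagged, matching the deprecation noted in the thread.
DEPRECATED = {"ssh-dss"}

def find_mismatches(log_text):
    """Return one finding per 'no matching ... found' line, with same-PID errors."""
    records = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    findings = []
    for rec in records:
        mm = MISMATCH_RE.search(rec["msg"])
        if not mm:
            continue
        client = set(mm["client"].split(","))
        server = set(mm["server"].split(","))
        findings.append({
            "node": rec["node"], "time": rec["ts"], "pid": int(rec["pid"]),
            # The log says "kex", but ssh-rsa and ssh-dss name host key types.
            "negotiation": "host key" if client | server <= HOST_KEY_TYPES else mm["what"],
            "common": sorted(client & server),
            "server_only": sorted(server - client),
            "server_deprecated": sorted(server & DEPRECATED),
            "errors": [r["msg"] for r in records
                       if r["pid"] == rec["pid"] and int(r["sev"]) <= 3],
        })
    return findings

if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_LOG):
        print(finding)
```

An empty `common` list together with a non-empty `server_deprecated` list points at the device's host key type rather than at the client version.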
