Muradazz
Beginner

I cannot access any router with SSH

Dears,

In the past I could access my routers over SSH. Now, after upgrading to the latest version, I can't log in to any router, and the error is related to the SSH connection.

When I try to add a new router, I also have the same problem: "The authenticity of host "x.x.x.x" can't be established. RSA Key fingerprint is unavailable".

I upgraded to the latest release and the issue is the same.

Muradazz
Beginner

This is the log on my router, since I use a RADIUS server with username and password to log in to my routers over SSH:

RP/0/RP0/CPU0:Jul 11 07:20:05.945 GMT: SSHD_[65678]: %SECURITY-SSHD-6-INFO_GENERAL : Client closes socket connection
RP/0/RP0/CPU0:Jul 11 07:20:05.946 GMT: SSHD_[65678]: %SECURITY-SSHD-3-ERR_GENERAL : Error in receiving key exchange packet
RP/0/RP0/CPU0:Jul 11 08:11:05.516 GMT: SSHD_[65602]: %SECURITY-SSHD-6-INFO_GENERAL : Client X.X.X.X closes socket connection
RP/0/RP0/CPU0:Jul 11 08:11:05.518 GMT: SSHD_[65602]: %SECURITY-SSHD-3-ERR_GENERAL : Failed in version exchange
RP/0/RP0/CPU0:Jul 11 08:11:07.955 GMT: SSHD_[65602]: %SECURITY-SSHD-6-INFO_GENERAL : no matching kex found: client ssh-rsa server ssh-dss

Hi,
Did you try regenerating the crypto key for SSH on a switch to see if it makes a difference?

crypto key generate rsa (hit return)
2048 (hit return again)

Then try it; it looks like a key issue in the logs.

Marvin Rhoads
VIP Community Legend

As your log notes:

no matching kex found: client ssh-rsa server ssh-dss

Try updating your client software (putty etc.) to a newer version. Newer IOS versions have deprecated the older ssh-rsa key exchange.

It's the other way around, ssh-dss is deprecated, RSA is in common use today but is going to be replaced by either ECDSA or ed25519.

gunnar.gud
Beginner

This is caused by Cisco CLI Analyzer only supporting RSA.

You should generate an RSA host key for network devices, unless a better type is available.

If you want to add other key types to Cisco CLI Analyzer, see: https://community.cisco.com/t5/cisco-cli-analyzer/cli-3-6-7-authenticity-of-rsa-fingerprint-cannot-be-verified/m-p/4390271/highlight/true#M476
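
Added example, not part of the thread or of any Cisco tool: a short Python check that reads the router log lines posted above and reports, for each failed negotiation, which algorithm the client and the server offered. The line format is inferred from the five lines shown, the comma-separated handling is an assumption, and the `DEPRECATED` set reflects the reply above that calls ssh-dss deprecated.

```python
import re

# Router log lines copied from the thread above.
LOG = """\
RP/0/RP0/CPU0:Jul 11 07:20:05.945 GMT: SSHD_[65678]: %SECURITY-SSHD-6-INFO_GENERAL : Client closes socket connection
RP/0/RP0/CPU0:Jul 11 07:20:05.946 GMT: SSHD_[65678]: %SECURITY-SSHD-3-ERR_GENERAL : Error in receiving key exchange packet
RP/0/RP0/CPU0:Jul 11 08:11:05.516 GMT: SSHD_[65602]: %SECURITY-SSHD-6-INFO_GENERAL : Client X.X.X.X closes socket connection
RP/0/RP0/CPU0:Jul 11 08:11:05.518 GMT: SSHD_[65602]: %SECURITY-SSHD-3-ERR_GENERAL : Failed in version exchange
RP/0/RP0/CPU0:Jul 11 08:11:07.955 GMT: SSHD_[65602]: %SECURITY-SSHD-6-INFO_GENERAL : no matching kex found: client ssh-rsa server ssh-dss
"""

LINE_RE = re.compile(
    r"^\S+?:(?P<ts>\w{3} +\d+ [\d:.]+ \w+): SSHD_\[(?P<pid>\d+)\]: "
    r"%SECURITY-SSHD-(?P<sev>\d)-\w+ : (?P<msg>.*)$")
MISMATCH_RE = re.compile(
    r"no matching kex found: client (?P<client>\S+) server (?P<server>\S+)")
# Assumption for this example: algorithms reported as deprecated.
DEPRECATED = {"ssh-dss"}


def parse(log):
    """Return a dict (ts, pid, sev, msg) for every SSHD syslog line."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def find_mismatches(log):
    """Report each failed negotiation with what client and server offered."""
    records = parse(log)
    findings = []
    for rec in records:
        m = MISMATCH_RE.search(rec["msg"])
        if not m:
            continue
        # Assumption: several algorithms, if present, are comma-separated.
        client, server = m["client"].split(","), m["server"].split(",")
        findings.append({
            "time": rec["ts"],
            "pid": rec["pid"],
            "client": client,
            "server": server,
            "common": sorted(set(client) & set(server)),
            "server_only_deprecated": set(server) <= DEPRECATED,
            # Severity-3 errors logged by the same SSHD process.
            "related_errors": [r["msg"] for r in records
                               if r["pid"] == rec["pid"] and r["sev"] == "3"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(LOG):
        print(finding)
```

An empty `common` list together with `server_only_deprecated` set to true points at the router's host key type rather than at the client.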