Unable to SSH to a leaf from APIC after replacing the leaf switch with the same Node ID in the fabric



There was a leaf switch live in our fabric which was having some issues. We got an RMA for it and replaced it with the new leaf switch using the same Node ID. After the replacement we are unable to SSH to the new leaf switch from the APIC; we are getting some error related to RSA keys.


1 Comment
Jayesh Singh
Cisco Employee

Hello Tushar,

Seems like you will have to remove the entry for that particular leaf from the SSH known hosts list on the APIC and that should fix the issue. Please follow the steps below and see if that works:

Step 1: Look for Leaf hostname and IP address

apic1# acidiag fnvread  <-- This will show you the list of nodes and their IP addresses. Identify your respective node here.

Step 2 (Optional): Verify if there is any existing entry for your leaf

apic1# cat /home/admin/.ssh/known_hosts 

NOTE: The hostname is shown in lower case even if you have defined it in CAPS. So while removing the entry in Step 3, mention the leaf hostname in lower case. E.g., if the hostname is POD1-LEAF-101 then you need to mention pod1-leaf-101 in the next step.

Step 3: Remove RSA host keys from the APIC for your leaf

apic1# ssh-keygen -R <leaf-hostname>   <-- hostname identified in Step 1, mention it in lower case letters and without the brackets <>

apic1# ssh-keygen -R <leaf-IP>               <-- leaf IP identified in Step 1, without the brackets <>

Step 4 (Optional): Verify that the entry is removed for your leaf

apic1# cat /home/admin/.ssh/known_hosts 

Step 5: Try to SSH to your leaf from the APIC; it should add a fresh RSA key to the list of known hosts

apic1# ssh <leaf-hostname>  <-- hostname identified in Step 1, mention it as is; it is not required to be in lower case here even if it contains upper case letters

Please engage Cisco TAC if the issue is business impacting and is not resolved by this method!

Hope that helps!

Best Regards,
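An added, offline illustration of what Steps 2 through 4 above do to the APIC's known_hosts file (example code, not part of the answer above and not Cisco's own tooling). The known_hosts contents, hostnames, addresses and key blobs are constructed sample data; the real procedure uses ssh-keygen -R exactly as the answer shows, and the awk matching here only stands in for it so the example runs anywhere. It demonstrates the two details that trip people up: OpenSSH writes the hostname and the IP on one comma-separated line, so the same stale entry must be gone whichever name you look up, and the stored hostname is lower case, so a CAPS hostname must be lower-cased before it will match.

```sh
#!/bin/sh
# Added example (not from the original post): offline stand-in for
# "ssh-keygen -R <host>" against a known_hosts file after a leaf was replaced
# with the same Node ID. All data below is constructed; the key blobs are
# placeholders, not real public keys.

# Write a constructed known_hosts file. Line 1 carries both the lower-cased
# hostname and the IP, the shape OpenSSH writes after a first login; the
# replaced leaf (pod1-leaf-101) still has its OLD key recorded here.
make_sample_known_hosts() {
    f="$1"
    cat > "$f" <<'EOF'
pod1-leaf-101,10.0.0.101 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_PLACEHOLDER_OLD_LEAF_101_KEY
pod1-leaf-102,10.0.0.102 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_PLACEHOLDER_LEAF_102_KEY
10.0.0.103 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC_PLACEHOLDER_LEAF_103_KEY
EOF
}

# Remove every line whose host list contains one of the given names or
# addresses. Names are lower-cased first because OpenSSH stores hostnames in
# lower case (the NOTE in the answer above). Hashed entries ("|1|...") cannot
# be matched by plain comparison and are kept; the real ssh-keygen -R handles
# those, this stand-in deliberately does not.
remove_host_entries() {
    f="$1"; shift
    for name in "$@"; do
        lc=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        awk -v target="$lc" '
            /^\|1\|/ { print; next }        # hashed entry: keep untouched
            {
                n = split($1, hosts, ",")
                keep = 1
                for (i = 1; i <= n; i++) {
                    if (tolower(hosts[i]) == target) { keep = 0; break }
                }
                if (keep) print
            }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Count remaining entries for a host or IP (0 means the stale key is gone);
# this is the check "cat known_hosts" in Step 4 performs by eye.
count_entries() {
    f="$1"; lc=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v target="$lc" '
        { n = split($1, hosts, ","); for (i = 1; i <= n; i++) if (tolower(hosts[i]) == target) c++ }
        END { print c + 0 }' "$f"
}

# Total number of lines left in the file.
line_count() {
    awk 'END { print NR }' "$1"
}

# Stand-alone run: clear the replaced leaf's stale entry and show the result.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_known_hosts "$tmp"
    remove_host_entries "$tmp" POD1-LEAF-101 10.0.0.101
    printf 'entries left for pod1-leaf-101: %s\n' "$(count_entries "$tmp" POD1-LEAF-101)"
    cat "$tmp"
    rm -f "$tmp"
fi
```

Run it with `sh example.sh demo`. The host-key mismatch the question describes is SSH doing its job: the key presented by the new hardware does not match the one recorded for that hostname and IP, and the warning cannot tell a legitimate RMA apart from an impostor on the fabric. That is why the answer has you confirm the node's identity with `acidiag fnvread` first and then remove only that node's entries, rather than emptying the known_hosts file or disabling host-key checking; the fresh key is then learned on the next login in Step 5. The real `ssh-keygen -R` also leaves a `known_hosts.old` backup beside the file, which this stand-in does not.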

