4500x SSH Error

jnewton83985
Level 1

I am unable to SSH to our 4500x core switches all of a sudden via PuTTY, Cisco CLI Analyzer, or from another switch. In the logs, I see the following when I try to SSH to it.

Apr 14 15:08:34.476: %SEC-6-IPACCESSLOGP: list SSH_ACCESS permitted tcp 10.200.1.200(7037) -> 0.0.0.0(22), 1 packet

Apr 14 15:08:34.481: %SSH-3-NO_MATCH: No matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com server aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

Apr 14 15:08:45.982: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: NAME REMOVED] [Source: 10.200.1.200] [localport: 22] [Reason: Login Authentication Failed] at 10:08:45 CDT Fri Apr 14 2023

I know my logins are correct as they are saved in CLI Analyzer. I've already tried the following:

  • Confirmed IP SSHv2 is enabled
  • IP domain name is configured
  • crypto key zeroize rsa
  • crypto key generate rsa modulus 2048
  • Output of sh ssh after running the above
    • %No SSHv2 server connections running.
    • %No SSHv1 server connections running.
  • Running IOS 03.04.00 with uptime of 10 years
  • sh crypto key mypubkey rsa: shows key pair was generated

When I try to SSH to it from a switch, I get the following error:

%SSH: CBC Ciphers got moved out of default config. Please configure ciphers as required(to match peer ciphers)
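An added example (not part of the original post): the %SSH-3-NO_MATCH line above already carries both proposal lists, so the failed negotiation can be replayed offline with the rule from RFC 4253 section 7.1 (the first cipher on the client's list that the server also offers is chosen). The script triages constructed syslog input (the two lines quoted from this thread plus a made-up third line from another management host) and, for each failure, shows which side would have to change for a match: an OpenSSH client pinned to a CBC cipher with `ssh -c aes256-cbc`, or the switch offering a CTR-only set. The cipher names and log format are taken from the thread; the third log line and the `CTR_SET` constant are assumptions, and whether this 4500X release accepts a server-side algorithm command is not established here.

```python
"""Triage IOS %SSH-3-NO_MATCH lines and replay the SSH cipher negotiation."""
import re
from typing import Dict, List, Optional

# Matches the cipher form seen in the thread; the same message shape is used
# for the other negotiated categories, so the failing category is captured too.
NO_MATCH_RE = re.compile(
    r"%SSH-3-NO_MATCH: No matching (?P<what>\w+) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

# Constructed sample syslog: lines 1-2 are quoted from the thread, line 3 is a
# made-up second management host offering a shorter list.
SAMPLE_LOG = """\
Apr 14 15:08:34.476: %SEC-6-IPACCESSLOGP: list SSH_ACCESS permitted tcp 10.200.1.200(7037) -> 0.0.0.0(22), 1 packet
Apr 14 15:08:34.481: %SSH-3-NO_MATCH: No matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com server aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Apr 14 15:09:02.110: %SSH-3-NO_MATCH: No matching cipher found: client aes256-gcm@openssh.com,aes128-ctr server aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
"""

# Assumption: a CTR-only server offer (the set named in a reply below as
# "ip ssh server algorithm encryption"); whether this 4500X release accepts
# that command is not established in the thread, so it is one candidate only.
CTR_SET = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]


def parse_no_match(line: str) -> Optional[Dict[str, object]]:
    """Return the failing category and both proposal lists, or None."""
    m = NO_MATCH_RE.search(line)
    if m is None:
        return None
    return {"what": m.group("what"),
            "client": m.group("client").split(","),
            "server": m.group("server").split(",")}


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the first name on the client's list that is also
    on the server's list is chosen; None means the connection fails here."""
    offered = set(server)
    return next((name for name in client if name in offered), None)


def is_cbc(name: str) -> bool:
    return name.endswith("-cbc")


def triage(log: str) -> List[Dict[str, object]]:
    """One finding per NO_MATCH line, with both ways of getting a match."""
    findings = []
    for line in log.splitlines():
        rec = parse_no_match(line)
        if rec is None:
            continue
        client, server = rec["client"], rec["server"]
        findings.append({
            "what": rec["what"],
            "negotiated": negotiate(client, server),       # None: what the switch logged
            "server_cbc_only": all(is_cbc(s) for s in server),
            # Client side: OpenSSH pinned to a CBC cipher, e.g. `ssh -c aes256-cbc host`
            "client_offers_cbc": negotiate(["aes256-cbc"], server),
            # Server side: switch reconfigured to offer the CTR set instead
            "server_offers_ctr": negotiate(client, CTR_SET),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The empty intersection reproduces the logged failure: the client offers no CBC mode and the server offers nothing else. Pinning the client to a CBC cipher gets a session today but keeps the switch on ciphers modern clients dropped for a reason; moving the server to CTR is the direction to aim for if the platform supports it.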

15 Replies

balaji.bandi
Hall of Fame

Is this login issue when using CLI Analyzer or when using PuTTY (are you able to connect, or is it still an issue?)

can you post show version

show run | in ssh

I generally follow the steps below:

######### Generate SSH keys:
crypto key generate rsa

ip domain-name bb.com

ip ssh version 2

line vty 0 4
privilege level 15
transport input ssh

If you want a specific algorithm:

ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh server algorithm authentication password
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr

For example, you can also use the other options:

Switch(config)#ip ssh client algorithm encryption ?
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I cannot access the switch via PuTTY, CLI Analyzer, or another switch. I have already tried what you listed before posting, and the ip ssh client command is not recognized on a 4500x.

4500X-01#sh run | i ssh
ip ssh version 2
transport input ssh
transport input ssh

4500X-01#sh run | b line vty
line vty 0 4
access-class SSH_ACCESS in
exec-timeout 300 0
transport input ssh
line vty 5 15
access-class SSH_ACCESS in
exec-timeout 300 0
transport input ssh

Can you post the show version

show license

If you do not have an SSH config, you won't be able to connect.

Try the below:

config t

ip ssh ver 2 - what error do you get?

BB

This is running a K9 image.

4500X-01#sh ver
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.04.00.SG RELEASE SOFTWARE (fc3)

ROM: 15.0(1r)SG7
4500X-01 uptime is 10 years, 6 weeks, 3 days, 3 hours, 38 minutes
Uptime for this control processor is 10 years, 6 weeks, 3 days, 3 hours, 40 minutes
System returned to ROM by power-on
System restarted at 08:31:53 CDT Sat Mar 2 2013
System image file is "bootflash:cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin"
Jawa Revision 2, Winter Revision 0x0.0x1C

Last reload reason: power-on

License Information for 'WS-C4500X-32'
License Level: entservices Type: Permanent
Next reboot license Level: entservices

cisco WS-C4500X-32 (MPC8572) processor (revision 4) with 4194304K/20480K bytes of memory.
Processor board ID JAE16480B0I
MPC8572 CPU at 1.5GHz, Cisco Catalyst 4500X
Last reset from PowerUp
55 Virtual Ethernet interfaces
80 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2102

config t

ip ssh ver 2 - what error do you get?

10 years - what a good uptime (I have seen a 6509 at 10 years before)

BB

I don't get an error when entering that.

Try using DH. 

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 <IP address>

But wow. 10 years uptime on an 11-year-old platform. On a version "0". Hats off.

No matching cipher found <<- this makes SSH fail.
Can you share
show ip ssh <<- share this

Sure, here you go:

SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa (I REMOVED THIS FIELD)

The Switch supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key,
192-bit key, or 256-bit key. However, symmetric cipher AES to encrypt the keys is not supported.

I don't fully get what Cisco means with the bold statement, but I think it can cause SSH to fail.

marce1000
VIP
  - Strange %SEC-6-IPACCESSLOGP; it is normally an informational message, as the noted logging level -6- (informational) indicates. It's unclear 'what happened to the ciphers'; you may, for instance, on a system with nmap installed, run:
nmap --script ssh2-enum-algos target
(target is the hostname of your 4500)

 M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
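An added example, not part of marce1000's reply or of nmap: the wire-level version of what `ssh2-enum-algos` reports. An SSH server announces everything it supports in its SSH_MSG_KEXINIT before any key exchange, so one TCP connection, an identification string and a minimal client KEXINIT are enough to read the server's ten name-lists and check them against what current clients accept by default. The codec is testable offline on a constructed server KEXINIT modelled on the cipher list logged in this thread (the kex and MAC lists in that sample are assumptions; the thread does not show them). `enumerate_server` does the live exchange and needs a reachable host; `audit` flags a CBC-only cipher offer and the 1024-bit diffie-hellman-group1-sha1 group suggested earlier in the thread.

```python
"""Read an SSH server's KEXINIT and list what it offers (no third-party code)."""
import os
import socket
import struct
from typing import Dict, List, Tuple

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]


def build_kexinit(lists: Dict[str, List[str]], cookie: bytes = bytes(16)) -> bytes:
    """Encode a KEXINIT payload: id, 16-byte cookie, ten name-lists, flag, reserved."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + bytes(4)   # first_kex_packet_follows=false, reserved=0


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Decode a KEXINIT payload back into its name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 1 + 16, {}
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        pos += 4 + n
    return out


def frame(payload: bytes) -> bytes:
    """Unencrypted binary packet framing (RFC 4253 section 6): uint32 packet
    length, byte padding length, payload, at least 4 bytes of padding, total a
    multiple of 8."""
    pad = 8 - (len(payload) + 5) % 8
    if pad < 4:
        pad += 8
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)


def unframe(packet: bytes) -> bytes:
    length, pad = struct.unpack_from(">IB", packet)
    return packet[5:5 + length - 1 - pad]


def audit(algos: Dict[str, List[str]]) -> List[str]:
    """Flag offers that current OpenSSH clients do not accept by default."""
    findings = []
    ciphers = algos["encryption_algorithms_server_to_client"]
    if ciphers and all(c.endswith("-cbc") for c in ciphers):
        findings.append("only CBC ciphers offered")
    if "diffie-hellman-group1-sha1" in algos["kex_algorithms"]:
        findings.append("diffie-hellman-group1-sha1 (1024-bit) offered")
    return findings


def _read_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def enumerate_server(host: str, port: int = 22, timeout: float = 5.0) -> Tuple[str, Dict[str, List[str]]]:
    """Live exchange: identification strings, then read the server's KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexinit_enum_example\r\n")
        line = b""
        while not line.startswith(b"SSH-"):        # skip pre-banner text lines (RFC 4253 4.2)
            line = b""
            while not line.endswith(b"\n"):
                line += _read_exact(s, 1)
        version = line.rstrip(b"\r\n").decode("ascii", "replace")
        s.sendall(frame(build_kexinit({            # minimal client proposal, random cookie
            "kex_algorithms": ["diffie-hellman-group14-sha1"], "server_host_key_algorithms": ["ssh-rsa"],
            "encryption_algorithms_client_to_server": ["aes128-ctr"], "encryption_algorithms_server_to_client": ["aes128-ctr"],
            "mac_algorithms_client_to_server": ["hmac-sha1"], "mac_algorithms_server_to_client": ["hmac-sha1"],
            "compression_algorithms_client_to_server": ["none"], "compression_algorithms_server_to_client": ["none"],
        }, cookie=os.urandom(16))))
        head = _read_exact(s, 5)
        length, _pad = struct.unpack(">IB", head)
        return version, parse_kexinit(unframe(head + _read_exact(s, length - 1)))


# Constructed sample server KEXINIT: cipher lists copied from the thread's
# NO_MATCH log; kex and MAC lists are assumptions for illustration only.
SAMPLE_SERVER_LISTS = {
    "kex_algorithms": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_algorithms_client_to_server": ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "encryption_algorithms_server_to_client": ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha1", "hmac-sha1-96"],
    "mac_algorithms_server_to_client": ["hmac-sha1", "hmac-sha1-96"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}
SAMPLE_SERVER_PACKET = frame(build_kexinit(SAMPLE_SERVER_LISTS))

if __name__ == "__main__":
    offered = parse_kexinit(unframe(SAMPLE_SERVER_PACKET))
    print(offered["encryption_algorithms_server_to_client"], audit(offered))
```

Usage against a real device is `enumerate_server("10.200.1.1")` from a host inside the SSH_ACCESS list; the connection is dropped right after the server's KEXINIT, so it never reaches authentication and leaves only the %SEC-6-IPACCESSLOGP entry behind. The server's name-lists are the ground truth for the "what happened to the ciphers" question: whatever they contain is all the switch will ever accept, regardless of what the client is told to add.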

marce1000
VIP
  - Another possibility is that, due to the older version and long uptime, some certificates have expired, which would account for the 'sudden effect'; you may try to set the time back (and/or disable NTP), for instance.

 M.

I tried this and it didn't work unfortunately. Disabled NTP and manually set clock/date back 3 years.

    >...I tried this and it didn't work unfortunately. Disabled NTP and manually set clock/date back 3 years.
         I would then upgrade the switch to the latest advisory release (your current software version is also old).

 M.