04-14-2023 09:12 AM
I am unable to SSH to our 4500x core switches all of a sudden via putty, cisco CLI analyzer, or from another switch. In the logs, I see the following when I try to SSH to it.
Apr 14 15:08:34.476: %SEC-6-IPACCESSLOGP: list SSH_ACCESS permitted tcp 10.200.1.200(7037) -> 0.0.0.0(22), 1 packet
Apr 14 15:08:34.481: %SSH-3-NO_MATCH: No matching cipher found: client chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com server aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Apr 14 15:08:45.982: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: NAME REMOVED] [Source: 10.200.1.200] [localport: 22] [Reason: Login Authentication Failed] at 10:08:45 CDT Fri Apr 14 2023
I know my logins are correct as they are saved in CLI analyzer. I've already tried the following:
When I try to SSH to it from a switch, I get the following error:
%SSH: CBC Ciphers got moved out of default config. Please configure ciphers as required(to match peer ciphers)
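The %SSH-3-NO_MATCH line in the first post already contains the whole answer: the client offers only CTR/GCM/ChaCha ciphers and the switch offers only CBC ones, so the two lists have no overlap. This added script (not from the thread or from Cisco) parses such log lines, reports whether the switch is offering CBC-only ciphers, and lists the non-CBC ciphers from the client's offer that IOS also knows (the names from the "?" help later in the thread), which is the set you would put in `ip ssh server algorithm encryption`; the sample log excerpt is constructed in the same format as the post's lines.

```python
import re
from typing import Optional

# Cipher names the IOS "ip ssh ... algorithm encryption ?" help lists in this thread.
IOS_CIPHERS = {"3des-cbc", "aes128-cbc", "aes128-ctr", "aes192-cbc",
               "aes192-ctr", "aes256-cbc", "aes256-ctr"}
# CBC-mode ciphers: the only ones the switch offered, and the ones modern clients drop.
CBC_CIPHERS = {c for c in IOS_CIPHERS if c.endswith("-cbc")}

NO_MATCH_RE = re.compile(
    r"%SSH-3-NO_MATCH: No matching cipher found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

def analyze_no_match(line: str) -> Optional[dict]:
    """Explain one %SSH-3-NO_MATCH line; returns None for any other log line."""
    m = NO_MATCH_RE.search(line)
    if m is None:
        return None
    client = m.group("client").split(",")
    server = m.group("server").split(",")
    common = [c for c in client if c in server]  # in client preference order
    # Server-side fix candidates: non-CBC ciphers the client offers and IOS knows.
    # An empty list means the client side would have to offer a CTR cipher too.
    suggested = [c for c in client if c in IOS_CIPHERS and c not in CBC_CIPHERS]
    return {"client": client, "server": server, "common": common,
            "server_cbc_only": all(c in CBC_CIPHERS for c in server),
            "suggested_server_ciphers": suggested}

def scan(lines):
    """Run analyze_no_match over a syslog excerpt and keep only the mismatches."""
    return [r for r in (analyze_no_match(l) for l in lines) if r is not None]

# Constructed sample excerpt (same format as the post; second line mirrors its content,
# third is a made-up client that offers only an OpenSSH-specific GCM cipher).
SAMPLE_LOGS = [
    "Apr 14 15:08:34.476: %SEC-6-IPACCESSLOGP: list SSH_ACCESS permitted tcp "
    "10.200.1.200(7037) -> 0.0.0.0(22), 1 packet",
    "Apr 14 15:08:34.481: %SSH-3-NO_MATCH: No matching cipher found: client "
    "chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes256-gcm@openssh.com server "
    "aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc",
    "Apr 14 15:20:01.000: %SSH-3-NO_MATCH: No matching cipher found: client "
    "aes256-gcm@openssh.com server aes256-ctr,aes128-cbc",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print("common:", f["common"] or "NONE", "| server CBC-only:", f["server_cbc_only"],
              "| suggested server list:", " ".join(f["suggested_server_ciphers"]) or "(none)")
```

For the post's own line the output is no common cipher, server CBC-only, and the suggestion `aes128-ctr aes192-ctr aes256-ctr`, which is exactly the server-side list shown in the first reply.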
04-14-2023 10:09 AM
Is this login issue using CLI Analyzer or using PuTTY (are you able to connect, or is it still an issue?)
can you post show version
show run | in ssh
I generally follow the steps below:
######### Generate SSH keys :
crypto key generate rsa
ip domain-name bb.com
ip ssh version 2
line vty 0 4
privilege level 15
transport input ssh
If you want specific algorithms:
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh server algorithm authentication password
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
For example, you can also use other options:
Switch(config)#ip ssh client algorithm encryption ?
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode
04-14-2023 10:15 AM
I cannot access the switch via putty, cli analyzer, or another switch. I have already tried what you listed before posting and the ip ssh client command is not recognized on a 4500x.
4500X-01#sh run | i ssh
ip ssh version 2
transport input ssh
transport input ssh
4500X-01#sh run | b line vty
line vty 0 4
access-class SSH_ACCESS in
exec-timeout 300 0
transport input ssh
line vty 5 15
access-class SSH_ACCESS in
exec-timeout 300 0
transport input ssh
04-14-2023 10:17 AM - edited 04-14-2023 10:19 AM
Can you post the show version
show License
If you do not have SSH config, you won't be able to connect.
Try below:
config t
IP ssh ver 2 - what error do you get?
04-14-2023 10:22 AM
This is running a K9 image.
4500X-01#sh ver
Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.04.00.SG RELEASE SOFTWARE (fc3)
ROM: 15.0(1r)SG7
4500X-01 uptime is 10 years, 6 weeks, 3 days, 3 hours, 38 minutes
Uptime for this control processor is 10 years, 6 weeks, 3 days, 3 hours, 40 minutes
System returned to ROM by power-on
System restarted at 08:31:53 CDT Sat Mar 2 2013
System image file is "bootflash:cat4500e-universalk9.SPA.03.04.00.SG.151-2.SG.bin"
Jawa Revision 2, Winter Revision 0x0.0x1C
Last reload reason: power-on
License Information for 'WS-C4500X-32'
License Level: entservices Type: Permanent
Next reboot license Level: entservices
cisco WS-C4500X-32 (MPC8572) processor (revision 4) with 4194304K/20480K bytes of memory.
Processor board ID JAE16480B0I
MPC8572 CPU at 1.5GHz, Cisco Catalyst 4500X
Last reset from PowerUp
55 Virtual Ethernet interfaces
80 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Configuration register is 0x2102
04-14-2023 10:26 AM
config t
IP ssh ver 2 - what error do you get?
10 years - what a good uptime (I have seen a 6509 with 10 years before).
04-14-2023 11:17 AM
I don't get an error when entering that.
04-14-2023 07:50 PM
Try using DH.
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 <IP address>
But wow. 10 years uptime on an 11 year old platform. On a version "0". Hats off.
04-15-2023 12:25 AM
No matching cipher found <<- this makes SSH fail
Can you share
show ip ssh <<- share this
04-17-2023 08:11 AM
Sure, here you go:
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa (I REMOVED THIS FIELD)
04-17-2023 08:46 AM
The Switch supports the Advanced Encryption Standard (AES) encryption algorithm with a 128-bit key,
192-bit key, or 256-bit key. However, symmetric cipher AES to encrypt the keys is not supported.
I don't fully get what Cisco means with the BOLD statement, but I think it can cause SSH to fail.
04-14-2023 10:10 AM
- Strange. %SEC-6-IPACCESSLOGP is normally an informational message, because of the noted logging level -6- (which is informational); it's unclear 'what happened to the ciphers'. You may, for instance, on a system with nmap installed, run:
nmap --script ssh2-enum-algos target
(target is the hostname of your 4500)
M.
04-14-2023 10:44 PM
- Another possibility is that, due to the older version and long uptime, some certificates expired, which would account for the 'sudden effect'; you may try to set the time back (and/or disable NTP), for instance.
M.
04-17-2023 08:10 AM
I tried this and it didn't work unfortunately. Disabled NTP and manually set clock/date back 3 years.
04-17-2023 08:29 AM
>...I tried this and it didn't work unfortunately. Disabled NTP and manually set clock/date back 3 years.
I would then upgrade the switch to the latest advisory release (your current software version is also old).
M.