10-09-2014 11:19 AM - edited 03-10-2019 10:06 PM
Any idea how to resolve this? I can't seem to ssh into the router, and consoling in yields the following error message.
Running cat4500e-entservicesk9-mz.151-1.SG.bin on a 4948.
*Dec 31 17:32:39 PST: SSH2 0: input: padlength 6 bytes
*Dec 31 17:32:39 PST: SSH2 0: SSH2_MSG_KEXINIT received
*Dec 31 17:32:39 PST: SSH2:kex: client->server enc:aes128-cbc mac:hmac-sha1
*Dec 31 17:32:39 PST: SSH2:kex: server->client enc:aes128-cbc mac:hmac-sha1
*Dec 31 17:32:39 PST: SSH2 0: ssh_receive: 24 bytes received
*Dec 31 17:32:39 PST: SSH2 0: input: total packet length of 24 bytes
*Dec 31 17:32:39 PST: SSH2 0: partial packet length(block size)8 bytes,needed 16 bytes,
maclen 0
*Dec 31 17:32:39 PST: SSH2 0: input: padlength 6 bytes
*Dec 31 17:32:39 PST: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
*Dec 31 17:32:39 PST: SSH2 0: Range sent by client is - 1024 < 7680 < 8192
*Dec 31 17:32:39 PST: %SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with maximum configured DH key on server
*Dec 31 17:32:40 PST: SSH0: Session disconnected - error 0x00
fr01.ash2#
05-28-2019 07:32 AM
Sorry for updating in this old thread.
I just had this issue on a newly patched Catalyst 2960X, which was upgraded to 15.2(7)E.
Our self-made application only supported DH key lengths of 1024, but this new IOS only supports 2048 or 4096.
hostnam(config)#ip ssh dh min size ?
2048 Diffie Group 14 2048-bit key
4096 Diffie Group 16 4096-bit key
Here is the debug output:
May 28 13:55:59.615: SSH0: starting SSH control process
May 28 13:55:59.615: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
May 28 13:55:59.615: SSH0: protocol version id is - SSH-2.0-Renci.SshNet.SshClient.0.0.1
May 28 13:55:59.615: SSH2 0: kexinit sent: kex algo = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
May 28 13:55:59.615: SSH2 0: Server certificate trustpoint not found. Skipping hostkey algo = x509v3-ssh-rsa
May 28 13:55:59.615: SSH2 0: kexinit sent: hostkey algo = ssh-rsa
May 28 13:55:59.615: SSH2 0: kexinit sent: encryption algo = aes128-ctr,aes192-ctr,aes256-ctr
May 28 13:55:59.615: SSH2 0: kexinit sent: mac algo = hmac-sha1,hmac-sha1-96
May 28 13:55:59.615: SSH2 0: send:packet of length 256 (length also includes padlen of 4)
May 28 13:55:59.618: SSH2 0: SSH2_MSG_KEXINIT sent
May 28 13:55:59.622: SSH2 0: ssh_receive: 464 bytes received
May 28 13:55:59.622: SSH2 0: input: total packet length of 464 bytes
May 28 13:55:59.622: SSH2 0: partial packet length(block size)8 bytes,needed 456 bytes,
maclen 0
May 28 13:55:59.622: SSH2 0: input: padlength 14 bytes
May 28 13:55:59.622: SSH2 0: SSH2_MSG_KEXINIT received
May 28 13:55:59.622: SSH2 0: kex: client->server enc:aes256-ctr mac:hmac-sha1
May 28 13:55:59.622: SSH2 0: kex: server->client enc:aes256-ctr mac:hmac-sha1
May 28 13:55:59.622: SSH2 0: Using kex_algo = diffie-hellman-group-exchange-sha1
May 28 13:55:59.622: SSH2 0: ssh_receive: 32 bytes received
May 28 13:55:59.622: SSH2 0: input: total packet length of 32 bytes
May 28 13:55:59.622: SSH2 0: partial packet length(block size)8 bytes,needed 24 bytes,
maclen 0
May 28 13:55:59.622: SSH2 0: input: padlength 14 bytes
May 28 13:55:59.622: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
May 28 13:55:59.622: SSH2 0: Range sent by client is - 1024 < 1024 < 1024
May 28 13:55:59: %SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with minimum configured DH key on server
May 28 13:55:59.622: SSH2 0: send:packet of length 104 (length also includes padlen of 7)
May 28 13:55:59.727: SSH0: Session disconnected - error 0x00
We fixed it by upgrading our SSH client to a (much) more recent version in our application.
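Added example, not part of any post in this thread and not Cisco tooling: a small Python parser that pairs each `%SSH-3-DH_RANGE_FAIL` line with the preceding "Range sent by client" line, so collected debug logs show which clients still request group-exchange ranges the switch rejects. The function name, the `server_min` parameter (defaulting to 2048, the smallest size listed by `ip ssh dh min size ?` above) and the `weak_only` field are assumptions of this example; the sample lines are copied from the two captures in the thread.

```python
import re

# Sample input assembled from the two debug captures quoted in this thread.
SAMPLE = """\
*Dec 31 17:32:39 PST: SSH2 0: Range sent by client is - 1024 < 7680 < 8192
*Dec 31 17:32:39 PST: %SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with maximum configured DH key on server
May 28 13:55:59.615: SSH0: protocol version id is - SSH-2.0-Renci.SshNet.SshClient.0.0.1
May 28 13:55:59.622: SSH2 0: Range sent by client is - 1024 < 1024 < 1024
May 28 13:55:59: %SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with minimum configured DH key on server
"""

CLIENT_RE = re.compile(r"protocol version id is - (\S+)")
RANGE_RE = re.compile(r"Range sent by client is - (\d+) < (\d+) < (\d+)")
FAIL_RE = re.compile(r"%SSH-3-DH_RANGE_FAIL: .* with (minimum|maximum) configured")


def find_dh_range_failures(log_text, server_min=2048):
    """Return one record per DH_RANGE_FAIL event found in IOS SSH debug output.

    server_min is an assumption of this example: the smallest DH size the
    server is configured to accept.
    """
    findings, client, last_range = [], None, None
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            client = m.group(1)              # client's SSH version banner
        elif m := RANGE_RE.search(line):
            last_range = tuple(int(g) for g in m.groups())
        elif (m := FAIL_RE.search(line)) and last_range:
            lo, preferred, hi = last_range
            findings.append({
                "client": client,
                "min": lo,
                "preferred": preferred,
                "max": hi,
                "bound": m.group(1),         # which server limit the log names
                # True when the client cannot accept any group >= server_min,
                # i.e. the client itself has to be upgraded or reconfigured.
                "weak_only": hi < server_min,
            })
            client, last_range = None, None  # reset for the next session
    return findings


if __name__ == "__main__":
    for f in find_dh_range_failures(SAMPLE):
        print(f)
```

A record with `weak_only` set identifies a client whose largest acceptable group is below the server minimum, which is the situation the 2960X post describes.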
10-14-2014 11:20 AM
Hi debottym2
Check this previous post,
https://supportforums.cisco.com/discussion/11396186/ssh-3-dhrangefail
There is also a bug reported (not sure if you're matching)
https://tools.cisco.com/bugsearch/bug/CSCuo76464
Hope this helps
Do not forget to rate helpful posts
-Randy-