SSH2 issues

debottym2
Level 1

Any idea how to resolve this? I can't seem to ssh into the router, and consoling in yields the following error message.

Running cat4500e-entservicesk9-mz.151-1.SG.bin on a 4948.

 

 

*Dec 31 17:32:39 PST: SSH2 0: input: padlength 6 bytes
*Dec 31 17:32:39 PST: SSH2 0: SSH2_MSG_KEXINIT received
*Dec 31 17:32:39 PST: SSH2:kex: client->server enc:aes128-cbc mac:hmac-sha1
*Dec 31 17:32:39 PST: SSH2:kex: server->client enc:aes128-cbc mac:hmac-sha1
*Dec 31 17:32:39 PST: SSH2 0: ssh_receive: 24 bytes received
*Dec 31 17:32:39 PST: SSH2 0: input: total packet length of 24 bytes
*Dec 31 17:32:39 PST: SSH2 0: partial packet length(block size)8 bytes,needed 16 bytes,
               maclen 0
*Dec 31 17:32:39 PST: SSH2 0: input: padlength 6 bytes
*Dec 31 17:32:39 PST: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
*Dec 31 17:32:39 PST: SSH2 0: Range sent by client is - 1024 < 7680 < 8192
*Dec 31 17:32:39 PST: %SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with maximum configured DH key on server
*Dec 31 17:32:40 PST: SSH0: Session disconnected - error 0x00
fr01.ash2#

Accepted Solution

Sorry for updating in this old thread.

 

I just had this issue on a newly patched Catalyst 2960X, which was upgraded to 15.2(7)E.

 

Our self-made application only supported DH key lengths of 1024, but this new IOS only supports 2048 or 4096.

hostnam(config)#ip ssh dh min size ?
2048 Diffie Group 14 2048-bit key
4096 Diffie Group 16 4096-bit key

 

Here is the debug output:

May 28 13:55:59.615: SSH0: starting SSH control process
May 28 13:55:59.615: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
May 28 13:55:59.615: SSH0: protocol version id is - SSH-2.0-Renci.SshNet.SshClient.0.0.1
May 28 13:55:59.615: SSH2 0: kexinit sent: kex algo = diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
May 28 13:55:59.615: SSH2 0: Server certificate trustpoint not found. Skipping hostkey algo = x509v3-ssh-rsa
May 28 13:55:59.615: SSH2 0: kexinit sent: hostkey algo = ssh-rsa
May 28 13:55:59.615: SSH2 0: kexinit sent: encryption algo = aes128-ctr,aes192-ctr,aes256-ctr
May 28 13:55:59.615: SSH2 0: kexinit sent: mac algo = hmac-sha1,hmac-sha1-96
May 28 13:55:59.615: SSH2 0: send:packet of length 256 (length also includes padlen of 4)
May 28 13:55:59.618: SSH2 0: SSH2_MSG_KEXINIT sent
May 28 13:55:59.622: SSH2 0: ssh_receive: 464 bytes received
May 28 13:55:59.622: SSH2 0: input: total packet length of 464 bytes
May 28 13:55:59.622: SSH2 0: partial packet length(block size)8 bytes,needed 456 bytes,
maclen 0
May 28 13:55:59.622: SSH2 0: input: padlength 14 bytes
May 28 13:55:59.622: SSH2 0: SSH2_MSG_KEXINIT received
May 28 13:55:59.622: SSH2 0: kex: client->server enc:aes256-ctr mac:hmac-sha1
May 28 13:55:59.622: SSH2 0: kex: server->client enc:aes256-ctr mac:hmac-sha1
May 28 13:55:59.622: SSH2 0: Using kex_algo = diffie-hellman-group-exchange-sha1
May 28 13:55:59.622: SSH2 0: ssh_receive: 32 bytes received
May 28 13:55:59.622: SSH2 0: input: total packet length of 32 bytes
May 28 13:55:59.622: SSH2 0: partial packet length(block size)8 bytes,needed 24 bytes,
maclen 0
May 28 13:55:59.622: SSH2 0: input: padlength 14 bytes
May 28 13:55:59.622: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
May 28 13:55:59.622: SSH2 0: Range sent by client is - 1024 < 1024 < 1024
May 28 13:55:59: %SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with minimum configured DH key on server
May 28 13:55:59.622: SSH2 0: send:packet of length 104 (length also includes padlen of 7)
May 28 13:55:59.727: SSH0: Session disconnected - error 0x00

 

We fixed it by upgrading our SSH client to a (much) more recent version in our application. 


rvarelac
Level 7

Hi

 

Check this previous post:

https://supportforums.cisco.com/discussion/11396186/ssh-3-dhrangefail

 

There is also a bug reported (not sure if you're matching):

https://tools.cisco.com/bugsearch/bug/CSCuo76464

 

Hope this helps

Do not forget to rate helpful posts

-Randy-
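Added example, not part of the original thread or Cisco's tooling: a small parser that pairs each %SSH-3-DH_RANGE_FAIL line in `debug ip ssh` output with the group-exchange range the client sent just before it, so failing clients can be identified and sorted by which server bound they missed. The function name `find_dh_range_failures` and the result field names are hypothetical; the sample lines are taken from the two captures above.

```python
import re

# Constructed sample: lines copied from the two debug captures in this thread.
SAMPLE = """\
*Dec 31 17:32:39 PST: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
*Dec 31 17:32:39 PST: SSH2 0: Range sent by client is - 1024 < 7680 < 8192
*Dec 31 17:32:39 PST: %SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with maximum configured DH key on server
May 28 13:55:59.615: SSH0: protocol version id is - SSH-2.0-Renci.SshNet.SshClient.0.0.1
May 28 13:55:59.622: SSH2 0: Using kex_algo = diffie-hellman-group-exchange-sha1
May 28 13:55:59.622: SSH2 0: Range sent by client is - 1024 < 1024 < 1024
May 28 13:55:59: %SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with minimum configured DH key on server
"""

CLIENT_ID = re.compile(r"protocol version id is - (\S+)")
KEX_ALGO = re.compile(r"Using kex_algo = (\S+)")
GEX_RANGE = re.compile(r"Range sent by client is - (\d+) < (\d+) < (\d+)")
RANGE_FAIL = re.compile(r"%SSH-3-DH_RANGE_FAIL: .* with (minimum|maximum) configured")

def find_dh_range_failures(log_text):
    """Pair each DH_RANGE_FAIL with the group-exchange range that preceded it."""
    findings, ctx = [], {}
    for line in log_text.splitlines():
        if m := CLIENT_ID.search(line):
            ctx = {"client": m.group(1)}  # a client banner marks a new session
        elif m := KEX_ALGO.search(line):
            ctx["kex"] = m.group(1)
        elif m := GEX_RANGE.search(line):
            # min / preferred / max, the three fields of
            # SSH_MSG_KEX_DH_GEX_REQUEST (RFC 4419)
            ctx["range"] = tuple(int(g) for g in m.groups())
        elif (m := RANGE_FAIL.search(line)) and "range" in ctx:
            lo, pref, hi = ctx["range"]
            findings.append({
                "client": ctx.get("client", "unknown"),
                "kex": ctx.get("kex", "unknown"),
                "min": lo, "preferred": pref, "max": hi,
                "server_bound": m.group(1),  # which configured bound was missed
                # 2048 is the smallest 'ip ssh dh min size' value shown above
                "client_capped_below_2048": hi < 2048,
            })
            ctx = {}  # do not carry state into the next session
    return findings

if __name__ == "__main__":
    for f in find_dh_range_failures(SAMPLE):
        print(f)
```

A finding with `server_bound` of `minimum` and `client_capped_below_2048` set points at a client that has to be upgraded, as in the accepted solution; a `maximum` finding points at a client asking for more than the server is configured to offer.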

 
