
4510+R ssh error after upgrade xe 3.11.07 to xe 3.11.09

Hubert Kupper
Level 1

Hi,

After an upgrade from xe 3.11.07 to 3.11.09 we cannot open an SSH session to our 4510+R switch. Before the upgrade everything worked fine. The error message in the log is:

%SSH-3-BAD_PACK_LEN: Bad packet length

We zeroised the RSA key and generated it anew, but the error still occurs.

Any idea?

Regards, Hubert

Accepted Solutions

Thanks for the update and confirmation.

I have re-posted the EEM here to save people the time.

event manager applet KEX_ALGO
 event syslog pattern "SSH-3-BAD_PACK_LEN"
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 action 3.0 cli command "ip ssh server algorithm kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1"
 action 4.0 cli command "end"

Update (27 November 2023): CSCwi02895

IMPORTANT: The above EEM is a workaround and should not be treated as a permanent "fix".

64 Replies

marce1000
VIP

- Possibly your client does not support newer ciphers; examine with:
      % nmap --script ssh2-enum-algos switch-hostname
  and compare with the available ciphers on the client.
  The Linux ssh client (or perhaps others) also supports verbose mode, which when enabled can also provide (similar) insights.

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

I compared the ciphers on the 4510 and my clients. They were the same as before.

No clients (ubuntu, windows, debian, etc.) work after the xe upgrade.

We won't go back to xe 3.11.07 because there are security issues.

Leo Laohoo
Hall of Fame

@Hubert Kupper wrote:
We zeroised the RSA key and generated it anew, but the error still occurs.

How big is the key, 2048? 4096?

Is SSHv2 enabled?

SSHv2 is enabled; the key size is 2048.

Before we did the upgrade, we changed nothing in the configuration.

There are dual Supervisor 8 modules in redundancy mode in the switch.

After falling back to 3.11.07 for testing, without changing the config on the switch or the clients, SSH works again.

Solved: Re: SSH ISSUE %SSH-3-BAD_PACK_LEN: Bad packet length - Cisco Community
suggests checking/upgrading your PuTTY (or other SSH client) version.

I used different clients on Windows and Linux and none of them connects. When I downgrade to 3.11.07 all clients work fine.

Leo Laohoo
Hall of Fame

Post the complete output of the command "sh ssh".

Thanks to all for your answers. I'm out of office today. I will post the output tomorrow.

sh ssh
%No SSHv2 server connections running.

# sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): SSH-KEY
Modulus Size : 4096 bits
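
Added example (not part of any post in this thread, and not Cisco's code): a Python script that does the client/switch algorithm comparison suggested earlier, using the "sh ip ssh" lines posted above. It applies the RFC 4253 selection rule to show which KEX a client ends up with under the posted list and under the list the EEM workaround configures; the client proposal is constructed and all function names are assumptions.

```python
# Added example, not from the thread: which algorithms would client and switch agree on?
# Server lines are copied from the "sh ip ssh" output posted above.
SHOW_IP_SSH = """\
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
"""
# KEX list set by the EEM workaround in the accepted solution.
WORKAROUND_KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"]
# Constructed client proposal (assumption), in preference order; replace with the
# lists your own client offers (e.g. taken from its verbose output).
CLIENT = {
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256",
            "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-ed25519", "rsa-sha2-512", "ssh-rsa"],
    "encryption": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
}
LABELS = {"KEX Algorithms": "kex", "Hostkey Algorithms": "hostkey",
          "Encryption Algorithms": "encryption", "MAC Algorithms": "mac"}

def parse_show_ip_ssh(text):
    """Return {category: [algorithms]} for the four negotiated categories."""
    server = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        key = LABELS.get(label.strip())
        if sep and key:
            server[key] = [a.strip() for a in value.split(",") if a.strip()]
    return server

def negotiate(client, server):
    """RFC 4253 section 7.1, simplified: per category, the first algorithm on the
    client's list that the server also lists; None means no common algorithm."""
    return {cat: next((a for a in algos if a in server.get(cat, [])), None)
            for cat, algos in client.items()}

def before_and_after(show_output, client, workaround_kex=WORKAROUND_KEX):
    """Negotiation result with the posted server lists and with the workaround KEX list."""
    server = parse_show_ip_ssh(show_output)
    return negotiate(client, server), negotiate(client, {**server, "kex": workaround_kex})

if __name__ == "__main__":
    for name, result in zip(("posted lists", "with workaround"), before_and_after(SHOW_IP_SSH, CLIENT)):
        print(name, result)
```

A None for "kex" in the second result means the client offers neither of the two SHA-1 KEX methods the workaround leaves on the switch, so that client would need one of them enabled while the workaround is in place.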
