Solved: Re: c9200L Unable to SSH

azman.mansor · ‎10-25-2021

Hello Experts,

Need your help on my issue once I 've installed new access switch 9200L model to replace 2960s series. Problem is I cant ssh from other switch to new switch 9200

Error prompt out

xx-xx-c3750x-01#ssh 10.245.122.3

[Connection to 10.245.122.3 aborted: error status 0]

Below my configuration in that new switch

ip default-gateway 10.245.122.254
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
logging history debugging
logging trap debugging
!
snmp-server community public RO
snmp-server community continw02 RW
!
control-plane
service-policy input system-cpp-policy
!
banner motd ^CCC
========================================================================================
Unauthorised access and/or misuse of the systems is prohibited and a serious
offence under Malaysia laws. Disconnect immediately if you are not an authorized user!
========================================================================================
^C
!
line con 0
session-timeout 30
exec-timeout 5 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 30
exec-timeout 5 0
login local
transport input telnet ssh
transport output telnet ssh
line vty 5 15
session-timeout 30
exec-timeout 5 0
login local
transport input telnet ssh
transport output telnet ssh
!
ntp server 10.250.200.250
!
!
!
!
!
!
end

balaji.bandi · ‎10-26-2021

setup RSA Keys :

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-9/configuration_guide/sec/b_169_sec_9200_cg/configuring_secure_shell__ssh_.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

ilay · ‎10-25-2021

cat9200L uses a more secure encryption algorithm. The IOS12.x version does not have an encryption algorithm that matches the 9200L. Unsuccessful ssh negotiation results in connection failure.You can view the log information of 9200L
Solution:

1. upgrade 2960/3560/3750 ios to 15.x (considering the risk of upgrading, this does not seem to be a good method)
2. Use software like putty for ssh login

-----

log info:

TEST-PoE# show log // Omit part of the output

Oct 26 2021 12:23:37.194 CST: %SSH-3-NO_MATCH: No matching cipher found: client aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr
Oct 26 2021 12:28:32.658 CST: %SSH-3-NO_MATCH: No matching kex algorithm found: client diffie-hellman-group1-sha1 server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

TEST-PoE# sh module
Switch Ports Model Serial No. MAC address Hw Ver. Sw Ver.
------ ----- --------- ----------- -------------- ------- --------
1 28 C9200L-24P-4G JAXXXXXXZGJ 7061.7bcc.cccc V01 16.9.5
TEST-PoE#

azman.mansor · ‎10-27-2021

Hi.. Our network switches running on model 2960x updated to run IOS v15 with no issue with ssh connection and yes i'm using putty to console remotely into the switch

balaji.bandi · ‎10-26-2021

setup RSA Keys :

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/16-9/configuration_guide/sec/b_169_sec_9200_cg/configuring_secure_shell__ssh_.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen · ‎10-27-2021

Hello,

check if you can get the switch to accept the server ciphers:

ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr aes256-cbc aes192-cbc aes128-cbc

azman.mansor · ‎10-27-2021

Hello Georg,

command mentioned accepted but still ssh connection

[Connection to 10.245.112.3 aborted: error status 0]

anything missing in this current configuration below?

Current configuration : 13511 bytes
!
! No configuration change since last restart
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
service counters max age 5
!
hostname pj-r24-c3750x-01
!
boot-start-marker
boot-end-marker
!
logging buffered 32768
no logging console
enable secret 5 $1$XQxW$bznZotozlKPueTuEE6CK6.
!
username conti privilege 15 secret 5 $1$zLA0$5REKtssLFVyfQ86ea/ETb1
!
!
no aaa new-model
clock timezone MYT 8
switch 1 provision ws-c3750x-12s
switch 2 provision ws-c3750x-12s
system mtu routing 1500
no ip source-route
!
!
no ip domain-lookup
ip domain-name tiretech2.contiwan.com
vtp domain conti
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-2936320768
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2936320768
revocation-check none
rsakeypair TP-self-signed-2936320768
!
!
crypto pki certificate chain TP-self-signed-2936320768
certificate self-signed 01
30820261 308201CA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32393336 33323037 3638301E 170D3933 30333031 30303031
33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39333633
32303736 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009C1B 7C6C2730 0E78F85D 927EDF70 AA1485D6 03DF9E38 BD0ED920 9ED1E45A
B7F5053A 43572738 C90E223B D69B45EA 91E0019F BA71E1EC 9902A775 DC64DB5C
608E5C66 68F48FD7 690C9F82 6679B958 FD37216E C31B401B 81BD8292 26D1B6B1
693CDCC2 79E19410 984E2CFA 33445862 3A6F26BD C892A8F6 C04B3349 EEC7617A
82110203 010001A3 81883081 85300F06 03551D13 0101FF04 05300301 01FF3032
0603551D 11042B30 29822770 6A2D7232 342D6333 37353078 2D30312E 74697265
74656368 322E636F 6E746977 616E2E63 6F6D301F 0603551D 23041830 168014DA
5F79F548 2BEF9465 D21C521C CD055B26 EEF42630 1D060355 1D0E0416 0414DA5F
79F5482B EF9465D2 1C521CCD 055B26EE F426300D 06092A86 4886F70D 01010405
00038181 0083C3E8 3F0AFC29 75E0798F C90277FE AF9B195B 7202CEC6 450B19DC
ED8F3748 1D33120D 58E747E6 2010EA15 6806674B 719BEC3C 037144BF F2ED4EF5
7CCEED1A 6883FBD8 7539AD9B 69A91860 AADDE8EE 6C41A919 F7405FF2 5BDB470E
B54F6CD3 E20C2A91 F908A880 4E79AEE6 05C7471C C59A1417 A238AD65 5C3EED3C
64255201 FA
quit
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 16384

marce1000 · ‎10-27-2021

> Connection to 10.245.112.3 aborted: error status 0

Check the logs on the 9200 when this happens, also use a ssh client which can set or use verbose mode and try again.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

paul driver · ‎10-28-2021

Hello

have you enabled ssh correctly on this device?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul