Cisco ISR 4221 – SSH Disabled After Reboot Even After Configuring RSA

Abu-Man
Level 1

Hello Cisco Community,

I am experiencing an issue with SSH on my Cisco ISR 4221 router.

When I check the SSH status, I see the following:

R# show ip ssh
SSH Disabled - version 2.0
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication methods: publickey, keyboard-interactive, password
Authentication Publickey Algorithms: x509v3-ssh-rsa, ssh-rsa
Hostkey Algorithms: x509v3-ssh-rsa, ssh-rsa
Encryption Algorithms: aes128-ctr, aes192-ctr, aes256-ctr
MAC Algorithms: hmac-sha2-256, hmac-sha2-512, hmac-sha1, hmac-sha1-96
KEX Algorithms: diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format (ssh-rsa, base64 encoded): NONE


To fix it, I configured the SSH host key as follows:

crypto key zeroize rsa
crypto key generate rsa modulus 2048 label SSH_KEY


This worked, and SSH was enabled.
However, after I reboot the router, SSH becomes disabled again and the RSA key is missing (IOS Keys in SECSH format: NONE).

My questions:

  • Why are the SSH keys not persisting after reload on ISR 4221?

  • Do I need an additional command to save or bind the key?

  • Could this be related to IOS XE version, license type, or storage location of the keys?

Any help or pointers would be greatly appreciated.

Thanks in advance!


4 Replies

@Abu-Man hi, did you save the config before reboot?

Please rate this and mark as solution/answer if this resolved your issue.
Good luck
KB

show crypto key mypubkey rsa <<- share this after reboot

MHM

Jens Albrecht
Spotlight

Hello @Abu-Man,

this issue is most likely due to not saving the config after creating the SSH_KEY as mentioned by @Kasun Bandara.

The reason is simple. When you create the keys and then enter the 'reload' command, the router does NOT ask you whether or not you want to save the configuration. From the device's perspective this is correct, as creating SSH keys does not change the system configuration.

You can easily verify this behavior:

Rtr01#sh ip ssh
SSH Disabled - version 2.0
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
...
IOS Keys in SECSH format(ssh-rsa, base64 encoded): NONE
Rtr01#conf t
! Create the SSH_KEY:
Rtr01(config)#crypto key gen rsa mod 2048 label SSH_KEY
The name for the keys will be: SSH_KEY

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

Rtr01(config)#
*Aug 26 13:05:47.082: %SSH-5-ENABLED: SSH 2.0 has been enabled
!
! ### Check the file size of the private-config - it is empty! ###
!
Rtr01(config)#do dir nvram:
Directory of nvram:/

  251  -rw-        3524                    <no date>  startup-config
  252  ----           5                    <no date>  private-config
    1  ----          41                    <no date>  udi
    2  -rw-          17                    <no date>  ecfm_ieee_mib
    3  ----          23                    <no date>  persistent-data

262144 bytes total (255491 bytes free)
! Save the config
Rtr01(config)#do wr
Building configuration...

  [OK]
Rtr01(config)#do write
!
! ### Now check the file size of private-config again - SSH_KEY is saved! ###
!
Rtr01(config)#do dir nvram:
Directory of nvram:/

  248  -rw-        3522                    <no date>  startup-config
  249  ----        3553                    <no date>  private-config
    1  ----          41                    <no date>  udi
    2  -rw-          17                    <no date>  ecfm_ieee_mib
    3  ----          23                    <no date>  persistent-data

262144 bytes total (251945 bytes free)
Rtr01(config)#

Looking at the size of the file private-config shows that the SSH_KEY is only stored after saving the configuration.

So you must save after creating the keys even though the device is not explicitly asking you upon reload.

HTH!
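The private-config size comparison above is the useful tell: the RSA key lives in NVRAM's private-config, not in the running-config, so a device can show SSH enabled while nothing has been written yet. The following is an added pre-reload check, not code from Cisco or from any poster in this thread. It parses the text of 'show ip ssh' and 'dir nvram:' (collected with whatever session library you already use) and classifies the device as 'persisted', 'unsaved' (keys exist only in RAM and will vanish on reload) or 'no-keys'. The sample outputs are copied from the thread except the enabled-state output, which is constructed; the 64-byte "empty private-config" threshold is an assumption for illustration.

```python
"""Pre-reload verification that RSA host keys have reached NVRAM on Cisco IOS / IOS XE.

Added example for this thread; not Cisco code and not any poster's code.
"""
import re

# Assumption: a private-config of only a few bytes holds nothing yet
# (the thread shows 5 bytes before 'write' and 3553 bytes after).
EMPTY_PRIVATE_CONFIG_MAX = 64

SSH_STATUS_RE = re.compile(r"^SSH (Enabled|Disabled) - version ([\d.]+)", re.M)
# IOS prints 'format (' on some releases and 'format(' on others; accept both.
SECSH_KEYS_RE = re.compile(r"IOS Keys in SECSH format ?\(ssh-rsa, base64 encoded\):\s*(\S+)")


def parse_show_ip_ssh(text):
    """Return (enabled, version, key_label_or_None) from 'show ip ssh' output."""
    status = SSH_STATUS_RE.search(text)
    if status is None:
        raise ValueError("unrecognised 'show ip ssh' output")
    keys = SECSH_KEYS_RE.search(text)
    label = keys.group(1) if keys and keys.group(1) != "NONE" else None
    return status.group(1) == "Enabled", status.group(2), label


def parse_dir_nvram(text):
    """Return {filename: size_in_bytes} from 'dir nvram:' output."""
    sizes = {}
    for line in text.splitlines():
        parts = line.split()
        # Entry lines look like: index perms size <date or '<no date>'> name
        if len(parts) >= 4 and parts[0].isdigit() and parts[2].isdigit():
            sizes[parts[-1]] = int(parts[2])
    return sizes


def key_persistence_check(show_ip_ssh, dir_nvram):
    """Classify as 'persisted', 'unsaved' (SSH up but private-config empty) or 'no-keys'."""
    enabled, version, label = parse_show_ip_ssh(show_ip_ssh)
    private_size = parse_dir_nvram(dir_nvram).get("private-config", 0)
    if not enabled:
        verdict = "no-keys"
    elif private_size > EMPTY_PRIVATE_CONFIG_MAX:
        verdict = "persisted"
    else:
        verdict = "unsaved"  # 'write memory' still needed before reload
    return {"ssh_enabled": enabled, "version": version, "key_label": label,
            "private_config_bytes": private_size, "verdict": verdict}


# Sample output copied from the thread (before key generation).
SHOW_SSH_DISABLED = """SSH Disabled - version 2.0
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication methods: publickey, keyboard-interactive, password
IOS Keys in SECSH format (ssh-rsa, base64 encoded): NONE
"""

# Constructed sample of the enabled state; the base64 blob is a placeholder.
SHOW_SSH_ENABLED = """SSH Enabled - version 2.0
Authentication methods: publickey, keyboard-interactive, password
IOS Keys in SECSH format(ssh-rsa, base64 encoded): SSH_KEY
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...placeholder...
"""

# 'dir nvram:' output copied from the thread, before and after 'write'.
DIR_BEFORE_SAVE = """Directory of nvram:/

  251  -rw-        3524                    <no date>  startup-config
  252  ----           5                    <no date>  private-config
    1  ----          41                    <no date>  udi

262144 bytes total (255491 bytes free)
"""

DIR_AFTER_SAVE = """Directory of nvram:/

  248  -rw-        3522                    <no date>  startup-config
  249  ----        3553                    <no date>  private-config
    1  ----          41                    <no date>  udi

262144 bytes total (251945 bytes free)
"""

if __name__ == "__main__":
    for name, ssh, nvram in (("fresh", SHOW_SSH_DISABLED, DIR_BEFORE_SAVE),
                             ("keys generated, not saved", SHOW_SSH_ENABLED, DIR_BEFORE_SAVE),
                             ("keys generated and saved", SHOW_SSH_ENABLED, DIR_AFTER_SAVE)):
        print(f"{name}: {key_persistence_check(ssh, nvram)['verdict']}")
```

Wire the two parsers to live command output and gate your reload on a 'persisted' verdict; an 'unsaved' result is exactly the state the original poster hit, where 'show ip ssh' looks healthy but nothing has been written to private-config.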

Thank you very much, the issue has been resolved.