01-15-2015 05:37 AM
Hi,
I've installed the Cisco Prime 2.2.0 OVA (VMware) and ran discovery with a Credential Profile.
Some of the devices were discovered with Complete state and some with Partial Collection Failure state.
When trying to edit the device (under Network Inventory) and verify credentials, I'm getting the above error "Telnet/SSH : Unreachable", but when I SSH from the Cisco Prime CLI with the same credentials, all works just fine.
%SSH-5-SSH2_SESSION: SSH2 Session request from X.X.X.X (tty = 1) using crypto cipher '', hmac '' Failed
Please help...
10x
Eyal
01-15-2015 08:53 AM
Eyal,
It must be a credentials issue only; please make sure the credentials are correct.
Thanks-
Afroz
01-15-2015 10:59 AM
Hi Afroz,
All of my net devices use AAA for login.
I'm using a credentials profile to discover my devices; some of them were discovered as they should be, and some of them are partially discovered, with Cisco Prime logging it as a CLI/SSH issue.
But when I SSH to the partially discovered device via the Cisco Prime CLI with the same credentials as configured in the credential profile, I'm able to log in with no issue.
Please note - while I'm editing the partially discovered device and testing the credentials via the Prime GUI, it displays the error message "Telnet/SSH : Unreachable" - and the device log message is %SSH-5-SSH2_SESSION: SSH2 Session request from X.X.X.X (tty = 1) using crypto cipher '', hmac '' Failed.
What does it mean?
10x
Eyal
01-17-2015 11:38 PM
For the devices that aren't working do you perchance have a non-default Diffie-Hellman (DH) group set for ssh?
PI only communicates via DH1. Some people using DH14 or other non-default DH groups have reported similar problems.
01-17-2015 11:38 PM
How can I check/configure this?
01-18-2015 06:17 AM
Generally it would show up in the device configuration file. Look for an entry like "ip ssh dh min size".
Here is a link to the command reference explaining the options.
01-22-2015 05:53 AM
Guess I'm running an old IOS version.
01-22-2015 12:51 PM
I had a similar issue with PI 2.1; not sure if I still have it with PI 2.2.
The issue turned out to be that the devices PI could not SSH onto were running SSHv1. It turned out that some idiot had only configured the SSH crypto key with a 512-bit key, so the device would not let me switch to SSHv2.
01-23-2015 05:50 AM
That's an excellent point, Richard.
The bottom line seems to be that PI's programmatic ssh access requires ssh v2 using DH group 1 to work properly.
Erring with either ssh v1 (most likely due to too small a modulus in the crypto key) or a more recent DH group causes it to fail.
01-28-2015 10:59 PM
It looks like Prime 2.2 may be trying to use DH group14 and older devices fail.
Jan 26 22:10:54.498 Central: SSH2 10: kex algo not supported: client diffie-hellman-group14-sha1, server diffie-hellman-group1-sha1
04-23-2015 08:04 AM
Hi guys,
It's happening to me as well. I recently installed CPI 2.2. I have a population of 3750s on OS 15.0(2)SE7 working fine, but devices on OS 12... don't work. Is there any workaround for this that doesn't include updating the switch OS?
From the Prime CLI I can SSH without problems to those devices, but I cannot import the devices.
"Could not connect to device via CLI (SSH/telnet). Check device credentials and SSH/telnet reachability."
Thanks in advance
05-01-2018 12:45 PM
Has this been resolved? I have the same issue on a few devices and I just cannot get this to work. sh ip ssh shows I'm running a 2048 key and SSHv2. Everything matches and it refuses to log in. I can log in using the user/password just fine, but when attempting to use Prime it tells me Telnet/SSH unreachable. When I do a debug ip ssh client it tells me: SSH-3-No_MATCH: no matching cipher found, but those ciphers are there??
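Added example (not part of any post in this thread and not Cisco's code): a Python triage of the three device-side messages quoted above, to tell an algorithm-negotiation failure apart from a credential problem. The sample lines reuse the thread's messages with a constructed peer address (192.0.2.10); the "Succeeded" line, the stage names and the function names are assumptions made for illustration.

```python
import re

# Patterns for the three device-side messages quoted in this thread.
KEX = re.compile(r"kex algo not supported: client (?P<client>\S+), server (?P<server>\S+)")
SESSION = re.compile(
    r"SSH2 Session request from (?P<peer>\S+) .*"
    r"crypto cipher '(?P<cipher>[^']*)', hmac '(?P<hmac>[^']*)' (?P<result>\w+)"
)
NO_CIPHER = re.compile(r"no matching cipher found", re.IGNORECASE)

# Constructed sample: the thread's messages with a documentation-range peer
# address, plus one constructed successful session for contrast.
SAMPLE = [
    "%SSH-5-SSH2_SESSION: SSH2 Session request from 192.0.2.10 (tty = 1) "
    "using crypto cipher '', hmac '' Failed",
    "SSH2 10: kex algo not supported: client diffie-hellman-group14-sha1, "
    "server diffie-hellman-group1-sha1",
    "SSH-3-No_MATCH: no matching cipher found",
    "%SSH-5-SSH2_SESSION: SSH2 Session request from 192.0.2.10 (tty = 1) "
    "using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded",
]


def classify(line):
    """Map one log line to (stage, detail); None if it is not an SSH failure."""
    m = KEX.search(line)
    if m:
        client = m["client"].split(",")
        server = m["server"].split(",")
        common = [algo for algo in client if algo in server]
        return ("kex", {"client": client, "server": server, "common": common})
    if NO_CIPHER.search(line):
        return ("cipher", {})
    m = SESSION.search(line)
    if m and m["result"] == "Failed":
        # Assumption: empty cipher and hmac mean no algorithms were agreed,
        # so the session ended before user authentication was attempted.
        negotiated = bool(m["cipher"] and m["hmac"])
        return ("after-negotiation" if negotiated else "negotiation", {"peer": m["peer"]})
    return None


def triage(lines):
    """Return (stage, detail) for every failure line, in input order."""
    return [hit for hit in map(classify, lines) if hit is not None]


if __name__ == "__main__":
    for stage, detail in triage(SAMPLE):
        print(stage, detail)
```

A "kex" result with an empty "common" list means the two sides offered no shared key-exchange group, which is the situation the group1/group14 posts describe.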