06-26-2025 02:23 AM
We've had an issue lately where SSH management access on our 4300 routers breaks after an IOS upgrade. Would RESTCONF or NETCONF be a viable method for bypassing SSH access? For example, if SSH is hosed and we can't connect to the router, could we push config changes via RESTCONF or NETCONF to enable Telnet, something like that? And can anyone suggest any resources that cover this exact issue?
06-26-2025 03:43 AM
If it is available you might be able to correct it over RESTCONF/NETCONF. You might also be able to correct the issue through SNMP. Do you know why it fails though? Which version are you upgrading from/to?
Some RESTCONF resources:
https://github.com/CiscoDevNet/restconf-examples
06-26-2025 06:30 AM
We don't know why it fails, we're guessing something with the RSA keys. I believe it happened when they upgraded the IOS from 17.06.06a to 17.12.05a. But we've got loads of routers running 17.12.05a without issues, the SSH issue only happened with a couple. I'll take a look at the RESTCONF/NETCONF links, thanks for the feedback!
06-26-2025 06:59 AM
Hey @Venison Mogambi
If RESTCONF or NETCONF is already set up and reachable on the router, then yes, you could use it to push changes like enabling Telnet or regenerating SSH keys. But it depends on those services still being functional after the upgrade. If the upgrade affected HTTP or HTTPS access as well, RESTCONF won't help much.
Since you mentioned it only happened on a couple of routers after upgrading to 17.12.05a, it's very likely an RSA key issue. Some systems may have had corrupted or missing keys during the upgrade process. You can check with the command show crypto key mypubkey rsa and if needed, re-generate the keys using crypto key generate rsa.
Glad the RESTCONF links were useful. Still, it's a good idea to figure out why SSH fails in the first place, especially if the issue is inconsistent across devices. If it happens again and you can gather logs, Cisco TAC could probably help confirm whether it’s a known issue in that upgrade path.
06-26-2025 10:14 AM
With our newer IOS-XE we have to enter the command below to allow us to SSH to it, as it breaks SSH with SecureCRT and with older IOS-XE devices.
"ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-256-etm@openssh.com"
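Added example, not code from any of the posters above: the two recovery paths the thread discusses (pushing `transport input telnet` onto the VTY lines over RESTCONF when SSH is down, and setting the `ip ssh server algorithm mac` list from the post just above) expressed as RESTCONF edits against the Cisco-IOS-XE-native YANG model. Everything about the device is an assumption: the documentation address 192.0.2.1, a privilege-15 user, RESTCONF already enabled (`restconf` plus `ip http secure-server`), and YANG paths recalled from the native model rather than taken from the thread. The GET response used for the offline walk-through is constructed, not captured from a router.

```python
"""Added example for this thread (not code from any of the posters): build and
send RESTCONF edits against the Cisco-IOS-XE-native YANG model for the case the
thread describes, where SSH is broken after an upgrade but HTTPS/RESTCONF still
answers.

Assumptions (mine, not from the original posts): RESTCONF is enabled
('restconf' + 'ip http secure-server'), a privilege-15 user exists, the router
is at the documentation address 192.0.2.1, and the YANG paths below are recalled
from the Cisco-IOS-XE-native model. Confirm them on the running release with a
GET on /restconf/data/Cisco-IOS-XE-native:native/line/vty before pushing anything.
"""
import json
from typing import Any, Optional

try:
    import requests  # third-party; only needed when actually talking to a router
except ImportError:  # keep the module importable offline
    requests = None

HEADERS = {
    "Content-Type": "application/yang-data+json",
    "Accept": "application/yang-data+json",
}
# 'line vty <first> <last>' is a list keyed on 'first' in the native model.
VTY_PATH = "/restconf/data/Cisco-IOS-XE-native:native/line/vty={first}"
# 'ip ssh server algorithm ...' lives under this container.
SSH_ALG_PATH = "/restconf/data/Cisco-IOS-XE-native:native/ip/ssh/server/algorithm"

# Constructed GET response for .../native/line/vty (not captured from a real
# router): vty 0-4 allows only SSH, vty 5-15 is closed.
CONSTRUCTED_VTY_GET = {
    "Cisco-IOS-XE-native:vty": [
        {"first": 0, "last": 4, "transport": {"input": {"input": ["ssh"]}}},
        {"first": 5, "last": 15, "transport": {"input": {"input": ["none"]}}},
    ]
}


def summarize_transport(vty_json: dict) -> dict[str, list[str]]:
    """Flatten a GET on the vty list into {'0-4': ['ssh'], ...} so the current
    transport inputs can be inspected before anything is changed."""
    summary: dict[str, list[str]] = {}
    for vty in vty_json.get("Cisco-IOS-XE-native:vty", []):
        key = f"{vty['first']}-{vty['last']}" if "last" in vty else str(vty["first"])
        summary[key] = vty.get("transport", {}).get("input", {}).get("input", [])
    return summary


def vty_transport_payload(first: int, last: int, inputs: list[str]) -> dict:
    """Body for a PATCH on VTY_PATH giving 'transport input <inputs>'.

    The model only accepts all/none/ssh/telnet; reject anything else locally
    rather than learning about it from a 400 on the wire.
    """
    bad = sorted(set(inputs) - {"all", "none", "ssh", "telnet"})
    if bad:
        raise ValueError(f"unsupported transport input(s): {bad}")
    return {
        "Cisco-IOS-XE-native:vty": [
            {"first": first, "last": last,
             "transport": {"input": {"input": list(inputs)}}}
        ]
    }


def ssh_mac_payload(macs: list[str]) -> dict:
    """Body for a PUT on SSH_ALG_PATH, i.e. 'ip ssh server algorithm mac <macs>'.

    PUT replaces the whole 'algorithm' container (a PATCH would only merge new
    members into the leaf-list), so any sibling leaf-lists already configured
    there, such as 'encryption', must be included or they are dropped.
    """
    return {"Cisco-IOS-XE-native:algorithm": {"mac": list(macs)}}


def restconf_call(method: str, host: str, user: str, password: str, path: str,
                  body: Optional[dict] = None, verify: Any = True,
                  timeout: float = 10.0) -> tuple[int, Optional[dict]]:
    """Send one RESTCONF request; return (HTTP status, decoded JSON or None).

    204 is the normal answer to a successful PATCH/PUT. verify=False disables
    certificate checking and is only defensible on an out-of-band network;
    prefer verify='/path/to/router-ca.pem'.
    """
    if requests is None:
        raise RuntimeError("install 'requests' to talk to a router")
    resp = requests.request(
        method, f"https://{host}{path}", auth=(user, password), headers=HEADERS,
        data=json.dumps(body) if body is not None else None,
        verify=verify, timeout=timeout)
    try:
        data = resp.json()
    except ValueError:
        data = None
    return resp.status_code, data


if __name__ == "__main__":
    # Offline walk-through on the constructed data; nothing is sent.
    print("current:", summarize_transport(CONSTRUCTED_VTY_GET))
    print("PUT", SSH_ALG_PATH)
    print(json.dumps(ssh_mac_payload(["hmac-sha2-256", "hmac-sha2-256-etm@openssh.com"])))
    print("PATCH", VTY_PATH.format(first=0))
    print(json.dumps(vty_transport_payload(0, 4, ["ssh", "telnet"])))
    # Live use with assumed credentials:
    # status, _ = restconf_call("PUT", "192.0.2.1", "admin", "secret", SSH_ALG_PATH,
    #                           ssh_mac_payload(["hmac-sha2-256"]), verify="router-ca.pem")
```

Order matters for the security outcome: try the SSH-side fix first (the MAC list above, or regenerating keys after checking `show crypto key mypubkey rsa` as suggested earlier in the thread) and fall back to Telnet only if SSH still refuses connections, because Telnet carries the login in cleartext. If Telnet has to go on, pair it with an `access-class` ACL on the same VTY lines that limits it to the management subnet, and push a second PATCH that sets `transport input ssh` again once SSH is confirmed working.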
06-27-2025 01:00 AM
Thanks, I'll take a look at that.