SSH to router has a pause, log says LOGIN FAILED, but then succeeds

Paul Stafford
Level 1

I have over a hundred routers in my network and only have this problem with a few of them.

For example, I have TWO identical IR1101 routers, but with different software versions if that matters. 
"Broken" router has: Cisco IOS XE Software, Version 17.14.01a
"Working" router has: Cisco IOS XE Software, Version 17.03.06

If I SSH into the "broken" router, I get a short pause, then the password prompt appears; I enter my password and I am in with no problems. However, the router log says:

Aug 1 15:23:44: %SSH-5-SSH2_SESSION: SSH2 Session request from [client IP redacted] (tty = 0) using crypto cipher 'aes192-ctr', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
Aug 1 15:23:46: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: CISCO] [Source: client IP redacted] [localport: 22] [Reason: Login Authentication Failed] at 15:23:46 CDT Fri Aug 1 2025
Aug 1 15:23:49: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: CISCO] [Source: client IP redacted] [localport: 22] at 15:23:49 CDT Fri Aug 1 2025
Aug 1 15:23:49: %SSH-5-SSH2_USERAUTH: User 'CISCO' authentication for SSH2 Session from client IP redacted (tty = 0) using crypto cipher 'aes192-ctr', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded

The "working" router has no pause when I ssh into it, and there are no "failed" log messages, just the "Success" message.

There are no issues with delay or reachability to the TACACS server on the "broken" router, nor on the others that are having this same issue.

They both have the identical TACACS config:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa session-id common

ip tacacs source-interface Loopback11

tacacs server TACSERV
address ipv4 10.x.x.x
key MYSECRETKEY

line vty 0 4
privilege level 15
login authentication local
transport input ssh

I have spent HOURS trying to fix this to no avail... any ideas?

Thanks in advance,
Paul


2 Accepted Solutions

Paul Stafford
Level 1

Sorry, I am so forgetful... I had already asked this same question before and figured it out myself.  For me, the solution was to delete id_rsa and id_rsa.pub on my Linux client that I was using.  I tried to delete this post, but it won't let me.

Sorry for wasting your time.
Paul


Paul Stafford
Level 1

I did figure out how to keep the id_rsa files on my Linux client and still be able to log into these routers.

In my .ssh/config file I added these statements for one host and a network:

# Skip the public-key attempt for these routers; go straight to password auth
Host 10.10.10.10 12.12.12.*
    PubkeyAuthentication no

It appears that the Linux SSH client was trying to do public key authentication first, and for some reason one router didn't mind it, and another did.

Hope this helps someone else and myself when I forget it again.  

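The pattern in the original post, a %SEC_LOGIN-4-LOGIN_FAILED a few seconds before a %SEC_LOGIN-5-LOGIN_SUCCESS for the same user and source because the client offered a public key before falling back to a password, is worth telling apart from real failed logins before it feeds a SIEM rule. The following is an added example, not code from this thread or from Cisco: it parses %SEC_LOGIN lines in the format shown in the question and labels each failure as a probable key-first fallback or an unexplained failure, then counts unexplained failures per source. The log lines are constructed (documentation IPs), and the 10-second correlation window and the alert threshold are assumptions, not anything the thread states.

```python
"""Separate SSH public-key probing noise from real login failures in IOS-XE logs.

Added example, not from the forum thread. Sample log is constructed from
the message format shown in the original post; window/threshold are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: one key-then-password fallback (CISCO), then three
# unrelated failures from a second source that never succeeds.
SAMPLE_LOG = """\
Aug 1 15:23:44: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.0.2.10 (tty = 0) using crypto cipher 'aes192-ctr', hmac 'hmac-sha2-256-etm@openssh.com' Succeeded
Aug 1 15:23:46: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: CISCO] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed] at 15:23:46 CDT Fri Aug 1 2025
Aug 1 15:23:49: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: CISCO] [Source: 192.0.2.10] [localport: 22] at 15:23:49 CDT Fri Aug 1 2025
Aug 1 15:30:01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 15:30:01 CDT Fri Aug 1 2025
Aug 1 15:30:03: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 15:30:03 CDT Fri Aug 1 2025
Aug 1 15:30:05: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 15:30:05 CDT Fri Aug 1 2025
"""

# Only the AAA verdict lines matter; SSH2_SESSION/USERAUTH lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]*)\]"
)


def parse_events(log_text):
    """Return (timestamp, kind, user, source) tuples for %SEC_LOGIN lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog has no year; year 1900 is fine for relative comparisons.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["kind"], m["user"], m["src"]))
    return events


def classify_failures(log_text, window_seconds=10):
    """Label each LOGIN_FAILED by whether the same user/source succeeded shortly after.

    A success within the window from the same user and source is the signature
    of an OpenSSH client trying publickey first and then typing a password.
    """
    events = parse_events(log_text)
    window = timedelta(seconds=window_seconds)
    successes = [e for e in events if e[1] == "LOGIN_SUCCESS"]
    results = []
    for ts, kind, user, src in events:
        if kind != "LOGIN_FAILED":
            continue
        followed = any(
            s_user == user and s_src == src and ts <= s_ts <= ts + window
            for s_ts, _, s_user, s_src in successes
        )
        results.append({
            "time": ts.strftime("%H:%M:%S"),
            "user": user,
            "source": src,
            "verdict": "probable_pubkey_fallback" if followed else "unexplained_failure",
        })
    return results


def suspicious_sources(results, threshold=3):
    """Sources with at least `threshold` unexplained failures (assumed alert cutoff)."""
    counts = Counter(r["source"] for r in results if r["verdict"] == "unexplained_failure")
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    verdicts = classify_failures(SAMPLE_LOG)
    for v in verdicts:
        print(f"{v['time']} {v['user']:<6} {v['source']:<14} {v['verdict']}")
    print("alert:", suspicious_sources(verdicts))
```

Treat the "probable_pubkey_fallback" label as a noise filter, not an exoneration: an attacker who guesses the password on the second try produces the same failed-then-succeeded pair, so volume-based alerting on the source should still run. The durable fix is the client-side one the accepted solution gives (`PubkeyAuthentication no` for those hosts in ssh_config), which stops the spurious AAA failure from being generated at all.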

3 Replies

debug ip ssh 
debug authc events 
show aaa servers 

Share the output here.

Note: run the commands while you try to SSH to the router.

MHM
