Unable to ssh to router


Hey all,


I have a router that I have configured ssh on with local aaa authentication enabled. I am prompted to login, but the login is prompting access denied. Curious as to why this was happening, I enabled telnet to test as well. Using the same configuration and credentials I am able to connect via telnet fine. Only when I try entering the credentials in SSH do I get "access denied". Please see my relevant configuration below.


aaa new-model
aaa authentication login default local


ip domain name

username cisco privilege 15 password cisco


ip ssh version 2


line vty 0 4
privilege level 15
transport input all
line vty 5 15
privilege level 15
transport input all




output of sh version


Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 15.1(3)T1, RELEASE SOFTWARE (fc2)
Technical Support:
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Sun 27-Mar-11 09:27 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T10, RELEASE SOFTWARE (fc1)

Mirion_Router uptime is 30 weeks, 5 days, 1 hour, 16 minutes
System returned to ROM by power-on
System image file is "flash:c3845-adventerprisek9-mz.151-3.T1.bin"
Last reload type: Normal Reload

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to

Cisco 3845 (revision 1.0) with 1008640K/39936K bytes of memory.
Processor board ID FCZ130270P9
2 Gigabit Ethernet interfaces
1 Serial interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
500472K bytes of ATA System CompactFlash (Read/Write)

License Info:

License UDI:

Device# PID SN
*0 CISCO3845-MB FOC124926TY


Configuration register is 0x2102




Accepted Solutions



Per the provided config, if still in place, there are two possible outcomes:

1. The router has a funky SSH bug. To isolate it, ssh to the router itself from a remote telnet session: connect via telnet and run "ssh -l cisco x.x.x.x", where x.x.x.x is an IP of the router. If it works, all good on the router side; if not, reload and/or upgrade.

2. The SSH agent you're using either has specific cryptographic algorithm requirements which don't match what your Cisco device is using, or it does not meet the minimum requirements from the Cisco output; try using a different ssh client:


Minimum expected Diffie Hellman key size : 1024 bits



Cristian Matei.
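
One way to check the second possibility in the answer above, as an added example that is not part of the original post: capture the OpenSSH client's `ssh -vv` output and compare the client and server KEXINIT proposals. The sample log is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of OpenSSH client `ssh -vv` output. The algorithm lists are
# illustrative and are not taken from the router discussed in this thread.
SAMPLE_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha1,hmac-md5
"""

HEADER = re.compile(r"debug2: (local client|peer server) KEXINIT proposal")
FIELD = re.compile(r"debug2: (KEX algorithms|host key algorithms|ciphers ctos|"
                   r"ciphers stoc|MACs ctos|MACs stoc): (.*)")

def parse_proposals(log):
    """Return {'local client': {field: [algs]}, 'peer server': {field: [algs]}}."""
    proposals, side = {}, None
    for line in map(str.strip, log.splitlines()):
        if m := HEADER.match(line):
            side = m.group(1)          # following field lines belong to this side
            proposals[side] = {}
        elif side and (m := FIELD.match(line)):
            proposals[side][m.group(1)] = [a for a in m.group(2).split(",") if a]
    return proposals

def negotiate(log):
    """Per field, the first client algorithm the server also offers, else None.
    This is the cipher/MAC rule; for KEX and host key it is a simplification."""
    p = parse_proposals(log)
    client, server = p.get("local client", {}), p.get("peer server", {})
    result = {}
    for field, offered in client.items():
        accepted = set(server.get(field, []))
        result[field] = next((a for a in offered if a in accepted), None)
    return result

def mismatches(log):
    """Fields with no common algorithm; the session fails before any login prompt."""
    return [field for field, alg in negotiate(log).items() if alg is None]

if __name__ == "__main__":
    for field, alg in negotiate(SAMPLE_LOG).items():
        print(f"{field:20} {alg or 'NO COMMON ALGORITHM'}")
```

An empty list from `mismatches` means the algorithm names are not the obstacle; it does not check key sizes such as the Diffie-Hellman minimum quoted in the answer.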
