Cipher error on WS-C2950G-24-EI switch

Amol_Telore
Level 1

Hi Team,

I'm trying to SSH to the switch but am getting the below error:

ssh dduser@XX.XX.XX.XX

Unable to negotiate with 172.19.12.4 port 22: no matching cipher found. Their offer: 3des-cbc

If I use the below cmd, I get access.

ssh -c 3des-cbc dduser@XX.XX.XX.XX

Please let me know whether these switches (WS-C2950G-24-EI) can support the encryption algorithm aes128-cbc.

With version 12.1(22)EA13.


Seb Rupik
VIP Alumni

Hi there,

The images released for the 2950G are of such a vintage that I doubt these ‘next-generation’ ciphers are available.

This document:

https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html

…dated 2012 recommends replacing 3DES with AES. So it is probably safe to assume the 2950G image builds were not around when Cisco was making this transition.

Nmap has a built-in script you can run against your switches to determine the ciphersuite:

nmap --script ssh2-enum-algos -sV -p <port> <host>

cheers,

Seb.

Hi Seb,

Thanks for the reply...

How do I run the below script on the switch?

nmap --script ssh2-enum-algos -sV -p <port> <host>

Regards,

Amol

Run that command from a host CLI which has nmap installed. Not the switch.

cheers,

Seb.
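
The ssh2-enum-algos check recommended above reports the algorithm lists a server sends in its SSH_MSG_KEXINIT message. The following is an added example, not code from the thread's posters: it parses a KEXINIT payload and reproduces the "no matching cipher found" outcome. The sample bytes and the CLIENT cipher list are constructed assumptions; only the 3des-cbc offer comes from the post.

```python
import struct

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = ["kex_algorithms", "server_host_key_algorithms",
          "encryption_algorithms_client_to_server",
          "encryption_algorithms_server_to_client",
          "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
          "compression_algorithms_client_to_server",
          "compression_algorithms_server_to_client",
          "languages_client_to_server", "languages_server_to_client"]
SSH_MSG_KEXINIT = 20

def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, offer = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError(f"truncated before {field}")
        end = pos + 4 + struct.unpack_from(">I", payload, pos)[0]
        if end > len(payload):
            raise ValueError(f"name-list {field} overruns the payload")
        raw = payload[pos + 4:end].decode("ascii")
        offer[field] = raw.split(",") if raw else []
        pos = end
    return offer

def common_ciphers(offer: dict, client_ciphers: list) -> list:
    """Server-to-client ciphers both sides support, in client preference order."""
    server = offer["encryption_algorithms_server_to_client"]
    return [c for c in client_ciphers if c in server]

# Constructed sample payload, not captured from a switch.
SAMPLE = (bytes([SSH_MSG_KEXINIT]) + bytes(16)         # type 20, zero cookie
          + bytes(4) * 2                               # empty kex, host-key lists
          + (struct.pack(">I", 8) + b"3des-cbc") * 2   # both cipher lists
          + bytes(4) * 6                               # empty MAC, compression, language lists
          + bytes(5))                                  # first_kex_packet_follows, reserved
# Assumed client cipher list for illustration, not read from any ssh_config.
CLIENT = ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-ctr"]

if __name__ == "__main__":
    offer = parse_kexinit(SAMPLE)
    for label, ciphers in (("default", CLIENT), ("-c 3des-cbc", ["3des-cbc"])):
        print(label, "->", common_ciphers(offer, ciphers) or "no matching cipher found")
```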
