Can't SSH into Switch

chueymtz
Level 1

I get this error when trying to telnet:

2023/12/11 15:17:43.606 {nginx_R0-0}{1}: [ngx_core] [29797]: UUID: 0, ra: 0, TID: 0 (ERR): [29803] 2023/12/11 10:17:43 [crit] 29803#0: *3520 SSL_shutdown() failed (SSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init) while SSL handshaking, client: 10.78.2.227, server: 0.0.0.0:443

14 Replies

balaji.bandi
Hall of Fame

Not sure what the device model is and what IOS code it is running.

As per the message, it tries to connect on port 443, not SSH port 22 here; it also looks like you have a handshake issue between the client and the device you are connecting to.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@chueymtz  The error message you are receiving indicates that there is an issue with the SSL/TLS handshake when trying to telnet to your Cisco switch. The specific error code is 140E0197, which means that the SSL/TLS handshake was aborted while it was still in the initialisation phase. This could be caused by a couple of things:

  • An incorrect SSL/TLS cipher suite being negotiated. If the client and server are not using compatible cipher suites, the handshake will fail.
  • A network configuration issue preventing the SSL/TLS connection from being established. Is there a firewall rule blocking the connection, or a routing issue that is causing the packets to be lost?
  • A software bug; check your image or the bug tool.

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

chueymtz
Level 1

I'm using SuperPuTTY, and it worked last week. I don't think I've made any other changes, but I can still access the switch using the web GUI. Do you think it could be a configuration issue?

Something sure might have changed. The logs show it is not related to SSH; when you SSH, collect the logs from the device CLI. Also post show ip ssh (output from the device).

BB

show tcp brief
Share this here.
Port 443 is for HTTP, so there is a conflict between the two, SSH and HTTP, since both use TCP at L4.
Share show tcp brief;
let's see the IP and port in use.
MHM

#show tcp brief
TCB Local Address Foreign Address (state)
7FD93A6406D0 192.168.1.6.443 192.168.1.5.47444 ESTAB

So this is a TCP session.
clear tcp tcb *

Do clear tcp, then try to connect again using SSH.

Tried this but it didn't fix it

show tcp brief
Do you see the same entry?
If yes,
then try

clear tcp tcb <the TCB number that appears in the table, the first number in the line>

MHM

0.0.0.0 server?
Can I see the SSH config?

chueymtz
Level 1

#show ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-417665234
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCF9S5HGof40OyzSpSO2mep5XNOMDdyyVh1vjgsKcfQ
qq1TpZjxtg6gvcWZnhI81rUPheKEak6NPjqMkbYwzEsUiSWLSPhMxuk3cyGbb0cGDyWVAv6Ai2sPaZ1Q
h3DuOSJI5JB+Zm02eQ9MXrZPpwEstT9XWzhOAzCDzgyiSIWPXuUJ7oIW3g2YJnJB8IyJBpQJdNH/wleG
1nbKsQWHRGMtNc9L3MqkEB5NLWvO+mRzeuxQp1BryuAQeLqNHfAghJx2TAL8xpaHog7UDS9FxmvgipTo
tbZYCaada4aPjsqBhQ3Rdi0Alm+s2HMwFxqjC28nIKnCfkFXXpaoJN+YvgIZ
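The show ip ssh output above is also worth reading as a hardening checklist, independent of the connection problem. The following is an added example (not part of the thread and not Cisco code): a small Python parser for that output plus an audit that flags SHA-1 key exchange and MACs, SHA-1 RSA host-key signatures, and the "version 1.99" banner (which on IOS means both SSHv1 and SSHv2 are accepted until ip ssh version 2 is configured). The sample text is a constructed copy of the posted output with the host-key lines omitted, and the "weak" policy is an assumption modelled on what current OpenSSH clients disable by default. Note that none of these findings would produce a TCP "connection refused"; that error happens before any algorithm is negotiated.

```python
import re

# Constructed sample: the "show ip ssh" output posted in the thread, with the
# host-key lines omitted because only the algorithm lists are audited here.
SAMPLE_SHOW_IP_SSH = """\
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
"""

# Policy (assumption): flag what current OpenSSH clients no longer enable by
# default, i.e. SHA-1 based key exchange and MACs, plus CBC/3DES ciphers.
WEAK_ALGORITHMS = {
    "KEX": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "MAC": {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"},
    "Encryption": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"},
}
# Host-key algorithms whose signatures use SHA-1 (x509v3-ssh-rsa, RFC 6187,
# reuses the ssh-rsa signature encoding).
SHA1_HOSTKEY_ALGS = {"ssh-rsa", "x509v3-ssh-rsa"}

ALGO_LINE = re.compile(r"^(?P<cat>.+?) Algorithms:\s*(?P<algs>.+)$")
VERSION_LINE = re.compile(r"^SSH Enabled - version (?P<ver>[\d.]+)")
DH_LINE = re.compile(r"Minimum expected Diffie Hellman key size\s*:\s*(?P<bits>\d+)\s*bits")


def parse_show_ip_ssh(text):
    """Return {"version": str, "dh_min_bits": int, "algorithms": {category: [names]}}."""
    result = {"version": None, "dh_min_bits": None, "algorithms": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := VERSION_LINE.match(line):
            result["version"] = m.group("ver")
        elif m := DH_LINE.search(line):
            result["dh_min_bits"] = int(m.group("bits"))
        elif m := ALGO_LINE.match(line):
            algs = [a.strip() for a in m.group("algs").split(",") if a.strip()]
            result["algorithms"][m.group("cat")] = algs
    return result


def audit_ssh_config(parsed):
    """Return a list of (category, item, reason) findings; empty means nothing flagged."""
    findings = []
    if parsed["version"] == "1.99":
        findings.append(("version", "1.99",
                         "SSHv1 still accepted alongside v2; configure 'ip ssh version 2'"))
    if parsed["dh_min_bits"] is not None and parsed["dh_min_bits"] < 2048:
        findings.append(("dh_min_bits", str(parsed["dh_min_bits"]),
                         "raise with 'ip ssh dh min size 2048'"))
    for cat, algs in parsed["algorithms"].items():
        for alg in algs:
            if alg in WEAK_ALGORITHMS.get(cat, set()):
                findings.append((cat, alg, "SHA-1/MD5 or CBC-era algorithm; remove from the offer"))
    hostkeys = parsed["algorithms"].get("Hostkey", [])
    if hostkeys and all(h in SHA1_HOSTKEY_ALGS for h in hostkeys):
        findings.append(("Hostkey", ",".join(hostkeys),
                         "only SHA-1 RSA host-key signatures offered; OpenSSH 8.8+ clients "
                         "drop ssh-rsa by default and fail with 'no matching host key type found' "
                         "(PuTTY still accepts it)"))
    return findings


if __name__ == "__main__":
    for cat, item, reason in audit_ssh_config(parse_show_ip_ssh(SAMPLE_SHOW_IP_SSH)):
        print("%-10s %-40s %s" % (cat, item, reason))
```

Run it against a pasted show ip ssh from any IOS box; on the output above it reports the 1.99 banner, both SHA-1 KEX methods, the two SHA-1 MACs, and the SHA-1-only host-key offer. The exact ip ssh server algorithm commands available to fix these depend on the IOS release, which is why the thread keeps asking for the model and version.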

That looks OK. What message do you get from PuTTY when you try to connect?

And at the same time, when you connect to SSH port 22, what logs do you see on the device?

BB

network error: connection refused

Check the error reference, which explains the error you are getting on PuTTY better:

https://the.earth.li/~sgtatham/putty/0.60/htmldoc/Chapter10.html#errors-connrefused

But how are you able to post other console information here if you are not able to log in to the switch (console?)

There is a question asked before:

Not sure what the device model is and what IOS code it is running.

Also post your VTY line configuration.

Follow the guide below on how to configure SSH on Cisco devices.

https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html

BB

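The distinction the thread circles around is worth making mechanical: PuTTY's "connection refused" is a TCP-level answer (a RST) and says nothing about SSL, ciphers or keys, so the nginx line about port 443 cannot explain it. The following is an added example, not from the thread: a Python probe that connects to a port and classifies the outcome as refused, timeout, an SSH banner, or something else answering, together with throwaway loopback listeners (constructed test doubles, not a real SSH server; the "SSH-2.0-Cisco-1.25" banner text is made up) so it runs offline.

```python
import socket
import threading


def probe_ssh(host, port, timeout=3.0):
    """Open a TCP connection and read the SSH identification string.

    Returns (classification, detail):
      "refused"   - the host answered with a TCP RST: nothing is listening on
                    that port (or something in the path rejects rather than drops)
      "timeout"   - no SYN/ACK at all: packets dropped, wrong address, or a firewall
      "banner"    - TCP connected and an "SSH-..." line came back: an SSH server is
                    there, so any remaining problem is at the protocol or auth layer
      "no-banner" - TCP connected but nothing SSH-like was sent: another service
                    or a wedged server is on the port
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                data = conn.recv(256)
            except socket.timeout:
                return ("no-banner", "connected, but nothing received before timeout")
    except ConnectionRefusedError:
        return ("refused", "TCP RST from %s:%d" % (host, port))
    except socket.timeout:
        return ("timeout", "no SYN/ACK from %s:%d within %.1fs" % (host, port, timeout))
    except OSError as exc:
        return ("error", str(exc))
    if not data:
        return ("no-banner", "connected, peer closed without sending anything")
    first_line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if first_line.startswith("SSH-"):
        return ("banner", first_line)
    return ("no-banner", first_line)


def start_fake_server(banner):
    """Constructed test double standing in for the switch: a throwaway listener on
    127.0.0.1 that serves one client, sends `banner` (may be b"") and closes.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Reserve and release an ephemeral port so that nothing is listening on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Run the three offline cases and return {case: classification}."""
    # Banner text constructed to resemble an IOS SSH server; the real string varies.
    return {
        "ssh-listening": probe_ssh("127.0.0.1", start_fake_server(b"SSH-2.0-Cisco-1.25\r\n"))[0],
        "other-service": probe_ssh("127.0.0.1", start_fake_server(b"HTTP/1.1 400 Bad Request\r\n"))[0],
        "nothing-listening": probe_ssh("127.0.0.1", closed_port())[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-18s -> %s" % (case, verdict))
```

Pointed at the switch with probe_ssh("192.168.1.6", 22), the poster's symptom maps to "refused" while probe_ssh("192.168.1.6", 443) would come back "no-banner" (the web server answers, just not with SSH). That combination means the box is reachable and the SSH service itself is not accepting on 22, which is why the VTY line configuration and show ip ssh were asked for: on IOS a refused port 22 is typically a transport input setting on the vty lines, a missing RSA key, or an access-class on those lines, none of which the port 443 nginx log can tell you about.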