
Cisco 2911 IOS 15.7 - Cannot access the router via SSH from the local switch

I have set up SSH on the switch and the router; I can SSH from the router to the switch but not from the switch to the router. Any suggestions?      

This is the message I get when trying to SSH to the router   [Connection to 192.168.0.5 aborted: error status 0]  

The following is the sh run command on the router:

R1#sh run
Building configuration...

 

Current configuration : 1657 bytes
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable password Admin1
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name odari.homemadelab.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
vxml logging-tag
license udi pid CISCO2911/K9 sn FTX1543AH6P
hw-module pvdm 0/0
!
!
!
username cisco password 0 admin
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Link-to-SW3
ip address 192.168.0.5 255.255.255.128
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0/2
description Link-to-SW4
no ip address
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip ssh version 2
ip ssh client algorithm encryption 3des-cbc
!
!
!
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 3
login local
transport input ssh
transport output ssh
line vty 4
login
transport input none
!
scheduler allocate 20000 1000
!
end

Accepted Solution

Hello

The line configuration looks okay, so if this hasn't already been suggested, try an RSA key regeneration on the switch and test again.


switch:
crypto key zeroize rsa
crypto key generate rsa general-keys label switch modulus 2048
ip ssh version 2



Kind Regards
Paul



Francesco Molino

Hi

 

What is your switch model and IOS version?

Can you run show ip ssh on both devices please?


Thanks
Francesco

SW1#sh ver
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 15.0(2)SE11, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Sat 19-Aug-17 09:28 by prod_rel_team

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

SW1 uptime is 13 minutes
System returned to ROM by power-on
System image file is "flash:/c3750-ipservicesk9-mz.150-2.SE11/c3750-ipservicesk9-mz.150-2.SE11.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C3750G-48PS (PowerPC405) processor (revision C0) with 131072K bytes of memory.
Processor board ID FOC0916U14W
Last reset from power-on
2 Virtual Ethernet interfaces
52 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:15:62:55:33:00
Motherboard assembly number : 73-9365-08
Power supply part number : 341-0108-02
Motherboard serial number : FOC09343S9H
Power supply serial number : DCA09260MDP
Model revision number : C0
Motherboard revision number : A0
Model number : WS-C3750G-48PS-E
System serial number : FOC0916U14W
SFP Module assembly part number : 73-7757-03
SFP Module revision Number : A0
SFP Module serial number : CAT093108DF
Top Assembly Part Number : 800-26344-02
Top Assembly Revision Number : A0
Version ID : 02
CLEI Code Number : CNMWM00ARB
Hardware Board Revision Number : 0x05


Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 52 WS-C3750G-48PS 15.0(2)SE11 C3750-IPSERVICESK9-M


Configuration register is 0xF

Thanks for the info, it helps me.

Hello


@calderonl.odari11 wrote:
 I can SSH from the router to the switch but not from the switch to the router

This is what I get when trying to SSH to the Switch from the router 

R1#ssh -l cisco 192.168.0.1
%SSH: CBC Ciphers got moved out of default config. Please configure ciphers as required(to match peer ciphers)
[Connection to 192.168.0.1 aborted: error status 0] 



So is it from switch to rtr or rtr to switch or either way?

On the switch, is SSH allowed egress, and can you ping the router from it?
line vty 0 4
transport output ssh

 



Kind Regards
Paul

I will post the sh run info soon.


This is what I get when trying to SSH to the Switch from the router 

 

R1#ssh -l cisco 192.168.0.1
%SSH: CBC Ciphers got moved out of default config. Please configure ciphers as required(to match peer ciphers)
[Connection to 192.168.0.1 aborted: error status 0]   

 

R1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): R1.homemadelab
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCezbfyLO2QimMSIF5pCIPNea0PrwCT5QhRyqLb+q2M
X/S43YBNka793s2XbhrYNah8LfzvXpApRbMYQZsKJTXci4VhOho4BjbuZ5v10AQGbqqmD0cHB9RtzFlW
knzFam+wJEkCLk/91kqIi9suPOlQrsgUPk2EGP4Y2vrMI5obIQ==

 

 

SW1#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDFnejquktVs4GZz2jGunrPJxAItWy1hA7N4b/r6X4g
J5deaDu4prTPMNZhZRCliMICwZYC0UH1yq0EuYxrnDfznvmrQs5Vhgr05ia7Xz0XAudj9GD3yOeft8mx
tPkI3oQoHuo4pYsQYxBiqr0yy6zf+Ek2+lJBiOm1XqV0JFg4ww==

SW1#sh run
Building configuration...

Current configuration : 7040 bytes
!
! Last configuration change at 00:14:43 UTC Mon Mar 1 1993 by cisco
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SW1
!
boot-start-marker
boot-end-marker
!
!
enable password Admin1
!
username cisco password 0 admin
no aaa new-model
switch 1 provision ws-c3750g-48ps
system mtu routing 1500
no ip domain-lookup
ip domain-name homemadelab
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1649750784
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1649750784
revocation-check none
rsakeypair TP-self-signed-1649750784
!
!
crypto pki certificate chain TP-self-signed-1649750784
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363439 37353037 3834301E 170D3933 30333031 30303034
33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36343937
35303738 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C59D E8EABA4B 55B38199 CF68C6BA 7ACF2710 08B56CB5 840ECDE1 BFEBE97E
2027975E 683BB8A6 B4CF30D6 616510A5 88C202C1 9602D141 F5CAAD04 B98C6B9C
37F39EF9 AB42CE55 860AF4E6 26BB5F3D 1702E763 F460F7C8 E79FB7C9 B1B4F908
DE84281E EA38A58B 10631062 AABD32CB ACDFF849 36FA5241 88E9B55E A5742458
38C30203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1484E351 45932C10 B36E4489 71F2EA89 8DBB5777 67301D06
03551D0E 04160414 84E35145 932C10B3 6E448971 F2EA898D BB577767 300D0609
2A864886 F70D0101 05050003 8181005C 0CB72BBB 9907AE7A FBB1A536 B7AED032
E837AAAB C7AEBD56 39F2B49F 5CB610D3 72700ED3 93514DA4 094C10FD 61AD644C
C7C5A1A1 C99C0D5D 9CDD3F43 57966813 8D0B8B3E B3A3AD6F C410F071 9608630E
0EA1CD1A 791F2EF8 77841886 1E5B50FA 8AE56F63 A987F55D 092D99C3 C99CE596
3B2F83BD E10B8759 5AFB5098 03BB8D
quit
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet1/0/1
description Workstation
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet1/0/6
switchport access vlan 4
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/20
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/21
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/22
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/23
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/24
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/25
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/26
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/27
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/28
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/29
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/30
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/31
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/32
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/33
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/34
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/35
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/36
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/37
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/38
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/39
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/40
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/41
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/42
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/43
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/44
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/45
description Trunk-Link-to-SW3
switchport access vlan 99
switchport trunk native vlan 99
!
interface GigabitEthernet1/0/46
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/47
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/48
description Trunk-Link-to-SW2
switchport access vlan 99
switchport trunk native vlan 99
!
interface GigabitEthernet1/0/49
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/50
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/51
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/52
switchport access vlan 99
switchport mode access
!
interface Vlan1
no ip address
!
interface Vlan99
description Management
ip address 192.168.0.1 255.255.255.128
!
ip http server
ip http secure-server
!
!
!
!
!
vstack
!
line con 0
line vty 0 4
login local
transport input ssh
transport output ssh
line vty 5
login local
transport input ssh
line vty 6 15
login
!
end

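The two `sh ip ssh` outputs above list R1's server-side algorithms but nothing for the switch (15.0(2)SE does not print its lists), and R1's running config pins its own SSH client to `3des-cbc` alone. The block below is an added example of mine, not code from the thread or from Cisco, showing how SSH settles each algorithm: per RFC 4253 section 7.1 the winner is the first entry on the client's list that the server also offers, and an empty intersection on any list aborts the session, which IOS reports only as the bare `[Connection to ... aborted: error status 0]` seen here. R1's lists are copied from its output; `ASSUMED_OLD_CLIENT` is an assumption standing in for a client that offers only CBC ciphers and SHA-1 key exchange, not SW1's measured values. `R1_SERVER_WIDENED` shows what happens if CBC ciphers are appended on the server side with `ip ssh server algorithm encryption ...`: interoperability returns, at the price of re-admitting CBC. The `probe()` helper reads a live device's KEXINIT so the assumed lists can be replaced with real ones.

```python
"""Added example (not from the thread): SSH algorithm negotiation per RFC 4253 7.1."""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Name-lists in the order they appear in SSH_MSG_KEXINIT (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
NEGOTIATED_FIELDS = KEXINIT_FIELDS[:8]   # the language lists are optional and may be empty

# R1 as an SSH server, copied from its `sh ip ssh` output (compression assumed "none").
R1_SERVER = {
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"],
    "hostkey": ["x509v3-ssh-rsa", "ssh-rsa"],
    "enc_c2s": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "enc_s2c": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-96"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-96"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
# R1 as an SSH client: `ip ssh client algorithm encryption 3des-cbc` leaves it one cipher.
R1_CLIENT_ENC = ["3des-cbc"]
# ASSUMED old client offering only CBC ciphers and SHA-1 KEX. Stands in for a 3750 on
# 15.0(2)SE, whose `sh ip ssh` prints no lists; these are NOT SW1's measured values.
ASSUMED_OLD_CLIENT = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"],
    "hostkey": ["ssh-rsa"],
    "enc_c2s": ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "enc_s2c": ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"],
    "mac_c2s": ["hmac-sha1", "hmac-sha1-96"],
    "mac_s2c": ["hmac-sha1", "hmac-sha1-96"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
# R1 after `ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc`:
# CTR stays preferred, CBC is re-admitted only for peers that cannot do better.
R1_SERVER_WIDENED = dict(R1_SERVER,
                         enc_c2s=R1_SERVER["enc_c2s"] + ["aes128-cbc", "3des-cbc"],
                         enc_s2c=R1_SERVER["enc_s2c"] + ["aes128-cbc", "3des-cbc"])


def negotiate(client_list, server_list):
    """First algorithm on the client's list that the server also offers, else None."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def negotiate_all(client, server):
    """Apply the rule to every name-list; a None value means the connection is aborted."""
    return {f: negotiate(client.get(f, []), server.get(f, [])) for f in NEGOTIATED_FIELDS}


def failed_fields(result):
    return [f for f in NEGOTIATED_FIELDS if result[f] is None]


def build_kexinit(fields, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload: msg id, 16-byte cookie, ten name-lists, bool, uint32 0."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        s = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(s)) + s
    return out + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Decode a KEXINIT payload back into {field: [algorithms]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, fields = 17, {}                        # skip msg id and cookie
    for name in KEXINIT_FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list %s" % name)
        fields[name] = raw.decode("ascii").split(",") if raw else []
        off += 4 + n
    return fields


def probe(host, port=22, timeout=5.0):
    """Read a live server's banner and KEXINIT. Both cross the wire in the clear before any
    key exchange, so no credentials are needed. Needs a reachable device; not run here."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexprobe\r\n")
        rd = sock.makefile("rb")
        line = rd.readline()
        while line and not line.startswith(b"SSH-"):   # RFC 4253 4.2 allows pre-banner lines
            line = rd.readline()
        packet_len, pad_len = struct.unpack(">IB", rd.read(5))
        body = rd.read(packet_len - 1)                   # payload + padding, no MAC yet
        payload = body[:packet_len - 1 - pad_len]
        return line.rstrip(b"\r\n").decode("ascii", "replace"), parse_kexinit(payload)


if __name__ == "__main__":
    for label, client, server in [("old client -> R1", ASSUMED_OLD_CLIENT, R1_SERVER),
                                  ("old client -> R1 widened", ASSUMED_OLD_CLIENT, R1_SERVER_WIDENED)]:
        res = negotiate_all(client, server)
        print(label, "FAILS on" if failed_fields(res) else "OK", failed_fields(res) or res)
    print("R1 client -> CBC-only server:", negotiate(R1_CLIENT_ENC, ["aes128-cbc", "3des-cbc"]))
```

Running it shows the assumed old client failing against R1 on both encryption lists only (key exchange and MAC still agree), succeeding on `aes128-cbc` against the widened list, and R1's own client agreeing on `3des-cbc` only with a server that still offers it. Measured lists from `probe("192.168.0.5")` should replace the assumption before changing either side's configuration.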
 

Hello,

 

What sometimes helps is to zeroize and then regenerate the RSA key (try different 'modulus' values):

 

R1#conf t

R1(config)#crypto key zeroize rsa

R1(config)#crypto key generate rsa modulus
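Zeroizing and regenerating replaces the host key, so every client that cached the old one (an OpenSSH known_hosts file, or a peer IOS box) will see a mismatch on its next connection. The block below is an added example of mine, not from the thread, that parses the "IOS Keys in SECSH format" block which `show ip ssh` prints; that block is the real public host key, so the new key can be verified out of band and pinned. Run on the two keys quoted earlier in the thread, it also shows that both current host keys are 1024-bit RSA, which is why the `modulus 2048` in the accepted answer is worth doing. The `show ip ssh` text is copied from the thread; the `192.168.0.5` address in the known_hosts line is R1's GigabitEthernet0/1 address from its config. One caveat on regeneration: if the replacement key is generated with a `label`, the IOS SSH server uses it only when `ip ssh rsa keypair-name <label>` points at it; otherwise it keeps looking for the key named after the hostname and domain.

```python
"""Added example (not from the thread): parse the host key that `show ip ssh` prints."""
import base64
import hashlib
import struct

# Copied from the two `sh ip ssh` outputs posted in this thread.
R1_SHOW_IP_SSH = """\
IOS Keys in SECSH format(ssh-rsa, base64 encoded): R1.homemadelab
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCezbfyLO2QimMSIF5pCIPNea0PrwCT5QhRyqLb+q2M
X/S43YBNka793s2XbhrYNah8LfzvXpApRbMYQZsKJTXci4VhOho4BjbuZ5v10AQGbqqmD0cHB9RtzFlW
knzFam+wJEkCLk/91kqIi9suPOlQrsgUPk2EGP4Y2vrMI5obIQ==
"""
SW1_SHOW_IP_SSH = """\
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDFnejquktVs4GZz2jGunrPJxAItWy1hA7N4b/r6X4g
J5deaDu4prTPMNZhZRCliMICwZYC0UH1yq0EuYxrnDfznvmrQs5Vhgr05ia7Xz0XAudj9GD3yOeft8mx
tPkI3oQoHuo4pYsQYxBiqr0yy6zf+Ek2+lJBiOm1XqV0JFg4ww==
"""


def _read_string(buf, off):
    """One SSH 'string' (RFC 4251 section 5): uint32 length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    start = off + 4
    if start + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[start:start + n], start + n


def extract_key_blob(show_ip_ssh_text):
    """Join the base64 that follows 'ssh-rsa ' across IOS's wrapped lines and decode it."""
    lines = [ln.strip() for ln in show_ip_ssh_text.splitlines()]
    for i, ln in enumerate(lines):
        if ln.startswith("ssh-rsa "):
            parts = [ln.split(None, 1)[1]]
            for cont in lines[i + 1:]:
                if not cont or " " in cont:      # blank line or a new prompt ends the wrap
                    break
                parts.append(cont)
            return base64.b64decode("".join(parts), validate=True)
    raise ValueError("no ssh-rsa line in output")


def describe_host_key(show_ip_ssh_text):
    """Type, exponent, modulus size and OpenSSH-style SHA256 fingerprint of the key."""
    blob = extract_key_blob(show_ip_ssh_text)
    ktype, off = _read_string(blob, 0)
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)         # mpint: leading 0x00 when the top bit is set
    if ktype != b"ssh-rsa" or off != len(blob):
        raise ValueError("not a well-formed ssh-rsa public key")
    digest = hashlib.sha256(blob).digest()
    return {
        "type": ktype.decode(),
        "exponent": int.from_bytes(e_raw, "big"),
        "modulus_bits": int.from_bytes(n_raw, "big").bit_length(),
        "sha256": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
        "blob_b64": base64.b64encode(blob).decode(),
    }


def known_hosts_line(address, show_ip_ssh_text):
    """Pinned entry for ~/.ssh/known_hosts, built from the device's own output."""
    info = describe_host_key(show_ip_ssh_text)
    return "%s %s %s" % (address, info["type"], info["blob_b64"])


if __name__ == "__main__":
    for name, text in (("R1", R1_SHOW_IP_SSH), ("SW1", SW1_SHOW_IP_SSH)):
        info = describe_host_key(text)
        print(name, info["type"], info["modulus_bits"], "bits", info["sha256"])
    print(known_hosts_line("192.168.0.5", R1_SHOW_IP_SSH))
```

Compare the printed `SHA256:` value with what `ssh -l cisco 192.168.0.5` shows on first connect; after the keys are regenerated, run `show ip ssh` again and replace the known_hosts line rather than blindly accepting the new fingerprint.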

 
