SSH Error - Failed to Encode IOS

ronaldvg
Level 1

Hi - SSH suddenly stopped working on our ASR 1001-x. 

 

Investigating showed the following:

sho ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): VA.CPCH.HQ.ASR.esvc.us
%SSH: Failed to encode IOS ASN.1 to SECSH format

 

We tried to zero the existing key and regenerate a new key. No change. Rebooted the ASR, no change. Telnet works so we are not dead in the water, but we really want to restore SSH access for obvious reasons.

Any help appreciated

Thank you

Ronald

15 Replies

Hi Ronald,

Have you tried enabling SSH version 2?

 

conf t

ip ssh version 2




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Yes, and ip ssh ver 1, neither makes any difference.

Thank you 

Do you see any error like the one shown at this link?

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu89120/?referring_site=bugquickviewredir




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Hi Julio 

 

No, there are no errors in the log file. 

Perhaps of interest too is that this issue prevents the SSH server process from starting on the ASR.

 

We are running Version 03.16.03.S on both our ASRs. The 2nd one has been working just fine.

Hi

Try to create a key of 1024 or +

crypto key generate rsa 1024 or 2048




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Alas, tried that too. Zeroized the key first, generated a 512-bit key, didn't work; zeroized, generated a 2048-bit key, didn't work; generated a 1024-bit key, still nothing.

Again, there are no errors shown when I generate the key, except that the key doesn't appear to get installed, which then prevents the SSH server process from starting.

Hi,

I have the same problem as described, but no solution 

 

conf t
ip domain-name mydomain.net
crypto key generate rsa
2048
ip ssh version 2
line vty 0 4
transport input ssh

login local

username admin *****

 

My telnet connection is working fine and I tried to activate SSH2 but cannot either.

 

SW236VLAN109#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-2020043264
%SSH: Failed to encode IOS ASN.1 to SECSH format

 

When I tried SSH2 with the right password:

 

Using username "admin".
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:

 

 

Did anyone find an answer for this???

Hi Ronaldvg,

 

Just wanted to make sure whether you are trying this on a virtual platform like GNS3 or EVE?

 

Regards, 

Saurabh Dhakate

No, we did this directly on the ASR

Thanks
Ronald

Sriki
Level 1

Has anyone got the solution for this problem?

I'm also waiting for the update, got the same problem

shottadrae
Level 1

I just had this same issue after adding ssh to a switch. 

 

%SSH: Failed to encode IOS ASN.1 to SECSH format

 

In the logs it showed me trying to connect without a user name. I have logging on for ssh.

 

ip ssh logging 

 

Dec 18 13:35:29.397: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 10.10.10.10 (tty = 1) using crypto cipher 'aes256-ctr', hmac 'hmac-sha1' Failed

 

Turns out my SSH config was fine; it was my RADIUS configuration, I had the wrong key. After changing the key and then connecting to the device, that error went away. Hope that leads you in the right direction.
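
A small parser for the %SSH-5-SSH2_USERAUTH message quoted in the post above, added here as an example; it is not part of the original thread and is not Cisco tooling. It groups failed SSH2 logins by source and separates the empty-username failures the poster saw from named-user failures; the function names, the extra sample lines, the 192.0.2.x addresses and the 'Succeeded' result word are assumptions.

```python
import re
from collections import defaultdict

# Field layout taken from the %SSH-5-SSH2_USERAUTH line quoted in the post above.
USERAUTH_RE = re.compile(
    r"%SSH-5-SSH2_USERAUTH: User '(?P<user>[^']*)' authentication for SSH2 "
    r"Session from (?P<src>\S+) \(tty = (?P<tty>\d+)\) using crypto cipher "
    r"'(?P<cipher>[^']*)', hmac '(?P<hmac>[^']*)' (?P<result>\w+)"
)

# Line 1 is the message from the post; the rest are constructed for this example
# (the 'Succeeded' result word and the 192.0.2.x addresses are assumptions).
SAMPLE_LOG = [
    "Dec 18 13:35:29.397: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 10.10.10.10 (tty = 1) using crypto cipher 'aes256-ctr', hmac 'hmac-sha1' Failed",
    "Dec 18 13:35:41.102: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 10.10.10.10 (tty = 1) using crypto cipher 'aes256-ctr', hmac 'hmac-sha1' Failed",
    "Dec 18 13:40:02.550: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 192.0.2.7 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Failed",
    "Dec 18 13:41:10.008: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 192.0.2.7 (tty = 2) using crypto cipher 'aes128-ctr', hmac 'hmac-sha1' Succeeded",
    "Dec 18 13:42:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]

def parse_userauth(line):
    """Return the message fields as a dict, or None for unrelated log lines."""
    m = USERAUTH_RE.search(line)
    return m.groupdict() if m else None

def failed_auth_by_source(lines):
    """Count failed SSH2 authentications per source, split by empty vs named user."""
    stats = defaultdict(lambda: {"empty_user": 0, "named_user": 0, "users": set()})
    for line in lines:
        ev = parse_userauth(line)
        if ev is None or ev["result"] != "Failed":
            continue
        entry = stats[ev["src"]]
        if ev["user"]:
            entry["named_user"] += 1
            entry["users"].add(ev["user"])
        else:
            entry["empty_user"] += 1
    return dict(stats)

def sources_with_empty_user_failures(lines):
    """Sources whose failures carry no username, the pattern reported in the post."""
    return sorted(s for s, e in failed_auth_by_source(lines).items() if e["empty_user"])

if __name__ == "__main__":
    for src, entry in sorted(failed_auth_by_source(SAMPLE_LOG).items()):
        print(src, entry)
```
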

Having the same issue with an ASR 920. Anybody have a solution to this issue?