
SSH "No matching kex algorithm found"

The 9407 and 3750 are directly connected.
SSH access fails due to an algorithmic issue.
Please advise.

9407#

C9407#ssh -l admin 192.168.10.10
[Connection to 192.168.10.10 aborted: error status 0]
C9407#
Jan 18 10:39:49.478: %SSH-3-NO_MATCH: No matching kex algorithm found: client curve25519-sha256@libssh.org,ecdh-sha1
C9407#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-52
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
KEX Algorithms:curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): SLA-KeyPair
Modulus Size : 2048 bits

3750#

C3750E#ssh -l admin 192.168.10.1
[Connection to 192.168.10.1 aborted: error status 0]
Jan 17 05:48:23.437: SSH2 CLIENT 0: no matching cipher found: client aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc server chacha20-poly1305@openssh.com,

C3750E#ssh -l admin -c aes128-cbc 192.168.10.1
Jan 17 06:20:18.528: SSH2 CLIENT 0: no matching cipher found: client aes128-cbc server chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-g

C3750E#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3

 

Accepted Solutions

Hello,

It's likely your devices are supporting several different kinds of kex algorithms but none of them are the same. Try this:

conf t

ip ssh client algorithm kex ?

And see which type both devices support. Then configure that and see if it allows you to login with the matching kex algorithms.

Be advised when enabling certain types of algorithms to abide by your company's security policies. Some may be unauthorized.

 

-David
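
The comparison suggested above, as an added example that is not part of the original thread: it parses the 9407's "sh ip ssh" output and the two log lines from the question, then applies the SSH rule that the first algorithm on the client's list that the server also supports is chosen. The function and variable names are hypothetical; the algorithm lists are copied from the post.

```python
import re

# "sh ip ssh" lines from the C9407 in the post (it is the server when the 3750 connects).
SHOW_IP_SSH_9407 = """\
Encryption Algorithms:chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
KEX Algorithms:curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
"""
# Log lines from the post: 3750 as client (list is complete), 9407 as client (cut off by the logger).
LOG_3750 = ("SSH2 CLIENT 0: no matching cipher found: client "
            "aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc server chacha20-poly1305@openssh.com,")
LOG_9407 = ("%SSH-3-NO_MATCH: No matching kex algorithm found: client "
            "curve25519-sha256@libssh.org,ecdh-sha1")

def parse_show_ip_ssh(text):
    """Return {category: [algorithms in preference order]} from 'show ip ssh' output."""
    lists = {}
    for line in text.splitlines():
        m = re.match(r"(Encryption|MAC|KEX|Hostkey) Algorithms:(\S+)", line)
        if m:
            lists[m.group(1).lower()] = [a for a in m.group(2).split(",") if a]
    return lists

def parse_client_offer(log_line):
    """Return (client list, complete?) from a 'no matching ... found: client ...' line."""
    m = re.search(r"found: client (\S+)( server )?", log_line)
    if not m:
        return [], False
    algos = [a for a in m.group(1).split(",") if a]
    complete = m.group(2) is not None  # a following "server" part means the list was not cut
    # If the line was cut, the last name may be partial, so drop it rather than trust it.
    return (algos if complete else algos[:-1]), complete

def negotiate(client, server):
    """RFC 4253 section 7.1 rule for ciphers and MACs: first client entry the server supports."""
    return next((a for a in client if a in server), None)

def explain(category, client, server):
    chosen = negotiate(client, server)
    if chosen:
        return f"{category}: negotiates {chosen}"
    return f"{category}: no common algorithm (client {client}, server {server})"

if __name__ == "__main__":
    server = parse_show_ip_ssh(SHOW_IP_SSH_9407)
    offer, _ = parse_client_offer(LOG_3750)
    print(explain("encryption", offer, server["encryption"]))
```
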


The 3750 does not support the

ip ssh server and ip ssh client 

commands.
We don't know if other versions support the algorithm, but we don't have a way to find out at this time.
