
3750 ssh problem

psaravanan
Level 1

Hi friend,

I have an issue with SSH on a 3750 switch. I get the following error message while logging in.

*Mar  8 02:20:03.972: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.16.10 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded


*Mar  8 02:20:06.975: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 192.168.16.10 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed.

I get an error message while connecting to the switch through PuTTY.

My switch IOS version is: c3750-ipbasek9-mz.122-50.SE1

Please check the configuration; I have enclosed it.

13 Replies

cadet alain
VIP Alumni

Hi,

Verify PuTTY is not using a wrong user for SSH.

If not, then do a debug ip ssh and debug aaa authentication and post the output here.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

Have you configured an RSA key?
I think that is the problem.
Create an RSA encryption key pair for the router to use for authentication and encryption of the SSH data; below is the right command to enable RSA.

#crypto key generate rsa

Please rate the helpful posts.

Regards,
Naidu.

do a:

show run | begin line c

do you have a:

line vty 0 4

I had the same problem and I only had a 

line vty 5 15 

in my configuration so you can never login until there are 5 sessions already established.  Just add the "line vty 0 4" to your configuration if this is the case, and configure it as required.

I hope this helps.

Hi Alain/Naidu,

Thanks for your reply,

I enabled the debug commands mentioned above, but I do not receive any debug messages while connecting over SSH.

I received the following error message.

*Mar  8 02:20:03.972: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.16.10 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded

*Mar  8 02:20:06.975: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 192.168.16.10 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed.

I had enabled crypto key generate rsa as 1024 bit.

I had tried to zeroise the crypto and regenerate the crypto key; even so, it shows the same message.

Thanks in advance.

Does it work with telnet? The message indicates you have an authentication problem, not a transport problem.

Do you have AAA configured or local username and password?

Hi Ortiz,

Telnet is working fine, but I need SSH authentication.

I configured the same model; another switch is working fine with SSH.

I had tried to reconfigure the switch; even so, the problem is not rectified.

Thanks for your reply,

Saravanan

Hi,

Try adding ip domain-name and test again. Also, try using SSH version 1 (ip ssh version) first, and if it doesn't work, try version 2. Kindly post your show ip ssh and show ssh output. Could you try with another application program and ensure your host PC is using 192.168.16.10 or .12?

Hi John,

I have configured the domain and I can use SSH ver 1 and log in to the switch.

If I enable SSH ver 2 and log in to the switch, it shows the following error and a protocol error.

login as: admin
Using keyboard-interactive authentication.
Password:

Then it disconnects the connection.

The following logs were taken with SSH ver 1.

Core-Sw(config)#do sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

Core-Sw#sh ssh
%No SSHv1 server connections running.
Connection Version Mode Encryption  Hmac         State                 Username
1          2.0     IN   aes256-cbc  hmac-sha1    Session started         admin
1          2.0     OUT  aes256-cbc  hmac-sha1    Session started       admin

I don't know why, with SSH ver 2 enabled, it does not log in.

thanks & regards,

Saravanan.

Hello

Can you increase the SSH time-out value ;-)

you've configured:

ip ssh time-out 3

Could you configure it to value 60?

ip ssh time-out 60

-------------

HTH

plz rate helpful posts

tjroth1987
Level 1

I am getting the same error with the Catalyst 3750X. I am running code 12.2(53r)SE2.

I used the same ssh and AAA configuration for the 3750X as I did on a 2960S. The 2960s ssh works with no issues.

Here are the things I have attempted on the 3750X to fix the issue.

1. Change the timeout

2. Set a proper domain name

3. Zeroize the RSA keys and reapply them

This is what I receive in the logs when I go to log in to the 3750X.

Jun 19 15:01:56.238: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.250.34.125 (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded

Jun 19 15:02:01.254: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from X.X.X.X (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed

The only time I do not get this error is when I quickly enter my username and password. If I let it sit there for 5 seconds or more without entering a username and password, I get the above errors in the log. I also get the attached error message in PuTTY.

Any help is greatly appreciated!

Tim
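
Added example, not part of any post in this thread: a Python log correlator that pairs each failed %SSH-5-SSH2_USERAUTH message with the %SSH-5-SSH2_SESSION request from the same source and tty, then reports whether the username was empty and how many seconds passed in between. The function name, the placeholder year, the 'admin' pair and the shared source address on the Jun 19 pair are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample: the message formats are the ones quoted in this thread;
# the 'admin' pair and the source address on the Jun 19 failure are made up.
SAMPLE_LOG = """\
*Mar  8 02:20:03.972: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.16.10 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
*Mar  8 02:20:06.975: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 192.168.16.10 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed.
Jun 19 15:01:56.238: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.250.34.125 (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
Jun 19 15:02:01.254: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 10.250.34.125 (tty = 1) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
Jun 19 15:10:00.000: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.250.34.125 (tty = 2) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
Jun 19 15:10:08.500: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 10.250.34.125 (tty = 2) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
"""

# Timestamp (optional leading '*'), message kind, optional username, source, tty, result.
LINE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+): "
    r"%SSH-5-SSH2_(?P<kind>SESSION|USERAUTH): "
    r"(?:User '(?P<user>[^']*)' )?.*?from (?P<src>\S+) \(tty = (?P<tty>\d+)\)"
    r".*?(?P<result>Succeeded|Failed)\.?\s*$")

def auth_failures(log_text):
    """Pair each failed USERAUTH with the SESSION request on the same (source, tty)."""
    started, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        # The log lines carry no year; 2000 is a placeholder so deltas can be computed.
        stamp = "2000 " + " ".join(m["ts"].split())
        when = datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f")
        key = (m["src"], m["tty"])
        if m["kind"] == "SESSION":
            started[key] = when
        elif m["result"] == "Failed" and key in started:
            delay = (when - started.pop(key)).total_seconds()
            findings.append({"src": m["src"], "tty": int(m["tty"]),
                             "user": m["user"], "empty_user": m["user"] == "",
                             "delay_s": round(delay, 3)})
    return findings

if __name__ == "__main__":
    for f in auth_failures(SAMPLE_LOG):
        print(f)
```

An empty username with a delay that lines up with a configured timer points at the session being closed before credentials arrived, while a named user points at the credentials or the AAA path.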

It sounds like you have an issue with timing relative to login. Can you post the config?

HTH

Rick


Did anyone find the solution eventually to this problem?

andrianna358
Level 1

I had the same issue and I found the problem. Check your Memory:

SSH Authentication Failure Due to Low Memory Conditions

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080c1e4c6.shtml

SSH Working:
--------------
ASR1#show memory summary
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor  7FE150387010    1160982064     1146067400     14914664    14225352    13918620
lsmpi_io  7FE14FB7E1A8     6295128     6294304         824         824         412

SSH Not Working:
-------------------
ASR2#show memory summary
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor  7FFB6ACB0010    1160982064     1120122056     40860008    29163912    24132068
lsmpi_io  7FFB6A4A71A8     6295128     6294304         824         824         412

If you do not want to proceed with upgrade there is a temporary solution:

aaa memory threshold authentication reject 2

aaa memory threshold accounting disable 1
