Can not ssh to other devices from 3850 switch

Mark_Zhang
Level 1

Hi there,

I'm not able to ssh to other devices using the 3850 Switch as the SSH client.

PS: the 3850 switch IOS version is 16.3.5b (ssh client); the ssh server is an ASA (9.6.3).

Below is the Syslog:

How can I solve it?


Hi

The SSH configuration should be:

conf t
hostname <name of the device>
ip domain name <domain.com example>
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 120
crypto key generate rsa <enter and type 1024 at least>

* if you are going to create local credentials *
username <user> privilege 15 password <password>

line vty 0 15
login local
transport input ssh

* Do you have any ACL to allow just specific IP addresses to manage the devices? * The trouble could be caused because the terminal does not support the version configured; if you are using PuTTY, check the version configured in the settings on the left.

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Hello,

in addition to Julio's remarks, what IP address are you using for SSH access? The HSRP log message indicates that there is a mismatch between the configured authentication parameters. Are you using the standby IP to access the switch?

Also, make sure the modulus (1024 or 2048) matches on both sides (the ASA and the 3850). Try 1024 first...

Deepak Kumar
VIP Alumni

It appears the client is set up to only accept advanced (Next Generation Encryption - NGE) cryptographic algorithms and the server offers a public key using the older RSA encryption method. The mismatch causes the attempted connection to fail.

Either the client needs to relax the requirements or a new public key needs to be generated on the server.

Reference:

https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116055-technote-ios-crypto.html

And I am not sure about your IOS version. There is a bug reported for the same:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc96144/?referring_site=bugquickviewredir

My suggestion is that you please regenerate the key with 1024 bits.

Regards,
Deepak Kumar
Don't forget to vote and accept the solution if this comment will help you!

First of all, thank you for your advice. Since the 3850 Switch is our core switch, and if we want to log in to other devices I must use the 3850 Switch as the SSH client (this is our company policy T_T), I prefer to relax the requirements of the SSH client (3850 Switch). But I don't know how to configure it; could you please give me some hints?

Your Switch configuration as below:

conf t
hostname <hostname of device>
ip domain name <yourdomain.com example>
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 120
crypto key generate rsa <enter and type 1024 at least>

line vty 0 15
login local
transport input ssh
transport output ssh <<edited>>

Make sure you have a local account for the emergency recovery process and AAA configuration on the Switch.

Regards,
Deepak Kumar

Thank you, I'll try it tomorrow.


@Deepak Kumar wrote:

Your Switch configuration as below:

conf t
hostname <hostname of device>
ip domain name <yourdomain.com example>
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 120
crypto key generate rsa <enter and type 1024 at least>

line vty 0 15
login local
transport input ssh

Make sure you have a local account for the emergency recovery process and AAA configuration on the Switch.

Regards,
Deepak Kumar



Hello Deepak

To allow outbound ssh connections from the switch, it should be:

transport output ssh

Res
Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yeah, I missed that. Thanks for the update.

Regards,
Deepak Kumar

It doesn't work for our situation

Hello

Just like to add -

Worth checking to see if the switch is allowing | denying ssh outbound:

sh run | be vty

You should at least have:

line vty xx
transport output ssh

Res
Paul
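The checks Julio, Deepak and Paul describe (ip ssh version 2, a domain name for key generation, and transport input/output ssh on the vty lines) can be run mechanically over a saved running-config. The script below is an added example and is not code from the forum thread or from Cisco; the sample config is constructed, and the audit treats a vty block without an explicit "transport output ssh" as a finding because platform defaults for the output transport vary, so confirm with "show line vty 0" on the real device.

```python
"""Audit an IOS-style running-config for the SSH-client prerequisites
discussed in the thread.  Constructed sample; not taken from the post."""

# Constructed sample running-config: vty 0-4 lacks "transport output ssh".
SAMPLE_CONFIG = """\
hostname CORE-3850
ip domain name example.test
ip ssh version 2
ip ssh time-out 120
ip ssh authentication-retries 3
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
 transport output ssh
!
end
"""


def parse_line_sections(config):
    """Return {'line vty 0 4': [child commands], ...} for each 'line' block.

    IOS indents the commands that belong to a line block by one space; any
    non-indented line (including '!') closes the current block.
    """
    sections = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def audit_ssh_client(config):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    top_level = [l.strip() for l in config.splitlines() if not l.startswith(" ")]

    if "ip ssh version 2" not in top_level:
        findings.append("ip ssh version 2 not configured")
    if not any(l.startswith(("ip domain name ", "ip domain-name ")) for l in top_level):
        findings.append("no domain name; RSA key generation requires one")

    for header, children in parse_line_sections(config).items():
        if not header.startswith("line vty"):
            continue
        # Outbound SSH from the switch needs the output transport to allow ssh.
        if "transport output ssh" not in children and "transport output all" not in children:
            findings.append(f"{header}: transport output ssh missing (outbound SSH blocked)")
        if "transport input ssh" not in children:
            findings.append(f"{header}: transport input ssh missing")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_client(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of "show running-config" saved to a file; each finding names the vty range so the fix can be applied to exactly that block.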

I've tried it, but it doesn't work.

Please attach the configuration and the command output "Error" which you got during the configuration.

Regards,
Deepak Kumar

@Mark_Zhang

Are you able to ping the Switch management IP from the 3850? I assume you are using the same network segment to manage the devices. Also try to remove the key pair using the crypto key zeroize rsa from console and set the crypto key generate rsa, again. 

Eric101
Level 1

From my understanding of your situation, you're currently unable to connect to the ASA via SSH from your 3850 switch, due to the SSH KEX errors.
As seen in your logs, the 3850 (client) is negotiating diffie-hellman-group-exchange-sha1 and the ASA (server) is sending diffie-hellman-group1-sha1, which are not the same.
Either the switch or the server is sending incorrect values.

I'd suggest modifying your ssh client ciphers on both the switch and the ASA to a matching supported value which would be a DH group14 KEX algorithm looking at my ASA running 9.6 and switch running 16.3.6

On the ASA
config t
ssh key-exchange-group dh-group14-sha1
end

On the 3850
conf t
ip ssh client algorithm kex diffie-hellman-group14-sha1
end

And ensure that the RSA key is at least 2048 bits long (longer is better). I would re-generate the keys on both sides to make sure.
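Eric's diagnosis rests on how SSH picks a key-exchange algorithm: each side sends its name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1), and the chosen algorithm is the first entry in the client's list that the server also lists; if there is none, the connection fails before authentication. The script below is an added example, not code from the thread or from Cisco: it builds and parses a KEXINIT payload and runs that selection rule. The "before" and "after" name-lists are assumptions modelled on the thread (client offering only group-exchange-sha1 against a server offering only group1-sha1, then both including group14-sha1 after the configuration change); real devices advertise longer lists.

```python
"""SSH KEXINIT parsing and algorithm negotiation (RFC 4253 section 7.1).
Added example; the name-lists below are constructed from the thread's
description and are not captured from a real ASA or 3850."""
import struct

SSH_MSG_KEXINIT = 20


def build_kexinit(kex, host_key, enc, mac, comp):
    """Build a minimal KEXINIT payload from name-lists (test fixture)."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data   # uint32 length + names

    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)    # 16-byte cookie (zeros here)
    # Ten name-lists in wire order: kex, host key, enc c2s/s2c, mac c2s/s2c,
    # compression c2s/s2c, language c2s/s2c.
    for lst in (kex, host_key, enc, enc, mac, mac, comp, comp, [], []):
        payload += name_list(lst)
    payload += b"\x00"                  # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)     # reserved (always 0)
    return payload


def parse_kexinit(payload):
    """Decode a KEXINIT payload into its name-lists."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 17  # message type byte + 16-byte cookie
    fields = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    out = {}
    for name in fields:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        out[name] = raw.split(",") if raw else []   # empty list is a legal value
    out["first_kex_packet_follows"] = bool(payload[pos])
    return out


def negotiate(client_list, server_list):
    """First client-preferred algorithm the server also supports, else None."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def diagnose(client_kex, server_kexinit_payload):
    """Return (chosen_kex_or_None, client_list, server_list) for a proposal."""
    server_kex = parse_kexinit(server_kexinit_payload)["kex"]
    return negotiate(client_kex, server_kex), list(client_kex), server_kex


# Assumed lists modelled on the thread (not real captures).
CLIENT_KEX_BEFORE = ["diffie-hellman-group-exchange-sha1"]
SERVER_KEXINIT_BEFORE = build_kexinit(
    ["diffie-hellman-group1-sha1"], ["ssh-rsa"], ["aes128-ctr"], ["hmac-sha1"], ["none"])

# After "ssh key-exchange-group dh-group14-sha1" on the ASA and
# "ip ssh client algorithm kex diffie-hellman-group14-sha1" on the 3850.
CLIENT_KEX_AFTER = ["diffie-hellman-group14-sha1"]
SERVER_KEXINIT_AFTER = build_kexinit(
    ["diffie-hellman-group14-sha1"], ["ssh-rsa"], ["aes128-ctr"], ["hmac-sha1"], ["none"])


if __name__ == "__main__":
    for label, client, server in (("before", CLIENT_KEX_BEFORE, SERVER_KEXINIT_BEFORE),
                                  ("after", CLIENT_KEX_AFTER, SERVER_KEXINIT_AFTER)):
        chosen, c, s = diagnose(client, server)
        print(f"{label}: client {c} / server {s} -> "
              f"{'KEX failure' if chosen is None else 'negotiated ' + chosen}")
```

With the "before" lists the intersection is empty and the function returns None, which is the condition behind the KEX error in the logs; with both sides listing group14-sha1 it returns that algorithm. The same selection rule applies to the cipher and MAC lists, so it can be reused when a later mismatch appears in those fields.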