Catalyst 9300 - %SSH: Failed to encode IOS ASN.1 to SECSH format
I am having an issue configuring SSH on a Catalyst 9300 switch. IOSXE 16.6.3.
After generating the RSA, SSH gets enabled but I see "%SSH: Failed to encode IOS ASN.1 to SECSH format" in the output of 'show ip ssh'. I have tried regenerating the key multiple times with various modulus sizes (1024,2048,4096) without any luck. I have tried re-entering the hostname and domain-name and it still doesn't work. I have also tried reverting back and forth between ssh v1.99 and v2.
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): myhostname.mydomain-name
%SSH: Failed to encode IOS ASN.1 to SECSH format
I've also noticed that on the "IOS Keys in SECSH format" line, it has my hostname.domain-name combination. On all the other switches in our environment (200+ of them) it shows as either blank or "TP-self-signed-".
Thanks @balaji.bandi. Unfortunately there is no workaround in that bug report. I am hoping there are some steps to resolve the issue. I forgot to mention, too, that I have tried to zeroize the keys but still get the error after regenerating them.