Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1642
Views
0
Helpful
2
Replies

Catalyst 9300 - %SSH: Failed to encode IOS ASN.1 to SECSH format

Craig Hunt
Level 1
Level 1

‎04-17-2020 07:49 AM

I am having an issue configuring SSH on a Catalyst 9300 switch. IOSXE 16.6.3.

After generating the RSA, SSH gets enabled but I see "%SSH: Failed to encode IOS ASN.1 to SECSH format" in the output of 'show ip ssh'.  I have tried regenerating the key multiple times with various modulus sizes (1024,2048,4096) without any luck.  I have tried re-entering the hostname and domain-name and it still doesn't work.  I have also tried reverting back and forth between ssh v1.99 and v2.

 

SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): myhostname.mydomain-name
%SSH: Failed to encode IOS ASN.1 to SECSH format

 

I've also noticed that on the "IOS Keys in SECSH format" line, it has my hostname.domain-name combintation.  On all the other switches in our environment (200+ of them) it shows as either blank or "TP-self-signed-".

Labels:
0 Helpful
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎04-17-2020 07:55 AM

i found some bug related kind  before not sure is this resolve yet

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuu89120/?referring_site=bugquickviewredir

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Craig Hunt
Level 1
Level 1
In response to balaji.bandi

‎04-17-2020 08:00 AM - edited ‎04-17-2020 08:03 AM

Thanks @balaji.bandi. Unfortunately there is no workaround in that bug report. I am hoping there are some steps to resolve the issue.
I forgot to mention, too, that I have tried to zeroize the keys but still get the error after regenerating them.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card