intermittent access issue to ssh vss switch 6500

Hi Team,

 

We have an issue accessing the VSS switch remotely via ssh. It works 1 or 2 times and does not work the 3rd time (or works the 1st time and does not work the 2nd time).

How can we troubleshoot this issue? Can we run any debug on the switch to find any abnormal logs?

We are using CyberArk to connect via ssh to the client network device.

 

Whenever it works, I get a popup first, I click on Yes and I get access to the device.

[Screenshot: SSH issue.PNG]

If the above popup doesn't come up, then that is the time the screen will be blank as below:

[Screenshot: ssh error.PNG]

Regards , 

CK 


balaji.bandi
Hall of Fame

Looks like you have old, configure the below method based on the client and test it:

 

https://nbctcp.wordpress.com/2018/02/01/error-the-first-key-exchange-algorithm-supported-by-the-server-is-diffie-hellman-group1-sha1/

 

6500 - what is the IOS code running?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

SOFTWARE VERSION  : 15.0(1)SY4, RELEASE SOFTWARE (fc3)

Try reconfiguring with higher security as per the link suggested in the above post.

BB


Hello,

 

diffie-hellman-group1-sha1 is considered insecure, that is probably why CyberArk is showing that message.

 

Try to zeroize and regenerate the RSA key on the 6500s, and check if they support 2048 bit encryption:

 

crypto key zeroize rsa

crypto key generate rsa modulus 2048

We are facing this problem only with the 6500 VSS switch.

ssh works for the below switch, model C3750G, which probably has 1024 bit encryption and uses diffie-hellman-group1-sha1.

Model : WS-C3750G-24PS

 

SWITCH_WORKING_ONE>show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDBl+UUWZXxWKp2SsNF90XQSluprhrUxQsVQ87c+TGy
euPFmTVkAZdmHibTghgR4zmX2cgLn94MkTcQEd0yUtvWzrJbdvQ/Vb4q5FbZhR4AQqegGE8vfeLm/Sv3
b1ZimOwaCq+sC/oj0XThHgfQbN81QsvTyAbSDLIMZjUsq+D1Vw==

 

 

What will be the impact of doing this?

Changing the ssh with higher encryption: not a major effect, but good to do in a maintenance window if you have a concern. The version of code running, you can change it.

BB

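The guess in the thread that the working 3750G has a 1024-bit key can be checked from the `show ip ssh` output itself. The following is an added example, not part of any reply in this thread: it parses that output, decodes the ssh-rsa blob, and flags a Diffie-Hellman floor or RSA host key below 2048 bits. The `MIN_BITS` threshold, the function names and the sample key are assumptions constructed for illustration.

```python
import base64
import re
import struct

MIN_BITS = 2048  # assumed floor, matching the 2048-bit modulus suggested in the thread

def _field(buf, off):
    """Read one length-prefixed field (RFC 4253 string/mpint) from the blob."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def rsa_modulus_bits(b64):
    """Return the RSA modulus size in bits from an ssh-rsa public key blob."""
    buf = base64.b64decode(b64, validate=True)
    ktype, off = _field(buf, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    _exp, off = _field(buf, off)   # public exponent, not needed here
    mod, _ = _field(buf, off)      # modulus, possibly with a leading 0x00
    return int.from_bytes(mod, "big").bit_length()

def audit_show_ip_ssh(text):
    """Extract the DH floor and host key size from 'show ip ssh' output."""
    dh = re.search(r"Diffie Hellman key size\s*:\s*(\d+)\s*bits", text)
    dh_bits = int(dh.group(1)) if dh else None
    blob, collecting = "", False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("ssh-rsa "):
            blob, collecting = line.split(None, 1)[1], True
        elif collecting and re.fullmatch(r"[A-Za-z0-9+/=]+", line):
            blob += line  # IOS wraps the key across several lines
        else:
            collecting = False
    rsa_bits = rsa_modulus_bits(blob) if blob else None
    findings = [f"{name} {bits} bits < {MIN_BITS}"
                for name, bits in (("DH minimum", dh_bits), ("RSA host key", rsa_bits))
                if bits is not None and bits < MIN_BITS]
    return {"dh_bits": dh_bits, "rsa_bits": rsa_bits, "findings": findings}

def constructed_sample(bits=1024, dh=1024):
    """Build fake 'show ip ssh' output; the key is constructed, not a real host key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = "ssh-rsa " + base64.b64encode(s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(n)).decode()
    wrapped = "\n".join(key[i:i + 80] for i in range(0, len(key), 80))
    return (f"SSH Enabled - version 2.0\nMinimum expected Diffie Hellman key size : {dh} bits\n"
            f"IOS Keys in SECSH format(ssh-rsa, base64 encoded):\n{wrapped}\n")
```

Pass the real `show ip ssh` output to `audit_show_ip_ssh()` before and after regenerating the key to confirm that the host key size actually changed.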