So today I had an SSH session going to my ISR 3925 SEC/K9 running IOS version 15.7 and I suddenly lost the connection. When I tried to reconnect I received the error in Putty stating that the connection was refused. I quickly obtained a console connection to the device and this log message was logging consistently to the console.
%SSH-3-NO_MATCH: No matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr
After re establishing console access to the device I have tested the ssh via a remote site and testing completed successfully.
I am the only one who is trying to connect to the device that I am aware of. This log message is awfully troubling to me, any ideas?
Did you recently upgrade the IOS on this router? In some platforms, after an upgrade, SSH becomes unusable and so you have to redo the SSH key to get it working again.
Thanks for the advise Reza.
I did regenerate the RSA keys and power cycled the router, this did not help. I Disabled SSH as an access protocol on the the vty line. The logs are clean now but obviously I do not have remote access to the unit over ssh.
This may be a bug. The only thing I could find is a similar bug but associated with the 7ks and not your platform. Open a ticket with TAC and send them the logs. This may be a known issue.
I apologize in advance for resurrecting a dead thread..
The issue is that PuTTY is attempting to use block-chaining (aes128-cbc) whereas the IOS router is configured to only accept counter mode (aes128-ctr).
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr aes256-cbc aes192-cbc aes128-cbc
ssh -c aes128-ctr username@host
Hopefully that helps.
Take in place the configuration below:
ip ssh server algorithm encryption aes128-cbc 3des-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
It worked for me.
IOS Version 15.0(1r)M12 - Router CISCO1905/K9.