Logging - %SSH-3-NO_MATCH: No matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr

jcone
Level 1

So today I had an SSH session going to my ISR 3925 SEC/K9 running IOS version 15.7 and I suddenly lost the connection. When I tried to reconnect I received an error in PuTTY stating that the connection was refused. I quickly obtained a console connection to the device and this log message was logging consistently to the console.

 

%SSH-3-NO_MATCH: No matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr 

 

After re-establishing console access to the device I have tested SSH via a remote site and testing completed successfully.

 

I am the only one who is trying to connect to the device that I am aware of. This log message is awfully troubling to me. Any ideas?

 

 

9 Replies

Reza Sharifi
Hall of Fame

Hi,

Did you recently upgrade the IOS on this router? In some platforms, after an upgrade, SSH becomes unusable and so you have to redo the SSH key to get it working again.

HTH

No I haven’t.


Thanks for the advice Reza.

 

I did regenerate the RSA keys and power cycled the router; this did not help. I disabled SSH as an access protocol on the vty line. The logs are clean now but obviously I do not have remote access to the unit over SSH.

 

 

Hi,

This may be a bug. The only thing I could find is a similar bug but associated with the 7ks and not your platform. Open a ticket with TAC and send them the logs.  This may be a known issue.

 

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCut72659/?rfs=iqvred

 

HTH

I apologize in advance for resurrecting a dead thread.

 

The issue is that PuTTY is attempting to use block-chaining (aes128-cbc) whereas the IOS router is configured to only accept counter mode (aes128-ctr).

 

Either:

  1. Use a newer version of PuTTY that has CTR mode built in.
  2. Configure the IOS router to also offer/accept CBC mode:
    ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr aes256-cbc aes192-cbc aes128-cbc
  3. If using Linux you can specify a cipher to use (if it's not part of the default algorithms offered):
    ssh -c aes128-ctr username@host
  4. If using NX-OS and you can access the bash shell, then you can update the /etc/ssh/ssh_config file to also use other encryption methods.

Hopefully that helps.

 

Cheers
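
Added example, not part of any post in this thread: a small Python parser for the `%SSH-3-NO_MATCH` message that applies the RFC 4253 section 7.1 selection rule (the first cipher on the client's list that the server also lists) to the logged lists and to a proposed server list. The function names and the sample timestamp are constructed for illustration; the cipher lists are the ones quoted in the thread.

```python
import re

# Matches the IOS message quoted in this thread and captures both name-lists.
NO_MATCH = re.compile(
    r"%SSH-3-NO_MATCH: No matching cipher found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

def parse_no_match(line):
    """Return (client_ciphers, server_ciphers), or None if the line is unrelated."""
    m = NO_MATCH.search(line)
    if m is None:
        return None
    return m.group("client").split(","), m.group("server").split(",")

def negotiate(client, server):
    """RFC 4253 7.1: first cipher on the client's list that the server also lists."""
    allowed = set(server)
    for cipher in client:
        if cipher in allowed:
            return cipher
    return None

def explain(line, proposed_server=None):
    """Summarise a NO_MATCH line; optionally test a proposed server cipher list."""
    parsed = parse_no_match(line)
    if parsed is None:
        return None
    client, server = parsed
    result = {
        "client_offers": client,
        "server_accepts": server,
        "agreed_now": negotiate(client, server),
    }
    if proposed_server is not None:
        result["agreed_with_proposed"] = negotiate(client, proposed_server)
    return result

# Constructed sample: the message from the original post with a made-up timestamp.
SAMPLE = ("*Jan  1 00:00:00.000: %SSH-3-NO_MATCH: No matching cipher found: "
          "client aes128-cbc,blowfish-cbc,3des-cbc "
          "server aes128-ctr,aes192-ctr,aes256-ctr")
# Server list from option 2 in the reply above.
OPTION_2 = "aes256-ctr aes192-ctr aes128-ctr aes256-cbc aes192-cbc aes128-cbc".split()

if __name__ == "__main__":
    print(explain(SAMPLE, OPTION_2))
```

With the option 2 list, the logged client settles on `aes128-cbc`: the client's order decides, so listing the CTR ciphers first on the router does not steer a CBC-first client toward CTR.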

Hi Guys,

 

Put the configuration below in place:

ip ssh server algorithm encryption aes128-cbc 3des-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr

 

It worked for me.

 

IOS  Version 15.0(1r)M12 - Router CISCO1905/K9.

Works for me too. Thanks a lot.

Thanks for the insight.  I will look into this one and keep you posted.

jvscampos
Level 1
♥ Solution to the SSH access bug ♥

The error occurs because the operating system cannot settle on a matching encryption profile for the SSH session (a matching cipher).

So you need to set it manually, as I will show below:

Router# ssh -l "your login" -c aes128-ctr -p 22 "IP of the machine you want to access here"

The cipher can be this one: -c aes128-ctr
or it can be any other one shown in the error message that appears for you, for example:

SSH-3-NO_MATCH: No matching cipher found: client
aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr

Then just enter the password and EUREKA!
You did it! :)
