SSH connection fails - server refused authentication protocol

erikahess
Level 1

I have a 3845 router. 

  • Setup SSH Version 2
  • generated rsa keys (1024)
  • set login local
  • transport input ssh and telnet are both enabled, since I can't get the ssh connection working

When I connect using SSH, I get the following error.

server refused authentication protocol.

2 Accepted Solutions

Erika,

please consider carefully posting passwords. Even if they are encrypted, those password hashes are very quickly transformed back to clear text......

I see you have ssh enabled on 2 lines at a time - I do not know if this is done on purpose; for security reasons I recommend enabling ssh on just a single line and disabling telnet access completely.

Putting passwords and priv levels in the line config is not good style; aaa methods are a better way.

To put the matter right:

we first create a new strong keypair for your ssh access involving a 2048-bit key, to sleep well at night

conf t
crypto key generate rsa general-keys label modulus 2048
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
!
username privilege 15 password 0
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!!! the next command makes your ssh available at port 2222
!! this is to deny on the firewall ssh standard port 22 as it is a welcome target
!
ip ssh port 2222 rotary 1
ip ssh rsa keypair-name
ip ssh logging events
ip ssh version 2
!
!!!! we now setup the lines from scratch
!!!! first deleting them
no line con 0
no line aux
no line vty 0 4
!
!!!! now the new declarations:
!
line con 0
 speed 115200
line aux 0
line vty 0 4
 rotary 1
 international
 transport input ssh
!

that's it

Regards,

David.

another idea:

did you earlier connect to another device over ssh which had either the same ip address or hostname?

maybe this is a key issue. ttermpro2 knows the old key and tries to exchange with a different machine.

of course this must fail. the same comes to light when the ssh keypair itself is replaced on the router.

try to find the known_host key cache on your ttermpro and either clear it or remove the entries concerning the particular IP or hostname.

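The stale host-key cache described in the post above can be checked rather than guessed at. As an added example that is not part of the thread (and not Tera Term's or Cisco's code), the Python below works on an OpenSSH-format known_hosts file: it finds every entry for a host, including hashed entries and the "[host]:port" form OpenSSH uses for a non-default port such as 2222, reports when two different keys are recorded for the same host, and removes the stale entries the way "ssh-keygen -R" does. The sample file, the address 192.0.2.10 and the key strings are constructed placeholders. Tera Term keeps its own host-key file, so the same check applies there to that file rather than to ~/.ssh/known_hosts.

```python
"""Find and prune stale entries in an OpenSSH-format known_hosts file."""
import base64
import hashlib
import hmac
from typing import Dict, Iterator, List, Set, Tuple


def hashed_host_field(host: str, salt: bytes) -> str:
    """Build the '|1|<salt>|<hmac>' host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field: str, target: str) -> bool:
    """True if a known_hosts host field covers `target`. Plain fields may list
    several names separated by commas; hashed fields are compared via HMAC.
    A host on a non-default port is stored as '[host]:port', so the router on
    port 2222 is a separate entry from the same IP on port 22."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        want = base64.b64decode(mac_b64)
        got = hmac.new(salt, target.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, got)
    return target in field.split(",")


def _entries(text: str) -> Iterator[Tuple[int, str, str, str]]:
    """Yield (line number, host field, key type, key) for each key line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # '@revoked' / '@cert-authority' marker
            fields = fields[1:]
        if len(fields) >= 3:
            yield lineno, fields[0], fields[1], fields[2]


def find_entries(text: str, target: str) -> List[Tuple[int, str, str]]:
    """All (line number, key type, key) entries that name `target`."""
    return [(n, kt, key) for n, hf, kt, key in _entries(text) if host_field_matches(hf, target)]


def has_conflicting_keys(text: str, target: str) -> bool:
    """Two different keys of the same type for one host means one of them is
    stale (an old device at that address, or a regenerated router keypair)."""
    seen: Dict[str, Set[str]] = {}
    for _, kt, key in find_entries(text, target):
        seen.setdefault(kt, set()).add(key)
    return any(len(keys) > 1 for keys in seen.values())


def remove_entries(text: str, target: str) -> str:
    """Drop every entry naming `target` (what 'ssh-keygen -R target' does);
    comments and other hosts are kept."""
    drop = {n for n, _, _ in find_entries(text, target)}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n"


def sample_known_hosts() -> str:
    """Constructed sample, not from the thread: the router at 192.0.2.10 on port
    2222 with an old plain entry and a newer hashed entry holding a different
    key, the same IP on port 22, and an unrelated host. Keys are placeholders."""
    salt = bytes(range(20))  # fixed salt so the sample is reproducible
    return "\n".join([
        "# constructed sample known_hosts",
        "[192.0.2.10]:2222 ssh-rsa AAAAB3OLDKEY==",
        hashed_host_field("[192.0.2.10]:2222", salt) + " ssh-rsa AAAAB3NEWKEY==",
        "router.example.net,192.0.2.10 ssh-rsa AAAAB3OLDKEY==",
        "other.example.net ssh-ed25519 AAAAC3OTHERKEY==",
    ]) + "\n"


if __name__ == "__main__":
    kh = sample_known_hosts()
    target = "[192.0.2.10]:2222"
    print(find_entries(kh, target), has_conflicting_keys(kh, target))
    print(remove_entries(kh, target))
```

Run against the sample, the router on port 2222 turns up twice with two different RSA keys, which is exactly the condition a client refuses on; pruning those two lines leaves the port-22 entry and the unrelated host untouched, so the next connection records the router's current key afresh.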

22 Replies

dese.co.uk
Level 1

Erica,

can you please post the config snippets from your ssh and line section?

Thanks.

David.

can you also post the output of: show ip ssh

looks like a mismatch of ssh version?

Thanks

Ajay 

Ajay,

it could also be a problem with the initiating DH key exchange that happens before the SSH connection is confirmed on both sides.

Another hint could be the keys generated on the router. If they were generated as non-exportable or have not been explicitly assigned to ssh by issuing:

     ip ssh rsa keypair-name

Regards,

David.


HUH!

I made mistake,

please do _N O T_ issue:

no line con 0

in case you are connected with a terminal.

Regards,

D.

I still get the same "server refused authentication protocol" error.

Here's the updated config.

aaa new-model
!
aaa authentication login default local
!
aaa session-id common

#sho ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 2

However, when I entered this:

no line vty 0 4

I got a response:

% Can't delete last 5 VTY lines

Now my lines look like this:

line vty 0 4
 privilege level 15
 password 7
 rotary 1
 international
 transport input ssh
!

Erika,

do you get the error message instantly when you try to connect, or after you typed your login credentials?

you need at least one user on the machine, as SSH requires user + password.

If you do not provide a username, by default the username you logged in with on your workstation is sent to the other ssh side.

Other points to keep an eye on in order to pin down the problem:

- ip inspect configured on the machine?

- do you try to connect over VPN? try to reduce the MTU so that all packets get transmitted.

set up a username with priv level 15 as advised in my previous post and configure your lines anew as follows:

conf t
line vty 0 4
 no privilege level 15
 no password
 transport input ssh
 international
 rotary 1
exit
line con 0
 speed 115200
end
wr
copy run start
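David's two posts above (the full config in the accepted solution and the follow-up line setup here) describe the hardened state. As an added example that is neither the thread's nor Cisco's code, the Python below reads a running-config and flags the weak settings they warn against: telnet allowed alongside ssh on the vty lines, passwords and privilege levels set on the line instead of on a user with AAA, no local privilege-15 user, and SSH version 2 not enforced. The two embedded configs are constructed to resemble the thread's "before" and "after"; the hostname, the usernames, the keypair label sshkey and the REDACTED secrets are placeholders.

```python
"""Audit an IOS running-config against the SSH/VTY points raised in the thread."""
import re
from typing import Dict, List, Tuple


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and the sub-commands of each
    'line ...' / 'interface ...' section. IOS indents sub-commands by one space
    and uses '!' lines as separators."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            current = None
            continue
        if raw[0] in " \t":
            if current is not None:
                sections[current].append(cmd)
        elif cmd.startswith(("line ", "interface ")):
            current = cmd
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections


def audit_ssh_access(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means every check passed."""
    global_cmds, sections = parse_config(text)
    findings: List[str] = []
    if "aaa new-model" not in global_cmds:
        findings.append("global: 'aaa new-model' missing; authentication relies on line passwords")
    if "aaa authentication login default local" not in global_cmds:
        findings.append("global: no 'aaa authentication login default local' method")
    if not any(re.match(r"username \S+ privilege 15 ", c) for c in global_cmds):
        findings.append("global: no privilege-15 local user for SSH logins")
    if "ip ssh version 2" not in global_cmds:
        findings.append("global: 'ip ssh version 2' not set")
    for name, subs in sections.items():
        if not name.startswith("line vty"):
            continue
        transport = next((s.split()[2:] for s in subs if s.startswith("transport input ")), None)
        if transport is None:
            findings.append(f"{name}: no explicit 'transport input ssh'")
        elif transport != ["ssh"]:
            findings.append(f"{name}: transport input allows {' '.join(transport)}; restrict it to ssh")
        for s in subs:
            if s.startswith("password "):
                findings.append(f"{name}: password set on the line; move authentication to AAA")
            elif s.startswith("privilege level "):
                findings.append(f"{name}: privilege level set on the line; set it on the username instead")
    return findings


# Constructed 'before' config resembling the situation described in the thread
# (telnet and ssh both allowed, password and privilege level on the vty line, no AAA).
BEFORE_CONFIG = """
hostname edge-router
!
username operator password 7 REDACTED
!
ip ssh version 2
!
line vty 0 4
 privilege level 15
 password 7 REDACTED
 login local
 transport input telnet ssh
!
"""

# Constructed 'after' config following the advice above: AAA, a privilege-15 user,
# SSHv2 on port 2222 via rotary 1, and vty lines that accept only ssh.
AFTER_CONFIG = """
hostname edge-router
!
aaa new-model
aaa authentication login default local
aaa session-id common
!
username netadmin privilege 15 secret 5 REDACTED
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 2222 rotary 1
ip ssh rsa keypair-name sshkey
ip ssh logging events
ip ssh version 2
!
line con 0
 speed 115200
line vty 0 4
 rotary 1
 transport input ssh
!
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, audit_ssh_access(cfg) or ["OK"])
```

The "before" config produces six findings (no AAA, no privilege-15 user, telnet on the vty lines, and a password and privilege level on the line); the "after" config produces none. Feed it the text of "show running-config" to check a real box the same way.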



I am actually doing this over a VPN, but I'll be in the office in a little bit.  I'll hold off on doing your last suggestions until I get there. 

I do get the message immediately when I connect.  I'm not asked for a user name and password like I get when I telnet in. I do already have 2 users on the router. 

ok.

this makes sense.

can you please provide me the MTU values from your tunnel interface?

Cisco VPN is Layer 2 over IPSec. In some cases the IPSec may cause protocol overhead.

This causes breaks in the connection.

Regards,

David.

The VPN isn't on my equipment, it's been assigned to me by my ISP.  It's an unusual situation, enterprise configuration. 

Now I was surprised when I consoled in - couldn't get in. 

I couldn't get in through Telnet or SSH either.

I connected to the AUX port and finally got in. Then the language was not English.  I removed the International line and got it back to English. 

if you have the router physically available, then try to connect over SSH from the same switch.

If it then lets you in without any interrupt, you have the solution.

you maybe couldn't connect to the console because my sample config changed the speed of the console to 115200.

the value needs to be assigned in your terminal for the serial port.

Regards,

David.

I created a new user.  Tried to connect again, from a switch directly connected to the router.  Still fails.  I do see the SSH authentication challenge window open when I initiate the connection, but the error opens and is the only active window. 

I tried to connect directly to the router, but couldn't get anywhere.  I assigned an IP address to my laptop and did a no shutdown on the interface, but I still couldn't get even to the router.

which program do you have in use on your notebook for the ssh connection?
