11-17-2011 10:31 AM - edited 03-07-2019 03:27 AM
I have a 3845 router.
When I connect using SSH, I get the following error.
server refused authentication protocol.
11-17-2011 12:12 PM
Erika,
please consider carefully before posting passwords. Even if they are encrypted, those password hashes are very quickly transformed back to clear text.
I see you have ssh enabled on 2 lines at a time - I do not know if this is done on purpose; for security reasons I recommend enabling ssh on just a single line and disabling telnet access completely.
Putting passwords and priv levels in the line config is not a good style, aaa methods are a better way.
To put the matter right:
we first create a new strong keypair for your ssh access involving a 2048-bit key to sleep well at night
conf t
crypto key generate rsa general-keys label
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
!
username
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!!! the next command makes your ssh available at port 2222
!! this is so that the standard ssh port 22 can be denied on the firewall, as it is a welcome target
!
ip ssh port 2222 rotary 1
ip ssh rsa keypair-name
ip ssh logging events
ip ssh version 2
!
!!!! we now set up the lines from scratch
!!!! first deleting them
no line con 0
no line aux
no line vty 0 4
!
!!!! now the new declarations:
!
!
!
line con 0
speed 115200
line aux 0
line vty 0 4
rotary 1
international
transport input ssh
!
that's it
Regards,
David.
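As an added illustration (not code from the thread, from Cisco, or from David), here is a small Python audit that checks a saved IOS config for the points the solution above enforces: aaa with a username instead of passwords on the line, ip ssh version 2, transport input ssh only, and a vty rotary group that matches ip ssh port ... rotary. The sample config is constructed; the username and secret are placeholders.

```python
# Constructed sample that follows David's advice (not config from the thread); user and secret are placeholders.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default local
username admin privilege 15 secret PLACEHOLDER
ip ssh port 2222 rotary 1
ip ssh version 2
line vty 0 4
 rotary 1
 transport input ssh
!
"""

def parse_config(text):
    """Split IOS config into top-level commands and the sub-commands of each 'line' section."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if raw.startswith(" "):  # indented command belongs to the open 'line' section
            if current:
                sections[current].append(cmd)
        elif cmd.startswith("line "):
            current, sections[cmd] = cmd, []
        elif cmd and cmd != "!":
            current = None
            top.append(cmd)
    return top, sections

def audit_ssh(text):
    """Return the SSH hardening gaps David raised; an empty list means all checks pass."""
    top, sections = parse_config(text)
    findings = []
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: login relies on line passwords")
    if not any(c.startswith("username ") for c in top):
        findings.append("no username configured: SSH login needs a user account")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not forced: SSHv1 still negotiable")
    # 'ip ssh port N rotary R' only takes effect on vty lines that carry the same rotary group
    rotary = next((c.split()[-1] for c in top if c.startswith("ip ssh port ") and " rotary " in c), None)
    for name, cmds in [s for s in sections.items() if s[0].startswith("line vty")]:
        if any(c.startswith("password") for c in cmds):
            findings.append(f"{name}: password on the line, use aaa + username instead")
        if "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input not restricted to ssh")
        if rotary and f"rotary {rotary}" not in cmds:
            findings.append(f"{name}: missing rotary {rotary} to match ip ssh port")
    return findings
```

Run audit_ssh() on the output of show running-config; the vty block Erika posted later in the thread (password on the line, telnet still allowed) produces findings, the hardened sample produces none.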
11-17-2011 03:58 PM
another idea:
did you earlier connect to another device over ssh which had either the same ip address or hostname?
maybe this is a key issue. ttermpro2 knows the old key and tries to exchange with a different machine.
of course this must fail. the same comes to light when the ssh keypair itself is replaced on the router.
try to find the known_host key cache on your ttermpro and either clear it or remove the entries concerning
the particular IP or hostname.
11-17-2011 10:51 AM
Erica,
can you please post the config snippets from your ssh and line section?
Thanks.
David.
11-17-2011 11:22 AM
can you also post the output of: show ip ssh
looks like a mismatch of ssh version?
Thanks
Ajay
11-17-2011 11:51 AM
Ajay,
it could also be a problem with the initiating DH Key-Exchange that happens before the SSH-Connection is confirmed on both sides.
Another hint could be the keys generated on the router. If they were generated as non-exportable or have not been explicitly assigned to ssh by issuing:
ip ssh rsa keypair-name
Regards,
David.
11-17-2011 12:26 PM
HUH!
I made a mistake,
please do _N O T_ issue:
no line con 0
in case you are connected with a terminal.
Regards,
D.
11-17-2011 01:38 PM
I still get the same error: server refused authentication protocol.
Here's the updated config.
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
#sho ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 2
However, when I entered this:
no line vty 0 4
I got a response:
% Can't delete last 5 VTY lines
Now my lines look like this:
line vty 0 4
privilege level 15
password 7
rotary 1
international
transport input ssh
!
11-17-2011 01:55 PM
Erika,
do you get the error message instantly when you try to connect or after you typed your login credentials?
you need at least one user on the machine as SSH requires User+Password.
If you do not provide a username, by default the username you logged in with on your workstation is
sent to the other ssh side.
Other points to turn an eye to in order to target the problem:
- ip inspect configured on the machine?
- do you try to connect over VPN? try to reduce the MTU so that all packets get transmitted.
set up a username with priv level 15 as advised in my previous post and configure your lines anew as follows:
conf t
line vty 0 4
no privilege level 15
no password
transport input ssh
international
rotary 1
exit
line con 0
speed 115200
end
wr
copy run start
11-17-2011 02:13 PM
I am actually doing this over a VPN, but I'll be in the office in a little bit. I'll hold off on doing your last suggestions until I get there.
11-17-2011 02:23 PM
I do get the message immediately when I connect. I'm not asked for a user name and password like I get when I telnet in. I do already have 2 users on the router.
11-17-2011 02:30 PM
ok.
this makes sense.
can you please provide me the MTU values from your tunnel interface?
Cisco VPN is Layer 2 over IPSec. IPSec may in some cases cause protocol overhead.
This causes breaks in the connection.
Regards,
David.
11-17-2011 03:26 PM
The VPN isn't on my equipment, it's been assigned to me by my ISP. It's an unusual situation, enterprise configuration.
Now I was surprised when I consoled in - couldn't get in.
I couldn't get in through Telnet or SSH either.
I connected to the AUX port and finally got in. Then the language was not English. I removed the International line and got it back to English.
11-17-2011 03:33 PM
if you have the router physically available, then try to connect over SSH from the same switch.
If it then lets you in without any interrupt, you have the solution.
maybe you couldn't connect to the console because my sample config changed the speed of the console to 115200.
the value needs to be assigned in your terminal for the serial port.
Regards,
David.
11-17-2011 03:49 PM
I created a new user. Tried to connect again, from a switch directly connected to the router. Still fails. I do see the SSH authentication challenge window open when I initiate the connection, but the error opens and is the only active window.
I tried to connect directly to the router, but couldn't get anywhere. I assigned an IP address to my laptop and did a no shutdown on the interface, but I still couldn't get even to the router.
11-17-2011 03:53 PM
which program do you have in use on your notebook for the ssh connection?