ssh error message "CBC Ciphers got moved out of default config"

ruslan932
Level 1

Hello,

I have a new 3650 switch, and when I use SSH I get "%SSH: CBC Ciphers got moved out of default config. Please configure ciphers as required(to match peer ciphers)
[Connection to 10.1.33.3 aborted: error status 0]".

Has anyone faced this issue?

Accepted Solutions

Jaderson Pessoa
VIP Alumni

@ruslan932 hello,

Try running this: sw(config)# crypto key generate rsa modulus 2048 and test again.

Jaderson Pessoa

Hi!

The command crypto key generate rsa modulus 2048 alone is not enough.

Solution: also use this command:

Switch(config)#ip ssh client algorithm encryption ?
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode

Thanks for your attention!

6 Replies

Thanks. This solved my problem also.

I got this problem after upgrading router 2951/K9 from 15.1(4)M1 to 15.7(3)M7.

I fixed the problem as described above with the command:

ip ssh client algorithm encryption aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr

@ruslan932, thank you!!!
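An added example, not part of any post in this thread: a Python check that reads a saved running-config, reports which CBC ciphers the "ip ssh client|server algorithm encryption" lines re-enable, and builds the narrowest client line that still reaches a given peer. The sample config, the peer cipher lists and the preference order (CTR before CBC, 3DES last) are constructed assumptions; "ip ssh server algorithm encryption" is the server-side counterpart of the client command shown in the thread.

```python
import re

# Cipher names as listed by "ip ssh client algorithm encryption ?" in the thread.
CBC = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
CTR = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}
# Assumed preference order: CTR modes first, then CBC, 3DES last.
PREFERENCE = ["aes256-ctr", "aes192-ctr", "aes128-ctr",
              "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"]

LINE_RE = re.compile(r"^\s*ip ssh (client|server) algorithm encryption\s+(.+?)\s*$")

# Constructed sample config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname edge-sw1
ip ssh version 2
ip ssh client algorithm encryption aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
"""

def audit_config(config_text):
    """Map 'client'/'server' to the configured ciphers, the CBC subset and unknown names."""
    findings = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        role, ciphers = m.group(1), m.group(2).split()
        findings[role] = {
            "ciphers": ciphers,
            "cbc": [c for c in ciphers if c in CBC],
            "unknown": [c for c in ciphers if c not in CBC | CTR],
        }
    return findings

def minimal_client_line(peer_ciphers):
    """Narrowest client line for a peer: shared CTR ciphers if any, else one CBC cipher."""
    offered = set(peer_ciphers)
    chosen = [c for c in PREFERENCE if c in CTR and c in offered]
    if not chosen:
        # Legacy peer with no CTR support: enable only the strongest CBC it offers.
        chosen = [c for c in PREFERENCE if c in CBC and c in offered][:1]
    if not chosen:
        return None  # nothing in common with the ciphers this platform lists
    return "ip ssh client algorithm encryption " + " ".join(chosen)

if __name__ == "__main__":
    for role, info in audit_config(SAMPLE_CONFIG).items():
        print(role, "CBC enabled:", info["cbc"] or "none")
    print(minimal_client_line(["aes128-cbc", "3des-cbc"]))
```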

Getting the error below while taking an SSH session - device (Cisco 3650)

%SSH: CBC Ciphers got moved out of default config. Please configure ciphers as required(to match peer ciphers)
[Connection to 10.139.xx.xx aborted: error status 0]

Issued the command below, but still getting the same error

(config)#crypto key generate rsa modulus 2048

If you are willing to connect from a modern CLI to a legacy one you should try this command:

# ssh -v <SSH_VERSION> -c <CIPHER> -l <USERNAME> <IP/FQDN>

IOS-XE17.6.4#ssh ?
  -c    Select encryption algorithm
  -l    Log in using this user name
  -m    Select HMAC algorithm
  -o    Specify options
  -p    Connect to this port
  -v    Specify SSH Protocol Version
  -vrf  Specify vrf name
  WORD  IP address or hostname of a remote system

IOS-XE17.6.4#ssh -c 3des -l CiscoAdmin IOS15_0_2.legacy.com
Password: 
IOS15_0_2.legacy.com> Enable
IOS15_0_2.legacy.com#

Hope this helps

BR

Alfred
