04-25-2018 02:32 PM - edited 03-08-2019 02:47 PM
Hello,
I have a new 3850 switch and I configured ip ssh ver 2 and all the SSH commands, but when I access the switch using SSH I get "No matching ciphers found. Client (x.x.x.x) supported ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se .Server supported ciphers : aes128-ctr".
The switch logs "%SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with minimum configured DH key on server".
I also got the message " No compatible Cipher. The server supports these ciphers:aes128-ctr,aes192-ctr,aes256-ctr" in my SecureCRT.
Has anyone faced this issue?
04-25-2018 03:08 PM
Hi,
What is the output of "sh ip ssh"?
Also, what client software are you using to access the switch?
HTH
04-26-2018 02:19 AM - edited 04-26-2018 02:21 AM
From PuTTY SSH is working fine, but from SecureCRT it does not connect.
Kindly find the show ip ssh output as well as the running software version.
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-2720490143
Cisco IOS XE Software, Version 16.06.02
WS-C3850-48P?
The client uses SecureCRT.
04-26-2018 02:23 AM
From PuTTY SSH works fine, but from SecureCRT no.
The client uses SecureCRT.
06-07-2018 08:03 PM
I have the same question. How did you solve it? Thanks
07-06-2018 12:35 AM
Hi, I have exactly the same issue... Please advise how this was solved.
07-06-2018 12:43 AM
I have exactly the same issue too when trying to connect from an IOS 15.6 router to a Cisco SG500 switch.
You just need to connect with -c aes256-cbc or add the command "ip ssh client algorithm encryption aes256-cbc" to your router config for it to work.
11-29-2018 06:51 AM
Or alternatively you could modify SSH server configuration on your router like this:
ip ssh server algorithm encryption aes256-cbc [aes192-cbc aes128-cbc]
[this is optional]
After that I was able to connect my ISR4K from another router (ISR G2)
12-10-2018 11:41 PM
To solve this issue we must use a new version of SecureCRT, not an old version.
01-23-2019 09:10 AM
Perfect answer, huge thanks Rinat.
Just type on your switch or router "ip ssh server algorithm encryption aes256-cbc aes192-cbc aes128-cbc",
then try the old SecureCRT version; it will work fine.
06-20-2019 01:11 AM
Seems my switch cannot run ip ssh server algorithm ***. My IOS version was 15.0.2.
06-30-2019 02:25 PM - edited 06-30-2019 02:26 PM
I have the same problem...
SW(config)#$er algorithm encryption aes256-cbc aes192-cbc aes128-cbc
ip ssh server algorithm encryption aes256-cbc aes192-cbc aes128-cbc
^
% Invalid input detected at '^' marker.
SW(config)#
09-04-2019 01:41 PM
This issue can occur on the client or server side of the SSH connection. When the "no matching ciphers found" message appears on the client side, the client is attempting to enforce a more strict policy. When it appears on the server side, the server is enforcing the stricter policy.
To make it work:
1. Read the message "No matching cipher found: client aes128-ctr..., server aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc".
2. The message states which ciphers the client supports followed by the ciphers the server will accept. It's a little misleading, because your client probably supports more ciphers.
3. Type: ssh -c aes128-cbc -l username server-IP-address
4. The -c flag forces the [aes128-cbc] cipher to be used in the ssh connection, thereby meeting the server's requirements. You're in!
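The mismatch described in this thread can be checked offline before touching either side's configuration. The following is an added example, not part of any post above: it parses the algorithm lines of the "show ip ssh" output posted earlier and applies the SSH rule that the first algorithm on the client's list that the server also lists is chosen. The client's MAC and KEX lists and the NEW_CLIENT profile are constructed for illustration.

```python
import re

# Labels exactly as printed in the "show ip ssh" output posted in this thread.
FIELDS = {"encryption": "Encryption Algorithms",
          "mac": "MAC Algorithms",
          "kex": "KEX Algorithms"}

# Server side: lines copied from the thread's IOS XE 16.06.02 output.
SHOW_IP_SSH = """\
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
"""

# Client side: cipher list from the error message in the first post;
# the mac and kex lists are constructed for this example.
OLD_CLIENT = {
    "encryption": ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc",
                   "rijndael-cbc@lysator.liu.se"],
    "mac": ["hmac-sha1"],
    "kex": ["diffie-hellman-group14-sha1"],
}
# Constructed: the same client after an upgrade that adds CTR ciphers.
NEW_CLIENT = dict(OLD_CLIENT, encryption=["aes256-ctr", "aes128-ctr", "aes256-cbc"])

def parse_show_ip_ssh(text):
    """Return {category: [algorithms in the order the server lists them]}."""
    server = {}
    for cat, label in FIELDS.items():
        m = re.search(rf"^{re.escape(label)}\s*:\s*(\S+)", text, re.MULTILINE)
        server[cat] = m.group(1).split(",") if m else []
    return server

def negotiate(client, server):
    """First client algorithm the server also lists (RFC 4253 sec. 7.1).
    KEX is simplified: host-key compatibility checks are not modelled."""
    return {cat: next((a for a in client.get(cat, []) if a in server[cat]), None)
            for cat in FIELDS}

def report(client, server):
    """One line per category: the chosen algorithm, or both lists on a miss."""
    return [f"{cat}: {alg}" if alg else
            f"{cat}: NO MATCH client={client.get(cat, [])} server={server[cat]}"
            for cat, alg in negotiate(client, server).items()]

if __name__ == "__main__":
    server = parse_show_ip_ssh(SHOW_IP_SSH)
    for name, client in (("old", OLD_CLIENT), ("new", NEW_CLIENT)):
        print(name, *report(client, server), sep="\n  ")
```

A "NO MATCH" line shows both lists side by side, which makes it clear whether the fix belongs on the client (upgrade or reorder its list) or on the server (widen its accepted list).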
09-12-2019 07:26 AM - edited 09-12-2019 07:32 AM
I thought I would add to this.
Client 3750x, version 15.0(1)SE3, only supports aesxxxcbc.
Server 4431 isr, Version 16.9.2
Added this to 4431 config.
ip ssh server algorithm encryption aes128-cbc aes128-ctr aes192-ctr aes256-ctr
Now able to ssh from 3750x.
Here are the choices for the -c option
Lab3750X#ssh -c ?
3des triple des
SSHv2 only cipher list:
aes128-cbc AES 128 bits
aes192-cbc AES 192 bits
aes256-cbc AES 256 bits
For a 3650 running Version 16.3.5b
show run all | inc ssh client
ip ssh client algorithm mac hmac-sha1 hmac-sha1-96
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
ip ssh client algorithm kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1
I have had unsupported kex issues as well in the past between switches and ISR's.
03-16-2020 07:59 PM
ROBWILEY-M-V7Y9:~ robwiley$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc vt100@172.16.0.2
Password:
Wiley-S1#sho ver | i VER
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE12, RELEASE SOFTWARE (fc2)
* 1 54 WS-C3750E-48PD 12.2(55)SE12 C3750E-UNIVERSALK9-M