I have a new 3850 switch and I configured ip ssh ver 2 and all SSH commands, but when I access the switch using SSH I got "No matching ciphers found. Client (x.x.x.x) supported ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,firstname.lastname@example.org .Server supported ciphers : aes128-ctr".
"%SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with minimum configured DH key on server" log on switch
I also got a "No compatible Cipher. The server supports these ciphers:aes128-ctr,aes192-ctr,aes256-ctr" message in my SecureCRT.
Has anyone faced such an issue?
From PuTTY, SSH works fine, but SecureCRT does not connect.
Kindly find the show ip ssh output as well as the running software version.
SSH Enabled - version 2.0
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-2720490143
Cisco IOS XE Software, Version 16.06.02
The client uses SecureCRT.
From PuTTY, SSH works fine, but not from SecureCRT.
I had exactly the same issue when I tried to connect from an IOS 15.6 router to a Cisco SG500 switch.
You just need to connect with -c aes256-cbc, or add the command "ip ssh client algorithm encryption aes256-cbc" to your router config for it to work.
Or alternatively you could modify SSH server configuration on your router like this:
ip ssh server algorithm encryption aes256-cbc [aes192-cbc aes128-cbc]
[this is optional]
After that I was able to connect my ISR4K from another router (ISR G2)
Perfect answer, huge thanks Rinat.
Just type on your switch or router "ip ssh server algorithm encryption aes256-cbc aes192-cbc aes128-cbc",
then try the old SecureCRT version; it will work fine.
I have the same problem...
SW(config)#$er algorithm encryption aes256-cbc aes192-cbc aes128-cbc
ip ssh server algorithm encryption aes256-cbc aes192-cbc aes128-cbc
% Invalid input detected at '^' marker.
This issue can occur on the client or server side of the SSH connection. When the "no matching ciphers found" message appears on the client side, the client is attempting to enforce a more strict policy. When it appears on the server side, the server is enforcing the stricter policy.
To make it work:
1. Read the message "No matching cipher found: client aes128-ctr..., server aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc".
2. The message states which ciphers the client supports followed by the ciphers the server will accept. It's a little misleading, because your client probably supports more ciphers.
3. Type: ssh -c aes128-cbc -l username server-IP-address
4. The -c flag forces the [aes128-cbc] cipher to be used in the ssh connection, thereby meeting the server's requirements. You're in!
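Added example (not posted by anyone in this thread): a small Python helper that parses the IOS "No matching ciphers found" line quoted in the first post, finds the overlap between the two lists, and, when there is none, builds an `ip ssh server algorithm encryption` line that keeps the server's existing ciphers and appends a single fallback. The function names and the `PREFERENCE` ranking (CTR before CBC, longer keys first) are assumptions made for this example.

```python
import re

# Constructed sample: the log line from the first post, with the redacted
# cipher name omitted and x.x.x.x kept as the address placeholder.
SAMPLE = ("No matching ciphers found. Client (x.x.x.x) supported ciphers : "
          "aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc .Server supported ciphers : aes128-ctr")

# Assumed ranking for this example: CTR before CBC, longer keys first.
PREFERENCE = ["aes256-ctr", "aes192-ctr", "aes128-ctr",
              "aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc"]

PATTERN = re.compile(r"Client\s*\([^)]*\)\s*supported ciphers\s*:\s*(.*?)\s*\.?\s*"
                     r"Server supported ciphers\s*:\s*([\w@.,-]+)")

def _names(field):
    """Split a comma- or space-separated cipher list into clean names."""
    return [c for c in re.split(r"[,\s]+", field.strip(" .")) if c]

def parse_mismatch(message):
    """Return (client_ciphers, server_ciphers) from the IOS mismatch line."""
    m = PATTERN.search(message)
    if m is None:
        raise ValueError("not a cipher-mismatch message")
    return _names(m.group(1)), _names(m.group(2))

def plan(client, server):
    """Report the shared cipher, or the smallest server-side change that creates one."""
    common = [c for c in PREFERENCE if c in client and c in server]
    if common:
        return {"common": common[0], "fallback": None,
                "server_config": None, "adds_cbc": False}
    ranked = [c for c in PREFERENCE if c in client]
    fallback = ranked[0] if ranked else None
    config = None
    if fallback:
        # Keep what the server already offers and append one fallback only.
        config = "ip ssh server algorithm encryption " + " ".join(server + [fallback])
    return {"common": None, "fallback": fallback, "server_config": config,
            "adds_cbc": bool(fallback) and fallback.endswith("-cbc")}

if __name__ == "__main__":
    client, server = parse_mismatch(SAMPLE)
    print(plan(client, server))
```

When `adds_cbc` is true, the generated line widens the server's policy to include a CBC cipher, so updating the client to one that supports the CTR ciphers is the change that leaves the server policy untouched.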
I thought I would add to this.
Client 3750x, version 15.0(1)SE3, only supports aesxxxcbc.
Server 4431 isr, Version 16.9.2
Added this to 4431 config.
ip ssh server algorithm encryption aes128-cbc aes128-ctr aes192-ctr aes256-ctr
Now able to ssh from 3750x.
Here are the choices for the -c option
Lab3750X#ssh -c ?
3des triple des
SSHv2 only cipher list:
aes128-cbc AES 128 bits
aes192-cbc AES 192 bits
aes256-cbc AES 256 bits
For a 3650 running Version 16.3.5b
show run all | inc ssh client
ip ssh client algorithm mac hmac-sha1 hmac-sha1-96
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
ip ssh client algorithm kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1
I have had unsupported kex issues as well in the past between switches and ISRs.
ROBWILEY-M-V7Y9:~ robwiley$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc email@example.com
Wiley-S1#sho ver | i VER
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE12, RELEASE SOFTWARE (fc2)
* 1 54 WS-C3750E-48PD 12.2(55)SE12 C3750E-UNIVERSALK9-M