cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
220894
Views
118
Helpful
20
Replies

SSH error message "No matching ciphers found"

asheemy
Level 1
Level 1

Hello,

 

i have a new 3850 Switch and i configured ip ssh ver 2 and all ssh commands but when i access the switch using ssh i got "No matching ciphers found. Client (x.x.x.x) supported ciphers :  aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se .Server supported ciphers : aes128-ctr​".

 

"%SSH-3-DH_RANGE_FAIL: Client DH key range mismatch with minimum configured DH key on server​" log on switch

Also got " No compatible Cipher. The server supports these ciphers:aes128-ctr,aes192-ctr,aes256-ctr" message on my secureCRT

 

is there anyone face such issue.

2 Accepted Solutions

Accepted Solutions

Reza Sharifi
Hall of Fame
Hall of Fame

Hi,

What is the output of "sh ip ssh"?

Also, what client software are you using to access the switch?

HTH

View solution in original post

to solve this issue we must use SecureCRT new versions not old Versions.

View solution in original post

20 Replies 20

Reza Sharifi
Hall of Fame
Hall of Fame

Hi,

What is the output of "sh ip ssh"?

Also, what client software are you using to access the switch?

HTH

from butty SSH working fine but from SecureCRT not connected.

 

Kindly find the show ip ssh output as well as the running software version.

SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-2720490143
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsDLwcXA1SG739xRLLHmDOXMHsj5ObbH4zB1CWcJ2A
k5RVaeutE5koSvNN0QKI3grLJSL4R3elWleLra+kV+Ys0fUwlO9T1dU72nMhLLXi6ojs0YCrxDdtn1xj
9SdRyg/fvxGxaQb6dVMzAPo7X5qA95IIp7fY+RV5bGZ5b3mcLbh8z2ceBhO4gj3kvQjpg8a4HDmrh+kb
y+mdBEHvKgYXuLgSolzlveqznPnhmxQUg8cBTPBQCMUNuwsYZkW8EQnQz5GfePvhrQC0D3RafJiMgg4i
bmlpNTU3A21ObYTJyht2LsH8LDLc+nmiehUl1TbVSLRyBMx1kg57TucWLzpN


Cisco IOS XE Software, Version 16.06.02

WS-C3850-48P?


the client use Secure CRT


From putty SSH working fine but from SecureCRT No

 

Kindly find the show ip ssh output as well as the running software version. 
 
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-2720490143
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsDLwcXA1SG739xRLLHmDOXMHsj5ObbH4zB1CWcJ2A
k5RVaeutE5koSvNN0QKI3grLJSL4R3elWleLra+kV+Ys0fUwlO9T1dU72nMhLLXi6ojs0YCrxDdtn1xj
9SdRyg/fvxGxaQb6dVMzAPo7X5qA95IIp7fY+RV5bGZ5b3mcLbh8z2ceBhO4gj3kvQjpg8a4HDmrh+kb
y+mdBEHvKgYXuLgSolzlveqznPnhmxQUg8cBTPBQCMUNuwsYZkW8EQnQz5GfePvhrQC0D3RafJiMgg4i
bmlpNTU3A21ObYTJyht2LsH8LDLc+nmiehUl1TbVSLRyBMx1kg57TucWLzpN                    


Cisco IOS XE Software, Version 16.06.02
 
WS-C3850-48P​
 

the client use Secure CRT

 

I have the same question. How did you solve it? Thanks

sanjoher
Level 1
Level 1

Hi, I've the exactly same issue... Please advise how did this solved.

I've the exactly same issue too when tried to connect from ios 15.6 router to cisco sg500 switch.

 

Just should to get connect with -c aes256-cbc or add command "ip ssh client algorithm encryption aes256-cbc" in your router config for working.

Or alternatively you could modify SSH server configuration on your router like this:
ip ssh server algorithm encryption aes256-cbc [aes192-cbc aes128-cbc]

 

[this is optional]

After that I was able to connect my ISR4K from another router (ISR G2)

to solve this issue we must use SecureCRT new versions not old Versions.

perfect answer, Huge Thanks Rinat 

just type on your switch or router "ip ssh server algorithm encryption aes256-cbc aes192-cbc aes128-cbc"

 

then try Securecrt old version it will work fine 

 

Seems my switch cannot run ip ssh server algorithm ***. my ios version was 15.0.2

 

 

I have the same problem...

 

SW(config)#$er algorithm encryption aes256-cbc aes192-cbc aes128-cbc
ip ssh server algorithm encryption aes256-cbc aes192-cbc aes128-cbc
^
% Invalid input detected at '^' marker.

SW(config)#

wlauderdale
Level 1
Level 1

This issue can occur on the client or server side of the SSH connection. When the "no matching ciphers found" message appears on the client side, the client is attempting to enforce a more strict policy. When it appears on the server side, the server is enforcing the stricter policy.

 

To make it work:

 

1. Read the message "No matching cipher found: client aes128-ctr..., server aes128-cbc, 3des-cbc, aes192-cbc, aes256-cbc

 

2. The message states which ciphers the client supports followed by the ciphers the server will accept. It's a little misleading, because your client probably supports more ciphers.

 

3. Type: ssh -c aes128-cbc -l username server-IP-address

 

4. The -c flag forces the [aes128-cbc] cipher to be used in the ssh connection, thereby meeting the server's requirements. You're in!

 

 

I thought I would add to this.

Client 3750x, version 15.0(1)SE3, only supports aesxxxcbc.

Server 4431 isr, Version 16.9.2

 

Added this to 4431 config.

ip ssh server algorithm encryption aes128-cbc aes128-ctr aes192-ctr aes256-ctr

 

Now able to ssh from 3750x.

Here are the choices for the -c option

Lab3750X#ssh -c ?
3des triple des
SSHv2 only cipher list:
aes128-cbc AES 128 bits
aes192-cbc AES 192 bits
aes256-cbc AES 256 bits

 

For a 3650 running Version 16.3.5b

show run all | inc ssh client

ip ssh client algorithm mac hmac-sha1 hmac-sha1-96
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr aes128-cbc 3des-cbc aes192-cbc aes256-cbc
ip ssh client algorithm kex diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1

 

I have had unsupported kex issues as well in the past between switches and ISR's.

 

ROBWILEY-M-V7Y9:~ robwiley$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes128-cbc vt100@172.16.0.2

Password:

 

Wiley-S1#sho ver | i VER

Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE12, RELEASE SOFTWARE (fc2)

*    1 54    WS-C3750E-48PD     12.2(55)SE12          C3750E-UNIVERSALK9-M

Review Cisco Networking for a $25 gift card