06-11-2018 01:32 AM - edited 03-08-2019 03:19 PM
Hello experts,
We are not able to ssh to our new core switches:
Switch: 3850
Software version: 16.3.5b
Error:
350259: Jun 11 08:23:48: %SSH-3-NO_MATCH: No matching kex algorithm found: client diffie-hellman-group1-sha1 server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
How can we solve that issue?
I saw there is a bug but no resolution: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc96144/?rfs=iqvred
Thanks in advance.
12-03-2018 02:00 AM
On ASA, change ssh key-exchange group dh-group1-sha1 to dh-group14-sha1
05-26-2023 11:42 AM
For anyone else stumbling across this thread: You must read the error message carefully. The switch is the SSH server, the client is the system used to connect to the switch. Therefore, the client must send the correct KEX algorithm. On Linux, ssh -o KexAlgorithms=diffie-hellman-group14-sha1 username@switch_IP. In PuTTY, ensure at least one of the noted algorithms is listed in Connection > SSH > Kex Algorithm selection policy.
There is no need to change the switch's SSH configuration.
05-27-2023 12:40 AM
Old post with a good new observation. The issue is a mismatch between the algorithms supported by the client and the algorithms supported by the server (typically the client supports older/less secure algorithms). So the solution is usually changes in the client and not the server.
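An added example, not written by any poster in this thread: a small Python parser for the %SSH-3-NO_MATCH line quoted in the first post that extracts both algorithm lists and emits an OpenSSH client config stanza enabling one server-offered KEX method for that host only, leaving the client's global defaults untouched. The host name and the preference order are assumptions made for the example.

```python
import re

# Message format as it appears in the log line quoted in the first post.
NO_MATCH = re.compile(
    r"%SSH-3-NO_MATCH: No matching kex algorithm found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

# Assumed preference order for this example; adjust to local policy.
# diffie-hellman-group1-sha1 is deliberately not a candidate.
PREFERENCE = ["diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1"]

# The log line from the first post.
SAMPLE = (
    "350259: Jun 11 08:23:48: %SSH-3-NO_MATCH: No matching kex algorithm found: "
    "client diffie-hellman-group1-sha1 server "
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1"
)

def parse_no_match(line):
    """Return (client_algs, server_algs) or None if the line is another message."""
    m = NO_MATCH.search(line)
    if not m:
        return None
    return m["client"].split(","), m["server"].split(",")

def host_stanza(line, host):
    """Build an ssh_config block that adds one server-offered KEX for `host`."""
    parsed = parse_no_match(line)
    if parsed is None:
        raise ValueError("not a %SSH-3-NO_MATCH line")
    client, server = parsed
    if set(client) & set(server):
        raise ValueError("lists overlap; negotiation should not have failed")
    for alg in PREFERENCE:
        if alg in server:
            # '+' appends to the client's default list instead of replacing it.
            return f"Host {host}\n    KexAlgorithms +{alg}\n"
    raise ValueError("server offers nothing in PREFERENCE")

if __name__ == "__main__":
    # core-sw1.example.net is a hypothetical host name.
    print(host_stanza(SAMPLE, "core-sw1.example.net"))
```

The printed block goes in the client's ~/.ssh/config, so the older algorithm is accepted only when connecting to that switch.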