SSH issue to 3850 switch

ittechk4u1
Level 4

Hello experts,

We are not able to SSH to our new core switches:

Switch: 3850

Software version: 16.3.5b

Error:
350259: Jun 11 08:23:48: %SSH-3-NO_MATCH: No matching kex algorithm found: client diffie-hellman-group1-sha1 server diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

How can we solve that issue?

I saw there is a bug but no resolution: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc96144/?rfs=iqvred

 

Thanks in advance.
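The logged error is a key-exchange (KEX) negotiation failure, not a host-key problem: the client offers only diffie-hellman-group1-sha1, the 16.3.5b server lists diffie-hellman-group-exchange-sha1 and diffie-hellman-group14-sha1, the two lists do not overlap, and the server drops the session. The RSA host key is not part of either list, which is why regenerating it at a different modulus, as several replies below suggest, cannot change the outcome. The Python script below is an added example and not part of the original thread: it parses %SSH-3-NO_MATCH lines in the format quoted in the post and applies the RFC 4253 section 7.1 rule (the first algorithm in the client's preference order that the server also lists wins) to show why this exchange fails and which side has to change. The sample log line is the one from the post; treating "kex" as one of several possible algorithm types in that message, and the second, modern client list, are assumptions for illustration.

```python
"""Added example, not from the original thread: reproduce the SSH KEX
negotiation behind a Cisco IOS %SSH-3-NO_MATCH message and say which side
needs changing.

Assumptions: the log line has the shape quoted in the post,
  %SSH-3-NO_MATCH: No matching <type> algorithm found: client <list> server <list>
and negotiation follows RFC 4253 section 7.1 (first name in the client's
list that the server also supports wins; no common name means disconnect).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the exact line from the post.
SAMPLE_LOG = (
    "350259: Jun 11 08:23:48: %SSH-3-NO_MATCH: No matching kex algorithm "
    "found: client diffie-hellman-group1-sha1 server "
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1"
)

# Matches the message body regardless of the sequence number / timestamp
# prefix that the switch's logging configuration adds.
NO_MATCH_RE = re.compile(
    r"%SSH-3-NO_MATCH: No matching (?P<kind>\w+) algorithm found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

# KEX methods a current server should not be expected to offer. group1-sha1
# (1024-bit group, SHA-1) is the one the legacy clients in the thread insist on.
LEGACY_KEX = {"diffie-hellman-group1-sha1"}


@dataclass
class NegotiationResult:
    kind: str                 # "kex" in the post; other types are assumed
    client: List[str]         # client's list, in preference order
    server: List[str]         # server's list, in preference order
    chosen: Optional[str]     # None means the server disconnects
    client_legacy: List[str]  # legacy methods the client offered


def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: walk the client's list in order and return the first
    name the server also lists; None if there is no overlap."""
    server_names = set(server)
    for alg in client:
        if alg in server_names:
            return alg
    return None


def parse_no_match(line: str) -> Optional[NegotiationResult]:
    """Parse one syslog line; return None if it is not a NO_MATCH message."""
    m = NO_MATCH_RE.search(line)
    if not m:
        return None
    client = m.group("client").split(",")
    server = m.group("server").split(",")
    return NegotiationResult(
        kind=m.group("kind"),
        client=client,
        server=server,
        chosen=negotiate(client, server),
        client_legacy=[a for a in client if a in LEGACY_KEX],
    )


def diagnose(result: NegotiationResult) -> str:
    """Plain-English verdict on which side has to change."""
    if result.chosen is not None:
        return f"{result.kind}: negotiated {result.chosen}"
    if result.client_legacy:
        return (f"{result.kind}: no common algorithm; client offers only "
                f"legacy {','.join(result.client_legacy)}; upgrade or "
                f"reconfigure the client rather than the switch host key")
    return (f"{result.kind}: no common algorithm; client offers "
            f"{','.join(result.client)}, server offers "
            f"{','.join(result.server)}")


if __name__ == "__main__":
    r = parse_no_match(SAMPLE_LOG)
    print(diagnose(r))
    # Assumed modern client (e.g. a current PuTTY or OpenSSH): same server
    # list, but the client also offers group14, so negotiation succeeds.
    modern_client = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
    print("modern client negotiates:", negotiate(modern_client, r.server))
```

Feed the switch's syslog (or the output of `ip ssh logging events`) through `parse_no_match` and any line where `chosen` is None and `client_legacy` is non-empty points at a client that has to be upgraded or reconfigured; a None with no legacy entry means the two sides genuinely disagree on algorithm sets and the server's configuration is the thing to inspect.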
17 Replies

johnd2310
Level 8

Hi,

Have you tried using a 1024 bit key? You can use the following command to generate a 1024 bit key:

crypto key generate rsa general-keys modulus 1024

Thanks

John

**Please rate posts you find helpful**

Reducing the key to 1024 didn't work in this scenario.

still not working....

Or even try lower: crypto key generate rsa general-keys modulus 512 works for me.

Hello

What kind of key do you have? Have you tried deleting it and regenerating a new one?

crypto key zeroize rsa
crypto key generate rsa general-keys

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

Yes I did... still the same issue.

"
[SSH] Protocol Version 2 (Cisco-1.25)
[SSH] FAIL: no kex alg

[SSH] INFO: DISCONNECT"

Thanks

Hello,

Where is the SSH coming from, that is, what are you using as a client?

The issue I'm experiencing is from switch to switch - all switches in the environment use RSA 1024.
I am able to initiate a SSH session from my workstation without issue.

Hello,

Can you try and create a modulus 2048 key and then configure:

ip ssh dh min size 2048

?

Also, just to be sure, check if you have all of the below configured:

hostname myswitch (needs to be different than the default hostname)
username admin privilege 15 password 0 cisco
enable secret xxxxyyyy
!
ip domain-name yourdomain
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
line vty 0 15
login local
transport input ssh

Hello,
Thank you for the input - unfortunately I cannot modify production devices - the WS-C3850-12S-S (Denali - 16.3.5b) that's receiving the error was an addition to our network.
To answer your questions, yes, all the following are configured:
uniqueHostname
username admin priv 15 password ***
enable secret ***
ip domain-name example.net

aaa new-model
aaa authentication login default local
aaa authorization exec default local

crypto key gen rsa mod 1024
ip ssh ver 2
ip ssh logging events

line vty 0 4
login local
transport input ssh

I tried, still not working!!!!

Update: SSH is working on PuTTY but not on the ZOC terminal emulator!!

Thanks again.

Hi,

What SSH client are you using?

Thanks

John

Hi,

Try to add the 3des-cbc algorithm in the ip ssh server command for input SSH sessions, and the 3des-cbc algorithm in the ip ssh client command for output SSH sessions.

Regards

I am having this same issue connecting with SecureCRT 5.0.5 build 1078. I can however SSH -l from their router to the same switch without issue. We just updated Prime to 3.1 and the sync is basically reporting that it cannot connect to pull the config. I did try redoing the crypto keys to 1024 and it did not change the issue. I am going to try to see if my newer version of SecureCRT does the same thing.

Brent
