
SSH resets to version 1.99 after reboot

Aublysodon
Level 1

Hi Everyone,

 

Just started working with Cisco switches so a bit of a newbie.

I was asked to set up some IE5000 switches running OS15.2 with SSH version 2 only, which went fine, thanks to the tutorials in the community. However, once the device is powered off and powered back on, the SSH version resets to 1.99, which I believe is both SSHv1 and SSHv2.

Is there a way to force the switch to only use SSHv2 even after a reboot?

 

tldr:

- Setup SSH to run on the switch;

- Did use command: Switch(config): ip ssh version 2

- Device was set to SSHv2 which was confirmed using sh ip ssh

- copy run start

- rebooted the device

- checked the ssh version and it was SSHv1.99

 

Any help at all would be great.

 

Thanks in advance,

Aublysodon :)

 

 

 


balaji.bandi
Hall of Fame

Just did the steps for you on one of my test devices. Hope this information helps you, but make sure to take precautions if you are doing this on a production system.

 

 

CE1#show ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): NONE
CE1#config t
Enter configuration commands, one per line. End with CNTL/Z.

CE1(config)#ip domain-name bb.com

CE1(config)#username bbandi password bbandi

CE1(config)#crypto key generate rsa
The name for the keys will be: CE1.bb.com
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

CE1(config)#
%SSH-5-ENABLED: SSH 1.99 has been enabled

CE1(config)#ip ssh version 2

CE1(config)#line vty 0 4

CE1(config-line)#transport input none

CE1(config-line)#transport input ssh
CE1(config-line)#end

%SYS-5-CONFIG_I: Configured from console by console

CE1#show ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): CE1.bb.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC2sle25cmVMxdOs247A7x41eIGBPkZ61ZHr+zCORvh
Bdrx4uFdIL9kk+Iu2swZENJHX4E7EfUKnWSW7rYe4btPKORezOhorAojgdPACcliTlSoaG/pCGhBZCrC
knlGoRqspnL63oDi8pqGqRNt+MnSfUgaYRm6ecgt+r3H0zmlQw==

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

 

Sorry for the late reply.

 

Unfortunately, even after following your steps, after a reload of the switch the SSH version resets to version 1.99 (this includes a copy run start).

In your attempt, did you reload the system? Did it remember that you only want Version 2?

 

Thanks again for all your help,

 

Regards,

Aublysodon

You are not required to reload. Post complete steps and logs (your full configuration, device and IOS information).

 

BB


gaston.benitez
Level 1

Hi

 

Can you share a show version?

 

BR

Gaston

StevenCAnderson
Level 1

I have run into this issue several times on Catalyst switches and various routers.  From what I have seen you have to set the SSH Version to 2 before you generate the RSA Key.  Otherwise when the key is created there is a flag of some sort that identifies it as Version 1 compatible and during the boot process the switch turns on support for Version 1, forcing SSH Version 1.99.  I have not seen any other fixes for this but I know this is a method that works.
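
Added example, not part of any post in this thread: a small Python check that compares `show ip ssh` captures taken before and after a reload against the saved configuration, so the regression described above (config still contains `ip ssh version 2`, yet the server reports 1.99) is caught automatically. The capture strings and function names are constructed for illustration, using the banner format shown in the output earlier in the thread.

```python
import re

# Constructed captures in the `show ip ssh` / saved-config format seen in this thread.
BEFORE_RELOAD = "CE1#show ip ssh\nSSH Enabled - version 2.0\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
AFTER_RELOAD = "CE1#show ip ssh\nSSH Enabled - version 1.99\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
NO_KEYS = "CE1#show ip ssh\nSSH Disabled - version 1.99\n%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).\n"
STARTUP_CONFIG = "hostname CE1\nip domain-name bb.com\nip ssh version 2\nline vty 0 4\n transport input ssh\n"

BANNER = re.compile(r"^SSH (Enabled|Disabled) - version (\d+\.\d+)\s*$", re.MULTILINE)
PIN_V2 = re.compile(r"^ip ssh version 2\s*$", re.MULTILINE)


def parse_ssh_status(show_ip_ssh):
    """Extract the enabled flag and advertised version from `show ip ssh` output."""
    m = BANNER.search(show_ip_ssh)
    if m is None:
        raise ValueError("no 'SSH Enabled/Disabled - version X' banner found")
    return {"enabled": m.group(1) == "Enabled", "version": m.group(2)}


def audit(show_ip_ssh, config):
    """Return a list of findings; an empty list means SSHv2-only is in effect."""
    status = parse_ssh_status(show_ip_ssh)
    findings = []
    if not status["enabled"]:
        findings.append("SSH server is disabled (RSA key pair missing?)")
    if status["version"] == "1.99":
        # 1.99 is the compatibility banner: the server speaks SSHv2 and SSHv1.
        findings.append("version 1.99: SSHv1 clients are still accepted")
    elif status["version"] != "2.0":
        findings.append("unexpected SSH version " + status["version"])
    if not PIN_V2.search(config):
        findings.append("'ip ssh version 2' is absent from the saved config")
    return findings


def regressed_after_reload(before, after, config):
    """True when the device was compliant before the reload but not after it."""
    return not audit(before, config) and bool(audit(after, config))


if __name__ == "__main__":
    for name, capture in [("before", BEFORE_RELOAD), ("after", AFTER_RELOAD), ("no keys", NO_KEYS)]:
        print(name, audit(capture, STARTUP_CONFIG) or "OK")
```
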
