SSH2 0: no matching cipher found: client - After 2921 downgrade

UT2018
Level 1

Hello:

Last night we upgraded our 2921 to a 15.7 from 15.0.  Once the upgrade was finished I noticed the tunnels we had were not coming up properly.  I decided to roll back to the previous version that worked and since then I cannot SSH into the router itself.  I was able to SSH from our Core Switch before.

I am consoled in to the router and when I try to SSH into it I am getting the below message.

SSH2 0: no matching cipher found: client aes128-ctr,aes192-ctr,aes256-ctr server aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

 

show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDOOwIwYLTxPRjqNmRxSfsI8iYmILYX8cUA
nazSgZA1K7wIe92RDyjfYA/Oy/L/FVJFSKe1PgE1cigh4X0NgPidaXI2yxEqlGja
1sDPodwJNWcbkjtfpW7bRLpQhC+rv89vaohZdBUANktQy2Z+29aZUW0IBCN+UhLJ
SZDP7CXZTw==

 

I have tried disabling-reenabling SSH/regenerating new keys as well and that still is not letting me SSH into the router.

 

On my Core Sw I am getting this message.

[Connection to x.x.x.x aborted: error status 0]

 

Thanks for any input.

6 Replies

marce1000
VIP

 

 - I can only assume that the 2921 isn't allowing too weak ciphers after the upgrade, check whether you can find anything about that in the release notes of 15.7

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

marce1000
VIP

 

 - Furthermore, if you have nmap, you could compare the list of available ciphers before and after the upgrade using:

nmap --script ssh2-enum-algos target

M. 




Thanks for response.

 

What is weird is that we went to 15.7 but then back to a known working version for us at 15.0.  SSH worked on this version, now it does not.  Only thing I can see in logs is %SYS-4-CONFIG_NEWER: Configuration from version 15.7 may not be correctly understood.  Other than that, config is up and running, tunnels are up and running... just SSH not allowed in.

>%SYS-4-CONFIG_NEWER:... : Only means that 15.0 may not understand a 15.7 configuration, but this is likely not happening.

>Just SSH not allowed in          : Already being discussed in my initial response.

M.




Deepak Kumar
VIP Alumni

Hi,

If the router is reachable from the core switch then try to make it reachable from any PC (If not) and try with Putty. You will get it working.

 

Regards,

Deepak Kumar


jvscampos
Level 1
♥Solution to the SSH access bug♥

The error happens because the operating system is unable to settle on a matching encryption profile for the SSH session (a matching cipher).

So you need to set it manually, as I will show below:

Router# ssh -l "your login" -c aes128-ctr -p 22 "IP of the machine you want to access"

The cipher can be this one: -c aes128-ctr, or it can be any other one that the error message you get shows, for example:

SSH-3-NO_MATCH: No matching cipher found: client aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr

Then just enter the password and EUREKA! You did it! :)
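
Added example, not part of any poster's reply: a Python script that parses the two "no matching cipher" messages quoted in this thread, shows why negotiation returns nothing, and lists which server-offered ciphers a client could be pinned to with `-c`. The function names and the client capability sets are assumptions made for the illustration.

```python
import re

# The two message forms quoted in this thread (copied from the posts).
ROUTER_LOG = ("SSH2 0: no matching cipher found: client aes128-ctr,aes192-ctr,aes256-ctr "
              "server aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc")
SYSLOG_FORM = ("SSH-3-NO_MATCH: No matching cipher found: client\n"
               "aes256-cbc server aes128-ctr,aes192-ctr,aes256-ctr")

_PATTERN = re.compile(
    r"no matching cipher found:\s*client\s+(\S+)\s+server\s+(\S+)", re.IGNORECASE)


def parse_no_match(line):
    """Return (client_ciphers, server_ciphers) in offered order, or None."""
    m = _PATTERN.search(line)
    if m is None:
        return None
    return tuple([c for c in part.split(",") if c] for part in m.groups())


def negotiate(client, server):
    """SSH picks the first cipher on the client's list that the server also lists."""
    return next((c for c in client if c in server), None)


def pin_candidates(line, client_supported):
    """Ciphers the server offered that the client could be pinned to with -c.

    client_supported is an assumption supplied by the caller: what the client
    implements, which may be more than what it offered by default.
    CTR modes are listed ahead of the older CBC modes.
    """
    parsed = parse_no_match(line)
    if parsed is None:
        return []
    _, server = parsed
    usable = [c for c in server if c in client_supported]
    return sorted(usable, key=lambda c: c.endswith("-cbc"))


if __name__ == "__main__":
    client, server = parse_no_match(ROUTER_LOG)
    print("negotiated:", negotiate(client, server))
    # Constructed capability set for the connecting device (assumption).
    print("pin to:", pin_candidates(ROUTER_LOG, {"aes128-ctr", "aes256-cbc", "3des-cbc"}))
```

An empty result from `pin_candidates` means the two ends share no cipher at all, so pinning on the client cannot help and the server-side cipher list has to change.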
