
Switch cannot be accessed via SSH

harsha003
Level 1

Hi All,

I have a 3850 switch up and running in our office. For the past week I have not been able to SSH to my switch. Below is the configuration; it was working pretty well and I haven't made any changes to the configuration.

line con 0
password 7 xxxxxxxxxxxxxxx
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 xxxxxxxxxxxxxx
login local
transport input ssh
line vty 5 15
password 7 xxxxxxxxxxxxx
login local
transport input ssh

Also, below is the output of the VTY connections:

Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 CTY - - - - - 0 0 0/0 -
1 AUX 9600/9600 - - - - - 0 0 0/0 -
2 VTY - - - - - 0 0 0/0 -
3 VTY - - - - - 0 0 0/0 -
4 VTY - - - - - 0 0 0/0 -
5 VTY - - - - - 0 0 0/0 -
6 VTY - - - - - 0 0 0/0 -
7 VTY - - - - - 0 0 0/0 -
8 VTY - - - - - 0 0 0/0 -
9 VTY - - - - - 0 0 0/0 -
10 VTY - - - - - 0 0 0/0 -
11 VTY - - - - - 0 0 0/0 -
12 VTY - - - - - 0 0 0/0 -
13 VTY - - - - - 0 0 0/0 -
14 VTY - - - - - 0 0 0/0 -
15 VTY - - - - - 0 0 0/0 -
16 VTY - - - - - 0 0 0/0 -
17 VTY - - - - - 0 0 0/0 -

I am not able to figure out the issue. Can anyone help me out? Thanks in advance.

Regards,

Harsha

3 Replies

Mark Malone
VIP Alumni

Hi Harsha

Regenerate the crypto keys; sometimes they get corrupted and this needs to be done. Also make sure you can ping it.

crypto key generate rsa

Please provide output from show ip ssh

Hello Mark,

Well, I am not using any crypto keys here. Below is the output of #sh ip ssh:

SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):

Hi

You have to use crypto keys to set up SSH; it's not an optional feature and it won't work without them. That's why you have a k9 image to support SSH/crypto. You have them set: Minimum expected Diffie Hellman key size : 1024 bits

Change the SSH to be fully v2 -- ip ssh version 2. It's using an insecure SSH version, 1.99, which is v1 and v2. You don't want v1 active; it's insecure.

Then regenerate the keys -- crypto key generate rsa (hit return, type 1024 for SSHv2 keys), then debug ip ssh and try to access the router. Make sure the PuTTY/terminal is set to use SSHv2.

You should see something like this in your logs:

Aug  3 09:47:12.779 UTC: SW1: SSH2 1: authentication successful for mmalone

Then debug ip ssh and try again. Everything looks OK from your output, so your keys are either corrupted, or you're using a terminal that's set to v2 only, or something else.

There are four steps required to enable SSH support on a Cisco IOS router:
  • Configure the hostname command.
  • Configure the DNS domain.
  • Generate the SSH key to be used.
  • Enable SSH transport support for the virtual type terminal (vtys).
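
A way to run the checks discussed in this thread over saved `show ip ssh` output, as an added example that is not from any of the posts. The function names are hypothetical, the second sample is constructed, and the script assumes that an empty section after the "IOS Keys in SECSH format" header means no RSA key pair is listed (a poster may also have left the key out on purpose).

```python
import re

# "show ip ssh" output as posted in the thread (nothing follows the key header).
THREAD_OUTPUT = """\
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
"""

# Constructed sample: what the same switch could show after the suggested changes.
CONSTRUCTED_FIXED = """\
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedplaceholder
"""

def parse_show_ip_ssh(text):
    """Extract the fields the thread's troubleshooting relies on."""
    state = re.search(r"^SSH (Enabled|Disabled)(?: - version (\S+))?", text, re.M)
    dh = re.search(r"Diffie Hellman key size\s*:\s*(\d+) bits", text)
    # Everything after the key header; a key is present if an ssh-rsa line follows.
    _, _, key_section = text.partition("IOS Keys in SECSH format")
    return {
        "enabled": bool(state) and state.group(1) == "Enabled",
        "version": state.group(2) if state else None,
        "dh_min_bits": int(dh.group(1)) if dh else None,
        "has_rsa_key": re.search(r"^ssh-rsa\s+\S+", key_section, re.M) is not None,
    }

def audit(text):
    """Return (code, advice) findings; commands are the ones named in the thread."""
    info, findings = parse_show_ip_ssh(text), []
    if not info["enabled"]:
        findings.append(("ssh-disabled", "SSH server is not enabled"))
    if info["version"] == "1.99":
        findings.append(("v1-compat", "1.99 accepts SSHv1 and v2: ip ssh version 2"))
    if not info["has_rsa_key"]:
        findings.append(("no-rsa-key", "no key listed: crypto key generate rsa"))
    return findings

if __name__ == "__main__":
    for name, sample in (("thread", THREAD_OUTPUT), ("fixed", CONSTRUCTED_FIXED)):
        print(name, parse_show_ip_ssh(sample), audit(sample))
```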
