Unable to Make SSH work between 9200L & 3560CX

larrycraig
Level 1

Hello,  I am building a network that leverages a stacked pair of C9200L-24P-4G switches running 17.11.01 code with the following configuration for SSH


ip ssh authentication-retries 5
ip ssh rsa keypair-name customkey
crypto key generate rsa usage-keys label customkey modulus 2048

ip domain-name ourdomain.com

line vty 0 15
transport input ssh
login local

There are eight WS-C3560CX-8PC-S switches connected via trunk ports to the eight SFP ports. The 3560CX switches are all running 15.2(7)E7 code and have the exact same configuration for SSH. 

When attempting to SSH from the core to any of the 3560CX switches I get the following error:

SSH-3-NO_MATCH: No matching mac found: client hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com server hmac-sha1

I have read a lot of posts so far that took me down a bunch of rabbit holes. I tried the following commands based on a suggestion, but they did not resolve the issue, only changed the error slightly.

ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes256-ctr
ip ssh client algorithm mac hmac-sha1
ip ssh client algorithm encryption aes256-ctr

So what I would like to know is as follows:

Can this be made to work with the current code level? If yes, then how? If not, then what code do I need to run in order for SSH to function as expected? This is a discrete network that will not touch the internet, in case that matters.

Any assistance or guidance you can provide is appreciated. 

Hi

I would try to create the key again on the 3560. As this is an old device, the key creation may be at 1024 while you are using 2048 on the 9200 side; this could be a problem.

Run the command crypto key generate rsa and use 2048.

You may need to add domain first, which can be any domain.

ip domain-name mynetwork.com
First, I do have the ip domain-name command configured on all devices, sorry for not having included that. Also, the VTP domains are all the same as well. As for the key size, I used 2048 on every device, literally the same command set on all devices from a script.

ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes256-ctr 

SSH-3-NO_MATCH: No matching mac found: client hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com

Why do you use SHA2, not SHA1, when you want to access the SW?

M02@rt37
VIP

Hello @larrycraig,

The error message you're encountering suggests a mismatch between the SSH encryption and MAC algorithms supported by the SSH client (core switch) and server (3560CX switches). The core switch is proposing HMAC-SHA2 algorithms for MAC, while the 3560CX switches only support HMAC-SHA1.

Unfortunately, the C9200L switches running IOS-XE 17.11.01 do not support HMAC-SHA1 as a MAC algorithm for SSH. The SHA1 algorithm is considered weak and is no longer recommended due to security vulnerabilities. The C9200L switches only support the newer and more secure HMAC-SHA2 algorithms.

Using HMAC-SHA1 for SSH is not recommended from a security standpoint. If possible, upgrading the WS-C3560CX switches to a software version that supports HMAC-SHA2 algorithms is the preferred option. This ensures stronger security for your SSH connections.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
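The mismatch described in the replies above can be read straight off the SSH-3-NO_MATCH syslog line: SSH selects the first client-preferred algorithm that the server also offers, and the error fires when that intersection is empty. The script below is an added example, not code from the thread or from Cisco; it parses a log line in the shape quoted in the question (the sample here is constructed) and reports which side would need to add which algorithm so an operator can decide where to align the configuration.

```python
import re

# Constructed sample in the shape of the syslog line quoted in the thread
SAMPLE_LOG = (
    "SSH-3-NO_MATCH: No matching mac found: client "
    "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com server hmac-sha1"
)

# kind is the negotiated category (mac, cipher, kex, ...); lists are comma-separated
NO_MATCH_RE = re.compile(
    r"SSH-3-NO_MATCH: No matching (?P<kind>\w+) found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)


def parse_no_match(line):
    """Return (kind, client_algorithms, server_algorithms) or None if not a NO_MATCH line."""
    m = NO_MATCH_RE.search(line)
    if not m:
        return None
    return (m.group("kind"), m.group("client").split(","), m.group("server").split(","))


def negotiate(client_algos, server_algos):
    """RFC 4253 rule: first algorithm in the client's list that the server also supports."""
    offered = set(server_algos)
    for algo in client_algos:
        if algo in offered:
            return algo
    return None


def diagnose(line):
    """Summarise a NO_MATCH line: what was chosen (if anything) and what each side lacks."""
    parsed = parse_no_match(line)
    if parsed is None:
        return None
    kind, client, server = parsed
    return {
        "kind": kind,
        "chosen": negotiate(client, server),
        # algorithms the client offered that the server would have to enable
        "missing_on_server": [a for a in client if a not in server],
        # algorithms the server offered that the client would have to enable
        "missing_on_client": [a for a in server if a not in client],
    }
```

For the thread's line the result is no common MAC: the server side would need one of the two HMAC-SHA2 variants, or the client side would need hmac-sha1, which is the trade-off the replies discuss.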

This is all very helpful, Thank You.

Since HMAC-SHA2 was released in IOS version 15.5 and the latest IOS for the 3560CX is Release 15.2.7E8 MD, is my only option to downgrade the IOS on the 9200s to the point that they only support HMAC-SHA1?

Is that correct, or am I missing something?

Downgrade for ssh?

Mr @Leo Laohoo can confirm that.

But for me, no need to downgrade for only ssh.

I will check if the 9200 supports md5, not sha.

Until now I don't get what the relation is between ssh on the 9200 and the 3650?

Also, did you try to change the ssh version?

It seems that the 9200 on that level of code will not support version 1 of SSH. So I am unable to change the version.

You're correct @larrycraig, but it's a pity to downgrade the 9200L only for the ssh use case. I agree with @MHM Cisco World.

@MHM Cisco World said: Also, did you try to change the ssh version?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

I don't disagree with you. I was directed "We want the latest version, and we want SSH enabled for the network", which leaves me with solving one of the problems. It turns out that SSH is more important to them than the code level. So a downgrade seems my only option here. However, unfortunately the version suggested (pre 15.5) is no longer available, it would seem.

Leo Laohoo
Hall of Fame

If you are not "helping Cisco find bugs", I suggest downgrading to 17.9.3.

I agree 100%, Leo. I was just doing as directed.