cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8294
Views
5
Helpful
9
Replies

Remote SSH access to 2811 router

Benjamin.Hay
Level 1
Level 1

Hi,

I have being having an issue getting SSH to work to a router in my network. The SSH request seems to make it to the router and then fails with the router closing the connections. I checked my configs and cannot see anything obvious. I have also tried putty as well as secureCRT in case the issue was with my SSH client. Im at a loss and would appreciated it if someone could view the below outputs and offer and help or advice.

Dugging output:


*Oct  4 23:37:52.511: SSH0: starting SSH control process
*Oct  4 23:37:52.515: SSH0: sent protocol version id SSH-1.99-Cisco-1.25
*Oct  4 23:37:52.559: SSH0: protocol version id is - SSH-2.0-OpenSSH_4.6
*Oct  4 23:37:52.559: SSH2 0: send:packet of  length 344 (length also includes padlen of 5)
*Oct  4 23:37:52.559: SSH2 0: SSH2_MSG_KEXINIT sent
*Oct  4 23:37:52.559: SSH2 0: ssh_receive: 536 bytes received
*Oct  4 23:37:52.559: SSH2 0: input: total packet length of 704 bytes
*Oct  4 23:37:52.559: SSH2 0: partial packet length(block size)8 bytes,needed 696 bytes, maclen 0
*Oct  4 23:37:52.559: SSH2 0: ssh_receive: 168 bytes received
*Oct  4 23:37:52.559: SSH2 0: partial packet length(block size)8 bytes,needed 696 bytes, maclen 0
*Oct  4 23:37:52.559: SSH2 0: input: padlength 4 bytes
*Oct  4 23:37:52.559: SSH2 0: SSH2_M
iSG_KEXINIT received
*Oct  4 23:37:52.563: SSH2:kex: client->server enc:aes128-cbc mac:hmac-md5
*Oct  4 23:37:52.563: SSH2:kex: server->client enc:aes128-cbc mac:hmac-md5
*Oct  4 23:37:52.567: SSH2 0: ssh_receive: 24 bytes received
*Oct  4 23:37:52.567: SSH2 0: input: total packet length of 24 bytes
*Oct  4 23:37:52.567: SSH2 0: partial packet length(block size)8 bytes,needed 16 bytes, maclen 0
*Oct  4 23:37:52.567: SSH2 0: input: padlength 6 bytes
*Oct  4 23:37:52.567: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
*Oct  4 23:37:52.567: SSH2 0: Range sent by client is - 1024 < 1024 < 8192
*Oct  4 23:37:52.567: SSH2 0:  Modulus size established : 1024 bits
*Oct  4 23:37:52.567: SSH2 0: send:packet of  length 152 (length also includes padlen of 8)
*Oct  4 23:37:52.595: SSH2 0: expecting SSH2_MSG_KEX_DH_GEX_INIT
*Oct  4 23:37:52.619: SSH2 0: ssh_receive: 144 bytes received
*Oct  4 23:37:52.619: SSH2 0: input: total packet length of 144 bytes
*Oct  4 23:37:52.619: SSH2 0: partial packet length(block size)8 bytes,needed 136 bytes, maclen 0
*Oct  4 23:37:52.619: SSH2 0: input: padlength 6 bytes
*Oct  4 23:37:52.619: SSH2 0: SSH2_MSG_KEXDH_INIT received
*Oct  4 23:37:52.687: SSH2 0: signature length 143
*Oct  4 23:37:52.687: SSH2 0: send:packet of  length 448 (length also includes padlen of 8)
*Oct  4 23:37:52.691: SSH2: kex_derive_keys complete
*Oct  4 23:37:52.691: SSH2 0: send:packet of  length 16 (length also includes padlen of 10)
*Oct  4 23:37:52.691: SSH2 0: newkeys: mode 1
*Oct  4 23:37:52.691: SSH2 0: SSH2_MSG_NEWKEYS sent
*Oct  4 23:37:52.691: SSH2 0: waiting for SSH2_MSG_NEWKEYS
*Oct  4 23:37:52.735: SSH2 0: send:packet of  length 80 (length also includes padlen of 15)
*Oct  4 23:37:52.735: SSH2 0: computed MAC for sequence no.#4
*Oct  4 23:37:52.735: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection 
*Oct  4 23:37:52.867: SSH0: Session disconnected - error 0x00


ip ssh time-out 30
ip ssh source-interface FastEthernet0/0

access-list 10 permit <omitted>
access-list 10 permit <omitted>
access-list 10 permit <omitted>

line vty 0 4
access-class 10 in
privilege level 15
transport preferred none
transport input ssh

#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 30 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits

#show ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.

#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T4, RELEASE SOFTWARE (fc2)

Cheers,

Ben

9 Replies 9

paolo bevilacqua
Hall of Fame
Hall of Fame

In Putty, try forcing SSH v1 somewhere in SSH options.

Leo Laohoo
Hall of Fame
Hall of Fame

Have you tried this command "cryp key generate rsa general-keys modulus 768 "?

Hey,

I have entered the command 'cryp key generate rsa general-keys modulus 1024'

Also tried forcing putty to use SSH v1

Neither seem to have made a difference.

Cheers,

Ben

And you've also tried by removing the ACL?

Hi,

I have tried it without the ACL with no success.

To give a bit more background the router configuration was an existing configuration that was working fine. I backed up the configuration in a text file then changed the IOS version to the one listed in my original post. I reapplied the configuration from the text file, generated the RSA Key  and then ran into this problem.

Cheers,

Ben

So if you rolled back to the old IOS does it work?

Hi, Ben:

Looking at the debugs you had provided, the underlying TCP transport is working fine so the ACL is unlikely to be the problem. SSH has completed DH key exchange, and the server is simply waiting for the client side SSH_MSG_NEWKEYS message when the unexpected ssh message was received from the client. I'm not all that familiar with Putty, but for clients that enforce strict host key checking (such as the openSSH client), what you had observed is typically caused by a client RST due to mismatched RSA fingerprint between what's received and what's in the know_hosts file.

So when you tried to connect, what do you see on the client side? If you re-generated the RSA key pair on the router, then upon the new connection attempt, the client should at least prompt you with a security alert and ask you how you want to proceed with the new RSA key presented (overwrite the existing key, ignore, or terminate). Do you see that at all? A simple way to see whether this is the case or not on the router is to enable "debug ip tcp packet" along with "debug ip ssh". What you should see is a 16 byte SSH_MSG_NEWKEYS from the client.

I hope this helps.

Thanks,

Wen

Ben

What version of SecureCRT are you running? I very recently had a similar experience. I upgraded an IOS router to 12.4(24)T and found that our version of SecureCRT could no longer establish SSH sessions to the router. In our troubleshooting we found that newer version of SecureCRT did work with this router but that the sersion that we were running could not. So it was a version issue of the SecureCRT.

In this case I would expect that putty should have worked, so perhaps the issue is something else.

HTH

Rick

HTH

Rick

Hi, Rick:

The problem you described is a known issue with interoperability between SecureCRT and IOS after 12.4(20)T, which introduced the new SSH DH group14 support. This issue has since been fixed by SecureCRT (DH group offered in GEX exchange is mod8) in versions 6.1.2 and later. However, this particular problem is easily identified on IOS, whereas an "Invalid modulus length" will be reported. So I don't believe this is the issue we are looking at here.

Thanks,

Wen