SSH failed on 3750 switch

Hi

When I try to SSH to my 3750 switch I get the following error:

Unable to negotiate with 192.168.1.250 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

I tried to use the command ip ssh dh min size 4096, but my switch doesn't know it.

Here is the config on the cisco switch:

Current configuration : 2325 bytes

!

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Switch

!

boot-start-marker

boot-end-marker

!

enable secret 5 xxxxx

!

username admin privilege 15 secret 5 xxxxx

!

!

no aaa new-model

switch 4 provision ws-c3750-24p

system mtu routing 1500

ip domain-name zorf.local

!         

!

!

!

crypto pki trustpoint TP-self-signed-483538176

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-483538176

 revocation-check none

 rsakeypair TP-self-signed-483538176

!

!

!

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

ip ssh version 2

!

!

!

interface FastEthernet4/0/1

!

interface FastEthernet4/0/2

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface FastEthernet4/0/3

!

interface FastEthernet4/0/4

 switchport access vlan 10

 switchport mode access

 spanning-tree portfast

!

interface FastEthernet4/0/5

!

interface FastEthernet4/0/6

!

interface FastEthernet4/0/7

!

interface FastEthernet4/0/8

!

interface FastEthernet4/0/9

!         

interface FastEthernet4/0/10

!

interface FastEthernet4/0/11

!

interface FastEthernet4/0/12

 switchport access vlan 10

 switchport mode access

!

interface FastEthernet4/0/13

!

interface FastEthernet4/0/14

!

interface FastEthernet4/0/15

!

interface FastEthernet4/0/16

!

interface FastEthernet4/0/17

!

interface FastEthernet4/0/18

!

interface FastEthernet4/0/19

 switchport mode access

 switchport voice vlan 10

 spanning-tree portfast

!

interface FastEthernet4/0/20

!

interface FastEthernet4/0/21

 switchport mode access

 switchport voice vlan 10

 spanning-tree portfast

!

interface FastEthernet4/0/22

!

interface FastEthernet4/0/23

 switchport mode access

 switchport voice vlan 10

 spanning-tree portfast

!

interface FastEthernet4/0/24

!

interface GigabitEthernet4/0/1

!

interface GigabitEthernet4/0/2

!

interface Vlan1

 no ip address

!

interface Vlan10

 ip address 192.168.1.250 255.255.255.0

!

ip default-gateway 192.168.1.1

ip classless

ip http server

ip http secure-server

!

!

ip sla enable reaction-alerts

!

!

!

line con 0

 logging synchronous

line vty 0 4

 password xxxxxxx

 logging synchronous

 login local

 transport input all

line vty 5 15

 login

!

end

4 Replies

Hello,

try to zeroize and recreate the crypto key:

crypto key zeroize rsa

crypto key generate rsa modulus 2048

1024 is the default, so changing it to 2048 might help...

 

Hi,

As you can see in the output below, the modulus command is not available.

Switch(config)#crypto key zer

Switch(config)#crypto key zeroize ?

  rsa  Remove RSA keys

  <cr>

Switch(config)#crypto key zeroize rsa

% All RSA keys will be removed.

% All router certs issued using these keys will also be removed.

Do you really want to remove these keys? [yes/no]: yes

Switch(config)#crypto key gener

Switch(config)#crypto key generate rsa modu

Switch(config)#crypto key generate rsa modu?

% Unrecognized command

Switch(config)#crypto key generate rsa ?   

  general-keys  Generate a general purpose RSA key pair for signing and

                encryption

  storage       Provide a storage location

  usage-keys    Generate separate RSA key pairs for signing and encryption

  <cr>

Switch(config)#crypto key generate rsa

So I used:

crypto key generate rsa general-keys modulus 2048

But the error is the same:

Unable to negotiate with 192.168.1.250 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

The solution i have come across so far is putting some additional parameters to the ssh client.

$ ssh -l <USERNAME> -oHostKeyAlgorithms=+ssh-dss -oKexAlgorithms=+diffie-hellman-group1-sha1 <HOST>

Could some of the experts here tell me what the solution is to bring the Cisco switch up to modern KEX instead of using a workaround?

 

Thanks!
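The thread has no accepted answer on this page: the switch's IOS 12.2 image only offers diffie-hellman-group1-sha1, which current OpenSSH clients drop from their defaults. What a practitioner wants before accepting the client-side workaround is a way to see exactly what the device advertises and to scope the weakened settings to that one host. The following Python probe is an added example, not code from the thread or from Cisco: it speaks just enough SSH to read the server's SSH_MSG_KEXINIT (RFC 4253 section 7.1) and derives the minimal ssh(1) `-o` options a default-configured OpenSSH client would need. The constructed sample packet uses the KEX name from the error message above; its other algorithm lists, the default host/port, and the two "legacy" sets are assumptions for illustration.

```python
"""Added example: probe an SSH server's KEXINIT and derive the legacy ssh(1)
options a current OpenSSH client needs for it. Not code from the thread."""
import socket
import struct

SSH_MSG_KEXINIT = 20

# The ten name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)
# Assumption: SHA-1 KEX methods that current OpenSSH clients leave out of their defaults.
LEGACY_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
              "diffie-hellman-group-exchange-sha1"}
# Assumption: host-key signature types off by default (ssh-dss since 7.0, ssh-rsa since 8.8).
LEGACY_HOSTKEY = {"ssh-dss", "ssh-rsa"}


def _name_list(buf, off):
    """Decode one RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return [s for s in raw.decode("ascii").split(",") if s], off + 4 + n


def parse_kexinit(packet):
    """Parse one unencrypted SSH binary packet that carries SSH_MSG_KEXINIT."""
    (plen,) = struct.unpack_from(">I", packet, 0)
    pad = packet[4]
    payload = packet[5:4 + plen - pad]  # drop packet_length, padding_length, padding
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT packet")
    off = 1 + 16  # message byte + 16-byte cookie
    info = {}
    for field in KEXINIT_FIELDS:
        info[field], off = _name_list(payload, off)
    info["first_kex_packet_follows"] = bool(payload[off])
    return info


def build_kexinit(lists, cookie=bytes(16)):
    """Encode a KEXINIT packet from ten name-lists (used to build constructed test input)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in lists:
        body = ",".join(names).encode("ascii")
        payload += struct.pack(">I", len(body)) + body
    payload += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
    pad = 8 - (5 + len(payload)) % 8  # total length must be a multiple of 8, pad >= 4
    if pad < 4:
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)


def legacy_client_options(info):
    """ssh(1) -o options a default-configured current OpenSSH client needs for this offer.
    An option is only needed when the server offers nothing outside the legacy set."""
    opts = []
    kex = info["kex_algorithms"]
    if kex and all(k in LEGACY_KEX for k in kex):
        opts.append("-oKexAlgorithms=+" + ",".join(kex))
    hostkeys = info["server_host_key_algorithms"]
    if hostkeys and all(a in LEGACY_HOSTKEY for a in hostkeys):
        opts.append("-oHostKeyAlgorithms=+" + ",".join(hostkeys))
    return opts


def _read_exact(f, n):
    buf = b""
    while len(buf) < n:
        chunk = f.read(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before KEXINIT")
        buf += chunk
    return buf


def probe(host, port=22, timeout=5.0):
    """Connect, exchange identification strings, return the server's parsed KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexprobe\r\n")
        f = sock.makefile("rb")
        while True:  # a server may send banner lines before its SSH-2.0 line
            line = f.readline()
            if not line:
                raise ConnectionError("no identification string")
            if line.startswith(b"SSH-"):
                break
        head = _read_exact(f, 4)
        (plen,) = struct.unpack(">I", head)
        return parse_kexinit(head + _read_exact(f, plen))


# Constructed sample mimicking the switch in this thread: the KEX name comes from the
# error message quoted above, the other lists are assumptions for illustration.
SAMPLE_3750_KEXINIT = build_kexinit([
    ["diffie-hellman-group1-sha1"], ["ssh-rsa"],
    ["aes128-cbc", "3des-cbc", "aes256-cbc"], ["aes128-cbc", "3des-cbc", "aes256-cbc"],
    ["hmac-sha1", "hmac-sha1-96"], ["hmac-sha1", "hmac-sha1-96"],
    ["none"], ["none"], [], [],
])

if __name__ == "__main__":
    import sys
    info = probe(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.250")  # address from the thread
    print("kex offered:      ", ", ".join(info["kex_algorithms"]))
    print("host keys offered:", ", ".join(info["server_host_key_algorithms"]))
    print("client options:   ", " ".join(legacy_client_options(info)) or "(none needed)")
```

Whatever the probe reports, put the exceptions under a `Host 192.168.1.250` stanza in `~/.ssh/config` (`KexAlgorithms +diffie-hellman-group1-sha1`, plus `HostKeyAlgorithms +ssh-rsa` if the client also rejects the host key) rather than on every command line or in a global setting, so the 1024-bit SHA-1 group is re-enabled for this one device only. The same probe is the check to rerun after any software change on the switch, to confirm the offer has actually moved beyond group1-sha1 before the exception is removed.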
