07-14-2009 11:23 AM
When attempting to SSH into the router the connection is never established. Please see the following debug output:
5494365: Jul 14 18:44:18.769 UTC: SSH0: starting SSH control process
5494366: Jul 14 18:44:18.769 UTC: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
5494367: Jul 14 18:44:18.769 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.2.2 (build 263) SecureCRT
5494368: Jul 14 18:44:18.769 UTC: SSH2 0: send: len 280 (includes padlen 4)
5494369: Jul 14 18:44:18.769 UTC: SSH2 0: SSH2_MSG_KEXINIT sent
5494370: Jul 14 18:44:18.893 UTC: SSH2 0: ssh_receive: 464 bytes received
5494371: Jul 14 18:44:18.893 UTC: SSH2 0: input: packet len 464
5494372: Jul 14 18:44:18.893 UTC: SSH2 0: partial packet 8, need 456, maclen 0
5494373: Jul 14 18:44:18.893 UTC: SSH2 0: input: padlen 9
5494374: Jul 14 18:44:18.893 UTC: SSH2 0: received packet type 20
5494375: Jul 14 18:44:18.893 UTC: SSH2 0: SSH2_MSG_KEXINIT received
5494376: Jul 14 18:44:18.893 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494377: Jul 14 18:44:18.893 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none
5494378: Jul 14 18:44:18.941 UTC: SSH2 0: expecting SSH2_MSG_KEXDH_INIT
5494379: Jul 14 18:44:18.941 UTC: SSH2 0: ssh_receive: 144 bytes received
5494380: Jul 14 18:44:18.941 UTC: SSH2 0: input: packet len 144
5494381: Jul 14 18:44:18.941 UTC: SSH2 0: partial packet 8, need 136, maclen 0
5494382: Jul 14 18:44:18.941 UTC: SSH2 0: input: padlen 5
5494383: Jul 14 18:44:18.941 UTC: SSH2 0: received packet type 30
5494384: Jul 14 18:44:18.945 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received
5494385: Jul 14 18:44:19.005 UTC: SSH2 0: RSA_sign: private key not found
5494386: Jul 14 18:44:19.005 UTC: SSH2 0: signature creation failed, status -1
5494387: Jul 14 18:44:19.105 UTC: SSH0: Session disconnected - error 0x00
5494388: Jul 14 18:44:24.361 UTC: SSH0: starting SSH control process
5494389: Jul 14 18:44:24.361 UTC: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
5494390: Jul 14 18:44:24.361 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.2.2 (build 263) SecureCRT
5494391: Jul 14 18:44:24.361 UTC: SSH2 0: send: len 280 (includes padlen 4)
5494392: Jul 14 18:44:24.365 UTC: SSH2 0: SSH2_MSG_KEXINIT sent
5494393: Jul 14 18:44:24.561 UTC: SSH2 0: ssh_receive: 464 bytes received
5494394: Jul 14 18:44:24.561 UTC: SSH2 0: input: packet len 464
5494395: Jul 14 18:44:24.561 UTC: SSH2 0: partial packet 8, need 456, maclen 0
5494396: Jul 14 18:44:24.561 UTC: SSH2 0: input: padlen 9
5494397: Jul 14 18:44:24.561 UTC: SSH2 0: received packet type 20
5494398: Jul 14 18:44:24.561 UTC: SSH2 0: SSH2_MSG_KEXINIT received
5494399: Jul 14 18:44:24.565 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494400: Jul 14 18:44:24.565 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none
5494401: Jul 14 18:44:24.613 UTC: SSH2 0: expecting SSH2_MSG_KEXDH_INIT
5494402: Jul 14 18:44:24.613 UTC: SSH2 0: ssh_receive: 144 bytes received
5494403: Jul 14 18:44:24.613 UTC: SSH2 0: input: packet len 144
5494404: Jul 14 18:44:24.613 UTC: SSH2 0: partial packet 8, need 136, maclen 0
5494405: Jul 14 18:44:24.613 UTC: SSH2 0: input: padlen 6
5494406: Jul 14 18:44:24.613 UTC: SSH2 0: received packet type 30
5494407: Jul 14 18:44:24.613 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received
5494408: Jul 14 18:44:24.677 UTC: SSH2 0: RSA_sign: private key not found
5494409: Jul 14 18:44:24.677 UTC: SSH2 0: signature creation failed, status -1
5494410: Jul 14 18:44:24.777 UTC: SSH0: Session disconnected - error 0x07
Any ideas what this could be?
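As an added example (not code from the thread or from Cisco), here is a small Python triage helper that splits IOS debug ip ssh output like the above into per-session summaries and flags the host-key signing failure shown in it; the sample input is a constructed, trimmed copy of the lines in this post.

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the "debug ip ssh" output quoted in the post above.
SAMPLE_DEBUG = """\
5494365: Jul 14 18:44:18.769 UTC: SSH0: starting SSH control process
5494367: Jul 14 18:44:18.769 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.2.2 (build 263) SecureCRT
5494376: Jul 14 18:44:18.893 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494385: Jul 14 18:44:19.005 UTC: SSH2 0: RSA_sign: private key not found
5494386: Jul 14 18:44:19.005 UTC: SSH2 0: signature creation failed, status -1
5494387: Jul 14 18:44:19.105 UTC: SSH0: Session disconnected - error 0x00
5494388: Jul 14 18:44:24.361 UTC: SSH0: starting SSH control process
5494390: Jul 14 18:44:24.361 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.2.2 (build 263) SecureCRT
5494399: Jul 14 18:44:24.565 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494408: Jul 14 18:44:24.677 UTC: SSH2 0: RSA_sign: private key not found
5494410: Jul 14 18:44:24.777 UTC: SSH0: Session disconnected - error 0x07
"""

# Drop the sequence number and timestamp prefix and keep the message body.
MSG = re.compile(r"^\d+: \w{3} +\d+ [\d:.]+ \w+: (?P<body>.*)$")


def parse_ssh_debug(text: str) -> List[Dict[str, str]]:
    """Split IOS SSH debug output into sessions and summarise each one."""
    sessions: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for line in text.splitlines():
        m = MSG.match(line)
        if not m:
            continue
        body = m.group("body")
        if body.endswith("starting SSH control process"):
            cur = {"failure": "", "error": ""}   # a new session begins
            sessions.append(cur)
        elif "protocol version id is - " in body:   # the client's banner
            cur["client"] = body.split("protocol version id is - ", 1)[1]
        elif "kex: client->server " in body:        # negotiated cipher and MAC
            cur["cipher"], cur["mac"] = body.split("kex: client->server ", 1)[1].split()[:2]
        elif "RSA_sign: private key not found" in body:
            cur["failure"] = "RSA_sign: private key not found"
        elif "Session disconnected - error " in body:
            cur["error"] = body.rsplit("error ", 1)[1]
    return sessions


def needs_keypair_fix(session: Dict[str, str]) -> bool:
    """True when the session died at host-key signing: the server had no RSA private
    key to sign KEXDH_REPLY with. Later in this thread that was fixed by binding the
    SSH server to the host key with ip ssh rsa keypair-name."""
    return session.get("failure") == "RSA_sign: private key not found"
```

Note that the disconnect error code differs between the two otherwise identical sessions (0x00, then 0x07), so the RSA_sign line, not the error code, is the signature worth alerting on.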
07-14-2009 11:33 AM
Do you have private keys on your router/switch?
Try running
(config)#crypto key generate rsa
07-14-2009 11:36 AM
I did that...still same result. I can also do sh crypto key mypubkey rsa and it displays the keys.
07-14-2009 11:45 AM
can you paste a part of your config related to crypto. Also check if you have a domain-name on the device.
07-14-2009 11:52 AM
Here are excerpts from the configuration:
aaa new-model
!
!
aaa authentication login default group tacacs+ local enable
aaa authentication login userauthen1 local
aaa authentication login acs-rad group radius local
aaa authentication ppp default local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa authorization network groupauthor local
aaa authorization network groupauthor1 local
aaa accounting exec acct start-stop group tacacs+
aaa accounting exec acc-exec start-stop group tacacs+
!
aaa session-id common
!
ip ssh time-out 15
ip ssh authentication-retries 5
ip ssh version 2
line aux 0
no exec
transport input all
transport output all
stopbits 1
speed 115200
line vty 0 4
length 45
transport preferred none
transport input ssh
line vty 5 13
transport input ssh
line vty 14 15
session-timeout 60
access-class IPSec-Mgt in
exec-timeout 60 0
transport input all
!
Display from the show ip ssh command:
SSH Enabled - version 2.0
Authentication timeout: 15 secs; Authentication retries: 5
There are other routers on the network with the exact same configuration as far as ssh is concerned that work fine...
07-14-2009 11:59 AM
The only thing I can think about is if you have this command.
(config)#ip domain name domain.local
07-14-2009 12:02 PM
Our domain name is set and is not the default... very strange occurrence.
07-27-2009 09:01 PM
What code version is running on the working versus non-working routers?
Vandyke's support forum has some info. Some users report that Putty works fine for them but sCRT stopped after upgrading past IOS 12.2.4.15
http://forums.vandyke.com/archive/index.php/t-933.html
These lines from your debug output show the client sending AES256:
5494376: Jul 14 18:44:18.893 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494377: Jul 14 18:44:18.893 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none
A search of Cisco's site shows that the error "Session disconnected - error 0x07" indicates the SSH Client Not Compiled with Data Encryption Standard (DES). I use SCRT 6.1.x and it doesn't have DES as an option. I don't have a router to test with. Is there an option to set the encryption type on the router?
Secure Shell Version 2 Support guide for 12.3T - may be of some help.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ssh2.html
09-08-2009 09:31 AM
After opening a TAC case it was discovered that I was hitting a bug:
The TAC had me enter the following command:
ip ssh rsa keypair-name < your host.domain >
Once I did this, the problem was fixed!!
09-08-2009 11:11 AM
Kristen
Thank you for posting back to the forum indicating that you have identified and solved your problem. It makes the forum more useful when people can read about a situation, and can know what the problem identification was and what the solution was.
HTH
Rick
10-09-2017 07:40 AM
In my case, after applying the command, I can't access it anymore... If you have any suggestion, I'd appreciate it.
Thanks!
10-09-2017 01:42 PM
It is not clear in this post whether SSH access was working, you entered the command, and SSH access stopped working. Or whether SSH access had not worked, you entered the command, and SSH access still did not work. Can you clarify?
HTH
Rick
10-11-2017 05:47 AM - edited 10-11-2017 05:48 AM
SSH was working with Putty. I tried to make it work with WinSCP, so I did what this post says, and after applying the command mentioned, I lost the SSH connection even with Putty. I'm trying to avoid rebooting the router to see if the connection comes back.
Thanks!
10-11-2017 07:46 AM
I wonder if the issue is that the command pointed to an RSA key that does not exist? Can you post the output of show ip ssh?
HTH
Rick