SSH Login Failing

k.minarcin
Level 1

When attempting to SSH into the router, the connection is never established. Please see the following debug output:

5494365: Jul 14 18:44:18.769 UTC: SSH0: starting SSH control process
5494366: Jul 14 18:44:18.769 UTC: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
5494367: Jul 14 18:44:18.769 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.2.2 (build 263) SecureCRT
5494368: Jul 14 18:44:18.769 UTC: SSH2 0: send: len 280 (includes padlen 4)
5494369: Jul 14 18:44:18.769 UTC: SSH2 0: SSH2_MSG_KEXINIT sent
5494370: Jul 14 18:44:18.893 UTC: SSH2 0: ssh_receive: 464 bytes received
5494371: Jul 14 18:44:18.893 UTC: SSH2 0: input: packet len 464
5494372: Jul 14 18:44:18.893 UTC: SSH2 0: partial packet 8, need 456, maclen 0
5494373: Jul 14 18:44:18.893 UTC: SSH2 0: input: padlen 9
5494374: Jul 14 18:44:18.893 UTC: SSH2 0: received packet type 20
5494375: Jul 14 18:44:18.893 UTC: SSH2 0: SSH2_MSG_KEXINIT received
5494376: Jul 14 18:44:18.893 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494377: Jul 14 18:44:18.893 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none
5494378: Jul 14 18:44:18.941 UTC: SSH2 0: expecting SSH2_MSG_KEXDH_INIT
5494379: Jul 14 18:44:18.941 UTC: SSH2 0: ssh_receive: 144 bytes received
5494380: Jul 14 18:44:18.941 UTC: SSH2 0: input: packet len 144
5494381: Jul 14 18:44:18.941 UTC: SSH2 0: partial packet 8, need 136, maclen 0
5494382: Jul 14 18:44:18.941 UTC: SSH2 0: input: padlen 5
5494383: Jul 14 18:44:18.941 UTC: SSH2 0: received packet type 30
5494384: Jul 14 18:44:18.945 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received
5494385: Jul 14 18:44:19.005 UTC: SSH2 0: RSA_sign: private key not found
5494386: Jul 14 18:44:19.005 UTC: SSH2 0: signature creation failed, status -1
5494387: Jul 14 18:44:19.105 UTC: SSH0: Session disconnected - error 0x00
5494388: Jul 14 18:44:24.361 UTC: SSH0: starting SSH control process
5494389: Jul 14 18:44:24.361 UTC: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
5494390: Jul 14 18:44:24.361 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.2.2 (build 263) SecureCRT
5494391: Jul 14 18:44:24.361 UTC: SSH2 0: send: len 280 (includes padlen 4)
5494392: Jul 14 18:44:24.365 UTC: SSH2 0: SSH2_MSG_KEXINIT sent
5494393: Jul 14 18:44:24.561 UTC: SSH2 0: ssh_receive: 464 bytes received
5494394: Jul 14 18:44:24.561 UTC: SSH2 0: input: packet len 464
5494395: Jul 14 18:44:24.561 UTC: SSH2 0: partial packet 8, need 456, maclen 0
5494396: Jul 14 18:44:24.561 UTC: SSH2 0: input: padlen 9
5494397: Jul 14 18:44:24.561 UTC: SSH2 0: received packet type 20
5494398: Jul 14 18:44:24.561 UTC: SSH2 0: SSH2_MSG_KEXINIT received
5494399: Jul 14 18:44:24.565 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494400: Jul 14 18:44:24.565 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none
5494401: Jul 14 18:44:24.613 UTC: SSH2 0: expecting SSH2_MSG_KEXDH_INIT
5494402: Jul 14 18:44:24.613 UTC: SSH2 0: ssh_receive: 144 bytes received
5494403: Jul 14 18:44:24.613 UTC: SSH2 0: input: packet len 144
5494404: Jul 14 18:44:24.613 UTC: SSH2 0: partial packet 8, need 136, maclen 0
5494405: Jul 14 18:44:24.613 UTC: SSH2 0: input: padlen 6
5494406: Jul 14 18:44:24.613 UTC: SSH2 0: received packet type 30
5494407: Jul 14 18:44:24.613 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received
5494408: Jul 14 18:44:24.677 UTC: SSH2 0: RSA_sign: private key not found
5494409: Jul 14 18:44:24.677 UTC: SSH2 0: signature creation failed, status -1
5494410: Jul 14 18:44:24.777 UTC: SSH0: Session disconnected - error 0x07

Any ideas what this could be?

16 Replies

bansal.ojasvi
Level 1

Do you have private keys on your router/switch?

Try running

(config)#crypto key generate rsa

I did that... still the same result. I can also do sh crypto key mypubkey rsa and it displays the keys.

Can you paste the part of your config related to crypto? Also check if you have a domain-name on the device.

Here are excerpts from the configuration:

aaa new-model
!
!
aaa authentication login default group tacacs+ local enable
aaa authentication login userauthen1 local
aaa authentication login acs-rad group radius local
aaa authentication ppp default local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ local
aaa authorization network groupauthor local
aaa authorization network groupauthor1 local
aaa accounting exec acct start-stop group tacacs+
aaa accounting exec acc-exec start-stop group tacacs+
!
aaa session-id common
!
ip ssh time-out 15
ip ssh authentication-retries 5
ip ssh version 2
line aux 0
 no exec
 transport input all
 transport output all
 stopbits 1
 speed 115200
line vty 0 4
 length 45
 transport preferred none
 transport input ssh
line vty 5 13
 transport input ssh
line vty 14 15
 session-timeout 60
 access-class IPSec-Mgt in
 exec-timeout 60 0
 transport input all
!

Display from the show ip ssh command:

SSH Enabled - version 2.0
Authentication timeout: 15 secs; Authentication retries: 5

There are other routers on the network with the exact same configuration as far as ssh is concerned that work fine...

The only thing I can think of is whether you have this command.

(config)#ip domain name domain.local

Our domain name is set and is not the default... very strange occurrence.

What code version is running on the working versus non-working routers?

Vandyke's support forum has some info. Some users report that PuTTY works fine for them but sCRT stopped after upgrading past IOS 12.2.4.15.

http://forums.vandyke.com/archive/index.php/t-933.html

These lines from your debug output show the client sending AES256:

5494376: Jul 14 18:44:18.893 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494377: Jul 14 18:44:18.893 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none

A search of Cisco's site shows that the error "Session disconnected - error 0x07" indicates the SSH client was not compiled with Data Encryption Standard (DES). I use SCRT 6.1.x and it doesn't have DES as an option. I don't have a router to test with. Is there an option to set the encryption type on the router?

The Secure Shell Version 2 Support guide for 12.3T may be of some help.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ssh2.html

After opening a TAC case it was discovered that I was hitting a bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsa83601

The TAC had me enter the following command:

ip ssh rsa keypair-name < your host.domain >

Once I did this, the problem was fixed!!

Kristen
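A small triage script for this kind of debug ip ssh output, added here as an example and not part of the thread. It groups the posted lines into sessions and flags the "RSA_sign: private key not found" line, which appears after the client's KEXDH_INIT and before any authentication, so the disconnect code (0x00 on the first attempt, 0x07 on the second) is not the diagnostic signal; the patterns and the hint text in diagnose() are my own assumptions based only on the lines posted above and the fix reported in the thread.

```python
import re

# Constructed sample: lines taken from the "debug ip ssh" output posted above.
SAMPLE_LOG = """\
5494365: Jul 14 18:44:18.769 UTC: SSH0: starting SSH control process
5494376: Jul 14 18:44:18.893 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494384: Jul 14 18:44:18.945 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received
5494385: Jul 14 18:44:19.005 UTC: SSH2 0: RSA_sign: private key not found
5494387: Jul 14 18:44:19.105 UTC: SSH0: Session disconnected - error 0x00
5494388: Jul 14 18:44:24.361 UTC: SSH0: starting SSH control process
5494407: Jul 14 18:44:24.613 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received
5494408: Jul 14 18:44:24.677 UTC: SSH2 0: RSA_sign: private key not found
5494410: Jul 14 18:44:24.777 UTC: SSH0: Session disconnected - error 0x07
"""
# One pattern per event worth keeping (assumed format); each line updates the current session.
EVENTS = {
    "start": re.compile(r"SSH(\d+): starting SSH control process"),
    "kex":   re.compile(r"kex: client->server (\S+) (\S+)"),
    "stage": re.compile(r"(SSH2_MSG_\w+) received"),
    "nokey": re.compile(r"RSA_sign: private key not found"),
    "disc":  re.compile(r"Session disconnected - error (0x[0-9a-fA-F]+)"),
}

def triage_ssh_debug(text):
    """Group debug lines into SSH sessions and record how far each one got."""
    sessions = []
    for line in text.splitlines():
        if m := EVENTS["start"].search(line):
            sessions.append({"id": m.group(1), "cipher": None, "stage": "banner",
                             "no_key": False, "error": None})
        elif sessions:                      # lines before the first start are ignored
            s = sessions[-1]
            if m := EVENTS["kex"].search(line):
                s["cipher"] = m.group(1) + "/" + m.group(2)
            elif m := EVENTS["stage"].search(line):
                s["stage"] = m.group(1)
            elif EVENTS["nokey"].search(line):
                s["no_key"] = True
            elif m := EVENTS["disc"].search(line):
                s["error"] = m.group(1)
    return sessions

def diagnose(s):
    """Signing fails after KEXDH_INIT and before authentication: a host-key problem, not AAA."""
    if s["no_key"] and s["stage"] == "SSH2_MSG_KEXDH_INIT":
        return ("router could not sign KEXDH_REPLY: check 'show crypto key mypubkey rsa' "
                "and that 'ip ssh rsa keypair-name' names an existing keypair")
    return f"session {s['id']} ended with error {s['error']} at stage {s['stage']}"
```

Running diagnose() over each session from triage_ssh_debug(SAMPLE_LOG) gives the same host-key hint for both attempts, despite their different disconnect codes.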

Thank you for posting back to the forum indicating that you have identified and solved your problem. It makes the forum more useful when people can read about a situation, and can know what the problem identification was and what the solution was.

HTH

Rick

In my case, after applying the command, I can't access it anymore... If you have any suggestions, I'd appreciate them.

Thanks!

It is not clear in this post whether SSH access was working, you entered the command, and SSH access stopped working. Or whether SSH access had not worked, you entered the command, and SSH access still did not work. Can you clarify?

HTH

Rick

SSH was working with PuTTY. I tried to make it work with WinSCP, so I did what this post says, and after applying the command mentioned, I lost the SSH connection even with PuTTY. I'm trying to avoid rebooting the router to see if the connection comes back.

Thanks!

I wonder if the issue is that when you used that command it pointed to an RSA key that does not exist? Can you post the output of show ip ssh?

HTH

Rick
