
SSH remote connection

Hello,

I have a 3845 router on which I set up SSH v2 access.

This SSH access worked like a charm, but one day I couldn't access my router anymore. (No new config was added.)

So I tried to re-enable SSH and I get the following error:

BI-LOT-C3845-001(config)#crypto key generate rsa usage-keys label sshkeys

The name for the keys will be: sshkeys

Choose the size of the key modulus in the range of 360 to 2048 for your

  Signature Keys. Choosing a key modulus greater than 512 may take

  a few minutes.

How many bits in the modulus [512]: 2048

Choose the size of the key modulus in the range of 360 to 2048 for your

  Encryption Keys. Choosing a key modulus greater than 512 may take

  a few minutes.

How many bits in the modulus [512]: 2048

% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

% Error in generating keys: could not generate test signature

crypto_lib_keypair_get failed to get sshkeys

crypto_lib_keypair_get failed to get sshkeys

SSH Disabled - version 2.0

%Please create RSA keys (of atleast 768 bits size) to enable SSH v2.

Authentication timeout: 120 secs; Authentication retries: 3

And here is a part of my config file:

Building configuration...

Current configuration : 59468 bytes

!

! Last configuration change at 16:15:25 CEST Thu Jul 7 2011 by bi

! NVRAM config last updated at 16:22:41 CEST Thu Jul 7 2011 by bi

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime localtime

service password-encryption

!

hostname BI-LOT-C3845-001

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 5 log

security passwords min-length 6

logging buffered 100000

enable secret 5 $1$jiU*********************CfcnX/

enable password 7 070D****************11F

!

no aaa new-model

clock timezone UTC 1

clock summer-time CEST recurring

!

!

dot11 syslog

ip vrf forwarding

!

no ip domain lookup

ip domain name biconnect

!

no mpls ip

multilink bundle-name authenticated

!

voice-card 0

no dspfarm

!

ip cef

!

username ** privilege 15 secret 5 $1$********************OoPe8xtCVaoqIxY/

username *** secret 5 $1$******Dt$r**************************XfbC/

username ***** secret 5 $1$8i*****************************DTLe0

username ******* privilege 15 secret 5 $1$juZe$*********************bkQora1

!

!

archive

log config

  hidekeys

!

!

ip tftp source-interface GigabitEthernet0/0.1001

ip ssh version 2

!

!

!

[...]

line con 0

line aux 0

line vty 0 4

login local

transport input telnet

!

I tried to reset SSH with these two commands and re-enable SSH, but it doesn't work.

no crypto key generate rsa

crypto key zeroize rsa

Could someone help me please?

Thank you in advance, and sorry for my bad English, I'm French!


cadet alain
VIP Alumni

Hi,

This ssh access work like a charm but one day I can't access anymore to my router. (no new config was added)

How could it work?

line vty 0 4

login local

transport input telnet


When you clear the RSA keys, what is the output of sh crypto key mypubkey rsa?

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

Thanks for your quick answer.

I don't know how it works! But now I've just added transport input ssh telnet.

The output of sh crypto key mypubkey rsa is empty.

Hi,

you should put transport input ssh, as telnet is not secure.

Now you know you haven't got any old keys, try to generate a new one with a 1024 modulus and see if it works.

Regards.

Alain.

Don't forget to rate helpful posts.
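Turning the two checks made in this thread so far into a script, as an added example that is not code from the thread or from Cisco: Alain's point that transport input telnet leaves a cleartext login open, and the show ip ssh output in the first post, which reports SSH disabled because no usable RSA key pair exists. The script audits a pasted running-config together with show ip ssh output and reports SSHv2 not being enforced, a missing ip domain name (which crypto key generate rsa needs), vty lines that still accept telnet, and any "password 7" credential, which it decodes to show why only enable secret counts. The two configs and the show ip ssh lines are constructed to mirror the poster's output, the secrets are placeholders, and 0822455D0A16 is the widely documented type-7 encoding of the word cisco, not anything taken from the post.

```python
import re

# Fixed XOR key behind Cisco "password 7" (service password-encryption). It is
# public, so type 7 only obfuscates; 'enable secret' (type 5) is an actual hash.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a type-7 string: 2-digit decimal seed, then hex bytes XORed with the key."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]) for i, b in enumerate(body))


def parse_show_ip_ssh(text: str) -> dict:
    """Return {'enabled': bool, 'version': str} from 'show ip ssh' output."""
    m = re.search(r"SSH (Enabled|Disabled)\s*-\s*version\s+(\S+)", text)
    if m is None:
        raise ValueError("unrecognised 'show ip ssh' output")
    return {"enabled": m.group(1) == "Enabled", "version": m.group(2)}


def vty_sections(config: str):
    """Yield (header, sub-commands) for each 'line vty' block. Sub-commands may be
    indented (real IOS output) or flush left (as they appear pasted into a forum)."""
    lines = [l.rstrip() for l in config.splitlines()]
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, body = lines[i], []
            i += 1
            while i < len(lines) and not re.match(r"!|line |end\b", lines[i]):
                if lines[i].strip():
                    body.append(lines[i].strip())
                i += 1
            yield header, body
        else:
            i += 1


def audit_ssh(config: str, show_ip_ssh: str) -> list:
    """Return human-readable findings for a running-config plus 'show ip ssh' output."""
    findings = []
    cfg = [l.strip() for l in config.splitlines()]

    if "ip ssh version 2" not in cfg:
        findings.append("ip ssh version 2 not set: SSHv1 negotiation is still allowed")
    if not any(re.match(r"ip domain[ -]name ", l) for l in cfg):
        findings.append("no ip domain name: 'crypto key generate rsa' needs hostname and domain")

    for header, body in vty_sections(config):
        transports = [l for l in body if l.startswith("transport input")]
        if not transports:
            findings.append(f"{header}: no explicit 'transport input ssh'")
        for t in transports:
            if re.search(r"\b(telnet|all)\b", t):
                findings.append(f"{header}: '{t}' permits cleartext logins")
        if not any(l.startswith("login") for l in body):
            findings.append(f"{header}: no 'login local' / 'login authentication'")

    for l in cfg:
        m = re.match(r"(enable password|username \S+(?: privilege \d+)? password) 7 (\S+)", l)
        if m:
            findings.append(f"reversible type-7 credential in '{m.group(1)}': "
                            f"decodes to {decode_type7(m.group(2))!r}")

    # RSA keys never appear in the running-config; 'show ip ssh' is the evidence for them.
    if not parse_show_ip_ssh(show_ip_ssh)["enabled"]:
        findings.append("SSH disabled: no usable RSA key pair (check 'show crypto key mypubkey rsa')")
    return findings


# Constructed samples modelled on the thread. The secrets are placeholders, not the
# poster's; 0822455D0A16 is the widely documented type-7 encoding of 'cisco'.
WEAK_CONFIG = """\
hostname BI-LOT-C3845-001
service password-encryption
enable secret 5 $1$XXXX$XXXXXXXXXXXXXXXXXXXXXXX
enable password 7 0822455D0A16
ip domain name biconnect
ip ssh version 2
line vty 0 4
 login local
 transport input telnet
!
end
"""
WEAK_SHOW_IP_SSH = "SSH Disabled - version 2.0\n%Please create RSA keys (of atleast 768 bits size) to enable SSH v2.\n"

HARDENED_CONFIG = """\
hostname BI-LOT-C3845-001
service password-encryption
enable secret 5 $1$XXXX$XXXXXXXXXXXXXXXXXXXXXXX
ip domain name biconnect
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 login local
 transport input ssh
!
end
"""
HARDENED_SHOW_IP_SSH = "SSH Enabled - version 2.0\nAuthentication timeout: 60 secs; Authentication retries: 3\n"

if __name__ == "__main__":
    for name, cfg, state in (("weak", WEAK_CONFIG, WEAK_SHOW_IP_SSH),
                             ("hardened", HARDENED_CONFIG, HARDENED_SHOW_IP_SSH)):
        print(name + ":", audit_ssh(cfg, state) or ["no findings"])
```

Run it against the saved output of show running-config and show ip ssh; on the weak sample it reports the telnet transport, the decoded type-7 enable password and the disabled SSH state, and on the hardened sample nothing. The key-pair check is deliberately taken from show ip ssh rather than the config, because, as this thread shows, a config can contain ip ssh version 2 while no usable key exists on the box.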

I can't totally remove ssh from my router because I will lose access....

I tried to generate new keys and it's the same error message.

Hi,

I suppose you meant telnet.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

Did you try configuring general-keys instead of usage-keys? Is it also the same if you use no label but create an ip domain command and then generate the key with crypto key gen rsa modulus 1024?

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

Thanks a lot for your help cadet alain.

Yes, I meant telnet!

I tried to generate general-keys but I get the same error:

BI-LOT-C3845-001(config)#crypto key generate rsa general-keys modulus 1024

The name for the keys will be: BI-LOT-C3845-001.biconnect.local

% The key modulus size is 1024 bits

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

% Error in generating keys: could not generate test signature

crypto_lib_keypair_get failed to get BI-LOT-C3845-001.biconnect.local

crypto_lib_keypair_get failed to get BI-LOT-C3845-001.biconnect.local

Hello Mathieu,

I am wondering if you could check whether the key was still generated? Do you see it in show crypto key mypubkey rsa?

What is the IOS you are running?


I found a bug dealing with this error which says that those errors should be cosmetic and the key should still be generated:

CSCsh34835 (the errors should not appear after 12.4(22)T).

Warm Regards,

Rose



Hello,

When I use the show command to see if the keys are generated, the output is empty.

The IOS version I'm running is the following:

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

BI-LOT-C3845-001 uptime is 14 weeks, 5 days, 4 hours, 6 minutes

System returned to ROM by power-on

System restarted at 11:11:04 CEST Wed Mar 30 2011

System image file is "flash:c3845-advipservicesk9-mz.124-15.T10.bin"

Thanks a lot.

Hello Mathieu,

Sounds like a bug. I cannot see anything missing from the configuration which should prevent us from creating the RSA key. At the same time the IOS is pretty old. I would recommend a software upgrade first and if the error is still present with a recent IOS, then to open a TAC case. This might need involving development.

Warm Regards,

Rose

Hello,

Thanks a lot for your help. I will continue with Telnet because for the moment I can't stop the router (it's a VRF/MPLS ISP router) to upgrade it.

But it's very strange that one day SSH stopped working.

I have an idea. Where are the keys stored on the router? Is it the same place as the startup config?

My startup-config is huge and maybe there is not enough space to store the keys.

Mathieu.

Hello Mathieu,

Yes, the keys are stored on the NVRAM in a hidden file.

I would expect that in case we have not enough free space, we would get a specific error referencing lack of memory. However, you could check how much free space you have on the NVRAM:

dir nvram:

If it is indeed very low, you can try to erase the NVRAM (should be ok if the config is saved after trying to generate the RSA keys and it is not reloaded) and try to regenerate the RSA keys.

If you are worried about the size of the config, you might also try "service compress-config"

Warm Regards,

Rose

Hi Rozsa,

Ok thanks for your help...

This morning an unknown problem reloaded my router.... and now the crypto command to generate keys works and I can connect to my device via SSH.... Strange, but it works!!

Thanks a lot for the help !

Mathieu.

Hello Mathieu,

Thank you for letting us know that the SSH connection came back after the reload. Nice to hear that it got sorted out even if we do not have the root cause.

Warm Regards,

Rose