thanks for your answer but I got this question in exam and it was asking me which will be choosen by default by router or switch and they give me two options..telnet or ssh, so which one is correct ?

I would say the default would be telnet, eventhough I think the question is incorrect. Purely because with SSH you would need to generate the RSA keypair, etc etc before you can even use SSH to access the router. So base on that theory, telnet would be the answer.

The correct exam answer (actually I need to know the wording used on the exam) is that there isn't a default. Both protocols are listening.  To go a little further on this, SSH might error out if not configured properly (PC may also need config). This is why many people configure Telnet as a backup and why an ACL to restrict source address is necessary.

How Cisco words a question and their answer can be tricky. You interpreted this as an either/or question.

Dear,

I have both enabled but i dont able to do the ssh, however I am able to telnet the device.

Kindly let me know what could be wrong ?

@Ashis Patra

Have you confirmed your RSA keypair?

Dear Marvin,

I am getting the below error while trying to login the device. Are you asking about the below command in bold whether ts there in the switch or not? If Yes then this command is not there in the switch.

Server: ssh 10.X.X.X
ssh: connect to host 10.X.X.X port 22: Connection refused

crypto key generate rsa modulus 1024

Thanks,

Ashis

The "crypto key generate..." command will never be in the running-config as it is a runtime command used only to generate a new key.

However you should have at least one RSA key present. You can confirm it with the following command:

show crypto key mypubkey rsa

Thanks Marvin I am getting this output. Please explain me.

show crypto key mypubkey rsa
% Key pair was generated at: 19:00:09 GMT Oct 22 2018
Key name: CISCO
Key type: RSA KEYS
On Cryptographic Device: act2 (label=act2, key index=24)
Usage: General Purpose Key
Key is not exportable.
Key Data:

30820122 

That looks ok. Can you ssh to any other device?

What is the device you are attempting to access?

Can you provide the output of "show version" from it?

Dear Marvin,

Sorry for the late response. I am able to do the ssh to other device. Please find the below output FYI. And kindly advice.

sh version
Cisco IOS XE Software, Version 16.06.01
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Sat 22-Jul-17 05:55 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2017 by cisco Systems, Inc.
All rights reserved. Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0. The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY. You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0. For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON
Hostname uptime is 3 weeks, 2 days, 16 hours, 44 minutes
Uptime for this control processor is 3 weeks, 2 days, 16 hours, 46 minutes
System returned to ROM by Reload Command at 18:53:16 GMT Mon Oct 22 2018
System restarted at 18:49:58 GMT Mon Oct 22 2018
System image file is "bootflash:isr4300-universalk9.16.06.01.SPA.bin"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Suite License Information for Module:'esg'

--------------------------------------------------------------------------------
Suite Suite Current Type Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9 None None None
securityk9
appxk9

AdvUCSuiteK9 None None None
uck9
cme-srst
cube

Technology Package License Information:

-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
appxk9 None None None
uck9 None None None
securityk9 securityk9 EvalRightToUse securityk9
ipbase ipbasek9 Permanent ipbasek9

cisco ISR4351/K9 (2RU) processor with 1797107K/6147K bytes of memory.
Processor board ID FLM2133W0J2
3 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3125247K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Configuration register is 0x2102

Thanks,

Ashis

That's odd. All of the common issues seem ok.

You have an image that supports strong crypto, you have an RSA key, you've enabled ssh input, your client PC can ssh to other devices.

Is it possible somebody has modified the Diffie-Hellman (dh) key exchange specification?

It is probably best to do a packet capture of an attempted logon from your PC. You can then examine the initial communications attempt and see exactly where it is failing.

If you haven't already seen it, also have a look at this guide:

https://community.cisco.com/t5/security-documents/guide-to-better-ssh-security/ta-p/3133344