NCS540 ssh version exchange

sphere365 (Level 1)

Hi guys,

Happy New year and all the best!

We have an issue that came up recently.

A few months back we got a new backup solution for our network gear (more or less based on RANCID) that uses SSH to log in to the devices, run a few show commands, and grab the running-config.

It works perfectly with XE and ASR 9Ks, but it doesn't want to co-operate with the NCS540.

When you try to SSH from that backup box to the NCS box, the NCS throws an error:

Failed in version exchange

Incoming SSH session rate limit exceeded

SSH was tried with a local user (that has all the rights) and with remote (TACACS and RADIUS) users (also with full privileges).

All network boxes are using SSH v2, and we use MPP for restricting access (the same control-plane config is deployed on the ASR 9Ks, where that login is working).

Any advice is more than welcome.

Thanks!

1 Reply

smilstea (Cisco Employee)

%SECURITY-SSHD-3-ERR_GENERAL : Failed in version exchange

Explanation (Symptom and conditions):

Problem with the client. Failure in version exchange because the server was not able to receive the proper message from the client.

The client closed the SSH session prematurely, which caused the version exchange to fail. Depending on when during the session establishment the client disconnected, a different syslog may be seen. Also commonly seen is that we are not able to proceed with the version exchange; this can happen if we start our daemon with version 2 and the incoming connection is for SSH version 1.

Business impact: SSH session connection will close prematurely.

Recommended action or workaround: Check the client or the underlying connection, and the version settings.

What version is your ASR9K on? We deprecated some ciphers and key types in 6.x code.

'show ssh server' will tell you the available algorithms.

For backwards compatibility the commands below were added:

This command went into 6.3.1:

RP/0/RP0/CPU0:NCS-55A1-A(config)#ssh server enable cipher ?
3des-cbc Enable ssh server 3des-cbc algorithm
aes-cbc Enable ssh server aes-cbc algorithms

This command went into 6.3.2:

RP/0/RP0/CPU0:NCS-55A1-A(config)#ssh server algorithms key-exchange ?
WORD choose one or more in required preference
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
RP/0/RP0/CPU0:NCS-55A1-A(config)#$change diffie-hellman-group1-sha1 ?
WORD choose one or more in required preference
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
<cr>
RP/0/RP0/CPU0:NCS-55A1-A(config)#$change diffie-hellman-group1-sha1

RP/0/RP0/CPU0:NCS-55A1-A#show ssh server | i diffie
Tue Jan 12 18:06:34.525 UTC
Key-Exchange Algorithms := ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
RP/0/RP0/CPU0:NCS-55A1-A#

diffie-hellman-group1-sha1 is disabled in later versions.

Enabling the key-exchange algorithm and potentially the older ciphers should resolve your issue.

Sam
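As an added illustration of the algorithm negotiation the reply describes (example code written for this page, not Cisco's tooling or the original poster's backup script): it builds two constructed SSH_MSG_KEXINIT payloads, one carrying the key-exchange list shown in the 'show ssh server' output above and one for a legacy client, and applies the RFC 4253 first-match rule to show which category fails to negotiate. The client lists and the host-key, cipher and MAC names are assumptions, not values taken from a real device.

```python
import struct

# Constructed sample lists (not captured from a real device): the key-exchange set
# the reply above shows on the NCS box, and a legacy client offering only the
# group1 method that was removed in later releases.
SERVER_KEX = ["ecdh-sha2-nistp521", "ecdh-sha2-nistp384",
              "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"]
LEGACY_CLIENT_KEX = ["diffie-hellman-group1-sha1"]

def _name_list(items):
    """Encode an RFC 4251 name-list: uint32 length + comma-separated names."""
    data = ",".join(items).encode()
    return struct.pack(">I", len(data)) + data

def build_kexinit(kex, host_keys, ciphers, macs, comps=("none",)):
    """Build an SSH_MSG_KEXINIT payload (RFC 4253 s7.1); both directions share lists."""
    body = b"\x14" + b"\x00" * 16  # message type 20 + 16-byte cookie
    for lst in (kex, host_keys, ciphers, ciphers, macs, macs, comps, comps, (), ()):
        body += _name_list(lst)
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of its ten name-lists."""
    if payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}
    for field in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode()
        out[field] = raw.split(",") if raw else []
        pos += 4 + n
    return out

def negotiate(client_list, server_list):
    """RFC 4253 rule: the first client choice the server also lists, else None."""
    return next((a for a in client_list if a in server_list), None)

def diagnose(client_payload, server_payload):
    """Negotiated algorithm per category; None marks the mismatch that drops the session."""
    c, s = parse_kexinit(client_payload), parse_kexinit(server_payload)
    return {f: negotiate(c[f], s[f]) for f in ("kex", "host_key", "enc_c2s", "mac_c2s")}

if __name__ == "__main__":
    server = build_kexinit(SERVER_KEX, ["ssh-rsa"], ["aes128-ctr"], ["hmac-sha2-256"])
    legacy = build_kexinit(LEGACY_CLIENT_KEX, ["ssh-rsa"], ["aes128-cbc"], ["hmac-sha1"])
    print(diagnose(legacy, server))  # kex and enc_c2s come back as None
```

A None in the report is the category to compare against 'show ssh server' before deciding whether to re-enable a legacy algorithm on the device or update the client.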