01-12-2021 03:12 AM
Hi guys,
Happy New year and all the best!
We have an issue that came up recently.
A few months back we got a new backup solution for our network gear (more or less based on rancid) that uses ssh to log in to the devices, do a few show outputs, and grep a running-config.
It works perfectly with XE and ASR 9Ks, but it doesn't want to cooperate with the NCS540.
When you try to ssh from that backup box to the NCS box, the NCS throws an error:
Failed in version exchange
Incoming SSH session rate limit exceeded
ssh was tried with a local user (that has all the rights) and a remote (TACACS and RADIUS) user (also with full privileges).
All network boxes are using ssh v2, and we use MPP for restricting access (the same control-plane config is deployed on the ASR 9Ks, where that login is working).
Any advice is more than welcome.
Thanks!
01-12-2021 10:31 AM
Explanation (symptom and conditions):
Problem with the client. The version exchange fails because it is not able to receive the proper message from the client.
The client closed the SSH session prematurely, which caused the version exchange to fail. Depending on when during session establishment the client disconnected, a different syslog may be seen. Also commonly seen is that we are not able to proceed with the version exchange; this can happen if we start our daemon with version 2 and the incoming connection is for ssh version 1.
Business impact: the SSH session connection will close prematurely.
Recommended action or workaround: check the client or underlying connection and version settings.
What version is your ASR9K on? We deprecated some ciphers and key types in 6.x code.
'show ssh server' will tell you the available algorithms.
For backwards support the below commands were added:
This went into 6.3.1:
RP/0/RP0/CPU0:NCS-55A1-A(config)#ssh server enable cipher ?
3des-cbc Enable ssh server 3des-cbc algorithm
aes-cbc Enable ssh server aes-cbc algorithms
This command went into 6.3.2:
RP/0/RP0/CPU0:NCS-55A1-A(config)#ssh server algorithms key-exchange ?
WORD choose one or more in required preference
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
RP/0/RP0/CPU0:NCS-55A1-A(config)#$change diffie-hellman-group1-sha1 ?
WORD choose one or more in required preference
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1
<cr>
RP/0/RP0/CPU0:NCS-55A1-A(config)#$change diffie-hellman-group1-sha1
RP/0/RP0/CPU0:NCS-55A1-A#show ssh server | i diffie
Tue Jan 12 18:06:34.525 UTC
Key-Exchange Algorithms := ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
RP/0/RP0/CPU0:NCS-55A1-A#
diffie-hellman-group1-sha1 is disabled in later versions.
Enabling the key cipher and potentially the older ciphers should resolve your issue.
Sam
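As an added example (not from the thread or from Cisco), a small Python script that models the algorithm negotiation step the reply's workaround targets: it builds and parses SSH_MSG_KEXINIT name-lists (RFC 4253) and reports which key-exchange, host-key, cipher and MAC the two sides would agree on, or None where there is no overlap. The server list is the one from the 'show ssh server' output above; the legacy client list is a constructed assumption standing in for an old backup-host client.

```python
import struct

NCS_KEX = ["ecdh-sha2-nistp521", "ecdh-sha2-nistp384",
           "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"]  # from 'show ssh server'
LEGACY_KEX = ["diffie-hellman-group1-sha1"]  # constructed: an old backup-host client

def _namelist(names):
    """Encode an SSH name-list (RFC 4253 s.5): uint32 length + comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(kex, hostkey, enc, mac):
    """Construct an SSH_MSG_KEXINIT payload (sample data, not a capture)."""
    body = bytes([20]) + bytes(16)  # msg id 20, then a 16-byte cookie (zeros here)
    for lst in (kex, hostkey, enc, enc, mac, mac, ["none"], ["none"], [], []):
        body += _namelist(lst)
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload):
    """Decode the ten name-lists of a KEXINIT payload into a dict of lists."""
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    off, out = 17, {}  # skip message id and cookie
    for field in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        names = payload[off + 4:off + 4 + n].decode("ascii")
        out[field] = [s for s in names.split(",") if s]
        off += 4 + n
    return out

def negotiate(client, server):
    """RFC 4253 s.7.1: first client preference that the server also lists."""
    return next((a for a in client if a in server), None)

def check_compat(client_payload, server_payload):
    """Return {field: chosen algorithm or None}; None means the session cannot proceed."""
    c, s = parse_kexinit(client_payload), parse_kexinit(server_payload)
    return {f: negotiate(c[f], s[f]) for f in ("kex", "hostkey", "enc_c2s", "mac_c2s")}

if __name__ == "__main__":
    server = build_kexinit(NCS_KEX, ["ssh-rsa"], ["aes128-ctr"], ["hmac-sha1"])
    client = build_kexinit(LEGACY_KEX, ["ssh-rsa"], ["aes128-ctr"], ["hmac-sha1"])
    print(check_compat(client, server))  # kex is None: no common key-exchange algorithm
```

Re-running check_compat with the server list extended by diffie-hellman-group1-sha1 (the 6.3.2 command in the reply) yields a match, which is the quickest way to confirm that the mismatch, and not MPP or AAA, is what blocks the backup host.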