SSH configured but not working on 3600 box

Unanswered Question
May 8th, 2007

I am at a Customer Site. The customer has a 3600 box facing the Internet running Code 12.2(16a). I have examined the configuration on this box, and I am confused by what I see.

There is an ACL applied to the Interface facing the internet. It specifically allows SSH connections to that interface. But when I try to connect, it is refused.

I looked at vty 0 4 to see if the statement "transport input ssh" was present, but it is not.

I also tried to generate crypto keys using the command "cry key generate rsa", but I got back "unrecognized command".

I am not sure how to proceed. I need to have SSH access to the box from the outside for Remote Support.


sundar.palaniappan Tue, 05/08/2007 - 06:26

It sounds like the router mayn't be running a crypto image. Do you see the letters k9 as part of the IOS filename? If you don't, you need to upgrade the feature set to a crypto image for SSH to work.



Kevin Melton Tue, 05/08/2007 - 12:02

There is not a K9 as part of the IOS Installed. I did a sho ver and it is running


I would surmise by your response and those others that I do indeed need to upgrade the code on this.

Richard Burts Tue, 05/08/2007 - 12:36


The code that is currently running is the IP only image and it does not support SSH. To support SSH you need an image with crypto support and so yes you will need to upgrade the code.

I checked in the software advisor on the Cisco site to find equivalent code that would support SSH. I find c3660-ik9s-mz.12.2-16d which is the IP PLUS IPSEC 3DES image to probably be the closest match to your current code. Of course if you upgrade code you might consider upgrading to a more recent version of code. Be aware that the requirements for flash and for memory are different in these 2 versions. While the IP only code requires 8 MB of flash and 32 MB of memory the IP PLUS IPSEC 3DES code requires 16 MB of flash and 64 MB of memory. Check the router to verify whether it has those resources.



Amit Singh Tue, 05/08/2007 - 06:50

Please paste "show version" from the router. As pointed out by Sundar, it seems you don't have the correct IOS with SSH support.

-amit singh

Richard Burts Tue, 05/08/2007 - 08:00

In addition to the good suggestions made by Sundar and Amit, it would be helpful to see the output of show ip ssh.

The fact that an access list is written to allow SSH does not necessarily indicate that SSH is running on the router. And there being no transport input ssh does not mean that SSH is necessarily disabled since the default is transport input all which does include SSH. The invalid command response to the attempt to generate RSA keys is a strong indicator that the image being run does not include crypto support. The output of show ip ssh would confirm the status of SSH.
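
The checks the replies above walk through (a k9 feature set in the image name, plus the 16 MB flash and 64 MB memory the crypto image needs) can be run against saved "show version" output. This is an added example, not part of the original thread: the function names are hypothetical, and the sample output, including its image filename and sizes, is constructed rather than taken from the poster's router.

```python
import re

# Requirements the thread quotes for the IP PLUS IPSEC 3DES image.
REQUIRED_FLASH_MB = 16
REQUIRED_DRAM_MB = 64

# Constructed sample of "show version" output; not taken from the poster's router.
SAMPLE_SHOW_VERSION = """\
IOS (tm) 3600 Software (C3660-I-M), Version 12.2(16a), RELEASE SOFTWARE
System image file is "flash:c3660-i-mz.122-16a.bin"
cisco 3660 (R527x) processor (revision 1.0) with 57344K/8192K bytes of memory.
8192K bytes of processor board System flash (Read/Write)
"""

def image_has_crypto(filename):
    """True if the feature-set field of the image name carries the k9 marker."""
    # Name layout: <platform>-<featureset>-<format>.<version>
    parts = filename.split(":")[-1].split("/")[-1].lower().split("-")
    return len(parts) >= 3 and "k9" in parts[1]

def audit_show_version(text):
    """Parse image name, DRAM and flash size out of 'show version' output."""
    image = re.search(r'System image file is "([^"]+)"', text)
    dram = re.search(r"with (\d+)K/(\d+)K bytes of memory", text)
    flash = re.search(r"(\d+)K bytes of .*flash", text, re.IGNORECASE)
    if not (image and dram and flash):
        raise ValueError("unrecognized 'show version' output")
    # IOS reports DRAM as main/shared I/O memory; the total is the sum.
    dram_mb = (int(dram.group(1)) + int(dram.group(2))) // 1024
    flash_mb = int(flash.group(1)) // 1024
    return {"image": image.group(1),
            "crypto_image": image_has_crypto(image.group(1)),
            "dram_mb": dram_mb, "flash_mb": flash_mb}

def upgrade_blockers(report):
    """List what stands between this router and a working SSH server."""
    blockers = []
    if not report["crypto_image"]:
        blockers.append("image has no k9 feature set: SSH unavailable")
    if report["flash_mb"] < REQUIRED_FLASH_MB:
        blockers.append(f"flash {report['flash_mb']} MB < {REQUIRED_FLASH_MB} MB")
    if report["dram_mb"] < REQUIRED_DRAM_MB:
        blockers.append(f"memory {report['dram_mb']} MB < {REQUIRED_DRAM_MB} MB")
    return blockers

if __name__ == "__main__":
    report = audit_show_version(SAMPLE_SHOW_VERSION)
    print(report)
    for line in upgrade_blockers(report):
        print("BLOCKER:", line)
```

The k9 test looks only at the feature-set field of the filename, so a platform or version string cannot trigger a false match.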



