
SSH configured but not working on 3600 box

Kevin Melton
Level 2

I am at a Customer Site. The customer has a 3600 box facing the Internet running Code 12.2(16a). I have examined the configuration on this box, and I am confused by what I see.

There is an ACL applied to the Interface facing the internet. It specifically allows SSH connections to that interface. But when I try to connect, it is refused.

I looked at vty 0 4 to see if the statement "transport input ssh" was present, but it is not.

I also tried to generate crypto keys using the command "cry key generate rsa", but I got back "unrecognized command".

I am not sure how to proceed. I need to have SSH access to the box from the outside for Remote Support.

Thanks

5 Replies

It sounds like the router may not be running a crypto image. Do you see the letters k9 as part of the IOS filename? If not, you need to upgrade the feature set to a crypto image for SSH to work.

HTH

Sundar

There is not a K9 as part of the IOS installed. I did a sho ver and it is running

flash:c3660-i-mz.122-16a.bin.

I would surmise by your response and those others that I do indeed need to upgrade the code on this.

Kevin

The code that is currently running is the IP only image, and it does not support SSH. To support SSH you need an image with crypto support, and so yes, you will need to upgrade the code.

I checked in the software advisor on the Cisco site to find equivalent code that would support SSH. I find c3660-ik9s-mz.12.2-16d, which is the IP PLUS IPSEC 3DES image, to probably be the closest match to your current code. Of course, if you upgrade code, you might consider upgrading to a more recent version of code. Be aware that the requirements for flash and for memory are different in these 2 versions. While the IP only code requires 8 MB of flash and 32 MB of memory, the IP PLUS IPSEC 3DES code requires 16 MB of flash and 64 MB of memory. Check the router to verify whether it has those resources.

HTH

Rick


Amit Singh
Cisco Employee

Please paste "show version" from the router. As pointed out by Sundar, it seems you don't have the correct IOS with SSH support.

-amit singh

In addition to the good suggestions made by Sundar and Amit, it would be helpful to see the output of show ip ssh.

The fact that an access list is written to allow SSH does not necessarily indicate that SSH is running on the router. And there being no transport input ssh does not mean that SSH is necessarily disabled, since the default is transport input all, which does include SSH. The invalid command response to the attempt to generate RSA keys is a strong indicator that the image being run does not include crypto support. The output of show ip ssh would confirm the status of SSH.

HTH

Rick
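The checks discussed in this thread, as an added example that is not part of the original posts: a Python sketch that reads saved `show version` and running-config text and reports whether the image name carries the k9 feature-set marker and what each vty line says about `transport input`. The function names and the sample input are assumptions constructed for illustration, and the k9 test is the filename heuristic from the replies, not a substitute for `show ip ssh`.

```python
import re

IMAGE_RE = re.compile(r'System image file is "([^"]+)"')
# IOS image names follow platform-featureset-format.version
NAME_RE = re.compile(r'^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-(?P<fmt>[a-z]+)\.')

def image_features(show_version):
    """Return (filename, feature-set field) from 'show version' text."""
    m = IMAGE_RE.search(show_version)
    if not m:
        raise ValueError("no 'System image file' line found")
    # Drop the device prefix (flash:) and any directory part.
    name = m.group(1).rsplit(":", 1)[-1].rsplit("/", 1)[-1]
    parts = NAME_RE.match(name.lower())
    if not parts:
        raise ValueError(f"unrecognised image name: {name}")
    return name, parts.group("features")

def vty_transports(running_config):
    """Map each 'line vty' block to its transport input list (None = unset)."""
    result, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("line "):
            current = line.strip() if line.startswith("line vty") else None
            if current:
                result[current] = None
        elif current and line.strip().startswith("transport input"):
            result[current] = line.split()[2:]
        elif line and not line.startswith(" "):
            current = None  # left the vty block
    return result

def ssh_findings(show_version, running_config):
    """List the reasons SSH may be unavailable, per the thread's reasoning."""
    name, features = image_features(show_version)
    findings = []
    if "k9" not in features:
        findings.append(f"{name}: feature set '{features}' has no k9, no crypto support")
    for vty, transports in vty_transports(running_config).items():
        if transports is None:
            findings.append(f"{vty}: transport input unset, default applies")
        elif not {"ssh", "all"} & set(transports):
            findings.append(f"{vty}: transport input {' '.join(transports)} excludes SSH")
    return findings

# Constructed sample input; the image name is the one quoted in the thread.
SHOW_VERSION = 'System image file is "flash:c3660-i-mz.122-16a.bin"\n'
RUNNING_CONFIG = "line con 0\nline vty 0 4\n login\nline vty 5 15\n transport input telnet\n!\n"

if __name__ == "__main__":
    for finding in ssh_findings(SHOW_VERSION, RUNNING_CONFIG):
        print(finding)
```

An unset `transport input` is reported rather than flagged as a failure because, as noted above, the default on this release is `transport input all`.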
