SSH not working on 2811

Aug 18th, 2008

Okay, I am at a complete loss. Could someone explain to me why SSH is not working on this config, or perhaps what else I can look for? Much appreciated.


ip domain-name
crypto key generate rsa general-keys modulus 1024
ip ssh authentication-retries 4
ip ssh source-interface FastEthernet0/1.5
ip ssh version 2
interface FastEthernet0/1.5
 description Houston Test Interface
 encapsulation dot1Q 5
 ip address
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
ip access-list extended acl_CISCO
 permit ip any any
line vty 5 15
 access-class acl_CISCO in
 privilege level 15
 password cisco
 transport input ssh


cisco_router(config)#do sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support:
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 22:00 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

STR-SGMNY-RT01 uptime is 2 days, 18 hours, 32 minutes
System returned to ROM by reload at 20:34:07 GMT Fri Aug 15 2008
System image file is "flash:c2800nm-adventerprisek9-mz.124-20.T.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to

Cisco 2811 (revision 53.51) with 249856K/12288K bytes of memory.
Processor board ID FTX1231A12E
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102


Correct Answer by husycisco about 8 years 6 months ago

Can you try it with PuTTY instead of SCRT?

husycisco Mon, 08/18/2008 - 07:36

Hello Dwayne,

Config looks good. Were you able to telnet before you enabled SSH? What SSH client are you using?


Richard Burts Mon, 08/18/2008 - 07:40


You have given us some things to work on and I do not see an obvious problem in what you have posted. Some additional information would be helpful in identifying the problem.

- would you post the output of show ip ssh

- can you clarify what is happening, and what is not working? When you attempt to connect do you get a prompt? If you get a prompt does it ask for username or password? Is there an error message - if so can you tell us exactly what the error message is?

- your backup authentication is local. You do not show that you have a username configured. Is there a username and password configured? If so is it the same username as is defined in your authentication server or different? Have you tried the SSH connection with both the name from the authentication server and the locally configured one?

I am wondering whether the problem is with SSH or if it might be a problem in authentication.

If none of these questions lead to a solution then I would ask that you run debug ip ssh, attempt an SSH connection, and post the debug output.



dphills18 Mon, 08/18/2008 - 08:16

SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 4
Minimum expected Diffie Hellman key size : 1024 bits


I do have a username and password set. I can telnet and authenticate to the ACS with no issues whatsoever.

I actually don't receive any error whatsoever. I am able to SSH into other devices. It really makes no sense to me.


I took aaa new-model off and still had the same issue. I'm wondering if it could be a bug with the ios.

husycisco Mon, 08/18/2008 - 08:21


What SSH client are you using? PuTTY? Do you get the Public Key prompt with accept or save options? Are you able to telnet when you change transport input ssh telnet? Did you first create the RSA keys and then enter the domain name? If so, try recreating the RSA keys.


Richard Burts Mon, 08/18/2008 - 08:24


The additional information that you posted here is helpful, especially since it does demonstrate that SSH is configured and running.

But it does not demonstrate whether there is an issue with SSH or if the issue is something else. Running debug ip ssh as I suggested in my previous post would be the most effective way to determine this. Would you be able to run the debug and post the output?

Also in re-reading your original post I see that you are showing us the config of vty 5 15. What do vty 0 4 look like?

[edit] I had one additional thought. In your SSH client are you specifying sshv2 for connection to this device? It needs to specify version 2 of SSH since the configuration of the router specifies version 2 and I believe that means that it will not accept any version 1.



dphills18 Mon, 08/18/2008 - 08:41

Sorry, didn't see the debug request. Didn't even think about it. Thanks.


*Aug 18 16:38:28.407: SSH1: starting SSH control process
*Aug 18 16:38:28.407: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
*Aug 18 16:38:28.515: SSH1: protocol version id is - SSH-2.0-SecureCRT_6.0.2 (build 260) SecureCRT
*Aug 18 16:38:28.515: SSH2 1: send:packet of length 344 (length also includes padlen of 5)
*Aug 18 16:38:28.519: SSH2 1: SSH2_MSG_KEXINIT sent
*Aug 18 16:38:28.519: SSH2 1: ssh_receive: 456 bytes received
*Aug 18 16:38:28.519: SSH2 1: input: total packet length of 456 bytes
*Aug 18 16:38:28.519: SSH2 1: partial packet length(block size)8 bytes,needed 448 bytes, maclen 0
*Aug 18 16:38:28.519: SSH2 1: input: padlength 11 bytes
*Aug 18 16:38:28.519: SSH2 1: SSH2_MSG_KEXINIT received
*Aug 18 16:38:28.519: SSH2:kex: client->server enc:aes256-cbc mac:hmac-sha1
*Aug 18 16:38:28.519: SSH2:kex: server->client enc:aes256-cbc mac:hmac-sha1
*Aug 18 16:38:28.523: SSH2 1: ssh_receive: 24 bytes received
*Aug 18 16:38:28.523: SSH2 1: input:
STR-SGMNY-RT01total packet length of 24 bytes
*Aug 18 16:38:28.523: SSH2 1: partial packet length(block size)8 bytes,needed 16 bytes, maclen 0
*Aug 18 16:38:28.523: SSH2 1: input: padlength 6 bytes
*Aug 18 16:38:28.523: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
*Aug 18 16:38:28.523: SSH2 1: Range sent by client is - 1024 < 2046 < 2046
*Aug 18 16:38:28.523: SSH2 1: Invalid modulus length
*Aug 18 16:38:28.623: SSH1: Session disconnected - error 0x00#


I am using SecureCRT. I do have the client set for SSHv2.


line vty 0 4
 exec-timeout 60 0
 privilege level 15
 password 7 0874551B1D4A08
 transport input telnet ssh

Richard Burts Mon, 08/18/2008 - 08:52


Thanks for the additional information. I believe that the debug points to the error:

*Aug 18 16:38:28.523: SSH2 1: Range sent by client is - 1024 < 2046 < 2046
*Aug 18 16:38:28.523: SSH2 1: Invalid modulus length
*Aug 18 16:38:28.623: SSH1: Session disconnected - error 0x00#

I have not seen that error and am not clear what it means or how to solve it.
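
Added example, not part of the thread or of any Cisco tooling: a small Python parser that reduces the `debug ip ssh` lines posted above to the handshake stage at which the session ended. The function names are hypothetical, and reading the range as min < preferred < max (the field order of the RFC 4419 group-exchange request) is an assumption.

```python
import re

# Lines copied from the `debug ip ssh` output posted in the thread.
SAMPLE = """\
*Aug 18 16:38:28.407: SSH1: sent protocol version id SSH-2.0-Cisco-1.25
*Aug 18 16:38:28.515: SSH1: protocol version id is - SSH-2.0-SecureCRT_6.0.2 (build 260) SecureCRT
*Aug 18 16:38:28.519: SSH2 1: SSH2_MSG_KEXINIT sent
*Aug 18 16:38:28.519: SSH2 1: SSH2_MSG_KEXINIT received
*Aug 18 16:38:28.523: SSH2 1: SSH2_MSG_KEX_DH_GEX_REQUEST received
*Aug 18 16:38:28.523: SSH2 1: Range sent by client is - 1024 < 2046 < 2046
*Aug 18 16:38:28.523: SSH2 1: Invalid modulus length
*Aug 18 16:38:28.623: SSH1: Session disconnected - error 0x00#
"""

MSG = re.compile(r"(SSH2_MSG_\w+) (sent|received)")
SERVER_ID = re.compile(r"sent protocol version id (\S+)")
CLIENT_ID = re.compile(r"protocol version id is - (.+)$")
GEX_RANGE = re.compile(r"Range sent by client is - (\d+) < (\d+) < (\d+)")
ERROR = re.compile(r"SSH2 \d+: (Invalid .+)$")

def summarize(debug_text):
    """Reduce one session's debug lines to the facts needed for triage."""
    s = {"server_id": None, "client_id": None, "gex": None,
         "error": None, "failed_after": None, "disconnected": False}
    last_msg = None
    for raw in debug_text.splitlines():
        line = raw.strip()
        if m := MSG.search(line):
            last_msg = f"{m.group(1)} {m.group(2)}"
        elif m := SERVER_ID.search(line):
            s["server_id"] = m.group(1)
        elif m := CLIENT_ID.search(line):
            s["client_id"] = m.group(1)
        elif m := GEX_RANGE.search(line):
            # Assumed order: min < preferred < max (the RFC 4419 request fields).
            s["gex"] = tuple(int(x) for x in m.groups())
        elif (m := ERROR.search(line)) and s["error"] is None:
            s["error"], s["failed_after"] = m.group(1), last_msg
        elif "Session disconnected" in line:
            s["disconnected"] = True
    return s

def failed_in_kex(s):
    """True when the first error follows a key-exchange message,
    i.e. the session ended before any user authentication."""
    return s["error"] is not None and "_KEX" in (s["failed_after"] or "")

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result, "failed in key exchange:", failed_in_kex(result))
```

On the posted capture the first error comes directly after SSH2_MSG_KEX_DH_GEX_REQUEST, which belongs to key exchange and precedes user authentication, so the AAA and username settings are never reached in this session.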



dphills18 Mon, 08/18/2008 - 09:17

That did the trick (PuTTY). For whatever reason, my SecureCRT application doesn't like that particular router. Very strange. I have been using it for years, with not one problem. It works with other devices, but not this one. I even deleted the certificate, and tried it again.

Hey everybody, thanks for all your help. You all are a blessing indeed.

husycisco Mon, 08/18/2008 - 09:26

Nice to hear that the problem is resolved. I use SecureCRT ver 6.0; maybe updating it may resolve the issue if you have a version lower than 6.0.

dphills18 Mon, 08/18/2008 - 09:32

Yep, that's what I am using. SecureCRT has been golden for me. I may try reinstalling it. But like I said, it only has issues with this one device, like the error is stuck in cache or something. Very, very strange. I thank you for all your help. I was baffled.

kmccourt Mon, 08/18/2008 - 10:34

There is a known problem between the current version of SecureCRT and the SSH implementation in IOS 12.4(20)T.

There is a beta release of SecureCRT 6.1 which fixes this. I got a copy from

