SSH 2 Error

Unanswered Question
Jul 19th, 2010

Have you ever seen this log? What does that mean?

This log was exist when I tried to connect with ssh v2 to the Router with SecureCRT. And I couldn't connect to the Router.

Jul 19 09:45:49.455 IND: SSH2 1:  Invalid modulus length


I have this problem too.
1 vote
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Panos Kampanakis Mon, 07/19/2010 - 21:49

Check the key size of your crypto key on your ASA/Router. If it is 512bits it could explain why SecureCRT is complaining.

I hope it helps.


Richard Burts Tue, 07/20/2010 - 15:00


What version of SecureCRT are you using? And what version of IOS was on this router?

I have had the experience that recent versions of IOS have an incompatibility with some older versions of SecureCRT. I think the error message that I saw was similar to the one in your post.



edwin.sanjoto Thu, 07/22/2010 - 19:18


This problem was solved.

I was using SecureCRT version 3 and I've already upgraded to version 6.

I think there are 2 solutions for this ssh error:

1. Downgrade your IOS to meet the requirement of SecureCRT supporting.

2. Upgrade your SecureCRT version to meet the requirement of IOS.

And I choose the solution number 2.

Hope this help.


Richard Burts Fri, 07/23/2010 - 15:01


Thank you for posting back to the forum that the problem was resolved. I very much agree that the better solution is to upgrade the version of SecureCRT.



bberry Fri, 01/13/2012 - 08:48

I am in the process of implementing SSH on all our network hardware. I am receiving this same error on two routers out of the several dozen I have done so far. I can connect using SecureCRT version 5 to all the routers so far except of these two. Some of the routers are 2811s and some are newer 2911s. The two that I am receiving the error message on are running c2900-universalk9-mz.SPA.150-1.M4.bin and c2900-universalk9-mz.SPA.150-1.M3.bin. The other 2911s I have are running c2900-universalk9-mz.SPA.151-4.M1.bin I have compared the sh SSH information from both a working and non working router and they look basically the same. I am using the same script to enable SSH on all the hardware so am now wondering if there is a bug in the IOS? I have zeroized the RSA  and recreated with no change. I also have noticed that the key is not listed in the config as in the working routers.


ip domain name {mydomain}

ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2

crypto key generate rsa general-keys modulus 1024

line vty 0 4
no privilege level 15
login local
transport input ssh
line vty 5 15
no privilege level 15
login local
transport input ssh


Phoenix_r#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDd0h7KPpDkU+aVbyBa44UFqNo7a64JXMD5



Carrollton_r#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0hG9r5Srg8mvIQlVZU2vJYakJug2OWeRp


Richard Burts Fri, 01/13/2012 - 09:25

Are you using SecureCRT as your terminal emulator? If so what version of SecureCRT are you using?

One way that you could check and see if it is a problem in SSH or in SecureCRT would be to either use some other terminal emulator on your PC (PuTTY is a commonly used emulator that does have good support for SSH) or to SSH to the problem router from some source other than your PC (SSH from one of the other routers would be the easy alternative).



bberry Fri, 01/13/2012 - 11:18

I am using SecureCRT version 5 and like I said is working fine on outer 2911s configured with SSH. I will try to see if I can SSH between routers.

Thanks ...


bberry Fri, 01/13/2012 - 12:24

A little more follow up. It works fine if I have the router set on SSH version 1. I can use any size modulous with out any issues. It is not until I go to version 2 that I start having issues with these specific routers. I guess my next step is to see if I can find any issues regarding SSH on that version?


iswift Fri, 05/18/2012 - 04:45


This is probably old news now but Secure CRT released an upgrade a long time ago, but they pointed the finger at an IOS bug and non strict adherence to the RFC.

Anyhow see,

Am unable to reproduce part of that thread below, but basically I got a result in 2 ways.

# A device was upgraded to new code for another reason and the problem went away

# I tried the edit of the Secure CRT session's .ini file and by changing the Key Exchange Algorithm section and it worked too.

CCO BugID quoted = CSCsq51052



This Discussion