Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

switch cannot be access via SSH

Hi All,

i have a 3850 switch up and running in our office. from past week i am not able to do ssh to my switch. below is the configuration attached, it was working pretty much good and i haven't done any changes in the configuration.

line con 0
password 7 xxxxxxxxxxxxxxx
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 xxxxxxxxxxxxxx
login local
transport input ssh
line vty 5 15
password 7 xxxxxxxxxxxxx
login local
transport input ssh

also below is the output of vty connections

Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 CTY - - - - - 0 0 0/0 -
1 AUX 9600/9600 - - - - - 0 0 0/0 -
2 VTY - - - - - 0 0 0/0 -
3 VTY - - - - - 0 0 0/0 -
4 VTY - - - - - 0 0 0/0 -
5 VTY - - - - - 0 0 0/0 -
6 VTY - - - - - 0 0 0/0 -
7 VTY - - - - - 0 0 0/0 -
8 VTY - - - - - 0 0 0/0 -
9 VTY - - - - - 0 0 0/0 -
10 VTY - - - - - 0 0 0/0 -
11 VTY - - - - - 0 0 0/0 -
12 VTY - - - - - 0 0 0/0 -
13 VTY - - - - - 0 0 0/0 -
14 VTY - - - - - 0 0 0/0 -
15 VTY - - - - - 0 0 0/0 -
16 VTY - - - - - 0 0 0/0 -
17 VTY - - - - - 0 0 0/0 -

i am not able to figure out the issue, can anyone help me out. thanks in advance

Regards,

Harsha

3 REPLIES
VIP Purple

Hi Harsha

Hi Harsha

regenerate the crypto keys sometimes they get corrupted and this needs to be done , alos make sure you can ping it

crypto key generate rsa

Please provide output from show ip ssh

New Member

Hello Mark,

Hello Mark,

well to i am not using any crypto keys here. below is the output for #sh ip ssh

SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes19 2-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):

VIP Purple

Hi

Hi

you have to use crypto keys to setup ssh its not optional feature it wont work without them , that's why you have a k9 image to support ssh/crypto-- you have them set Minimum expected Diffie Hellman key size : 1024 bits

change the ssh to be fully v2 -- ip ssh version 2 ots using an unsecure ssh version 1.99 whihci is v1 and v2 you don't want v1 active its insecure

Then regenerate the keys--- crypto key generate rsa (hit return type 1024 for sshv2 keys) , then debug ip ssh and try and access the router , make sure the putty/terminal is set to use sshv2

You should see something like  in your logs---

Aug  3 09:47:12.779 UTC: SW1: SSH2 1: authentication successful for mmalone

Then debug ip ssh and try  again , everything looks ok from your output so your keys are either corrupted or your using a terminal thats set to v2 only or something else

There are four steps required to enable SSH support on a Cisco IOS router:
  • Configure the hostname command.
  • Configure the DNS domain.
  • Generate the SSH key to be used.
  • Enable SSH transport support for the virtual type terminal (vtys).

 

123
Views
0
Helpful
3
Replies
CreatePlease to create content