
Unexpected Behavior With SSH

Patrick McHenry
Level 3

I have a weird situation with some switches.

Switch .55 can ssh into Switch .57 but cannot ssh into Switch .56.

Switch .56 can ssh into Switch .55 and ssh into Switch .57.

Switch .57 can ssh into Switch .55 and ssh into Switch .56.

The software on .56 is:

C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)

I noticed on .56, when I do a show ip ssh, I get: SSH Enabled - version 1.5. It doesn't say version 1.99 like the others, even when I configure version 2. Is this a bug I am running into?

Thanks, Pat.

Accepted Solution

Hello Patrick,

Telnet should stay up with no issues whatsoever. Users should not experience any outages - this should affect only the management plane.

Best regards,

Peter


9 Replies

Hi Patrick,

Try to generate an RSA key of 1024 bits (greater than 768) on all the switches. This is required by SSH v2.

Dan

Thanks, Dan.

I've gone around to all the switches and generated all the keys at 1024. I guess there might be a possibility that I generated a 768. On the switch that shows version 1, I regenerated the key with 1024. I tried to change the version to 2, but it still stayed at 1. I would have thought that this would have fixed the problem. Do I have to remove the first crypto key before I generate a new one?

Pat,

Dan is spot on. To activate SSHv2, you need to have a key at least 768 bits long generated.

Please also note that it may not be enough to just generate yet another keypair, as the SSH on your switch may be still using the first keypair which may be shorter. I suggest removing the original keypair entirely and only then generating the new keypair.

The old keypair can be removed using the crypto key zeroize rsa command in global config mode. Please note that this may remove your existing HTTPS certificates as well and/or impair your connection to the switch, so it may be wise to perform this over a console connection.

Best regards,

Peter

Thanks, Peter

Would I lose a telnet connection as well?

Also, will users experience any dropped packets or will it only affect management?

Hello Patrick,

Telnet should stay up with no issues whatsoever. Users should not experience any outages - this should affect only the management plane.

Best regards,

Peter
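As an added illustration of the procedure the replies above describe (this is not code from the thread or from Cisco): a small Python checker that classifies a switch from its show ip ssh banner line and lists the IOS global-config commands needed to reach SSHv2. The sample outputs are constructed in the shape the thread quotes; crypto key zeroize rsa comes from the thread, while crypto key generate rsa modulus and ip ssh version 2 are the standard IOS commands assumed for the generate and version-select steps.

```python
import re

# Constructed sample 'show ip ssh' outputs, modelled on what the thread reports:
# the problem switch shows "version 1.5", the healthy ones "version 1.99".
SAMPLE_OUTPUTS = {
    "switch-56": "SSH Enabled - version 1.5\nAuthentication timeout: 120 secs; Authentication retries: 3\n",
    "switch-57": "SSH Enabled - version 1.99\nAuthentication timeout: 120 secs; Authentication retries: 3\n",
    "switch-58": "SSH Disabled - version 1.99\n%Please create RSA keys to enable SSH.\n",  # constructed
}

VERSION_RE = re.compile(r"^SSH (Enabled|Disabled) - version (\d+\.\d+)", re.M)


def assess_ssh(show_ip_ssh: str) -> dict:
    """Classify a switch from the first line of 'show ip ssh'.

    1.5  -> the server only offers SSHv1 (the state seen on the .56 switch);
    1.99 -> the server offers both v1 and v2 (the state the other switches showed);
    2.0  -> SSHv2 only.
    """
    m = VERSION_RE.search(show_ip_ssh)
    if not m:
        return {"enabled": False, "version": None, "v2_available": False}
    enabled = m.group(1) == "Enabled"
    version = m.group(2)
    return {"enabled": enabled, "version": version,
            "v2_available": enabled and version in ("1.99", "2.0")}


def remediation(status: dict, modulus: int = 1024) -> list:
    """Global-config commands to get SSHv2, following Dan's and Peter's advice:
    remove the old key pair first (a short one would otherwise stay in use),
    then generate a key of at least 768 bits, then request version 2."""
    if status["v2_available"]:
        return []
    if modulus < 768:
        raise ValueError("SSHv2 needs an RSA modulus of at least 768 bits")
    cmds = []
    if status["enabled"]:
        # Zeroizing also removes HTTPS certificates and can drop the current
        # SSH session, so run this step from the console (per Peter's reply).
        cmds.append("crypto key zeroize rsa")
    cmds += ["crypto key generate rsa modulus %d" % modulus, "ip ssh version 2"]
    return cmds
```

After applying the commands, a second show ip ssh should report version 1.99 or 2.0 rather than 1.5.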

Deleting and recreating the key did the trick. Thank you.

Pat

Removing the old key pair should not impact any telnet sessions.

I am not sure that we have enough information to tell you whether users would experience any dropped packets. What kind of users, and are they connected to the router or are they just using transit through the router? Do any users connect with SSH? If so, they probably would experience problems. If you are talking about user traffic that is transit through the router, then there is little possibility that removing the old key would impact them.

HTH

Rick


No problems at all. Thanks for the help.

Pat

I am glad that you got it worked out and problem is resolved. Thanks for posting back to the forum and confirming that the suggestions you received did lead to a successful solution.

HTH

Rick
