02-06-2012 03:59 AM - edited 03-07-2019 04:45 AM
I have a weird situation with some switches.
Switch .55 can ssh into Switch .57 but cannot ssh into Switch .56.
Switch 56 can ssh into Switch 55 and ssh into Switch 57
Switch 57 can ssh into Switch 55 and ssh into Switch 56
The software on .56 is:
C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
I noticed on .56, when I do a show ip ssh I get: SSH Enabled - version 1.5. It doesn't say version 1.99 like the others even when I configure version 2. Is this a bug I am running into?
Thanks, Pat.
02-06-2012 04:19 AM
Hi Patrick,
Try to generate on all the switches an RSA key of 1024 (greater than 768). This is required by SSH v2.
Dan
02-06-2012 04:32 AM
Thanks, Dan.
I've gone around to all the switches and generated all the keys at 1024. I guess there might be a possibility that I generated a 768. On the switch that shows version 1, I regenerated the key with 1024. I tried to change the version to 2, but it still stayed at 1. I would have thought that this would have fixed the problem. Do I have to remove the first crypto key before I generate a new one?
02-06-2012 04:33 AM
Pat,
Dan is spot on. To activate SSHv2, you need to have at least 768-bit long key generated.
Please also note that it may not be enough to just generate yet another keypair, as the SSH on your switch may be still using the first keypair which may be shorter. I suggest removing the original keypair entirely and only then generating the new keypair.
The old keypair can be removed using the crypto key zeroize rsa command in the global config mode. Please note that this may remove your existing HTTPS certificates as well and/or impair your connection to the switch, so it may be wise to perform this over a console connection.
Best regards,
Peter
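The remove-then-regenerate sequence Peter describes, written out as an added example for an IOS 12.2(55)SE-class switch; it is not from the original thread. The host name and domain name in angle brackets are placeholders (RSA key generation requires both to be set), the 1024-bit modulus follows the value the thread settled on, and the time-out and retry values are illustrative. Run it over the console, because zeroizing the keys takes down the SSH server and any HTTPS certificate that depended on the old key pair.

```cisco
! Added example: clean regeneration of the SSH host key on one switch.
! Placeholders in angle brackets are assumptions, not values from the thread.
configure terminal
 ! 1. Remove the existing key pair so the SSH server cannot keep using a
 !    short (e.g. 768-bit or smaller) key left over from an earlier generate.
 crypto key zeroize rsa
 ! (answer "yes" at the confirmation prompt)
 !
 ! 2. A host name and a domain name must exist before RSA keys can be
 !    generated; set them only if the switch does not already have them.
 hostname <switch-56-hostname>
 ip domain-name <example.local>
 !
 ! 3. Generate the new key pair. 1024 bits satisfies the SSHv2 minimum the
 !    thread cites; larger moduli can be used where the platform supports them.
 crypto key generate rsa modulus 1024
 !
 ! 4. Pin the server to SSHv2 and bound the login exchange.
 ip ssh version 2
 ip ssh time-out 60
 ip ssh authentication-retries 3
 end
!
! 5. Verify the active key's modulus size and the protocol version now advertised.
show crypto key mypubkey rsa
show ip ssh
```

After this, show ip ssh should report version 2.0 (or 1.99 if ip ssh version is left at its default), not the 1.5 from the original post, which indicates an SSHv1-only server because the key in use is too short. Once SSHv2 is confirmed working from another host, telnet on the VTY lines can be retired with transport input ssh under line vty, but do that as a separate step so the console is the only session at risk during the key change.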
02-06-2012 04:38 AM
Thanks, Peter
Would I lose a telnet connection as well?
Also, will users experience any dropped packets or will it only affect management?
02-06-2012 04:58 AM
Hello Patrick,
Telnet should stay up with no issues whatsoever. Users should not experience any outages - this should affect only the management plane.
Best regards,
Peter
02-06-2012 05:05 AM
Deleting and recreating the key did the trick. Thank you.
02-06-2012 05:00 AM
Pat
Removing the old key pair should not impact any telnet sessions.
I am not sure that we have enough information to tell you whether users would experience any dropped packets. What kind of users and are they connected to the router or are they just using transit through the router? Do any users connect with SSH? If so they probably would experience problems. If you are talking about user traffic that is transit through the router then there is little possibility that removing the old key would impact them.
HTH
Rick
02-06-2012 05:04 AM
No problems at all. Thanks for the help.
02-06-2012 05:22 AM
Pat
I am glad that you got it worked out and problem is resolved. Thanks for posting back to the forum and confirming that the suggestions you received did lead to a successful solution.
HTH
Rick