I have a weird situation with some switches.
Switch .55 can ssh into Switch .57 but cannot ssh into Switch .56.
Switch 56 can ssh into Switch 55 and ssh into Switch 57.
Switch 57 can ssh into Switch 55 and ssh into Switch 56.
The software on .56 is:
C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
I noticed on .56, when I do a show ip ssh I get: SSH Enabled - version 1.5. It doesn't say version 1.99 like the others even when I configure version 2. Is this a bug I am running into?
I've gone around to all the switches and generated all the keys 1024. I guess there might be a possibility that I generated a 768. On the switch that shows version 1, I regenerated the key with 1024. I tried to change the version to 2, but it still stayed at 1. I would have thought that this would have fixed the problem. Do I have to remove the first crypto key before I generate a new one?
Dan is spot on. To activate SSHv2, you need to have at least 768-bit long key generated.
Please also note that it may not be enough to just generate yet another keypair, as the SSH on your switch may be still using the first keypair which may be shorter. I suggest removing the original keypair entirely and only then generating the new keypair.
The old keypair can be removed using the crypto key zeroize rsa command in the global config mode. Please note that this may remove your existing HTTPS certificates as well and/or impair your connection to the switch, so it may be wise to perform this over a console connection.
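A fleet check for the symptom in this thread, as an added example that is not part of the original posts: it reads the first line of `show ip ssh` collected from each switch, flags any that report version 1.5, and lists the rekey sequence discussed above for those switches. The sample outputs, switch labels and function names are constructed for illustration, and `modulus 1024` reflects the key size the poster used.

```python
import re

# Matches the first line of `show ip ssh`, e.g. "SSH Enabled - version 1.5".
STATUS_RE = re.compile(r"^SSH (Enabled|Disabled) - version (\d+\.\d+)", re.M)

# What the reported version number means on IOS.
MEANING = {"1.5": "SSHv1 only", "1.99": "SSHv1 and SSHv2", "2.0": "SSHv2 only"}

# Rekey sequence from the thread: remove the old keypair first, then generate
# a new one. The thread advises doing this from the console. Key generation
# assumes a hostname and ip domain-name are already configured.
REKEY_STEPS = [
    "configure terminal",
    "crypto key zeroize rsa",
    "crypto key generate rsa modulus 1024",
    "ip ssh version 2",
    "end",
    "show ip ssh",
]

def audit(show_ip_ssh):
    """Return (state, version, needs_rekey) for one switch's output."""
    m = STATUS_RE.search(show_ip_ssh)
    if m is None:
        return ("unknown", None, False)
    state, version = m.group(1).lower(), m.group(2)
    # Version 1.5 is the symptom the thread traces to a too-short RSA key.
    return (state, version, version == "1.5")

def report(outputs):
    """Map switch label -> commands to run (empty list if none needed)."""
    plan = {}
    for name, text in outputs.items():
        state, version, needs_rekey = audit(text)
        plan[name] = list(REKEY_STEPS) if needs_rekey else []
        meaning = MEANING.get(version, "unrecognised")
        print(f"{name}: SSH {state}, version {version} ({meaning})")
    return plan

# Constructed sample output, one entry per switch in the thread.
TAIL = "Authentication timeout: 120 secs; Authentication retries: 3\n"
SAMPLES = {
    ".55": "SSH Enabled - version 1.99\n" + TAIL,
    ".56": "SSH Enabled - version 1.5\n" + TAIL,
    ".57": "SSH Enabled - version 1.99\n" + TAIL,
}

if __name__ == "__main__":
    report(SAMPLES)
```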
Would I lose a telnet connection as well?
Also, will users experience any dropped packets or will it only affect management?
Removing the old key pair should not impact any telnet sessions.
I am not sure that we have enough information to tell you whether users would experience any dropped packets. What kind of users and are they connected to the router or are they just using transit through the router? Do any users connect with SSH? If so they probably would experience problems. If you are talking about user traffic that is transit through the router then there is little possibility that removing the old key would impact them.
I am glad that you got it worked out and the problem is resolved. Thanks for posting back to the forum and confirming that the suggestions you received did lead to a successful solution.