Cisco Support Community

New Member

Unexpected Behavior With SSH

I have a weird situation with some switches.

Switch .55 can ssh into Switch .57 but cannot ssh into Switch .56.

Switch .56 can ssh into Switch .55 and ssh into Switch .57.

Switch .57 can ssh into Switch .55 and ssh into Switch .56.

The software on .56 is:

C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)

I noticed on .56, when I do a show ip ssh I get: SSH Enabled - version 1.5. It doesn't say version 1.99 like the others, even when I configure version 2. Is this a bug I am running into?

Thanks, Pat.


9 REPLIES

Unexpected Behavior With SSH

Hi Patrick,

Try to generate on all the switches an RSA key of 1024 bits (greater than 768). This is required by SSH v2.

Dan

New Member

Unexpected Behavior With SSH

Thanks, Dan.

I've gone around to all the switches and generated all the keys at 1024. I guess there might be a possibility that I generated a 768. On the switch that shows version 1, I regenerated the key with 1024. I tried to change the version to 2, but it still stayed at 1. I would have thought that this would have fixed the problem. Do I have to remove the first crypto key before I generate a new one?

Cisco Employee

Unexpected Behavior With SSH

Pat,

Dan is spot on. To activate SSHv2, you need to have at least a 768-bit key generated.

Please also note that it may not be enough to just generate yet another keypair, as SSH on your switch may still be using the first keypair, which may be shorter. I suggest removing the original keypair entirely and only then generating the new keypair.

The old keypair can be removed using the crypto key zeroize rsa command in global configuration mode. Please note that this may remove your existing HTTPS certificates as well and/or impair your connection to the switch, so it may be wise to perform this over a console connection.

Best regards,

Peter

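The two checks behind Dan's and Peter's advice can be automated. The script below is an added example for this thread, not code from the thread or from Cisco: it reads the protocol version from an SSH identification banner (IOS sends a line such as SSH-1.5-Cisco-1.25 or SSH-1.99-Cisco-1.25; 1.5 means SSHv1 only, 1.99 means both versions are accepted) and from show ip ssh output, and it recovers the RSA modulus size from the Key Data hex that show crypto key mypubkey rsa prints, which is a DER-encoded SubjectPublicKeyInfo. The show outputs in the block are constructed samples in the IOS layout, not captured from a device, and the 768-bit threshold is the one stated in the thread.

```python
# Added example for this thread (not code from the thread or from Cisco): audit an
# IOS switch's SSH posture from 'show ip ssh' and 'show crypto key mypubkey rsa'.
# All show outputs here are constructed samples in the IOS layout, not device output.
import re
import socket
from typing import Dict, Optional, Tuple

MIN_SSHV2_MODULUS_BITS = 768   # below this IOS will not enable SSHv2 (thread: Dan, Peter)

# Constructed 'show ip ssh' samples: the .56 symptom and a switch that negotiates SSHv2.
SHOW_IP_SSH_V1 = "SSH Enabled - version 1.5\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
SHOW_IP_SSH_V2 = "SSH Enabled - version 1.99\nAuthentication timeout: 120 secs; Authentication retries: 3\n"

def ssh_version_from_banner(banner: str) -> str:
    """Protocol version from an identification line such as 'SSH-1.99-Cisco-1.25'."""
    m = re.match(r"SSH-(\d+\.\d+)-", banner.strip())
    if not m:
        raise ValueError(f"not an SSH banner: {banner!r}")
    return m.group(1)

def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Identification line a live device sends first (network I/O; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(255).split(b"\n", 1)[0].decode("ascii", "replace").strip()

def ssh_version_from_show(output: str) -> Optional[str]:
    """Version from 'show ip ssh' ('1.5' = v1 only, '1.99' = v1 and v2, '2.0'); None if disabled."""
    m = re.search(r"SSH Enabled - version (\d+\.\d+)", output)
    return m.group(1) if m else None

def _der_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def rsa_modulus_bits_from_show(output: str) -> int:
    """Modulus size of the key in 'show crypto key mypubkey rsa', whose 'Key Data:' hex is a
    DER SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier, BIT STRING { SEQUENCE { n, e } } }."""
    hex_words = []
    for line in output.split("Key Data:", 1)[1].splitlines():
        if line.strip() and re.fullmatch(r"[0-9A-Fa-f\s]+", line):
            hex_words.extend(line.split())
        elif hex_words:                      # first non-hex line after the dump ends it
            break
    der = bytes.fromhex("".join(hex_words))
    _, spki, _ = _der_tlv(der, 0)                  # outer SEQUENCE
    _, _, pos = _der_tlv(spki, 0)                  # skip AlgorithmIdentifier
    tag, bitstr, _ = _der_tlv(spki, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsa_key, _ = _der_tlv(bitstr[1:], 0)        # drop unused-bits byte, enter RSAPublicKey
    tag, modulus, _ = _der_tlv(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def audit(show_ip_ssh: str, show_crypto_key: str) -> Dict[str, object]:
    """Combine both outputs into the verdict the thread needed for switch .56."""
    version = ssh_version_from_show(show_ip_ssh)
    bits = rsa_modulus_bits_from_show(show_crypto_key)
    sshv2 = version in ("1.99", "2.0")
    if sshv2:
        finding = f"SSHv2 enabled (version {version}), RSA modulus {bits} bits"
    elif bits < MIN_SSHV2_MODULUS_BITS:
        finding = (f"SSHv1 only (version {version}): {bits}-bit RSA key is below {MIN_SSHV2_MODULUS_BITS};"
                   " zeroize it, generate a larger one, then 'ip ssh version 2'")
    else:
        finding = f"SSHv1 only (version {version}) despite a {bits}-bit key; check 'ip ssh version 2'"
    return {"version": version, "modulus_bits": bits, "sshv2": sshv2, "finding": finding}

def _der_encode(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample key below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | ln]) + n.to_bytes(ln, "big") + body

def sample_show_crypto_key(modulus_bits: int) -> str:
    """Constructed 'show crypto key mypubkey rsa' output holding a key of the given size."""
    n = (1 << (modulus_bits - 1)) | 0x2B9D                 # any odd value with the top bit set
    n_int = _der_encode(0x02, b"\x00" + n.to_bytes(modulus_bits // 8, "big"))  # 0x00 keeps it positive
    rsa_key = _der_encode(0x30, n_int + _der_encode(0x02, b"\x01\x00\x01"))
    alg_id = _der_encode(0x30, _der_encode(0x06, bytes.fromhex("2A864886F70D010101")) + _der_encode(0x05, b""))
    spki = _der_encode(0x30, alg_id + _der_encode(0x03, b"\x00" + rsa_key)).hex().upper()
    words = [spki[i:i + 8] for i in range(0, len(spki), 8)]
    dump = "\n".join("  " + " ".join(words[i:i + 8]) for i in range(0, len(words), 8))
    return ("% Key pair was generated at: 00:07:21 UTC Mar 1 1993\nKey name: Switch.example.com\n"
            " Storage Device: private-config\n Usage: General Purpose Key\n Key is not exportable.\n"
            " Key Data:\n" + dump + "\n")

if __name__ == "__main__":
    print(audit(SHOW_IP_SSH_V1, sample_show_crypto_key(512))["finding"])    # the .56 symptom
    print(audit(SHOW_IP_SSH_V2, sample_show_crypto_key(1024))["finding"])   # after the fix
```

On a real switch, paste the output of show ip ssh and show crypto key mypubkey rsa into audit(), or point grab_banner() at the management address to see which protocol version the device advertises. A result of "SSHv1 only" with a modulus under 768 bits is the situation in this thread; the fix Peter describes is crypto key zeroize rsa followed by crypto key generate rsa (with a 1024-bit or larger modulus) and ip ssh version 2, done over the console since zeroizing can drop the management session and remove HTTPS certificates.
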
New Member

Unexpected Behavior With SSH

Thanks, Peter

Would I lose a telnet connection as well?

Also, will users experience any dropped packets or will it only affect management?

Cisco Employee

Unexpected Behavior With SSH

Hello Patrick,

Telnet should stay up with no issues whatsoever. Users should not experience any outages - this should affect only the management plane.

Best regards,

Peter

New Member

Unexpected Behavior With SSH

Deleting and recreating the key did the trick. Thank you.

Hall of Fame Super Silver

Unexpected Behavior With SSH

Pat

Removing the old key pair should not impact any telnet sessions.

I am not sure that we have enough information to tell you whether users would experience any dropped packets. What kind of users, and are they connected to the router or are they just using transit through the router? Do any users connect with SSH? If so, they probably would experience problems. If you are talking about user traffic that is transit through the router, then there is little possibility that removing the old key would impact them.

HTH

Rick

New Member

Unexpected Behavior With SSH

No problems at all. Thanks for the help.

Hall of Fame Super Silver

Unexpected Behavior With SSH

Pat

I am glad that you got it worked out and problem is resolved. Thanks for posting back to the forum and confirming that the suggestions you received did lead to a successful solution.

HTH

Rick
