Cisco Support Community

New Member

SSH Login Failing

When attempting to SSH into the router the connection is never established. Please see the following debug output:

5494365: Jul 14 18:44:18.769 UTC: SSH0: starting SSH control process

5494366: Jul 14 18:44:18.769 UTC: SSH0: sent protocol version id SSH-2.0-Cisco-1.25

5494367: Jul 14 18:44:18.769 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.2.2 (build 263) SecureCRT

5494368: Jul 14 18:44:18.769 UTC: SSH2 0: send: len 280 (includes padlen 4)

5494369: Jul 14 18:44:18.769 UTC: SSH2 0: SSH2_MSG_KEXINIT sent

5494370: Jul 14 18:44:18.893 UTC: SSH2 0: ssh_receive: 464 bytes received

5494371: Jul 14 18:44:18.893 UTC: SSH2 0: input: packet len 464

5494372: Jul 14 18:44:18.893 UTC: SSH2 0: partial packet 8, need 456, maclen 0

5494373: Jul 14 18:44:18.893 UTC: SSH2 0: input: padlen 9

5494374: Jul 14 18:44:18.893 UTC: SSH2 0: received packet type 20

5494375: Jul 14 18:44:18.893 UTC: SSH2 0: SSH2_MSG_KEXINIT received

5494376: Jul 14 18:44:18.893 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none

5494377: Jul 14 18:44:18.893 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none

5494378: Jul 14 18:44:18.941 UTC: SSH2 0: expecting SSH2_MSG_KEXDH_INIT

5494379: Jul 14 18:44:18.941 UTC: SSH2 0: ssh_receive: 144 bytes received

5494380: Jul 14 18:44:18.941 UTC: SSH2 0: input: packet len 144

5494381: Jul 14 18:44:18.941 UTC: SSH2 0: partial packet 8, need 136, maclen 0

5494382: Jul 14 18:44:18.941 UTC: SSH2 0: input: padlen 5

5494383: Jul 14 18:44:18.941 UTC: SSH2 0: received packet type 30

5494384: Jul 14 18:44:18.945 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received

5494385: Jul 14 18:44:19.005 UTC: SSH2 0: RSA_sign: private key not found

5494386: Jul 14 18:44:19.005 UTC: SSH2 0: signature creation failed, status -1

5494387: Jul 14 18:44:19.105 UTC: SSH0: Session disconnected - error 0x00

5494388: Jul 14 18:44:24.361 UTC: SSH0: starting SSH control process

5494389: Jul 14 18:44:24.361 UTC: SSH0: sent protocol version id SSH-2.0-Cisco-1.25

5494390: Jul 14 18:44:24.361 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.2.2 (build 263) SecureCRT

5494391: Jul 14 18:44:24.361 UTC: SSH2 0: send: len 280 (includes padlen 4)

5494392: Jul 14 18:44:24.365 UTC: SSH2 0: SSH2_MSG_KEXINIT sent

5494393: Jul 14 18:44:24.561 UTC: SSH2 0: ssh_receive: 464 bytes received

5494394: Jul 14 18:44:24.561 UTC: SSH2 0: input: packet len 464

5494395: Jul 14 18:44:24.561 UTC: SSH2 0: partial packet 8, need 456, maclen 0

5494396: Jul 14 18:44:24.561 UTC: SSH2 0: input: padlen 9

5494397: Jul 14 18:44:24.561 UTC: SSH2 0: received packet type 20

5494398: Jul 14 18:44:24.561 UTC: SSH2 0: SSH2_MSG_KEXINIT received

5494399: Jul 14 18:44:24.565 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none

5494400: Jul 14 18:44:24.565 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none

5494401: Jul 14 18:44:24.613 UTC: SSH2 0: expecting SSH2_MSG_KEXDH_INIT

5494402: Jul 14 18:44:24.613 UTC: SSH2 0: ssh_receive: 144 bytes received

5494403: Jul 14 18:44:24.613 UTC: SSH2 0: input: packet len 144

5494404: Jul 14 18:44:24.613 UTC: SSH2 0: partial packet 8, need 136, maclen 0

5494405: Jul 14 18:44:24.613 UTC: SSH2 0: input: padlen 6

5494406: Jul 14 18:44:24.613 UTC: SSH2 0: received packet type 30

5494407: Jul 14 18:44:24.613 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received

5494408: Jul 14 18:44:24.677 UTC: SSH2 0: RSA_sign: private key not found

5494409: Jul 14 18:44:24.677 UTC: SSH2 0: signature creation failed, status -1

5494410: Jul 14 18:44:24.777 UTC: SSH0: Session disconnected - error 0x07

Any ideas what this could be?
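The trace above can be read mechanically. The script below is an added example for this thread (not code from the original post or from Cisco): it splits a debug ip ssh dump into sessions and reports, for each one, the client banner, the negotiated cipher/MAC and the last handshake milestone reached before the disconnect. SAMPLE_DEBUG is constructed from the lines quoted above, trimmed to the messages the parser keys on; the milestone strings are the ones IOS prints.

```python
"""Locate where each SSH-2 session in a Cisco IOS `debug ip ssh` trace died.

Added example for this thread; not code from the original post or from Cisco.
SAMPLE_DEBUG is constructed from the lines quoted in the thread (kept to the
messages the parser keys on); the message strings are IOS's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_DEBUG = """\
5494365: Jul 14 18:44:18.769 UTC: SSH0: starting SSH control process
5494366: Jul 14 18:44:18.769 UTC: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
5494367: Jul 14 18:44:18.769 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.2.2 (build 263) SecureCRT
5494369: Jul 14 18:44:18.769 UTC: SSH2 0: SSH2_MSG_KEXINIT sent
5494375: Jul 14 18:44:18.893 UTC: SSH2 0: SSH2_MSG_KEXINIT received
5494376: Jul 14 18:44:18.893 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none
5494377: Jul 14 18:44:18.893 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none
5494384: Jul 14 18:44:18.945 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received
5494385: Jul 14 18:44:19.005 UTC: SSH2 0: RSA_sign: private key not found
5494386: Jul 14 18:44:19.005 UTC: SSH2 0: signature creation failed, status -1
5494387: Jul 14 18:44:19.105 UTC: SSH0: Session disconnected - error 0x00
5494388: Jul 14 18:44:24.361 UTC: SSH0: starting SSH control process
5494390: Jul 14 18:44:24.361 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_6.2.2 (build 263) SecureCRT
5494407: Jul 14 18:44:24.613 UTC: SSH2 0: SSH2_MSG_KEXDH_INIT received
5494408: Jul 14 18:44:24.677 UTC: SSH2 0: RSA_sign: private key not found
5494410: Jul 14 18:44:24.777 UTC: SSH0: Session disconnected - error 0x07
"""

# Handshake milestones in RFC 4253 order, keyed on the debug strings above.
MILESTONES = (
    ("version-exchange", "protocol version id is"),
    ("kexinit-received", "SSH2_MSG_KEXINIT received"),
    ("kexdh-init-received", "SSH2_MSG_KEXDH_INIT received"),
)
SESSION_START = "starting SSH control process"
CLIENT_RE = re.compile(r"protocol version id is - (.+)$")
KEX_RE = re.compile(r"kex: (client->server|server->client) (\S+) (\S+) (\S+)")
SIGN_FAIL_RE = re.compile(r"(RSA_sign: [^\r\n]+|signature creation failed[^\r\n]*)")
DISCONNECT_RE = re.compile(r"Session disconnected - error (0x[0-9A-Fa-f]+)")


@dataclass
class Session:
    client: str = ""
    stage: str = "started"                       # last milestone reached
    algorithms: dict[str, tuple[str, str, str]] = field(default_factory=dict)
    failures: list[str] = field(default_factory=list)
    disconnect_code: str | None = None

    @property
    def verdict(self) -> str:
        # After KEXDH_INIT the server must sign the exchange hash with its host
        # key to build KEXDH_REPLY.  An RSA_sign failure there is a server-side
        # host-key problem; cipher/MAC negotiation had already succeeded.
        if any(f.startswith("RSA_sign") for f in self.failures):
            return "host-key signing failed: server has no usable RSA private key"
        if self.disconnect_code is None:
            return "no disconnect recorded"
        return f"disconnected after stage {self.stage} (error {self.disconnect_code})"


def parse_sessions(debug_text: str) -> list[Session]:
    """Split the trace on 'starting SSH control process' and track each session."""
    sessions: list[Session] = []
    cur: Session | None = None
    for line in debug_text.splitlines():
        if SESSION_START in line:
            cur = Session()
            sessions.append(cur)
            continue
        if cur is None:
            continue                                  # noise before the first session
        for name, marker in MILESTONES:
            if marker in line:
                cur.stage = name
        if m := CLIENT_RE.search(line):
            cur.client = m.group(1).strip()
        elif m := KEX_RE.search(line):
            cur.algorithms[m.group(1)] = (m.group(2), m.group(3), m.group(4))
        elif m := SIGN_FAIL_RE.search(line):
            cur.failures.append(m.group(1))
        elif m := DISCONNECT_RE.search(line):
            cur.disconnect_code = m.group(1)
    return sessions


def summarize(debug_text: str) -> list[str]:
    """One line per session: client, negotiated client->server algorithms, stage, verdict."""
    out = []
    for i, s in enumerate(parse_sessions(debug_text), 1):
        c2s = "/".join(s.algorithms.get("client->server", ("?", "?", "?")))
        out.append(f"session {i}: client={s.client!r} c2s={c2s} "
                   f"stage={s.stage} -> {s.verdict}")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_DEBUG):
        print(line)
```

What the output makes visible: both sessions finish algorithm negotiation (KEXINIT in both directions, aes256-cbc/hmac-sha1 agreed) and get as far as KEXDH_INIT, and then die at RSA_sign, which is the router signing the exchange hash for its KEXDH_REPLY. That places the fault on the router's host key, not on the client's cipher list, whatever the disconnect code (0x00 or 0x07) says.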

16 REPLIES
New Member

Re: SSH Login Failing

Do you have private keys on your router/switch?

Try running

(config)#crypto key generate rsa

New Member

Re: SSH Login Failing

I did that... still the same result. I can also do sh crypto key mypubkey rsa and it displays the keys.

New Member

Re: SSH Login Failing

Can you paste the part of your config related to crypto? Also check whether you have a domain name on the device.

New Member

Re: SSH Login Failing

Here are excerpts from the configuration:

aaa new-model

!

!

aaa authentication login default group tacacs+ local enable

aaa authentication login userauthen1 local

aaa authentication login acs-rad group radius local

aaa authentication ppp default local

aaa authorization exec default group tacacs+ local

aaa authorization network default group tacacs+ local

aaa authorization network groupauthor local

aaa authorization network groupauthor1 local

aaa accounting exec acct start-stop group tacacs+

aaa accounting exec acc-exec start-stop group tacacs+

!

aaa session-id common

!

ip ssh time-out 15

ip ssh authentication-retries 5

ip ssh version 2

line aux 0

no exec

transport input all

transport output all

stopbits 1

speed 115200

line vty 0 4

length 45

transport preferred none

transport input ssh

line vty 5 13

transport input ssh

line vty 14 15

session-timeout 60

access-class IPSec-Mgt in

exec-timeout 60 0

transport input all

!

Output from the show ip ssh command:

SSH Enabled - version 2.0

Authentication timeout: 15 secs; Authentication retries: 5

There are other routers on the network with the exact same configuration as far as ssh is concerned that work fine...

New Member

Re: SSH Login Failing

The only thing I can think of is whether you have this command.

(config)#ip domain name domain.local

New Member

Re: SSH Login Failing

Our domain name is set and is not the default... very strange occurrence.

New Member

Re: SSH Login Failing

What code version is running on the working versus non-working routers?

VanDyke's support forum has some info. Some users report that PuTTY works fine for them but SecureCRT stopped after upgrading past IOS 12.2.4.15.

http://forums.vandyke.com/archive/index.php/t-933.html

These lines from your debug output show the client sending AES256:

5494376: Jul 14 18:44:18.893 UTC: SSH2: kex: client->server aes256-cbc hmac-sha1 none

5494377: Jul 14 18:44:18.893 UTC: SSH2: kex: server->client aes256-cbc hmac-sha1 none

A search of Cisco's site shows that the error "Session disconnected - error 0x07" indicates the SSH client was not compiled with Data Encryption Standard (DES). I use SecureCRT 6.1.x and it doesn't have DES as an option. I don't have a router to test with. Is there an option to set the encryption type on the router?

The Secure Shell Version 2 Support guide for 12.3T may be of some help.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ssh2.html

New Member

Re: SSH Login Failing

After opening a TAC case, it was discovered that I was hitting a bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsa83601

The TAC had me enter the following command:

ip ssh rsa keypair-name <your host.domain>

Once I did this, the problem was fixed!

Hall of Fame Super Silver

Re: SSH Login Failing

Kristen

Thank you for posting back to the forum indicating that you have identified and solved your problem. It makes the forum more useful when people can read about a situation, and can know what the problem identification was and what the solution was.

HTH

Rick

Re: SSH Login Failing

In my case, after applying the command, I can't access it anymore... If you have any suggestion, I'd appreciate it.

 

Thanks!

Hall of Fame Super Silver

Re: SSH Login Failing

It is not clear from this post whether SSH access was working, you entered the command, and SSH access stopped working; or whether SSH access had not worked, you entered the command, and SSH access still did not work. Can you clarify?

 

HTH

 

Rick

Re: SSH Login Failing

SSH was working with PuTTY. I tried to make it work with WinSCP, so I did what this post says, and after applying the command mentioned I lost the SSH connection, even with PuTTY. I'm trying to avoid rebooting the router to see if the connection comes back.

 

Thanks!

Hall of Fame Super Silver

Re: SSH Login Failing

I wonder if the issue is that when you used that command it pointed to an RSA key that does not exist? Can you post the output of show ip ssh?

 

HTH

 

Rick
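Two posts in this thread turn on the same check: the TAC fix of entering ip ssh rsa keypair-name <host.domain>, and Rick's question above about whether that command pointed at an RSA key that does not exist. The script below is an added example (not code from the thread or from Cisco) that runs that check offline, before the command is typed on a router whose only management path is SSH. SAMPLE_RUN and SAMPLE_KEYS are constructed samples with an invented hostname, domain and key data; the ip ssh rsa keypair-name command and the "Key name:" line of show crypto key mypubkey rsa are real IOS syntax.

```python
"""Pre-flight check before pointing IOS SSH at an RSA keypair.

Added example for this thread; not code from the original posts or from Cisco.
It answers the two questions the thread turns on: which RSA keypair will the
SSH server sign with, and does that keypair exist on the box?  SAMPLE_RUN and
SAMPLE_KEYS are constructed (hostname, domain and key data are invented);
`ip ssh rsa keypair-name` and the `Key name:` line of
`show crypto key mypubkey rsa` are real IOS syntax.
"""
from __future__ import annotations

import re

SAMPLE_RUN = """\
hostname edge-rtr
ip domain name example.net
ip ssh time-out 15
ip ssh authentication-retries 5
ip ssh version 2
line vty 0 4
 transport input ssh
line vty 5 13
 transport input ssh
line vty 14 15
 transport input all
"""

SAMPLE_KEYS = """\
% Key pair was generated at: 18:39:43 UTC Jul 14 2009
Key name: edge-rtr.example.net
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B7C2D9
"""


def rsa_key_labels(show_keys: str) -> set[str]:
    """Labels of every RSA keypair the router holds (one 'Key name:' line each)."""
    return set(re.findall(r"^Key name:\s*(\S+)", show_keys, re.M))


def ssh_keypair_in_use(run: str) -> tuple[str, str]:
    """Return (label, source).  An explicit `ip ssh rsa keypair-name` wins;
    otherwise IOS uses the default keypair, whose label is <hostname>.<domain>
    (the label `crypto key generate rsa` assigns when none is given)."""
    if m := re.search(r"^ip ssh rsa keypair-name (\S+)", run, re.M):
        return m.group(1), "explicit"
    host = re.search(r"^hostname (\S+)", run, re.M)
    dom = re.search(r"^ip domain[ -]name (\S+)", run, re.M)
    if not (host and dom):
        return "", "no-default"
    return f"{host.group(1)}.{dom.group(1)}", "default"


def ssh_only_vty_lines(run: str) -> list[str]:
    """VTY ranges whose only transport is SSH: these go dark if SSH breaks."""
    ranges: list[str] = []
    cur = None
    for line in run.splitlines():
        if m := re.match(r"^line vty (\d+ \d+)", line):
            cur = m.group(1)
        elif cur and re.match(r"^\s*transport input ssh\s*$", line):
            ranges.append(cur)
    return ranges


def preflight(run: str, show_keys: str, proposed: str | None = None) -> list[str]:
    """Findings for the keypair SSH would use, or for `proposed` if you are
    about to enter `ip ssh rsa keypair-name <proposed>`."""
    labels = rsa_key_labels(show_keys)
    label, source = (proposed, "proposed") if proposed else ssh_keypair_in_use(run)
    findings: list[str] = []
    if not label:
        findings.append("FAIL: no hostname/ip domain name, so no default RSA "
                        "keypair label; SSH host-key signing cannot work")
    elif label not in labels:
        findings.append(f"FAIL: keypair '{label}' ({source}) is not in "
                        f"'show crypto key mypubkey rsa'; SSH would fail at RSA_sign")
        if dark := ssh_only_vty_lines(run):
            findings.append("LOCKOUT RISK: SSH-only vty lines " + ", ".join(dark) +
                            "; have console or another transport ready first")
    else:
        findings.append(f"OK: keypair '{label}' ({source}) exists")
    return findings


if __name__ == "__main__":
    for f in preflight(SAMPLE_RUN, SAMPLE_KEYS):
        print(f)
    for f in preflight(SAMPLE_RUN, SAMPLE_KEYS, proposed="edge-rtr.example.com"):
        print(f)
```

The second run in the main block shows the failure mode reported later in this thread: a label that is one character off from the real key name gets a FAIL plus a lockout warning for every vty range that accepts only SSH. Run the check against a fresh show run and show crypto key mypubkey rsa capture, and keep a console or an access-listed non-SSH vty available before changing the keypair on a remote box.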

Re: SSH Login Failing

Unfortunately I can't; I have no more access to the router, as only SSH connections were allowed on the VTY lines. I'll request a reboot of the router and see if the connection comes back.

 

Thank you!

Hall of Fame Super Silver

Re: SSH Login Failing

Does that router allow SNMP write access? Is there no possibility of console access? After you made the change, did you do copy run start?

 

HTH

 

Rick

4947 Views, 10 Helpful, 16 Replies