Issue SSH

I upgraded the IOS on a Catalyst 4507R (engine IV) from cat4000-i9k91s-mz.122-18.EW2.bin to cat4500-entservicesk9-mz.122-52.SG.bin.

Before the upgrade I could run:

ssh 1.1.1.1

without any problem. After the upgrade I can't.

In catalyst 4507r:

-----------------

router_4507r#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
router_4507r#ssh 1.1.1.1
[Connection to 1.1.1.1 aborted: error status 0]

On the remote router:

----------------

Router_remote#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

Hall of Fame Super Bronze

Re: Issue SSH

Try ssh -l [username] 1.1.1.1

HTH

__

Edison.

Community Member

Re: Issue SSH

Hi, thanks for your answer.

I executed the command

ssh -l username 1.1.1.1

and received the same message:

[Connection to 1.1.1.1 aborted: error status 0]

Hall of Fame Super Bronze

Re: Issue SSH

Can we see the complete configuration on both devices?

Can you ping 1.1.1.1 ?

Can you verify you have enough VTY sessions available? (show users).

__

Edison.

Community Member

Re: Issue SSH

Hi,

Yes, I can ping 1.1.1.1.

I can make an SSH connection from my computer using PuTTY without problem.

I have 3 possible VTY connections:

line vty 0 2
 session-timeout 3
 access-class 51 in
 exec-timeout 3 0
 timeout login response 15
 logging synchronous
 transport input ssh

I had no problem connecting before carrying out the IOS upgrade.

Hall of Fame Super Bronze

Re: Issue SSH

Then the problem can be IOS related. Try an earlier version than the one you currently have.

__

Edison.

Community Member

Re: Issue SSH

Maybe it's still helpful. I had the same issue. Check the version of SSH configured on 1.1.1.1.

I have two switches (2950, same IOS, etc.); the destination switch is configured with ip ssh version 2. When trying to SSH from switch one to it, I get the error message, even though when showing SSH both seem to run SSH version 2 OK. But when I take the command out, they connect on SSH 1.5.

So I guess you can either take the command out or put it in on the other switch (if supported).

Then again, you might have different switches altogether by now.

Community Member

Issue SSH

I had a similar case:

+++++++++++++++++++++++++++++++++++++++++++++++++++
Error reported by the customer:

Router2#ssh -l userID x.x.x.x
[Connection to x.x.x.x aborted: error status 0]
Router2#

Resolution:

Enabled on the x.x.x.x router:

conf t
crypto key generate rsa
1024

The device is reachable from Router2 now:

------------------------------------------------------
Router2#ssh -l userID x.x.x.x
Password:
+++++++++++++++++++++++++++++++++++++++++++++++++++

Community Member

Re: Issue SSH

Your old IOS contains only the server function for SSHv2.
You can't operate as a client with this IOS when SSHv2 is enabled.
With SSHv1 you can operate both as a server and as a client.
Your new IOS also offers only the same SSHv1 and SSHv2 functions as your old IOS;
it is still not possible to operate as a client with SSHv2.

You need a newer IOS. Cisco IOS Release 15.0(2)SG (Catalyst 4500 Series Switch) contains Secure Shell SSHv2 Client and Server Support.

You need a crypto key of at least 768 bits to enable SSHv2.

for additional questions look here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/release/note/OL_24727.html


Check your current IOS features with the Cisco Feature Navigator:

http://tools.cisco.com/ITDIT/CFN/jsp/SearchBySoftware.jsp

Community Member

Hi pesanchez2002,

Hi pesanchez2002,

So, although the post is old, I had the same issue. I saw that my two routers had different SSH versions.

R1#ssh -l cisco 10.12.0.2

[Connection to 10.12.0.2 aborted: error status 0]

R1#

R1#sh ip ssh

SSH Enabled - version 1.5

Authentication timeout: 120 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQCn6ikgcwMwN2ifgWa2rqf/kQFUZnN5+k/XsXXDjV0e

VomwDnPVVTSRBtZR2nEhPRg+Tq9EjF8F8ejB/kewfVob                                    

R1#

R2(config-line)#do sh ip ssh

SSH Enabled - version 2.0

Authentication timeout: 120 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDvQVznsveLrgk6vMsR3a5BwYPj2vaBPHRttVY6saE

SQ8E0x4HU1rbn94tzjgLQKVvlc4D9dNam1JIw7A07PS6vxoW0NZTXTMRMF+muEmzaWJkpZq5JUwK18Oa

gqToXWyCjqPAn8Hp+ZgInRynXkMudsKVQfSMHKhB3Z7Lua9oO0COv+WJ+74Ci6ipxMWjethQVT6jCQ8u

MkprhOPQx/haQGe2cilIcfHcSmsrGi0DbyTZxVxaqlgfLZzhttMkCg5UYpxCan3BSWxjb4kTs36Wb8Np

6uEZzvDmolHXLG+8V6P6bMAeBB3KLpC3sfHmWEHwcbVN3UAvAeXY8o4sCzdf                    

R2(config-line)#

My solution was to make the SSH version the same on both devices.

R1(config)#ip ssh version 2

R1#sh ip ssh

SSH Enabled - version 2.0

Authentication timeout: 120 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnfzqredbdnDrI3BB4G/YcKupR29oRPS3pyxrseEaY

LgmZ59K3NAfriL8LGCa15iZQ4nbRb/OARRTJhP+W2km24kfUEqP6n7BQf4VSaPTAx3RdycV2c+6EoOPp

auDeosPfUn+AD8VmUs1vrk+cHusBdnjIS7PRFaq2TQ7TWJTj+sDsoqLxfmoD5bKb8Y/MFtIKULnsrZiS

hjAA2c3HuiqozVSVU+SW+wHAUYJtat28B3zFA65C0HHsoQSnGGFO+U4W9HHXTNFN6n9Ut2fsoRxagZ54

DbaMN9DyoI2jaWlZV1szO8JOUIuzC1TrnXZvxMEJK55ZHOfRO1rq3cVVwYX7                    

R1#

R1#ssh -l admin 10.12.0.2

Password:

R2#

R2#

I hope this information helps other people with the same issue.

Note: sorry for my English, I'm still learning.

Regards
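As an added illustration (not part of the original posts and not Cisco code): the outcome above follows from how SSH identification strings are compared. The script below parses the RFC 4253 banner format and works out whether a client and a server have a protocol version in common, using constructed banners that mirror the 1.5, 2.0 and 1.99 values printed by show ip ssh in this thread. The "Cisco-1.25" software string is a placeholder, not a statement about any release.

```python
"""Added example (not from the thread or from Cisco): checking whether two
SSH endpoints can agree on a protocol version from their identification
strings, per RFC 4253 sections 4.2 and 5.1.

The banners are constructed for this example.  "Cisco-1.25" is a
placeholder software-version string, not a statement about any release.
"""
import re
from typing import Optional, Set

# SSH-protoversion-softwareversion [SP comments] CR LF
_BANNER = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)


def parse_banner(banner: str) -> dict:
    """Split an identification string into its fields; reject anything else."""
    m = _BANNER.match(banner)
    if m is None:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    return {
        "proto": m.group("proto"),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def protocol_majors(proto: str) -> Set[int]:
    """Map the protoversion field to the major versions the peer speaks.

    RFC 4253 section 5.1: a server that supports both 1.x and 2.0 announces
    "1.99".  This is the same field IOS prints after 'SSH Enabled - version':
    1.5 means v1 only, 1.99 means both, 2.0 means v2 only.
    """
    if proto == "1.99":
        return {1, 2}
    major = int(proto.split(".", 1)[0])
    if major in (1, 2):
        return {major}
    raise ValueError(f"unsupported SSH protocol version {proto}")


def negotiate_major(client_banner: str, server_banner: str) -> Optional[int]:
    """Highest major version both sides speak, or None when there is no overlap."""
    client = protocol_majors(parse_banner(client_banner)["proto"])
    server = protocol_majors(parse_banner(server_banner)["proto"])
    common = client & server
    return max(common) if common else None


# Constructed banners mirroring the post: R1 showed "version 1.5", R2 showed
# "version 2.0", and after 'ip ssh version 2' R1 showed "version 2.0" too.
R1_BEFORE = "SSH-1.5-Cisco-1.25\r\n"
R1_AFTER = "SSH-2.0-Cisco-1.25\r\n"
R2 = "SSH-2.0-Cisco-1.25\r\n"
BOTH = "SSH-1.99-Cisco-1.25\r\n"  # a server that accepts either version


def thread_scenarios() -> dict:
    """Version outcomes for the combinations discussed in the thread."""
    return {
        "R1(1.5) -> R2(2.0)": negotiate_major(R1_BEFORE, R2),  # None: no overlap
        "R1(2.0) -> R2(2.0)": negotiate_major(R1_AFTER, R2),  # 2
        "v2-only client -> 1.99 server": negotiate_major(R1_AFTER, BOTH),  # 2
        "v1-only client -> 1.99 server": negotiate_major(R1_BEFORE, BOTH),  # 1
    }


if __name__ == "__main__":
    for label, major in thread_scenarios().items():
        outcome = "no common protocol version" if major is None else f"SSH v{major}"
        print(f"{label}: {outcome}")
```

Running it prints "no common protocol version" for the 1.5 against 2.0 pair and "SSH v2" once both sides report 2.0, which is the before/after seen in this post. Keep in mind that the number after "SSH Enabled - version" is the protoversion field the device's server side advertises; what the IOS SSH client on the same box can speak is a separate question, as the earlier reply about client support points out.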

Community Member

Re: Hi pesanchez2002,

I would like to continue this thread. The above resolution regarding version 2 and client/server support does not seem to be relevant in my case. I have not checked the release notes or software features at this point, but here is what I have.

I have a 3850, new out of the box, running 16.6.1. It cannot SSH to any ASA 5525. The version on the ASA is 9.8(1). The 3850 can SSH fine to other Cisco devices; examples include a 4331, another 3850, a 4500X and an N7K. All work fine, and all are configured with ip ssh version 2. The modulus of all keys is 1024 or better.

3850s on older versions can SSH into the ASA fine. Other switches can SSH to the ASA just fine. PuTTY works fine. I have other ASAs of the same version and this 3850 cannot SSH to any of them. I'm thinking this might be a bug.

VIP Purple

Re: Issue SSH

Hello

Zeroize the SSH key and recreate it.

Also allow SSH on all VTY lines, not just 0 2, and test again.

Regards,

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
Community Member

Re: Issue SSH

Not sure if this was a response to my post, but I don't see how it is relevant to my situation if it was.

The ASA has no concept of line vty, and on the 3850 all VTY lines are set to transport input ssh, which governs inbound sessions, whereas this is an outbound one.

I think I found the issue.

After debug ssh I see this message:

SSH2 0: kex algo not supported: client diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1, server diffie-hellman-group

Unfortunately the message is cut off on the display.

The ASA comes by default with

ssh key-exchange group dh-group1-sha1

Changing it to

ssh key-exchange group dh-group14-sha1 (the only other choice)

and now the 3850 on version 16.6.1 can connect to the ASA with SSH.

The 16.6.1 3850 has a new configuration item:

ip ssh client ?
  encryption
  kex
  mac

ip ssh client kex ?
  diffie-hellman-group-exchange-sha1
  diffie-hellman-group14-sha1

The 3.3.3SE release does not have such an option under ip ssh.

So there are changes in the 16.6.1 code when it comes to the SSH protocol.

At this point the ASA does not seem to understand what diffie-hellman-group-exchange-sha1 is.
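Added example, not from the post and not Cisco code: the KEXINIT negotiation that the "kex algo not supported" debug line reports, reproduced offline in Python. It encodes and parses SSH_MSG_KEXINIT payloads as laid out in RFC 4253 section 7.1 and applies the RFC's selection rule. The client kex list is the one quoted from debug ssh above; the two server lists model the ASA with its default dh-group1-sha1 and after the change to dh-group14-sha1, as the post describes. The cookie and the host-key, cipher, MAC and compression lists are filler for the example, not values observed on either device.

```python
"""Added example (not from the thread or from Cisco): the key-exchange
negotiation behind "kex algo not supported", reproduced offline.

Encodes and parses SSH_MSG_KEXINIT payloads (RFC 4253 section 7.1) and
applies the RFC's selection rule.  Client kex list: quoted from the post's
'debug ssh' output.  Server lists: ASA default, then after
'ssh key-exchange group dh-group14-sha1'.  Cookie and the non-kex lists
are filler chosen for this example.
"""
import os
import struct
from typing import List, Optional, Tuple

SSH_MSG_KEXINIT = 20

# Order of the ten name-lists in a KEXINIT payload (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)


def _name_list(names: List[str]) -> bytes:
    """Encode an SSH name-list: uint32 length + comma-separated US-ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def _read_name_list(buf: bytes, off: int) -> Tuple[List[str], int]:
    """Decode one name-list at offset `off`; return (names, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if raw else []), off + n


def build_kexinit(**lists: List[str]) -> bytes:
    """Build a KEXINIT payload; fields not supplied become empty name-lists."""
    body = b"".join(_name_list(lists.get(f, [])) for f in KEXINIT_FIELDS)
    # first_kex_packet_follows = FALSE, then the reserved uint32 0
    return bytes([SSH_MSG_KEXINIT]) + os.urandom(16) + body + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into its name-lists, rejecting malformed input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16  # message number + cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], off = _read_name_list(payload, off)
    if len(payload) != off + 5:  # boolean + reserved uint32 must end the payload
        raise ValueError("bad KEXINIT trailer length")
    fields["first_kex_packet_follows"] = payload[off] != 0
    (reserved,) = struct.unpack_from(">I", payload, off + 1)
    if reserved != 0:
        raise ValueError("reserved field must be zero")
    return fields


def choose(client: List[str], server: List[str]) -> Optional[str]:
    """RFC 4253 7.1: the first name on the client's list that the server also lists."""
    offered = set(server)
    return next((name for name in client if name in offered), None)


def negotiate(client_payload: bytes, server_payload: bytes) -> dict:
    """Pick the kex, host-key, cipher and MAC both KEXINITs agree on (None = failure)."""
    c, s = parse_kexinit(client_payload), parse_kexinit(server_payload)
    return {f: choose(c[f], s[f]) for f in ("kex", "host_key", "enc_c2s", "mac_c2s")}


# Filler lists shared by both sides so that only the kex list decides the outcome.
_COMMON = dict(host_key=["ssh-rsa"], enc_c2s=["aes128-ctr"], enc_s2c=["aes128-ctr"],
               mac_c2s=["hmac-sha1"], mac_s2c=["hmac-sha1"],
               comp_c2s=["none"], comp_s2c=["none"])

# Client list as quoted from 'debug ssh' in the post.
CLIENT_3850 = build_kexinit(
    kex=["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"], **_COMMON)
# ASA default per the post, and after 'ssh key-exchange group dh-group14-sha1'.
ASA_DEFAULT = build_kexinit(kex=["diffie-hellman-group1-sha1"], **_COMMON)
ASA_GROUP14 = build_kexinit(kex=["diffie-hellman-group14-sha1"], **_COMMON)


def thread_outcome() -> dict:
    """Kex result for the before/after configurations described in the post."""
    return {
        "asa_default": negotiate(CLIENT_3850, ASA_DEFAULT)["kex"],  # None
        "asa_group14": negotiate(CLIENT_3850, ASA_GROUP14)["kex"],  # 'diffie-hellman-group14-sha1'
    }


if __name__ == "__main__":
    client_kex = parse_kexinit(CLIENT_3850)["kex"]
    for label, server_payload in (("asa_default", ASA_DEFAULT), ("asa_group14", ASA_GROUP14)):
        kex = negotiate(CLIENT_3850, server_payload)["kex"]
        if kex is None:
            server_kex = parse_kexinit(server_payload)["kex"]
            print(f"{label}: kex algo not supported: client {','.join(client_kex)}, "
                  f"server {','.join(server_kex)}")
        else:
            print(f"{label}: agreed on {kex}")
```

RFC 4253 section 7.1 takes the first entry on the client's list that the server also offers, so against a server list containing only diffie-hellman-group1-sha1 there is no overlap and the exchange fails, exactly as the debug line shows; once the ASA offers group14 there is a match. diffie-hellman-group1-sha1 is the 1024-bit MODP group (Oakley Group 2) and is widely regarded as too weak today, which is why newer clients stop offering it; diffie-hellman-group14-sha1 is the 2048-bit group, so the change made here is the right direction rather than a workaround. The full RFC rule also requires the chosen kex and host-key algorithms to be mutually compatible; this example skips that refinement.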

 

 
