SSH problem to Cisco router (but works fine with PuTTY)


Jeff West
07-26-2005, 12:47 PM
I have several devices that I cannot get to via SSH when using SecureCRT (5.0.1 build 1008), but I can access them with no problem if I use PuTTY. Below are traces from SecureCRT and debug SSH output from the router. Does anyone have any idea how to solve this?

Thank you

From SecureCRT:
[LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_EXPECT_KEX_INIT.
[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = "SSH-2.0-Cisco-1.25"
[LOCAL] : CAP : Remote can re-key
[LOCAL] : CAP : Remote sends language in password change requests
[LOCAL] : CAP : Remote sends algorithm name in PK_OK packets
[LOCAL] : CAP : Remote sends algorithm name in public key packets
[LOCAL] : CAP : Remote sends algorithm name in signatures
[LOCAL] : CAP : Remote sends error text in open failure packets
[LOCAL] : CAP : Remote sends name in service accept packets
[LOCAL] : CAP : Remote includes port number in x11 open packets
[LOCAL] : CAP : Remote uses 160 bit keys for SHA1 MAC
[LOCAL] : CAP : Remote supports new diffie-hellman group exchange messages
[LOCAL] : CAP : Remote correctly handles unknown SFTP extensions
[LOCAL] : CAP : Remote correctly encodes OID for gssapi
[LOCAL] : CAP : Remote correctly uses connected addresses in forwarded-tcpip requests
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : GSS : Requesting full delegation
[LOCAL] : RECV : Read kexinit
[LOCAL] : RECV: TCP/IP close
[LOCAL] : Changing state from STATE_EXPECT_KEX_INIT to STATE_CLOSED.
[LOCAL] : Connected for 15 seconds, 48 bytes sent, 598 bytes received


From the router:
001540: Jul 25 12:15:23.954 UTC: SSH2 1: send: len 48 (includes padlen 14)
001541: Jul 25 12:15:23.954 UTC: SSH2 1: done calc MAC out #300
001542: Jul 25 12:15:24.078 UTC: SSH2 1: ssh_receive: 52 bytes received
001543: Jul 25 12:15:24.078 UTC: SSH2 1: input: packet len 32
001544: Jul 25 12:15:24.078 UTC: SSH2 1: partial packet 16, need 16, maclen 20
001545: Jul 25 12:15:24.078 UTC: SSH2 1: MAC #240 ok
001546: Jul 25 12:15:24.078 UTC: SSH2 1: input: padlen 17
001547: Jul 25 12:15:24.082 UTC: SSH2 1: received packet type 94
001548: Jul 25 12:15:24.082 UTC: SSH2 1: send: len 32 (includes padlen 16)
001549: Jul 25 12:15:24.082 UTC: SSH2 1: done calc MAC out #301
001550: Jul 25 12:15:24.082 UTC: SSH2 1: send: len 48 (includes padlen 16)
001551: Jul 25 12:15:24.082 UTC: SSH2 1: done calc MAC out #302
001552: Jul 25 12:15:30.962 UTC: SSH0: starting SSH control process
001553: Jul 25 12:15:30.962 UTC: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
001554: Jul 25 12:15:30.962 UTC: SSH0: protocol version id is - SSH-2.0-SecureCRT_5.0.1 (build 1008) SecureCRT
001555: Jul 25 12:15:30.962 UTC: SSH2 0: send: len 280 (includes padlen 4)
001556: Jul 25 12:15:30.966 UTC: SSH2 0: SSH2_MSG_KEXINIT sent
001557: Jul 25 12:15:45.966 UTC: SSH2 0: send: len 72 (includes padlen 7)
001558: Jul 25 12:15:46.066 UTC: SSH0: Session disconnected - error 0x00
001559: Jul 25 12:15:52.062 UTC: SSH2 1: ssh_receive: 52 bytes received
001560: Jul 25 12:15:52.062 UTC: SSH2 1: input: packet len 32
001561: Jul 25 12:15:52.062 UTC: SSH2 1: partial packet 16, need 16, maclen 20
001562: Jul 25 12:15:52.062 UTC: SSH2 1: MAC #241 ok
001563: Jul 25 12:15:52.062 UTC: SSH2 1: input: padlen 17
001564: Jul 25 12:15:52.062 UTC: SSH2 1: received packet type 94
001565: Jul 25 12:15:52.062 UTC: SSH2 1: send: len 32 (includes padlen 17)
001566: Jul 25 12:15:52.062 UTC: SSH2 1: done calc MAC out #303
001567: Jul 25 12:15:52.158 UTC: SSH2 1: ssh_receive: 52 bytes received
001568: Jul 25 12:15:52.158 UTC: SSH2 1: input: packet len 32
001569: Jul 25 12:15:52.158 UTC: SSH2 1: partial packet 16, need 16, maclen 20
001570: Jul 25 12:15:52.158 UTC: SSH2 1: MAC #242 ok
001571: Jul 25 12:15:52.158 UTC: SSH2 1: input: padlen 17
001572: Jul 25 12:15:52.162 UTC: SSH2 1: received packet type 94
001573: Jul 25 12:15:52.162 UTC: SSH2 1: send: len 32 (includes padlen 17)
001574: Jul 25 12:15:52.162 UTC: SSH2 1: done calc MAC out #304
001575: Jul 25 12:15:52.218 UTC: SSH2 1: ssh_receive: 52 bytes received
001576: Jul 25 12:15:52.218 UTC: SSH2 1: input: packet len 32
001577: Jul 25 12:15:52.222 UTC: SSH2 1: partial packet 16, need 16, maclen 20

jjh
07-27-2005, 03:10 PM
Jeff,

We have created an incident report and our development team is looking into the problem you are experiencing while trying to connect to Cisco 2811 routers. We will reply to you via e-mail when we have more information.


If anyone else in the forums is experiencing the same problem, or has in the past, please let us know or send e-mail to support@vandyke.com

Thank you

JJH

kenner@nyu.edu
07-28-2005, 08:11 AM
I had no problems doing that.

matrixnet88
09-06-2008, 12:44 PM
I am having problems using SecureCRT 6.1 to an 1811 router after upgrading to IOS 12.2.4.20T. I was running IOS 12.2.4.15 with SecureCRT fine.

Once I finished upgrading the firmware, SecureCRT 6.1 stopped working and won't make any connection. PUTTY.EXE works fine, and SSH between routers is working fine.

I have submitted a support question to the VanDyke engineering team. If anyone is having the same problems, please email me at matrixnet88@yahoo.com.

I have regenerated the RSA key on the router as well, with modulus 1024.

Please help and advise.

matrixnet88
09-06-2008, 01:03 PM
What I did to solve this for me was to move diffie-hellman to be the first key, which fixed it.

stolmik
06-10-2009, 06:24 AM
After upgrading IOS to 12.4(24)T I had the same problem, but in the debug messages I saw this:

!---bla-bla-bla----
*12:19:02.119: SSH2:kex: client->server enc:aes256-cbc mac:hmac-sha1
*12:19:02.119: SSH2:kex: server->client enc:aes256-cbc mac:hmac-sha1
*12:19:02.119: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
*12:19:02.119: SSH2 0: Range sent by client is - 1024 < 2046 < 2046
*12:19:02.119: SSH2 0: Invalid modulus length
*12:19:02.119: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.32.5.35 (tty = 0) using crypto cipher '', hmac '' Failed
*12:19:02.119: %SSH-5-SSH2_CLOSE: SSH2 Session from 10.32.5.35 (tty = 0) for user '' using crypto cipher '', hmac '' closed

The solution to the problem is in the priority order of the DH groups: diffie-hellman should be first in this list.

BTW: after this I changed the default session settings.

rtb
06-12-2009, 03:21 PM
Here is some additional information for those who are interested.

RFC4419 does not specify anywhere that the modulus length must be a power of 2, but Cisco IOS versions with broken implementations of diffie-hellman group exchange incorrectly require the modulus length be a power of 2. This is the cause of the problem you are seeing.

In addition to moving diffie-hellman to the top of the key exchange list in SecureCRT, another solution is to open the .ini file associated with the session being used to connect to the Cisco device and manually change the following line from:
D:"GEX Preferred Size"=000007fe
to:
D:"GEX Preferred Size"=00000800

Also, SecureCRT versions 6.1.2 and newer provide a more automatic work-around to this problem caused by broken Cisco implementations of diffie-hellman group exchange.
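
To make the two points above concrete, here is an added example that is not part of this thread and not SecureCRT's or Cisco's code. It encodes and decodes the RFC 4419 KEX_DH_GEX_REQUEST payload (message 34: min, preferred n, max), models the behaviour stolmik's debug output and rtb's explanation describe (the IOS side rejecting a preferred size that is not a power of two; this model is an assumption about where the check applies, not IOS source), scans constructed "debug ip ssh" lines for the "Range sent by client" value, and rewrites the SecureCRT ini setting 000007fe to the next power of two, 00000800, exactly as rtb's manual edit does. The sample debug lines and the second 2048/8192 range are constructed for the example.

```python
import re
import struct

# Message number for SSH_MSG_KEX_DH_GEX_REQUEST (RFC 4419, section 5).
SSH_MSG_KEX_DH_GEX_REQUEST = 34

# Constructed sample of IOS "debug ip ssh" output, modelled on the lines quoted
# in the thread. The 1024 < 2046 < 2046 range is the failing one from the thread;
# the 2048/8192 range is made up for contrast.
SAMPLE_DEBUG = """\
*12:19:02.119: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
*12:19:02.119: SSH2 0: Range sent by client is - 1024 < 2046 < 2046
*12:19:02.119: SSH2 0: Invalid modulus length
*12:20:11.004: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
*12:20:11.004: SSH2 0: Range sent by client is - 1024 < 2048 < 8192
"""


def build_gex_request(min_bits, pref_bits, max_bits):
    """Encode the RFC 4419 GEX request payload: byte 34, then uint32 min, n, max."""
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, min_bits, pref_bits, max_bits)


def parse_gex_request(payload):
    """Decode a GEX request payload back into (min, n, max); rejects other message types."""
    if len(payload) != 13:
        raise ValueError("GEX request payload must be exactly 13 bytes")
    msg, lo, pref, hi = struct.unpack(">BIII", payload)
    if msg != SSH_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError(f"not a KEX_DH_GEX_REQUEST (message type {msg})")
    return lo, pref, hi


def is_power_of_two(n):
    return n > 0 and (n & (n - 1)) == 0


def rfc4419_range_ok(lo, pref, hi):
    """What RFC 4419 actually requires of the client: min <= n <= max. No power-of-two rule."""
    return 0 < lo <= pref <= hi


def strict_ios_accepts(lo, pref, hi):
    """Model (assumption) of the broken IOS check described in the thread: the
    preferred modulus length must be a power of two. Not Cisco's code."""
    return rfc4419_range_ok(lo, pref, hi) and is_power_of_two(pref)


def next_power_of_two(n):
    """Smallest power of two >= n, e.g. 2046 -> 2048 and 2048 -> 2048."""
    return 1 if n <= 1 else 1 << (n - 1).bit_length()


# SecureCRT stores the value as 8 hex digits: 000007fe == 2046.
INI_RE = re.compile(r'^(D:"GEX Preferred Size"=)([0-9A-Fa-f]{8})\s*$')


def read_gex_ini(line):
    """Parse the session .ini line into the preferred size in bits."""
    m = INI_RE.match(line)
    if not m:
        raise ValueError("not a GEX Preferred Size line")
    return int(m.group(2), 16)


def fix_gex_ini(line):
    """Rewrite the setting to the next power of two, as rtb's manual edit does."""
    m = INI_RE.match(line)
    if not m:
        raise ValueError("not a GEX Preferred Size line")
    return m.group(1) + format(next_power_of_two(int(m.group(2), 16)), "08x")


RANGE_RE = re.compile(r"Range sent by client is - (\d+) < (\d+) < (\d+)")


def scan_debug(text):
    """Return (min, n, max, accepted_by_strict_ios) for every GEX range in the debug text."""
    found = []
    for line in text.splitlines():
        m = RANGE_RE.search(line)
        if m:
            lo, pref, hi = (int(x) for x in m.groups())
            found.append((lo, pref, hi, strict_ios_accepts(lo, pref, hi)))
    return found


if __name__ == "__main__":
    for lo, pref, hi, ok in scan_debug(SAMPLE_DEBUG):
        verdict = "accepted" if ok else "rejected by strict IOS (not a power of two)"
        print(f"range {lo} < {pref} < {hi}: RFC-valid={rfc4419_range_ok(lo, pref, hi)}, {verdict}")
    print(build_gex_request(1024, 2046, 2046).hex())
    print(fix_gex_ini('D:"GEX Preferred Size"=000007fe'))
```

Running it shows the 2046 request is perfectly valid under RFC 4419 but fails the modelled power-of-two check, and that the ini rewrite produces the `00000800` line rtb gives; moving diffie-hellman (the fixed group, not group exchange) first in the client's list sidesteps the GEX request entirely, which is why that works too.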

Alfyj
10-21-2009, 11:38 AM
Cisco IOS release 12.4(24)T1, with SecureCRT 4.0.9. Is there a way to get around this problem with this version of SecureCRT? I don't see a way to move the DH key in 4.0.9. We were able to do this on a 6.x version of SecureCRT, but we don't have a site license for that version.

Alfyj
10-21-2009, 12:17 PM
I took a wireshark trace and saw that the Cisco 2431 advertises SSH V1. I changed the SecureCRT session to use SSH V1, and it connects properly now.

bgagnon
10-21-2009, 12:56 PM
Hi Alfyj,

Thank you for posting your solution here!

You can also enable 'Trace Options' from SecureCRT's 'File' menu. This will cause debugging information to be displayed in the terminal window that is not there by default. It will display useful connection information similar to what is shown below:

[LOCAL] : Using protocol SSH2
[LOCAL] : RECV : Remote Identifier = 'SSH-2.0-VShell_3_5_3_516 VShell'