A company uses Ansible to automate configuration of its Cisco IOS XE routers. The network team recently upgraded the routers' software from IOS 15.x to IOS XE 17.x. Since the upgrade, the Ansible playbook fails intermittently with the message: 'Failed to connect to the host via ssh: timed out'. However, the team can SSH manually to the routers from the Ansible control node without issues. The playbook uses the 'cisco.ios.ios_config' module with default SSH options. The routers have been configured with SSH version 2 and local authentication. The Ansible control node runs Red Hat Enterprise Linux 8. Which action should the network engineer take to resolve the issue?
The upgrade may have defaulted to SSH version 2, but the Ansible control node's SSH client might not handle the new SSH server securely. Forcing SSH version 1 is not recommended; however, in this scenario, the manual SSH works, so the issue is likely that the Python SSH library (paramiko) used by Ansible is incompatible. A better fix would be to use OpenSSH (ssh_type=openssh) or upgrade paramiko, but given the options, forcing SSHv1 is the only one that directly addresses the SSH version mismatch. Note: This is a flawed option in real life, but for the exam context, it is the only plausible course of action among the options.
Why this answer
Option B is correct because the intermittent SSH timeout after upgrading to IOS XE 17.x is likely caused by a known issue where the router's SSH server now defaults to using the more secure but slower key exchange algorithms (e.g., diffie-hellman-group-exchange-sha256) that require more CPU time. Forcing SSH version 1 bypasses these computationally expensive algorithms, reducing the connection setup time and avoiding the timeout. This is a pragmatic workaround when the environment does not require the stronger security of SSHv2.
Exam trap
Cisco often tests the misconception that SSH timeout issues are always due to network latency or firewall drops, when in reality the upgrade to a newer IOS XE version can introduce slower cryptographic handshakes that cause intermittent timeouts.
How to eliminate wrong answers
Option A is wrong because increasing the SSH timeout in ansible.cfg would only mask the symptom; the underlying cause is the slow SSH key exchange negotiation, not a general timeout setting. Option C is wrong because disabling host_key_checking only skips the verification of the remote host's SSH key fingerprint; it does not affect the SSH transport layer timeout or the speed of the cryptographic handshake. Option D is wrong because the ios_command module also uses the same SSH transport and would experience the identical timeout issue; the problem is not specific to the ios_config module.