
SSH Not Working — Unable to Connect to Router/Switch

Presenting Symptom

A network engineer is unable to establish an SSH connection to a Cisco router or switch, receiving 'Connection refused' or 'Connection timed out' errors.

Network Context

The issue occurs in a small branch office with a Cisco 4321 router and a Cisco 2960 switch running IOS 15.x. The devices are configured for remote management via SSH, but the engineer cannot connect from a management workstation on the same VLAN. The devices have IP connectivity (ping works), but SSH fails.

Diagnostic Steps

1. Check if the SSH server is enabled and running on the device

show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie-Hellman key size: 1024 bits
IOS Keys in SECSH format(ssh-rsa, ssh-dsa)
Crypto keys loaded: YES

If 'SSH Enabled - version 2.0' is not displayed, SSH is not enabled. If 'Crypto keys loaded: NO' is displayed, the RSA keys are missing. Either result indicates that the SSH configuration is incomplete.

2. Verify that RSA keys are generated and of sufficient size

show crypto key mypubkey rsa
Key name: router.cisco.com
  Serial number: 12345678
  Usage: General Purpose Key
  Key is not exportable.
  Key data:
  30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 020100
  ...
  % Key pair was generated at: 12:34:56 UTC Jan 1 2023
  Key size: 2048

If no keys are shown, or the key size is less than 2048 bits (the CCNA minimum), SSH will not work. The device needs at least a 2048-bit RSA key pair.

3. Check if the VTY lines are configured to accept SSH connections

show line vty 0 4
  Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
    0 VTY              -    -      -    -    -       0       0     0/0       -
    1 VTY              -    -      -    -    -       0       0     0/0       -
    2 VTY              -    -      -    -    -       0       0     0/0       -
    3 VTY              -    -      -    -    -       0       0     0/0       -
    4 VTY              -    -      -    -    -       0       0     0/0       -

Line 0, Location: '', Type: 'VT100'
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: Ready
Capabilities: none
Modem state: Ready
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
    ^^x  none  no    yes

Group codes:   0

Look for the 'transport input' setting; in the full 'show line' output it is reported as 'Allowed input transports are ...'. If it shows 'telnet' or 'none', SSH is not allowed. The expected setting is 'transport input ssh' or 'transport input all'.

4. Verify the VTY line access-class and authentication settings

show running-config | section line vty
line vty 0 4
 password 7 0822455D0A16
 login
 transport input ssh
!

Ensure that 'login local' (with a local username/password) or 'login' with a line password is configured. If 'login' is used without a password, SSH will fail. Also check for an access-class that might be blocking the management workstation's IP address.

Root Cause

The SSH server is not enabled because the RSA key pair was not generated, or the key size is less than 2048 bits. Additionally, the VTY lines may not be configured to accept SSH transport input.

Resolution

1. Generate RSA keys with at least 2048 bits (answer 'yes' to use the keys for SSH):
   configure terminal
   crypto key generate rsa modulus 2048
2. Enable the SSH server (if not already enabled):
   ip ssh version 2
3. Configure the VTY lines for SSH:
   line vty 0 4
    transport input ssh
    login local
    exit
4. Create a local user account if one is not present:
   username admin secret cisco
5. Apply the configuration and test.

Verification

1. show ip ssh — should show 'SSH Enabled - version 2.0'
2. show crypto key mypubkey rsa — should show a key size of 2048
3. show line vty 0 4 | include transport — should show 'transport input ssh'
4. Attempt SSH from a workstation: ssh -l admin 192.168.1.1 — should succeed.
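The checks in the diagnostic and verification steps can be run as a script over captured 'show' output, so a baseline audit catches the same misconfigurations before an engineer is locked out. The following is an added example, not part of the original scenario: it parses constructed 'show ip ssh', 'show crypto key mypubkey rsa' (using the 'Key size:' line shown above) and 'show running-config | section line vty' text and reports which prerequisites are not met.

```python
import re

# Constructed sample device output modelled on the scenario above (not captured from a real device).
BROKEN_IP_SSH = "SSH Disabled - version 1.99\n%Please create RSA keys to enable SSH.\n"
BROKEN_RSA = "Key name: router.cisco.com\n  Usage: General Purpose Key\n  Key size: 1024\n"
BROKEN_CONFIG = "line vty 0 4\n password 7 0822455D0A16\n login\n transport input telnet\n!\n"
FIXED_IP_SSH = "SSH Enabled - version 2.0\nAuthentication timeout: 120 secs; Authentication retries: 3\n"
FIXED_RSA = "Key name: router.cisco.com\n  Usage: General Purpose Key\n  Key size: 2048\n"
FIXED_CONFIG = ("ip ssh version 2\nusername admin secret <set-your-own>\n"
                "line vty 0 4\n transport input ssh\n login local\n!\n")

def vty_section(running_config):
    """Return the indented body of 'line vty 0 4', or None if the section is absent."""
    m = re.search(r"^line vty 0 4\n((?: .*\n?)*)", running_config, re.M)
    return m.group(1) if m else None

def audit_ssh_access(show_ip_ssh, show_rsa, running_config):
    """Return the SSH prerequisites from the diagnostic steps that are NOT met (empty = all pass)."""
    findings = []
    if "SSH Enabled - version 2.0" not in show_ip_ssh:
        findings.append("ssh-server: SSH is not enabled (check RSA keys / 'ip ssh version 2')")
    size = re.search(r"Key size:\s*(\d+)", show_rsa)
    if size is None:
        findings.append("rsa-key: no RSA key pair; run 'crypto key generate rsa modulus 2048'")
    elif int(size.group(1)) < 2048:
        findings.append(f"rsa-key: {size.group(1)}-bit key is below the 2048-bit minimum")
    body = vty_section(running_config)
    if body is None:
        findings.append("vty: no 'line vty 0 4' section in the running-config")
        return findings
    t = re.search(r"^ transport input (.+)$", body, re.M)
    transports = set(t.group(1).split()) if t else set()   # absent line treated as not set
    if not transports & {"ssh", "all"}:
        findings.append("vty: 'transport input' does not permit ssh")
    if re.search(r"^ login local$", body, re.M):
        if not re.search(r"^username \S+ (secret|password) ", running_config, re.M):
            findings.append("vty: 'login local' set but no 'username ... secret' exists")
    elif re.search(r"^ login$", body, re.M):
        if not re.search(r"^ password ", body, re.M):
            findings.append("vty: 'login' set without a line password")
    else:
        findings.append("vty: no login method on the VTY lines")
    if re.search(r"^ access-class ", body, re.M):
        findings.append("vty: access-class applied; confirm it permits the management workstation")
    return findings

if __name__ == "__main__":
    for label, args in (("broken", (BROKEN_IP_SSH, BROKEN_RSA, BROKEN_CONFIG)),
                        ("fixed", (FIXED_IP_SSH, FIXED_RSA, FIXED_CONFIG))):
        print(label, audit_ssh_access(*args) or "all SSH prerequisites met")
```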

Prevention

1. Use a configuration template or script to generate RSA keys during initial device setup.
2. Always configure VTY lines with 'transport input ssh' and 'login local' as part of the baseline configuration.
3. Implement AAA with TACACS+ or RADIUS for centralized authentication and authorization.

CCNA Exam Relevance

On the CCNA 200-301 exam, SSH troubleshooting appears in multiple-choice questions and simulation labs. The exam tests the candidate's ability to identify missing RSA keys, incorrect VTY transport settings, and authentication misconfigurations. A key fact is that SSH requires a minimum 2048-bit RSA key and the 'ip ssh version 2' command.

Exam Tips

1. Memorize the minimum RSA key size for SSH: 2048 bits.

2. Remember that 'transport input ssh' must be configured on VTY lines; 'transport input telnet' will not allow SSH.

3. Know that 'show ip ssh' displays the SSH version and key status; if SSH is not enabled, check for RSA keys.
