How to fix “Cannot SSH to ScreenOS device from a Cisco Switch”

Sponsored Link

When attempting to SSH to a ScreenOS device from a Cisco switch, the following error is reported in the logs:

Event Log on ScreenOS device (NetScreen):

system error 00528 SSH: Failed to negotiate host key algorithm with host x.x.x.x.

Cisco Switch Log:

SSH2 CLIENT 0: hostkey algo not supported: client ssh-rsa, server ssh-dss


Cisco client is using SSH-RSA , and ScreenOS device is using SSH-DSA (same as DSS).

ScreenOS supports SSH-RSA in SSHv1, and it supports SSH-DSA in SSHv2.

To find the version of the SSH and see the algorithm being used, run the following commands:

Example 1 DSA key:

get ssh

SSH V2 is active
SSH is NOT enabled
SSH is NOT ready for connections
Maximum sessions: 24
Active sessions: 0

get ssh host-key

DSA fingerprint:
finger_print = 37:23:74:ba:4c:a5:91:d1:ea:4e:a2:a8:46:58:4e:b1

Example 2 RSA Key:

get ssh

SSH V1 is active
SSH is enabled
SSH is ready for connections
Key regeneration time: 60 minutes
Maximum sessions: 24
Active sessions: 0

get ssh host-key

Length: 1024
Exponent: 65537

Key ID: 0F96C0C2EE54B93A1BB6

RSA1 key fingerprint:

In order to resolve this issue, the algorithm has to match. Therefore either set the firewall to SSHv1 or SSHv2 to match the Cisco unit, or you set the Cisco unit to match the firewall.

To change to SSHv1 you run the following commands:

delete ssh device all
set ssh version v1
set ssh enable

Sponsored Link

Leave a comment

Your email address will not be published. Required fields are marked *