Can’t connect to MikroTik via SSH - Corrupt host’s key, regenerating it! Reboot required! [SOLVED]

Well, I already had an issue with SecureCRT and SSH on MikroTik and put a note about it some time before. Now I get another one. I tried to log in to RouterOS 6.42.1 via SSH from Linux machine and here is what I saw on Linux side:

linux# ssh -l username
Received disconnect from port 22:3:
Disconnected from port 22

I checked debug message of SSH client, but it didn’t help much:

linux# ssh -l username -v
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: diffie-hellman-group-exchange-sha256 need=20 dh_need=20
debug1: kex: diffie-hellman-group-exchange-sha256 need=20 dh_need=20
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
Received disconnect from port 22:3:
Disconnected from port 22

RouterOS generated the following log messages for every attempt:

ssh,error Corrupt host's key, regenerating it! Reboot required!

I used the same thing to fix it:

[admin@MikroTik] > /ip ssh regenerate-host-key
This will regenerate current SSH host keys, yes? [y/N]:
22:15:58 echo: ssh,critical SSH host key regenerated!
[admin@MikroTik] >

Good luck!

MikroTik ROS - clear ip bgp x.x.x.x

Here is the way how you can bounce BGP session in MikroTik ROS:

/routing bgp peer set [find remote-address=x.x.x.x] disabled=yes
:delay 2
/routing bgp peer set [find remote-address=x.x.x.x] disabled=no

The result will be the same as “clear ip bgp x.x.x.x” in Cisco IOS - BGP session will be dropped and new session will be established.

MikroTik ROS - Time sync OR NTP client configuration.

If MikroTik device has internet access the easiest way for me to configure time synchronization is to use publicly available NTP servers and use DNS names instead of IPs:

We will need to configure DNS client to be able to resolve hostnames into IPs:

/ip dns set servers=, allow-remote-requests=no

Here is the way to check if DNS client works or not:

[admin@MikroTik] > :put [:resolve]
[admin@MikroTik] >

Otherwise you will see an error:

[admin@MikroTik] > :put [:resolve]
failure: dns server failure
[admin@MikroTik] >

If DNS is working fine we can go ahead and configure one or multiple DNS names for NTP server. In addition to that we would configure TimeZone:

/system clock set time-zone-name=PST8PDT
/system ntp client set enabled=yes,,

Check if RouterOS was able to synchronize the time with any of NTP servers:

[admin@MikroTik] > /system ntp client print
           enabled: yes
              mode: unicast
     poll-interval: 16s
[admin@MikroTik] >

As you can see there’s an IP in “active-server” field. That means it’s all good. Now we can check current time in RouterOS:

[admin@MikroTik] > /system clock print
                  time: 09:33:46
                  date: dec/14/2018
  time-zone-autodetect: yes
        time-zone-name: PST8PDT
            gmt-offset: -08:00
            dst-active: no
[admin@MikroTik] >

Good luck!

MikroTik ROS - How to reorder firewall rules.

As you might know, MikroTik RouterOS has a great CLI and built-in scripting language which is extremely versatile. There was a time when RouterOS had Lua language, but not anymore. I enjoy of using CLI for whatever I do and it’s the most efficient way to operate ROS.

One of the most biggest configuration sections in RouterOS is “/ip firewall filter” and might be huge and cumbersome. In addition to the syntax for firewall rules should should know how to put the rules in the right order. There’s re two major commands here:

move - changes the order of items in list.

• first argument specifies the item(-s) being moved.
• second argument specifies the item before which to place all items being moved (they are placed at the end of the list if the second argument is omitted).

/ip firewall filter move 1 0

Keep in mind that recommended way is to use “internal IDs” (you would use find command). Otherwise you will need to execute “/ip firewall filter print” a lot. More info can be found here - Modify firewall order or add firewall with script.

place-before parameter that use can use to specify the place where to put the rule.

Here is an example how to place the rule at the very beginning of the list:

/ip firewall filter add chain=input action=accept place-before=0

The same concept of using “internal IDs” is recommended.

Good luck!

MikroTik ROS - “show ip route” command.

If you are looking for “show ip route” CLI command in MikroTik ROS here is the answer:

[admin@MikroTik] > /ip route print where in dst-address
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADo                             110
[admin@MikroTik] >

Keep in mind this result does NOT take into account Mangle Rules that you might have configured.

Check this forum thread if any questions.

Admin area