Solved: SSH into APIC

ksherwood · ‎10-25-2016

I can PING and HTTPS into my APIC but can't SSH ???

Does anyone know why this might be the case ?

Tomas de Leon · ‎10-25-2016

Did SSH work to this APIC before?
Can you successfully SSH to APIC2 or APIC3? Leaf(s) & Spine(s)?
What has changed? Did you upgrade APICs? if so, from what version to what version?
In Pod Policies, Are you using the "default" management access policy or a "custom name" management access policy? What is the settings configured for SSH & SSH via WEB?
If you ssh to APIC with the following syntax, capture the output and paste to Text file. Please attach the text file. "ssh -vvv admin@1.2.3.4"

Thanks

T.

View solution in original post

Tomas de Leon · ‎10-25-2016

Did SSH work to this APIC before?
Can you successfully SSH to APIC2 or APIC3? Leaf(s) & Spine(s)?
What has changed? Did you upgrade APICs? if so, from what version to what version?
In Pod Policies, Are you using the "default" management access policy or a "custom name" management access policy? What is the settings configured for SSH & SSH via WEB?
If you ssh to APIC with the following syntax, capture the output and paste to Text file. Please attach the text file. "ssh -vvv admin@1.2.3.4"

Thanks

T.

ksherwood · ‎10-25-2016

Thanks Tom, I went in to this GUI area and SSH was already enabled but didn't work.

So I enabled SSH via WEB and even the Telnet option, submitted and tried SSH via web...worked.

So then out of curiosity I tried SSH again and that worked too.

Thanks.

When you get a chance, can you please email me: kevin.sherwood@dsto.defence.gov.au

Tomas de Leon · ‎10-26-2016

There is a known issue:

CSCva22593 [APIC commPol] Custom mgmt access policy ignored after upgrade

A fabric has "Custom" management access policies configured and applied to a particular POD for the block of nodes in each POD.  The policies, policy groups, and profiles are created and deployed to each node in the fabric.  The Custom policies are tested and working as expected.  The "default" mgmt policy disables all protocols except HTTPS.  The default "Profile" is deleted so that it can not be used for the default policy (which cannot be deleted).

The Custom mgmt access policies configuration continue to work as expected until an "upgrade" is performed in the fabric. After an upgrade, the APIC creates a "default" profile and uses the "default" policy instead of the Configured "Configured" Policies & Profiles.  The APIC should not use the default policy since it is not applied to ALL or a specific range of nodes.  Since the APIC creates a "default" profile after upgrade and applies to all nodes and overrides "Custom" policies.  This should not happen.

The workaround is to change any item in the Custom Policy and submit.  At this time, the Custom policy is deployed and works as expected until the next upgrade.

you may be running into this.

T.

ksherwood · ‎11-03-2016

I was always just using the default access policy.

Now I can SSH directly to my only APIC but not to any other switch...is this normal ?

micgarc2 · ‎12-06-2016

Hello,

Have you configured the following?

- static out-of-band node management addresses for each APIC node

- a pool for the out-of-band node management addresses for a range of nodes

- an OOB contract for the node management out-of-band EPG

- an external network instance profile for the OOB management network

This all can be done under the management tenant.

Hope this helps.

Regards,

Michael G.

Thank you for participating in the Cisco Support Forum for ACI! If you have other questions related to this post, please let us know. If this response answers your questions, please mark this post "answered" and assign a rating to the response(s) provided. This will help notify other viewers that your question(s) is answered and this helps us provide better responses for this and future questions.