CISCO SWITCH SG 350 PERL SCRIPT- TELNET CONNECTION REJECTED

aneplas
Level 1

Hello guys,

I have many Cisco SG 350 switches and I want to take a mass backup of every switch.

I have made a script in Perl that logs in to the switch, backs up the switch to a TFTP server and moves on to the next switch.

The script is working perfectly fine on the SG220, but on the SG350 it gives me an error that the connection is rejected by the switch.

I have enabled SSH and Telnet on the switch.

Is there any kind of intrusion detection enabled by default in the 350 series that I'm not aware of?

9 Replies

Hi @aneplas 

You may take a look at the security features. Try to disable DoS if it is enabled. ACLs could also cause the reject.

If you try to access it using an SSH/Telnet client from your machine, does it work?

[two screenshots attached]

Hello Flavio,

DoS is disabled, and I don't have any ACLs.

If I manually telnet or ssh, I connect normally to the switch.

This is the message i get in the dashboard of the switch:

 %AAA-W-REJECT: New telnet connection, source 192.168.99.206 destination 192.168.99.101 REJECTED

And this is the message I get in the CLI where I run the script:

Error occurred for 192.168.99.101: read error: An existing connection was forcibly closed by the remote host. at cisco_backup3.pl line 19

The message on the switch side with "AAA" suggests a RADIUS server. Do you have RADIUS enabled?

[screenshot attached]

No, RADIUS is not enabled.

This is the script; it might help you.

use strict;
use warnings;
use Net::Telnet::Cisco;
use Timestamp::Simple qw(stamp);
use Time::HiRes qw(sleep);

my $user = "X";
my $pass = "X";

my $backup_host = '192.168.99.206';
my $dt = stamp;    # timestamp used in the backup file name
my $enable_pass = "X";

foreach my $device ('192.168.99.101','192.168.99.102','192.168.99.103','192.168.99.104','192.168.99.105','192.168.99.106','192.168.99.108','192.168.99.107','192.168.99.109','192.168.99.110','192.168.99.111','192.168.99.112') {
    my $session; # Declare the session variable outside the eval block

    eval {
        $session = Net::Telnet::Cisco->new(
            Host    => $device,
            Timeout => 60,
        );
        $session->login($user, $pass);

        if ($session->enable($enable_pass)) {
            my @output = $session->cmd('show privilege');
            print "My privileges on $device: @output";
            $session->cmd("copy running-config tftp://$backup_host/$device-$dt.cfg");
            print "Backup of $device completed.\n";
        } else {
            warn "Can't enable on $device: " . $session->errmsg;
        }
    };

    if ($@) {
        # The actual error text is "An existing connection was forcibly closed
        # by the remote host", so match case-insensitively on the common part.
        if ($@ =~ /forcibly closed by the remote host/i) {
            warn "Connection forcibly closed by the remote host for $device\n";
        } elsif ($@ =~ /pattern match timed-out/) {
            warn "Timeout occurred for $device\n";
        } else {
            warn "Error occurred for $device: $@";
        }
    }

    $session->close if $session; # Close the session if it exists
    sleep 3; # Wait for 3 seconds before moving to the next switch
}
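Before changing the script or the switch, it helps to confirm from the switch's own log which hosts are being rejected and how often. The following Perl filter is an added example, not part of the thread or of the original script: it parses the %AAA-W-REJECT lines shown above, tallies rejects per source/destination/service, and flags any source that is rejected repeatedly. The first log line is the one quoted in the thread; the timestamps and the other lines are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Sample switch log. Line 1 is the message quoted in the thread; the
# timestamp prefix, the second source address and the non-reject lines are
# constructed for this example and may differ from a real SG350 log.
my @log = (
    '24-Jul-2023 10:31:02 %AAA-W-REJECT: New telnet connection, source 192.168.99.206 destination 192.168.99.101 REJECTED',
    '24-Jul-2023 10:31:05 %AAA-W-REJECT: New telnet connection, source 192.168.99.206 destination 192.168.99.101 REJECTED',
    '24-Jul-2023 10:31:08 %AAA-W-REJECT: New telnet connection, source 192.168.99.206 destination 192.168.99.101 REJECTED',
    '24-Jul-2023 10:32:10 %LINK-I-Up: gi1/0/5',
    '24-Jul-2023 10:33:41 %AAA-W-REJECT: New ssh connection, source 10.0.0.9 destination 192.168.99.101 REJECTED',
);

# Rejects from one source above this count are flagged for follow-up.
my $THRESHOLD = 3;

# Parse one log line. Returns a hashref for %AAA-W-REJECT events and
# undef for every other line.
sub parse_reject {
    my ($line) = @_;
    if ($line =~ /%AAA-W-REJECT:\s+New\s+(\w+)\s+connection,\s+source\s+(\S+)\s+destination\s+(\S+)\s+REJECTED/) {
        return { service => lc $1, source => $2, destination => $3 };
    }
    return;
}

# Count rejects keyed by "source -> destination (service)" and, separately,
# per source host, so a management station that keeps getting rejected
# stands out from one-off noise.
sub tally_rejects {
    my (@lines) = @_;
    my (%by_flow, %by_source);
    for my $line (@lines) {
        my $ev = parse_reject($line) or next;
        $by_flow{"$ev->{source} -> $ev->{destination} ($ev->{service})"}++;
        $by_source{ $ev->{source} }++;
    }
    return (\%by_flow, \%by_source);
}

my ($flows, $sources) = tally_rejects(@log);

print "Rejected connections by flow:\n";
for my $key (sort { $flows->{$b} <=> $flows->{$a} || $a cmp $b } keys %$flows) {
    printf "%4d  %s\n", $flows->{$key}, $key;
}

# A known backup host being rejected in a burst points at the session
# handling of the backup script; an unknown source warrants investigation.
for my $src (sort keys %$sources) {
    next if $sources->{$src} < $THRESHOLD;
    printf "NOTE: %s rejected %d times (threshold %d)\n", $src, $sources->{$src}, $THRESHOLD;
}
```

Run it against a copy of the switch log (replace the @log array with lines read from a file) while the backup script runs; if the only flagged source is the backup host and rejects line up with the script's connection attempts, the problem is in how the script's session is opened rather than in an unrelated access control.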

Hard to believe the problem could be the script if you can access the other switches. But I also have no idea what else could deny you access to the switch.

Me too, I have spent countless hours searching for what could be wrong in the switch. I even updated the firmware.

Thanks for answering though.

Hello,

I have read through the post and I have seen that you don't have RADIUS enabled. I don't know what exactly the command 'no aaa authentication dot1x default' disables, and if it is the same thing that Flavio showed on the screenshot, but you might want to run that command from the command line...

Hello Georg,

I have tried your suggestion, still no luck. Thank you for your time

Hello,

Annoying. What if you hard code the username/password/enable password? So instead of:

$session->login($user, $pass);

if ($session->enable($enable_pass)) {

use e.g. admin/admin/enable (your REAL usernames and passwords):

$session->login('admin', 'admin');

if ($session->enable('enable')) {