Thank you Richard.

I have another ASR1002-X to replace this week, if I can reproduce the issue, is it logical to assume that this is some kind of a bug?

If another ASR1002-X does show the same symptom it might point toward some type of bug. There are a number of things that we do not know about your situation which might be helpful to explore:

- is this a new config on a not used before router?

- or has this router been deployed for a while and then developed the symptom?

- if it has been deployed for a while were there any recent changes?

- was the attempt at access from a single host or did multiple hosts attempt access and experience the same problem?

HTH

Rick

-This config was previously used on an 1800 router, which was in production for years. I am migrating the config to this ASR and removing an intermediate ISP switch (connecting the ASR directly to 2 ISP last mile devices)

-The access was first performed with a local user during a maintenance window by one coworker. Later this behavior was confirmed by me (telneting a directly connected switch and then initiating another backward telnet to this same router. In that moment I thought that maybe such connections were not allowed, if you enter a directly connected device and then initate a telnet/ssh back to the original device, but it seems that it was not the case) Later, when the tacacs config was uploaded to router, the issue persisted. When you were introducing a tacacs username it would just not let you in.

The router was also rebooted, but the issue persisted until explicitly configured with exec command.

Thanks for the additional information. The config may have been used on 1800 router. But there is so much different between the code for 1800 and for ASR that we should consider this as a fresh config on not used before hardware. So there is not any consideration of whether there have been changes in a working config.

It is good to know that the symptoms were observed in attempts from multiple hosts. And to know that the router was rebooted but that did not affect the symptoms. It is interesting that the debug shows normal processing on the ASR for the attempt to SSH. If there had really been a "no exec"in the config then I would expect to see no SSH processing. So I continue to believe that something got out of sync and that configuring exec reset something and got it back into sync. Please do let us know if another ASR has the same symptoms.

HTH

Rick

I resolved the issue by looking for an ssh debug and googling it.

You know, when you explicitly configure no exec under line vty the ssh shows the same (that the session terminated normally)

I used this link

https://supportforums.cisco.com/t5/wan-routing-and-switching/telnet-ssh-not-working-strange/td-p/1498434

Anyway, I will have another window this week and see how another ASR behaves.

Thanks a lot Richard!!

In the link that you reference the issue clearly was that "no exec" was configured on the vty. That does not seem to be the case with your issue. Please do let us know what happens with your next ASR.

HTH

Rick 

Hello Richard,

I think it was my mistake. For some reason the ASR1002-X created:

line vty 0

no-exec

line vty 0 4

login local

transport input ssh

line vty 5 15

login local transport input ssh

Every new connection I was initiating was falling under vty 0 which had no-exec..

First I did line vty 1 15, exec, but that did not fix the issue (because vty 0 still had no-exec...)

I must have confused the line vty 0 with a case where for example you have 2 line consoles in a router, where the first one is where you are connected and the second one is disconnected..

Sorry for any confusion caused!