SSH connection not working on C9300 switch

JBlanchon
Level 1

Hello,

I can't connect remotely on the management VLAN on a C9300 switch (IOS version 16.9.5), and I really can't understand because it's the only device on this site with this issue...

When I try to SSH the device, I have a "connection refused by remote host" straight away. I can ping the switch just fine from the outside, I even tested to SSH from a device in the same location and the problem is the same, so this is not a routing issue.

The SSH config is OK, I have created an RSA key, the switch has a domain-name and "ip ssh version 2" is configured.

We are using only local user/passwords to connect, so this is not a RADIUS or TACACS issue as there are none configured. Also, there are no ACLs applied on the VTYs.

As it just wouldn't work with our standard AAA template, I had someone sent on site to log in via console, remove every AAA config and just follow this Cisco doc for the most stripped-down local AAA config: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/configuring_local_authentication_and_authorization.pdf

So now, my aaa config is:

aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common

And my VTY config has been stripped down as well, now it's only:

line vty 0 4
 transport input all
 transport input all

=> One thing that's bothering me: I tried to configure "login authentication default" in the line config; the command was accepted without any error message, but it doesn't show up when I do a show run.

The tech on site didn't have much time, so I couldn't have him run debugs and send me the captures.

Does anyone have any idea about what's going on? This is pretty frustrating, as the issue looks so simple, but I just can't understand why/where something so basic is failing.

Thank you,

Julien


balaji.bandi
Hall of Fame

Try the command below and let us know (I believe you have already created the crypto key and username):

line vty 0 4
 login local

or

line vty 0 15
 login local

If this is not working, post the complete config so we can understand.

BB

The original post shows that aaa new-model is configured. When this is configured then the behavior is the same as login local. Configuring that command is not needed. 

It would be helpful to see the output of show ip ssh on the device. Perhaps also helpful to use debug for ssh. 

HTH

Rick
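The show ip ssh check suggested above, worked through as an added example that is not from the thread or from Cisco: a small Python triage helper that parses constructed show ip ssh output (the samples are modelled on the IOS format, which is an assumption on my part) and reports whether the SSH server is actually listening, so an immediate "connection refused" can be traced to the RSA key pair or the SSH version before anyone spends time on AAA or the VTY lines.

```python
import re

# Constructed sample (assumption: modelled on the IOS "show ip ssh" format,
# not captured from the thread) for a switch whose RSA key pair is unusable.
SHOW_IP_SSH_DISABLED = """\
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication timeout: 120 secs; Authentication retries: 3
"""

# Constructed sample for a switch where "ip ssh version 2" is in effect.
SHOW_IP_SSH_ENABLED = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1
KEX Algorithms:diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
"""


def triage_show_ip_ssh(output: str) -> dict:
    """Classify 'show ip ssh' output and list what to fix before debugging AAA.

    Returns {'enabled': bool, 'version': str, 'findings': [str, ...]}.
    """
    state = re.search(r"^SSH (Enabled|Disabled) - version (\S+)", output, re.M)
    if not state:
        raise ValueError("does not look like 'show ip ssh' output")
    enabled = state.group(1) == "Enabled"
    version = state.group(2)
    findings = []
    if not enabled:
        # Nothing listens on TCP/22, so clients get "connection refused";
        # AAA and VTY settings are irrelevant until a usable key pair exists.
        findings.append("SSH server disabled: check 'ip domain-name' and "
                        "regenerate the key pair (crypto key generate rsa)")
    elif version != "2.0":
        findings.append(f"SSH version {version}: configure 'ip ssh version 2'")
    # Where the algorithm lines are present, flag lists that still offer SHA-1.
    for label in ("MAC", "KEX"):
        algs = re.search(rf"^{label} Algorithms:(.*)$", output, re.M)
        if algs and "sha1" in algs.group(1):
            findings.append(f"{label} list still offers SHA-1: {algs.group(1)}")
    return {"enabled": enabled, "version": version, "findings": findings}


if __name__ == "__main__":
    for sample in (SHOW_IP_SSH_DISABLED, SHOW_IP_SSH_ENABLED):
        print(triage_show_ip_ssh(sample))
```

Paste the real output of show ip ssh from the console session into triage_show_ip_ssh to get the same classification for a live switch.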

Hi Richard,

You were definitely on to something with the show ip ssh. I had a tech on site this morning, after a few tests we decided to re-generate the RSA key, and that fixed our issue.

As expected, it was a simple issue, I was just a bit too tired on Friday afternoon to get what was going wrong as fast as I should have.

Thank you!

Julien

Julien

Thanks for the update. Glad that my suggestion pointed you in the right direction. Happy that you got the issue solved. Thanks for sharing the solution with us.

HTH

Rick

Hiago Mendes
Level 1

For anyone with problems accessing via SSH, just use an updated version of PuTTY and regenerate a new RSA key too.

tzakis2003
Level 1

I do not understand why standard IOS releases seem to have caveats that prevent standard and known command lines from working. It is extremely frustrating. I too had this issue. We have a Catalyst routing a point-to-point and trunking to a 6500; we can SSH to the 6500 no problem. The commands as expected on both (access-class 99 in (network permitted), transport ssh in, transport out none)

work on all our other switches but not this one. It gets frustrating when you look at every little detail and spend so much time before going to a forum and seeing a workaround posted. Developers need to get online and make everything standard, or at least update the software command-line docs to assist customers.