Re: SSH for Cisco C9300 not working correctly

JeremyTenorio00381 · ‎03-02-2021

I'm having an issue where I attempted to use Putty to SSH into the switch and it would not even attempt to connect. However, I was able to connect from Solarwinds and for a short period of time Windows CMD via SSH into the switch. Solarwinds and CMD both logged in using local credentials on the switch. Fast forward over the weekend and CMD is no longer working but Solarwinds is. This is very confusing. Thanks for the help.

balaji.bandi · ‎03-02-2021

very strange, Do you have access to the console of the device. or can you able to pull the running-config from SolarWinds and post here.

also what you see on the switch logs, if you connect to console ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

JeremyTenorio00381 · ‎03-02-2021

BB,

aaa new-model
!
!
aaa authentication login default local
aaa authentication login no_authen none
aaa authentication login local_login local
aaa authentication login vty_login group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization exec no_authen none
aaa authorization exec local_login local
aaa authorization exec vty_login group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default stop-only group tacacs+

tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 XXXXXXXXX

ip tacacs source-interface Loopback0
ip ssh time-out 60
ip ssh version 2

line con 0
exec-timeout 15 0
stopbits 1
line vty 0 4
access-class 37 in
transport input ssh
transport output ssh
line vty 5 31
access-class 37 in
transport input ssh
transport output ssh

Another little bit of information, the access class "in" does include the PC I am trying to reach the switch from. I have also gone into the Windows registry editor and cleared out the previous ssh certificate for Putty software. The xxxx values above are for confidentiality but are correct information in my running config. IOS xe version 17.2..

balaji.bandi · ‎03-02-2021

thank you for the information : ( i am sure you able to ping the device ? yes or no ?)

can you post the below information : (along with Access-list 37) - what is the solar wind IP address? show log you see any information?

#show users

You also have AAA configuration - is your radius/tacacs working ? is this appearing after radius/tacacs config ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

JeremyTenorio00381 · ‎03-02-2021

No IPs on here...that should go without saying. Just trust that they are in the access list and yes I can ping across my network. The rest of my network works fine. Traffic is passing with no problems. Just SSH.

balaji.bandi · ‎03-02-2021

with this information still just puzzled - all of sudden all gone wrong. as you mentioned there no abnormal logs you noticed.

SolarWinds IP working, your PC in the same IP range does not work, feel me think twice before advise.

 sh ip ssh  - can give you more information

if you get a chance run the debug on the switch console for the SSH connections

or when you get a maintenance window restart the stack and test.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help