Beginner

SSH problem

Hello everyone, I write to you today for some assistance getting my management network to work properly.

I have 4 routers connected to a switch. All have SSH configured and I am able to reach them all from the switch via PuTTY. When I access them via PuTTY I am prompted for username and password, as it should be.

My problem is that I am unable to SSH from one device to another.

If I am in the switch (10.10.10.1) and try to SSH to one of the routers (10.10.10.5) using the following commands:

ssh -l username 10.10.10.5 (it doesn't work)

ssh 10.10.10.5 (since the username is the same for all devices; still doesn't work)

Any help would be great. Thank you.

1 ACCEPTED SOLUTION

Frequent Contributor

Re: SSH problem

Under your VTY lines, are you allowing the ability to be able to SSH from the device itself?

line vty 0 15
 transport output ssh


As others have said, potential ACLs?


14 REPLIES 14
Collaborator

Re: SSH problem

Hi,

 

What is the ssh configuration of the devices? Do you have access lists on the devices to restrict what addresses can ssh to the device?

 

Thanks

John

**Please rate posts you find helpful**
Collaborator

Re: SSH problem


Can you ping a device? Is the switch L2 type?
You do need ssh -l username ip address.

Besides username and password, you will need the following commands to be present:
hostname of a device set
ip domain name xxx
crypto key generate rsa usage-keys
- get at least 512 generated for SSH v1; 756 I think is min. for v2

ip ssh version 2
line vty 0 4
 transport input ssh
 password

VIP Mentor

Re: SSH problem

As you mentioned, you are able to SSH to the switches using PuTTY, so it is clear that you have SSH configured. (Still, below are the steps in case you missed any.)

config t
hostname XXX
ip domain-name bbandi.com  <<- change as per your requirement
crypto key generate rsa

1024 or higher is suggested.

Set up vty lines:

line vty 0 4
 transport input ssh
 login local
 password XXX

line con 0
 logging sync
 login local

username bbandi password bandib
enable secret trynewpassword

service password-encryption

Configure transport output also, to make connections out:

transport output ssh

Save the config and try from switch to switch.

If you have an issue, there may be an ACL set up (please post the complete configuration).

BB
*** Rate All Helpful Responses ***
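
The settings listed in the posts above can be checked offline against a saved running-config. The following is an added example, not part of the thread: the sample config is constructed, the function names are hypothetical, and it assumes the usual running-config layout where sub-commands are indented under `line vty`. The RSA key pair is not stored in the running-config, so it is not checked here.

```python
import re

SAMPLE_CONFIG = """\
hostname SW1
ip domain-name example.test
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 transport input telnet ssh
 transport output ssh
"""  # constructed sample, not the SW1 attachment from the thread

GLOBAL_CHECKS = [
    (r"^hostname \S+", "hostname not set"),
    (r"^ip domain[- ]name \S+", "ip domain-name not set"),
    (r"^ip ssh version 2\b", "ip ssh version 2 not configured"),
]

def parse_vty_blocks(config):
    """Map each 'line vty' range to its indented sub-commands (lower-cased)."""
    blocks, current = {}, None
    for raw in config.lower().splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line vty"):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.split())
        else:
            current = None  # any unindented line ends the vty block
    return blocks

def audit(config):
    """Return findings for the SSH settings discussed in the posts above."""
    findings = [m for p, m in GLOBAL_CHECKS if not re.search(p, config.lower(), re.M)]
    for rng, cmds in parse_vty_blocks(config).items():
        t_in = [c[2:] for c in cmds if c[:2] == ["transport", "input"]]
        t_out = [c[2:] for c in cmds if c[:2] == ["transport", "output"]]
        if t_in != [["ssh"]]:
            findings.append(f"vty {rng}: transport input is not ssh-only")
        if not t_out:
            findings.append(f"vty {rng}: transport output not set explicitly")
        elif not {"ssh", "all"} & set(t_out[-1]):
            findings.append(f"vty {rng}: transport output excludes ssh")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

A line without an explicit `transport output` falls back to the platform default, which is why the check reports it instead of assuming outbound SSH works.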
Beginner

Re: SSH problem

Can't believe I overlooked that one command "transport output ssh"; that is exactly what was missing. However, I am still having the same problem from one device: my management switch still can't establish an SSH connection with the other devices connected to it. I can initiate SSH connections from all other devices to each other but can't seem to get an outbound connection from this switch (C2950-24).
I tried with the console connection and with the mgmt RJ45 connection, to no avail.

I've attached the config for SW1, my management switch that is giving me the issue. Can someone take a look and see why I might be getting the error (bottom of document)?

Thanks in advance for your assistance.

Frequent Contributor

Re: SSH problem

I think this is related to the IOS version on that switch.
Notice it has K2 in the name,

flash:/c2950-i6k2l2q4-mz.121-22.EA7.bin

What is the output of show ip ssh from the management switch and also same command from a working switch?
Beginner

Re: SSH problem

Here are the results of the commands "sh ip ssh" and "sh ssh" on a switch and a router in the same network as the one that is not acting right.

HOME-SW-1#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
HOME-SW-1#
HOME-SW-1#
HOME-SW-1#sh ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN 3des-cbc hmac-sha1 Session started gmcclintock
0 2.0 OUT 3des-cbc hmac-sha1 Session started gmcclintock
%No SSHv1 server connections running.
HOME-SW-1#

HOME-SW-2#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
HOME-SW-2#

HOME-RTR-3#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDiOGyAPhtpudFT7G7+dai1Hk9/6T9NdJzZOkiBIc8l
bjvBcSvU2UG61rVJy6H4C8GQa0n8sHC65CpZpESS2PYGVuGukN3reTwHilduFI6j351CSEUFj0J1ixqM
lJ6/e/OXriopiGOQOBpnGKFgKjbVkJ5boT4qtUqdCdOSX4JYUw==
HOME-RTR-3#sh ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes128-cbc hmac-sha1 Session started gmcclintock
0 2.0 OUT aes128-cbc hmac-sha1 Session started gmcclintock
%No SSHv1 server connections running.
HOME-RTR-3#
Frequent Contributor

Re: SSH problem

I have looked at the Cisco Feature Navigator and your 2950 management switch IOS only supports the ability to be a version 1 SSH client. There also doesn't look to be a version of software available to change that for your model.
You could try allowing v1 on the other switches also, or if this is a lab environment allow telnet.
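
The client/server version mismatch described above is visible in the identification string each SSH server sends first (RFC 4253, section 4.2). The following is an added example, not part of the thread: the banners are constructed samples and the function names are hypothetical. It works out whether a client limited to SSH v1 can start a session against a v2-only, a compatibility-mode (1.99), or a v1-only server.

```python
import re
import socket

# RFC 4253 section 4.2 identification string: SSH-protoversion-softwareversion
ID_RE = re.compile(r"^SSH-(\d+)\.(\d+)-\S+")

# Constructed sample banners, one per server mode.
SAMPLE_BANNERS = {
    "v2-only": "SSH-2.0-Cisco-1.25",
    "v1-and-v2": "SSH-1.99-Cisco-1.25",
    "v1-only": "SSH-1.5-Cisco-1.25",
}

def server_versions(banner):
    """Protocol major versions a server offers, from its identification string."""
    m = ID_RE.match(banner.strip())
    if m is None:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    # 1.99 is the compatibility marker: an SSH-2 server that also accepts SSH-1.
    return {1, 2} if (major, minor) == (1, 99) else {major}

def negotiated_version(client_versions, banner):
    """Highest version both sides speak, or None if the session cannot start."""
    common = set(client_versions) & server_versions(banner)
    return max(common) if common else None

def read_banner(host, port=22, timeout=5.0):
    """Read the identification line from a device you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("r", encoding="ascii", errors="replace") as stream:
            for line in stream:  # servers may send other lines before "SSH-"
                if line.startswith("SSH-"):
                    return line.strip()
    raise ConnectionError("no SSH identification string received")

if __name__ == "__main__":
    for mode, banner in SAMPLE_BANNERS.items():
        print(f"v1-only client -> {mode}: {negotiated_version({1}, banner)}")
```

Enabling the 1.99 mode on the peers restores connectivity for a v1-only client at the cost of accepting SSH v1 sessions from anyone who can reach the vty lines.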
VIP Mentor

Re: SSH problem

Another suggestion: if SSH has difficulties, you can allow Telnet for the device IP only, with an ACL in place to secure the control plane. I understand some old devices still have old secure services.

BB
Beginner

Re: SSH problem

Well, that's a bummer... Anyway, thanks for the assist. I'll just replace the switch with one that supports SSH v2 and push forward, because I'm not a fan of telnet, so I'd rather not deal with it altogether.

Thanks again.

VIP Mentor

Re: SSH problem

Sure, that is a good move to migrate to a higher level, so the risk is lower. The suggestion was only made since some enterprises take a long time to get downtime to replace, and you would like to have access also.

 

BB
Beginner

Re: SSH problem

So as I understand it there is no IOS available that would allow ssh outbound connection?

I find this very hard to believe or strange at best. 

Frequent Contributor

Re: SSH problem

Hi
For your 2950, it can be an SSH v2 server but not a client, so you won't be able to utilise SSH v2 outbound.

Have a look here; it is very helpful and provides you all the info on features etc. for your IOS version, platform and available images.
https://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/index.jsp