Solved: SSH problem

gmcclintock · ‎07-06-2019

Hello everyone, I write to you today for some assistance getting my management network to work properly.

I have 4 routers connected to a switch all have ssh configured and I am able to reach them all from the switch via Putty. When I access them via putty I am prompted for username and password as it should.

my problem is that I am unable to ssh from one device to another

if I am in the switch (10.10.10.1) and try to ssh to one of the routers (10.10.10.5) using the following commands

ssh -l username 10.10.10.5 it doesn't work

ssh 10.10.10.5 since the username is the same for all devices still doesn't work

any help would be great. Thank you

GRANT3779 · ‎07-06-2019

Under your VTY lines, are you allowing the ability to be able to SSH from the device itself?

Line vty 0 15
Transport output SSH

As others have said, potential ACLs?

View solution in original post

johnd2310 · ‎07-06-2019

Hi,

What is the ssh configuration of the devices? Do you have access lists on the devices to restrict what addresses can ssh to the device?

Thanks

John

**Please rate posts you find helpful**

Martin L · ‎07-06-2019

can you ping a device? is switch L2 type?
you do need ssh -l username ip address

besides username and password, you will need following commands to be present:
hostname of a device set
ip domain name xxx
crypto key generate rsa usage-keys
- get at least 512 generated for ssh v1, 756 i think is min. for v2

ip ssh version 2
line vty 0 4
transport input ssh
password

balaji.bandi · ‎07-06-2019

As you mentioned you able to SSH to switches using Putty, this clear that you have SSH configured. (still below are the steps if you missed)

config t

hostname XXX

ip domain-name bbandi.com <<- change as per your requirement

crypto key generate rsa

1024 or higher is suggested.

Setup vty lines

line vty 0 4

transport input ssh

login local

paswword XXX

line con 0

logging sync

login local

username bbandi passwork bandib

enable secred trynewpassword

service password-encryption

configure tansport output also to make connection out

transport output ssh

save the config and try from switch to switch

if you have issue, there may be ACL Setup (please post the complete configuration).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

GRANT3779 · ‎07-06-2019

Under your VTY lines, are you allowing the ability to be able to SSH from the device itself?

Line vty 0 15
Transport output SSH

As others have said, potential ACLs?

gmcclintock · ‎07-07-2019

Can't believe I overlooked that one command "transport output ssh" that is exactly what was missing. However I am still having the same problem from one device, my management switch still can't establish ssh connection with the other devices connected to it. I can initiate ssh connection from all other devices to each other but can't seem to get an outbound connection from this switch (C2950-24)
I tried with console connection and with mgmt Rj45 connection to no avail.

I've attached the config for SW1 my management switch that is giving me the issue can someone take a look and see why I might be getting the error (bottom of document)

Thanks in advance for your assistance.

gmcclintock · ‎07-07-2019

Can't believe I overlooked that one command "transport output ssh" that is exactly what was missing. However I am still having the same problem from one device, my management switch still can't establish ssh connection with the other devices connected to it. I can initiate ssh connection from all other devices to each other but can't seem to get an outbound connection from this switch (C2950-24)
I tried with console connection and with mgmt Rj45 connection to no avail.

I've attached the config for SW1 my management switch that is giving me the issue can someone take a look and see why I might be getting the error (bottom of document)

Thanks in advance for your assistance.

GRANT3779 · ‎07-07-2019

I think this is related to the IOS version on that switch.
Notice is has K2 in the name,

flash:/c2950-i6k2l2q4-mz.121-22.EA7.bin

What is the output of show ip ssh from the management switch and also same command from a working switch?

gmcclintock · ‎07-07-2019

Here is the results of the command "sh ip ssh" and "sh ssh" on a switch that and a router in the same network as the one that is not acting right.

HOME-SW-1#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
HOME-SW-1#
HOME-SW-1#
HOME-SW-1#sh ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN 3des-cbc hmac-sha1 Session started gmcclintock
0 2.0 OUT 3des-cbc hmac-sha1 Session started gmcclintock
%No SSHv1 server connections running.
HOME-SW-1#

HOME-SW-2#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
HOME-SW-2#

HOME-RTR-3#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDiOGyAPhtpudFT7G7+dai1Hk9/6T9NdJzZOkiBIc8l
bjvBcSvU2UG61rVJy6H4C8GQa0n8sHC65CpZpESS2PYGVuGukN3reTwHilduFI6j351CSEUFj0J1ixqM
lJ6/e/OXriopiGOQOBpnGKFgKjbVkJ5boT4qtUqdCdOSX4JYUw==
HOME-RTR-3#sh ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes128-cbc hmac-sha1 Session started gmcclintock
0 2.0 OUT aes128-cbc hmac-sha1 Session started gmcclintock
%No SSHv1 server connections running.
HOME-RTR-3#

GRANT3779 · ‎07-07-2019

I have looked at the cisco feature navigator and your 2950 management sw ios only supports the ability to be a version 1 SSH client. Also doesn't look to be a version of software available to change that for your model.
You coud try allowing v1 on the other switches also or if this is a lab environment allow telnet.

balaji.bandi · ‎07-08-2019

Another suggestion, if ssh have difficulties, you can allow Telenet for the device IP only with ACL in place to secure the Control plane, i understand some old devices still have old secure services

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

gmcclintock · ‎07-08-2019

Well that's a bummer....anyway thanks for the assist I'll just replace the switch with one that supports ssh v2 and push forward because I'm not a fan of telnet so Id rather not deal with it altogether.

thanks again.

balaji.bandi · ‎07-08-2019

Sure that is good Move to migrate to higher level, so risk lowers, the suggest only made since some enterprise take long time to get down time to replace..and you would like to have access also.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

gmcclintock · ‎07-08-2019

So as I understand it there is no IOS available that would allow ssh outbound connection?

I find this very hard to believe or strange at best.

GRANT3779 · ‎07-08-2019

Hi
For your 2950 it can be a ssh v2 server but not client so you won't be able to utilise ssh v2 outbound.

Have a look here, it is very helpful and provide you all the info on features etc for your ios version, platform and available images.
https://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/index.jsp