Unable to SSH into router

Hi group,

I have a Cisco 2800 series router that I'm trying to set up for SSH access. The router is outside of the firewall. I've consoled in and set up SSH access and set up routing for return traffic. When I open a PuTTY session, I can connect and enter a username, but when I enter the password, the PuTTY session closes. Here's a snippet of the config:

line con 0
 exec-timeout 15 0
 password 7 046253483875666A5D
 login
line aux 0
line vty 0 4
 login local
 no exec
 transport input ssh
 transport output ssh
line vty 5 15
 login local
 transport input ssh
 transport output ssh
!

Thanks for any help.

Chris

9 Replies

Richard Burts
Hall of Fame

Chris

There is a potentially interesting issue here but not nearly enough information for us to be able to give you much help. The only conclusion I can draw from what you have posted is that the SSH sessions are coming in through vty 5 15 and not vty 0 4. But that does not explain the SSH behavior.

Since you have specified login local for the vty a good place to start would be with what users you have configured on the router and what parameters you have assigned to these users.

It might also be helpful to know what you have configured (or not configured) for aaa.

Since you are getting a login prompt it probably does indicate that SSH is correctly initiated, though the output of show ip ssh might be helpful. And the login prompt probably does indicate that it is not a routing issue.

HTH

Rick


Richard, I'm sure I had tried this before, but I removed the line vty configuration and all usernames, then reconfigured. Voila! It worked!

Thanks,

Chris

Chris

I am glad that you have solved your own problem. Thank you for posting back to the forum to tell us that it is fixed and what you did that had this result. We will not know exactly what the problem was, but we do know that when you removed it and re-configured it, something that had been out of sync with what you were doing to test became in sync. And the most important thing is that now SSH access is working.

HTH

Rick


All,

Funny thing, this exact problem happened to me. I had a 4331 router using AAA authenticating back to an ACS server. My SSH keys were correct; I even recreated the keys during troubleshooting. I was using ACLs to only allow certain subnets to SSH to the device and all of those were correct. I finally ended up using one of my Linux utility boxes to SSH into the router and the output would tell me that my SSH keys were incorrect and not to trust the device, but it still let me log in. I finally found in my vty line config that "no exec" was set for lines 0-4. I removed that and everything started working. Here is my vty line config now.

line vty 0
 session-timeout 10
 access-class ACL_VTY in vrf-also
 no activation-character
 transport preferred ssh
 transport input ssh
 transport output telnet ssh
 stopbits 1
line vty 1 4
 session-timeout 10
 access-class ACL_VTY in vrf-also
 transport preferred ssh
 transport input ssh
 transport output telnet ssh
line vty 5 15

-Brad
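As an added illustration (not code from Brad's or Chris's posts), here is a small Python audit that pulls the line vty blocks out of a saved IOS config and flags the "no exec" setting behind this thread, plus two other checks a practitioner would want on a vty (transport input restricted to ssh, and an access-class present). The sample config is constructed to mirror the snippet in the question.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the thread's snippet: vty 0 4 carries "no exec".
BROKEN_CONFIG = """\
line con 0
 exec-timeout 15 0
 login
line vty 0 4
 login local
 no exec
 transport input ssh
 transport output ssh
line vty 5 15
 login local
 transport input ssh
 transport output ssh
!
"""

def parse_vty_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line vty ...' block to its sub-commands. A block ends at the
    next 'line ...' stanza, a '!' separator or 'end', so an unindented paste
    (like the one in the question) is handled as well as an indented one."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        m = re.fullmatch(r"line vty (\d+(?: \d+)?)", cmd)
        if m:
            current = "vty " + m.group(1)
            blocks[current] = []
        elif cmd.startswith("line ") or cmd in ("!", "end"):
            current = None
        elif current is not None:
            blocks[current].append(cmd)
    return blocks

def audit_vty(config: str) -> Dict[str, List[str]]:
    """Flag, per vty block, the settings discussed in the thread."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_vty_blocks(config).items():
        issues = []
        if "no exec" in cmds:
            issues.append("no exec: no shell is started, so the session "
                          "drops right after a successful login")
        if "transport input ssh" not in cmds:
            issues.append("transport input is not restricted to ssh")
        if not any(c.startswith("access-class ") for c in cmds):
            issues.append("no access-class: every source may reach this vty")
        findings[name] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_vty(BROKEN_CONFIG).items():
        print(name, "->", issues or ["ok"])
```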

I kinda had the same exact issue.... but my problem was this "no exec" command that was in the VTY.... that fixed it

I am glad to know that you got your issue figured out and resolved. Certainly the "no exec" under the vty has potential to create problems.

HTH

Rick


Interesting. Is it working even though vty 0 4 have "no exec"? What's your purpose of having that in the first place?

Earlier you may have had all the available lines exhausted. Removing the configurations of the lines vty 5 15 would have the effect of clearing those lines thus making them available once the vty lines were recreated.

Marvin, I think that's what the problem was. I have no idea how 'no exec' got in there, and when I pasted that config into this thread, I thought..."Hmmm...". Seeing that pulled out of the rest of the config helped me to see things a little differently. I was looking hard at access-lists!

Chris

It is too bad that we will never know for sure what the problem was. But I think that if the problem had been with access lists that you would never have gotten the login prompt.

Marvin's suggestion that all vty lines were exhausted is an interesting possibility. My guess is that what was configured as user password was (slightly) different from what you were entering when you were attempting to login.

HTH

Rick
