12897 Views | 0 Helpful | 9 Replies

Unable to ssh to switches

Eric R. Jones
Level 4

Hello, we are running CISCOWorks 4.0 (LMS).

I can connect to and update the majority of my 3750s but I have about 20 that result in failure when attempting to update the image on those devices.

The return error is "SWIM50001: Cannot connect to the device "IPAddress" using SSH and TELNET." 

When running "sho ssh" you see a connection for the current ssh tectia login but nothing pointing to the ciscoworks device.

When I run "sho ssh" from a different device I see both connections, 1 from my desktop ssh connection and the other showing username of ciscoworks.

I ran the Discovery tool, again, but no joy.

I was looking for a manual way to add that connection but again nothing.

Anyone know how to make the ssh connection between ciscoworks and the edge device?

As I said I can ssh from my desktop and manage the box that way but ciscoworks simply won't allow it.

ej

9 Replies

Marvin Rhoads
Hall of Fame

Just a thought -

Could it be that those target devices have a smaller RSA key and are thus unable to log in using SSH v2? Your desktop client might allow v1/v2 selection based on key size but LMS is enforcing the longer key length required for v2.

Well now we have another issue with logins.

Starting at the beginning, I updated a single switch on Friday to 15.0.2 SE 1 and it returned to operational status and worked fine.

On Saturday I updated several other switches, all 3750s, to 15.0.2 SE 1 and some failed, some passed.

On Sunday I was able to access most of those switches via tectia ssh and ciscoworks with no issues.

Today, Monday, I'm unable to access the switches via ssh tectia using our tacacs+ login or the local login, either via the network or from consoling in with a laptop.

I remembered that the tacacs+ configuration was to change format in the future and after some googling came across the version number of 12.2(58)SE 1 as when the change was to take effect.

We were at 12.2(55)SE3 and went to 15.0.2 due to an IAVA that was issued.

I have tried to access using the default username/password and admin/default password but no joy.

I hadn't read any reports of issues with 15.0.2 in the IAVA or when ciscoworks selected 15.0.2 as the recommended upgrade so I went ahead with the upgrade.

Any ideas?

You know, after a bit more troubleshooting and some thought we are now looking to see if there is an expired license or key of some sort.

This is the exact type of action I would expect if something like that happened.

ej

What is the switch message when you try to log in via console? Console should at least give you some indication of what the IOS believes to be the issue.

Is it possible to power cycle one of the problem switches while connected via console and watching for report of issue during the IOS initialization process?

I eliminated the tacacs-server host settings and re-introduced them and found with 2 of the hosts I could login using my username/default password and en / default password without having to use en vi.

Eventually I narrowed it down to 2 hosts out of the 4 that forced me to use the default pword and en vi.

That meant tacacs was trying to authenticate with the proper pword but was failing.

I removed 2 and now I'm able to access 1 switch with my tacacs credentials.

Those other servers are causing an issue.

Shutting them down or just removing those IPs from the switches should fix this issue.

I'll see if this can be done via ciscoworks.

ej

Hello, is it possible to change the ssh key on a cisco switch without re-installing the current config?

I think the last time I had to make a change to the key I had to wipe the config and re-install it with the proper value 1024 or 2048 for the key size.

ej

You can delete and re-create an ssh key:

To delete the RSA key-pair, use the crypto key zeroize rsa global configuration command. Once you delete the RSA key-pair, you automatically disable the SSH server.

Source:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfssh.html
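As an added illustration of the zeroize-and-regenerate sequence quoted above (example commands, not from the original post or the linked guide; the hostname and domain name are placeholders), followed by the checks you would run before pointing LMS at the switch again:

```text
! Added example, not from the thread. Hostname and domain name are placeholders.
! IOS needs both before it can generate an RSA key pair; the pair is labelled
! <hostname>.<domain-name>.
configure terminal
 hostname SW-EXAMPLE
 ip domain-name example.invalid
 !
 ! Remove the existing key pair. This disables the SSH server until a new pair
 ! exists, so run it from the console rather than from an SSH session.
 crypto key zeroize rsa
 !
 ! Generate a new 2048-bit pair. SSHv2 needs a modulus of at least 768 bits;
 ! a shorter key leaves the switch able to negotiate only SSHv1, which is one
 ! way a management station that insists on v2 can fail where a desktop
 ! client that falls back to v1 succeeds.
 crypto key generate rsa modulus 2048
 !
 ! Accept only SSHv2 and limit login attempts.
 ip ssh version 2
 ip ssh authentication-retries 3
 ip ssh time-out 60
 line vty 0 15
  transport input ssh
 end
!
! Verify the modulus size and the SSH version the switch will negotiate.
show crypto key mypubkey rsa
show ip ssh
!
! Note: the "crypto pki certificate chain TP-self-signed-..." block seen on a
! working switch is the HTTPS server's self-signed certificate (created when
! "ip http secure-server" is enabled); it is not part of the SSH key pair, so
! its absence does not by itself explain an SSH failure.
```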

Well I removed the rsa keys and recreated them with modulus 2048.

I can ssh via tectia still but ciscoworks still won't update the ios.

I can view the switch through ciscoview in ciscoworks.

I'm using ssh version 2.

I did a comparison between the newly reconfigured switch and one I know works.

The working switch shows "crypto pki certificate chain TP-self-signed-"somevalues" and then several rows and columns of key values.

The switch I can't update does not show this.

After running the config script the output stated the keys were created but I'm not seeing them.

I'm assuming this is what is causing the ssh telnet rejection?

Well what do they tell you about assuming?

I reloaded the config on that switch from scratch and ran it up.

I'm still getting the same error, the keys are 2048 same as the other switches.

This was the latest config used on some recently deployed devices and they are upgradable via LMS so now I'm lost.

ej

Have you checked the device reachability via ssh in device center? Double-check the credentials.

If the credentials check out and ssh reachability fails, I'd do a packet capture while attempting a connectivity check to look for anything unusual.

Eric R. Jones
Level 4

Remove the current key information deliberately or reset the switch to factory defaults and re-install the config.