10-13-2012 03:26 PM
Hello, we are running CiscoWorks 4.0 (LMS).
I can connect to and update the majority of my 3750s, but I have about 20 that result in failure when attempting to update the image on those devices.
The return error is "SWIM50001: Cannot connect to the device "IPAddress" using SSH and TELNET."
When running "sho ssh" you see a connection for the current SSH Tectia login but nothing pointing to the CiscoWorks device.
When I run "sho ssh" from a different device I see both connections, one from my desktop SSH connection and the other showing a username of ciscoworks.
I ran the Discovery tool, again, but no joy.
I was looking for a manual way to add that connection but again nothing.
Anyone know how to make the SSH connection between CiscoWorks and the edge device?
As I said, I can SSH from my desktop and manage the box that way, but CiscoWorks simply won't allow it.
ej
10-14-2012 11:34 AM
Just a thought -
Could it be that those target devices have a smaller RSA key and are thus unable to log in using SSH v2? Your desktop client might allow v1/v2 selection based on key size, but LMS is enforcing the longer key length required for v2.
10-14-2012 10:39 PM
Well now we have another issue with logins.
Starting at the beginning: I updated a single switch on Friday to 15.0.2 SE 1 and it returned to operational status and worked fine.
On Saturday I updated several other switches, all 3750s, to 15.0.2 SE 1 and some failed, some passed.
On Sunday I was able to access most of those switches via Tectia SSH and CiscoWorks with no issues.
Today, Monday, I'm unable to access the switches via Tectia SSH using our TACACS+ login or the local login, either via the network or from consoling in with a laptop.
I remembered that the TACACS+ configuration was to change format in the future, and after some googling I came across the version number 12.2(58)SE 1 as when the change was to take effect.
We were at 12.2(55)SE3 and went to 15.0.2 due to an IAVA that was issued.
I have tried to access using the default username/password and admin/default password but no joy.
I hadn't read any reports of issues with 15.0.2 in the IAVA or when CiscoWorks selected 15.0.2 as the recommended upgrade, so I went ahead with the upgrade.
Any ideas?
You know, after a bit more troubleshooting and some thought we are now looking to see if there is an expired license or key of some sort.
This is the exact type of action I would expect if something like that happened.
ej
10-15-2012 03:28 AM
What is the switch message when you try to log in via console? Console should at least give you some indication of what the IOS believes to be the issue.
Is it possible to power cycle one of the problem switches while connected via console and watching for report of issue during the IOS initialization process?
10-15-2012 05:35 AM
I eliminated the tacacs-server host settings and re-introduced them, and found with 2 of the hosts I could log in using my username/default password and en / default password without having to use en vi.
Eventually I narrowed it down to 2 hosts out of the 4 that forced me to use the default pword and en vi.
That meant TACACS was trying to authenticate with the proper pword but was failing.
I removed 2 and now I'm able to access 1 switch with my TACACS credentials.
Those other servers are causing an issue.
Shutting them down or just removing those IPs from the switches should fix this issue.
I'll see if this can be done via CiscoWorks.
ej
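The following is an added IOS configuration example, not something posted in this thread, illustrating the AAA layout the post above is troubleshooting: a list of TACACS+ servers with a local-database fallback, plus the exec commands for checking which server is actually answering. Server addresses, the shared key, the username and the secrets are placeholders.

```cisco
! Constructed example: two TACACS+ servers (placeholder addresses and key)
aaa new-model
tacacs-server host 192.0.2.10 key TACACS-KEY-PLACEHOLDER
tacacs-server host 192.0.2.11 key TACACS-KEY-PLACEHOLDER
!
! Fall back to the local user database only when every TACACS+ server is
! unreachable. A server that is reachable but REJECTS the login does not
! trigger the fallback, which is why one misbehaving server in the list can
! lock out valid TACACS+ credentials on the whole switch.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
username admin privilege 15 secret LOCAL-SECRET-PLACEHOLDER
enable secret ENABLE-SECRET-PLACEHOLDER
!
! Verification from exec mode (run from the console while testing):
!   show tacacs                 - per-server reachable/failed counters
!   test aaa group tacacs+ admin PASSWORD-PLACEHOLDER legacy
!                               - sends a real authentication request so you
!                                 can see which server rejects or times out
```

Testing each server with `test aaa group tacacs+` from the console, before pulling any `tacacs-server host` line, shows whether a server is timing out (which would fall through to `local`) or returning a reject (which will not).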
10-16-2012 11:03 PM
Hello, is it possible to change the SSH key on a Cisco switch without re-installing the current config?
I think the last time I had to make a change to the key I had to wipe the config and re-install it with the proper value 1024 or 2048 for the key size.
ej
10-17-2012 06:30 AM
You can delete and re-create an SSH key:
To delete the RSA key-pair, use the crypto key zeroize rsa global configuration command. Once you delete the RSA key-pair, you automatically disable the SSH server.
Source:
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfssh.html
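As an added example (not from the thread or the linked Cisco guide), here is the sequence the answer above describes, carried through to a 2048-bit key with SSH version 2 enforced, together with the show commands for confirming the result. Hostname and domain name are placeholders; the key label IOS derives from them is shown only as a comment.

```cisco
! Constructed example: regenerate the SSH host key in place, no config wipe.
! Do this from the console: 'crypto key zeroize rsa' disables the SSH server
! until a new key exists, so an SSH session would drop itself here.
configure terminal
 hostname SWITCH-PLACEHOLDER
 ip domain-name example.net
 ! Remove the old (possibly too-short) RSA key pair
 crypto key zeroize rsa
 ! Generate a new key pair; 2048 bits satisfies SSHv2 clients and managers
 crypto key generate rsa modulus 2048
 ip ssh version 2
 ip ssh time-out 60
 ip ssh authentication-retries 3
 line vty 0 15
  transport input ssh
 end
write memory
!
! Verification:
!   show ip ssh                 - 'SSH Enabled - version 2.0'
!   show crypto key mypubkey rsa - key label (e.g. SWITCH-PLACEHOLDER.example.net)
!                                  and 'Key type: RSA KEYS', 2048 bits
!   show ssh                    - active sessions, one per connected client
```

After regenerating, every client and management station that cached the old host key (including an LMS server) will see a host-key mismatch on the next connection and may refuse to connect until the stored key is cleared or re-accepted. Note also that `show crypto key mypubkey rsa` is the place to look for the SSH key; the `crypto pki certificate chain TP-self-signed-...` block mentioned later in the thread is the trustpoint for the HTTPS server and is independent of SSH.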
10-18-2012 07:52 PM
Well, I removed the RSA keys and recreated them with modulus 2048.
I can SSH via Tectia still, but CiscoWorks still won't update the IOS.
I can view the switch through CiscoView in CiscoWorks.
I'm using SSH version 2.
I did a comparison between the newly reconfigured switch and one I know works.
The working switch shows "crypto pki certificate chain TP-self-signed-"somevalues" and then several rows and columns of key values.
The switch I can't update does not show this.
After running the config script the output stated the keys were created, but I'm not seeing them.
I'm assuming this is what is causing the SSH/Telnet rejection?
Well what do they tell you about assuming?
I reloaded the config on that switch from scratch and ran it up.
I'm still getting the same error; the keys are 2048, same as the other switches.
This was the latest config used on some recently deployed devices and they are upgradable via LMS, so now I'm lost.
ej
10-19-2012 05:58 AM
Have you checked the device reachability via SSH in Device Center? Double-check the credentials.
If the credentials check out and SSH reachability fails, I'd do a packet capture while attempting a connectivity check to look for anything unusual.
01-21-2014 11:55 AM
Remove the current key information deliberately, or reset the switch to factory defaults and re-install the config.