11-17-2022 01:34 PM
Hi,
We suddenly lost the ability to use SSH to remotely connect to a router (ISR 4331). It just says connection refused, either via Putty, or Win command line, Powershell, etc. The router itself is still up and functioning, and the other connected network equipment is available to SSH into. Nothing should've changed on the configuration that would make this happen that I know of. The strange thing is I can still get in via direct console cable or even the management IP on a browser.
Could it maybe have something to do with vty line configuration? I didn't see anything unusual in the config when I looked at it.
11-17-2022 02:17 PM - edited 11-17-2022 02:18 PM
The crypto key got zeroized, an ACL, a firmware bug, or the VTY settings disabled SSH.
11-17-2022 02:31 PM - edited 11-18-2022 12:00 AM
Did you change the DNS domain?
11-18-2022 07:16 AM
The suggestion of a change in domain name is interesting. That is one of several things that could make the RSA key invalid, which would deny SSH access. There are a few other things which could impact the RSA key. Would you post the output of show ip ssh?
Has there been an upgrade to the code on the router recently? Some new versions of code change the algorithms that are acceptable for SSH.
If neither of these possible issues turn out to be the cause of the problem then I suggest that you enable debug for SSH, attempt SSH access, and post the debug output.
11-18-2022 08:47 AM
Hi, here is the show ip ssh output:
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): RTR_BranchOffice.contoso.com
ssh-rsa AAAAB3NzaC1yz2EAAAADAQABAAAAgQCYInOlpRQUtrAW0rswiiSpa5UTGBzBmvsQXYII4eW0
NCHCh9q+FxJHmL40rkaV1Qd+/OwjgwMBcVpp+Qhen9R4/wn7a7g+026qd02jhiJ53vZvPEw+/1ExPTLp
gq8XPmzTsq4ak5jp5pkXRWNPFqG6DSssnBPLfzYH/LAFFfSDIw==
Also, I did enable ssh debugging and tried to SSH in via several ways, but got no messages on the router's console oddly.
Now I noticed the web interface at the router's IP no longer works. But I can still ping it.
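The output above is the thing worth reading carefully: it says the SSH server is up and which algorithms it will accept, so a client-side "connection refused" (a TCP reset, before any SSH banner) cannot be an SSH algorithm mismatch, which would fail later with a clear "no matching host key type" or similar message. The script below is an added example, not part of the thread and not Cisco tooling: it parses `show ip ssh` text and reports the enabled/version state plus the legacy algorithms a current OpenSSH client no longer accepts by default. The sample input is the output posted above with the public-key block removed, the algorithm classes are an assumption about current OpenSSH defaults, and the `ip ssh dh min size` remediation is the standard IOS command.

```python
import re
from typing import Dict, List

# Constructed sample input (not a fresh capture): the 'show ip ssh' output
# posted above, minus the public-key block, which the checks below do not use.
SAMPLE_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""

# Algorithm classes the audit flags. Assumption: these track what current
# OpenSSH clients disable by default (ssh-rsa signatures since 8.8, CBC
# ciphers and truncated MACs before that); adjust to local policy.
SHA1_HOSTKEY_SIGS = {"ssh-rsa", "x509v3-ssh-rsa"}
LEGACY_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
LEGACY_MACS = {"hmac-sha1-96", "hmac-md5", "hmac-md5-96"}
MIN_DH_BITS = 2048

_LISTS = {
    "hostkey": "Hostkey Algorithms:",
    "ciphers": "Encryption Algorithms:",
    "macs": "MAC Algorithms:",
}


def parse_show_ip_ssh(text: str) -> Dict[str, object]:
    """Turn 'show ip ssh' text into a dict of the fields the audit needs."""
    info: Dict[str, object] = {"enabled": False, "version": None, "dh_min_bits": None}
    for key in _LISTS:
        info[key] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"SSH (Enabled|Disabled)(?: - version ([\d.]+))?", line)
        if m:
            info["enabled"] = m.group(1) == "Enabled"
            info["version"] = m.group(2)
            continue
        for key, prefix in _LISTS.items():
            if line.startswith(prefix):
                info[key] = [a.strip() for a in line[len(prefix):].split(",") if a.strip()]
        m = re.search(r"Diffie Hellman key size\s*:\s*(\d+)\s*bits", line)
        if m:
            info["dh_min_bits"] = int(m.group(1))
    return info


def audit(info: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    if not info["enabled"]:
        # No server at all: RSA key zeroized / domain-name changed / 'ip ssh' never set.
        findings.append("SSH is disabled: regenerate the RSA key after checking ip domain-name")
        return findings
    if info["version"] != "2.0":
        findings.append(f"SSH version is {info['version']}; configure 'ip ssh version 2'")
    hostkey = set(info["hostkey"])
    if hostkey and hostkey <= SHA1_HOSTKEY_SIGS:
        findings.append("host-key signatures limited to ssh-rsa (SHA-1); "
                        "OpenSSH 8.8+ clients need HostKeyAlgorithms=+ssh-rsa to connect")
    weak = sorted(set(info["ciphers"]) & LEGACY_CIPHERS)
    if weak:
        findings.append("legacy ciphers offered: " + ",".join(weak))
    weak = sorted(set(info["macs"]) & LEGACY_MACS)
    if weak:
        findings.append("legacy MACs offered: " + ",".join(weak))
    if info["dh_min_bits"] is not None and info["dh_min_bits"] < MIN_DH_BITS:
        findings.append(f"minimum DH size {info['dh_min_bits']} bits; "
                        f"set 'ip ssh dh min size {MIN_DH_BITS}'")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_ip_ssh(SAMPLE_SHOW_IP_SSH)):
        print("-", finding)
```

Run against the posted output it reports four findings (SHA-1-only host-key signatures, CBC/3DES ciphers, hmac-sha1-96, and a 1024-bit DH minimum), none of which would produce "connection refused". That narrows the problem to something in front of the SSH process: a vty `access-class`, a control-plane policy, or the transport input settings. It also explains a silent `debug ip ssh`: a connection reset by an ACL never reaches the SSH code, so there is nothing to debug, quite apart from the console logging level.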
11-18-2022 10:44 PM
Thanks for the additional information. The output of show ip ssh does confirm that ssh is enabled (and requires version 2). It is good to know that. Thanks for trying debug. The lack of output on the console is disappointing and raises the question of the logging level for the console. It is fairly common to configure the logging level of console so that debug is not displayed. The first page or two of output of the command show log would provide information about that. Given that we know that ssh is enabled I do not see any benefit from generating a new RSA key.
It is interesting that the web interface no longer works. It might or might not relate to problems with ssh. Could you post the output of the command show run | inc http?
11-21-2022 08:17 AM
Actually, I figured it out. Apparently another team member slipped in an ACL as an added security measure but didn't tell us and also didn't explicitly add an exception for our subnet. Although I might want to just use a static IP and only exempt that, to be safer. He also turned off http/https, so that accounts for the web UI. Sorry for the sort of "false alarm" here. Although what you said about the debugging level for SSH is useful, and I will look into adjusting that as necessary for future occasions.
Thanks again.
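The root cause here is a standard ACL applied with `access-class ... in` on the vty lines that had no entry for the admin subnet, so the implicit `deny any` at the end rejected the session. Working out which entry matches is wildcard-mask arithmetic, and it is easy to get wrong by hand. The following is an added example, not from the thread: a small evaluator for IOS standard ACLs (`permit`/`deny` with `any`, `host`, or network plus wildcard, first match wins, implicit deny at the end) applied to a "before" ACL that omits the admin host and an "after" ACL that exempts it. The ACL name `VTY-MGMT`, the 10.0.0.0/24 management range and the 192.0.2.10 jump host are placeholders chosen for the example, not the poster's addressing.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed example config (placeholder addresses): a standard ACL applied
# inbound on the vty lines with 'access-class VTY-MGMT in'. The admin host
# 192.0.2.10 is outside the permitted range, so it hits the final deny.
ACL_BEFORE = """\
ip access-list standard VTY-MGMT
 permit 10.0.0.0 0.0.0.255
 deny any log
"""

# The same ACL with an explicit exception for the admin host placed first.
ACL_AFTER = """\
ip access-list standard VTY-MGMT
 permit host 192.0.2.10
 permit 10.0.0.0 0.0.0.255
 deny any log
"""

# (action, network as int, match mask as int). The mask is the inverse of the
# IOS wildcard: a 0 wildcard bit means that address bit must match.
Entry = Tuple[str, int, int]


def parse_standard_acl(text: str) -> List[Entry]:
    """Parse the ACEs of an IOS standard ACL; non-ACE lines are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] not in ("permit", "deny"):
            continue
        action = parts[0]
        if parts[1] == "any":
            net, wildcard = 0, 0xFFFFFFFF
        elif parts[1] == "host":
            net, wildcard = int(ipaddress.IPv4Address(parts[2])), 0
        else:
            net = int(ipaddress.IPv4Address(parts[1]))
            # 'permit A.B.C.D' with no wildcard is a host entry in IOS.
            has_wild = len(parts) > 2 and parts[2] != "log"
            wildcard = int(ipaddress.IPv4Address(parts[2])) if has_wild else 0
        mask = ~wildcard & 0xFFFFFFFF
        entries.append((action, net & mask, mask))
    return entries


def evaluate(entries: List[Entry], src: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching ACE) using first-match semantics.

    index None means no ACE matched and the implicit 'deny any' applied.
    """
    ip = int(ipaddress.IPv4Address(src))
    for idx, (action, net, mask) in enumerate(entries):
        if ip & mask == net:
            return action, idx
    return "deny", None


if __name__ == "__main__":
    for label, cfg in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        acl = parse_standard_acl(cfg)
        for src in ("192.0.2.10", "10.0.0.77", "10.0.1.5"):
            action, idx = evaluate(acl, src)
            where = f"ACE {idx}" if idx is not None else "implicit deny"
            print(f"{label}: {src} -> {action} ({where})")
```

Two practical points follow from the evaluator. First, `show run | section line vty` and `show access-lists` are the places to look when SSH is refused but `show ip ssh` says the server is enabled, because the vty ACL is consulted before the SSH process ever sees the connection. Second, keeping a `log` keyword on the final deny means the rejected attempts show up in `show log`, so the next person to hit this sees an ACL denial rather than an unexplained reset.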
11-21-2022 08:52 AM
Thanks for the update. Glad that you figured out the issue and have addressed it.
11-18-2022 09:07 AM
Just rekey it. Make sure you still have ip domain-name in there: crypto key generate rsa
I go with 2048 when I feel saucy. Otherwise 1024 is sufficient.