What can cause you to be unable to SSH into a router anymore?

InquiringTech
Level 1

Hi,

We suddenly lost the ability to use SSH to remotely connect to a router (ISR 4331). It just says connection refused, either via Putty, or Win command line, Powershell, etc. The router itself is still up and functioning, and the other connected network equipment is available to SSH into. Nothing should've changed on the configuration that would make this happen that I know of. The strange thing is I can still get in via direct console cable or even the management IP on a browser.

Could it maybe have something to do with vty line configuration? I didn't see anything unusual in the config when I looked at it.

8 Replies

Leo Laohoo
Hall of Fame

The crypto key got zeroized, an ACL, a firmware bug, or VTY settings disabled SSH.

Did you change the DNS domain?

The suggestion of a change in domain name is interesting. That is one of several things that could make the RSA key invalid, which would deny SSH access. There are a few other things which could impact the RSA key. Would you post the output of show ip ssh?

Has there been an upgrade to the code on the router recently? Some new versions of code change the algorithms that are acceptable for SSH.

If neither of these possible issues turns out to be the cause of the problem, then I suggest that you enable debug for SSH, attempt SSH access, and post the debug output.

HTH

Rick

Hi, here is the show ip ssh output:

SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): RTR_BranchOffice.contoso.com
ssh-rsa AAAAB3NzaC1yz2EAAAADAQABAAAAgQCYInOlpRQUtrAW0rswiiSpa5UTGBzBmvsQXYII4eW0
NCHCh9q+FxJHmL40rkaV1Qd+/OwjgwMBcVpp+Qhen9R4/wn7a7g+026qd02jhiJ53vZvPEw+/1ExPTLp
gq8XPmzTsq4ak5jp5pkXRWNPFqG6DSssnBPLfzYH/LAFFfSDIw==

Also, I did enable ssh debugging and tried to SSH in via several ways, but got no messages on the router's console oddly.

Now I noticed the web interface at the router's IP no longer works. But I can still ping it.

Thanks for the additional information. The output of show ip ssh does confirm that ssh is enabled (and requires version 2). It is good to know that. Thanks for trying debug. The lack of output on the console is disappointing and raises the question of the logging level for the console. It is fairly common to configure the logging level of console so that debug is not displayed. The first page or two of output of the command show log would provide information about that. Given that we know that ssh is enabled I do not see any benefit from generating a new RSA key.

It is interesting that the web interface no longer works. It might or might not relate to problems with ssh. Could you post the output of the command show run | inc http?

HTH

Rick

Actually, I figured it out. Apparently another team member slipped in an ACL as some added security measure but didn't tell us and also didn't explicitly add an exception for our subnet. Although I might want to just use a static IP and only exempt that to be safer. He also turned off http/https, so that accounts for the web UI. Sorry for the sort of "false alarm" here. Although what you said about the debugging level for ssh is useful and I will look into adjusting that as necessary for future occasions.

Thanks again.
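
Added example, not taken from the thread or from Cisco's documentation: an IOS vty access-class of the kind that caused this lockout, shown next to a version that keeps the admin subnet permitted and logs denied attempts, followed by the console logging level Rick raised. The ACL names, the 10.10.20.0/24 admin subnet and the 10.10.99.5 host are constructed placeholders; the hostname and domain are the ones visible in the show ip ssh output above.

```cisco
! --- What locked the OP out: an access-class whose only permit does not
!     cover the admin subnet. Anything not permitted is implicitly denied,
!     so SSH clients see "connection refused" while console access still works.
ip access-list standard VTY-MGMT-BROKEN
 permit 10.10.99.5
!
! --- Corrected version: permit the admin subnet (or a single static admin
!     host, as the OP considers), then log everything else so the next
!     blocked connection shows up in "show logging" instead of looking like
!     a mystery.
ip access-list standard VTY-MGMT
 permit 10.10.20.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class VTY-MGMT in
 transport input ssh
 login local
!
! --- SSH prerequisites the replies mention: the RSA key is named after
!     hostname + ip domain-name, so changing either means generating a new key.
hostname RTR_BranchOffice
ip domain-name contoso.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
! --- Why "debug ip ssh" printed nothing on the console: console logging is
!     commonly left below the debugging level. Raise it while troubleshooting,
!     or use "terminal monitor" from a vty session instead.
logging console debugging
!
! --- Verification from exec mode
!   show ip ssh
!   show access-lists VTY-MGMT        (match counters on the deny line show blocked clients)
!   show run | section line vty
!   show logging
```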

Thanks for the update. Glad that you figured out the issue and have addressed it.

HTH

Rick

MrButton
Level 1

Just rekey it. Make sure you still have ip domain-name in there. crypto key generate rsa

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe-3se-3850-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_0110.pdf

I go with 2048 when I feel saucy. Otherwise 1024 is sufficient
