Why workstation can't SSH into device, though other boxes can?

Hello.

Workstation1 <==> 9300-stack <==> ROUTER1 <==many hops==> Router5 172.16.3.3

1. ROUTER1 can SSH into Router5
2. 9300-stack cannot SSH into Router5
3. Workstation1 cannot SSH into Router5

-Workstation1 CAN SSH into many devices in Enterprise, so #2 is probably irrelevant, but please elaborate on that point as well.

9300-stack#ssh 172.16.3.3
[Connection to 172.16.3.3 aborted: error status 0]

Why can't Workstation1 SSH into Router5 ?

Thank you?


follow........

balaji.bandi
Hall of Fame

[Connection to 172.16.3.3 aborted: error status 0]

- This looks to me like a reachability or routing issue.

What is the IP address of the Cat 9K?

Check that Router 5 and Router 1 have a route back to the switch IP address.

Try traceroute from the Cat 9K switch to 172.16.3.3.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Your reply came in right when I was editing, so please view again. Thank you!

9300-stack - so the issue is that you are not able to SSH to the router from the switch, and you are able to do so from the workstation.

What is the IP address of the Cat 9K?

Try traceroute from the Cat 9K switch to 172.16.3.3.

Can I view the configuration? Check whether the VTY lines have transport output configured. What SSH version are you using?

EDIT: When you try SSH from the switch, what logs do you see on the router?

BB


Hello,

Post a diagram of your topology including relevant IP addressing.

Richard Burts
Hall of Fame

When SSH does not work one likely explanation is an issue with IP connectivity. But pretty clearly that is not an issue here. Another likely explanation is that configuration of the remote device does not allow connection from this source IP (access-class configured). But clearly that is not the issue here.

Given the error message "Connection to 172.16.3.3 aborted: error status 0" I wonder if the issue might be related to mismatch of encryption algorithms required by destination and what is available on source?

HTH

Rick

Updated info below.

How do I enable connectivity from Workstation 1 to ROUTER5? What commands do I input?

Thank you.

-------------

Workstation1 172.16.1.77 <==> 9300-SWITCH 172.16.1.1 <==> ROUTER1 172.16.1.9 <==many hops==> ROUTER5 172.16.3.3

1. Workstation1    cannot SSH into ROUTER5
2. 9300-SWITCH cannot SSH into ROUTER5      **2** (maybe 9300-SWITCH cannot SSH into anything.)
3. ROUTER1         can     SSH into ROUTER5

4. ROUTER5         can     SSH into 9300-switch-stack
5. 9300-SWITCH cannot SSH into ROUTER1      **5** (maybe 9300-SWITCH cannot SSH into anything.)
6. Workstation1   can      SSH into all devices but ROUTER5
---

9300-SWITCH#sh ip int br
Interface IP-Address
Vlan8 172.16.1.1

**2** 9300-SWITCH#ssh 172.16.3.3
[Connection to 172.16.3.3 aborted: error status 0]

**5** 9300-SWITCH#ssh 172.16.1.9
[Connection to 172.16.1.9 aborted: error status 0]
=====

9300-SWITCH#sh ssh
Connection Version Mode Encryption Hmac
0 2.0 IN aes128-ctr hmac-sha2-256
0 2.0 OUT aes128-ctr hmac-sha2-256

ROUTER1#sh ssh
Connection Version Mode Encryption Hmac
1 2.0 IN aes256-ctr hmac-sha1
1 2.0 OUT aes256-ctr hmac-sha1

ROUTER5#sh ssh
Connection Version Mode Encryption Hmac
0 2.0 IN aes256-ctr hmac-sha1
0 2.0 OUT aes256-ctr hmac-sha1
=====

9300-SWITCH#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,x509v3-ecdsa-sha2-nistp256,x509v3-ecdsa-sha2-nistp384,x509v3-ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-2113934893

ROUTER1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes256-ctr
MAC Algorithms:hmac-sha1
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-770071026

ROUTER5#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes256-ctr
MAC Algorithms:hmac-sha1
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): ROUTER5.mycompany.org
Modulus Size : 2048 bits
==

You need to add the required cipher for this to work.

Download the latest PuTTY version on the Windows workstation and test it.

Router 5 has older ciphers.

BB

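The algorithm-mismatch theory raised in the replies can be checked directly against the `show ip ssh` output posted above. The following is an added example, not code from any poster or from Cisco: it parses the algorithm lines for 9300-SWITCH and ROUTER5 (ROUTER1 lists the same algorithms as ROUTER5) and applies a simplified SSH-2 selection rule per category. It assumes the lists shown are the ones each device uses in the role compared (switch as client, ROUTER5 as server); IOS keeps separate client and server algorithm settings, so confirm against the running configuration.

```python
import re

# `show ip ssh` algorithm lines copied from the thread (9300-SWITCH and ROUTER5).
SWITCH = """\
Hostkey Algorithms:x509v3-ssh-rsa,rsa-sha2-512,rsa-sha2-256,ssh-rsa
Encryption Algorithms:aes128-gcm,aes256-gcm,aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-512
KEX Algorithms:ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
"""
ROUTER5 = """\
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes256-ctr
MAC Algorithms:hmac-sha1
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
"""

CATEGORIES = ("Hostkey", "Encryption", "MAC", "KEX")
# Anchored at line start so "Authentication Publickey Algorithms" is ignored.
LINE = re.compile(r"^\s*(Hostkey|Encryption|MAC|KEX) Algorithms\s*:\s*(\S+)\s*$")

def parse_show_ip_ssh(text):
    """Return {category: [algorithms in listed order]} from `show ip ssh` output."""
    algs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            algs[m.group(1)] = [a for a in m.group(2).split(",") if a]
    return algs

def negotiate(client, server):
    """Per category, the first client-listed algorithm the server also lists
    (simplified form of RFC 4253 section 7.1), or None if nothing is shared."""
    result = {}
    for cat in CATEGORIES:
        offered = set(server.get(cat, []))
        result[cat] = next((a for a in client.get(cat, []) if a in offered), None)
    return result

def mismatches(client, server):
    """Categories with no common algorithm; any one of them aborts the handshake."""
    return [cat for cat, alg in negotiate(client, server).items() if alg is None]

if __name__ == "__main__":
    sw, r5 = parse_show_ip_ssh(SWITCH), parse_show_ip_ssh(ROUTER5)
    for cat, alg in negotiate(sw, r5).items():
        print(f"{cat:<10} {alg or 'NO COMMON ALGORITHM'}")
```

On the posted output, host key, encryption and KEX each have a shared algorithm; the MAC list is the only category with none (`hmac-sha1` on ROUTER5 versus the SHA-2 MACs on the switch).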
