
Failed to connect to device x : connection refused: SSH authentication failed in new state

Hi all,

Has anyone encountered this error?

Failed to connect to device x : connection refused: SSH authentication failed in new state

Just added a new XR device; it was able to fetch SSH keys but got the above error when trying a sync-from for the first time.

 

Thanks

Regards

Yale

2 Accepted Solutions

Response from TAC

Do you have any special symbols in the user password for the device? If yes, try to set up the authgroup with the password in quotes, like in the example below:

Yale, so far, no other suggestions. Action Plan is:

  1. try to use quotes around the password
  2. collect raw traces if quotes won’t help

I have played in the lab a bit with my virtual CSR device. Another option is to escape all the special characters, instead of putting quotes around the password. Example:

 

admin@ncs(config)# devices authgroups group default umap admin remote-name admin remote-password admin\"\!\@\#\%\^\&\*\(\)\_\+

admin@ncs(config-umap-admin)# commit

Commit complete.

admin@ncs(config-umap-admin)# devices device CSR-REAL sync-from

result true


Putting quotes around, no " in the password

   admin@ncs(config)# devices authgroups group default umap admin remote-name admin remote-password "admin!@#%^&*()<>;:'[]{}-="

   admin@ncs(config-umap-admin)# commit

   Commit complete.

   admin@ncs(config-umap-admin)# devices device CSR-REAL sync-from

  result true

 

The only exception I found is if the password has " and \. In this case, quoting the password won’t work and only escaping the characters helps.

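The quoting and escaping rules from the two accepted solutions above, as an added example (not code from the thread or from Cisco). The function names are hypothetical, and rejecting whitespace and control characters is an assumption, since the thread does not show how the CLI treats them.

```python
import string

# Characters that need no protection; everything else counts as "special".
_PLAIN = set(string.ascii_letters + string.digits)


def ncs_cli_password_token(password: str) -> str:
    """Return the password as it would be typed after `remote-password`."""
    if not password:
        raise ValueError("empty password")
    if any(ch.isspace() or not ch.isprintable() for ch in password):
        # Assumption: the thread shows no such characters, so refuse to guess.
        raise ValueError("whitespace or control character in password")
    if all(ch in _PLAIN for ch in password):
        return password
    if '"' not in password and "\\" not in password:
        # Per the thread: quotes are enough unless the password has " or \.
        return f'"{password}"'
    # Per the thread: otherwise backslash-escape every special character.
    return "".join(ch if ch in _PLAIN else "\\" + ch for ch in password)


def authgroup_command(group: str, local_user: str,
                      remote_name: str, password: str) -> str:
    """Build the authgroup line in the form used in the thread."""
    return (f"devices authgroups group {group} umap {local_user} "
            f"remote-name {remote_name} remote-password "
            f"{ncs_cli_password_token(password)}")


if __name__ == "__main__":
    # The two lab passwords quoted in the thread.
    for pw in ('admin"!@#%^&*()_+', "admin!@#%^&*()<>;:'[]{}-="):
        print(authgroup_command("default", "admin", "admin", pw))
```
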

5 Replies

lmanor
Cisco Employee

Yes, this behavior has been seen with a specific version of XR 6.5.2. Presuming this is the issue, it has been fixed in later releases so if you can upgrade that may resolve the issue. A potential work-around could be to disable radius/tacacs in the router if possible.

 

From the NSO side, a work-around that has proved successful is to use a "proxy" to connect to the device. This example uses the NSO server localhost as proxy:

 

devices authgroups group asr9k-2-via-localhost default-map remote-name <local-linux-user> remote-password <local-linux-user-password>

devices device asr9k-2-via-localhost address 127.0.0.1 port 22

devices device asr9k-2-via-localhost authgroup asr9k-2-via-localhost device-type cli ned-id cisco-ios-xr protocol ssh

devices device asr9k-2-via-localhost state admin-state unlocked

devices device asr9k-2-via-localhost ned-settings cisco-iosxr proxy remote-connection ssh

devices device asr9k-2-via-localhost ned-settings cisco-iosxr proxy proxy-prompt <prompt as appears on linux CLI, in quotes> (for example: ".*[$]" for prompt user-pc:~$)

devices device asr9k-2-via-localhost ned-settings cisco-iosxr proxy remote-address <real-device-ip>

devices device asr9k-2-via-localhost ned-settings cisco-iosxr proxy remote-port 22

devices device asr9k-2-via-localhost ned-settings cisco-iosxr proxy remote-name <real-device-user-login>

devices device asr9k-2-via-localhost ned-settings cisco-iosxr proxy remote-password <real-device-user-password>

 

saransu
Cisco Employee

I have encountered various SSH errors as I got into NSO recently. The best solution I found was to create a new ssh key, then copy this key into all my devices ssh folders. If you have multiple runtime folders you would need to copy them into every device in each run time folder once you create the new ssh key, and for every device you create in the future you also need to copy in this ssh key.

 

But if you want to try this, here is the code. Notice I am using nso 4.6, though this should work for any version of nso. My nso install is under $HOME/4.6 and my runtime folder is under $HOME/nso-run-4.6. Adjust to your needs. I copy the new ssh keys into each of my devices, my ios and iosxr devices I have created. After that I load the new devices.xml and sync from to make sure the ssh keys are correctly paired. Make sure your devices are on and running before starting this process and show up in nso.

 

ssh-keygen -t rsa -m PEM -f $HOME/nso-4.6/etc/ncs/ssh/ssh_host_rsa_key -N ''

cd $HOME/nso-4.6/etc/ncs/ssh/

cp ssh_host_rsa_key ssh_host_rsa_key.pub $HOME/nso-run-4.6/netsim/ios_/ios_0/ssh/
cp ssh_host_rsa_key ssh_host_rsa_key.pub $HOME/nso-run-4.6/netsim/iosxr_/iosxr_0/ssh/

cd ~/nso-run-4.6
ncs-netsim ncs-xml-init > devices.xml
ncs_cli -u admin
configure
load merge devices.xml
commit
exit
show devices list
switch cli
devices sync-from
exit

 

I've tried single and double quotes around the password and I'm still having issues connecting to netsim devices.