06-17-2019 02:44 PM
Greetings,
I work for a GSM wireless operator who uses Cisco 7201 ITPs as adjunct switches to our Ericsson IPSTPs. Every few months, SSH stops responding to incoming requests. This is maddening. It generally requires logging in over serial console and rebooting it.
Some info:
ITP1#sh ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
interface FastEthernet0/0
 description "OAM -> itp1 port 1:15"
 ip vrf forwarding Management
 ip address 172.16.129.27 255.255.255.248
 duplex auto
 speed auto
access-list 98 remark VTY access
access-list 98 permit 10.10.240.0 0.0.0.255
access-list 98 permit 10.10.5.0 0.0.0.255
access-list 98 permit 10.10.15.0 0.0.0.255
access-list 98 deny any log
line vty 0 4
 access-class 98 in
 exec-timeout 30 0
 transport input ssh
ITP1#sh ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.
Now, the fun part:
ITP1#debug ip ssh
Incoming SSH debugging is on
(I try to SSH to admin@172.16.129.27 and get nothing...)
no debug ip ssh
Incoming SSH debugging is off
ITP1#debug ip tcp packet port 22 in
TCP Packet debugging is on for port number 22, incoming packets
ITP1#
Jun 17 21:41:41.461: tcp0: I LISTEN 10.10.240.210:54532 172.16.129.27:22 seq 3402043120
OPTS 20 SYN WIN 27320
Jun 17 21:41:42.461: tcp0: I LISTEN 10.10.240.210:54532 172.16.129.27:22 seq 3402043120
OPTS 20 SYN WIN 27320
Jun 17 21:41:44.465: tcp0: I LISTEN 10.10.240.210:54532 172.16.129.27:22 seq 3402043120
OPTS 20 SYN WIN 27320
So what this tells us is that my SSH client's TCP SYN is making it to the ITP, who then silently discards it. Can anyone offer a clue to what is going on? Thanks in advance.
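The inference in the post above (the same SYN arriving repeatedly while the socket sits in LISTEN) can be checked mechanically over a longer capture. This is an added example, not part of the original post or any Cisco tooling: the function names are hypothetical, and it assumes `debug ip tcp packet` lines have the layout quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the debug lines quoted in the post, wrapped as they appear there.
SAMPLE = """\
Jun 17 21:41:41.461: tcp0: I LISTEN 10.10.240.210:54532 172.16.129.27:22 seq 3402043120
OPTS 20 SYN WIN 27320
Jun 17 21:41:42.461: tcp0: I LISTEN 10.10.240.210:54532 172.16.129.27:22 seq 3402043120
OPTS 20 SYN WIN 27320
Jun 17 21:41:44.465: tcp0: I LISTEN 10.10.240.210:54532 172.16.129.27:22 seq 3402043120
OPTS 20 SYN WIN 27320
"""

LINE = re.compile(
    r"(\d\d):(\d\d):(\d\d\.\d+): tcp\d+: I (\S+) "
    r"([\d.]+:\d+) ([\d.]+:\d+) seq (\d+)(.*)")

def join_wrapped(text):
    """Re-attach continuation lines (e.g. 'OPTS 20 SYN ...') to the entry before them."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if entries and not re.match(r"\w{3} +\d+ \d\d:\d\d:", line):
            entries[-1] += " " + line
        else:
            entries.append(line)
    return entries

def retransmitted_syns(text):
    """Return {(src, dst, seq): [seconds since midnight, ...]} for SYNs seen more than once."""
    seen = defaultdict(list)
    for entry in join_wrapped(text):
        m = LINE.search(entry)
        flags = m.group(8).split() if m else []
        if "SYN" not in flags or "ACK" in flags:
            continue  # only bare incoming SYNs are of interest
        h, mi, s, _state, src, dst, seq, _rest = m.groups()
        seen[(src, dst, int(seq))].append(int(h) * 3600 + int(mi) * 60 + float(s))
    return {k: t for k, t in seen.items() if len(t) > 1}

def report(text):
    """One summary line per stalled handshake, with the gaps between retries."""
    out = []
    for (src, dst, seq), times in retransmitted_syns(text).items():
        gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
        out.append(f"{src} -> {dst} seq {seq}: {len(times)} SYNs, retry gaps {gaps}s")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

A repeated sequence number with growing gaps is the client's retransmission timer, which means no SYN-ACK ever reached it.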
06-18-2019 12:01 AM
- Could be a software bug. Check if you can upgrade your Cisco device (e.g.)
M.
06-26-2019 01:41 PM
No upgrade is practical. Besides, the version is:
Cisco IOS Software, 7200 Software (C7200P-ITPK9-M), Version 12.4(15)SW7, RELEASE SOFTWARE (fc3)
Which is newer than I've worked with on 2811s in the past, that never had this problem. It seems like I am the only one to ever have seen this issue, so for now we have to telnet into a terminal server until the next maintenance window where it can be power cycled...
07-05-2019 01:50 PM
No one?