05-23-2020 12:19 AM
Summary: I can ssh to an SVI on the switch, but I cannot ssh to an L3 configured port (i.e. no switchport, ip address set).
I can ping the L3 interface from ssh client and from the internet (so gateways and routing are all working).
The L3 interface can ping the ssh client PC over the Internet and other random Internet IP addresses (it's the only interface with a public IP, all others are private).
When I try to ssh from an IP that is not part of the ACL on vty then I correctly get a connection refused error in PuTTY. Same happens as expected when trying to ssh to the SVI interface when directly connected to the switch.
When I try from an IP that is part of the ACL on vty then I get a timeout on L3 interface. When I try to ssh to an svi when direct connected to switch it works fine.
This is not an internet firewall issue. I've tried connecting my laptop directly to the L3 interface port and used the gateway IP. I can ping the L3 interface and it can ping me. But ssh times out.
It is almost as though the switch/ssh service isn't listening on the L3 interface and is only listening on SVI.
Is there any special config for ssh service to listen on an L3 interface in addition to svi?
Driving me crazy, thanks in advance :)
05-23-2020 12:26 AM
I would like to see your configuration for the port and other details. Please provide the output below:
show run interface ten x/x - where x/x is the one you are having the issue with.
show version
show run | in access-list
show run | in vty
show ip route
05-23-2020 04:13 PM
Hello - thanks for your reply. I saved a copy of "sh run" so I've extracted most of the information you require below.
Is there anything that would prevent SSH from running/listening on a non-SVI interface/IP? I just don't know why it would work on an SVI but not an L3 interface. It's like the service just isn't responding to ssh on the L3 interface.
Here are the details:
1) The SVI where ssh works when I connect to the switch and ssh directly:
interface Vlan10
ip address 192.168.12.100 255.255.255.0
!
2) The L3 interface where SSH does not work (but ping works just fine) when coming from internet:
interface GigabitEthernet1/48
no switchport
ip address XXX.XXX.XXX.30 255.255.255.252
!
3) ACL 99 for securing vty:
access-list 99 permit aaa.bbb.ccc.18
access-list 99 permit aaa.bbb.ccc.122
access-list 99 permit 192.168.1.0 0.0.0.255
access-list 99 permit 192.168.11.0 0.0.0.255
access-list 99 permit 192.168.12.0 0.0.0.255
access-list 99 permit 192.168.111.0 0.0.0.255
access-list 99 permit 192.168.222.0 0.0.0.255
access-list 99 deny any log
4) line config:
line con 0
logging synchronous
transport preferred none
stopbits 1
line vty 0 4
access-class 99 in
logging synchronous
transport preferred none
transport input ssh
line vty 5 15
access-class 99 in
logging synchronous
transport preferred none
transport input ssh
!
5) Routing lines from sh run:
ip default-gateway XXX.XXX.XXX.29
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.29
6) Other notes
-I'm running this version: cat4500-entservicesk9-mz.150-2.SG10.bin
-I've tried rebooting the switch
Any assistance would be greatly appreciated, thank you!
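The "connection refused" versus "connection timed out" distinction in this thread hinges on whether access-class 99 matches the source address before the SSH server is ever consulted. The standard-ACL wildcard-mask matching that makes that decision can be checked offline. The script below is an added example, not the poster's configuration or Cisco code; it copies ACL 99 from the post and assumes the redacted aaa.bbb.ccc octets are 203.0.113 (RFC 5737 documentation range) so that it runs without a switch.

```python
"""Evaluate an IOS standard ACL the way access-class does (first match wins,
implicit deny at the end). Constructed example for the thread above."""
import ipaddress
import re

# Constructed copy of access-list 99 from the post. The real public octets
# were redacted; 203.0.113 is an assumption (documentation prefix), not real.
ACL_TEXT = """
access-list 99 permit 203.0.113.18
access-list 99 permit 203.0.113.122
access-list 99 permit 192.168.1.0 0.0.0.255
access-list 99 permit 192.168.11.0 0.0.0.255
access-list 99 permit 192.168.12.0 0.0.0.255
access-list 99 permit 192.168.111.0 0.0.0.255
access-list 99 permit 192.168.222.0 0.0.0.255
access-list 99 deny any log
"""

ACE_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?")


def parse_standard_acl(text):
    """Return a list of (action, network, wildcard, log) tuples.

    IOS standard ACL semantics: a bare address is a host match (wildcard
    0.0.0.0), 'any' matches everything, 'host X' is an explicit host, and a
    wildcard mask is the inverse of a subnet mask (a 1 bit means 'don't care').
    """
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # comments, remarks, or unrelated config lines
        _, action, target, extra = m.groups()
        log = "log" in line.split()
        if target == "any":
            net, wild = 0, 0xFFFFFFFF
        elif target == "host":
            net, wild = int(ipaddress.IPv4Address(extra)), 0
        else:
            net = int(ipaddress.IPv4Address(target))
            # 'extra' is either a wildcard mask or a keyword such as 'log';
            # anything that is not an address means a host match.
            try:
                wild = int(ipaddress.IPv4Address(extra)) if extra else 0
            except ValueError:
                wild = 0
        entries.append((action, net, wild, log))
    return entries


def evaluate(entries, src_ip):
    """Return 'permit' or 'deny' for src_ip using first-match semantics."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, net, wild, _log in entries:
        care = 0xFFFFFFFF ^ wild  # bits that must match exactly
        if (src & care) == (net & care):
            return action
    return "deny"  # implicit deny any at the end of every IOS ACL


def expected_symptom(entries, src_ip):
    """Map the ACL decision onto what the thread reports the client sees:
    a denied source is refused outright; a permitted source only reaches
    the SSH server, so any failure after that shows up as a timeout."""
    if evaluate(entries, src_ip) == "deny":
        return "connection refused (access-class deny)"
    return "permitted by ACL; a timeout now points past the ACL"


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_TEXT)
    for ip in ("203.0.113.18", "203.0.113.19", "192.168.12.55", "10.0.0.1"):
        print(f"{ip:>15}: {evaluate(acl, ip):6} -> {expected_symptom(acl, ip)}")
```

Run it against any candidate source address to confirm whether a "timed out" result could even be an ACL problem; if the evaluator returns permit for that source, the ACL is not where the SSH failure lies, which is the same conclusion the thread reaches from the refused/timeout pattern.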
05-24-2020 03:00 AM
Thank you for the detailed information.
1. Quick test: if you remove the ACL from the VTY line, does this work?
2. What is the public IP you try to connect in from? .18 or .122? Or are both not working?
3. How about other public IP addresses? (I know you have mentioned others getting access, but not confirmed whether from the Internet or locally.)
4. Also, on the other side, is this interface configured with a /32 IP address as point-to-point (I am guessing)? Is this a public address or private?
5. If this interface is configured in private address space, do you have NAT for these IP addresses configured for that interface?
The other thing we are not sure about is whether someone configured an IP SSH source interface.
The syntax below allows you to configure it:
config)#ip ssh ?
authentication-retries Specify number of authentication retries
dscp IP DSCP value for SSH traffic
logging Configure logging for SSH
precedence IP Precedence value for SSH traffic
source-interface Specify interface for source address in SSH connections
time-out Specify SSH time-out interval
version Specify protocol version supported
05-24-2020 07:39 PM
Hello - thanks again for your continued help. Answers to your questions:
1) If I try to ssh to the L3 interface/IP from an IP that is not in the ACL then I get "connection refused".
When I try to ssh to the L3 interface/IP from an IP that is IN the ACL then I get "connection timed out".
This tells me that the ACL is working because it rejects IPs not in the ACL, but when it lets traffic through there is nothing "listening" on the L3 interface so it times out?
2) To clarify, the switch only has 2 IP's:
i) SVI on VLAN 10 configured as follows (private IP on VLAN 10):
interface Vlan10
ip address 192.168.12.100 255.255.255.0
!
ii) An L3 interface configured as follows (connected to the internet, public IP):
interface GigabitEthernet1/48
no switchport
ip address XXX.XXX.XXX.30 255.255.255.252
!
When I connect my laptop directly to an access port (switchport access vlan 10; switchport mode access) and ssh to the SVI it works fine as per my initial (of course I give my laptop a static IP within the VLAN10 subnet).
However, when I try to SSH to the L3/IP which is public it does not work (timeout). Ping works fine. Also, note that I also tried connecting my laptop directly to the L3 port (instead of it going to the gateway) and I assigned the gateway's IP to my laptop and I could ping the L3 interface but again ssh just times out.
3) All public IPs in the ACL get "connection timed out". If I try from an IP that isn't in the ACL then I get "connection refused".
4) The SVI is private IP space. The L3 interface is public IP. See my initial post, I can ping just fine so there is connectivity. Also, I get "connection refused" if the source internet IP is NOT in the ACL, and I get "connection timed out" if it is in the ACL... so I think this means the ACL is working - it blocks unknown IPs, and it allows known IPs through - but then it times out because the L3 interface is not listening for ssh? Not sure.
5) Regarding ip ssh source-interface - isn't this for OUTBOUND ssh? So if I'm already on the switch and I try to connect to another ssh? How does this affect this scenario? I can run this command tomorrow to advise you as I don't have the switch with me and remote ssh isn't working yet (as per this post).
thanks again - any thoughts?
05-25-2020 12:10 AM
If you saved a copy of the running config it would be helpful to see it. I am especially interested in the possibility of some type of control plane policing or other control that would restrict access using SSH.
05-25-2020 02:37 AM
Thanks for the input and explanation; the problem is much clearer now.
1. Just to clarify some things before we go deep: I would still remove the ACL from the VTY and test. Does this work?
2. Post the complete configuration; there may be a small piece of information we are missing here.