ASR 1000-HX slow response for ssh login and show commands

Vishnu_RR (Level 1)

Hi,

I have done a basic configuration on an ASR 1000-HX router. There is a static route and a default route, and 2 ISPs are terminated. ISE is not configured. There is only one ACL, which blocks SSH and Telnet connections on the outside interface.

There is 1-2% CPU utilization, but when I try to log in using the default local admin account, the router takes 1 minute to respond.

Does anybody know what the reason could be?

Accepted Solution

Hello,

If you don't want to use TACACS, then remove it from AAA:

no aaa authentication login VTY_authen group network-tacacs-group local
no aaa authorization config-commands
no aaa authorization exec VTY_author group network-tacacs-group local if-authenticated
no aaa authorization commands 0 default group network-tacacs-group local
no aaa authorization commands 1 default group network-tacacs-group local
no aaa authorization commands 15 default group network-tacacs-group local

aaa authentication login default local
aaa authorization exec default local if-authenticated
aaa authorization console

Lastly, I would also suggest changing the local password to be encrypted as type 9 if it's supported, or at least MD5 type 5:

username xxxx privilege 15 algorithm-type scrypt secret xxx

or

username xxxx privilege 15 secret xxx

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

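Why the last suggestion in the accepted answer matters, as an added example that is not part of Paul's post, the thread, or any Cisco tool: `password 7` (what `service password-encryption` produces, and the format the `key 7` lines for the TACACS+ servers in the posted config also use) is a fixed-key XOR that anyone who can read the config reverses instantly, whereas `secret` (type 5 MD5 or type 9 scrypt) is a one-way hash. The script below decodes and re-encodes type 7 strings and walks a constructed config snippet to list everything recoverable. The snippet, the username `netops`, the server name `t1` and the two type 7 strings in it are made up here (both are well-known encodings of the word `cisco`); the type 7 strings in the posted config are masked, so nothing from the thread itself is decoded.

```python
import re

# Cisco's fixed type 7 translation key; the two leading decimal digits of a
# stored string are the offset into it at which the XOR starts.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc):
    """Reverse an IOS 'password 7' / 'key 7' string: seed + hex(plaintext XOR key)."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError(f"not a type 7 string: {enc!r}")
    seed, body = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def encode_type7(plain, seed=8):
    """Produce what IOS would store.  The scheme is a bijection, so this
    'encryption' only hides the value from someone glancing at the screen."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS picks seeds 0-15")
    data = plain.encode()
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Constructed snippet (not from the thread): the username, server name and both
# type 7 strings are made up; 0822455D0A16 and 094F471A1A0A both encode 'cisco'.
SAMPLE_CONFIG = """\
service password-encryption
username netops privilege 15 password 7 0822455D0A16
tacacs server t1
 address ipv4 10.140.167.136
 key 7 094F471A1A0A
"""


def recover_type7(config):
    """Every reversible secret in a config: local passwords AND the TACACS+ shared
    key, which is what a leaked 'show run' hands an attacker.  'secret' lines
    (type 5 MD5, type 9 scrypt) are one-way hashes and are left alone."""
    found = []
    for m in re.finditer(r"^username (\S+) .*\bpassword 7 ([0-9A-Fa-f]+)", config, re.M):
        found.append((f"username {m.group(1)}", m.group(2), decode_type7(m.group(2))))
    for m in re.finditer(r"^\s*key 7 ([0-9A-Fa-f]+)", config, re.M):
        found.append(("tacacs key", m.group(1), decode_type7(m.group(1))))
    return found


if __name__ == "__main__":
    for what, enc, plain in recover_type7(SAMPLE_CONFIG):
        print(f"{what}: 7 {enc} -> {plain!r}  (move this to 'secret')")
```

Run against a real `show running-config` dump, `recover_type7` is the check to do before handing a config to a vendor or pasting it into a forum: anything it returns is effectively cleartext, including the TACACS+ key, which is the one item the accepted answer does not mention.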

15 Replies

Hello,

--> Only one ACL to block ssh and telnet connection for outside interface.

Can you post that access list? Better yet, post the entire router config...

Hi,

Please find the config below.

 

router#show running-config
Building configuration...

Current configuration : 7559 bytes
!
! Last configuration change at 05:07:58 UTC Mon Jan 25 2021 by wxyz
! NVRAM config last updated at 08:50:58 UTC Thu Jan 21 2021 by wxyz
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware crypto-throughput level 8g
!
hostname router
!
boot-start-marker
boot system flash asr1000-universalk9.16.12.03.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered informational
no logging console
!
aaa new-model
!
!
aaa group server tacacs+ network-tacacs-group
server name tacacs_10.140.167.136
server name tacacs_10.140.167.139
timeout 30
!
aaa authentication login default local
aaa authentication login VTY_authen group network-tacacs-group local
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec VTY_author group network-tacacs-group local if-authenticated
aaa authorization commands 0 default group network-tacacs-group local
aaa authorization commands 1 default group network-tacacs-group local
aaa authorization commands 15 default group network-tacacs-group local
!
aaa session-id common
!
login on-failure log
login on-success log
!

!
subscriber templating
!
flow record type performance-monitor flow-record-1
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes long
collect counter packets long
!
!
flow monitor flowmonitor-1
description "Used for basic Traffic Analysis"
cache timeout active 1
record netflow ipv4 original-input
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-654322345678987
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-654322345678987
revocation-check none
rsakeypair TP-self-signed-654322345678987
!
!
crypto pki certificate chain TP-self-signed-654322345678987
certificate self-signed 01
!
quit
!
license udi pid ASR1001-HX sn 76543245678
no license smart enable
!
spanning-tree mode mst
spanning-tree extend system-id
diagnostic bootup level minimal
!
!
username wxyz privilege 15 password 7 12345678900987654321
username zyxw privilege 15 password 7 1234567890124567890
!
redundancy
mode none
!

!
bridge irb
!

interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/6
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/7
no ip address
shutdown
negotiation auto
!
interface TenGigabitEthernet0/1/0
description "CONNECTED TO ISP1"
ip address w.w.w.w 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-group block_malicious in
!
interface TenGigabitEthernet0/1/1
description "Connected to ISP1 LAN Segment"
ip address z.z.z.z 255.255.255.248
standby 1 ip z.z.z.1
standby 1 priority 150
standby 1 preempt
!
interface TenGigabitEthernet0/1/2
description "Connected to ISP2 LAN Segment"
ip address y.y.y.y 255.255.255.248
standby 2 ip y.y.y.1
!
interface TenGigabitEthernet0/1/3
no ip address
shutdown
!
interface TenGigabitEthernet0/1/4
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/5
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/6
description "ISP2"
ip address x.x.x.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-group block_malicious in
!
interface TenGigabitEthernet0/1/7
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.116.103.240 255.255.255.0
negotiation auto
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 w.w.w.1
ip route 0.0.0.0 0.0.0.0 x.x.x.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.116.103.1
ip route vrf Mgmt-intf 10.0.0.0 255.0.0.0 10.116.103.1
ip tacacs source-interface GigabitEthernet0 vrf Mgmt-intf
!
ip ssh version 2
!
!
ip access-list extended block_malicious
deny tcp any any eq 22 log
deny tcp any any eq telnet log
permit ip any any
logging host 10.116.10.254 vrf Mgmt-intf
!
!
tacacs server tacacs_10.140.167.136
address ipv4 10.140.167.136
key 7 6298765423899
timeout 15
tacacs server tacacs_10.140.167.139
address ipv4 10.140.167.139
key 7 4323707652785
timeout 30
!
bridge 100 protocol vlan-bridge
!
control-plane
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 5
login local
!
ntp server vrf Mgmt-intf 10.130.116.140
!
end

ip domain-name bb.com
!
line vty 0 5
 transport input ssh
(or: transport input all)

Try the above settings. Also, give us the IP address you are trying to connect to. Is this from the VRF?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

I am trying to connect to the router from the Mgmt-intf VRF IP address. I have removed the AAA configuration for line vty; that clears the issue with ISE. The router prompts for username and password immediately and logs in instantly.

But when I enter show xxxx commands, it takes almost 25 seconds to display the configuration.

But logging in on the console is fast, and show commands display immediately.

 

line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport preferred none
transport input all
line vty 5 7
transport preferred none
transport input all
line vty 8 15

Hello,

Nothing really obvious in your config would cause the slow SSH response. One thing you could try is to zeroize and then regenerate your RSA keys:

Router(config)#crypto key zeroize rsa
Router(config)#crypto key generate rsa

When you generate a new key, try a few different modulus settings (512/1024/2048); maybe that makes a difference.

Hello @Vishnu_RR,

>> But when i enter show xxxx commands It is taking almost 25 secs to display configuration.

Do you still have the aaa authorization commands in place? If so, the device attempts to consult the AAA server to check whether the user is allowed to perform the action.

I mean the following ones:

aaa authorization commands 0 default group network-tacacs-group local
aaa authorization commands 1 default group network-tacacs-group local
aaa authorization commands 15 default group network-tacacs-group local

If you are not using the AAA server, try to use a different list with local first.

Hope to help

Giuseppe
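Giuseppe's point, carried through as an added example (mine, not code from the thread or from Cisco): the script below parses an IOS-XE style config and works out which authorization method list each line actually uses, and whether a remote group sits in front of `local`. The two config strings are constructed to match the one posted above, with the one-space sub-command indentation that `show running-config` emits (the paste above lost it); the names VTY_authen, VTY_author and network-tacacs-group are taken from that post. The rule applied is Cisco's: a list named under the line wins, otherwise the `default` list applies to VTYs, and the console is exempt unless `aaa authorization console` is configured. That last rule is why the console answered instantly while every `show` on the VTY waited on the TACACS+ servers before falling back to `local`.

```python
import re
from collections import defaultdict

# Constructed excerpt shaped like the config posted in this thread, with the
# one-space sub-command indentation of 'show running-config' output restored.
CONFIG = """\
aaa new-model
aaa group server tacacs+ network-tacacs-group
 timeout 30
aaa authentication login default local
aaa authentication login VTY_authen group network-tacacs-group local
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec VTY_author group network-tacacs-group local if-authenticated
aaa authorization commands 0 default group network-tacacs-group local
aaa authorization commands 1 default group network-tacacs-group local
aaa authorization commands 15 default group network-tacacs-group local
line con 0
 stopbits 1
line vty 0 5
 login local
"""

# The same device after the accepted answer's changes (also constructed).
FIXED_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local if-authenticated
aaa authorization console
line con 0
line vty 0 5
 login local
"""

AAA_AUTHZ = re.compile(r"aaa authorization (exec|commands (\d+)) (\S+) (.+)$")
LINE_AUTHZ = re.compile(r"\s*authorization (exec|commands (\d+)) (\S+)")


def parse_authorization(config):
    """Global lists as {(kind, level): {list_name: [methods]}} plus the two flags;
    kind is 'exec' (level None) or 'commands' (level 0/1/15)."""
    lists, flags = defaultdict(dict), {"console": False, "config_commands": False}
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_AUTHZ.match(line)
        if m:
            key = ("commands", int(m.group(2))) if m.group(2) else ("exec", None)
            # keep 'group <name>' together as one method, e.g. ['group X', 'local']
            lists[key][m.group(3)] = re.findall(r"group \S+|\S+", m.group(4))
        elif line == "aaa authorization console":
            flags["console"] = True
        elif line == "aaa authorization config-commands":
            flags["config_commands"] = True
    return lists, flags


def parse_line_stanzas(config):
    """Per 'line ...' stanza, any 'authorization exec|commands N <list>' override."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = {}
        elif current and raw.startswith(" "):
            m = LINE_AUTHZ.match(raw)
            if m:
                key = ("commands", int(m.group(2))) if m.group(2) else ("exec", None)
                stanzas[current][key] = m.group(3)
        else:
            current = None
    return stanzas


def resolve(config):
    """Effective authorization per line: a list named on the line wins, else the
    'default' list if one exists, else nothing is authorized.  The console is
    exempt unless 'aaa authorization console' is set, which is why the console in
    this thread answered instantly while every VTY 'show' waited on TACACS+."""
    lists, flags = parse_authorization(config)
    report = {}
    for name, overrides in parse_line_stanzas(config).items():
        if name.startswith("line con") and not flags["console"]:
            report[name] = {"exempt": True}
            continue
        entry = {"exempt": False}
        for key, named in lists.items():
            list_name = overrides.get(key, "default")
            if list_name in named:
                methods = named[list_name]
                entry[key] = {"list": list_name, "methods": methods,
                              "remote_first": methods[0].startswith("group ")}
        report[name] = entry
    return report, flags


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG), ("after the accepted fix", FIXED_CONFIG)):
        print(label, *resolve(cfg)[0].items(), sep="\n  ")
```

For the "as posted" config the VTY resolves every command level (0, 1, 15) to `group network-tacacs-group` before `local` while the console is exempt, which matches the symptom in the thread exactly; for the fixed config both lines resolve only EXEC authorization, to `local`, so no command ever waits on a server. Note that `remote_first` is only a problem when the servers are unreachable; with reachable TACACS+ servers the same lists are the correct, auditable design.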

 

balaji.bandi (Hall of Fame)

show run is slow; I can only think this is more of an authorization issue. I would advise removing all ISE-related AAA config, making it simple, and trying again.

You still need login local on the VTY line for local users to work.

If, after removing the AAA-associated config and making it local, it is still not working, post the current running config.

BB


Hi,

I do not have an issue logging in right now after removing AAA from line vty. Now the issue is that when I enter any show xxxx command, the router takes too long to display the configuration.

I need to try regenerating the RSA keys and check whether that makes a difference.

Please find the configuration below.

router#show running-config
Building configuration...

Current configuration : 7431 bytes
!
! Last configuration change at 13:16:51 UTC Mon Jan 25 2021 by wxyz
! NVRAM config last updated at 14:25:15 UTC Mon Jan 25 2021 by wxyz
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware crypto-throughput level 8g
!
hostname router
!
boot-start-marker
boot system flash asr1000-universalk9.16.12.03.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered informational
no logging console
!
aaa new-model
!
!
aaa group server tacacs+ network-tacacs-group
server name tacacs_10.140.167.136
server name tacacs_10.140.167.139
timeout 30
!
aaa authentication login default local
aaa authentication login VTY_authen group network-tacacs-group local
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec VTY_author group network-tacacs-group local if-authenticated
aaa authorization commands 0 default group network-tacacs-group local
aaa authorization commands 1 default group network-tacacs-group local
aaa authorization commands 15 default group network-tacacs-group local
!
aaa session-id common
!
login on-failure log
login on-success log
!
subscriber templating
!
flow record type performance-monitor flow-record-1
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes long
collect counter packets long
!
!
flow monitor flowmonitor-1
description "Used for basic Traffic Analysis"
cache timeout active 1
record netflow ipv4 original-input
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-654322345678987
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-654322345678987
revocation-check none
rsakeypair TP-self-signed-654322345678987
!
!
crypto pki certificate chain TP-self-signed-654322345678987
certificate self-signed 01
!
quit
!
license udi pid ASR1001-HX sn 76543245678
no license smart enable
!
spanning-tree mode mst
spanning-tree extend system-id
diagnostic bootup level minimal
!
username wxyz privilege 15 password 7 12345678900987654321
username zyxw privilege 15 password 7 1234567890124567890
!
redundancy
mode none
!
bridge irb
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/6
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/7
no ip address
shutdown
negotiation auto
!
interface TenGigabitEthernet0/1/0
description "CONNECTED TO ISP1"
ip address w.w.w.w 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-group block_malicious in
!
interface TenGigabitEthernet0/1/1
description "Connected to ISP1 LAN Segment"
ip address z.z.z.z 255.255.255.248
standby 1 ip z.z.z.1
standby 1 priority 150
standby 1 preempt
!
interface TenGigabitEthernet0/1/2
description "Connected to ISP2 LAN Segment"
ip address y.y.y.y 255.255.255.248
standby 2 ip y.y.y.1
!
interface TenGigabitEthernet0/1/3
no ip address
shutdown
!
interface TenGigabitEthernet0/1/4
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/5
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/6
description "ISP2"
ip address x.x.x.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-group block_malicious in
!
interface TenGigabitEthernet0/1/7
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.116.103.240 255.255.255.0
negotiation auto
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 w.w.w.1
ip route 0.0.0.0 0.0.0.0 x.x.x.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.116.103.1
ip route vrf Mgmt-intf 10.0.0.0 255.0.0.0 10.116.103.1
ip tacacs source-interface GigabitEthernet0 vrf Mgmt-intf
!
ip ssh version 2
!
!
ip access-list extended block_malicious
deny tcp any any eq 22 log
deny tcp any any eq telnet log
permit ip any any
logging host 10.16.0.254 vrf Mgmt-intf
!
!
tacacs server tacacs_10.140.167.136
address ipv4 10.140.167.136
key 7 032752180500011D1C5A
timeout 15
tacacs server tacacs_10.140.167.139
address ipv4 10.140.167.139
key 7 4323707652785
timeout 30
!
bridge 100 protocol vlan-bridge
!
control-plane
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport preferred none
transport input all
line vty 5 7
transport preferred none
transport input all
line vty 8 15
!
ntp server vrf Mgmt-intf 10.130.116.140
!
end

balaji.bandi (Hall of Fame)

Yes, try as you suspect and let us know: "I need to try regenerating the RSA keys and check whether that makes a difference."

BB


Hi team,

I have regenerated the RSA keys with reference to the above commands:

crypto key zeroize rsa
crypto key generate rsa

But I am still facing the same issue: all show commands take too long to display.

Hello,

For the sake of testing, disable the access list and check if that makes a difference:

interface TenGigabitEthernet0/1/0
description "CONNECTED TO ISP1"
ip address w.w.w.w 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
--> no ip access-group block_malicious in

Also, how are you actually establishing the SSH connection? What is the exact command you use?

Hi,

I am using the PuTTY application to make SSH connections to all devices.
