01-25-2021 12:24 AM
Hi,
I have done a basic configuration on an ASR 1000-HX router. There is a static route and a default route, and 2 ISPs are terminated. ISE is not configured. There is only one ACL, to block SSH and Telnet connections on the outside interface.
There is 1-2% CPU utilization, but when I try to log in using the default local admin account, the router takes 1 minute to respond.
Does anybody know what the reason would be?
Solved! Accepted solution:
01-27-2021 02:49 PM - edited 01-27-2021 02:58 PM
Hello,
If you don't want to use TACACS+, then remove it from AAA:
no aaa authentication login VTY_authen group network-tacacs-group local
no aaa authorization config-commands
no aaa authorization exec VTY_author group network-tacacs-group local if-authenticated
no aaa authorization commands 0 default group network-tacacs-group local
no aaa authorization commands 1 default group network-tacacs-group local
no aaa authorization commands 15 default group network-tacacs-group local
aaa authentication login default local
aaa authorization exec default local if-authenticated
aaa authorization console
Lastly, I would also suggest changing the local passwords to be stored as type 9 if it's supported, or at least as MD5 type 5:
username xxxx privilege 15 algorithm-type scrypt secret xxx
or
username xxxx privilege 15 secret xxx
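The point behind that last recommendation, as an added example that is not part of the original thread and not Cisco's code: `service password-encryption` produces the `password 7` and `key 7` strings seen in the posted configs, and type 7 is a fixed-key XOR rather than encryption, so a few lines of code reverse it. The script below implements the encoder and decoder and scans a config for type 7 values; `SAMPLE_CONFIG`, the user names, the passwords, the key and the address 192.0.2.10 are constructed for the example. The practical consequences are the ones the answer draws: store local credentials with `secret` (type 5, or type 9 scrypt where the image supports it), and treat every type 7 string in a config pasted to a forum as disclosed.

```python
"""Added example (not Cisco's code): why 'password 7' / 'key 7' values offer no protection.

IOS 'service password-encryption' XORs the plaintext with a fixed, public key string;
the first two characters of the stored value are just the starting offset into that key.
"""
import re

# The fixed key IOS uses for type 7 obfuscation (public knowledge since the 1990s).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext, salt=7):
    """Produce the value IOS would store: two-digit offset, then one hex byte per character."""
    if not 0 <= salt <= 15:
        raise ValueError("IOS uses offsets 0-15")
    data = plaintext.encode()
    return f"{salt:02d}" + "".join(
        f"{ch ^ _XLAT[(salt + i) % len(_XLAT)]:02X}" for i, ch in enumerate(data)
    )


def type7_decode(encoded):
    """Recover the plaintext from a stored type 7 value; raises on malformed input."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 values are a 2-digit offset followed by an even number of hex digits")
    salt = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ _XLAT[(salt + i) % len(_XLAT)] for i, b in enumerate(body)).decode()


# Matches 'password 7 <hex>' and 'key 7 <hex>' wherever they appear on a config line.
TYPE7_RE = re.compile(r"^\s*(?P<prefix>.*?\b(?:password|key)\s+7)\s+(?P<blob>[0-9A-Fa-f]+)\s*$", re.M)


def find_type7(config):
    """Return (line prefix, recovered plaintext) for every type 7 value in a running-config."""
    hits = []
    for m in TYPE7_RE.finditer(config):
        try:
            hits.append((m.group("prefix").strip(), type7_decode(m.group("blob"))))
        except (ValueError, UnicodeDecodeError):
            hits.append((m.group("prefix").strip(), "<malformed type 7 value>"))
    return hits


# Constructed sample: the user names, passwords, key and 192.0.2.10 are made up for this example.
# The 'secret 9' line is deliberately not matched: scrypt hashes are not reversible this way.
SAMPLE_CONFIG = f"""\
username ops privilege 15 password 7 {type7_encode('Constructed-Pass-42', 3)}
username audit privilege 15 secret 9 $9$constructedhash
tacacs server tacacs_192.0.2.10
 address ipv4 192.0.2.10
 key 7 {type7_encode('Constructed-Key-99', 11)}
"""

if __name__ == "__main__":
    for prefix, plaintext in find_type7(SAMPLE_CONFIG):
        print(f"{prefix!r:<45} -> {plaintext}")
```

Run it against any saved `show running-config` to see what a config paste actually discloses; the well-known test vector `02050D480809` decodes to `cisco`.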
01-25-2021 12:58 AM
Hello,
--> Only one ACL to block ssh and telnet connection for outside interface.
Can you post that access list? Better yet, post the entire router config...
01-25-2021 02:24 AM
Hi,
Please find the config below.
router#show running-config
Building configuration...
Current configuration : 7559 bytes
!
! Last configuration change at 05:07:58 UTC Mon Jan 25 2021 by wxyz
! NVRAM config last updated at 08:50:58 UTC Thu Jan 21 2021 by wxyz
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware crypto-throughput level 8g
!
hostname router
!
boot-start-marker
boot system flash asr1000-universalk9.16.12.03.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered informational
no logging console
!
aaa new-model
!
!
aaa group server tacacs+ network-tacacs-group
server name tacacs_10.140.167.136
server name tacacs_10.140.167.139
timeout 30
!
aaa authentication login default local
aaa authentication login VTY_authen group network-tacacs-group local
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec VTY_author group network-tacacs-group local if-authenticated
aaa authorization commands 0 default group network-tacacs-group local
aaa authorization commands 1 default group network-tacacs-group local
aaa authorization commands 15 default group network-tacacs-group local
!
aaa session-id common
!
login on-failure log
login on-success log
!
!
subscriber templating
!
flow record type performance-monitor flow-record-1
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes long
collect counter packets long
!
!
flow monitor flowmonitor-1
description "Used for basic Traffic Analysis"
cache timeout active 1
record netflow ipv4 original-input
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-654322345678987
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-654322345678987
revocation-check none
rsakeypair TP-self-signed-654322345678987
!
!
crypto pki certificate chain TP-self-signed-654322345678987
certificate self-signed 01
!
quit
!
license udi pid ASR1001-HX sn 76543245678
no license smart enable
!
spanning-tree mode mst
spanning-tree extend system-id
diagnostic bootup level minimal
!
!
username wxyz privilege 15 password 7 12345678900987654321
username zyxw privilege 15 password 7 1234567890124567890
!
redundancy
mode none
!
!
bridge irb
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/6
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/7
no ip address
shutdown
negotiation auto
!
interface TenGigabitEthernet0/1/0
description "CONNECTED TO ISP1"
ip address w.w.w.w 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-group block_malicious in
!
interface TenGigabitEthernet0/1/1
description "Connected to ISP1 LAN Segment"
ip address z.z.z.z 255.255.255.248
standby 1 ip z.z.z.1
standby 1 priority 150
standby 1 preempt
!
interface TenGigabitEthernet0/1/2
description "Connected to ISP2 LAN Segment"
ip address y.y.y.y 255.255.255.248
standby 2 ip y.y.y.1
!
interface TenGigabitEthernet0/1/3
no ip address
shutdown
!
interface TenGigabitEthernet0/1/4
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/5
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/6
description "ISP2"
ip address x.x.x.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-group block_malicious in
!
interface TenGigabitEthernet0/1/7
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.116.103.240 255.255.255.0
negotiation auto
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 w.w.w.1
ip route 0.0.0.0 0.0.0.0 x.x.x.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.116.103.1
ip route vrf Mgmt-intf 10.0.0.0 255.0.0.0 10.116.103.1
ip tacacs source-interface GigabitEthernet0 vrf Mgmt-intf
!
ip ssh version 2
!
!
ip access-list extended block_malicious
deny tcp any any eq 22 log
deny tcp any any eq telnet log
permit ip any any
logging host 10.116.10.254 vrf Mgmt-intf
!
!
tacacs server tacacs_10.140.167.136
address ipv4 10.140.167.136
key 7 6298765423899
timeout 15
tacacs server tacacs_10.140.167.139
address ipv4 10.140.167.139
key 7 4323707652785
timeout 30
!
bridge 100 protocol vlan-bridge
!
control-plane
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 5
login local
!
ntp server vrf Mgmt-intf 10.130.116.140
!
end
01-25-2021 03:49 AM
ip domain-name bb.com
!
line vty 0 5
 transport input ssh (or all)
Try the above settings. Also, give us the IP address you are trying to connect to. Is this from the VRF?
01-25-2021 04:05 AM
Hi balaji,
I am trying to connect to the router from the Mgmt-intf VRF IP address. I have removed the AAA configuration for line vty; it clears that issue with ISE. The router prompts for username and password immediately and logs in instantly.
But when I enter show xxxx commands, it takes almost 25 secs to display the configuration.
But logging in on the console is fast, and show commands display immediately.
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport preferred none
transport input all
line vty 5 7
transport preferred none
transport input all
line vty 8 15
01-25-2021 05:01 AM
Hello,
Nothing really obvious in your config would cause the slow SSH response. One thing you could try is to zeroize and then regenerate your RSA keys:
Router(config)#crypto key zeroize rsa
Router(config)#crypto key generate rsa
When you generate a new key, try a few different modulus settings (512/1024/2048); maybe that makes a difference.
01-25-2021 05:06 AM
Hello @Vishnu_RR,
>> But when I enter show xxxx commands, it takes almost 25 secs to display the configuration.
Do you still have the aaa authorization commands in place? If so, the device attempts to consult the AAA server to check whether the user is allowed to perform the action.
I mean the following ones:
aaa authorization commands 0 default group network-tacacs-group local
aaa authorization commands 1 default group network-tacacs-group local
aaa authorization commands 15 default group network-tacacs-group local
If you are not using the AAA server, try to use a different list with local first.
Hope to help
Giuseppe
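The check Giuseppe's reasoning calls for, as an added example that is not part of the thread and not Cisco's code: a small audit script that parses the `aaa group server`, `tacacs server`, `aaa authentication`/`authorization` and `line` sections of a running-config, flags every method list whose first method is a TACACS+ group, works out whether that list is actually in effect (a `default` list, or one that a `line` block names), and sums the server timeouts to estimate how long one request can hang before IOS falls through to `local`. `SAMPLE_CONFIG` is condensed from the config posted above. Two assumptions are mine and should be checked against the running image: timeout precedence (per-server value, else the group value, else the IOS default of 5 s), and that an unanswered request waits the full timeout on each server in turn.

```python
"""Added example (not Cisco's code): flag AAA method lists that consult TACACS+ before 'local'
and estimate how long one request can hang while every server in the group is unreachable."""
import re
from dataclasses import dataclass

# Assumption: a request waits the per-server 'timeout' (else the group's, else IOS's 5 s default)
# on each server in turn before IOS moves on to the next method in the list.
DEFAULT_TACACS_TIMEOUT = 5

LIST_RE = re.compile(r"aaa (authentication login|authorization (?:exec|commands \d+)) (\S+) (.+)")
LINE_REF_RE = re.compile(r"(login authentication|authorization (?:exec|commands \d+)) (\S+)")


@dataclass
class Finding:
    kind: str            # "authentication login", "authorization exec", "authorization commands N"
    name: str            # "default" or the named list
    methods: list        # e.g. ["group network-tacacs-group", "local"]
    in_effect: bool      # a default list, or a 'line' block names it
    stall_seconds: int   # worst-case wait before falling through to the next method


def _blocks(config):
    """Yield (top-level line, [sub-lines]); IOS indents sub-commands by one space."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = raw.strip(), []
    if header is not None:
        yield header, body


def _methods(tokens):
    """Turn ['group', 'X', 'local'] into ['group X', 'local']."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def audit(config):
    """Return a Finding for every method list that tries a TACACS+ group before anything else."""
    groups, group_timeout, server_timeout, lists, line_refs = {}, {}, {}, [], []
    for header, body in _blocks(config):
        if m := re.match(r"aaa group server tacacs\+ (\S+)", header):
            groups[m[1]] = [b.split()[2] for b in body if b.startswith("server name ")]
            for b in body:
                if b.startswith("timeout "):
                    group_timeout[m[1]] = int(b.split()[1])
        elif m := re.match(r"tacacs server (\S+)", header):
            for b in body:
                if b.startswith("timeout "):
                    server_timeout[m[1]] = int(b.split()[1])
        elif m := LIST_RE.match(header):
            lists.append((m[1], m[2], _methods(m[3].split())))
        elif header.startswith("line "):
            for b in body:
                if m := LINE_REF_RE.match(b):
                    line_refs.append((m[1].replace("login authentication", "authentication login"), m[2]))
    findings = []
    for kind, name, methods in lists:
        gname = methods[0][6:] if methods[0].startswith("group ") else None
        if gname not in groups:
            continue  # local-first lists, or groups this parser does not model (e.g. RADIUS)
        stall = sum(server_timeout.get(s, group_timeout.get(gname, DEFAULT_TACACS_TIMEOUT))
                    for s in groups[gname])
        findings.append(Finding(kind, name, methods,
                                in_effect=(name == "default" or (kind, name) in line_refs),
                                stall_seconds=stall))
    return findings


# Condensed from the posted running-config: two unreachable servers, 15 s + 30 s timeouts,
# named VTY lists that no 'line' block references, and default command-authorization lists.
SAMPLE_CONFIG = """\
aaa group server tacacs+ network-tacacs-group
 server name tacacs_10.140.167.136
 server name tacacs_10.140.167.139
 timeout 30
aaa authentication login default local
aaa authentication login VTY_authen group network-tacacs-group local
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec VTY_author group network-tacacs-group local if-authenticated
aaa authorization commands 0 default group network-tacacs-group local
aaa authorization commands 1 default group network-tacacs-group local
aaa authorization commands 15 default group network-tacacs-group local
tacacs server tacacs_10.140.167.136
 timeout 15
tacacs server tacacs_10.140.167.139
 timeout 30
line vty 0 4
 login local
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        state = "IN EFFECT" if f.in_effect else "unused"
        print(f"{f.kind:<26} {f.name:<12} {state:<10} worst case {f.stall_seconds}s  {f.methods}")
```

On the condensed config the three `commands ... default` lists are the ones in effect, each able to stall about 45 s per command (15 s on the first server plus 30 s on the second) before the `local` fallback answers, which is the behaviour the poster describes; the named `VTY_authen`/`VTY_author` lists are reported as unused because no `line` block names them. Rewriting the lists as `local` first, as the accepted answer does, yields no findings.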
01-25-2021 05:03 AM
show run is slow; I can only think this is more of an authorization issue. I would advise removing all ISE-related AAA config, making it simple, and trying again.
You still need login local on the VTY line for the local users to work.
After removing the AAA-associated config and making it local, if it is still not working, post the current running config.
01-25-2021 06:53 AM
Hi,
I do not have an issue logging in right now, after removing AAA from line vty. Now the issue is that
when I enter any show xxxx command, the router takes too long to display the configuration.
I need to try regenerating the RSA keys and check whether that makes a difference.
Please find the configuration below.
router#show running-config
Building configuration...
Current configuration : 7431 bytes
!
! Last configuration change at 13:16:51 UTC Mon Jan 25 2021 by wxyz
! NVRAM config last updated at 14:25:15 UTC Mon Jan 25 2021 by wxyz
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware crypto-throughput level 8g
!
hostname router
!
boot-start-marker
boot system flash asr1000-universalk9.16.12.03.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered informational
no logging console
!
aaa new-model
!
!
aaa group server tacacs+ network-tacacs-group
server name tacacs_10.140.167.136
server name tacacs_10.140.167.139
timeout 30
!
aaa authentication login default local
aaa authentication login VTY_authen group network-tacacs-group local
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec VTY_author group network-tacacs-group local if-authenticated
aaa authorization commands 0 default group network-tacacs-group local
aaa authorization commands 1 default group network-tacacs-group local
aaa authorization commands 15 default group network-tacacs-group local
!
aaa session-id common
!
login on-failure log
login on-success log
!
subscriber templating
!
flow record type performance-monitor flow-record-1
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes long
collect counter packets long
!
!
flow monitor flowmonitor-1
description "Used for basic Traffic Analysis"
cache timeout active 1
record netflow ipv4 original-input
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-654322345678987
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-654322345678987
revocation-check none
rsakeypair TP-self-signed-654322345678987
!
!
crypto pki certificate chain TP-self-signed-654322345678987
certificate self-signed 01
!
quit
!
license udi pid ASR1001-HX sn 76543245678
no license smart enable
!
spanning-tree mode mst
spanning-tree extend system-id
diagnostic bootup level minimal
!
username wxyz privilege 15 password 7 12345678900987654321
username zyxw privilege 15 password 7 1234567890124567890
!
redundancy
mode none
!
bridge irb
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/4
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/5
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/6
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/7
no ip address
shutdown
negotiation auto
!
interface TenGigabitEthernet0/1/0
description "CONNECTED TO ISP1"
ip address w.w.w.w 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-group block_malicious in
!
interface TenGigabitEthernet0/1/1
description "Connected to ISP1 LAN Segment"
ip address z.z.z.z 255.255.255.248
standby 1 ip z.z.z.1
standby 1 priority 150
standby 1 preempt
!
interface TenGigabitEthernet0/1/2
description "Connected to ISP2 LAN Segment"
ip address y.y.y.y 255.255.255.248
standby 2 ip y.y.y.1
!
interface TenGigabitEthernet0/1/3
no ip address
shutdown
!
interface TenGigabitEthernet0/1/4
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/5
no ip address
shutdown
no negotiation auto
!
interface TenGigabitEthernet0/1/6
description "ISP2"
ip address x.x.x.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip access-group block_malicious in
!
interface TenGigabitEthernet0/1/7
no ip address
shutdown
no negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.116.103.240 255.255.255.0
negotiation auto
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 w.w.w.1
ip route 0.0.0.0 0.0.0.0 x.x.x.1
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.116.103.1
ip route vrf Mgmt-intf 10.0.0.0 255.0.0.0 10.116.103.1
ip tacacs source-interface GigabitEthernet0 vrf Mgmt-intf
!
ip ssh version 2
!
!
ip access-list extended block_malicious
deny tcp any any eq 22 log
deny tcp any any eq telnet log
permit ip any any
logging host 10.16.0.254 vrf Mgmt-intf
!
!
tacacs server tacacs_10.140.167.136
address ipv4 10.140.167.136
key 7 032752180500011D1C5A
timeout 15
tacacs server tacacs_10.140.167.139
address ipv4 10.140.167.139
key 7 4323707652785
timeout 30
!
bridge 100 protocol vlan-bridge
!
control-plane
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport preferred none
transport input all
line vty 5 7
transport preferred none
transport input all
line vty 8 15
!
ntp server vrf Mgmt-intf 10.130.116.140
!
end
01-25-2021 07:30 AM
Yes, try as you suspect and let us know: "I need to try regenerating the RSA keys and check whether that makes a difference."
01-27-2021 05:56 AM
Hi team,
I have regenerated the RSA keys with reference to the above commands:
crypto key zeroize rsa
crypto key generate rsa
But I am still facing the same issue: all show commands take too long to display.
01-27-2021 10:29 AM
Hello,
For the sake of testing, disable the access list and check whether that makes a difference:
interface TenGigabitEthernet0/1/0
description "CONNECTED TO ISP1"
ip address w.w.w.w 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
--> no ip access-group block_malicious in
01-27-2021 02:11 PM
Also, how are you actually establishing the SSH connection? What is the exact command you use?
01-27-2021 08:56 PM
Hi,
I am using the PuTTY application to make SSH connections to all devices.