Re: asr 1002 telnet-ssh timeout

Giulio Lo Presti · ‎12-18-2020

hello guys,

i've got a very strange problem, my cisco asr1002 BRAS disconnect me randomly after a couple of seconds from telnet/ssh from a pc directly connected to gigabitethernet 0 interface(off band MGMT) and also inband. i've updated also firmware to see if maybe there is a problem with version, but the same happens with new version.

this is the output when i was connected:

bras#show pppoe summary
    PTA  : Locally terminated sessions
    FWDED: Forwarded sessions
    TRANS: All other sessions (in transient state)

                                TOTAL     PTA   FWDED   TRANS
TOTAL                            4810    4810       0       0
TenGigabitEthernet0/1/0          4810    4810       0       
bras#Connection to 10.77.124.14 closed by remote host.
Connection to 10.77.124.14 closed.

here the lines reguarding the line vty 0 4

line vty 0 4
 exec-timeout 60 0
 logout-warning 30
 absolute-timeout 40
 transport input all

the ssh crypto key has modulus 2048

here ssh debug when i get disconnected

*Dec 18 07:00:43.446: SSH0: starting SSH control process
*Dec 18 07:00:43.447: SSH0: sent protocol version id SSH-2.0-Cisco-1.25
*Dec 18 07:00:43.453: SSH0: protocol version id is - SSH-2.0-OpenSSH_7.6p1 Ubuntu-4
*Dec 18 07:00:43.453: SSH2 0: Server certificate trustpoint not found. Skipping hostkey algo = x509v3-ssh-rsa
*Dec 18 07:00:43.453: SSH2 0: kexinit sent: hostkey algo = ssh-rsa
*Dec 18 07:00:43.453: SSH2 0: kexinit sent: encryption algo = aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
*Dec 18 07:00:43.453: SSH2 0: kexinit sent: mac algo = hmac-sha1,hmac-sha1-96
*Dec 18 07:00:43.454: SSH2 0: send:packet of  length 368 (length also includes padlen of 5)
*Dec 18 07:00:43.454: SSH2 0: SSH2_MSG_KEXINIT sent
*Dec 18 07:00:43.541: SSH2 0: ssh_receive: 1358 bytes received
*Dec 18 07:00:43.541: SSH2 0: input: total packet length of 1360 bytes
*Dec 18 07:00:43.541: SSH2 0: partial packet length(block size)8 bytes,needed 1352 bytes,
               maclen 0
*Dec 18 07:00:43.548: SSH2 0: ssh_receive: 2 bytes received
*Dec 18 07:00:43.548: SSH2 0: partial packet length(block size)8 bytes,needed 1352 bytes,
               maclen 0
*Dec 18 07:00:43.548: SSH2 0: input: padlength 5 bytes
*Dec 18 07:00:43.548: SSH2 0: SSH2_MSG_KEXINIT received
*Dec 18 07:00:43.548: SSH2 0: kex: client->server enc:aes128-ctr mac:hmac-sha1
*Dec 18 07:00:43.548: SSH2 0: kex: server->client enc:aes128-ctr mac:hmac-sha1
*Dec 18 07:00:43.548: SSH2 0: Using kex_algo = diffie-hellman-group-exchange-sha1
*Dec 18 07:00:43.854: SSH2 0: ssh_receive: 24 bytes received
*Dec 18 07:00:43.854: SSH2 0: input: total packet length of 24 bytes
*Dec 18 07:00:43.854: SSH2 0: partial packet length(block size)8 bytes,needed 16 bytes,
               maclen 0
*Dec 18 07:00:43.854: SSH2 0: input: padlength 6 bytes
*Dec 18 07:00:43.854: SSH2 0: SSH2_MSG_KEX_DH_GEX_REQUEST received
*Dec 18 07:00:43.854: SSH2 0: Range sent by client is - 2048 < 4096 < 8192
*Dec 18 07:00:43.854: SSH2 0:  Modulus size established : 4096 bits
*Dec 18 07:00:43.854: SSH2 0: send:packet of  length 536 (length also includes padlen of 8)
*Dec 18 07:00:43.997: SSH2 0: expecting SSH2_MSG_KEX_DH_GEX_INIT
*Dec 18 07:00:43.997: SSH2 0: ssh_receive: 528 bytes received
*Dec 18 07:00:43.997: SSH2 0: input: total packet length of 528 bytes
*Dec 18 07:00:43.997: SSH2 0: partial packet length(block size)8 bytes,needed 520 bytes,
               maclen 0
*Dec 18 07:00:43.997: SSH2 0: input: padlength 5 bytes
*Dec 18 07:00:43.997: SSH2 0: SSH2_MSG_KEXDH_INIT received
*Dec 18 07:00:44.182: SSH2 0: signature length 271
*Dec 18 07:00:44.182: SSH2 0: send:packet of  length 1088 (length also includes padlen of 8)
*Dec 18 07:00:44.183: SSH2: kex_derive_keys complete
*Dec 18 07:00:44.183: SSH2 0: send:packet of  length 16 (length also includes padlen of 10)
*Dec 18 07:00:44.183: SSH2 0: newkeys: mode 1
*Dec 18 07:00:44.184: SSH2 0: SSH2_MSG_NEWKEYS sent
*Dec 18 07:00:44.184: SSH2 0: waiting for SSH2_MSG_NEWKEYS
*Dec 18 07:00:44.414: SSH2 0: ssh_receive: 16 bytes received
*Dec 18 07:00:44.414: SSH2 0: input: total packet length of 16 bytes
*Dec 18 07:00:44.414: SSH2 0: partial packet length(block size)8 bytes,needed 8 bytes,
               maclen 0
*Dec 18 07:00:44.414: SSH2 0: input: padlength 10 bytes
*Dec 18 07:00:44.414: SSH2 0: newkeys: mode 0
*Dec 18 07:00:44.414: SSH2 0: SSH2_MSG_NEWKEYS received
*Dec 18 07:00:44.734: SSH2 0: ssh_receive: 52 bytes received
*Dec 18 07:00:44.734: SSH2 0: input: total packet length of 32 bytes
*Dec 18 07:00:44.734: SSH2 0: partial packet length(block size)16 bytes,needed 16 bytes,
               maclen 20
*Dec 18 07:00:44.734: SSH2 0: MAC compared for #4 :ok
*Dec 18 07:00:44.734: SSH2 0: input: padlength 10 bytes
*Dec 18 07:00:44.734: SSH2 0: send:packet of  length 32 (length also includes padlen of 10)
*Dec 18 07:00:44.734: SSH2 0: computed MAC for sequence no.#4 type 6
*Dec 18 07:00:44.734: SSH2 0: Authentications that can continue = publickey,keyboard-interactive,password
*Dec 18 07:00:44.833: SSH2 0: ssh_receive: 68 bytes received
*Dec 18 07:00:44.833: SSH2 0: input: total packet length of 48 bytes
*Dec 18 07:00:44.833: SSH2 0: partial packet length(block size)16 bytes,needed 32 bytes,
               maclen 20
*Dec 18 07:00:44.834: SSH2 0: MAC compared for #5 :ok
*Dec 18 07:00:44.834: SSH2 0: input: padlength 7 bytes
*Dec 18 07:00:44.834: SSH2 0: Using method = none
*Dec 18 07:00:44.834: SSH2 0: Authentications that can continue = publickey,keyboard-interactive,password
*Dec 18 07:00:44.834: SSH2 0: send:packet of  length 64 (length also includes padlen of 14)
*Dec 18 07:00:44.834: SSH2 0: computed MAC for sequence no.#5 type 51
*Dec 18 07:00:44.934: SSH2 0: ssh_receive: 100 bytes received
*Dec 18 07:00:44.934: SSH2 0: input: total packet length of 80 bytes
*Dec 18 07:00:44.934: SSH2 0: partial packet length(block size)16 bytes,needed 64 bytes,
               maclen 20
*Dec 18 07:00:44.934: SSH2 0: MAC compared for #6 :ok
*Dec 18 07:00:44.934: SSH2 0: input: padlength 15 bytes
*Dec 18 07:00:44.934: SSH2 0: Using method = keyboard-interactive
*Dec 18 07:00:44.934: SSH2 0: send:packet of  length 48 (length also includes padlen of 11)
*Dec 18 07:00:44.934: SSH2 0: computed MAC for sequence no.#6 type 60
*Dec 18 07:00:49.564: SSH2 0: ssh_receive: 84 bytes received
*Dec 18 07:00:49.564: SSH2 0: input: total packet length of 64 bytes
*Dec 18 07:00:49.564: SSH2 0: partial packet length(block size)16 bytes,needed 48 bytes,
               maclen 20
*Dec 18 07:00:49.564: SSH2 0: MAC compared for #7 :ok
*Dec 18 07:00:49.564: SSH2 0: input: padlength 40 bytes
*Dec 18 07:00:49.564: SSH2 0: send:packet of  length 16 (length also includes padlen of 10)
*Dec 18 07:00:49.564: SSH2 0: computed MAC for sequence no.#7 type 52
*Dec 18 07:00:49.564: SSH2 0: authentication successful for user
*Dec 18 07:00:49.664: SSH2 0: ssh_receive: 68 bytes received
*Dec 18 07:00:49.664: SSH2 0: input: total packet length of 48 bytes
*Dec 18 07:00:49.664: SSH2 0: partial packet length(block size)16 bytes,needed 32 bytes,
               maclen 20
*Dec 18 07:00:49.664: SSH2 0: MAC compared for #8 :ok
*Dec 18 07:00:49.664: SSH2 0: input: padlength 19 bytes
*Dec 18 07:00:49.664: SSH2 0: channel open request
*Dec 18 07:00:49.664: SSH2 0: send:packet of  length 32 (length also includes padlen of 10)
*Dec 18 07:00:49.664: SSH2 0: computed MAC for sequence no.#8 type 91
*Dec 18 07:00:49.764: SSH2 0: ssh_receive: 476 bytes received
*Dec 18 07:00:49.764: SSH2 0: input: total packet length of 336 bytes
*Dec 18 07:00:49.764: SSH2 0: partial packet length(block size)16 bytes,needed 320 bytes,
               maclen 20
*Dec 18 07:00:49.764: SSH2 0: MAC compared for #9 :ok
*Dec 18 07:00:49.764: SSH2 0: input: padlength 15 bytes
*Dec 18 07:00:49.765: SSH2 0: send:packet of  length 16 (length also includes padlen of 6)
*Dec 18 07:00:49.765: SSH2 0: computed MAC for sequence no.#9 type 99
*Dec 18 07:00:49.765: SSH2 0: pty-req request
*Dec 18 07:00:49.765: SSH2 0: setting TTY - requested: height 30, width 120; set: height 30, width 120
*Dec 18 07:00:49.765: SSH2 0: input: total packet length of 48 bytes
*Dec 18 07:00:49.765: SSH2 0: partial packet length(block size)16 bytes,needed 32 bytes,
               maclen 20
*Dec 18 07:00:49.765: SSH2 0: MAC compared for #10 :ok
*Dec 18 07:00:49.765: SSH2 0: input: padlength 11 bytes
*Dec 18 07:00:49.765: SSH2 0: env request
*Dec 18 07:00:49.765: SSH2 0: input: total packet length of 32 bytes
*Dec 18 07:00:49.765: SSH2 0: partial packet length(block size)16 bytes,needed 16 bytes,
               maclen 20
*Dec 18 07:00:49.765: SSH2 0: MAC compared for #11 :ok
*Dec 18 07:00:49.765: SSH2 0: input: padlength 12 bytes
*Dec 18 07:00:49.765: SSH2 0: send:packet of  length 16 (length also includes padlen of 6)
*Dec 18 07:00:49.765: SSH2 0: computed MAC for sequence no.#10 type 99
*Dec 18 07:00:49.765: SSH2 0: shell request
*Dec 18 07:00:49.765: SSH2 0: shell message received
*Dec 18 07:00:49.765: SSH2 0: starting shell for vty
*Dec 18 07:00:49.766: SSH2 0: send:packet of  length 32 (length also includes padlen of 5)
*Dec 18 07:00:49.766: SSH2 0: computed MAC for sequence no.#11 type 94
*Dec 18 07:01:03.791: SSH2 0: send:packet of  length 48 (length also includes padlen of 18)
*Dec 18 07:01:03.791: SSH2 0: computed MAC for sequence no.#12 type 98
*Dec 18 07:01:03.791: SSH2 0: send:packet of  length 16 (length also includes padlen of 6)
*Dec 18 07:01:03.791: SSH2 0: computed MAC for sequence no.#13 type 96
*Dec 18 07:01:03.791: SSH2 0: send:packet of  length 16 (length also includes padlen of 6)
*Dec 18 07:01:03.791: SSH2 0: computed MAC for sequence no.#14 type 97
*Dec 18 07:01:03.791: SSH0: Session terminated normally

i cannot understand what can be the problem here. maybe you can point me in the right direction.

BR

marce1000 · ‎12-19-2020

- Make sure the client supports SSHv2

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

paul driver · ‎12-19-2020

Hello

Does this occur tested from another pc, are you using AAA taccas/radius?

try extending the following values:
ip ssh timeout xx

ip tcp synwait-time xx

show line

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Giulio Lo Presti · ‎12-19-2020

Hello,

Thanks for all reply, the problem happens also on telnet, the exactly same problem...personally I have not ever seen this behavior.

No nat

Directly connected to off band port.

Interesting ip-tcp synwait, i will try it anni let you know

Richard Burts · ‎12-19-2020

It is interesting, and perhaps significant, that the issue impacts both SSH and telnet.

The extensive debug output for SSSH posted shows what seems to be normal processing for the initiation of an SSH session. It would be nice if we could see debug output at the time that the SSH session was dropped.

I note in the partial config in the original post that you have configured both an exec timeout and an absolute timeout. I wonder if your issue might be that your timeout configuration is what is dropping your session (and the fact that the problem impacts both SSH and telnet seems consistent with it being something about the vty and less about SSH).

HTH

Rick

Giulio Lo Presti · ‎12-20-2020

Hello Rick,

The original output was captured when ssh has been dropped with the message you see in the cli above the debug.

It seems that something is wrong on tty. But I don't understand what. I can remove all tty conf, but already tried with no luck. It is not a bug or something else it is the ios that kick me out for some reason.

What you suggest st this point?

paul driver · ‎12-20-2020

Hello

Show line

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Richard Burts · ‎12-20-2020

What is 10.77.124.14? The message in the original post says only that the session was closed by the remote host. It does not have any information about what kind of sessions that was and no information about how long that sessions had been established.

The debug output that was posted is clearly about session establishment. There is no output generated when the session was terminated. Information about termination would be helpful.

With the timeouts that are shown in your vty configuration I would expect sessions to be dropped if there was not continuing activity. I would suggest doing a test using these steps

- establish a session to the asr

- do terminal monitor to display log output to the terminal

- start debug for ssh

- every 2 minutes hit enter on this session to keep it active

- establish an ssh session to the asr

- monitor the debug output as the session gets established

- continue to monitor the debug output while keeping this session active

- when the second session is terminated post the output from the first session so we can see what was going on

HTH

Rick

Giulio Lo Presti · ‎12-20-2020

Hello Rick,

Thanks for the reply.

I'm not understand you points.

When I connect in ssh trough a pc directly connected to asr in Port gi0( the mgmt port) the session disconnect in couple of second from the cisco I cannot debug for 2 min...

My post say that I will be disconnected from ssh or telnet after a couple of sec despite the line configuration also if I insert exec timeout 0 0 everything o configure is not work.

The debug you see is the complete output of debug ssh when I was in console and establish an ssh session. After what you see I got disconnected from cisco.

I hope that I will clear all the thought about the problem.

Hope to ear anyone that can help soon.

BR

Richard Burts · ‎12-20-2020

Ok so it is literally only a few seconds between establishing the session and termination of the session? And it is the same for SSH and for telnet?

The suggestion about the output of show line is interesting and that output might show us something helpful. In addition I would ask that you post the router config (masking Public IP and passwords etc).

HTH

Rick

Giulio Lo Presti · ‎12-21-2020

hello,

here the output of show line and the configuration:

   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*     0 CTY              -    -      -    -    -      0       0     0/0       -
      1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
*     2 VTY              -    -      -    -    -     11       0     0/0       -
      3 VTY              -    -      -    -    -      0       0     0/0       -
      4 VTY              -    -      -    -    -      0       0     0/0       -
      5 VTY              -    -      -    -    -      0       0     0/0       -
      6 VTY              -    -      -    -    -      0       0     0/0       -

Building configuration...

Current configuration : 20441 bytes
!
! Last configuration change at 07:59:41 GMT Fri Dec 18 2020
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname bras
!
boot-start-marker
boot system flash bootflash:/asr1000rp1-k9.03.16.08.S.155-3.S8-ext.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable password 
!
aaa new-model
!
!
aaa group server radius RADIUS
 server name radius
 server-private x.x.x.x auth-port 1812 acct-port 1813 key xxxxxxxxx
 server x.x.x.x auth-port 1812 acct-port 1813
!
aaa authentication ppp default group RADIUS local
aaa authentication ppp RADIUS group RADIUS
aaa authorization network default group radius
aaa authorization network RADIUS group RADIUS
aaa authorization subscriber-service default local
aaa accounting send stop-record authentication failure
aaa accounting delay-start all
aaa accounting update periodic 5
aaa accounting exec default
 action-type start-stop
 group RADIUS
!
aaa accounting network default start-stop group RADIUS
aaa accounting network RADIUS start-stop group RADIUS
aaa accounting connection default start-stop group RADIUS
aaa accounting system default start-stop group radius
aaa accounting resource default start-stop group RADIUS
!
!
aaa nas port extended
!
!
!
aaa server radius dynamic-author
 client x.x.x.x server-key xxxxxxxx
 client x.x.x.x server-key xxxxxxxx
 client x.x.x.x server-key xxxxxxxx
 server-key xxxxxxxxxx
 auth-type any
 ignore session-key
!
aaa session-id common
aaa max-sessions 10000
aaa policy interface-config allow-subinterface
clock timezone GMT 1 0
clock summer-time Rome recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
!
!
!
!
!
!
!
!
!


ip name-server 8.8.8.8 8.8.4.4

ip domain name xxxxxxxxxx.local
!
!
!
ipv6 unicast-routing
ipv6 dhcp pool CPE
 prefix-delegation pool PPPOE6 lifetime infinite infinite
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
spanning-tree extend system-id
!
username xxxxxxxxx privilege 0 password 0 xxxxxxxxxxx
username xxxxxxxx privilege 15 password 0 xxxxxxxxxxx
!
redundancy
 mode none
!
!
!
!
!
cdp run
!
!
policy-map 3M
 class class-default
  police 3000000 1500000 1000 conform-action transmit  exceed-action drop
policy-map 11M
 class class-default
  shape average 20000000
policy-map 8M
 class class-default
  police 8000000 4000000 1000 conform-action transmit  exceed-action drop
policy-map 300M
 class class-default
  police cir 307200000 bc 1800000 be 1800000 conform-action transmit  exceed-action drop
policy-map 5M_DOWN
 class class-default
  shape average 5120000
policy-map 200M
 class class-default
  police cir 204800000 bc 1200000 be 1200000 conform-action transmit  exceed-action drop
policy-map 5M
 class class-default
  police 5000000 2500000 1000 conform-action transmit  exceed-action drop
policy-map 11M_UP
 class class-default
  police cir 2000000 bc 1000000 be 1000 conform-action transmit  exceed-action drop
policy-map 2M
 class class-default
  police 2000000 1000000 1000 conform-action transmit  exceed-action drop
policy-map 7M
 class class-default
  police 7000000 3500000 1000 conform-action transmit  exceed-action drop
policy-map 15M
 class class-default
  police 15000000 7500000 1000 conform-action transmit  exceed-action drop
policy-map 30M
 class class-default
  police 30000000 15000000 1000 conform-action transmit  exceed-action drop
policy-map 10M
 class class-default
  police 10000000 5000000 1000 conform-action transmit  exceed-action drop
policy-map 500M
 class class-default
  police cir 512000000 bc 3000000 be 3000000 conform-action transmit  exceed-action drop
policy-map 20M
 class class-default
  police 20000000 10000000 1000 conform-action transmit  exceed-action drop
policy-map 100M
 class class-default
  police cir 102400000 bc 600000 be 600000 conform-action transmit  exceed-action drop
policy-map 4M
 class class-default
  police 4000000 2000000 1000 conform-action transmit  exceed-action drop
policy-map 1M
 class class-default
  police 1000000 500000 1000 conform-action transmit  exceed-action drop
policy-map 50M
 class class-default
  police 50000000 25000000 1000 conform-action transmit  exceed-action drop
policy-map 1000M
 class class-default
  police cir 1024000000 bc 6000000 be 6000000 conform-action transmit  exceed-action drop
policy-map 12M
 class class-default
  police 12000000 6000000 1000 conform-action transmit  exceed-action drop
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
bba-group pppoe test
 virtual-template 1
 vendor-tag circuit-id service
 vendor-tag remote-id service
 sessions auto cleanup
!
bba-group pppoe ipv6
 virtual-template 2
!
!
!
interface Loopback0
 ip address x.x.x.x 255.255.255.255
 ipv6 address x.x.x.x..x.x::x/128
 ipv6 ospf 10 area 0.0.0.0
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
 ethernet oam
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface TenGigabitEthernet0/1/0
 description pppoe-termination
 no ip address
 cdp enable
!
interface TenGigabitEthernet0/1/0.984
 description SERVICE2
 encapsulation dot1Q 984
 pppoe enable group test

interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address x.x.x.x 255.255.255.0
 negotiation auto
 cdp enable
 no mop enabled
!
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback0
 no ip redirects
 peer default ip address pool test
 ppp mtu adaptive
 ppp authentication chap RADIUS
 ppp authorization RADIUS
 ppp accounting RADIUS
 ppp ipcp dns 8.8.8.8 8.8.4.4
!
interface Virtual-Template2
 no ip address
 ipv6 address autoconfig
 ipv6 enable
 ipv6 nd ra lifetime 21600
 ipv6 nd ra interval 4 3
 ipv6 dhcp server CPE_atomo
 peer default ipv6 pool PPPOE6
 ppp authentication chap callin
 ppp accounting PPPOE_LIST
!
router ospfv3 10
 !
 address-family ipv6 unicast
 exit-address-family
!
router ospf 1
 router-id x.x.x.x
 redistribute connected subnets
 network x.x.x.x 0.0.0.3 area 0.0.0.0
!
ip local pool disabled 10.12.0.1 10.12.255.255
no ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip ssh version 2
!
ipv6 local pool PPPOE6 xxxxxxxxxxx::/56 64
ipv6 router ospf 1
!
!
snmp-server community xxxxxxx RO
snmp-server location xxxxxxx
snmp-server host x.x.x.x
!
!
radius-server attribute nas-port format d
radius-server attribute 61 extended
radius-server attribute 31 mac format ietf
radius-server attribute 31 send nas-port-detail mac-only
radius-server attribute 31 remote-id
radius-server timeout 30
!
!
control-plane
!
 !
 !
 !
 !
!
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 60 0
 logout-warning 30
 absolute-timeout 40
 transport input all
!
!
end

please let me know

Richard Burts · ‎12-21-2020

Thanks for posting the configuration. With all of the IP addresses given as x.x.x.x it makes it difficult to understand the relationships and what is going on. Certainly the one IP address that showed up in your output was a private IP - what is the purpose of obscuring private IP addresses? You are running OSPF but what interface is it running on? Does it have neighbors? Are there any networks it has learned and put into the routing table?

Perhaps it would be helpful if you would post the output of show ip route.

Am I correct in assuming that you attempts to SSH or telnet are to the address of GigE0? I wonder if part of the issue here is that GigE0 is assigned to a vrf. Can you try SSH or telnet to one of the other addresses on the router?

HTH

Rick

Giulio Lo Presti · ‎12-22-2020

hello Rick,

sorry didin't understand why you need ips from interfaces, i say in my post that in the gi0 with vrf mgmt telnet/ssh get disconnected after some second, the same happens on other interfaces.

the gi0 has another vrf then all other interfaces is not involved in this, but nevertheless i got the same problem on all other interfaces.

the gi0 interfaces has ip.

10.77.124.14

with a pc directly connected to this interface the connection dropped, this is the problem. i don't think routing appear to be the problem, but for completion this is the ip route

show ip route vrf Mgmt-intf

Routing Table: Mgmt-intf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.77.124.0/24 is directly connected, GigabitEthernet0
L        10.77.124.14/32 is directly connected, GigabitEthernet0

please let me know

Richard Burts · ‎12-22-2020

Thanks for the additional information. Yes if the IP address of the PC is in the same subnet as the address of GigE0 then routing should not be an issue.

It is interesting that it affects both SSH and telnet and that it affects connections to GigE0 and also connections to other interfaces. When you establish a connection using SSH or telnet are you able to enter and execute any commands? If you execute a command, then up arrow and enter, and up arrow and enter, and keep doing that does it delay the session dropping? Or does it still just drop the session in a few seconds regardless of activity? (essentially wondering if it might be inactivity related or an absolute timer related)

Am I correct in assuming that you do have a working console connection to the router? (is that how you get the output that you posted?) If so please make sure that logging is enabled to the console at level of debug, make a connection, wait for connection to drop, and post any output to console. If that does not show anything significant then please enable debug for aaa authorization, make a connection, wait for the connection to drop, and post output.

HTH

Rick