cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
421
Views
3
Helpful
6
Replies

Cisco 3650 SSH2 Log

D Fan
Level 1
Level 1

Hi All,

Any ideas on how to fix this? These logs appear when someone tries to ssh into the connection.

The switch config has set timezone +8. But UTC+0 logs will still in the log.

These ssh2 logs fill up the log file, and have never been seen before.

 

010048: Jun 14 07:25:02.055: SSH2 2: ssh_receive: 80 bytes received
010049: Jun 14 07:25:02.055: SSH2 2: input: total packet length of 48 bytes
010050: Jun 14 07:25:02.055: SSH2 2: partial packet length(block size)16 bytes,needed 32 bytes, maclen 32
010051: Jun 14 07:25:02.056: SSH2 2: MAC compared for #4 :ok
010052: Jun 14 07:25:02.056: SSH2 2: input: padlength 7 bytes
010053: Jun 14 07:25:02.056: SSH2 2: Using method = none
010054: Jun 14 07:25:02.056: SSH2 2: Authentications that can continue = publickey,keyboard-interactive,password
010055: Jun 14 07:25:02.056: SSH2 2: send:packet of length 64 (length also includes padlen of 14)
010056: Jun 14 07:25:02.056: SSH2 2: computed MAC for sequence no.#4 type 51
010057: Jun 14 07:25:05.716: SSH2 2: ssh_receive: 112 bytes received
010058: Jun 14 07:25:05.716: SSH2 2: input: total packet length of 80 bytes
010059: Jun 14 07:25:05.716: SSH2 2: partial packet length(block size)16 bytes,needed 64 bytes, maclen 32
010060: Jun 14 07:25:05.716: SSH2 2: MAC compared for #5 :ok
010061: Jun 14 07:25:05.716: SSH2 2: input: padlength 18 bytes
010062: Jun 14 07:25:05.717: SSH2 2: Using method = password
010063: Jun 14 07:25:05.950: SSH2 2: send:packet of length 16 (length also includes padlen of 10)
010064: Jun 14 07:25:05.950: SSH2 2: computed MAC for sequence no.#5 type 52
010065: Jun 14 07:25:05.951: SSH2 2: authentication successful for admin
010066: Jun 14 15:25:05 CST: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.88.2] [localport: 22] at 15:25:05 CST Fri Jun 14 2024    <--- login success log
010067: Jun 14 07:25:05.956: SSH2 2: ssh_receive: 80 bytes received
010068: Jun 14 07:25:05.956: SSH2 2: input: total packet length of 48 bytes
010069: Jun 14 07:25:05.956: SSH2 2: partial packet length(block size)16 bytes,needed 32 bytes, maclen 32
010070: Jun 14 07:25:05.956: SSH2 2: MAC compared for #6 :ok
010071: Jun 14 07:25:05.956: SSH2 2: input: padlength 19 bytes
010072: Jun 14 07:25:05.956: SSH2 2: channel open request
010073: Jun 14 07:25:05.957: SSH2 2: send:packet of length 32 (length also includes padlen of 10)
010074: Jun 14 07:25:05.957: SSH2 2: computed MAC for sequence no.#6 type 91
010075: Jun 14 07:25:05.963: SSH2 2: ssh_receive: 128 bytes received
010076: Jun 14 07:25:05.963: SSH2 2: input: total packet length of 96 bytes
010077: Jun 14 07:25:05.963: SSH2 2: partial packet length(block size)16 bytes,needed 80 bytes, maclen 32
010078: Jun 14 07:25:05.964: SSH2 2: MAC compared for #7 :ok
010079: Jun 14 07:25:05.964: SSH2 2: input: padlength 11 bytes
010080: Jun 14 07:25:05.964: SSH2 2: send:packet of length 16 (length also includes padlen of 6)
010081: Jun 14 07:25:05.964: SSH2 2: computed MAC for sequence no.#7 type 100
010082: Jun 14 07:25:05.965: SSH2 2: x11-req request
010083: Jun 14 07:25:05.965: SSH2 2: ssh_receive: 112 bytes received
010084: Jun 14 07:25:05.965: SSH2 2: input: total packet length of 80 bytes
010085: Jun 14 07:25:05.965: SSH2 2: partial packet length(block size)16 bytes,needed 64 bytes, maclen 32
010086: Jun 14 07:25:05.965: SSH2 2: MAC compared for #8 :ok
010087: Jun 14 07:25:05.966: SSH2 2: input: padlength 18 bytes
010088: Jun 14 07:25:05.966: SSH2 2: pty-req request
010089: Jun 14 07:25:05.966: SSH2 2: setting TTY - requested: height 32, width 148; set: height 32, width 148
010090: Jun 14 07:25:05.966: SSH2 2: ssh_receive: 64 bytes received
010091: Jun 14 07:25:05.966: SSH2 2: input: total packet length of 32 bytes
010092: Jun 14 07:25:05.966: SSH2 2: partial packet length(block size)16 bytes,needed 16 bytes,
maclen 32
010093: Jun 14 07:25:05.967: SSH2 2: MAC compared for #9 :ok
010094: Jun 14 07:25:05.967: SSH2 2: input: padlength 12 bytes

 

The config about VTY below:

line vty 0 4
exec-timeout 0 0
login local
transport input ssh

 

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @D Fan ,

>> These ssh2 logs fill up the log file, and have never been seen before.

check if any debug is active with:

show debug

otherwise this can be a protocol trace enabled on the device but it should write to a specific file not to the logging buffer.

Hope to help

Giuseppe

 

View solution in original post

6 Replies 6

marce1000
VIP
VIP

 

            - How do you mean , the time mentioned doesn't seem wrong to me ?

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @D Fan ,

>> These ssh2 logs fill up the log file, and have never been seen before.

check if any debug is active with:

show debug

otherwise this can be a protocol trace enabled on the device but it should write to a specific file not to the logging buffer.

Hope to help

Giuseppe

 

I believe that there are 2 issues in the OP. 

One issue is the log messages that fill up the log file. I believe that @Giuseppe Larosa is correct in suggesting that debug for ssh is running and generating those messages.

The other issues seems to be about configuration of time. The post says "The switch config has set timezone +8. But UTC+0 logs will still in the log". I believe that to understand this we need to start with the fact that you can configure a timezone for the switch to use, and you can configure a timestamp for log messages to use. It appears that debug output is using one timestamp and the Login Success (normal log message) is using a different time stamp.

HTH

Rick

Thanks a lot. You are right. I think that's the point bother me.

Leo Laohoo
Hall of Fame
Hall of Fame
undebug all

Hello,

I assume you have ' no login on-success log' already configured ?

Though not a real 'solution', you could try the logging discriminator below to at least get rid of these messages in your logs:

logging discriminator LOGSUC severity drops 5 facility drops SEC mnemonics drops LOGIN_SUCCESS
!
logging buffered discriminator LOGSUC 100000
logging console discriminator LOGSUC
logging monitor discriminator LOGSUC
logging host ip_address_of_host discriminator LOGSUC

 

Review Cisco Networking for a $25 gift card