1284 Views | 2 Helpful | 14 Replies

CoPP SSH not working

sebastien3
Level 4

Hello,

From my computer 192.168.1.253 I would like to only be able to connect in SSH on port 2022 of the router. It does not work I cannot establish an SSH connection...

class-map match-any CoPP-SSH
match access-group name SSH-ACL
!
policy-map CoPP
class CoPP-SSH
police 8000 conform-action transmit exceed-action drop
!
control-plane
service-policy input CoPP
!
ip access-list extended SSH-ACL
permit tcp host 192.168.1.253 eq 2022 any
deny ip any any


ip ssh time-out 60
ip ssh port 2022 rotary 1
ip ssh version 2

line vty 0 4
login local
rotary 1
length 0
transport input ssh
transport output none

I can't find my mistake, can you help me ?

THANKS !

14 Replies

marce1000
Hall of Fame

 

>...I cannot establish an SSH connection...
- What error do you get then?

1) Verify if the port is open/available with, for instance, an nmap scan as in: % nmap -p2022 yourswitch
2) Connect with an ssh client supporting verbose modes (such as typical Linux ssh); perhaps it can provide more insights.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Your posts are always super.

Now:

permit tcp any host 192.168.1.253 eq 2022

Since the R is the SSH server here and listens on the port.

sebastien3
Level 4

@marce1000: Yes the port 2022 is UP on router 192.168.1.1.

# nmap -p 2022 192.168.1.1
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-27 15:39 CEST
Nmap scan report for 192.168.1.1
Host is up (0.0013s latency).

PORT STATE SERVICE
2022/tcp open EtherNetIP-1
MAC Address: 00:C8:8B:9D:94:97 (Cisco Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds


# ssh -p 2022 -l Cisco 192.168.1.1
kex_exchange_identification: read: Connection reset by peer
Connection reset by 192.168.1.1 port 2022

@MHM Cisco World: Even changing the ACL I can't connect to SSH...

 

>...# ssh -p 2022 -l Cisco 192.168.1.1
>kex_exchange_identification: read: Connection reset by peer
>Connection reset by 192.168.1.1 port 2022

- Check the logs on the router when getting that error; also try, for starters, removing any ACLs and policing (CoPP). Start with 'sufficient' access (setup) on the intended port only and check if that can work.

M.




If you add a new ACL entry then it can be added after 'deny tcp any any'; you must make sure the ACL line is added in the correct order.

You're right but that doesn't change anything either...

sebastien3
Level 4

ip debug ssh: Apr 27 14:29:58.931: SSH: throttling requests: Please try after some time

Do you know the reason for this error? The policy-map on the control-plane does not increment, as if the ACL does not match the traffic...???

sh policy-map control-plane
Control Plane

Service-policy input: CoPP

Class-map: CoPP-SSH (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name SSH-ACL
police:
cir 8000 bps, bc 1500 bytes
conformed 0 packets, 0 bytes; actions:
transmit
exceeded 0 packets, 0 bytes; actions:
drop
conformed 0000 bps, exceeded 0000 bps

Show policy-map control-map input

I want to see the default class.

Show policy-map control-map input does not work!

I'm having trouble understanding how CoPP works... Should I use access-class SSH-ACL on line vty 0 4?

Show policy-map control-plane <<- with this I want to see the default class (try the keyword input with it)

ASR1K#sh policy-map control-?
WORD control-plane

Please check the previous comment.

@MHM Cisco World: As indicated above, the counters only work if I add access-class in the vty line...

Is this normal ?

And to answer you, sh policy-map control-plane does show the INPUT with SSH-ACL

permit tcp any host 192.168.1.253 eq 2022 

You configured CoPP to allow SSH to host 192.168.1.253,
and you then mention 192.168.1.1!!

That can make CoPP not work.

For the ACL under VTY vs. the ACL in CoPP I will deep dive to check the difference,
but for NOW I need to see CoPP use the correct IP in SSH.
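As an added illustration (not code from this thread, from Cisco, or from any of the posters), the small Python model below parses IOS-style extended ACL entries and evaluates them against a constructed inbound SSH packet: source 192.168.1.253 with an ephemeral source port, destination 192.168.1.1 on TCP port 2022. It shows why the ACL from the original question, `permit tcp host 192.168.1.253 eq 2022 any`, never matches such a packet and why the CoPP-SSH class counters stay at zero: in extended ACL syntax, an `eq` that follows the source address tests the client's source port, not the port the router listens on, so the packet falls to `deny ip any any` and lands in class-default. The packet, the ephemeral port 51234, the wildcard-mask variant and the alternative ACE with the port test on the destination side are all constructed for the example; the `copp_class` function is a simplification that models only the "match access-group" classification step.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A TCP/IP 5-tuple as seen by the router's inbound ACL check."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _parse_endpoint(tokens, i):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D wildcard')
    followed by an optional 'eq <port>'. Returns (network, port_or_None, next_i).
    Only contiguous wildcard masks are handled (enough for this example)."""
    tok = tokens[i]
    if tok == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok == "host":
        net, i = ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    else:
        addr, wild = tokens[i], tokens[i + 1]
        # A 0.0.0.0 wildcard means "exactly this host"; any other contiguous
        # wildcard is a host mask, which the ipaddress module accepts directly.
        suffix = "/32" if wild == "0.0.0.0" else "/" + wild
        net, i = ipaddress.ip_network(addr + suffix, strict=False), i + 2
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        port, i = int(tokens[i + 1]), i + 2
    return net, port, i


def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> [eq N] <dst> [eq N]' in IOS field order."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, sport, i = _parse_endpoint(tokens, 2)
    dst, dport, _ = _parse_endpoint(tokens, i)
    return {"action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    """An ACE matches only if every field it constrains agrees with the packet."""
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.src_port:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dst_port:
        return False
    return True


def evaluate_acl(acl_lines, pkt):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"


def copp_class(acl_lines, pkt):
    """Simplified class-map model: a 'match access-group' class matches only
    when the ACL permits the packet; otherwise the packet hits class-default."""
    action, _ = evaluate_acl(acl_lines, pkt)
    return "CoPP-SSH" if action == "permit" else "class-default"


# Constructed sample: an SSH client on 192.168.1.253 using an arbitrary
# ephemeral source port, connecting to the router's SSH service on 2022.
INBOUND_SSH = Packet("tcp", "192.168.1.253", 51234, "192.168.1.1", 2022)

# The ACL from the question: 'eq 2022' sits after the source address, so it
# tests the client's SOURCE port, which is an ephemeral port, never 2022.
ORIGINAL_ACL = [
    "permit tcp host 192.168.1.253 eq 2022 any",
    "deny ip any any",
]

# Constructed variant with the port test placed after the destination address.
DEST_PORT_ACL = [
    "permit tcp host 192.168.1.253 any eq 2022",
    "deny ip any any",
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("destination-port", DEST_PORT_ACL)):
        action, line = evaluate_acl(acl, INBOUND_SSH)
        print(f"{name}: {action} by '{line}' -> {copp_class(acl, INBOUND_SSH)}")
```

Running the block prints the verdict for both ACLs; the original one reports `deny by 'deny ip any any' -> class-default`, which is consistent with the zero packet counters shown under `sh policy-map control-plane` earlier in the thread, while the destination-port variant classifies the same packet into CoPP-SSH. The model evaluates only ACL classification; it does not reproduce the policer or the SSH throttling message.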