10-02-2023 01:01 AM
Hello, I've been struggling with connecting a router to an SSH server recently.
Router#1 can be accessed without any issues from the SSH server, but router#2, which is part of the cluster with #1, cannot be accessed via SSH. Both routers have routes for the SSH segment, and the situation persists where SSH access is possible only on router#1. Both routers are connected to the opposite routers via WAN tunneling, and they are connected to the SSH server through the same switch and firewall. If anyone has any insights or suggestions regarding the possible reasons for this problem, could you please provide a response?
The model I am using is ISR4331 and the version is 17.3.
10-02-2023 02:19 AM
I suggest you compare the configuration of Router#1 and Router#2.
Whatever configuration you implemented on Router#1 for SSH, do the similar/same configuration for SSH on Router#2.
Here is the sample configuration:
R1(config)#username admin password my_password
R1(config)#ip domain-name NETWORKDOMAIN.LOCAL
R1(config)#crypto key generate rsa modulus 2048
R1(config)#ip ssh version 2
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login local
Perform the connectivity / communication test from Router#1 and #2 to the SSH server using the ping command.
Try to use the traceroute ssh_server_ip (ex: traceroute 192.168.1.100) command to track the path of the packet.
Also try to check whether any ACL is implemented on Router#2 which may block access to SSH:
Router2#show ip access-list
From the output of the above commands you may get some clue about your issue.
Best regards
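One way to do the configuration comparison suggested in the reply above, as an added example that is not part of the original thread: it extracts the SSH-relevant lines from two saved running-configs and reports what exists on only one router, with credentials redacted. The function names and both sample configs are constructed for illustration.

```python
import re

# Top-level commands that affect SSH management access or the return route.
TOP = re.compile(r"^(ip ssh |ip domain[ -]name |ip route |username |(ip )?access-list )")
# Sub-commands under "line vty" that decide who may log in and how.
VTY = re.compile(r"^(transport input|login|access-class)\b")
SECRET = re.compile(r"\b(password|secret)\s.+$")

def ssh_relevant(config):
    """Return the SSH-relevant lines of one running-config as a set."""
    found, vty = set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0] != " ":  # top-level command, not an indented sub-command
            vty = line if line.startswith("line vty") else None
            if TOP.match(line):
                # Never carry credentials into a diff report.
                found.add(SECRET.sub(r"\1 <redacted>", line))
        elif vty and VTY.match(line):
            found.add(f"{vty} / {line}")
    return found

def compare(cfg_1, cfg_2):
    """Lines present only on router 1, and lines present only on router 2."""
    one, two = ssh_relevant(cfg_1), ssh_relevant(cfg_2)
    return sorted(one - two), sorted(two - one)

# Constructed sample configs; the static route is the one quoted in the thread.
ROUTER_1 = """\
username admin password 0 my_password
ip ssh version 2
ip route 10.214.18.249 255.255.255.255 172.25.250.254
line vty 0 4
 login local
 transport input ssh
"""
ROUTER_2 = """\
username admin password 0 other_password
ip ssh version 2
line vty 0 4
 login local
 transport input telnet
"""

if __name__ == "__main__":
    for side, lines in zip(("router 1 only:", "router 2 only:"), compare(ROUTER_1, ROUTER_2)):
        print(side, *lines, sep="\n  ")
```
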
10-03-2023 05:16 PM
Finally I solved this issue, but I am not sure I understand it properly.
In the former configuration, only RT C had the ip route configuration to RT A, like below.
ip route 10.214.18.249 255.255.255.255 172.25.250.254
After I added the route D to B like below, it works as I thought it would.
ip route 10.214.18.248 255.255.255.255 172.25.250.250
The SSH server is on the 192.168.0.0 / 16 segment, and RT C and D have a route to that segment, of course.
RT A, B, C and D are connected by EIGRP, and C and A, and D and B, are connected by Tunnel 0.
In this situation I don't need to add the route toward the SSH server at RT A and B.
I just need to add the route to A and D from C and D.
Is that right?
10-03-2023 06:45 PM - edited 10-03-2023 11:39 PM
Yes, you don't need to add the route toward the SSH server at RT A and B.
Keep in mind: in a production environment, if you are making any changes, do it according to the company policies.
Also keep documentation of those changes.
Thanks
10-02-2023 03:09 AM
What do you mean by cluster?
10-02-2023 04:51 AM
Hello
Is rtr 2 reachable?
Do you have local access to the rtr, so as to check the mgt configuration?
Can you put a debug on the mgt connection to/from rtr2 and see what the log buffer records?
Example:
conf t
no logging console
logging buffered
access-list 100 permit tcp host <srchost> host <desthost> eq 22
access-list 100 permit tcp host <desthost> host <srchost> eq 22
end
debug condition interface <interface>
debug ip packet detail 100