I have an issue with dynamic routing

zzkang12
Level 1

Hello, I've been struggling with connecting a router to an SSH server recently.

The router#1 can be accessed without any issues from the SSH server, but the router#2, which is part of the cluster with #1, cannot be accessed via SSH. Both routers have routes for the SSH segment, and the situation persists where SSH access is possible only on the router#1. Both routers are connected to the opposite routers via WAN tunneling, and they are connected to the SSH server through the same switch and firewall. If anyone has any insights or suggestions regarding the possible reasons for this problem, could you please provide a response?

The model I am using is ISR4331 and the version is 17.3.

5 Replies

Gopinath_Pigili
Spotlight

I suggest you compare the configuration of Router#1 and Router#2.

Whatever configuration you implemented on Router#1 for SSH, do the similar/same configuration for SSH on Router#2.

Here is the sample configuration:

R1(config)#username admin password my_password
R1(config)#ip domain-name NETWORKDOMAIN.LOCAL
R1(config)#crypto key generate rsa modulus 2048
R1(config)#ip ssh version 2
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login local

Check the connectivity / communication from Router#1 and #2 to the SSH server using the ping command.

Try to use the traceroute ssh_server_ip command (ex: traceroute 192.168.1.100) to track the path of the packet.

Also try to check whether any ACL is implemented on Router#2 which may block access to SSH:

Router2#show ip access-list

From the output of the above commands you may get some clue for your issue.

Best regards
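
One way to carry out the configuration comparison suggested in the reply above, as an added example that is not part of the original post: it extracts the SSH-management lines (ip ssh, usernames, ACLs, line vty sub-commands) from two saved `show running-config` outputs and lists what differs. The config excerpts and the names `ssh_relevant` and `compare` are constructed for illustration.

```python
import re

# Lines that affect SSH management access; "line vty" and named ACLs open a section.
RELEVANT = re.compile(r"^(ip ssh|ip domain[ -]name|username|access-list|ip access-list|line vty)\b")

def ssh_relevant(cfg):
    """Return SSH-related config lines; sub-commands are prefixed by their section."""
    found, parent = set(), None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if line[0] == " ":                      # sub-command of the current section
            if parent:
                found.add(f"{parent} / {line.strip()}")
            continue
        parent = None
        if RELEVANT.match(line):
            # Hashes differ per device and should not be printed: mask them.
            line = re.sub(r"\b(secret|password) .*", r"\1 <masked>", line)
            found.add(line)
            if line.startswith(("line vty", "ip access-list")):
                parent = line
    return found

def compare(cfg_a, cfg_b):
    a, b = ssh_relevant(cfg_a), ssh_relevant(cfg_b)
    return sorted(a - b), sorted(b - a)         # (only in A, only in B)

# Constructed excerpts for illustration (not taken from the thread).
R1_CFG = """\
ip ssh version 2
username admin secret 9 CONSTRUCTED-HASH-R1
access-list 10 permit 192.168.0.0 0.0.255.255
line vty 0 4
 access-class 10 in
 transport input ssh
"""
R2_CFG = """\
username admin secret 9 CONSTRUCTED-HASH-R2
access-list 10 permit 10.0.0.0 0.255.255.255
line vty 0 4
 access-class 10 in
 transport input telnet
"""
```

Calling `compare(R1_CFG, R2_CFG)` on these excerpts shows Router#2 missing `ip ssh version 2`, accepting only telnet on the vty lines, and using a vty ACL that does not cover the SSH server segment.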

zzkang12_0-1696356956716.png

Finally I solved this issue, but I am not sure I understand this properly.

So in the former configuration, only RT C had the ip route configuration to RT A, like below.

ip route 10.214.18.249 255.255.255.255 172.25.250.254

After I added the route D to B like below, it works as I thought it would.

ip route 10.214.18.248 255.255.255.255 172.25.250.250

The SSH server is on the 192.168.0.0 / 16 segment, and RT C and D have a route to that segment, of course.

RT A, B, C and D are connected by EIGRP, and C and A, and D and B, are connected by Tunnel 0.

In this situation I don't need to add the route toward the SSH server at RT A and B.

I just need to add the route to A and D from C and D.

Is that right?

Yes, you don't need to add the route toward the SSH server at RT A and B.

Keep in mind: in a production environment, if you are making any changes, do it according to the company policies.

Also keep documentation of the changes.

Thanks

What do you mean by cluster?

Hello
Is rtr 2 reachable?
Do you have local access to the rtr, so as to check the mgt configuration?
Can you put a debug on the mgt connection to/from rtr2 and see what the log buffer records?

example:
conf t
no logging console
logging buffered
access-list 100 permit tcp host <srchost> host <desthost> eq 22
access-list 100 permit tcp host <desthost> host <srchost> eq 22
end
debug condition interface <interface>
debug ip packet detail 100



Kind Regards
Paul