Remote router refusing Telnet and SSH connection attempts

adnan
Level 1

One of my remote 2650 routers (router1) is refusing all telnet and SSH connection attempts. I tried going through the other 2650 router (router2) at the same location and through the switch to various interfaces on router1 and had no luck. Router1 connects to ATT and router2 connects to Sprint for redundancy purposes. The router is alive, as I can ping the loopback address, but for some reason I can't access it. Any suggestions?

9 Replies

Richard Burts
Hall of Fame

Well if you can ping the router that pretty well rules out IP connectivity issues as the cause of the problem. I can think of a few other things that might cause this:

- if there is an access list and access-class applied to the vty it may not allow access from your address space.

- if it has been configured with transport input it would refuse the connection.

- if it was configured to authenticate remote sessions with some authentication server and can not communicate with the server and if there was no backup method of authentication configured it would refuse the connection.

- if the vty ports were configured with exec-timeout 0 and there are a bunch of hanging sessions the vty ports could all be occupied.

- if the vty ports were configured with no exec they would refuse the connection. (I have seen people configure no exec thinking that it was an abbreviation for no exec-timeout, but no exec is not an abbreviation; it is a separate command.)

Do you have a config of the router? If so please post it.

Has the router been accessible remotely before and this is a recent change in behavior? Or is this a recently deployed router and this is its behavior?

If you attempt remote access do you get any response? If so what?

For a few of these situations it might respond to being power cycled and begin to work again. Otherwise it may need someone to gain console access.

HTH

Rick

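The lockout causes listed in the reply above can be checked for mechanically before anyone resorts to a power cycle or a console trip. The following is an added example, not code from the thread or from Cisco: it takes the text of a running-config (as pasted from "show running-config") and flags the vty settings named above: an access-class on the line, a transport input that excludes the protocol you are using, an AAA login method list with no offline fallback, exec-timeout 0 0, and no exec. The sample config is constructed for illustration.

```python
"""Audit Cisco IOS 'line vty' stanzas for settings that make a router refuse
remote sessions while it still answers ping.

Added example (not from the thread). The config text below is constructed.
"""
import re

# Constructed running-config excerpt with several of the problem settings.
SAMPLE_CONFIG = """\
hostname router1
aaa new-model
aaa authentication login default group tacacs+
ip access-list standard MGMT
 permit 10.1.1.0 0.0.0.255
line con 0
 exec-timeout 15 0
line vty 0 4
 access-class MGMT in
 exec-timeout 0 0
 password 7 xxxxxxxxxxx
 transport input ssh
line vty 5 15
 no exec
 transport input none
"""

# Login methods that keep working when the AAA server is unreachable.
OFFLINE_METHODS = ("local", "enable", "line", "none")


def parse_line_blocks(config):
    """Return {'vty 0 4': [child lines, ...], ...} for every 'line ...' stanza.

    IOS indents a stanza's children with one space; a non-indented line ends it.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            m = re.match(r"line (\S.*)", raw)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def aaa_login_has_fallback(config):
    """True if the default login method list includes an offline method after
    the server group(s), or if no AAA login list is configured at all."""
    for line in config.splitlines():
        m = re.match(r"aaa authentication login default (.+)", line)
        if m:
            return any(x in OFFLINE_METHODS for x in m.group(1).split())
    return True  # no AAA login list: the line password or 'login local' applies


def audit_vty(config, expect_proto="ssh"):
    """Return a list of (where, finding) pairs for the lockout causes above."""
    findings = []
    if not aaa_login_has_fallback(config):
        findings.append(("aaa", "login method list has no offline fallback; "
                                "vty is refused when the server is unreachable"))
    for name, lines in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue
        for l in lines:
            if l.startswith("access-class"):
                findings.append((name, f"'{l}' restricts source addresses"))
            elif l.startswith("transport input"):
                allowed = l.split()[2:]
                if "all" not in allowed and expect_proto not in allowed:
                    findings.append((name, f"'{l}' does not allow {expect_proto}"))
            elif l == "exec-timeout 0 0":
                findings.append((name, "exec-timeout 0 0: idle sessions never "
                                       "close, so all vty lines can fill up"))
            elif l == "no exec":
                findings.append((name, "no exec: line refuses interactive sessions"))
    return findings


if __name__ == "__main__":
    for where, what in audit_vty(SAMPLE_CONFIG):
        print(f"[{where}] {what}")
```

Run it with the protocol you are actually using (`audit_vty(text, expect_proto="telnet")`) so that "transport input ssh" is reported when you are trying telnet, which is exactly the refusal described later in this thread.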

Rick,

Thanks for your response. The router has been accessible in the past and the transport on the vty line is configured for "input ssh". The response that I get when trying to access it via SSH in the SecureCRT telnet program is:

"Remote connection refused the connection. This means that the remote system does not provide the service you are trying to access, or that the service is being provided on a different port."

On a pure IP telnet, following is the message that I get.

" The specified address is not available from the local computer".

Even though I could ping the loopback address from the local computer.

There are several interesting pieces of information here. It is good to know that it has worked and therefore has (or had, subject to potentially someone making changes) a good config that would allow remote access.

Especially when you tell me that it was configured with transport input ssh, I think I can explain what happens when you attempt to telnet. The telnet sends a TCP SYN on port 23. The router will not accept telnet and probably sends an ICMP port unreachable. Your device translates that response to specified address is not available (technically should be specified port is not available).

I am wondering more about the possibility of all the vty ports being busy. Can you tell me if perhaps the vty ports were configured with exec-timeout 0 (or with a very long timeout)?

What is the possibility of getting someone to access the router via the console? Or what are the implications of rebooting the router?

HTH

Rick


Here is the config on the vty ports:

exec-timeout 15 0
password 7 xxxxxxxxxxx
transport input ssh

I am trying to get access via modem to look into the configs, and the last resort would be a reboot.

Check your SSH config and ensure you are using SSH v.1

Until very recently, only SSH version 1 was supported by Cisco.

Perhaps the SecureCRT config was accidentally changed or you're using a different profile.

Good Luck

Scott

I've had issues where the memory has become fragmented severely enough that there wasn't enough free memory to allow a connection. We do get an SNMP trap for the memory problem. Have you received any alerts? We also just ran into a bug where the vty sessions don't close, even when someone logs out. We use telnet not SSH, not yet anyway.

Our device:

Cat6509 running CatOS 7.6.6 and MSFC2 version 12.1.22(E2)

From TAC, Bug ID CSCef35192: Exec-timeout not working at more prompt as expected by customer

It's fixed in 12.1(22)EA03 and anything above that.

I finally got access to the router through the modem. Sounds weird, but I re-generated the encryption keys and was able to access the router via SSH/telnet.

In my case the aaa and vty lines were correct but it was the crypto modulus RSA keys that had not been run. Once that was done, I was able to login.

(config)# crypto key generate rsa general-keys modulus 1024

Thank you. Regenerating the crypto keys worked for me too.

Luckily I was fortunate enough to be able to SSH to another C2801 ISR via SecureCRT and then springboard from that to the C2801 that was refusing connections. From then it was just a case of:

conf t
aaa new-model
crypto key generate rsa modulus 2048

and I was then able to SSH directly to the box via SecureCRT. What is curious is that I had been able to SSH to the box previously, but on generating the new key I didn't get the prompt:


% You already have RSA keys defined named <your host name.your domain>
% They will be replaced.


Anyhow, for me the issue is resolved and it saved me a trip to site.

Best

Rich
