Terry MacDougal
Beginner

2960 and SSH

I can't seem to figure out why I am not allowed to SSH into a 2960 (The remote system refused the connection). The config is as follows:

version 15.0
!
enable secret 5 $1$uA9E$qWSBnSAMMylcZxoOIA0QV.
enable password 7 053C0303221C430C484456
!
username xxxxxxx password 7 106xxxxxxxxx
username jxxxxxxx password 7 012xxxxxxxxx
aaa new-model
!
aaa session-id common
!
interface Vlan2000
 description Device Management
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
ip default-gateway xxx.xxx.xxx.1
no ip http server
no ip http secure-server
!
line con 0
 password 7 142017070F54272E7569
 logging synchronous
line vty 0 4
 transport input ssh
 transport output ssh
line vty 5 15
 transport input ssh
 transport output ssh
!

Thanks

6 Replies
Mark Malone
Mentor

Hi

Are you running a K9 image? Yes, crypto and SSH require this.

If you are, reset the keys; that can be a common fix for SSH problems.

crypto key generate rsa ... hit return

Then type 1024 and hit return again.

If it's still not working after that, please post ... sho ip ssh

#sho ver
Cisco IOS Software, C2960S Software (C2960S-UNIVERSALK9-M), Version 15.0(2)SE8, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 13-May-15 23:10 by prod_rel_team

ROM: Bootstrap program is C2960S board boot loader
BOOTLDR: C2960S Boot Loader (C2960S-HBOOT-M) Version 12.2(55r)SE, RELEASE SOFTWARE (fc1)

System returned to ROM by power-on
System image file is "flash:c2960s-universalk9-mz.150-2.SE8.bin"

OK, so you have the correct image.

Check the show ip ssh; see if the keys are there like below and make sure it says enabled.

xxxxx#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): xse-b100vpn01.xilinx.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyrQpuadRnzHUi2LXHDt1O/+zBbepI2l3BKfgoshYp
8lb23Ke60W1cExZ6nBFUInh0bdoQSQhdp6YisWOukRhDlQmZ3fiut3y6V0cGDONC+hCOWttv3xGtz6YK
u9d083WyvHKMZuAffFwlMA6OMrqIlt8yNFXINQ5gICWOEx9pNw==

The next step, once all your SSH commands and keys are there, is to debug ip ssh while you're trying to connect; it will tell you where it's failing.

This is from a good output I just ran; sometimes you can see things like password fail or other indicators of what might be the issue.

1205542: *Mar 31 15:15:54.823 UTC: SSH2 1: MAC compared for #4 :ok
1205543: *Mar 31 15:15:54.823 UTC: SSH2 1: input: padlength 5 bytes
1205544: *Mar 31 15:15:54.823 UTC: SSH2 1: Using method = none
1205545: *Mar 31 15:15:54.823 UTC: SSH2 1: Authentications that can continue = publickey,keyboard-interactive,password
1205546: *Mar 31 15:15:54.823 UTC: SSH2 1: send:packet of  length 64 (length also includes padlen of 14)
1205547: *Mar 31 15:15:54.823 UTC: SSH2 1: computed MAC for sequence no.#5 type 51
1205548: *Mar 31 15:15:54.866 UTC: SSH2 1: ssh_receive: 100 bytes received
1205549: *Mar 31 15:15:54.866 UTC: SSH2 1: input: total packet length of 80 bytes
1205550: *Mar 31 15:15:54.866 UTC: SSH2 1: partial packet length(block size)16 bytes,needed 64 bytes,

#sho ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyXRJAGjZefs/PDGBQHkLami9bBeu6P37PB7MuiDmF
UCIhLCu/z+RPgf+0XCj1wE05VVwsi2jF/TKljeLvHGCp6WPzKr5u4cjl519R6Yp/9ZAav9/IcI55vWdu
iAd9XzoX+sAgXBWCC4EQpcPKgZSrtnZ6sYLd4XlZyB9HEGvqQDh9qmfdiU2PA229eWuE5FvKqEDrSMfi
vS4NugcUocfcdOdu+8XdVSQf408LX91uKTG15nFMwzO4U+wOlQh5VcGDvwRMoSTswNP0Ble9bBwCB7uB
YlxEwG1MjlhDmdctJ3eTYHYJh42n6Hs2+yMSzO3LxNVl+taXyP0zIU6rV2pv

That looks fine. You are local here and not coming across the WAN or through any other device that may have an ACL applied that could be preventing SSH access to this switch or mgmt. IP address?

I would check the debug next; make sure your SSH protocol traffic is actually reaching the switch, and if it is, it should tell you why it's blocking or refusing it.

For your reference, if I may add some SSH sample commands.

Image=?k9

ip domain-name domain
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 transport input ssh

http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html
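As an added example (not from any poster in this thread), a Python check that walks a running-config and a 'show ip ssh' output for the prerequisites the sample commands above list, and for the weak algorithms and 1024-bit DH floor visible in the quoted outputs. The config and output strings are constructed from the thread; the 'ip ssh dh min size' command is a real IOS command that not every image supports.

```python
import re

# Constructed sample: the SSH-relevant lines of the running-config posted in the question.
SAMPLE_CONFIG = """\
version 15.0
aaa new-model
line vty 0 4
 transport input ssh
 transport output ssh
line vty 5 15
 transport input ssh
 transport output ssh
"""

# Constructed sample, shaped like the 'show ip ssh' outputs quoted in the replies above.
SAMPLE_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Minimum expected Diffie Hellman key size : 1024 bits
"""

def check_ssh_config(config):
    """Return findings for the global commands and vty lines the SSH server depends on."""
    # The RSA key pair never shows in running-config; confirm it with 'show crypto key mypubkey rsa'.
    findings = []
    if not re.search(r"^ip domain[- ]name \S+", config, re.M):
        findings.append("missing 'ip domain-name' (required before 'crypto key generate rsa')")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("missing 'ip ssh version 2'")
    # Each 'line vty A B' header is followed by its space-indented child commands.
    for m in re.finditer(r"^(line vty \d+ \d+)\n((?: .*\n)*)", config, re.M):
        header, children = m.group(1), m.group(2)
        if not re.search(r"^ transport input .*\bssh\b", children, re.M):
            findings.append(f"{header}: 'transport input' does not permit ssh")
    return findings

def check_show_ip_ssh(output):
    """Return findings from 'show ip ssh': server state, DH floor and weak algorithms offered."""
    findings = []
    if not output.startswith("SSH Enabled"):
        findings.append("SSH server not enabled: no RSA key pair, or ip ssh not configured")
    dh = re.search(r"Diffie Hellman key size : (\d+) bits", output)
    if dh and int(dh.group(1)) < 2048:
        # 'ip ssh dh min size 2048' exists on newer IOS images; check that yours supports it.
        findings.append(f"DH minimum is {dh.group(1)} bits; raise it with 'ip ssh dh min size 2048'")
    for algo in re.findall(r"\b(?:3des-cbc|aes\d+-cbc|hmac-sha1-96|hmac-md5)\b", output):
        findings.append(f"weak algorithm offered: {algo}")
    return findings
```

Run against the posted config, the first check reports the two missing global commands; run against the quoted outputs, the second flags the CBC ciphers, hmac-sha1-96 and the 1024-bit DH minimum.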