Access-List for vty lines on ISR-4331 running IOS-XE

Billm
Level 1

This is driving me insane.

I've looked at multiple posts; nothing works.

 

I just want access to vty lines from my inside network.

The latest:

 

ip access-list standard Inside-Machines
permit 10.10.0.0 0.0.255.255

 

line vty 0 4
access-class Inside-Machines in
exec-timeout 0 0
transport preferred none
transport input ssh
line vty 5 15
access-class Inside-Machines in
exec-timeout 0 0
transport preferred none
transport input ssh

Accepted Solution

It is likely that you are attempting to access this device on the management interface, and it is in a VRF. For the newer code versions, throw the "vrf-also" tag at the end of your access-class statement and it will work again, like so:

line vty 0 4
access-class STD_ACL_NAME in vrf-also


22 Replies

Hi

Your configuration looks fine; could you please provide more details about the problem? Also, from my point of view you are allowing a big network, 10.10.0.0/16. My suggestion is to provide access to the network administrator only, using /32 or the host command in the ACL.

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<
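The two points raised so far, the accepted "vrf-also" fix and the suggestion to tighten the ACL to /32 entries, come down to one question: given the ACL, the access-class line and the interface the SSH packet arrived on, does the vty admit the connection? The script below is an added example, not code from this thread or from Cisco. It parses IOS-style config text (standard named ACLs with wildcard, host and any entries; line vty blocks with access-class) and applies a simplified model of the documented access-class behaviour: without the vrf-also keyword, a connection arriving through an interface that belongs to a VRF is refused regardless of the ACL. The two config excerpts are constructed for the example, and the VRF name Mgmt-intf (the VRF the ISR 4k management port is normally placed in) is an assumption.

```python
import ipaddress
import re

# Constructed IOS-style config excerpts for this example (not the poster's
# real running-config). BROKEN has the shape of the original post: the ACL
# is correct, but the access-class line has no "vrf-also".
CONFIG_BROKEN = """\
ip access-list standard Inside-Machines
 permit 10.10.0.0 0.0.255.255
!
line vty 0 4
 access-class Inside-Machines in
 transport input ssh
line vty 5 15
 access-class Inside-Machines in
 transport input ssh
"""
# FIXED is the accepted answer applied to both vty ranges.
CONFIG_FIXED = CONFIG_BROKEN.replace("Inside-Machines in", "Inside-Machines in vrf-also")

_SECTION_START = re.compile(r"(interface|ip access-list|line|router|vrf definition)\b")

def _starts_section(line):
    return line == "!" or _SECTION_START.match(line) is not None

def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> IPv4Network. A wildcard is an inverted mask:
    0 bits must match, 1 bits are don't-care. Contiguous wildcards only."""
    wild = int(ipaddress.IPv4Address(wildcard))
    host_bits = wild.bit_length()
    if wild != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    # strict=False: IOS ignores address bits that the wildcard marks don't-care
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def parse_standard_acls(config):
    """Return {name: [(action, IPv4Network), ...]} per 'ip access-list standard'."""
    acls, current = {}, None
    entry = re.compile(r"(?:\d+\s+)?(permit|deny)\s+(.+?)(?:\s+log)?")
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"ip access-list standard (\S+)", line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        if current is None:
            continue
        m = entry.fullmatch(line)
        if m:
            action, words = m.group(1), m.group(2).split()
            if words[0] == "any":
                net = ipaddress.ip_network("0.0.0.0/0")
            elif words[0] == "host":
                net = ipaddress.ip_network(f"{words[1]}/32")
            elif len(words) == 1:          # bare address means a single host
                net = ipaddress.ip_network(f"{words[0]}/32")
            else:
                net = wildcard_to_network(words[0], words[1])
            current.append((action, net))
        elif _starts_section(line):
            current = None
    return acls

def acl_permits(entries, src_ip):
    """First matching entry wins; no match is the implicit deny."""
    src = ipaddress.IPv4Address(src_ip)
    for action, net in entries:
        if src in net:
            return action == "permit"
    return False

def parse_vty_access_class(config):
    """Return {'line vty A B': (acl_name, vrf_also) or None} per vty range."""
    policy, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if re.fullmatch(r"line vty \d+(?: \d+)?", line):
            current = line
            policy[current] = None
            continue
        if current is None:
            continue
        m = re.fullmatch(r"access-class (\S+) in( vrf-also)?", line)
        if m:
            policy[current] = (m.group(1), m.group(2) is not None)
        elif _starts_section(line):
            current = None
    return policy

def vty_admits(config, src_ip, src_vrf=None):
    """Simplified model of the inbound access-class check. src_vrf is the VRF of
    the interface the packet arrived through (None = global table). Without
    'vrf-also' a VRF-sourced connection is refused whatever the ACL says; with
    it the ACL decides. An ACL that is referenced but missing is treated as
    deny here (the model fails closed). Returns (admitted, reason)."""
    acls = parse_standard_acls(config)
    for vty, pol in parse_vty_access_class(config).items():
        if pol is None:
            continue  # no access-class on this range: any source reaches login
        acl_name, vrf_also = pol
        if src_vrf is not None and not vrf_also:
            return False, f"{vty}: arrived in VRF {src_vrf} but access-class lacks vrf-also"
        if not acl_permits(acls.get(acl_name, []), src_ip):
            return False, f"{vty}: {src_ip} denied by ACL {acl_name}"
    return True, "admitted on every vty range"

if __name__ == "__main__":
    for label, cfg in (("broken", CONFIG_BROKEN), ("fixed", CONFIG_FIXED)):
        for vrf in (None, "Mgmt-intf"):   # Mgmt-intf is an assumed VRF name
            print(f"{label:6} vrf={vrf!s:9} ->", vty_admits(cfg, "10.10.101.7", vrf))
```

Running it shows the symptom in the thread: the workstation 10.10.101.7 is inside 10.10.0.0/16, so the broken config admits it from the global table but refuses it when the packet arrives through the management VRF, and the fixed config admits it in both cases. The parser also handles "permit host 10.10.101.7" entries, so the same check can be rerun after the ACL is tightened to individual administrator hosts as suggested above.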

Hi,

Thanks for your response.

I will fine-tune it once it is working.

 

Once this configuration is in place I cannot SSH into the router.

I'm using MobaXterm and SSH'ing from my workstation addressed 10.10.101.7.

Could you please share your configuration or the show ssh and show ip ssh output?

 

Thank you in advance. 





C-F-ISR4331-1#sh ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-ctr hmac-sha1 Session started
0 2.0 OUT aes256-ctr hmac-sha1 Session started
1 2.0 IN aes256-ctr hmac-sha1 Session started
1 2.0 OUT aes256-ctr hmac-sha1 Session started
%No SSHv1 server connections running.

C-F-ISR4331-1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes256-ctr
MAC Algorithms:hmac-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 4096 bits

 

 

Hi,

Please try applying this command:

line vty 0 15

transport preferred ssh





No luck.

 

C-F-ISR4331-1#sh run | beg vty
line vty 0 4
 access-class Inside-Machines in
 exec-timeout 0 0
 transport preferred ssh
 transport input ssh
line vty 5 15
 access-class Inside-Machines in
 exec-timeout 0 0
 transport preferred ssh
 transport input ssh

Can you confirm for us that if you remove the access-class command from the vty that you are successful in SSH to the router from your machine? When you attempt SSH what happens? Do you get any prompt? Do you get any error message? It might be informative to turn on debug for SSH and attempt SSH to see what debug output is produced.

 

It is probably not related to the problem but I would advise against using exec-timeout 0 0. It is one thing to do this on the console (and has less impact). But doing this on vty means that a session will never time out. If someone has established a remote session to a vty and the session is terminated but not by a successful logout then that session just hangs on and that vty is tied up. I have seen numerous instances where people were not able to access their router because all of the vty were tied up with stale sessions. You can put a very long timeout if you want but I seriously advise against using no timeout for the vty.

 

HTH

 

Rick


Thanks for your reply. I don't make exec-timeout 0 0 a habit, just when I am working on a device. Before I decided to harden this router I could easily SSH to this router. I can easily SSH to the router when I remove the access-list.

I add it, as shown with the vty config:

 

C-F-ISR4331-1#sh run | beg vty
line vty 0 4
 access-class Inside-Machines in
 exec-timeout 0 0
 transport preferred ssh
 transport input ssh
line vty 5 15
 access-class Inside-Machines in
 exec-timeout 0 0
 transport preferred ssh
 transport input ssh

C-F-ISR4331-1#conf t
Configuration session is locked. The lock will be cleared once you exit out of configuration mode.
Enter configuration commands, one per line.  End with CNTL/Z.
C-F-ISR4331-1(config)#ip access-list standard Inside-Machines
C-F-ISR4331-1(config-std-nacl)# permit 10.10.0.0 0.0.255.255
C-F-ISR4331-1(config-std-nacl)#

 

Session stopped
    - Press <return> to exit tab
    - Press R to restart session
    - Press S to save terminal output to file

Network error: Connection refused

Can you tell us the IP of the device which is generating the SSH?

 

HTH

 

Rick


10.10.101.7/22

I am not clear about your environment. When you posted this

Session stopped
    - Press <return> to exit tab
    - Press R to restart session
    - Press S to save terminal output to file

Network error: Connection refused

is this from a terminal server or just the terminal emulator running on your PC?

What did you do to stop the session? Was it Ctrl-Z or something else?

At that prompt it does not appear that you pressed R or pressed S, so what did you do? And can we be sure that it did start another SSH session to the router?

 

One test would be to start debug for SSH on the router, do terminal monitor so that you can see output (being sure that logging monitor is enabled), and then make the config changes, and then from another device initiate an SSH request (need to have the original session to see any debug output)

 

After you make the change and have the problem how do you recover? Do you establish a console session and back the change out? Or do you just reboot the router to discard the change?

 

HTH

 

Rick


The output is from a failed MobaXterm SSH session on my PC. The router refused connection. When I initiate the SSH session that is what is returned in the connection window.

I tried debugging ip ssh.

There is no discernible helpful output.

With the access list applied the router is refusing connection.

After I make the change the initial ssh session is still up and I open up another ssh session to reproduce the failure output in my previous post. At that point I delete the access list.

 

Thanks,

Bill


 

Just to confirm my understanding:

- you have an active SSH session which you use to make the config change to implement access-class with the ACL.

- you leave that session active and initiate another SSH session from the PC

- the attempt for a new SSH is rejected

- using the active session you remove access-class and the ACL

- you then are successful in establishing a second SSH session from your PC

 

Would you test again, and this time, after making the config changes, please post the output of the commands show access-list and show line?

 

HTH

 

Rick


Hi Rick,

It is just as you say.

Commands executed after failure from the second ssh session initiation:

I had to attach the output, wouldn't play nice with formatting here.

BTW, access-list sl_def_acl is Cisco-defined.

 

Thanks.
