Cisco 9200L SSH Issues

bristi
Level 1

We are experiencing an unusual issue concerning SSH connections to Cisco 9200L switches. We recently migrated from Cisco 2960 switches to Cisco 9200L models. When connecting from the same network using a Linux server, SSH to the switches works successfully. However, SSH connections from other networks are not successful.

The default gateway is correctly set, and SSH is enabled on the switches. Notably, we still have one Cisco 2960 switch that was not replaced, and we can SSH into it from other networks without any problems. The IP addresses of the switches are on the same subnet, and we can ping them from other networks, but SSH connections fail.

I have consulted with TAC support, and they have reviewed the configuration, indicating that it appears correct. I also provided them with packet captures but have not yet received further feedback. Has anyone else encountered a similar issue and could provide insights or suggestions?

Additionally, the SSH connection issue is intermittent from other networks, but consistently works when connecting from a server on the same subnet. Any recommendations would be appreciated.

Cisco 9200L version is - C9200L-24P-4X 17.14.01 CAT9K_LITE_IOSXE

16 Replies

Can you share the topology and from which point you are trying to access via SSH?

MHM

For example, the management VLAN is on VLAN 99 with the network 192.168.99.x. Another VLAN is 100 with the network 192.168.100.x. We can ping the switches from VLAN 100 but are unable to SSH into them. However, we can establish a connection to the older 2960 switch from VLAN 100. The only way to SSH into the 9200 switches is by either hopping from another switch or using a Linux server on the same management VLAN. Upon reviewing the community discussions, it appears that the 9200 series switches employ a different algorithm compared to the 2960 series.

Sorry, are there any FWs in your network?

MHM

Yes, there are two firewalls configured for HA. However, I do not believe the issue is related to the firewalls, because, as I mentioned, the old Cisco 2960 switch is still accessible from other networks. The issue appears to be with the 9200L switches, which are not accessible. This is a very unusual problem.

How do the 2960 and 9300 switches connect to the FW?
The FW is a stateful device and allows traffic IN and OUT on the same interface and the same VLAN;
if this is not the same, the FW drops the traffic.
MHM

The 9200L setup consists of a stack of three switches, connected as shown in the attached screenshot. All other 2960 switches have been replaced with 9200 models. Only one 2960 switch remains in the infrastructure, and it is the only one accessible via SSH.

Screenshot.png

Are these two links configured as a port channel?

MHM

Sorry for the delay. There isn't a port channel configured.

So there are two links from the switch stack to the two HA FWs, and both links allow the same VLAN.
I think this is not correct.
Go back to your FW and check the best FW HA design: you must configure a PO between the FW HA pair and the stack switch, or use VSS or vPC.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-management-center/221664-integrate-redundant-solution-for-secure.html
MHM

You can check whether you have asymmetric routing by removing one link and testing again. I think it would not affect only your SSH; it would affect all other traffic as well.

MHM 
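The original poster already has packet captures, so one way to test MHM's asymmetric-routing theory is to look at the TCP handshakes to port 22 in those captures rather than at the SSH configuration. The following is an added example, not code from the thread or from Cisco. It assumes a capture taken on the switch side of the management VLAN, a management address of 192.168.99.10 for the 9200L stack, and VLAN 99 as 192.168.99.0/24 (the subnet named in the thread); the packet records are constructed. If a routed client's SYN arrives and the switch answers with a SYN-ACK, but no ACK ever comes back and the client keeps retransmitting SYNs, the reply is being lost on the return path, which is exactly what a stateful firewall does when the SYN-ACK comes back through the HA peer that never saw the SYN. A SYN with no SYN-ACK at all points at the switch itself (VTY access-class, transport input, or control-plane policing) rather than the path.

```python
import ipaddress
from collections import defaultdict

MGMT_SUBNET = ipaddress.ip_network("192.168.99.0/24")  # management VLAN 99 in the thread
SWITCH_IP = "192.168.99.10"  # assumed management address of the 9200L stack

# Constructed TCP packet records, as if exported from a capture on the switch's
# management interface: (seconds, src, dst, sport, dport, flags).
SAMPLE_PACKETS = [
    # Linux server on VLAN 99: complete three-way handshake, SSH works.
    (0.00, "192.168.99.50", SWITCH_IP, 51000, 22, "S"),
    (0.01, SWITCH_IP, "192.168.99.50", 22, 51000, "SA"),
    (0.02, "192.168.99.50", SWITCH_IP, 51000, 22, "A"),
    # Client on VLAN 100: SYN arrives, SYN-ACK leaves, the ACK never comes back
    # and the client retransmits its SYN: the return path is broken.
    (1.00, "192.168.100.20", SWITCH_IP, 40000, 22, "S"),
    (1.01, SWITCH_IP, "192.168.100.20", 22, 40000, "SA"),
    (2.00, "192.168.100.20", SWITCH_IP, 40000, 22, "S"),
    (2.01, SWITCH_IP, "192.168.100.20", 22, 40000, "SA"),
    (4.00, "192.168.100.20", SWITCH_IP, 40000, 22, "S"),
    (4.01, SWITCH_IP, "192.168.100.20", 22, 40000, "SA"),
    # A second VLAN 100 client that did get through (the problem is intermittent).
    (9.00, "192.168.100.21", SWITCH_IP, 40500, 22, "S"),
    (9.01, SWITCH_IP, "192.168.100.21", 22, 40500, "SA"),
    (9.02, "192.168.100.21", SWITCH_IP, 40500, 22, "A"),
    # A client whose SYNs the switch never answered at all.
    (12.0, "10.1.1.5", SWITCH_IP, 43000, 22, "S"),
    (13.0, "10.1.1.5", SWITCH_IP, 43000, 22, "S"),
]


def classify_flows(packets, server_ip=SWITCH_IP, server_port=22):
    """Group packets into client->server flows and classify each TCP handshake.

    Returns {(client_ip, client_port): state} with state one of
    'established', 'synack_unanswered' (reply lost on the return path) or
    'syn_unanswered' (the server never replied).
    """
    counts = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for _ts, src, dst, sport, dport, flags in packets:
        if dst == server_ip and dport == server_port:
            key = (src, sport)
            if "S" in flags and "A" not in flags:
                counts[key]["syn"] += 1
            elif "A" in flags and "S" not in flags:
                counts[key]["ack"] += 1
        elif src == server_ip and sport == server_port:
            key = (dst, dport)
            if "S" in flags and "A" in flags:
                counts[key]["synack"] += 1
    states = {}
    for key, c in counts.items():
        if c["ack"]:
            states[key] = "established"
        elif c["synack"]:
            states[key] = "synack_unanswered"
        else:
            states[key] = "syn_unanswered"
    return states


def summarize_by_locality(flow_states, mgmt_subnet=MGMT_SUBNET):
    """Count handshake outcomes for on-subnet clients versus routed clients.

    A clean split (on-subnet all established, routed clients mostly
    'synack_unanswered') is the asymmetric-return-path signature.
    """
    summary = {"on_subnet": defaultdict(int), "routed": defaultdict(int)}
    for (client_ip, _port), state in flow_states.items():
        bucket = "on_subnet" if ipaddress.ip_address(client_ip) in mgmt_subnet else "routed"
        summary[bucket][state] += 1
    return {bucket: dict(c) for bucket, c in summary.items()}


if __name__ == "__main__":
    states = classify_flows(SAMPLE_PACKETS)
    for (ip, port), state in sorted(states.items()):
        print(f"{ip}:{port:<6} {state}")
    print(summarize_by_locality(states))
```

Feed it the real capture (for example a tshark export of frame.time_relative, ip.src, ip.dst, tcp.srcport, tcp.dstport and tcp.flags) and compare the routed bucket before and after pulling one of the two firewall links, as MHM suggests; if the 'synack_unanswered' count drops to zero with a single path, the firewalls are dropping the asymmetric replies.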

Scott Leport
Level 7

Hello,

Complete stab in the dark, but I am basing it on an issue I've seen not too long ago which was similar. Make sure the command "ip classless" is configured on the switch you're trying to SSH to. If the line of config isn't in your current configuration, it will be enabled. Alternatively, just make sure that you've got the supported SSH cipher suites enabled on your kit to make the SSH connection, but it sounds like that's not a problem based on what you said in your original post.

Yes, it feels like stabbing in the dark. I've never encountered such an issue before. The command "ip classless" is already configured, but the problem still persists.

Hi there, 

When you did the switch migration, was the configuration carried over as-is, e.g. same VLANs, management IP, default gateway / default route etc? 

If you're unable to SSH from networks from outside the local subnet, but able to SSH from the same subnet, usually that's a default gateway / default route misconfiguration. It could be a subnet mask misconfiguration too (hence why I was asking about the "ip classless" configuration). 

If you debug SSH transactions on your affected switch, do you see it reaching the switch from an affected source network? 

Hello
Have you tried zeroizing SSH and testing again?

crypto key zeroize rsa
crypto key generate rsa general-keys modulus 2048
ip ssh version 2

or (if you have no local domain set)

crypto key generate rsa label SSH general-keys modulus 2048


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
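Scott asks whether the SSH attempt is even reaching the switch, the original poster mentions that the 9200 series may negotiate different algorithms than the 2960, and Paul's zeroize-and-regenerate step replaces the switch's host key. The client's own `ssh -vvv` output tells these apart, so here is an added example (not from the thread or from Cisco) that classifies that output by the stage at which the attempt failed. The debug excerpts below are constructed, written in the wording OpenSSH uses; the target address 192.168.99.10 is assumed. A failure before "Connection established." is a path or firewall problem and no SSH setting on the switch will fix it; "Unable to negotiate ... Their offer:" lists exactly what the switch supports; and "REMOTE HOST IDENTIFICATION HAS CHANGED" is what every client with an old known_hosts entry will see after `crypto key zeroize rsa` plus regeneration, which can look like a new outage if nobody expects it.

```python
import re

# Constructed ssh -vvv excerpts, one per failure mode (not captured from the poster's switches).
SAMPLE_TIMEOUT = """\
debug1: Connecting to 192.168.99.10 [192.168.99.10] port 22.
debug1: connect to address 192.168.99.10 port 22: Connection timed out
ssh: connect to host 192.168.99.10 port 22: Connection timed out
"""

SAMPLE_KEX_MISMATCH = """\
debug1: Connecting to 192.168.99.10 [192.168.99.10] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
Unable to negotiate with 192.168.99.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
"""

SAMPLE_HOSTKEY_CHANGED = """\
debug1: Connecting to 192.168.99.10 [192.168.99.10] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Host key verification failed.
"""

SAMPLE_SUCCESS = """\
debug1: Connecting to 192.168.99.10 [192.168.99.10] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version Cisco-1.25
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: Authentication succeeded (password).
"""

# OpenSSH reports the failed negotiation category and the peer's full list.
NEGOTIATE_RE = re.compile(
    r"Unable to negotiate with \S+ port \d+: no matching (?P<what>.+?) found\. "
    r"Their offer: (?P<offer>\S+)"
)

# Negotiation category -> ssh_config keyword that would re-enable the peer's algorithms.
CLIENT_OPTION = {
    "key exchange method": "KexAlgorithms",
    "host key type": "HostKeyAlgorithms",
    "cipher": "Ciphers",
    "MAC": "MACs",
}


def classify_ssh_debug(output):
    """Return (stage, detail) saying where an ssh -vvv attempt stopped."""
    if "Connection established." not in output:
        if "Connection timed out" in output or "No route to host" in output:
            return "tcp_unreachable", "no TCP handshake; check path and firewalls before SSH settings"
        if "Connection refused" in output:
            return "tcp_unreachable", "RST from target; nothing listening or VTY transport does not allow SSH"
        return "unknown", "TCP connection never established"
    if "REMOTE HOST IDENTIFICATION HAS CHANGED" in output:
        return "hostkey_changed", "host key differs from known_hosts (expected after crypto key zeroize/regenerate)"
    m = NEGOTIATE_RE.search(output)
    if m:
        return "algorithm_mismatch", f"{m['what']}; server offers {m['offer']}"
    if "banner exchange" in output or "kex_exchange_identification" in output:
        return "banner_failed", "TCP connected but the server dropped the session before key exchange"
    if "Authentication succeeded" in output:
        return "success", "SSH session established"
    return "unknown", "inspect the full debug output"


def suggest_client_option(output):
    """For an algorithm mismatch, build the one-off client option that adds the
    server's offer (diagnostic only; the real fix is stronger algorithms on the switch)."""
    m = NEGOTIATE_RE.search(output)
    if not m or m["what"] not in CLIENT_OPTION:
        return None
    return f"-o{CLIENT_OPTION[m['what']]}=+{m['offer']}"


if __name__ == "__main__":
    for name, sample in [("timeout", SAMPLE_TIMEOUT), ("kex", SAMPLE_KEX_MISMATCH),
                         ("hostkey", SAMPLE_HOSTKEY_CHANGED), ("ok", SAMPLE_SUCCESS)]:
        print(name, classify_ssh_debug(sample), suggest_client_option(sample))
```

Run the real attempt as `ssh -vvv user@192.168.99.10 2>&1 | tee ssh.log` from a VLAN 100 host and from the management-VLAN server, then classify both logs: if the routed client stops at `tcp_unreachable` while the local one reaches `success`, the switch's SSH configuration is not the variable and the firewall path is. Treat the `suggest_client_option` output as a diagnostic to confirm a mismatch, not as the fix; the switch should be moved to modern key exchange rather than the clients being made to accept SHA-1 groups.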