Cisco 9300 switch doesn't connect via SSH

Rick001
Level 1

I have a couple of switches that are trunked via a LAN cable from another switch. I noticed that I sometimes have a hard time SSHing into these switches. I get the error: "Connection timed out". After a while and a few tries I can connect just fine. I checked the logs (sh log) and don't really see anything helpful.

I have the following set on all the switches:

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa session-id common

line vty 0 4
access-class VTY-ACL in vrf-also
exec-timeout 9 59
logging synchronous
transport input ssh
transport output ssh
line vty 5 15
access-class VTY-ACL in vrf-also
exec-timeout 9 59
logging synchronous
no exec
transport input none
transport output none
line vty 16 31
exec-timeout 9 59
no exec
transport input none
transport output none

The switches are up with no interruption. I can console in fine.


Show line 

Show access-list VTY-ACL

Share both

MHM

#Show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -
      1 VTY              -    -      -    -    -     57       0     0/0       -
*     2 VTY              -    -      -    -    -      9       0     0/0       -
      3 VTY              -    -      -    -    -      0       0     0/0       -
      4 VTY              -    -      -    -    -      0       0     0/0       -
      5 VTY              -    -      -    -    -      0       0     0/0       -
      6 VTY              -    -      -    -    -      0       0     0/0       -
      7 VTY              -    -      -    -    -      0       0     0/0       -
      8 VTY              -    -      -    -    -      0       0     0/0       -
      9 VTY              -    -      -    -    -      0       0     0/0       -
     10 VTY              -    -      -    -    -      0       0     0/0       -
     11 VTY              -    -      -    -    -      0       0     0/0       -
     12 VTY              -    -      -    -    -      0       0     0/0       -
     13 VTY              -    -      -    -    -      0       0     0/0       -
     14 VTY              -    -      -    -    -      0       0     0/0       -
     15 VTY              -    -      -    -    -      0       0     0/0       -
     16 VTY              -    -      -    -    -      0       0     0/0       -
     17 VTY              -    -      -    -    -      0       0     0/0       -
     18 VTY              -    -      -    -    -      0       0     0/0       -
     19 VTY              -    -      -    -    -      0       0     0/0       -
     20 VTY              -    -      -    -    -      0       0     0/0       -
     21 VTY              -    -      -    -    -      0       0     0/0       -
     22 VTY              -    -      -    -    -      0       0     0/0       -
     23 VTY              -    -      -    -    -      0       0     0/0       -
     24 VTY              -    -      -    -    -      0       0     0/0       -
     25 VTY              -    -      -    -    -      0       0     0/0       -
     26 VTY              -    -      -    -    -      0       0     0/0       -
     27 VTY              -    -      -    -    -      0       0     0/0       -
     28 VTY              -    -      -    -    -      0       0     0/0       -
     29 VTY              -    -      -    -    -      0       0     0/0       -
     30 VTY              -    -      -    -    -      0       0     0/0       -
     31 VTY              -    -      -    -    -      0       0     0/0       -
     32 VTY              -    -      -    -    -      0       0     0/0       -
#Show access-list VTY-ACL
Extended IP access list VTY-ACL
    10 permit tcp 10.20.30.0 0.0.0.255 10.20.30.0 0.0.0.255 eq 22 (16 matches)
    20 permit tcp 10.20.30.0 0.0.15.255 10.20.30.0 0.0.0.255 eq 22 (92 matches)
    30 permit tcp host 10.20.30.100 10.20.30.0 0.0.15.255 eq 22
    70 deny ip any any log-input (11 matches)

When someone reports intermittent problems logging in remotely, my first thought is possible problems in accessing the authentication server. But the posted config shows no authentication server and that authentication uses local. So we need to look for something else.

The next thing that I thought about was the ACL used to restrict access to vty. I note that you are using an extended acl and I wonder why? I note that it restricts access to only tcp port 22. But that is not needed because the config of the vty excludes anything other than SSH. My experience is that an acl used for access-class is usually not effective in filtering on destination addresses, but your acl does seem to differentiate. Is this running on real equipment or is it on some emulator? I would suggest changing to a standard acl. But I believe that the acl is not related to your experience of intermittent problems with remote access.

My best guess about the intermittent problem with remote access is based on the observation that you have only 5 functional vty ports (no exec is configured on all other vty ports). If all 5 ports report they are active/connected then attempts to access will fail. When someone logs off (or is timed out due to inactivity) then your remote access is successful.

HTH

Rick
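A quick check of the two points raised above, as an added example that is not part of this thread: it maps the rows of `show line` to relative vty numbers and reports which exec-capable lines are free, and it evaluates the source side of the posted VTY-ACL with Cisco wildcard-mask semantics. The `show line` sample is constructed from the output posted earlier, and the script assumes (as the reply above notes) that access-class filters on the source address only.

```python
import re
import ipaddress

# Constructed sample modelled on the thread's "show line" output; "*" marks a line in use.
SHOW_LINE = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -
      1 VTY              -    -      -    -    -     57       0     0/0       -
*     2 VTY              -    -      -    -    -      9       0     0/0       -
      3 VTY              -    -      -    -    -      0       0     0/0       -
      4 VTY              -    -      -    -    -      0       0     0/0       -
"""
EXEC_VTYS = range(0, 5)  # relative vty numbers that keep "exec" in the posted config

def vty_rows(show_line):
    """Yield (relative_vty, in_use); Tty is absolute, so the first VTY row is vty 0."""
    first = None
    for row in show_line.splitlines():
        m = re.match(r"(\*?)\s*(\d+)\s+VTY\b", row)
        if m:
            absolute = int(m.group(2))
            first = absolute if first is None else first
            yield absolute - first, m.group(1) == "*"

def free_exec_vtys(show_line, exec_vtys=EXEC_VTYS):
    """Exec-capable VTYs with no session; an empty list means new SSH logins are refused."""
    busy = {vty for vty, in_use in vty_rows(show_line) if in_use}
    return [v for v in exec_vtys if v not in busy]

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)

# Source side of the VTY-ACL posted above (seq, action, network, wildcard); access-class
# is assumed to filter on source only, so destination and port are not modelled.
VTY_ACL = [
    (10, "permit", "10.20.30.0", "0.0.0.255"),
    (20, "permit", "10.20.30.0", "0.0.15.255"),
    (30, "permit", "10.20.30.100", "0.0.0.0"),     # host 10.20.30.100
    (70, "deny", "0.0.0.0", "255.255.255.255"),    # any
]

def acl_decision(src, acl=VTY_ACL):
    """First-match evaluation: (seq, action) of the entry that matched the source."""
    for seq, action, net, wc in acl:
        if wildcard_match(src, net, wc):
            return seq, action
    return None, "deny"  # implicit deny at the end of every ACL
```

Feed the real `show line` output into `free_exec_vtys` at the moment a login fails: an empty result confirms the exhausted-vty theory, while a non-empty one points back at connectivity.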

I've noticed that if from another switch I ping the IP of the switch I'm trying to SSH into, it then will let me SSH into it. I've also noticed that it happens to switches which are trunked to other 9300 switches via CAT 6 cabling. There are no other accounts trying to SSH into the switch.

debug ip tcp transactions
Debug ip ssh detail
Debug ip packet <acl> <<- the acl is used to make the debug show only packets from a specific IP (the IP of the mgmt PC)
Show tcp brief all

Until now we don't know if it is an issue of SSH or of connectivity.

Share above debug output from SW

MHM

I ran the show tcp br all command and it took a long time.

TCB Local Address Foreign Address (state)
7F68XXXXXX30 10.30.10.29.22 10.30.10.48.57472 ESTAB
7F68XXXXXXA0 ::.21111 *.* LISTEN
7F68XXXXXXE8 0.0.0.0.21111 *.* LISTEN
7F68XXXXXX18 ::.443 *.* LISTEN
7F68XXXXXX18 0.0.0.0.443 *.* LISTEN

Don't see anything odd in the show log.

7F68XXXXXX30 10.30.10.29.22 10.30.10.48.57472 ESTAB <<- if this IP 10.30.10.48 is the IP of the Admin PC you use to SSH to the SW, then
from this entry there is a connection, and it is not denied and does not have any L2/L3 issue.

Can you share the debug of ssh?

MHM

What is the command to view the debug of ssh?

Debug ip ssh packet <<<- run this debug when you ssh to SW

MHM

All I get is "ssh packet messages debugging is on"

No debug at all?

7F68XXXXXX30 10.30.10.29.22 10.30.10.48.57472 ESTAB

Why does this IP appear here, then?

MHM

I would assume it is the switch, but I don't recognize that IP. I looked through the sh run, but didn't find that IP. The second IP is my PC.

10.30.10.29.22

The SSH port 22 with this IP is the IP of the SW.

Double check IP

MHM

Sorry, didn't notice when I edited the IP here. So, the first IP under local is the switch itself.
