03-27-2024 07:07 AM
I have a couple of switches that are trunked via a LAN cable from another switch. I noticed that these switches sometimes have a hard time to SSH into. I get the error: "Connection timed out". After a while and a few tries I can connect just fine. I checked the logs (sh log) and don't really see anything helpful.
I have the following set on all the switches:
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
line vty 0 4
 access-class VTY-ACL in vrf-also
 exec-timeout 9 59
 logging synchronous
 transport input ssh
 transport output ssh
line vty 5 15
 access-class VTY-ACL in vrf-also
 exec-timeout 9 59
 logging synchronous
 no exec
 transport input none
 transport output none
line vty 16 31
 exec-timeout 9 59
 no exec
 transport input none
 transport output none
The switches are up with no interruption. I can console in fine.
03-27-2024 07:11 AM
Show line
Show access-list VTY-ACL
Share both
MHM
03-27-2024 07:24 AM
#show line
   Tty Typ   Tx/Rx   A Modem Roty AccO AccI  Uses Noise Overruns Int
     0 CTY           -   -    -    -    -       0     0      0/0  -
     1 VTY           -   -    -    -    -      57     0      0/0  -
*    2 VTY           -   -    -    -    -       9     0      0/0  -
     3 VTY           -   -    -    -    -       0     0      0/0  -
     4 VTY           -   -    -    -    -       0     0      0/0  -
     5 VTY           -   -    -    -    -       0     0      0/0  -
     6 VTY           -   -    -    -    -       0     0      0/0  -
     7 VTY           -   -    -    -    -       0     0      0/0  -
     8 VTY           -   -    -    -    -       0     0      0/0  -
     9 VTY           -   -    -    -    -       0     0      0/0  -
    10 VTY           -   -    -    -    -       0     0      0/0  -
    11 VTY           -   -    -    -    -       0     0      0/0  -
    12 VTY           -   -    -    -    -       0     0      0/0  -
    13 VTY           -   -    -    -    -       0     0      0/0  -
    14 VTY           -   -    -    -    -       0     0      0/0  -
    15 VTY           -   -    -    -    -       0     0      0/0  -
    16 VTY           -   -    -    -    -       0     0      0/0  -
    17 VTY           -   -    -    -    -       0     0      0/0  -
    18 VTY           -   -    -    -    -       0     0      0/0  -
    19 VTY           -   -    -    -    -       0     0      0/0  -
    20 VTY           -   -    -    -    -       0     0      0/0  -
    21 VTY           -   -    -    -    -       0     0      0/0  -
    22 VTY           -   -    -    -    -       0     0      0/0  -
    23 VTY           -   -    -    -    -       0     0      0/0  -
    24 VTY           -   -    -    -    -       0     0      0/0  -
    25 VTY           -   -    -    -    -       0     0      0/0  -
    26 VTY           -   -    -    -    -       0     0      0/0  -
    27 VTY           -   -    -    -    -       0     0      0/0  -
    28 VTY           -   -    -    -    -       0     0      0/0  -
    29 VTY           -   -    -    -    -       0     0      0/0  -
    30 VTY           -   -    -    -    -       0     0      0/0  -
    31 VTY           -   -    -    -    -       0     0      0/0  -
    32 VTY           -   -    -    -    -       0     0      0/0  -
#show access-list VTY-ACL
Extended IP access list VTY-ACL
10 permit tcp 10.20.30.0 0.0.0.255 10.20.30.0 0.0.0.255 eq 22 (16 matches)
20 permit tcp 10.20.30.0 0.0.15.255 10.20.30.0 0.0.0.255 eq 22 (92 matches)
30 permit tcp host 10.20.30.100 10.20.30.0 0.0.15.255 eq 22
70 deny ip any any log-input (11 matches)
03-27-2024 09:30 AM
When someone reports intermittent problems logging in remotely, my first thought is possible problems in accessing the authentication server. But the posted config shows no authentication server and that authentication uses local. So we need to look for something else.
The next thing that I thought about was the ACL used to restrict access to vty. I note that you are using an extended acl and I wonder why? I note that it restricts access to only tcp port 22. But that is not needed because the config of the vty excludes anything other than SSH. My experience is that an acl used for access-class is usually not effective in filtering on destination addresses, but your acl does seem to differentiate. Is this running on real equipment or is it on some emulator? I would suggest changing to a standard acl. But I believe that the acl is not related to your experience of intermittent problems with remote access.
My best guess about the intermittent problem with remote access is based on the observation that you have only 5 functional vty ports (no exec is configured on all other vty ports). If all 5 ports report they are active/connected then attempts to access will fail. When someone logs off (or is timed out due to inactivity) then your remote access is successful.
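Added example (not code from the thread): a small Python check of the vty-exhaustion explanation above. It parses a constructed `show line` sample modelled on the posted output together with the vty blocks of the posted config, and reports how many exec-capable vty lines exist and how many are busy. It assumes that vty 0 is the lowest-numbered VTY row of `show line` (tty 1 in the posted output, since tty 0 is the console).

```python
import re

# Constructed sample modelled on the "show line" output posted above;
# a "*" in the first column marks a line that currently has a session.
SHOW_LINE = """\
   Tty Typ  Tx/Rx  A Modem Roty AccO AccI Uses Noise Overruns Int
     0 CTY    -    -   -    -    -    -     0     0    0/0    -
     1 VTY    -    -   -    -    -    -    57     0    0/0    -
*    2 VTY    -    -   -    -    -    -     9     0    0/0    -
     3 VTY    -    -   -    -    -    -     0     0    0/0    -
     4 VTY    -    -   -    -    -    -     0     0    0/0    -
     5 VTY    -    -   -    -    -    -     0     0    0/0    -
     6 VTY    -    -   -    -    -    -     0     0    0/0    -
"""
# The vty blocks from the posted config, reduced to what matters here.
VTY_CONFIG = "line vty 0 4\n transport input ssh\nline vty 5 15\n no exec\n"

ROW_RE = re.compile(r"^(\*?)\s*(\d+)\s+(CTY|VTY|AUX|TTY)\b")

def parse_show_line(text):
    """Return [(tty, type, in_use)] for every line row in 'show line'."""
    return [(int(m.group(2)), m.group(3), m.group(1) == "*")
            for m in map(ROW_RE.match, text.splitlines()) if m]

def exec_capable_vtys(config):
    """Set of vty numbers whose 'line vty' block does not contain 'no exec'."""
    capable, block = set(), set()
    for line in config.splitlines() + ["line end"]:   # sentinel flushes last block
        line = line.strip()
        if line.startswith("line"):
            capable |= block
            m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
            block = set(range(int(m[1]), int(m[2] or m[1]) + 1)) if m else set()
        elif line == "no exec":
            block = set()                # this range can never hold a session
    return capable

def vty_capacity(show_line_text, config):
    """Return (usable, busy): exec-capable vty lines and how many are in use."""
    vtys = [r for r in parse_show_line(show_line_text) if r[1] == "VTY"]
    first_tty = min(tty for tty, _, _ in vtys)    # assumed: absolute tty of vty 0
    capable = exec_capable_vtys(config)
    usable = [r for r in vtys if r[0] - first_tty in capable]
    return len(usable), sum(1 for r in usable if r[2])

def vty_exhausted(show_line_text, config):
    """True when every exec-capable vty already has a session (new SSH will fail)."""
    usable, busy = vty_capacity(show_line_text, config)
    return usable > 0 and busy == usable
```

With the posted config and output this reports 1 of 5 usable vty lines busy; an intermittent timeout that clears when a session ends would show all 5 flagged with `*`.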
05-05-2024 06:03 AM
I've noticed that if from another switch I ping the IP of the switch I'm trying to SSH into, it then will let me SSH into it. I've also noticed that it happens to switches which are trunked to other 9300 switches via CAT 6 cabling. There are no other accounts trying to SSH into the switch.
05-05-2024 06:26 AM - edited 05-05-2024 08:54 AM
debug ip tcp transactions
debug ip ssh detail
debug ip packet <acl> <<- the acl is used to make the debug show only packets from a specific IP, the IP of the mgmt PC
show tcp brief all
Until now we don't know if it is an issue of SSH or connectivity.
Share the above debug output from the SW.
MHM
05-08-2024 09:48 AM - edited 05-08-2024 09:51 AM
I ran the show tcp br all command and it took a long time.
TCB           Local Address        Foreign Address      (state)
7F68XXXXXX30  10.30.10.29.22       10.30.10.48.57472    ESTAB
7F68XXXXXXA0  ::.21111             *.*                  LISTEN
7F68XXXXXXE8  0.0.0.0.21111        *.*                  LISTEN
7F68XXXXXX18  ::.443               *.*                  LISTEN
7F68XXXXXX18  0.0.0.0.443          *.*                  LISTEN
Don't see anything odd in the show log.
05-09-2024 12:20 AM
7F68XXXXXX30 10.30.10.29.22 10.30.10.48.57472 ESTAB <<- if this IP 10.30.10.48 is the admin PC you use to SSH to the SW, then
from this entry there is a connection and it doesn't deny or have any L2/L3 issue.
Can you share the debug of ssh?
MHM
05-09-2024 03:42 AM
What is the command to view the debug of ssh?
05-09-2024 03:46 AM
debug ip ssh packet <<<- run this debug when you SSH to the SW
MHM
05-09-2024 04:08 AM
All I get is "ssh packet messages debugging is on"
05-09-2024 04:13 AM
No debug at all?
7F68XXXXXX30 10.30.10.29.22 10.30.10.48.57472 ESTAB
Why does the IP appear here then?
MHM
05-09-2024 04:22 AM
I would assume it is the switch, but I don't recognize that IP. I looked through the sh run, but didn't find that IP. The second IP is my PC.
05-09-2024 04:32 AM
10.30.10.29.22
The SSH port 22 with this IP is IP of SW
Double check IP
MHM
05-09-2024 04:59 AM
Sorry, didn't notice when I edited the IP here. So, the first IP under local is the switch itself.