Cisco Catalyst 2959 - SSH access "connection refused"

geruetzel
Level 1

Hi everybody, I am relatively new to the world of Cisco.

I managed to configure my switch to allow SSH access, which worked fine until half an hour ago.

When I try to connect via PuTTY I get the error message "Network error: connection refused".

Here is my running-config:

Current configuration : 1683 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SW2
!
enable secret 5 $1$eOdi$b8sqR/ZgrwmYsV3QbIarN1
enable password 7 005518012F480F072D
!
username geruetzel password 7 1543000B2F392F250A72
ip subnet-zero
!
ip domain-name geruetzel.com
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface Vlan1
 ip address 10.0.0.1 255.0.0.0
 no ip route-cache
!
ip http server
!
line con 0
line vty 0 4
 password 7 0355500C2D1C254D6C48
 login local
 transport input ssh
line vty 5 15
 password 7 1446190C27172E2A0669
 login local
 transport input ssh
!
!
end

Can someone help me find the problem?

Thank you very much.

By the way, is there no spoiler function in this forum?

5 Replies

Hello,

First, there is a quote button (right next to smiley icon) in the menu above your answer field.

Second, I see no RSA key in your config output. Please check your config again; it should look something like this:

crypto pki trustpoint TP-self-signed-1900006654
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1900006654
revocation-check none
rsakeypair TP-self-signed-1900006654
!
!
crypto pki certificate chain TP-self-signed-1900006654
certificate self-signed 01
  XXXXXXXXX 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31393030 30303636 3536301E 170D3933 30333031 30303031
  34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 39303030
  30363635 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BBE3 3B881EE0 75F7C192 C31C15CD 2118F401 39A87B45 D9D7D391 E29B2A9D
  3DCC9A75 AF3850AD D4F6A09C 15EA386A 88688875 0351CF31 46D7190A CB6AFAB5
  EB045167 60F892DE AF188B8A F967F89E E7AF5EE0 8244619F 3D645A0F CAE29903
  D44CDC50 C3E18FC8 344B8D1B 96C38821 DEC66756 560A433D 9E436677 4B78AA96
  7D8D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
  551D1104 17301582 134C656F 6E617264 6F2E686F 6D652E6C 6F63616C 301F0603
  551D2304 18301680 14C05543 92F8B319 53E8DBE5 13C7016C 61269245 FC301D06
  03551D0E 04160414 C0554392 F8B31953 E8DBE513 C7016C61 269245FC 300D0609
  2A864886 F70D0101 04050003 81810073 EECCE1F1 XXXXXXXX 088A1F30 4F422E05
  B202C032 CB88B8F6 E4B31A8C 6424EF1E 9271F4F3 12EA3E02 02AC2F63 7565270B
  4D7995CB C556FB5E DE6E8584 411777F4 0B44F5C4 834D17F6 2B88920C 02964537
  6BCD74BC 8D025498 E2DB0434 A7DE6061 9F7FA9CD XXXXXXXXX E8699865 9DC44831
  E5A16127 91830404 DC27E426 3BA0F7
  quit
!

Or at least like this:

crypto pki token default removal timeout 0

You can also reinitialize your rsa key pairs by typing the following in the Global Configuration EXEC mode:

crypto key generate rsa
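An added diagnostic to go with the reply above; it is not part of the thread and not Cisco code. PuTTY's "connection refused" is a TCP-level result: the switch answered the SYN to port 22 with a RST, so nothing was accepting connections there. On IOS that is exactly what a missing RSA key pair produces, because the SSH server never starts and `transport input ssh` leaves no other listener on the vty lines. The probe below separates that case from "listening but failing later" (authentication, vty availability, client settings) by reading the SSH identification string the server must send first. The fake loopback server, its banner text and the ephemeral port are constructed for the example; the only assumption about a real switch is that a running SSH server sends a first line beginning with `SSH-`, which the SSH transport protocol requires.

```python
import socket
import threading

# Illustrative banner for the fake server only. The exact string a Catalyst
# sends depends on the IOS release, so do not treat it as a fingerprint.
FAKE_BANNER = b"SSH-2.0-Cisco-1.25\r\n"


def probe_ssh(host, port=22, timeout=3.0):
    """Open a TCP connection to host:port and classify what happened.

    Returns {"state": ..., "banner": ...} where state is one of
      refused    RST came back: nothing is listening (on IOS, typically no
                 RSA key pair, so the SSH server never started)
      timeout    no answer at all: routing, filtering, or wrong address
      ssh        an SSH identification line arrived: the daemon is up and
                 the failure, if any, happens after the TCP handshake
      no-banner  the port accepted the connection but sent nothing in time
      error      any other socket error, text in "banner"
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                data = b""
    except ConnectionRefusedError:
        return {"state": "refused", "banner": ""}
    except socket.timeout:
        return {"state": "timeout", "banner": ""}
    except OSError as exc:
        return {"state": "error", "banner": str(exc)}

    first_line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if first_line.startswith("SSH-"):
        return {"state": "ssh", "banner": first_line}
    return {"state": "no-banner", "banner": first_line}


def start_fake_ssh_server(banner=FAKE_BANNER):
    """Listen on an ephemeral loopback port and answer one connection with
    `banner`; stands in for a switch whose SSH server is running.
    Returns (listening_socket, port). Close the socket to take the
    'server' away again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        try:
            conn, _ = srv.accept()
        except OSError:
            return  # listener closed before anyone connected
        with conn:
            conn.sendall(banner)

    threading.Thread(target=serve_once, daemon=True).start()
    return srv, port


def demo():
    """Probe the fake server while it listens, then the same port after it
    has gone: the second result is the 'connection refused' case."""
    srv, port = start_fake_ssh_server()
    while_listening = probe_ssh("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = probe_ssh("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_ssh(sys.argv[1]))          # e.g. python probe.py 10.0.0.1
    else:
        for label, result in zip(("listening", "closed"), demo()):
            print(f"{label}: {result}")
```

Run it from a host on the switch's subnet with the management address as the argument. A result of `refused` points at the SSH server not running, so check `show ip ssh` and generate the key pair; a result of `ssh` means the key and transport are fine and the failure lies in login or line availability, which the probe cannot see.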

Seb Rupik
VIP Alumni

You'll probably need the following global command to enable SSH:

crypto key generate rsa modulus 1024

Sent from Cisco Technical Support Android App

I would like some clarification from the original poster. You say that it worked fine till a half hour ago. Are you saying that SSH was working fine and then it stopped?

Was some change made a half hour ago?

Do you have console access to the switch? If so would you post the output of show ip ssh

HTH

Rick

Sorry for digging, but I had the same problem.

My issue was that all 15 possible vty sessions were in use and hadn't timed out.

#show ssh revealed that all 15 connections had a status of "session started" although nobody was actually using those connections.

This is because of the exec-timeout 0 0 configured under line vty 0 15.

#who confirmed that the sessions had been hanging for days:


DLS1#who
    Line       User       Host(s)              Idle       Location
   2 vty 1     admin      idle                    5d16h 10.113.214.148
   3 vty 2     admin      idle                    6d17h 10.113.214.148
   5 vty 4     admin      idle                    5d00h 10.113.214.148
   6 vty 5     admin      idle                    5d21h 10.113.214.148
   7 vty 6     admin      idle                    5d19h 10.113.214.148
   9 vty 8     admin      idle                    4d22h 10.113.214.148
  10 vty 9     admin      idle                    4d17h 10.113.214.148
  11 vty 10    admin      idle                    3d16h 10.113.214.196
  12 vty 11    admin      idle                    4d00h 10.113.214.148
  13 vty 12    admin      idle                 20:13:53 10.113.214.196
  14 vty 13    admin      idle                 16:44:06 10.113.214.197
  15 vty 14    admin      idle                 18:37:16 10.113.214.148
* 16 vty 15    admin      idle                 00:01:48 10.113.214.196

Manually disconnecting the sessions didn't help much. I had to reboot the switch.

I am surprised that disconnecting sessions did not allow you to establish new sessions. Were you doing a disconnect command or were you using clear line n?

It has been a while since I have seen a post about the subject of exec-timeout 0 0. So I would like to thank you for pointing out the potential difficulty of configuring this on vty ports. It may be just fine to have exec-timeout 0 0 on the console. But configuring it on vty is an invitation to have a problem. You can set relatively long timeout if you wish, but it is certainly a Best Practice to have some timeout on the vty lines.

HTH

Rick
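An added example for the vty-exhaustion case discussed in the last two posts; it is not from the thread and not Cisco code. It parses the `who` / `show users` table, converts the Idle column (IOS prints `hh:mm:ss`, `5d16h` or `1w2d` depending on age) to seconds, and emits the `clear line <absolute tty>` commands Rick refers to for every vty session idle longer than a threshold. It never selects the `*` row, which is the session running the command. The sample input is the DLS1 output posted above with one console row added by hand so the parser has to handle a line with no user and no location; that row, the threshold and the function names are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the "who" output posted in the thread, plus a console
# row (line 0) added for the example so that an empty User column and an
# empty Location column are exercised.
SAMPLE_WHO = """\
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:07
   2 vty 1     admin      idle                    5d16h 10.113.214.148
   3 vty 2     admin      idle                    6d17h 10.113.214.148
   5 vty 4     admin      idle                    5d00h 10.113.214.148
   6 vty 5     admin      idle                    5d21h 10.113.214.148
   7 vty 6     admin      idle                    5d19h 10.113.214.148
   9 vty 8     admin      idle                    4d22h 10.113.214.148
  10 vty 9     admin      idle                    4d17h 10.113.214.148
  11 vty 10    admin      idle                    3d16h 10.113.214.196
  12 vty 11    admin      idle                    4d00h 10.113.214.148
  13 vty 12    admin      idle                 20:13:53 10.113.214.196
  14 vty 13    admin      idle                 16:44:06 10.113.214.197
  15 vty 14    admin      idle                 18:37:16 10.113.214.148
* 16 vty 15    admin      idle                 00:01:48 10.113.214.196
"""

# One table row. The User column may be empty (console), and Location may be
# empty, so both are optional; the Idle column anchors the match.
ROW_RE = re.compile(
    r"^\s*(?P<cur>\*)?\s*(?P<tty>\d+)\s+"
    r"(?P<line>(?:con|aux|tty|vty)\s+\d+)\s+"
    r"(?:(?P<user>\S+)\s+)?"
    r"(?P<host>\S+)\s+"
    r"(?P<idle>\d+w\d+d|\d+d\d+h|\d{1,2}:\d{2}:\d{2})"
    r"(?:\s+(?P<loc>\S+))?\s*$"
)
IDLE_RE = re.compile(r"^(?:(\d+)w(\d+)d|(\d+)d(\d+)h|(\d+):(\d+):(\d+))$")


def idle_seconds(text: str) -> int:
    """Convert an IOS idle-time column (1w2d, 5d16h, 20:13:53) to seconds."""
    m = IDLE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised idle time: {text!r}")
    w, wd, d, h, hh, mm, ss = m.groups()
    if w is not None:
        return int(w) * 7 * 86400 + int(wd) * 86400
    if d is not None:
        return int(d) * 86400 + int(h) * 3600
    return int(hh) * 3600 + int(mm) * 60 + int(ss)


@dataclass
class Session:
    tty: int          # absolute line number, what "clear line N" takes
    line: str         # e.g. "vty 15"
    user: str
    host: str
    idle: int         # seconds
    location: str
    current: bool     # the "*" row: the session running the command


def parse_who(output: str) -> List[Session]:
    """Rows of a who / show users table; header and unknown lines are skipped."""
    sessions = []
    for raw in output.splitlines():
        m = ROW_RE.match(raw)
        if not m:
            continue
        sessions.append(Session(
            tty=int(m["tty"]),
            line=re.sub(r"\s+", " ", m["line"]),
            user=m["user"] or "",
            host=m["host"],
            idle=idle_seconds(m["idle"]),
            location=m["loc"] or "",
            current=m["cur"] is not None,
        ))
    return sessions


def stale_vty_sessions(output: str, max_idle: int) -> List[Session]:
    """vty sessions idle longer than max_idle seconds, excluding our own line."""
    return [s for s in parse_who(output)
            if s.line.startswith("vty") and not s.current and s.idle > max_idle]


def clear_line_commands(output: str, max_idle: int = 3600) -> List[str]:
    """The IOS commands that would free the stale lines."""
    return [f"clear line {s.tty}" for s in stale_vty_sessions(output, max_idle)]


if __name__ == "__main__":
    import sys
    text = SAMPLE_WHO if sys.stdin.isatty() else sys.stdin.read()
    for cmd in clear_line_commands(text):
        print(cmd)
```

Paste the real `show users` output on stdin to get the command list for a live switch; with the sample above and the default one-hour threshold it produces twelve `clear line` commands and leaves line 16 alone. The poster above reports that clearing did not free the lines on that switch and a reboot was needed, so treat the commands as the first thing to try, not a guarantee. The durable fix is the one Rick gives: a non-zero `exec-timeout` on the vty lines so hung sessions are reclaimed without anyone running this script.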