
Disable SSH time-out not working

sSiDs
Level 1

Hi team!

I am managing C9300 through MGMT int g0/0

I have tried different settings to prevent SSH disconnects, but anyhow... it happens.

Any ideas? Maybe I have mis-checked something elsewhere?

000291: Jan 13 19:01:51 MSK: %SYS-6-LOGOUT: User sid has exited tty session 0()
000292: Jan 14 07:40:15 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000293: Jan 14 07:40:15 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: sid] [Source: 192.168.200.200] [localport: 22] at 07:40:15 MSK Thu Jan 14 2021
000294: Jan 14 07:40:15 MSK: %SSH-5-SSH2_USERAUTH: User 'sid' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000295: Jan 14 07:50:17 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
000296: Jan 14 07:50:17 MSK: %SYS-6-LOGOUT: User sid has exited tty session 1(192.168.200.200)
000297: Jan 14 07:50:17 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user 'sid' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000298: Jan 14 08:54:29 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000299: Jan 14 08:54:29 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: sid] [Source: 192.168.200.200] [localport: 22] at 08:54:29 MSK Thu Jan 14 2021
000300: Jan 14 08:54:29 MSK: %SSH-5-SSH2_USERAUTH: User 'sid' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000301: Jan 14 08:54:45 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid  logged command:system mtu 9198
000302: Jan 14 08:54:58 MSK: %SYS-5-CONFIG_I: Configured from console by sid on vty0 (192.168.200.200)
000303: Jan 14 09:05:22 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
000304: Jan 14 09:05:22 MSK: %SYS-6-LOGOUT: User sid has exited tty session 1(192.168.200.200)
000305: Jan 14 09:05:22 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user 'sid' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000306: Jan 14 09:08:36 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000307: Jan 14 09:08:36 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: sid] [Source: 192.168.200.200] [localport: 22] at 09:08:36 MSK Thu Jan 14 2021
000308: Jan 14 09:08:36 MSK: %SSH-5-SSH2_USERAUTH: User 'sid' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000309: Jan 14 09:19:01 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
000310: Jan 14 09:19:01 MSK: %SYS-6-LOGOUT: User sid has exited tty session 1(192.168.200.200)
000311: Jan 14 09:19:01 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user 'sid' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000312: Jan 14 09:37:02 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000313: Jan 14 09:37:02 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: sid] [Source: 192.168.200.200] [localport: 22] at 09:37:02 MSK Thu Jan 14 2021
000314: Jan 14 09:37:02 MSK: %SSH-5-SSH2_USERAUTH: User 'sid' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000315: Jan 14 09:37:18 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid  logged command:line vty 5 15
000316: Jan 14 09:37:24 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid  logged command:exec-timeout 0
000317: Jan 14 09:37:34 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid  logged command:session-timeout 0
000318: Jan 14 09:37:37 MSK: %SYS-5-CONFIG_I: Configured from console by sid on vty0 (192.168.200.200)
000319: Jan 14 09:38:46 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid  logged command:line vty 5 15
000320: Jan 14 09:38:49 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid  logged command:logging synchronous 
000321: Jan 14 09:41:41 MSK: %SYS-5-CONFIG_I: Configured from console by sid on vty0 (192.168.200.200)
000322: Jan 14 09:51:43 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
000323: Jan 14 09:51:43 MSK: %SYS-6-LOGOUT: User sid has exited tty session 1(192.168.200.200)
000324: Jan 14 09:51:43 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user 'sid' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000325: Jan 14 09:55:51 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000326: Jan 14 09:55:51 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: sid] [Source: 192.168.200.200] [localport: 22] at 09:55:51 MSK Thu Jan 14 2021
000327: Jan 14 09:55:51 MSK: %SSH-5-SSH2_USERAUTH: User 'sid' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
MSK-CORE-C9300# 
MSK-CORE-C9300#
MSK-CORE-C9300#
MSK-CORE-C9300#
MSK-CORE-C9300#sh run | i ssh
ip ssh authentication-retries 5
ip ssh logging events
ip ssh version 2
ip ssh stricthostkeycheck
ip ssh rekey time 120
ip ssh rekey volume 1000000
ip ssh server algorithm mac hmac-sha1 hmac-sha1-96
ip ssh server algorithm encryption aes128-cbc aes256-cbc
 transport preferred ssh
 transport input ssh
 transport output ssh
MSK-CORE-C9300#sh run | s line
line con 0
 session-timeout 120  output
 exec-timeout 120 35
 logging synchronous
 exec prompt timestamp
 stopbits 1
line vty 5 15
 exec-timeout 0 0
 logging synchronous
 exec prompt timestamp
 transport preferred ssh
 transport input ssh
 transport output ssh
MSK-CORE-C9300#
MSK-CORE-C9300#sh line vty 5
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      6 VTY              -    -      -    -    -      0       0     0/0       -

Line 6, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: No Exit Banner
Capabilities: Timestamp Enabled
Modem state: Idle
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none         
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
                never         never                        none     not set
                            Idle Session Disconnect Warning
                              never 
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set 
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are ssh.
Allowed output transports are ssh.
Preferred transport is ssh.
Shell: enabled
Shell trace: off
No output characters are padded
No special data dispatching characters
MSK-CORE-C9300#sh line co   
MSK-CORE-C9300#sh line console 0
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -

Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 1 stopbits, 8 databits
Status: Ready
Capabilities: Output non-idle, Timestamp Enabled
Modem state: Ready
Switch 1: RJ45 Console is in use
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none         
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               02:00:35       02:00:00                       none     not set
Session idle time reset by output.
                            Idle Session Disconnect Warning
                              never 
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set 
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet ssh.
Preferred transport is telnet.
Shell: enabled
Shell trace: off
No output characters are padded
No special data dispatching characters
MSK-CORE-C9300#
MSK-CORE-C9300#
MSK-CORE-C9300#who
    Line       User       Host(s)              Idle       Location
*  1 vty 0     sid        idle                 00:00:00 192.168.200.200

  Interface    User               Mode         Idle     Peer Address
Accepted Solutions

sSiDs
Level 1

No.

I completely removed all users, aaa, ip ssh key etc. and configured from scratch.

No disconnects for now....

Maybe some bug....

15 Replies

Hello,

the config looks correct. The only thing I can think of is to disable ssh rekeying:

no ip ssh rekey

What device is the SSH session initiated from? Is it possible that the initiating device itself is causing the timeout?

I am using VanDyke SecureCRT for SSH-ing. First time I see that problem.

Will try no ip ssh rekey.

sSiDs
Level 1

No luck... still disconnects. It looks like a 10-minute timeout... but there isn't any mention of it in the config.

I could assume, maybe this is the behaviour of mgmt interface g0/0 by default? But I never saw it before on other routers or switches.

Configuring a C9300 for the first time.

000506: Jan 14 11:24:50 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid  logged command:no vlan 220
000507: Jan 14 11:24:52 MSK: %SYS-5-CONFIG_I: Configured from console by sid on vty0 (192.168.200.200)
000508: Jan 14 11:34:55 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
000509: Jan 14 11:34:55 MSK: %SYS-6-LOGOUT: User sid has exited tty session 1(192.168.200.200)
000510: Jan 14 11:34:55 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user 'sid' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
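
The 10-minute pattern can be checked against the output already posted in this thread. The following is an added example, not part of any post: it reads excerpts of the sh run | s line, who and syslog output, reports which vty the session occupies and which exec-timeout covers that line. The helper names are hypothetical, and the 10-minute value is the IOS default exec-timeout for a line with no explicit setting.

```python
import re
from datetime import datetime
# Added example (hypothetical helper names); excerpts copied from the thread's output.
RUNNING_CONFIG = """\
line con 0
 exec-timeout 120 35
line vty 5 15
 exec-timeout 0 0
"""
WHO_LINE = "*  1 vty 0     sid        idle                 00:00:00 192.168.200.200"
SYSLOG = """\
000293: Jan 14 07:40:15 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: sid] [Source: 192.168.200.200] [localport: 22] at 07:40:15 MSK Thu Jan 14 2021
000295: Jan 14 07:50:17 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
000321: Jan 14 09:41:41 MSK: %SYS-5-CONFIG_I: Configured from console by sid on vty0 (192.168.200.200)
000322: Jan 14 09:51:43 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
"""
IOS_DEFAULT = (10, 0)  # assumption: exec-timeout (min, sec) of a line with no explicit setting

def vty_exec_timeouts(config):
    """Map each 'line vty A B' range in the config to its exec-timeout."""
    ranges, current = {}, None
    for line in config.splitlines():
        head = re.match(r"line vty (\d+)(?: (\d+))?\s*$", line)
        if head:
            first = int(head.group(1))
            current = (first, int(head.group(2) or first))
            ranges[current] = IOS_DEFAULT
        elif not line.startswith(" "):
            current = None  # left the vty block (another top-level command)
        elif current and (t := re.match(r" exec-timeout (\d+)(?: (\d+))?", line)):
            ranges[current] = (int(t.group(1)), int(t.group(2) or 0))
    return ranges

def effective_timeout(config, vty):
    """exec-timeout for one vty number; the default if no configured range covers it."""
    for (first, last), timeout in vty_exec_timeouts(config).items():
        if first <= vty <= last:
            return timeout
    return IOS_DEFAULT

def session_vty(who_line):
    """vty number of the session shown in a `who` line."""
    return int(re.search(r"vty (\d+)", who_line).group(1))

def idle_before_expiry(syslog, year=2021):
    """Seconds from the previous log entry to each exec-timer expiry."""
    gaps, last = [], None
    for line in syslog.splitlines():
        stamp = re.search(r"[A-Z][a-z]{2} +\d+ [\d:]{8}", line).group()
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if "TTY_EXPIRE_TIMER" in line and last:
            gaps.append(int((ts - last).total_seconds()))
        last = ts
    return gaps
```

On the posted data the session sits on vty 0, outside the line vty 5 15 range that carries exec-timeout 0 0, and each expiry comes 602 seconds after the previous log entry.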

sSiDs
Level 1

Hello,

how are you authenticating? Locally or through e.g. TACACS?

sSiDs
Level 1

local

MSK-CORE-C9300#sh run | i aaa
aaa new-model
aaa local authentication attempts max-fail 5
aaa local authentication default authorization default
aaa authentication login default local
aaa authentication webauth default local
aaa authorization console
aaa authorization exec default local 
aaa common-criteria policy AAA
aaa login success-track-conf-time 24
aaa session-id common

Hello,

since you (apparently) have no external TACACS server, I wonder if there is an implicit timeout in TACACS. Can you try to, for the sake of testing, get rid of AAA altogether, and just use local authentication?

no aaa new-model
!
username admin privilege 15 password 0 cisco
!
line vty 0 4
--> login local
exec-timeout 0 0
logging synchronous
exec prompt timestamp
transport preferred ssh
transport input ssh
transport output ssh
!
line vty 5 15
--> login local
exec-timeout 0 0
logging synchronous
exec prompt timestamp
transport preferred ssh
transport input ssh
transport output ssh

marce1000
VIP

 

 - If an external (AAA)-authenticating user/profile is being used, make sure it has or has not a timeout setting according to intended SSH usage.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

We don't have TACACS or any ISE or RADIUS yet.

sSiDs
Level 1

Recently I installed an ISR4351

and just copied the aaa settings to the C9300.

On the 4351 there weren't SSH disconnects.... it is odd

Hello,

try and zeroize the rsa key:

crypto key zeroize rsa

and generate a new one with a different modulus.

crypto key generate rsa

It is possible that SecureCRT and the 9300 use other default parameters...

sSiDs
Level 1

Oh god.... now it completely doesn't let SSH in ^(

MSK-CORE-C9300#sh logg | b 000567: Jan 14 1
000567: Jan 14 15:34:16 MSK: %SYS-5-CONFIG_I: Configured from console by console
000568: Jan 14 15:34:58 MSK: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair2 has been generated or imported by SLA-KeyPair2
000569: Jan 14 15:35:38 MSK: %CALL_HOME-5-SL_MESSAGE_FAILED: Fail to send out Smart Licensing message to: https://tools.cisco.com/its/service/oddce/services/DDCEService (ERR 201 : Http failed)
000570: Jan 14 15:35:38 MSK: %SMART_LIC-3-COMM_FAILED: Communications failure with the Cisco Smart Software Manager (CSSM) : Fail to send out Call Home HTTP message. 
000571: Jan 14 15:36:26 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000572: Jan 14 15:36:31 MSK: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
000573: Jan 14 15:36:31 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user '' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000574: Jan 14 15:36:35 MSK: %SYS-5-CONFIG_I: Configured from console by console
000575: Jan 14 15:39:01 MSK: %CRYPTO_ENGINE-5-KEY_DELETED: A key named MSK-CORE-C9300.satel.local has been removed from key storage
000576: Jan 14 15:39:01 MSK: %CRYPTO_ENGINE-5-KEY_DELETED: A key named MSK-CORE-C9300.satel.local.server has been removed from key storage
000577: Jan 14 15:39:01 MSK: %CRYPTO_ENGINE-5-KEY_DELETED: A key named SLA-KeyPair2 has been removed from key storage
000578: Jan 14 15:39:01 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:crypto key zeroize rsa 
000579: Jan 14 15:39:01 MSK: %SSH-5-DISABLED: SSH 2.0 has been disabled
000580: Jan 14 15:39:18 MSK: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named MSK-CORE-C9300.satel.local has been generated or imported by crypto-engine
000581: Jan 14 15:39:18 MSK: %SSH-5-ENABLED: SSH 2.0 has been enabled
000582: Jan 14 15:39:18 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:crypto key generate rsa modulus 2048
000583: Jan 14 15:39:18 MSK: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named MSK-CORE-C9300.satel.local.server has been generated or imported by crypto-engine
000584: Jan 14 15:39:55 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:username sid privilege 15 algorithm-type sha256 secret *
000585: Jan 14 15:39:55 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:!config: USER TABLE MODIFIED
000586: Jan 14 15:39:58 MSK: %SYS-5-CONFIG_I: Configured from console by console
000587: Jan 14 15:40:07 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000588: Jan 14 15:40:22 MSK: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
000589: Jan 14 15:40:22 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user '' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000590: Jan 14 15:41:42 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no username sid
000591: Jan 14 15:41:48 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:username sid privilege 15 algorithm-type sha256 secret *
000592: Jan 14 15:41:48 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:!config: USER TABLE MODIFIED
000593: Jan 14 15:41:52 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000594: Jan 14 15:42:11 MSK: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
000595: Jan 14 15:42:11 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user '' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000596: Jan 14 15:43:33 MSK: %SYS-5-CONFIG_I: Configured from console by console
000597: Jan 14 15:45:21 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:username sids privilege 15 secret *
000598: Jan 14 15:45:21 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:!config: USER TABLE MODIFIED
000599: Jan 14 15:45:26 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000600: Jan 14 15:45:53 MSK: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
000601: Jan 14 15:45:53 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user '' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000602: Jan 14 15:45:56 MSK: %SYS-5-CONFIG_I: Configured from console by console
MSK-CORE-C9300#   
MSK-CORE-C9300#sh run | s line
line con 0
 session-timeout 120  output
 exec-timeout 120 35
 logging synchronous
 exec prompt timestamp
 stopbits 1
line vty 0 4
 login
line vty 5 15
 exec-timeout 0 0
 logging synchronous
 login local
 exec prompt timestamp
 transport preferred ssh
 transport input ssh
 transport output ssh
MSK-CORE-C9300#sh run | i aaa
no aaa new-model
MSK-CORE-C9300#

There wasn't

line vty 0 4
 login

How does it appear?)))))

It was only vty 5 15

Hello,

not sure, they are usually in there... maybe somebody removed those VTYs.

Either way, does that make a difference (no TACACS, just local login)?
