01-13-2021 11:30 PM
Hi team!
I am managing a C9300 through MGMT int g0/0.
I have tried different settings to prevent the ssh disconnect, but anyhow...it happens.
Any ideas?) Maybe I have mis-checked something elsewhere?
000291: Jan 13 19:01:51 MSK: %SYS-6-LOGOUT: User sid has exited tty session 0()
000292: Jan 14 07:40:15 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000293: Jan 14 07:40:15 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: sid] [Source: 192.168.200.200] [localport: 22] at 07:40:15 MSK Thu Jan 14 2021
000294: Jan 14 07:40:15 MSK: %SSH-5-SSH2_USERAUTH: User 'sid' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000295: Jan 14 07:50:17 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
000296: Jan 14 07:50:17 MSK: %SYS-6-LOGOUT: User sid has exited tty session 1(192.168.200.200)
000297: Jan 14 07:50:17 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user 'sid' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000298: Jan 14 08:54:29 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000299: Jan 14 08:54:29 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: sid] [Source: 192.168.200.200] [localport: 22] at 08:54:29 MSK Thu Jan 14 2021
000300: Jan 14 08:54:29 MSK: %SSH-5-SSH2_USERAUTH: User 'sid' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000301: Jan 14 08:54:45 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid logged command:system mtu 9198
000302: Jan 14 08:54:58 MSK: %SYS-5-CONFIG_I: Configured from console by sid on vty0 (192.168.200.200)
000303: Jan 14 09:05:22 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
000304: Jan 14 09:05:22 MSK: %SYS-6-LOGOUT: User sid has exited tty session 1(192.168.200.200)
000305: Jan 14 09:05:22 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user 'sid' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000306: Jan 14 09:08:36 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000307: Jan 14 09:08:36 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: sid] [Source: 192.168.200.200] [localport: 22] at 09:08:36 MSK Thu Jan 14 2021
000308: Jan 14 09:08:36 MSK: %SSH-5-SSH2_USERAUTH: User 'sid' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000309: Jan 14 09:19:01 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
000310: Jan 14 09:19:01 MSK: %SYS-6-LOGOUT: User sid has exited tty session 1(192.168.200.200)
000311: Jan 14 09:19:01 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user 'sid' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000312: Jan 14 09:37:02 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000313: Jan 14 09:37:02 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: sid] [Source: 192.168.200.200] [localport: 22] at 09:37:02 MSK Thu Jan 14 2021
000314: Jan 14 09:37:02 MSK: %SSH-5-SSH2_USERAUTH: User 'sid' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000315: Jan 14 09:37:18 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid logged command:line vty 5 15
000316: Jan 14 09:37:24 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid logged command:exec-timeout 0
000317: Jan 14 09:37:34 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid logged command:session-timeout 0
000318: Jan 14 09:37:37 MSK: %SYS-5-CONFIG_I: Configured from console by sid on vty0 (192.168.200.200)
000319: Jan 14 09:38:46 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid logged command:line vty 5 15
000320: Jan 14 09:38:49 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid logged command:logging synchronous
000321: Jan 14 09:41:41 MSK: %SYS-5-CONFIG_I: Configured from console by sid on vty0 (192.168.200.200)
000322: Jan 14 09:51:43 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
000323: Jan 14 09:51:43 MSK: %SYS-6-LOGOUT: User sid has exited tty session 1(192.168.200.200)
000324: Jan 14 09:51:43 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user 'sid' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000325: Jan 14 09:55:51 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000326: Jan 14 09:55:51 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: sid] [Source: 192.168.200.200] [localport: 22] at 09:55:51 MSK Thu Jan 14 2021
000327: Jan 14 09:55:51 MSK: %SSH-5-SSH2_USERAUTH: User 'sid' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
MSK-CORE-C9300#
MSK-CORE-C9300#
MSK-CORE-C9300#
MSK-CORE-C9300#
MSK-CORE-C9300#sh run | i ssh
ip ssh authentication-retries 5
ip ssh logging events
ip ssh version 2
ip ssh stricthostkeycheck
ip ssh rekey time 120
ip ssh rekey volume 1000000
ip ssh server algorithm mac hmac-sha1 hmac-sha1-96
ip ssh server algorithm encryption aes128-cbc aes256-cbc
 transport preferred ssh
 transport input ssh
 transport output ssh
MSK-CORE-C9300#sh run | s line
line con 0
 session-timeout 120 output
 exec-timeout 120 35
 logging synchronous
 exec prompt timestamp
 stopbits 1
line vty 5 15
 exec-timeout 0 0
 logging synchronous
 exec prompt timestamp
 transport preferred ssh
 transport input ssh
 transport output ssh
MSK-CORE-C9300#
MSK-CORE-C9300#sh line vty 5
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     6 VTY              -    -      -    -    -      0       0     0/0       -
Line 6, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: No Exit Banner
Capabilities: Timestamp Enabled
Modem state: Idle
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
                never        never                        none     not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are ssh.
Allowed output transports are ssh.
Preferred transport is ssh.
Shell: enabled
Shell trace: off
No output characters are padded
No special data dispatching characters
MSK-CORE-C9300#sh line co
MSK-CORE-C9300#sh line console 0
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0 CTY              -    -      -    -    -      0       0     0/0       -
Line 0, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600, no parity, 1 stopbits, 8 databits
Status: Ready
Capabilities: Output non-idle, Timestamp Enabled
Modem state: Ready
Switch 1: RJ45 Console is in use
Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               02:00:35     02:00:00                      none     not set
  Session idle time reset by output.
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 10.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are telnet ssh.
Preferred transport is telnet.
Shell: enabled
Shell trace: off
No output characters are padded
No special data dispatching characters
MSK-CORE-C9300#
MSK-CORE-C9300#
MSK-CORE-C9300#who
    Line       User       Host(s)              Idle       Location
*  1 vty 0     sid        idle                 00:00:00 192.168.200.200
  Interface    User               Mode         Idle     Peer Address
Solved! Go to Solution.
01-14-2021 05:07 AM
no.
I completely removed all users, aaa, ip ssh key, etc. and configured from scratch.
No disconnects for now....
Maybe some bug....
01-14-2021 12:04 AM
Hello,
the config looks correct. The only thing I can think of is to disable ssh rekeying:
no ip ssh rekey
What device is the SSH session initiated from? Is it possible that the initiating device itself is causing the timeout?
01-14-2021 12:09 AM
I am using VanDyke SecureCRT for ssh-ing. First time I see that problem.
Will try no ip ssh rekey
01-14-2021 12:42 AM
No luck...still disconnects. It looks like 10 minutes timeout...but there is any mention about it in config.
I could assume, maybe this is the behaviour of mgmt interface g0/0 by default? But I never saw it before on other routers or switches.
Configuring a C9300 for the first time.
000506: Jan 14 11:24:50 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid logged command:no vlan 220
000507: Jan 14 11:24:52 MSK: %SYS-5-CONFIG_I: Configured from console by sid on vty0 (192.168.200.200)
000508: Jan 14 11:34:55 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
000509: Jan 14 11:34:55 MSK: %SYS-6-LOGOUT: User sid has exited tty session 1(192.168.200.200)
000510: Jan 14 11:34:55 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user 'sid' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
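A way to check the logs posted in this thread, as an added example that is not part of any post: it pairs each exec-timer expiry with the last logged activity before it and records which vty the session was on. The `NO_TIMEOUT_VTYS` range comes from the posted `line vty 5 15` config; the function and variable names are assumptions of this example.

```python
import re
from datetime import datetime

# Syslog lines copied from the posts above (year 2021 taken from the post dates).
LOG = """\
000299: Jan 14 08:54:29 MSK: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: sid] [Source: 192.168.200.200] [localport: 22] at 08:54:29 MSK Thu Jan 14 2021
000301: Jan 14 08:54:45 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid logged command:system mtu 9198
000302: Jan 14 08:54:58 MSK: %SYS-5-CONFIG_I: Configured from console by sid on vty0 (192.168.200.200)
000303: Jan 14 09:05:22 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
000506: Jan 14 11:24:50 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:sid logged command:no vlan 220
000507: Jan 14 11:24:52 MSK: %SYS-5-CONFIG_I: Configured from console by sid on vty0 (192.168.200.200)
000508: Jan 14 11:34:55 MSK: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 1 (192.168.200.200)), user sid
"""
# vty ranges that carry "exec-timeout 0 0" in the posted "sh run | s line" output.
NO_TIMEOUT_VTYS = [(5, 15)]

LINE = re.compile(r"^\d+: (\w{3} +\d+ [\d:]{8}) \w+: %[A-Z0-9_]+-\d-([A-Z0-9_]+): (.*)$")
ACTIVITY = {"LOGIN_SUCCESS", "CFGLOG_LOGGEDCMD", "CONFIG_I"}

def exec_timer_expiries(text, year=2021):
    """Pair each TTY_EXPIRE_TIMER with the last logged activity before it."""
    findings, last_seen, vty = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        mnemonic, body = m.group(2), m.group(3)
        if mnemonic in ACTIVITY:
            last_seen = when
            on_vty = re.search(r"on vty(\d+)", body)  # CONFIG_I names the vty in use
            if on_vty:
                vty = int(on_vty.group(1))
        elif mnemonic == "TTY_EXPIRE_TIMER" and last_seen is not None:
            idle = (when - last_seen).total_seconds()
            exempt = vty is not None and any(lo <= vty <= hi for lo, hi in NO_TIMEOUT_VTYS)
            findings.append({"vty": vty, "idle_min": round(idle / 60), "exempt": exempt})
            last_seen = None  # the session is closed; wait for the next login
    return findings

if __name__ == "__main__":
    for finding in exec_timer_expiries(LOG):
        print(finding)
```

On these lines both expiries come about 10 minutes after the last command, and the session is on vty0, which is outside the 5-15 range where `exec-timeout 0 0` was set. Ten minutes is the IOS default exec-timeout for a line with no explicit setting.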
01-14-2021 12:45 AM
found similar discussion https://community.cisco.com/t5/wireless/to-increase-ssh-session-timeout/td-p/3098020
no solution
01-14-2021 12:54 AM
Hello,
how are you authenticating ? Locally or through e.g. TACACS ?
01-14-2021 01:17 AM
local
MSK-CORE-C9300#sh run | i aaa
aaa new-model
aaa local authentication attempts max-fail 5
aaa local authentication default authorization default
aaa authentication login default local
aaa authentication webauth default local
aaa authorization console
aaa authorization exec default local
aaa common-criteria policy AAA
aaa login success-track-conf-time 24
aaa session-id common
01-14-2021 02:56 AM
Hello,
since you (apparently) have no external TACACS server, I wonder if there is an implicit timeout in TACACS. Can you try to, for the sake of testing, get rid of AAA altogether, and just use local authentication?
no aaa new-model
!
username admin privilege 15 password 0 cisco
!
line vty 0 4
--> login local
exec-timeout 0 0
logging synchronous
exec prompt timestamp
transport preferred ssh
transport input ssh
transport output ssh
!
line vty 5 15
--> login local
exec-timeout 0 0
logging synchronous
exec prompt timestamp
transport preferred ssh
transport input ssh
transport output ssh
01-14-2021 02:49 AM
- If an external (AAA)-authenticating user/profile is being used, make sure it has or has not a timeout setting according to intended ssh-usage.
M.
01-14-2021 03:26 AM
We don't have TACACS or any ISE or RADIUS yet.
01-14-2021 03:28 AM
Recently I installed an ISR4351
and just copied the aaa settings to the C9300.
On the 4351 there weren't ssh disconnects....it is odd
01-14-2021 03:42 AM
Hello,
try and zeroize the rsa key:
crypto key zeroize rsa
and generate a new one with a different modulus.
crypto key generate rsa
It is possible that SecureCRT and the 9300 use other default parameters...
01-14-2021 04:48 AM
oh god....now it completely doesn't let ssh in ^(
MSK-CORE-C9300#sh logg | b 000567: Jan 14 1
000567: Jan 14 15:34:16 MSK: %SYS-5-CONFIG_I: Configured from console by console
000568: Jan 14 15:34:58 MSK: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named SLA-KeyPair2 has been generated or imported by SLA-KeyPair2
000569: Jan 14 15:35:38 MSK: %CALL_HOME-5-SL_MESSAGE_FAILED: Fail to send out Smart Licensing message to: https://tools.cisco.com/its/service/oddce/services/DDCEService (ERR 201 : Http failed)
000570: Jan 14 15:35:38 MSK: %SMART_LIC-3-COMM_FAILED: Communications failure with the Cisco Smart Software Manager (CSSM) : Fail to send out Call Home HTTP message.
000571: Jan 14 15:36:26 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000572: Jan 14 15:36:31 MSK: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
000573: Jan 14 15:36:31 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user '' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000574: Jan 14 15:36:35 MSK: %SYS-5-CONFIG_I: Configured from console by console
000575: Jan 14 15:39:01 MSK: %CRYPTO_ENGINE-5-KEY_DELETED: A key named MSK-CORE-C9300.satel.local has been removed from key storage
000576: Jan 14 15:39:01 MSK: %CRYPTO_ENGINE-5-KEY_DELETED: A key named MSK-CORE-C9300.satel.local.server has been removed from key storage
000577: Jan 14 15:39:01 MSK: %CRYPTO_ENGINE-5-KEY_DELETED: A key named SLA-KeyPair2 has been removed from key storage
000578: Jan 14 15:39:01 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto key zeroize rsa
000579: Jan 14 15:39:01 MSK: %SSH-5-DISABLED: SSH 2.0 has been disabled
000580: Jan 14 15:39:18 MSK: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named MSK-CORE-C9300.satel.local has been generated or imported by crypto-engine
000581: Jan 14 15:39:18 MSK: %SSH-5-ENABLED: SSH 2.0 has been enabled
000582: Jan 14 15:39:18 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:crypto key generate rsa modulus 2048
000583: Jan 14 15:39:18 MSK: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named MSK-CORE-C9300.satel.local.server has been generated or imported by crypto-engine
000584: Jan 14 15:39:55 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:username sid privilege 15 algorithm-type sha256 secret *
000585: Jan 14 15:39:55 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:!config: USER TABLE MODIFIED
000586: Jan 14 15:39:58 MSK: %SYS-5-CONFIG_I: Configured from console by console
000587: Jan 14 15:40:07 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000588: Jan 14 15:40:22 MSK: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
000589: Jan 14 15:40:22 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user '' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000590: Jan 14 15:41:42 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:no username sid
000591: Jan 14 15:41:48 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:username sid privilege 15 algorithm-type sha256 secret *
000592: Jan 14 15:41:48 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:!config: USER TABLE MODIFIED
000593: Jan 14 15:41:52 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000594: Jan 14 15:42:11 MSK: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
000595: Jan 14 15:42:11 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user '' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000596: Jan 14 15:43:33 MSK: %SYS-5-CONFIG_I: Configured from console by console
000597: Jan 14 15:45:21 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:username sids privilege 15 secret *
000598: Jan 14 15:45:21 MSK: %PARSER-5-CFGLOG_LOGGEDCMD: User:console logged command:!config: USER TABLE MODIFIED
000599: Jan 14 15:45:26 MSK: %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Succeeded
000600: Jan 14 15:45:53 MSK: %SSH-5-SSH2_USERAUTH: User '' authentication for SSH2 Session from 192.168.200.200 (tty = 0) using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' Failed
000601: Jan 14 15:45:53 MSK: %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.200.200 (tty = 0) for user '' using crypto cipher 'aes256-cbc', hmac 'hmac-sha1' closed
000602: Jan 14 15:45:56 MSK: %SYS-5-CONFIG_I: Configured from console by console
MSK-CORE-C9300#
MSK-CORE-C9300#sh run | s line
line con 0
 session-timeout 120 output
 exec-timeout 120 35
 logging synchronous
 exec prompt timestamp
 stopbits 1
line vty 0 4
 login
line vty 5 15
 exec-timeout 0 0
 logging synchronous
 login local
 exec prompt timestamp
 transport preferred ssh
 transport input ssh
 transport output ssh
MSK-CORE-C9300#sh run | i aaa
no aaa new-model
MSK-CORE-C9300#
01-14-2021 04:50 AM
there wasn't
line vty 0 4 login
how does it appear?)))))
it only was vty 5 15
01-14-2021 05:05 AM
Hello,
not sure, they are usually in there...maybe somebody removed those VTYs.
Either way, does that make a difference (no TACACS, just local login) ?