03-05-2012 04:02 PM - edited 03-07-2019 05:21 AM
Hello,
I need some help on this issue. On some routers and switches I am getting "connection refused" when trying to SSH to them. Telnet works fine, of course. I am thinking it may be that the 'crypto key generate rsa' command is missing? But some of the routers that are having the issue have had that command issued. Here is the configuration (I removed encrypted passwords). What could it be?
ALAM-RTR1-2811#show run
Building configuration...
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ALAM-RTR1-2811
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret 5
!
aaa new-model
!
!
aaa authentication login default group radius local-case
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
!
resource policy
!
memory-size iomem 10
clock timezone MDT -7
clock summer-time mdt recurring
ip subnet-zero
!
!
ip cef
!
!
no ip domain lookup
ip domain name parametrix.com
ip ssh rsa keypair-name ALAM-RTR1-2811
ip ssh version 2
!
modemcap entry usrmodem1:MSC=&FS0=1&C1&D3&H1&R2&B1
!
!
username routeradmin secret 5
!
!
!
interface Loopback1
ip address 172.30.127.254 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface FastEthernet0/0
description Uplink to Quest MPLS
no ip address
duplex full
speed 100
!
interface FastEthernet0/0.705
description Quest qmoe
encapsulation dot1Q 705
ip address 192.168.252.65 255.255.255.192
no snmp trap link-status
!
interface FastEthernet0/0.706
description Quest MPLS
encapsulation dot1Q 706
ip address X.x.X.x 255.255.255.252
no snmp trap link-status
!
interface FastEthernet0/1
description Uplink to internal network
ip address 172.30.0.1 255.255.252.0
duplex full
speed 100
!
ip classless
ip route 0.0.0.0 0.0.0.0 63.234.101.209
ip route x.x.x.x 255.255.255.252 x.x.x.x.
ip route 172.21.0.0 255.255.128.0 192.168.252.66
ip route 172.22.0.0 255.255.128.0 x.x.x.x.x
ip route 172.30.0.0 255.255.128.0 172.30.0.30
!
ip http server
no ip http secure-server
!
snmp-server community XXXXXX RW 1
snmp-server community XXXXXX RO 1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon
snmp-server enable traps config
radius-server host 172.24.10.44 auth-port xxxx acct-port xxxx key 7
!
control-plane
!
banner exec ^CCC
Welcome to the Parametrix Albuquerque Router
^C
banner login ^CCC Welcome to the Albuquerque Router . Please login.
^C
banner motd ^CCC
>>>>>>>>>> WARNING <<<<<<<<<<
Unauthorized access to this system is a violation of the Federal Electronics
Communications Privacy Act of 1986, and may result in fines of $250,000
and/or imprisonment (Title 18, USC).
^C
!
line con 0
exec-timeout 30 0
password 7 XXXXXXXXXXXXX
logging synchronous
line aux 0
password 7 XXXXXXXXXXXXX
logging synchronous
modem InOut
modem autoconfigure type usrmodem1
transport input all
autoselect during-login
autoselect ppp
flowcontrol hardware
line vty 0 4
exec-timeout 30 0
password 7 XXXXXXXXXXXXXXX
transport input telnet ssh
transport output all
!
scheduler allocate 20000 1000
ntp clock-period 17180099
ntp master 2
ntp server 140.142.16.34
!
end
03-05-2012 04:14 PM
Hi,
What is the IOS name and version for the devices that are not working?
Can you post "sh ver | inc bin"?
03-05-2012 04:16 PM
it is:
System image file is "flash:c2800nm-ipbasek9-mz.124-3g.bin"
03-05-2012 04:28 PM
The image looks good.
1-Did you create the crypto key?
2-If yes, can you replace
transport input telnet ssh
with
transport input all
and test again?
Here is a link on how to generate the key:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
Make sure you have console access to the router before making any changes to line vty 0 4.
HTH
03-05-2012 04:35 PM
Ok thanks. I will try your suggestion and let you know how it goes.
08-09-2021 11:17 AM
Dear I need your help.
I have a Cisco Catalyst 4500 which, from one day to the next, stopped allowing me to connect remotely via SSH from my PC. I had to start connecting from a test server. But after a while I couldn't connect from this server either.
I access the switch through an access-list, and both my PC and the server are still in it.
I compared the current running-config with one from a few months ago, when I could access it without problems, and there are no differences.
I attach the switch configuration:
!
ip ssh logging events
ip ssh version 2
!
crypto pki trustpoint TP-self-signed-13161
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-13161
revocation-check none
rsakeypair TP-self-signed-13161
!
crypto pki profile enrollment 4500
!
!
crypto pki certificate chain TP-self-signed-13161
certificate self-signed 01 nvram:IOS-Self-Sig#3131.cer
power redundancy-mode redundant
port-channel load-balance dst-ip
!
ip access-list standard Management-Admin
permit 10.73.6.101 log
permit 10.73.2.55 log
permit 10.73.10.205 log (My PC)
permit 10.73.10.204 log
permit 10.73.2.250 log (Test Server)
permit 172.17.7.82 log
permit 0.0.0.208 255.255.255.0
permit 10.73.102.0 0.0.0.255 log
permit 10.73.10.0 0.0.0.255 log
!
!
control-plane
!
!
line con 0
password 7 1214041E021E5D557C
logging synchronous
stopbits 1
line vty 0 4
access-class Management-Admin in
exec-timeout 0 0
timeout login response 300
privilege level 15
password 7 03347B5E5318715E4A434854414B
transport input ssh
transport output ssh
line vty 5
access-class Management-Admin in
exec-timeout 0 0
timeout login response 300
privilege level 15
transport input ssh
transport output none
!
03-05-2012 04:16 PM
no ip http secure-server
One of the reasons is this. And where's your crypto?
ntp master 2
Get rid of this line.
03-05-2012 04:20 PM
Isn't "no ip http secure-server" just disabling HTTPS management? How is that related to SSH?
03-05-2012 05:42 PM
That's correct, that just shuts off the secure GUI function. Check keys: show crypto key my rsa. You can also try zeroizing the key and recreating it.
12-04-2017 08:42 AM
I ended up re-creating my crypto key to fix the issue. The problem is I don't know why it needed to be recreated, as SSH worked before.
05-15-2018 09:43 AM
Thank you msenko, I had the same problem. I even generated new keys and it still did not work. I then zeroized them and re-created them, and it worked.
The problem occurred after a reboot of the router. Prior to reboot it worked fine.
The version I am using is 15.4(3)S on an ASR1006. Maybe it's a bug.
05-15-2018 11:58 AM
06-11-2020 01:42 AM
inside (Config)#
ip ssh port <network_port> rotary 1
rotary 1
--
Don't forget these commands.
07-06-2020 01:45 AM - edited 07-06-2020 01:46 AM
Hello @sonikbaby, Hello all,
Is it possible to pin the crypto key regeneration answer to the top and mark this question as answered, in order to ease future searches?
Thanks :)
10-22-2020 01:53 AM - edited 10-22-2020 02:47 AM
Hi there,
I had the same issue today after I upgraded my router. I checked "show ip ssh" and saw the version "SSH Enabled - version 1.99". I tried to SSH from my PuTTY, but it was giving this error in the router logging:
%SSH-3-NO_MATCH: No matching mac found: client hmac-sha1,hm ac-sha1-96,hmac-md5 server hmac-sha2-256,hmac-sha2-512
This error means your PuTTY (or the client that you are using to SSH to the router) is sending SSH version 1.0 and your router is supporting 1.99 as the minimum SSH version. What I noticed was that my PuTTY was an old version, 0.60; I updated to the latest and then it started working.
Hope that will help.
Regards,
Ahmad Kefaya
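As an added example (not from the thread, Cisco, or PuTTY), a small Python helper that covers the two failure modes discussed above: it parses a %SSH-3-NO_MATCH log line to show the client and server MAC lists share no algorithm, classifies the server's version banner (per RFC 4253, "SSH-1.99" means the server accepts both protocol 1 and protocol 2 clients), and separates a "connection refused" result, which is what a device with no usable RSA key or no ssh transport gives, from a listening server. The sample log line and banner strings are constructed; `probe()` needs network access and is not exercised here.

```python
import re
import socket

# Constructed copy of the IOS log line quoted in the thread (assumption:
# the "hm ac" split in the post is a forum line-wrap artifact).
SAMPLE_LOG = ("%SSH-3-NO_MATCH: No matching mac found: "
              "client hmac-sha1,hmac-sha1-96,hmac-md5 "
              "server hmac-sha2-256,hmac-sha2-512")

NO_MATCH_RE = re.compile(
    r"%SSH-3-NO_MATCH: No matching (?P<kind>\w+) found: "
    r"client (?P<client>[\w@.,-]+) server (?P<server>[\w@.,-]+)")


def parse_no_match(line):
    """Split a %SSH-3-NO_MATCH line into (kind, client_algs, server_algs, common).
    An empty 'common' set is why the session never gets past key exchange.
    Returns None for any other log line."""
    m = NO_MATCH_RE.search(line)
    if not m:
        return None
    client = m.group("client").split(",")
    server = m.group("server").split(",")
    return m.group("kind"), client, server, set(client) & set(server)


def classify_banner(banner):
    """Interpret the identification string an SSH server sends first
    (RFC 4253 section 4.2). Banner bytes here are constructed samples."""
    text = banner.decode("ascii", "replace").strip()
    m = re.match(r"SSH-(\d+\.\d+)-(\S+)", text)
    if not m:
        return "not-ssh"
    return {"2.0": "v2-only", "1.99": "v1-and-v2", "1.5": "v1-only"}.get(
        m.group(1), "unknown")


def probe(host, port=22, timeout=3.0):
    """Live check: 'refused' means nothing is listening on the port (on IOS,
    typically no RSA keypair or 'transport input' without ssh), as opposed to
    a server that answers with a banner we can classify."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return classify_banner(s.recv(255))
    except ConnectionRefusedError:
        return "refused"
    except OSError:          # includes socket.timeout
        return "unreachable"
```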