cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
101027
Views
40
Helpful
13
Replies
Highlighted
Beginner

Getting SSH error 'connection refused'

Hello,

I need some help on this issue. On some routers and switches I am getting connection refused when trying to SSH to them. Telnet works fine ofcourse. I am  thinking it maybe the 'crypto key generate rsa' command is missing? But some of the routers that are having the issue have that command issued.  Here is the configuration (I removed encrypted passwords)  What could it be?


ALAM-RTR1-2811#show run
Building configuration...

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ALAM-RTR1-2811
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret 5
!
aaa new-model
!
!
aaa authentication login default group radius local-case
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
!
aaa session-id common
!
resource policy
!
memory-size iomem 10
clock timezone MDT -7
clock summer-time mdt recurring
ip subnet-zero
!
!
ip cef
!
!
no ip domain lookup
ip domain name parametrix.com
ip ssh rsa keypair-name ALAM-RTR1-2811
ip ssh version 2
!
modemcap entry usrmodem1:MSC=&FS0=1&C1&D3&H1&R2&B1
!
!
username routeradmin secret 5
!
!
!
interface Loopback1
ip address 172.30.127.254 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface FastEthernet0/0
description Uplink to Quest MPLS
no ip address
duplex full
speed 100
!
interface FastEthernet0/0.705
description Quest qmoe
encapsulation dot1Q 705
ip address 192.168.252.65 255.255.255.192
no snmp trap link-status
!
interface FastEthernet0/0.706
description Quest MPLS
encapsulation dot1Q 706
ip address X.x.X.x 255.255.255.252
no snmp trap link-status
!
interface FastEthernet0/1
description Uplink to internal network
ip address 172.30.0.1 255.255.252.0
duplex full
speed 100
!
ip classless
ip route 0.0.0.0 0.0.0.0 63.234.101.209
ip route x.x.x.x 255.255.255.252 x.x.x.x.
ip route 172.21.0.0 255.255.128.0 192.168.252.66
ip route 172.22.0.0 255.255.128.0 x.x.x.x.x
ip route 172.30.0.0 255.255.128.0 172.30.0.30
!
ip http server
no ip http secure-server
!
snmp-server community XXXXXX RW 1
snmp-server community XXXXXX RO 1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon
snmp-server enable traps config
radius-server host 172.24.10.44 auth-port xxxx acct-port xxxx key 7
!
control-plane
!
banner exec ^CCC
Welcome to the Parametrix Albuquerque Router
^C
banner login ^CCC Welcome to the Albuquerque Router .  Please login.
^C
banner motd ^CCC
        >>>>>>>>>> WARNING <<<<<<<<<<
Unauthorized access to this system is a violation of the Federal Electronics
Communications Privacy  Act of 1986, and may result in fines of $250,000
and/or imprisonment (Title 18, USC).
^C
!
line con 0
exec-timeout 30 0
password 7 XXXXXXXXXXXXX
logging synchronous
line aux 0
password 7 XXXXXXXXXXXXX
logging synchronous
modem InOut
modem autoconfigure type usrmodem1
transport input all
autoselect during-login
autoselect ppp
flowcontrol hardware
line vty 0 4
exec-timeout 30 0
password 7 XXXXXXXXXXXXXXX
transport input telnet ssh
transport output all
!
scheduler allocate 20000 1000
ntp clock-period 17180099
ntp master 2
ntp server 140.142.16.34
!
end

13 REPLIES 13
Highlighted
Hall of Fame Expert

Hi,

What is the IOS name and version for the devices that are not working?

Can you post "sh ver | inc bin"?

Highlighted

it is:

System image file is "flash:c2800nm-ipbasek9-mz.124-3g.bin"

Highlighted

The image looks good.

1-Did you create the crypto key?

2-If yes, can you replace

transport input telnet ssh

with

transport input all

and test again?

here is a link on how to generate the key

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml

Make sure you have console access to the router before making any changes for line vty 0 4

HTH

Highlighted

Ok thanks. I will try your suggestion and let you know how it goes.

Highlighted
Hall of Fame Community Legend

no ip http secure-server

One of the reason is this.  And where's your crypto?

ntp master 2

Get rid of this line.

Highlighted

isn't the no ip http secure-server just disabling HTTP management? How is that related to ssh? 

Highlighted

  Thats correct that just shuts off the secure GUI function .  Check keys, show crypto key my rsa .    You can also try zeroizing the key and recreating it .

Highlighted

I ended up re-creating my crypto key to fix the issue. The problem is I don't know why it needed to be recreated as ssh worked before.

Highlighted

Thank you msenko, I had the same problem.  I even generated new keys and it still did not work.  I then zeroized them and re-created them, and it worked.

 

The problem occurred after a reboot of the router.  Prior to reboot it worked fine.

 

The version I am using is 15.4(3)S on ASR1006.  Maybe its a bug.

Highlighted

Glad to have helped pledge500, thanks for your response!
Highlighted

inside (Config)#

ip ssh port <network_port> rotary 1

rotary 1

 

--

Don't forget these commands

Highlighted

Hello @sonikbaby, Hello all,

Is it possible to pin the crypto key regeneration answer to the top and mark this question as answered ?

In order to ease future searches.

Thanks :)

Highlighted
Beginner

Hi there,

 

i had the same issue today after i upgraded my router, i checked "show ip ssh" and i saw the version "SSH Enabled - version 1.99", i tried to SSH from my Putty but it was giving this error on the router logging:

%SSH-3-NO_MATCH: No matching mac found: client hmac-sha1,hm ac-sha1-96,hmac-md5 server hmac-sha2-256,hmac-sha2-512

this error mean your Putty ( or the client that you using to ssh to the Router) is sending SSH version 1.0 and you your router is supporting 1.99 as minimum ssh version, what i noticed that my Putty was old version 0.60 i updated to the latest then its start working.

 

Hope that will help.

 

Regards,

Ahmad Kefaya

Content for Community-Ad