08-25-2025 01:30 AM
Hi,
I'm struggling to understand what this command <ip ssh maxstartups value> actually does.
The documentation seems to indicate that this limits the total concurrent SSH sessions to the specified value.
Reading some info about the SSH daemon itself (man pages on a *nix box) seems to point to an unauthenticated SSH session limit.
I tried both in the lab and neither of them works: there does not seem to be an actual enforced limit on authenticated or unauthenticated sessions, so I'm a little confused.
Has anyone figured this one out?
thanks
Mark
08-25-2025 01:42 AM
Hello @Mark Pace Balzan
This command only limits how many SSH connection attempts can be in the handshake phase at the same time, to protect against DoS floods...
It does not restrict how many users can be logged in; the actual limit on concurrent authenticated sessions comes from the number of configured VTY lines...
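A way to check what the answer above describes, added here as an example (it is not code from this thread or from Cisco): instead of logging in with a normal SSH client, which finishes the handshake and is then counted against VTY lines, the script opens N TCP connections to the SSH port, reads the device's version banner, sends its own, and then stays silent, so every probe sits unauthenticated in the handshake phase. fake_limited_sshd is a constructed local stand-in so the probe can be run offline; how a real IOS device rejects the extra connection (with or without sending its banner first) is not something the thread establishes, so the probe just reports each outcome.

```python
"""Probe an SSH server's handshake-phase limit by holding unauthenticated
connections open. Each probe reads the server's version banner, sends its own,
then goes silent: no KEXINIT, no authentication. That is the 'session being
started' state a maxstartups-style limit counts; a normal login leaves that
phase and is counted against VTY lines instead. Added example, not from the thread."""
import socket
import threading

PROBE_BANNER = b"SSH-2.0-maxstartups_probe\r\n"  # assumed name, any SSH-2.0 banner works


def open_unauth_ssh(host, port, count, timeout=5.0):
    """Open `count` connections, each parked right after the banner exchange.
    Returns (held, outcomes): `held` are the sockets still open (close them when
    done); `outcomes` has one entry per attempt: 'banner:<server banner>' (parked
    pre-auth), 'closed' (accepted then dropped, no banner), 'refused', 'timeout'."""
    held, outcomes = [], []
    for _ in range(count):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            data = s.recv(256)
        except ConnectionRefusedError:
            outcomes.append("refused")
            s.close()
            continue
        except socket.timeout:
            outcomes.append("timeout")
            held.append(s)  # still open, just silent: keep holding it
            continue
        except OSError:  # e.g. reset by the peer mid-handshake
            outcomes.append("closed")
            s.close()
            continue
        if not data:  # orderly close before any banner was sent
            outcomes.append("closed")
            s.close()
            continue
        banner = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
        outcomes.append("banner:" + banner)
        try:
            s.sendall(PROBE_BANNER)  # server now waits for our KEXINIT; it never comes
        except OSError:
            pass
        held.append(s)
    return held, outcomes


def count_parked(outcomes):
    """Number of probes the server let into (and kept in) the handshake phase."""
    return sum(1 for o in outcomes if o.startswith("banner:"))


def close_all(socks):
    """Release the parked probes so the device's startup slots free up again."""
    for s in socks:
        s.close()


def fake_limited_sshd(limit, banner=b"SSH-2.0-FakeIOS\r\n"):
    """Constructed stand-in for a device with 'ip ssh maxstartups <limit>': it
    parks at most `limit` connections in the handshake and drops the rest. How a
    real device drops the extra one is not asserted here; the probe just reports
    what it sees. Returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)
    parked = []

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by stop()
                break
            if len(parked) < limit:
                conn.sendall(banner)
                parked.append(conn)  # held open, never authenticated
            else:
                conn.close()  # over the limit: dropped immediately

    threading.Thread(target=serve, daemon=True).start()

    def stop():
        srv.close()
        close_all(parked)

    return srv.getsockname()[1], stop


if __name__ == "__main__":  # offline demo against the constructed stand-in
    port, stop = fake_limited_sshd(limit=5)
    held, outcomes = open_unauth_ssh("127.0.0.1", port, 6)
    print(outcomes, "->", count_parked(outcomes), "parked")
    close_all(held)
    stop()
```

Against the lab device, after configuring ip ssh maxstartups 5, call open_unauth_ssh('<device-ip>', 22, 6) and look at how many probes report a banner versus closed/refused; call close_all(held) when done so the device's startup slots are released. Opening a sixth session by logging in normally, as in the original test, never exercises the limit because each completed login has already left the handshake phase.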
08-25-2025 01:37 AM
@Mark Pace Balzan FYI: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i3.html#wp3414043258
M.
08-25-2025 01:42 AM
Thanks @Mark Elsen. Yes indeed, the documentation says "If the SSH server negotiates the establishment of too many SSH sessions at the same time, it could cause high CPU consumption. To control the maximum number of SSH sessions that can be started simultaneously, use the ip ssh maxstartups command in global configuration mode."
I tried to open more SSH sessions than the value specified, without closing them, but the configured value could be exceeded, i.e. I configured 'ip ssh maxstartups 5' but I managed to open 6 sessions without problems.
Am I missing something?
08-25-2025 01:46 AM - edited 08-25-2025 01:50 AM
If you want to try the command, don't enter the password for each attempt and try 6 times; you will see the router/SW will reject it.
The device counts open SSH sessions without a password entered.
MHM
08-25-2025 01:48 AM
Tried that; it does not work as you say.
08-25-2025 01:51 AM
How did you try exactly?
MHM
08-25-2025 01:38 AM
Limits the maximum number of concurrent, unauthenticated SSH connection attempts.
08-25-2025 01:44 AM
Hello M02@rt37
Ah, I see; this now makes more sense. It's the SSH sessions 'in flight' rather than the total SSH sessions established whether authenticated or not, correct?
Unfortunately the documentation is misleading.
thanks
Mark
08-25-2025 02:11 AM
"the total ssh sessions established whether authenticated or not, correct?" Big NO.
The device counts correct (logins) differently from incorrect ones or attempts.
MHM
08-25-2025 02:12 AM
I will be out now; later, after 2-3 hrs, I will share more info.
And mention how exactly you tried.
MHM
08-25-2025 07:46 AM