08-03-2023 02:22 AM - edited 08-03-2023 02:45 AM
Hello everyone,
Unfortunately, I made a huge mistake when I changed the management IP of my switches. For authentication I use a TACACS solution, but I have some doubts about the configuration I have on all the devices.
What I did was change the management IP (I'm using native VLAN 1) because I wanted it to join the IP range of another infrastructure. The only mistake I made was that I forgot to change the IP default gateway.
From another switch I can ping all of the ones that are failing, but I can't log in over SSH with the local account, or over Telnet (authentication failed). Here's a copy of the config.
hostname ****
!
boot-start-marker
boot-end-marker
!
enable secret 5 ******
!
username **** password 7 ****
aaa new-model
!
!
aaa group server tacacs+ ACS
server 10.166.17.196
!
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group ACS if-authenticated
aaa accounting commands 15 default start-stop group ACS
!
aaa session-id common
clock timezone gmt 1 0
clock summer-time gmt+1 recurring last Sun Mar 2:00 last Sun Oct 2:00
switch 1 provision ws-c2960x-24ps-l
!
!
interface Vlan1
ip address 10.166.16.152 255.255.255.0
no ip route-cache
!
ip default-gateway 10.166.30.1
no ip http server
ip http secure-server
!
ip ssh time-out 60
ip ssh version 2
ip scp server enable
!
logging trap debugging
logging facility syslog
logging source-interface Vlan1
logging host 10.166.17.70
access-list 1 remark *** ACL for VTY ***
access-list 1 permit 10.166.17.70
access-list 1 permit any
access-list 10 remark *** ACL for SNMP read Only ***
access-list 10 permit 10.166.17.70
access-list 10 permit any
access-list 11 remark *** ACL for SNMP write ***
access-list 11 permit 10.166.17.70
access-list 11 permit any
!
line con 0
password 7 *****
line vty 0 4
password 7 *****
transport input ssh
line vty 5 14
password 7 *****
transport input ssh
line vty 15
!
I'm desperate, because even if I try to log in on the console port I get this authentication error...
If anyone has any ideas, I'd love to hear them!
08-03-2023 04:11 AM
Hi @bibi
If you change the switch management IP address and you are using TACACS, you need to update the TACACS server with the new IP address, otherwise the TACACS server will reject this new IP.
08-03-2023 04:22 AM
Hello @Flavio Miranda
First of all, thanks for your help.
Good point, but in reality the switches now have an IP within the scope of another infrastructure. I had enough hosts available (10.166.16.0/24). My TACACS server covers the entire range.
08-03-2023 04:38 AM - edited 08-03-2023 04:40 AM
Well, in that case, you might not have a problem with TACACS denying you.
interface Vlan1
ip address 10.166.16.152 255.255.255.0
no ip route-cache
!
ip default-gateway 10.166.30.1
Your default gateway does not belong to the network you have on VLAN 1. If this VLAN is the only one on the switch, communication from outside the VLAN will fail.
You need to change the ip default-gateway command and use the gateway for VLAN 1.
You can also use the command ip route 0.0.0.0 0.0.0.0 <vlan1 gateway>
Of course, if you change the VLAN you also need to update the gateway.
08-03-2023 04:47 AM
That's exactly where I made the mistake. I thought the problem was with TACACS, as the switch can't communicate with it when I try to make an SSH connection, because I forgot to change the IP default-gateway.
Now I can't connect to it. Maybe the problem lies elsewhere, but I can't put my finger on it.
08-03-2023 04:58 AM
If you have access to another switch which is using VLAN 1 for management, you can fix it.
The problem in this case would be accessing the switch from any other VLAN, but from VLAN 1 you don't need the gateway.
You can access the switch from one that is using VLAN 1; try to log in using the local user. Then change the gateway.
The local user should work after TACACS fails a few times.
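The posted configuration has two settings that together explain the lock-out, and both are easy to check offline before touching the switch again. The gateway 10.166.30.1 is outside the Vlan1 subnet 10.166.16.0/24, so the switch cannot reach the TACACS+ server at 10.166.17.196; and the method list `aaa authentication login default group tacacs+` names no `local` fallback, so a local username is never consulted when the servers are unreachable (with `aaa new-model`, that default list also governs the console unless `line con 0` carries its own `login authentication` list, which is why the console fails too). The script below is an added example, not code from the thread or from Cisco: it audits a minimal copy of the posted config (constructed inline from the lines above, masked values dropped) next to an assumed corrected version, where 10.166.16.1 is only a placeholder for the real VLAN 1 gateway, which the thread does not give.

```python
"""Offline audit of an IOS switch config for the two lock-out conditions in the thread.

Added example: checks that 'ip default-gateway' sits inside a configured interface subnet,
and that the AAA login/exec method lists keep a fallback when TACACS+ is unreachable.
"""
import ipaddress
import re

# Constructed from the configuration posted in the thread (hostname/secrets were masked there).
BROKEN_CONFIG = """\
aaa new-model
aaa group server tacacs+ ACS
 server 10.166.17.196
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
interface Vlan1
 ip address 10.166.16.152 255.255.255.0
 no ip route-cache
ip default-gateway 10.166.30.1
"""

# Assumed corrected version. 10.166.16.1 is a placeholder: the real Vlan1 gateway is not
# given in the thread. 'local' and 'if-authenticated' are the fallbacks that let a local
# account in when every TACACS+ server is unreachable.
FIXED_CONFIG = """\
aaa new-model
aaa group server tacacs+ ACS
 server 10.166.17.196
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
interface Vlan1
 ip address 10.166.16.152 255.255.255.0
 no ip route-cache
ip default-gateway 10.166.16.1
"""


def interface_addresses(config):
    """Map interface name -> IPv4Interface for every 'ip address A M' sub-command."""
    result = {}
    current = None
    for line in config.splitlines():
        if line and not line[0].isspace():  # top-level command starts a new context
            m = re.match(r"interface (\S+)$", line)
            current = m.group(1) if m else None
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)
        if m and current:
            result[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return result


def default_gateway(config):
    """Return the 'ip default-gateway' address, or None if it is not configured."""
    m = re.search(r"^ip default-gateway (\S+)$", config, re.M)
    return ipaddress.ip_address(m.group(1)) if m else None


def method_list(config, kind, name="default"):
    """Return the ordered methods of an AAA list, e.g. ['group tacacs+', 'local']."""
    m = re.search(rf"^aaa {kind} {name} (.+)$", config, re.M)
    if not m:
        return []
    tokens = m.group(1).split()
    methods = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")  # 'group X' is one method
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def audit(config):
    """Return a list of findings; an empty list means the config passes these checks."""
    findings = []

    gw = default_gateway(config)
    addrs = interface_addresses(config)
    if gw is not None and not any(gw in a.network for a in addrs.values()):
        subnets = ", ".join(str(a.network) for a in addrs.values())
        findings.append(
            f"ip default-gateway {gw} is outside every configured subnet ({subnets}); "
            "off-subnet traffic, including TACACS+, will fail")

    login = method_list(config, "authentication login")
    if login and "local" not in login:
        findings.append(
            "aaa authentication login default has no 'local' fallback; with aaa new-model "
            "this list also governs the console, so unreachable TACACS+ locks out every line")

    exec_authz = method_list(config, "authorization exec")
    if exec_authz and not ({"local", "if-authenticated", "none"} & set(exec_authz)):
        findings.append(
            "aaa authorization exec default has no fallback; a login that succeeds locally "
            "is still dropped when exec authorization cannot reach TACACS+")

    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", BROKEN_CONFIG), ("corrected", FIXED_CONFIG)):
        result = audit(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The posted copy yields three findings and the corrected copy none. Feed `audit()` the output of `show running-config` from any other switch in the fleet to catch the same gateway mismatch before it is locked out as well.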