no ssh login since a few days

Michael Gräber
Level 1

Hi,

for a few days now we can't log in to our CMTS (uBR10k with PRE4 installed) via SSH.

Only the console works fine, and SSH connections from the CMTS to other devices work as well.

Activating SSH debugging on the CMTS shows no entries, and on the client it shows a network connection timeout.

The CMTS is pingable by the client.

I deleted the crypto key and generated a new one on the CMTS, but that didn't solve the problem.

Last guess is to perform a manual switchover to the standby PRE.

Does someone have any other ideas?


CSCO12099251
Level 1

Hi Michael,

Were there any config changes made recently, before the problem, on both the server side and the client network side? I am just trying to understand if any ACL is blocking SSH traffic between the client and the CMTS.

hi,

I'm thankful for any help ;)

No changes have been made.

As there was no connection from our management server, I connected directly to the Ethernet interface of the running PRE4 and tried to connect with PuTTY; the PuTTY log shows a connection timeout.

I have temporarily removed the ACL from the vty line and tried to connect; besides that I ran a Wireshark trace but didn't see any reply from the CMTS. I tried telnet also and it didn't work. The only active connection is my local link via console, so no idle connections.
Hi Michael,

If possible can you please provide the configuration of your box and also let us know which IP address you are trying to telnet/SSH to.
I am not familiar with this particular platform. But on most Cisco devices this symptom (that SSH access was working, no config changes were made, but SSH access stopped working) is frequently caused by the vty lines being configured with no exec-timeout (or with exec-timeout 0). What happens is that SSH sessions were started, were not properly terminated, and now all vty lines have an existing SSH session and no new sessions can be established. Is it possible that your device has no exec-timeout configured? If this is the case you should be able to use the console session and clear some of the vty lines, which will allow new sessions to be established.

HTH

Rick

Hi Rick,

thx for your reply, exec-timeout is set to 60 and no idle users are shown.

I added the config of my CMTS; I removed most of the DOCSIS-related stuff so it looks like a normal Cisco config.

Thanks for posting the config. It does confirm that the vty lines do have a non-zero exec-timeout, so that is not the issue. So we need to look for something else.

I am not sure that it is significant, but I do notice that while your vty 0 4 do have access-class configured to control remote access, your vty 5 15 do not have access-class. Was that intentional?

Could you post the output of the command sh ip ssh?

Are there any log messages generated when someone attempts SSH access? With a logging buffered size of 8192 I am not sure how quickly your log fills up and starts over (erasing older messages as it goes). So you might need to look fairly quickly after someone attempts SSH access.

It seems a pretty obvious point but I will ask it anyway: are you sure that the SSH attempts are coming from an IP address that is permitted? Note that your access list only permits two hosts to access. There is a third line in the access list which is probably a mistake:

 permit 22 host 10.89.2.3 any log

I am sure that they were thinking that SSH is TCP port 22, but what they used was IP protocol 22, which is a port for XNS and almost certainly not what was intended.

HTH

Rick
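The three configuration points raised in this thread (a vty range whose idle timeout is disabled, a vty range without access-class, and an access-list entry that puts a port number in the protocol position) can all be caught by a small config audit before they cause a lockout. The script below is an added example written for this page, not code from the thread, from any poster, or from Cisco. It assumes IOS-style text configuration and runs over a constructed fragment whose addresses and ACL name are invented; its third permit reproduces the protocol-22 mistake Rick describes, and its second vty range has neither access-class nor a working exec-timeout.

```python
import re
from dataclasses import dataclass

# Constructed IOS-style config fragment for this example (hypothetical hosts
# and ACL name). The third permit reproduces the mistake discussed in the
# thread (IP protocol 22 where TCP port 22 was meant); the second vty range
# has no access-class and its idle timeout disabled.
SAMPLE_CONFIG = """\
ip access-list extended MGMT-IN
 permit tcp host 10.89.2.3 any eq 22 log
 permit tcp host 10.89.2.20 any eq 22 log
 permit 22 host 10.89.2.3 any log
 deny ip any any log
!
line vty 0 4
 access-class MGMT-IN in
 exec-timeout 60 0
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport input ssh
!
"""

# Valid IP protocol numbers that almost always mean a TCP/UDP service port
# when they show up in the protocol position of an access-list entry.
PORT_LOOKALIKE_PROTOCOLS = {21, 22, 23, 25, 53, 80, 110, 143, 161, 179}


@dataclass
class Finding:
    line_no: int
    text: str
    message: str


# Numbered ("access-list 101 permit 22 ...") or named-ACL ("permit 22 ...")
# entries; group 1 is the protocol field.
ACE_RE = re.compile(r"^\s*(?:access-list\s+\d+\s+)?(?:permit|deny)\s+(\S+)\s")
VTY_RE = re.compile(r"^line\s+vty\b")
# "exec-timeout 0" or "exec-timeout 0 0" disables the idle timer.
TIMEOUT_OFF_RE = re.compile(r"^exec-timeout\s+0(?:\s+0)?$")


def check_acl_entries(lines):
    """Flag entries whose protocol field is a port-looking number."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = ACE_RE.match(line)
        if not m or not m.group(1).isdigit():
            continue
        proto = int(m.group(1))
        if proto in PORT_LOOKALIKE_PROTOCOLS:
            findings.append(Finding(no, line.strip(),
                f"protocol field {proto} selects IP protocol {proto}, not TCP port "
                f"{proto}; use 'permit tcp <src> <dst> eq {proto}' instead"))
    return findings


def check_vty_blocks(lines):
    """Flag vty ranges without 'access-class ... in' or with the idle timeout off."""
    findings = []
    i = 0
    while i < len(lines):
        if not VTY_RE.match(lines[i]):
            i += 1
            continue
        start, header = i + 1, lines[i].strip()
        i += 1
        body = []
        while i < len(lines) and lines[i].startswith(" "):  # block = indented lines
            body.append(lines[i].strip())
            i += 1
        if not any(b.startswith("access-class ") and b.endswith(" in") for b in body):
            findings.append(Finding(start, header,
                "no 'access-class ... in': remote access is not source-restricted"))
        if any(TIMEOUT_OFF_RE.match(b) or b == "no exec-timeout" for b in body):
            findings.append(Finding(start, header,
                "idle timeout disabled: abandoned sessions can exhaust the vty pool"))
    return findings


def audit_config(config):
    """Run both checks and return findings ordered by config line number."""
    lines = config.splitlines()
    return sorted(check_acl_entries(lines) + check_vty_blocks(lines),
                  key=lambda f: f.line_no)


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.text}: {f.message}")
```

Save the output of show running-config to a file and pass its contents to audit_config(); each finding carries the config line number, the offending line and a one-sentence reason, so the same check fits into a pre-change review as well as post-incident triage.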

Hi Michael,

As Richard correctly highlighted, only 2 hosts are allowed to SSH and nothing else; please check if the sources are the right ones. Below are a few concerns from my side.

> When you did testing by removing the ACL from the vty, did you try "transport input telnet" as well to check if telnet is working?

> Was SSH working before at any time? I am not seeing "ip domain-name" set, which is needed for an SSH connection. Also ensure crypto keys were generated.

hi,

I've removed the access-class for testing and forgot to set it again on those lines, thanks for the info :)

CMTS61#sh ssh
%No SSHv1 server connections running.
%No SSHv2 server connections running.
CMTS61#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -      8       0     0/0       -
     1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
     2 VTY              -    -      -    -    -   2251       0     0/0       -
     3 VTY              -    -      -    -    -    346       0     0/0       -
     4 VTY              -    -      -    -    -     20       0     0/0       -
     5 VTY              -    -      -    -    -      9       0     0/0       -
     6 VTY              -    -      -    -    -      6       0     0/0       -
     7 VTY              -    -      -    -    -      4       0     0/0       -
     8 VTY              -    -      -    -    -      4       0     0/0       -
     9 VTY              -    -      -    -    -      3       0     0/0       -
    10 VTY              -    -      -    -    -      3       0     0/0       -
    11 VTY              -    -      -    -    -      3       0     0/0       -
    12 VTY              -    -      -    -    -      3       0     0/0       -
    13 VTY              -    -      -    -    -      3       0     0/0       -
    14 VTY              -    -      -    -    -      3       0     0/0       -
    15 VTY              -    -      -    -    -      2       0     0/0       -
    16 VTY              -    -      -    -    -      2       0     0/0       -
    17 VTY              -    -      -    -    -      2       0     0/0       -

 

log doesn't help at the moment, because no ssh messages are shown, i started ssh debugging on cmts and tried to connenct, but again cmts log shows no ssh messages, i tried "debug ip ssh"

 

only 2 hosts are allowed, that is correct, the third entry was a mistake and i removed it. 10.89.2.20 is a catalyst 3750x i can log into, from here i have multiple cmts connectet, which are alle connectable via ssh, so i think i can exclude this one.

 

as i removed the acl i tried "transport input ssh telnet", but can't login with telnet.

ssh works for some years without any probs, i removed the crypto key and generated a new one after ssh doesn't work, but it didn't help, outbound ssh works fine

 

Michael
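Rick's hypothesis that stale sessions are holding every vty can be checked from the console with show line, where a leading asterisk marks a line that is currently in use. In the show line output Michael posted above only the console (tty 0) is marked, so the vty pool is not exhausted and the failure must be earlier, in the network path or the ACL. The parser below is an added example for this page, not code from the thread or from Cisco; it reads that output as posted and reports how many vty lines are free.

```python
# 'show line' output as Michael posted it above (CMTS61#sh line). The parser
# is an added example for this page, not code from the thread or from Cisco.
SHOW_LINE_OUTPUT = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -      8       0     0/0       -
     1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
     2 VTY              -    -      -    -    -   2251       0     0/0       -
     3 VTY              -    -      -    -    -    346       0     0/0       -
     4 VTY              -    -      -    -    -     20       0     0/0       -
     5 VTY              -    -      -    -    -      9       0     0/0       -
     6 VTY              -    -      -    -    -      6       0     0/0       -
     7 VTY              -    -      -    -    -      4       0     0/0       -
     8 VTY              -    -      -    -    -      4       0     0/0       -
     9 VTY              -    -      -    -    -      3       0     0/0       -
    10 VTY              -    -      -    -    -      3       0     0/0       -
    11 VTY              -    -      -    -    -      3       0     0/0       -
    12 VTY              -    -      -    -    -      3       0     0/0       -
    13 VTY              -    -      -    -    -      3       0     0/0       -
    14 VTY              -    -      -    -    -      3       0     0/0       -
    15 VTY              -    -      -    -    -      2       0     0/0       -
    16 VTY              -    -      -    -    -      2       0     0/0       -
    17 VTY              -    -      -    -    -      2       0     0/0       -
"""


def parse_show_line(text):
    """One dict per terminal line. A leading '*' marks a line currently in use."""
    rows = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("Tty"):
            continue  # blank or header line
        active = raw.startswith("*")
        tokens = raw.lstrip("* ").split()
        # Tx/Rx is blank on CTY and VTY lines, so the token count varies;
        # the Uses/Noise/Overruns/Int columns are fixed when counted from the right.
        rows.append({
            "tty": int(tokens[0]),
            "type": tokens[1],
            "active": active,
            "uses": int(tokens[-4]),
        })
    return rows


def vty_usage(rows):
    """Summarise how much of the vty pool is occupied right now."""
    vty = [r for r in rows if r["type"] == "VTY"]
    in_use = sum(1 for r in vty if r["active"])
    return {"total": len(vty), "in_use": in_use, "free": len(vty) - in_use,
            "exhausted": len(vty) > 0 and in_use == len(vty)}


if __name__ == "__main__":
    rows = parse_show_line(SHOW_LINE_OUTPUT)
    print(vty_usage(rows))
    for r in rows:
        if r["active"]:
            print(f"tty {r['tty']} ({r['type']}) is in use")
```

When "exhausted" comes back True the fix Rick describes applies (clear the stuck vty from the console); when it is False, as here, the next thing to look at is the packet path, since a vty that never sees the SYN produces no debug ip ssh output at all.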

 

 
