Random SSH Authentication Failure on 2960

Martin Paul
Level 1

Hi CSC,

I am encountering an issue during SSH authentication on my 2960, and I have been attempting various troubleshooting steps, without success so far.

Network topology:

Core Switch (Cisco) ------ DMZ Switch 1 (Cisco, 2960) ------ Internet Firewall Cluster Member#1
        ||                          ||                                  ||
        ||                          ||                                  ||
Core Switch (Cisco) ------ DMZ Switch 2 (Cisco, 2960) ------ Internet Firewall Cluster Member#2

This issue only happens on DMZ Switch 1. Both DMZ switches have the latest firmware and the same configuration (except the port configuration for attached hosts). These are layer 2 switches with just one IP for management and normal SSH v2 configured.

I open an SSH connection to DMZ Switch 2, no problem. Enter username and password and I'm in.

However, when opening an SSH connection to DMZ Switch 1 from my laptop in the LAN, and although entering correct credentials, access is denied.

The way I work around this is by SSHing to DMZ Switch 2 and then hopping to DMZ Switch 1. *This is the only way I can remotely access DMZ Switch 1.*

The suspicious error message I can see on DMZ Switch 1 (terminal monitor, when SSHing from DMZ Switch 2) is "Duplicate Address <IP of DMZ Switch 1> on VLAN <Management VLAN ID>, sourced by <some MAC address>". I am not able to trace the MAC address (it traces back to the trunk link between the DMZ switches).

Any ideas? This is happening randomly.

Thanks

6 Replies

Sanjay Shaw
Level 1

Hi Martin,

For the issue that you are getting, it looks like an L2 loop is forming somewhere between the FW and the 2960 switch. To check this, you have to share the below details from both 2960 switches:

show logs

show run int Vl(xxx)

sh standby vl(xxx)

Could you check whether the FW cluster is configured correctly?

Have you configured this (spanning-tree bpdu-guard enable) on the port where you are getting the logs?

Trace the origin of the MAC address.


BR// Sanjay

Hi again,

+ Nothing fancy for the Management VLAN ...

Switch 1:

    interface vlan 100
     description Management Interface
     ip address 192.168.100.21
     no ip route-cache
    end

Switch 2:

    interface vlan 100
     description Management Interface
     ip address 192.168.100.22
     no ip route-cache
    end

+ There is no HSRP configured. Default gateway: 192.168.100.1

+ My FW cluster is correctly configured. The .1 default gateway is the VIP of the cluster.

+ Why are you suggesting BPDU Guard on the trunk link between the switches? That would be precisely the place where BPDUs are sent/received, or am I missing something?

Thanks,

Martin

Hi Martin,

BPDU Guard has never been suggested on the trunk link between the switches. I am suggesting it on the FW-connected interface.

Hello again,

Problem not solved. BPDU Guard was enabled on the interface to the FW, but I still get the duplicate IP error.

Regards,

Martin

Hi Martin,

Could you share the configuration files of the devices in the topology?

BR// Sanjay

Hi Martin,

What is the output of "sh mac-address-table address <the-mac-address-you-see-in-the-duplicate-ip-message>" on both DMZ Switch 1 and DMZ Switch 2?

On DMZ Switch 1 it should show you the port on which that MAC is connected. Try to trace the device connected to that port (based on your description it should be DMZ Switch 2) and check whether it has any duplicate IP address configured on it with the "sh ip int b | in 192.168.100.21" command. If no duplicate address is configured on DMZ Switch 2, try to trace that MAC address on DMZ Switch 2 to see whether it is learned on some other port that has a device connected to it with that duplicate MAC address.

Regards,

Aref
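The tracing step Aref describes above, correlating the MAC address in the duplicate-address message with the switch's MAC table, as an added example that is not part of this thread. It assumes the standard IOS `%IP-4-DUPADDR` syslog format and `show mac address-table` layout; the log lines, MAC addresses and port name below are constructed samples.

```python
import re
from collections import Counter

# Constructed syslog lines as seen on DMZ Switch 1 (sample data, not from the thread).
SAMPLE_LOG = """\
Mar  1 10:02:11.120: %IP-4-DUPADDR: Duplicate address 192.168.100.21 on Vlan100, sourced by 0011.2233.4455
Mar  1 10:02:41.004: %IP-4-DUPADDR: Duplicate address 192.168.100.21 on Vlan100, sourced by 0011.2233.4455
Mar  1 10:03:01.880: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Constructed "show mac address-table address 0011.2233.4455" output from DMZ Switch 1.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0011.2233.4455    DYNAMIC     Gi0/49
Total Mac Addresses for this criterion: 1
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
DUPADDR_RE = re.compile(r"Duplicate address (\S+) on (Vlan\d+), sourced by (" + MAC + ")", re.I)
MAC_ROW_RE = re.compile(r"^\s*(\d+)\s+(" + MAC + r")\s+(\w+)\s+(\S+)", re.I)

def parse_dupaddr(log):
    """Count DUPADDR events per (ip, vlan, claimant mac); other syslog lines are ignored."""
    hits = Counter()
    for line in log.splitlines():
        m = DUPADDR_RE.search(line)
        if m:
            ip, vlan, mac = m.groups()
            hits[(ip, vlan.lower(), mac.lower())] += 1
    return hits

def parse_mac_table(text):
    """Return {(vlan_id, mac): port} from 'show mac address-table' output, skipping headers."""
    table = {}
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line)
        if m:
            vlan, mac, _type, port = m.groups()
            table[(int(vlan), mac.lower())] = port
    return table

def locate_offenders(log, mac_table):
    """Map each duplicate-address claimant to the local port it was learned on (next hop to trace)."""
    table = parse_mac_table(mac_table)
    out = []
    for (ip, vlan, mac), n in parse_dupaddr(log).items():
        vlan_id = int(vlan[len("vlan"):])
        port = table.get((vlan_id, mac), "not in MAC table (aged out or learned elsewhere)")
        out.append({"ip": ip, "vlan": vlan_id, "mac": mac, "count": n, "port": port})
    return out
```

If the port returned is the trunk towards DMZ Switch 2, repeat the same lookup there with its own MAC table output until a non-trunk port is reached.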
