cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
38051
Views
30
Helpful
16
Replies

%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection

syedhashmi455
Beginner
Beginner

Hello folks, please help me in resolving the issue. I get this error message twice a week resulting in complete network failure with 2 ISP's connected to this stack switch

%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection

The switch version is /c3750e-universalk9-mz.122-55.SE1

Has it got any thing to do with this version? Do I need to upgrade it to 15.4?

Regards,

Hashmi

2 Accepted Solutions

Accepted Solutions

Georg Pauwen
VIP Master VIP Master
VIP Master

Hello,

it might be somebody (unauthorized) trying to get SSH access to your switch.

What does your VTY access-group look like ? To only allow SSH from authorized sources, it should look something like this:

ip access-list extended SSH_ACCESS_CONTROL
permit udp x.x.x.x/y.y.y.y any eq 22
permit tcp x.x.x.x/y.y.y.y. any eq 22
deny udp any any eq 22
deny tcp any any eq 22
permit ip any any
!
line vty 0 15
ip access-group SSH_ACCESS_CONTROL

Also, you could add an rsa keypair to you config:

ip ssh rsa keypair-name <hostname>

View solution in original post

ok so this is at the front of the network yes the 2 ISP circuits are directly connected to this 3750 , your not crossing any other devices that ping may stop at ?

can you post the show tech off the switch really need to see what happening here if there is anything else going on

if you cant and your certain ssh is causing this upgrade the switch to test as a fix , if its dropping off 3 times a day you need to do something asap

I have never seen ssh to cause something like this that's way I think something else is dropping your connection but bugs can do weird things , a software upgrade will rule it out

View solution in original post

16 Replies 16

Mark Malone
Mentor
Mentor

Hi

I don't see how ssh attempts to your device are knocking off 2 ISP circuits ?

is there any other logs when the issue occurs did you check cpu mem etc , what are you doing to bring the ISP links back online ?

can you post the show ip ssh

usually this is from somoen trying to acces the device with sshv1 when the switch or router only accepts v2

Hi Mark,

NET#sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

When this SSH time out happens, it gets back online by itself in about 2-3 minutes without me doing nothing

??never seen that before , if your 100% on that all it could be is a bug , the timeout is only for the client that's trying to connect to the switch , it has no control over physical interfaces

what exactly is dropping on these circuits are they going hard down ? or is BGP dropping  ?

can you post the ISP interfaces

............................

try change your ssh to v2 anyway you shouldn't use v1 its insecure , your allowing sshv1 and v2 there as the keys are only set to 512

regenerate your crypto keys

crypto key generate rsa

Hit return then type 1024 and return again

posting ssh output

NET#sh ssh
Connection      Version Encryption      State                   Username
0               0.0        -            Open                    -
1               0.0        -            Open                    -
2               0.0        -            Open                    -
9               0.0        -            Open                    -
14              0.0        -            Open                    -
Connection Version Mode Encryption  Hmac         State                 Username
3          2.0     IN   aes256-cbc  hmac-sha1    Session started       ****
3          2.0     OUT  aes256-cbc  hmac-sha1    Session started       *****

**************************************************************************************

NET#sh version
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 02-Dec-10 06:08 by prod_rel_team
Image text-base: 0x00003000, data-base: 0x02800000

ROM: Bootstrap program is C3750E boot loader
BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)

NET uptime is 3 years, 26 weeks, 1 hour, 35 minutes
System returned to ROM by power-on
System restarted at 10:25:23 KSA Mon Aug 26 2013
System image file is "flash:/c3750e-universalk9-mz.122-55.SE1/c3750e-universalk9-mz.122-55.SE1.bin"


*****************************************************************************

The switch is not going down physically

The 2 ISP's are connected to this internet switch and the other side is the LAN, The firewall is sitting after this internet switch......Strange but ture

Hey Mark and Georg,

Apologies for not getting back. But with the support of you 2, the problem got fixed

There was a brute-force attack on ssh from a particular IP after enabling logging and identifying the issue, I upgraded IOS and applied SSH-ACCESS-CONTROL to specifuc subnet and since then the network is stable.

I rank both your answers to be right, thank you both of you

Regards,

Hashmi

glad you got it fixed

This will slow down brute attacks on a router / switch

it will stop the automated attack after 10 attempts in 60 seconds for 5 minutes , you can increase it , but always allow you vty access line in send line so you never get blocked as an authorised user  

login block-for 300 attempts 10 within 60
login quiet-mode access-class x

Got it Mark

I am also Facing the same issue. can anyone help me.

Hello,

 

what exactly are you facing ? The thread has a solution I guess...does that work for you ?

Dear Sir,

 

thanks from your prompt reply, i am facing this issue with my Cisco 3750 Switch and getting the message (%SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection) i have change even the complete switch and installed another one but same result in another switch also.

i have changed the management IP of the switch but didn't had any affect and still i am getting the same message and my switch WAN port color is going green and orange and giving me packet lost for 10 seconds and again becoming normal for few minutes.

i have also deployed access list for only one IP but it didn't worked for me. following is access list configuration.

access-list 10 permit <Allowed IP>
line vty 0 15
 access-class 10 in
 transport input ssh

and the solution which you have shared i can deployed the access list but while i m going to my (line vty 0 15) my installed switch is not accepting (ip access-group) and (ip ssh rsa keypair-name) command they don't have it.

my switch IOS is ("flash:c3750-ipservicesk9-mz.122-50.SE3.bin").

Georg Pauwen
VIP Master VIP Master
VIP Master

Hello,

it might be somebody (unauthorized) trying to get SSH access to your switch.

What does your VTY access-group look like ? To only allow SSH from authorized sources, it should look something like this:

ip access-list extended SSH_ACCESS_CONTROL
permit udp x.x.x.x/y.y.y.y any eq 22
permit tcp x.x.x.x/y.y.y.y. any eq 22
deny udp any any eq 22
deny tcp any any eq 22
permit ip any any
!
line vty 0 15
ip access-group SSH_ACCESS_CONTROL

Also, you could add an rsa keypair to you config:

ip ssh rsa keypair-name <hostname>

Hey Georg,

No one has access to this switch except me.

ip ssh rsa keypair-name <hostname>

hostname in the sense, hostname of the switch is it? And what does this command do

I lost the connectiviy 3 times today with the same error message, not sure what's going on

when you lose access to the switch , run a trace route from a pc or device an see if its definitely the switch causing it and its stopping just at that hop

Yes its definitely the switch bcoz I lose the pings to this switch when the network is down, as soon as the pings comes back, the network is online

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: