12-12-2006 09:00 PM - edited 03-05-2019 01:19 PM
Hi, I have reconfigured my Cisco 3825 for SSH after we lost the config due to a power failure. I have reconfigured it the same way it was configured before, when it was working properly.
Now, when I try to access the router using PuTTY SSH, I get to the authentication screen, but after entering username and password (enable secret and line password are the same) I get access denied.
Below is the SSH and line configuration on the router. I have seen the PDF that has been recommended here at NetPro and have followed that document, but I am still having the problem:
no ip bootp server
ip domain lookup source-interface Serial0/0/0.1
ip domain name gmac
ip name-server 198.6.1.5
ip ssh maxstartups 5
ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh source-interface GigabitEthernet0/0
ip ssh logging events
voice-card 0
no dspfarm
crypto pki trustpoint border-p.gmac
revocation-check crl
!
crypto pki trustpoint TP-self-signed-1590450227
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1590450227
revocation-check none
rsakeypair TP-self-signed-1590450227
border-p#show cry key mypubkey rsa
% Key pair was generated at: 23:41:15 UTC Dec 12 2006
Key name: border-p.gmac
Usage: General Purpose Key
Key is not exportable.
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E81AB7
CB1E6A0E 4E0B0511 60518967 B5051E0F 671781B3 87A76647 D85D3BE5 A49D6A49
A38A4CE1 D0551A1E 8CD503B2 000A58E4 9CB82B99 9FC0D97D 34400B6C BDD26DB4
403978BC 91AE97AC 935F2B3D 9784A13D FBD3F346 D0C3E602 4726AE4D 9C67C628
7D97B85D F620DCED 55B9FEDD F1F23160 3D7AF90D 5E226CBB 073D98C3 51020301 0001
% Key pair was generated at: 23:41:15 UTC Dec 12 2006
Key name: border-p.gmac.server
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C4B5D5 3AD95B74
C71341E1 F92425D0 E34B3BCA 81F6D67B C9D112C5 9893A93F DA9763BD 01F097CF
9F6DFB70 F2449976 BBBA98F8 96F72082 EDA5E33F 9685997B FE77E9C3 71F2E3BF
D2543E10 611D9907 8D7CD273 48AB04B3 761EDBBB 770D7FA2 FD020301 0001
border-p#
line con 0
password 7 094B471F1C081247050313
login
stopbits 1
line aux 0
password 7 02010D4D0E0B0A7442411E
login
stopbits 1
line vty 0 3
privilege level 15
password 7 14101B1D09092F7E2A2724
login
transport input telnet ssh
line vty 4
privilege level 15
password 7 1515021A01272E71263C22
login
transport input telnet ssh
Please advise,
Masood
12-13-2006 03:42 AM
Hi, bit of a long shot really, but some time ago I configured IPSec with a CA server. This required RSA keys on the router, and one thing I remember was that the router clock had to be set correctly or the RSA key would not be active. Can you confirm the clock is set correctly and the RSA key is active?
12-13-2006 08:12 AM
Thanks for your response. The clock is synced with an NTP server and correct. The RSA key is active too. I am puzzled!
Masood
12-14-2006 01:16 AM
Try recreating your RSA key and test the login.
Narayan
12-14-2006 03:25 AM
Masood
While I frequently share the approach that Narayan is suggesting to recreate the RSA key (most especially if there was some event that lost the config, it is fairly likely to have impacted the RSA keys), the output that you posted seems to indicate that the keys were generated on Dec 12, which implies that you generated keys after doing the new config. Is that correct? While it certainly cannot hurt to recreate the keys, I am not optimistic that it will fix the problem.
The parts of the config that you posted do not show whether you have configured aaa authentication or not. Perhaps you can clarify this?
It might also be helpful to give us the exact error message that you get when you attempt ssh access.
If we do not find a solution otherwise, it might be helpful to run a debug for SSH, attempt access, and post the debug output.
HTH
Rick
12-14-2006 05:29 AM
You are right, the RSA key was created after I lost the config and reconfigured the router, and yes, recreating the RSA key didn't fix my problem.
When I run PuTTY SSH, I get to the router's login, asking me for username and then password. I enter the username and then the password, but it comes back and tells me that access is denied.
I have not configured aaa yet, but I will after a few days when my Cisco Secure ACS TACACS+ installation is finished.
I have tried all that I could but I am still having the problem.
How can I delete the vty lines and recreate them? The no line vty 0 3 and no line vty 4 don't do the trick.
Thanks,
Masood
12-14-2006 06:23 AM
Hi Rick,
Here is the debug ssh output:
border-p#sh logging
Syslog logging: enabled (11 messages dropped, 2 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 256554 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
No active filter modules.
Trap logging: level notifications, 6135 message lines logged
--More--
Log Buffer (4096 bytes):
O
256572: Dec 14 09:18:14.662 UTC: SSH2 0: ssh_receive: 276 bytes received
256573: Dec 14 09:18:14.662 UTC: SSH2 0: input: packet len 256
256574: Dec 14 09:18:14.662 UTC: SSH2 0: partial packet 16, need 240, maclen 20
256575: Dec 14 09:18:14.662 UTC: SSH2 0: MAC #6 ok
256576: Dec 14 09:18:14.662 UTC: SSH2 0: input: padlen 197
256577: Dec 14 09:18:14.666 UTC: SSH2 0: received packet type 50
56619: Dec 14 09:18:36.712 UTC: SSH0: sent protocol version id SSH-1.99-Cisco-1.25
256620: Dec 14 09:18:36.716 UTC: SSH0: protocol version id is - SSH-1.5-OpenSSH_3.7.1p2
256621: Dec 14 09:18:36.716 UTC: SSH0: SSH_SMSG_PUBLIC_KEY msg
256622: Dec 14 09:18:36.817 UTC: SSH0: Session disconnected - error 0x07len 32 (includes padlen 13)
256581: Dec 14 09:18:16.666 UTC: SSH2 0: done calc MAC out #7
256583: Dec 14 09:18:17.310 UTC: SSH2 0: ssh_receive: 276 bytes received
256584: Dec 14 09:18:17.310 UTC: SSH2 0: input: packet len 256
256585: Dec 14 09:18:17.310 UTC: SSH2 0: partial packet 16, need 240, maclen 20
256586: Dec 14 09:18:17.310 UTC: SSH2 0: MAC #7 ok
256587: Dec 14 09:18:17.310 UTC: SSH2 0: input: padlen 207
256588: Dec 14 09:18:17.310 UTC: SSH2 0: received packet type 50
256591: Dec 14 09:18:19.310 UTC: SSH2 0: send: len 32 (includes padlen 13)
256592: Dec 14 09:18:19.310 UTC: SSH2 0: done calc MAC out #8
256596: Dec 14 09:18:22.879 UTC: SSH2 0: ssh_receive: 276 bytes received
256597: Dec 14 09:18:22.879 UTC: SSH2 0: input: packet len 256
256598: Dec 14 09:18:22.879 UTC: SSH2 0: partial packet 16, need 240, maclen 20
256599: Dec 14 09:18:22.879 UTC: SSH2 0: MAC #8 ok
256600: Dec 14 09:18:22.879 UTC: SSH2 0: input: padlen 197
256601: Dec 14 09:18:22.879 UTC: SSH2 0: received packet type 50
256604: Dec 14 09:18:24.879 UTC: SSH2 0: authentication failed for userid (code=1)
256605: Dec 14 09:18:24.979 UTC: SSH0: Session disconnected - error 0x09
border-p#
Hope this shows what the issue might be. I think there is an SSH version problem here!
Your thoughts??
Thx,
Masood
12-14-2006 07:17 AM
Masood
Before you lost the config and the SSH access was working was it configured for aaa?
I am wondering if the issue is that SSH wants both a username and a password, but the default authentication on the vty ports only uses a password. I wonder whether, if you were to configure a username and password on the router and then configure the vty ports with login local (which will authenticate with the username and password configured), you would solve the authentication problem.
HTH
Rick
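To make the point in this reply concrete, here is an added configuration example (not from the thread or from Cisco documentation) showing the password-only vty setup beside a version that authenticates SSH users against a local username. The account name `masood` is taken from later in the thread; the secrets are placeholders, and `transport input ssh` and `ip ssh version 2` are hardening choices assumed here rather than anything the thread prescribes.

```cisco
! --- As posted: password-only line authentication ---
! "login" with a line password is the Telnet model: the router only
! asks for a password. An SSH client always presents a username, and
! the line has no username database to check it against, so the
! session ends with "authentication failed for userid (code=1)".
line vty 0 4
 privilege level 15
 password 7 <line-password-placeholder>
 login
 transport input telnet ssh
!
! --- Corrected: per-user credentials checked from the local database ---
! Assumed account; replace the secret with your own. "secret" stores a
! hash, unlike "password", which is reversibly encoded (type 7).
username masood privilege 15 secret <strong-secret-placeholder>
!
! RSA keys are named after hostname.domain, so the domain name must exist
! before "crypto key generate rsa". Pinning version 2 removes the SSH1
! fallback that the debug above shows the server still offering (SSH-1.99).
ip domain name gmac
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! Verification after the change (show commands only, no config impact):
!   show ip ssh    -> "SSH Enabled - version 2.0" and the key size in use
!   show users     -> the authenticated vty session with its username
!   debug ip ssh   -> the "received packet type 50" (userauth request)
!                    lines should no longer be followed by code=1
```

Two design notes. Privilege level 15 moved from the line to the username, so an authenticated session still lands in privileged mode without the line itself handing out level 15 to anyone who passes password-only login. The same `login local` setting is what the thread's last reply reports as the one change that fixed the problem; `aaa new-model` with `aaa authentication login default local` is the equivalent once AAA is introduced, and is what a later migration to TACACS+ would build on.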
12-14-2006 08:39 AM
Here is what I did: deleted the RSA key,
configured the vty lines for login local with the password set to the enable secret for the username, but I still get access denied when I try to access the router using PuTTY SSH.
I really don't know what else there is to configure.
border-p(config)#cry key generate rsa
The name for the keys will be: border-p.gmac
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
border-p(config)#exit
border-p#wr mem
Building configuration...
[OK]
border-p#
Your thoughts?
thx,
Masood
12-14-2006 09:06 AM
Masood
I cannot tell from your message whether you followed all of my suggestion about login local. When you do login local, it is important that there be at least one username and password configured on the router.
For example: username masood password letmein
Then try ssh with the username of masood and the password as letmein
Also it would be helpful to know if the router was configured with aaa when it was working correctly before the config was lost.
HTH
Rick
12-14-2006 05:24 AM
I have done that many times so far..
Thx,
Masood
12-14-2006 09:03 AM
OK Guys,
It's now fixed, and thanks to all of you who shared your thoughts with me.
It was solely an authentication issue. I deleted the RSA key and then deleted all the usernames I had in the configuration and recreated the username, then generated the RSA keys, and that fixed the SSH access to this router.
Thank you very much for all the good ideas.
Regards,
Masood
12-14-2006 09:08 AM
Masood
I am glad that you got it fixed.
Thanks for posting to the forum indicating what the solution was. It makes the forum more useful when people can read about a problem and can read what solution resolved the problem.
HTH
Rick
12-14-2006 11:03 AM
You are welcome, Rick. Thanks for helping me. All the responses were right and to the point.
We use this forum and we need to take care of it.
Thx,
Masood
04-13-2012 09:52 PM
Hi there.
I had the same issue, and after reading this, I tried only changing "login" to "login local". Then I was successful accessing my router via SSH.
Thanks.