SSH is not opening

Hi Everyone,

Kindly help me to resolve SSH. The IP domain name is created, the crypto RSA key is generated, SSH v2 is enabled, and I'm getting output for the following commands: show crypto key mypublickey and show ip ssh.

 

Line vty configuration:

line vty 0 4
 login local
 transport input ssh

 

Martin L
VIP

Do you have a hostname for the device? A username and password?

Hi,

 

We have Hostname & Password & also IOS running K9 IOS.

 

 

Please provide a little more info:

  1. What error do you receive when trying to connect to the host?
  2. Do you have a route to the host (can you ping)?
  3. Is this the only device you have this issue on?
  4. Can you connect via SSH to different devices?

Please provide a little more info:

  • What error do you receive when trying to connect to the host?

       Network error: Connection refused

  • Do you have a route to the host (can you ping)?

       Yes, I am able to ping.

  • Is this the only device you have this issue on?

       Yes, only this device is having the problem.

  • Can you connect via SSH to different devices?

       Yes, I am able to connect to other devices.

 

 

I have removed ACL from Line Vty 0 4

Hi @datacenter.support3f ,

 

Could you share the device configuration?

A diagram of your network would also be useful.

 

Regards

I would enable telnet also and test connectivity via this to narrow it down 100% to SSH issue.
What is the switch model and ios version?

1) You could have a duplicate IP address, so the device you get connected to is not the device you want.

2) If this is a Unix host you are connecting from, it may have cached an "old" fingerprint for an earlier RSA key; you need to delete this first from $HOME/.ssh/known_hosts.

Dear all,

 

Now it's working.

Thanks for the replies, everyone.

Actually, my LAN network is the 10.116.x.x series, and it's not mentioned in the standard ACL, but in the extended ACL, 30 deny tcp any any eq 22 is configured. Can anyone let me know whether the ACL is processed from the top of the list to the bottom, as in the scenario below?

 

10 permit 10.116.74.18
20 permit 10.116.16.39
30 permit 10.117.3.40 log
40 permit 158.98.123.72
50 permit 10.200.1.42
60 permit 10.200.1.54
70 permit 10.249.23.128, wildcard bits 0.0.0.127
80 permit 10.249.16.0, wildcard bits 0.0.0.255
90 permit 10.116.5.0, wildcard bits 0.0.0.255 (Configured Now)
100 deny any
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
100 deny udp any any eq domain
101 deny tcp any any eq domain
102 deny udp any eq bootps any
103 deny udp any any eq bootpc
104 deny udp any eq bootpc any
105 permit tcp any any eq www
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet
20 deny tcp any any eq www
30 deny tcp any any eq 22 (This is the one I would like to remove. Kindly help me to remove it.)
40 permit ip any any
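
The top-to-bottom, first-match evaluation asked about above, as an added example that is not part of the original post or Cisco code: it parses the standard access list entries quoted in the post and reports which entry a given source address hits, with and without entry 90. The client address 10.116.5.20 is a constructed sample, and `parse_acl` and `evaluate` are hypothetical helper names.

```python
import ipaddress
import re

# Entries copied from the standard access list in the post above
# (the "(Configured Now)" annotation on entry 90 is dropped).
ACL_TEXT = """\
10 permit 10.116.74.18
20 permit 10.116.16.39
30 permit 10.117.3.40 log
40 permit 158.98.123.72
50 permit 10.200.1.42
60 permit 10.200.1.54
70 permit 10.249.23.128, wildcard bits 0.0.0.127
80 permit 10.249.16.0, wildcard bits 0.0.0.255
90 permit 10.116.5.0, wildcard bits 0.0.0.255
100 deny any
"""

ENTRY_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<addr>any|[\d.]+)"
    r"(?:,\s*wildcard bits\s+(?P<wild>[\d.]+))?"
)

def parse_acl(text):
    """Parse 'show access-lists' style lines into (seq, action, base, wildcard)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        if m["addr"] == "any":
            base, wild = 0, 0xFFFFFFFF  # every bit is "don't care"
        else:
            base = int(ipaddress.IPv4Address(m["addr"]))
            wild = int(ipaddress.IPv4Address(m["wild"] or "0.0.0.0"))
        entries.append((int(m["seq"]), m["action"], base, wild))
    return sorted(entries)  # entries are evaluated in sequence-number order

def evaluate(entries, source_ip):
    """Return (seq, action) of the first matching entry, else the implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for seq, action, base, wild in entries:
        if ((src ^ base) & ~wild & 0xFFFFFFFF) == 0:  # compare only the "care" bits
            return seq, action
    return None, "deny"  # implicit deny that ends every ACL

acl = parse_acl(ACL_TEXT)
before_fix = [e for e in acl if e[0] != 90]  # the list as it was without entry 90
print(evaluate(before_fix, "10.116.5.20"), evaluate(acl, "10.116.5.20"))
```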

 

Hi @datacenter.support3f ,

 

Try this:

  1. Execute the show run command
  2. Copy the entire ACL and paste it into a .txt
  3. Remove the ACL from your device
  4. Remove the ACL line in the .txt
  5. Copy the edited ACL from the .txt and paste it on your device

 

Regards

Actually, the access list sl_def_acl is self-generated by IOS and cannot be deleted. See this link, which mentions the function of this access list:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/xe-3s/sec-usr-cfg-xe-3s-book/sec-login-enhance.html

 

HTH

 

Rick
