Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3057
Views
3
Helpful
26
Replies

SSH not working for some devices, PING works for all - 3560 switch

Go to solution
Filip Knezevic
Level 1
Level 1

‎12-08-2023 05:44 AM

I have a strange problem which I already encountered before.

There is a 3560 switch, L2 device with VLANs. SSH was working properly. I setup the new MGMT VLAN and it was still working. Yesterday I noticed I cannot connect to SSH from a laptop on another network, but I can ping it. Read all the threads were no ip classless was recommended and no ip routing as well, didn't help.

So, SSHB is version 2. There are no ACLs blocking ssh. Telnet is also enabled and not working.

I can connect from a directly connected switch.

From a laptop on a different subnet I can ping it, but SSH is not prompting. Telnet is not prompting.

This means:

IP connectivity is good, all devices can ping the switch.

SSH is properly configured, key is generated and SSH works from directly connected network.

PING is working from a PC that cannot SSH - so we know the IP connectivity and the gateway are good.

What I tried:
no ip routing

no ip route with ip default gateway

ip classless no ip classless

I noticed it was setup as login local on vty so I tried with AAA new model and also didn't work.

Relevant switch config

line vty 0 4
logging synchronous
length 0
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
ntp clock-period 36029542
ntp server 172.20.200.110
ntp server 172.20.200.121
end

version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname ARO-MTL-4
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Oek6$R.PwLMORbgHuxDLtDLnEH0

username filip privilege 15 secret 5 $1$Owme$WdVrNCWx1T0NQUVUqGzTT.

aaa new-model
aaa session-id common
clock timezone GMT -5
clock summer-time EDT recurring
system mtu routing 1500
vtp domain ARO2
vtp mode transparent
ip domain-name ARO

!

spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
name ALL-VLANs
!
spanning-tree mst 0 priority 8192
spanning-tree vlan 1-200 priority 8192
!
vlan internal allocation policy ascending
!
vlan 81
name MGMT-VLAN
!
vlan 90
name PHONE
!
vlan 91
name MGMT
!
vlan 120
name DATA
lldp run
!
ip ssh version 2
!

ip default-gateway 172.20.11.129
ip classless
ip http server
ip http secure-server
!
no cdp run
snmp-server community checkmk RO
!
banner login ^C Wel^C
!
line con 0
logging synchronous
line vty 0 4
logging synchronous
length 0
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
ntp clock-period 36029542
ntp server 172.20.200.110
ntp server 172.20.200.121
end

 

 

 

 

Labels:
0 Helpful
26 Replies 26

Go to solution
Filip Knezevic
Level 1
Level 1
In response to balaji.bandi

‎12-08-2023 06:46 AM

NOT RESOLVED.

I can connect with SSH from directly connected switches. TRUE. This indicates the SSH v2 is working properly.

I cannot connect from vlan 120 PC. Same PC can connect to other switches on 172.20.11.128/26 network.

SO I SSH to 172.20.11.131, 172.20.11.132, 172.20.11.137 but NOT to 172.20.11.134.

I hope it's more clear now. Yes, I agree, it's very confusing and that's why I'm seeking help. This should all be basic stuff.

0 Helpful

Go to solution
Filip Knezevic
Level 1
Level 1

‎12-08-2023 06:37 AM

This doesn't look good.

capture.png

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Filip Knezevic

‎12-08-2023 06:40 AM

So you can access now?

If not share config of aaa vty 

MHM

0 Helpful

Go to solution
Filip Knezevic
Level 1
Level 1
In response to MHM Cisco World

‎12-08-2023 06:50 AM - edited ‎12-08-2023 06:52 AM

NO ACCESS from PC. I can access from other switches using SSH.

ARO-MTL-7# ssh -l filip 172.20.11.134
Password:

ARO-MTL-4#

 

 

no aaa new-model
clock timezone GMT -5
clock summer-time EDT recurring
system mtu routing 1500
vtp domain ARO6
vtp mode transparent
ip routing
no ip domain-lookup


ip default-gateway 172.20.11.129
no ip classless
ip http server
ip http secure-server
!
no cdp run
snmp-server community checkmk RO
!
banner login ^C Wel^C
!
line con 0
logging synchronous
login local
line vty 0 4
logging synchronous
login local
length 0
transport input telnet ssh
line vty 5 15
login local
transport input telnet ssh
!
ntp clock-period 36029540
ntp server 172.20.200.110
ntp server 172.20.200.121
end

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Filip Knezevic

‎12-08-2023 06:55 AM

Username filip password xxxx privilege 15

Enable password xxxx <- this so important 

Then try access 

Since ssh ask you for password then connect is OK

MHM

0 Helpful

Go to solution
Filip Knezevic
Level 1
Level 1
In response to MHM Cisco World

‎12-08-2023 07:01 AM

Sorry for the confusion.

So, SSH asks for password when I try to connect from the switch and it then WORKS.

When I connect from putty from PC it DOESN'T WORK. It doesn't even prompt for password and it says Network error: Software caused connection abort.

Go to solution
MHM Cisco World
VIP
VIP
In response to Filip Knezevic

‎12-08-2023 07:08 AM

Then it connect issue.

Make sure the pc have ip in same subnet of mgmt vlan of SW

Connect it to port assign with same vlan

Check above 

MHM

0 Helpful

Go to solution
Filip Knezevic
Level 1
Level 1
In response to MHM Cisco World

‎12-08-2023 07:14 AM

It's NOT the connection issue because PC can PING the switch. 

Obviously devices don't have to be in the same VLAN for SSH to works.

0 Helpful

Go to solution
Filip Knezevic
Level 1
Level 1
In response to Filip Knezevic

‎12-08-2023 07:20 AM

I fixed it. The issue might be in multiple VLAN interfaces on the switch and some asymmetrical routing. I removed VLANs 120 and 90 and I left only the 172.20.11.134 VLAN. Now it works immediately

thanks

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Filip Knezevic

‎12-08-2023 08:22 AM 

I fixed it. The issue might be in multiple VLAN interfaces on the switch and some asymmetrical routing. I removed VLANs 120 and 90 and I left only the 172.20.11.134 VLAN. Now it works immediately

If you enable ip routing and ip route with gateway fix the issue. PC may reach switch, but switch may be or uplink router deoes not know who to reach PC looks like for me.

or you can also use SSH source interface if you looking to.

Any way glad all good.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Filip Knezevic
Level 1
Level 1

‎12-09-2023 11:40 PM

Thanks.

The thing is I tried ip default gateway (no ip routing) and it didn't work. I also tried no ip default gateway, with ip routing with ip route 0.0.0.0 0.0.0.0 and it also didn't work. Once I removed the interface VLAN 120 from the switch the PC that was also on VLAN 120 was able to connect.

Anyway, it's fixed so thanks for brainstorming

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Filip Knezevic

‎12-10-2023 01:35 AM

Sure if thast works for you and happy, but technically the kit should able to add more VLAN and more IP address, but you saying you are limited to One VLAN and working,(that is not intended) - i am sure there is routing issue here. if you like to fix that one (your choice)

i leave it with you as this is your requirement.

as per we know the  only device you mentioned here, as i asked before how is your topology look like where is the PC connected ?

where is the PC gateway ? (on this same switch ?)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Top