SSH not working for some devices, PING works for all - 3560 switch

Filip Knezevic
Level 1

I have a strange problem which I already encountered before.

There is a 3560 switch, an L2 device with VLANs. SSH was working properly. I set up the new MGMT VLAN and it was still working. Yesterday I noticed I cannot connect to SSH from a laptop on another network, but I can ping it. I read all the threads where no ip classless was recommended, and no ip routing as well; it didn't help.

So, SSH is version 2. There are no ACLs blocking SSH. Telnet is also enabled and not working.

I can connect from a directly connected switch.

From a laptop on a different subnet I can ping it, but SSH is not prompting. Telnet is not prompting.

This means:

IP connectivity is good, all devices can ping the switch.

SSH is properly configured, key is generated and SSH works from directly connected network.

PING is working from a PC that cannot SSH - so we know the IP connectivity and the gateway are good.

What I tried:
no ip routing

no ip route with ip default gateway

ip classless and no ip classless

I noticed it was set up as login local on the vty lines, so I tried with aaa new-model and that also didn't work.

Relevant switch config

version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service sequence-numbers
!
hostname ARO-MTL-4
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Oek6$R.PwLMORbgHuxDLtDLnEH0

username filip privilege 15 secret 5 $1$Owme$WdVrNCWx1T0NQUVUqGzTT.

aaa new-model
aaa session-id common
clock timezone GMT -5
clock summer-time EDT recurring
system mtu routing 1500
vtp domain ARO2
vtp mode transparent
ip domain-name ARO

!

spanning-tree mode mst
spanning-tree extend system-id
!
spanning-tree mst configuration
name ALL-VLANs
!
spanning-tree mst 0 priority 8192
spanning-tree vlan 1-200 priority 8192
!
vlan internal allocation policy ascending
!
vlan 81
name MGMT-VLAN
!
vlan 90
name PHONE
!
vlan 91
name MGMT
!
vlan 120
name DATA
lldp run
!
ip ssh version 2
!

ip default-gateway 172.20.11.129
ip classless
ip http server
ip http secure-server
!
no cdp run
snmp-server community checkmk RO
!
banner login ^C Wel^C
!
line con 0
logging synchronous
line vty 0 4
logging synchronous
length 0
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
ntp clock-period 36029542
ntp server 172.20.200.110
ntp server 172.20.200.121
end

2 Accepted Solutions

Then it is a connection issue.

Make sure the PC has an IP in the same subnet as the MGMT VLAN of the switch.

Connect it to a port assigned to the same VLAN.

Check above 

MHM


I fixed it. The issue might be in multiple VLAN interfaces on the switch and some asymmetrical routing. I removed VLANs 120 and 90 and left only the 172.20.11.134 VLAN. Now it works immediately.

thanks

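The accepted solution above and BB's earlier suggestion to move from ip default-gateway to ip routing both point at the same mechanism: a switch with several SVIs answers a client in a directly connected subnet straight out of that SVI, even when the request arrived through the default gateway on the MGMT SVI, so the two directions of one management session take different paths. The following Python script is an added example that models that forwarding decision; it is not code from the thread or from Cisco, and it uses only the addresses posted in the thread (the client 172.20.120.40 and 192.0.2.7 are constructed sample inputs). It does not touch the network; it just predicts, for a given set of SVIs and gateway, which interface the reply leaves on and flags the asymmetric case. ICMP echo survives an asymmetric path, but any stateful device between the subnets that sees only one direction of a TCP flow will drop it, which is how "ping works, SSH and telnet do not" can arise.

```python
import ipaddress

# Constructed from the addressing posted in the thread: a 3560 in L2 mode
# (no ip routing), three SVIs, and an ip default-gateway on the MGMT VLAN.
SVIS_BEFORE = {
    "Vlan81": "172.20.11.134/26",
    "Vlan90": "10.120.1.11/24",
    "Vlan120": "172.20.120.4/24",
}
# The configuration that ended up working: only the MGMT SVI left.
SVIS_AFTER = {"Vlan81": "172.20.11.134/26"}
DEFAULT_GATEWAY = "172.20.11.129"


def egress_for(dst, svis, default_gateway):
    """Return (svi_name, next_hop) the switch uses to send a packet to dst.

    Model: a directly connected subnet (one of the SVIs) always wins over
    ip default-gateway, longest prefix first; the gateway is only used for
    destinations that match no SVI, and the gateway itself must sit on one
    of the SVI subnets.  Returns (None, None) if dst is unreachable.
    """
    dst_ip = ipaddress.ip_address(dst)
    gw_ip = ipaddress.ip_address(default_gateway)
    best = None
    for name, cidr in svis.items():
        net = ipaddress.ip_interface(cidr).network
        if dst_ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    if best is not None:
        return best[0], str(dst_ip)        # connected: ARP for the host directly
    for name, cidr in svis.items():
        if gw_ip in ipaddress.ip_interface(cidr).network:
            return name, str(gw_ip)        # hand off to the default gateway
    return None, None


def ingress_for(target, svis):
    """Name of the SVI that owns the management address a client connects to."""
    target_ip = ipaddress.ip_address(target)
    for name, cidr in svis.items():
        if ipaddress.ip_interface(cidr).ip == target_ip:
            return name
    return None


def check_session(client, target, svis, default_gateway):
    """Classify the request/reply path of a management session.

    The request arrives on the SVI that owns `target`; the reply goes wherever
    egress_for() sends traffic for `client`.  Returns one of
    'symmetric', 'asymmetric', 'unreachable'.
    """
    in_svi = ingress_for(target, svis)
    out_svi, _ = egress_for(client, svis, default_gateway)
    if in_svi is None or out_svi is None:
        return "unreachable"
    return "symmetric" if in_svi == out_svi else "asymmetric"


if __name__ == "__main__":
    target = "172.20.11.134"   # the MGMT address the clients SSH to
    # Constructed clients: same subnet, the posting PC, a phone VLAN host, a remote host.
    for label, svis in (("before", SVIS_BEFORE), ("after", SVIS_AFTER)):
        for client in ("172.20.11.140", "172.20.120.40", "10.120.1.50", "192.0.2.7"):
            out_svi, nh = egress_for(client, svis, DEFAULT_GATEWAY)
            verdict = check_session(client, target, svis, DEFAULT_GATEWAY)
            print(f"{label:6} client {client:15} reply via {out_svi} -> {nh}: {verdict}")
```

Run as-is and the "before" rows show the reply to 172.20.120.40 leaving on Vlan120 while the request came in on Vlan81; the "after" rows route every off-subnet reply back through 172.20.11.129 on Vlan81. The same check applies to any L2-mode switch with more than one SVI: either keep a single management SVI, or enable ip routing so the reply path is chosen by a proper routing table rather than by connected-subnet matching plus a default gateway.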

26 Replies

Is there no IP on any VLAN?

MHM

There is an IP, of course.

Vlan81 172.20.11.134/26
Vlan90 10.120.1.11/24
Vlan120 172.20.120.4/24

Did you generate an RSA key for SSH?

You need a domain name and to generate a key.

https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html

MHM

As you mentioned, it is a Layer 2 switch and you have configured a default gateway.

From what IP address are you trying to SSH to the device?

Can you post the output below:

show ip interface brief

show ssh

show ip ssh

On the other hand, you also have telnet enabled; from the PC, are you able to telnet to the switch?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Filip Knezevic
Level 1

Yes, I have all that. Also, note that even telnet doesn't work.

Also note that SSH is working from other switches to this SAME switch.

no aaa new-model
clock timezone GMT -5
clock summer-time EDT recurring
system mtu routing 1500
vtp domain ARO2
vtp mode transparent
ip domain-name ARO
!

No aaa new-model.

And there is no password and no login local or login under vty.

Sure, that makes vty stop working.

MHM

You are not answering what was asked in the previous post.

From what IP address are you trying to SSH to the device?

"Also note that SSH is working from other switches to this SAME switch." Does this work because it is in the same subnet?

So if the device has an IP address and multiple VLAN interfaces in it, move from default gateway to ip routing (enable routing and a static route: ip route x.x.x.x y.y.y.y).

That should fix the issue, at a high level.

BB

BB, sorry mate, I will answer everything. Thanks for taking an interest in my post.

I tried everything you suggested already.

I'm trying to SSH from a PC on 172.20.120.40. That same PC CAN PING the switch. So the default gateway/ip route is good.

I tried to do it with ip routing and ip route, and without ip routing with ip default-gateway; same issue.

What you saw in the vty config was because of aaa new-model. When you turn that on, login local is gone.

Again, I tried both with aaa new model and with login local.

Now I disabled aaa new model and it's just login local.

ARO-MTL-4#sh run | b vty
line vty 0 4
logging synchronous
login local
length 0
transport input telnet ssh
line vty 5 15
login local
transport input telnet ssh
!
ntp clock-period 36029541
ntp server 172.20.200.110
ntp server 172.20.200.121
end

Login local is best if you don't need to control commands and exec.

Go with login local.

MHM

Yeah, I did. Still the same. I was trying aaa new-model because I didn't know what else to try lol

Don't worry friend

It happened a lot

Good luck

Have a nice weekend

MHM

When you use aaa new-model, all vty lines use "login authentication default".

But you didn't configure an "aaa auth login" command.

That's why the access failed and login local disappeared.

So when you enable aaa new-model, you need to use the "aaa auth login default local" command.

And I prefer login local over using aaa.

MHM

I also only use login local and aaa only for radius implementations.

I don't think this issue is related to that, however. I think the switch config is correct and that's why I'm confused by the issue.

So is this resolved, or are you still having the issue?

You mentioned coming from PC 172.20.120.40, and Vlan120 is 172.20.120.4/24.

It is a bit confusing here: you mentioned that from other switches you are able to log in. Is this true?

BB
