SSH Problem

aliahmadi1177
Level 1

Hello

We recently bought a refurbished 3750G-24TS-S switch and ran into trouble setting up SSH on it. The problem arises when the configuration is finished. Everything works properly and, before exiting Express Setup, I connected to the switch using SSH and logged in successfully with the password I had entered in the configuration. After adding the following few lines to the configuration, I lost the local connection and only had SSH access from VLAN 99 over port 24:

sw-1(config)#int gi 1/0/24
sw-1(config-if)#switchport mode access
sw-1(config-if)#switchport access vlan 99

 

So I connected to the address 192.168.1.139 with PuTTY, logged in by entering the username and password, entered the "wr" or "copy running-config startup-config" command and closed the PuTTY SSH session. But unfortunately, the next time I wanted to connect with PuTTY over SSH, it showed me an "Access Denied" message after I entered the username and password. However, I can ping it (CMD) and even reach the switch with PuTTY, but it looks like my switch has Alzheimer's when it comes to the username and password.

 

* The PC is connected to the switch with a CAT6 cable.

* The PC is connected to port 24 and its IP has been defined statically: 192.168.1.114/24, gateway 192.168.1.139

* A TP-Link home router/modem is connected to the switch (192.168.1.1/24).

* The CMD ping and the PuTTY "Access Denied" screenshots are attached to this post.

 

I will put the "show run" output from before and after the config, and the configuration commands I entered:

 

run before config:

Current configuration : 1734 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip subnet-zero
!
ip dhcp pool 10.0.0.0
network 10.0.0.0 255.255.255.0
lease 0 0 10
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 10.0.0.1 255.255.255.0 secondary
ip address 10.0.0.3 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
!
control-plane
!
!
line con 0
line vty 0 4
privilege level 15
no login
line vty 5 15
privilege level 15
no login
!
end

 

Configuration commands :

> conf t
switch(config)# hostname sw-1
sw-1(config)# ip domain-name test.com
sw-1(config)# crypto key generate rsa
2048
sw-1(config)# username test privilege 15 secret 1234
sw-1(config)# line vty 0 15
sw-1(config-line)# login local
sw-1(config-line)# transport input ssh

sw-1(config)# access-list 1 permit 192.168.1.0 0.0.0.255
sw-1(config)# line vty 0 15
sw-1(config-line)# access-class 1 in

sw-1(config)#ip ssh version 2

sw-1(config)#vlan 99
sw-1(config-vlan)#name MGT
sw-1(config)#int vlan 99
sw-1(config-if)#ip address 192.168.1.139 255.255.255.0
sw-1(config-if)#no shut

------ the "run after config" output was captured before entering the following 3 lines, because the switch gets cut off after them -------
sw-1(config)#int gi 1/0/24
sw-1(config-if)#switchport mode access
sw-1(config-if)#switchport access vlan 99

 

run after config:

Current configuration : 2026 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sw-1
!
boot-start-marker
boot-end-marker
!
!
username test privilege 15 secret 5 $1$MPpr$p2Wx3zamweRVpBK6aaNHz/
no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip subnet-zero
ip domain-name test.com
!
ip dhcp pool 10.0.0.0
network 10.0.0.0 255.255.255.0
lease 0 0 10
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree portfast default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 10.0.0.1 255.255.255.0 secondary
ip address 10.0.0.3 255.255.255.0
!
interface Vlan99
ip address 192.168.1.139 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
!
line con 0
line vty 0 4
access-class 1 in
privilege level 15
login local
transport input ssh
line vty 5 15
access-class 1 in
privilege level 15
login local
transport input ssh
!
end

15 Replies

Wassim Aouadi
Level 4

In the show run you posted, I do not see that interface g1/0/24 is configured with VLAN 99. It should look like this if it was correctly configured:

interface GigabitEthernet1/0/24
switchport access vlan 99

Can you check its configuration again?

Regards,
Wassim

Forum Tips: 1. Paste images inline - don't attach. 2. If you find a post helpful, please give it a thumbs up or mark it as a correct solution.

Yes, I mentioned that at the bottom of the "Configuration commands" part.

I did set the VLAN and the access-list / access-class on port 24, but after moving port 24 to VLAN 99 the switch was cut off and I forgot to save the run.

balaji.bandi
Hall of Fame

Start with the basic config of the switch and the SSH config before adding ACLs and other stuff.

 

Make sure your password is good and known.

 

 

https://networklessons.com/cisco/ccna-200-301/configure-ssh-cisco-ios

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

It's been about 3 days that I'm stuck with this. So I searched for it and found 2 or 3 solutions, but they were useless and nothing happened.

The solutions were like this:

1- ACL definition

2- Use password instead of secret

3- ...

I mean, with and without the ACL and other stuff the config is done, but there was no success.

What does the configuration look like after you have done the basic changes?

Can you post the complete config along with the output below?

show interface status | in up

show ip interface brief

What is your IP address when you try to connect to the device? (192.168.1.114? If it is this IP, which port is it connected to?)

show ip route

 

BB


Hello

When you have added multiple SVIs on the switch, it will need to route between those SVI interfaces; as such, you need to enable ip routing.

conf t

ip routing

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

The suggestion by Paul to enable ip routing is an interesting one. And he is correct that if you want anything in vlan 1 to access anything in vlan 99 or anything in vlan 99 to access anything in vlan 1 then you do need to enable ip routing.

 

If you are not able to SSH to the switch, are you able to access it via the console? If so, please post the output of these commands:

show ip interface brief

show interface status

show vlan

HTH

Rick

IP routing is now enabled.

Yes, I have a console connection. Here is the info (ip int brief, int status, vlan, run):

* Photos are also included (attached) due to possible errors in copying the text.

 

 

show ip interface brief:

Interface              IP-Address      OK? Method Status Protocol
Vlan1                  unassigned      YES other  up     up
Vlan99                 192.168.1.139   YES manual up     up
GigabitEthernet1/0/1   unassigned      YES unset  up     up
GigabitEthernet1/0/2   unassigned      YES unset  down   down
GigabitEthernet1/0/3   unassigned      YES unset  down   down
GigabitEthernet1/0/4   unassigned      YES unset  down   down
GigabitEthernet1/0/5   unassigned      YES unset  down   down
GigabitEthernet1/0/6   unassigned      YES unset  down   down
GigabitEthernet1/0/7   unassigned      YES unset  down   down
GigabitEthernet1/0/8   unassigned      YES unset  down   down
GigabitEthernet1/0/9   unassigned      YES unset  down   down
GigabitEthernet1/0/10  unassigned      YES unset  down   down
GigabitEthernet1/0/11  unassigned      YES unset  down   down
GigabitEthernet1/0/12  unassigned      YES unset  down   down
GigabitEthernet1/0/13  unassigned      YES unset  down   down
GigabitEthernet1/0/14  unassigned      YES unset  down   down
GigabitEthernet1/0/15  unassigned      YES unset  down   down
GigabitEthernet1/0/16  unassigned      YES unset  down   down
GigabitEthernet1/0/17  unassigned      YES unset  down   down
GigabitEthernet1/0/18  unassigned      YES unset  down   down
GigabitEthernet1/0/19  unassigned      YES unset  down   down
GigabitEthernet1/0/20  unassigned      YES unset  down   down
GigabitEthernet1/0/21  unassigned      YES unset  down   down
GigabitEthernet1/0/22  unassigned      YES unset  down   down
GigabitEthernet1/0/23  unassigned      YES unset  down   down
GigabitEthernet1/0/24  unassigned      YES unset  up     up
GigabitEthernet1/0/25  unassigned      YES unset  down   down
GigabitEthernet1/0/26  unassigned      YES unset  down   down
GigabitEthernet1/0/27  unassigned      YES unset  down   down
GigabitEthernet1/0/28  unassigned      YES unset  down   down

 

 

 

show interface status:

Port      Name  Status      Vlan  Duplex  Speed   Type
Gi1/0/1         connected   1     a-full  a-1000  10/100/1000BaseTX
Gi1/0/2         notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/3         notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/4         notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/5         notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/6         notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/7         notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/8         notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/9         notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/10        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/11        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/12        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/13        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/14        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/15        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/16        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/17        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/18        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/19        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/20        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/21        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/22        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/23        notconnect  1     auto    auto    10/100/1000BaseTX
Gi1/0/24        connected   99    a-full  a-1000  10/100/1000BaseTX
Gi1/0/25        notconnect  1     auto    auto    Not Present
Gi1/0/26        notconnect  1     auto    auto    Not Present
Gi1/0/27        notconnect  1     auto    auto    Not Present
Gi1/0/28        notconnect  1     auto    auto    Not Present

 

 

 

show vlan:

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/22, Gi1/0/23, Gi1/0/25
                                                Gi1/0/26, Gi1/0/27, Gi1/0/28
99   MGT                              active    Gi1/0/24
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
99   enet  100099     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

 

 

 

Run:

Current configuration : 1868 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sw-1
!
boot-start-marker
boot-end-marker
!
!
username test privilege 15 secret 5 $1$OvpK$Bnl0ycnDVcjE6QKTmCJr4/
no aaa new-model
switch 1 provision ws-c3750g-24ts-1u
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name test.com
!
!
!
!
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
switchport access vlan 99
switchport mode access
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
no ip address
!
interface Vlan99
ip address 192.168.1.139 255.255.255.0
!
ip classless
ip http server
ip http secure-server
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
!
line con 0
line vty 0 4
access-class 1 in
login
transport input ssh
line vty 5 15
access-class 1 in
login
transport input ssh
!
end

I suspect the IOS. Can you post show version? (Since you have 12.2 it is old; I need to check which version you are running.)

Post the output below:

show version

show ip ssh

Try the configuration below. Before trying SSH, try Telnet and confirm whether that works. Also try shutting down the Vlan 1 interface (as per the output it does not show any IP address?).

I suggest trying a simple configuration:

 

ip domain-name test.com
crypto key generate rsa
username test password cisco 123
!
line vty 0 15
transport input ssh
login local
!
interface Vlan99
ip address 192.168.1.139 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 TPLINK Router Address


Your device should be 192.168.1.114 with mask 255.255.255.0 and gateway 192.168.1.139.

 

BB


Thank you for the outputs that you posted. They do show that 1/0/24 is connected in vlan 99 and that vlan 99 is active and the layer 3 interface is up/up. So I believe that we can eliminate basic IP connectivity as a possible source of the problem.

 

I do agree that the output of show ip ssh might be helpful.

 

The configuration is clear that the vty are configured with transport input ssh. So it would be pretty amazing if telnet were to work.

 

I have been thinking about some possible causes of the problem. You have configured the switch to use version 2 of SSH and to refuse attempts to use version 1. Is it possible that your PuTTY is attempting to connect using version 1? Are there settings in your PuTTY that can specify that it is to use only version 2 for SSH? One way to investigate this would be to use console access to update the configuration and to remove the ip ssh version 2. After you remove that command the switch should accept both version 1 and 2. So test SSH access and let us know the result.

 

Another possible cause of the problem might be the access-class on the vty. What we see in the config looks correct. But I wonder if there is some issue with it. I would suggest that you use console access and remove access-class from the vty lines. After removing access-class test SSH access and let us know the result.

 

If you try both of these and still have the problem I suggest doing this:

- be sure that logging buffered and logging console are enabled at level 7 (debugging)

- using console access enable debug for ip ssh

- test SSH access 

- using the console output or the output of show logging post any debug output

- after testing turn off debug for ip ssh

HTH

Rick

I checked my PuTTY; it was set to SSH version 2. I will attach images of the PuTTY settings to this reply.

Then I changed "ip ssh version 2" to "no ip ssh version".

But nothing changed.

After that I deleted the access-list and access-class. It didn't work.

 

Thanks to you (@richard burts) and @balaji.bandi, finally the answer is found!

show version:

Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(44)SE6, RELE

 

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE6, RELEASE SOFTWARE

show ip ssh (after the "no ip ssh version" command):

SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3

 

I configured Telnet and had no problem connecting. It worked fine!

Then I shut VLAN 1 down. It didn't change the SSH connection failure.

After that I deleted the access-list / access-class and again nothing happened.

But the good news is that I found the answer.

I will explain it at the end of this post; thanks to setting up Telnet I found the missing part.

Glad our suggestions were very helpful and you were able to resolve it now.

BB


aliahmadi1177
Level 1

I don't know how or why this happened, but when I double-checked the running-config from before and after the configuration, I realized that "login local" changes to "login" (line vty 0 15) right after I enter the "wr" command. Because of that, after the very first SSH session with PuTTY (after moving port 24 to VLAN 99), I'm not able to start an SSH session with the switch, and because "login local" changed to "login", my username and password are no longer usable.

* If you take a look at where I posted the run, or "running-config", in reply to Richard Burts, you can see the "login" in the line vty part.

 

Solution (if you went through the "Express Setup" part with a LAN connection to the switch and telnet to "10.0.0.1"):

When the first SSH session after "switchport access vlan 99" is established and you have entered the "wr" command, check the running-config, and if you see "login" in the "line vty 0 4" and "line vty 5 15" parts, enter the following commands:

> enable
sw-1# conf t
sw-1(config)# line vty 0 15
sw-1(config-line)# login local

Hope this saves someone's time. It kept me occupied for four days.

 

Thanks to @Richard Burts and @balaji.bandi who helped me to solve this problem.
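The failure in this thread comes down to one line-configuration difference: the vty lines ended up with plain "login" (which expects a line password that was never set) instead of "login local" (which uses the "username ... secret" entry), so every SSH login was refused while ping, the TCP connection and the SSH banner still worked. The script below is an editor's added example, not code from the thread or from Cisco. It parses an IOS running-config without relying on indentation (forum pastes lose it, as the ones above did) and reports that mismatch together with the other management-plane weaknesses visible in the configs posted here: the Express Setup "no login" default, "ip http server" left enabled, "transport input" not restricted to SSH, a missing access-class, and, for the simple configuration suggested by balaji.bandi, a username stored with "password" instead of "secret". The three sample configs are constructed, condensed from the ones posted above; the finding codes and the Section/Finding classes are this example's own naming.

```python
"""Audit a Cisco IOS running-config for the vty / SSH problems in this thread.
Parsing ignores indentation, since pasted configs (like the ones above) lose it."""
import re
from dataclasses import dataclass, field


@dataclass
class Section:
    header: str                              # 'line vty 0 4', 'interface Vlan99', ...
    body: list = field(default_factory=list)


@dataclass
class Finding:
    scope: str    # 'global' or the section header the finding belongs to
    code: str     # stable identifier, convenient to grep or assert on
    detail: str   # what it means and what to change


def parse_sections(config):
    """Split a config into top-level statements and line/interface sections;
    a section ends at '!', 'end' or the next header, so whitespace is irrelevant."""
    top, sections, current = [], [], None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == 'end':
            continue
        if text == '!':
            current = None
        elif re.match(r'^(line|interface)\s', text):
            current = Section(text)
            sections.append(current)
        elif current is not None:
            current.body.append(text)
        else:
            top.append(text)
    return top, sections


def audit(config):
    """Return a list of Finding objects for one running-config."""
    top, sections = parse_sections(config)
    out = []
    usernames = [t for t in top if t.startswith('username ')]
    if 'ip ssh version 2' not in top:
        out.append(Finding('global', 'SSHV1_ALLOWED', 'SSHv1 can be negotiated; add "ip ssh version 2"'))
    if 'ip http server' in top:
        out.append(Finding('global', 'HTTP_ENABLED', 'cleartext HTTP management; add "no ip http server"'))
    for u in usernames:
        name = u.split()[1]
        if ' secret ' not in u:
            out.append(Finding('global', 'USER_PASSWORD_NOT_SECRET',
                               f'{name}: "password" is reversible or plaintext; use "secret"'))
        elif ' secret 5 ' in u:
            out.append(Finding('global', 'USER_SECRET_TYPE5',
                               f'{name}: MD5 (type 5) hash; prefer type 8/9 where the IOS supports it'))
    # Under aaa new-model a vty without an explicit login line uses the default method list.
    default_auth = 'login authentication default' if 'aaa new-model' in top else 'login'
    for s in sections:
        if not s.header.startswith('line vty'):
            continue
        b = s.body
        auth = next((x for x in b if x in ('login', 'login local', 'no login')
                     or x.startswith('login authentication')), default_auth)
        if auth == 'no login':
            out.append(Finding(s.header, 'VTY_NO_LOGIN', 'sessions are accepted with no authentication at all'))
        elif auth == 'login':
            if not any(x.startswith('password ') for x in b):
                out.append(Finding(s.header, 'VTY_LOGIN_NO_PASSWORD',
                                   '"login" expects a line password and none is set, so every session is refused'))
            if usernames:
                out.append(Finding(s.header, 'VTY_LOCAL_USERS_UNUSED',
                                   'usernames are configured but this line uses "login", not "login local"'))
        elif auth == 'login local' and not usernames:
            out.append(Finding(s.header, 'VTY_LOGIN_LOCAL_NO_USER',
                               '"login local" with no username configured locks you out remotely'))
        transport = next((x for x in b if x.startswith('transport input')), None)
        if transport != 'transport input ssh':
            out.append(Finding(s.header, 'VTY_TRANSPORT_NOT_SSH',
                               f'transport is "{transport or "default"}"; set "transport input ssh"'))
        if not any(x.startswith('access-class ') for x in b):
            out.append(Finding(s.header, 'VTY_NO_ACCESS_CLASS',
                               'no access-class: any host that reaches the SVI may attempt a login'))
    return out


# Constructed samples, condensed from the configs posted in this thread.
HEAD = ("version 12.2\nno service password-encryption\nhostname sw-1\n"
        "username test privilege 15 secret 5 $1$OvpK$Bnl0ycnDVcjE6QKTmCJr4/\n"
        "no aaa new-model\nip domain-name test.com\nip ssh version 2\n!\n"
        "interface Vlan99\n ip address 192.168.1.139 255.255.255.0\n!\n"
        "ip http server\naccess-list 1 permit 192.168.1.0 0.0.0.255\n!\nline con 0\n")
# Express Setup defaults from the first "show run" above: no authentication at all.
EXPRESS_VTY = HEAD + "line vty 0 4\n privilege level 15\n no login\nline vty 5 15\n privilege level 15\n no login\nend\n"
# The state that produced "Access denied": "login" with no line password set.
BROKEN_VTY = HEAD + "line vty 0 4\n access-class 1 in\n login\n transport input ssh\nline vty 5 15\n access-class 1 in\n login\n transport input ssh\nend\n"
# The accepted fix: "login local" on both vty ranges.
FIXED_VTY = BROKEN_VTY.replace("\n login\n", "\n login local\n")

if __name__ == '__main__':
    for f in audit(BROKEN_VTY):
        print(f'[{f.code}] {f.scope}: {f.detail}')
```

Feed it the text of "show running-config" saved from the console; a vty section with no findings is what the accepted solution's "login local" produces. The script also flags the inverse mistake, "login local" with no username configured, because that locks out remote access just as completely, and it keeps reporting "ip http server" and the type-5 secret even on the fixed config, since those remain after the SSH problem is solved.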