08-23-2017 03:29 AM - edited 03-08-2019 11:48 AM
Hello
I've just migrated my core switch from a Cisco 3560 to a Cisco WS-C3850-48T-L (IOS-XE Software, (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.06E).
I observe in my switch's logs, every hour, a terminated SSH connection from the public IP address (outside interface) of my firewall (Huawei USG5530):
Aug 23 08:31:11: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 213.xxx.xxx.xxx
Aug 23 08:31:32: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 213.xxx.xxx.xxx
Aug 23 08:31:33: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 213.xxx.xxx.xxx
Aug 23 08:31:34: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 213.xxx.xxx.xxx
Aug 23 08:31:35: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 213.xxx.xxx.xxx
This message did not appear on the old 3560 ((C3560-IPSERVICESK9-M), Version 12.2(55)SE10) that was replaced.
I have tried to recreate the crypto RSA key, but the issue remains.
Thank you for any help
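An added example, not part of the thread and not a Cisco or Huawei tool: a small Python script that reads IOS syslog lines of the kind quoted above, groups the %SSH-4-SSH2_UNEXPECTED_MSG terminations by source address, collapses the retries that land within seconds of each other into one "burst", and checks whether the bursts recur at a fixed interval. A source that comes back every 3600 s, as in this thread, points at a scheduled client (the config-backup job found later in the thread) rather than ad-hoc activity. The sample lines, the timestamps and both addresses (203.0.113.7 stands in for the masked 213.xxx.xxx.xxx firewall address) are constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the syslog output quoted in the thread.
# 203.0.113.7 stands in for the masked 213.xxx.xxx.xxx firewall address and
# 198.51.100.9 is a second, unrelated constructed source; both are RFC 5737
# documentation addresses, not real hosts. The %SYS-5-CONFIG_I line is there
# to show that unrelated messages are ignored.
SAMPLE_LOG = """\
Aug 23 07:31:11: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 203.0.113.7
Aug 23 07:31:12: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 203.0.113.7
Aug 23 08:31:11: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 203.0.113.7
Aug 23 08:31:32: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 203.0.113.7
Aug 23 08:31:33: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 203.0.113.7
Aug 23 08:40:02: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.20)
Aug 23 09:31:11: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 203.0.113.7
Aug 23 12:05:01: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 198.51.100.9
"""

# Matches the IOS "Mon DD HH:MM:SS" timestamp prefix and the source address at
# the end of the %SSH-4-SSH2_UNEXPECTED_MSG message; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%SSH-4-SSH2_UNEXPECTED_MSG: .* from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_events(log_text):
    """Return (timestamp, source_ip) pairs for every terminated-SSH line, in time order.
    The year is absent from the log, so timestamps default to 1900; only the
    differences between them matter here."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("src")))
    events.sort(key=lambda e: e[0])
    return events


def burst_starts(times, window_s=60):
    """Collapse events that follow the previous one within `window_s` seconds
    into a single burst (the switch logs several retried connections within
    seconds, as the thread shows) and return the start time of each burst."""
    starts = []
    last = None
    for t in times:
        if last is None or (t - last).total_seconds() > window_s:
            starts.append(t)
        last = t
    return starts


def period_seconds(starts, tolerance_s=120):
    """Return the median gap between burst starts when every gap lies within
    `tolerance_s` of that median, i.e. the bursts recur on a fixed schedule.
    Fewer than three bursts is not enough evidence, so None is returned."""
    if len(starts) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    median = statistics.median(gaps)
    return median if all(abs(g - median) <= tolerance_s for g in gaps) else None


def analyse(log_text):
    """Per source address: event count, burst count, detected period and a verdict."""
    by_src = defaultdict(list)
    for ts, src in parse_events(log_text):
        by_src[src].append(ts)
    report = {}
    for src, times in by_src.items():
        starts = burst_starts(times)
        period = period_seconds(starts)
        if period is None:
            verdict = "no regular cadence seen; inspect the firewall session table"
        else:
            verdict = (f"recurs every {period:.0f} s: consistent with a scheduled "
                       f"client such as a config-backup job")
        report[src] = {"events": len(times), "bursts": len(starts),
                       "period_s": period, "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG).items():
        print(f"{src}: {info['events']} events in {info['bursts']} bursts; {info['verdict']}")
```

The script only sees the source address as the switch sees it; when a NAT rule rewrites the client's address, as it did in this thread, the cadence tells you what kind of client it is, and the firewall's session table (the accepted answer's second step) tells you which host it really is.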
08-23-2017 04:00 AM
1. Check for any public IP NAT mapping to the switch address.
2. Check the USG firewall session table with "display firewall session table verbose destination inside <IP address>" to see who is SSHing into your network.
08-23-2017 03:58 AM
Hi, do you know that address? If not, maybe it's an automated attack, someone trying to brute-force their way in, if it's internet-facing?
This will slow them down (below); change the X to your vty access-list:
login block-for 500 attempts 10 within 60
login quiet-mode access-class x
08-23-2017 04:07 AM
Yes I know this address, it's my firewall outside interface.
Even if I create an access list denying all SSH except from my LAN, I receive this message.
08-25-2017 03:16 AM
Thank you Mark
I found the source of my problem: a Rancid server in the datacenter network connects to the devices to back up their configs, but a NAT rule had been created from that network to the LAN using a public IP address (which makes no sense, a big mistake).
I disabled the NAT rule so that the real IP address connecting to the switches is visible.
I have just taken over the management of the network infrastructure, so there are a lot of things to understand and some others to fix.
So thank you so much for your help.
Mamadou
08-23-2017 04:38 AM
Have you tried zeroizing the crypto keys and then regenerating them? Try rebooting the switch first too, if possible:
crypto key zeroize rsa .....
This will wipe any trace of keys from the device, in case it's stuck when you're regenerating and is somehow still seeing the old keys.
Has nothing changed on the client side initiating this? The wrong SSH type can also cause this alert from the client as it's coming in.
08-23-2017 05:18 AM
I can't reboot the switch right now, but I can plan it.
Nothing known has changed on the firewall.
I'll try zeroizing the crypto keys and generating new ones.
Thanks, will let you know.
08-23-2017 05:28 AM
You have probably done this, but just in case:
make sure your side is set to SSH v2 and the crypto keys are 1024 bits minimum too. If they already are, ignore this; I just can't see your SSH config, and if the versions are mismatched between client and router you get that alert too.
11-28-2018 04:58 AM
I had the same issue; fixed it by adding the following:
mxaraxr01(config-line)#ip ssh rsa keypair-name SSH
mxaraxr01(config)#cry key generate rsa modulus 2048 label SSH
On the client side, removed the known_hosts file:
[ncmuser@atrl12746ds11 ~]$ cd /home/ncmuser/.ssh/
[ncmuser@atrl12746ds11 .ssh]$ rm known_hosts