SSH terminated connection on log

mamadou.barry
Level 1

Hello

I've just migrated my core switch from a Cisco 3560 to a Cisco WS-C3850-48T-L (IOS-XE Software, (CAT3K_CAA-UNIVERSALK9-M), Version 03.06.06E).

I observe in my switch's logs, every hour, a terminated SSH connection from the public IP address (outside interface) of my firewall (Huawei USG5530):

Aug 23 08:31:11: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 213.xxx.xxx.xxx
Aug 23 08:31:32: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 213.xxx.xxx.xxx
Aug 23 08:31:33: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 213.xxx.xxx.xxx
Aug 23 08:31:34: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 213.xxx.xxx.xxx
Aug 23 08:31:35: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 213.xxx.xxx.xxx

This message did not appear on the old 3560 ((C3560-IPSERVICESK9-M), Version 12.2(55)SE10) that it replaced.

I have tried to recreate the crypto RSA key but the issue remains.

Thank you for any help.
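As an added example (not from the original post or from Cisco), here is a small Python parser for %SSH-4-SSH2_UNEXPECTED_MSG lines like the ones above. It groups terminations by source address and flags sources that recur at the same minute every hour, which is the pattern of a scheduled poller (such as a config-backup job) rather than opportunistic probing. The log sample and addresses are constructed; the scheduling heuristic and its thresholds are this example's own assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the log excerpt in the post (addresses are
# RFC 5737 documentation ranges, not the poster's masked 213.x address).
SAMPLE_LOG = """\
Aug 23 07:31:10: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 203.0.113.10
Aug 23 08:31:11: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 203.0.113.10
Aug 23 08:31:32: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 203.0.113.10
Aug 23 08:31:33: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 203.0.113.10
Aug 23 09:31:12: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 203.0.113.10
Aug 23 09:40:01: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 198.51.100.7
Aug 23 09:40:02: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"%SSH-4-SSH2_UNEXPECTED_MSG: .*Terminating the connection from (?P<src>\S+)$"
)

def parse_events(log_text):
    """Return a list of (datetime, source_ip) for every SSH2_UNEXPECTED_MSG line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other facilities/mnemonics are ignored
        # IOS syslog omits the year by default; year 1900 is fine for intra-day gaps
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("src")))
    return events

def summarize(log_text, min_hours=3, minute_tolerance=2):
    """Group terminations by source and flag sources that recur at (about) the
    same minute in at least `min_hours` distinct hours: a scheduled job profile."""
    by_src = defaultdict(list)
    for ts, src in parse_events(log_text):
        by_src[src].append(ts)
    report = {}
    for src, stamps in sorted(by_src.items()):
        stamps.sort()
        first_in_hour = {}
        for ts in stamps:  # minute of the first hit in each (day, hour) bucket
            first_in_hour.setdefault((ts.day, ts.hour), ts.minute)
        minutes = list(first_in_hour.values())
        scheduled = len(minutes) >= min_hours and max(minutes) - min(minutes) <= minute_tolerance
        report[src] = {"count": len(stamps), "hours_seen": len(minutes), "looks_scheduled": scheduled}
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

A source that "looks_scheduled" is worth matching against the firewall's NAT rules and session table before treating it as an attacker, as the accepted answer in this thread suggests.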

Accepted Solution

halldentong
Level 1

1. Check any public IP NAT mapping to the switch address.

2. Check the USG firewall session table with "display firewall session table verbose destination inside <IP address>" to see whether anyone is SSHing into your network.


Mark Malone
VIP Alumni

Hi, do you know that address? If not, maybe it's an automated attack, someone trying to brute-force their way in, if it's internet facing?

This will slow them down (below); change the X to your vty access-list:

login block-for 500 attempts 10 within 60
login quiet-mode access-class x

Yes, I know this address; it's my firewall's outside interface.

Even if I create an access list denying all SSH except from my LAN, I receive this message.

Thank you Mark

I found the source of my problem: a Rancid server in the datacenter network connects to the devices to back up configs, but a NAT rule had been created from that network to the LAN using a public IP address (which makes no sense, a big mistake).

I disabled the NAT rule to see the real IP address connecting to the switches.

I have just taken over the management of the network infrastructure, so there are a lot of things to understand and some others to fix.

So thank you so much for your help


Mamadou


Have you tried zeroing the crypto and then regenerating the keys? Try rebooting the switch too, before, if possible.

crypto key zeroize rsa .....

This will wipe any trace of keys from the device, in case it's stuck when you're regenerating and is somehow seeing the old keys.

Has nothing changed on the client side initiating this? The wrong SSH type can also cause this alert from the client as it's coming in.

I can't reboot the switch right now, but I can plan it.

Nothing known has changed on the firewall.

I'll try zeroing the crypto and regenerating a new crypto key.

Thanks, will let you know.

You have probably done this, but just in case:

Make sure your side is set to SSH v2 and the crypto keys are 1024 minimum too; if they already are, ignore this. I just can't see your SSH config, and if the versions are mismatched between client and router you get that alert too.

rodrigoalvesm11
Level 1

I had the same issue; fixed it by adding the following:


mxaraxr01(config-line)#ip ssh rsa keypair-name SSH

mxaraxr01(config)#cry key generate rsa modulus 2048 label SSH


On the client side, removed the known_hosts file:


[ncmuser@atrl12746ds11 ~]$ cd /home/ncmuser/.ssh/
[ncmuser@atrl12746ds11 .ssh]$ rm known_hosts
