sudden SSH connection refused to cisco 7206vxr

Athiqur Rahman

I have had my 7206vxr running fine for about 5 years now.

Just today I have noticed that I am no longer able to SSH to the machine. 

I am getting the following error every once in a while from the Cisco:

Oct 23 10:06:23 172.16.0.1 12483: Oct 23 10:06:22: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
Oct 23 10:07:37 172.16.0.1 12484: Oct 23 10:07:36: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection
Oct 23 10:07:50 172.16.0.1 12485: Oct 23 10:07:49: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection

This message does not appear on every single failed attempt, but it does appear in the logs. The timing of the messages seems random; I cannot make sense of it. I do not have telnet enabled, so I cannot test that method.

Any advice will be appreciated.

I am thinking I may have to go down to the data centre and connect via the console and reset all configuration for SSH.

 

Thanks,


Athiqur Rahman

Ok, I just managed to log in.

I turned on terminal monitor and tried to open a duplicate session which failed, but there was no debug output on the terminal.

More details on my router are below:

 

Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(24)T2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 19-Oct-09 22:53 by prod_rel_team

ROM: System Bootstrap, Version 12.3(4r)T1, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, 7200 Software (C7200-KBOOT-M), Version 12.4(4)XD9, RELEASE SOFTWARE (fc1)

7206vxr.rb uptime is 4 years, 26 weeks, 4 days, 22 hours, 13 minutes
System returned to ROM by power-on
System restarted at 11:59:29 GMT Tue Apr 20 2010
System image file is "disk2:c7200-adventerprisek9-mz.124-24.T2.bin"

Check to see if the router has any vty sessions that have not released for some reason, using the show line and show user commands, and clear any unused vty sessions. Cisco has had issues in the past where it would not release the session even if you have the exec-timeout command configured.

Thanks for the advice Glen.

I have been trying to SSH to the Cisco for the last few hours. Still haven't got in yet.

When I do, will try clearing the VTY sessions.

Will post on the results.

Ok Glen, 

 

I have managed to login and am getting the following

 

7206vxr.rb#show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -
      1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
*     2 VTY              -    -      -    -    - 4350807       0     0/0       -
*     3 VTY              -    -      -    -    - 2024624       0     0/0       -
*     4 VTY              -    -      -    -    - 1166219       0     0/0       -
*     5 VTY              -    -      -    -    - 773561       0     0/0       -
*     6 VTY              -    -      -    -    - 394722       0     0/0       -


7206vxr.rb#show users
    Line       User       Host(s)              Idle       Location
   2 vty 0     root       idle                 00:00:06 144.0.0.51
   3 vty 1                idle                 00:00:04 144.0.0.51
   4 vty 2     root       idle                 00:00:11 144.0.0.51
*  5 vty 3     athiq      idle                 00:00:00 192.168.200.101
   6 vty 4                idle                 00:00:06 144.0.0.51

  Interface    User               Mode         Idle     Peer Address
  
  7206vxr.rb#show users
    Line       User       Host(s)              Idle       Location
   2 vty 0                idle                 00:00:00 144.0.0.51
   3 vty 1                idle                 00:00:06 144.0.0.51
   4 vty 2                idle                 00:00:02 144.0.0.51
*  5 vty 3     athiq      idle                 00:00:00 192.168.200.101
   6 vty 4     root       idle                 00:00:15 144.0.0.51

7206vxr.rb#show users
    Line       User       Host(s)              Idle       Location
   2 vty 0     root       idle                 00:00:12 144.0.0.51
   3 vty 1     root       idle                 00:00:13 144.0.0.51
   4 vty 2     root       idle                 00:00:15 144.0.0.51
*  5 vty 3     athiq      idle                 00:00:00 192.168.200.101
   6 vty 4                idle                 00:00:00 144.0.0.51


7206vxr.rb#show users
    Line       User       Host(s)              Idle       Location
   2 vty 0     root       idle                 00:00:07 144.0.0.51
   3 vty 1     root       idle                 00:00:13 144.0.0.51
   4 vty 2                idle                 00:00:04 144.0.0.51
*  5 vty 3     athiq      idle                 00:00:00 192.168.200.101
   6 vty 4     root       idle                 00:00:14 144.0.0.51

 

It looks weird to me that, even though I am the only one logged in, the output of show line and show users keeps changing every time I execute the command.

 

What does the ' * ' in the show line output indicate?

 

I have run the command clear line vty 1 and then show users, which shows the line clear, but then the root user just comes back on it again.

My configuration for the login part looks as follows:

 

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password *******
 transport input ssh

!

 

Any suggestions ?

 

 

Looking at the following link:

http://bannedhackersips.blogspot.co.uk/2014/05/fail2ban-ssh-banned-1440051.html

 

It seems the IP address is from a Chinese hacker.

Anyone know the best way to stop this IP address 144.0.0.51 from accessing my network?

Any help in writing a quick ACL to block this IP off completely?

 

Thanks

OK, added an ACL to block all of China. Cleared the VTY lines and all seems good now.

I've just had this same issue from exactly the same IP. Unbelievable.

 

6 vty 4     root       idle                 00:01:36 144.0.0.51

 

To gain root access to the router must be an exploit of a known vulnerability, as there definitely aren't any 'root' users defined on the local DB of the router. My customer is running a very old router on a small site that we will replace this week anyway, but its IOS is c850-advsecurityk9-mz.124-11.T2.bin

 

Good to see I'm not the only one.

 

Anyone else seen this? I need advice on what small office router/FW to get next.

Mike

 

If anyone wants to know the commands I used to fix the problem:

I created a rotary group to change default SSH port

 

ip ssh port 8811 rotary 15
ip ssh version 2

 

Create an access list for allowed subnet

access-list 110 permit tcp 192.168.0.0 0.0.0.255 any eq 8811

 

Then apply to the vty

line vty 0 4
 access-class 110 in
 rotary 15
 transport input ssh
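
The following Python is an added example, not code from any poster in this thread: it parses a `show users` capture like the ones posted above and reports how many of the five lines configured by `line vty 0 4` are held by addresses outside a management network. The 192.168.0.0/16 management range and the function names are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# One `show users` capture copied from the thread above.
SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
   2 vty 0     root       idle                 00:00:06 144.0.0.51
   3 vty 1                idle                 00:00:04 144.0.0.51
   4 vty 2     root       idle                 00:00:11 144.0.0.51
*  5 vty 3     athiq      idle                 00:00:00 192.168.200.101
   6 vty 4                idle                 00:00:06 144.0.0.51
"""

# Assumption for this example: addresses the operator manages the router from.
MGMT_NET = ipaddress.ip_network("192.168.0.0/16")


def parse_show_users(text):
    """Return one dict per VTY row; user is None when the User column is blank."""
    rows = []
    for line in text.splitlines():
        tok = line.replace("*", " ").split()
        if len(tok) < 6 or tok[1] != "vty":
            continue  # header, blank line, or a non-VTY row
        rows.append({
            "vty": int(tok[2]),
            "user": tok[3] if len(tok) == 7 else None,
            "idle": tok[-2],
            "src": tok[-1],
        })
    return rows


def vty_pressure(rows, total_vtys=5, mgmt_net=MGMT_NET):
    """Summarise which sources hold the VTY pool and whether it is full."""
    outside = [r for r in rows if ipaddress.ip_address(r["src"]) not in mgmt_net]
    return {
        "in_use": len(rows),
        "exhausted": len(rows) >= total_vtys,  # no free line for a new SSH session
        "outside_sources": dict(Counter(r["src"] for r in outside)),
        "usernames_seen": sorted({r["user"] for r in outside if r["user"]}),
    }


if __name__ == "__main__":
    print(vty_pressure(parse_show_users(SHOW_USERS)))
```

Run against periodic captures, a result that stays `exhausted` with one outside source holding most lines matches the pattern shown in this thread, where the operator's own SSH attempts were refused.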


 
