12-03-2018 01:54 AM - edited 03-08-2019 04:44 PM
I'm having an issue accessing a Cisco 2960x remotely via SSH. The basic architecture is as follows:
Server --> Nexus 3K --> 2960x
I can SSH from the server to the 3K, and then SSH from the Nexus to the 2960x, but cannot directly SSH to the 2960x from the server. The 2960x pings from the server fine.
Any help would be appreciated, thanks.
Solved! Go to Solution.
12-11-2018 04:12 AM
So I think I have fixed the issue.
I've walked into this environment and have been trying to get this to work. I've realised there is no actual business reason to have the SVIs or the secondary address on VLAN 2001 and therefore removed them. Now when trying SSH to 192.168.1.2 it works.
I now also get a clean packet capture in Wireshark without the TCP retransmissions.
I haven't got my head around the theory, but there must have been different source MACs or IPs being used for traffic... or something along those lines... anyway, for the time being it seems to be working.
Thank you for all your help
Regards
Matt
12-03-2018 02:27 AM
Hello
Does the 2960 have any ACL applied for MGT access?
12-03-2018 02:28 AM
Thank you for your reply.
No, there are no ACLs applied for management access.
12-03-2018 03:00 AM
Hello,
I think the problem may be related to differences in the encryption and/or MAC algorithms. The switch may not negotiate what the server proposes. Do you have the command "sh ip ssh" available?
3650_24# sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 30 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
Take a look and tell us.
12-03-2018 03:10 AM
Hi,
Here is the output from the sh ip ssh command on the Cisco 2960x:
ukgbpedensw1#sh ip ssh
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
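To check the algorithm-mismatch hypothesis raised above, here is an added example (not code from the thread) that applies the SSH algorithm selection rule to the 2960x's "sh ip ssh" output against a client proposal; the client list is a constructed sample, not the poster's server configuration.

```python
import re

# 'show ip ssh' output posted for the 2960x (ukgbpedensw1) above.
SWITCH_OUTPUT = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""

# Constructed sample of what a hardened OpenSSH client might propose in its
# KEXINIT; it is not the poster's server configuration.
CLIENT_PROPOSAL = {
    "Encryption Algorithms": [
        "chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr",
    ],
    "MAC Algorithms": ["hmac-sha2-256", "hmac-sha2-512"],
}

def parse_show_ip_ssh(text):
    """Extract the cipher and MAC name-lists from 'show ip ssh' output."""
    algos = {}
    for line in text.splitlines():
        m = re.match(r"^(Encryption Algorithms|MAC Algorithms):\s*(.*)$", line.strip())
        if m:
            algos[m.group(1)] = [a.strip() for a in m.group(2).split(",") if a.strip()]
    return algos

def negotiate(client, switch):
    """Apply the SSH selection rule (RFC 4253, section 7.1): the first
    algorithm in the client's list that the server also lists is chosen.
    A value of None means no common algorithm, i.e. key exchange fails."""
    chosen = {}
    for kind, proposal in client.items():
        supported = set(switch.get(kind, []))
        chosen[kind] = next((a for a in proposal if a in supported), None)
    return chosen

def mismatches(client, switch_text):
    """Return the algorithm categories with no overlap between client and switch."""
    switch = parse_show_ip_ssh(switch_text)
    return [kind for kind, alg in negotiate(client, switch).items() if alg is None]

if __name__ == "__main__":
    for kind, alg in negotiate(CLIENT_PROPOSAL, parse_show_ip_ssh(SWITCH_OUTPUT)).items():
        print(f"{kind}: {alg or 'NO COMMON ALGORITHM'}")
```

An algorithm mismatch aborts the session during key exchange, after the TCP handshake has already succeeded, so TCP retransmissions like those reported later in the thread point below SSH rather than at negotiation.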
12-03-2018 03:19 AM
Could you please add the Nexus output for this command. That way we can see whether this is the problem.
12-03-2018 03:14 AM - edited 12-03-2018 03:15 AM
Hello
Is it possible the N3K is negating this access for the server?
Can you post the config of the switch?
12-03-2018 03:39 AM
12-03-2018 06:33 AM
You told us that the switch can ping the server. Can you confirm that the server can ping the switch?
When you attempt ssh from the server to the switch are there any log messages generated on the switch that reflect this?
It is nice to see the config of the nexus. Paul requested the config of the 2960 and seeing it might be quite helpful.
HTH
Rick
12-03-2018 07:19 AM
Apologies, I read his message as needing to see the Nexus config... anyway, the 2960x config is attached.
The switch cannot ping the server. I said the switch pings from the server.
Server --> switch (pings)
Switch --> Server (doesn't ping)
It's not the firewall on the server, as this is allowing ping and the Nexus is able to ping the server fine.
There are no SSH-related logs on the switch.
Thank you for your help.
12-03-2018 11:17 AM
Having read the post from Paul again it does seem that perhaps he was asking for the Nexus switch config. I guess I interpreted it differently because I wanted to see the config from the 2960. So thank you for posting the config. Would you also post the output of show ip interface brief from the 2960? Also please post the output of show ip route from the 2960.
It is interesting that ping from the server to the switch does work but ping from the switch to the server does not work. Since the switch has multiple IP addresses, can you tell us which switch address you use when pinging from server to switch? And can you tell us, when attempting SSH to the switch, whether you are using the same IP address that is used for the successful ping? Could you post the output of traceroute from server to switch and traceroute from switch to server?
HTH
Rick
12-05-2018 03:32 AM
12-05-2018 08:09 AM
Thank you for the additional information. I am interested in the fact that when the 2960 attempts to traceroute, the first probe does not receive a response. The first probe packet should go to 192.168.1.1 and should receive a response. But it does not. I looked through the config of the Nexus and do not see anything on the interface that would impact sending a response. Can the 2960 ping 192.168.1.1?
Would you post the output of show arp (or perhaps show ip arp)? And would you post the output of show cdp neighbor?
HTH
Rick
12-06-2018 01:49 AM
12-06-2018 07:57 AM
Matt
Thank you for the additional information. Would you run debug for ssh on the 2960, attempt ssh from the server, and post the output?
HTH
Rick