Re: Unable to SSH directly to Switch(Catalyst 3850)

farhanp · ‎10-06-2022

Hello,

I have this weird issue where the switch majority of times doesn't allow SSH directly into it from LAN but if SSH'ed through VPN or through another network devices, it always allows.

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxx
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 4096000
enable secret 5 xxxxxx
!
username admin privilege 15 secret 5
user-name lobby
creation-time 1450511320
privilege 15
password 7 xxxxxx
type lobby-admin
user-name temp
creation-time 1470885033
privilege 15
password 7 xxxxxx
type lobby-admin
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication login local_webauth local
aaa authorization network default local
aaa authorization network local_webauth local
aaa authorization credential-download default local
!
!
!
!
!
!
aaa session-id common
clock timezone IST 5 30
switch 1 provision ws-c3850-24t
!
!
!
!
!
ip routing
!
no ip domain-lookup
ip domain-name xxxxxxx.in
!
!
qos wireless-default-untrust
qos queue-softmax-multiplier 100
access-session mac-move deny
!
crypto pki trustpoint TP-self-signed-1152785948
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1152785948
revocation-check none
rsakeypair TP-self-signed-1152785948
!
!
crypto pki certificate chain TP-self-signed-1152785948
diagnostic bootup level minimal
port-channel load-balance src-mixed-ip-port
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 4096
hw-switch switch 1 logging onboard message level 3
!
redundancy
mode sso
!
!
parameter-map type webauth global
virtual-ip ipv4 1.1.1.1
!
!
parameter-map type webauth WEB-AUTH
type webauth
!
lldp run
!
!
class-map match-any non-client-nrt-class
!
!
policy-map port_child_policy
class non-client-nrt-class
bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Vlan5
ip address xxxxxx 255.255.255.0
!
interface Vlan6
ip address xxxxxx 255.255.255.0
!
interface Vlan100
ip address 192.168.10.1 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.5.254
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm mac hmac-sha1-96 hmac-sha1
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
!
!
!
!
!
!
!
line con 0
privilege level 0
password 7 xxxxxx
logging synchronous
login authentication local_webauth
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password 7 xxxxxx
transport input ssh
line vty 5 15
password 7 xxxxxx
transport input ssh
!
ntp server 192.168.5.254 source Vlan5
wsma agent exec
profile httplistener
profile httpslistener
!
wsma agent config
profile httplistener
profile httpslistener
!
wsma agent filesys
profile httplistener
profile httpslistener
!
wsma agent notify
profile httplistener
profile httpslistener
!
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
!
wireless mobility controller

Kasun Bandara · ‎10-06-2022

what is the error message you are getting when its SSH is blocking. is it give some encryption errors? or just connection time out?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

farhanp · ‎10-07-2022

Tried using SecureCRT and Putty and it times out. Times out on telnet as well. And I did change line vty to transport input all for testing telnet.