10-16-2022 10:59 PM
Hello,
I have this weird issue where the switch doesn't allow SSH directly from the LAN the majority of the time. SSH and telnet from the LAN time out. But if SSH'ed through VPN or through another network device, it always allows.
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxx
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered 4096000
enable secret 5 xxxxxx
!
username admin privilege 15 secret 5
user-name lobby
 creation-time 1450511320
 privilege 15
 password 7 xxxxxx
 type lobby-admin
user-name temp
 creation-time 1470885033
 privilege 15
 password 7 xxxxxx
 type lobby-admin
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication login local_webauth local
aaa authorization network default local
aaa authorization network local_webauth local
aaa authorization credential-download default local
!
!
!
!
!
!
aaa session-id common
clock timezone IST 5 30
switch 1 provision ws-c3850-24t
!
!
!
!
!
ip routing
!
no ip domain-lookup
ip domain-name xxxxxxx.in
!
!
qos wireless-default-untrust
qos queue-softmax-multiplier 100
access-session mac-move deny
!
crypto pki trustpoint TP-self-signed-1152785948
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1152785948
 revocation-check none
 rsakeypair TP-self-signed-1152785948
!
!
crypto pki certificate chain TP-self-signed-1152785948
diagnostic bootup level minimal
port-channel load-balance src-mixed-ip-port
service-template webauth-global-inactive
 inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
 voice vlan
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-4094 priority 4096
hw-switch switch 1 logging onboard message level 3
!
redundancy
 mode sso
!
!
parameter-map type webauth global
 virtual-ip ipv4 1.1.1.1
!
!
parameter-map type webauth WEB-AUTH
 type webauth
!
lldp run
!
!
class-map match-any non-client-nrt-class
!
!
policy-map port_child_policy
 class non-client-nrt-class
  bandwidth remaining ratio 10
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Vlan5
 ip address xxxxxx 255.255.255.0
!
interface Vlan6
 ip address xxxxxx 255.255.255.0
!
interface Vlan100
 ip address 192.168.10.1 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.5.254
ip ssh authentication-retries 2
ip ssh version 2
ip ssh server algorithm mac hmac-sha1-96 hmac-sha1
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
!
!
!
!
!
!
!
line con 0
 privilege level 0
 password 7 xxxxxx
 logging synchronous
 login authentication local_webauth
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password 7 xxxxxx
 transport input ssh
line vty 5 15
 password 7 xxxxxx
 transport input ssh
!
ntp server 192.168.5.254 source Vlan5
wsma agent exec
 profile httplistener
 profile httpslistener
!
wsma agent config
 profile httplistener
 profile httpslistener
!
wsma agent filesys
 profile httplistener
 profile httpslistener
!
wsma agent notify
 profile httplistener
 profile httpslistener
!
!
wsma profile listener httplistener
 transport http
!
wsma profile listener httpslistener
 transport https
!
wireless mobility controller
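An added example, not code from the thread or from Cisco: a small Python parser for IOS-style running configs that pulls out the settings that decide how an SSH login to the vty lines is handled (SSH version, offered algorithms, per-vty transport, and which AAA login list answers the vty because with aaa new-model a vty without its own `login authentication` falls back to the `default` list). The embedded config is a constructed fragment modelled on the one posted above, with IOS indentation restored, since the parser relies on the one-space indentation of sub-commands.

```python
import re

# Constructed config fragment modelled on the thread's posted config (indentation restored).
CONSTRUCTED_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login local_webauth local
ip ssh version 2
ip ssh server algorithm mac hmac-sha1-96 hmac-sha1
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""

def parse_blocks(text):
    """Split an IOS config into top-level commands and their indented sub-commands."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blank lines and '!' separators
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
            top.append(current)
    return top, blocks

def ssh_posture(text):
    """Report SSH version/algorithms and, per vty block, which AAA list answers logins."""
    top, blocks = parse_blocks(text)
    lists = {m.group(1): m.group(2).split()
             for m in (re.match(r"aaa authentication login (\S+) (.+)", g) for g in top) if m}
    report = {"aaa_new_model": "aaa new-model" in top, "ssh_version": None,
              "mac": [], "encryption": [], "vty": {}}
    for g in top:
        if g.startswith("ip ssh version "):
            report["ssh_version"] = g.split()[-1]
        m = re.match(r"ip ssh server algorithm (mac|encryption) (.+)", g)
        if m:
            report[m.group(1)] = m.group(2).split()
    for header, subs in blocks.items():
        if header.startswith("line vty"):
            # With aaa new-model, a vty without 'login authentication' uses the 'default' list.
            name = next((s.split()[-1] for s in subs if s.startswith("login authentication ")), "default")
            transport = next((s.split()[2:] for s in subs if s.startswith("transport input ")), None)
            report["vty"][header] = {"login_list": name, "methods": lists.get(name), "transport": transport}
    return report
```

Running `ssh_posture(CONSTRUCTED_CONFIG)` shows both vty ranges resolving to the `default` list, i.e. RADIUS first with local fallback, which is the path every SSH login to this switch takes.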
10-16-2022 11:19 PM
- Check if any local intranet firewalling solutions may block this ssh access.
M.
10-17-2022 12:07 AM
This is an interesting issue. I wonder if this behavior might be related to this part of your config
ip ssh server algorithm mac hmac-sha1-96 hmac-sha1
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
10-17-2022 04:53 AM
I have recreated the algorithms before. I will try it once more.
10-17-2022 04:51 AM
There is no firewall in LAN. And SSH works 10% of the times.
10-17-2022 08:53 AM
There isn't a firewall or a firewall solution internally. The clients connect to wireless and this switch is the WLC for the APs, so there are no L3 hops either.
10-17-2022 05:19 AM
Hello,
which VLAN are the SSH clients that experience intermittent connectivity sitting in?
10-17-2022 08:52 AM
The clients are in VLAN 5. I tried connecting to all the VLAN interfaces on the switch, and if it works, it works on all of them, or it doesn't work at all.