
SSH Disconnecting

Discussion in 'Networking' started by turbow5, Jan 2, 2015.

Thread Status:
Not open for further replies.
  1. turbow5

    turbow5 Thread Starter

    Joined:
    Jan 2, 2012
    Messages:
    490
    I'm still a novice to networking, but I turned on the switch; all switchports are in VLAN 1, which has an IP of 192.168.1.50 255.255.255.0. This is a home lab hooked up to my regular 192.168.1.0 network. Anyway, I set a password and login under line vty 0 4, transport input all, and set the default gateway. All seems to be OK, up and running. I used Tera Term to telnet to it and it said connection timed out. So I tried SSH and it prompted me for a password; I typed it in, pressed enter, and it immediately closed.

    I thought it was just a program crash, so I reopened the program, tried SSH again, and it said "connection refused". OK... so I tried telnet, and now it's saying connection refused also. If I do it 10 times it might let me in once, but as soon as I press enter it crashes. I can ping it, so I know it's up.

    Any ideas would be greatly appreciated.
     
  2. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,271
    Would you post up the relevant parts of your config for command line access?

    As far as SSH is concerned with Cisco switches and routers, you need to generate the PKI keys before SSH will work. To do this, you first need to set a host name on your Cisco device before generating the key; the key will be created with the host name info. To generate the key, you need to go into config terminal mode. From there, issue one of these commands:

    crypto key generate <cr>

    or

    crypto key generate rsa <cr>

    or

    crypto key generate rsa modulus <encryption key strength value> <cr>

    The key strength defaults to 1024 bits. I sometimes use the default or bump it up to 2048. The greater the key strength, the more time the switch/router needs to generate the key (i.e. processing resources) and also to complete the key exchange that sets up the encryption tunnel. In a lab situation this typically isn't a big deal, so go big, but in a production environment where the device is handling large amounts of traffic and processing for other enabled features, this can be a problem.

    As far as the issues with Telnet, I think it has to do with the number of sessions you have open to the switch. The VTY statements are for virtual terminals; line vty 0 4 refers to the first 5 CLI sessions to the switch. If you don't terminate a session to the switch properly, the switch will still have the session as active, and it will consume one of the 15 (or 16, can't remember at the moment) concurrent sessions the switch supports. So the next Telnet session you establish will create another instance, and that one will be VTY 1, and so on. I think there is a timeout value where the sessions will terminate on their own after a set amount of inactivity. You can see how many SSH and Telnet sessions are created on the switch with the following commands:

    show ssh

    show sessions (this is for Telnet)
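    For anyone arriving here from a search, here is an added example of the full SSH setup sequence on IOS, in the order the commands depend on each other. It is not from this thread and is not turbow5's or zx10guy's config; the domain name, the password placeholder and the timeouts are assumed values. Two caveats the thread does not spell out: the RSA key is named after the hostname plus ip domain-name, so crypto key generate rsa does not succeed until both are set, and SSH only exists on a cryptographic (k9/k2) feature-set image, which show version will tell you. Also note that in the posted config, line vty 5 15 has login but no password, so any connection that lands on one of those lines is closed with "Password required, but none set"; configure all 16 vty lines the same way.

```cisco
! Added example, not config from this thread. Values below are assumptions:
! the domain name, the password placeholder and the timeouts.
! Prerequisite: a crypto-capable image (look for k9/k2 in "show version").
configure terminal
 hostname TSwitch
 ip domain-name lab.example
 ! Key is stored as TSwitch.lab.example; fails if hostname/domain are unset
 crypto key generate rsa modulus 2048
 ! Version 2 only, where the image supports the command
 ip ssh version 2
 ip ssh time-out 60
 ip ssh authentication-retries 3
 ! Local account with a salted hash; if the image rejects "secret",
 ! fall back to "password" plus "service password-encryption" (weaker)
 username turbow5 privilege 15 secret <replace-with-strong-password>
 ! Configure all 16 lines identically so no session lands on a
 ! line that has "login" but no credential source
 line vty 0 15
  login local
  transport input ssh
  exec-timeout 10 0
 end
!
! Verification: SSH enabled and version, key present, active sessions
show ip ssh
show crypto key mypubkey rsa
show ssh
show users
```

    If show ip ssh still reports SSH disabled after this, the key generation failed (no domain name, or a non-crypto image); the commands above will not help until that is fixed.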
     
  3. turbow5

    turbow5 Thread Starter

    Joined:
    Jan 2, 2012
    Messages:
    490
    Thank you for replying zx10guy!

    I checked the sessions prior to posting this and there were no sessions, and I did disconnect properly. I generated crypto keys but it didn't seem to have any effect on the issue. They're not included in the show run because I generated them after I copied the config.

    TSwitch#show run
    Building configuration...

    Current configuration : 1517 bytes
    !
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname TSwitch
    !
    enable secret 5 $1$oLZ6$aIjDcJPYHvyyqzH3DAMad0
    !
    username turbow5 password 0 cisco
    ip subnet-zero
    !
    ip ssh time-out 120
    ip ssh authentication-retries 3
    !
    !
    spanning-tree mode rapid-pvst
    spanning-tree portfast bpduguard default
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    spanning-tree vlan 1 priority 0
    !
    !
    !
    !
    interface FastEthernet0/1
    switchport mode access
    switchport nonegotiate
    !
    interface FastEthernet0/2
    switchport trunk allowed vlan 1
    switchport mode trunk
    !
    interface FastEthernet0/3
    !
    interface FastEthernet0/4
    !
    interface FastEthernet0/5
    !
    interface FastEthernet0/6
    !
    interface FastEthernet0/7
    !
    interface FastEthernet0/8
    !
    interface FastEthernet0/9
    !
    interface FastEthernet0/10
    switchport mode access
    !
    interface FastEthernet0/11
    !
    interface FastEthernet0/12
    !
    interface FastEthernet0/13
    !
    interface FastEthernet0/14
    !
    interface FastEthernet0/15
    !
    interface FastEthernet0/16
    !
    interface FastEthernet0/17
    !
    interface FastEthernet0/18
    !
    interface FastEthernet0/19
    !
    interface FastEthernet0/20
    !
    interface FastEthernet0/21
    !
    interface FastEthernet0/22
    !
    interface FastEthernet0/23
    !
    interface FastEthernet0/24
    !
    interface Vlan1
    ip address 192.168.1.50 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 192.168.1.1
    ip http server
    banner motd ^C^C
    !
    line con 0
    line vty 0 4
    password cisco
    login
    line vty 5 15
    login
    !
    !
    end

    TSwitch#

    Also, I am able to ping any switch and any router from my lab, or the main router, or even the WAN, but I cannot seem to ping my computer. The switch is hooked up to a smaller 5-port switch, which my computer is a part of, and one of the ports of the smaller switch hooks up to the main router. Well, if I can ping the router, which has to go through that switch... then why can't I ping my own computer? I think that has something to do with it. I attempted to traceroute but it didn't get me anywhere.
     
  4. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,271
    Hmm...not sure what is going on here.

    Try adding this to your config:

    aaa new-model

    This command enforces privileges with user accounts. It'll require you to set privilege levels for each account you create. Privilege level 15 is the highest, with the most rights.

    Per your config, I also suggest you turn on password encryption; it's showing no service password-encryption currently. I know this is a lab setup, but it's also good practice NOT to post your config on a public forum or send it to anyone with the passwords still present in the config, regardless of whether they are just hashes. The hashes can be reverse engineered to get the clear text, since the hashing on many Cisco devices uses an MD5-type hash.

    With regards to your ping problem, I don't quite understand your network flow. A diagram would help. Also are you able to ping the switch from your PC?
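    An added example (not from this thread, and not turbow5's config as posted) showing the weak password storage beside the hardened form. The point a practitioner should take from this exchange: service password-encryption only applies type 7 obfuscation, which is reversible with a publicly known key, so it stops shoulder-surfing and nothing more; the secret keyword stores a salted MD5 hash (type 5) that has to be guessed rather than decoded, and a long password makes that guessing expensive. The new password is a placeholder.

```cisco
! Added example, not the thread's config. <replace-with-strong-password>
! is a placeholder.
!
! Weak: clear-text (type 0) user password and a clear-text vty line password,
! exactly what "no service password-encryption" leaves in the running config
username turbow5 password 0 cisco
line vty 0 4
 password cisco
 login
!
! Better: salted hash for the account, local login on every vty line,
! and type 7 only for the things that cannot be hashed (line passwords, keys)
service password-encryption
no username turbow5
username turbow5 privilege 15 secret <replace-with-strong-password>
line vty 0 15
 no password
 login local
!
! Verify nothing is still stored as type 0 ("password 0" or bare "password")
show running-config | include password|secret
```

    After the change, every username line should read "secret 5 $1$..." and no line should contain "password 0". Whatever is posted to a forum should have those lines removed entirely, not just hashed.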
     
  5. turbow5

    turbow5 Thread Starter

    Joined:
    Jan 2, 2012
    Messages:
    490
    I am able to ping the switches/routers from my PC. I actually do have password encryption on the routers but not the switches. It is a lab, after all.
    The switches and routers can all ping each other, but are unable to ping my PC. I think that is the issue, because where would the switch/router send the output? The question is why can't it see my PC?
     

  6. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,271
    Do you happen to have a software firewall running on your PC?
     
  7. turbow5

    turbow5 Thread Starter

    Joined:
    Jan 2, 2012
    Messages:
    490
    Just the typical Windows firewall. I use Tera Term, and for whatever reason I checked to see if it was allowed by the Windows firewall and it wasn't. I allowed it and now it just says connection refused. Pinging the device is less than 1 ms. So... that's a head scratcher.
     
  8. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,271
    When there is a connection refused response in the absence of an ACL, this means the SSH service isn't fully activated. What model switch are we talking about here?
     
  9. turbow5

    turbow5 Thread Starter

    Joined:
    Jan 2, 2012
    Messages:
    490
    Catalyst 2950.

    Why would you need an ACL for simple telnet/SSH? Isn't that what the line vty 0 4 password/login is for? To control who logs in?
     
  10. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,271
    ACLs are used to only allow certain IPs to even communicate with the network device. This is best practice for any enterprise network. You never rely solely on username and password protection. With the networks I've designed, I go one step further and isolate any management interfaces to a separate management network. In this management network, I have things locked down pretty tight with the use of out-of-band interfaces, private VLANs, ACLs, etc., etc.

    The password/login statements under the vty commands are strictly for Telnet, which is something else I never use. Telnet is NOT secure, as all transmissions are in clear text. It's one of the first things I disable when I configure a network device. The commands I use to ensure no Telnet access on Cisco devices, under the vty section, are:

    transport input ssh
    transport output ssh

    You might want to look at what the switch has for the stored key. Run the following command:

    show crypto key mypubkey rsa

    You also might want to delete any key you have stored in the switch and start over.

    I looked at my 2960 switch, which has the transport input/output commands, and my 3560, which doesn't. Both have SSH operating correctly on them. If regenerating the crypto key doesn't fix your problem, you might want to try using the transport commands in your vty statements.
     
  11. turbow5

    turbow5 Thread Starter

    Joined:
    Jan 2, 2012
    Messages:
    490
    I did transport output all (just to play around with the lab), which I didn't even know was a command. I thought transport input ssh would have the switch just reply to whatever SSH login. Anyway, I did that and it had no effect. So I deleted the RSA keys and regenerated them.

    I opened Tera Term and a new window came up, authentication required. Before I even clicked the username box, it already disconnected me.

    Do you think it's still because the switch can't even ping my PC? It makes sense that it disconnects me because it doesn't know where to send the output. But...My PC can ping it...
     
  12. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,271
    The transport output all command for vty only affects remote sessions FROM the switch. The command states that the switch allows whoever is logged in under that vty session to initiate an SSH/Telnet/whatever session from the switch to another device. It has no bearing on replies or incoming CLI sessions.

    Have you configured the aaa new-model command yet? You should, as this is the preferred method to configure user access. I think the message you are receiving is related to this. If you don't want to do aaa new-model, then here is a sample config I found on Cisco's support site. I use aaa new-model on all my Cisco configs.

    Switch(config)# no access-list 101
    Switch(config)# access-list 101 remark Permit SSH access from administrators' systems
    Switch(config)# access-list 101 permit tcp host 10.0.0.2 any eq 22 log
    Switch(config)# access-list 101 permit tcp host 10.0.0.4 any eq 22 log
    Switch(config)# access-list 101 deny ip any any log
    Switch(config)# line vty 0 4
    Switch(config-line)# access-class 101 in
    Switch(config-line)# transport input ssh
    Switch(config-line)# privilege level 0
    Switch(config-line)# exec-timeout 9 0
    Switch(config-line)# login local
     
  13. turbow5

    turbow5 Thread Starter

    Joined:
    Jan 2, 2012
    Messages:
    490
    Well, a couple of things. I did the commands you suggested, and again it disconnected me. So I tried aaa new-model; again, disconnected. Then in the system log it said duplicate address on 192.168.1.50 Vlan 1. So I did a show ip dhcp conflict. Nothing showed. Hm...

    Think I should erase flash and restart?
     
  14. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,271
    What system log are you talking about? Sounds like you need to look at your WAN/LAN router to see if you've assigned the IP of the switch inside the DHCP scope of that router's DHCP server.
     
  15. turbow5

    turbow5 Thread Starter

    Joined:
    Jan 2, 2012
    Messages:
    490
    The switch's console log. It says there is a duplicate address on Vlan1, which is weird considering the only things hooked up to VLAN 1 are 2 switches and 3 routers, all with static IP addresses. I have it hooked up to the switch under my desk too, but the WAN-facing router only assigns IP addresses 192.168.1.2-49. 50+ is reserved for the lab.
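    The thread closes here, so as an added note (not from either poster): the duplicate-address message is the one lead worth running down before touching SSH again. IOS logs it as %IP-4-DUPADDR and includes the MAC address of the other device that answered ARP for 192.168.1.50. If the PC's ARP cache resolves .50 to that other MAC, the SYNs never reach the switch, which is consistent with the mix of timeouts, "connection refused" and one-in-ten successes that drop at the first keystroke. The commands below are an added example; the MAC address in the comment is a placeholder, and show ip dhcp conflict only reports conflicts seen by a DHCP server on the switch itself, which is not where the other .50 lives.

```cisco
! Added example, not from the thread. 0011.2233.4455 is a placeholder MAC.
!
! 1. Pull the message; it names the MAC that also claimed 192.168.1.50
show logging | include DUPADDR
! e.g. %IP-4-DUPADDR: Duplicate address 192.168.1.50 on Vlan1, sourced by 0011.2233.4455
!
! 2. Compare with this switch's own SVI MAC ("address is ...")
show interfaces vlan 1 | include address is
!
! 3. See which MAC the switch itself currently has for .50
show ip arp 192.168.1.50
!
! 4. Find the port the offending MAC was learned on, then follow the cable
show mac address-table address 0011.2233.4455
! (older 2950 images spell it "show mac-address-table address ...")
!
! 5. On the Windows PC, check which MAC wins for .50 from its point of view:
!      arp -a 192.168.1.50
!    and compare it with the SVI MAC from step 2.
!
! 6. Once the other device is renumbered, drop stale entries on the switch
clear arp-cache
```

    If the MAC from step 4 lands on the trunk toward the lab routers, one of the routers or the other switch still has .50 configured on an interface; if it lands on the port toward the 5-port switch, something on the house network (a static address or a lease outside the stated .2-.49 scope) has it. Either way, fix the overlap first and then retest SSH; the key regeneration and vty changes in this thread cannot help while two devices answer for the same address.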
     
Short URL to this thread: https://techguy.org/1140463
