Telnet/SSH Connection to Switch

I'm studying for the CCENT, and I have one issue and two general inquiries I'd like to present.  
First of all, I'm having trouble connecting to my 2950 using Telnet/SSH, though I've applied a VTY password.  As an aside, I'm able to connect through the console.  I applied an IP address to the switch, and I'm wondering if there's a part of the process that I've missed.  When using Putty to connect to the IP, I immediately receive the "Network Error: Connection refused" error; the same basic message happens, using Tera Term.  
Here's my running config:
Switch#show running-config
Building configuration...
Current configuration : 2416 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
no logging console
username CCNA password 0 CCIE
ip subnet-zero
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/24
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/25
interface FastEthernet0/26
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
interface Vlan2
 ip address 192.168.1.107 255.255.255.0
 no ip route-cache
ip default-gateway 192.168.1.1
ip http server
line con 0
 exec-timeout 0 0
 password CCENT
 logging synchronous
 login
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input telnet ssh
end
 --More--
The physical connection I'm using is from my desktop's second NIC, and I've configured the IPv4 connection to the switch's listed IP, which is 192.168.1.107.  Is there anything listed above that would be problematic?
One of my questions has to do with the IP address that's supposed to be used to receive rsa keys: why is it necessary?  Also, I tried entering the "ip address dhcp" command to grab an address from my WRT54G and received the following:
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#int vlan2
Switch(config-if)#ip address dhcp
                             ^
% Invalid input detected at '^' marker.
I'm following the directions in Odom's book, and I don't see what I'm missing.  
My other question has to do with passwords, in general.  Entering the username/password on either the interface-subcommand or the global configuration area seems unimportant, here:
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#transport input ssh telnet
Switch(config-line)#username DDDD password EEEE
Switch(config)#^Z
...and...
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#line vty 0 15
Switch(config-line)#login local
Switch(config-line)#transport input ssh telnet
Switch(config-line)#exit
Switch(config)#username FFFF password GGGG
Switch(config)#^Z
Here's the running config, afterwards:
Switch#show running-config
Building configuration...
Current configuration : 2535 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
no logging console
username CCNA password 0 CCIE
username BBBB password 0 CCCC
username DDDD password 0 EEEE
username FFFF password 0 GGGG
ip subnet-zero
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
 --More--
It doesn't appear as though exiting out of config-if mode made any difference for the usernames/passwords.  Then again, I can't connect through Telnet/SSH, so I'm not able to test it, at the moment.  
I'm really sorry for the huge post, but I didn't want to start multiple threads.  Any help is much appreciated.
- B 

First of all, thank you all for the helpful responses!
My PC is currently connected through the router, from which a straight-through cable is connected to port Fa0/18, and it is indeed on vlan2, which is associated with 1.107.  
I ran the arp -a command, and here's a portion of it:
Interface: 192.168.1.105 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-41-d4-6d-a1     dynamic
  192.168.1.104         64-a3-cb-3d-07-64     dynamic
  192.168.1.107         00-0a-b7-13-e5-c0     dynamic
1.105 is one of the NICs on the desktop.  The BIA listed for 1.107 is one of the static "CPU" addresses on the switch.  Here's my current running config:
Switch#show running-config
Building configuration...
Current configuration : 2434 bytes
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
no logging console
username CCNA password 0 CCIE
ip subnet-zero
ip domain-name modeofinquiry.com
ip ssh time-out 120
ip ssh authentication-retries 3
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/18
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/19
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/20
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/21
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/22
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/23
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/24
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/25
interface FastEthernet0/26
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
interface Vlan2
 ip address 192.168.1.107 255.255.255.0
 no ip route-cache
ip default-gateway 192.168.1.1
ip http server
line con 0
 exec-timeout 0 0
 password CCENT
 logging synchronous
 login
line vty 0 4
 password NICE
 login
 transport input telnet ssh
line vty 5 15
 password NICE
 login
 transport input telnet ssh
end
As you can see, I've added the VTY passwords, though I thought I had already done that.  Actually, to what do the "CCNA" and "CCIE" passwords listed above apply?  I'm assuming those are the local login credentials I added for the VTY lines.  
I just got through disconnecting the switch's straight-through cable from the router and connected it directly to my desktop's second NIC again, and I still can't connect remotely.  Where should the troubleshooting start, at this point?
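
Added example (not part of the original posts): a short Python audit of the second running-config above, showing which credential each line actually checks (`login` uses the line password, `login local` uses the `username` entries) and which management settings expose credentials. The function names and report layout are illustrative assumptions; the config text is copied from the post.

```python
import re

# Management-relevant lines copied from the second running-config posted above.
SAMPLE_CONFIG = """\
no service password-encryption
hostname Switch
username CCNA password 0 CCIE
ip domain-name modeofinquiry.com
interface Vlan1
 no ip address
 shutdown
interface Vlan2
 ip address 192.168.1.107 255.255.255.0
ip http server
line con 0
 password CCENT
 login
line vty 0 4
 password NICE
 login
 transport input telnet ssh
line vty 5 15
 password NICE
 login
 transport input telnet ssh
end
"""


def parse_blocks(text):
    """Split an IOS config into (header, [indented subcommands]) pairs."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks


def line_auth(subs):
    """Credential source a line uses, decided by its 'login' subcommand."""
    if "login local" in subs:
        return "local-users"      # checks the global 'username' entries
    if "no login" in subs:
        return "none"             # no password prompt at all
    if "login" in subs:
        return "line-password"    # checks the 'password' set under the line
    return "unspecified"


def audit(text):
    """Return users, per-line auth/transport, active management SVIs and findings."""
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]
    report = {"users": [], "lines": {}, "mgmt_svi": [], "findings": []}
    for h in headers:
        m = re.match(r"username (\S+) ", h)
        if m:
            report["users"].append(m.group(1))
    for header, subs in blocks:
        # An SVI only answers Telnet/SSH if it has an address and is not shut down.
        if header.startswith("interface Vlan") and "shutdown" not in subs:
            for s in subs:
                m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", s)
                if m:
                    report["mgmt_svi"].append((header.split()[1], m.group(1)))
        if not header.startswith("line "):
            continue
        transport = []
        for s in subs:
            if s.startswith("transport input "):
                transport = s.split()[2:]
        report["lines"][header] = {"auth": line_auth(subs), "transport": transport}
        if "telnet" in transport:
            report["findings"].append(
                f"{header}: telnet accepted, logins cross the network in cleartext")
    auths = {info["auth"] for info in report["lines"].values()}
    if report["users"] and "local-users" not in auths:
        report["findings"].append(
            "usernames " + ", ".join(report["users"])
            + " defined but no line uses 'login local'")
    if ("no service password-encryption" in headers
            or any(" password 0 " in h for h in headers)):
        report["findings"].append("passwords are stored in the config as plaintext")
    if "ip http server" in headers:
        report["findings"].append("HTTP management server is enabled")
    # SSH host keys are named from hostname + domain name; the key pair itself
    # does not appear in 'show running-config', so it has to be checked separately.
    report["ssh_naming_ready"] = (
        any(h.startswith("hostname ") for h in headers)
        and any(h.startswith("ip domain-name ") for h in headers))
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for name, info in result["lines"].items():
        print(f"{name}: auth={info['auth']} transport={info['transport']}")
    for finding in result["findings"]:
        print("finding:", finding)
```

Run against the first config in the thread (where the VTY lines use `login local`), the same audit reports the `CCNA` account as the credential in use instead of the line password.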

Similar Messages

  • Prime 4.2 Telnet/ SSH Connections to Switches

    Hi everybody,
    I have a problem with LMS 4.2 and use Telnet/ SSH tool to open network devices.
    If I start the tool telnet/ssh, always starts a telnet session and no ssh session.
    But telnet is disabled on all devices in my network. Can I change something to open automatically a ssh session with putty?
    regards Bjoern

    Hi Bjoern,
    I am assuming you refer to the Device Center > Tools > Telnet/SSH option.
    The problem is not on LMS actually. What happens is that in the background, a telnet:// is being called.
    What will happen is that your system will launch whatever application has been assigned to the telnet protocol, typically the Windows CMD, which will open a telnet session automatically.
    In order to change this to use Putty for example, which would allow you to change to SSH connectivity (manually though) you can do the following:
    1) BACKUP YOUR REGISTRY.
    Go to Start > Run > Regedit > File > Export.
    2) Locate the following key:
    HKEY_CLASSES_ROOT > Telnet > shell > Open > command > (default)
    3) Modify the key value to point to the location of your "putty.exe" file (make sure to include the double quotes).
    Default value:
    "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\url.dll",TelnetProtocolHandler %l
    New value (will open putty automatically to the selected IP):
    "D:\Tools\putty.exe" %l
    New value (will open putty normally, you will need to type the IP but can change the connection protocol/port if desired):
    "D:\Tools\putty.exe"
    This should make your system open Putty for any "telnet://" links, including the Telnet/SSH link in the Tools section of Device Center.
    Best regards,
    Luis
    Message was edited by: Luis Jimenez

  • LMS 4.2 is not releasing SSH connections of the devices

    Hello!
    We have LMS opens SSH sessions to Nexus 5000 devices as part of some jobs.
    These SSH connections are not being released by LMS as soon as jobs are completed, which leads the N5K devices to hang without any way of managing them remotely.
    We see these connections as idle on the nexus devices (which also should kill these sessions, but this is not the issue).
    We have found a known bug:
    CSCty90928
    LMS Pari jobs are not releasing SSH,telnet connections of the devices
    Symptom:
    Telnet/SSH connections are not released by LMS
    Conditions:
    Pari collections jobs are not releasing the connections after the Job completed
    Workaround:
    None
    This bug is categorized as "2 – severe" and is in "Open (Postponed)" status.
    I have a few questions, if anyone can assist:
    1.) What is the ETA to fix this bug?
    2.) Are there any other known bugs matching what we see (documented public bugs, with bug ID's, internal bugs or even undocumented bugs).
    3.) Is there any released or unreleased (even yet to be tested by TAC) patch we can use that should fix the issue?
    4.) Is there any way to adjust LMS idle timeout of SSH/Telnet sessions (I couldn't find it in the GUI, but maybe there is a way to change this parameter using a perl script or modifying one of LMS properties files)?
    Thanking in advance, Udi Dahan.

    Hello Ehud
    From N5k side we have submitted bug CSCty00044
    Currently there is no fix for it and our development team is actively working on it and investigating the issue in the lab.
    To get ETA for the release I would suggest you reach your account team and check with them how fast fixed release will be available.
    HTH,
    Alex

  • Unable to Telnet / SSH to a particular cisco switch

    Hello,
    I have an unusual issue that I just can't seem to track down.  We have a Windows Server 2008 R2 box that is unable to telnet or ssh to one switch in our network.
    Server IP:  10.0.0.74
    Cisco Switch IP:  10.1.0.7
    I am able to access all other switches/routers on the 10.1.0.x network, but not this one.  I ping and tracert by ip address and name.
    We have a number of other servers on our network and they all can access this switch
    Example:  
    a.  10.0.0.73 can telnet/ssh to 10.1.0.7
    b.  10.0.0.72  can telnet/ssh to 10.1.0.7
    c.  10.0.0.50  can telnet/ssh to 10.1.0.7
    d.  My workstation (10.0.250.213) can telnet/ssh to 10.1.0.7
    If anyone can help with troubleshooting further, I would greatly appreciate it.

    Thanks for the reply Philippe!  Here is the route print
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         10.0.0.2        10.0.0.74    266
             10.0.0.0      255.255.0.0         On-link         10.0.0.74    266
            10.0.0.74  255.255.255.255         On-link         10.0.0.74    266
         10.0.255.255  255.255.255.255         On-link         10.0.0.74    266
            10.10.0.0      255.255.0.0         On-link         10.0.0.74    266
           10.10.0.74  255.255.255.255         On-link         10.0.0.74    266
        10.10.255.255  255.255.255.255         On-link         10.0.0.74    266
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         10.0.0.74    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link         10.0.0.74    266
    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
              0.0.0.0          0.0.0.0         10.0.0.2  Default
    ===========================================================================
    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
      1    306 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None
    Firewall is disabled and there is no active antivirus.  I'm pretty sure port blocking is not the issue.  I am able to ssh and telnet from this box to every other switch/router in our network.
    This server has Solarwinds on it and tracks the health of our network (servers, routers, switches, ups, etc.).  The only reason we noticed an issue is because it stopped backing up the config for this particular switch.  All other switches/routers config is backed up to this server every morning at 2:00AM.
    With solarwinds, this server is also able to communicate with this switch via snmp / icmp and ping.
    Thanks again for the help!

  • LAN Switches cannot be accessed by Telnet, SSH or console in native vlan

    Hi to all of you:
    I do have a question about tagging the native vlan.
    In our network we do have about 90 L2 and L3 switches, 2950 the oldest, 2960, 2960S, 3560 PoE, 3750 and 4503E, and we are running VTP, and 43 vlans within the entire network.
    our Native VLAN is still vlan 1, and there are many corporative applications running in this vlan.
    We have upgraded the IOS for the switches to the latest IOS version about 6 months ago, and after that we started to have issues on the switches, related to accessing the switch, either by telnet, ssh, or even console. However, the switch is still working fine, I mean, doing all bridging and switching traffic.
    I have to reset or reload (power cycle) if I want to access the switch.
    I have read that having the native vlan can be a problem.
    Could you please let me know if you have gone through this problem?
    Thanks in advance for your help.
    Javier F. Berthin H.

    Hi Karhtick:
    I guess you have the best answer, you suggested the memory command and I am attaching you as result.
    Next step should be to downgrade the IOS?, because we did the upgrade just in order to have the latest IOS published by Cisco.
    If you need the config please let me know, for complementary comments.
    Thanks for your help.
    Javier
    Core_Toldos#
    Core_Toldos#
    Core_Toldos#sh processes memory sorted
    Processor Pool Total:   57114592 Used:   42061488 Free:   15053104
          I/O Pool Total:   12582912 Used:    9397428 Free:    3185484
    Driver te Pool Total:    1048576 Used:         40 Free:    1048536
    PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
       0   0   56706116   14325484   38372056          0          0 *Init*
    197   0    4506712    2363500    1463652          0          0 Auth Manager
       0   0          0          0    1443720          0          0 *MallocLite*
       0   0  577244636  370831296     916016   12457311    3203234 *Dead*
    236   0     532808      46152     507068          0          0 IP ARP Adjacency
    303   0    1335768     890528     450448          0          0 ADJ resolve proc
    230   0   27640244      15996     378344      10152          0 CDP Protocol
      77   0     368260   14413456     377820          0          0 EEM ED ND
    102   0     385848        232     362236          0          0 HLFM address lea
    404   0    3397428    3069392     334928          0          0 hulc running con
    192   0     307492      21604     294808          0          0 HL2MCM
    193   0     356552      70624     294744          0          0 HL2MCM
    357   0     265100          0     275260     100548          0 EEM ED Syslog
    365   0  126849404   86726456     255248          0          0 EEM Server
      87   0     569060     274864     244984          0          0 Stack Mgr Notifi
    203   0     753032     492440     164316          0          0 DTP Protocol
    201   0     737920     526656     159424          0          0 802.1x switch
      13   0  505129716  504972016     156620          0          0 ARP Input
    Core_Toldos#

  • Can't ping, telnet, SSH or find APs in ARP, but associated to WLC & has clients

    Hi All,
    I have an interesting problem. I have a Cisco 2504 WLC, and six Access Points that are associated to it.  I can reach 4 of the access points, which are connected to Cisco 300 POE switches, but the other 2 I cannot ping, telnet, SSH or find in the ARP table on the network.  However, they are both associated to the WLC and as far as I can tell, they have clients associated to them.  If I reboot them from the WLC, they find their way back to the correct WLC, and the WLC sees them in CDP, but I still can't access them in any way.
    The two problem APs appear to be connected to ports 3 & 4 on the WLC, which are the POE ports. I read some documentation that says that those ports don't support Access Points but basically that you can still connect them and have it work, but don't expect any help from Cisco if you run into problems.  I've confirmed that POE is being supplied in the port configs, and I have other sites with WLC's that are configured identically with APs on ports 3 & 4 that are up and not having any issues.
    Wondering if anyone has had similar issues and if so, can you shed any light on this strange behavior?
    Thanks.

    please
    https://supportforums.cisco.com/discussion/11288621/2500-wlc-attach-ap

  • Telnet / SSH Software options?

    Hello...
    After 20 years of using PCs I switched and I'm very happy. I'm figuring most things out easily but cannot find graphical SSH client software.
    I can use terminal but what I need is a software package that will store all my server accounts and passwords. Or am I missing something, some way I can do that with the built in terminal combined with the keychain?
    On a PC I would use something like SecureCRT.
    To reiterate, my main need here is the ability to store a list of servers, ids, and passwords that I connect to telnet (SSH). So I can pick a server and connect without having to lookup the id and password for each server.
    Thanks for any guidance..

    I'm not sure this is exactly what you're looking for, but I use a program called sshkeychain to store these passwords:
    www.sshkeychain.org/

  • Block Telnet/SSH

    Applying the below to a Catalyst 3560 switch, I can only telnet/ssh using 10.1.0.1. Host 10.1.0.50 telnet/ssh is blocked.
    Please advise.
    access-list 101 permit host 10.1.0.1 any eg 22
    access-list 101 permit host 10.1.0.1 any eg 23
    access-list 101 permit host 10.1.0.50 any eg 22
    access-list 101 permit host 10.1.0.50 any eg 22
    line vty 0 4
    access-class 101 in

    Colm
    If the first two lines work then I would expect the second two lines to also work. My first thought is that there may be some difference in what is actually configured and what you posted (especially since it is obvious that you just typed in the access list and did not copy it from the device config - the missing TCP parameter in the access list shows that). So copy the access list exactly from the device and post it.
    Other possibilities that occur to me:
    - is it possible that there is some IP connectivity issue which prevents 10.1.0.50 from connecting (or prevents responses from going back)?
    - is it possible that there are interface access lists which prevent the connection?
    Collin
    While I agree with you that it is generally better to use standard access lists with access-class, I do not believe that changing from extended to standard access list will solve this problem. If the problem were the extended access list then how does 10.1.0.1 work?
    HTH
    Rick

  • SSH enable on switches

    Hi,
    I am trying to configure ssh on Cat 3750 & Cat 3560 switches so that users cannot access the switches directly through telnet; instead they need to use ssh (say, the putty utility) to connect to the switches.
    Problem - Once I log in to the switch through ssh (using, say, the putty utility), from next time it allows access through telnet for all users.
    Below is the config
    crypto key generate
    ip ssh timeout 120
    ip ssh auth-retries 3
    line vty 0 4
    login local
    transport input ssh
    Is there anything else to be configured to enable ssh?
    IOS ver is c3560-ipbasek9-mz.122-25.SED.bin.
    Regds
    KMS

    hi
    The domain which is required to generate the key is missing in ur config which you have posted here.
    is it due to typo error ?? without that you will get error message while generating the pub key.
    also can you check which version of SSH ur running using show ssh command in ur switches ??
    if its version 1 can you change that to version 2 and check out ?
    that you can configure using ip ssh version 2 ..
    regds

  • Problems with SSH: Connection Refused

    Greetings fellow Arch users,
    I have hit a bit of a snag that I could really use some extra help getting around. I've tried everything I can think of (and everything that Google thought might work) and I have my back rather against a wall, so I thought I'd come here to see if anyone can offer some advice.
    To make a long story short, I am a college student and am attempting to set up an ssh server on a desktop at my house so I can access it remotely from the college. I have the computer set up and the server running, however I am having difficulty making connections to it from my laptop. I know that the server is running, because I can log into it both from the server itself (sshing into local host) and from my laptop when I use the internal IP address.
    The server is on a static IP address within the network(192.168.0.75), and my router is configured to forward TCP port 1500 to it (I'm using 1500 as the port for my ssh server). However, when I attempt to log into the ssh server using my network's external IP address, the connection is refused. I used nmap to scan my network and found that, even though the proper ports are forwarded to the proper place as far as my Router's configuration interface is concerned, port 1500 is not listed as one of the open TCP ports. I also, to test it, temporarily disabled the firewalls on both the server and the client. That didn't help. The command that I am running is:
    ssh -p 1500 douglas@[external ip address]
    As I am really not sure what is causing this problem, I don't know what information to provide. So here is everything that my inexperienced mind sees as likely being important. If you need anything more, let me know and I will do my best to provide it.
    Here is the sshd_config file from my server.
    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.
    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options override the
    # default value.
    Port 1500
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    # The default requires explicit activation of protocol 1
    #Protocol 2
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    #HostKey /etc/ssh/ssh_host_ecdsa_key
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024
    # Ciphers and keying
    #RekeyLimit default none
    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO
    # Authentication:
    #LoginGraceTime 2m
    PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10
    #RSAAuthentication yes
    #PubkeyAuthentication yes
    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile .ssh/authorized_keys
    #AuthorizedPrincipalsFile none
    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser nobody
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication no
    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    PrintMotd no # pam does that
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    UsePrivilegeSeparation sandbox # Default for new installations.
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none
    #VersionAddendum none
    # no default banner path
    #Banner none
    # override default of no subsystems
    Subsystem sftp /usr/lib/ssh/sftp-server
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    # X11Forwarding no
    # AllowTcpForwarding no
    # ForceCommand cvs server
    The output of ip addr when run on the server:
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
    valid_lft forever preferred_lft forever
    2: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:21:9b:3a:be:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.75/24 brd 192.168.255.0 scope global enp8s0
    valid_lft forever preferred_lft forever
    inet6 fe80::221:9bff:fe3a:be94/64 scope link
    valid_lft forever preferred_lft forever
    Here is the output from running nmap on the network:
    Starting Nmap 6.40 ( http://nmap.org ) at 2013-09-28 21:05 EDT
    Initiating Ping Scan at 21:05
    Scanning address [2 ports]
    Completed Ping Scan at 21:05, 0.01s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 21:05
    Completed Parallel DNS resolution of 1 host. at 21:05, 0.05s elapsed
    Initiating Connect Scan at 21:05
    Scanning pa-addresss.dhcp.embarqhsd.net (address) [1000 ports]
    Discovered open port 80/tcp on address
    Discovered open port 443/tcp on address
    Discovered open port 23/tcp on address
    Discovered open port 21/tcp on address
    Completed Connect Scan at 21:05, 4.08s elapsed (1000 total ports)
    Nmap scan report for pa-address.dhcp.embarqhsd.net (address)
    Host is up (0.036s latency).
    Not shown: 995 closed ports
    PORT STATE SERVICE
    21/tcp open ftp
    23/tcp open telnet
    80/tcp open http
    443/tcp open https
    8080/tcp filtered http-proxy
    Read data files from: /usr/bin/../share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 4.19 seconds
    Here is the ssh_config client-side:
    # $OpenBSD: ssh_config,v 1.27 2013/05/16 02:00:34 dtucker Exp $
    # This is the ssh client system-wide configuration file. See
    # ssh_config(5) for more information. This file provides defaults for
    # users, and the values can be changed in per-user configuration files
    # or on the command line.
    # Configuration data is parsed as follows:
    # 1. command line options
    # 2. user-specific file
    # 3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.
    # Site-wide defaults for some commonly used options. For a comprehensive
    # list of available options, their meanings and defaults, please see the
    # ssh_config(5) man page.
    # Host *
    # ForwardAgent no
    # ForwardX11 no
    # RhostsRSAAuthentication no
    # RSAAuthentication yes
    # PasswordAuthentication yes
    # HostbasedAuthentication no
    # GSSAPIAuthentication no
    # GSSAPIDelegateCredentials no
    # BatchMode no
    # CheckHostIP yes
    # AddressFamily any
    # ConnectTimeout 0
    # StrictHostKeyChecking ask
    # IdentityFile ~/.ssh/identity
    # IdentityFile ~/.ssh/id_rsa
    # IdentityFile ~/.ssh/id_dsa
    # Port 22
    Protocol 2
    # Cipher 3des
    # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
    # MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
    # EscapeChar ~
    # Tunnel no
    # TunnelDevice any:any
    # PermitLocalCommand no
    # VisualHostKey no
    # ProxyCommand ssh -q -W %h:%p gateway.example.com
    # RekeyLimit 1G 1h
    Output of ssh -v during connection attempt:
    OpenSSH_6.3, OpenSSL 1.0.1e 11 Feb 2013
    debug1: Reading configuration data /home/douglas/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to address [address] port 1500.
    debug1: connect to address address port 1500: Connection refused
    ssh: connect to host address port 1500: Connection refused
    Thank you guys ahead of time. Getting this server operational is hardly critical, it is just a side project of mine, but I would really like to see it working.
    Douglas Bahr Rumbaugh
    Last edited by douglasr (2013-09-29 02:58:56)

    Okay, so I finally have the opportunity to try and log in from a remote network. And. . .  it doesn't work. Which is just my luck because I now need to wait an entire week, at least, before I can touch the server again. Anyway, running ssh with the maximum verbosity I get this output:
    douglas ~ $ ssh -vvv -p 2000 address
    OpenSSH_6.3, OpenSSL 1.0.1e 11 Feb 2013
    debug1: Reading configuration data /home/douglas/.ssh/config
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to address [address] port 2000.
    debug1: connect to address address port 2000: Connection timed out
    ssh: connect to host address port 2000: Connection timed out
    It takes a minute or two for the command to finish with the connection timeout, as one would expect. And yes, I am reasonably sure that the address that I am using is my home network's external IP. It is dynamic, but I checked it before I left which was just over an hour ago. I guess that it may have changed. I'll know that for sure in the morning, when my server sends me an automatic email with the network's current address. In the meantime I am operating under the assumption that the address I am using is correct. What else could be the problem?

  • Telnet cannot connect

    Hi, I have a strange problem with my Cisco 837. I can telnet to it from my local LAN with no problems, but when I try to telnet to it from work or any external IP it will not connect and eventually times out. I did have an access list applied to the vty lines, but I allowed my work IP address and could see the match counter increment on the allow statement. I have now completely removed the access list but the problem remains.
    Trying 82.12.xxx.xxx...
    telnet: connect to address 82.12.xxx.xxx: Connection timed out
    line vty 0 4
    session-timeout 35791
    exec-timeout 35791 0
    logging synchronous
    length 0
    transport preferred telnet
    transport input telnet ssh
    transport output all

    Took me a little while, but I figured it out. I had my internet connection NAT'd; the route map pointed to an access list which said permit ip any any. This was causing the remote telnet/ssh problems. The NAT access list needed to permit only the inside networks, i.e. something like permit 192.168.1.0 0.0.0.255 any.
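The fix described in the reply above, as an added example that is not part of the original thread: a small Python model of first-match ACL evaluation with Cisco wildcard masks, showing which source addresses each version of the NAT access list selects. The `ip` keyword in the narrowed entry and every address other than 192.168.1.0 0.0.0.255 are assumptions constructed for illustration.

```python
import ipaddress

# Constructed for illustration: the two versions of the NAT access list.
BROAD_ACL = ["permit ip any any"]
NARROW_ACL = ["permit ip 192.168.1.0 0.0.0.255 any"]  # 'ip' keyword assumed

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_addr(tokens):
    """Consume one address spec; return (base, wildcard) as integers."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF            # every bit is "don't care"
    if tok == "host":
        return _ip(tokens.pop(0)), 0    # every bit must match
    return _ip(tok), _ip(tokens.pop(0))

def parse_entry(line):
    """Parse 'permit|deny ip <src> <dst>'; other protocols are out of scope."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACL entry: {line!r}")
    src, dst = parse_addr(tokens), parse_addr(tokens)
    if tokens:
        raise ValueError(f"trailing tokens in ACL entry: {line!r}")
    return action, src, dst

def addr_matches(addr, spec):
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)

def acl_permits(acl_lines, src, dst):
    """First matching entry decides; no match falls to the implicit deny."""
    for line in acl_lines:
        action, s, d = parse_entry(line)
        if addr_matches(src, s) and addr_matches(dst, d):
            return action == "permit"
    return False

if __name__ == "__main__":
    remote = "198.51.100.20"            # constructed external client
    flows = {"inside host": "192.168.1.50", "router outside address": "203.0.113.10"}
    for label, src in flows.items():
        print(label, "broad:", acl_permits(BROAD_ACL, src, remote),
              "narrow:", acl_permits(NARROW_ACL, src, remote))
```

With the broad entry, traffic sourced from the router's own outside address is selected along with the inside hosts; with the narrowed entry only 192.168.1.0/24 sources are.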

  • WS-6509 refusing SSH connections via TACACS+ 5.5

    Hello everyone, we have our Core 6509's using AAA with TACACS+ version 5.5 appliance.
    We have 4 appliances 2 each in 2 locations.
    We have an issue where 6509's refuse to authorize/authenticate valid users for ssh connections.
    When you ssh to the device you can enter your password but ssh tectia just closes or you see the login banner and "Authorization denied" and ssh closes.
    The switches have their tacacs-server settings pointing to all four TACACS+ devices.
    Occasionally one or both will attempt to use one of the 2 non-local TACACS+ servers to authenticate/authorize connections.
    You can log in from the console if you interrupt its connection to TACACS by disconnecting the fiber connections momentarily.
    Has anyone seen something like this before?
    This happens once or twice a year.
    ej

    That's the funny part, TACACS shows green stating that I'm passing all the checks.
    When I select the magnifying glass I see "passed" in green at the top.
    When I check "Evaluating Identity Policy" it says:
    Matched Default Rule
    Selected Identity Store - Internal Users
    Authenticating user against Active Directory
    Could not establish connection with ACS Active Directory agent
    Looking up User in Internal Users IDStore - "My username"
    Found User in Internal Users IDStore
    Wrong password or invalid shared secret
    The advanced option that is configured for a failed authentication request is used.
    The 'Continue' advanced option is configured in case of a failed authentication request.
    But I'm able to access all other switches so my AD username/password are correct.
    At first I was unable to access its pair. After we did a hard reset on one of the ACS's that was resolved.
    But I still can't get into the other pair.
    ej

  • Reverse a chained SSH connection ?

    Hi,
    I need to reverse an opened chained SSH connection to copy files back to my own computer.
    I know that when an SSH connection is active, it is possible to do ~ -R port:localhost:port2 to provide a reverse connection to send files back to the machine. But this doesn't seem to work in a chained configuration.
    Here's what I have :
    My computer === ssh ===> First server === ssh ===> Second server
    And I need to scp files from the second server onto my computer.
    Ideally, I'd like to have a "one command line" command, without tricks in ssh_config with proxy commands because I want to be able to use this easily on any computer.
    Thanks
    EDIT : I know ssh -R port:localhost:port1 server1
    and ssh -R port1:localhost:port2 server2
    but I'm looking for a way to do this once the connection is established.
    Last edited by doupod (2013-06-17 15:56:23)

    You can try by removing your original accounts and then logging back through SDM, then disable telnet and again create those original accounts.

  • Transport input telnet ssh help

    Hello,
    I had two questions about remotely logging in to a switch or router:
    1. What is the default setting on a switch or router to accept remote login (i.e., telnet or ssh)?
    2. If I configure...TRANSPORT INPUT TELNET SSH... which one is the default and accepted first by the switch or router? I mean, I know that it will accept both, but I want to know, if I configure both to be accepted, which one has the first priority or which one is accepted first by default, telnet or ssh.
    Thanks

    1) Default settings on all VTYs are "transport input all" --> all the supported protocols, that includes both telnet and ssh.
    2) There is no priority level on which one is accepted first. Basically it just listens on both protocols (telnet - tcp/23 and ssh - tcp/22) for remote management.
    Here is the command description for your reference:
    http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_s1.html#wp1069219
    Hope that helps.

  • ASA5520 - Management0/0 Telnet/SSH/Ping Access

    Hey all, hope this is an easy one.
    - How can I set up the management interface so that we can ping the mgmt interface from a subnet that is different from the Management0/0 interface's subnet? (The source IP would be in 192.168.100.0/24, which may conflict with the inside interface.)
    - I am able to telnet/ssh from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface.
    - I am not able to ping the mgmt interface from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface.
    - Is a security level required on the mgmt interface? It does not work unless we put one. If so, what are you guys setting it to?
    interface Ethernet0/0.101
    description Outside
    vlan 101
    nameif outside
    security-level 0
    ip address 101.1.1.100 255.255.255.0
    interface Ethernet0/1.102
    description Inside Cat3750-VM G1/0/24 (PRI) G2/0/24 (STB)
    vlan 102
    nameif inside
    security-level 100
    ip address 192.168.100.100 255.255.252.0
    interface Management0/0
    nameif mgmt
    security-level 90
    ip address 192.168.253.100 255.255.255.0
    management-only
    ssh 192.168.100.0 255.255.255.0 mgmt
    telnet 192.168.100.0 255.255.255.0 mgmt
    I try to add a static route but get an error:
    ASA5520(config)# route mgmt 192.168.0.0 255.255.252.0 192.168.253.1
    ERROR: Cannot add route, connected route exists

    Hello Robert,
    By default the Management interface of an ASA is going to be used for management traffic only.
    Now in order to be able to use it as any other interface you will need to use the following commands:
         -     interface Management0/0
         -     no management-only
    And just to let you know, it is impossible to ping a distant interface, for example from an inside subnet to the outside interface IP. This is a security measure.
    Regards,
    Julio
