3 Replies Latest reply: Apr 1, 2011 5:30 PM by Keith Barker - CCIE RS/Security, CISSP

    Cannot SSH from 2950

    Michael

      Hello,

       

      I am not able to SSH from any of my 2950s. I can SSH to them though. I am using c2950-i6k2l2q4-mz.121-22.EA14.bin on all of them. I have tried 3 other IOSes with no luck and 8 different 2950s. The error I am getting is Connection to 10.0.0.1 aborted. Error status: 0. I have looked all over and cannot find a solution for this.

      I have the switch plugged directly into a 3800 router that is running ssh version and it can be sshed into from another router and I can ssh from the 3800 into the 2950 switch.

      2950 interface and vlan configs look like this:

      conf t
      vlan 20

      int f0/1
      switchport mode trunk
      switchport trunk native vlan 20

      int vlan 20
      ip add 10.0.0.2 255.255.255.240
      no shut

       

      The 2950 interface f0/1 is plugged into the 2800 router int f0/0/0:

      3800 router interface and vlan configs look like this:

      conf t
      vlan 20

      int f0/0/0
      switchport mode trunk
      switchport trunk native vlan 20

      int vlan 20
      ip add 10.0.0.1 255.255.255.240
      no shut

       

      They can both successfully ping each other. But only the router can ssh into the switch and the switch cannot ssh the router.

       

      I have set up an ip domain-name, ip ssh version 2, crypto key gen rsa mod 1024, a username and secret password with priv 15, and added under line vty 0 15, transport input ssh, transport output ssh, login local on both the router and switch. What is missing here? I have successfully set up ssh on many 3750s and several models of routers with no issues.

         
        • 1. Re: Cannot SSH from 2950
          Martin

          Try without trunk; just make it access.

          • 2. Re: Cannot SSH from 2950
            Paul Stewart  -  CCIE Security

            You might do a "debug ip ssh" on the ssh server. You also might want to do a "no ip ssh version 2" so it can use either version (at least as a test).

            • 3. Re: Cannot SSH from 2950
              Keith Barker - CCIE RS/Security, CISSP

              I looked on the feature navigator, and not all IOS images for the 2950 have an integrated SSH client, even though it may have an SSH server function.

              It shows that the crypto version of IOS for that platform DOES include an ssh client, and the non-crypto version does NOT have an ssh integrated client.

              Now if your IOS does have the ssh client, and is trying the connection, it is possible that the client (built into the switch) only supports SSH v1, or only some of the older algorithms that are not being accepted by the destination SSH server.

              You may want to verify that SSH 1 connections are accepted by the target, as well as perhaps try different options of encryption or hashing from your client.

               

              Below is from a router that supports SSH2 client functions:

              R1#ssh ?
                -c    Select encryption algorithm
                -l    Log in using this user name
                -m    Select HMAC algorithm
                -o    Specify options
                -p    Connect to this port
                -v    Specify SSH Protocol Version
                WORD  IP address or hostname of a remote system

              R1#ssh -c ?
                3des        triple des
              SSHv2 only cipher list:
                aes128-cbc  AES 128 bits
                aes192-cbc  AES 192 bits
                aes256-cbc  AES 256 bits


               

              Best wishes,

               

              Keith
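
The mismatch described in reply 3 (a client limited to SSH v1, or to older ciphers, meeting a server that does not accept them), as an added example that is not part of the original thread: Python that reads a server's SSH identification string and KEXINIT message, as defined in RFC 4253, and reports whether a given client can negotiate with it. It goes slightly beyond the thread by also checking the cipher lists; the banner text "ExampleServer", the client's cipher preference order and the sample KEXINIT payload are constructed for illustration.

```python
import struct

# Wire names (RFC 4253) for the ciphers in the "ssh -c ?" output above;
# "3des" is "3des-cbc" on the wire. The preference order is an assumption.
CLIENT_CIPHERS = ["aes128-cbc", "3des-cbc", "aes192-cbc", "aes256-cbc"]
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
VERSIONS = {"1.5": {1}, "1.99": {1, 2}, "2.0": {2}}  # 1.99 = server speaks both

def server_versions(banner):
    """Protocol versions admitted by an identification string (RFC 4253 4.2, 5.1)."""
    parts = banner.decode("ascii", "replace").strip().split("-", 2)
    if len(parts) < 3 or parts[0] != "SSH" or parts[1] not in VERSIONS:
        raise ValueError("unrecognised SSH identification string")
    return VERSIONS[parts[1]]

def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload into its ten name-lists (RFC 4253 7.1)."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    off, out = 17, {}               # skip message type byte and 16-byte cookie
    for name in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        out[name] = raw.decode("ascii").split(",") if raw else []
        off += 4 + n
    return out

def diagnose(banner, kexinit, client_versions, client_ciphers=CLIENT_CIPHERS):
    """Explain whether a client with these capabilities can reach the server."""
    common = server_versions(banner) & set(client_versions)
    if not common:
        return "no common protocol version"
    if 2 not in common:
        return "ok: SSHv1"
    offered = parse_kexinit(kexinit)["enc_c2s"]
    # The first cipher on the client's list that the server also lists is chosen.
    match = next((c for c in client_ciphers if c in offered), None)
    return "ok: SSHv2 with " + match if match else "no common cipher"

def build_kexinit(lists):  # constructed payload for offline testing (zero cookie)
    body = bytes([20]) + bytes(16)
    for name in FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + struct.pack(">I", 0)

SAMPLE_KEXINIT = build_kexinit({"enc_c2s": ["aes256-cbc", "3des-cbc"]})  # constructed
```

With a constructed "SSH-2.0-ExampleServer" banner, `diagnose(..., client_versions=[1])` returns "no common protocol version", while the same call against an "SSH-1.99-" banner returns "ok: SSHv1".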