Problems accessing switch via telnet

Hi guys,

I've configured my switch with SSH, however when i try accessing it from a PC i get

"closed by foreign host" error.

I know how ro resolve the issue by configuring in line vty #transport input all, however if i set the #transport input ssh , then the error comes back.

Anyone have any ideas?

Using Packet Trace BTW

thanks

Find more posts tagged with

Comments

Ertaz

Did you generate the keys?

sub-zero

Ertaz wrote: »

Did you generate the keys?

Hi, pretty sure i did unless I've made an error somewhere

SW1#show run Building configuration...

Current configuration : 1931 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW1
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
ip ssh version 2
no ip domain-lookup
ip domain-name google.com
!
username umar secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport access vlan 2
switchport mode access
switchport voice vlan 4
!
interface FastEthernet0/2
switchport access vlan 2
switchport mode access
switchport voice vlan 4
!
interface FastEthernet0/3
switchport access vlan 3
switchport mode access
switchport voice vlan 4
!
interface FastEthernet0/4
switchport access vlan 3
switchport mode access
switchport voice vlan 4
!
interface FastEthernet0/5
switchport trunk allowed vlan 1-4
switchport mode trunk
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
ip address 192.168.5.2 255.255.255.0
!
interface Vlan2
mac-address 0001.423b.d203
ip address 192.168.2.2 255.255.255.0
!
interface Vlan3
mac-address 0001.423b.d202
ip address 192.168.4.10 255.255.255.0
!
interface Vlan4
mac-address 0001.423b.d201
no ip address
!
!
!
!
line con 0
logging synchronous
login local
!
line vty 0 4
password cisco
login local
transport input ssh
line vty 5 15
password cisco
login local
transport input ssh
!
!
!
end

rob42

What does your show ip ssh look like?

sub-zero

rob42 wrote: »

What does your show ip ssh look like?

Hi Rob,

SW1#sho ip ssh SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
SW1#

I can't figure it out, is it me missing something or packet tracer playing up?

cheers

rob42

Doesn't look right to me.

What about your show ssh

edit to add...
I'd go through the SSH configuration process again if I were you. Are you sure of the command sequence?

If you let me know which Switch you're using (I'm assuming CPT v7), I'll go through it also if you like and we can compare the results?

sub-zero

rob42 wrote: »

Doesn't look right to me.

What about your show ssh

edit to add...
I'd go through the SSH configuration process again if I were you. Are you sure of the command sequence?

If you let me know which Switch you're using (I'm assuming CPT v7), I'll go through it also if you like and we can compare the results?

Rob, not sure what I am doing wrong, however I've just ran the config for setting up ssh again

TESTLAB#conf t Enter configuration commands, one per line. End with CNTL/Z.
TESTLAB(config)#ip dom
TESTLAB(config)#ip domain
TESTLAB(config)#ip domain-n
TESTLAB(config)#ip domain-name example.com
TESTLAB(config)#cry
TESTLAB(config)#crypto key
TESTLAB(config)#crypto key ge
TESTLAB(config)#crypto key generate rs
TESTLAB(config)#crypto key generate rsa

% You already have RSA keys defined named SW1.google.com .

% Do you really want to replace them? [yes/no]: y
The name for the keys will be: TESTLAB.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

TESTLAB# show ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.
TESTLAB#

Still unable to gain access.

I am using Packet Tracer, 2960 switch.

thanks

rob42

It seems to be okay my end...

Topology

PC [ip 192.168.1.20] fa0 connected to SW1 fa/01

Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname SW1
SW1(config)#int vlan 1
SW1(config-if)#ip address 192.168.1.10 255.255.255.0
SW1(config-if)#no shutdown

SW1#
SW1#ping 192.168.1.20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.20, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms

SW1#
SW1#show ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.
SW1#show ip ssh
SSH Disabled - version 1.99
%Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
Authentication timeout: 120 secs; Authentication retries: 3
SW1#

C:\>ssh -l admin 192.168.1.10
Open

[Connection to 192.168.1.10 closed by foreign host]
C:\>

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#line vty 0 15
SW1(config-line)#login local
SW1(config-line)#exit
SW1(config)#username admin password cisco
SW1(config)#ip domain-name techexams.net
SW1(config)#crypto key generate rsa
The name for the keys will be: SW1.techexams.net
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

SW1(config)#ip ssh version 2
SW1(config)#line vty 0 15
SW1(config-line)#transport input ssh
SW1(config-line)#^z
SW1#

C:\>ssh -l admin 192.168.1.10
Open
Password:

SW1>

If you compare your command sequence with mine, you'll see that you've missed a couple of things, namely, 'login local' and 'username'.

Try it again, bud'

sub-zero

rob42 wrote: »

It seems to be okay my end...

Topology

PC [ip 192.168.1.20] fa0 connected to SW1 fa/01

Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname SW1
SW1(config)#int vlan 1
SW1(config-if)#ip address 192.168.1.10 255.255.255.0
SW1(config-if)#no shutdown

SW1#
SW1#ping 192.168.1.20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.20, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 0/0/0 ms

SW1#
SW1#show ssh
%No SSHv2 server connections running.
%No SSHv1 server connections running.
SW1#show ip ssh
SSH Disabled - version 1.99
%Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
Authentication timeout: 120 secs; Authentication retries: 3
SW1#

C:\>ssh -l admin 192.168.1.10
Open

[Connection to 192.168.1.10 closed by foreign host]
C:\>

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#line vty 0 15
SW1(config-line)#login local
SW1(config-line)#exit
SW1(config)#username admin password cisco
SW1(config)#ip domain-name techexams.net
SW1(config)#crypto key generate rsa
The name for the keys will be: SW1.techexams.net
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

SW1(config)#ip ssh version 2
SW1(config)#line vty 0 15
SW1(config-line)#transport input ssh
SW1(config-line)#^z
SW1#

C:\>ssh -l admin 192.168.1.10
Open
Password:

SW1>

If you compare your command sequence with mine, you'll see that you've missed a couple of things, namely, 'login local' and 'username'.

Try it again, bud'

Hi Rob,

As you can see from post #3 already configured the username and login local.

However I've just typed in the commands again,

TESTLAB#conf t Enter configuration commands, one per line. End with CNTL/Z.
TESTLAB(config)#user
TESTLAB(config)#username admin
TESTLAB(config)#username admin sc
TESTLAB(config)#username admin se
TESTLAB(config)#username admin secret cisco
TESTLAB(config)#host
TESTLAB(config)#hostname TestLAB
TestLAB(config)#Ip domaian-n
TestLAB(config)#Ip domain-n
TestLAB(config)#Ip domain-name techexams.net
TestLAB(config)#cry
TestLAB(config)#crypto key
TestLAB(config)#crypto key ge
TestLAB(config)#crypto key generate rsa
% You already have RSA keys defined named TESTLAB.example.com .
% Do you really want to replace them? [yes/no]: y
The name for the keys will be: TestLAB.techexams.net
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

TestLAB(config)#^Z
*Mar 1 0:2:40.82: %SSH-5-ENABLED: SSH 2 has been enabled
TestLAB#
%SYS-5-CONFIG_I: Configured from console by console

I am still unable to access via SSH.

If i change the command to # transport input all in vty line config, I can telnet into the switch , but not SSH.

Thanks for helping BTW

rob42

... I am still unable to access via SSH.

If i change the command to # transport input all in vty line config, I can telnet into the switch , but not SSH.

Thanks for helping BTW

No probs and you're very welcome.

I can't understand why it's not working for you. The fact that you can use TELNET demonstrates that you've got a valid IP connection (as no doubt you understand), so it has to be an issue with the SSH configuration. If you want to made your CPT file available, I'll gladly have a look at it.

Cheers for now.

sub-zero

rob42 wrote: »

No probs and you're very welcome.

I can't understand why it's not working for you. The fact that you can use TELNET demonstrates that you've got a valid IP connection (as no doubt you understand), so it has to be an issue with the SSH configuration. If you want to made your CPT file available, I'll gladly have a look at it.

Cheers for now.

Thanks Rob, still confused myself.

As soon as I add the #transport input all command in line vty , it allows me to telnet into the switch.

OfWolfAndMan

Probably a bug. Zeroize key and reinitialize. If that doesn't work, just go with telnet

#crypto key zeroize rsa

#crypto key gener rsa general-keys mod 1024

also, what SSH client are you using?

rob42

sub-zero wrote: »

Thanks Rob, still confused myself.

As soon as I add the #transport input all command in line vty , it allows me to telnet into the switch.

No probs.

b.t.w, you are using the command...

C:\>ssh -l umar 192.168.5.2

...right?

edit...

No, forget that; it's an invalid command if it's not typed correctly...

ImYourOnlyDJ

Odd the config looks good to me. I'd take a closer look at the SSH client (maybe its doing something weird). Have you tried using Putty? You could also run Wireshark to see what exactly is going on.