Need assistance: Cisco 2811 + EtherSwitch module

docrice Member Posts: 1,706
I was tempted to post this in the CCNP forum, but it's technically not certification-related, so ... here's to hoping that the good folks on TechExams can help me out.

I have a 2811 with a NME-16ES-1G-P and lately attempts to access the module via SSH have been refused. Perhaps I made a config change without realizing its impact, etc., but now I seem to be locked out, even when trying to connect / reverse telnet from the router itself. (my commands are in red)
myrouter#sh ver
Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 25-Feb-09 17:55 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

myrouter uptime is 1 week, 16 hours, 44 minutes
System returned to ROM by reload at 18:04:02 pacific Mon Jan 31 2011
System restarted at 18:05:50 pacific Mon Jan 31 2011
System image file is "flash:c2800nm-spservicesk9-mz.124-24.T.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 53.50) with 245760K/16384K bytes of memory.
Processor board ID FTX1123A300
2 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Serial interface
2 terminal lines
2 Voice FXO interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102


myrouter#sh run

Current configuration : 5376 bytes
!
! Last configuration change at 18:26:50 pacific Mon Jan 31 2011 by someaccount
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myrouter
!
boot-start-marker
boot system flash:c2800nm-spservicesk9-mz.124-24.T.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
no logging console
logging monitor notifications
enable secret 5

!
no aaa new-model
clock timezone pacific -8
clock summer-time pdt recurring
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ip domain lookup
ip domain name
ipv6 unicast-routing
ipv6 cef
ntp server 192.168.0.225
multilink bundle-name authenticated
!
!
!
voice-card 0
!
!
crypto pki trustpoint TP-self-signed-1510330141
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1510330141
revocation-check none
rsakeypair TP-self-signed-1510330141
!
!
crypto pki certificate chain TP-self-signed-1510330141
certificate self-signed 01
[cert blob]
quit
username
username
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
!
interface FastEthernet0/0
ip address
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
!
interface GigabitEthernet1/0
ip address 192.168.98.1 255.255.255.0
!
interface Async0/0/0
no ip address
encapsulation slip
!
ip forward-protocol nd
[routes]
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination
2055
!
!
logging trap warnings
logging source-interface FastEthernet0/0
logging
logging
!
!
snmp-server community
RO
snmp-server community
RO
snmp-server trap link ietf
snmp-server host
!
control-plane
!
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
!
mgcp fax t38 ecm
!
!
!
!
banner login ^C
[banner blob]
^C
!
line con 0
login local
line aux 0
line 0/0/0
stopbits 1
speed 115200
flowcontrol hardware
line 66
no activation-character
no exec
transport preferred none
transport input ssh
transport output all
line vty 0 4
privilege level 15
login local
transport input ssh
line vty 5 15
privilege level 15
login local
transport input ssh
!
scheduler allocate 20000 1000
end


myrouter#sh ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0
YES NVRAM up up
FastEthernet0/1 unassigned YES NVRAM administratively down down
Async0/0/0 unassigned YES NVRAM down down
GigabitEthernet1/0 192.168.98.1 YES NVRAM up up

myrouter#service-module g1/0 session
Trying 192.168.98.1, 2066 ...
% Connection refused by remote host

myrouter#service-module g1/0 session clear
[confirm]
[OK]
myrouter#service-module g1/0 session
Trying 192.168.98.1, 2066 ...
% Connection refused by remote host

myrouter#service-module g1/0 statistics

Module Reset Statistics:
CLI reset count = 0
CLI reload count = 1
Registration request timeout reset count = 0
Error recovery timeout reset count = 0
Module registration count = 3

The last IOS initiated event was a cli reload at 18:31:38.303 pacific Mon Jan 31 2011

myrouter#service-module g1/0 status
Service Module is Cisco GigabitEthernet1/0
Service Module supports session via TTY line 66
Service Module is in Steady state
Service Module reset on error is disabled
Service Module heartbeat-reset is enabled
Getting status from the Service Module, please wait..


EtherSwitch Service Module with 16 PoE FE ports and 1 GE port
System name = myroutersw
Model string = NME-16ES-1G-P
System board ID = 0x18
Base MAC addr = 001b.53ca.5a00
Switch number = 1
System uptime = 7 days, 16 hours, 42 minutes, 59 seconds

Software Details:
Operating System = Cisco C3750 IOS Software
Vesrion = 12.2(52)SE
Major version = 1
Minor Vesrion = 42
Image path = flash:c3750-ipbasek9-mz.122-52.SE.bin
I've edited some of the more sensitive and hopefully-irrelevant details to trim the config down a bit. While the network is still flowing, I can't manage any of the ACLs I put in place on the 3750 module, so I need to get to this soon. I rebooted the unit a little over a week ago, but still no go.

Any suggestions?
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/

Comments

    phoeneous Member Posts: 2,333
    Do you get errors when you try to ssh?
    docrice Member Posts: 1,706
    When I tried to SSH in, I'm able to enter in my username / password, but immediately after that the connection just dies so my SSH window closes. I haven't run a packet trace to see more yet. I haven't changed the authentication config so I'm sure it's not that.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    phoeneous Member Posts: 2,333
    So it doesn't say "Access is denied"?
    docrice Member Posts: 1,706
    I just tested it now. If I enter in bad credentials, at least it prompts me to try again. If I enter in the right one, my Putty session dies (window closes), my system sends over the FIN-ACK, to which the SSH daemon on the switch module responds with two RST packets. It's being rude, and it could at least give me a reason for the rejection, especially this close to Valentine's Day.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    phoeneous Member Posts: 2,333
    If you do a tran in ssh tel and then telnet in does it let you?
    docrice Member Posts: 1,706
    The problem is I can't even log into the switch module at all, even from the router. I can SSH into the router, but consoling from the router to the module via reverse telnet doesn't work, so I'm essentially locked out from the 3750.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    SteveO86 Member Posts: 1,423
    I see "no aaa new-model", maybe specify a new model and set authentication to local.

    I've only had the pleasure of using a single etherSwitch model in a 2801 (or 2811) for a rather small (and I mean small) branch office of mine, and when I login to the router I can access the fa ports from there. (but it was a fairly cheap etherswitch module)

    Might be something in the log, if not I would increase the logging temporarily just to see if it gives any useful information.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
    docrice Member Posts: 1,706
    The AAA config you see above is for the router, not the EtherSwitch module. I looked at the previous config backup for the 3750 module and it does have an AAA config that allows local. I've had this problem maybe a year ago and reloading the switch solved it. The same fix didn't happen a week ago, so bummer for me.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    docrice Member Posts: 1,706
    I finally got around to solving this today. If anyone cares (or for the sake of posterity), in my case the solution was to:

    (on the router)
    conf t
    line con 66
    transport input all
    which finally allowed me to use the service-module g1/0 session command with success. Once that was done, I solved the SSH problem by logging into the EtherSwitch module via the above command and:
    conf t
    line vty 0 15
    exec
    Or maybe it was no exec. I don't remember. I must've misconfigured the device(s) some months ago. In hindsight, I might have pinpointed the problem faster if I had compared two sets of config backups. I kept suspecting hardware failure of some kind.

    Logging out of the module has always been the weirdest experience, even after all these years. For those who don't know, you have to Control+Shift / then press x, which brings you back to the router prompt. Then you service-module g1/0 session clear.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
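The two misconfigurations this thread ends on (the router's service-module TTY line restricted to `transport input ssh`, which refuses the reverse-telnet session to port 2000+TTY, and `no exec` on the switch module's vty lines, which drops an SSH session right after authentication) are easy to catch by auditing config backups, which is what docrice says would have found it faster. This is an added example, not code from the thread; the config excerpts are constructed from the ones posted, and the TTY 66 / port 2066 mapping comes from the `service-module g1/0 status` output above.

```python
# Constructed excerpts modelled on the thread's configs (not the poster's full configs).
ROUTER_BAD = "line 66\n no exec\n transport input ssh\n transport output all\nline vty 0 4\n login local\n transport input ssh\n!\nend\n"
SWITCH_BAD = "line vty 0 15\n no exec\n login local\n transport input ssh\n!\nend\n"
ROUTER_OK = ROUTER_BAD.replace("transport input ssh\n transport output", "transport input all\n transport output")
SWITCH_OK = SWITCH_BAD.replace(" no exec\n", " exec\n")


def parse_line_sections(config_text):
    """Return {spec: [subcommands]} for every 'line ...' block in an IOS config.
    Sub-commands run until the next 'line', '!' or 'end'; indentation is
    ignored because pasted configs (like the one in this thread) often lose it."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd.startswith("line "):
            current = cmd[5:].strip()
            sections[current] = []
        elif cmd in ("!", "end"):
            current = None
        elif current is not None:
            sections[current].append(cmd)
    return sections


def spec_covers_tty(spec, tty):
    """True if a numeric line spec such as '66' or '66 70' includes the given TTY."""
    parts = spec.split()
    if not parts or not parts[0].isdigit():
        return False
    lo = int(parts[0])
    hi = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else lo
    return lo <= tty <= hi


def audit_line_config(config_text, service_module_tty=None):
    """Return (line, problem) findings for the two lockout patterns from the thread."""
    findings = []
    for spec, cmds in parse_line_sections(config_text).items():
        transports = [c for c in cmds if c.startswith("transport input")]
        # 'service-module ... session' is a reverse telnet to port 2000+TTY, so the
        # module's TTY line must allow telnet (or all); 'ssh' alone gets "Connection refused".
        if service_module_tty is not None and spec_covers_tty(spec, service_module_tty):
            allowed = set(word for t in transports for word in t.split()[2:])
            if transports and not ({"all", "telnet"} & allowed):
                findings.append((f"line {spec}", "transport input excludes telnet; service-module "
                                 f"session to port {2000 + service_module_tty} will be refused"))
        # A vty with 'no exec' authenticates the user and then closes the session.
        if spec.startswith("vty") and "no exec" in cmds:
            findings.append((f"line {spec}", "no exec on vty: SSH sessions close after authentication"))
    return findings
```

Run it against both the router backup (with `service_module_tty=66`) and the switch module's backup; a clean pair of configs yields an empty list.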