SSH from CW LMS3.0. Strange behavior.

Unanswered Question
Sep 22nd, 2009

Hi all.

Here is the problem.

3845 constantly enters the quiet mode, saying that there is a login attack.

After some research i have found the following strange thing.

Something is opening an SSH connection to the router. Then, when a syslog message appears, some part of this message enters in the username field, other part enters in the password field. Router says authentication failed and after several attemtps enters the quiet-mode.

Here is an example

Sep 23 09:50:51.987: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 09:50:51 PRM Wed Sep 23 2009

Sep 23 09:50:54.263: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cause block per] [Source:] [localport: 0] [Reason: Login Authentication Failed] at 09:50:54 PRM Wed Sep 23 2009

as you can see a part of the syslog message is entered as a username.

I can see requests on port 22 coming from the CW server ip address.

From the other side, device troubleshooting applet from CW says that ssh connectivity failed. (telnet connectivity is successful).

Putty from the CW server is working without any problem.

Router is running cisco ios 12.4(24)T1.

Any ideas how to troubleshoot and fix this strange behaviour?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (3 ratings)
Joe Clarke Tue, 09/22/2009 - 20:20

Should RME be using SSH to connect to this device, or should it be using telnet? What version of RME are you using?

DPodtikhov Tue, 09/22/2009 - 20:30

RME version is 4.1.1

Well, it should use SSH to manage devices.

But RME reports that it is unable to use SSH, so it uses Telnet/SNMP.

Joe Clarke Tue, 09/22/2009 - 20:54

You need to make sure that you can connect to the device from the RME server using the credentials found in DCR. If that works, and you're seeing the following error in ConfigMgmtServer.log when you try to run a config fetch operation against these devices, then you may be seeing CSCso57052: connect timed out

But based on the failed login messages, I'm betting the credentials in DCR are wrong for these devices.

DPodtikhov Tue, 09/22/2009 - 21:46

Device troubleshooting applet tells me that telnet connection is successful.

The DCR credentials are right, i've re-entered them once again but it didn't help.

Is it possible to disable SSH management from RME? So that CW do not even attempt to open SSH sessions to the routers?

Joe Clarke Tue, 09/22/2009 - 21:47

Sure. Go to RME > Admin > Config Mgmt > Transport Settings, and remove SSH from all of the protocol order lists.

DPodtikhov Wed, 09/23/2009 - 00:16

I have removed SSH from all protocol order lists, but the problem remains.

Maybe some other modules except RME are opening this SSH sessions?

Besides, i can't understand why parts of the syslog messages get into the username/password fields.

Syslog messages are sent only to the buffer and console, not to the line.

DPodtikhov Wed, 09/23/2009 - 02:19

This lines are also strange for me

Source:] [localport: 0]

The router is trying to establish the session with itself?

Joe Clarke Wed, 09/23/2009 - 07:13

This does look like a bug. It appears to be some memory corruption, but I cannot find an existing bug on this. I suggest you open a TAC service request so more analysis can be done.

DPodtikhov Wed, 09/23/2009 - 07:27

Pity, but I'm unable to open TAC request because i've no Smartnet contract.

I've enabled login on-failure on the other 3845 running the same IOS and I've got the same situation.

I've enabled login on-failure on the two other routers, running older versions of ios, no such mistakes for several hours.

Maybe you are right and this is a bug.

Joe Clarke Wed, 09/23/2009 - 07:35

This is certainly a bug. Leaking of memory like this is always bad. Unfortunately, I do not have a router running this code on which to test. However, I have confirmed (as you did) that older code is working properly.

As to answer your other question, only RME makes unsolicited SSH connections to devices. Other applications (like Campus or Common Services) would only make connections if you requested them.

DPodtikhov Wed, 09/23/2009 - 08:01

I have one more 3845 which is not in production network. I will test it tomorrow.

You say leaking is bad, does it mean that I will probably have other problems with the router? , Should I get back to some older ioses?

I suppose even if i disable the login on-failure feature the same things will be happenning in the backgound.

DPodtikhov Wed, 09/23/2009 - 19:37

Well, i've figured out what caused this problem.

AUX port on one router was connected to the console port of the other router and vice versa.

So i suppose that one router initiated some console session to another router and syslogs falling into the console were entered as username/password fields.

The no logging console command did not solve the problem. The router uses the command line invitation (Router0xx>) as a username fnd authentication fails.

I have unplugged the cables and all is going fine. So it is not the bug of cisco ios, maybe there is some workaround to keep the console-aux cables plugged but i have not found it yet.

Thanks jclarke for your replies.


This Discussion