ACE 4710. Unable to clear ssh sessions

Unanswered Question
Feb 2nd, 2010


Once in the CLI of an ACE 4710, using the command "clear ssh session id" I am unable to clear/kill any of the remote ssh sessions established.

According to the administration guide, the "clear ssh .." command must clear the sessions, but it does not, or maybe I am missing something?


ACE/CONTEXTO_A# show ssh session-info

Session ID     Remote Host         Active Time
13728   67:43:38
13732   67:43:36
13735   67:43:36
13737   67:43:36

ACE/CONTEXTO_A# clear ssh 13728
ACE/CONTEXTO_A# clear ssh 13732
ACE/CONTEXTO_A# clear ssh 13735
ACE/CONTEXTO_A# clear ssh 13737
ACE/CONTEXTO_A# show ssh session-info

Session ID     Remote Host         Active Time
13728   67:43:54
13732   67:43:52
13735   67:43:52
13737   67:43:52

Sean Merrow Wed, 02/03/2010 - 06:28


Seems to be working for me in my tests.  Works in the Admin context and a user context, and when clearing connections from console connection or one of the SSH sessions.

ace-appliance-15/CTX1# sho ssh sess

Session ID     Remote Host         Active Time
24705     0: 1:42
25100     0: 0:27
25116     0: 0:16
ace-appliance-15/CTX1# clear ssh 25116
ace-appliance-15/CTX1# sho ssh sess

Session ID     Remote Host         Active Time
24705     0: 2: 5
25100     0: 0:50

What version of software are you running on your 4710?  I am running the latest A3(2.4).  Can you try this version?



Carlos Trujillo... Wed, 02/03/2010 - 19:16

Hi Sean. Thanks for your answer.

The software version is A3(2.3). The reason I want to clear those 4 ssh sessions is because the ace is suffering a D.O.S attack affecting only the SSH administration to the device. I investigated the IP address of the remote hosts that are using all 4 available SSH lines, and they are present in an SSH BLACK LIST from the Internet.

I also tested the "clear ssh session-id" command in another ace with the same software version in my lab, and when I try to reproduce the scenario (taking all the 4 default available lines for SSH, but I guess it's not the same as the D.O.S attack the production ACE is suffering), so once all 4 ssh lines are busy, I connect from telnet and doing that clear command I can successfully clear/kill all the 4 ssh sessions. So according to the observed results, the "clear ssh" command works fine in my lab, but in the production ace it does not. Could it be because the D.O.S attack (that I can't reproduce in my lab) is also avoiding the clear action of that command?


Sean Merrow Thu, 02/04/2010 - 05:49


Strange indeed.  It doesn't seem to me that even a DoS attack should prevent you from clearing an SSH session.  You might want to open a case with Cisco TAC at this point for further investigation as you may have found a new bug.

As a work-around, you may need to fail over to the standby ACE, so that you can reboot this one to clear the sessions.  However, after performing any measures to clear the SSH sessions, then I would recommend restricting management access to your ACE to trusted networks only.  Allowing management connectivity to the ACE from the Internet was probably not the intention.  You can secure it by modifying your management class-map to something like this:

class-map type management match-any REMOTE_ACCESS
  2 match protocol telnet
  4 match protocol ssh
  6 match protocol icmp any
  5 match protocol xml-https
  8 match protocol https

Where would be a trusted network.

Hope this helps,
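
An added example, not part of the posts above or of any Cisco tooling: a Python check over a saved running-config that flags management class-map match lines which are not pinned to a source network. It assumes the ACE `match protocol <proto> {any | source-address <ip> <mask>}` form; the sample config, the 192.0.2.0/24 trusted range, the /16 width threshold and the ICMP exemption are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the REMOTE_ACCESS class-map in the thread.
# 192.0.2.0/24 (documentation range) stands in for a trusted network.
SAMPLE_CONFIG = """\
class-map type management match-any REMOTE_ACCESS
  2 match protocol telnet any
  4 match protocol ssh source-address 192.0.2.0 255.255.255.0
  6 match protocol icmp any
  8 match protocol https source-address 10.0.0.0 255.0.0.0
class-map match-all VIP_WEB
  2 match virtual-address 198.51.100.10 tcp eq www
"""

MGMT_CLASS_RE = re.compile(r"^class-map\s+type\s+management\s+\S+\s+(\S+)")
MATCH_RE = re.compile(r"^\s+(\d+)\s+match\s+protocol\s+(\S+)"
                      r"(?:\s+source-address\s+(\S+)\s+(\S+))?")


def audit_management_classmaps(config, min_prefix=16, ignore=("icmp",)):
    """Return (class_map, line_no, protocol, reason) for each management
    match line that is not pinned to a sufficiently narrow source network.
    min_prefix and the icmp exemption are assumed policy choices."""
    findings = []
    current = None  # name of the management class-map being read, if any
    for line in config.splitlines():
        if line.startswith("class-map"):
            m = MGMT_CLASS_RE.match(line)
            current = m.group(1) if m else None
            continue
        m = MATCH_RE.match(line) if current else None
        if not m or m.group(2) in ignore:
            continue
        num, proto, addr, mask = m.groups()
        if addr is None:  # "any", or no source restriction at all
            findings.append((current, int(num), proto, "no source-address"))
            continue
        prefix = ipaddress.ip_network(f"{addr}/{mask}", strict=False).prefixlen
        if prefix < min_prefix:
            findings.append((current, int(num), proto, f"source network is /{prefix}"))
    return findings


if __name__ == "__main__":
    for finding in audit_management_classmaps(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file; an empty result means every non-ICMP management protocol is limited to a source network at least as narrow as `min_prefix`.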


