02-02-2010 09:41 AM
Hi.
Once in the CLI of an ACE 4710, using the command "clear ssh session-id" I am unable to clear/kill any of the established remote SSH sessions.
According to the administration guide, the "clear ssh ..." command must clear the sessions, but it does not, or maybe I am missing something?
ACE/CONTEXTO_A# show ssh session-info
Session ID Remote Host Active Time
13728 222.98.54.158:50556 67:43:38
13732 200.44.158.70:46172 67:43:36
13735 200.44.158.70:46174 67:43:36
13737 200.44.158.70:46177 67:43:36
ACE/CONTEXTO_A#
ACE/CONTEXTO_A# clear ssh 13728
ACE/CONTEXTO_A# clear ssh 13732
ACE/CONTEXTO_A# clear ssh 13735
ACE/CONTEXTO_A# clear ssh 13737
ACE/CONTEXTO_A# show ssh session-info
Session ID Remote Host Active Time
13728 222.98.54.158:50556 67:43:54
13732 200.44.158.70:46172 67:43:52
13735 200.44.158.70:46174 67:43:52
13737 200.44.158.70:46177 67:43:52
02-03-2010 06:28 AM
Hello,
Seems to be working for me in my tests. Works in the Admin context and a user context, and when clearing connections from a console connection or from one of the SSH sessions.
ace-appliance-15/CTX1# sho ssh sess
Session ID Remote Host Active Time
24705 161.44.77.245:1586 0: 1:42
25100 161.44.77.245:1589 0: 0:27
25116 161.44.77.245:1590 0: 0:16
ace-appliance-15/CTX1# clear ssh 25116
ace-appliance-15/CTX1#
ace-appliance-15/CTX1# sho ssh sess
Session ID Remote Host Active Time
24705 161.44.77.245:1586 0: 2: 5
25100 161.44.77.245:1589 0: 0:50
What version of software are you running on your 4710? I am running the latest A3(2.4). Can you try this version?
Thanks,
Sean
02-03-2010 07:16 PM
Hi Sean. Thanks for your answer.
The software version is A3(2.3). The reason I want to clear those 4 SSH sessions is that the ACE is suffering a DoS attack affecting only SSH administration of the device. I investigated the IP addresses of the remote hosts that are using all 4 available SSH lines, and they are present in an SSH blacklist on the Internet.
I also tested the "clear ssh session-id" command on another ACE with the same software version in my lab. When I try to reproduce the scenario (taking all 4 default available SSH lines, though I guess it's not the same as the DoS attack the production ACE is suffering), once all 4 SSH lines are busy I connect via telnet, run that clear command, and can successfully clear/kill all 4 SSH sessions. So according to the observed results, the "clear ssh" command works fine in my lab, but on the production ACE it does not. Could it be that the DoS attack (which I can't reproduce in my lab) is also preventing the clear action of that command?
Regards.
02-04-2010 05:49 AM
Hello,
Strange indeed. It doesn't seem to me that even a DoS attack should prevent you from clearing an SSH session. You might want to open a case with Cisco TAC at this point for further investigation as you may have found a new bug.
As a work-around, you may need to fail over to the standby ACE so that you can reboot this one to clear the sessions. However, after performing any measures to clear the SSH sessions, I would recommend restricting management access to your ACE to trusted networks only. Allowing management connectivity to the ACE from the Internet was probably not the intention. You can secure it by modifying your management class-map to something like this:
class-map type management match-any REMOTE_ACCESS
2 match protocol telnet 172.16.2.0 255.255.255.0
4 match protocol ssh 172.16.2.0 255.255.255.0
6 match protocol icmp any
5 match protocol xml-https 172.16.2.0 255.255.255.0
8 match protocol https 172.16.2.0 255.255.255.0
Where 172.16.2.0/24 would be a trusted network.
Hope this helps,
Sean
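To show Sean's recommendation end to end, here is an added example (not code from the original thread) of a complete ACE management policy: the permissive class-map that would leave SSH reachable from any host, beside the restricted class-map from the post above, followed by the management policy-map and the interface binding that a class-map needs before it has any effect. REMOTE_ACCESS and 172.16.2.0/24 come from the post; the policy-map name REMOTE_MGMT, VLAN 100 and the interface address are assumptions for illustration, and lines starting with "!" are comments.

```text
! Weak setting (assumed to be what exposed SSH to the Internet):
! any source address may open an SSH session to the ACE.
class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  4 match protocol icmp any

! Corrected setting, as in the post above: telnet, SSH, XML-HTTPS and
! HTTPS are accepted only from the trusted 172.16.2.0/24 network.
class-map type management match-any REMOTE_ACCESS
  2 match protocol telnet 172.16.2.0 255.255.255.0
  4 match protocol ssh 172.16.2.0 255.255.255.0
  5 match protocol xml-https 172.16.2.0 255.255.255.0
  6 match protocol icmp any
  8 match protocol https 172.16.2.0 255.255.255.0

! A management class-map does nothing by itself: it must be referenced
! from a management policy-map that permits the matched traffic.
! (policy-map name assumed)
policy-map type management first-match REMOTE_MGMT
  class REMOTE_ACCESS
    permit

! The policy-map must then be applied inbound on the interface whose
! address receives the management connections (VLAN and address assumed).
interface vlan 100
  ip address 172.16.2.10 255.255.255.0
  service-policy input REMOTE_MGMT
  no shutdown
```

Once a management policy is applied to an interface, management traffic to that interface that no permitted class matches is dropped, so double-check the trusted network from the console before applying it, or the next SSH session will be locked out as well. In a multi-context ACE the policy is per context, so each context that accepts SSH (the Admin context included) needs its own class-map, policy-map and service-policy.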