ACE 4710. Unable to clear ssh sessions

Carlos T · ‎02-02-2010

Hi.

Once in the CLI of an ACE 4710, using the command "clear ssh session id" I am unable to clear/kill any of the remote ssh sessions established.

According to the administration guide, the "clear ssh .." command must clear the sessions, but it does not, or maybe I am missing something?

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/administration/guide/access.html#wp1050335

ACE/CONTEXTO_A# show ssh session-info

Session ID Remote Host Active Time

13728 222.98.54.158:50556 67:43:38

13732 200.44.158.70:46172 67:43:36

13735 200.44.158.70:46174 67:43:36

13737 200.44.158.70:46177 67:43:36

ACE/CONTEXTO_A#

ACE/CONTEXTO_A# clear ssh 13728

ACE/CONTEXTO_A# clear ssh 13732

ACE/CONTEXTO_A# clear ssh 13735

ACE/CONTEXTO_A# clear ssh 13737

ACE/CONTEXTO_A# show ssh session-info

Session ID Remote Host Active Time

13728 222.98.54.158:50556 67:43:54

13732 200.44.158.70:46172 67:43:52

13735 200.44.158.70:46174 67:43:52

13737 200.44.158.70:46177 67:43:52

Sean Merrow · ‎02-03-2010

Hello,

Seems to be working for me in my tests. Works in the Admin context and a user context, and when clearing connections from console connection or one of the SSH sessions.

ace-appliance-15/CTX1# sho ssh sess

Session ID     Remote Host         Active Time
24705          161.44.77.245:1586     0: 1:42
25100          161.44.77.245:1589     0: 0:27
25116          161.44.77.245:1590     0: 0:16
ace-appliance-15/CTX1# clear ssh 25116
ace-appliance-15/CTX1#
ace-appliance-15/CTX1# sho ssh sess

Session ID     Remote Host         Active Time
24705          161.44.77.245:1586     0: 2: 5
25100          161.44.77.245:1589     0: 0:50

What version of software are you running on your 4710? I am running the latest A3(2.4). Can you try this version?

Thanks,

Sean

Carlos T · ‎02-03-2010

Hi Sean. Thanks for your answer.

The software version is A3(2.3). The reason I want to clear those 4 ssh sessions is because the ace is suffering a D.O.S attack affecting only the SSH administration to the device. I investigated the IP address of the remote hosts that are using all 4 available SSH lines, and they are present in a SSH BLACK LIST from the Internet.

I also tested the "clear ssh session-id" command in another ace with the same software version in my lab, and when I try to reproduce the scenario (taking all the 4 default available lines for SSH, but I guess its not the same as the D.O.S attack the production ACE is suffering), so once all 4 ssh lines are busy, I connect from telnet and doing that clear command I can succesfully clear/kill all the 4 ssh sessions. So according to the observed results, the "clear ssh" command works fine in my lab, but in the production ace it does not. Could it be because the D.O.S attack (that I cant reproduce in my lab) is also avoiding the clear action of that command?

Regards.

Sean Merrow · ‎02-04-2010

Hello,

Strange indeed. It doesn't seem to me that even a DoS attack should prevent you from clearing an SSH session. You might want to open a case with Cisco TAC at this point for further investigation as you may have found a new bug.

As a work-around, you may need to fail over to the standby ACE, so that you can reboot this one to clear the sessions. However, after performing any measures to clear the SSH sessions, then I would recommend restricting management access to your ACE to trusted networks only. Allowing management connectivity to the ACE from the Internet was probably not the intention. You can secure it by modifying your management class-map to something like this:

class-map type management match-any REMOTE_ACCESS
2 match protocol telnet 172.16.2.0 255.255.255.0
4 match protocol ssh 172.16.2.0 255.255.255.0
6 match protocol icmp any
5 match protocol xml-https 172.16.2.0 255.255.255.0
8 match protocol https 172.16.2.0 255.255.255.0

Where 172.16.2.0/24 would be a trusted network.

Hope this helps,

Sean