05-23-2011 07:02 AM - edited 03-07-2019 12:37 AM
I have 2 Cisco 2960's which have to have the vty lines configured for ssh. I will call the switches Switch 1 and Switch 2. AAA/ssh config has been added to both switches and SSH only works on Switch 1. I can successfully access Switch 2 using telnet but not ssh. I have been through the config and can see no differences.
I have updated the IOS to 12.2-58 SE1 and it was previously on 12.2-44 SE6 and this has made no difference. I have removed the config and put the config from Switch 1 (the one that ssh works on) and I get the same response. When using ssh I get a "Network Error - Connection Refused" msg.
The hardware revisions are exactly the same between the switches, as were the IOS's before I upgraded Switch 2.
I have enabled debugging and can see no output when accessing Switch 2 via ssh; I do see output when using telnet. I have removed the ACL that was attached to the vty lines and the result is the same. Config below:
aaa new-model
!
aaa group server tacacs+ Group1
 server x.x.x.x
 server y.y.y.y
!
aaa authentication login VTY_Admin group tacacs+ none
aaa authentication login CON_Admin group Group1 line local
aaa authentication enable default group Group1 enable
aaa authorization exec default group Group1 if-authenticated
aaa authorization commands 15 default group Group1 if-authenticated
aaa authorization network default group Group1 if-authenticated
aaa accounting exec default start-stop group Group1
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group Group1
aaa accounting network default start-stop group Group1
!
aaa session-id common
tacacs-server host x.x.x.x
tacacs-server host y.y.y.y single-connection
tacacs-server directed-request
tacacs-server key xxxxxxxx
line vty 0 4
 exec-timeout 5 0
 password cisco
 logging synchronous
 login authentication VTY_Admin
 transport input ssh telnet
line vty 5 15
 password cisco
 login authentication VTY_Admin
 transport input ssh telnet
If anyone has any suggestions it would be much appreciated.
05-23-2011 08:18 AM
Is the ssh server activated on your switch? Can you run these commands: sh ip ssh and sh crypto key mypubkey rsa? Are you seeing something in the output?
Regards.
Alain.
05-23-2011 07:59 AM
Make sure that you are running a k9 software version like:
c2960-lanlitek9-mz.122-58.SE1.bin
This should allow you to enable SSHv1 (SSHv2 with 1024-bit key) on the switch.
Please rate if helpful.
05-23-2011 12:32 PM
Did you create the keys on both? "show crypto key my rsa".
05-23-2011 02:00 PM
I bet it was what glen.grant was saying. You probably need to run:
05-23-2011 11:22 PM
Thanks for the responses. Shortly after my post I found that I had not generated the RSA key.
ssh is now up and running on both.
Thanks
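The checks suggested in the replies above (k9 image, `sh ip ssh`, `sh crypto key mypubkey rsa`) can be scripted so that a switch with no RSA key pair is caught before SSH is relied on. This is an added example, not code from the thread: the function names, the sample command output and the hostname `switch2.example.com` are constructed, and the last two checks (telnet still allowed on the vty lines, a login method list ending in `none`) go beyond what the thread discusses.

```python
import re

def audit_ssh_readiness(image, show_ip_ssh, show_rsa_keys, running_config):
    """Return findings for one switch; an empty list means nothing was flagged."""
    findings = []
    # SSH needs a crypto image; the thread identifies these by "k9" in the name.
    if "k9" not in image.lower():
        findings.append("image is not a k9 build")
    # 'show crypto key mypubkey rsa' lists no key entry until a key pair exists.
    if not re.search(r"^\s*Key name:", show_rsa_keys, re.M):
        findings.append("no RSA key pair")
    if not re.search(r"\bSSH\s+Enabled\b", show_ip_ssh, re.I):
        findings.append("SSH server not enabled")
    # Hardening checks on the posted vty/AAA configuration.
    if re.search(r"^\s*transport input\b.*\btelnet\b", running_config, re.M):
        findings.append("vty lines still accept telnet")
    # A trailing 'none' lets login succeed unauthenticated if TACACS+ is unreachable.
    if re.search(r"^\s*aaa authentication login \S+ .*\bnone\s*$",
                 running_config, re.M):
        findings.append("login method list ends in 'none'")
    return findings

# Excerpt of the configuration posted in the thread.
POSTED_CONFIG = """\
aaa authentication login VTY_Admin group tacacs+ none
line vty 0 4
 login authentication VTY_Admin
 transport input ssh telnet
"""
IMAGE = "c2960-lanlitek9-mz.122-58.SE1.bin"  # file name quoted in the thread

# Constructed command output (not captured from a device; wording varies by release).
BEFORE = {"show_ip_ssh": "SSH Disabled - version 1.99\n", "show_rsa_keys": ""}
AFTER = {
    "show_ip_ssh": "SSH Enabled - version 1.99\n",
    "show_rsa_keys": "% Key pair was generated at: 07:15:00 UTC May 24 2011\n"
                     "Key name: switch2.example.com\n",
}

def audit(outputs):
    """Audit the posted config together with one set of 'show' outputs."""
    return audit_ssh_readiness(IMAGE, outputs["show_ip_ssh"],
                               outputs["show_rsa_keys"], POSTED_CONFIG)

if __name__ == "__main__":
    for label, outputs in (("before key generation", BEFORE),
                           ("after key generation", AFTER)):
        print(label, audit(outputs))
```

With the constructed "before" output the audit reports the missing key pair and the disabled SSH server; after key generation only the two configuration findings remain.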