[SOLVED] 4321 ISR - Cannot SSH to router vty from network

Casgrain IT
Level 1

So I just received this new 4321 ISR and am proceeding to configure it (replacing an aging 1841).
Mostly everything is working, but I cannot SSH into it (so we don't use telnet anymore).

Here is the 'sh version' short output:

Cisco IOS XE Software, Version 03.16.02.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S2, RELEASE SOFTWARE (fc2)  

Here is the 'sh ip ssh' output:

SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 30 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): ** rsa key **

The 'sh ssh' output:

%No SSHv2 server connections running.
%No SSHv1 server connections running.

And finally, the config (asterisks are censored info):

Current configuration : 2538 bytes
!
! Last configuration change at 19:15:40 UTC Tue Aug 23 2016
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname ********
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
card type t1 0 1
no logging console
enable secret 5 ********************************
enable password *********************
!
no aaa new-model
!
no ip domain lookup
ip domain name ******.ca
no ip dhcp use vrf connected
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4321/K9 sn ****************
license boot suite FoundationSuiteK9
!
spanning-tree extend system-id
!
username ********* secret 5 *************************
!
redundancy
 mode none
!
!
!
!
controller T1 0/1/0
 framing esf
 clock source internal
 linecode b8zs
 cablelength short 110
 channel-group 0 timeslots 24
!
!
vlan internal allocation policy ascending
!
!
!
!
!
interface Loopback0
 ip address 10.0.137.10 255.255.255.255
!
interface GigabitEthernet0/0/0
 ip address 192.168.160.20 255.255.255.0
 ip nat inside
 negotiation auto
 no mop enabled
!
interface GigabitEthernet0/0/1
 no ip address
 shutdown
 negotiation auto
!
interface Serial0/1/0:0
 ip address 192.168.0.2 255.255.255.252
 ip nat outside
 encapsulation ppp
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 192.168.20.0 255.255.255.0 192.168.160.254
ip route 192.168.30.0 255.255.255.0 192.168.160.254
ip ssh time-out 30
ip ssh version 2
!
!
!
access-list 1 permit 192.0.0.0 0.255.255.255
!
!
!
control-plane
!
!
line con 0
 exec-timeout 30 0
 login local
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 30 0
 login local
 transport input telnet ssh
line vty 5 15
 exec-timeout 30 0
 login local
 transport input telnet ssh
!
ntp server 192.168.20.1
ntp server 192.168.20.150
!
end

So I can ping the host from my computer and I can telnet just fine. When I try to SSH, from PuTTY or a Linux host, all I get is 'Connection timed out' after a while. I turned on debug for SSH but got nothing. Also, SSH from the router to itself works fine.

Any idea what is the trouble here?
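As an added example, not from the thread or from Cisco: a small Python check over a constructed excerpt of the configuration posted above, flagging what a reviewer would raise before this router goes into service (telnet still accepted on the vty lines, no access-class on them, access-list 1 defined but applied nowhere, and a reversible enable password kept alongside the enable secret).

```python
# Constructed excerpt of the config posted above: only the statements the checks below read.
SAMPLE_CONFIG = """\
enable secret 5 ********************************
enable password *********************
no aaa new-model
access-list 1 permit 192.0.0.0 0.255.255.255
ip ssh version 2
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input telnet ssh
"""

def parse_sections(config):
    """Group indented child lines under the top-level statement above them."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
    return sections

def lint_vty(config):
    """Return (severity, message) findings about remote-access hardening."""
    sections = parse_sections(config)
    findings = []
    if any(k.startswith("enable password") for k in sections):
        findings.append(("high", "enable password is reversible; keep only enable secret"))
    defined = {k.split()[1] for k in sections if k.startswith("access-list ")}
    applied = set()
    for name, children in sections.items():
        if not name.startswith("line vty"):
            continue
        for child in children:
            if child.startswith("transport input") and "telnet" in child.split():
                findings.append(("high", f"{name}: telnet still accepted; use 'transport input ssh'"))
            if child.startswith("access-class"):
                applied.add(child.split()[1])
        if not any(c.startswith("access-class") for c in children):
            findings.append(("medium", f"{name}: no access-class, so any reachable host may try to log in"))
    for acl in sorted(defined - applied):
        findings.append(("low", f"access-list {acl} is defined but applied to no vty line"))
    return findings
```

Running `lint_vty(SAMPLE_CONFIG)` on the excerpt reports six findings; the same excerpt with `transport input ssh`, `access-class 1 in` on both vty ranges and the `enable password` line removed reports none.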

7 Replies

mikeleebrla
Level 1

I don't see the SSH keys in your config. Did you create them?

crypto key generate rsa

Yes, it's there, but I didn't post all of it (last line of 'sh ip ssh').

Hello

Try zeroizing the local RSA key and re-creating it, then try again!

res

paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

ahmedshoaib
Level 4

Hi;

As for the SSH configuration, it is OK, and you are running a K9 IOS, which is a requirement for SSH.

Please try to SSH from the router to itself to verify that SSH is working fine on the router. If it works fine, then the issue seems to be a firewall, either one in your network or on your PC.

Thanks & Best regards;

Please read the last line of my post...

Also, firewall isn't the issue because I can SSH anywhere else and connected via a switch on the same VLAN.

Hi;

If SSH works fine from the router itself, then for sure it's a firewall issue.

If it's a Cisco firewall, can you use packet tracer and verify that the firewall allows SSH traffic to the router? On a non-Cisco firewall, either enable logging on the policy where you allow SSH for the router or use an alternative tool to packet tracer.

Thanks & Best regards;

Again, no firewall in between and the request doesn't even reach the router ('timeout', not 'refused') as per debug.

I tried crossover and it worked so it's something with our aging switch. Will do some more testing but I'm confident it will work.
