Crypto issue

CSCO12348032
Level 1

I am having an issue where I had two c3750 stacks configured, connected via Etherchannel, and I was able to connect to both of them via SSH. We removed most of the switches in the stacks, leaving only the master switch of the first stack, and now I am unable to connect via SSH.

I have tried all the usual things, like crypto key zeroize rsa and then recreating them with crypto key generate rsa but I still can't connect (connection refused).

I have the hostname configured.

I have the ip domain-name configured.

I have ip ssh version 2 configured and I have transport input ssh configured on the vty lines.

When you do a show ssh when connected via the console there are no connections.

In the running config, when I compare it to another switch / stack I can see that there are no crypto pki trustpoint TP-self-signed-... or crypto pki certificate chain TP-self-signed-... entries

You can ping from this switch to other switches / stacks.

You can authenticate with tacacs+ using test aaa group tacacs+ {username} {password} legacy

Any ideas what I am doing wrong?

9 Replies

Mark Malone
VIP Alumni

Hi

Copy the trust point and the certificate from the working switch's running config to the switch it's missing in, save it and try again. Have you tried reloading the switch as well yet?

It should come back with a reboot.

Note the part of the certificate that says self-signed. Copying a self signed certificate from one device to another device will not solve the problem. If you believe that the switch needs a certificate and a trust point then the thing to do would be to get the switch to generate its own self signed certificate - which usually is related to enabling http secure-server. SSH does need the crypto keys but does not depend on a certificate.

Since the original post says that the crypto key was zeroized and then a new key was generated, I believe that we can assume that the crypto key is present and that we need to look for some other explanation of this problem. If logging buffered is enabled on this switch, then can the original poster look in the logs and see if there is any log message that might shed light on this?

Also can the original poster please post the output of show version from the switch? It would also be helpful if we could see what is in the configuration for this switch.

HTH

Rick

I had no ip http server and no ip http secure-server configured.

I tried putting them back in and it generated the keys. I saved the config (wr mem and copy run start), and both the crypto pki trustpoint TP-self-signed-... and crypto pki certificate chain TP-self-signed-... entries now show in the running-config.

Tried to connect via SSH, same result. Tried reloading the switch and then connecting via SSH, same result. Still getting connection refused.

So we have proved that the self signed certificate was not causing the issue with SSH.

It was working with multiple switches in the stack. You removed some switches. Now it does not work. So in removing some switches something changed. Perhaps posting the current configuration might help us to find the issue. It might also help if you post the output of show ip ssh.

Perhaps you should turn on debug for ssh. Then attempt another ssh access. Then post any debug output.

HTH

Rick

cisco WS-C3750-48P (PowerPC405) processor (revision H0) with 131072K bytes of memory.
Processor board ID CAT0920X1M4
Last reset from power-on
1 Virtual Ethernet interface
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:14:69:45:CA:00
Motherboard assembly number     : 73-9675-08
Power supply part number        : 341-0029-03
Motherboard serial number       : CAT09200PUL
Power supply serial number      : DTH09186GND
Model revision number           : H0
Motherboard revision number     : A0
Model number                    : WS-C3750-48PS-E
System serial number            : CAT0920X1M4
SFP Module assembly part number : 73-7757-02
SFP Module revision Number      : A0
SFP Module serial number        : CAT09191AA2
Top Assembly Part Number        : 800-26377-03
Top Assembly Revision Number    : A0
Version ID                      : V05
CLEI Code Number                : COM1Y00ARB
Hardware Board Revision Number  : 0x01

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 52    WS-C3750-48P       12.2(55)SE1           C3750-IPSERVICESK9-M

CSCO12348032
Level 1

On further investigation, I have noticed that Vlan2 is up, line protocol is down.

I am assuming that this is because the Etherchannel trunk ports to the other stack are no longer active, and that when I reconnect them Vlan2 will change to line protocol up, as STP will then have a L2 interface in a forwarding state.

If the trunk ports are not active and if there is no physical device connected in vlan 2 then that certainly explains why vlan 2 is in protocol down state.

HTH

Rick

I configured a switchport to use VLAN2 and connected my laptop with an IP address in the VLAN2 range. spanning-tree showed a port in VLAN2 in a forwarding state, and I was once again able to connect via SSH.
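The two points the thread settles (SSH needs only the RSA key, not a self-signed trustpoint, and an SVI with no active member port is line-protocol down and cannot accept SSH) as an added IOS configuration and check sequence; this is not the poster's configuration, and the hostname, domain name, key size, interface FastEthernet1/0/1 and the 10.2.0.0/24 addressing are assumed.

```cisco
! Added example, not the thread's own configuration. Hostname, domain,
! key size, interface Fa1/0/1 and the 10.2.0.0/24 addressing are assumed.
!
! 1. SSH prerequisites the original poster already had in place.
!    The RSA key pair is all SSH needs; no trustpoint or certificate
!    is required (those are generated by ip http secure-server).
hostname SW1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
!
! 2. Management SVI. An SVI stays "line protocol is down" until at
!    least one port carrying its VLAN (access port or trunk) is up and
!    forwarding, and a down SVI cannot accept SSH on its address, which
!    shows up at the client as "connection refused".
interface Vlan2
 ip address 10.2.0.10 255.255.255.0
!
! 3. Checks to run from the console when SSH is refused:
!    show ip ssh              -> expect "SSH Enabled - version 2.0"
!    show interfaces vlan 2   -> "Vlan2 is up, line protocol is down"
!                                means no active port in VLAN 2
!    show spanning-tree vlan 2 -> no port in FWD state for VLAN 2
!    show etherchannel summary -> trunk ports to the removed stack
!                                 are no longer bundled
!
! 4. Fix applied in the thread: give VLAN 2 an active member port so
!    the SVI comes up (here an access port for the laptop used to test).
interface FastEthernet1/0/1
 switchport mode access
 switchport access vlan 2
```

Once the Etherchannel trunk to the other stack is restored, that trunk carrying VLAN 2 serves the same purpose and the test access port is no longer needed.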

Thanks for posting back to the forum and letting us know that you have solved the problem. It is expected behavior that if there are no devices active in a vlan and no active trunks that include the vlan, the vlan would be in the protocol down state. And that would prevent SSH from using that address.

HTH

Rick