Cisco Support Community

Random SSH Authentication Failure on 2960

Hi CSC,

I am encountering an issue during authentication (SSH) on my 2960 and I've been attempting various troubleshooting steps, without success so far.

Network topology:

Core Switch (Cisco) ------------ DMZ Switch 1 (Cisco, 2960) ------------ Internet Firewall Cluster Member#1
    ||                                ||                                     ||
    ||                                ||                                     ||
Core Switch (Cisco) ------------ DMZ Switch 2 (Cisco, 2960) ------------ Internet Firewall Cluster Member#2

This issue only happens on DMZ Switch 1. Both DMZ Switches have the latest firmware and the same configuration (except the port configuration for attached hosts). These are layer 2 switches with just one IP for management and normal SSH v2 configured.

I open SSH connection to DMZ Switch 2, no problem. Enter username and password and I'm in.

However, when opening an SSH connection to DMZ Switch 1 from my laptop in the LAN, and although entering correct credentials, access is denied.

The way I work around this is by SSHing to DMZ Switch 2 and then hopping to DMZ Switch 1. *This is the only way I can remotely access DMZ Switch 1.*

The suspicious error message I can see on DMZ Switch 1 (terminal monitor, when SSHing from DMZ Switch 2) is "Duplicate Address <IP of DMZ Switch 1> on VLAN <Management VLAN ID>, sourced by <some MAC address>". I am not able to trace the MAC address (it traces back to the trunk link between the DMZ Switches).

Any ideas? This is happening randomly.

Thanks

6 REPLIES
Hi Martin,

For the issue that you are getting, it looks like an L2 loop is forming somewhere between the FW and the 2960 switch. To check this, please share the below details from both 2960 switches:

show logs
show run int vl(xxx)
sh standby vl(xxx)

Could you check whether the FW cluster is configured correctly?

Have you configured this (spanning-tree bpduguard enable) on the port where you are getting the logs?

Trace the origin of the MAC address.

BR// Sanjay

Hi again,

+ Nothing fancy for the Management VLAN:

Switch 1:

interface vlan 100
 description Management Interface
 ip address 192.168.100.21
 no ip route-cache
end

Switch 2:

interface vlan 100
 description Management Interface
 ip address 192.168.100.22
 no ip route-cache
end

+ There is no HSRP configured. Default gateway: 192.168.100.1

+ My FW cluster is correctly configured. The .1 default gateway is the VIP of the cluster.

+ Why are you suggesting BPDU Guard on the trunk link between the switches? That would be precisely the place where BPDUs are sent/received, or am I missing something?

Thanks,

Martin

Hi Martin,

BPDU Guard was never suggested on the trunk link between the switches. I am suggesting it on the interface connected to the FW.

Hello again,

Problem not solved. BPDU Guard was enabled on the interface to the FW, but I still get the duplicate IP error.

Regards,

Martin

Hi Martin,

Could you share the configuration files of the devices in the topology?

BR// Sanjay

Hi Martin,

What is the output of "sh mac-address-table address <the-mac-address-you-see-in-the-duplicate-ip-message>" on both DMZ Switch 1 and DMZ Switch 2?

On DMZ Switch 1 it should show you the port on which that MAC is learned. Try to trace the device connected to that port (based on your description it should be DMZ Switch 2) and check whether it has a duplicate IP address configured with the "sh ip int b | in 192.168.100.21" command. If no duplicate address is configured on DMZ Switch 2, try to trace that MAC address on DMZ Switch 2 as well, to see whether it is learned on some other port with a device behind it that has that duplicate MAC address.

Regards,

Aref
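The tracing procedure Aref describes (read the duplicate-address log, look the MAC up in the MAC address table, decide whether the port is a trunk and the trace has to continue on the neighbour) can be scripted when the messages repeat. The following is an added example, not code from the thread or from Cisco; the log lines, MAC table output and port names are constructed samples, and the trunk port set is an assumption passed in by the caller.

```python
import re

# Added example (not from the thread): parse IOS "%IP-4-DUPADDR" syslog lines and
# map the sourcing MAC to a switch port via "show mac address-table" output.
# All sample text below is constructed for illustration.

DUPADDR_RE = re.compile(
    r"Duplicate address (?P<ip>\d+\.\d+\.\d+\.\d+) on (?P<vlan>Vlan\d+),"
    r" sourced by (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)

# One data row of "show mac address-table": VLAN, MAC, type, port.
MACTABLE_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$", re.I | re.M)

def parse_dupaddr(log_text):
    """Return the set of (ip, vlan, mac) tuples seen in DUPADDR syslog lines."""
    return {(m["ip"], m["vlan"], m["mac"].lower()) for m in DUPADDR_RE.finditer(log_text)}

def mac_ports(mac_table_text):
    """Map lowercased MAC -> port from 'show mac address-table' output."""
    return {m["mac"].lower(): m["port"] for m in MACTABLE_RE.finditer(mac_table_text)}

def locate_duplicates(log_text, mac_table_text, trunk_ports=()):
    """For each duplicate-address event, report the port the MAC was learned on and
    whether that port is a trunk (True means: keep tracing on the neighbour switch).
    'port' is None when the MAC is no longer in the table (entry aged out)."""
    ports = mac_ports(mac_table_text)
    results = []
    for ip, vlan, mac in sorted(parse_dupaddr(log_text)):
        port = ports.get(mac)
        results.append({"ip": ip, "vlan": vlan, "mac": mac, "port": port,
                        "next_hop": (port in trunk_ports) if port else None})
    return results

SAMPLE_LOG = """\
*Mar  1 00:12:41: %IP-4-DUPADDR: Duplicate address 192.168.100.21 on Vlan100, sourced by 0011.2233.4455
*Mar  1 00:13:07: %IP-4-DUPADDR: Duplicate address 192.168.100.21 on Vlan100, sourced by 0011.2233.4455
"""

SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0011.2233.4455    DYNAMIC     Gi0/48
Total Mac Addresses for this criterion: 1
"""

if __name__ == "__main__":
    # Gi0/48 is assumed to be the trunk towards the other DMZ switch.
    for r in locate_duplicates(SAMPLE_LOG, SAMPLE_MAC_TABLE, trunk_ports={"Gi0/48"}):
        print(r)
```

Feed it the output captured from DMZ Switch 1 first; if the result says the port is a trunk, repeat with DMZ Switch 2's table until the MAC lands on an access port.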
