I have a question about SSH. I have a Cisco 3745 router, and sometimes when I try to access it, it doesn't respond to SSH requests for a console session on the router. Do you have any idea about SSH problems? I haven't found anything about a bug in the IOS version running on my router (Version 12.4(5)).
Typically if you can't SSH or telnet to a router, and the problem is intermittent, you might be running out of VTY lines. When the problem occurs, try telnetting to the router on port 22 (i.e. telnet x.x.x.x 22) and see what error you get. If you get a connection refused, connect to the console, and issue a "show line". You will see all of the VTY lines in use. You can clear the lines manually to allow access once again.
If you do not get a connection refused error, there may be a problem with SSH. You can use "debug ip ssh" to try and figure out what is going wrong with the sessions.
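The check described in the reply above (read "show line" and see whether every VTY line is in use), as an added Python example that is not part of the original thread. The sample output is constructed and assumes the common IOS "show line" column layout, in which a leading `*` marks a line in use; the function names are hypothetical.

```python
import re

# Constructed sample of "show line" output (not captured from the router in
# this thread). Assumption: common IOS layout, leading "*" = line in use.
SAMPLE_SHOW_LINE = """\
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -
     97 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
*    98 VTY              -    -      -    -    -     12       0     0/0       -
*    99 VTY              -    -      -    -    -      7       0     0/0       -
*   100 VTY              -    -      -    -    -      3       0     0/0       -
*   101 VTY              -    -      -    -    -      3       0     0/0       -
*   102 VTY              -    -      -    -    -      1       0     0/0       -
"""

# Optional "*", the Tty number, an optional second "Line" column that some
# releases print, then the line type.
ROW_RE = re.compile(
    r"^(?P<active>\*?)\s*(?P<tty>\d+)(?:\s+\d+)?\s+(?P<typ>CTY|AUX|VTY|TTY)\b"
)


def vty_usage(show_line_output):
    """Return (in_use, total): lists of Tty numbers for the VTY lines."""
    in_use, total = [], []
    for row in show_line_output.splitlines():
        m = ROW_RE.match(row)
        if not m or m.group("typ") != "VTY":
            continue
        tty = int(m.group("tty"))
        total.append(tty)
        if m.group("active"):
            in_use.append(tty)
    return in_use, total


def diagnose(show_line_output):
    """Classify the state that matches a refused connection on port 22."""
    in_use, total = vty_usage(show_line_output)
    if not total:
        return "no-vty-rows-parsed"
    if len(in_use) == len(total):
        return "vty-exhausted"  # new SSH/telnet sessions have no free line
    return "vty-available"      # a free line exists; look at SSH itself


if __name__ == "__main__":
    used, all_vty = vty_usage(SAMPLE_SHOW_LINE)
    print(f"{len(used)}/{len(all_vty)} VTY in use {used}: {diagnose(SAMPLE_SHOW_LINE)}")
```

Run against output saved from the console at the moment SSH is refused, the list of in-use Tty numbers shows which lines to compare against the workstations that should have logged out.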
I got a connection refused error. I could see the VTY lines were in use and I cleared them. Is this bad behavior by the IOS or a bug? Do you have any idea?
It depends. If you really have people connected to the router doing management work, then it's not a bad thing to have your VTY lines in use. However, if those lines were otherwise wedged, it could point to a bug, or a problem with an external tool. Who established those sessions?
Only people who really manage the router and all the network devices connect to them through SSH. Generally the session is closed automatically but the VTY lines are not cleared. We are using SecureCRT 4.1 and some of us are using PuTTY.
Do you have any other management tools such as CiscoWorks? Do the IP addresses that are connected to the VTY lines correspond to people's workstations that would be performing management operations? Have you confirmed that those people are actually logging out of the device?
A note on the last question. If they do not log out of the device, and you have "exec-timeout 0 0" under the VTY line in the config, then the sessions will never time out.
We have CiscoWorks but it's not working well yet. Yes, the IP addresses are from workstations performing management operations, but they don't log out of the device. Recently, we configured an exec-timeout of 7 minutes under all VTY lines. But I think, as you say, the reason for the problem is not logging out of the device, because SecureCRT closes itself automatically but not the session on the device. Is that right?
I cannot say exactly what is going on based on this information. I do not use SecureCRT, so I am uncertain what its behavior is. I can say that if the client closes the connection, the server should also close the connection. Off the top of my head, I know of no bugs in 12.4(5) that would account for a stuck VTY line.
You might try debugging the SSH sessions, and seeing if you can spot any problems. If you do find that when SecureCRT auto-logs out of a device, the router keeps the VTY line open, you should open a TAC Service Request to determine if a new bug needs to be filed for this issue.
I was thinking the vty lines may be configured with 'exec-timeout 0 0' but since you have it set to 7 minutes that shouldn't be a problem.
A quick bug search on CCO pulled this one and it does appear to be the cause.
CSCsd98854 Bug Details
Headline: SSH connection - line not release after disconnect from SecureShell
Feature: SSH
Severity: 3
Status: Resolved
First Found-in Version: 12.4(7.17)
First Fixed-in Version: 12.4(8), 12.4(9.9), 12.4(9.6)T, 12.4(9.9)T
The line is not released after a ssh session is disconnected.
- the router runs 12.4(5) onwards and is configured as a communication server.
- SSH Terminal-Line Access is configured.
- clear the line
While this bug does sound very likely, the internal notes make me think it might not be the problem. The internal notes explicitly say 12.4(5) did not have a problem while 12.4(7.17) did have a problem. However, the rest of the symptoms sound dead-on. The SSH debug would confirm.
The problem with SSH has not occurred again since we configured an exec-timeout of 7 minutes on the VTY lines in the router. So it's not possible to run an SSH debug in order to find out if a bug is the problem.
SecureCRT makes an automatic logout. I have been looking at its configuration and it does not have an automatic logout option to configure; instead it has an Anti-idle option to send a string (command) every N seconds, in order to keep the connection alive through SecureCRT. I think the problem was that the VTY lines were kept in use: although SecureCRT or PuTTY made an automatic logout, the sessions were kept alive. What do you think about it?