cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
367
Views
0
Helpful
1
Replies

SSH from CW LMS3.0. Strange behavior.

DPodtikhov
Level 1
Level 1

Hi all.

Here is the problem.

3845 constantly enters the quiet mode, saying that there is a login attack.

After some research i have found the following strange thing.

Something is opening an SSH connection to the router. Then, when a syslog message appears, some part of this message enters in the username field, other part enters in the password field. Router says authentication failed and after several attemtps enters the quiet-mode.

Here is an example

Sep 23 09:50:51.987: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 09:50:51 PRM Wed Sep 23 2009

Sep 23 09:50:54.263: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cause block per] [Source: 0.0.0.0] [localport: 0] [Reason: Login Authentication Failed] at 09:50:54 PRM Wed Sep 23 2009

as you can see a part of the syslog message is entered as a username.

I can see requests on port 22 coming from the CW server ip address.

From the other side, device troubleshooting applet from CW says that ssh connectivity failed. (telnet connectivity is successful).

Putty from the CW server is working without any problem.

Router is running cisco ios 12.4(24)T1.

Any ideas how to troubleshoot and fix this strange behaviour?

Thx

1 Reply 1

DPodtikhov
Level 1
Level 1

Hm. Sorry, perhaps a browser has re-created this topic.

The solution was already found.

>>>

Well, i've figured out what caused this problem.

AUX port on one router was connected to the console port of the other router and vice versa.

So i suppose that one router initiated some console session to another router and syslogs falling into the console were entered as username/password fields.

The no logging console command did not solve the problem. The router uses the command line invitation (Router0xx>) as a username fnd authentication fails.

I have unplugged the cables and all is going fine. So it is not the bug of cisco ios, maybe there is some workaround to keep the console-aux cables plugged but i have not found it yet.

Thanks jclarke for your replies.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco