Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

SHH Sessions in Syslog

I have a 2620xm router with SSH for authentication/access......

I monitor the router with Syslog Watcher.....

I keep getting messages in syslog that a SSH session from my workstation has been started and then terminated when I am not accessing the router....

thanks

Dave

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: SHH Sessions in Syslog

Can we try it using with putty to rule out secureCRT problem?

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
9 REPLIES
Cisco Employee

SHH Sessions in Syslog

can you please paste the exact syslog message? Also, are you using any script to login into the router?

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: SHH Sessions in Syslog

Here are the messages I keep getting........I am not running any scripts.

I just do not understand why I get the message when I have not accessed the router at all.....

I believe it is just an annoying message but I thank you for any clarification.....

10/15/2013 14:11    Notice    192.168.0.50    %SSH-5-SSH2_CLOSE: SSH2 Session from 192.168.0.15(scorpion-7.scorpnet.drichwalski.net) (tty = 0) for user 'SCORPION' using crypto cipher 'aes192-cbc'     hmac 'hmac-md5' closed
10/15/2013 14:11    Notice    192.168.0.50    %SSH-5-SSH2_USERAUTH: User 'SCORPION' authentication for SSH2 Session from 192.168.0.15(scorpion-7.scorpnet.drichwalski.net) (tty = 0) using crypto cipher 'aes192-cbc'     hmac 'hmac-md5' Succeeded
10/15/2013 14:11    Notice    192.168.0.50    %SSH-5-SSH2_SESSION: SSH2 Session request from 192.168.0.15(scorpion-7.scorpnet.drichwalski.net) (tty = 0) using crypto cipher 'aes192-cbc'     hmac 'hmac-md5' Succeeded

Cisco Employee

Re: SHH Sessions in Syslog

could you please provide me the output of commands mentioned below.

show ip ssh

show line

who

show run | in ssh

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: SHH Sessions in Syslog

Here is the output.......

stinger#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 5
stinger#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -
     65 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
*    66 VTY              -    -      -    -   23     91       0     0/0       -
     67 VTY              -    -      -    -   23      0       0     0/0       -
     68 VTY              -    -      -    -   23      0       0     0/0       -
     69 VTY              -    -      -    -   23      0       0     0/0       -
     70 VTY              -    -      -    -   23      0       0     0/0       -

Line(s) not in async mode -or- with no hardware support:
1-64

stinger#who
    Line       User       Host(s)              Idle       Location
* 66 vty 0     SCORPION   idle                 00:00:00
                                             scorpion-7.scorpnet.drichwalski.net

  Interface    User               Mode         Idle     Peer Address

stinger#show run | in ssh
ip ssh authentication-retries 5
ip ssh logging events
ip ssh version 2
transport input ssh

Cisco Employee

Re: SHH Sessions in Syslog

looking at the above debugs, it seems on line vty 66, a connection is continous to attemp on port 23 with a username scorpion.

I need to know if it's only happening on this line or any random line. Can you do clear line vty 66 and keep monitor the session of show line and who.

Also, make sure we don't have any application in use to connect with this device with auto-login.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: SHH Sessions in Syslog

I rebooted the router to clear everything out.......

I flushed the syslog server........

I access the router using SecureCRT..........

I still show many connections have been made to line vty 66...........

I have a feeling that SecureCRT is leaving something weird behind when I disconnect from a session.........

Cisco Employee

Re: SHH Sessions in Syslog

Can we try it using with putty to rule out secureCRT problem?

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: SHH Sessions in Syslog

ok.....I rebooted the router again and my workstation.........

Ran putty and it looks like it was a problem with SecureCRT.......

With putty I only show the connection I made.....

Unless you can think of anything else I consider this case CLOSED!!

THANK YOU............for your help.

Cisco Employee

Re: SHH Sessions in Syslog

I'm glad that we able to figured it out

Take care.

~BR
Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
637
Views
0
Helpful
9
Replies