I ran into an issue yesterday with a 2960X IOS-based Cisco switch and being unable to connect over SSH. Every time I connected, it prompted me for my credentials, but as soon as I entered them it instantly kicked me out. I asked my coworker to try his and he had the same experience.
I went over to the switch and consoled in to the stack master, and was able to get right in. I checked the logs, but nothing was abnormal. I checked the AAA settings, but nothing was wrong there either. The configuration hadn't been modified all day, and I remembered having successfully logged into this switch just earlier that morning.
Then I checked the VTY lines at the bottom of the running configuration.
Switch#sh run | b line vty
line vty 0 4
access-class 10 in
exec-timeout 0 0
logging synchronous
transport input ssh
line vty 5 15
access-class 10 in
no exec
transport input ssh
I thought this was really oddly configured. Access-list 10 is there to restrict certain users from logging in, and that was configured correctly. But an exec-timeout of "0 0" means the idle timeout is disabled. In other words, anyone could connect over SSH and, as long as they didn't disconnect, they would never be forced to. By default this is "exec-timeout 10 0", i.e. 10 minutes and 0 seconds of idle time.
Additionally, the "no exec" under line vty 5 15 meant that once the first 5 vty lines filled up, a user could connect but wouldn't be allowed to go to the enable prompt. Instead, they'd be disconnected.
Next, I checked all active SSH connections.
Switch#sh ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-cbc hmac-sha1 Session started user1
0 2.0 OUT aes256-cbc hmac-sha1 Session started user1
1 2.0 IN aes256-cbc hmac-sha1 Session started user1
1 2.0 OUT aes256-cbc hmac-sha1 Session started user1
2 2.0 IN aes256-cbc hmac-sha1 Session started user2
2 2.0 OUT aes256-cbc hmac-sha1 Session started user2
3 2.0 IN aes256-cbc hmac-sha1 Session started user3
3 2.0 OUT aes256-cbc hmac-sha1 Session started user3
4 2.0 IN aes256-cbc hmac-sha1 Session started user1
4 2.0 OUT aes256-cbc hmac-sha1 Session started user1
Aha! I found the issue! There were 5 active SSH connections, 3 of which were from the same user. Therefore, when I tried to connect, I was assigned vty line 5, and because of the "no exec" command I was immediately kicked out.
It turned out the above users had SSH'd into this switch at some point but never manually disconnected (via the "exit" command). Most likely they closed their PuTTY/Terminal session without properly exiting, but with the timeout set to infinite, the connection remained established.
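As an added example (not part of the original post), here is a small Python audit that applies the two checks above to constructed copies of the vty config and "show ssh" output: it flags the risky line commands, maps each vty to its user so repeat logins are visible, and reports how many of the exec-capable lines are still free before a new caller lands on vty 5. The column positions in the "show ssh" sample are an assumption based on the output shown.

```python
import re
# Constructed sample: the vty section of the running config before the fix.
VTY_CONFIG = """\
line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 logging synchronous
 transport input ssh
line vty 5 15
 access-class 10 in
 no exec
 transport input ssh
"""

# Constructed sample of 'show ssh'; IOS prints one IN and one OUT row per session.
SHOW_SSH = """\
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-cbc hmac-sha1 Session started user1
0 2.0 OUT aes256-cbc hmac-sha1 Session started user1
1 2.0 IN aes256-cbc hmac-sha1 Session started user1
1 2.0 OUT aes256-cbc hmac-sha1 Session started user1
2 2.0 IN aes256-cbc hmac-sha1 Session started user2
2 2.0 OUT aes256-cbc hmac-sha1 Session started user2
3 2.0 IN aes256-cbc hmac-sha1 Session started user3
3 2.0 OUT aes256-cbc hmac-sha1 Session started user3
4 2.0 IN aes256-cbc hmac-sha1 Session started user1
4 2.0 OUT aes256-cbc hmac-sha1 Session started user1
"""

# Line-mode commands that let idle sessions pile up or drop new callers.
RISKY = {"exec-timeout 0 0": "idle timeout disabled",
         "no exec": "no EXEC on line, callers are dropped"}
# Walk the 'line vty A B' blocks and report (block, problem) for each risky command.
def audit_vty(config):
    findings, block = [], None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+) (\d+)$", raw)
        if m:
            block = f"vty {m.group(1)}-{m.group(2)}"
        elif block and raw.strip() in RISKY:
            findings.append((block, RISKY[raw.strip()]))
    return findings

# Map vty number -> username, using only the IN row so IN/OUT pairs are not double counted.
def ssh_sessions(show_ssh):
    rows = [r.split() for r in show_ssh.splitlines()[1:]]
    return {int(f[0]): f[-1] for f in rows if len(f) > 2 and f[2] == "IN"}
# Exec-capable lines still free (vty 0-4 here); at zero the next caller lands on vty 5.
def free_exec_lines(sessions, exec_lines=5):
    return exec_lines - sum(1 for v in sessions if v < exec_lines)
```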
A few commands later, and I was able to SSH in.
Switch#disconnect ssh vty 0
Switch#disconnect ssh vty 1
Switch#disconnect ssh vty 2
Switch#disconnect ssh vty 3
Switch#disconnect ssh vty 4
I then reset the vty line settings back to their defaults to prevent this from happening again.
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#line vty 0 15
Switch(config-line)#exec-timeout 10 0
Switch(config-line)#exec
Switch(config-line)#end
Switch#sh run | b line vty
line vty 0 4
access-class 10 in
logging synchronous
transport input ssh
line vty 5 15
access-class 10 in
transport input ssh