Solved

ssh issues to router

Posted on 2015-01-28
Last Modified: 2015-01-28
I will get a chance to get into the router via console. The router is in another state. For some reason, I am getting "connection refused" errors when trying to SSH in. It works just fine after a reboot, but after a few times or a few hours it will fail again with the above error. It happens daily. The only way to get back in is if I reboot the router.

The VTY lines look normal:
line vty 0 4
 session-timeout 40
 exec-timeout 40
 password 7 xxxxxxxxxxxx
 transport input ssh

I also have this:
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service password-recovery

Anything I should be checking for when I get into the console?
- I will check if the certificate is present
- If there are hung sessions

Anything else I could check to verify? There are no ACLs on the VTY lines as you can see; not sure what else to look for.

thank you
Question by:Shark Attack
8 Comments
 
LVL 3

Author Comment

by:Shark Attack
ID: 40575481
Well, I did find out there is an ACL on the VTY lines. I am not sure why it didn't show up in my previous show run. Must have been coming back after reboots.

So I tried to take the ACL off the VTYs and it gives me the below error:

config-line)#no access-class sl_def_acl in
%WARNING: The access list currently in force is the Quiet Mode access
list. The specified access list takes effect only after switching back
to normal mode operation.

How do I turn off the quiet mode, or fix the above so I can get back in?

I tried:
no login quiet-mode - that didn't help

Any help?
 
LVL 3

Author Comment

by:Shark Attack
ID: 40575486
I also got this on "show login":

     Router presently in Quiet-Mode.
     Will remain in Quiet-Mode for 6385 seconds.
     Denying logins from all sources.
 
LVL 28

Accepted Solution

by: Jan Springer (earned 500 total points)
ID: 40575682
sh run | i quiet

It sounds like quiet mode is turned on.

First try updating the access-list and reapply it to the vty. Then optionally modify the quiet mode configuration to something lower.

That is, after your 6385 seconds have elapsed.
 
LVL 3

Author Comment

by:Shark Attack
ID: 40575701
That's my ACL:
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log (2454 matches)
    40 permit tcp any any eq 22 log

This is the log message:
Jan 28 16:05:56.528: %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 10.153.0.223(54163) -> 0.0.0.0(22), 2 packet

So I can't do anything until that time elapses? Even via console mode?
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40575707
You should be able to get in via console. I believe quiet mode is only applied to the vty interfaces.
 
LVL 3

Author Comment

by:Shark Attack
ID: 40575727
What is the command to lower that number down?
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40575734
It should be the login block-for command. Do a "sh run | i block" (no quotes and leave a space before and after the pipe).
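Putting the two replies above together (the accepted answer: reapply a corrected access list to the VTYs and lower the quiet-mode setting; and the follow-up: the setting lives under `login block-for`), here is an added IOS configuration example. It is constructed for illustration and is not the asker's configuration or Jan Springer's. `login block-for`, `login quiet-mode access-class`, `login on-failure log`, `login on-success log`, `show login` and `show login failures` are standard IOS login-enhancement commands; the 7200-second block period, the ACL name MGMT-HOSTS and the 192.0.2.0/24 management subnet are assumptions, and 10.153.0.223 is taken from the log line posted earlier in this thread.

```cisco
! Added example (constructed): a "before" and "after" for the IOS login block feature.
! Not the original poster's configuration; names and timers are assumptions.
!
! --- BEFORE: the kind of setting that produces the symptom in this thread ---
! After 5 failed logins within 120 seconds the router enters quiet mode for
! 7200 seconds (assumed value). With no quiet-mode access-class configured,
! IOS installs its default sl_def_acl on the VTY lines, which denies ALL new
! Telnet/SSH/HTTP connections. A scanner or a mistyped password anywhere on
! the network locks the administrator out until the timer expires or the
! router is reloaded; the console is unaffected.
login block-for 7200 attempts 5 within 120
!
! --- AFTER: keep the brute-force protection, but never lock out management ---
! Hosts that must always be able to reach the VTYs during quiet mode.
! 10.153.0.223 is the source seen in the posted log line; 192.0.2.0/24 is an
! assumed management subnet (placeholder).
ip access-list standard MGMT-HOSTS
 permit host 10.153.0.223
 permit 192.0.2.0 0.0.0.255
 deny   any
!
! Shorter quiet period: still slows password guessing, recovers in 2 minutes.
login block-for 120 attempts 5 within 60
! While in quiet mode, apply this ACL instead of the built-in sl_def_acl,
! so the permitted management hosts can still log in.
login quiet-mode access-class MGMT-HOSTS
! Log both outcomes so a lockout can be traced to the source address.
login on-failure log
login on-success log
!
! Verification (exec mode):
!   show login                -> should show "Router presently in Normal-Mode"
!                                when idle, the block period, and the
!                                quiet-mode access list name.
!   show login failures       -> source addresses of recent failed attempts.
!   show run | include login  -> confirms the commands above.
```

The "before" block is what to look for with `sh run | i block`: a long block period combined with no `login quiet-mode access-class` line means every failed-login burst, from any source, produces exactly the daily "connection refused" lockout described in the question. The "after" block keeps the defence but narrows its blast radius to untrusted sources.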
 
LVL 3

Author Comment

by:Shark Attack
ID: 40575745
Alright, I modified it. Will see what happens. Thanks.