Shark Attack
ssh issues to router
I will get a chance to get into the router via console. The router is in another state. For some reason, I am getting "connection refused" errors when trying to SSH in. It works just fine after a reboot, but after a few times or a few hours it will fail again with the above error. It happens daily. The only way to get back in is if I reboot the router.
The VTY lines look normal:
line vty 0 4
 session-timeout 40
 exec-timeout 40
 password 7 xxxxxxxxxxxx
 transport input ssh
I also have this:
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service password-recovery
Anything I should be checking for when I get into the console?
- I will check if the certificate is present
- If there are hung sessions
Anything else I could check to verify? There are no ACLs on the vty lines as you can see; not sure what else to look for.
Thank you
ASKER
Also got this on "show login":
Router presently in Quiet-Mode.
Will remain in Quiet-Mode for 6385 seconds.
Denying logins from all sources.
ASKER
That's my ACL:
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log (2454 matches)
40 permit tcp any any eq 22 log
This is the log message:
Jan 28 16:05:56.528: %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 10.153.0.223(54163) -> 0.0.0.0(22), 2 packet
So I can't do anything until that time elapses? Even via console mode?
You should be able to get in via console. I believe quiet mode is only applied to the vty interfaces.
ASKER
What is the command to lower that number down?
It should be the login block-for command. Do a "sh run | i block" (no quotes and leave a space before and after the pipe).
ASKER
Alright, I modified it. Will see what happens. Thanks.
ASKER
So I tried to take the ACL off the VTYs and it gives me the below error:
config-line)#no access-class sl_def_acl in
%WARNING: The access list currently in force is the Quiet Mode access
list. The specified access list takes effect only after switching back
to normal mode operation.
How do I turn off the quiet mode? Or fix the above so I can get back in?
I tried:
no login quiet-mode - that didn't help
Any help?
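The three pieces of output quoted in this thread ("show login", the sl_def_acl listing and the %SEC-6-IPACCESSLOGP line) can be read together by a short script. This is an added example, not part of the original thread: it reports how long quiet mode has left, which ACL entry decides each port under first-match evaluation, and which sources are being denied. The name `triage` and the regular expressions are assumptions of this example, and the ACL parsing covers only `tcp any any eq <port>` entries like those in the listing.

```python
import re
from collections import Counter

# Console capture assembled from the output quoted in this thread.
CAPTURE = """\
Router presently in Quiet-Mode.
Will remain in Quiet-Mode for 6385 seconds.
Denying logins from all sources.
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log (2454 matches)
    40 permit tcp any any eq 22 log
Jan 28 16:05:56.528: %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 10.153.0.223(54163) -> 0.0.0.0(22), 2 packet
"""

QUIET = re.compile(r"remain in Quiet-Mode for (\d+) seconds")
ACE = re.compile(r"^[ \t]*(\d+) (permit|deny) tcp any any eq (\S+)(?: log)?"
                 r"(?: \((\d+) match(?:es)?\))?[ \t]*$", re.M)
DENIED = re.compile(r"%SEC-6-IPACCESSLOGP: list \S+ denied tcp "
                    r"(\d+\.\d+\.\d+\.\d+)\(\d+\) -> \S+\((\d+)\), (\d+) packet")

def triage(text):
    """Summarise a quiet-mode lockout from pasted console output."""
    quiet = QUIET.search(text)
    first_match = {}  # port -> (seq, action, hits) of the entry that decides
    shadowed = []     # (seq, action, port, deciding seq): entries never reached
    for seq, action, port, hits in ACE.findall(text):
        if port in first_match:
            shadowed.append((int(seq), action, port, first_match[port][0]))
        else:
            first_match[port] = (int(seq), action, int(hits or 0))
    denied = Counter()  # (source IP, destination port) -> packets denied
    for src, dport, pkts in DENIED.findall(text):
        denied[(src, int(dport))] += int(pkts)
    return {
        "quiet_seconds_left": int(quiet.group(1)) if quiet else None,
        "first_match": first_match,
        "shadowed": shadowed,
        "denied_sources": dict(denied),
    }

if __name__ == "__main__":
    report = triage(CAPTURE)
    print("quiet mode seconds left:", report["quiet_seconds_left"])
    for seq, action, port, winner in report["shadowed"]:
        print(f"entry {seq} ({action} {port}) is never reached; entry {winner} matches first")
    for (src, dport), pkts in report["denied_sources"].items():
        print(f"{src} -> port {dport}: {pkts} packets denied")
```
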