
I have a couple of switches that are trunked via a LAN cable from another switch. I noticed that these switches are sometimes hard to SSH into. I get the error: "Connection timed out". After a while and a few tries I can connect just fine. I checked the logs (sh log) and don't really see anything helpful.

I have the following set on all the switches:

aaa new-model
aaa authentication login default local
aaa authorization exec default local 
aaa authorization network default local 
aaa session-id common

line vty 0 4
 access-class VTY-ACL in vrf-also
 exec-timeout 9 59
 logging synchronous
 transport input ssh
 transport output ssh
line vty 5 15
 access-class VTY-ACL in vrf-also
 exec-timeout 9 59
 logging synchronous
 no exec
 transport input none
 transport output none
line vty 16 31
 exec-timeout 9 59
 no exec
 transport input none
 transport output none

The switches are up with no interruption. I can console in fine.

#Show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -
      1 VTY              -    -      -    -    -     57       0     0/0       -
*     2 VTY              -    -      -    -    -      9       0     0/0       -
      3 VTY              -    -      -    -    -      0       0     0/0       -
      4 VTY              -    -      -    -    -      0       0     0/0       -
      5 VTY              -    -      -    -    -      0       0     0/0       -
      6 VTY              -    -      -    -    -      0       0     0/0       -
      7 VTY              -    -      -    -    -      0       0     0/0       -
      8 VTY              -    -      -    -    -      0       0     0/0       -
      9 VTY              -    -      -    -    -      0       0     0/0       -
     10 VTY              -    -      -    -    -      0       0     0/0       -
     11 VTY              -    -      -    -    -      0       0     0/0       -
     12 VTY              -    -      -    -    -      0       0     0/0       -
     13 VTY              -    -      -    -    -      0       0     0/0       -
     14 VTY              -    -      -    -    -      0       0     0/0       -
     15 VTY              -    -      -    -    -      0       0     0/0       -
     16 VTY              -    -      -    -    -      0       0     0/0       -
     17 VTY              -    -      -    -    -      0       0     0/0       -
     18 VTY              -    -      -    -    -      0       0     0/0       -
     19 VTY              -    -      -    -    -      0       0     0/0       -
     20 VTY              -    -      -    -    -      0       0     0/0       -
     21 VTY              -    -      -    -    -      0       0     0/0       -
     22 VTY              -    -      -    -    -      0       0     0/0       -
     23 VTY              -    -      -    -    -      0       0     0/0       -
     24 VTY              -    -      -    -    -      0       0     0/0       -
     25 VTY              -    -      -    -    -      0       0     0/0       -
     26 VTY              -    -      -    -    -      0       0     0/0       -
     27 VTY              -    -      -    -    -      0       0     0/0       -
     28 VTY              -    -      -    -    -      0       0     0/0       -
     29 VTY              -    -      -    -    -      0       0     0/0       -
     30 VTY              -    -      -    -    -      0       0     0/0       -
     31 VTY              -    -      -    -    -      0       0     0/0       -
     32 VTY              -    -      -    -    -      0       0     0/0       -


#Show access-list VTY-ACL
Extended IP access list VTY-ACL
    10 permit tcp 10.20.30.0 0.0.0.255 10.20.30.0 0.0.0.255 eq 22 (16 matches)
    20 permit tcp 10.20.30.0 0.0.15.255 10.20.30.0 0.0.0.255 eq 22 (92 matches)
    30 permit tcp host 10.20.30.100 10.20.30.0 0.0.15.255 eq 22
    70 deny ip any any log-input (11 matches)
  • Connection timed out implies that you don't have (reliable) IP connectivity. Either a physical problem (layer 1) or a routing problem. Perhaps a FW?
    – Ron Trunk
    Commented Mar 27 at 14:06
  • If there were a misconfiguration, you would likely get a "connection refused" message.
    – Ron Trunk
    Commented Mar 27 at 14:11
  • All switches have the same FW (17.09.04a). Aside from initial SSH connectivity, everything else seems to be working normally. Once I can connect to SSH, it doesn't drop out.
    – Rick151
    Commented Mar 27 at 14:17
  • Probably IP conflict. Something else has the same IP you are using, and once ARP times out you get in and stay in as long as the connection is in use. The configuration of the different VTYs seems odd to me too. Why are they different?
    Commented Mar 27 at 14:26
  • Please show which IP you're trying to SSH into and where that IP is configured. Also, have you enabled IP routing?
    – guninvalid
    Commented Mar 30 at 6:19

1 Answer


You can only SSH into VTY lines 0 to 4. If you hit a VTY line above that, you have disabled SSH. You need to enable it on all your VTY lines. Just apply the same settings you have on 0 to 4 to 0 to 31:

line vty 0 31
 access-class VTY-ACL in vrf-also
 exec-timeout 9 59
 logging synchronous
 transport input ssh
 transport output ssh
  • If SSH were disabled, he would get "connection refused."
    – Ron Trunk
    Commented Mar 27 at 14:45
  • Depends on the acl, and several other bits of config that aren't shown.
    – Ricky
    Commented Mar 28 at 1:56
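As an added example (not from the question or answer, and not a Cisco tool), this Python script parses `line vty` stanzas from a pasted running-config excerpt into per-line settings, so the gap the answer points at (vty 5 to 31 with `transport input none`) and any SSH-reachable line missing an `access-class` can be checked mechanically. The two config strings are constructed from the stanzas shown on this page, with the exec-timeout and logging lines omitted.

```python
import re

# Constructed samples: the VTY stanzas from the question, and the single
# stanza proposed in the answer (exec-timeout/logging lines left out).
QUESTION_CONFIG = """
line vty 0 4
 access-class VTY-ACL in vrf-also
 transport input ssh
line vty 5 15
 access-class VTY-ACL in vrf-also
 no exec
 transport input none
line vty 16 31
 no exec
 transport input none
"""
ANSWER_CONFIG = """
line vty 0 31
 access-class VTY-ACL in vrf-also
 transport input ssh
"""
STANZA = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")

def parse_vty(config: str) -> dict:
    """Expand each 'line vty A B' stanza into a settings dict per VTY number."""
    lines, current = {}, []
    for raw in config.splitlines():
        m = STANZA.match(raw)
        if m:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            current = list(range(first, last + 1))
            for n in current:
                lines.setdefault(n, {})
        elif raw.startswith(" ") and current:
            words = raw.split()
            if words[0] == "no":                 # 'no exec'
                key, value = words[1], "no"
            elif words[0] == "transport":        # 'transport input ssh'
                key, value = "transport " + words[1], words[2]
            else:                                # 'access-class VTY-ACL in vrf-also'
                key, value = words[0], " ".join(words[1:])
            for n in current:
                lines[n][key] = value
    return lines

def ssh_capable(lines: dict) -> list:
    """VTY numbers that accept SSH and still run an exec."""
    return sorted(n for n, s in lines.items()
                  if s.get("transport input") == "ssh" and s.get("exec") != "no")

def unguarded(lines: dict) -> list:
    """SSH-capable VTYs with no access-class applied; should always be empty."""
    return sorted(n for n in ssh_capable(lines) if "access-class" not in lines[n])
```

Run against the question's stanzas it reports SSH only on vty 0 to 4; against the answer's single stanza it reports all 32 lines, with no unguarded lines in either case.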
