SSH Login Failure
1. Checking Whether the SSH Server Can Be Pinged
Check whether the switch (that is, the SSH server) and terminal can ping each other.
First check whether an IP address conflict occurs based on ARP entries. To view ARP entries on a PC (for example, a PC running a Windows operating system), choose Start > Run, enter cmd, press Enter, and run the arp -a command in the window that is displayed.
<PC> arp -a
Interface: 10.10.10.150 --- 0xb
  Internet Address      Physical Address      Type
  10.10.10.1            00-00-00-00-11-11     dynamic    //ARP entry of the gateway
  10.10.10.23           00-00-00-00-22-22     dynamic
  10.10.10.255          ff-ff-ff-ff-ff-ff     dynamic
Check whether the IP and MAC addresses of the gateway in the ARP table are the same as the actual ones. If not, check whether a device on the intranet uses the same IP address as the gateway. If so, modify the IP address of the conflicting device.
Ensure that there is no IP address conflict. If the PC has two network adapters that use the same external IP address, disable one network adapter. Ping the SSH server’s IP address from the PC. If a VPN is configured, add the VPN instance name. The following is an example that shows how to ping the management IP address of the SSH server (22.214.171.124) from the PC.
<PC> ping 126.96.36.199
PING 188.8.131.52: 56 data bytes, press CTRL_C to break
Reply from 184.108.40.206: bytes=56 Sequence=1 ttl=127 time=3 ms
Reply from 220.127.116.11: bytes=56 Sequence=2 ttl=127 time=11 ms
Reply from 18.104.22.168: bytes=56 Sequence=3 ttl=127 time=2 ms
Reply from 22.214.171.124: bytes=56 Sequence=4 ttl=127 time=2 ms
Reply from 126.96.36.199: bytes=56 Sequence=5 ttl=127 time=11 ms
--- 188.8.131.52 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/5/11 ms
If the ping operation fails, rectify the fault. If the PC and switch are directly connected, locate the fault by referring to "A Switch Cannot Be Pinged by a Directly Connected Device" in the Revelations of Troubleshooting. If the PC is not directly connected to the switch, check whether there is a reachable route between them, and whether restriction policies are configured on the PC, the switch, or an intermediate device.
2. Checking SSH Server Status on the Server
Log in to the switch using Telnet or through a console port. Run the display ssh server status command and ensure the following settings are correct:
SSH version number (the value 1.99 indicates v1 and v2 are both supported)
The STelnet service is enabled and the source IP address is configured for the SSH server.
SSH server port number
[HUAWEI] display ssh server status
 SSH version                        :1.99          //SSH v1 and SSH v2 are both supported.
 SSH connection timeout             :60 seconds
 SSH server key generating interval :0 hours
 SSH authentication retries         :3 times
 SFTP server                        :Disable
 Stelnet server                     :Disable       //The STelnet service is disabled.
 Scp server                         :Disable
 SSH server port                    :1026          //The SSH server port number is changed.
 SSH server source interface        :LoopBack100   //The source IP address is configured for the SSH server.
If the STelnet service is disabled, run the stelnet server enable command in the system view to enable it.
If the source IP address is configured, log in to the switch using this IP address. Otherwise, run the undo ssh server-source command to cancel the configuration.
[HUAWEI] undo ssh server-source
Warning: SSH server source configuration will take effect in the next login. Continue? [Y/N]:y
Info: The source configuration of SSH server is restored to default value.
If the SSH server port number has been changed, change the port number accordingly during the SSH login. For example, change the SSH server port number to 1026 in SecureCRT.
If you use the default port number during the SSH login, delete the configured SSH server port number.
[HUAWEI] undo ssh server port
Warning: The operation will disconnect all online users. Continue? [Y/N]:y
Info: Succeeded in changing SSH listening port.
3. Checking for Idle Channels on the SSH Server
Log in to the switch using Telnet or through the console port. Check the VTY configuration, and ensure that the SSH protocol and AAA authentication have been configured for VTY channels.
The following example shows that AAA authentication and the SSH protocol have been configured.
[HUAWEI] display current-configuration configuration user-interface
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode aaa     //AAA mode is configured.
 user privilege level 15
 protocol inbound all        //The SSH protocol is configured.
user-interface vty 16 20
#
Check whether all VTY channels are occupied by online users.
For example, run the display users command. The output shows that VTY 0-4 are occupied, so SSH login fails.
<HUAWEI> display users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  34  VTY 0   00:04:11  TEL    10.137.211.108      no
  Username : Unspecified
+ 35  VTY 1   00:00:00  TEL    10.137.211.108      no
  Username : Unspecified
  36  VTY 2   00:37:19  TEL    10.135.41.122       no
  Username : Unspecified
  37  VTY 3   00:31:06  TEL    10.135.32.199       no
  Username : Unspecified
  38  VTY 4   02:14:06  TEL    10.135.22.124       no
  Username : Unspecified
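The checks in steps 2 and 3 can be applied to captured command output instead of by eye. The following is an added example, not part of the Huawei document: it parses constructed samples modelled on the display ssh server status and display users outputs above and reports which of the page's causes of SSH login failure they show. The VTY range 0-4 is assumed to be the one on which protocol inbound all is configured.

```python
import re

# Constructed samples modelled on the step 2 and step 3 outputs on this page.
SSH_STATUS = """\
SSH version                 :1.99
SSH connection timeout      :60 seconds
SFTP server                 :Disable
Stelnet server              :Disable
Scp server                  :Disable
SSH server port             :1026
SSH server source interface :LoopBack100
"""
USERS = """\
  User-Intf  Delay     Type  Network Address  AuthenStatus  AuthorcmdFlag
  34 VTY 0   00:04:11  TEL   10.137.211.108   no            Username : Unspecified
+ 35 VTY 1   00:00:00  TEL   10.137.211.108   no            Username : Unspecified
  36 VTY 2   00:37:19  TEL   10.135.41.122    no            Username : Unspecified
  37 VTY 3   00:31:06  TEL   10.135.32.199    no            Username : Unspecified
  38 VTY 4   02:14:06  TEL   10.135.22.124    no            Username : Unspecified
"""

def parse_ssh_status(text):
    """Turn the 'Field :Value' lines into a dict keyed by lower-case field name."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def ssh_server_problems(text):
    """Step 2 checks: each finding names the fix the page gives for it."""
    f = parse_ssh_status(text)
    problems = []
    if f.get("stelnet server", "").lower() != "enable":
        problems.append("STelnet disabled: run 'stelnet server enable'")
    port = int(f.get("ssh server port", "22"))
    if port != 22:
        problems.append(f"SSH port {port}: set it in the client or run 'undo ssh server port'")
    if f.get("ssh server source interface"):
        problems.append("source interface set: use its IP or run 'undo ssh server-source'")
    return problems

def occupied_vtys(text):
    """VTY numbers that 'display users' reports as in use."""
    return sorted(int(m.group(1)) for m in re.finditer(r"\bVTY\s+(\d+)", text))

def vty_exhausted(text, first=0, last=4):
    """Step 3: True when every channel in the SSH-enabled VTY range is busy."""
    busy = set(occupied_vtys(text))
    return all(n in busy for n in range(first, last + 1))
```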
4. Checking SSH Configuration Information on the Server
Log in to the switch using Telnet or through the console port. Check the following SSH configuration information:
Check whether SSH configuration information is available for the login account and whether the configuration is complete.
If SSH configuration information is unavailable for the login account, run the ssh authentication-type default password command.
If the RSA public key does not exist on the switch, run the rsa local-key-pair create command.
The following example shows how to check SSH configuration information for the login account.
<HUAWEI> display current-configuration | include ssh
 ssh authentication-type default password
 ssh user client001
 ssh user client001 authentication-type password
 ssh user client001 service-type all
Check whether the RSA public key exists on the switch.
[HUAWEI] display rsa local-key-pair public
[HUAWEI]     //No output, indicating that the key pair does not exist and needs to be created.
[HUAWEI] rsa local-key-pair create     //Create an RSA public key.
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       it will take a few minutes.
Input the bits in the modulus[default = 512]:1024     //Enter the value manually.
5. Checking Whether an ACL Is Bound to VTY User Interfaces on the SSH Server
Log in to the switch using Telnet or through the console port. Check VTY configuration and determine whether an ACL has been bound to VTY user interfaces.
For example, run the display this command to check whether an ACL has been bound to VTY 0-4.
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] display this
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 acl 3999 inbound          //ACL 3999 is bound to VTY 0-4.
 authentication-mode aaa
 user privilege level 15
 protocol inbound all
user-interface vty 16 20
#
Check ACL configuration and determine whether the client IP address is permitted.
[HUAWEI] acl 3999
[HUAWEI-acl-adv-3999] display this
#
acl number 3999
 rule 1 permit tcp source 184.108.40.206 0
 rule 2 permit tcp source 220.127.116.11 0
 rule 3 permit tcp source 18.104.22.168 0
 rule 4 permit tcp source 22.214.171.124 0
 rule 15 deny ip
#
If the IP address belongs to a VPN instance, specify VPN parameters in the ACL.
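To check whether a client address passes an ACL of the kind bound to VTY 0-4 above, the rules can be evaluated offline against the client IP. This is an added example, not from the Huawei document; the ACL text and addresses are constructed (the page's ACL uses only host rules with wildcard 0, and this example also handles range wildcards such as 0.0.0.255, where a 1 bit in the wildcard means "don't care"). Rules are evaluated in ascending rule number, the order the page's display this output shows.

```python
import ipaddress
import re

# Constructed ACL modelled on the step 5 output; ends with an explicit deny-all like the page's rule 15.
ACL_3999 = """\
acl number 3999
 rule 1 permit tcp source 192.0.2.10 0
 rule 2 permit tcp source 192.0.2.0 0.0.0.255
 rule 15 deny ip
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+source\s+(\S+)\s+(\S+))?")

def _to_int(addr):
    """Dotted-quad to int; the CLI abbreviates wildcard 0.0.0.0 as plain '0'."""
    return int(ipaddress.IPv4Address("0.0.0.0" if addr == "0" else addr))

def wildcard_match(client_ip, rule_ip, wildcard):
    """Wildcard semantics: 0 bits must match, 1 bits are ignored."""
    differing = _to_int(client_ip) ^ _to_int(rule_ip)
    care_bits = ~_to_int(wildcard) & 0xFFFFFFFF
    return (differing & care_bits) == 0

def parse_acl(text):
    """Return (number, action, protocol, source, wildcard) tuples in evaluation order."""
    rules = []
    for m in RULE_RE.finditer(text):
        num, action, proto, src, wc = m.groups()
        rules.append((int(num), action, proto, src, wc))
    return sorted(rules)

def acl_decision(text, client_ip, proto="tcp"):
    """First matching rule wins; returns (rule_number, action), or None if nothing matched."""
    for num, action, rule_proto, src, wc in parse_acl(text):
        if rule_proto not in ("ip", proto):
            continue
        if src is None or wildcard_match(client_ip, src, wc):
            return num, action
    return None
```

A result of ("deny", rule 15) for the client address tells you which permit rule to add; None means the packet fell through every rule, which cannot happen with a trailing deny ip.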
6. Checking Whether a TCP Connection Can Be Established
Log in to the switch using Telnet or through the console port. On the switch (that is, the SSH server), use STelnet to connect to the switch's own IP address. If the connection can be established, the SSH service itself is working and the fault lies on the link between the client and the switch.
[HUAWEI] ssh client first-time enable     //Ensure ssh client first-time enable has been configured before using STelnet to connect to the switch.
[HUAWEI] stelnet 10.137.131.164     //Connect to the switch using STelnet from the SSH server, and check whether the IP address is allowed in the ACL.
Please input the username:ssh
Trying 10.137.131.164 ...
Press CTRL+K to abort
Connected to 10.137.131.164 ...
Enter password:     //Successfully connected to the switch.
Info: The max number of VTY users is 20,
      and the number of current VTY users on line is 7.
      The current login time is 2013-12-16 11:44:29+00:00.
7. Checking Whether a Correct User Name and Password Are Provided
Ensure that the user name and password you entered have been configured on the SSH server. If an incorrect user name or password was provided, enter the correct one. If the user name and password are correct, check the protocol type, IP address, and port number configured on the client software. If login still fails, try another PC or client software.
8. Collecting Information and Seeking Technical Support
If the fault persists, collect related information and seek technical support.
Collecting Fault Information
Collect operation results of the preceding steps and record the results in a file.
Collect all diagnostic information and export the information to a file.
Run the display diagnostic-information file-name command in the user view to collect diagnostic information and save the information to a file.
<HUAWEI> display diagnostic-information dia-info.txt
Now saving the diagnostic information to the device
100%
Info: The diagnostic information was saved to the device successfully.
When the diagnostic file is generated, you can export the file from the device using FTP, SFTP, or SCP.
You can run the dir command in the user view to check whether the file is generated.
You can also run the display diagnostic-information command and save terminal logs in a diagnostic file on a disk.
If this command displays a long output, press Ctrl+C to abort this command.
This command displays diagnostic information, which helps locate faults but may affect system performance. For example, CPU usage may become high. Therefore, do not use this command when the system is running properly.
Do not run the display diagnostic-information command simultaneously on multiple terminals connected to the device, because CPU usage may increase significantly and device performance may degrade.
Collect the log and trap information on the device and export the information to files.
Run the save logfile all command in the user view to save the logs in the user log buffer area and diagnostic log buffer area to the user log file and diagnostic log file, respectively.
<HUAWEI> save logfile all
Info: Save logfile successfully.
Info: Save diagnostic logfile successfully.
When the log files have been saved, you can export them from the device using FTP, SFTP, or SCP.
You can also run the display logbuffer and display trapbuffer commands to view the log and trap information on the device, and save the information in diagnostic files on a disk.
If the steps are still unclear, contact [email protected] to seek technical support.
Technical support personnel will provide instructions for you to submit all the collected information and files, so that they can locate faults.