Device management and management tool troubleshooting - Part II
VTY Access Troubleshooting
Most devices can be accessed remotely via Telnet or SSH. Telnet is not recommended because every session between the management station and the router is sent as plain text: an attacker who captures the traffic can read everything passing back and forth. SSH encrypts the session, so the data cannot be read even if an attacker captures it. Let's look at some Telnet troubleshooting scenarios.
- Is the IP of the remote switch/router reachable? > Test this with a ping.
- Are the correct transport protocols defined for the line? > By default, on IOS 15.0 and later, Telnet and SSH are allowed; if other protocols are supported, they would typically be allowed as well. You can change which transport protocols are allowed for remote access with the transport input command. Verify the allowed protocols with show line vty <line number> | include allowed. In the example below, both Telnet and SSH are allowed for inbound and outbound connections on line vty 0.
- Does the line configuration ask for user credentials? > It does by default. The login command prompts the user for a password. To authenticate the user against the local database, use the login local command. To authenticate the user via AAA, use the login authentication {default | list_name} command.
- Is a password specified? > A password is required because the login command is enabled by default. If no password is set, the error message 'password required, but none set' appears. With login local or AAA, you are prompted for a username; if nothing is stored in the local database or on the AAA server, the login fails.
- Does an ACL define which management IPs may access the router? > Below, ACL 1 is applied to the vty lines and allows only the IP 192.168.1.11. The show output lists (7 matches), which means the router keeps count of how many remote access attempts were denied. To receive a log message indicating which IP was denied, add the log keyword to the end of the explicit deny entry in the ACL. Log message: %SEC-6-IPACCESSLOGS: list 1 denied 10.40.40.2 1 packet.
- Are all vty lines busy? > There are 5 vty lines by default, numbered 0 to 4. If all lines are in use, a new connection cannot be established. The show users command shows 1 console line and 5 vty connections on lines 0 to 4. If anyone else tries to log in, the request is refused and the switch prompts 'password required, but none set', although this is not actually a password problem. To clear lines manually, use the clear line command followed by the line number listed before 'vty' in the show users output, as shown below, not the vty number listed after it.
- Is an ACL in the path between the user and the router blocking port 23? > Port 23 is Telnet. If an ACL blocks port 23, you cannot telnet to the router.
- Correct SSH version? > Both versions 1 and 2 are enabled by default. The ip ssh version {1|2} command changes the version. The versions must match between the client and the device. The show ip ssh command displays the version; note that version 1.99 means both version 1 and version 2 are running.
- Correct login command specified? > SSH uses a username and password for authentication, so the plain login command does not work because it requests only a password. Use the login local command to authenticate against the local database, or the login authentication {default | list_name} command to authenticate with an AAA server.
- Correct key size specified? > SSHv2 requires an RSA key of 768 bits or greater. If you move from v1 to v2, you need to generate a new key for v2; otherwise SSHv2 will not work. If you plan to use v2 but the RSA key size is below 768, SSH connections are not allowed.
- Does an ACL block port 22 (SSH) between the client and the router? > SSH uses TCP port 22; if an ACL blocks it, you cannot log in via SSH.
- To verify SSH connections, use the show ssh command. Here it shows inbound and outbound SSHv2 connections: the username is cisco, the encryption is aes128-cbc and the HMAC is hmac-sha1.
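The checklist above can be turned into a quick configuration audit. The following script is an added example, not part of the original post or any Cisco tool: it runs the transport, login, access-class, ACL logging and SSH version checks over a constructed running-config excerpt and reports every item that fails.

```python
import re
# Constructed 'show running-config' excerpts (not from the page) that exercise the checklist above.
WEAK_CONFIG = """access-list 1 permit 192.168.1.11
access-list 1 deny any
ip ssh version 1
line vty 0 4
 access-class 1 in
 login
 transport input telnet ssh
"""
HARDENED_CONFIG = (WEAK_CONFIG.replace("deny any", "deny any log").replace("version 1", "version 2")
                   .replace(" login\n", " login local\n").replace("telnet ssh", "ssh"))

def vty_block(config: str) -> dict:
    """Sub-commands of the first 'line vty' block, keyed by their first keyword."""
    block, inside = {}, False
    for line in config.splitlines():
        if line.startswith("line vty"):
            inside = True
        elif inside and line.startswith(" "):
            block[line.split()[0]] = " ".join(line.split())
        elif inside:
            break
    return block

def audit_vty(config: str) -> list:
    """One finding per checklist item the config fails; an empty list means it passes."""
    findings, vty = [], vty_block(config)
    # No 'transport input' line: IOS 15.x allows both telnet and SSH by default.
    transport = vty.get("transport", "transport input telnet ssh")
    if "telnet" in transport or transport.endswith(" all"):
        findings.append("telnet allowed on vty: sessions cross the wire in plain text")
    # Bare 'login' asks for the line password only, so SSH username/password auth fails.
    if vty.get("login", "login") == "login":
        findings.append("'login' without local/authentication: SSH needs a username")
    access = vty.get("access-class")
    if access is None:
        findings.append("no access-class: any source IP may attempt a connection")
    else:  # deny entries need 'log' to produce the %SEC-6-IPACCESSLOGS message
        acl = access.split()[1]
        denies = re.findall(rf"^access-list {acl} deny\b.*$", config, flags=re.M)
        if any(not d.rstrip().endswith(" log") for d in denies):
            findings.append(f"ACL {acl} deny entry lacks 'log': refused attempts go unrecorded")
    m = re.search(r"^ip ssh version (\d)", config, flags=re.M)
    if not m or m.group(1) != "2":  # unset means 1.99, i.e. SSHv1 clients are still accepted
        findings.append("ip ssh version not pinned to 2")
    return findings

if __name__ == "__main__":
    print(audit_vty(WEAK_CONFIG), audit_vty(HARDENED_CONFIG))
```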
Next, in Part III, we will discuss password encryption levels and more.
Cheers!