Network devices usually managed through SSH services. Sometimes, those devices lost SSH access with" The remote system refused the connection."
error message presenting on the SSH client such as SecureCRT. No matter how you tried from Internal or External interface, it is always same. Is there any configuration wrong? If yes, why did it work at last time?
Symptoms:
Through console port, there were some of interesting things:
Router1#show connection
ID Name
Segment 1
Segment 2
State
================================================================================
Router1#show users
Line
User Host(s)
Idle Location
* 1 aux 0 user2
idle
00:00:00
132 vty 0 user1
100.9.1.1 48w0d
10.94.200.28
133 vty 1 user1
100.9.1.1 48w0d 10.94.200.28
134 vty 2 user1
100.9.1.1 48w0d
10.94.200.28
135 vty 3 user1
100.9.1.1 48w0d
10.94.200.28
136 vty 4 user1
100.9.1.1 47w6d
10.94.200.28
137 vty 5 user1
100.9.1.1 47w6d
10.94.200.28
138 vty 6 user1
100.9.1.1 47w6d
10.94.200.28
139 vty 7 user1
100.9.1.1 47w1d
10.94.200.28
140 vty 8 user1
100.9.1.1 47w1d
10.94.200.28
141 vty 9 user1
100.9.1.1 46w5d
10.94.200.28
142 vty 10 user1
100.9.1.1 43w5d
10.94.200.28
143 vty 11 user1
100.9.1.1 43w4d
10.94.200.28
144 vty 12 user1
100.9.1.1 41w6d
10.94.200.28
145 vty 13 user1
100.9.1.1 41w6d
10.94.200.28
146 vty 14 user1
100.9.1.1 41w6d
10.94.200.28
147 vty 15 user1
100.9.1.1 41w6d
10.94.200.28
Interface User
Mode
Idle Peer Address
Router1#show ssh
Connection Version Mode Encryption
Hmac State
Username
0
2.0 IN aes256-cbc hmac-sha1
Session started user1
0
2.0 OUT aes256-cbc hmac-sha1
Session started user1
1
2.0 IN aes256-cbc hmac-sha1
Session started user1
1
2.0 OUT aes256-cbc hmac-sha1
Session started user1
2
2.0 IN aes256-cbc hmac-sha1
Session started user1
2
2.0 OUT aes256-cbc hmac-sha1
Session started user1
3
2.0 IN aes256-cbc hmac-sha1
Session started user2
3
2.0 OUT aes256-cbc hmac-sha1
Session started user2
4
2.0 IN aes256-cbc hmac-sha1
Session started user2
4
2.0 OUT aes256-cbc hmac-sha1
Session started user2
5
2.0 IN aes256-cbc hmac-sha1
Session started user1
5
2.0 OUT aes256-cbc hmac-sha1
Session started user1
6
2.0 IN aes256-cbc hmac-sha1
Session started user1
6
2.0 OUT aes256-cbc hmac-sha1
Session started user1
7
2.0 IN aes256-cbc hmac-sha1
Session started user1
7
2.0 OUT aes256-cbc hmac-sha1
Session started user1
8
2.0 IN aes256-cbc hmac-sha1
Session started user1
8
2.0 OUT aes256-cbc hmac-sha1
Session started user1
9
2.0 IN aes256-cbc hmac-sha1
Session started user1
9
2.0 OUT aes256-cbc hmac-sha1
Session started user1
10 2.0
IN aes256-cbc hmac-sha1 Session started
user1
10 2.0
OUT aes256-cbc hmac-sha1 Session started
user1
11 2.0
IN aes256-cbc hmac-sha1 Session started
user1
11 2.0
OUT aes256-cbc hmac-sha1 Session started
user1
12 2.0
IN aes256-cbc hmac-sha1 Session started
user1
12 2.0
OUT aes256-cbc hmac-sha1 Session started
user1
13 2.0
IN aes256-cbc hmac-sha1 Session started
user1
13 2.0
OUT aes256-cbc hmac-sha1 Session started
user1
14 2.0
IN aes256-cbc hmac-sha1 Session started
user1
14 2.0
OUT aes256-cbc hmac-sha1 Session started
user1
15 2.0
IN aes256-cbc hmac-sha1 Session started
user1
15 2.0
OUT aes256-cbc hmac-sha1 Session started
user1
%No SSHv1 server connections
running.
Router1#show line
Tty Line Typ
Tx/Rx A Modem Roty AccO AccI Uses Noise
Overruns Int
* 0 0
CTY - -
- - - 2
1 0/0 -
1
1 AUX 9600/9600 - - -
- - 0 0
0/0 -
2
2 TTY 9600/9600 - - -
- - 9 0
0/0 -
* 132 132 VTY
- - -
- 101 14 0 0/0
-
* 133 133 VTY
- - -
- 101 10 0 0/0
-
* 134 134 VTY
- - -
- 101 5 0 0/0
-
* 135 135 VTY
- - -
- 101 4 0 0/0
-
* 136 136 VTY
- - -
- 101 2 0 0/0
-
* 137 137 VTY
- - -
- 101 8 0 0/0
-
* 138 138 VTY
- - -
- 101 14 0 0/0
-
* 139 139 VTY
- - -
- 101 5 0 0/0
-
* 140 140 VTY
- - -
- 101 4 0 0/0
-
* 141 141 VTY
- - -
- 101 2 0 0/0
-
* 142 142 VTY
- - -
- 101 4 0 0/0
-
* 143 143 VTY
- - -
- 101 2 0 0/0
-
* 144 144 VTY
- - -
- 101 2 0 0/0
-
* 145 145 VTY
- - -
- 101 2 0 0/0
-
* 146 146 VTY
- - -
- 101 2 0 0/0
-
* 147 147 VTY
- - -
- 101 10 0 0/0
-
Line(s) not in async mode -or- with
no hardware support:
3-131
Router1#show tcp brief | i \.22_
319FCE3C 100.9.1.5.22
10.9.200.28.1903
ESTAB
2901D1E8 100.9.1.2.22
10.9.200.28.2526
FINWAIT1
301631E4 100.9.1.2.22
10.9.200.28.2486
ESTAB
29353A80 100.9.1.5.22
10.9.200.28.2735
ESTAB
28F53880 100.9.1.5.22
10.9.200.28.4035
ESTAB
293533DC 100.9.1.5.22
10.9.200.28.2293
ESTAB
28F408FC 100.9.1.2.22
10.9.200.28.3871
ESTAB
2933B460 100.9.1.2.22
10.9.200.14.8725
ESTAB
28F60DC8 100.9.1.5.22
10.9.200.28.2365
ESTAB
315D3BC0 100.9.1.5.22
10.9.200.28.2819
ESTAB
2934BD88 100.9.1.2.22
10.9.200.28.3128
ESTAB
31904740 100.9.1.2.22
10.9.200.14.8692
ESTAB
2901C298 100.9.1.5.22
10.9.200.28.3874
ESTAB
315D4264 100.9.1.5.22
10.9.200.28.3629
ESTAB
3151B7A4 100.9.1.2.22
10.9.200.28.2639
FINWAIT1
It seems all VTY lines have been used and for somehow system did not end those idle sessions although exec-timeout has been set.
Solution:
1. Clear line
Router2#clear line vty 0
[confirm]
[OK]
2. Set ssh time-out
ip ssh time-out 30
3. set absolute-timeout
line vty 0 15
absolute-timeout 15
4. Using service tcp-keepalives to Avoid Hung Telnet Sessions
http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a00801365f3.shtml
"If, however, Router 2 is reloaded for any reason, the terminal will not be able to get back into the server. Upon attempting to activate the connection, the user will see a "Connection refused by remote host" message. This message appears because the server believes that the previous telnet session is still connected, thus blocking a new session."
Router1# config term
Router1(config)# service tcp-keepalives-in
Router1(config)# service tcp-keepalives-out
Router1(config)# end
Hey very nice blog!I’m an instant fan, I have bookmarked you and I’ll be checking back on a regular.See u.
ReplyDeletePgp encryption