Why Cisco Devices refused SSH connection

Network devices usually managed through SSH services. Sometimes, those devices lost SSH access with
" The remote system refused the connection."
error message presenting on the SSH client such as SecureCRT. No matter how you tried from Internal or External interface, it is always same. Is there any configuration wrong? If yes, why did it work at last time?

Symptoms:

Through console port, there were some of interesting things:

Router1#show connection

ID Name Segment 1 Segment 2 State

================================================================================

Router1#show users

Line User Host(s) Idle Location

* 1 aux 0 user2 idle 00:00:00

132 vty 0 user1 100.9.1.1 48w0d 10.94.200.28

133 vty 1 user1 100.9.1.1 48w0d 10.94.200.28

134 vty 2 user1 100.9.1.1 48w0d 10.94.200.28

135 vty 3 user1 100.9.1.1 48w0d 10.94.200.28

136 vty 4 user1 100.9.1.1 47w6d 10.94.200.28

137 vty 5 user1 100.9.1.1 47w6d 10.94.200.28

138 vty 6 user1 100.9.1.1 47w6d 10.94.200.28

139 vty 7 user1 100.9.1.1 47w1d 10.94.200.28

140 vty 8 user1 100.9.1.1 47w1d 10.94.200.28

141 vty 9 user1 100.9.1.1 46w5d 10.94.200.28

142 vty 10 user1 100.9.1.1 43w5d 10.94.200.28

143 vty 11 user1 100.9.1.1 43w4d 10.94.200.28

144 vty 12 user1 100.9.1.1 41w6d 10.94.200.28

145 vty 13 user1 100.9.1.1 41w6d 10.94.200.28

146 vty 14 user1 100.9.1.1 41w6d 10.94.200.28

147 vty 15 user1 100.9.1.1 41w6d 10.94.200.28

Interface User Mode Idle Peer Address

Router1#show ssh

Connection Version Mode Encryption Hmac State Username

0 2.0 IN aes256-cbc hmac-sha1 Session started user1

0 2.0 OUT aes256-cbc hmac-sha1 Session started user1

1 2.0 IN aes256-cbc hmac-sha1 Session started user1

1 2.0 OUT aes256-cbc hmac-sha1 Session started user1

2 2.0 IN aes256-cbc hmac-sha1 Session started user1

2 2.0 OUT aes256-cbc hmac-sha1 Session started user1

3 2.0 IN aes256-cbc hmac-sha1 Session started user2

3 2.0 OUT aes256-cbc hmac-sha1 Session started user2

4 2.0 IN aes256-cbc hmac-sha1 Session started user2

4 2.0 OUT aes256-cbc hmac-sha1 Session started user2

5 2.0 IN aes256-cbc hmac-sha1 Session started user1

5 2.0 OUT aes256-cbc hmac-sha1 Session started user1

6 2.0 IN aes256-cbc hmac-sha1 Session started user1

6 2.0 OUT aes256-cbc hmac-sha1 Session started user1

7 2.0 IN aes256-cbc hmac-sha1 Session started user1

7 2.0 OUT aes256-cbc hmac-sha1 Session started user1

8 2.0 IN aes256-cbc hmac-sha1 Session started user1

8 2.0 OUT aes256-cbc hmac-sha1 Session started user1

9 2.0 IN aes256-cbc hmac-sha1 Session started user1

9 2.0 OUT aes256-cbc hmac-sha1 Session started user1

10 2.0 IN aes256-cbc hmac-sha1 Session started user1

10 2.0 OUT aes256-cbc hmac-sha1 Session started user1

11 2.0 IN aes256-cbc hmac-sha1 Session started user1

11 2.0 OUT aes256-cbc hmac-sha1 Session started user1

12 2.0 IN aes256-cbc hmac-sha1 Session started user1

12 2.0 OUT aes256-cbc hmac-sha1 Session started user1

13 2.0 IN aes256-cbc hmac-sha1 Session started user1

13 2.0 OUT aes256-cbc hmac-sha1 Session started user1

14 2.0 IN aes256-cbc hmac-sha1 Session started user1

14 2.0 OUT aes256-cbc hmac-sha1 Session started user1

15 2.0 IN aes256-cbc hmac-sha1 Session started user1

15 2.0 OUT aes256-cbc hmac-sha1 Session started user1

%No SSHv1 server connections running.

Router1#show line

Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int

* 0 0 CTY - - - - - 2 1 0/0 -

1 1 AUX 9600/9600 - - - - - 0 0 0/0 -

2 2 TTY 9600/9600 - - - - - 9 0 0/0 -

* 132 132 VTY - - - - 101 14 0 0/0 -

* 133 133 VTY - - - - 101 10 0 0/0 -

* 134 134 VTY - - - - 101 5 0 0/0 -

* 135 135 VTY - - - - 101 4 0 0/0 -

* 136 136 VTY - - - - 101 2 0 0/0 -

* 137 137 VTY - - - - 101 8 0 0/0 -

* 138 138 VTY - - - - 101 14 0 0/0 -

* 139 139 VTY - - - - 101 5 0 0/0 -

* 140 140 VTY - - - - 101 4 0 0/0 -

* 141 141 VTY - - - - 101 2 0 0/0 -

* 142 142 VTY - - - - 101 4 0 0/0 -

* 143 143 VTY - - - - 101 2 0 0/0 -

* 144 144 VTY - - - - 101 2 0 0/0 -

* 145 145 VTY - - - - 101 2 0 0/0 -

* 146 146 VTY - - - - 101 2 0 0/0 -

* 147 147 VTY - - - - 101 10 0 0/0 -

Line(s) not in async mode -or- with no hardware support:

3-131

Router1#show tcp brief | i \.22_

319FCE3C 100.9.1.5.22 10.9.200.28.1903 ESTAB

2901D1E8 100.9.1.2.22 10.9.200.28.2526 FINWAIT1

301631E4 100.9.1.2.22 10.9.200.28.2486 ESTAB

29353A80 100.9.1.5.22 10.9.200.28.2735 ESTAB

28F53880 100.9.1.5.22 10.9.200.28.4035 ESTAB

293533DC 100.9.1.5.22 10.9.200.28.2293 ESTAB

28F408FC 100.9.1.2.22 10.9.200.28.3871 ESTAB

2933B460 100.9.1.2.22 10.9.200.14.8725 ESTAB

28F60DC8 100.9.1.5.22 10.9.200.28.2365 ESTAB

315D3BC0 100.9.1.5.22 10.9.200.28.2819 ESTAB

2934BD88 100.9.1.2.22 10.9.200.28.3128 ESTAB

31904740 100.9.1.2.22 10.9.200.14.8692 ESTAB

2901C298 100.9.1.5.22 10.9.200.28.3874 ESTAB

315D4264 100.9.1.5.22 10.9.200.28.3629 ESTAB

3151B7A4 100.9.1.2.22 10.9.200.28.2639 FINWAIT1

It seems all VTY lines have been used and for somehow system did not end those idle sessions although exec-timeout has been set.

Solution:

1. Clear line

Router2#clear line vty 0

[confirm]

[OK]

2. Set ssh time-out

ip ssh time-out 30

3. set absolute-timeout

line vty 0 15

absolute-timeout 15

4. Using service tcp-keepalives to Avoid Hung Telnet Sessions

http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a00801365f3.shtml

"If, however, Router 2 is reloaded for any reason, the terminal will not be able to get back into the server. Upon attempting to activate the connection, the user will see a "Connection refused by remote host" message. This message appears because the server believes that the previous telnet session is still connected, thus blocking a new session."

Router1# config term
Router1(config)# service tcp-keepalives-in
Router1(config)# service tcp-keepalives-out
Router1(config)# end

Latest

NETSEC

Tuesday, April 30, 2013

Why Cisco Devices refused SSH connection

Symptoms: