I'm trying to configure SSH on a 2621 running IOS ik9o3s3.
The ssh server is working fine but whenever I attempt to connect via the ssh client to a remote host (or even the 2621 itself) the session just hangs and I have to break out of the vty session. It leaves behind a "zombie" ssh session which does not time out and which I cannot kill using "disconnect ssh".
I've tried to debug the problem but there is no output at all from "debug ip ssh client". I've set "terminal monitor" when I log in.
Debugging on the remote host shows that the Cisco attempts to make a connection but it never completes. Here is a snoop trace from a Solaris box (which works for several other ssh clients).
# /opt/sbin/sshd -d
debug1: sshd version OpenSSH_4.0p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/opt/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 10
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.15.1 port 50758
This appears OK to me as far as it gets but it never gets to the authentication/login phase?
"sh ssh" gives the following (after 6 failed connections):

cisco#sh ssh
Connection Version Encryption State           Username
0          1.5     3DES       Session started young
1          1.5     3DES       Session started young
2          1.5     3DES       Session started young
3          1.5     3DES       Session started young
4          1.5     3DES       Session started young
5          1.5     3DES       Session started young

The above are the "zombie" connections, one from each attempt to set up an SSH connection from the router.
"sh ip ssh" gives the following:

cisco#sh ip ssh
SSH Enabled - version 1.5
Authentication timeout: 120 secs; Authentication retries: 3
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(15), RELEASE SOFTWARE (fc3)
Technical Support:

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-IK9O3S3-M), Version 12.3(15), RELEASE SOFTWARE (fc3)

cisco uptime is 1 day, 19 hours, 14 minutes
System returned to ROM by reload at 22:04:32 PDT Tue Oct 10 2006
System restarted at 22:07:05 PDT Tue Oct 10 2006
System image file is "flash:c2600-ik9o3s3-mz.123-15.bin"
------------------ show running-config ------------------
Building configuration...
Current configuration : 3707 bytes
!
! Last configuration change at 12:26:19 PDT Thu Oct 12 2006 by young
! NVRAM config last updated at 21:35:05 PDT Wed Oct 11 2006 by young
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot system flash
boot-end-marker
!
logging buffered 256000 debugging
no logging console
enable secret 5
!
clock timezone Pacific -8
clock summer-time PDT recurring 1 Sun Apr 1:00 last Sun Oct 1:00
aaa new-model
!
aaa session-id common
ip subnet-zero
ip cef
!
ip domain name normyoung.com
!
ip audit po max-events 100
ipv6 unicast-routing
ipv6 cef
!
class-map match-all class1
 description Classify RTP packets from VoIP
 match input-interface FastEthernet0/1
 match protocol rtp audio
!
policy-map policy1
 description Tag packets from RTP with DSCP EF
 class class1
  set ip dscp ef
!
interface Tunnel0
 description IPv6 Tunnel Broker
 no ip address
 ipv6 address
 ipv6 enable
 tunnel source
 tunnel destination
 tunnel mode ipv6ip
!
interface FastEthernet0/0
 description WAN - DHCP Configured
 ip address dhcp
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.15.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 duplex auto
 speed auto
 ipv6 address
 ipv6 enable
 priority-group 4
 no cdp enable
!
ip nat translation tcp-timeout 900
ip nat inside source list 7 interface FastEthernet0/0 overload
ip nat inside source static udp 192.168.15.15 5060 interface FastEthernet0/0 5060
ip nat inside source static udp 192.168.15.15 5061 interface FastEthernet0/0 5061
ip nat inside source static udp 192.168.15.15 10050 interface FastEthernet0/0 10050
ip nat inside source static udp 192.168.15.15 10000 interface FastEthernet0/0 10000
ip nat inside source static udp 192.168.15.10 55555 interface FastEthernet0/0 55555
ip nat inside source static tcp 192.168.15.10 443 interface FastEthernet0/0 443
ip nat inside source static tcp 192.168.15.10 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.15.10 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.15.10 143 interface FastEthernet0/0 143
ip nat inside source static tcp 192.168.15.10 993 interface FastEthernet0/0 993
ip nat inside source static tcp 192.168.15.10 119 interface FastEthernet0/0 119
ip nat inside source static tcp 192.168.15.10 55555 interface FastEthernet0/0 55555
no ip http server
ip http secure-server
ip classless
!
access-list 7 permit 192.168.15.0 0.0.0.255
access-list 7 remark Hosts on Internal LAN
access-list 111 remark VoIP from RTP-300
access-list 111 permit udp host 192.168.15.15 any
priority-list 4 protocol ip high list 111
priority-list 4 protocol ip medium udp domain
priority-list 4 protocol ip medium udp ntp
priority-list 4 protocol ip normal tcp nntp
priority-list 4 protocol ip normal tcp 993
priority-list 4 protocol ip normal tcp 143
priority-list 4 protocol ip
no cdp run
ipv6 route ::/0 Tunnel0
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 5
 session-timeout 30
 exec-timeout 60 0
 absolute-timeout 90
 transport input ssh
 transport output telnet ssh
!
ntp clock-period 17180048
ntp server 192.36.144.23 prefer
!
end
Anyone have any idea as to why the ssh client just hangs and why I'm not getting any debug output from it?
Thanks in advance,
Norm
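The sshd debug output above ends right after "Connection from 192.168.15.1 port 50758", i.e. before the identification-string exchange that is the first thing both sides do after the TCP connect, and the router's "sh ip ssh" reports a protocol 1.5 implementation. The following is an added example, not part of Norm's post and not Cisco or OpenSSH code: a small Python tool that fetches a server's SSH identification line (RFC 4253 section 4.2), parses it, and applies the RFC 4253 section 5.1 rule that a server announcing "1.99" accepts both protocol 1 and protocol 2 clients while a "2.0" server will not talk to a 1.5 client. Every socket call is bounded by a timeout, so a server that accepts the TCP connection but never sends a banner is reported as such instead of hanging the probe. The sample banners used in the test and the "SSH-1.5-Cisco-1.25" string are constructed illustrations, and the module name ssh_banner.py in the usage comment is assumed.

```python
"""Added example (not from the post): inspect the SSH identification-string
exchange, the first step after the TCP connect, which is where the sshd debug
output in the post stops.  parse_banner() decodes a server banner per RFC 4253
section 4.2, client_can_negotiate() applies the RFC 4253 section 5.1 rule that
a "1.99" server accepts both protocol 1 and protocol 2 clients, and probe()
fetches a live banner with a timeout so the check cannot itself hang."""
import re
import socket
import sys
from dataclasses import dataclass
from typing import Optional

# RFC 4253 4.2: "SSH-" protoversion "-" softwareversion [SP comments] CR LF.
# Lines before the identification line are allowed and must be ignored.
BANNER_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<soft>[^\s]+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)


@dataclass
class Banner:
    protoversion: str      # e.g. "1.5", "1.99", "2.0"
    softwareversion: str   # e.g. "OpenSSH_4.0p1"
    comments: Optional[str]


def parse_banner(raw: bytes) -> Banner:
    """Return the first well-formed identification line found in raw."""
    for line in raw.splitlines(keepends=True):
        if not line.startswith(b"SSH-"):
            continue  # pre-banner text, skipped as RFC 4253 4.2 requires
        m = BANNER_RE.match(line)
        if m is None:
            raise ValueError(f"malformed identification line: {line!r}")
        comments = m.group("comments")
        return Banner(
            m.group("proto").decode("ascii"),
            m.group("soft").decode("ascii", "replace"),
            comments.decode("ascii", "replace") if comments is not None else None,
        )
    raise ValueError("no SSH identification line in data")


def client_can_negotiate(server: Banner, client_proto: str = "1.5") -> bool:
    """Compatibility of a client protocol version with the server banner.

    RFC 4253 5.1: a server announcing "1.99" speaks both 1.x and 2.0.
    Otherwise the major versions must match, so a "2.0"-only server turns
    away a 1.5 client at this step.
    """
    if server.protoversion == "1.99":
        return True
    return server.protoversion.split(".")[0] == client_proto.split(".")[0]


def probe(host: str, port: int = 22, timeout: float = 5.0) -> Banner:
    """Connect, read until the identification line arrives, and parse it.

    The timeout bounds every socket call, so a server (or middlebox) that
    accepts the TCP connection but never sends a banner raises
    socket.timeout instead of blocking indefinitely.
    """
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        while len(data) < 4096:
            chunk = s.recv(512)
            if not chunk:
                break
            data += chunk
            # stop once a complete "SSH-..." line has been received
            if any(l.startswith(b"SSH-") and l.endswith(b"\n")
                   for l in data.splitlines(keepends=True)):
                break
    return parse_banner(data)


if __name__ == "__main__":
    # usage (assumed file name): python ssh_banner.py <host> [port]
    target = sys.argv[1]
    tport = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    try:
        b = probe(target, tport)
    except socket.timeout:
        sys.exit(f"{target}:{tport}: TCP connect succeeded but no banner arrived")
    print(f"{target}:{tport} -> SSH-{b.protoversion}-{b.softwareversion}")
    print("protocol-1.5 client can proceed:", client_can_negotiate(b))
```

Run it from a host on the same LAN segment as the router (192.168.15.0/24 here) against the Solaris box: a banner of the form "SSH-1.99-..." means the server is willing to continue with a protocol 1 client; a "SSH-2.0-..." banner means the version exchange itself would fail; and a timeout means the TCP handshake completed but the server side never spoke, which is a different problem from a version mismatch.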