Wired Intelligent Edge

Hi!

 

Ssh on HP J9775A 2530-48G is broken. The switch does listen on port 22 but cannot do ssh. I disabled/enabled it again but it didnt solve the issue. I dont want to restart my switch.

 

Any tip for this?

 

Thanks

Greetings!

 

We would need to know a few things to assist with troubleshooting:

 

• What specific symptoms are you seeing — is the switch refusing SSH connections entirely, or are you seeing authentication failures?
• Was SSH working at some point, and now is not?
• Do you have a Management VLAN assigned, and is the SSH client attached to that VLAN with an IP address in the same subnet as the switch Management VLAN IP?
• Are there any log messages on the switch ('show logging -r') or your SSH client indicating a possible cause (such as a cipher mismatch)?
• What software version are you running on the switch in question?

One thing you can try is enabling SSH debug logging on the switch, which would capture info that could help with troubleshooting. In your serial console session, run the following commands:

 

switch# debug destination session
switch# debug security ssh verbose

Once debug logging is enabled, try to open an SSH session to the switch, and watch for any debug messages to be printed to the open console session. (If you don't see any messages in the console and debug logging is enabled, it's possible your SSH station does not have full connectivity to the switch and this would need to be investigated as a separate issue.) Once you've captured debug info, you can turn debug logging off:

 

switch# no debug destination session
switch# no debug security ssh

Hi!

 

The switch is on remote site so I will try again via console cable.

As I recall well it was refusing connection.

Yes it was working. 

IP address is assigned on interface vlan 10.

There was not log showing up in recent logs related to ssh.

I have similar switch so pretty sure they have the same version.

Primary Image : 13277269 08/29/16 YA.16.02.0012

 

Will these debug commands impact the cpu when I enable them?

If only SSH debugging is enabled, I would not expect any significant CPU utilization.

ok Thanks I will check that and get back to you.

I dont see anything in the debug

ssh: Ssh server enabled

ssh: New 2048-bit RSA SSH host key installed.

 

When I do ssh then I get "Connection was reset."

 

Have you tried to generate a new SSH key at the switch?

configure
crypto key generate ssh rsa

yes again now but same result

Have you tried to do a telnet at port 22?

Normally you will see a message like this
SSH-2.0-Mocana SSH 6.3

 

In the latest release for the 2530 there are some fixes related to SSH issues.

Have you tried to kill all the sessions? use the command kill for this

I can see blank screen but NOT this message "SSH-2.0-Mocana SSH 6.3"

 

 

The only thing I can see different is "management-vlan 1". This shows in my running config and non of the other switch has it.

I did open ticket with Aruba support one week ago with native vlan issue.

I recall he didnt change management-vlan 10 or something like that to testing and then enter some command.

Like Matthew already mentioned the management VLAN has impact to the management of a device.
If configured you can only manage the switch from the management VLAN

I agree but I just saw it as I never configured that. When i saw this then I recall that Aruba engineer did enter similar command one week ago and after that I have to move the IP to vlan 10 and it got broken.

Is it save to just remove this command or should I open ticket with them again?

The switch is in production and I dont want any issue with it.

You can remove the management-vlan configuration without any impact.

Thanks. Its working now.

What a long troubleshooting for small thing. I was so confused that why its not working.

This is almost certainly your issue here. If the management station with the SSH client isn't on the management VLAN or doesn't have an IP address in the same subnet as the one assigned to the management VLAN (even if it is actually connected to a management VLAN interface), it won't be able to connect. Removing the management-vlan command will correct this behavior.

 

If you need to be able to manage the switch from a routed connection, but still want to restrict access to authorized users, you can use either the Authorized IP managers feature or ACLs to implement access controls. 

Agree.

Actually I looked into the configure couple of times but never went to down because I never entered that command. So today I went through again througly and saw that the managment vlan was set to 1 and recalled how it was set.

 

I would like to thanks all of you for your input and time.