No relevant resource is found in the selected language.
MENU
Support Documentation
WLAN Troubleshooting Guide
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Troubleshooting: SSH Login Fails or Login Fails Through Telnet

Troubleshooting: SSH Login Fails or Login Fails Through Telnet

Possible Causes

  • The network connection is abnormal.
  • The user name or password is incorrect.
  • The server configuration is incorrect.
  • The IP address of the client is blocked.
  • The Telnet server is disabled by default and is not enabled.
  • The encryption/decryption algorithm used by the STelnet client does not match that on the device.
  • (V200R019C10) The source interface of the SSH or Telnet server is configured.
  • The SSH or Telnet interface is disabled by the firewall.

Troubleshooting Process

Device Functioning as an SSH Server

Device Functioning as a Telnet Server

Troubleshooting Procedure

Device Functioning as an STelnet Server

Perform the following operations after logging in to the device through the console port.

  1. Check whether the network connection is normal.

    Before a user logs in to the device using SSH, reachable routes must exist between the client and device. Ping the IP address of the SSH server from the client to check whether the network connection between the client and server is normal. Make sure that the fault is not caused by an SSH connection setup failure.

  2. Check whether the user name and password are correct.

    1. Check whether the user name and password are the same as those configured on the SSH server. If they are inconsistent, enter the correct user name and password. If you are not sure whether the password is correct, perform the following operations to reconfigure the password:
      • Log in to the device using a user account with a higher privilege level (at least level 3) than the previous user account, and configure a new password for the previous user account.
      • Log in to the device through the console port and configure a new password.

      The configuration method is as follows:

      <AC> system-view 
[AC] aaa 
[AC-aaa] local-user test password irreversible-cipher huawei@1234
    2. If a user enters incorrect passwords three times consecutively within 5 minutes when the client attempts to set up an SSH connection with the SSH server, the IP address of the client will be locked for 5 minutes, and the locked IP address cannot pass authentication. You can run the display aaa online-fail-record username username command in any view to check clients' IP addresses that are locked due to authentication failures. If the IP address of a client is locked, solve the problem using the following methods:
      • Wait for 5 minutes until the device automatically unlocks the IP address.
      • Run the undo local-aaa-user wrong-password command in the AAA view to disable the lock function.

  3. Check whether the SSH server status on the server is normal.

    1. Log in to the device through a console port and run the display ssh server status command and ensure the following settings are correct:
      1. STelnet service status
      2. Timeout interval for SSH authentication
      3. SSH server port number
      <AC> display ssh server status
 SSH version                      :2.0   
 SSH connection timeout          :60 seconds   //Set the timeout interval for SSH connection authentication.
 SSH server key generating interval :0 hours
 SSH authentication retries         :3 times
 SFTP server                        :Disable
 Stelnet server                   :Disable   //Disable the STelnet service.
 SSH server port                  :1026     //The server port has been changed. The default port number is 22, which is not displayed.
    2. If the STelnet service is disabled, run the stelnet server enable command in the system view to enable it.
    3. Check whether the SSH protocol version of the client is too early. If the protocol version of the client is later than or equal to 1.3 and earlier than 1.99, run the ssh server compatible-ssh1x enable command in the system view to enable the SSH server to be compatible with earlier versions.
    4. If the timeout interval is too short, users will fail to log in to the SSH server. Run the ssh server timeout seconds command in the system view to change the timeout interval for SSH connection authentication.
    5. Ensure that the port number of the SSH server is consistent with that of the SSH client. SSH client can log in to the SSH server with no port number specified only when the port number of the SSH server is 22. If the SSH server uses another port, the port number must be specified when SSH clients log in to the SSH server. If the SSH server's port number has been changed, change the port number accordingly during the SSH login. For example, change the SSH server's port number to 1026 on PuTTY.

      If the default port number is used for SSH login, you need to delete the configuration of changing the server's port number from the device.

      [AC] undo ssh server port 
Warning: The operation will disconnect all online users. Continue? [Y/N]:y 
Info: Succeeded in changing SSH listening port.

  4. Check whether the VTY user interface configuration is correct.

    Log in to the device through the console port. Check the VTY configuration, and ensure that the SSH protocol and AAA authentication have been configured for VTY channels.

    The following example shows that AAA authentication and the SSH protocol have been configured.

    <AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#                                                                               
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#3]qy<(%O)95+([Fe0>o7PbnY=>Qr.05%,INA&}t1g}*^FA~qAL*($vVJa"]*%^%# 
user-interface vty 0 4
 authentication-mode aaa           //The AAA mode has been configured.
 protocol inbound all               //The SSH protocol has been bound.
user-interface vty 16 20
 protocol inbound all
#

    If the SSH protocol is not bound, perform the following operations:

    [AC-ui-vty0-4] protocol inbound ssh

    or

    [AC-ui-vty0-4] protocol inbound all

  5. Check whether the SSH user configuration on the server is correct.

    1. Run the display ssh user-information command in any view to check whether the SSH user exists on the server.
      <AC> display ssh user-information
-------------------------------------------------------------------------------
 Username         Auth-type          User-public-key-name
 -------------------------------------------------------------------------------
 admin            password           null
 -------------------------------------------------------------------------------

      The Username field displays the SSH user name. Based on this field, check whether the current user is displayed in the command output.

      If the current user is not displayed in the command output, perform the following operations to add the user:

      <AC> system-view
[AC] aaa
[AC] local-user test password irreversible-cipher hauwei@123
[AC] local-user test service-type ssh
    2. Check whether the IP address of the client is permitted.
      <AC> display current-configuration | include ssh
ssh server permit interface GigabitEthernet0/0/1  //Allow the client to connect to GigabitEthernet0/0/1 on the SSH server but restrict the connection to other interfaces.

      By default, clients can connect to all physical interfaces on the SSH server. You can run the undo ssh server permit interface command in the system view to restore the default physical interfaces on the SSH server to which clients can connect.

    3. Check whether a public key is configured on the device.

      To avoid logging in to a bogus SSH server, the client uses the digital signature to verify the SSH server's identity during login. If the public key of the SSH server is not saved on the client or the saved public key is incorrect, the server identity verification fails. As a result, the user fails to log in to the server through the client. Therefore, before a user logs in to the server on the client, create a key pair on the server, and save the correct public key of the SSH server on the client. To ensure successful login to the SSH server, configure and generate a local key pair first. The login failure may be caused by an incorrect key pair. The methods of checking whether a key pair is generated on the device are as follows:

      • Run the following command to check whether the RSA public key is configured on the device.
        [AC] display rsa local-key-pair public
Info: Local key pair is not generated. //The RSA public key is not configured.
      • Run the following command to check whether the ECC public key is configured on the device.
        [AC] display ecc local-key-pair public
Info: Local key pair is not generated. //The ECC public key is not configured.

      If no public key is configured for the server, perform the following operations to generate an RSA or ECC key pair:

      [AC] rsa local-key-pair create      //Create an RSA public key.
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 2048]:2048
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
[AC] ecc local-key-pair create      //Create an ECC public key.
Info: The key name will be: AC6605_Host_ECC.
Info: The ECC host key named AC6605_Host_ECC already exists.
Warning: Do you want to replace it ? [Y/N]: Y
Info: The key modulus can be any one of the following : 256, 384, 521.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.

  6. Check whether an ACL is bound to VTY user interfaces on the SSH server.

    Check the VTY configuration to determine whether an ACL rule is bound to VTY user interfaces.

    For example, run the display this command to check whether an ACL has been bound to VTY 0 to VTY 4.

    <AC> system-view 
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#3]qy<(%O)95+([Fe0>o7PbnY=>Qr.05%,INA&}t1g}*^FA~qAL*($vVJa"]*%^%# 
user-interface vty 0 4
 acl 3000 inbound         //Bind ACL 3000.
 authentication-mode aaa
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#

    If an ACL is configured, check whether the IP address of the SSH client is denied in the ACL. If the IP address is denied, delete the deny rule in the ACL view, and modify the IP addresses of clients that are permitted in the ACL.

    For example, an ACL is configured on the device and a deny rule is configured for the IP address (192.168.1.3) of an SSH client.

    [AC-ui-vty0-4] display acl 3000 
Advanced ACL 3000, 1 rule 
Acl's step is 5 
 rule 5 deny tcp source 192.168.1.3 0 
[AC-ui-vty0-4] quit

    Modify the ACL to allow the IP address of the SSH client to access the device.

    [AC] acl 3000 
[AC-acl-adv-3000] undo rule 5 
[AC-acl-adv-3000] rule 5 permit tcp source 192.168.1.3 0 
[AC-acl-adv-3000] display this 
# 
acl number 3000 
 rule 5 permit tcp source 192.168.1.3 0 
# 
return

  7. Ensure that the encryption/decryption algorithm used by the SSH client matches that on the device.

    • To ensure device security, some insecure encryption algorithms are disabled by default. You can run the following command to enable them:
      <AC6605>system-view 
Enter system view, return user view with Ctrl+Z.
[AC6605]ssh server secure-algorithms cipher aes256_ctr aes128_ctr 3des aes128 aes256_cbc
Info:Insecure encryption algorithm is enabled,It is recommended to disable the insecure encryption algorithm.
[AC6605]ssh server secure-algorithms hmac sha2_256 md5 md5_96 sha1 sha2_256_96 sha1_96
Info:Insecure encryption algorithm is enabled,It is recommended to disable the insecure encryption algorithm.
[AC6605]ssh server key-exchange dh_group14_sha1 dh_group1_sha1 dh_group_exchange_sha1
Info:Insecure exchange algorithm is enabled,It is recommended to disable the insecure exchange algorithm.
    • Replace the SSH client with a new one, such as PuTTY of the latest version.

  8. Check whether management plane separation is configured.

    For devices with management interfaces, such as AC6605, ACU2, and AC6805, check whether management plane separation is enabled. If this function is enabled, the system prohibits users from accessing the management plane through service interfaces. That is, users fail to log in to the device through non-management interfaces.

    1. Check whether management plane separation is configured.

      By default, management plane separation is enabled on a device. To log in to the device through a service interface, run the mgmt isolate disable command to disable management plane separation.

    2. Run the display mgmt interface command to check the management NIC of the current device and check whether the user logs in to the device through a non-management interface.

      # Display the management interface on the device.

      <AC6605> display mgmt interface 
--------------------------------------------------------------------------------- 
Interface name 
--------------------------------------------------------------------------------- 
MEth0/0/1 
--------------------------------------------------------------------------------- 
Count:1

  9. (V200R019C10) Check whether the source interface of the SSH server is configured.

    In V200R019C10, if the AC's source interface is specified, users can log in to the AC only through the specified interface.

    By default, no source interface is specified. According to the factory configuration file, for a device with an Ethernet management interface, the default source interface is the Ethernet management interface; for a device without an Ethernet management interface, the default source interface is VLANIF 1.

    To reconfigure the source interface of the SSH server, run the ssh server-source -i { interface-type interface-number | all } command.

    • After the parameter interface-type interface-number is specified, the connection to the device through any other interface is torn down.
    • After the parameter all is specified, users can log in to the device through any interface. This configuration is not recommended due to low security.

  10. Check whether the SSH or Telnet interface is disabled by the firewall.

    1. Run the display network status all command to check which interfaces and services are enabled on the network.
      <AC6605> display network status all
Proto Task/SockId Local Addr&Port          Foreign Addr&Port        State 
TCP   VTYD/1      0.0.0.0:23               0.0.0.0:0                Listening
TCP   VTYD/3      10.23.23.1:23            10.23.23.201:4332        Established
TCP6  VTYD/2      ::->23                   ::->0                    Listening
UDP   NTPT/1      0.0.0.0:123              0.0.0.0:0
UDP   AGNT/1      0.0.0.0:161              0.0.0.0:0
UDP   RDS /1      0.0.0.0:1812             0.0.0.0:0
UDP   WEB /1      0.0.0.0:2000             0.0.0.0:0
UDP   L2_P/1      0.0.0.0:40000            0.0.0.0:0
UDP   NAP /1      0.0.0.0:53535            0.0.0.0:0
UDP6  NTPT/2      ::->123                  ::->0
UDP6  AGT6/1      ::->161                  ::->0
    2. Check the firewall policy to determine whether the Telnet or SSH interface is disabled.

Device Functioning as a Telnet Server

Perform the following operations after logging in to the device through the console port.

  1. Check whether the network connection is normal.

    Before a user logs in to the device using Telnet, reachable routes must exist between the client and device. Ping the IP address of the server from the client to check whether the network between the client and server is available.

  2. Check whether the user name and password are correct.

    The Telnet server supports password authentication and AAA authentication. By default, the authentication mode is AAA authentication.

    • In AAA authentication mode, you need to check whether the user name and password are correct. If you do not know whether the password is correct, perform the following operations to change the password for the current user name:
      1. Run the system-view command to enter the system view.
      2. Run the aaa command to enter the AAA view.
      3. Run the local-user user-name password irreversible-cipher irreversible-cipher-password command to configure the password.
    • In password authentication mode, check whether the password is correct. You can run the following commands to change the password:
      1. Run the system-view command to enter the system view.
      2. Run the user-interface vty first-ui-number [ last-ui-number ] command to enter the VTY user interface view.
      3. Run the authentication-mode password command to set the authentication mode to password.
      4. Run the set authentication password cipher command to set the authentication password.

  3. Check whether the Telnet server status on the server is normal.

    Run the display telnet server status command to check whether the following information is correct:
    • Telnet service status
    • Port number of the Telnet server
    <AC> display telnet server status
 TELNET IPV4 server                      :Enable 
 TELNET IPV6 server                      :Disable
 TELNET server port                      :23
    • If the TELNET IPv4 server or TELNET IPv6 server field is Disable, run the telnet [ipv6] server enable command in the system view to enable the Telnet service.
    • Ensure that the port number of the Telnet server is consistent with that of the Telnet client. Telnet client can log in to the Telnet server with no port number specified only when the port number of the Telnet server is 23. If the Telnet server uses another port, the port number must be specified when Telnet clients log in to the Telnet server. If the port numbers are different, run the telnet server port 23 command in the system view to change the Telnet server's port number to 23.

  4. Check whether the VTY user interface configuration is correct.

    1. Log in to the device through the console port. Check the VTY configuration, and ensure that the Telnet protocol has been configured for VTY channels.
      <AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#                                                                               
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#3]qy<(%O)95+([Fe0>o7PbnY=>Qr.05%,INA&}t1g}*^FA~qAL*($vVJa"]*%^%# 
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh     //The Telnet protocol is not bound.
user-interface vty 16 20
 protocol inbound all
#

      If the Telnet protocol is not bound, perform the following operations:

      [AC-ui-vty0-4] protocol inbound telnet

      or

      [AC-ui-vty0-4] protocol inbound all
    2. Check the login authentication mode.
      Currently, the following authentication modes are mainly used:
      • authentication-mode password: password authentication mode
      • authentication-mode aaa: AAA authentication mode
      <AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this 
# 
user-interface maximum-vty 15 
user-interface con 0 
user-interface vty 0 14 
 authentication-mode aaa 
 user privilege level 3 
 protocol inbound ssh 
user-interface vty 16 20

      If password authentication mode is configured in the VTY user interface, you must configure the login password in the VTY user interface view. You can run the display this command in the VTY user interface view to check whether the login password is configured. If not, run the set authentication password cipher command in the VTY user interface view to configure it.

      If AAA authentication mode is configured in the VTY user interface, you must create a local AAA user. You can run the display this command in the AAA view to check the configuration. You must specify the level and service type for the account; otherwise, you cannot use this account to log in to the device.

      For example, the user name is admin and password is Admin@huawei.com in the command output. If the account configuration is incorrect, run the aaa command to enter the AAA view, reconfigure the account based on the following commands, and log in to the device.

      [AC] aaa
[AC-aaa] local-user admin password irreversible-cipher Admin@huawei.com
[AC-aaa] local-user admin service-type telnet http terminal
    3. In AAA authentication mode, if a user enters incorrect passwords three times consecutively within 5 minutes when the client attempts to set up a Telnet connection with the Telnet server, the IP address of the client will be locked for 5 minutes, and the locked IP address cannot pass authentication. You can run the display aaa online-fail-record username username command in any view to check clients' IP addresses that are locked due to authentication failures. If the IP address of a client is locked, solve the problem using the following methods:
      • Wait for 5 minutes until the device automatically unlocks the IP address.
      • Run the undo local-aaa-user wrong-password command in the AAA view to disable the lock function.
    4. Check whether the IP address of the client is permitted.
      <AC> display current-configuration | include telnet
telnet server permit interface GigabitEthernet0/0/1  //Allow the client to connect to GigabitEthernet0/0/1 on the Telnet server but restrict the connection to other interfaces.

      By default, clients can connect to all physical interfaces on the Telnet server. You can run the undo telnet server permit interface command in the system view to restore the default physical interfaces on the Telnet server to which clients can connect.

  5. Check whether an ACL is bound to VTY user interfaces on the Telnet server.

    Check the VTY configuration to determine whether an ACL rule is bound to VTY user interfaces.

    For example, run the display this command to check whether an ACL has been bound to VTY 0 to VTY 4.

    <AC> system-view 
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
#
user-interface con 0
 authentication-mode password
 set authentication password cipher %^%#3]qy<(%O)95+([Fe0>o7PbnY=>Qr.05%,INA&}t1g}*^FA~qAL*($vVJa"]*%^%# 
user-interface vty 0 4
 acl 3000 inbound         //Bind ACL 3000.
 authentication-mode aaa
 protocol inbound all
user-interface vty 16 20
 protocol inbound all
#

    If an ACL is configured, check whether the IP address of the Telnet client is denied in the ACL. If the IP address is denied, delete the deny rule in the ACL view, and modify the IP addresses of clients that are permitted in the ACL.

    For example, an ACL is configured on the device and a deny rule is configured for the IP address (192.168.1.2) of a Telnet client.

    [AC-ui-vty0-4] display acl 3000 
Advanced ACL 3000, 1 rule 
Acl's step is 5 
 rule 5 deny tcp source 192.168.1.2 0 
[AC-ui-vty0-4] quit

    Modify the ACL to allow the IP address of the Telnet client to access the device.

    [AC] acl 3000 
[AC-acl-adv-3000] undo rule 5 
[AC-acl-adv-3000] rule 5 permit tcp source 192.168.1.2 0 
[AC-acl-adv-3000] display this 
# 
acl number 3000 
 rule 5 permit tcp source 192.168.1.2 0 
# 
return

  6. (V200R019C10) Check whether the source interface of the Telnet server is configured.

    In V200R019C10, if the AC's source interface is specified, users can log in to the AC only through the specified interface.

    By default, no source interface is specified. According to the factory configuration file, for a device with an Ethernet management interface, the default source interface is the Ethernet management interface; for a device without an Ethernet management interface, the default source interface is VLANIF 1.

    To reconfigure the source interface of the Telnet server, run the telnet server-source -i { interface-type interface-number | all } command.

    • After the parameter interface-type interface-number is specified, the connection to the device through any other interface is torn down.
    • After the parameter all is specified, users can log in to the device through any interface. This configuration is not recommended due to low security.

  7. Check whether the SSH or Telnet interface is disabled by the firewall.

    1. Run the display network status all command to check which interfaces and services are enabled on the network.
      <AC6605> display network status all
Proto Task/SockId Local Addr&Port          Foreign Addr&Port        State 
TCP   VTYD/1      0.0.0.0:23               0.0.0.0:0                Listening
TCP   VTYD/3      10.23.23.1:23            10.23.23.201:4332        Established
TCP6  VTYD/2      ::->23                   ::->0                    Listening
UDP   NTPT/1      0.0.0.0:123              0.0.0.0:0
UDP   AGNT/1      0.0.0.0:161              0.0.0.0:0
UDP   RDS /1      0.0.0.0:1812             0.0.0.0:0
UDP   WEB /1      0.0.0.0:2000             0.0.0.0:0
UDP   L2_P/1      0.0.0.0:40000            0.0.0.0:0
UDP   NAP /1      0.0.0.0:53535            0.0.0.0:0
UDP6  NTPT/2      ::->123                  ::->0
UDP6  AGT6/1      ::->161                  ::->0
    2. Check the firewall policy to determine whether the Telnet or SSH interface is disabled.

Translation
简体中文
Download
Updated: 2020-11-18

Document ID: EDOC1000060368

Views: 442438

Downloads: 2450

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next
Enterprise APP

Copyright © 2020 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :