No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Troubleshooting Guide

CloudEngine 16800, 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Troubleshooting Procedure

Troubleshooting Procedure

If password authentication is configured for SSH users, generate a local RSA, DSA, or ECC key on the SSH server. If RSA, DSA, or ECC authentication is configured for SSH users, generate a local RSA, DSA, or ECC key pair on both the SSH server and client, and configure the server's public key on the client and the client's public key on the server.

  1. Check whether the network connection is normal.

    Before a user logs in to the SSH server using SSH, reachable routes must exist between the user client and SSH server. Ping the IP address of the SSH server from the client to check whether the network connection between the client and server is normal. Make sure that the fault is not caused by an SSH connection setup failure.

  2. Check whether a local key pair is generated on the SSH server.

    To ensure successful login to the SSH server, configure and generate a local key pair first. The login failure may be caused by an incorrect key pair. The methods of checking whether a key pair is generated on the SSH server are as follows:
    • View RSA public key information.

      <HUAWEI> display rsa local-key-pair public
      Info: Local key pair is not generated.  
    • View DSA public key information.

      <HUAWEI> display dsa local-key-pair public
      Info: The DSA host keys are not found.   
    • View ECC public key information.

      <HUAWEI> display ecc local-key-pair public
      Info: Local key pair is not generated.  

    The preceding command outputs show that no public key is configured on the server. Run the rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair command in the system view to generate an RSA, a DSA, or an ECC key pair.

  3. Check whether the public key allocated to the SSH server by the SSH client is correct.

    The user public key is a hexadecimal string generated by SSH client software. Take RSA authentication as an example. Run the display rsa local-key-pair public command in the system view on the client to view the public key in the RSA key pair generated on the client, and compare the public key with the user public key saved on the SSH server. If the public keys are different, the server needs to obtain the correct user public key again. The following example uses the user name client001 and RSA public key pubkey. The configuration is as follows:
    <SSH Server> system-view
    [~SSH Server] rsa peer-public-key pubkey
    [*SSH Server-rsa-public-key] public-key-code begin
    [*SSH Server-rsa-public-key-rsa-key-code] 30820107 02820100 7FAEE115 9EEFE3E8 65F976AA 5CE3EDEE
    [*SSH Server-rsa-public-key-rsa-key-code] 681830C0 F787B88C F5C7619D 13169F6D B6D43090 FCBADE17                                                                 
    [*SSH Server-rsa-public-key-rsa-key-code] 9EBFCFFD D7645C35 EC32764B 28EAABFD 31C740AF 552FE37A                                                                 
    [*SSH Server-rsa-public-key-rsa-key-code] 0772DFBB F0D32DDB 8F6505D0 8989E69F 5FA95E7D 132B84BD                                                                 
    [*SSH Server-rsa-public-key-rsa-key-code] E89D8342 F10198DD 9F2980AF A06A311C A7359FA0 D5CBC186                                                                 
    [*SSH Server-rsa-public-key-rsa-key-code] 9DF21AC4 7621F630 3112753D 9AD37F5A CCE0341A 39D774A6                                                                 
    [*SSH Server-rsa-public-key-rsa-key-code] 4344A2B6 DE48CDED 8107F91E B582C3EB B10A418B 92397306                                                                 
    [*SSH Server-rsa-public-key-rsa-key-code] E16F68D2 A693361A A63C3138 A5E787F7 238D2016 96603CA3                                                                 
    [*SSH Server-rsa-public-key-rsa-key-code] 69B36F3D 1FDF370F A90AA914 20CBDA22 E9470606 7C38310D                                                                 
    [*SSH Server-rsa-public-key-rsa-key-code] EEA8D501 405D49DA 4B079726 7DB89C71 8BBF872F 7484E7FA                                                                 
    [*SSH Server-rsa-public-key-rsa-key-code] 7E212465 6276B6EE 9406D306 74BE7781 DD5CFE43 CEB30C7F                                                                 
    [*SSH Server-rsa-public-key-rsa-key-code] 020125                                
    [*SSH Server-rsa-public-key-rsa-key-code] public-key-code end                                      
    [*SSH Server-rsa-public-key] peer-public-key end
    [*SSH Server] ssh user client001 assign rsa-key pubkey
    [*SSH Server] commit
  4. Check whether first-time authentication is enabled on the SSH client.

    If the SSH client connects to the SSH server for the first time and the SSH server's public key is not configured on the SSH client, enable first-time authentication on the SSH client to access the SSH server and save the public key on the SSH client. The SSH client uses the saved public key to authenticate the SSH server the next time it connects to the server. By default, first-time authentication is disabled on the SSH client.
    • The check method is as follows:

      <HUAWEI> display current-configuration | include ssh
      ssh client first-time enable   

      If ssh client first-time enable is displayed in the command output, first-time authentication is enabled on the SSH client. Otherwise, first-time authentication is disabled.

    • The configuration method is as follows:

      <HUAWEI> system-view
      [~HUAWEI] ssh client first-time enable
      [*HUAWEI] commit
  5. Check whether the SSH versions of the SSH client and server match.

    There are two incompatible SSH versions: 1.x and 2.0. If the SSH version of the client is 2.0 and that of the server is 1.x, the client fails to log in to the server. Change the SSH version of the server to 2.0 to rectify the login failure fault caused by incompatible SSH versions.

    Compared with SSH 1.x, SSH 2.0 is expanded in structure to support more authentication modes and key exchange modes, and has higher security (avoiding security risks of SSH 1.X). Therefore, SSH 2.0 is recommended.

Updated: 2020-01-07

Document ID: EDOC1000060766

Views: 604675

Downloads: 2938

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Previous Next