
AR Router Troubleshooting Guide

This document provides guidance for maintaining AR Enterprise Router devices. It covers common information-collection and fault-diagnosis commands, typical fault troubleshooting guides, and step-by-step troubleshooting procedures.
The User Fails to Log in to the Server Through SSH

This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that the user fails to log in to the server through SSH.

Common Causes

This fault is commonly caused by one of the following:

  • The route is unreachable and the user cannot set up a TCP connection with the server.
  • SSH services are not enabled.
  • SSH is not configured in the user interface VTY view.
  • The RSA public key is not configured on the SSH server and the client.
  • The user service type, authentication type, and user authentication service type are not configured.
  • The number of users logging in to the server reaches the upper threshold.
  • An ACL is configured in the user interface VTY view.
  • SSH versions of the server and the client are inconsistent.
  • The initial authentication function is not enabled on the SSH client.

Troubleshooting Flowchart


When an SSH client fails to connect to the SSH server, rectify the fault according to Figure 13-3.

Figure 13-3  SSH connection failure troubleshooting flowchart

Troubleshooting Procedure

NOTE:

Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.

Procedure

  1. Check whether the SSH client and SSH server can communicate with each other.

    On the SSH client and SSH server, run the ping command to check the network connectivity. If the ping fails, the SSH connection cannot be established between the user and the server.

    Also check whether packet loss occurs on the network and whether the user's access link is stable.

  2. Check whether the SSH service on the SSH server is started.

    Log in to the SSH server by means of Telnet and run the display ssh server status command to view the configuration of the SSH server. The SFTP service is used as an example.

    <Huawei> display ssh server status
     SSH version                         :1.99
     SSH connection timeout              :60 seconds
     SSH server key generating interval  :0 hours
     SSH Authentication retries          :3 times
     SFTP server                         :Disable
     Stelnet server                      :Disable

    The command output shows that the SFTP server is not enabled. A user can log in to the server through SSH only after the corresponding SSH service is enabled on the system. Run the following commands to enable the SFTP service (use stelnet server enable for the STelnet service).

    <Huawei> system-view
    [Huawei] sftp server enable

  3. On the SSH server, check that the access protocol configured in the VTY user interface view is correct.

    [Huawei] user-interface vty 0 4
    [Huawei-ui-vty0-4] display this
    user-interface vty 0 4
     authentication-mode aaa
     user privilege level 3
     idle-timeout 0 0
     protocol inbound ssh

    Run the protocol inbound { all | ssh | telnet } command to configure the user access protocol. By default, the user access protocol is Telnet. If the user access protocol is set to telnet, the user cannot log in to the server through SSH. If it is set to ssh or all, the user can log in to the server through SSH.

  4. Check whether an RSA public key is configured on the SSH server.

    When serving as an SSH server, a device must be configured with a local key pair.

    On the SSH server, run the display rsa local-key-pair public command to check whether the key pair is configured on the current server. If the key pair is not configured, run the rsa local-key-pair create command to create it. Choose the largest modulus the device supports (2048 bits in the prompt shown below); 512-bit and 768-bit RSA keys are considered too weak for current use.

    [Huawei] rsa local-key-pair create
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512,
           It will take a few minutes.
    Input the bits in the modulus[default = 512]: 768
    Generating keys...
    ...........................++++++++
    .++++++++
    ...............+++++++++
    ......+++++++++

  5. (Optional) Check whether an SSH user is configured on the SSH server.

    An SSH user must be configured on the SSH server. Run the display ssh user-information command to view the configuration of the SSH user. If no SSH user is configured, run the local-user user-name password irreversible-cipher password and local-user user-name service-type ssh commands in the AAA view to create an SSH user.

    NOTE:

    If the SFTP service is enabled, run the local-user user-name ftp-directory directory command in the AAA view to configure the SFTP directory for the SSH user.


    • Create an SSH user.

      [Huawei] aaa
      [Huawei-aaa] local-user abc password irreversible-cipher Huawei@123
      [Huawei-aaa] local-user abc service-type ssh
      [Huawei-aaa] local-user abc ftp-directory flash:/ssh
    • The default authentication mode of the SSH user is password. To change the authentication mode, run the ssh user authentication-type command.

  6. Check whether the number of SSH login users has reached the maximum.

    For the STelnet and Telnet services, both STelnet users and Telnet users log in to the server through VTY channels. The number of available VTY channels ranges from 5 to 15. When the number of users attempting to log in to the server through VTY channels exceeds 15, no new connection can be established between the user and the server.

    Log in to the SSH server through a console interface and run the display users command to check whether all the current VTY channels are used. By default, a maximum of 5 users can log in to the server through VTY channels.

    <Huawei> display user-interface maximum-vty
     Maximum of VTY user:5
    <Huawei> display users
    User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
      129  VTY 0   03:31:35  TEL    10.1.1.1                  pass           no
    Username : Unspecified
      130  VTY 1   03:51:58  TEL    10.1.1.2                  pass           no
    Username : Unspecified
      131  VTY 2   00:10:14  TEL    10.1.1.3                  pass           no
    Username : Unspecified
      132  VTY 3   02:31:58  TEL    10.1.1.4                  pass           no
    Username : Unspecified
    + 133  VTY 4   00:00:00  TEL    10.1.1.5                  pass           no
    Username : Unspecified

    If the number of users logging in to the server reaches the upper threshold, you can run the user-interface maximum-vty vty-number command to increase the maximum number of users allowed to log in to the server through VTY channels to 15.

    <Huawei> system-view
    [Huawei] user-interface maximum-vty 15

  7. Check whether an ACL is configured in the VTY user interface view on the SSH server.

    Run the user-interface command on the SSH server to enter the VTY user interface view. Then, run the display this command to check whether an ACL is configured in the VTY user interface view. If an ACL is configured, record the ACL number.

    Run the display acl command on the SSH server to check whether the SSH client address is denied by that ACL. If an ACL is applied to the VTY user interface and it does not permit the client address, the user fails to log in to the server by means of STelnet or SFTP. To allow a user with a specific IP address to log in to the server through STelnet, permit that IP address in the ACL.

  8. Check the SSH versions on the SSH client and SSH server.

    On the SSH server, run the display ssh server status command to check the SSH version.

    <Huawei> display ssh server status
     SSH version                         :1.99
     SSH connection timeout              :60 seconds
     SSH server key generating interval  :0 hours
     SSH Authentication retries          :3 times
     SFTP server                         :Enable
     Stelnet server                      :Disable

    If the client logging in to the server uses SSHv1, SSHv1 compatibility must be enabled on the server. Enable it only for clients that genuinely require SSHv1, since that protocol version is obsolete and weaker than SSHv2.

    <Huawei> system-view
    [Huawei] ssh server compatible-ssh1x enable

  9. Check whether first-time authentication is enabled on the SSH client.

    Run the display this command in the system view on the SSH client to check whether first-time authentication is enabled.

    After first-time authentication is enabled, the validity of the RSA public key of the SSH server does not need to be checked when an SFTP user logs in to the SSH server for the first time. This is because the RSA public key of the SSH server is not yet kept on the SFTP client. Note that the server's public key is accepted without verification on that first connection, so confirm it out of band.

    If first-time authentication is not enabled, an SFTP user fails to log in to the SSH server because the validity check of the RSA public key fails.

    <Huawei> system-view
    [Huawei] ssh client first-time enable

  10. Collect the following information and contact technical support personnel:

    • Results of the preceding troubleshooting procedures
    • Configuration files, log files, and alarm files of the devices
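As an added example (not part of this guide and not Huawei code), the following Python checker parses the three display outputs that steps 2, 3 and 6 rely on and reports which of those steps needs attention. The sample outputs are constructed after the guide's own examples; the step numbers it returns refer to the procedure above.

```python
import re
# Constructed samples modelled on the guide's display outputs, not captured from a device.
SSH_STATUS = """\
 SSH version                         :1.99
 SFTP server                         :Disable
 Stelnet server                      :Disable
"""
VTY_CONFIG = """\
user-interface vty 0 4
 protocol inbound telnet
"""
USERS = """\
User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  129  VTY 0   03:31:35  TEL    10.1.1.1                  pass           no
Username : Unspecified
  130  VTY 1   03:51:58  TEL    10.1.1.2                  pass           no
Username : Unspecified
+ 131  VTY 2   00:10:14  TEL    10.1.1.3                  pass           no
Username : Unspecified
"""

def parse_ssh_status(text):
    """'display ssh server status' rows are 'name :value'; return them as a dict."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def inbound_protocol(config):
    """Protocol accepted on the VTY; the guide states Telnet is the default when unset."""
    m = re.search(r"^\s*protocol inbound (\S+)", config, re.M)
    return m.group(1) if m else "telnet"

def vty_in_use(users):
    """Count VTY rows in 'display users' (a leading '+' marks the current session)."""
    return len(re.findall(r"^\s*\+?\s*\d+\s+VTY\s+\d+\s", users, re.M))

def diagnose(status, config, users, max_vty=5, service="sftp"):
    """Return the guide's step numbers whose check fails for the given outputs."""
    fields = parse_ssh_status(status)
    service_row = "SFTP server" if service == "sftp" else "Stelnet server"
    failed = []
    if fields.get(service_row) != "Enable":
        failed.append(2)   # step 2: the SSH service is not started
    if inbound_protocol(config) not in ("ssh", "all"):
        failed.append(3)   # step 3: the VTY view does not accept SSH
    if vty_in_use(users) >= max_vty:
        failed.append(6)   # step 6: every VTY channel is already in use
    return failed
```

Pass max_vty the value shown by display user-interface maximum-vty on the device being checked.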

Updated: 2019-05-10

Document ID: EDOC1000079719