ME60 Troubleshooting Guide V1.0 (VRPv8)

This document provides the maintenance guide of the device, including daily maintenance, emergency maintenance, and typical troubleshooting.
SSH Troubleshooting

This chapter describes common causes of SSH login failures and provides the corresponding troubleshooting flowcharts and examples.

A User Fails to Log in to the Server Using SSH

This section describes the step-by-step troubleshooting procedure to follow when a user fails to log in to the server using SSH.

Common Causes

This fault is commonly caused by one of the following:

  • The route between the client and server is unreachable; as a result, the TCP connection between the client and server cannot be established.
  • SSH services are not enabled.
  • SSH is not configured in the user interface VTY view.
  • The RSA public key is not configured on the SSH server and the client.
  • The user service type, authentication type, and user authentication service type are not configured.
  • The number of users logging in to the server has reached the upper threshold.
  • An ACL is configured in the user interface VTY view.
  • SSH versions of the server and the client are inconsistent.
  • The initial authentication function is not enabled on the SSH client.
Troubleshooting Flowchart
Figure 4-7 Troubleshooting flowchart for the fault that the user fails to log in to the server using SSH

Troubleshooting Procedure

Context

NOTE:

After the commands are configured to troubleshoot the faults, check the configuration validation mode to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to immediate validation mode.

  • In immediate validation mode, the configurations take effect after the commands are entered.
  • In two-phase validation mode, after the commands are configured, the commit command needs to be run to commit the configurations.

Save the results of each troubleshooting step so that if your troubleshooting attempts fail to correct the fault, you will have a record of your actions to present to Huawei.

Procedure

  1. Check network connectivity.

    Run the ping command to check network connectivity.

  2. Check whether SSH services are enabled.

    Run the display ssh server status command to view the configuration of the SSH server.

    <HUAWEI> display ssh server status
     SSH version                         :1.99
     SSH connection timeout              :60 seconds
     SSH server key generating interval  :0 hours
     SSH Authentication retries          :3 times
     SFTP server                         :Disable
     STELNET server                      :Disable
     SNETCONF server                     :Disable
    NOTE:

    If SSH services are enabled, go to Step 3.

    The command output shows that the SFTP, STelnet and SNetconf servers are not enabled. The user can log in to a server using SSH only after SSH services are enabled in the system. Run the following commands to enable the SSH server.

    <HUAWEI> system-view
    [HUAWEI] sftp server enable
    [HUAWEI] stelnet server enable
    [HUAWEI] snetconf server enable

  3. Check whether the access protocol configured in the VTY user interface view is correct.

    [HUAWEI] user-interface vty 0 4
    [HUAWEI-ui-vty0-4] display this
     user-interface vty 0 4
     authentication-mode aaa
     user privilege level 3
     idle-timeout 0 0
     protocol inbound all
    • If the user access protocol is set to Telnet, go to Step 4.
    • If the user access protocol is set to SSH or all, go to Step 5.

  4. Run the protocol inbound { ssh | all } command to set the user access protocol to SSH or all.

    [HUAWEI] user-interface vty 0 4
    [HUAWEI-ui-vty0-4] protocol inbound ssh

  5. Check whether the RSA public key is configured.

    When the device functions as an SSH server, the device must have a local key pair configured.

    Run the display rsa local-key-pair public command to check whether the key pair is configured on the current server. If the key pair is not configured, run the rsa local-key-pair create command to configure it.

    [HUAWEI] rsa local-key-pair create
    The key name will be:HUAWEI_Host 
    The range of public key size is (2048 ~ 2048). 
    NOTE: Key pair generation will take a short while. 
    

  6. Check that the user service type, authentication type, and authentication service type (for password authentication only) are configured.

    • Create an SSH user.

      [HUAWEI] ssh user abc
      [HUAWEI] ssh user abc authentication-type all
      [HUAWEI] ssh user abc service-type all
      [HUAWEI] ssh user abc sftp-directory cfcard:/ssh

      Configure the same SSH user in the AAA view and configure the authentication service type.

      [HUAWEI] aaa
      [HUAWEI-aaa] local-user abc password cipher abc-Pass123
      [HUAWEI-aaa] local-user abc service-type ssh
      [HUAWEI-aaa] quit
    • Configure password authentication as the default authentication mode for the SSH user.

      [HUAWEI] ssh authentication-type default password

      Configure the same SSH user in the AAA view and configure the authentication service type.

      [HUAWEI] aaa
      [HUAWEI-aaa] local-user abc password cipher abc-Pass123
      [HUAWEI-aaa] local-user abc service-type ssh
      [HUAWEI-aaa] quit

  7. Check whether the number of users logging in to the server has reached the upper threshold.

    Both SSH users and Telnet users log in to the server through VTY channels. The number of available VTY channels ranges from 0 to 21. When the number of users attempting to log in to the server through VTY channels is greater than 21, the new connection cannot be established between the user and the server.

    Log in to the server using a console interface and then run the display users command to check whether all the current VTY channels have been used. By default, a maximum of 5 users can log in to the server through VTY channels.

    [HUAWEI] display user-interface maximum-vty
     Maximum of VTY user:5
    [HUAWEI] display users
    User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
      34  VTY 0   03:31:35  TEL    10.138.81.138             pass           yes         Username : Unspecified
      35  VTY 1   03:51:58  TEL    10.137.128.126            pass           yes         Username : Unspecified
      36  VTY 2   00:10:14  TEL    10.138.81.184             pass           yes         Username : Unspecified
      37  VTY 3   02:31:58  TEL    10.138.80.199             pass           yes         Username : Unspecified
    + 39  VTY 5   00:00:00  TEL    10.138.78.80              pass           yes         Username : Unspecified

    If the number of users logging in to the server has reached the upper threshold, run the user-interface maximum-vty vty-number command to increase the maximum number of users allowed to log in to the server through VTY channels.

    [HUAWEI] user-interface maximum-vty 18

  8. Check whether an ACL is configured in the VTY user interface view.

    If an ACL with a permit rule is configured but the IP address of the client is not specified in the permit rule of the ACL, the user cannot log in to the server using SSH. To enable a user with a specific IP address to log in to the server using SSH, specify the IP address of the user in the ACL's permit rule.

  9. Check the SSH version.

    Run the display ssh server status command to check the SSH version.

    <HUAWEI> display ssh server status
     SSH version                         :1.99
     SSH connection timeout              :60 seconds
     SSH server key generating interval  :0 hours
     SSH Authentication retries          :3 times
     SFTP server                         :Enable
     Stelnet server                      :Enable
     SNETCONF server                     :Enable

    • If the client logging in to the server runs SSHv1, SSHv1 compatibility must be enabled on the server.

      <HUAWEI> system-view
      [HUAWEI] ssh server compatible-ssh1x enable

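      When the SSH server is made compatible with earlier SSH versions, the system displays a security risk prompt. SSHv1 is an obsolete protocol with known cryptographic weaknesses, so enable compatibility only for clients that cannot use SSHv2.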

  10. Collect the following information and contact Huawei technical support personnel.

    • Results of the preceding troubleshooting procedures
    • Configuration files, log files, and alarm files of the devices
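
The checks in Steps 2, 3, 7 and 9 can be run over saved command output. The following Python code is an added example, not part of the Huawei guide: the sample captures are constructed from the output shown above, the function names are hypothetical, and reading version 1.99 as "SSHv1 clients also accepted" follows RFC 4253 section 5.1 and is an assumption about this device.

```python
import re

# Constructed sample captures, modelled on the command output shown in the procedure.
STATUS = """\
 SSH version                         :1.99
 SSH connection timeout              :60 seconds
 SFTP server                         :Disable
 STELNET server                      :Enable
 SNETCONF server                     :Disable
"""
VTY_CONFIG = """\
 user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
"""
USERS = """\
  34  VTY 0   03:31:35  TEL    10.138.81.138   pass   yes
  35  VTY 1   03:51:58  TEL    10.137.128.126  pass   yes
+ 39  VTY 5   00:00:00  TEL    10.138.78.80    pass   yes
"""

def parse_status(text):
    """Turn 'name   :value' lines into a dict with lower-cased names."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def diagnose(status_text, vty_text, users_text, max_vty):
    """Return findings for Steps 2, 3, 7 and 9 of the procedure."""
    findings = []
    status = parse_status(status_text)
    for svc in ("sftp server", "stelnet server", "snetconf server"):
        if status.get(svc, "").lower() != "enable":
            findings.append(f"step 2: {svc} is not enabled")
    m = re.search(r"^\s*protocol inbound (\S+)", vty_text, re.M)
    proto = m.group(1).lower() if m else None
    if proto not in ("ssh", "all"):
        findings.append(f"step 3: protocol inbound is {proto or 'not shown'}; SSH is not permitted on the VTY")
    in_use = len(re.findall(r"^\+?\s*\d+\s+VTY\s+\d+", users_text, re.M))
    if in_use >= max_vty:
        findings.append(f"step 7: {in_use} of {max_vty} VTY channels in use")
    # Assumption: 1.99 is read as in RFC 4253 section 5.1 (SSHv1 clients also accepted).
    if status.get("ssh version") == "1.99":
        findings.append("step 9: server advertises version 1.99, so SSHv1 clients are accepted")
    return findings
```

Calling `diagnose(STATUS, VTY_CONFIG, USERS, 3)` on the constructed captures reports the disabled services, the Telnet-only VTY, the exhausted VTY channels and the SSHv1-compatible version in one pass.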

Relevant Alarms and Logs
Relevant Alarms

None.

Relevant Logs

None.

Updated: 2019-06-11

Document ID: EDOC1000175918
