SSH/5/SSH_USER_LOGIN_FAIL
Message
SSH/5/SSH_USER_LOGIN_FAIL: The SSH user failed to login. (ServiceType=[ServiceType], FailedReason=[FailedReason], UserName=[UserName], IPAddress=[IPAddress], VPNInstanceName=[VPNInstanceName].)
Parameters
Parameter Name | Parameter Meaning |
---|---|
ServiceType | Service type. |
FailedReason | Cause of the login failure. |
UserName | User name. |
IPAddress | IP address of the client. |
VPNInstanceName | Index of the VPN instance name. |
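The message format above can be parsed for triage, for example to separate a single misconfigured client from a source that tries many user names. The following is an added example, not part of the original reference or the vendor's code; the timestamp and host prefix, the sample field values (including the FailedReason wording), the function names, and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Field order follows the message definition on this page.
LOG_RE = re.compile(
    r"SSH/5/SSH_USER_LOGIN_FAIL:.*?\("
    r"ServiceType=(?P<ServiceType>.*?), "
    r"FailedReason=(?P<FailedReason>.*?), "
    r"UserName=(?P<UserName>.*?), "
    r"IPAddress=(?P<IPAddress>.*?), "
    r"VPNInstanceName=(?P<VPNInstanceName>.*?)\.?\)\s*$"
)

def parse(line):
    """Return the five fields as a dict, or None for any other message."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def failures_by_source(lines, threshold=3):
    """Group failures per (VPN instance, client IP); keep sources at or above threshold."""
    stats = defaultdict(lambda: {"count": 0, "users": set(), "reasons": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not an SSH_USER_LOGIN_FAIL line
        s = stats[(rec["VPNInstanceName"], rec["IPAddress"])]
        s["count"] += 1
        s["users"].add(rec["UserName"])
        s["reasons"].add(rec["FailedReason"])
    return {k: v for k, v in stats.items() if v["count"] >= threshold}

# Constructed sample lines; real device prefixes and reason strings may differ.
_T = ("Jan 10 08:00:0{n} sw1 SSH/5/SSH_USER_LOGIN_FAIL: The SSH user failed to login. "
      "(ServiceType=stelnet, FailedReason={r}, UserName={u}, IPAddress={ip}, "
      "VPNInstanceName=_public_.)")
BAD_PW = "The user name or password is incorrect"
SAMPLE = [
    _T.format(n=1, r=BAD_PW, u="admin", ip="198.51.100.7"),
    _T.format(n=2, r="The SSH user does not exist", u="root", ip="198.51.100.7"),
    _T.format(n=3, r="The SSH user does not exist", u="test", ip="198.51.100.7"),
    _T.format(n=4, r=BAD_PW, u="admin", ip="198.51.100.7"),
    _T.format(n=5, r="A deny rule is set for the IP address in ACL", u="netops", ip="192.0.2.10"),
    "Jan 10 08:00:06 sw1 OTHER/6/EXAMPLE: unrelated line (constructed)",
]

if __name__ == "__main__":
    for (vpn, ip), s in failures_by_source(SAMPLE).items():
        print(f"{ip} vpn={vpn} failures={s['count']} users={sorted(s['users'])}")
```

A source with several distinct user names and "does not exist" reasons points to guessing rather than to one of the configuration causes listed below.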
Possible Causes
The possible causes are as follows:
Cause 1:
The SSH user does not exist.
Cause 2:
The RSA, DSA, or ECC key does not exist.
Cause 3:
The user name or password is incorrect.
Cause 4:
The service is not enabled.
Cause 5:
A deny rule is set for the IP address in ACL.
Cause 6:
The maximum number of sessions is reached.
Cause 7:
The user does not have permissions for the default directory.
Cause 8:
The SSH server does not support SSHv1.
Procedure
- Run the display ssh user-information command to view the configuration of all the SSH users.
  - If the SSH user is not configured, run the ssh user command to create an SSH user.
  - If the SSH user is configured, go to other steps.
- Run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command to view the public key in the local key pair.
  - If the RSA, DSA, or ECC key is not configured, run the rsa local-key-pair create, display dsa local-key-pair public, ecc local-key-pair create command to generate the local host key pair and the server key pair.
  - If the RSA, DSA, or ECC key is configured, go to other steps.
- Ensure that the user name and password are correct.
- Ensure that the services are enabled.
- Run the display acl command to review ACL rules.
  - If the user IP address matches a rule with the behavior of deny, run the acl command to enter the ACL view and run the rule command to change the behavior from deny to permit.
  - If the user IP address does not match a rule with the behavior of deny, go to other steps.
- Ensure that the maximum sessions are not reached.
- Enable SSH users to access the default directory on the SSH server.
- Check the supported SSH versions using the display ssh server status command, and use a correct SSH version to log in to the system. SSHv1 is insecure and therefore not recommended.
- Collect configuration information and log messages, and then contact technical support personnel.