Cause Analysis and Solutions for NE Router Login Failures

This document describes the possible causes of and solutions to login failures on NE routers.

Login Failure Cause Analysis and Solutions


User Login Modes

Users can log in to a device for local or remote configuration, monitoring, or maintenance only after VTY user interfaces, user management, and terminal services are configured. User interfaces provide the login portal, user management ensures login security, and terminal services offer login protocols.

Users can log in to a device through the console port, Telnet, or STelnet. Different login modes require different device configurations. For details, see Table 1-1.

Telnet is not as secure as STelnet. Therefore, STelnet is recommended.

Table 1-1 User login modes

Login Mode | Login Description

Login through the console port

To log in to a device from a PC through the console port, connect the console port of the device to the COM port of the PC through a serial cable.

Use this login mode when a device is powered on for the first time or if Telnet or STelnet cannot be used.

Login through Telnet

This login mode is disabled by default. Before logging in to a device through Telnet, log in through the console port and perform the following operations:

  • Configure an IP address for the management network port on the device and ensure that routes are available between the user terminal and the device. By default, the IP address of the management network port is 192.168.0.1/24.

  • Configure an authentication mode for VTY user interfaces. The default authentication mode is none for VTY user interfaces.

  • Configure a user level for VTY user interfaces. By default, the user level is 0 for VTY user interfaces.

  • Enable the Telnet server function. By default, the Telnet server function is disabled.

Login through STelnet

By default, a device allows users to log in using STelnet through the management network port.
NOTE:

After a device is powered on, the management network port is automatically bound to a reserved VPN (__LOCAL_OAM_VPN__) and is assigned the IP address 192.168.0.1/24. This IP address can be changed or deleted, and the management network port can be shut down as required.

To log in to the device from a terminal through SSH (STelnet), assign any other IP address on the network segment 192.168.0.0/24 to the terminal. The default username and password are root and Changeme_123, respectively. Change the default username and password promptly to ensure service security.

If you do not want to use the default username root and password Changeme_123 to log in through the management network port, first log in to the device locally through the console port and perform the following configurations:

  • Configure an IP address for the management network port on the device and ensure that routes are available between the user terminal and the device. By default, the IP address of the management network port is 192.168.0.1/24.

  • Configure an authentication mode for VTY user interfaces. The default authentication mode is none for VTY user interfaces.

  • Configure a user level for VTY user interfaces. By default, the user level is 0 for VTY user interfaces.

  • Configure VTY user interfaces to support SSH. By default, VTY user interfaces support Telnet.

  • Configure an SSH user and specify STelnet as a service mode. By default, no SSH user is configured on the device, and the service mode of SSH users is empty (no service mode is supported).

  • Enable the STelnet server function.

Possible Causes of Login Failures

This section describes the possible causes of login failures. Before troubleshooting a login failure, ensure that the main control board of the device is running properly. If the RUN indicator on the main control board is green and blinks at a frequency of 0.5 Hz, the device is running properly. Otherwise, the device is not running properly, and you must check the device hardware first.

Table 1-2 Login failure cause analysis

Login Mode | Possible Cause | Solution

Login through the console port

A serial cable is connected to the slave main control board, not to the master main control board.

Connect the serial cable to the console port on the master main control board.

NOTE:

To determine whether a main control board is the master or slave main control board, check the ACT indicator on the board. If this indicator is steady green, the main control board is the master main control board. If this indicator is off, the main control board is the slave main control board.

The pinout of the serial cable connected to the ATN, NE05E, or NE08E does not meet requirements.

Replace the cable with one that meets requirements. For details about serial cable requirements, see the product documentation.

The parameters of HyperTerminal on the PC are inconsistent with those configured on the device.

Ensure that the following parameters of HyperTerminal on the PC are consistent with the default parameters of the device:

  • Bits per second. The default value is 9600.
  • Flow control. The default value is none.
  • Parity. The default value is none.
  • Stop bits. The default value is 1.
  • Data bits. The default value is 8.
    NOTE:

    When the device is powered on for the first time, the preceding parameters of HyperTerminal must be the same as the default parameters of the device. Otherwise, login to the device fails.

Login through Telnet/STelnet

The PC fails to ping the device's login address because the link transmission delay is too long.

Increase the ping packet timeout interval.

The PC fails to ping the device's login address because routing or ARP entries are incorrect on nodes through which ping packets pass.

Check the reachability of the destination IP address of each node hop by hop along the path between the two ends and the ARP entries learned by the nodes.

The number of users who access VTY user interfaces exceeds the upper limit. As a result, new users cannot access the VTY user interfaces.

  • Log in to the device through the console port and run the kill user-interface command to disconnect some users from the VTY user interfaces.
  • Log in to the device through the console port and run the user-interface maximum-vty command to change the maximum number of users allowed to access VTY user interfaces. By default, the maximum number of Telnet and SSH users allowed to access VTY user interfaces is 5.

An ACL is configured in the VTY user interface view to filter out the Telnet or SSH source IP address.

Modify the ACL to ensure that the Telnet or SSH source IP address is not filtered out.

The protocol supported by the current VTY user interface is incorrectly configured.

Run the protocol inbound { all | ssh | telnet } command to configure the protocol supported by the current VTY user interface.

  • If the protocol inbound ssh command is run, users cannot access the current VTY user interface through Telnet.

  • If the protocol inbound all command is run, users can access the current VTY user interface through Telnet or SSH.

  • If the protocol inbound telnet command is run, users cannot access the current VTY user interface through SSH.

Password authentication fails.

For details, see "How Do I Clear a Console Port Password After a Login Failure?"

Login through Telnet

Port 23 is not enabled, as shown in the display tcp status command output.

Run the telnet server-source all-interface or telnet ipv6 server-source all-interface command to allow users to log in to the Telnet server through any valid interface.

No login authentication is configured.

Perform either of the following operations as required:

  • Run the authentication-mode password command to set the login authentication mode to password, and configure an authentication password.

  • Run the authentication-mode aaa command to set the login authentication mode to aaa and run the local-user password command to create a local AAA user and set a login password for the user.

The ACL configured on the device filters out the Telnet source IP addresses of users.

Modify the ACL specified in the telnet server acl command to ensure that the Telnet source IP addresses of users are not filtered out.

Login through STelnet

Port 22 is not enabled, as shown in the display tcp status command output.

Run the ssh server-source all-interface or ssh ipv6 server-source all-interface command to allow users to log in to the SSH server through any valid interface.

The ACL configured on the device filters out the SSH source IP addresses of users.

Modify the ACL specified in the ssh server acl command to ensure that the SSH source IP addresses of users are not filtered out.

The STelnet service is disabled.

Run the display ssh server status command to check the global configuration information of the STelnet server. If the status of the server is Disable, run the stelnet server enable command to enable the STelnet service.

No RSA public key is configured on the device.

Run the display rsa local-key-pair public command to check the RSA public key in the local key pair. If no RSA public key is configured in the local key pair, run the rsa local-key-pair create command to generate the local RSA key pair.

The SSH client uses SSHv1, but the device (server) is not configured to be compatible with earlier SSH versions.

Run the display ssh server status command to check the value of the SSH version 1.x compatibility field. If the value is Disable, run the ssh server compatible-ssh1x enable command on the device to configure it to be compatible with earlier SSH versions.

NOTE:

Enabling the device to be compatible with earlier SSH versions poses security risks to the system.

RADIUS authentication fails after it is configured on the device.

  • Check that the IP address of the RADIUS server is reachable.
  • Check that an SSH user service type and user authentication mode are configured on the device. To configure an SSH user service type and user authentication mode, you can run the following three commands:

    ssh user user-name

    ssh user user-name service-type stelnet

    ssh user user-name authentication-type

    Alternatively, run the ssh authentication-type default password command.

The configured user privilege level is too low.

Log in to the device through the console port and run the user privilege level command to configure a desired user privilege level.
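
The login settings that Tables 1-1 and 1-2 describe can also be reviewed offline in a saved configuration. The following Python script is an added example, not Huawei code: it flags Telnet exposure, compatibility with earlier SSH versions, and VTY user interfaces left at the defaults stated above (authentication mode none, Telnet as the supported protocol). The sample configuration is constructed, and the file layout (a user-interface vty header followed by indented lines, with # as a separator) is an assumption.

```python
import re

# Constructed sample configuration, not taken from a real device. The layout
# (a "user-interface vty" header followed by indented lines) is an assumption.
SAMPLE_CONFIG = """\
telnet server-source all-interface
ssh server compatible-ssh1x enable
#
user-interface maximum-vty 5
user-interface vty 0 4
 protocol inbound all
#
"""

def parse_config(config):
    """Split a configuration into global lines and per-VTY setting lists."""
    global_lines, vty, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                      # blank line or separator ends a view
        elif line.startswith("user-interface vty"):
            current = vty.setdefault(line, [])  # enter a VTY user interface view
        elif raw[0].isspace() and current is not None:
            current.append(line)                # setting inside the VTY view
        else:
            current = None
            global_lines.append(line)
    return global_lines, vty

def setting(lines, prefix, default):
    """Last word of the first line starting with prefix, else the stated default."""
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)

def audit(config):
    """Return findings for the login settings described in Tables 1-1 and 1-2."""
    global_lines, vty = parse_config(config)
    findings = []
    if any(re.match(r"telnet( ipv6)? server-source ", g) for g in global_lines):
        findings.append("global: Telnet login is allowed; STelnet is recommended")
    if "ssh server compatible-ssh1x enable" in global_lines:
        findings.append("global: compatibility with earlier SSH versions is enabled")
    for header, lines in vty.items():
        if setting(lines, "authentication-mode ", "none") == "none":
            findings.append(f"{header}: authentication mode is none")
        proto = setting(lines, "protocol inbound ", "telnet")
        if proto != "ssh":
            findings.append(f"{header}: protocol inbound {proto} accepts Telnet")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns four findings; a configuration whose VTY user interfaces set authentication-mode aaa and protocol inbound ssh, with no Telnet or SSHv1 compatibility lines, returns none.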

How Do I Clear a Console Port Password After a Login Failure?

This section uses a Huawei router as an example to describe how to clear a console port password.

Information displayed in the HyperTerminal window may vary according to the router type. Perform operations as prompted.

Procedure

  1. Log in to the device through the console port.
  2. Restart the device. During the restart, the following information is displayed in the HyperTerminal window:
    	*********************************************************
    	*      Copyright 2011-2012 Huawei Tech. Co., Ltd.       *
    	*********************************************************
    	Bios Version Data: Mar 19 2014 09:28:05
    	Clock Configuration:
    	       CPU:1200 MHz
    	       CCB:600  MHz
    	       DDR:400  MHz (800 MT/s data rate) (Asynchronous)
    	       LBC:37.500 MHz
    	Board Name ....................................... CX68MPUK
    	SDRAM Size ....................................... 2048MB
    	SDRAM ECC initializing ........................... pass 
    	Press CTRL+T for full memory test ................   0 0 0skip
    	
    	Memory Test ...................................... pass
    	
    	 Normal Boot ...
    	Press Ctrl+A to enter bios Menu...  
    	Boot from main ... 
    	gd->board_type: 4050020
    	FPGA load ........................................ pass
    	FPGA version: 2012-12-26
    	Net:   USB:   Register 10011 NbrPorts 1
    	USB EHCI 1.00
    	scanning bus for devices... 2 USB Device(s) found
    	       scanning bus for storage devices... 
    	1 Storage Device(s) found
    	
    	Main Boot Version data: Mar 21 2014 time: 11:26:20
    	
    	Press Ctrl+B to enter bootload Menu...   1
      Password:
  3. Press Ctrl+B within 3 seconds after the message "Press Ctrl+B to enter Main Menu... 3" is displayed.
  4. Enter the password to access the BootLoad menu.
    • The default passwords for the BootLoad system and BIOS system are both WWW@HUAWEI. Using the default password poses security risks. You are advised to set a new password after login and change it periodically. The two passwords are independent of each other, and you can change them separately in their main menus.
    • After an upgrade, the BIOS system menu password is reset to the default WWW@HUAWEI. You are advised to set a new password after login and change it periodically.
    • A new password must be a string of no less than six characters with at least three of the following types of characters: uppercase letters, lowercase letters, digits, and special characters.
  5. Choose 9. Clear password for console user from the main menu. The message "clear console pwd flag has been set" is then displayed.
          Bootload Menu(Hiboot Version: 04.00)
    
         1. Boot with default mode
         2. Boot from CFcard
         3. Enter ethernet submenu
         4. Set boot file and path
         5. Modify boot ROM password
         6. List file in CFcard
         7. Modify System and Chassis Parameters
         8. Modify start mode
         9. Clear password for console user
        10. Reboot
        11. Enter TPM Submenu
    
    Enter your choice(1-11):9 
    
    clear console pwd flag has been set.
    
  6. When the message "Please Press ENTER." is displayed, the system has cleared the console password flag. In this case, press Enter, set a new password for login through the console port, and then log in to the device. After the login succeeds, you can set an address for the management network port and complete other settings.
    Please configure the login password (8-16) 
    Enter Password: 
    Confirm Password: 
    Info: The max number of VTY users is 5, the number of current VTY users online 
  7. Choose 10. Reboot to restart the device so that the configuration file takes effect.

Updated: 2019-12-18

Document ID: EDOC1100118960
