Roger Perkin

Network Automation Architect

The Remote System Refused the Connection – Cisco Router SSH

When trying to SSH to a Cisco Router or Switch you get this error

The remote system refused the connection

This can be caused by a number of reasons

  • The transport setting on the vty lines is not permitting SSH
  • You do not have SSH enabled
  • An Access-List is blocking SSH traffic

Lets look at each scenario and enable the appropiate setting 

For this tutorial I am using a Cisco CSR1000V as a test router running on my esxi server. This is a new install with no configuration.

First check the VTY lines with a simple show run and scroll to the bottom

line vty 0
 login
 transport input none
line vty 1
 login
 length 0
 transport input none
line vty 2 4
 login
 transport input none

Here you can see that for all VTY lines the transport input has been set to none – This means no connectivity!

Let fix that with one command

conf t
line vty 0 4
transport input ssh

Now do a show run again and you will see transport input ssh on all lines

line vty 0
 login
 transport input ssh
line vty 1
 login
 length 0
 transport input ssh
line vty 2 4
 login
 transport input ssh

If we try to SSH to the router now it still fails

The remote system refused the connection.

So lets move to step 2 – enable SSH

If you run this command

sh run | inc ssh

It will show you what SSH is setup

In this case none

R1# sh run | inc ssh
R1#

So lets generate some SSH keys

conf t
crypto key generate rsa usage-keys modulus 2048 


% Please define a domain-name first.
R1(config)#

This will fail as we have not specified a DNS name

conf t
ip domain-name rogerperkin.co.uk

Now run the crytpo command again and you will see SSH is enabled.

R1(config)#crypto key generate rsa usage-keys modulus 2048 
The name for the keys will be: R1.rogerperkin.co.uk

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

R1(config)#
*Dec 8 13:50:23.468: %SSH-5-ENABLED: SSH 1.99 has been enabled

Lets try and SSH to our router again

the remote system refused the connection cisco ssh tutorial

Bingo!

We now have SSH access to our device

The final reason is an access list on vty lines – this can be checked at the first stage to see if there is any security blocking access.

I hope this helps!

Roger

Category:
ansible course for network engineers
Get Access to my Ansible Course NOW