When trying to SSH to a Cisco router or switch you get this error:
The remote system refused the connection
This can have a number of causes:
- The transport setting on the vty lines is not permitting SSH
- You do not have SSH enabled
- An Access-List is blocking SSH traffic
Let's look at each scenario and enable the appropriate setting.
For this tutorial I am using a Cisco CSR1000V as a test router running on my ESXi server. This is a new install with no configuration.
First, check the VTY lines with a simple show run and scroll to the bottom
line vty 0
 login
 transport input none
line vty 1
 login
 length 0
 transport input none
line vty 2 4
 login
 transport input none
Here you can see that for all VTY lines the transport input has been set to none – this means no remote connectivity on those lines at all!
Let's fix that with one command
conf t
line vty 0 4
 transport input ssh
Now do a show run again and you will see transport input ssh on all lines
line vty 0
 login
 transport input ssh
line vty 1
 login
 length 0
 transport input ssh
line vty 2 4
 login
 transport input ssh
If we try to SSH to the router now it still fails
The remote system refused the connection.
So let's move to step 2 – enable SSH
If you run this command
sh run | inc ssh
It will show you what SSH configuration is present.
In this case, none:
R1# sh run | inc ssh
R1#
So let's generate the SSH keys
conf t
crypto key generate rsa usage-keys modulus 2048
% Please define a domain-name first.
R1(config)#
This fails because we have not yet specified a domain name
conf t
ip domain-name rogerperkin.co.uk
Now run the crypto command again and you will see SSH is enabled.
R1(config)#crypto key generate rsa usage-keys modulus 2048
The name for the keys will be: R1.rogerperkin.co.uk
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
R1(config)#
*Dec 8 13:50:23.468: %SSH-5-ENABLED: SSH 1.99 has been enabled
Let's try and SSH to our router again
Bingo!
We now have SSH access to our device
The final cause is an access list applied to the VTY lines – check for this at the first stage, when you look at the VTY line configuration, to see whether any security is blocking access.
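As an added example (not from the original post), here is a small Python checker that walks a saved show run and flags the three causes covered above: a VTY transport input that excludes SSH, an access list applied to a VTY line, and a missing domain name that would stop key generation. The sample config below is constructed to mirror the router's initial state; the function name and output wording are my own.

```python
import re

# Constructed sample 'show run' text, modelled on the router's initial state
SAMPLE_RUNNING_CONFIG = """\
hostname R1
!
line vty 0
 login
 transport input none
line vty 1
 login
 length 0
 transport input none
line vty 2 4
 login
 transport input none
!
end
"""

def parse_vty_lines(config):
    """Map each 'line vty ...' header to its indented child commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # any non-indented line ends the block
    return blocks

def check_ssh_reachability(config):
    """Return findings that explain why SSH to the VTYs may be refused."""
    findings = []
    vtys = parse_vty_lines(config)
    if not vtys:
        findings.append("no 'line vty' configuration found")
    for name, cmds in vtys.items():
        transport = [c for c in cmds if c.startswith("transport input")]
        # Only an explicit transport line that lacks ssh/all is reported
        if transport and not re.search(r"\b(ssh|all)\b", transport[-1]):
            findings.append(f"{name}: '{transport[-1]}' blocks SSH")
        if any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: access-class applied, confirm it permits your source")
    if not re.search(r"^ip domain[- ]name\s+\S+", config, re.M):
        findings.append("no ip domain-name set, so 'crypto key generate rsa' will be refused")
    return findings

if __name__ == "__main__":
    for finding in check_ssh_reachability(SAMPLE_RUNNING_CONFIG):
        print("-", finding)
```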
I hope this helps!
Roger