When trying to SSH to a Cisco Router or Switch you get this error
|
1 |
The remote system refused the connection |
This can be caused by a number of reasons
- The transport setting on the vty lines is not permitting SSH
- You do not have SSH enabled
- An Access-List is blocking SSH traffic
Lets look at each scenario and enable the appropiate setting
For this tutorial I am using a Cisco CSR1000V as a test router running on my esxi server. This is a new install with no configuration.
First check the VTY lines with a simple show run and scroll to the bottom
|
1 2 3 4 5 6 7 8 9 10 |
line vty 0 login transport input none line vty 1 login length 0 transport input none line vty 2 4 login transport input none |
Here you can see that for all VTY lines the transport input has been set to none – This means no connectivity!
Let fix that with one command
|
1 2 3 |
conf t line vty 0 4 transport input ssh |
Now do a show run again and you will see transport input ssh on all lines
|
1 2 3 4 5 6 7 8 9 10 |
line vty 0 login transport input ssh line vty 1 login length 0 transport input ssh line vty 2 4 login transport input ssh |
If we try to SSH to the router now it still fails
|
1 |
The remote system refused the connection. |
So lets move to step 2 – enable SSH
If you run this command
|
1 |
sh run | inc ssh |
It will show you what SSH is setup
In this case none
R1# sh run | inc ssh
R1#
So lets generate some SSH keys
|
1 2 3 4 5 6 7 |
conf t crypto key generate rsa usage-keys modulus 2048 % Please define a domain-name first. R1(config)# |
This will fail as we have not specified a DNS name
|
1 2 |
conf t ip domain-name rogerperkin.co.uk |
Now run the crytpo command again and you will see SSH is enabled.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
R1(config)#crypto key generate rsa usage-keys modulus 2048 The name for the keys will be: R1.rogerperkin.co.uk % The key modulus size is 2048 bits % Generating 2048 bit RSA keys, keys will be non-exportable... [OK] (elapsed time was 1 seconds) % Generating 2048 bit RSA keys, keys will be non-exportable... [OK] (elapsed time was 0 seconds) R1(config)# *Dec 8 13:50:23.468: %SSH-5-ENABLED: SSH 1.99 has been enabled |
Lets try and SSH to our router again
Bingo!
We now have SSH access to our device
The final reason is an access list on vty lines – this can be checked at the first stage to see if there is any security blocking access.
I hope this helps!
Roger
Read about Rogers' CCIE Journey here "My CCIE Journey."
You can read more about who Roger is here About Roger.
Feel free to Send Roger a message here
Follow Roger on Twitter -- Google Plus and on Linkedin
Leave a Reply