topic Re: ICX7150 - no available SSH session in ICX Switches

ICX7150 - no available SSH session

andrea_tassi — Wed, 24 Apr 2019 12:25:15 GMT

Good evening to all, I would have a problem on a Ruckus ICX7150-48P-4X10GR switch installed in the company where I work, in some cases it involves connecting to ssh.
Initially we had no problem connecting to ssh, for about two weeks it has happened that trying to connect in ssh we have this error (I add stamp).
Receiving this error is as if there were no more sessions available for the ssh connection, connecting to the console giving the "sh who" command we actually see that the ssh sessions are almost all closed and therefore available.
The solution to this problem is to wait a few minutes (usually 10-15) to be able to connect again.

Has anyone like this happened to anyone?
The version mounted on the switch is
SW: Version 08.0.80dT211

Thank you in advance

Re: ICX7150 - no available SSH session

william_hadley_ — Wed, 24 Apr 2019 12:34:56 GMT

Hi,

Please try 8080e. It has 3 defects fixed for SSH.

Thanks
Bill

Re: ICX7150 - no available SSH session

ryan_guerrero_6 — Wed, 24 Apr 2019 13:06:45 GMT

Hi ,

if you copy and paste these commands you can connect via telnet

en

con t

telnet serv

wr mem

end

Re: ICX7150 - no available SSH session

ryan_guerrero_6 — Wed, 24 Apr 2019 13:09:01 GMT

Hi

I also found this online for enabling SSH:

http://docs.ruckuswireless.com/fastiron/08.0.80/fastiron-08080-securityguide/GUID-1D2BFDC1-B1B5-4B4D-B3BB-18B3D5BD410A.html

Thanks,
Ryan

Re: ICX7150 - no available SSH session

vu_pham_ghtztqm — Wed, 24 Apr 2019 13:41:15 GMT

Hi - Is this ICX7150 being managed by Smartzone? Or has SZ function been enable/disable on this ICX several times since bootup? If this is true, please upgrade to 8090a. I'm suspecting that it's running into a known issue which already fixed in 8090a. Also, 8090 is our long term patch, we're recommending 8090x over 8080x

Thanks,

Vu

Re: ICX7150 - no available SSH session

netwizz — Wed, 24 Apr 2019 19:43:28 GMT

I wouldn't use telenet... It is not encrypted nor secure!

Also if you use SMMP, I would recommend only v3 for the same reasons.

We have been running 08.0.80 code since 08.0.80b and have not run into the SSH issue. I would say, "good for us," but that doesn't help you.

*knocks on wood* before I start having problems with hundreds of devices running 08.0.80d, but thus far SSH works fine in our environment every time!

Based on the post above, if you want to disable Smartzone:
sz disable

Here is our SSH config:
ip ssh authentication-retries 2
ip ssh timeout 30
ip ssh idle-time 30
ip ssh scp disable
ip ssh encryption disable-aes-cbc

We are generating an RSA with a 2048 bit modulus:

crypto key generate rsa modulus 2048

We are also using RADIUS for the authentication with a backup account to authenticate if RADIUS is broken:

Our AAA looks like this:
aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode

username backupacct password .....
!
radius-server host 10.1.2.3
radius-server host 10.4.5.6
radius-server key 2 $dyIqJzYoZmlpdUldZzBzRShTOjIwXzkzJUNmME8rQjBdNE9QTG1JPVUiOidpFtGh4m2TaCU0XF44XDojb3RrZw==

Each device is uniquely keyed though if you really want, you can create a 10.0.0.0/8 entry in RADIUS for example or whatever your switch management IPs are and key everything with one entry if that is your desire.

If you do not run RADIUS your AAA will be something like:

aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode

Locking down by OOB or Access List(Unrelated):

Forgot to mention I would lock down SSH access to either Out-of-Bound Management or an Access list.

If you do an ACL, you want to make a simple Standard numbered or named Access list, so you are filtering simply based on the source.

A permit allows access, a deny doesn't. The lists are processed top down, and once it matches, execution terminates. There is an implicit deny all at the end, so if nothing matches and returns permit, then access will be denied.

Let's say you want to allow only one device to be able to SSH:

Here would be the Standard ACL statement:
permit host 10.1.2.3

You would apply it like:
ssh access-group

Specifically:
<1-99> Standard IP access list
ASCII string Standard Access List Name

Re: ICX7150 - no available SSH session

andrea_tassi — Mon, 29 Apr 2019 12:59:11 GMT

I updated the switch to 08.0.80eT211 as you suggested.
For now it seems to have solved everything, the problem is no longer recurring.

thanks for the help
Andrea