ICX7150 - no available SSH session

andrea_tassi
New Contributor


Good evening to all. I have a problem with a Ruckus ICX7150-48P-4X10GR switch installed in the company where I work; in some cases it involves connecting via SSH.
Initially we had no problem connecting via SSH; for about two weeks now, when trying to connect via SSH, we get this error (I am adding a screenshot).
Receiving this error is as if there were no more sessions available for the SSH connection; connecting to the console and giving the "sh who" command, we actually see that the SSH sessions are almost all closed and therefore available.
The solution to this problem is to wait a few minutes (usually 10-15) to be able to connect again.

Has anything like this happened to anyone?
The version installed on the switch is:
SW: Version 08.0.80dT211

Thank you in advance
6 REPLIES

netwizz
Contributor III
I wouldn't use telnet... It is neither encrypted nor secure!

Also, if you use SNMP, I would recommend only v3 for the same reasons.


We have been running 08.0.80 code since 08.0.80b and have not run into the SSH issue.  I would say, "good for us," but that doesn't help you.

*knocks on wood* before I start having problems with hundreds of devices running 08.0.80d, but thus far SSH works fine in our environment every time!


Based on the post above, if you want to disable SmartZone:
sz disable

Here is our SSH config:
ip ssh  authentication-retries 2
ip ssh  timeout 30
ip ssh  idle-time 30
ip ssh  scp disable
ip ssh  encryption disable-aes-cbc

We are generating an RSA key with a 2048-bit modulus:

crypto key generate rsa modulus 2048


We are also using RADIUS for the authentication with a backup account to authenticate if RADIUS is broken:

Our AAA looks like this:
aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode

username backupacct password .....
!
radius-server host 10.1.2.3
radius-server host 10.4.5.6
radius-server key 2 $dyIqJzYoZmlpdUldZzBzRShTOjIwXzkzJUNmME8rQjBdNE9QTG1JPVUiOidpFtGh4m2TaCU0XF44XDojb3RrZw==

Each device is uniquely keyed, though if you really want, you can create a 10.0.0.0/8 entry in RADIUS, for example, or whatever your switch management IPs are, and key everything with one entry if that is your desire.


If you do not run RADIUS your AAA will be something like:

aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode


Locking down by OOB or Access List (Unrelated):

Forgot to mention I would lock down SSH access to either Out-of-Band Management or an access list.

If you do an ACL, you want to make a simple standard numbered or named access list, so you are filtering simply based on the source.

A permit allows access, a deny doesn't.  The lists are processed top down, and once it matches, execution terminates.  There is an implicit deny all at the end, so if nothing matches and returns permit, then access will be denied.

Let's say you want to allow only one device to be able to SSH:

Here would be the Standard ACL statement:
permit host 10.1.2.3


You would apply it like:
ssh access-group

Specifically:
<1-99>       Standard IP access list
  ASCII string   Standard Access List Name
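
Added example, not part of netwizz's post or any Ruckus code: a small Python model of the ACL behaviour described above (top-down processing, first match ends evaluation, implicit deny at the end), useful for checking which management sources a standard ACL bound to SSH would admit before applying it. The numbered `access-list 10 ...` lines, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample config (not from the thread). The numbered
# "access-list" form and all addresses below are assumptions.
SAMPLE_CONFIG = """\
access-list 10 deny host 10.9.0.50
access-list 10 permit host 10.1.2.3
access-list 10 permit 10.9.0.0 0.0.0.255
ssh access-group 10
"""


def parse_standard_acl(config, acl_id):
    """Return the ordered (action, network) entries of one standard ACL."""
    pat = re.compile(rf"^access-list {re.escape(acl_id)} (permit|deny) (.+)$")
    entries = []
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        src = m.group(2).split()
        if src[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif src[0] == "host":
            net = ipaddress.ip_network(src[1] + "/32")
        else:  # address followed by a wildcard (inverse) mask
            net = ipaddress.ip_network(f"{src[0]}/{src[1]}")
        entries.append((m.group(1), net))
    return entries


def ssh_source_allowed(config, source_ip):
    """Apply the ACL bound to SSH: top down, first match ends evaluation."""
    bound = re.search(r"^ssh access-group (\S+)$", config, re.MULTILINE)
    if bound is None:
        return True  # no ACL bound to SSH, so nothing filters by source
    ip = ipaddress.ip_address(source_ip)
    for action, net in parse_standard_acl(config, bound.group(1)):
        if ip in net:
            return action == "permit"
    return False  # nothing matched: the implicit deny at the end applies


if __name__ == "__main__":
    for addr in ("10.1.2.3", "10.9.0.50", "10.9.0.77", "10.4.5.6"):
        print(addr, ssh_source_allowed(SAMPLE_CONFIG, addr))
```

In the sample, 10.9.0.50 is refused even though a later line permits its whole /24, because the earlier deny matches first; 10.4.5.6 is refused by the implicit deny.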




andrea_tassi
New Contributor
I updated the switch to 08.0.80eT211 as you suggested.
For now it seems to have solved everything; the problem is no longer recurring.

Thanks for the help
Andrea