Network devices are usually managed through SSH. Sometimes a device loses SSH access, and the SSH client (SecureCRT, for example) shows the error message "The remote system refused the connection." No matter whether you try from the internal or the external interface, the result is always the same. Is something wrong in the configuration? If so, why did it work last time?
Symptoms:
Through the console port, there were some interesting things:
Router1#show connection
ID Name Segment 1 Segment 2 State
================================================================================
Router1#show users
Line User Host(s) Idle Location
* 1 aux 0 user2 idle 00:00:00
132 vty 0 user1 100.9.1.1 48w0d 10.9.200.28
133 vty 1 user1 100.9.1.1 48w0d 10.9.200.28
134 vty 2 user1 100.9.1.1 48w0d 10.9.200.28
135 vty 3 user1 100.9.1.1 48w0d 10.9.200.28
136 vty 4 user1 100.9.1.1 47w6d 10.9.200.28
137 vty 5 user1 100.9.1.1 47w6d 10.9.200.28
138 vty 6 user1 100.9.1.1 47w6d 10.9.200.28
139 vty 7 user1 100.9.1.1 47w1d 10.9.200.28
140 vty 8 user1 100.9.1.1 47w1d 10.9.200.28
141 vty 9 user1 100.9.1.1 46w5d 10.9.200.28
142 vty 10 user1 100.9.1.1 43w5d 10.9.200.28
143 vty 11 user1 100.9.1.1 43w4d 10.9.200.28
144 vty 12 user1 100.9.1.1 41w6d 10.9.200.28
145 vty 13 user1 100.9.1.1 41w6d 10.9.200.28
146 vty 14 user1 100.9.1.1 41w6d 10.9.200.28
147 vty 15 user1 100.9.1.1 41w6d 10.9.200.28
Interface User Mode Idle Peer Address
Router1#show ssh
Connection Version Mode Encryption Hmac State Username
0 2.0 IN aes256-cbc hmac-sha1 Session started user1
0 2.0 OUT aes256-cbc hmac-sha1 Session started user1
1 2.0 IN aes256-cbc hmac-sha1 Session started user1
1 2.0 OUT aes256-cbc hmac-sha1 Session started user1
2 2.0 IN aes256-cbc hmac-sha1 Session started user1
2 2.0 OUT aes256-cbc hmac-sha1 Session started user1
3 2.0 IN aes256-cbc hmac-sha1 Session started user2
3 2.0 OUT aes256-cbc hmac-sha1 Session started user2
4 2.0 IN aes256-cbc hmac-sha1 Session started user2
4 2.0 OUT aes256-cbc hmac-sha1 Session started user2
5 2.0 IN aes256-cbc hmac-sha1 Session started user1
5 2.0 OUT aes256-cbc hmac-sha1 Session started user1
6 2.0 IN aes256-cbc hmac-sha1 Session started user1
6 2.0 OUT aes256-cbc hmac-sha1 Session started user1
7 2.0 IN aes256-cbc hmac-sha1 Session started user1
7 2.0 OUT aes256-cbc hmac-sha1 Session started user1
8 2.0 IN aes256-cbc hmac-sha1 Session started user1
8 2.0 OUT aes256-cbc hmac-sha1 Session started user1
9 2.0 IN aes256-cbc hmac-sha1 Session started user1
9 2.0 OUT aes256-cbc hmac-sha1 Session started user1
10 2.0 IN aes256-cbc hmac-sha1 Session started user1
10 2.0 OUT aes256-cbc hmac-sha1 Session started user1
11 2.0 IN aes256-cbc hmac-sha1 Session started user1
11 2.0 OUT aes256-cbc hmac-sha1 Session started user1
12 2.0 IN aes256-cbc hmac-sha1 Session started user1
12 2.0 OUT aes256-cbc hmac-sha1 Session started user1
13 2.0 IN aes256-cbc hmac-sha1 Session started user1
13 2.0 OUT aes256-cbc hmac-sha1 Session started user1
14 2.0 IN aes256-cbc hmac-sha1 Session started user1
14 2.0 OUT aes256-cbc hmac-sha1 Session started user1
15 2.0 IN aes256-cbc hmac-sha1 Session started user1
15 2.0 OUT aes256-cbc hmac-sha1 Session started user1
%No SSHv1 server connections running.
Router1#show line
Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 0 CTY - - - - - 2 1 0/0 -
1 1 AUX 9600/9600 - - - - - 0 0 0/0 -
2 2 TTY 9600/9600 - - - - - 9 0 0/0 -
* 132 132 VTY - - - - 101 14 0 0/0 -
* 133 133 VTY - - - - 101 10 0 0/0 -
* 134 134 VTY - - - - 101 5 0 0/0 -
* 135 135 VTY - - - - 101 4 0 0/0 -
* 136 136 VTY - - - - 101 2 0 0/0 -
* 137 137 VTY - - - - 101 8 0 0/0 -
* 138 138 VTY - - - - 101 14 0 0/0 -
* 139 139 VTY - - - - 101 5 0 0/0 -
* 140 140 VTY - - - - 101 4 0 0/0 -
* 141 141 VTY - - - - 101 2 0 0/0 -
* 142 142 VTY - - - - 101 4 0 0/0 -
* 143 143 VTY - - - - 101 2 0 0/0 -
* 144 144 VTY - - - - 101 2 0 0/0 -
* 145 145 VTY - - - - 101 2 0 0/0 -
* 146 146 VTY - - - - 101 2 0 0/0 -
* 147 147 VTY - - - - 101 10 0 0/0 -
Line(s) not in async mode -or- with no hardware support:
3-131
Router1#show tcp brief | i .22_
319FCE3C 100.9.1.5.22 10.9.200.28.1903 ESTAB
2901D1E8 100.9.1.2.22 10.9.200.28.2526 FINWAIT1
301631E4 100.9.1.2.22 10.9.200.28.2486 ESTAB
29353A80 100.9.1.5.22 10.9.200.28.2735 ESTAB
28F53880 100.9.1.5.22 10.9.200.28.4035 ESTAB
293533DC 100.9.1.5.22 10.9.200.28.2293 ESTAB
28F408FC 100.9.1.2.22 10.9.200.28.3871 ESTAB
2933B460 100.9.1.2.22 10.9.200.14.8725 ESTAB
28F60DC8 100.9.1.5.22 10.9.200.28.2365 ESTAB
315D3BC0 100.9.1.5.22 10.9.200.28.2819 ESTAB
2934BD88 100.9.1.2.22 10.9.200.28.3128 ESTAB
31904740 100.9.1.2.22 10.9.200.14.8692 ESTAB
2901C298 100.9.1.5.22 10.9.200.28.3874 ESTAB
315D4264 100.9.1.5.22 10.9.200.28.3629 ESTAB
3151B7A4 100.9.1.2.22 10.9.200.28.2639 FINWAIT1
It seems all VTY lines have been used up, and for some reason the system did not end those idle sessions although exec-timeout has been set.
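The quickest way to spot this condition before users start getting "connection refused" is to parse the output of show users and count how many VTY lines are occupied and for how long they have been idle. The script below is an added example, not part of the original post; it assumes Python 3, assumes the router has 16 VTY lines (line vty 0 15), and runs over a constructed sample modelled on the output above rather than a live capture. The idle-time parser handles the HH:MM:SS, day/hour and week/day forms that IOS prints.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the router is configured with "line vty 0 15", i.e. 16 VTY lines.
VTY_TOTAL = 16

# Constructed sample modelled on the "show users" output above; it is not a
# capture from a live device. Fourteen lines idle for weeks, one idle for a
# day, one active a few minutes ago.
SAMPLE_SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
*  1 aux 0     user2      idle                 00:00:00
 132 vty 0     user1      100.9.1.1            48w0d      10.9.200.28
 133 vty 1     user1      100.9.1.1            48w0d      10.9.200.28
 134 vty 2     user1      100.9.1.1            47w6d      10.9.200.28
 135 vty 3     user1      100.9.1.1            47w6d      10.9.200.28
 136 vty 4     user1      100.9.1.1            47w1d      10.9.200.28
 137 vty 5     user1      100.9.1.1            47w1d      10.9.200.28
 138 vty 6     user1      100.9.1.1            46w5d      10.9.200.28
 139 vty 7     user1      100.9.1.1            43w5d      10.9.200.28
 140 vty 8     user1      100.9.1.1            43w4d      10.9.200.28
 141 vty 9     user1      100.9.1.1            41w6d      10.9.200.28
 142 vty 10    user1      100.9.1.1            41w6d      10.9.200.28
 143 vty 11    user1      100.9.1.1            41w6d      10.9.200.28
 144 vty 12    user1      100.9.1.1            41w6d      10.9.200.28
 145 vty 13    user1      100.9.1.1            41w6d      10.9.200.28
 146 vty 14    user1      100.9.1.1            1d02h      10.9.200.28
 147 vty 15    user1      100.9.1.1            00:03:12   10.9.200.28
"""

# One session row: optional "*" marker, line number, line type, line index,
# user, host, idle time and an optional location column.
SESSION_RE = re.compile(
    r"^\s*\*?\s*(\d+)\s+([a-z]+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$"
)
# Idle time as IOS prints it: HH:MM:SS for short periods, otherwise compound
# units such as 1d02h, 48w0d or 1y3w.
HMS_RE = re.compile(r"^(\d+):(\d+):(\d+)$")
UNITS_RE = re.compile(r"^(?:(\d+)y)?(?:(\d+)w)?(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
UNIT_SECONDS = (365 * 86400, 7 * 86400, 86400, 3600, 60, 1)


@dataclass
class Session:
    line: int
    kind: str
    index: int
    user: str
    host: str
    idle: int  # seconds
    location: Optional[str]


def idle_seconds(token: str) -> int:
    """Convert an IOS idle-time token to seconds; ValueError on unknown formats."""
    m = HMS_RE.match(token)
    if m:
        h, mnt, s = (int(x) for x in m.groups())
        return h * 3600 + mnt * 60 + s
    m = UNITS_RE.match(token)
    if not token or not m:
        raise ValueError(f"unrecognised idle time: {token!r}")
    return sum(int(v) * secs for v, secs in zip(m.groups(), UNIT_SECONDS) if v)


def parse_show_users(text: str) -> List[Session]:
    sessions = []
    for raw in text.splitlines():
        m = SESSION_RE.match(raw)
        if not m:
            continue  # header or blank line
        line, kind, index, user, host, idle, location = m.groups()
        sessions.append(Session(int(line), kind, int(index), user, host,
                                idle_seconds(idle), location))
    return sessions


def vty_report(sessions: List[Session], vty_total: int = VTY_TOTAL,
               hung_after: int = 3600) -> dict:
    """Summarise VTY usage and flag sessions idle longer than hung_after seconds."""
    vty = [s for s in sessions if s.kind == "vty"]
    hung = [s for s in vty if s.idle >= hung_after]
    return {
        "vty_in_use": len(vty),
        "vty_total": vty_total,
        "exhausted": len(vty) >= vty_total,
        "hung": [(s.line, s.user, s.location, s.idle) for s in hung],
    }


if __name__ == "__main__":
    report = vty_report(parse_show_users(SAMPLE_SHOW_USERS))
    state = "  <-- exhausted, new SSH connections will be refused" if report["exhausted"] else ""
    print(f"VTY lines in use: {report['vty_in_use']}/{report['vty_total']}{state}")
    for line, user, location, idle in report["hung"]:
        print(f"  line {line}: {user} from {location} idle {idle // 86400} days")
```

Run it against saved show users output (or feed it the text returned by your monitoring system's CLI collector) and alert when exhausted is true or when the hung list is non-empty; a session idle for weeks from a single management host is the signature seen on this router.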
Solutions:
1. Clear the hung VTY lines
Router2#clear line vty 0
[confirm]
[OK]
2. Set ssh time-out
ip ssh time-out 30
3. Set absolute-timeout
line vty 0 15
absolute-timeout 15
4. Using service tcp-keepalives to Avoid Hung Telnet Sessions
http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a00801365f3.shtml
“If, however, Router 2 is reloaded for any reason, the terminal will not be able to get back into the server. Upon attempting to activate the connection, the user will see a “Connection refused by remote host” message. This message appears because the server believes that the previous telnet session is still connected, thus blocking a new session.”
Router1# config term
Router1(config)# service tcp-keepalives-in
Router1(config)# service tcp-keepalives-out
Router1(config)# end
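Steps 2 to 4 together are the hardening that keeps this from recurring, and they are easy to lose in a config rewrite or a template that never had them. The following Python script is an added example, not part of the original post or of any Cisco tool; it audits a saved running-config for the four settings (service tcp-keepalives-in/out, ip ssh time-out, and exec-timeout plus absolute-timeout under line vty) and reports what is missing. Both config fragments are constructed for the example.

```python
import re
from typing import List

# Constructed running-config fragments (not taken from the router on this page).
WEAK_CONFIG = """\
hostname Router1
!
line vty 0 15
 exec-timeout 0 0
 transport input ssh
!
"""

HARDENED_CONFIG = """\
hostname Router1
service tcp-keepalives-in
service tcp-keepalives-out
ip ssh time-out 30
!
line vty 0 15
 exec-timeout 10 0
 absolute-timeout 15
 transport input ssh
!
"""


def audit_vty_hardening(config: str) -> List[str]:
    """Return a list of findings; an empty list means every expected setting is present."""
    findings: List[str] = []
    lines = config.splitlines()
    # Global commands are the unindented lines; line-mode sub-commands are indented.
    global_cmds = {l.strip() for l in lines if l and not l.startswith(" ")}

    for cmd in ("service tcp-keepalives-in", "service tcp-keepalives-out"):
        if cmd not in global_cmds:
            findings.append(f"missing global command: {cmd}")
    if not any(re.fullmatch(r"ip ssh time-out \d+", g) for g in global_cmds):
        findings.append("missing: ip ssh time-out (SSH negotiation timer left at default)")

    # Collect the sub-commands under each "line vty ..." block.
    vty_blocks = []
    current = None
    for l in lines:
        if l.startswith("line vty"):
            current = []
            vty_blocks.append((l.strip(), current))
        elif l.startswith(" ") and current is not None:
            current.append(l.strip())
        else:
            current = None  # "!" or the next top-level section ends the block

    if not vty_blocks:
        findings.append("no 'line vty' block found")
    for name, subs in vty_blocks:
        exec_to = next((s for s in subs if s.startswith("exec-timeout")), None)
        if exec_to is None:
            findings.append(f"{name}: exec-timeout not set explicitly")
        elif exec_to == "exec-timeout 0 0":
            findings.append(f"{name}: exec-timeout 0 0 disables the idle timer")
        if not any(s.startswith("absolute-timeout") for s in subs):
            findings.append(f"{name}: absolute-timeout not set")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_vty_hardening(cfg)
        print(f"{label}: {'OK' if not result else ''}")
        for f in result:
            print(f"  - {f}")
```

Point it at the output of show running-config from a config backup and run it as part of the same job that collects the backups; the keepalive commands are what let the router notice a dead peer (the FINWAIT1 entries in show tcp brief above) and free the VTY line on its own.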