ICX7150 - no available SSH session


Good evening to all. I have a problem with a Ruckus ICX7150-48P-4X10GR switch installed at the company where I work; in some cases it affects connecting via SSH.
Initially we had no problem connecting via SSH, but for about two weeks now, when we try to connect via SSH, we get this error (I am adding a screenshot).
Receiving this error, it is as if there were no more sessions available for the SSH connection, but when we connect to the console and run the "sh who" command, we actually see that the SSH sessions are almost all closed and therefore available.
The solution to this problem is to wait a few minutes (usually 10-15) to be able to connect again.

Has anything like this happened to anyone?
The version installed on the switch is
SW: Version 08.0.80dT211

Thank you in advance
Andrea Tassi

Posted 7 months ago


William Hadley, Employee

Hi,

Please try 8080e. It has 3 defects fixed for SSH.

Thanks
Bill

Ryan Guerrero, Employee

Hi,

If you copy and paste these commands, you can connect via telnet:

en
con t
telnet serv
wr mem
end


Vu Pham, Employee

Hi - Is this ICX7150 being managed by SmartZone? Or has the SZ function been enabled/disabled on this ICX several times since bootup? If this is true, please upgrade to 8090a. I suspect that it's running into a known issue which is already fixed in 8090a. Also, 8090 is our long-term patch; we recommend 8090x over 8080x.

Thanks,

Vu

NETWizz

I wouldn't use telnet... It is neither encrypted nor secure!

Also, if you use SNMP, I would recommend only v3 for the same reasons.


We have been running 08.0.80 code since 08.0.80b and have not run into the SSH issue.  I would say, "good for us," but that doesn't help you.

*knocks on wood* before I start having problems with hundreds of devices running 08.0.80d, but thus far SSH works fine in our environment every time!


Based on the post above, if you want to disable Smartzone:
sz disable

Here is our SSH config:
ip ssh  authentication-retries 2
ip ssh  timeout 30
ip ssh  idle-time 30
ip ssh  scp disable
ip ssh  encryption disable-aes-cbc

We are generating an RSA key with a 2048-bit modulus:

crypto key generate rsa modulus 2048


We are also using RADIUS for the authentication with a backup account to authenticate if RADIUS is broken:

Our AAA looks like this:
aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default radius local
aaa authentication login privilege-mode

username backupacct password .....
!
radius-server host 10.1.2.3
radius-server host 10.4.5.6
radius-server key 2 $dyIqJzYoZmlpdUldZzBzRShTOjIwXzkzJUNmME8rQjBdNE9QTG1JPVUiOidpFtGh4m2TaCU0XF44XDojb3RrZw==

Each device is uniquely keyed, though if you really want, you can create a 10.0.0.0/8 entry in RADIUS, for example, or whatever your switch management IPs are, and key everything with one entry if that is your desire.


If you do not run RADIUS, your AAA will be something like:

aaa authentication web-server default local
aaa authentication enable default local
aaa authentication login default local
aaa authentication login privilege-mode


Locking down by OOB or Access List (Unrelated):

Forgot to mention I would lock down SSH access to either Out-of-Band Management or an access list.

If you do an ACL, you want to make a simple Standard numbered or named Access list, so you are filtering simply based on the source.

A permit allows access, a deny doesn't.  The lists are processed top down, and once it matches, execution terminates.  There is an implicit deny all at the end, so if nothing matches and returns permit, then access will be denied.

Let's say you want to allow only one device to be able to SSH:

Here would be the Standard ACL statement:
permit host 10.1.2.3


You would apply it like:
ssh access-group <number or name>

Specifically:
  <1-99>         Standard IP access list
  ASCII string   Standard Access List Name




(Edited)
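The first-match ACL behaviour and the hardening points from the replies above, as an added example that is not part of any poster's reply and is not Ruckus code. It assumes the running-config shows numbered standard ACLs in the one-line `access-list <n> ...` form; the sample config and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample running-config fragment (not from a real switch).
SAMPLE_CONFIG = """\
telnet server
ip ssh  encryption disable-aes-cbc
access-list 10 deny host 10.1.2.9
access-list 10 permit 10.1.2.0 0.0.0.255
ssh access-group 10
"""
ACL_LINE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_standard_acls(config):
    """Return {acl_id: [(action, address, wildcard), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if not m:
            continue
        acl_id, action, spec = m.group(1), m.group(2), m.group(3).split()
        if spec[0] == "any":
            net, wild = 0, 0xFFFFFFFF
        elif spec[0] == "host":
            net, wild = _ip(spec[1]), 0
        else:  # "<address> <wildcard-mask>"; a bare address means one host
            net, wild = _ip(spec[0]), (_ip(spec[1]) if len(spec) > 1 else 0)
        acls.setdefault(acl_id, []).append((action, net, wild))
    return acls

def ssh_source_allowed(config, src):
    """First matching entry decides; no match hits the implicit deny."""
    bound = re.search(r"^ssh access-group\s+(\S+)", config, re.M)
    if not bound:
        return True  # SSH is not restricted by any ACL
    for action, net, wild in parse_standard_acls(config).get(bound.group(1), []):
        if ((_ip(src) ^ net) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False  # implicit deny (an undefined list also lands here: assumption)

def audit(config):
    """Flag the management-plane points raised in the thread."""
    checks = [(r"^telnet server\b", True, "telnet server enabled (cleartext)"),
              (r"^ssh access-group\s", False, "no ssh access-group bound"),
              (r"^ip ssh\s+encryption disable-aes-cbc", False, "aes-cbc not disabled")]
    return [msg for pat, bad_if_present, msg in checks
            if bool(re.search(pat, config, re.M)) == bad_if_present]
```

Run `audit()` and `ssh_source_allowed()` against a saved copy of the running-config to confirm which management stations can reach SSH before relying on the ACL.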
Andrea Tassi

I updated the switch to 08.0.80eT211 as you suggested.
For now it seems to have solved everything; the problem is no longer recurring.

Thanks for the help
Andrea