SSH Connection Refused

[hobbes80]

I have a 6509. When I try to SSH to it, I get "Connection Refused".

I used to SSH to this box all the time. I do not believe anything has changed. I logged in via the console and generated a new key to see if this was the problem, and it is still doing the same thing. There is no firewall between my computer and the switch, so I do not believe this is the problem.

I am able to ping it, and it does not time out on an SSH request, says "Connection Refused" using putty. Telnet results in connection refused as well.

Below is my Code, I have removed the interfaces (for space concerns) and blanked out security sensitive info:

show run
Building configuration...

Current configuration : 46056 bytes
!
! Last configuration change at 13:36:22 EST Fri Oct 13 2006
! NVRAM config last updated at 13:36:24 EST Fri Oct 13 2006
!
upgrade fpd auto
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service counters max age 10
!
hostname ******
!
boot system flash disk0:s72033-advipservicesk9_wan-mz.122-18.SXE1.bin
logging console informational
enable password ***********
!
username Administrator password 0 ***********
username test password 0 *******
username ds3tech password 0 ***********
aaa new-model
 !
aaa session-id common
clock timezone EST -5
svclc vlan-group 1  4-6,10,11,100,175,200-202
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 1
firewall module 5 vlan-group 1
firewall vlan-group 1  4-6,10,11,100,175,200-202
ip subnet-zero
!
!
!
ip ssh version 2
no ip domain-lookup
ip domain-name ds3llc.local
ipv6 mfib hardware-switching replication-mode ingress
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
mls qos aggregate-policer 2mbLimit 120000000 97000 97000 conform-action transmit exceed-action drop
mls qos
mls verify ip length minimum 
 no mls acl tcam share-global
mls cef error action freeze
no scripting tcl init
no scripting tcl encdir
!
!
! 
!
!
!
!
!
!
!
redundancy
 mode rpr-plus
 main-cpu
  auto-sync running-config
  auto-sync standard
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
!
power redundancy-mode combined
 diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
port-channel load-balance src-dst-mac
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
class-map match-all Limit
  match access-group 110
class-map match-all ANY
  match access-group 1
!
!
policy-map TRAFFIC
  class ANY
    shape peak 195000000 780000 780000
policy-map Limit
  class Limit
     police aggregate 2mbLimit
!
!
interface Vlan1
 no ip address
!
interface Vlan2
 no ip address
 shutdown
!
interface Vlan4
 ip address ***.***.***.*** 255.255.255.192
!
interface Vlan6
 ip address 10.10.2.1 255.255.240.0
!
interface Vlan8
 no ip address
 shutdown
!
interface Vlan175
 no ip address
!
interface Vlan200
 no ip address
 load-interval 30
!         
interface Vlan2000
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 199.107.65.66
ip route 10.11.5.0 255.255.255.0 Tunnel0
ip route 10.11.10.0 255.255.255.0 Tunnel0
ip route 172.16.1.0 255.255.255.0 10.10.0.1
ip route 192.168.0.0 255.255.255.0 10.10.0.1
!
no ip http server
!
access-list 1 permit any
access-list 110 permit ip any any
!
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps chassis
snmp-server enable traps module
snmp-server enable traps bgp
snmp-server enable traps tty
snmp-server enable traps casa
snmp-server enable traps config
snmp-server enable traps dlsw
snmp-server enable traps frame-relay
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps MAC-Notification move threshold
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps rf
snmp-server enable traps rtr
snmp-server enable traps slb real virtual csrp
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps stpx inconsistency root-inconsistency loop-inconsistency
snmp-server enable traps syslog
snmp-server enable traps sonet
snmp-server enable traps dial
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps rsvp
snmp-server enable traps srp
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps c6kxbar swbus
snmp-server enable traps envmon fan shutdown supply temperature status
snmp-server enable traps csg agent quota database
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls ldp
snmp-server enable traps vlan-mac-limit
snmp-server enable traps voice poor-qov
snmp-server enable traps mpls vpn
!
radius-server source-ports 1645-1646
!
control-plane
!
!
!
dial-peer cor custom
!
!
!
!
line con 0
line vty 0
 exec-timeout 0 0
 password ******
 length 0
 transport input pad telnet ssh acercon
line vty 1 4
 exec-timeout 0 0
 length 0
 transport input pad telnet ssh acercon
!         
!
monitor session 10 source vlan 200
monitor session 10 destination interface Gi1/23
no cns aaa enable
end

 

[Ru55ell]

I don’t see your key , or any ssh parameters in your config. Your telnet is not working because of the “transport input pad telnet ssh acercon” line under vty.

Questions,
Did anything change on your domain?
ip domain-name ds3llc.local

Do you have a backup of this config you can reference?

I don’t have a strong suspicion of any one thing but wanted to offer my observations.

 

[hobbes80]

I generated a new key, but I'm still not seeing it show up in a show run.

DS3ASH01(config)#crypto key generate 
% You already have RSA keys defined named DS3ASH01.ds3llc.local.
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 
1y18w: %SSH-5-DISABLED: SSH 2.0 has been disabled1024
% Generating 1024 bit RSA keys ...[OK]

DS3ASH01(config)#
1y18w: %SSH-5-ENABLED: SSH 2.0 has been enabled

 

[hobbes80]

Also:

DS3ASH01#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
DS3ASH01#

 

[Ru55ell]

See if there are any active connections. run a show user command and see if 5 vty ports are in use/hung.

 

[hobbes80]

Sure enough, that must be what it is.

How do I clear them?

DS3ASH01#show ssh 
Connection Version Mode Encryption  Hmac         State                 Username
0          2.0     IN   aes256-cbc  hmac-sha1    Session started       Administrator
0          2.0     OUT  aes256-cbc  hmac-sha1    Session started       Administrator
1          2.0     IN   aes256-cbc  hmac-sha1    Session started       Administrator
1          2.0     OUT  aes256-cbc  hmac-sha1    Session started       Administrator
2          2.0     IN   aes256-cbc  hmac-sha1    Session started       Administrator
2          2.0     OUT  aes256-cbc  hmac-sha1    Session started       Administrator
3          2.0     IN   aes256-cbc  hmac-sha1    Session started       Administrator
3          2.0     OUT  aes256-cbc  hmac-sha1    Session started       Administrator
4          2.0     IN   aes256-cbc  hmac-sha1    Session started       Administrator
4          2.0     OUT  aes256-cbc  hmac-sha1    Session started       Administrator
%No SSHv1 server connections running.
DS3ASH01

 

[hobbes80]

Nevermind. Figured it out.
Thanks for all your help!

 

[DanInRaleigh]

..what what the hell was it..

CCNP,CCSP,MCSE,Sec+,Net+,A+...