When we use Huawei NE series routers, we sometimes encounter problems. How can these problems be solved? We provide the Troubleshooting Guide to help you.
If a user fails to log in to the server using SSH, perform the following steps:
1. Check network connectivity.
Run the ping command to check network connectivity.
§ If the ping fails, the network connection fails.
§ If the ping succeeds, go to Step 2.
2. Check whether SSH services are enabled.
Run the display ssh server status command to view the configuration of the SSH server.
<HUAWEI> display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP server :Disable
STELNET server :Disable
SNETCONF server :Disable
The command output shows that the SFTP, STelnet and SNetconf servers are not enabled. The user can log in to a server using SSH only after SSH services are enabled in the system. Run the following commands to enable the SSH server.
<HUAWEI> system-view
[HUAWEI] sftp server enable
[HUAWEI] stelnet server enable
[HUAWEI] snetconf server enable
3. Check whether the access protocol configured in the VTY user interface view is correct.
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] display this
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
idle-timeout 0 0
protocol inbound all
§ If the user access protocol is set to Telnet, go to Step 4.
§ If the user access protocol is set to SSH or all, go to Step 5.
4. Run the protocol inbound { ssh | all } command to set the user access protocol to SSH or all.
[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] protocol inbound ssh
5. Check whether the RSA public key is configured.
When the device functions as an SSH server, the device must have a local key pair configured.
Run the display rsa local-key-pair public command to check whether the key pair is configured on the current server. If the key pair is not configured, run the rsa local-key-pair create command to configure it.
[HUAWEI] rsa local-key-pair create
The key name will be:HUAWEI_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.
6. Check that the user service type, authentication type, and authentication service type (for password authentication only) are configured.
§ Create an SSH user.
[HUAWEI] ssh user abc
[HUAWEI] ssh user abc authentication-type all
[HUAWEI] ssh user abc service-type all
[HUAWEI] ssh user abc sftp-directory cfcard:/ssh
Configure the same SSH user in the AAA view and configure the authentication server type.
[HUAWEI] aaa
[HUAWEI-aaa] local-user abc password cipher abc-Pass123
[HUAWEI-aaa] local-user abc service-type ssh
[HUAWEI-aaa] quit
§ Configure password authentication as the default authentication mode for the SSH user.
[HUAWEI] ssh authentication-type default password
Configure the same SSH user in the AAA view and configure the authentication server type.
[HUAWEI] aaa
[HUAWEI-aaa] local-user abc password cipher abc-Pass123
[HUAWEI-aaa] local-user abc service-type ssh
[HUAWEI-aaa] quit
7. Check whether the number of users logging in to the server has reached the upper threshold.
Both SSH users and Telnet users log in to the server through VTY channels. The number of available VTY channels ranges from 0 to 21. When the number of users attempting to log in to the server through VTY channels is greater than 21, the new connection cannot be established between the user and the server.
Log in to the server using a console interface and then run the display users command to check whether all the current VTY channels have been used. By default, a maximum of 5 users can log in to the server through VTY channels.
[HUAWEI] display user-interface maximum-vty
Maximum of VTY user:5
[HUAWEI] display users
  User-Intf    Delay     Type   Network Address   AuthenStatus   AuthorcmdFlag
  34  VTY 0    03:31:35  TEL    10.138.81.138     pass           yes
      Username : Unspecified
  35  VTY 1    03:51:58  TEL    10.137.128.126    pass           yes
      Username : Unspecified
  36  VTY 2    00:10:14  TEL    10.138.81.184     pass           yes
      Username : Unspecified
  37  VTY 3    02:31:58  TEL    10.138.80.199     pass           yes
      Username : Unspecified
+ 39  VTY 5    00:00:00  TEL    10.138.78.80      pass           yes
      Username : Unspecified
If the number of users logging in to the server has reached the upper threshold, run the user-interface maximum-vty vty-number command to increase the maximum number of users allowed to log in to the server through VTY channels.
[HUAWEI] user-interface maximum-vty 18
8. Check whether an ACL is configured in the VTY user interface view.
If an ACL with a permit rule is configured but the IP address of the client is not specified in the permit rule of the ACL, the user cannot log in to the server using SSH. To enable a user with a specific IP address to log in to the server using SSH, specify the IP address of the user in the ACL's permit rule.
9. Check the SSH version.
Run the display ssh server status command to check the SSH version.
<HUAWEI> display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP server :Enable
Stelnet server :Enable
SNETCONF server :Enable
§ If the client logging in to the server is running SSHv1, compatibility with earlier SSH versions needs to be enabled on the server.
<HUAWEI> system-view
[HUAWEI] ssh server compatible-ssh1x enable
When the SSH server is made compatible with earlier SSH versions, the system displays a security risk prompt. SSHv1 is less secure than SSHv2, so enable compatibility only for clients that cannot use SSHv2.
10. Collect the following information and contact Huawei technical support personnel.
§ Results of the preceding troubleshooting procedures
§ Configuration files, log files, and alarm files of the devices
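The checks in steps 2, 3, 4 and 9 can be run against saved command output. The following Python script is an added example, not Huawei code: the function names are hypothetical and the two captures are constructed from the sample outputs shown above. It reports the step that blocks SSH login and also flags the settings in those outputs that weaken the login surface.

```python
import re

# Constructed sample captures, modelled on the outputs shown in steps 2 and 3.
STATUS = """\
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP server :Disable
STELNET server :Disable
SNETCONF server :Disable
"""
VTY = """\
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
idle-timeout 0 0
protocol inbound all
"""

def parse_status(text):
    """Turn 'key :value' lines of display ssh server status into a dict."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out

def check(status_text, vty_text):
    """Return (step, message) findings, numbered like the steps of this guide."""
    findings = []
    st = parse_status(status_text)
    for svc in ("sftp", "stelnet", "snetconf"):
        if st.get(svc + " server", "").lower() != "enable":
            findings.append((2, f"{svc} server is not enabled"))
    m = re.search(r"^\s*protocol inbound (\S+)", vty_text, re.M)
    # Assumption: a missing line is reported as unknown; no device default is inferred.
    proto = m.group(1).lower() if m else "unknown"
    if proto not in ("ssh", "all"):
        findings.append((4, f"VTY accepts '{proto}' only; set protocol inbound ssh"))
    elif proto == "all":
        findings.append((3, "VTY also accepts Telnet (cleartext); protocol inbound ssh restricts it"))
    if re.search(r"^\s*idle-timeout 0 0\s*$", vty_text, re.M):
        findings.append((3, "idle-timeout 0 0: idle sessions never release their VTY channel"))
    # Per RFC 4253, a server advertising 1.99 also accepts SSHv1 clients.
    if st.get("ssh version") == "1.99":
        findings.append((9, "SSH version 1.99: SSHv1 clients are accepted"))
    return findings
```

Calling check(STATUS, VTY) on the captures above returns three step 2 findings, two step 3 findings and one step 9 finding; an empty list means none of these four steps explains the login failure.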
For more troubleshooting cases, see: NE40E Troubleshooting Guide V4.0 (VRPv8)
https://support.huawei.com/enterprise/en/doc/EDOC1000177634