SSH Login Failure



1. Checking Whether the SSH Server Can Be Pinged

Check whether the switch (that is, the SSH server) and terminal can ping each other.
First check whether an IP address conflict occurs based on ARP entries. To view ARP entries on a PC (for example, a PC running a Windows operating system), choose Start > Run, enter cmd, press Enter, and run the arp -a command in the window that is displayed.

<PC> arp -a
Interface: 10.10.10.150 --- 0xb
Internet Address   Physical Address    Type
10.10.10.1         00-00-00-00-11-11   dynamic  //ARP entry of the gateway
10.10.10.23        00-00-00-00-22-22   dynamic
10.10.10.255       ff-ff-ff-ff-ff-ff   dynamic

 
Check whether the IP and MAC addresses of the gateway in the ARP table are the same as the actual ones. If not, check whether a device on the intranet uses the same IP address as the gateway. If so, modify the IP address of the conflicting device.
Ensure that there is no IP address conflict. If the PC has two network adapters that use the same external IP address, disable one network adapter. Ping the SSH server’s IP address from the PC. If a VPN is configured, add the VPN instance name. The following is an example that shows how to ping the management IP address of the SSH server (189.54.251.43) from the PC.

<PC> ping 189.54.251.43
PING 189.54.251.43: 56 data bytes, press CTRL_C to break
Reply from 189.54.251.43: bytes=56 Sequence=1 ttl=127 time=3 ms
Reply from 189.54.251.43: bytes=56 Sequence=2 ttl=127 time=11 ms
Reply from 189.54.251.43: bytes=56 Sequence=3 ttl=127 time=2 ms
Reply from 189.54.251.43: bytes=56 Sequence=4 ttl=127 time=2 ms
Reply from 189.54.251.43: bytes=56 Sequence=5 ttl=127 time=11 ms
--- 189.54.251.43 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/5/11 ms

 
If the ping operation fails, rectify the fault. If the PC and switch are directly connected, locate the fault by referring to “A Switch Cannot Be Pinged by a Directly Connected Device” in the Revelations of Troublesolving. If the PC is not directly connected to the switch, check whether there is a reachable route between them, and whether restriction policies are configured on the PC, switch, or intermediate device.
 

2. Checking SSH Server Status on the Server

Log in to the switch using Telnet or through a console port. Run the display ssh server status command and ensure the following settings are correct:

SSH version number (the value 1.99 indicates that v1 and v2 are both supported)
Whether the STelnet service is enabled and whether a source IP address is configured for the SSH server
SSH server port number

[HUAWEI] display ssh server status
 SSH version                        :1.99          //SSH v1 and SSH v2 are both supported.
 SSH connection timeout             :60 seconds
 SSH server key generating interval :0 hours
 SSH authentication retries         :3 times
 SFTP server                        :Disable
 Stelnet server                     :Disable       //The STelnet service is disabled.
 Scp server                         :Disable
 SSH server port                    :1026          //The SSH server port number has been changed.
 SSH server source interface        :LoopBack100   //The source IP address is configured for the SSH server.

 
If the STelnet service is disabled, run the stelnet server enable command in the system view to enable it.
If a source IP address is configured, log in to the switch using that IP address. If you need to log in through another address, run the undo ssh server-source command to cancel the configuration.

[HUAWEI] undo ssh server-source
Warning: SSH server source configuration will take effect in the next login. Continue? [Y/N]:y
Info: The source configuration of SSH server is restored to default value.

 
 
If the SSH server port number has been changed, change the port number accordingly during the SSH login. For example, change the SSH server port number to 1026 in SecureCRT.
If you use the default port number during the SSH login, delete the configured SSH server port number.

[HUAWEI] undo ssh server port
Warning: The operation will disconnect all online users. Continue? [Y/N]:y
Info: Succeeded in changing SSH listening port.

 
 

3. Checking for Idle Channels on the SSH Server

Log in to the switch using Telnet or through the console port. Check the VTY configuration, and ensure that the SSH protocol and AAA authentication have been configured for VTY channels.
The following example shows that AAA authentication and the SSH protocol have been configured.

[HUAWEI] display current-configuration configuration user-interface
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 authentication-mode aaa           //AAA mode is configured.
 user privilege level 15
 protocol inbound all               //The SSH protocol is configured.
user-interface vty 16 20
#

 
Check whether all VTY channels are occupied by online users.
For example, run the display users command. The following output shows that VTY 0-4 are all occupied, so no channel is free and SSH login fails.

<HUAWEI> display users
  User-Intf    Delay     Type   Network Address    AuthenStatus   AuthorcmdFlag
  34  VTY 0   00:04:11  TEL    10.137.211.108     no             Username : Unspecified
 +35  VTY 1   00:00:00  TEL    10.137.211.108     no             Username : Unspecified
  36  VTY 2   00:37:19  TEL    10.135.41.122      no             Username : Unspecified
  37  VTY 3   00:31:06  TEL    10.135.32.199      no             Username : Unspecified
  38  VTY 4   02:14:06  TEL    10.135.22.124      no             Username : Unspecified
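As an added example (not part of the original page), the following Python helper parses the display users output shown above, reports which channels in the configured VTY range are still free, and flags sessions that have been idle for a long time. The sample text is constructed to mirror the listing above; the VTY range and the idle threshold are assumptions passed as parameters.

```python
import re

# Constructed sample modelled on the page's "display users" listing (not captured
# from a real device). Three of the five channels in vty 0 4 are in use.
DISPLAY_USERS = """\
  User-Intf    Delay     Type   Network Address    AuthenStatus   AuthorcmdFlag
  34  VTY 0   00:04:11  TEL    10.137.211.108     no             Username : Unspecified
 +35  VTY 1   00:00:00  TEL    10.137.211.108     no             Username : Unspecified
  36  VTY 2   00:37:19  TEL    10.135.41.122      no             Username : Unspecified
"""

# One session row: optional '+' marks the current session, then index, VTY number,
# idle time (Delay column), access type and the peer address.
VTY_ROW = re.compile(
    r"^\s*\+?(\d+)\s+VTY\s+(\d+)\s+(\d{2}):(\d{2}):(\d{2})\s+(\w+)\s+(\S+)"
)


def parse_sessions(output):
    """Return one dict per occupied VTY channel; header and non-VTY lines are skipped."""
    sessions = []
    for line in output.splitlines():
        m = VTY_ROW.match(line)
        if not m:
            continue
        idx, vty, hh, mm, ss, kind, addr = m.groups()
        sessions.append({
            "vty": int(vty),
            "idle_seconds": int(hh) * 3600 + int(mm) * 60 + int(ss),
            "type": kind,
            "addr": addr,
        })
    return sessions


def free_vtys(output, first=0, last=4):
    """VTY numbers in [first, last] (the 'user-interface vty 0 4' range) with no session."""
    used = {s["vty"] for s in parse_sessions(output)}
    return [n for n in range(first, last + 1) if n not in used]


def stale_sessions(output, idle_minutes=30):
    """VTY numbers whose session has been idle longer than idle_minutes (assumed threshold)."""
    limit = idle_minutes * 60
    return [s["vty"] for s in parse_sessions(output) if s["idle_seconds"] > limit]
```

If free_vtys returns an empty list, every channel in the range is taken and the SSH login will be refused regardless of credentials; stale_sessions shows which long-idle sessions an administrator may review.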

 
 

4. Checking SSH Configuration Information on the Server

Log in to the switch using Telnet or through the console port. Check the following SSH configuration information:
Check whether SSH configuration information exists for the login account and whether the configuration is complete.
If no SSH configuration information exists for the login account, run the ssh authentication-type default password command.
If no RSA key pair exists on the switch, run the rsa local-key-pair create command.
The following example shows how to check SSH configuration information for the login account.

<HUAWEI> display current-configuration | include ssh
 ssh authentication-type default password
 ssh user client001
 ssh user client001 authentication-type password
 ssh user client001 service-type all

 
Check whether the RSA public key exists on the switch.

[HUAWEI] display rsa local-key-pair public
[HUAWEI]             //No output, indicating that the key pair does not exist and needs to be created.
[HUAWEI] rsa local-key-pair create      //Create an RSA public key.
The key name will be: Quidway_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       it will take a few minutes.
Input the bits in the modulus[default = 512]:1024   //Enter the value manually.

 
 

5. Checking Whether an ACL Is Bound to VTY User Interfaces on the SSH Server

Log in to the switch using Telnet or through the console port. Check VTY configuration and determine whether an ACL has been bound to VTY user interfaces.
For example, run the display this command to check whether an ACL has been bound to VTY 0-4.

[HUAWEI] user-interface vty 0 4
[HUAWEI-ui-vty0-4] display this
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
 acl 3999 inbound         //ACL 3999 is bound to VTY 0-4.
 authentication-mode aaa
 user privilege level 15
 protocol inbound all
user-interface vty 16 20
#

 
Check ACL configuration and determine whether the client IP address is permitted.

[HUAWEI] acl 3999
[HUAWEI-acl-adv-3999] display this
#
acl number 3999
rule 1 permit tcp source 2.2.2.2 0 0
rule 2 permit tcp source 3.3.3.3 0 0
rule 3 permit tcp source 4.4.4.4 0 0
rule 4 permit tcp source 5.5.5.5 0 0
rule 15 deny ip
#

 
NOTICE:
If the IP address belongs to a VPN instance, specify VPN parameters in the ACL.
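As an added example (not the page's own code), the following Python helper evaluates the ACL shown in this step against a client IP address the way the switch does: rules are tried in the order displayed, the first match wins, and a wildcard bit set to 1 means "don't care". The sample ACL text is constructed; it adds a subnet rule to the page's host rules, and the evaluator also accepts the "source x.x.x.x 0 0" form printed above. When no rule matches it returns (None, None) rather than assuming the device default, which is why the page's rule 15 "deny ip" makes the outcome explicit.

```python
import ipaddress
import re

# Constructed sample modelled on the page's "display this" output for acl 3999
# (not captured from a real device).
ACL_OUTPUT = """\
#
acl number 3999
rule 1 permit tcp source 2.2.2.2 0
rule 2 permit tcp source 3.3.3.3 0
rule 5 permit tcp source 10.10.10.0 0.0.0.255
rule 15 deny ip
#
"""

# rule <num> <permit|deny> <proto> [source <addr> <wildcard>]; a trailing extra
# token (the "0 0" form) is ignored because the expression is not anchored at the end.
RULE = re.compile(
    r"^\s*rule\s+(\d+)\s+(permit|deny)\s+(\w+)"
    r"(?:\s+source\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+|\d+))?"
)


def parse_acl(output):
    """Return rules as (number, action, protocol, source, wildcard) tuples in display order."""
    rules = []
    for line in output.splitlines():
        m = RULE.match(line)
        if m:
            num, action, proto, src, wild = m.groups()
            rules.append((int(num), action, proto.lower(), src, wild))
    return rules


def wildcard_match(addr, src, wild):
    """True if addr matches src under a Huawei wildcard (1 bits are ignored); no source = any."""
    if src is None:
        return True
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(src))
    w = int(ipaddress.IPv4Address(wild)) if "." in wild else int(wild)
    care = ~w & 0xFFFFFFFF
    return (a & care) == (s & care)


def acl_verdict(output, client_ip, proto="tcp"):
    """First matching rule decides; SSH is TCP, and an 'ip' rule matches every protocol."""
    for num, action, rproto, src, wild in parse_acl(output):
        if rproto not in ("ip", proto):
            continue
        if wildcard_match(client_ip, src, wild):
            return action, num
    return None, None
```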

6. Checking Whether a TCP Connection Can Be Established

Log in to the switch using Telnet or through the console port. Then use STelnet on the switch itself (the SSH server) to connect to its own IP address. If the connection can be established, the SSH service is working normally and the fault lies in the link between the client and the server.

[HUAWEI] ssh client first-time enable    //Ensure that ssh client first-time enable has been configured before using STelnet to connect to the switch.

[HUAWEI] stelnet 10.137.131.164    //Connect to the switch using STelnet from the SSH server, and check whether the IP address is allowed in the ACL.
Please input the username:ssh
Trying 10.137.131.164 ...
Press CTRL+K to abort
Connected to 10.137.131.164 ...
Enter password:        //Successfully connected to the switch.
Info: The max number of VTY users is 20, and the number
      of current VTY users on line is 7.
      The current login time is 2013-12-16 11:44:29+00:00.

 
 

7. Checking Whether a Correct User Name and Password Are Provided

Ensure that the user name and password you entered have been configured on the SSH server. If an incorrect user name or password was provided, enter the correct one. If the user name and password are correct, check the protocol type, IP address, and port number configured on the client software. If login still fails, try another PC or client software.
 

8. Collecting Information and Seeking Technical Support

If the fault persists, collect related information and seek technical support.
Collecting Fault Information
Collect operation results of the preceding steps and record the results in a file.
Collect all diagnostic information and export the information to a file.
Run the display diagnostic-information file-name command in the user view to collect diagnostic information and save the information to a file.

<HUAWEI> display diagnostic-information dia-info.txt
Now saving the diagnostic information to the device
 100%
Info: The diagnostic information was saved to the device successfully.

 
When the diagnostic file is generated, you can export the file from the device using FTP, SFTP, or SCP.
NOTICE:
You can run the dir command in the user view to check whether the file is generated.
You can also run the display diagnostic-information command and save terminal logs in a diagnostic file on a disk.
If this command displays a long output, press Ctrl+C to abort this command.
This command displays diagnostic information, which helps locate faults but may affect system performance (for example, CPU usage may become high). Therefore, do not use this command when the system is running properly.
Do not run the display diagnostic-information command simultaneously on multiple terminals connected to the device, because CPU usage may increase significantly and device performance may degrade.
 
Collect the log and trap information on the device and export the information to files.
Run the save logfile all command in the user view to save the logs in the user log buffer area and diagnostic log buffer area to the user log file and diagnostic log file, respectively.

<HUAWEI> save logfile all
Info: Save logfile successfully.
Info: Save diagnostic logfile successfully.

 
NOTE:
You can also run the display logbuffer and display trapbuffer commands to view the log and trap information on the device, and save the information in diagnostic files on a disk.
If you are still confused about the steps, you can contact csd@telecomate.com to seek technical support.
NOTE:
Technical support personnel will provide instructions for you to submit all the collected information and files, so that they can locate faults.