
Re: SSH problem between PCM3+ and 5406zl

 
SOLVED
F. SAINT-MICHEL
Occasional Advisor

SSH problem between PCM3+ and 5406zl

Hi all,

Since we updated from PCM2.3+ to PCM3.1+, we have a problem communicating in SSH mode with our three 5406zl.

When we use "Test Communication Parameters in PCM", the result with SSH is "Failed : Device Unreachable", but in the switch's log there is a message indicating that an SSH connection is established from the server.

When the parameters in PCM are changed to use the telnet mode, the test is OK.

When the software PuTTY is used from the server where PCM is installed, the SSH connection works fine.

On all other devices on our network the SSH mode works fine with the same login/password without problem.

Our three 5406zl are on firmware K.14.41 and this problem is the same on the three devices.


Does anyone have an idea about this problem?

Thanks
F.Saint-Michel
22 REPLIES
Javed Padinhakara
Respected Contributor

Re: SSH problem between PCM3+ and 5406zl

Just give this a try:
If you do not have operator login/password enabled for those 5406's (and have only manager login/password set), do configure operator login/password on these devices and provide the same in PCM via "Device Manager > Communication Parameters in PCM".

Let me know how this goes.

`Javed
F. SAINT-MICHEL
Occasional Advisor

Re: SSH problem between PCM3+ and 5406zl

Hi Javed,

Thanks for your answer but on the three 5406zl I've configured Manager AND Operator login/password.
The test communication in telnet mode with the login/password for Manager and Operator works fine but not in SSH mode, whereas with other software such as PuTTY or with SSH session from Linux server, it works fine.
It is as if, in PCM, a validation of the SSH key were pending, as at a first connection using SSH.
Shadow13
Respected Contributor

Re: SSH problem between PCM3+ and 5406zl

Copy the SSH public key of the 5406zl switch to PCM and check.

#show crypto host-public-key

I don't remember exactly if PCM will accept the key or only needs the fingerprint/babble; you can check the PCM guide.
F. SAINT-MICHEL
Occasional Advisor

Re: SSH problem between PCM3+ and 5406zl

Hi Shadow13,

The case that you explain is if you use the SSH authentication key.

In this case, the fingerprint of the device is needed and can be obtained with the command "show crypto host-public-key fingerprint", and the public key of PCM must be copied by tftp to the device (file procurveSSH2.pub or procurveSSH1.pub in the folder server/config).
I tried this solution too, but unfortunately the result is the same.

Thank you anyway.
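
The fingerprint comparison mentioned in the post above, as an added example (not code from the thread, PCM or the switch firmware): it computes the MD5 and SHA-256 fingerprints of an OpenSSH-format host public key line so they can be compared with a fingerprint read from the device console. The key is a constructed toy value, and the colon-separated MD5 / `SHA256:` display formats are assumptions about what the device prints.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire format: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(value: int) -> bytes:
    """Positive SSH mpint (a leading zero byte is added when the top bit is set)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

# Constructed sample, not a real host key: toy modulus derived from a hash.
_TOY_N = int.from_bytes(hashlib.sha256(b"constructed").digest() * 4, "big") | 1
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(_TOY_N)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed-example"

def parse_pubkey_line(line: str):
    """Return (algorithm, key blob) from '<algorithm> <base64> [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<algorithm> <base64-blob> [comment]'")
    algo = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob repeats the algorithm name; a mismatch means a mangled or spliced key.
    if blob[4:4 + name_len] != algo.encode():
        raise ValueError("algorithm name does not match key blob")
    return algo, blob

def fingerprints(line: str) -> dict:
    """MD5 (colon-separated hex) and SHA-256 (unpadded base64) of the key blob."""
    _, blob = parse_pubkey_line(line)
    md5_hex = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5_hex[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def matches(line: str, reported: str) -> bool:
    """Compare a fingerprint read off the device with the stored key."""
    want, fps = reported.strip(), fingerprints(line)
    if want.upper().startswith("SHA256:"):
        return hmac.compare_digest(fps["sha256"][7:].encode(), want[7:].encode())
    if want.upper().startswith("MD5:"):
        want = want[4:]
    return hmac.compare_digest(fps["md5"].encode(), want.lower().encode())
```
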
Shadow13
Respected Contributor

Re: SSH problem between PCM3+ and 5406zl

What I know is that either way the public key of the switch must be saved in PCM, even if PCM is using a username/password combination to authenticate itself to the switch.

The way you mentioned is for when PCM itself is using a private/public combination to authenticate itself to the switch; then you need to copy the PCM public key to the switch.

Try to update the PCM to update 2 and check after that.

Also try to remove the SSH key pairs from the switch using the command:
#crypto key zeroize ssh

Then disable SSH, create another crypto key, enable SSH and copy the new public key to PCM.

F. SAINT-MICHEL
Occasional Advisor

Re: SSH problem between PCM3+ and 5406zl

PCM is already with the update 2.
I tried to remove the SSH key and create another one as you describe.
I agree with you about the way I mentioned in my last message for the SSH Authentication key method.

For you, the public key of the device must be saved in PCM even when user/password authentication is used. Well! Why not?
But can you tell me where the device's public key must be saved in PCM?

However, I don't understand why the SSH mode with user/pwd authentication works fine with the same parameters and same Manager and Operator user name and password on other Procurve devices (2610 / 2520G / 2510 / 2650 / 2848 / 2824), and without saving the public key of each device on PCM.
Trevor Commulynx
Regular Advisor

Re: SSH problem between PCM3+ and 5406zl

I am having the exact same problem. I am running 3.1+ with all updates on a 2008 x64 bit server. It is only happening on my 5406zl switches; went from k14.41 to 14.55 and still no luck.

I only noticed when I tried to update the software or send a CLI command: it would time out and the logs on the switch would show repeated connection attempts using the Operator account. When I right-click and run SSH to the switch from PCM, it works straight away.

I logged a call with Procurve and they told me to go to 14.55 ED; still didn't work. No joy.



Shadow13
Respected Contributor

Re: SSH problem between PCM3+ and 5406zl

In the manual it's only mentioned how to copy the key while using the wizard, and also you have to choose key authentication, which will require both PCM and the switch to use their public keys to authenticate each other.

Try to delete the device, then discover it again, and don't use the default settings (uncheck) and put the credentials manually in the wizard and see. If it is the same issue, then check the PCM event logs; what errors you find might help.
F. SAINT-MICHEL
Occasional Advisor

Re: SSH problem between PCM3+ and 5406zl

Shadow13: I don't use the SSH key authentication method. As I mentioned in my first post, PCM is configured with authentication password for the SSH credential to communicate with the 5406zl device.
I've just tried to use the SSH credential with key authentication because the other method doesn't work.

Also, I've already deleted the device, then discovered it again and defined the communication parameters manually in the wizard, without success.

In the PCM events, I noticed this error message several times:
"Failure in VT discovery for device:. Secondary discovery for device Virus Throttling information failed. This may affect PCM and NI Manager functions that rely on switch virus throttling information. To troubleshoot, Test Communication Parameters in PCM and test Telnet acces to the device."
And the device_IP is the IP address of each of the three 5406zl.

Trevor: I'm pleased to learn that I'm not alone in having this problem. I was expecting that the latest firmware doesn't provide the solution of this problem.

But I don't despair of finding the solution... one day. The sooner the better, isn't it!