
SSH problem between PCM3+ and 5406zl

SOLVED
F. SAINT-MICHEL
Occasional Advisor

SSH problem between PCM3+ and 5406zl

Hi all,

Since we updated from PCM2.3+ to PCM3.1+, we have a problem communicating in SSH mode with our three 5406zl.

When we use "Test Communication Parameters in PCM", the result with SSH is "Failed : Device Unreachable", but the switch's log shows a message indicating that an SSH connection is established from the server.

When the parameters in PCM are changed to use telnet mode, the test is OK.

When the software PuTTY is used from the server where PCM is installed, the SSH connection works fine.

On all other devices on our network, SSH mode works fine with the same login/password without problem.

Our three 5406zl run firmware K.14.41, and this problem is the same on all three devices.


Does anyone have an idea about this problem?

Thanks
F.Saint-Michel
22 REPLIES
Javed Padinhakara
Respected Contributor

Re: SSH problem between PCM3+ and 5406zl

Just give this a try:
If you do not have an operator login/password enabled for those 5406s (and have only a manager login/password set), configure an operator login/password on these devices and provide the same in PCM via "Device Manager > Communication Parameters in PCM".

Let me know how this goes.

`Javed
F. SAINT-MICHEL
Occasional Advisor

Re: SSH problem between PCM3+ and 5406zl

Hi Javed,

Thanks for your answer but on the three 5406zl I've configured Manager AND Operator login/password.
The test communication in telnet mode with the login/password for Manager and Operator works fine but not in SSH mode, whereas with other software such as PuTTY or with SSH session from Linux server, it works fine.
It is as if, in PCM, a validation of the SSH key was pending, as at a first connection using SSH.
Shadow13
Respected Contributor

Re: SSH problem between PCM3+ and 5406zl

Copy the SSH public key of the 5406zl switch to PCM and check.

#show crypto host-public-key

I don't remember exactly whether PCM will accept the key or needs only the fingerprint/babble; you can check in the PCM guide.
F. SAINT-MICHEL
Occasional Advisor

Re: SSH problem between PCM3+ and 5406zl

Hi Shadow13,

The case that you explain applies if you use the SSH authentication key.

In this case, the fingerprint of the device is needed and can be obtained with the command "show crypto host-public-key fingerprint", and the public key of PCM must be copied by tftp to the device (file procurveSSH2.pub or procurveSSH1.pub in the folder server/config).
I tried this solution too, but unfortunately the result is the same.

Thank you anyway.
Shadow13
Respected Contributor

Re: SSH problem between PCM3+ and 5406zl

What I know is that either way the public key of the switch must be saved in PCM, even if PCM is using a username/password combination to authenticate itself to the switch.

The way you mentioned applies when PCM itself is using a private/public combination to authenticate itself to the switch; then you need to copy the PCM public key to the switch.

Try to update PCM to update 2 and check after that.

Also try to remove the SSH key pairs from the switch using the command:
#crypto key zeroize ssh

Then disable SSH, create another crypto key, enable SSH and copy the new public key to PCM.
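
Added example, not part of any post in this thread and not PCM or ProCurve code: after `crypto key zeroize ssh` and key regeneration the switch presents a new host key, so a previously recorded fingerprint no longer applies and the new one has to be checked again. The Python sketch below computes the MD5 colon-hex and SHA256 fingerprints of an OpenSSH-format public key line and compares them with a value noted out-of-band; the sample keys are constructed, and it is an assumption that the fingerprint recorded from the switch is in one of those two forms.

```python
import base64
import hashlib
import hmac
import struct


def _field(data: bytes) -> bytes:
    """One length-prefixed field of the SSH public key wire format."""
    return struct.pack(">I", len(data)) + data


def make_sample_key_line(fill: int, comment: str) -> str:
    """Build a CONSTRUCTED ssh-rsa key line (not a real switch key)."""
    modulus = b"\x00" + bytes([fill]) * 128          # fake 1024-bit modulus
    blob = _field(b"ssh-rsa") + _field(b"\x01\x00\x01") + _field(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_key_blob(line: str) -> bytes:
    """Decode the key blob; reject it if the inner key type differs."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob is truncated")
    (size,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + size] != parts[0].encode():
        raise ValueError("declared key type does not match key blob")
    return blob


def fingerprints(line: str) -> dict:
    """Return the MD5 colon-hex and SHA256 base64 fingerprints of a key."""
    blob = parse_key_blob(line)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}


def matches_recorded(line: str, recorded: str) -> bool:
    """Compare a key with a fingerprint noted out-of-band (e.g. console)."""
    fps, rec = fingerprints(line), recorded.strip()
    if rec.startswith("SHA256:"):                    # base64 is case-sensitive
        return hmac.compare_digest(fps["sha256"].encode(), rec.encode())
    rec = rec.lower()[4:] if rec.lower().startswith("md5:") else rec.lower()
    return hmac.compare_digest(fps["md5"].encode(), rec.encode())
```

A fingerprint recorded before the zeroize step will not match the regenerated key, which is the expected result and the reason to record the new value from a trusted session.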

F. SAINT-MICHEL
Occasional Advisor

Re: SSH problem between PCM3+ and 5406zl

PCM is already with the update 2.
I tried to remove the SSH key and create another one as you describe.
I agree with you about the way I mentioned in my last message for the SSH key authentication method.

For you, the public key of the device must be saved in PCM even when user/password authentication is used. Well! Why not?
But can you tell me where the device's public key must be saved in PCM?

However, I don't understand why SSH mode with user/pwd authentication works fine with the same parameters and the same Manager and Operator user name and password on other ProCurve devices (2610 / 2520G / 2510 / 2650 / 2848 / 2824), without saving the public key of each device in PCM.
Trevor Commulynx
Regular Advisor

Re: SSH problem between PCM3+ and 5406zl

I am having the exact same problem. I am running 3.1+ with all updates on a 2008 x64 server. It is only happening on my 5406zl switches; I went from K.14.41 to 14.55 and still no luck.

I only noticed when I tried to update the software or send a CLI command: it would time out, and the logs on the switch would show repeated connection attempts using the Operator account. When I right-click and run SSH to the switch from PCM, it works straight away.

I logged a call with ProCurve and they told me to go to 14.55 ED; it still didn't work. No joy.



Shadow13
Respected Contributor

Re: SSH problem between PCM3+ and 5406zl

In the manual it's only mentioned how to copy the key while using the wizard, and you also have to choose key authentication, which will require both PCM and the switch to use their public keys to authenticate each other.

Try to delete the device, then discover it again without using the default settings (uncheck), put the credentials in manually in the wizard, and see. If the issue is the same, check the PCM event logs for errors; it might help.
F. SAINT-MICHEL
Occasional Advisor

Re: SSH problem between PCM3+ and 5406zl

Shadow13 : I don't use the SSH key authentication method. As I mentioned in my first post, PCM is configured with authentication password for the SSH credential to communicate with the 5406zl device.
I've just tried to use the SSH credential with key authentication because the other method doesn't work.

Also, I've already deleted the device, then discovered it again and defined the communication parameters manually in the wizard, without success.

In the PCM events, I noticed this error message several times :
"Failure in VT discovery for device:. Secondary discovery for device Virus Throttling information failed. This may affect PCM and NI Manager functions that rely on switch virus throttling information. To troubleshoot, Test Communication Parameters in PCM and test Telnet acces to the device."
And the device_IP is the IP address of each three 5406zl.

Trevor: I'm pleased to learn that I'm not alone in having this problem. I was expecting that the latest firmware doesn't provide the solution of this problem.

But, I don't despair to find the solution... one day. The sooner the better, isn't it!
Shadow13
Respected Contributor

Re: SSH problem between PCM3+ and 5406zl

There is a new firmware posted on the website K.14.60 with fixes related to SSH, can you try that and check:

* SSH (PR_0000045158) - SSH login to the switch might fail.

http://www.procurve.com/customercare/support/software/summarypages/k-j8692-c.htm
Trevor Commulynx
Regular Advisor

Re: SSH problem between PCM3+ and 5406zl

I am going to apply the code over the weekend and see if it fixes my issue.

I will report back.
F. SAINT-MICHEL
Occasional Advisor

Re: SSH problem between PCM3+ and 5406zl

Hello Trevor Commulynx,

Were you able to apply the code last weekend, and does it solve the problem?
Trevor Commulynx
Regular Advisor

Re: SSH problem between PCM3+ and 5406zl

I did not get a chance over the weekend. Hopefully this weekend.

Sorry for the confusion.

Trev.
Trevor Commulynx
Regular Advisor

Re: SSH problem between PCM3+ and 5406zl

Hi all, K.14.60 doesn't fix it.

I keep getting Unknown Username and or password.

As soon as I switch to Telnet, everything works perfectly.

I have logged a call with HP support- tick/tock/tick/tock.....

Anyone else have any luck?
Javed Padinhakara
Respected Contributor
Solution

Re: SSH problem between PCM3+ and 5406zl

Hello Michel and Trevor..

There were some recent cases where banner text characters seem to cause corruption of the logon session from PCM to the switch.

With that background in mind, can you check whether the 5406zl switches where you are observing the problem have an MOTD banner set? If so, can you disable it (command: no banner motd) and try the "Test Comm..." operation?

Let me know how this goes.

`Javed


PS: I noticed that you have joined recently and hence thought I would share an important etiquette followed in the forum: assign points on a scale (1-10) to people trying to help by answering your queries; it's an appreciation for the time they spend in responding to your questions.
Trevor Commulynx
Regular Advisor

Re: SSH problem between PCM3+ and 5406zl

Thanks Javed, I will try the MOTD as I do run it on all the switches being affected.

Also, I have been on these forums for quite some time, just changed jobs and setup new profile. I always give points when someone helps out.

Cheers,

Trevor.
Trevor Commulynx
Regular Advisor

Re: SSH problem between PCM3+ and 5406zl

Removing Banner MOTD fixes it.

ProCurve- Fix Required.

Cheers, I can't assign points because I didn't start the thread,

Trevor.
F. SAINT-MICHEL
Occasional Advisor

Re: SSH problem between PCM3+ and 5406zl

Hi all,

After disabling the "banner motd", the SSH connection from PCM 3 works fine.

I agree with Trevor Commulynx: An update release of switch firmware or a new patch for PCM would be good.
Trevor Commulynx
Regular Advisor

Re: SSH problem between PCM3+ and 5406zl

I have the Patch and it works. Log a call with HP support, it is the CLI patch that has a jar fix in it.

Trev.
F. SAINT-MICHEL
Occasional Advisor

Re: SSH problem between PCM3+ and 5406zl

Thanks Javed for your help.

Trevor...
Is this patch available for version 3.10 of PCM, and is it downloadable from ftp.hp.com?
Otherwise, I will log a call with HP support.
Trevor Commulynx
Regular Advisor

Re: SSH problem between PCM3+ and 5406zl

Log a Call with HP, that is what I had to do.

Trev.
F. SAINT-MICHEL
Occasional Advisor

Re: SSH problem between PCM3+ and 5406zl

See Javed's answer above...