Hey Everyone,
I'm at my wit's end with an issue I'm facing at the moment, and four hours with Cisco TAC hasn't helped. I'd like to submit it here for anyone who might have some insight, and any/all help is greatly appreciated.
I'm finishing up a project right now for a customer that is turning up a new remote office. It's a small site, consisting only of two stacked Cisco 9302 Catalyst switches acting as its core, a FortiWifi device that is ONLY being used for Wi-Fi (long story, Cisco WLCs are on backorder), and a pair of HA Palo Alto firewalls on the edge. The switch stack is where we're facing an issue. Right now, it has 4 user VLANs (Users, WiFi, Guest WiFi, Servers), and a 5th management VLAN. Right now all VLANs are routing traffic correctly, and I can ping each SVI on that switch from everywhere on the network.
However, the one issue I'm facing is the fact that when trying to SSH into the device, we can only access it via the SVI of the VLAN on which the user resides. For example, someone residing on the Ethernet VLAN can SSH to the Ethernet SVI, but not the Management one. Another example: I can connect to the Fortigate's web GUI (on the management VLAN) and use the built-in CLI to SSH into the switch on the Management VLAN. From a server, I can SSH into the switch using its Server SVI.
So great, we can hit the switch and can remotely manage it. But we're ripping our hair out trying to figure out why we aren't able to SSH to the management VLAN's SVI IP from everywhere on the network. I'd think it would be a routing issue, perhaps a default gateway command, however normal traffic is going to/from each VLAN without issue. The FortiWifi is directly connected to the switch on the Management VLAN, and I can also access that from everywhere. TAC recommended a software update (of course), but that fixed nothing. Looking at debugs, it seems as if the switch is receiving the SSH request, and then shuts it down, leaving us with a "The semaphore timeout period has expired" message. There are no ACLs blocking SSH access at any point.
I'm currently waiting for my TAC agent to start his day on the West Coast, but if anyone here has any idea of what could be going wrong, I could use another set of eyes.
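An added diagnostic example (not from the original post) that separates the three outcomes the symptom above could hide: no TCP connection at all (filtering or routing), a TCP connection that the switch accepts and then tears down before sending an SSH banner (what the debugs suggest), or a healthy banner. The SVI addresses are assumed placeholders for the five VLAN SVIs in the post; run it from a host on each VLAN and compare.

```python
import socket
from dataclasses import dataclass
from typing import Dict, Optional

# ASSUMED placeholder addresses standing in for the five SVIs described in the
# post (TEST-NET-1 range); substitute the real SVI IPs before running.
SVIS: Dict[str, str] = {
    "Users": "192.0.2.1",
    "WiFi": "192.0.2.2",
    "Guest WiFi": "192.0.2.3",
    "Servers": "192.0.2.4",
    "Management": "192.0.2.5",
}

@dataclass
class ProbeResult:
    host: str
    tcp_connected: bool        # did the three-way handshake complete?
    banner: Optional[str]      # e.g. "SSH-2.0-Cisco-1.25" when the server answered
    detail: str                # human-readable reason the probe ended where it did

def probe_ssh(host: str, port: int = 22, timeout: float = 3.0) -> ProbeResult:
    """Connect to TCP/22 and wait for the SSH version banner.

    A Windows client reports "The semaphore timeout period has expired" when a
    connection is accepted and then silently dropped; this probe makes that
    case visible as tcp_connected=True with banner=None.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return ProbeResult(host, True, None, "connected, no banner before timeout")
            except OSError as e:  # e.g. ConnectionResetError after the handshake
                return ProbeResult(host, True, None, f"connected, then dropped: {e}")
            if not data:
                return ProbeResult(host, True, None, "connected, peer closed without banner")
            banner = data.splitlines()[0].decode("ascii", "replace")
            return ProbeResult(host, True, banner, "banner received")
    except OSError as e:  # refused, unreachable, or connect timeout
        return ProbeResult(host, False, None, f"no TCP connection: {e}")

def probe_all(svis: Dict[str, str] = SVIS) -> Dict[str, ProbeResult]:
    """Probe every SVI and return the per-VLAN result for side-by-side comparison."""
    return {name: probe_ssh(ip) for name, ip in svis.items()}

if __name__ == "__main__":
    for name, r in probe_all().items():
        print(f"{name:<12} {r.host:<16} {r.detail} {r.banner or ''}")
```

A "connected, peer closed without banner" result only on the Management SVI, with "banner received" on the others, points at the switch's SSH server or VTY handling rather than at the routing or filtering path.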