netfishers-onl / Netshot

Network Configuration and Compliance Management
http://www.netfishers.onl/netshot

Autodiscover for IOS-XR devices failing w/ multiple sets of credentials #309

Open CFLagerfeldt opened 3 months ago

CFLagerfeldt commented 3 months ago

Discovered an issue during the initial autodiscovery process of an IOS-XR device when using multiple sets of credentials in Netshot.

There isn't any waiting period or timeout in between failed logon attempts before Netshot attempts with the next username/password. This means that if you have a low RTT between your Netshot server and the device, you might get multiple login attempts happening in under one second.

IOS-XR has a default rate-limit of incoming SSH sessions of 60 attempts per minute (despite being configured per minute, the implementation of the rate-limit is per second), effectively only allowing one session per second. If Netshot's subsequent login attempt happens fast enough, it will result in the socket being reset, and the autodiscovery process fails.

I think it would be good if we can implement a waiting period between the different login attempts in Netshot.

Snapshot debug log:

[INFO] Snapshot task for device [NONAME] (1.2.3.4).
[INFO] Auto-trying SSH with credentials Core-1.
[WARN] Authentication failed using SSH credential set Core-1.
[INFO] Auto-trying SSH with credentials Core-2.
[WARN] Unable to open an SSH socket to 1.2.3.4:0: Session.connect: java.net.SocketException: Connection reset
[ERROR] Error while taking the snapshot: Couldn't find valid credentials.

Workaround 1:

Configure the device in Netshot manually. Select which credentials to use for SSH authentication.

Workaround 2:

Raise the IOS-XR rate-limit to allow for more connections (using a value over 120):

#ssh server rate-limit ?
  <1-6000>  Limit in term of number of request per minute (default 60)
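
The waiting period requested in this issue, sketched as an added example (not part of the original post and not Netshot's code): attempts are spaced according to the device's rate limit, and a connection reset is retried with the same credential set instead of being counted as a failed login. `Connector`, `minGapMs`, `findCredentials`, the 100 ms margin and the simulated device in `main` are all assumptions made for illustration.

```java
import java.net.SocketException;
import java.util.List;

public class PacedAutoTry {
    /** Hypothetical stand-in for one SSH login; returns false when authentication is rejected. */
    interface Connector { boolean login(String credentialSet) throws SocketException; }

    /** Spacing that keeps new sessions under a per-minute limit that is enforced per second. */
    static long minGapMs(int rateLimitPerMinute) {
        return 60_000L / rateLimitPerMinute + 100; // +100 ms safety margin (assumption)
    }

    /** Returns the first credential set that logs in, or null if none could be confirmed. */
    static String findCredentials(List<String> sets, Connector ssh, long gapMs, int maxResets)
            throws InterruptedException {
        long nextAllowed = 0; // earliest time (ms) at which the next connection may start
        for (String set : sets) {
            for (int resets = 0; resets <= maxResets; resets++) {
                long wait = nextAllowed - System.currentTimeMillis();
                if (wait > 0) Thread.sleep(wait);
                try {
                    boolean ok = ssh.login(set);
                    nextAllowed = System.currentTimeMillis() + gapMs;
                    if (ok) return set;
                    break; // genuine authentication failure: move on to the next set
                } catch (SocketException e) {
                    // Transport error such as "Connection reset": this set was never
                    // actually tested, so back off and retry it rather than discard it.
                    nextAllowed = System.currentTimeMillis() + gapMs * (resets + 2);
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed device model: one new session per second, only "Core-2" is valid.
        long[] lastSession = {0};
        Connector device = set -> {
            long now = System.currentTimeMillis();
            boolean tooFast = now - lastSession[0] < 1000;
            lastSession[0] = now;
            if (tooFast) throw new SocketException("Connection reset");
            return set.equals("Core-2");
        };
        List<String> sets = List.of("Core-1", "Core-2");
        System.out.println("unpaced: " + findCredentials(sets, device, 0, 0));
        Thread.sleep(1000);
        System.out.println("paced:   " + findCredentials(sets, device, minGapMs(60), 2));
    }
}
```

With a gap of 0 and no retries, the run mirrors the debug log above: the second set hits the reset and no credentials are found. A `null` result can also mean a set ran out of reset retries without being tested, so a caller that needs the distinction should track it separately.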