You may fail to establish an SSH connection to a Cisco CSR 1000v on Microsoft Azure after you initially deploy the Cisco CSR
1000v, or after you reload or restart the Cisco CSR 1000v. In the Azure portal, the Cisco CSR 1000v is in the running state.
The following three scenarios suggest workarounds for when you fail to connect using SSH.
Scenario 1. Attempted SSH access soon after booting up CSR 1000v.
You may fail to establish an SSH connection if you tried to gain access to the Cisco CSR 1000v soon after boot up. After starting
the deployment of a CSR 1000v, it takes about 5 minutes for SSH connectivity to become available.
Scenario 2. Binding problem in the Microsoft Azure Infrastructure.
Microsoft Azure support recommends that you perform the following steps:
On the Cisco CSR 1000v interface that has a public IP address, reassign the private IP address to a new static IP address
within the subnet.
Open the PowerShell in the Azure portal.
Update the ARM VM.
Refer to this Azure documentation: https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/update-azurermvm?view=azurermps-5.6.0.
In the powershell, enter the following commands:
$vm = Get-AzureRmVM -Name
Update-AzureRmVM -VM $vm
Reset the network interface to which the public IP address is attached.
For further information on resetting the network interface, see: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/reset-network-interface.
Select VM > Networking and select the Network Interface.
Go to IP configurations and select the IP name.
If the private IP address that is assigned to the interface is statically configured, write down the address, for use in
Under "Assignment", click Static.
In the IP address field, use an available IP address. Choose an available IP address within the subnet to which the network
interface is connected.
Click Save and wait for the save to complete.
Retry connecting to the router using SSH.
After you add (or change) a static IP address and gain access to the VM, if the IP address that was originally assigned to
this interface (see step 8.) was statically configured, you can either change the IP address from static to dynamic, or you can reconfigure the IP address
to the original address (the address you noted in step 8).
Scenario 3. Misconfiguration of idle terminal timeouts.
When you start an SSH session to the CSR 1000v, ensure that you do not configure the terminal VTY timeout as infinite—do not
exec-timeout 0 0. Use a non-zero value for the timeout; for example,
exec-timeout 4 0 (this command specifies a timeout of four minutes and zero seconds).
The reason why the
exec-timeout 0 0 command causes an issue is as follows:
Azure enforces a timeout for the console idle period of between 4 and 30 minutes. When the idle timer expires, Azure disconnects
the SSH session. However, the session is not cleared from the point of view of the CSR 1000v, as the timeout was set to infinite
exec-timeout 0 0 configuration command). The disconnection causes a terminal session to be orphaned. The session in the CSR 1000v remains
open indefinitely. If you try to establish a new SSH session, a new virtual terminal session is used. If this pattern continues
to occur, the number of allowed simultaneous terminal sessions is reached and no new sessions can be established.
In addition to configuring the
exec-timeout command correctly, it is also a good practice to delete idle virtual terminal sessions using the commands that are shown
in the following example:
CSRA# show users
Line User Host(s) Idle Location
2 vty 0 cisco idle 00:07:40 22.214.171.124
* 3 vty 1 cisco idle 00:00:00 126.96.36.199
CSRA# clear line 2
If the workarounds in the preceding scenarios are ineffective, as a last resort, you can restart the Cisco CSR 1000v in the