I was upgrading a Cisco 2811 remotely from 12.4(24)T8 to 15.1(4)M8. The tunnel I was using for management was part of a VRF.
interface Tunnel9
 ...
 vrf forwarding management-vrf
 ...
After the upgrade I was able to ping the router remotely but wasn’t able to get an SSH connection. From the steppingstone I was using I got:
[peter@steppingstone-server:~]$ ssh 192.168.1.1
ssh: connect to host 192.168.1.1 port 22: Connection refused
Luckily I had the possibility to reach the router via another way. When I was logged in and did some searching I found out that in this newer release you need to append the optional vrf-also keyword at the end of the access-class <acl-number> in command. The keyword allows incoming connections from interfaces that belong to a VRF. See the Cisco site for more information about this command.
So to get the remote management fixed I just needed to configure:
cisco-2811(config)#line vty 0 15
cisco-2811(config-line)#access-class 23 in vrf-also
Your vty configuration should look something like:
line vty 0 4
 access-class 23 in vrf-also
 exec-timeout 120 0
 privilege level 15
 logging synchronous
 login local
 transport input ssh
line vty 5 7
 access-class 23 in vrf-also
 exec-timeout 120 0
 privilege level 15
 logging synchronous
 login local
 transport input ssh
line vty 8 15
 access-class 23 in vrf-also
 exec-timeout 15 0
 privilege level 15
 logging synchronous
 login local
 transport input ssh
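A pre-upgrade check for the situation described above, as an added example that is not part of the original post: it scans a saved running-config and lists the vty ranges whose inbound access-class lacks vrf-also while at least one interface is bound to a VRF. The sample config and all function names are constructed for illustration.

```python
import re

# Constructed sample config (not taken from the router in the post).
SAMPLE_CONFIG = """\
interface Tunnel9
 vrf forwarding management-vrf
!
line vty 0 4
 access-class 23 in
line vty 5 15
 access-class 23 in vrf-also
"""

def split_blocks(config):
    """Group IOS config into (header, [sub-commands]) using indentation."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def vrf_interfaces(config):
    """Map interface name -> VRF ('vrf forwarding' or older 'ip vrf forwarding')."""
    found = {}
    for header, body in split_blocks(config):
        if header.startswith("interface "):
            for sub in body:
                m = re.match(r"(?:ip )?vrf forwarding (\S+)", sub)
                if m:
                    found[header.split(None, 1)[1]] = m.group(1)
    return found

def vty_missing_vrf_also(config):
    """vty ranges that have an inbound access-class without vrf-also."""
    missing = []
    for header, body in split_blocks(config):
        if header.startswith("line vty "):
            for sub in body:
                if re.match(r"access-class \S+ in\b", sub) and "vrf-also" not in sub.split():
                    missing.append(header)
    return missing

def audit(config):
    """Report only when a VRF-bound interface exists, as in the post's setup."""
    return vty_missing_vrf_also(config) if vrf_interfaces(config) else []
```

Run `audit()` over the saved configuration before the IOS upgrade; any range it returns needs `vrf-also` added, ideally while an out-of-band path to the router is still available.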
Thanks for the tip. Most sources on the net don’t mention the need to do this for management on vrf.