https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160005#M368823 <HTML><HEAD></HEAD><BODY><P>Yes we are making progress. You are right, there was a route missing through the inside interface, I can now ping the firewall from the work station (after I've added the route), but I am still unable to ssh to it.</P><P></P><P>Would any debug show me what's happeing?</P></BODY></HTML> Mon, 12 Jan 2009 20:31:04 GMT ronshuster 2009-01-12T20:31:04Z https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1159999#M368817 <P>This is an easy one, but if you're stuck you're stuck!</P><P></P><P>I am unable to connect to my ASA5520, I get the following message:</P><P></P><P>[SSH] FAIL: No connection could be made because the target machine actively refused it. </P><P></P><P>I have a backdoor to access it and not sure how to clear whatever is there that is not allowing me in.</P><P></P><P>I have ssh &lt;network&gt; &lt;segment&gt; interface</P><P></P><P>Please help.</P> Sun, 10 Mar 2019 23:16:10 GMT https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1159999#M368817 ronshuster 2019-03-10T23:16:10Z https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160000#M368818 <HTML><HEAD></HEAD><BODY><P>Roni</P><P></P><P>My first question would whether you have configured the RSA keys that are required for SSH to work?</P><P>My second question would be whether you have properly configured SSH access? Can you post the output from the ASA of show run | incude ssh</P><P>My third question would be whether you can look on the logs of the ASA and find any messages about the attempt to connect. These might help in identifying the problem.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Thu, 08 Jan 2009 17:41:57 GMT https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160000#M368818 Richard Burts 2009-01-08T17:41:57Z https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160001#M368819 <HTML><HEAD></HEAD><BODY><P>I have the following:</P><P></P><P>crypto key generate rsa modulus 1024</P><P>ssh a.b.c.d 255.255.255.255</P><P></P><P>The routes to the firewall is also ok.</P><P></P><P>But for some reason the firewall will not accept SSH </P><P></P></BODY></HTML> Mon, 12 Jan 2009 18:48:04 GMT https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160001#M368819 ronshuster 2009-01-12T18:48:04Z https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160002#M368820 <HTML><HEAD></HEAD><BODY><P>Roni</P><P></P><P>It looks like you have answered my first question and that RSA keys have been generated. </P><P></P><P>You have answered only part of my second question. You have shown the ssh a.b.c.d which enable SSH for that address but have not indicated on which interface you have enabled it. And you have not told us to which interface you are attempting to SSH.</P><P></P><P>And you have not answered my third question, which is perhaps most likely to show us the problem. Can you attempt SSH and then quickly look in the logs of the ASA and see what it has to say about the attempt to SSH?</P><P></P><P>HTH</P><P></P><P>Rick</P><P></P></BODY></HTML> Mon, 12 Jan 2009 19:01:01 GMT https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160002#M368820 Richard Burts 2009-01-12T19:01:01Z https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160003#M368821 <HTML><HEAD></HEAD><BODY><P>Sorry...</P><P>I just opened up ssh completely:</P><P></P><P>ssh 0.0.0.0 0.0.0.0 Inside</P><P>I am attempting to ssh to the INSIDE interface and I am coming from the INSIDE interface</P><P></P><P>I opened everything for all incoming traffic to the INSIDE interface</P><P></P><P>access-list inside_access_in extended permit ip any any</P><P>access-group inside_access_in in interface Inside </P><P></P><P>logs: in fact I did see something on the log, here it is:</P><P></P><P>Jan 12 2009 12:43:08: %ASA-1-106021: Deny TCP reverse path check from 10.0.107.8</P><P> to 192.168.230.2 on interface Inside </P><P>(107.8 is my address)</P><P></P><P>I just removed ip verify reverse-path interface Inside and I am still unable to access it with SSH but this time it is not timing out right away.</P></BODY></HTML> Mon, 12 Jan 2009 20:09:41 GMT https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160003#M368821 ronshuster 2009-01-12T20:09:41Z https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160004#M368822 <HTML><HEAD></HEAD><BODY><P>Roni</P><P></P><P>This is making progress <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Obviously your PC has a valid routed path to the ASA. Does the ASA have a valid routed path back to your PC? (the reverse path check issue suggests that the ASA does not have a route to your address through the inside interface).</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Mon, 12 Jan 2009 20:20:37 GMT https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160004#M368822 Richard Burts 2009-01-12T20:20:37Z https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160005#M368823 <HTML><HEAD></HEAD><BODY><P>Yes we are making progress. You are right, there was a route missing through the inside interface, I can now ping the firewall from the work station (after I've added the route), but I am still unable to ssh to it.</P><P></P><P>Would any debug show me what's happeing?</P></BODY></HTML> Mon, 12 Jan 2009 20:31:04 GMT https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160005#M368823 ronshuster 2009-01-12T20:31:04Z https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160006#M368824 <HTML><HEAD></HEAD><BODY><P>Here's a capture:</P><P></P><P>10.0.107.8 is my workstation</P><P>192.168.230.2 is the INSIDE of the fw</P><P></P><P>6 packets captured</P><P> 1: 13:18:06.783559 10.0.107.8.3107 &gt; 192.168.230.2.22: S 3573581954:3573581954(0) win 64512 <MSS 1460=""></MSS></P><P> 2: 13:18:06.783605 192.168.230.2.22 &gt; 10.0.107.8.3107: S 4117345141:4117345141(0) ack 3573581955 win 8192 <MSS 1380=""></MSS></P><P> 3: 13:18:09.763113 10.0.107.8.3107 &gt; 192.168.230.2.22: S 3573581954:3573581954(0) win 64512 <MSS 1460=""></MSS></P><P> 4: 13:18:09.763159 192.168.230.2.22 &gt; 10.0.107.8.3107: S 4117345141:4117345141(0) ack 3573581955 win 8192 <MSS 1380=""></MSS></P><P> 5: 13:18:15.698404 10.0.107.8.3107 &gt; 192.168.230.2.22: S 3573581954:3573581954(0) win 64512 <MSS 1460=""></MSS></P><P> 6: 13:18:15.698450 192.168.230.2.22 &gt; 10.0.107.8.3107: S 4133945093:4133945093(0) ack 3573581955 win 8192 <MSS 1380=""> </MSS></P><P></P><P>what debug do you recommend to run? </P></BODY></HTML> Mon, 12 Jan 2009 20:43:00 GMT https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160006#M368824 ronshuster 2009-01-12T20:43:00Z https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160007#M368825 <HTML><HEAD></HEAD><BODY><P>Roni</P><P></P><P>I would start with debug ssh and see what it tells you.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Mon, 12 Jan 2009 20:54:00 GMT https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160007#M368825 Richard Burts 2009-01-12T20:54:00Z https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160008#M368826 <HTML><HEAD></HEAD><BODY><P>Roni</P><P></P><P>Another thought occurs to me about possible issues with SSH access. Have you configured authentication for SSH? Authentication could be done using an external authentication server or could be done with local authentication (which also requires configuration of a local user ID and password). </P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Mon, 12 Jan 2009 21:44:32 GMT https://community.cisco.com/t5/network-access-control/can-t-connect-to-asa5520/m-p/1160008#M368826 Richard Burts 2009-01-12T21:44:32Z