https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4399471#M1080612 <P>I am assuming you also created a local username:</P><P>&nbsp;</P><P>add these 2 commands:</P><P>aaa authentication http console LOCAL</P><P>aaa authentication ssh console LOCAL</P> Fri, 07 May 2021 17:16:09 GMT pjweintraub0206 2021-05-07T17:16:09Z https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314601#M1079670 <P>Here is part of the config:</P><P>new firewall (without config )</P><P>Just Ip management</P><P>&nbsp;</P><P>&nbsp;ASA Version 9.15(1)1</P><P>&nbsp;</P><P>ssh stricthostkeycheck<BR />ssh timeout 5<BR />ssh version 2<BR />ssh key-exchange group dh-group14-sha1<BR />ssh 0.0.0.0 0.0.0.0 mgmt</P><P>!<BR />interface Management1/1<BR />management-only<BR />nameif mgmt<BR />security-level 0<BR />ip address 172.29.100.71 255.255.255.0</P><P>&nbsp;</P><P>&nbsp;</P><P>Source (PING etc )</P><P>&nbsp;</P><P>ping 172.29.100.71<BR />PING 172.29.100.71 (172.29.100.71) 56(84) bytes of data.<BR />64 bytes from 172.29.100.71: icmp_seq=1 ttl=254 time=0.461 ms<BR />64 bytes from 172.29.100.71: icmp_seq=2 ttl=254 time=0.672 ms<BR />64 bytes from 172.29.100.71: icmp_seq=3 ttl=254 time=0.520 ms<BR />^C64 bytes from 172.29.100.71: icmp_seq=4 ttl=254 time=0.590 ms</P><P>&nbsp;</P><P><STRONG>ssh -l xxxxx 172.29.100.71</STRONG><BR /><STRONG>Connection closed by 172.29.100.71</STRONG></P><P>&nbsp;</P><P>sh ssh<BR />Idle Timeout: 5 minutes<BR />Version allowed: 2<BR />Cipher encryption algorithms enabled: aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc<BR />Cipher integrity algorithms enabled: hmac-sha2-256</P><P>Hosts allowed to ssh into the system:<BR />0.0.0.0 0.0.0.0 mgmt<BR />FW04#</P><P>&nbsp;</P><P>What am I missing?</P> Fri, 26 Mar 2021 16:30:19 GMT https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314601#M1079670 Alex Ribas 2021-03-26T16:30:19Z https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314603#M1079671 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/89946">@Alex Ribas</a>&nbsp;</P> <P>Have you run generated an RSA key pair? If not run "<STRONG>crypto key generate rsa modulus 2048</STRONG>"</P> Fri, 26 Mar 2021 16:33:57 GMT https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314603#M1079671 Rob Ingram 2021-03-26T16:33:57Z https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314605#M1079672 <P>Yes I did</P><P>crypto key generate rsa general-keys modulus 2048<BR />WARNING: You have a RSA keypair already defined named &lt;Default-RSA-Key&gt;.</P><P>&nbsp;</P><P>Many times</P><P>&nbsp;</P> Fri, 26 Mar 2021 16:35:50 GMT https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314605#M1079672 Alex Ribas 2021-03-26T16:35:50Z https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314608#M1079673 <P>crypto key generate rsa modulus 2048<BR />INFO: The name for the keys will be: &lt;Default-RSA-Key&gt;<BR /><STRONG>Keypair generation process begin. Please wait...</STRONG><BR />FW04(config)#</P> Fri, 26 Mar 2021 16:48:51 GMT https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314608#M1079673 Alex Ribas 2021-03-26T16:48:51Z https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314612#M1079674 <P>The ASA is possibly missing a route back to the network that you're accessing the ASA on. I'd check that.&nbsp;</P><P>&nbsp;</P><P>&nbsp;Type in show management-access.. if it returns nothing then use:&nbsp; management-access management (to manage from management interface) or the interface might be shut down.&nbsp;&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>C</P> Fri, 26 Mar 2021 16:54:11 GMT https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314612#M1079674 chadbaird2431 2021-03-26T16:54:11Z https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314622#M1079676 <P>&nbsp;</P><P>I Think this is issue</P><P>ssh admfw@172.29.100.71<BR />The authenticity of host '172.29.100.71 (172.29.100.71)' can't be established.<BR />RSA1 key fingerprint is 6b:00:4f:d4:6f:fe:53:8a:48:49:60:28:08:7c:64:8c.<BR />Are you sure you want to continue connecting (yes/no)? yes<BR />Warning: Permanently added '172.29.100.71' (RSA1) to the list of known hosts.<BR />Selected cipher type &lt;unknown&gt; not supported by server</P><P>&nbsp;</P><P><BR />.</P><P>Licensed features for this platform:<BR />Maximum Physical Interfaces : Unlimited perpetual<BR />Maximum VLANs : 150 perpetual<BR />Inside Hosts : Unlimited perpetual<BR />Failover : Active/Active perpetual<BR />Encryption-DES : Enabled perpetual<BR />Encryption-3DES-AES : Disabled perpetual<BR />Security Contexts : 2 perpetual<BR />Carrier : Disabled perpetual<BR />AnyConnect Premium Peers : 4 perpetual<BR />AnyConnect Essentials : Disabled perpetual<BR />Other VPN Peers : 300 perpetual<BR />Total VPN Peers : 300 perpetual<BR />AnyConnect for Mobile : Disabled perpetual<BR />AnyConnect for Cisco VPN Phone : Disabled perpetual<BR />Advanced Endpoint Assessment : Disabled perpetual<BR />Shared License : Disabled perpetual<BR />Total TLS Proxy Sessions : 1000 perpetual<BR />Botnet Traffic Filter : Disabled perpetual<BR />Cluster : Disabled perpetual<BR />VPN Load Balancing : Enabled perpetual</P><P>Serial Number: xxxxxxxxxxx<BR />Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000<BR />Configuration register is 0x1<BR />Image type : Release<BR />Key Version : A</P><P><BR />FW04(config)# sh ssh<BR />Idle Timeout: 5 minutes<BR />Versions allowed: 1 and 2<BR />Cipher encryption algorithms enabled: aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr<BR />Cipher integrity algorithms enabled: hmac-sha1 hmac-sha1-96</P> Fri, 26 Mar 2021 17:14:11 GMT https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314622#M1079676 Alex Ribas 2021-03-26T17:14:11Z https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314625#M1079677 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/89946">@Alex Ribas</a>&nbsp;</P> <P>Encryption-3DES-AES : <STRONG>Disabled</STRONG></P> <P>&nbsp;</P> <P>You don't have the 3DES license so you cannot SSH to the ASA. You'll need to go <A href="https://software.cisco.com/software/swift/lrp/#/pak" target="_blank">https://software.cisco.com/software/swift/lrp/#/pak</A> and request an activation key (free).</P> <P>&nbsp;</P> Fri, 26 Mar 2021 17:22:09 GMT https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4314625#M1079677 Rob Ingram 2021-03-26T17:22:09Z https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4399471#M1080612 <P>I am assuming you also created a local username:</P><P>&nbsp;</P><P>add these 2 commands:</P><P>aaa authentication http console LOCAL</P><P>aaa authentication ssh console LOCAL</P> Fri, 07 May 2021 17:16:09 GMT https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4399471#M1080612 pjweintraub0206 2021-05-07T17:16:09Z https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4400117#M1080633 <P>crypto key zeroize rsa<BR />crypto key generate rsa modulus 2048</P><P>&nbsp;</P><P>username ssh password<BR />ssh 172.29.100.0 255.255.255.0 mgmt</P><P>&nbsp;</P><P>--</P><P>regards</P><P>Mauri</P> Mon, 10 May 2021 08:36:26 GMT https://community.cisco.com/t5/network-security/ssh-connection-problem-on-asa-management-interface/m-p/4400117#M1080633 Maurizio Caloro 2021-05-10T08:36:26Z