topic Re: Unable to SSH to ASA 5525-X in Network Security

Unable to SSH to ASA 5525-X

BeckyBoo123 — Fri, 20 Aug 2021 08:27:04 GMT

Hi,

I have four admin users on my ASA all with level 15 access but not of them are able to SSH to my device.

I have checked SSH settings and it is allowed.

Is there anything I could have overlooked? I'm sure this has worked in the past as the device is over 5 years old.

Thanks in advance.

Re: Unable to SSH to ASA 5525-X

Rob Ingram — Fri, 20 Aug 2021 08:53:40 GMT

Hi @BeckyBoo123

Are the users even prompted to authenticate?

If not it could be you are connecting from a network/IP address that is not permitted to SSH to the ASA. See this really old guide

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/69373-ssh-inside-out-pix7x.html

See the section of the guide "Configuration with ASDM 6.x" - step number 6. From here you need to define the networks/ip addresses permitted to connect to the ASA using ssh.

HTH

Re: Unable to SSH to ASA 5525-X

balaji.bandi — Fri, 20 Aug 2021 09:16:40 GMT

check is this lines there in command level :

ssh version 2

ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside (this is not required, in case you coming from outside)
ssh timeout 60

May be also worth zeroinf RSA SSH from console : (make sure you understand the below command, it will remove all kkeys)

coonf t

crypto key zero noconfirm

crypto key generate rsa no confirm

Re: Unable to SSH to ASA 5525-X

BeckyBoo123 — Fri, 20 Aug 2021 09:19:05 GMT

Hi @Rob Ingram

Thank you for the swift reply!

No, no authentication prompt at all is being received. Just says "Server unexpectedly closed network connection".

I've checked the settings that you mentioned and all looks good.

I am also seeing the following message when I try to connect:

%ASA-6-106015: Deny TCP (no connection) from IP_address/port to 
IP_address/port flags tcp_flags on interface interface_name.
The ASA discarded a TCP packet that has no associated connection in the ASA connection table. The ASA looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is no existing connection, the ASA discards the packet.

A quick Google of this error seems rather complex.

Re: Unable to SSH to ASA 5525-X

balaji.bandi — Fri, 20 Aug 2021 09:32:28 GMT

ASA-6-106015: Deny TCP (no connection) from IP_address/port to 
IP_address/port flags tcp_flags on interface interface_name.

Looks for me this is Routing issue. what is your client IP address ?

Re: Unable to SSH to ASA 5525-X

BeckyBoo123 — Fri, 20 Aug 2021 10:05:07 GMT

Hi @balaji.bandi

I think you may be right. My client IP is 10.11.9.204 and that appears in the log entry.

I am unable to SSH to the device from where I am to check if the lines you asked about are present.

Re: Unable to SSH to ASA 5525-X

balaji.bandi — Fri, 20 Aug 2021 10:17:15 GMT

Is this only device, you need to find any other device with different IP can able to SSH, or we need to get in to Console to pull the information.

Note : i saw ASDM picture, are you able to use ASDM ? (from the IP mentioned ?)

Re: Unable to SSH to ASA 5525-X

BeckyBoo123 — Fri, 20 Aug 2021 10:42:43 GMT

@balaji.bandi I have just tried to connect from another device (which is actually on the same network) and that too fails.

Yes I am able to access everything on the ASDM from my IP.

Re: Unable to SSH to ASA 5525-X

Milos_Jovanovic — Fri, 20 Aug 2021 10:56:27 GMT

Hi @BeckyBoo123,

Could you please check the output (from console) of the 'show asp table socket'? We expect to see that device is listening on TCP/22?

Please also check the outputs:

'show run ssh', which should display SSH configuration
'show run aaa', to confirm authentication for SSH is configured
'show crypto key mypubkey rsa', to confirm that your SSH keys are present

BR,

Milos

Re: Unable to SSH to ASA 5525-X

BeckyBoo123 — Fri, 20 Aug 2021 11:27:46 GMT

@Milos_Jovanovic Sorry but the ASA is physically in a different location. I cannot console in at the moment. That may be the only option I have though if I can't get to the bottom of it.

Re: Unable to SSH to ASA 5525-X

balaji.bandi — Fri, 20 Aug 2021 11:34:21 GMT

From ASDM (not sure what version you have ) - you can use tools --> command line intercce you can issue the commands people requested.

Re: Unable to SSH to ASA 5525-X

BeckyBoo123 — Fri, 20 Aug 2021 11:40:07 GMT

@balaji.bandi @Milos_Jovanovic

Sorry I forgot I could do that!

Result of the command: "show run ssh"

ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 LAN
ssh timeout 60
ssh key-exchange group dh-group14-sha1



Result of the command: "show run aaa"

aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 



Result of the command: "show crypto key mypubkey rsa"

The command has been sent to the device

Hmm, does this mean my key is missing?

Re: Unable to SSH to ASA 5525-X

Milos_Jovanovic — Fri, 20 Aug 2021 11:53:41 GMT

@BeckyBoo123,

I believe you are missing RSA keys, which are mandatory for SSH. Try with 'crypto key generate rsa modulus 2048', and try SSH after.

BR,

Milos

Re: Unable to SSH to ASA 5525-X

balaji.bandi — Fri, 20 Aug 2021 11:55:04 GMT

Result of the command: "show crypto key mypubkey rsa"

Looks like a catch here, may be since you mentioned it was working several years and broken, worth re-key

or take show run (output and check)

Re: Unable to SSH to ASA 5525-X

BeckyBoo123 — Fri, 20 Aug 2021 12:08:58 GMT

@Milos_Jovanovic @balaji.bandi @Rob Ingram

I recreated the key and all works perfectly now!

Thank you all do much, I probably should have tested that first.

Re: Unable to SSH to ASA 5525-X

balaji.bandi — Fri, 20 Aug 2021 12:15:16 GMT

Glad to know our suggestion helped here , we mark as resolved.