topic Can't SSH anymore to Firepower device onto the management interface in Network Security

Can't SSH anymore to Firepower device onto the management interface

MXUser — Mon, 07 Aug 2023 16:32:56 GMT

I have an FMC managed 1140 device on FTD 7.2.4, as of this morning I was able to SSH to it on the management interface, now I am not able to SSH, I also added a policy to try to SSH via the other interfaces but without luck, this is what I get:

kex_exchange_identification: Connection closed by remote host

there is a script running in the background to fix a S2S session reestablishing every hour and it uses SSH to that management interface.. it stopped working this morning, the script do close the ssh session/connection, so cleanup is done..

Questions:
- How to troubleshoot SSH connections ? I have serial console access.
- How to see if the SSH daemon is running or probably crashed if resources sessions are not properly release? possibility..

Thanks

Re: Can't SSH anymore to Firepower device onto the management interfac

Marvin Rhoads — Mon, 07 Aug 2023 16:58:44 GMT

Opening a TAC case would provide the best outcome for a problem such as this.

If you are not able to do so or just want to check for yourself, you could probably go into expert mode on the managed ftd and check for the listener on tcp/22 using netstat. You might also capture logs with "pigtail -all" (also done from expert mode) while trying to connect via ssh.

Re: Can't SSH anymore to Firepower device onto the management interfac

MXUser — Mon, 07 Aug 2023 17:01:53 GMT

Hi Marvin.. thanks
I will inform Cisco.. but strange as it is Linux/Unix based, there should be a servicectl somewhere..

Re: Can't SSH anymore to Firepower device onto the management interfac

Marvin Rhoads — Mon, 07 Aug 2023 17:23:34 GMT

There is a monitoring daemon that watches the sshd listener. It is supposed to restart the listener if it finds it to not be listening.

> expert admin@ftdv-1:~$ sudo su - Password: root@ftdv-1:~# ps -ef | grep ssh root 3574 3531 0 Jul24 ? 00:01:19 /bin/sh /etc/init.d/sshd monitor root 24401 1 0 Jul24 ? 00:00:00 sshd: /usr/sbin/sshd [listener] 0 of 100-100 startups root 28638 24401 0 17:17 ? 00:00:00 sshd: admin [priv] admin 28647 28638 0 17:17 ? 00:00:00 sshd: admin@pts/0 root 28804 28749 0 17:17 pts/0 00:00:00 grep --color=auto ssh root@ftdv-1:~#

You can trigger it manually as follows:

/etc/init.d/ssh {start|stop|status|reload|force-reload|restart|monitor}

Re: Can't SSH anymore to Firepower device onto the management interfac

MXUser — Mon, 07 Aug 2023 18:27:50 GMT

Yeah, I did manage to restart the SSHD service.. did post here with commands, but for an odd reason got blocked on the forum.. likely thought I was trying to inject it..will need to see how to pass commands without it blocking my access

@MXUser wrote:
Hi
I have an FMC managed 1140 device on FTD 7.2.4, as of this morning I was able to SSH to it on the management interface, now I am not able to SSH, I also added a policy to try to SSH via the other interfaces but without luck, this is what I get:
kex_exchange_identification: Connection closed by remote host
there is a script running in the background to fix a S2S session reestablishing every hour and it uses SSH to that management interface.. it stopped working this morning, the script do close the ssh session/connection, so cleanup is done..
Questions:
- How to troubleshoot SSH connections ? I have serial console access.
- How to see if the SSH daemon is running or probably crashed if resources sessions are not properly release? possibility..

Thanks

Re: Can't SSH anymore to Firepower device onto the management interfac

MXUser — Mon, 07 Aug 2023 18:32:47 GMT

Hi Marvin

Seems the monitor process is not running..

Re: Can't SSH anymore to Firepower device onto the management interfac

1EyedJoe — Sun, 25 Feb 2024 13:15:02 GMT

The 7.2 documentation says the service is started by default, but it was not on my FTDv.