topic Re: ASA Upgrade, lost ssh access in Network Security

ASA Upgrade, lost ssh access

zietgiestt — Wed, 29 May 2024 13:51:05 GMT

Hello,

I just upgraded a cisco ASA 5506 from 9.6-9.16(4)57 and I cannot ssh into it any longer.

Get an error: "server unexpectedly closed the network connection"

I can access via asdm.

I have ssh enabled and I have ssh allowed form only 2 machines (a local server and my laptop).

I'm thinking I need to generate a new crypto key.

My question is, if I do generate a new cry key, will that break my ipsec tunnels?

Thanks,

Re: ASA Upgrade, lost ssh access

MHM Cisco World — Wed, 29 May 2024 14:47:39 GMT

Tunnel use rsa as auth?

If not I dont see anything between re-key the ssh and ipsec vpn

MHM

Re: ASA Upgrade, lost ssh access

zietgiestt — Wed, 29 May 2024 14:49:48 GMT

tunnels use pre-shared keys. so I should be good to rekey?

Re: ASA Upgrade, lost ssh access

MHM Cisco World — Wed, 29 May 2024 14:52:48 GMT

For my view there is no issue at all' if you want I can check by lab abd update you.

MHM

Re: ASA Upgrade, lost ssh access

zietgiestt — Wed, 29 May 2024 15:03:31 GMT

I don't think that would be necessary but thanks for offering.

would you agree with me upgrading to such a jump would require a rekey to regain ssh access, due to the deprecated encryption not allowed on 9.16?

Re: ASA Upgrade, lost ssh access

Marvin Rhoads — Wed, 29 May 2024 16:49:04 GMT

You should not NORMALLY have to generate a new RSA key (which is used for ssh, completely separate from the preshared keys used by any IPsec VPNs).

However, there is a change in behavior noted with 9.16 specifically as follows:

" SSH host key action required in 9.16(1)—In addition to RSA, we added support for the EDDSA and ECDSA host keys for SSH. The ASA tries to use keys in the following order if they exist: EDDSA, ECDSA, and then RSA. When you upgrade to 9.16(1), the ASA will fall back to using the existing RSA key. However, we recommend that you generate higher-security keys as soon as possible using the crypto key generate {eddsa | ecdsa} command. Moreover, if you explicitly configure the ASA to use the RSA key with the ssh key-exchange hostkey rsa command, you must generate a key that is 2048 bits or higher. For upgrade compatibility, the ASA will use smaller RSA host keys only when the default host key setting is used. RSA support will be removed in a later release."

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/release/notes/asarn916.html

Re: ASA Upgrade, lost ssh access

zietgiestt — Wed, 29 May 2024 19:18:39 GMT

Thanks for the replies MHM & Marvin.

I figured it out...had an too old a version of putty. updated my putty client and connected just fine.

I guess the silver lining is I have better ciphers now that I've changed all my ssh settings.

Thanks for the help...

Re: ASA Upgrade, lost ssh access

MHM Cisco World — Wed, 29 May 2024 19:23:43 GMT

Thanks alot for update us

I was waiting run some lab test change cipher with same rsa key.

But you short the way.

Thanks

Have a nice day

MHM

Re: ASA Upgrade, lost ssh access

Marvin Rhoads — Thu, 30 May 2024 12:40:25 GMT

Good to hear you are back in via ssh. Besides supporting newer algorithms, any version of Putty before earlier this year (0.80 or older) should be updated in any event due to a critical vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2024-31497

Re: ASA Upgrade, lost ssh access

kcousino123 — Thu, 14 Nov 2024 21:31:38 GMT

Marvin,

I was trying to understand what fixes this issue. I upgraded from 9.12.4 to 9.16.4 and ssh worked at first and then all I get is Connection reset by peer. I can use ASDM just fine. It's the ssh that fails now.
This is what I have for ssh config.

ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh key-exchange hostkey rsa
ssh x.x.x.x 255.255.255.255 outside

This is the command I ran after zeroing the rsa key.
crypto key generate rsa modulus 3072 noconfirm.

I have tried this with ecdsa too using this command
crypto key generate ecdsa elliptic-curve 384 noconfirm

All commands have been run via cli in ASDM.

I am using both Putty and SecureCRT.

Help if you can.

Ken

Re: ASA Upgrade, lost ssh access

Marvin Rhoads — Fri, 15 Nov 2024 12:08:30 GMT

@kcousino123 did you check your versions? Old Putty or SecureCRT can both fail to support the latest ssh kex algorithms.

I also see you allow ssh from only one address on the outside. Is that the source where you see the issue and are you trying to ssh to the outside interface?

Re: ASA Upgrade, lost ssh access

kcousino123 — Fri, 15 Nov 2024 15:31:06 GMT

@Marvin Rhoads , I do have current versions of both software running. I have multiple public IPs for this access but only showed one for the chat. Also, for the testing, I have it open to 0.0.0.0. I am trying to connect to the outside interface. Here is the really weird thing, I actually upgraded 6 5506 firewalls, and with 5 SSH doesn't work now but for one it still works. I compared those configs and there isn't anything different. I wondered if there was a better version of the software that I should migrate to or is this issue the same moving forward.

Re: ASA Upgrade, lost ssh access

Marvin Rhoads — Sat, 16 Nov 2024 05:46:15 GMT

Do you have any other NATs that possibly use the interface address for port 22?

Re: ASA Upgrade, lost ssh access

kcousino123 — Sun, 17 Nov 2024 01:26:37 GMT

@Marvin Rhoads , no I don't have any other NATs. One of the things I wondered is if it might have something to do with the chipset version on the firewall.
Do you know if this issue is on newer version of the software?

Re: ASA Upgrade, lost ssh access

Marvin Rhoads — Mon, 18 Nov 2024 08:08:49 GMT

@kcousino123 please check the following and share the output on one of your non-working firewalls:

show asp table socket | include ssh

Re: ASA Upgrade, lost ssh access

kcousino123 — Mon, 18 Nov 2024 14:25:20 GMT

@Marvin Rhoads , I ran that command and received nothing in response.

Re: ASA Upgrade, lost ssh access

Marvin Rhoads — Mon, 18 Nov 2024 14:37:40 GMT

Sorry,It should be:

show asp table socket | include 22

Re: ASA Upgrade, lost ssh access

kcousino123 — Mon, 18 Nov 2024 14:57:39 GMT

@Marvin Rhoads I ran that one and get this.

TCP 12338188 LISTEN x.x.x.x:22 0.0.0.0:* "x.x.x.x is my outside public"
TCP 13bed638 LISTEN x.x.x.x:22 0.0.0.0:* "x.x.x.x is my inside private"

Re: ASA Upgrade, lost ssh access

kcousino123 — Wed, 20 Nov 2024 15:01:03 GMT

@Marvin Rhoads , I did some testing this morning. I downgraded the firewall back to the previous version and SSH started working as expected. I then re-upgraded to the 9.16.4 version. After rebooting I was able to use SSH as expected. The really weird twist, is a couple hours later and SSH doesn't work again.

Re: ASA Upgrade, lost ssh access

Marvin Rhoads — Wed, 20 Nov 2024 15:52:49 GMT

@kcousino123 that sounds suspiciously like some system is logging in remotely and tying up all the available ssh lines. You can check this with "show ssh sessions" command. The default allows 5 ssh sessions to be active at any one time. (Similar to "line vty 0 4" in IOS devices.)