topic Re: Try re-generating the SSH key in Network Security

Sudden problem with SSH into ASA-5505 when using version 2

baskervi — Tue, 12 Mar 2019 08:51:20 GMT

A customer of mine has an ASA-5505 running 8.2(5)59, and it's been configured for at least a couple years as SSH version 2. I provide this customer with remote support, and SSH has always been restricted to specific IP addresses. About 2 or 3 weeks ago, all of a sudden I couldn't log in with SSH using putty remotely, so I VPN and connect to the internal servers, and the SSH client won't connect either. Given I'm 2.25 hours away, I had telnet opened up internally, so I at least have a way to access it. When I telnet to port 22, the ASA responds with "SSH-2.0-Cisco-1.25". Using putty or any other SSH client, the SSH client responds instantly with something along the lines of "Server unexpectedly closed network connection." I can't even attempt to login. If I change SSH to version 1, it works just fine. Does anyone have any thoughts on this? Thanks

Try re-generating the SSH key

Philip D'Ath — Tue, 31 Jan 2017 02:27:48 GMT

Try re-generating the SSH key. Something like:

crypto key generate rsa general-keys modulus 4096

Failing that try rebooting the ASA.

Failing that, make sure you are using an up to date version of PuTTY, and enable stronger keys on the ASA with (your software might be too old for this):

sh key-exchange group dh-group14-sha1

Philip, thanks very much for

baskervi — Tue, 31 Jan 2017 14:22:22 GMT

Philip, thanks very much for the reply. The first thing I tried was to regenerate the keys but that didn't help. I rebooted the ASA, which didn't help the problem, and the ssh key-exchange command isn't available on this version of software. I'll update the software today and see if that helps. Take care.

If you issue the command sh

Marius Gunnerud — Tue, 31 Jan 2017 18:03:09 GMT

If you issue the command sh ssh what is the output? does it show something like the following?

ciscoasa# sh ssh
Timeout: 15 minutes
Versions allowed: 1 and 2

Are you just having issues with SSH or is ASDM also affected?

Have you checked the log? is there anything out of the ordinary there?

Do a debug ssh and then establish another session using ssh and check the output.

Please remember to select a correct answer and rate helpful posts

SORD-asa# sh sshTimeout: 30

baskervi — Wed, 01 Feb 2017 00:54:07 GMT

SORD-asa# sh ssh
Timeout: 30 minutes
Version allowed: 2
172.31.1.0 255.255.255.0 inside
x.x.x.x 255.255.255.255 outside

I'm not sure if asdm is affected. The software isn't installed at this point.

Regarding the logs, here is the only entry:

Jan 31 2017 02:09:39: %ASA-6-315011: SSH session from x.x.x.x on interface outside for user "" disconnected by SSH server, reason: "Internal error" (0x00)

I should have thought of debugging this, but here is the output:

SSH2 0: DH shared secret computation failed, status 255SSH0: Session disconnected by SSH server - error 0x00 "Internal error"

There is a recent bug reported for 8.4(0.2), but it's a little different from this:

https://supportforums.cisco.com/discussion/10791491/cannot-access-asdm-and-ssh

That sounds bad. I would

Philip D'Ath — Wed, 01 Feb 2017 00:57:01 GMT

That sounds bad. I would definitely upgrade the main ASA software.

I put later firmware on the

baskervi — Wed, 01 Feb 2017 01:13:24 GMT

I put later firmware on the ASA earlier today, but I was concerned that if there was a hardware problem, I'd be out of luck since the site is over 2 hours away. I just rebooted, and it came up fine with 9.1(7.12). Thanks for everyone's input.

Re: Try re-generating the SSH key

clyde.a.huffman.ctr@mail.mil — Thu, 30 May 2019 13:34:37 GMT

Suddenly, SSH failed from an internal Ubuntu server - see the following error. SSHed to my internal aserver (Mint) and ssh worked. Set # debug ssh, and ssh from all internal servers started working....WHAT HAPPENED???

Stopped debug and ssh still works???

I've had issues with hash keys from Linux but not from Windows. Had to put this in .ssh/config file to get to my switches on 10.10.10.0:

aserver@DESK ~/.ssh $ ls
config known_hosts known_hosts.old test3 test4
aserver@DESK ~/.ssh $ cat config
Host local1
HostName 10.10.10.3
KexAlgorithms=+diffie-hellman-group1-sha1

Host local2
HostName 10.10.10.4
KexAlgorithms=+diffie-hellman-group1-sha1

Host local3
HostName 10.10.10.5
KexAlgorithms=+diffie-hellman-group1-sha1

Host local4
HostName 10.10.10.6
KexAlgorithms=+diffie-hellman-group1-sha1
Host 10.10.10.3
KexAlgorithms=+diffie-hellman-group1-sha1
Host 10.10.10.4
KexAlgorithms=+diffie-hellman-group1-sha1
Host 10.10.10.5
KexAlgorithms=+diffie-hellman-group1-sha1
Host 10.10.10.6
KexAlgorithms=+diffie-hellman-group1-sha1

SSH ERROR from ASA 5520 LOG

May 30 2019 12:44:31: %ASA-6-315011: SSH session from 192.168.168.220 on interface inside for user "*****" disconnected by SSH server, reason: "Internal error" (0x00)

Re: Try re-generating the SSH key

UmeshBhambri — Tue, 24 Sep 2019 08:32:13 GMT

I am also getting the same error

<166>%ASA-6-315011: SSH session from 10.10.10.10 on interface for user "*****" disconnected by SSH server, reason: "Time-out activated" (0x6e)

Please help !!!!