https://community.cisco.com/t5/network-security/ssh-and-asdm-not-accessible/m-p/2979892#M149822 <P>hello&nbsp;</P> <P></P> <P>I hope you can help, we have an ASA 5550 model, and SSH &amp; ASDM have been working fine for years now. But all of a sudden they have stop responding.&nbsp;</P> <P>The firewall itself is working and still routing traffic to the internet. No ACL were changed on it either.</P> <P></P> <P>Can you please advise what troubleshooting i can potentially do from the console cable on the firewall to restart these services again.</P> <P>many thanks</P> Tue, 12 Mar 2019 08:17:50 GMT upen desai 2019-03-12T08:17:50Z https://community.cisco.com/t5/network-security/ssh-and-asdm-not-accessible/m-p/2979892#M149822 <P>hello&nbsp;</P> <P></P> <P>I hope you can help, we have an ASA 5550 model, and SSH &amp; ASDM have been working fine for years now. But all of a sudden they have stop responding.&nbsp;</P> <P>The firewall itself is working and still routing traffic to the internet. No ACL were changed on it either.</P> <P></P> <P>Can you please advise what troubleshooting i can potentially do from the console cable on the firewall to restart these services again.</P> <P>many thanks</P> Tue, 12 Mar 2019 08:17:50 GMT https://community.cisco.com/t5/network-security/ssh-and-asdm-not-accessible/m-p/2979892#M149822 upen desai 2019-03-12T08:17:50Z https://community.cisco.com/t5/network-security/ssh-and-asdm-not-accessible/m-p/2979893#M149823 <P><SPAN style="font-size: 10pt;">Hello Mr. Desai,</SPAN></P> <P><SPAN style="font-size: 10pt;">Can you post the output of <STRONG>show asp table socket</STRONG> command ?</SPAN></P> <P><SPAN style="font-size: 10pt;">This command will return what connection the firewall is listening.</SPAN></P> <P><SPAN style="font-size: 10pt;"></SPAN></P> <P><SPAN style="font-size: 10pt;">Best Regards,</SPAN></P> <P><SPAN style="font-size: 10pt;">Alex Gutierrez.</SPAN></P> Tue, 20 Sep 2016 14:11:24 GMT https://community.cisco.com/t5/network-security/ssh-and-asdm-not-accessible/m-p/2979893#M149823 Alex D. Silva Gutierrez 2016-09-20T14:11:24Z https://community.cisco.com/t5/network-security/ssh-and-asdm-not-accessible/m-p/2979894#M149824 <P>hello Alex</P> <P>thank you for coming back to me. I do have access to the console cable to the firewall and did a debug on the SSH service and got the following error.</P> <P></P> <P>Lut-ASAFirewall#<BR />Device ssh opened successfully.<BR />SSH1: SSH client: IP = '10.251.251.107' interface # = 2<BR />SSH: host key initialised<BR />SSH1: starting SSH control process<BR />SSH1: Exchanging versions - SSH-1.99-Cisco-1.25</P> <P>SSH1: send SSH message: outdata is NULL<BR />SSH1: Session disconnected by SSH server - error 0x3c "Time-out activated"<BR />SSH1: send unsuccessful - status 0x3c</P> <P>Lut-ASAFirewall# sh asp drop</P> <P>Frame drop:<BR /> Bad IPSEC NATT packet (bad-ipsec-natt) 2<BR /> IPSEC tunnel is down (ipsec-tun-down) 4<BR /> Invalid encapsulation (invalid-encap) 19084<BR /> Invalid IP header (invalid-ip-header) 16<BR /> Invalid TCP Length (invalid-tcp-hdr-length) 38<BR /> Invalid UDP Length (invalid-udp-length) 67<BR /> No valid adjacency (no-adjacency) 452<BR /> No route to host (no-route) 4294<BR /> Flow is denied by configured rule (acl-drop) 513815804<BR /> Invalid SPI (np-sp-invalid-spi) 15604<BR /> First TCP packet not SYN (tcp-not-syn) 4373384<BR /> Bad TCP checksum (bad-tcp-cksum) 1<BR /> Bad TCP flags (bad-tcp-flags) 621<BR /> TCP Dual open denied (tcp-dual-open) 300<BR /> TCP data send after FIN (tcp-data-past-fin) 334<BR /> TCP failed 3 way handshake (tcp-3whs-failed) 487894<BR /> TCP RST/FIN out of order (tcp-rstfin-ooo) 2743470<BR /> TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 75477<BR /> TCP SYNACK on established conn (tcp-synack-ooo) 1105<BR /> TCP packet SEQ past window (tcp-seq-past-win) 1456851<BR /> TCP invalid ACK (tcp-invalid-ack) 1760<BR /> TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 6<BR /> TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 1<BR /> TCP RST/SYN in window (tcp-rst-syn-in-win) 3281<BR /> TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 74<BR /> TCP packet failed PAWS test (tcp-paws-fail) 71221<BR /> CTM returned error (ctm-error) 121<BR /> Slowpath security checks failed (sp-security-failed) 612638<BR /> ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 9834<BR /> ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 52<BR /> DNS Inspect invalid packet (inspect-dns-invalid-pak) 7<BR /> DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 304<BR /> DNS Inspect packet too long (inspect-dns-pak-too-long) 103668<BR /> DNS Inspect id not matched (inspect-dns-id-not-matched) 27824<BR /> FP L2 rule drop (l2_acl) 33707<BR /> Interface is down (interface-down) 58<BR /> Dropped pending packets in a closed socket (np-socket-closed) 1270193</P> <P>Last clearing: Never</P> <P>Flow drop:<BR /> Need to start IKE negotiation (need-ike) 950<BR /> NAT failed (nat-failed) 328720<BR /> NAT reverse path failed (nat-rpf-failed) 4<BR /> Inspection failure (inspect-fail) 7968106<BR /> SSL bad record detected (ssl-bad-record-detect) 2857<BR /> SSL handshake failed (ssl-handshake-failed) 6404<BR /> SSL malloc error (ssl-malloc-error) 125<BR /> SSL received close alert (ssl-received-close-alert) 136</P> <P>Last clearing: Never<BR />Lut-ASAFirewall#</P> <P><BR />Lut-ASAFirewall# sh asp table socket</P> <P><BR />Protocol Socket Local Address Foreign Address State<BR />SSL 0000133f 192.168.1.1:443 0.0.0.0:* LISTEN<BR />SSL 000020af 192.168.252.17:443 0.0.0.0:* LISTEN<BR />TCP 0000459f 192.168.252.17:22 0.0.0.0:* LISTEN<BR />SSL 062a1e5f 192.168.252.17:443 10.2.20.245:55177 ESTAB<BR />SSL 062e1c5f 192.168.252.17:443 10.3.1.114:10016 ESTAB<BR />SSL 062e25cf 192.168.252.17:443 10.3.1.114:10056 ESTAB</P> <P></P> <P>please let me know if you need any more information.</P> <P></P> <P>many thanks</P> <P>Upen Desai</P> Tue, 20 Sep 2016 15:11:30 GMT https://community.cisco.com/t5/network-security/ssh-and-asdm-not-accessible/m-p/2979894#M149824 upen desai 2016-09-20T15:11:30Z https://community.cisco.com/t5/network-security/ssh-and-asdm-not-accessible/m-p/2979895#M149825 <P>Hi <G class="gr_ gr_5 gr-alert gr_spell gr_run_anim ContextualSpelling ins-del multiReplace" id="5" data-gr-id="5">Upen,</G></P> <P></P> <P>Could you share the show memory and show blocks output from the ASA ?</P> <P></P> <P>Regards,</P> <P></P> <P>Aditya</P> <P></P> <P>Please rate helpful posts and mark correct answers.</P> Wed, 21 Sep 2016 06:02:52 GMT https://community.cisco.com/t5/network-security/ssh-and-asdm-not-accessible/m-p/2979895#M149825 Aditya Ganjoo 2016-09-21T06:02:52Z