topic Re: Concurrent SSH session in Cisco ASA in Network Security

Concurrent SSH session in Cisco ASA

NeWGuy1109 — Mon, 19 Aug 2019 16:41:00 GMT

Hello,

Is there any way to increase the limit of 5 concurrent ssh sessions in a Cisco ASA ?

I have tried increasing the quota-management session limit but still the ssh sessions are limited to 5.

Thanks.

Re: Concurrent SSH session in Cisco ASA

Marvin Rhoads — Tue, 20 Aug 2019 05:24:19 GMT

I don't believe so.

As noted in the other thread you posted on, the quota-management command doesn't change the ssh session limit per se.

Re: Concurrent SSH session in Cisco ASA

Afolarin Omole — Wed, 21 Aug 2019 11:13:10 GMT

@NeWGuy1109

Have you try using the ASA MPF to set the connection , the syntax is straight forward just like the MQC in normal ios , here you can set maximum connection for ASA management.

MQC syntax :

class-map to classify traffic flow

policy-map to action the classified traffic flow

service-policy to bind the above / implement it on the interesting interface.

Let me know if this help .

Re: Concurrent SSH session in Cisco ASA

Marvin Rhoads — Wed, 21 Aug 2019 21:06:20 GMT

It doesn't work even when using MPF. The limit for a single context ASA is 5 simultaneous ssh sessions. I believe the documentation suggesting otherwise is unclear in that it is meant for multiple context ASAs.

I just labbed it and the limit does not change with "quota management-session 10" or even when doing:

class-map type management MGMT_CMAP
match port tcp eq ssh
!
policy-map MGMT_PMAP
class MGMT_CMAP
  set connection conn-max 10
!
service-policy MGMT_PMAP interface inside

Re: Concurrent SSH session in Cisco ASA

Afolarin Omole — Thu, 22 Aug 2019 09:03:19 GMT

@Marvin Rhoads

Now what you've done is the right syntax , I haven't try to increase ssh session before but I always like to make use of possibility before concluding on the documentation direction.

Your Configuration is only matching on TCP Port 22 according to your command, I wanted to just agreed this might be a deadlock stuff , but I had to think of the way ASA handle FTP traffic when in passive , and the way ASA handle traceroute as well. I believe you are familiar with the afore-mentioned protocol (FTP & Traceroute)

In the case of FTP , when you check default inspection , you can see ASA is inspecting FTP but technically ASA will deny FTP in passive mode due to variation in outbound ports and inbound port ( check FTP order of operation on this)

In the case of traceroute , cisco uses unix based whilst Window machine doesn't, the mode of manually placing exception for this protocol is different when it comes to where the traffic is been generated from. In IOS / UNIX based UDP is use as outbound and return traffic is TCP ( do you see different) , this is why traceroute packet get drop until you manually inspect this via MPF.

On Windows Machine it uses TCP as outbound and the return packet consist of two different ICMP code traffic.

With your configuration , even if this is not possible I guess you still haven't done the manual inspection properly in terms of what your class-map is matching or inspecting.

The logic before using MPF is to check :

ASA logs via buffer or console when not production device
sh conn all

The above guidance will tell you what is seen outbound and what is seen inbound , as we know ASA is stateful behaviour , it will expect the outbound traffic to be the same with inbound , but in the case of non standard protocol we need manually exception by looking into logs / connection details to get this right.

Please let see if this work....