https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183818#M358485 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">when I connect my laptop using the console cable, the screen is constantly scrolling with firewall traffic</PRE><P>That means that debugging/informational logging is enabled. You, after successful connection throug ssh, first disable the console logging using <EM>no logging console.</EM> After that, disconnect from ssh, connect to console, enable </P><P>debug aaa authentication, connect again through ssh and see what's happening.</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">Are there any historical logs I can check when successfully conntect using ssh?</PRE><P>Yes, you can enable logging to buffer, i.e. <EM>logging buffer debugging. </EM>The log will be saved to the buffer and you'll be able to see it later. Alternatively you can save logs to any syslog servers, but i don't think you need it here)</P></BODY></HTML> Mon, 15 Apr 2013 16:00:04 GMT Andrew Phirsov 2013-04-15T16:00:04Z https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183815#M358482 <P>Hi folks,</P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P>A bit of a strange one I'm hoping some of you may have come across before.</P><P></P><P><SPAN style="font-size: 10pt;">When I try to SSH (putty) onto our Cisco ASA5520 (8.4.2), more often that not I get an 'Access denied' message when I enter the password which I'm 100% sure is correct.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">I enter the password three times until it disconnects me.&nbsp; I then have to close the putty session (numerous times on occassions) and start again and then I can connect (if I'm lucky).</SPAN></P><P></P><P>This is from the Putty event log:</P><P></P><P><SPAN style="font-size: 10pt;">2013-04-11 11:53:15 Sent password</SPAN></P><P>2013-04-11 11:53:15 Access denied</P><P></P><P><SPAN style="font-size: 10pt;">Are there logs I can check when successfully connected to the firewall?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Thanks</SPAN></P><P>Alex</P> Tue, 12 Mar 2019 01:26:43 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183815#M358482 Alex Sykes 2019-03-12T01:26:43Z https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183816#M358483 <HTML><HEAD></HEAD><BODY><P>Hello Alex,</P><P></P><P>yes,</P><P></P><P>are you using any external database for authentication.. if not just use</P><P></P><P>debug aaa authentication and try to login,</P><P></P><P>post the results</P></BODY></HTML> Thu, 11 Apr 2013 17:38:38 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183816#M358483 Julio Carvajal 2013-04-11T17:38:38Z https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183817#M358484 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Many thanks for your reply.</P><P></P><P>We have local authentication on our firewall, however, when I connect my laptop using the console cable, the screen is constantly scrolling with firewall traffic and I can't find a way to stop it and, therefore, I cannot enter the command you suggested.</P><P></P><P>This only happens via console - not remote ssh (when I eventually connect).</P><P></P><P>Are there any historical logs I can check when successfully conntect using ssh?</P><P></P><P>We have two 5520s in a HA pair and I can make the stand-by firewall the primary one, and the same problems occurs - cannot ssh using putty and when using colsole cable contstant scrolling of firewall traffic.</P><P></P><P>This is very odd behaviour.&nbsp; Would something like a memory leak cause these issues?</P><P></P><P>Kind regards</P><P>Alex</P></BODY></HTML> Mon, 15 Apr 2013 15:36:45 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183817#M358484 Alex Sykes 2013-04-15T15:36:45Z https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183818#M358485 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">when I connect my laptop using the console cable, the screen is constantly scrolling with firewall traffic</PRE><P>That means that debugging/informational logging is enabled. You, after successful connection throug ssh, first disable the console logging using <EM>no logging console.</EM> After that, disconnect from ssh, connect to console, enable </P><P>debug aaa authentication, connect again through ssh and see what's happening.</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">Are there any historical logs I can check when successfully conntect using ssh?</PRE><P>Yes, you can enable logging to buffer, i.e. <EM>logging buffer debugging. </EM>The log will be saved to the buffer and you'll be able to see it later. Alternatively you can save logs to any syslog servers, but i don't think you need it here)</P></BODY></HTML> Mon, 15 Apr 2013 16:00:04 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183818#M358485 Andrew Phirsov 2013-04-15T16:00:04Z https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183819#M358486 <HTML><HEAD></HEAD><BODY><P>Hi Andrew,</P><P></P><P>Thanks for all the info - it is very much appreciated.</P><P></P><P>I had to send the 'no logging console' command from the ASDM because I still can't get ssh access.</P><P></P><P>However, once that was done, I ran the 'debug aaa authentication' command and got a '<SPAN style="font-size: 10pt;">Resetting 10.116.0.3's numtries' message.&nbsp; That IP is our ACS, so I'll start looking there.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Thanks again for your help.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">Regards</SPAN></P><P><SPAN style="font-size: 10pt;">Alex</SPAN></P></BODY></HTML> Mon, 15 Apr 2013 17:01:25 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183819#M358486 Alex Sykes 2013-04-15T17:01:25Z https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183820#M358487 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P></P><P>You said it was local authentication and now you are dealing with an ACS problem, you can share the asa setup to review it ,</P><P></P><P>Regards,</P></BODY></HTML> Mon, 15 Apr 2013 18:19:37 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183820#M358487 Julio Carvajal 2013-04-15T18:19:37Z https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183821#M358488 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P><SPAN style="font-size: 10pt;">Please accept my apologies - I didn't realise the ACS was used for this authentication.&nbsp; I'm very new to Cisco products and I'm having difficulty learning on a production network.</SPAN></P><P><SPAN style="font-size: 10pt;"> </SPAN></P><P>Attached is the ASA config as requested.</P><P></P><P>Also, the ACS has the following messages in the logs:</P><P></P><P><SPAN style="font-size: 10pt;">Failure Reason &gt; Authentication Failure Code Lookup</SPAN></P><P>Failure Reason : 22056 Subject not found in the applicable identity store(s).</P><P></P><P>The help I'm receiving really is appreciated.</P><P></P><P>Regards</P><P>Alex</P></BODY></HTML> Tue, 16 Apr 2013 15:53:30 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183821#M358488 Alex Sykes 2013-04-16T15:53:30Z https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183822#M358489 <HTML><HEAD></HEAD><BODY><P>Hello Alex,</P><P></P><P>Does not look like the SSH sessions are being sent to the AAA server for authentication it's being authenticated locally,</P><P></P><P>can you add :</P><P>username cisco password cisco</P><P></P><P></P><P>An try to authenticate as a test with those</P></BODY></HTML> Tue, 16 Apr 2013 16:45:28 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183822#M358489 Julio Carvajal 2013-04-16T16:45:28Z https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183823#M358490 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I've managed to find a workaround by setting SSH authentication to local only - not ACS.</P><P></P><P>Thanks for you time and effort in helping me with this problem.</P><P></P><P>Regards</P><P>Alex</P></BODY></HTML> Fri, 19 Apr 2013 15:52:35 GMT https://community.cisco.com/t5/network-security/asa5520-can-t-connect-with-putty/m-p/2183823#M358490 Alex Sykes 2013-04-19T15:52:35Z