https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144827#M416564 <HTML><HEAD></HEAD><BODY><P>Hello, </P><P></P><P>Are you running in failover? You might want to remove the SSH commands from the ASA and re-add them. I strongly suggest you to try that. </P><P></P><P>Regards,</P><P>Juan Lombana</P><P></P><P>Please rate helpful posts.</P></BODY></HTML> Wed, 27 Mar 2013 22:40:37 GMT julomban 2013-03-27T22:40:37Z https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144821#M416547 <P>Good Afternoon,</P><P></P><P>We are having issues with SSH to our ASA 5510 after upgrading to 8.4.5.</P><P></P><P>This is the SSH Debug logs we get:</P><P></P><P>Mwe 0x08eff6e8 0xad5ed19c 0xad5e93b4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2 0xad5e9460 14888/16384 listen/ssh<BR />ASA-USNOR-01# Device ssh opened successfully.<BR />SSH0: SSH client: IP = '172.16.10.8'&nbsp; interface # = 4<BR />SSH: host key initialised<BR />SSH0: starting SSH control process<BR />SSH-1031171653: Exchanging versions - SSH-2.0-Cisco-1.25</P><P>SSH-1031171653: send SSH message: outdata is NULL</P><P>server version string:SSH-2.0-Cisco-1.25SSH-1031171653: receive SSH message: 83 (83)<BR />SSH-1031171653: client version is - SSH-2.0-PuTTY_Release_0.62</P><P>client version string:SSH-2.0-PuTTY_Release_0.62SSH0: begin server key generation<BR />SSH0: complete server key generation, elapsed time = 520 ms</P><P>SSH2 -1031171653: SSH2_MSG_KEXINIT sent<BR />SSH2 -1031171653: SSH2_MSG_KEXINIT received<BR />SSH2: kex: client-&gt;server aes256-cbc hmac-sha1 none<BR />SSH2: kex: server-&gt;client aes256-cbc hmac-sha1 none<BR />SSH2 -1031171653: expecting SSH2_MSG_KEXDH_INIT<BR />SSH2 -1031171653: SSH2_MSG_KEXDH_INIT received<BR />SSH2 -1031171653: signature length 271<BR />SSH2: kex_derive_keys complete<BR />SSH2 -1031171653: newkeys: mode 1<BR />SSH2 -1031171653: SSH2_MSG_NEWKEYS sent<BR />SSH2 -1031171653: waiting for SSH2_MSG_NEWKEYS<BR />SSH2 -1031171653: newkeys: mode 0<BR />SSH2 -1031171653: SSH2_MSG_NEWKEYS received<BR />SSH2 -1031171653: authentication failed for&nbsp; (code=1)SSH-1031171653: Session disconnected by SSH server - error 0x0d "Rejected by server"</P><P></P><P></P><P></P><P>The correct ACL's are set, etc.</P><P></P><P>Any thoughts?</P> Fri, 21 Feb 2020 12:51:18 GMT https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144821#M416547 IT Services 2020-02-21T12:51:18Z https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144822#M416550 <HTML><HEAD></HEAD><BODY><P>Seems like the authentication part is failing based on the debug output above.</P><P></P><P>Are you authenticating locally for the SSH session or via Radius/Tacacs?</P><P></P><P>If it's via Radius or Tacacs, can you please check to see if you can authenticate from the ASA using the "test" command.</P></BODY></HTML> Fri, 22 Mar 2013 04:33:21 GMT https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144822#M416550 Jennifer Halim 2013-03-22T04:33:21Z https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144823#M416553 <HTML><HEAD></HEAD><BODY><P> Hi Jennifer,</P><P></P><P>Thanks for the reply. It is not giving me the chance to even authenticate. It refuses the connection the second the login prompt shows.</P><P></P><P>I have tried both RADIUS and LOCAL authentication to no avail.</P><P></P><P>I am just looking for an idea other than rebooting the ASA, which might be my last resort.</P></BODY></HTML> Fri, 22 Mar 2013 12:43:42 GMT https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144823#M416553 IT Services 2013-03-22T12:43:42Z https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144824#M416555 <HTML><HEAD></HEAD><BODY><P>base on the information, unfortunately rebooting will be the best bet.</P></BODY></HTML> Fri, 22 Mar 2013 21:31:36 GMT https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144824#M416555 Jennifer Halim 2013-03-22T21:31:36Z https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144825#M416558 <HTML><HEAD></HEAD><BODY><P>Have you tried regeneration of your RSA key on the ASA? ("crypto key generate rsa").</P><P></P><P>Also verify you still have ssh allowed on the target interface from your host network.</P></BODY></HTML> Sun, 24 Mar 2013 18:43:11 GMT https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144825#M416558 Marvin Rhoads 2013-03-24T18:43:11Z https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144826#M416561 <HTML><HEAD></HEAD><BODY><P> Yes all this has been done and verified. I even tried changing the key size.</P></BODY></HTML> Wed, 27 Mar 2013 17:14:17 GMT https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144826#M416561 IT Services 2013-03-27T17:14:17Z https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144827#M416564 <HTML><HEAD></HEAD><BODY><P>Hello, </P><P></P><P>Are you running in failover? You might want to remove the SSH commands from the ASA and re-add them. I strongly suggest you to try that. </P><P></P><P>Regards,</P><P>Juan Lombana</P><P></P><P>Please rate helpful posts.</P></BODY></HTML> Wed, 27 Mar 2013 22:40:37 GMT https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144827#M416564 julomban 2013-03-27T22:40:37Z https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144828#M416567 <P>I know this is very old, but just had the same issue and found this post when I searched the error.</P> <P></P> <P>The issue is aaa authentication, see log below</P> <P></P> <P>%ASA-6-605004: Login denied from 192.168.199.201/55819 to management:192.168.199.100/ssh for user "*****"<BR />%ASA-6-315011: SSH session from 192.168.199.201 on interface management for user "*****" disconnected by SSH server, reason: "Rejected by server" (0x0d)<BR />%ASA-6-302014: Teardown TCP connection 44 for management:192.168.199.201/55819 to identity:192.168.199.100/22 duration 0:00:55 bytes 1159 TCP FINs<BR />%ASA-5-111008: User 'enable_15' executed the 'aaa authentication ssh console LOCAL' command.<BR />%ASA-5-111010: User 'enable_15', running 'CLI' from IP 192.168.199.201, executed 'aaa authentication ssh console LOCAL'<BR />%ASA-6-302013: Built inbound TCP connection 45 for management:192.168.199.201/55989 (192.168.199.201/55989) to identity:192.168.199.100/22 (192.168.199.100/22)<BR />%ASA-6-113012: AAA user authentication Successful : local database : user = cisco</P> <P></P> <P>Adding the following to config resolves the issue&nbsp;:&nbsp;</P> <P>aaa authentication ssh console LOCAL</P> Tue, 31 May 2016 20:06:11 GMT https://community.cisco.com/t5/network-security/problem-with-asa-ssh-after-8-4-5-upgrade/m-p/2144828#M416567 NeilGouws 2016-05-31T20:06:11Z