topic Re: SSH access issue with an ASA 5520 failover pair in Network Security

SSH access issue with an ASA 5520 failover pair

swhite2031 — Fri, 21 Feb 2020 11:12:22 GMT

I have an unusual problem. I am unable to SSH to the primary firewall but I am able to SSH to the secondary. RSA keys are generated, they have been zeroized and re-generated to no avail. The configuration is replicated to both firewalls so I do not believe it is a configuration issue. I have validated the config on both boxes just to be sure. Debug ssh 255 generates no output. The error message I receive from putty is "Server unexpectedly closed network connection". During a failover test I attempted to SSH to the primary (now secondary) and was unsuccessful then as well. I had some crazy thought about load on the box causing an issue. Ok, I admit it I was grasping at straws.. Any help would be greatly appreciated.

Regards,

Steve

Re: SSH access issue with an ASA 5520 failover pair

fberryman — Fri, 09 Jan 2009 15:36:32 GMT

I cant answer your core question yet, but it might help if we agree on terminology. Your primary pix is always the same physical box. Your secondary pix is always the same box, dictated by the license on the box and the serial cable that runs between them. When you switchover, your ACTIVE box changes from one physical box to the other and the original ACTIVE box becomes the STANDBY box. The primary ip address goes with the box that is currently active, as shown by the show failover command output.

Re: SSH access issue with an ASA 5520 failover pair

awysocki — Fri, 09 Jan 2009 19:33:07 GMT

I had this exact problem myself. After failing over to the backup, I just rebooted the problem ASA, and failed back (making it primary again). This seemed to resolve the SSH access issue. I allowed telnet as a temp work around. I am running 7.2(2). I have not seen this problem yet on the 7.2(4) boxes. I have yet to upgrade to 7.2(4) for that box. I know this doesn't help solve the original problem, but it's likely a bug in the code. I imagine TAC would suggest upgrading, unless you are at the latest, in which case maybe worthy of a tac case.

Re: SSH access issue with an ASA 5520 failover pair

Ivan Martinon — Fri, 09 Jan 2009 23:41:56 GMT

Hey,

This is most likely a bug on the code you have, you might be running out of memory for that block or something, I would advise you to go to your TAC rep.

Re: SSH access issue with an ASA 5520 failover pair

jsteffensen — Tue, 12 May 2009 11:10:16 GMT

SSH Access problem on ASA configured with failover is a problem.

Im accessing the ASA with SSH through the VPN tunnel, and as soon as i failover it is no longer possible to access the active firewall using ssh.

Accessing the stand-by firewall by ssh is still no problem.

Im running Software 8.0(4) interim 32.

The only solution to sove this issue is to reboot both firewall's. (both firewalls hast to be booted at the same time)

Greetings

Jarle

Re: SSH access issue with an ASA 5520 failover pair

nomair_83 — Wed, 13 May 2009 19:40:28 GMT

Can u configure virtual mac-address for failover and then try?

Re: SSH access issue with an ASA 5520 failover pair

toprock1970 — Thu, 11 Feb 2010 18:10:30 GMT

Hi guys,

I'm have the exact same issue using ASA 5510 version 7.0(8).

Has anyone got a definative solution or should I raise this with Tac?