topic Re: ASA ssh acess after nusses scan in Network Security

ASA ssh acess after nusses scan

lostngone — Mon, 11 Mar 2019 20:24:43 GMT

I have an 5510 running 8.4(1) I can ssh into the system with no problems until I scan the device with Nessus security scanner. After that I just get timeouts from the client when I try to connect and the only way to fix the problem is to reload the device. I have included 2 syslog dumps one showing ssh into the device before(working) the scan and one after(not working).

I do not have any acls on that int and I have turned off basic threat detection. The devices is still running I can login via the serial console and via ASDM it just appears ssh is someone shutdown or hung.

Does anyone have any ideas?

WORKING

4/21/2011 11:33:43 AM    192.168.11.108    Debug    %ASA-7-609002: Teardown local-host testing:192.168.65.106 duration 0:00:10
4/21/2011 11:33:43 AM    192.168.11.108    Informational    %ASA-6-302014: Teardown TCP connection 50 for testing:192.168.65.106/4462 to identity:192.168.11.108/22 duration 0:00:10 bytes 3691 TCP Reset-O
4/21/2011 11:33:43 AM    192.168.11.108    Informational    %ASA-6-315011: SSH session from 192.168.65.106 on interface testing for user "test" terminated normally
4/21/2011 11:33:40 AM    192.168.11.108    Informational    %ASA-6-605005: Login permitted from 192.168.65.106/4462 to testing:192.168.11.108/ssh for user "leeh"
4/21/2011 11:33:40 AM    192.168.11.108    Informational    %ASA-6-611101: User authentication succeeded: Uname: test
4/21/2011 11:33:40 AM    192.168.11.108    Informational    %ASA-6-611101: User authentication succeeded: Uname: test
4/21/2011 11:33:40 AM    192.168.11.108    Informational    %ASA-6-113008: AAA transaction status ACCEPT : user = test
4/21/2011 11:33:40 AM    192.168.11.108    Informational    %ASA-6-113012: AAA user authentication Successful : local database : user = test
4/21/2011 11:33:33 AM    192.168.11.108    Informational    %ASA-6-302013: Built inbound TCP connection 50 for testing:192.168.65.106/4462 (192.168.65.106/4462) to identity:192.168.11.108/22 (192.168.11.108/22)
4/21/2011 11:33:33 AM    192.168.11.108    Debug    %ASA-7-609001: Built local-host testing:192.168.65.106

___________________

NOT WORKING

4/21/2011 12:38:17 PM    192.168.11.108    Informational    %ASA-6-302014: Teardown TCP connection 86 for testing:192.168.65.106/1954 to identity:192.168.11.108/22 duration 0:05:01 bytes 0 Connection timeout
4/21/2011 12:38:17 PM    192.168.11.108    Debug    %ASA-7-609002: Teardown local-host testing:192.168.65.106 duration 0:05:01
4/21/2011 12:33:15 PM    192.168.11.108    Debug    %ASA-7-609001: Built local-host testing:192.168.65.106
4/21/2011 12:33:15 PM    192.168.11.108    Informational    %ASA-6-302013: Built inbound TCP connection 86 for testing:192.168.65.106/1954 (192.168.65.106/1954) to identity:192.168.11.108/22 (192.168.11.108/22)

Re: ASA ssh acess after nusses scan

Shrikant Sundaresh — Thu, 21 Apr 2011 21:26:30 GMT

Hi,

Could you see the output of "show asp table socket" before and after a nessus scan, to check if ASA is listening on port 22 for the interface you are trying to ssh. Also if it doesn't work after a nessus scan, try removing the ssh related config and put it back, and then check again.

The logs you've put don't help much, since the log shows that it built a connection in the non-working section as well.(last log).

Hope this helps.

-Shrikant

Re: ASA ssh acess after nusses scan

Shrikant Sundaresh — Thu, 21 Apr 2011 21:38:51 GMT

Heym

You might also want to check out the following bug:CSCtl77907

It basically states that in version 8.4.1, if there is a failure to open SSH (probably what happens during the nessus scan), then further connections will also be dropped. The bug is fixed in version 8.4.1.2. You can try upgrading to that and update here, whether it works properly now or not.

Hope this helps.

-Shrikant

P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.

Re: ASA ssh acess after nusses scan

lostngone — Fri, 22 Apr 2011 17:33:44 GMT

I finally had a chance to get back to this problem. Thank you for your quick response.

It does indeed look like bug CSCtl77907 I get the exact error reported in the symptom field when I try re-adding the ssh configuration in the device.

I am guessing 8.4(1.2) isn't available yet? I only see 8.4(1) when I log in and go to downloads.

Thank you again, I would have been pulling my hair out trying to figure this one out without your help

Re: ASA ssh acess after nusses scan

brquinn — Fri, 22 Apr 2011 18:08:23 GMT

No 8.4.1.x interims have been publically made available yet. If you open a TAC case, however, the engineer can post the latest build for you.

Thanks,

Brendan