topic Re: unable to SSH to CISCO ASA ( ASA software running on FTD-2110 Appliance) in Network Security

unable to SSH to CISCO ASA ( ASA software running on FTD-2110 Appliance)

ariel2424 — Fri, 21 Feb 2020 16:53:24 GMT

Hello Everyone.

I have installed CISCO ASA Version 9.10(1).11 on a FTD-2110 appliance.

This appliance answer on both 192.168.45.1 and 192.168.45.45.

To get to the firepower software you go to 192.168.45.45(then from there you can access the asa) or to get straight to asa you can open ASDM and connect to 192.168.45.1.

HTTP and ASDM works, SSH isn't.

I have configured SSH as shown in Cisco documentation and it's doesn't work.

tried to solve this myself with no success.

Related Configuration:

ciscoasa(config)# show running-config all ssh
ssh stricthostkeycheck
ssh 192.168.45.0 255.255.255.0 management
ssh timeout 5
ssh version 2
ssh cipher encryption medium
ssh cipher integrity medium
ssh key-exchange group dh-group1-sha1

Local Username was configured and the following command

aaa authentication ssh console LOCAL

I see the Drops on ASDM ( ssh access file show the drops on ASDM).

Anybody come across this and solve this?

Thanks.

Re: unable to SSH to CISCO ASA ( ASA software running on FTD-2110 Appliance)

Sheraz.Salim — Mon, 04 Mar 2019 10:28:47 GMT

have to define a local user on ASA.

username admin priv 15 password cisco123

Re: unable to SSH to CISCO ASA ( ASA software running on FTD-2110 Appliance)

Marvin Rhoads — Mon, 04 Mar 2019 10:54:43 GMT

Did you generate an rsa key?

conf t
crypto key generate rsa mod 2048
end

Re: unable to SSH to CISCO ASA ( ASA software running on FTD-2110 Appliance)

Sheraz.Salim — Mon, 04 Mar 2019 11:54:46 GMT

@Marvin Rhoads

if https is working as it was confirmed that he had access to ASDM than it means the key are generated.

i am curious how is is accessing the ASDM. i am under the impression the ASDM is access able if you only enable the https only.

http server enable

http 0.0.0.0 0.0.0.0 mgmt

now if these above command are configured he will have access to ASDM even without doing the config of local username. having said that if you check the logs he showed. their is unknow username. which point there is no local database configured

Re: unable to SSH to CISCO ASA ( ASA software running on FTD-2110 Appliance)

Marvin Rhoads — Mon, 04 Mar 2019 12:06:41 GMT

@Sheraz.Salim - good point.

I have also seen users lately using old putty clients and newer ASA software whereby the ssh negotiation fails due to lack of support for newer key exchanges in the library used by the client software. That problem would affect ssh but not ASDM (which uses ssl/tls libraries included in the end user's Java installation).

Re: unable to SSH to CISCO ASA ( ASA software running on FTD-2110 Appliance)

ariel2424 — Mon, 04 Mar 2019 13:23:21 GMT

Hi,

As a mention previously Local username and password is defined. I don't know why this error appeared

http server is enable by default on the ASA.

Re: unable to SSH to CISCO ASA ( ASA software running on FTD-2110 Appliance)

ariel2424 — Mon, 04 Mar 2019 13:25:26 GMT

Hi Marvin,

I'm using the latest Putty version.

Re: unable to SSH to CISCO ASA ( ASA software running on FTD-2110 Appliance)

Marvin Rhoads — Mon, 04 Mar 2019 14:59:19 GMT

OK - good to know.

I'd try a packet capture during an attempted connection to see what's going on. Open it up in Wireshark and have a look at the back and forth.

Re: unable to SSH to CISCO ASA ( ASA software running on FTD-2110 Appliance)

mbilgrav — Fri, 21 Jun 2019 09:56:16 GMT

YES !
Had the issue last year: from my notes:
I had SSH issues in 9.9.1 plain vanilla
I then Upgraded to 9.9.1.3 interim, only to hit a new failover bug
I then upgraded to 9.9.1.4 interim … and be happy !

The SSH issue could as workaround be fixed by reload, this was before I upgraded
sad if the bug has been drop over in the 9.10 track ... try get the latest Interim and upgrade the bundle