topic Re: Cannot access ASDM and SSH in Network Security

Cannot access ASDM and SSH

mikedelafield — Mon, 11 Mar 2019 16:46:33 GMT

All of a sudden today I can no longer access ASDM and SSH on my firewall.

Console login and even telnet work fine.

This is not a permissions problem

http server enable is there

and appropriate HTTP and SSH permissions are in place

It has literally just happened overnight.

We are using ASA 8.0.3 and ASDM 6.1.5 and SSH v1 and v2.

I was wondering if it was a known bug similar to the 366 day bug on ASDM 6.1.3.

It is just strange that it also effects SSH this time as if its some kind of SSL/SSH/certificate bug.

Can someone please help?

I'd prefer not to reboot if I can.

HELP!

Re: Cannot access ASDM and SSH

resoares — Tue, 08 Dec 2009 18:25:00 GMT

Hi,

Try to zeroize the crypto keys as follows:

crpto key zeroize rsa

Br,

Re: Cannot access ASDM and SSH

mikedelafield — Wed, 09 Dec 2009 09:54:20 GMT

Good plan and I was confident but no joy

I don't understand what has happened to be honest.

Telnet and serial access are okay, but ASDM and SSH are out.

I've tried no http server enable; http server enable

I've reset all the keys on the firewall and the client

I've done shut/no shut on the management interface

Whats going on!

Re: Cannot access ASDM and SSH

mikedelafield — Wed, 09 Dec 2009 10:42:53 GMT

If i telnet to the firewall on port 22 I get the following....

SSH-2.0-Cisco-1.25

But I cannot connect via SSH

Everything looks fine

Re: Cannot access ASDM and SSH

mikedelafield — Wed, 09 Dec 2009 10:55:06 GMT

On the SSH connection I get the following messages;

2009-12-09 10:50:40 Local4.Info 192.168.1.239 Dec 09 2009 10:50:15: %ASA-6-315011: SSH session from 10.101.5.13 on interface inside for user "" disconnected by SSH server, reason: "Internal error" (0x00)

2009-12-09 10:50:40 Local4.Info 192.168.1.239 Dec 09 2009 10:50:15: %ASA-6-106015: Deny TCP (no connection) from 10.101.5.13/2207 to 172.20.3.1/22 flags FIN ACK on interface inside

On the TLS connection I get the following message;

2009-12-09 10:50:46 Local4.Info 192.168.1.239 Dec 09 2009 10:50:21: %ASA-6-725001: Starting SSL handshake with client inside:10.101.5.13/2209 for TLSv1 session.

Re: Cannot access ASDM and SSH

mikedelafield — Wed, 09 Dec 2009 11:12:53 GMT

SSH1: send SSH message: outdata is NULL

server version string:SSH-2.0-Cisco-1.25SSH1: receive SSH message: 83 (83)
SSH1: client version is - SSH-2.0-PuTTY_Release_0.60

client version string:SSH-2.0-PuTTY_Release_0.60SSH1: begin server key generatio
n
SSH1: complete server key generation, elapsed time = 910 ms

SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 0: Generate DH key operation failed.

SSH2 0: DH key generation failed. status 255SSH1: Session disconnected by SSH se
rver - error 0x00 "Internal error"

Re: Cannot access ASDM and SSH

mikedelafield — Wed, 09 Dec 2009 12:10:13 GMT

As for ASDM I get the following error in the Java console

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

I cannot find any means to debug the firewall itself for ASDM logon.

Anyone have any ideas?

Re: Cannot access ASDM and SSH

resoares — Wed, 09 Dec 2009 14:53:05 GMT

Hi,

Take a look at the following bug id CSCsh91747 at:

http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs

You must use your cco id account.

Br,

Re: Cannot access ASDM and SSH

mikedelafield — Wed, 09 Dec 2009 15:14:07 GMT

Hi thanks for that i've passed the information on to TAC.

I'm not sure if its 100% related thats the thing.

I've done a bit further debug and i've noticed the following error when re-starting http server enable

"Could not start admin"

According to this guy on tektips he has had the same problem

http://www.tek-tips.com/viewthread.cfm?qid=1419872&page=1

He mentioned speaking to Cisco but did not provide a solution.

I think tonight i'll reload and upgrade to 8.0.4, however i'd prefer to fix without a reload as if this happens in a remote site i'm screwed!

Re: Cannot access ASDM and SSH

resoares — Wed, 09 Dec 2009 15:26:00 GMT

Yes, sounds good and probably your issue will be fixed with 8.0.4.

Br,

Re: Cannot access ASDM and SSH

mikedelafield — Wed, 09 Dec 2009 15:29:49 GMT

This looks like the bug although my initial problem was not adding a host as it was already added

CSCsx95377

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsx95377

Gonna skip 8.0.4 and upgrade to 8.0.5 instead based on that!

Re: Cannot access ASDM and SSH

resoares — Wed, 09 Dec 2009 15:42:00 GMT

So, it is definetly not your issue. Do you have webvpn? If you have probably you are hitting the previous one that I've sent you earlier.

br,

Cannot access ASDM and SSH

arjunsrsh — Fri, 08 Feb 2013 19:25:15 GMT

Have faced the same issue with one ASA firewall , so we tried to generate the crypto key manually and it worked.... Not sure whether this will be the proper solution , but for us it worked.

I could connect via asdm

lmediavilla — Fri, 13 Nov 2015 10:04:30 GMT

I could connect via asdm adding this and sotp/start http service

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

You are correct that your

Raul Ricano — Thu, 14 Jan 2016 23:37:53 GMT

You are correct that your command fixes that problem. However I have the same issue right now running Version 9.2(4) code and can't enable rc4 or 3des encryption or will fail PCI Audits. I will try and post back if I get this working with TLSv1.0+ only and ssl encryption aes256-sha1 dhe-aes256-sha1

-Raul