topic Re: Unable to ssh into cisco ASA 5505 with IOS version 8.3(2) in Network Security

Unable to ssh into cisco ASA 5505 with IOS version 8.3(2)

manish_3191 — Fri, 21 Feb 2020 12:11:51 GMT

Hi All,

I have upgraded the ios version of my cisco ASA to 8.3(2) recently and since then i am facing the ssh issue.

I have the below config for ssh.

aaa authentication ssh console LOCAL

username engineers password wsOWoGdUuQ.XK65Z encrypted privilege 15
username netmri password AY9vCBN70C0qV1Jz encrypted privilege 15

ssh 0.0.0.0 0.0.0.0 Inside
ssh 0.0.0.0 0.0.0.0 Outside
ssh version 2
ssh timeout 60
crypto key generate rsa modulus 1024

NAT re-design with IOS 8.3(2) version

object network INSIDE-NAT
subnet 0.0.0.0 0.0.0.0
nat(inside,outside) dynamic interface

object network EXEMPT-NAT-HZ
subnet 10.36.128.0 255.255.240.0

object network EXEMPT-NAT-BJ
subnet 10.36.96.0 255.255.248.0

object network EXEMPT-NAT-SH
subnet 10.36.104.0 255.255.248.0

object network EXEMPT-NAT-sps1team
host 10.2.41.32

nat (inside,outside) 1 source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2
nat (inside,outside) 1 source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static NDC-Access NDC-Access
nat (inside,outside) 1 source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static China-UAT-systems-Access China-UAT-systems-

Access
nat (inside,outside) 1 source static EXEMPT-NAT-HZ EXEMPT-NAT-HZ destination static EXEMPT-NAT-BJ EXEMPT-NAT-BJ
nat (inside,outside) 1 source static EXEMPT-NAT-HZ EXEMPT-NAT-HZ destination static EXEMPT-NAT-SH EXEMPT-NAT-SH
nat (inside,outside) 1 source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static EXEMPT-NAT-sps1team EXEMPT-NAT-sps1team

Can someone please guide me on this?

Thanks

Manish

Re: Unable to ssh into cisco ASA 5505 with IOS version 8.3(2)

fadlouni — Mon, 27 Dec 2010 12:49:32 GMT

Hi.

can you provide the following:

1- what logs does the asa generate when you try to ssh? make sure logging is enabled and it's either sent to buffer or syslog.

2- enable debug ssh on the console, then send the output when you try to ssh.

3- provide output of:

-show ssh

-show ssh session

-show proc | i ssh

Regards,

Fadi.

Re: Unable to ssh into cisco ASA 5505 with IOS version 8.3(2)

manish_3191 — Wed, 29 Dec 2010 06:27:56 GMT

Hi,

Thanks for your response.I have enabled the logging and tried to capture debug message as well.

SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-sha1 none
SSH2: kex: server->client aes128-cbc hmac-sha1 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: SSH2_MSG_KEXDH_INIT received
SSH2 0: signature length 143
SSH2: kex_derive_keys complete
SSH2 0: newkeys: mode 1
SSH2 0: SSH2_MSG_NEWKEYS sent
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: newkeys: mode 0
SSH2 0: SSH2_MSG_NEWKEYS receivedSSH(oracle): user authen method is 'use AAA', aaa server group ID = 1

SSH2 0: authentication failed for oracle
SSH2 0: Received disconnect from remote: 11: Bye ByeSSH0: Session disconnected by SSH server - error 0x00 "Internal error"
Device ssh opened successfully.
SSH0: SSH client: IP = '188.127.238.77' interface # = 3
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-2.0-Cisco-1.25

SSH0: send SSH message: outdata is NULL

server version string:SSH-2.0-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-libssh-0.1

client version string:SSH-2.0-libssh-0.1SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 3150 ms

SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-sha1 none
SSH2: kex: server->client aes128-cbc hmac-sha1 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: SSH2_MSG_KEXDH_INIT received
SSH2 0: signature length 143
SSH2: kex_derive_keys complete
SSH2 0: newkeys: mode 1
SSH2 0: SSH2_MSG_NEWKEYS sent
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: newkeys: mode 0
SSH2 0: SSH2_MSG_NEWKEYS receivedSSH(test): user authen method is 'use AAA', aaa server group ID = 1

SSH2 0: authentication failed for test
SSH2 0: Received disconnect from remote: 11: Bye ByeSSH0: Session disconnected by SSH server - error 0x00 "Internal error"

CHCC-FWA-ASA-1# sh proc | inc ssh
Mwe 08cc7794 c6aac6bc c9e3d610 377 c6aaa908 6872/8192 listen/ssh
Mwe 08c7a1cb cabf9794 09fbde4c 2 cabf7900 5852/8192 ssh/timer

CHCC-FWA-ASA-1# sh ssh
Timeout: 60 minutes
Versions allowed: 1 and 2
0.0.0.0 0.0.0.0 Inside
0.0.0.0 0.0.0.0 Outside

It says authentication failed. I have configured the Username and password on ASA and enabled aaa authentication ssh console local but not sure why its failing.

Please guide.

Thanks

Manish S.

Re: Unable to ssh into cisco ASA 5505 with IOS version 8.3(2)

fadlouni — Wed, 29 Dec 2010 10:12:47 GMT

if it's saying authentication failed, most likely there is a username/password problem.

maybe your password has some special characters that your ssh application is not encoding properly?

can you try it with a temporary simple username and password with no special characters. something like cisco/cisco . if it works, then we know something is wrong with your local account. don't forget to remove the cisco username afterwards.

Regards,

Fadi.