https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013880#M937296 <HTML><HEAD></HEAD><BODY><P>Thanks for your response. Actually doing that didn't help - still connection refused. </P><P></P><P>Any ideas????</P><P></P><P>I did write mem, and also neither has rebooted.</P><P></P><P>Thanks, J</P></BODY></HTML> Fri, 23 May 2008 13:22:13 GMT jigsaw2026 2008-05-23T13:22:13Z https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013878#M937287 <P>Hi,</P><P></P><P>I'm unable to ssh into our fwsm today - there's nothing in the logs and all ssh commmands are still present - we've had this before and I have to re-generate the rsa key, and I'm fairly certain that's what I need to do now but the old ca commands that I used have been depreciated (fwsm 3.1) so I just wanted to check that I'm doing the right thing! Here's what I'm planning on:</P><P></P><P>crypto key zeroize rsa</P><P></P><P>WARNING: All RSA keys will be removed.</P><P>WARNING: All device certs issued using these keys will also be removed.</P><P></P><P>Do you really want to remove these keys? [yes/no]: yes</P><P></P><P></P><P>crypto key generate rsa general-keys modulus 1024</P><P></P><P>Does this look right?</P><P></P><P>Thanks,</P><P>J</P> Mon, 11 Mar 2019 12:48:51 GMT https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013878#M937287 jigsaw2026 2019-03-11T12:48:51Z https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013879#M937292 <HTML><HEAD></HEAD><BODY><P>and you have the domain name configured also? then the above commands are OK.</P><P></P><P>Are you wr mem once the key has been generated? has the FWSM or 65xx reloaded?</P></BODY></HTML> Fri, 23 May 2008 12:00:39 GMT https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013879#M937292 andrew.prince 2008-05-23T12:00:39Z https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013880#M937296 <HTML><HEAD></HEAD><BODY><P>Thanks for your response. Actually doing that didn't help - still connection refused. </P><P></P><P>Any ideas????</P><P></P><P>I did write mem, and also neither has rebooted.</P><P></P><P>Thanks, J</P></BODY></HTML> Fri, 23 May 2008 13:22:13 GMT https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013880#M937296 jigsaw2026 2008-05-23T13:22:13Z https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013881#M937300 <HTML><HEAD></HEAD><BODY><P>Hi J,</P><P></P><P>What do you get in the output of:</P><P>'sh crypto key mypubkey rsa'</P><P></P><P>Moreover, what do you get in the output of 'sh run ssh'?</P><P></P><P>Thanks.</P><P>John</P></BODY></HTML> Fri, 23 May 2008 13:32:54 GMT https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013881#M937300 jkampane 2008-05-23T13:32:54Z https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013882#M937305 <HTML><HEAD></HEAD><BODY><P>Hi John,</P><P></P><P>Thank you -</P><P></P><P>fwsm# sh crypto key mypubkey rsa</P><P>Key pair was generated at: 13:52:06 UTC May 23 2008</P><P>Key name: <DEFAULT-RSA-KEY></DEFAULT-RSA-KEY></P><P> Usage: General Purpose Key</P><P> Modulus Size (bits): 1024</P><P> Key Data:</P><P></P><P> 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00d97565</P><P> 428234d5 b58e49d8 2d2ac0b9 08c97e48 f7637111 2287ee58 dfd09941 cb2f87ba</P><P> c0d0dcc0 571cf5d9 7d1e97f0 616cd2ea 9429cc6c 3afa975e 86a4d007 c44a61f7</P><P> 3e905ffb 39ad9e07 8f74393d 0bad0c1d fd7eae2c c095260c 9ea22c73 21e3e151</P><P> 0a7a4dc0 cad2b173 3097595e f5998cb6 7e6ded99 81ddc892 e6963980 bb020301 0001</P><P></P><P>fwsm# sh run ssh</P><P>ssh 1.1.1.1 255.255.255.255 wireless</P><P>ssh office 255.255.255.0 inside</P><P>ssh timeout 15</P><P>ssh version 2</P><P></P><P>Regards,</P><P>J</P><P></P><P></P></BODY></HTML> Fri, 23 May 2008 13:46:56 GMT https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013882#M937305 jigsaw2026 2008-05-23T13:46:56Z https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013883#M937310 <HTML><HEAD></HEAD><BODY><P>Hi J,</P><P></P><P>I guess you are trying to ssh to the FWSM either via the inside or the wireless interface. Can you please confirm that in the first case your IP is within the office subnet and in the second that you are coming from the 1.1.1.1 host?</P><P></P><P>Moreover, a good idea would be to enable debug ssh 100 on the FWSM, along with loggin in debug level, try to connect and see what you are getting there.</P><P></P><P>Finally, you will need the following line:</P><P>"aaa authentication ssh console LOCAL" along with a username/password.</P><P></P><P>Thanks.</P><P>John</P></BODY></HTML> Fri, 23 May 2008 13:51:20 GMT https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013883#M937310 jkampane 2008-05-23T13:51:20Z https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013884#M937313 <HTML><HEAD></HEAD><BODY><P>Thanks John,</P><P></P><P>Actually I have that auth line in already, it just didn't show up in the command.</P><P></P><P>I turned on debugging and this came up:</P><P></P><P>2008-05-23 16:22:25 Local4.Debug x.x.x.x May 23 2008 15:03:26: %FWSM-7-710002: tcp access permitted from x.x.x.x/20067308 to inside:x.x.x.x/ssh</P><P>2008-05-23 16:22:25 Local4.Info x.x.x.x May 23 2008 15:03:26: %FWSM-6-302013: Built inbound TCP connection 0 for inside:x.x.x.x/3739 (10.3.80.100/3739) to inside:x.x.x.x/22 (x.x.x.x/22)</P><P>2008-05-23 16:22:25 Local4.Debug x.x.x.x May 23 2008 15:03:26: %FWSM-7-710004: TCP connection limit exceeded from x.x.x.x/3739 to inside:x.x.x.x/ssh</P><P></P><P>I found this <A class="jive-link-custom" href="http://www.conft.com/en/US/docs/security/asa/asa80/system/message/logmsgs.pdf" target="_blank">http://www.conft.com/en/US/docs/security/asa/asa80/system/message/logmsgs.pdf</A> saying that I need to issue a kill command, but I can see any connections when I run a who (think this might only work for telnet?). Also I can't see any locally-destined traffic when I run show conn all.</P><P></P><P>Any ideas would be much appreciated.</P><P></P><P>Thanks,</P><P>J</P><P></P><P></P><P></P><P></P></BODY></HTML> Fri, 23 May 2008 14:39:52 GMT https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013884#M937313 jigsaw2026 2008-05-23T14:39:52Z https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013885#M937318 <HTML><HEAD></HEAD><BODY><P>Hi J,</P><P></P><P>Hmmmm, it can be a bug. I did some research and I found the following:</P><P><A class="jive-link-custom" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsd67334" target="_blank">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsd67334</A></P><P></P><P>Maybe you can try to upgrade, or you can open a TAC case in order to further investigate.</P><P></P><P>HTH,</P><P>John</P></BODY></HTML> Fri, 23 May 2008 15:15:32 GMT https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013885#M937318 jkampane 2008-05-23T15:15:32Z https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013886#M937321 <HTML><HEAD></HEAD><BODY><P>Thank you John, that's very helpful indeed. I will reload for now and look at upgrading.</P><P></P><P>J</P></BODY></HTML> Tue, 27 May 2008 10:10:23 GMT https://community.cisco.com/t5/network-security/ssh-connection-refused-fwsm/m-p/1013886#M937321 jigsaw2026 2008-05-27T10:10:23Z