01-08-2024 11:57 AM
ASA (ASAv) does not appear to be listening on port 22 after the update (sh asp table socket).
---Before update
fips enable
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh cipher encryption fips
ssh key-exchange group dh-group14-sha256
---Now in updated config
fips enable
ssh stack ciscossh
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh cipher encryption fips
ssh cipher integrity fips
ssh key-exchange group dh-group14-sha1
01-08-2024 11:59 AM
Verified it worked before the update. Other note: this is the "secondary" unit in a virtual ASA pair.
ASDM access is still working.
01-08-2024 12:19 PM
Setting "no ssh stack ciscossh" fixed the problem.
01-09-2024 03:18 AM
By default, the ASA uses a proprietary SSH stack. You can choose to enable the CiscoSSH stack instead, which is based on OpenSSH. The default stack continues to be the ASA stack. Cisco SSH supports:
FIPS compliance
Regular updates, including updates from Cisco and the open source community
Note that the Cisco SSH stack does not support:
SSH to a different interface over VPN (management-access)
EDDSA key pair
RSA key pair in FIPS mode
If you need these features, you should continue to use the ASA SSH stack.
There is a small change to SCP functionality with the CiscoSSH stack: to use the ASA copy command to copy a file to or from an SCP server, you have to enable SSH access on the ASA for the SCP server subnet/host using the ssh command.
10-24-2024 04:53 AM - edited 10-24-2024 04:54 AM
Apparently Cisco switched the CiscoSSH stack to the default in 9.19(1), after adding it in 9.17(1), so an upgrade to 9.20 would have been affected by this change in the default.
And given that the config indicates that FIPS mode was enabled, I would assume that an RSA key was being used, which is listed as unsupported in combination with the CiscoSSH stack and FIPS.
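A pre-upgrade check for the combination described in the thread (CiscoSSH becoming the default stack on 9.19(1)+ while FIPS mode is enabled), as an added example that is not part of the original thread or any Cisco tool. The config text is the "after update" excerpt quoted above with a constructed "ASA Version" line added; the 9.19 default threshold comes from the post above.

```python
import re

# Constructed sample: the post-upgrade config quoted in the thread, with a
# constructed "ASA Version" line so the default-stack rule can be applied.
UPDATED_CONFIG = """\
ASA Version 9.20(1)
fips enable
ssh stack ciscossh
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh cipher encryption fips
ssh cipher integrity fips
ssh key-exchange group dh-group14-sha1
"""

def parse_version(text):
    """Return (major, minor) from an 'ASA Version x.y(z)' line, or None."""
    m = re.search(r"^ASA Version (\d+)\.(\d+)", text, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None

def ciscossh_active(lines, version):
    """CiscoSSH is the default from 9.19(1) unless explicitly disabled."""
    if "no ssh stack ciscossh" in lines:
        return False
    if "ssh stack ciscossh" in lines:
        return True
    return version is not None and version >= (9, 19)

def assess(text):
    """Return a list of findings for a running-config excerpt (strings)."""
    lines = {line.strip() for line in text.splitlines()}
    version = parse_version(text)
    findings = []
    if ciscossh_active(lines, version):
        if "fips enable" in lines:
            findings.append("fips+ciscossh: RSA key pair unsupported; "
                            "SSH may stop listening after upgrade")
        if any(l.startswith("management-access") for l in lines):
            findings.append("management-access: SSH to another interface "
                            "over VPN unsupported with CiscoSSH")
    if "ssh key-exchange group dh-group14-sha1" in lines:
        findings.append("kex: dh-group14-sha1 in use; the pre-upgrade config "
                        "had dh-group14-sha256")
    return findings

if __name__ == "__main__":
    for f in assess(UPDATED_CONFIG):
        print("WARNING:", f)
```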
01-09-2024 01:49 PM
I'll take a look at that. But I have another issue to deal with. Tried to upgrade ASDM on a 9.16 ASAv, from 7181-152 to 7202. Worked fine on the backup ASA. But on the active one, I cannot use ASDM. It goes through the log-in process, and then I got an "ASDM cannot be loaded, hostname wrong". Everything looked good from SSHing into it, so I did a reload. And now I get "The certificate present in this device is not valid. Certificate date is Expired...." The date on the ASA is fine. It has the same certificates and CA certs as did the backup. None of which show as expired. So I reverted back and will deal with it later. Pretty sure ASDM 7202 should work with the 9.16 version.
12-10-2024 07:16 AM
The command "no ssh stack ciscossh" fixed the problem for me. You can run the command out if you have ASDM running. Or use the console. Where one has a problem, so does another.
On the newer versions of code for ssl (ASDM), you may have to turn on sslv3: ssl server-version tlsv1.3 in your ssl trustpoint.