Lost SSH access to ASA after upgrading from 9.15(1)1 to 9.20(2)2

debbiebeitler
Level 1

ASA (ASAv) does not appear to be listening on port 22 after the update (sh asp table socket).

---Before update
fips enable
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh cipher encryption fips
ssh key-exchange group dh-group14-sha256

---Now in updated config
fips enable
ssh stack ciscossh
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh cipher encryption fips
ssh cipher integrity fips
ssh key-exchange group dh-group14-sha1

4 Replies

debbiebeitler
Level 1

Verified it worked before the update. Other note: this is the "secondary" unit in a virtual ASA pair.

ASDM access is still working.

debbiebeitler
Level 1

Setting "no ssh stack ciscossh" fixed the problem.

Ruben Cocheno
Spotlight

@debbiebeitler 

By default, the ASA uses a proprietary SSH stack. You can choose to enable the CiscoSSH stack instead, which is based on OpenSSH. The default stack continues to be the ASA stack. Cisco SSH supports:

  • FIPS compliance
  • Regular updates, including updates from Cisco and the open source community

Note that the Cisco SSH stack does not support:

  • SSH to a different interface over VPN (management-access)
  • EDDSA key pair
  • RSA key pair in FIPS mode

If you need these features, you should continue to use the ASA SSH stack.

There is a small change to SCP functionality with the CiscoSSH stack: to use the ASA copy command to copy a file to or from an SCP server, you have to enable SSH access on the ASA for the SCP server subnet/host using the ssh command.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/
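An added config audit (my own script, not from Cisco or from anyone in this thread) that diffs the before/after excerpts posted above and flags the two things visible in them: the `fips enable` + `ssh stack ciscossh` combination, whose RSA-key-pair limitation the quote above describes, and the key-exchange group moving from dh-group14-sha256 to dh-group14-sha1. That the ciscossh line is what stopped sshd from binding port 22 is inferred from the thread's fix, not stated by Cisco documentation here.

```python
import re

# Constructed sample input: the two running-config excerpts posted in this thread.
BEFORE = """\
fips enable
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh cipher encryption fips
ssh key-exchange group dh-group14-sha256
"""
AFTER = """\
fips enable
ssh stack ciscossh
ssh stricthostkeycheck
ssh timeout 10
ssh version 2
ssh cipher encryption fips
ssh cipher integrity fips
ssh key-exchange group dh-group14-sha1
"""

KEX_RE = re.compile(r"^\s*ssh key-exchange group (\S+)\s*$", re.M)

def parse(config):
    """Reduce a config excerpt to the facts the audit needs."""
    lines = {ln.strip() for ln in config.splitlines() if ln.strip()}
    kex = KEX_RE.search(config)
    return {"lines": lines,
            "fips": "fips enable" in lines,
            "ciscossh": "ssh stack ciscossh" in lines,
            "kex": kex.group(1) if kex else None}

def audit(before, after):
    """Return (finding_id, message) pairs for the post-upgrade config."""
    b, a = parse(before), parse(after)
    findings = []
    if a["fips"] and a["ciscossh"]:
        # Per the Cisco text quoted above, CiscoSSH lacks RSA key pairs in FIPS mode.
        findings.append(("fips-ciscossh",
            "fips enable + ssh stack ciscossh: RSA key pairs are unsupported in FIPS "
            "mode on this stack; verify port 22 with 'show asp table socket' and use "
            "'no ssh stack ciscossh' to return to the ASA stack."))
    if (b["kex"] and a["kex"] and b["kex"].endswith("-sha256")
            and a["kex"].endswith("-sha1")):
        findings.append(("kex-downgrade",
            f"key-exchange changed {b['kex']} -> {a['kex']}; restore the SHA-256 group."))
    for added in sorted(a["lines"] - b["lines"]):   # lines the upgrade introduced
        findings.append(("added-line", added))
    return findings

if __name__ == "__main__":
    for fid, msg in audit(BEFORE, AFTER):
        print(f"[{fid}] {msg}")
```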

debbiebeitler
Level 1

I'll take a look at that. But I have another issue to deal with. Tried to upgrade ASDM on a 9.16 ASAv, from 7181-152 to 7202. Worked fine on the backup ASA. But on the active one, I cannot use ASDM. It goes through the login process, and then I got "ASDM cannot be loaded, hostname wrong". Everything looked good from SSHing into it, so I did a reload. And now I get "The certificate present in this device is not valid. Certificate date is Expired...." The date on the ASA is fine. It has the same certificates and CA certs as the backup, none of which show as expired. So I reverted back and will deal with it later. Pretty sure ASDM 7202 should work with the 9.16 version.