ASA-AWS unable to ssh into new instance

Stephen Mytyk
Level 1

This question has been asked a couple of other times, but no one has ever answered it. I am bringing up an AWS instance running the Cisco ASAv 9.9.2.1 application, but I am unable to ssh into the resulting instance. I am following the instructions provided by Cisco for starting up the instance here: https://aws.amazon.com/marketplace/pp/B00WH2LGM0?ref=cns_srchrow. I have verified the key pair that I am using multiple times, and am able to see that my public key is being used by checking the console log of the instance. I am using the ssh command line option "-oKexAlgorithms=+diffie-hellman-group1-sha1". I am logging in as "admin@ip_address". I am not including my own day0 configuration, just letting the instance start up. Every time I try to ssh, I get a request for a password, and nothing works, not hitting enter, or entering a random word.
The console log contents are below. I've exhausted the AWS support team -- they have no idea what is wrong. Any ideas would be most helpful.
loader: Platform type set to default
Platform ASAv
loader: Platform type set to default
IO memory blocks requested from bigphys 32bit: 87680

INIT: version 2.88 booting

Starting udev
Configuring network interfaces... done.
Populating dev cache
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/xvda1: 24 files, 24890/65246 clusters
dosfsck(/dev/xvda1) returned 0
Mounting /dev/xvda1
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/xvda2: 2 files, 1/2092548 clusters
dosfsck(/dev/xvda2) returned 0
Mounting /dev/xvda2
no cdrom devices found
info: Running in xenaws virtual environment.
Lina to use serial port /dev/ttyS0 for console IO


Loading...

Starting image verification
Hash Computation:  [stuff]
Computed Hash   SHA2: 42aec3a0f215ca357fd5f3587c854f28
                      26801bf1e9cf4655abc4da7bf75b7fc0
                      2b00fd7dc3e0fb40710503a41c2b4087
                      95adc3939f5392d08fe0589d809eff50

Embedded Hash   SHA2: 42aec3a0f215ca357fd5f3587c854f28
                      26801bf1e9cf4655abc4da7bf75b7fc0
                      2b00fd7dc3e0fb40710503a41c2b4087
                      95adc3939f5392d08fe0589d809eff50

The digital signature of the running image verified successfully
Processor memory:  16642998272
POST started...
POST finished, result is 0 (hint: 1 means it failed)

Compiled on Thu 05-Apr-18 10:31 PDT by builders
SSL Hardware Offload is NOT Enabled
ERROR: Failed to initialize Cipher list; cannot open Cipher ID file /mnt/disk0/.private/ctm_supported_ciphers.conf; No such file or directory.
Failed to read security parameters - base 0xfff00000 offset 0x400 buf_size 20
secstore_buf_fill: Error reading secure store -  buffer 0x51919df0, size 0x14 tag 3 id 0
ASA: Platform type set to default. secstore rcode 1
Failed to read security parameters - base 0x0 offset 0x400 buf_size 20
secstore_buf_fill: Error reading secure store -  buffer 0x51919bd0, size 0x14 tag 4 id 0
Could not find /tmp/pci_sorted

Total NICs found: 0
WARNING: Attribute already exists in the dictionary.
WARNING: Attribute already exists in the dictionary.

INFO: Unable to read firewall mode from flash
       Writing default firewall mode (single) to flash

INFO: Unable to read cluster interface-mode from flash
        Writing default mode "None" to flash
Unable to open file: flash:/.private/aws_product_codes, rc -1
Product code file not found: flash:/.private/aws_product_codes
Unable to open file: flash:/.private/aws_instance_type, rc -1
Product code file not found: flash:/.private/aws_instance_type

Cisco Adaptive Security Appliance Software Version 9.9(2)1

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
                Cisco Systems, Inc.
Error: Platform type has not been configured.

 Successfully discovered platform.  Rebooting to apply the platform type.
Process shutdown finished
Rebooting... (status 0x9)
..

INIT: Switching to runlevel: 6


INIT: Sending processes the TERM signal

Stopping Advanced Configuration and Power Interface daemon: no /usr/sbin/acpid found; none killed
acpid.
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting... Platform ASAv
IO memory blocks requested from bigphys 32bit: 87680

INIT: version 2.88 booting

Starting udev
Configuring network interfaces... done.
Populating dev cache
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/xvda1: 24 files, 24890/65246 clusters
dosfsck(/dev/xvda1) returned 0
Mounting /dev/xvda1
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/xvda2: 28 files, 43/2092548 clusters
dosfsck(/dev/xvda2) returned 0
Mounting /dev/xvda2
no cdrom devices found
Info: Encrypted disk file system created & mounted successfully

udhcpc (v1.21.1) started
Sending discover...
Sending select for 10.0.90.194...
Lease of 10.0.90.194 obtained, lease time 3600
/etc/udhcpc.d/50default: Adding DNS 10.0.0.2
Day0 Config:

Interface Addresses:
0 10.0.90.194 10.0.80.0/20

Instance Type:  m4.xlarge
Public Key:  ssh-rsa [my valid public key]

udhcpc (v1.21.1) started
Sending discover...
Sending select for 10.0.90.194...
Lease of 10.0.90.194 obtained, lease time 3600
/etc/udhcpc.d/50default: Adding DNS 10.0.0.2
Unicasting a release of 10.0.90.194 to 10.0.80.1
Sending release...
Entering released state
day0_net_config_populate()

day_all_config_sanitize()

info: Running in xenaws virtual environment.
Lina to use serial port /dev/ttyS0 for console IO


Loading...

Starting image verification
Hash Computation:    [stuff]
Computed Hash   SHA2: 42aec3a0f215ca357fd5f3587c854f28
                      26801bf1e9cf4655abc4da7bf75b7fc0
                      2b00fd7dc3e0fb40710503a41c2b4087
                      95adc3939f5392d08fe0589d809eff50

Embedded Hash   SHA2: 42aec3a0f215ca357fd5f3587c854f28
                      26801bf1e9cf4655abc4da7bf75b7fc0
                      2b00fd7dc3e0fb40710503a41c2b4087
                      95adc3939f5392d08fe0589d809eff50

The digital signature of the running image verified successfully
Processor memory:  16642998272
POST started...
POST finished, result is 0 (hint: 1 means it failed)

Compiled on Thu 05-Apr-18 10:31 PDT by builders
SSL Hardware Offload is NOT Enabled

Total NICs found: 1
WARNING: Attribute already exists in the dictionary.
WARNING: Attribute already exists in the dictionary.
Product code file found, Read buffer: 80uds1joqwlz35hw1lx5h1bcc
Instance file found, Read buffer: m4.xlarge

Cisco Adaptive Security Appliance Software Version 9.9(2)1

  ****************************** Warning *******************************
  This product contains cryptographic features and is
  subject to United States and local country laws
  governing, import, export, transfer, and use.
  Delivery of Cisco cryptographic products does not
  imply third-party authority to import, export,
  distribute, or use encryption. Importers, exporters,
  distributors and users are responsible for compliance
  with U.S. and local country laws. By using this
  product you agree to comply with applicable laws and
  regulations. If you are unable to comply with U.S.
  and local laws, return the enclosed items immediately.

  A summary of U.S. laws governing Cisco cryptographic
  products may be found at:
                Cisco Systems, Inc.
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
*** Output from config line 8, "crypto key generate rsa ..."
WARNING: This command will not take effect until interface 'management' has been assigned an IPv4 address

WARNING:
SSH version 1 is not secure.
It is recommended that only SSH version 2 be used.
SSH version 1 support will be removed in a future release.

*** Output from config line 9, "ssh 0 0 management"

Cryptochecksum (changed): 3b9b2dd8 e8bc120c 9af74f0c 4a825522
INFO: converting 'fixup protocol dns maximum-length 512' to MPF commands
ERROR: Inspect configuration of this type exists, first remove
that configuration and then add the new configuration
INFO: converting 'fixup protocol ftp 21' to MPF commands
INFO: converting 'fixup protocol h323_h225 1720' to MPF commands
INFO: converting 'fixup protocol h323_ras 1718-1719' to MPF commands
INFO: converting 'fixup protocol ip-options 1' to MPF commands
INFO: converting 'fixup protocol netbios 137-138' to MPF commands
INFO: converting 'fixup protocol rsh 514' to MPF commands
INFO: converting 'fixup protocol rtsp 554' to MPF commands
INFO: converting 'fixup protocol sip 5060' to MPF commands
INFO: converting M:convertcPNO: conr2d
INFO: c 1nig 'u NO:u6d
NOxucNnr'
.....................................
INFO: Power-On Self-Test complete.

On virtual platforms the SW-DRBG health test will be run twice:
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.

INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

Trustpoint '_SmartCallHome_ServerCA' is a subordinate CA and holds a non self-signed certificate.
ser enable_1 loah. oep or '?asFailure contacting AWS server; reason code 2
Setting license params for entitlement update
AWS Hourly Licensing: Rate limiting deactivated
AWS server successfully contacted

Accepted Solution


Stephen Mytyk
Level 1

Figured this out. The ssh key pair that we were using by default for our AWS instances was not compatible with the key pair type expected by the Cisco OS. We allowed AWS to generate a new key pair when launching the Cisco instance and were able to login using that new key pair.

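The boot log in the question prints the public key the instance was given ("Public Key:  ssh-rsa ..."), and the accepted answer traces the failure to a key pair type the ASA did not accept. The script below is an added example, not code from the thread or from Cisco: it parses OpenSSH public-key lines in the SSH wire format, reports the key type, size and OpenSSH-style SHA256 fingerprint, and checks whether the key printed in a console log is the same key you hold locally. The sample keys, the console line and the helper names are constructed for this example; the RSA sample uses a deliberately tiny modulus so it runs offline (a real local public key can be derived from a .pem with `ssh-keygen -y -f key.pem` and passed in the same way).

```python
"""Inspect OpenSSH public-key lines and confirm the key an instance console
reports as injected is the one you hold locally.

Added example, not from the thread. Sample keys below are CONSTRUCTED with
toy, insecure parameters so the block runs offline; they are not credentials.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian magnitude, extra 0x00 byte if the high bit is set."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, off: int):
    """Read one length-prefixed field; return (field, next offset)."""
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length


def parse_pubkey_line(line: str) -> dict:
    """Parse 'ssh-rsa AAAA... comment' into key type, size and SHA256 fingerprint."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    wire_type, off = _read_string(blob, 0)
    wire_type = wire_type.decode()
    if wire_type != parts[0]:
        raise ValueError(f"prefix {parts[0]} does not match blob type {wire_type}")
    if wire_type == "ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent (unused here)
        n_bytes, off = _read_string(blob, off)     # modulus; its bit length is the key size
        bits = int.from_bytes(n_bytes, "big").bit_length()
    elif wire_type == "ssh-ed25519":
        pk, off = _read_string(blob, off)          # 32-byte public point
        bits = len(pk) * 8
    else:
        bits = None                                # other types: report type only
    # OpenSSH fingerprint: unpadded base64 of SHA-256 over the raw blob.
    fp = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    return {"type": wire_type, "bits": bits, "fingerprint": "SHA256:" + fp}


def same_key(local_line: str, console_line: str) -> bool:
    """True if the console-log 'Public Key:' line carries the same key as local_line."""
    console_key = console_line.split("Public Key:", 1)[-1].strip()
    return (parse_pubkey_line(local_line)["fingerprint"]
            == parse_pubkey_line(console_key)["fingerprint"])


def _build_line(key_type: str, *fields: bytes, comment: str = "constructed-sample") -> str:
    """Assemble an OpenSSH public-key line from wire-format fields (for the samples)."""
    blob = _ssh_string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# CONSTRUCTED samples: a 188-bit toy RSA modulus (two Mersenne primes) and a
# dummy ed25519 point. Neither is a usable key.
_TOY_RSA_N = (2 ** 127 - 1) * (2 ** 61 - 1)
RSA_SAMPLE = _build_line("ssh-rsa", _ssh_mpint(65537), _ssh_mpint(_TOY_RSA_N))
ED25519_SAMPLE = _build_line("ssh-ed25519", _ssh_string(bytes(range(32))))
# Console line in the shape the ASAv boot log prints, with the sample key substituted.
CONSOLE_LINE = "Public Key:  " + RSA_SAMPLE

if __name__ == "__main__":
    for label, line in (("local rsa", RSA_SAMPLE), ("local ed25519", ED25519_SAMPLE)):
        print(label, parse_pubkey_line(line))
    print("console key matches rsa sample:", same_key(RSA_SAMPLE, CONSOLE_LINE))
    print("console key matches ed25519 sample:", same_key(ED25519_SAMPLE, CONSOLE_LINE))
```

If the fingerprint the instance reports does not match the key you pass with `ssh -i`, the password prompt is expected, because the device never saw a key it could accept; if it matches but the type or size differs from what the appliance supports, that points at the key pair type, which is what the accepted answer found.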

4 Replies

Francesco Molino
VIP Alumni
Hi

I'm not an AWS expert, but I'll give it a try based on my experience using CSR1000v (sorry, I never got the chance yet to have ASA or FTD on AWS).
Normally you have to set up your key pair, and you said you've done it.
Afterwards, you can connect to the device (at least on CSR) using the following default command:
ssh -i "xxxx.pem" ec2-user@Public-IP
Using this command and the pem cert you should be able to connect to your device without getting prompted for a password.

Sorry if this doesn't help; again, I've just done a lot of CSRs and this is the way it works.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,
Thanks for the advice. Unfortunately that did not work. In addition, the Cisco instructions specifically request that one log in as the user "admin". I would have been happy to get ec2-user working as an alternative, but it also resulted in a ssh password request.
Thanks,

Steve

OK, sorry I tried. When I read the ASA AWS doc the syntax is the same, and you're right, they use admin instead of ec2-user.

Also, in some posts from the community, people are using the same command as I posted but with user admin, and they didn't get a password prompt.

If it's not working with AWS TAC, have you tried Cisco TAC?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
