08-19-2019 09:41 AM
Hello,
Is there any way to increase the limit of 5 concurrent ssh sessions in a Cisco ASA ?
I have tried increasing the quota-management session limit but still the ssh sessions are limited to 5.
Thanks.
08-19-2019 10:24 PM
I don't believe so.
As noted in the other thread you posted on, the quota-management command doesn't change the ssh session limit per se.
08-21-2019 04:13 AM
Have you tried using the ASA MPF to set the connection? The syntax is straightforward, just like the MQC in normal IOS; here you can set the maximum connections for ASA management.
MQC syntax :
class-map to classify traffic flow
policy-map to action the classified traffic flow
service-policy to bind the above / implement it on the interesting interface.
Let me know if this helps.
08-21-2019 02:05 PM - edited 08-21-2019 02:06 PM
It doesn't work even when using MPF. The limit for a single context ASA is 5 simultaneous ssh sessions. I believe the documentation suggesting otherwise is unclear in that it is meant for multiple context ASAs.
I just labbed it and the limit does not change with "quota management-session 10" or even when doing:
class-map type management MGMT_CMAP
 match port tcp eq ssh
!
policy-map MGMT_PMAP
 class MGMT_CMAP
  set connection conn-max 10
!
service-policy MGMT_PMAP interface inside
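Since the thread concludes the 5-session cap on a single-context ASA cannot be raised, the practical defensive angle is keeping those five slots from being exhausted by idle or unwanted sessions. The following ASA configuration fragment is an added example (not from either poster); the interface name "inside", the management subnet 192.168.10.0/24 and the timeout value are assumed values, and the session id in the last command is a placeholder taken from whatever "show ssh sessions" reports on your box.

```cisco
! Restrict which sources may open SSH to the ASA at all, so stray or
! automated clients cannot consume the shared pool of 5 sessions.
ssh 192.168.10.0 255.255.255.0 inside
ssh version 2
!
! Idle sessions are disconnected after 10 minutes (default is 5),
! returning the slot to the pool without operator intervention.
ssh timeout 10
!
! Administrative session quota (page syntax); does not raise the SSH cap.
quota management-session 5
!
! Verification and recovery: list current SSH sessions with their ids,
! then terminate a stale one to free a slot (<SESSION_ID> is a placeholder).
show ssh sessions
ssh disconnect <SESSION_ID>
```

The "ssh" source restriction and "ssh timeout" lines are the pieces that actually influence how often the cap is hit; "show ssh sessions" and "ssh disconnect" are the operator's tools when all five slots are already taken.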
08-22-2019 02:03 AM
Now what you've done is the right syntax. I haven't tried to increase ssh sessions before, but I always like to make use of every possibility before concluding on the documentation's direction.
Your configuration is only matching on TCP port 22 according to your command. I wanted to just agree this might be a deadlock thing, but I had to think of the way the ASA handles FTP traffic when in passive mode, and the way the ASA handles traceroute as well. I believe you are familiar with the aforementioned protocols (FTP & traceroute).
In the case of FTP, when you check the default inspection, you can see the ASA is inspecting FTP, but technically the ASA will deny FTP in passive mode due to the variation in outbound ports and inbound port (check the FTP order of operation on this).
In the case of traceroute, Cisco uses a Unix-based approach whilst a Windows machine doesn't; the method of manually placing an exception for this protocol is different depending on where the traffic is being generated from. In IOS / UNIX-based systems UDP is used outbound and the return traffic is TCP (do you see the difference?); this is why traceroute packets get dropped until you manually inspect this via MPF.
On a Windows machine it uses TCP outbound and the return packets consist of two different ICMP code traffic types.
With your configuration, even if this is not possible, I guess you still haven't done the manual inspection properly in terms of what your class-map is matching or inspecting.
The logic before using MPF is to check :
The above guidance will tell you what is seen outbound and what is seen inbound. As we know the ASA has stateful behaviour, it will expect the outbound traffic to match the inbound, but in the case of non-standard protocols we need a manual exception, found by looking into logs / connection details, to get this right.
Please let us see if this works....