Sudden problem with SSH into ASA-5505 when using version 2

baskervi
Level 1

A customer of mine has an ASA-5505 running 8.2(5)59, and it's been configured for at least a couple years as SSH version 2. I provide this customer with remote support, and SSH has always been restricted to specific IP addresses. About 2 or 3 weeks ago, all of a sudden I couldn't log in with SSH using putty remotely, so I VPN and connect to the internal servers, and the SSH client won't connect either. Given I'm 2.25 hours away, I had telnet opened up internally, so I at least have a way to access it. When I telnet to port 22, the ASA responds with "SSH-2.0-Cisco-1.25". Using putty or any other SSH client, the SSH client responds instantly with something along the lines of "Server unexpectedly closed network connection." I can't even attempt to login. If I change SSH to version 1, it works just fine. Does anyone have any thoughts on this? Thanks

2 Accepted Solutions

8 Replies

Philip D'Ath
VIP Alumni

Try re-generating the SSH key.  Something like:

crypto key generate rsa general-keys modulus 4096

Failing that try rebooting the ASA.

Failing that, make sure you are using an up to date version of PuTTY, and enable stronger keys on the ASA with (your software might be too old for this):

ssh key-exchange group dh-group14-sha1

Philip, thanks very much for the reply. The first thing I tried was to regenerate the keys but that didn't help. I rebooted the ASA, which didn't help the problem, and the ssh key-exchange command isn't available on this version of software. I'll update the software today and see if that helps. Take care.

If you issue the command sh ssh what is the output? does it show something like the following?

ciscoasa# sh ssh
Timeout: 15 minutes
Versions allowed: 1 and 2

Are you just having issues with SSH or is ASDM also affected?

Have you checked the log? is there anything out of the ordinary there?

Do a debug ssh and then establish another session using ssh and check the output.

--
Please remember to select a correct answer and rate helpful posts

SORD-asa# sh ssh
Timeout: 30 minutes
Version allowed: 2
172.31.1.0 255.255.255.0 inside
x.x.x.x 255.255.255.255 outside

I'm not sure if asdm is affected. The software isn't installed at this point.

Regarding the logs, here is the only entry:

Jan 31 2017 02:09:39: %ASA-6-315011: SSH session from x.x.x.x on interface outside for user "" disconnected by SSH server, reason: "Internal error" (0x00)

I should have thought of debugging this, but here is the output:

SSH2 0: DH shared secret computation failed, status 255
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"

There is a recent bug reported for 8.4(0.2), but it's a little different from this: 

https://supportforums.cisco.com/discussion/10791491/cannot-access-asdm-and-ssh

That sounds bad.  I would definitely upgrade the main ASA software.

I put later firmware on the ASA earlier today, but I was concerned that if there was a hardware problem, I'd be out of luck since the site is over 2 hours away. I just rebooted, and it came up fine with 9.1(7.12). Thanks for everyone's input.

Suddenly, SSH failed from an internal Ubuntu server - see the following error. SSHed to my internal aserver (Mint) and ssh worked. Set # debug ssh, and ssh from all internal servers started working....WHAT HAPPENED???

Stopped debug and ssh still works???

I've had issues with hash keys from Linux but not from Windows.  Had to put this in .ssh/config file to get  to my switches on 10.10.10.0:

aserver@DESK ~/.ssh $ ls
config known_hosts known_hosts.old test3 test4
aserver@DESK ~/.ssh $ cat config
Host local1
HostName 10.10.10.3
KexAlgorithms=+diffie-hellman-group1-sha1

Host local2
HostName 10.10.10.4
KexAlgorithms=+diffie-hellman-group1-sha1

Host local3
HostName 10.10.10.5
KexAlgorithms=+diffie-hellman-group1-sha1

Host local4
HostName 10.10.10.6
KexAlgorithms=+diffie-hellman-group1-sha1
Host 10.10.10.3
KexAlgorithms=+diffie-hellman-group1-sha1

Host 10.10.10.4
KexAlgorithms=+diffie-hellman-group1-sha1

Host 10.10.10.5
KexAlgorithms=+diffie-hellman-group1-sha1

Host 10.10.10.6
KexAlgorithms=+diffie-hellman-group1-sha1

SSH ERROR from ASA 5520 LOG

May 30 2019 12:44:31: %ASA-6-315011: SSH session from 192.168.168.220 on interface inside for user "*****" disconnected by SSH server, reason: "Internal error" (0x00)
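The `KexAlgorithms=+diffie-hellman-group1-sha1` stanzas above work because of how SSH picks a key-exchange algorithm (RFC 4253 section 7.1: the first entry on the client's list that the server also offers wins; no overlap means the server drops the connection, which is the instant "server closed connection" / "DH shared secret computation failed" symptom earlier in the thread). The following Python model is an added example, not code from the thread or from OpenSSH or Cisco. It assumes an approximate recent OpenSSH default kex list (check your own build with `ssh -Q kex`), and takes the two ASA offerings from the thread: old ASA code offering only `diffie-hellman-group1-sha1`, and `diffie-hellman-group14-sha1` once `ssh key-exchange group dh-group14-sha1` is configured.

```python
from fnmatch import fnmatch

# Assumption: approximation of a recent OpenSSH client's default KexAlgorithms
# order. Older builds also list diffie-hellman-group14-sha1; verify with `ssh -Q kex`.
OPENSSH_DEFAULT_KEX = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
]

# Server offerings taken from the thread (constructed lists, not captured KEXINIT data):
# old ASA code before the key-exchange command, and after `ssh key-exchange group dh-group14-sha1`.
ASA_LEGACY_KEX = ["diffie-hellman-group1-sha1"]
ASA_GROUP14_KEX = ["diffie-hellman-group14-sha1"]


def config_value(line):
    """Return the value part of an ssh_config line; both
    'KexAlgorithms=+x' and 'KexAlgorithms +x' spellings are accepted by ssh."""
    _key, _sep, value = line.strip().replace("=", " ", 1).partition(" ")
    return value.strip()


def apply_kex_option(defaults, option):
    """Emulate OpenSSH's KexAlgorithms value syntax:
    '+list' appends to the default list, '-list' removes matching names
    (shell-style patterns allowed), '^list' puts the names at the head,
    and a bare list replaces the defaults outright."""
    if option.startswith("+"):
        extra = [a for a in option[1:].split(",") if a not in defaults]
        return list(defaults) + extra
    if option.startswith("-"):
        patterns = option[1:].split(",")
        return [a for a in defaults if not any(fnmatch(a, p) for p in patterns)]
    if option.startswith("^"):
        head = option[1:].split(",")
        return head + [a for a in defaults if a not in head]
    return option.split(",")


def negotiate_kex(client_algs, server_algs):
    """RFC 4253 section 7.1: the first algorithm in the client's list that the
    server also supports is chosen; None means the connection cannot proceed."""
    offered = set(server_algs)
    for alg in client_algs:
        if alg in offered:
            return alg
    return None


if __name__ == "__main__":
    stock = OPENSSH_DEFAULT_KEX
    fixed = apply_kex_option(stock, config_value("KexAlgorithms=+diffie-hellman-group1-sha1"))
    downgraded = apply_kex_option(stock, "^diffie-hellman-group1-sha1")
    mixed_server = ASA_LEGACY_KEX + OPENSSH_DEFAULT_KEX  # a server offering both old and new
    print("stock client vs old ASA:   ", negotiate_kex(stock, ASA_LEGACY_KEX))
    print("'+group1' client vs old ASA:", negotiate_kex(fixed, ASA_LEGACY_KEX))
    print("'+group1' client vs mixed:  ", negotiate_kex(fixed, mixed_server))
    print("'^group1' client vs mixed:  ", negotiate_kex(downgraded, mixed_server))
```

The design point: `+` appends, so the weak algorithm is only ever chosen when nothing stronger is common, while `^` would prefer it even against a server that supports curve25519. Keep such overrides inside a `Host` stanza for the specific device, as the post above does, rather than globally. To see what a real server offers, `ssh -vv host` prints the server's KEXINIT name-lists before the "no matching key exchange method" error.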

I am also getting the same error 

<166>%ASA-6-315011: SSH session from 10.10.10.10 on interface for user "*****" disconnected by SSH server, reason: "Time-out activated" (0x6e)

Please help !!!!
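The three `%ASA-6-315011` lines posted in this thread do not all describe the same problem: two are "Internal error" (0x00), one of them with an empty user name, which matches the `debug ssh` output earlier ("DH shared secret computation failed" before any login), while the last is "Time-out activated" (0x6e), which is the SSH server closing an idle session. The parser below is an added example, not code from the thread or from Cisco; the sample input is constructed from the lines quoted above plus one unrelated login message made up for the example, and the triage labels are this example's own interpretation of the reason text and user field.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log: the three 315011 lines quoted in this thread, plus one
# unrelated line (made up for the example) to show that other message IDs are skipped.
SAMPLE_LOG = """\
Jan 31 2017 02:09:39: %ASA-6-315011: SSH session from x.x.x.x on interface outside for user "" disconnected by SSH server, reason: "Internal error" (0x00)
May 30 2019 12:44:31: %ASA-6-315011: SSH session from 192.168.168.220 on interface inside for user "*****" disconnected by SSH server, reason: "Internal error" (0x00)
<166>%ASA-6-315011: SSH session from 10.10.10.10 on interface for user "*****" disconnected by SSH server, reason: "Time-out activated" (0x6e)
May 30 2019 12:45:00: %ASA-6-605005: Login permitted from 192.168.168.220/51234 to inside:192.168.168.1/ssh for user "admin"
"""

# The interface name may be absent (third line above), so it is an optional group.
RE_315011 = re.compile(
    r'%ASA-(?P<sev>\d)-315011: SSH session from (?P<src>\S+) on interface(?: (?P<iface>\S+))? '
    r'for user "(?P<user>[^"]*)" disconnected by SSH server, '
    r'reason: "(?P<reason>[^"]+)" \((?P<code>0x[0-9a-fA-F]+)\)'
)


@dataclass(frozen=True)
class SshDisconnect:
    severity: int
    src: str
    iface: str
    user: str
    reason: str
    code: int


def parse_asa_315011(text):
    """Return one SshDisconnect per 315011 line; syslog PRI prefixes such as <166> are tolerated."""
    events = []
    for line in text.splitlines():
        m = RE_315011.search(line)
        if not m:
            continue
        events.append(SshDisconnect(
            severity=int(m["sev"]),
            src=m["src"],
            iface=m["iface"] or "",
            user=m["user"],
            reason=m["reason"],
            code=int(m["code"], 16),
        ))
    return events


# Triage labels used by this example (an interpretation, not Cisco's own taxonomy).
EXPLANATIONS = {
    "pre-auth-internal-error": "no user name yet: failed before authentication, i.e. during key exchange "
                               "or host-key handling; run 'debug ssh' and check kex/host-key settings",
    "internal-error-with-user": "internal error after a user name was presented; check 'debug ssh'",
    "idle-timeout": "session closed by the 'ssh timeout' idle limit, not a crypto problem",
    "other": "unclassified reason text",
}


def classify(ev):
    if ev.reason.startswith("Time-out"):
        return "idle-timeout"
    if ev.reason == "Internal error":
        return "pre-auth-internal-error" if ev.user == "" else "internal-error-with-user"
    return "other"


def summarize(events):
    """Count disconnects per (source address, triage label)."""
    return Counter((ev.src, classify(ev)) for ev in events)


if __name__ == "__main__":
    for ev in parse_asa_315011(SAMPLE_LOG):
        label = classify(ev)
        print(f"{ev.src:16} {ev.iface or '-':8} user={ev.user!r:8} {ev.reason} ({ev.code:#04x}) -> {label}: {EXPLANATIONS[label]}")
    print(summarize(parse_asa_315011(SAMPLE_LOG)))
```

Run against a syslog export of the ASA, the summary separates a client that can no longer complete key exchange (repeated pre-auth internal errors from one source) from sessions that simply idled out, which is the distinction the last two posts above need before chasing the same fix.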
