06-01-2020 12:52 PM
Hi All,
I am creating a new user with privilege level of 15 on my ASA using the ASDM client. When attempting to authenticate using SSH and a password for the SSH session (note: no keys are installed), I receive the following error, indicating an issue with AAA permissions on the Local server:
SSH session from 192.168.109.77 on interface inside for user “Unknown” disconnected by SSH server, reason: “Internal error” (0x00)
At this point, I have verified my SSH settings (host is allowed to my inside interface), SSH is enabled for AAA authentication on the local server, and the username has all of the privileges. I am lost, as all of the comments online seem to be mentioning an RSA key, which I am not using.
06-02-2020 12:27 AM
- Check if a number of items of this thread can be helpful :
M.
03-29-2021 12:55 PM
Ensure you have licensing to enable 3DES-AES encryption.
03-31-2021 02:34 AM
I am not clear whether this is an issue about terminology or is about something else. But I note this comment "seem to be mentioning an RSA key, of which i am not using." SSH inherently uses an encryption key which is commonly referred to as an RSA key. Perhaps we should ask about this ASA and how SSH was configured. How was the encryption key generated?
I also note that in the error message it includes "for user “Unknown”". Is there perhaps a mismatch between the user name entered on the SSH request and what is configured on the ASA?
12-05-2022 08:30 AM
This error is often related to SSH cipher algorithm mismatch. The "unknown user" part sends people down the wrong path when troubleshooting - myself included!
Do a "show ssh" on the ASA side to verify which algos are available to you and make sure they match the client side.
For example, I wanted to copy an ASDM file from a new ASA to an older 5510... the secure copy would not work and threw the same error as you were seeing. The older ASA only supported hmac-sha1 and hmac-sha1-96 for cipher integrity.
I configured the older (and insecure) HMAC on the newer ASA **temporarily** to transfer the file in question.
ASA5545-X/pri(config)# ssh cipher integrity custom hmac-sha1-96
WARNING: HMAC-SHA1-96 is considered insecure. This option is deprecated and will be removed in a later version.
The SCP then worked and I removed the deprecated cipher from the new ASA configuration.
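The algorithm mismatch described in the post above, as an added example that is not part of the original thread: SSH (RFC 4253, section 7.1) selects the first cipher and MAC on the client's list that the server also offers, and the session fails if any category has no overlap. The name-lists are constructed sample data, apart from the two HMACs the post attributes to the older ASA; the function names are hypothetical, and AEAD ciphers (where the MAC is ignored) are not modelled.

```python
# Added example: SSH cipher/MAC selection per RFC 4253 section 7.1.
# Name-lists are constructed sample data, not output from a real device,
# except the older ASA's MACs (hmac-sha1, hmac-sha1-96) taken from the thread.

# The ASA warning quoted in the thread marks this MAC as deprecated.
DEPRECATED = {"hmac-sha1-96"}

OLD_ASA_SERVER = {
    "cipher": ["aes128-cbc", "aes256-cbc"],      # constructed
    "mac": ["hmac-sha1", "hmac-sha1-96"],        # from the thread
}
NEW_ASA_CLIENT_DEFAULT = {
    "cipher": ["aes256-ctr", "aes128-cbc"],      # constructed
    "mac": ["hmac-sha2-256"],                    # constructed
}
NEW_ASA_CLIENT_TEMPORARY = {
    "cipher": ["aes256-ctr", "aes128-cbc"],      # constructed
    "mac": ["hmac-sha1-96"],                     # the temporary setting in the thread
}


def negotiate(client_list, server_list):
    """Return the first client algorithm the server also offers, else None."""
    offered = set(server_list)
    for name in client_list:
        if name in offered:
            return name
    return None


def check_session(client, server):
    """Negotiate each category and flag mismatches or deprecated picks."""
    report = {}
    for category in ("cipher", "mac"):
        chosen = negotiate(client[category], server[category])
        if chosen is None:
            status = "MISMATCH"      # key exchange aborts; the session never reaches login
        elif chosen in DEPRECATED:
            status = "DEPRECATED"    # works, but should be reverted after use
        else:
            status = "OK"
        report[category] = (status, chosen)
    return report


if __name__ == "__main__":
    for label, client in (("default", NEW_ASA_CLIENT_DEFAULT),
                          ("temporary", NEW_ASA_CLIENT_TEMPORARY)):
        print(label, check_session(client, OLD_ASA_SERVER))
```

Because a MISMATCH aborts the session before authentication, the server never learns a username, which is consistent with the "Unknown" user in the log line.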