cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4516
Views
5
Helpful
4
Replies

Attempting to Create User with Password Authentication via SSH on Cisco ASA

tde23
Level 1
Level 1

Hi All,

 

I am creating a new user with privilege level of 15 on my ASA using the ASDM client. When, attempting to authentication using SSH and a password for the SSH session (note: no keys are installed), I receive the following error, indicating an issue with AAA permissions on the Local server:

 

SSH session from 192.168.109.77 on interface inside for user “Unknown” disconnected by SSH server, reason: “Internal error” (0x00)

 

At this point, I have verified my ssh settings, (host is allowed to my inside interface), SSH is enabled for AAA authentication on the local server, and the username has all of the privileges. I am lost, as all of the comments online seem to be mentioning an RSA key, of which i am not using. 

4 Replies 4

marce1000
VIP
VIP

 

 - Check if a number of items of this thread  can be helpful :

          https://community.cisco.com/t5/network-security/sudden-problem-with-ssh-into-asa-5505-when-using-version-2/td-p/3076528

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

prstormtrooper
Level 1
Level 1

Ensure you have licensing to enable 3DES-AES encryption.

I am not clear whether this is an issue about terminology or is about something else. But I note this comment "seem to be mentioning an RSA key, of which i am not using." SSH inherently uses an encryption key which is commonly referred to as an RSA key. Perhaps we should ask about this ASA and how SSH was configured. How was the encryption key generated?

 

I also note that in the error message it includes "for user “Unknown”". Is there perhaps a mismatch between the user name entered on the SSH request and what is configured on the ASA?

HTH

Rick

ccie4297
Level 1
Level 1

This error is often related to SSH cipher algorithm mismatch. The "uknown user" part sends people down the wrong path when troubleshooting - myself included!

Do a "show ssh" on the ASA side to verify which algos are available to you and make sure they match the client side.

For example, I wanted to copy an ASDM file from a new ASA to an older 5510... the secure copy would not work and threw the same error as you were seeing. The older ASA only supported hmac-sha1 and hmac-sha1-96 for cipher integrity. 

I configured the older (and insecure) HMAC on the newer ASA **temporarily* to transfer the file in question.
ASA5545-X/pri(config)# ssh cipher integrity custom hmac-sha1-96
WARNING: HMAC-SHA1-96 is considered insecure. This option is deprecated and will be removed in a later version.

The SCP then worked and I removed the deprecated cipher from the new ASA configuration.

 

Review Cisco Networking for a $25 gift card