Attempting to Create User with Password Authentication via SSH on Cisco ASA

tde23
Level 1

Hi All,

I am creating a new user with privilege level of 15 on my ASA using the ASDM client. When attempting to authenticate using SSH and a password for the SSH session (note: no keys are installed), I receive the following error, indicating an issue with AAA permissions on the Local server:


SSH session from 192.168.109.77 on interface inside for user “Unknown” disconnected by SSH server, reason: “Internal error” (0x00)

At this point, I have verified my SSH settings (host is allowed to my inside interface), SSH is enabled for AAA authentication on the local server, and the username has all of the privileges. I am lost, as all of the comments online seem to be mentioning an RSA key, which I am not using.

4 Replies

marce1000
VIP

 - Check whether a number of items in this thread can be helpful:

https://community.cisco.com/t5/network-security/sudden-problem-with-ssh-into-asa-5505-when-using-version-2/td-p/3076528

 M.

-- 'Good body every evening' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

prstormtrooper
Level 1

Ensure you have licensing to enable 3DES-AES encryption.

I am not clear whether this is an issue about terminology or is about something else. But I note this comment "seem to be mentioning an RSA key, of which i am not using." SSH inherently uses an encryption key which is commonly referred to as an RSA key. Perhaps we should ask about this ASA and how SSH was configured. How was the encryption key generated?


I also note that in the error message it includes "for user “Unknown”". Is there perhaps a mismatch between the user name entered on the SSH request and what is configured on the ASA?

HTH

Rick

ccie4297
Level 1

This error is often related to an SSH cipher algorithm mismatch. The "unknown user" part sends people down the wrong path when troubleshooting - myself included!

Do a "show ssh" on the ASA side to verify which algos are available to you and make sure they match the client side.

For example, I wanted to copy an ASDM file from a new ASA to an older 5510... the secure copy would not work and threw the same error as you were seeing. The older ASA only supported hmac-sha1 and hmac-sha1-96 for cipher integrity.

I configured the older (and insecure) HMAC on the newer ASA *temporarily* to transfer the file in question.
ASA5545-X/pri(config)# ssh cipher integrity custom hmac-sha1-96
WARNING: HMAC-SHA1-96 is considered insecure. This option is deprecated and will be removed in a later version.

The SCP then worked and I removed the deprecated cipher from the new ASA configuration.
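The check described in the reply above (compare the algorithms "show ssh" lists on the ASA with what the client offers, and make sure a deprecated integrity algorithm does not stay enabled afterwards) can be scripted. The following is an added example, not code from the thread or from Cisco. The "show ssh" text and the client algorithm lists are constructed samples: the ASA output approximates the 9.x "Cipher ... algorithms enabled:" line format, and the client lists stand in for what `ssh -Q cipher` / `ssh -Q mac` would print; the set of algorithms flagged as weak is this example's own assumption, seeded from the HMAC-SHA1-96 warning the ASA printed.

```python
"""Compare an ASA's enabled SSH algorithms with those an SSH client offers.

Added example, not part of the thread. All inputs below are constructed.
"""
import re

# Constructed "show ssh" output from an older ASA (format approximated).
SHOW_SSH_OLD_ASA = """\
Timeout: 5 minutes
Version allowed: 2
Cipher encryption algorithms enabled: aes128-cbc aes256-cbc aes128-ctr aes256-ctr
Cipher integrity algorithms enabled: hmac-sha1 hmac-sha1-96
192.168.109.0 255.255.255.0 inside
"""

# Constructed client offer (what `ssh -Q cipher` / `ssh -Q mac` might list),
# deliberately without any hmac-sha1 variant so the mismatch is reproduced.
CLIENT_CIPHERS = ["aes128-ctr", "aes256-ctr", "aes128-gcm@openssh.com",
                  "chacha20-poly1305@openssh.com"]
CLIENT_MACS = ["hmac-sha2-256", "hmac-sha2-512", "umac-128-etm@openssh.com"]

# Assumed list of algorithms that should not remain enabled after a one-off
# transfer; hmac-sha1-96 is the one the ASA itself warned about.
WEAK_ALGORITHMS = {"hmac-sha1-96", "hmac-md5", "hmac-md5-96", "3des-cbc"}

LINE_RE = re.compile(r"\s*Cipher (encryption|integrity) algorithms enabled:\s*(.*)", re.I)


def parse_show_ssh(text):
    """Return {'encryption': [...], 'integrity': [...]} from "show ssh" output."""
    algos = {"encryption": [], "integrity": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            algos[m.group(1).lower()] = m.group(2).split()
    return algos


def negotiate(server_algos, client_algos):
    """SSH picks the first client-preferred algorithm the server also supports
    (RFC 4253 section 7.1); None means no common algorithm, i.e. the session
    fails before any username is ever authenticated."""
    server = set(server_algos)
    for alg in client_algos:
        if alg in server:
            return alg
    return None


def check(show_ssh_text, client_ciphers, client_macs):
    """Summarise whether a session would negotiate and which weak algorithms are on."""
    algos = parse_show_ssh(show_ssh_text)
    result = {
        "cipher": negotiate(algos["encryption"], client_ciphers),
        "mac": negotiate(algos["integrity"], client_macs),
    }
    result["ok"] = result["cipher"] is not None and result["mac"] is not None
    enabled = set(algos["encryption"] + algos["integrity"])
    result["weak_enabled"] = sorted(WEAK_ALGORITHMS & enabled)
    return result


if __name__ == "__main__":
    before = check(SHOW_SSH_OLD_ASA, CLIENT_CIPHERS, CLIENT_MACS)
    print("modern client vs old ASA:", before)   # mac is None -> "Internal error" style failure
    after = check(SHOW_SSH_OLD_ASA, CLIENT_CIPHERS, CLIENT_MACS + ["hmac-sha1"])
    print("client also offering hmac-sha1:", after)
    if before["weak_enabled"]:
        print("still enabled on the ASA, remove after the transfer:", before["weak_enabled"])
```

Running it shows the session failing on the MAC negotiation even though a cipher is agreed, which matches the reply's point that the "Unknown" user in the log is a symptom of the transport never completing, not an AAA problem. Re-running the check against fresh "show ssh" output after the transfer confirms that the deprecated integrity algorithm has been removed again.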