
Attempting to Create User with Password Authentication via SSH on Cisco ASA


Hi All,


I am creating a new user with privilege level of 15 on my ASA using the ASDM client. When attempting to authenticate using SSH and a password for the SSH session (note: no keys are installed), I receive the following error, indicating an issue with AAA permissions on the Local server:


SSH session from on interface inside for user “Unknown” disconnected by SSH server, reason: “Internal error” (0x00)


At this point, I have verified my SSH settings (host is allowed to my inside interface), SSH is enabled for AAA authentication on the local server, and the username has all of the privileges. I am lost, as all of the comments online seem to be mentioning an RSA key, which I am not using.

4 Replies



 - Check if a number of items of this thread can be helpful:


-- ' A nun once asked a penguin ' do you think the earth is flat ? ; the penguin replied :
Madam, it all depends , in Riemann geometries the earth can be perfectly flat! The nun thanked him , he tripped and fell forward : the poor animal had forgotten that he might be living in a Riemann geometry too!


Ensure you have licensing to enable 3DES-AES encryption.

I am not clear whether this is an issue about terminology or is about something else. But I note this comment "seem to be mentioning an RSA key, of which i am not using." SSH inherently uses an encryption key which is commonly referred to as an RSA key. Perhaps we should ask about this ASA and how SSH was configured. How was the encryption key generated?


I also note that in the error message it includes "for user “Unknown”". Is there perhaps a mismatch between the user name entered on the SSH request and what is configured on the ASA?




This error is often related to an SSH cipher algorithm mismatch. The "unknown user" part sends people down the wrong path when troubleshooting - myself included!

Do a "show ssh" on the ASA side to verify which algos are available to you and make sure they match the client side.

For example, I wanted to copy an ASDM file from a new ASA to an older 5510... the secure copy would not work and threw the same error as you were seeing. The older ASA only supported hmac-sha1 and hmac-sha1-96 for cipher integrity. 

I configured the older (and insecure) HMAC on the newer ASA **temporarily** to transfer the file in question.
ASA5545-X/pri(config)# ssh cipher integrity custom hmac-sha1-96
WARNING: HMAC-SHA1-96 is considered insecure. This option is deprecated and will be removed in a later version.

The SCP then worked and I removed the deprecated cipher from the new ASA configuration.
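
The algorithm mismatch described in the reply above, as an added example that is not part of the original posts: it applies the RFC 4253 selection rule (first name on the client's list that the server also offers) to per-category lists and reports where negotiation fails or lands on a deprecated algorithm. The cipher lists and the newer unit's MAC list are constructed assumptions; only the older unit's MAC list and the deprecation of hmac-sha1-96 come from the thread.

```python
"""Added example: SSH algorithm negotiation check (RFC 4253, section 7.1)."""

# Flagged as insecure/deprecated by the ASA warning quoted in the thread.
DEPRECATED = {"hmac-sha1-96"}


def negotiate(client_list, server_list):
    """Return the first algorithm on the client's list that the server also
    offers (the RFC 4253 rule for ciphers and MACs), or None on mismatch."""
    offered = set(server_list)
    for name in client_list:
        if name in offered:
            return name
    return None


def check(client, server):
    """Compare per-category name-lists; return {category: (status, algorithm)}."""
    report = {}
    for category in sorted(set(client) | set(server)):
        chosen = negotiate(client.get(category, []), server.get(category, []))
        if chosen is None:
            report[category] = ("MISMATCH", None)
        elif chosen in DEPRECATED:
            report[category] = ("DEPRECATED", chosen)
        else:
            report[category] = ("OK", chosen)
    return report


# Constructed sample data. The old unit's MAC list is the one given in the
# post; the cipher lists and the newer unit's MAC list are assumptions.
OLD_ASA = {"cipher": ["aes128-ctr", "aes256-ctr"],
           "mac": ["hmac-sha1", "hmac-sha1-96"]}
NEW_ASA = {"cipher": ["aes256-ctr", "aes128-ctr"],
           "mac": ["hmac-sha2-256"]}
# State after the temporary "ssh cipher integrity custom hmac-sha1-96" change.
NEW_ASA_TEMP = dict(NEW_ASA, mac=["hmac-sha1-96"])

if __name__ == "__main__":
    # The newer unit is assumed to act as the SCP client here.
    for label, client in (("before", NEW_ASA), ("temporary", NEW_ASA_TEMP)):
        for category, (status, algo) in check(client, OLD_ASA).items():
            print(f"{label:9} {category:6} {status:10} {algo or '-'}")
```

A DEPRECATED result marks a setting to revert once the transfer is done, as the poster did.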

