NAT'ed SSH session to C9300 gets reset by unexpected RST flag

Hi gladiators,

I have a setup where I can only have a NAT'ed TCP (SSH) session to a C9300 (16.12.2) between VLAN 10 (l.s. 10.60.30.20/24) and VLAN 20 (l.s. 10.100.50.254/24), where SRC & DST respectively live, separated by a FW (ASA).

The quest is: I can log in to DST from SRC via SSH, but all sessions get dropped from DST by an RST flag in just a few seconds (a couple of tens). From the user's perspective it looks like obtaining a prompt from DST, entering the password & then trying to enter "enable" followed by the enable password. Rarely I can even catch the enable prompt. It never lasts more than ~10 secs.

My Q is: why, under these conditions, does DST send RST? A capture from the ASA with the translated session from the egress intf is attached.

help...

2 Replies

balaji.bandi
Hall of Fame

Which device are these logs from?

How about login from the same network? Does that work?

BB


It's a capture from the ASA's DST-facing interface. Both SRC & DST live in VLANs directly attached to the FW.

There is no way to log in from the same subnet as DST (only from the ASA, but it lacks ssh|telnet client features). That's why NAT is configured to hide SRC behind the FW's IP in VLAN 40.

debug ip ssh client output from SRC:

004136: Jul 3 12:01:01.300: SSH CLIENT0: protocol version id is - SSH-1.99-Cisco-1.25
004137: Jul 3 12:01:01.300: SSH CLIENT0: protocol version exchange successful
004138: Jul 3 12:01:01.301: SSH2 CLIENT 0: Using kex_algo = diffie-hellman-group-exchange-sha1
004139: Jul 3 12:01:01.384: SSH CLIENT0: key exchange successful and encryption on
004140: Jul 3 12:01:01.386: SSH2 CLIENT 0: using method keyboard-interactive authentication
004141: Jul 3 12:01:03.020: SSH2 CLIENT 0: SSH2_MSG_USERAUTH_SUCCESS message received
004142: Jul 3 12:01:03.020: SSH CLIENT0: user authenticated
004143: Jul 3 12:01:03.021: SSH2 CLIENT 0: pty-req request sent
004144: Jul 3 12:01:03.022: SSH2 CLIENT 0: shell request sent
004145: Jul 3 12:01:03.023: SSH CLIENT0: session open
004146: Jul 3 12:01:03.224: SSH CLIENT0: Session disconnected - error 0x07