cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2156
Views
0
Helpful
11
Replies

After Upgrade the ASA5505 with 8.2.3,Not able to get the SSH connection

chirag3737
Level 1
Level 1

Hello All,

This is third time I open case open to the Cisco about I am not able to get the SSH connection from ASA 5505 after upgrade the IOS 8.2.3 and Device Manager 6.3.3 from the older IOS 7.2.4 and device manager 5.2.4.

Let me give you brife idea,

I am working in MNC and we have more than 30 office around the world.We have all offices have ASA5505 which we upgrade 3 years before and Now We are in procession to upgrade the IOS on all ASA5505 to all 30 offices.

But after I upgrade the 10 offices and relieze that not able to get SSH connection to ASA5505 with new IOS 8.2.3.I opened the 2 times case and call the Cisco Technical but no luck so far.

If anyone have same issue or experience,Please share with me.

Thank you in advance.

Chirag Dobariya

3 Accepted Solutions

Accepted Solutions

Shrikant Sundaresh
Cisco Employee
Cisco Employee

Hi Chirag,

ASA 8.2.3 has a bug with SSH connections not working. I dont have a link to the bug at the moment, but I remember it well.

To know you are hitting the bug, do the following:

Check the output of "show asp table socket", and see if the ASA is listening on port 22 of the interface ip's for which ssh is enabled.

If it isn't listening, but the SSH config is present, then you are hitting this bug.

The workaround is to remove the SSH config and put it back in.

"no ssh "  for each ssh line that is present.

Follow this with "ssh for each ssh line that should be there.

This will get SSH running for now.

When I find the exact bug id, I will attach the link here. The versions in which this bug is fixed would be mentioned in that link. And you can proceed upgrading the other 20 ASAs to that version instead.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

View solution in original post

Hey Chirag,

Here is the link to the bug: CSCti72411


The bug has been fixed in version 8.2.4.

The notes in the link clearly tell you what to look for to see if you are hitting the bug. Its essentially the same that I mentioned earlier.

Ignore the workaround note to downgrade to the earlier version, since it was put in before the bug was fixed.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

View solution in original post

Hi Chirag,

The call home functionality is a new  feature which allows you to configure the ASA to send various types of  information directly to your email.

If you don't need this  functionality, then you can go ahead and remove the relevant  configuration. It won't have any impact on performance of the ASA.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

View solution in original post

11 Replies 11

Shrikant Sundaresh
Cisco Employee
Cisco Employee

Hi Chirag,

ASA 8.2.3 has a bug with SSH connections not working. I dont have a link to the bug at the moment, but I remember it well.

To know you are hitting the bug, do the following:

Check the output of "show asp table socket", and see if the ASA is listening on port 22 of the interface ip's for which ssh is enabled.

If it isn't listening, but the SSH config is present, then you are hitting this bug.

The workaround is to remove the SSH config and put it back in.

"no ssh "  for each ssh line that is present.

Follow this with "ssh for each ssh line that should be there.

This will get SSH running for now.

When I find the exact bug id, I will attach the link here. The versions in which this bug is fixed would be mentioned in that link. And you can proceed upgrading the other 20 ASAs to that version instead.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

Hey Chirag,

Here is the link to the bug: CSCti72411


The bug has been fixed in version 8.2.4.

The notes in the link clearly tell you what to look for to see if you are hitting the bug. Its essentially the same that I mentioned earlier.

Ignore the workaround note to downgrade to the earlier version, since it was put in before the bug was fixed.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

Thank you Shrikant for your qucik helpful reply.I will try and let you know.

I have also one more question in this new version come with extra details(See below). As my understanding this is only for subscibe alert or email to cisco.What do you think ? for my sites I don't think so I need it.Can I delete those configuration after upgrade with new version? OR I have to keep that.It took long config file to see on each and every device.

"call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DD

CEService

  destination address email callhome@cisco.com

  destination address http https://tools.cisco.com/its/service/oddce/services/DD

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily"

Thank you,

Chirag Dobariya

Hi Chirag,

The call home functionality is a new  feature which allows you to configure the ASA to send various types of  information directly to your email.

If you don't need this  functionality, then you can go ahead and remove the relevant  configuration. It won't have any impact on performance of the ASA.

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks.

Many thanks for give me the Quick reply.

Do you know anyone has idea about the CVO? I also have to implement to our 20 other sites.

I am really appreciated to you.

Thank you,

Chirag Dobariya

Hello Shrikant,

I really need you help. after read your reply I just upgrade the my Lab box from 8.2.3 to 8.2.4 on last week. Now I am not able to ping that box.everything is working fine on last week and couple of days today.but today i got netcool alert and I am not able to get SSH or Ping to the box. But I did console and I saw all Ethernets and Vlans ports are Up and running.

Is there any other bug in this 8.2.4 version which fix the SSH but broke the ICMP after couple of days?

Could you please clarify me because I already implement one of our production site on yesterday? and it is working fine till now. I don't know how long??

I am waiting for your reply.

Thank you very much in advance.

I would be appreciated to you.

Thank you,

Chirag Dobariya

Hi Chirag,

If i understand you correctly, two days after upgrading the lab box to 8.2.4, you are unable to ping it.

I think we would need to troubleshoot that box separately, and it should not be hitting any bug.

Kindly check the following:

1. Run captures on the interface your PC is connected to, and check if the icmp request reaches the ASA.

2. See if the PC's default gateway is configured correctly.

3. See if pinging the interface is allowed in the config.

4. You can also run "debug icmp trace" to see any icmp messages passing through.

Please let me know if you find something from any of these steps.

-Shrikant

I followed your instruction below.

I direct connect my laptop to the ASA and I got the ip address from ASA via DHCP.But I am not able to ping the gateway.

and I saw following logs on ASA

ay 26 2011 02:37:18: %ASA-3-313001: Denied ICMP type=3, code=2 from 10.230.196.

2 on interface inside

May 26 2011 02:37:21: %ASA-4-313005: No matching connection for ICMP error messa

ge: icmp src inside:10.230.196.2 dst identity:10.230.196.1 (type 3, code 2) on i

nside interface.  Original IP payload: icmp src 10.230.196.1 dst 10.230.196.2 (t

ype 0, code 0).

May 26 2011 02:37:21: %ASA-3-313001: Denied ICMP type=3, code=2 from 10.230.196.

2 on interface inside

May 26 2011 02:37:27: %ASA-4-313005: No matching connection for ICMP error messa

ge: icmp src inside:10.230.196.2 dst identity:10.230.196.1 (type 3, code 2) on i

nside interface.  Original IP payload: icmp src 10.230.196.1 dst 10.230.196.2 (t

ype 0, code 0).

May 26 2011 02:37:27: %ASA-3-313001: Denied ICMP type=3, code=2 from 10.230.196.

2 on interface inside

My machine ip address is 10.230.196.2 and ASA ip address is 10.230.196.1.

Can you please help me on that?

Thank you in advance...

Hi Chirag,

Kindly post the outputs of "show run | in icmp", and "show shun".

I have a feeling the ip address of the PC is either shunned, OR, icmp is not allowed to the ASA's interface.

-Shrikant

Hi Chirag,

Do " show run icmp" and if this command is not present then add it :

icmp permit any

it should work after that.

Thanks,

Varun

Thanks,
Varun Rao

Hello

I got this output after follow your instructions

show run | in icmp

access-list inner extended permit icmp any xx.xx.xx.xx 255.255.xx.xx echo-r

eply

access-list inner extended permit icmp any any time-exceeded

access-list inner extended permit icmp any any unreachable

access-list inner extended permit icmp any any source-quench

icmp unreachable rate-limit 1 burst-size 1

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

And Still get same thing

ay 26 2011 04:11:25: %ASA-4-313005: No matching connection for ICMP error messa

ge: icmp src inside:10.230.196.2 dst identity:10.230.196.1 (type 3, code 2) on i

nside interface.  Original IP payload: icmp src 10.230.196.1 dst 10.230.196.2 (t

ype 0, code 0).

May 26 2011 04:11:25: %ASA-3-313001: Denied ICMP type=3, code=2 from 10.230.196.

2 on interface inside

Where my PC is 10.230.196.2 and ASA 10.230.196.1 it is gateway.

Please help on me....

Review Cisco Networking for a $25 gift card