08-21-2008 09:45 AM - edited 02-21-2020 02:58 AM
I remotely manage an ASA 5505. In the past, I have been able to access the public interface via SSH. I upgraded the ASA from 8.0.3 to 8.0.4. Since the upgrade, I have not been able to access the ASA public (outside) interface with SSH. I do have ASDM access. From the ASDM, I see the SSH connection has the TCP 3way handshake then the ASA sends a reset. From the logs, I see a Built and Teardown. I have not found any other logs. I have zeroized and regenerated the RSA key. Still no SSH connection.
Ideas?
08-21-2008 02:05 PM
Sounds like you have already done what is recommended by regenerating the RSA keys. Have you tried connecting from a different host to rule out SSH client issues? I have also upgraded to 8.0.4 and have seen a couple of strange things, not exactly related to SSH, but I am waiting for it to happen again to report it in the forum.
Do you still have this statement if you are using the local user database?
aaa authentication ssh console LOCAL
Also try a telnet test from the outside host to see if you get a screen back OK,
i.e.
telnet
If no joy, try disabling and re-enabling SSH on the outside interface:
no ssh
then re-enter the ssh statement.
HTH
Jorge
08-28-2008 05:59 PM
Hi Rick,
I would also suggest configuring 'debug ssh 255' and watching the output that is generated when you try to connect via SSH. Another one that may shed some light is 'debug npshim 15'. I would recommend enabling these as 2 separate tests (i.e. 'debug ssh 255', test, 'undebug all', 'debug npshim 15', test, 'undebug all').
Take a look through that output and see if it has any explanation as to why the reset is being sent.
Hope that helps.
-Mike
08-29-2008 03:23 AM
Please try the following:
* ssh 0.0.0.0 0.0.0.0 outside
just to make sure there is a translation device on the path connecting to the ASA outside interface
* Also regenerate the key
crypto key generate rsa modulus 1024
* Collect "debug ssh 255" that will confirm if any request is reaching ASA or not
* Since you are able to access ASDM, please check under Device that the SSH option is checked for authentication from the local database.
check for command
aaa authentication ssh console LOCAL
* If there is no user in the local database, please use 'pix' as the username and 'cisco' as the password,
with a blank enable password, or use the configured password.
* If things are still not working, send the debug outputs and logs taken while SSHing to the firewall.
Hope this will help
manjeet
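As an added example (not part of the thread and not Cisco's code), here is a client-side version of the telnet test Jorge suggests and of manjeet's "is any request reaching the ASA" check. It connects to the SSH port, waits for the identification banner, and classifies the result: banner received, connected-then-closed (the handshake-then-reset symptom in the original post), refused, unreachable, or timeout. The local fake listener, the banner string `SSH-2.0-example`, and the `ADVICE` text are constructed for this demonstration; the advice only echoes the checks suggested earlier in the thread (ssh statement, RSA key, AAA, `debug ssh 255`).

```python
"""Probe a host's SSH port and classify what comes back (added example)."""
import socket
import sys
import threading

# Probe outcomes
BANNER = "banner"            # peer sent an SSH identification line: sshd answered
CLOSED = "closed"            # TCP connected, then peer closed/reset before any banner
REFUSED = "refused"          # connection refused (no listener, or a filter answering RST)
UNREACHABLE = "unreachable"  # no route / network down
TIMEOUT = "timeout"          # no SYN/ACK, or connected but nothing came back in time
OTHER = "other"              # connected, got bytes that are not an SSH banner

# What each outcome suggests, in the terms used in the thread (constructed text)
ADVICE = {
    BANNER: "SSH answers; if login still fails, check 'aaa authentication ssh console LOCAL'.",
    CLOSED: "Port open but session dropped before the banner: check the 'ssh <addr> <mask> "
            "outside' statement and the RSA key, then run 'debug ssh 255' from the console.",
    REFUSED: "Nothing listening for this source: verify the source is permitted and no "
             "device in the path is blocking it.",
    UNREACHABLE: "No route to the target; fix reachability before blaming SSH.",
    TIMEOUT: "No reply: look for a translation or filtering device in the path.",
    OTHER: "Something other than sshd answered; check the port and the path.",
}


def probe_ssh(host, port=22, timeout=3.0):
    """Connect to host:port and return (outcome, first_line_or_None)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return REFUSED, None
    except socket.timeout:
        return TIMEOUT, None
    except OSError:
        return UNREACHABLE, None
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(256)
        except socket.timeout:
            return TIMEOUT, None
        except ConnectionResetError:
            return CLOSED, None
    if not data:  # orderly close (FIN) before any banner: same symptom as a reset
        return CLOSED, None
    line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if line.startswith("SSH-"):
        return BANNER, line
    return OTHER, line


def start_fake_ssh(banner=b"SSH-2.0-example\r\n", accept=True):
    """Constructed local peer on 127.0.0.1 for demonstration and tests.

    banner -> send it, then close (healthy service);
    b''    -> accept and close at once (the 'connected then torn down' symptom);
    accept=False -> kernel completes the handshake but nothing ever answers.
    Returns (port, listener); close the listener when done.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    if accept:
        def serve():
            conn, _ = listener.accept()
            with conn:
                if banner:
                    conn.sendall(banner)
        threading.Thread(target=serve, daemon=True).start()
    return port, listener


def free_port():
    """Return a loopback port with no listener (for the 'refused' case)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def main(argv):
    """Usage: probe_ssh.py [host [port]]; with no host, probe a local peer that drops us."""
    if len(argv) > 1:
        host, port = argv[1], int(argv[2]) if len(argv) > 2 else 22
        listener = None
    else:
        port, listener = start_fake_ssh(banner=b"")
        host = "127.0.0.1"
    outcome, line = probe_ssh(host, port)
    print(f"{host}:{port} -> {outcome}" + (f" ({line})" if line else ""))
    print(ADVICE[outcome])
    if listener:
        listener.close()
    return outcome


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the ASA's outside address as the first argument. A `closed` result reproduces what the original poster saw from ASDM (Built, then Teardown, no banner) and points at the ASA side; `refused`, `unreachable` or `timeout` point at the path or a filter in front of the firewall instead.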
08-29-2008 05:53 AM
I have tried to regen the key (no luck), I have confirmed AAA. I haven't been able to issue any debug commands. I only have ASDM access. The CLI from ASDM doesn't allow debug.
I plan to go to the site later today. I should have console access.
08-29-2008 10:44 AM
Maybe you have some stuck connections. If it's not a production box, try a 'clear local-host all'.
Regards
Farrukh
08-29-2008 12:26 PM
I tested one last time before leaving for the new site; SSH access failed. I went to the site, connected to the internal network and tried to SSH to the ASA inside interface. SSH access worked. I was prompted to accept the new key and I was in (I had generated a new RSA key the other day). I then remotely connected back to my home network and connected to the ASA outside interface (SSH). It worked. Again, I was prompted to accept the new key and I was in.
Sadly I didn't capture any debug information. Thank you for the ideas.