07-02-2018 02:08 PM - last edited on 02-21-2020 11:35 PM by cc_security_adm
This question has been asked a couple of other times, but no one has ever answered it. I am bringing up an AWS instance running the Cisco ASAv 9.9.2.1 application, but I am unable to ssh into the resulting instance. I am following the instructions provided by Cisco for starting up the instance here: https://aws.amazon.com/marketplace/pp/B00WH2LGM0?ref=cns_srchrow. I have verified the key pair that I am using multiple times, and am able to see that my public key is being used by checking the console log of the instance. I am using the ssh command line option "-oKexAlgorithms=+diffie-hellman-group1-sha1". I am logging in as "admin@ip_address". I am not including my own day0 configuration, just letting the instance start up. Every time I try to ssh, I get a request for a password, and nothing works: not hitting enter, not entering a random word.
The console log contents are below. I've exhausted the AWS support team -- they have no idea what is wrong. Any ideas would be most helpful.
oader: Platform type set to default
Platform ASAv
loader: Platform type set to default
IO memory blocks requested from bigphys 32bit: 87680
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/xvda1: 24 files, 24890/65246 clusters
dosfsck(/dev/xvda1) returned 0
Mounting /dev/xvda1
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/xvda2: 2 files, 1/2092548 clusters
dosfsck(/dev/xvda2) returned 0
Mounting /dev/xvda2
no cdrom devices found
info: Running in xenaws virtual environment.
Lina to use serial port /dev/ttyS0 for console IO
Loading...
Starting image verification
Hash Computation: [stuff]
Computed Hash SHA2: 42aec3a0f215ca357fd5f3587c854f28 26801bf1e9cf4655abc4da7bf75b7fc0 2b00fd7dc3e0fb40710503a41c2b4087 95adc3939f5392d08fe0589d809eff50
Embedded Hash SHA2: 42aec3a0f215ca357fd5f3587c854f28 26801bf1e9cf4655abc4da7bf75b7fc0 2b00fd7dc3e0fb40710503a41c2b4087 95adc3939f5392d08fe0589d809eff50
The digital signature of the running image verified successfully
Processor memory: 16642998272
POST started...
POST finished, result is 0 (hint: 1 means it failed)
Compiled on Thu 05-Apr-18 10:31 PDT by builders
SSL Hardware Offload is NOT Enabled
ERROR: Failed to initialize Cipher list; cannot open Cipher ID file /mnt/disk0/.private/ctm_supported_ciphers.conf; No such file or directory.
Failed to read security parameters - base 0xfff00000 offset 0x400 buf_size 20
secstore_buf_fill: Error reading secure store - buffer 0x51919df0, size 0x14 tag 3 id 0
ASA: Platform type set to default.
secstore rcode 1
Failed to read security parameters - base 0x0 offset 0x400 buf_size 20
secstore_buf_fill: Error reading secure store - buffer 0x51919bd0, size 0x14 tag 4 id 0
Could not find /tmp/pci_sorted
Total NICs found: 0
WARNING: Attribute already exists in the dictionary.
WARNING: Attribute already exists in the dictionary.
INFO: Unable to read firewall mode from flash
Writing default firewall mode (single) to flash
INFO: Unable to read cluster interface-mode from flash
Writing default mode "None" to flash
Unable to open file: flash:/.private/aws_product_codes, rc -1
Product code file not found: flash:/.private/aws_product_codes
Unable to open file: flash:/.private/aws_instance_type, rc -1
Product code file not found: flash:/.private/aws_instance_type
Cisco Adaptive Security Appliance Software Version 9.9(2)1
****************************** Warning *******************************
This product contains cryptographic features and is subject to United States and local country laws governing, import, export, transfer, and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute, or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
Cisco Systems, Inc.
Error: Platform type has not been configured.
Successfully discovered platform.
Rebooting to apply the platform type.
Process shutdown finished
Rebooting... (status 0x9)
..
INIT: Switching to runlevel: 6
INIT: Sending processes the TERM signal
Stopping Advanced Configuration and Power Interface daemon: no /usr/sbin/acpid found; none killed acpid.
Deconfiguring network interfaces... done.
Sending all processes the TERM signal...
Sending all processes the KILL signal...
Deactivating swap...
Unmounting local filesystems...
Rebooting...
Platform ASAv
IO memory blocks requested from bigphys 32bit: 87680
INIT: version 2.88 booting
Starting udev
Configuring network interfaces... done.
Populating dev cache
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/xvda1: 24 files, 24890/65246 clusters
dosfsck(/dev/xvda1) returned 0
Mounting /dev/xvda1
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
Starting check/repair pass.
Starting verification pass.
/dev/xvda2: 28 files, 43/2092548 clusters
dosfsck(/dev/xvda2) returned 0
Mounting /dev/xvda2
no cdrom devices found
Info: Encrypted disk file system created & mounted successfully
udhcpc (v1.21.1) started
Sending discover...
Sending select for 10.0.90.194...
Lease of 10.0.90.194 obtained, lease time 3600
/etc/udhcpc.d/50default: Adding DNS 10.0.0.2
Day0 Config:
Interface Addresses: 0 10.0.90.194 10.0.80.0/20
Instance Type: m4.xlarge
Public Key: ssh-rsa [my valid public key]
udhcpc (v1.21.1) started
Sending discover...
Sending select for 10.0.90.194...
Lease of 10.0.90.194 obtained, lease time 3600
/etc/udhcpc.d/50default: Adding DNS 10.0.0.2
Unicasting a release of 10.0.90.194 to 10.0.80.1
Sending release...
Entering released state
day0_net_config_populate()
day_all_config_sanitize()
info: Running in xenaws virtual environment.
Lina to use serial port /dev/ttyS0 for console IO
Loading...
Starting image verification
Hash Computation: [stuff]
Computed Hash SHA2: 42aec3a0f215ca357fd5f3587c854f28 26801bf1e9cf4655abc4da7bf75b7fc0 2b00fd7dc3e0fb40710503a41c2b4087 95adc3939f5392d08fe0589d809eff50
Embedded Hash SHA2: 42aec3a0f215ca357fd5f3587c854f28 26801bf1e9cf4655abc4da7bf75b7fc0 2b00fd7dc3e0fb40710503a41c2b4087 95adc3939f5392d08fe0589d809eff50
The digital signature of the running image verified successfully
Processor memory: 16642998272
POST started...
POST finished, result is 0 (hint: 1 means it failed)
Compiled on Thu 05-Apr-18 10:31 PDT by builders
SSL Hardware Offload is NOT Enabled
Total NICs found: 1
WARNING: Attribute already exists in the dictionary.
WARNING: Attribute already exists in the dictionary.
Product code file found, Read buffer: 80uds1joqwlz35hw1lx5h1bcc
Instance file found, Read buffer: m4.xlarge
Cisco Adaptive Security Appliance Software Version 9.9(2)1
****************************** Warning *******************************
This product contains cryptographic features and is subject to United States and local country laws governing, import, export, transfer, and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute, or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
Cisco Systems, Inc.
NFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
*** Output from config line 8, "crypto key generate rsa ..."
WARNING: This command will not take effect until interface 'management' has been assigned an IPv4 address
WARNING: SSH version 1 is not secure. It is recommended that only SSH version 2 be used. SSH version 1 support will be removed in a future release.
*** Output from config line 9, "ssh 0 0 management"
Cryptochecksum (changed): 3b9b2dd8 e8bc120c 9af74f0c 4a825522
INFO: converting 'fixup protocol dns maximum-length 512' to MPF commands
ERROR: Inspect configuration of this type exists, first remove that configuration and then add the new configuration
INFO: converting 'fixup protocol ftp 21' to MPF commands
INFO: converting 'fixup protocol h323_h225 1720' to MPF commands
INFO: converting 'fixup protocol h323_ras 1718-1719' to MPF commands
INFO: converting 'fixup protocol ip-options 1' to MPF commands
INFO: converting 'fixup protocol netbios 137-138' to MPF commands
INFO: converting 'fixup protocol rsh 514' to MPF commands
INFO: converting 'fixup protocol rtsp 554' to MPF commands
INFO: converting 'fixup protocol sip 5060' to MPF commands
INFO: converting M:convertcPNO: conr2d INFO: c 1nig 'u NO:u6d NOxucNnr' .....................................
INFO: Power-On Self-Test complete.
On virtual platforms the SW-DRBG health test will be run twice:
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...
Trustpoint '_SmartCallHome_ServerCA' is a subordinate CA and holds a non self-signed certificate.
ser enable_1 loah. oep or '?asFailure contacting AWS server; reason code 2
Setting license params for entitlement update
AWS Hourly Licensing: Rate limiting deactivated
AWS server successfully contacted
07-02-2018 06:00 PM
07-02-2018 06:10 PM
Hi Francesco,
Thanks for the advice. Unfortunately that did not work. In addition, the Cisco instructions specifically request that one log in as the user "admin". I would have been happy to get ec2-user working as an alternative, but it also resulted in an ssh password request.
Thanks,
Steve
07-02-2018 06:17 PM
OK, sorry, I tried. When I read the ASA AWS doc the syntax is the same, and you're right, they use admin instead of ec2-user.
Also, in some posts from the community, people are using the same command as I posted but with user admin, and they didn't get a password prompt.
If it's not working with AWS TAC, have you tried Cisco TAC?
07-03-2018 08:11 AM
Figured this out. The ssh key pair that we were using by default for our AWS instances was not compatible with the key pair type expected by the Cisco OS. We allowed AWS to generate a new key pair when launching the Cisco instance and were able to login using that new key pair.
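The fix above comes down to the key pair the instance booted with not matching the one on the client. The Day0 section of the console log prints the public key the ASAv actually installed ("Public Key: ssh-rsa ..."), so the mismatch can be checked offline before opening a TAC case. The following Python is an added example, not code from the thread, from Cisco, or from AWS: it parses OpenSSH public-key lines, verifies the key type embedded in the base64 blob matches the text prefix, computes the SHA256 fingerprint the way `ssh-keygen -l -E sha256` does, and compares a local key with the key and key type taken from the console log. It does not assume anything about which key types ASA supports beyond what the log shows; the RSA and ed25519 keys and the log snippet in the block are constructed toy values, not real keys.

```python
"""Compare the SSH public key an ASAv logged at boot with a local key.

Added example, not part of the original thread or any Cisco/AWS tooling.
All keys below are constructed toy values; the RSA modulus is far too small
to be a real key.
"""
import base64
import hashlib
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a positive SSH mpint (leading 0x00 added when the MSB is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Decode one wire-format string at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_openssh_pubkey(line: str):
    """Return (key_type, blob, comment) for one OpenSSH public-key line.

    Raises ValueError when the text prefix disagrees with the type string
    embedded in the blob, which is how a hand-edited or corrupted key shows up.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded, _ = _read_string(blob, 0)
    if embedded.decode() != key_type:
        raise ValueError(f"prefix {key_type!r} != embedded {embedded.decode()!r}")
    return key_type, blob, comment


def sha256_fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in ssh-keygen's format (base64 without '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Matches the "Public Key: <type> <base64>" line the ASAv prints at boot.
CONSOLE_KEY_RE = re.compile(r"Public Key:\s*(\S+)\s+(\S+)")


def check_key_against_console(local_pubkey_line: str, console_log: str) -> dict:
    """Report whether the local key is the one the instance booted with."""
    m = CONSOLE_KEY_RE.search(console_log)
    if not m:
        raise ValueError("no 'Public Key:' line in the console log")
    inst_type, inst_blob, _ = parse_openssh_pubkey(f"{m.group(1)} {m.group(2)}")
    local_type, local_blob, _ = parse_openssh_pubkey(local_pubkey_line)
    return {
        "instance_type": inst_type,
        "local_type": local_type,
        "instance_fp": sha256_fingerprint(inst_blob),
        "local_fp": sha256_fingerprint(local_blob),
        "same_type": inst_type == local_type,
        "same_key": inst_blob == local_blob,
    }


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Constructed toy ssh-rsa line: string "ssh-rsa", mpint e, mpint n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def build_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Constructed toy ssh-ed25519 line: string "ssh-ed25519", 32-byte string."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed keys: the one AWS generated for the instance, and a laptop default.
RSA_LINE = build_rsa_pubkey_line(65537, 0xC0FFEE_1234_5678_9ABC_DEF0, "aws-generated")
ED25519_LINE = build_ed25519_pubkey_line(bytes(range(32)), "laptop-default")

# Constructed stand-in for the Day0 part of the instance console log.
CONSOLE_LOG = (
    "Day0 Config: Interface Addresses: 0 10.0.90.194 10.0.80.0/20 "
    f"Instance Type: m4.xlarge Public Key: {RSA_LINE.rsplit(' ', 1)[0]} "
    "udhcpc (v1.21.1) started"
)

if __name__ == "__main__":
    for line in (RSA_LINE, ED25519_LINE):
        r = check_key_against_console(line, CONSOLE_LOG)
        print(f"{r['local_type']:12} local={r['local_fp']} "
              f"instance={r['instance_fp']} same_type={r['same_type']} "
              f"same_key={r['same_key']}")
```

With a real instance, feed `check_key_against_console` the contents of the `.pub` file you pass to `ssh -i` and the text from `aws ec2 get-console-output --instance-id <id> --output text`; `same_key` false with `same_type` true means the wrong key of the right kind was injected, while `same_type` false is the situation the accepted answer describes, and regenerating the key pair at launch is the quickest way out.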
04-23-2024 12:33 PM
Could you please explain more about how you fixed that issue?
What did you mean by "We allowed AWS to generate a new key pair when launching the Cisco instance"?