cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1181
Views
0
Helpful
2
Replies

ASA disconnects SSH after n characters in n seconds

doli
Level 1
Level 1

I made a bash script to automatically fill an object group on an ASA related to Office365 IPs.

 

The script itself get's the IPs, changes the correct syntax and leaves a text file called outfile.txt which looks something like

 

 

enable
enpass
conf t
object-group network O365
network object 1.1.1.0 255.255.255.0
network object 1.1.2.0 255.255.255.0
....
end
wr mem

and has something along 90 lines of network objects.

 

 

The last thing the script does is to SSH into the ASA and pastes every line with:

 

cat outfile.txt | sshpass -p "pass" ssh user@1.1.1.1

The problem I have now is that the ASA disconnects the session after the script sent ~70,5 lines (disconnects all the time at the same line on "network obje")

________________________________________________________________________

EDIT: In the meantime I found out this probably isn't line related but rather character related

________________________________________________________________________

If I point the script to another server instead of an ASA (tried three different models) the script completes and SSH "pastes" every line till "write mem" and then disconnects, so this obviously isn't a problem with my script or the unix SSH utils.

 

If i copy the txt files content and just paste the in an open session it works flawlessly, but somehow the ASA disconnects my script all the time at the same line.

 

Does anybody know if there are some limitations on commands/second or something and if I could somehow change the value?

 

Output of SSH (with -v option):

abor-asa-01(config-network-object-group)#     network-object 157.55.45.128 25$
labor-asa-01(config-network-object-group)#     network-objedebug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Connection to 192.168.11.162 closed by remote host.
Transferred: sent 6856, received 118064 bytes, in 0.8 seconds
Bytes per second: sent 9031.5, received 155527.1
debug1: Exit status -1

Edit: For anyone interested enough you can try this with generating a file which just has line numbers in it. Many line numbers. Then shoot it to the ASA with the command mentioned above. Something like:

touch lines.txt
for i in {1..100000}; do echo $i >> lines.txt; done
cat lines.txt | sshpass -p "sshpassword" ssh user@ASA

 and I'll promise you it won't run for the whole 100000 commands but rather will kick you completely constant at the same number with a "Connection to ASA closed by remote host."

If ASAs IP is changed to a linux server or something, all 100000 commands get sent.

2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

Not sure what causing this issue, i feel some syntax issue here i am guessing.

 

Question :

 

the one working same version of ASA code ?

can you remove that 70 Line and try again ?

 

what is the line 70 ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,

thanks for your answer, but I'm not really sure what you mean with "the one working same version of ASA code ?"

 

This doesn't work on any ASA I've tried, you can try it too by just making a text file with 1000 some lines and shooting it to the ASA with the command I used, at some point it will kick you before your whole content gets SSHd.

 

can you remove that 70 Line and try again ?

I can but this doesn't matter. Even if the text file is just filled with 150 lines of "foobar" I want to get "ERROR: % Invalid input detected at '^' marker." for 150 times, but I'll only get it n times because the ASA disconnects me after the nth line.

 

For anyone interested you can try this with generating a file which just has line numbers in it. Many line numbers. Then shoot it to the ASA with the command mentioned above. Something like:

touch lines.txt
for i in {1..100000}; do echo $i >> lines.txt; done
cat lines.txt | sshpass -p "sshpassword" ssh user@ASA

 and I'll promise you it won't run for the whole 100000 commands but rather will kick you completely constant at the same number with a "Connection to ASA closed by remote host."

If ASAs IP is changed to a linux server or something, all 100000 commands get sent.

 

So no, this is no syntax issue.

Review Cisco Networking for a $25 gift card