ASA Upgrade, lost ssh access

zietgiestt
Level 1

Hello,

I just upgraded a Cisco ASA 5506 from 9.6 to 9.16(4)57 and I cannot SSH into it any longer.

Get an error: "server unexpectedly closed the network connection"

I can access via asdm.

I have SSH enabled and I have SSH allowed from only 2 machines (a local server and my laptop).

I'm thinking I need to generate a new crypto key.

My question is, if I do generate a new crypto key, will that break my IPsec tunnels?

Thanks,



Does the tunnel use RSA as auth?

If not, I don't see any relation between re-keying SSH and the IPsec VPN.

MHM

Tunnels use pre-shared keys, so I should be good to rekey?

In my view there is no issue at all; if you want, I can check in a lab and update you.

MHM

I don't think that would be necessary but thanks for offering.

Would you agree with me that such a big version jump would require a rekey to regain SSH access, due to the deprecated encryption not being allowed on 9.16?

You should not NORMALLY have to generate a new RSA key (which is used for ssh, completely separate from the preshared keys used by any IPsec VPNs).

However, there is a change in behavior noted with 9.16 specifically as follows:

"SSH host key action required in 9.16(1)—In addition to RSA, we added support for the EDDSA and ECDSA host keys for SSH. The ASA tries to use keys in the following order if they exist: EDDSA, ECDSA, and then RSA. When you upgrade to 9.16(1), the ASA will fall back to using the existing RSA key. However, we recommend that you generate higher-security keys as soon as possible using the crypto key generate {eddsa | ecdsa} command. Moreover, if you explicitly configure the ASA to use the RSA key with the ssh key-exchange hostkey rsa command, you must generate a key that is 2048 bits or higher. For upgrade compatibility, the ASA will use smaller RSA host keys only when the default host key setting is used. RSA support will be removed in a later release."

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/release/notes/asarn916.html

zietgiestt
Level 1

Thanks for the replies MHM & Marvin.

I figured it out... I had too old a version of PuTTY. I updated my PuTTY client and it connected just fine.

I guess the silver lining is I have better ciphers now that I've changed all my SSH settings.


Thanks for the help...

Thanks a lot for updating us.

I was waiting to run some lab tests changing the cipher with the same RSA key.

But you found the short way.

Thanks 

Have a nice day 

MHM

Good to hear you are back in via SSH. Besides supporting newer algorithms, any version of PuTTY before earlier this year (0.80 or older) should be updated in any event due to a critical vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2024-31497

Marvin,

I was trying to understand what fixes this issue. I upgraded from 9.12.4 to 9.16.4; SSH worked at first, and then all I get is "Connection reset by peer". I can use ASDM just fine. It's SSH that fails now.
This is what I have for the SSH config.

ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh key-exchange hostkey rsa
ssh x.x.x.x 255.255.255.255 outside

This is the command I ran after zeroing the RSA key:
crypto key generate rsa modulus 3072 noconfirm

I have tried this with ECDSA too, using this command:
crypto key generate ecdsa elliptic-curve 384 noconfirm

All commands have been run via the CLI in ASDM.

I am using both PuTTY and SecureCRT.

Help if you can.

Ken
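The post above pastes the box's ssh lines and the key-generation commands, and the 9.16 release note quoted earlier states what those settings must satisfy (an explicit RSA host key of at least 2048 bits, a recommendation to move to ECDSA/EdDSA). The script below is an added example, not Cisco tooling or anything from the thread: it parses ssh lines of the form shown in the post into a structure and audits them against those requirements plus the SHA-1 key-exchange group. The sample config is constructed from the pasted one with the peer address replaced by a documentation address, and the host-key sizes are passed in as a dict (3072 matches the crypto key generate command in the post).

```python
"""Audit the 'ssh' lines of an ASA running-config against the 9.16 host-key notes.
Added example (not Cisco's code); SAMPLE_CONFIG is constructed from the thread."""
import re

# Constructed sample, adapted from the config pasted in the thread.
SAMPLE_CONFIG = """\
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
ssh key-exchange hostkey rsa
ssh 192.0.2.10 255.255.255.255 outside
"""

# SHA-1 based DH groups; dh-group14-sha256 is the supported stronger option.
WEAK_KEX_GROUPS = {"dh-group1-sha1", "dh-group14-sha1"}
# Required when 'ssh key-exchange hostkey rsa' is configured explicitly (9.16 release notes).
MIN_RSA_BITS = 2048


def parse_ssh_config(text):
    """Turn the ssh lines into a dict of settings plus the list of allowed peers."""
    cfg = {"access": []}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "ssh":
            continue                            # not an ssh line
        if parts[1] == "key-exchange" and len(parts) == 4:
            cfg["kex_" + parts[2]] = parts[3]   # kex_group / kex_hostkey
        elif re.match(r"\d+\.\d+\.\d+\.\d+$", parts[1]) and len(parts) == 4:
            cfg["access"].append({"host": parts[1], "mask": parts[2], "interface": parts[3]})
        elif len(parts) == 2:
            cfg[parts[1]] = True                # flags such as stricthostkeycheck
        else:
            cfg[parts[1]] = parts[2]            # timeout 5, version 2, ...
    return cfg


def audit(cfg, host_keys):
    """host_keys maps key type to bit size present on the box, e.g. {'rsa': 3072}.
    Returns a list of (severity, finding) tuples; an empty list means no findings."""
    findings = []
    group = cfg.get("kex_group")
    if group in WEAK_KEX_GROUPS:
        findings.append(("high", f"kex group {group} is SHA-1 based; use dh-group14-sha256"))
    hostkey = cfg.get("kex_hostkey", "rsa")    # ASA falls back to RSA when nothing else exists
    if hostkey == "rsa":
        bits = host_keys.get("rsa", 0)
        if "kex_hostkey" in cfg and bits < MIN_RSA_BITS:
            findings.append(("high", f"explicit RSA host key must be >= {MIN_RSA_BITS} bits (have {bits})"))
        if not ({"ecdsa", "eddsa"} & host_keys.keys()):
            findings.append(("medium", "no ECDSA/EdDSA host key; RSA support is scheduled for removal"))
    for entry in cfg["access"]:
        if entry["host"] == "0.0.0.0" or entry["mask"] == "0.0.0.0":
            findings.append(("high", f"ssh allowed from any address on {entry['interface']}"))
    return findings


if __name__ == "__main__":
    for severity, text in audit(parse_ssh_config(SAMPLE_CONFIG), {"rsa": 3072}):
        print(f"[{severity}] {text}")
```

Run against the pasted config with only the 3072-bit RSA key present, it reports the SHA-1 group and the missing ECDSA/EdDSA key; once the ecdsa 384 key from the post is generated only the kex-group finding remains. The "open to 0.0.0.0" test setup mentioned later in the thread is flagged as well, which is the kind of thing to revert once troubleshooting is done.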

@kcousino123 did you check your versions? Old PuTTY or SecureCRT can both fail to support the latest SSH kex algorithms.

I also see you allow ssh from only one address on the outside. Is that the source where you see the issue and are you trying to ssh to the outside interface?
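The "server unexpectedly closed the network connection" in the original question and the point above about old clients not supporting the newer kex algorithms both come down to the same thing: right after the banner exchange the server sends a KEXINIT listing what it offers, and if the client shares no algorithm in any category the connection is dropped before authentication. The script below is an added example, not something from the thread or from Cisco: it parses an unencrypted KEXINIT per RFC 4253 and reports the categories where a given client list has no overlap. The sample server offer and the two client profiles are constructed, not captured from an ASA; probe_server is the optional live part and is not exercised offline.

```python
"""Parse an SSH server's KEXINIT and compare it with a client's algorithm lists.
Added example (not from the thread); the sample KEXINIT is constructed locally."""
import socket
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of a KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LIST_FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

# Constructed sample: what a modern server might offer (not an ASA capture).
SAMPLE_SERVER = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ecdsa-sha2-nistp384", "rsa-sha2-256"],
    "encryption_client_to_server": ["aes256-gcm@openssh.com", "aes256-ctr"],
    "encryption_server_to_client": ["aes256-gcm@openssh.com", "aes256-ctr"],
    "mac_client_to_server": ["hmac-sha2-256"],
    "mac_server_to_client": ["hmac-sha2-256"],
    "compression_client_to_server": ["none"],
    "compression_server_to_client": ["none"],
}
# Constructed client profiles: a stale client with SHA-1 only, and a current one.
OLD_CLIENT = {
    "kex_algorithms": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_client_to_server": ["aes256-ctr"],
    "mac_client_to_server": ["hmac-sha1"],
}
MODERN_CLIENT = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ecdsa-sha2-nistp384", "rsa-sha2-256"],
    "encryption_client_to_server": ["aes256-ctr"],
    "mac_client_to_server": ["hmac-sha2-256"],
}


def _name_list(data, offset):
    """Decode one RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    (length,) = struct.unpack_from(">I", data, offset)
    offset += 4
    raw = data[offset:offset + length].decode("ascii")
    return (raw.split(",") if raw else []), offset + length


def parse_kexinit(payload):
    """Return the ten algorithm name-lists of a KEXINIT payload as a dict."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    offset = 1 + 16                       # message id + 16-byte random cookie
    result = {}
    for field in NAME_LIST_FIELDS:
        result[field], offset = _name_list(payload, offset)
    return result


def build_kexinit(name_lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload; used here only to construct sample input."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        names = ",".join(name_lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows, reserved


def missing_overlap(server, client):
    """Categories in which client and server share no algorithm, with the server's
    list for each; a non-empty result is the usual cause of a disconnect right
    after the banner exchange."""
    gaps = {}
    for field in ("kex_algorithms", "server_host_key_algorithms",
                  "encryption_client_to_server", "mac_client_to_server"):
        if not [a for a in client.get(field, []) if a in server.get(field, [])]:
            gaps[field] = server.get(field, [])
    return gaps


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection before KEXINIT")
        buf += chunk
    return buf


def read_packet(sock):
    """Read one unencrypted SSH binary packet and return its payload."""
    packet_len, padding_len = struct.unpack(">IB", _recv_exact(sock, 5))
    body = _recv_exact(sock, packet_len - 1)
    return body[:packet_len - 1 - padding_len]


def probe_server(host, port=22, timeout=5):
    """Exchange version strings with a live server and return its parsed KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        line = b""
        while not line.startswith(b"SSH-"):      # skip any pre-banner text lines
            line = b""
            while not line.endswith(b"\n"):
                line += _recv_exact(sock, 1)
        sock.sendall(b"SSH-2.0-kexprobe\r\n")
        return parse_kexinit(read_packet(sock))
```

Offline, feeding the constructed server offer to the parser and comparing it with OLD_CLIENT reports gaps in the kex, host-key and MAC categories, while MODERN_CLIENT negotiates cleanly; pointed at a real host with probe_server, the same comparison tells you whether the client or the server side needs updating before you touch the ASA's host keys.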

@Marvin Rhoads, I do have current versions of both software running. I have multiple public IPs for this access but only showed one for the chat. Also, for the testing, I have it open to 0.0.0.0. I am trying to connect to the outside interface. Here is the really weird thing: I actually upgraded 6 5506 firewalls, and on 5 SSH doesn't work now, but on one it still works. I compared those configs and there isn't anything different. I wondered if there was a better version of the software that I should migrate to, or is this issue the same moving forward.

Do you have any other NATs that possibly use the interface address for port 22?

@Marvin Rhoads, no, I don't have any other NATs. One of the things I wondered is if it might have something to do with the chipset version on the firewall.
Do you know if this issue exists on newer versions of the software?

@kcousino123 please check the following and share the output on one of your non-working firewalls:

show asp table socket | include ssh
