
ASA Upgrade, lost ssh access

zietgiestt
Level 1

Hello,

I just upgraded a Cisco ASA 5506 from 9.6 to 9.16(4)57 and I cannot SSH into it any longer.

Get an error: "server unexpectedly closed the network connection"

I can access via asdm.

I have SSH enabled and I have SSH allowed from only 2 machines (a local server and my laptop).

I'm thinking I need to generate a new crypto key.

My question is, if I do generate a new crypto key, will that break my IPsec tunnels?


Thanks,

8 Replies

Does the tunnel use RSA as auth?

If not, I don't see any connection between re-keying the SSH key and the IPsec VPN.

MHM

Tunnels use pre-shared keys, so I should be good to rekey?

In my view there is no issue at all. If you want, I can check in a lab and update you.

MHM

I don't think that would be necessary but thanks for offering.

Would you agree with me that upgrading with such a jump would require a rekey to regain SSH access, due to the deprecated encryption not being allowed on 9.16?

You should not NORMALLY have to generate a new RSA key (which is used for ssh, completely separate from the preshared keys used by any IPsec VPNs).

However, there is a change in behavior noted with 9.16 specifically as follows:

" SSH host key action required in 9.16(1)—In addition to RSA, we added support for the EDDSA and ECDSA host keys for SSH. The ASA tries to use keys in the following order if they exist: EDDSA, ECDSA, and then RSA. When you upgrade to 9.16(1), the ASA will fall back to using the existing RSA key. However, we recommend that you generate higher-security keys as soon as possible using the crypto key generate {eddsa | ecdsa} command. Moreover, if you explicitly configure the ASA to use the RSA key with the ssh key-exchange hostkey rsa command, you must generate a key that is 2048 bits or higher. For upgrade compatibility, the ASA will use smaller RSA host keys only when the default host key setting is used. RSA support will be removed in a later release."

Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/release/notes/asarn916.html
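As an added illustration (not part of this thread and not Cisco's code), the Python below models the SSH algorithm negotiation from RFC 4253 section 7.1 together with the host-key preference order the release note quotes (EDDSA, then ECDSA, then RSA). Every algorithm list in it is constructed for the example; none is the real KEXINIT proposal of ASA 9.16 or of any PuTTY release, and the wire names offered for an RSA host key are an assumption. What it shows is the mechanism behind "server unexpectedly closed the network connection": when a client no longer shares a single algorithm with the server in some category, the connection is torn down before any host key or password prompt appears, and no amount of re-keying on the ASA changes that.

```python
"""Model of SSH algorithm negotiation (RFC 4253, section 7.1) and of the
host-key preference order quoted from the ASA 9.16 release note.

All algorithm lists here are constructed for illustration. They are not the
real proposals of ASA 9.16 or of any PuTTY version.
"""
from dataclasses import dataclass

CATEGORIES = ("kex", "host_key", "cipher", "mac")


@dataclass
class Proposal:
    """Name-lists from one side's KEXINIT, in that side's preference order."""
    kex: list
    host_key: list
    cipher: list
    mac: list


def negotiate_one(client_pref, server_pref):
    """RFC 4253 7.1: the first algorithm on the client's list that the server
    also supports wins; if there is none, the connection must be torn down."""
    for alg in client_pref:
        if alg in server_pref:
            return alg
    return None


def negotiate(client, server):
    """Negotiate every category; stop at the first one with no common choice.

    Returns a dict with 'ok', the 'failed' category (or None) and the
    algorithms 'chosen' so far. A failed negotiation is what the client sees
    as the server closing the connection before any authentication prompt.
    """
    chosen = {}
    for cat in CATEGORIES:
        alg = negotiate_one(getattr(client, cat), getattr(server, cat))
        if alg is None:
            return {"ok": False, "failed": cat, "chosen": chosen}
        chosen[cat] = alg
    return {"ok": True, "failed": None, "chosen": chosen}


def asa_like_host_key_list(keys):
    """Build a server host-key list in the order the 9.16 note gives:
    EDDSA, then ECDSA, then RSA, using only the keys that exist.

    `keys` maps key type to a parameter, e.g. {"eddsa": "ed25519",
    "ecdsa": 384, "rsa": 2048}. The wire names emitted for RSA are an
    assumption about which signature flavours a server offers, not taken
    from Cisco documentation.
    """
    offered = []
    if "eddsa" in keys:
        offered.append("ssh-ed25519")
    if "ecdsa" in keys:
        offered.append(f"ecdsa-sha2-nistp{keys['ecdsa']}")
    if "rsa" in keys:
        offered += ["rsa-sha2-256", "ssh-rsa"]
    return offered


def server_proposal(keys):
    """Constructed 'hardened server' proposal: no SHA-1 KEX, no CBC, no MD5."""
    return Proposal(
        kex=["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
        host_key=asa_like_host_key_list(keys),
        cipher=["aes256-ctr", "aes128-ctr"],
        mac=["hmac-sha2-256"],
    )


# Constructed proposals standing in for an out-of-date client and a current one.
LEGACY_CLIENT = Proposal(
    kex=["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"],
    host_key=["ssh-rsa", "ssh-dss"],
    cipher=["aes256-cbc", "3des-cbc"],
    mac=["hmac-sha1"],
)
MODERN_CLIENT = Proposal(
    kex=["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    host_key=["ssh-ed25519", "ecdsa-sha2-nistp384", "rsa-sha2-256", "ssh-rsa"],
    cipher=["aes256-gcm@openssh.com", "aes256-ctr"],
    mac=["hmac-sha2-256"],
)


def main():
    rsa_only = {"rsa": 2048}
    all_keys = {"eddsa": "ed25519", "ecdsa": 384, "rsa": 2048}
    for label, client in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        for keys in (rsa_only, all_keys):
            print(label, sorted(keys), negotiate(client, server_proposal(keys)))


if __name__ == "__main__":
    main()
```

Running it shows the legacy client failing already at key exchange whatever host keys the server holds, while the modern client succeeds with the RSA key alone and picks the ed25519 key as soon as one exists, which is the fallback-then-prefer behaviour the note describes. On a real host, `ssh -vv` (OpenSSH) prints both sides' KEXINIT proposals and is the quickest way to see which category has no overlap.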

zietgiestt
Level 1

Thanks for the replies MHM & Marvin.

I figured it out... I had too old a version of PuTTY. I updated my PuTTY client and connected just fine.

I guess the silver lining is I have better ciphers now that I've changed all my SSH settings.

Thanks for the help...

Thanks a lot for updating us.

I was waiting to run some lab tests changing the cipher with the same RSA key.

But you took the short way.

Thanks 

Have a nice day 

MHM

Good to hear you are back in via ssh. Besides supporting newer algorithms, any version of Putty before earlier this year (0.80 or older) should be updated in any event due to a critical vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2024-31497
