ASA5520 - can't connect with putty

Alex Sykes
Level 1

Hi folks,

A bit of a strange one I'm hoping some of you may have come across before.

When I try to SSH (PuTTY) onto our Cisco ASA5520 (8.4.2), more often than not I get an 'Access denied' message when I enter the password, which I'm 100% sure is correct.

I enter the password three times until it disconnects me.  I then have to close the PuTTY session (numerous times on occasions) and start again, and then I can connect (if I'm lucky).

This is from the PuTTY event log:

2013-04-11 11:53:15 Sent password

2013-04-11 11:53:15 Access denied

Are there logs I can check when successfully connected to the firewall?

Thanks

Alex

8 Replies

Julio Carvajal
VIP Alumni

Hello Alex,

Yes.

Are you using any external database for authentication? If not, just use

debug aaa authentication

and try to log in, then post the results.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Many thanks for your reply.

We have local authentication on our firewall, however, when I connect my laptop using the console cable, the screen is constantly scrolling with firewall traffic and I can't find a way to stop it and, therefore, I cannot enter the command you suggested.

This only happens via console - not remote ssh (when I eventually connect).

Are there any historical logs I can check when successfully connected using SSH?

We have two 5520s in an HA pair, and I can make the stand-by firewall the primary one, and the same problem occurs - cannot SSH using PuTTY, and when using the console cable, constant scrolling of firewall traffic.

This is very odd behaviour.  Would something like a memory leak cause these issues?

Kind regards

Alex

when I connect my laptop using the console cable, the screen is constantly scrolling with firewall traffic

That means that debugging/informational logging is enabled. After a successful connection through SSH, first disable console logging using no logging console. After that, disconnect from SSH, connect to the console, enable

debug aaa authentication, connect again through SSH and see what's happening.

Are there any historical logs I can check when successfully connected using SSH?

Yes, you can enable logging to the buffer, i.e. logging buffer debugging. The log will be saved to the buffer and you'll be able to see it later. Alternatively you can save logs to any syslog server, but I don't think you need it here.
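The two-step procedure in the reply above (silence the console, capture to the buffer, then debug the next login), collected into one CLI session as an added example. It is not from the original thread: the hostname `asa`, the AAA server-group name `ACS` and the username `alex` are placeholders, and the `test aaa-server` step is an addition the reply does not mention.

```text
! Step 1: from whatever session you can still open (SSH, or the ASDM
! command-line tool), stop syslog from flooding the console port and
! keep messages in RAM instead so they can be read afterwards.
asa# configure terminal
asa(config)# no logging console
asa(config)# logging buffered debugging
asa(config)# logging buffer-size 65536
asa(config)# end

! Step 2: the console port is now usable. Turn on the AAA debug there and
! attempt the failing SSH login from PuTTY in another window. Debug output
! prints to the session that enabled it; "logging debug-trace" would send
! it to syslog (and so the buffer) instead.
asa# debug aaa authentication

! Step 3: review the syslog messages captured in the buffer. Filter on the
! AAA server address seen in the debug ("Resetting 10.116.0.3's numtries")
! and on the SSH username to find the accept/reject messages for that login.
asa# show logging | include 10.116.0.3
asa# show logging | include alex
asa# show aaa-server ACS          ! server state and request/failure counters

! Step 4 (optional): exercise the AAA server directly instead of retrying
! PuTTY. A reject here means the server answered and refused the account,
! which is the case that LOCAL fallback does not cover.
asa# test aaa-server authentication ACS host 10.116.0.3 username alex password <pw>

! Step 5: switch the debug off again; debugs cost CPU on a production box.
asa# undebug all
```

The `show logging | include` filters assume the buffer is at debugging level, as set in step 1, so that the informational-level AAA and login messages are retained.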

Hi Andrew,

Thanks for all the info - it is very much appreciated.

I had to send the 'no logging console' command from the ASDM because I still can't get SSH access.

However, once that was done, I ran the 'debug aaa authentication' command and got a 'Resetting 10.116.0.3's numtries' message.  That IP is our ACS, so I'll start looking there.

Thanks again for your help.

Regards

Alex

Hello,

You said it was local authentication, and now you are dealing with an ACS problem. You can share the ASA setup so we can review it.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Please accept my apologies - I didn't realise the ACS was used for this authentication.  I'm very new to Cisco products and I'm having difficulty learning on a production network.

Attached is the ASA config as requested.

Also, the ACS has the following messages in the logs:

Failure Reason > Authentication Failure Code Lookup

Failure Reason : 22056 Subject not found in the applicable identity store(s).

The help I'm receiving really is appreciated.

Regards

Alex

Hello Alex,

It does not look like the SSH sessions are being sent to the AAA server for authentication; they are being authenticated locally.

can you add :

username cisco password cisco

And try to authenticate with those as a test.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

I've managed to find a workaround by setting SSH authentication to local only - not ACS.

Thanks for your time and effort in helping me with this problem.

Regards

Alex
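The workaround above (SSH authentication set to local only) shown next to the central-AAA form of the same setting, as an added example that is neither the poster's attached config nor part of the original thread. The server-group name `ACS`, the protocol (TACACS+), the interface name `inside`, the management subnet and the username `alex` are assumptions; the ACS address is the one quoted in the thread.

```text
! --- Workaround as posted: SSH checks only the ASA's own user database. ---
! Works immediately, but credentials now live on each firewall, there is no
! central lockout, revocation or accounting, and the ACS error ("22056 Subject
! not found in the applicable identity store(s)") is left unfixed.
aaa authentication ssh console LOCAL
username alex password <strong-password> privilege 15
! Remove any throwaway test accounts once troubleshooting is done, e.g.:
no username cisco

! --- Intended end state: central authentication with local fallback. ---
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.116.0.3
 key <shared-secret>
 timeout 5
aaa authentication ssh console ACS LOCAL
aaa accounting ssh console ACS
ssh version 2
ssh 10.116.0.0 255.255.255.0 inside
```

The `LOCAL` keyword after the server group is a fallback for when every server in the group is unreachable; a reachable ACS that rejects the account (the 22056 case in the thread) still yields 'Access denied', so the identity-store mapping on the ACS has to be fixed rather than worked around. Keep one local account as the break-glass path, and keep the `ssh` source restriction tight, since that path bypasses the central server's lockout policy.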
