08-07-2023 09:32 AM - edited 08-07-2023 09:32 AM
Hi
I have an FMC-managed 1140 device on FTD 7.2.4. As of this morning I was able to SSH to it on the management interface; now I am not able to SSH. I also added a policy to try to SSH via the other interfaces, but without luck. This is what I get:
kex_exchange_identification: Connection closed by remote host
There is a script running in the background to fix a S2S session reestablishing every hour, and it uses SSH to that management interface. It stopped working this morning. The script does close the SSH session/connection, so cleanup is done.
Questions:
- How to troubleshoot SSH connections? I have serial console access.
- How to see if the SSH daemon is running or probably crashed if resources/sessions are not properly released? Possibility..
Thanks
08-07-2023 10:21 AM - edited 08-07-2023 10:23 AM
There is a monitoring daemon that watches the sshd listener. It is supposed to restart the listener if it finds it to not be listening.
> expert
admin@ftdv-1:~$ sudo su -
Password:
root@ftdv-1:~# ps -ef | grep ssh
root 3574 3531 0 Jul24 ? 00:01:19 /bin/sh /etc/init.d/sshd monitor
root 24401 1 0 Jul24 ? 00:00:00 sshd: /usr/sbin/sshd [listener] 0 of 100-100 startups
root 28638 24401 0 17:17 ? 00:00:00 sshd: admin [priv]
admin 28647 28638 0 17:17 ? 00:00:00 sshd: admin@pts/0
root 28804 28749 0 17:17 pts/0 00:00:00 grep --color=auto ssh
root@ftdv-1:~#
You can trigger it manually as follows:
/etc/init.d/ssh {start|stop|status|reload|force-reload|restart|monitor}
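An added example (not from the thread or from Cisco): a shell function that reads `ps -ef` output and reports whether the sshd listener and the `/etc/init.d/sshd monitor` process from the listing above are present, and whether the listener's `N of A-B startups` counter has reached the limit at which sshd closes new unauthenticated connections. The function name `sshd_health` and the sample input are constructed for illustration, and awk is assumed to be available where it is run.

```shell
#!/bin/sh
# Added example: classify sshd health from `ps -ef` output read on stdin.
# On a live system it would be used as:  ps -ef | sshd_health

# Constructed sample input, modelled on the process listing in the post above.
SAMPLE_PS='root 3574 3531 0 Jul24 ? 00:01:19 /bin/sh /etc/init.d/sshd monitor
root 24401 1 0 Jul24 ? 00:00:00 sshd: /usr/sbin/sshd [listener] 0 of 100-100 startups
root 28638 24401 0 17:17 ? 00:00:00 sshd: admin [priv]
admin 28647 28638 0 17:17 ? 00:00:00 sshd: admin@pts/0
root 28804 28749 0 17:17 pts/0 00:00:00 grep --color=auto ssh'

sshd_health() {
    awk '
        # The watchdog that is supposed to restart a dead listener.
        /\/etc\/init\.d\/sshd monitor/ { monitor = 1 }

        # OpenSSH listener title: "[listener] N of A-B startups".
        # N = unauthenticated connections in progress,
        # B = hard limit (MaxStartups) at which every new connection is dropped.
        /sshd: .*\[listener\]/ {
            listener = 1
            for (i = 2; i < NF; i++)
                if ($i == "of") {
                    cur = $(i - 1)
                    split($(i + 1), lim, "-")
                    max = lim[2]
                }
        }

        END {
            if (!listener)                            state = "down"
            else if (max + 0 > 0 && cur + 0 >= max + 0) state = "saturated"
            else                                      state = "up"
            printf "listener=%s monitor=%s startups=%d/%d\n",
                   state, (monitor ? "up" : "down"), cur, max
        }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_PS" | sshd_health
```

A `saturated` result means sessions are piling up before authentication, which is worth checking when an automated job opens SSH connections on a schedule.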
08-07-2023 09:58 AM
Opening a TAC case would provide the best outcome for a problem such as this.
If you are not able to do so or just want to check for yourself, you could probably go into expert mode on the managed FTD and check for the listener on tcp/22 using netstat. You might also capture logs with "pigtail -all" (also done from expert mode) while trying to connect via SSH.
08-07-2023 10:01 AM
Hi Marvin.. thanks
I will inform Cisco.. but strange as it is Linux/Unix based, there should be a servicectl somewhere..
08-07-2023 11:32 AM
Hi Marvin
Seems the monitor process is not running..
08-07-2023 11:27 AM
Yeah, I did manage to restart the SSHD service.. did post here with commands, but for an odd reason got blocked on the forum.. likely thought I was trying to inject it.. will need to see how to pass commands without it blocking my access
02-25-2024 05:15 AM