01-30-2013 05:52 PM - edited 03-11-2019 05:54 PM
Hi there
I have generated the key and can ssh to the outside interface. I have allowed access on the inside interface. I can telnet but not ssh. I captured packets and can see incoming only. Any ideas?
TIA
01-30-2013 07:15 PM
Can you please share the config, and also advise which IP you are trying to ssh to the inside interface from?
01-30-2013 08:00 PM
Hi there,
Here it is -
interface Ethernet0/1
 switchport access vlan 2
 speed 100
 duplex full
!
interface Vlan2
 description INSIDE
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ssh 192.168.1.0 255.255.255.0 INSIDE
Trying to ssh from the L3 switch directly connected to the inside interface.
Thanks -
01-30-2013 09:33 PM
Hello Naresh,
Share the following
capture asp type asp-drop all circular-buffer
capture capin interface INSIDE match tcp host x.x.x.x host 192.168.1.1 eq 22
Then try to connect and share the whole output of
show cap capin
show cap asp | include x.x.x.x (Switch Ip)
Can you ping the Switch interface from the ASA?
Can you ping the ASA from the switch?
Regards
01-30-2013 10:04 PM
Hi there,
Here it is -
asa01(config)# sh cap capin
4 packets captured
1: 21:59:03.583343 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
2: 21:59:05.586990 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
3: 21:59:09.588577 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
4: 21:59:17.591659 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
4 packets shown
asa01(config)#
asa01(config)# sh cap asp
0 packet captured
0 packet shown
asa01(config)#
Can you ping the Switch interface from the ASA? - Yes
Can you ping the ASA from the switch? - Yes
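The capin output above is the diagnostic signature of this thread: SYNs to 192.168.1.1:22 arrive and are retransmitted on the client's backoff schedule, nothing comes back, and the asp-drop capture is empty, so the packets reach the box but the SSH service itself is not answering. As an added example (not from the thread or from Cisco), the following Python parses text in the ASA show capture format and classifies each client-to-server flow as answered, refused or silent; the sample is constructed, with its first four packet lines copied from the capture above and the telnet and HTTPS flows invented for contrast.

```python
import re
from collections import defaultdict
# Constructed sample in ASA "show capture" format. Lines 1-4 mirror the thread's capin output (SSH SYNs,
# no reply); lines 5-8 are made-up telnet (answered with SYN-ACK) and HTTPS (answered with RST) flows.
SAMPLE = """asa01(config)# sh cap capin
   1: 21:59:03.583343 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
   2: 21:59:05.586990 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
   3: 21:59:09.588577 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
   4: 21:59:17.591659 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
   5: 21:59:20.100000 802.1Q vlan#240 P0 192.168.1.2.56700 > 192.168.1.1.23: S 100:100(0) win 4128
   6: 21:59:20.100500 802.1Q vlan#240 P0 192.168.1.1.23 > 192.168.1.2.56700: S 900:900(0) ack 101 win 8192
   7: 21:59:25.200000 802.1Q vlan#240 P0 192.168.1.2.56710 > 192.168.1.1.443: S 200:200(0) win 4128
   8: 21:59:25.200400 802.1Q vlan#240 P0 192.168.1.1.443 > 192.168.1.2.56710: R 0:0(0) ack 201 win 0
8 packets shown
"""
# One packet line (tcpdump-style summary), with or without the 802.1Q tag; prompts and trailers do not match.
PKT_RE = re.compile(r"^\s*\d+:\s+\S+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)"
                    r"\s+>\s+(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[SRPFU.]+)\s*(?P<rest>.*)$")

def parse_capture(text):
    """Return (src, sport, dst, dport, flags, has_ack) for every packet line in the capture text."""
    pkts = []
    for m in filter(None, map(PKT_RE.match, text.splitlines())):
        g = m.groupdict()
        pkts.append((g["src"], int(g["sport"]), g["dst"], int(g["dport"]), g["flags"],
                     re.search(r"\back\b", g["rest"]) is not None))
    return pkts

def classify_flows(pkts):
    """Group packets into client->server flows and name each flow's handshake outcome."""
    flows = defaultdict(lambda: {"syns": 0, "server": []})
    for src, sport, dst, dport, flags, ack in pkts:
        rev = (dst, dport, src, sport)
        if rev in flows:                      # packet from the server side of a flow we already know
            flows[rev]["server"].append((flags, ack))
        elif flags == "S" and not ack:        # bare SYN from the client: count (re)transmissions
            flows[(src, sport, dst, dport)]["syns"] += 1
    verdicts = {}
    for key, f in flows.items():
        srv = f["server"]
        if any("S" in fl and ack for fl, ack in srv):
            verdicts[key] = "handshake completed (SYN-ACK seen)"
        elif any("R" in fl for fl, ack in srv):
            verdicts[key] = "connection refused (RST from server)"
        elif f["syns"] > 1:
            verdicts[key] = "SYN retransmitted, no reply: packets reach the box but the service is silent"
        else:
            verdicts[key] = "single SYN, no reply yet"
    return verdicts
```

Run against a real capture, a silent verdict on a to-the-box port with an empty asp-drop capture points at the daemon itself rather than at an ACL or NAT drop, which is exactly the distinction this thread turned on.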
01-30-2013 10:47 PM
Maybe your problem has something to do with incompatibility of SSH versions (1, 2), current/allowed key size or something else between an ASA and your switch. Try to regenerate keys with a greater/lower modulus size, check the SSH version on the switch, and try to connect not from the switch but from some SSH client.
01-30-2013 10:56 PM
Andrew,
Thanks for your ideas. I reduced the key size from 2k to 1k but it still didn't work. From the same switch I can ssh to the ASA's public IP. I also tried from an ssh client on a server but encountered the same issue.
Naresh
01-30-2013 11:24 PM
What is the ASA version?
01-31-2013 02:33 AM
I think this is a "known" issue. I had this ssh issue several years ago on a Pix525 (telnet worked but not ssh) on the "inside" interface. SSH had been working on the "inside" interface for a long time and all of a sudden it just stopped working.
After 3 months of troubleshooting with TAC, it went nowhere and I had to reboot the Pix to fix the issue. TAC was not helpful at all.
You can either waste a lot of time with TAC or just reboot the box. 99.99% of the time, a reboot will fix it. Remember, sometimes the ASA box behaves just like Microsoft Windows.
01-31-2013 06:40 AM
Adaptive Security Appliance Software Version 8.2(5)
Yes David, that was it. I had seen this with the Pix and thought of rebooting but couldn't believe this could happen again. It gave me a lot of headache. Worked after reboot. Thanks so much all.
--Naresh