can't SSH to inside interface on ASA

naresh.narang
Level 1

Hi there

I have generated the key and can ssh to outside interface. I have allowed access on inside interface. I can telnet but not ssh. I captured packets and can see incoming only. Any ideas?

TIA

Sent from Cisco Technical Support iPhone App


9 Replies

Jennifer Halim
Cisco Employee

Can you please share the config, and also advise which IP you are trying to ssh to the inside interface from?

Hi there,

Here it is -

interface Ethernet0/1
 switchport access vlan 2
 speed 100
 duplex full

interface Vlan2
 description INSIDE
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0

ssh 192.168.1.0 255.255.255.0 INSIDE

Trying to ssh from the L3 switch directly connected to the inside interface.

Thanks -

Hello Naresh,

Share the following:

cap asp type asp-drop all circular-buffer

cap capin interface inside match tcp host x.x.x.x (switch ip address) host 192.168.1.1 eq 22

Then try to connect and share the whole output of

show cap capin

show cap asp | include x.x.x.x (Switch Ip)

Can you ping the Switch interface from the ASA?

Can you ping the ASA from the switch?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi there,

Here it is -

asa01(config)# sh cap capin

4 packets captured
   1: 21:59:03.583343 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
   2: 21:59:05.586990 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
   3: 21:59:09.588577 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
   4: 21:59:17.591659 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
4 packets shown
asa01(config)#

asa01(config)# sh cap asp

0 packet captured
0 packet shown
asa01(config)#

Can you ping the Switch interface from the ASA? - Yes

Can you ping the ASA from the switch? - Yes
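The capture above shows the pattern Naresh first described: SYNs arrive on the inside interface and nothing ever leaves it. As an added example (not code from the thread or from Cisco), the following Python parser reads "show cap" output in that format and flags TCP flows where client SYNs to port 22 were captured but no packet at all came back from the ASA; the sample capture is constructed from the lines above, and the parsing of the ASA line format is an assumption based on those lines.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the "show cap capin" output above: four SYN
# retransmissions from the switch (192.168.1.2) to the inside interface, nothing back.
SAMPLE_CAPTURE = """4 packets captured
   1: 21:59:03.583343 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
   2: 21:59:05.586990 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
   3: 21:59:09.588577 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
   4: 21:59:17.591659 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
4 packets shown
"""

# One packet line: "<n>: <hh:mm:ss.us> [802.1Q vlan#N Pn] <src>.<sport> > <dst>.<dport>: <flags> ..."
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFPRU.]+)"
)

def parse_capture(text):
    """Return (ts, src, sport, dst, dport, flags) for each packet line of 'show cap' output."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            packets.append((d["ts"], d["src"], int(d["sport"]),
                            d["dst"], int(d["dport"]), d["flags"]))
    return packets

def half_open_flows(packets, dport=22):
    """Map (client, client_port, server) -> SYN count for flows that got no reply at all.

    'No reply' means no packet from server:dport back to client:client_port (no SYN-ACK,
    not even a RST): the SYNs reach the interface and the box itself never answers.
    """
    syns = defaultdict(int)
    replied = set()
    for _ts, src, sport, dst, dp, flags in packets:
        if dp == dport and flags.startswith("S"):      # client -> server SYN (or retransmit)
            syns[(src, sport, dst)] += 1
        elif sport == dport:                            # anything server -> client
            replied.add((dst, dp, src))
    return {flow: n for flow, n in syns.items() if flow not in replied}

if __name__ == "__main__":
    for (client, cport, server), n in half_open_flows(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{client}:{cport} -> {server}:22  {n} SYN(s) seen, no reply")
```

If the same flow showed a SYN-ACK or a RST from 192.168.1.1.22, it would drop out of the result, which separates "the ASA is not answering at all" from "the ASA is rejecting the session".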

Maybe your problem has something to do with incompatibility of ssh versions (1,2), current/allowed key size or something between an ASA and your switch. Try to regenerate keys with greater/lower modulus size, check ssh version on a switch, try to connect not from a switch but from some ssh-client.

Andrew,

Thanks for your ideas. I reduced key size from 2k to 1k but it still didn't work. From the same switch I can ssh to the ASA's public IP. I also tried from an ssh client on a server but encountered the same issue.

Naresh

What is the ASA version?

I think this is a "known" issue. I had this ssh issue several years ago on a Pix525 (telnet worked but not ssh) on the "inside" interface. SSH was working before on the "inside" interface for a long time and all of a sudden, it just stopped working.

After 3 months of troubleshooting with TAC, it went nowhere and I had to reboot the Pix to fix the issue. TAC was not helpful at all.

You can either waste a lot of time with TAC or just reboot the box. 99.99% of the time, a reboot will fix it. Remember, sometimes the ASA box behaves just like Microsoft Windows.

Adaptive Security Appliance Software Version 8.2(5)

Yes David, that was it. I had seen this with Pix and thought of rebooting but couldn't believe this can happen again. It gave me a lot of headache. Worked after reboot. Thanks so much all.

--Naresh
