
Cannot access FXOS CLI via SSH anymore

Chess Norris
Level 4

Hi,

This morning I was trying to SSH into FXOS on two Firepower 4100 devices. I have been able to SSH into those devices before, but it was probably quite a while ago since I did it the last time.

I now get a "The remote system refused the connection" message when I am trying to use SSH. I still can access the web interface, and I've verified the SSH is enabled and that there are no access rules that would prevent SSH access.

Is there any other way I can access the CLI? If I SSH directly to the FTD device, it takes me directly to the LINA CLI but I don't have the option to type "connect fxos".

A console connection might be my only option here, but the device is located in another country and it will probably take a while to get someone on site.

 

Thanks 

/Chess

4 Replies

Marvin Rhoads
Hall of Fame

I can only think that the ssh access list in fxos might have been enabled.

Short of console access, can you try sshing to the chassis management address from an expert mode (Linux shell) session on the FTD instance?

Chess Norris
Level 4

@Marvin Rhoads Thank you for the suggestion. I tried to ssh from FTD expert mode to the chassis management address, but I'm still getting connection refused. I will wait for console access.

Is the access list in fxos different from the one I see in Chassis manager web gui? The one I have there looks like this:

[Image: Capture.JPG]

@Chess Norris the settings you shared are the same as what one would configure from the cli. So that looks good.

If your FTD management address is in the same subnet as the chassis management interface, then a middleware box would not be the problem.

So it's a bit of a mystery still - please let us know what you find out.

councilm
Level 1

@Chess Norris Does the error message include:
Unable to negotiate with <IP Address> port 22: no matching key exchange method found.  Their offer: <cipher>

If so, you may need to explicitly include the "KexAlgorithms" stated in the <cipher>.
Example: ssh -oKexAlgorithms=+diffie-hellman-group14-sha1 <IP Address>

Then later update your ssh-server config via CLI and/or FCM to include additional algorithms.
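
The distinction behind the last reply, as an added example that is not part of the original thread: a refused connection fails at the TCP level, while a key-exchange mismatch happens only after the server has accepted the connection, so the `KexAlgorithms` option helps with the second case only. The function names and sample error lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: sample error lines below are constructed, not captured output.

# Classify one line of SSH client error text.
classify_ssh_error() {
    case "$1" in
        *"no matching key exchange method found"*) echo "kex-mismatch" ;;
        *"Connection refused"*|*"refused the connection"*) echo "tcp-refused" ;;
        *"Connection timed out"*) echo "timeout" ;;
        *) echo "other" ;;
    esac
}

# Pull the comma-separated algorithm list that follows "Their offer:".
server_offer() {
    printf '%s\n' "$1" |
        sed -n 's/.*Their offer: *\([A-Za-z0-9@.,_-]*\).*/\1/p'
}

# One-off client option; '+' appends to the defaults instead of replacing them.
kex_option_for() {
    offer=$(server_offer "$1")
    [ -n "$offer" ] || return 1
    printf '%s%s\n' '-oKexAlgorithms=+' "$offer"
}

# Per-host ssh_config stanza, so the legacy algorithm is enabled for this
# one device only and not for every outbound connection.
host_stanza_for() {
    offer=$(server_offer "$2")
    [ -n "$offer" ] || return 1
    printf 'Host %s\n    KexAlgorithms +%s\n' "$1" "$offer"
}

# Constructed samples (192.0.2.10 is a documentation address).
for line in \
    'ssh: connect to host 192.0.2.10 port 22: Connection refused' \
    'Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found.  Their offer: diffie-hellman-group14-sha1'
do
    kind=$(classify_ssh_error "$line")
    echo "$kind"
    if [ "$kind" = "kex-mismatch" ]; then
        kex_option_for "$line"
        host_stanza_for 192.0.2.10 "$line"
    fi
done
```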
