File Transfer using Secure Copy Server on Cisco ASA 5510

magurwara
Level 1

I have SSH and SCP enabled on the ASA 5510. I can SSH fine into the device. However, I cannot copy files to the device using WinSCP. Used all options but nothing seems to work. I see the log authentication successful, but then WinSCP reports no response from ASA.

Any idea?

7 Replies

risenshine4th
Level 1

I would review the ports being used and use a packet sniffer like Wireshark to see what traffic is really doing.

Wireshark doesn't tell much as after SSH is established, packets are encrypted. I have used debug ssh on the ASA console to see what goes on.

SSH is established correctly and user is authenticated...

SSH2 2: authentication successful for xxxx

SSH2 2: channel open request

SSH2 2: exec request

No activity after the "exec request"

If I enable shell selection in WinSCP then the exec request is replaced by "shell request". In either case nothing proceeds beyond that message and finally the following message:

SSH2: receive SSH message: [no message ID: variable *data is NULL]

SSH2: Session disconnected by SSH server - error 0x00 "Internal error"

Q. Should the initial SSH session land the user in privileged exec mode for this to work?

cvestal11
Level 1

I'm having the same problem

Hello,

This happens due to the way that WinSCP tries to get a shell to do things like directory listings. The ASA's SCP server doesn't support this:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1510629

There is no directory support in this implementation of SCP, limiting remote client access to the adaptive security appliance internal files.

I'm not sure if there is a way to disable this functionality for WinSCP, but you can use something like 'pscp' on Windows (or 'scp' on Linux/Mac) to copy the files you need. The syntax would look something like this:

pscp @:

Hope that helps.

-Mike

Now, in my particular application and situation, what I found to be just as good an alternative was using the latest ASDM: Tools menu and File Management.

Worked great

What if the ASDM image is corrupted?

pscp worked for me as well:

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

From the CLI (I happened to use PowerShell), I changed my working directory to that which contained my files to be transferred. I then entered the syntax as below:

PS C:\Users\myusername\Downloads> .\pscp.exe .\asa971-4-lfbff-k8.SPA myasausername@172.30.0.1:asa971-4-lfbff-k8.SPA
The first key-exchange algorithm supported by the server is
diffie-hellman-group1-sha1, which is below the configured warning threshold.
Continue with connection? (y/n) y
plsadmin@172.30.0.1's password:

(My transfer began immediately afterward):


asa971-4-lfbff-k8.SPA | 2208 kB | 7.2 kB/s | ETA: 04:01:35 | 2%

Note: It may take a while to transfer but I'm pretty sure that's just a limitation of the protocol. Also if you're working within the legacy Windows command-line just remove the .\ from your command syntax and you should be fine.

PS- Don't forget to enable SSH Secure Copy capabilities in the ASA (conf t > ssh scopy enable)
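
An added example, not part of any post in this thread: a PowerShell wrapper around the pscp transfer shown above that checks the image's SHA-512 against the vendor-published checksum before uploading, and passes `-scp` so pscp uses the SCP protocol only instead of trying SFTP first. The host, user and file name are the ones from the post above; the expected hash is a placeholder and the parameter names are this example's own.

```powershell
# Added example (not from the thread). Host, user and file name come from the
# post above; $ExpectedSha512 is a placeholder to be replaced with the SHA-512
# checksum published on the vendor's download page for this image.
param(
    [string]$Image          = '.\asa971-4-lfbff-k8.SPA',
    [string]$AsaHost        = '172.30.0.1',
    [string]$AsaUser        = 'myasausername',
    [string]$ExpectedSha512 = '<SHA512-FROM-VENDOR-DOWNLOAD-PAGE>',
    [string]$Pscp           = '.\pscp.exe'
)

$ErrorActionPreference = 'Stop'

# 1. Refuse to upload an image whose hash does not match the published one.
if (-not (Test-Path -LiteralPath $Image -PathType Leaf)) {
    throw "Image not found: $Image"
}
$actual = (Get-FileHash -LiteralPath $Image -Algorithm SHA512).Hash
if ($actual -ne $ExpectedSha512.Trim()) {   # -ne ignores case for strings
    throw "SHA-512 mismatch for $Image; not uploading. Got $actual"
}

# 2. Copy with SCP only. The remote side is a bare file name because the
#    ASA's SCP server has no directory support.
$remoteName = Split-Path -Leaf $Image
& $Pscp -scp $Image "${AsaUser}@${AsaHost}:$remoteName"
if ($LASTEXITCODE -ne 0) {
    throw "pscp exited with code $LASTEXITCODE"
}

# 3. Record what was sent so it can be compared with the copy on the device.
[pscustomobject]@{
    File   = $remoteName
    Bytes  = (Get-Item -LiteralPath $Image).Length
    Sha512 = $actual
}
```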
