IDS 4.1 shunning on a PIX using ssh don't work

fhilgendorf
Level 1

I connected an IDS 4.1 Sig 120 with a PIX 6.3(3).

At the IDS I configured the PIX as blocking device using ssh with 3des.

When I try to manually block a host at the PIX, it will not work. No shun entry is set at the PIX.

If I use telnet as protocol it works fine.

It seems to be a problem with ssh at the PIX, but if I try to connect to the PIX via ssh with putty it works.

Here is some ssh debug from the PIX with a failed connection from the IDS:

465: SSH: Device opened successfully.
466: SSH: host key initialised
467: SSH1: SSH client: IP = '192.168.1.125' interface # = 1
468: SSH1: starting SSH control process
469: SSH1: Exchanging versions - SSH-1.5-Cisco-1.25
470: SSH1: send SSH message: outdata is NULL
471: SSH1: receive SSH message: 83 (83)
472: SSH1: client version is - SSH-1.5-OpenSSH_3.7.1p2
473: SSH1: begin server key generation
474: SSH1: complete server key generation, elapsed time = 720 ms
475: SSH1: declare what cipher(s) we support: 0x00 0x00 0x00 0x0c
476: SSH1: send SSH message: SSH_SMSG_PUBLIC_KEY (2)
477: SSH1: SSH_SMSG_PUBLIC_KEY message sent
478: SSH1: TCP read failed, error code = 0x86300003 "TCP connection closed"
479: SSH1: receive SSH message: [no message ID: variable *data is NULL]
480: SSH1: Session disconnected by SSH server - error 0x03 "TCP connection closed"

Any help?

4 Replies

pax_2111
Level 1

Actually I ran into the same problem and couldn't resolve it. I just used telnet.

Have you verified that the sensor has the correct SSH key for the Pix? If the Pix has been upgraded or has been re-imaged, then the SSH key may have changed. You would need to delete the old SSH key on the sensor and add the new SSH key for the Pix.

You can also check the sensor to see if any errors are being generated when it attempts to connect to the Pix.

Try executing "show event error past 1:00:00" to look at errors within the past hour (you can increase or decrease the time to reduce the amount of data you need to look through).

You may even want to try rebooting the sensor and then executing the above command to see what errors the sensor generated after the reboot.

The error from the sensor should give you information about what the sensor thinks the problem is.

The easiest way to make sure you have the correct key is using the sensor cli. First do a conf t. Then do a ssh host-key, then accept the key. It should now work.
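As an added example that is not part of this thread, the following Python script parses a PIX "debug ssh" trace like the one quoted in the question and reports the stage at which the client dropped the connection. In SSH protocol 1 the server sends its host key in SSH_SMSG_PUBLIC_KEY and the client compares it with the key it has stored before it sends anything else, so a TCP close immediately after that message, with no session key ever received, is the pattern of a client rejecting a stale or mismatched host key, which matches the fix described above. The sample trace is constructed from the lines in the question, and the SSH1 cipher-number table and diagnosis wording are assumptions of this example, not Cisco output.

```python
import re

# Constructed sample: the relevant lines of the PIX "debug ssh" trace quoted
# in the question, reused here as test input.
SAMPLE_TRACE = """\
469: SSH1: Exchanging versions - SSH-1.5-Cisco-1.25
472: SSH1: client version is - SSH-1.5-OpenSSH_3.7.1p2
475: SSH1: declare what cipher(s) we support: 0x00 0x00 0x00 0x0c
476: SSH1: send SSH message: SSH_SMSG_PUBLIC_KEY (2)
477: SSH1: SSH_SMSG_PUBLIC_KEY message sent
478: SSH1: TCP read failed, error code = 0x86300003 "TCP connection closed"
480: SSH1: Session disconnected by SSH server - error 0x03 "TCP connection closed"
"""

# SSH protocol 1 cipher numbers. The server advertises support as a 32-bit
# mask with bit n set when cipher number n is available.
SSH1_CIPHERS = {0: "none", 1: "IDEA", 2: "DES", 3: "3DES",
                4: "TSS", 5: "RC4", 6: "Blowfish"}

RE_CLIENT = re.compile(r"client version is - (\S+)")
RE_MASK = re.compile(r"cipher\(s\) we support:\s*((?:0x[0-9a-fA-F]{2}\s*){4})")
RE_SEND = re.compile(r"send SSH message: (SSH_[A-Z_]+)")
RE_RECV = re.compile(r"receive SSH message: (SSH_[A-Z_]+)")


def parse_cipher_mask(hex_bytes: str) -> list:
    """Turn a mask such as '0x00 0x00 0x00 0x0c' into the cipher names it enables."""
    mask = int.from_bytes(bytes(int(w, 16) for w in hex_bytes.split()), "big")
    return [name for bit, name in SSH1_CIPHERS.items() if mask & (1 << bit)]


def analyze_trace(trace: str) -> dict:
    """Walk a PIX SSH1 server-side debug trace and report where the handshake died."""
    result = {
        "client_version": None,
        "server_ciphers": [],
        "sent": [],        # named server messages, in order
        "received": [],    # named client messages, in order
        "closed_by_peer": False,
        "diagnosis": "no peer close seen: handshake completed or trace incomplete",
    }
    for line in trace.splitlines():
        if m := RE_CLIENT.search(line):
            result["client_version"] = m.group(1)
        elif m := RE_MASK.search(line):
            result["server_ciphers"] = parse_cipher_mask(m.group(1))
        elif m := RE_SEND.search(line):
            result["sent"].append(m.group(1))
        elif m := RE_RECV.search(line):
            result["received"].append(m.group(1))
        elif "TCP connection closed" in line:
            result["closed_by_peer"] = True

    last_sent = result["sent"][-1] if result["sent"] else None
    if (result["closed_by_peer"] and last_sent == "SSH_SMSG_PUBLIC_KEY"
            and "SSH_CMSG_SESSION_KEY" not in result["received"]):
        # The client saw the host key and hung up without answering: it either
        # rejected the key it had stored for this host, or it accepts none of
        # the ciphers the server offered.
        result["diagnosis"] = (
            "client hung up right after receiving the server host key: "
            "its stored key for this device is stale or mismatched (re-learn it "
            "on the client, here the sensor), or it accepts none of the offered "
            "ciphers " + ", ".join(result["server_ciphers"]))
    elif result["closed_by_peer"]:
        result["diagnosis"] = (f"client hung up after {last_sent}; "
                               "the failure is past the host-key stage")
    return result


if __name__ == "__main__":
    for key, value in analyze_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Run it against a saved "debug ssh" capture to get the same classification for other devices; the regexes only rely on the message names the PIX prints, so lines such as "receive SSH message: 83 (83)" that carry no name are ignored rather than misparsed.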

Thank you. You are right, I forgot the ssh key.

The solution at the cli works fine.

Another mistake I had was that I used cryptic passwords (like /&) at the PIX. There seems to be a problem with the conversion when I use a German locale in my Internet Explorer.

I now use alphanumeric passwords without those symbols.
