IPS 7.2 SSHv2 Access to ASA 9.1.2

rmeans
Level 3

I am trying to have my IPS (7.2) access my ASA 9.1.2.  I am getting an error.  I haven't been able to find the exact problem nor any solutions.

ASA config

ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1

ASA debug

Device ssh opened successfully.
SSH1: SSH client: IP = '192.168.251.18'  interface # = 3
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-2.0-Cisco-1.25
SSH1: send SSH message: outdata is NULL
server version string:SSH-2.0-Cisco-1.25
SSH1: receive SSH message: 83 (83)
SSH1: client version is - SSH-2.0-OpenSSH_5.9
client version string:SSH-2.0-OpenSSH_5.9
SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-sha1 none
SSH2: kex: server->client aes128-cbc hmac-sha1 none
SSH2 1: expecting SSH2_MSG_KEXDH_INIT
SSH2 1: SSH2_MSG_KEXDH_INIT received
SSH2 1: signature length 271
SSH2: kex_derive_keys complete
SSH2 1: newkeys: mode 1
SSH2 1: SSH2_MSG_NEWKEYS sent
SSH2 1: waiting for SSH2_MSG_NEWKEYS
SSH2 1: newkeys: mode 0
SSH2 1: SSH2_MSG_NEWKEYS received
SSH(networkIPS): user authen method is 'use AAA', aaa server group ID = 4
SSH(networkIPS): user authen method is 'use AAA', aaa server group ID = 4
SSH2 1: authentication successful for networkIPS
SSH2 1: channel open request
SSH2 1: pty-req request
SSH2 1: requested tty: vt102, height 0, width 0
SSH2 1: shell request
SSH2 1: shell message received
SSH2 1: Received disconnect from remote: 11: disconnected by user
SSH1: Session disconnected by SSH server - error 0x00 "Internal error"

ideas?

1 Reply

rmeans
Level 3

The issue is with the ASA banners; a combination of banner length and/or type.  I have 3 ASAs.  I use a combination of login and motd banners.  I have reset the banner for each device.  Host blocks (shun) are working as expected.

Works

lbjvpnfw# show run banner
banner login *****************************************************************
banner login *        Unauthorized use is prohibited by law.                 *
banner login * Use of a computer, access to data stored by a computer,       *
banner login * or knowingly giving a password or personal ID without         *
banner login * effective consent is a class A misdemeanor.              *
banner login *****************************************************************

Fails

lbjinetfw# show run banner
banner login *****************************************************************
banner login *        Unauthorized use is prohibited by law.                 *
banner login * Use of a computer, access to data stored by a computer,       *
banner login * or knowingly giving a password or personal ID without         *
banner login * effective consent is a class A misdemeanor.             *
banner login *****************************************************************
banner motd *****************************************************************
banner motd *        Unauthorized use is prohibited by law.                 *
banner motd * Use of a computer, access to data stored by a computer,       *
banner motd * or knowingly giving a password or personal ID without         *
banner motd * effective consent is a class A misdemeanor.            *
banner motd *****************************************************************

Success but logs sometimes show failure

fw-nsoc-inet-1# show run banner
banner login WARNING!  GOVERNMENT SYSTEM - Unauthorized access prohibited by Public Law - The Computer Fraud and Abuse Act
banner motd WARNING!  GOVERNMENT SYSTEM - Unauthorized access prohibited by Public Law - The Computer Fraud and Abuse Act
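As an added example (not code from rmeans's posts or from Cisco), here is a small Python helper that parses `show run banner` output and totals lines and characters per banner type, so the working and failing configurations above can be compared side by side; the embedded samples are shortened, constructed versions of the banners above, and no length threshold is assumed because the thread names none.

```python
import re

# Matches one line of ASA "show run banner" output: "banner <type> <text>".
# Constructed for this example; the prompt/command line does not match and is skipped.
BANNER_RE = re.compile(r"^banner\s+(\S+)\s?(.*)$")


def summarize_banners(show_run_banner: str) -> dict:
    """Return {banner_type: {"lines": n, "chars": total_text_chars}} per banner type."""
    summary = {}
    for line in show_run_banner.splitlines():
        m = BANNER_RE.match(line.rstrip("\r"))
        if not m:
            continue  # hostname prompt, command echo, blank lines
        btype, text = m.group(1), m.group(2)
        entry = summary.setdefault(btype, {"lines": 0, "chars": 0})
        entry["lines"] += 1
        entry["chars"] += len(text)
    return summary


def compare(configs: dict) -> list:
    """Rows of (name, types, total_lines, total_chars), one per device config."""
    rows = []
    for name, text in configs.items():
        s = summarize_banners(text)
        rows.append((name,
                     "+".join(s.keys()),
                     sum(v["lines"] for v in s.values()),
                     sum(v["chars"] for v in s.values())))
    return rows


# Constructed, shortened stand-ins for the "Works" and "Fails" outputs in the thread.
WORKS = """lbjvpnfw# show run banner
banner login *****
banner login * Unauthorized use is prohibited by law. *
banner login *****"""

FAILS = """lbjinetfw# show run banner
banner login *****
banner login * Unauthorized use is prohibited by law. *
banner login *****
banner motd *****
banner motd * Unauthorized use is prohibited by law. *
banner motd *****"""

if __name__ == "__main__":
    for row in compare({"works": WORKS, "fails": FAILS}):
        print("%-6s types=%-11s lines=%d chars=%d" % row)
```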
