OpenSSL issue. Getting "connection reset by peer" when connecting via ASA.


Work Flow MAP

Inside Network ------ ASA 5585 ----- External Network

When I do an ssh to an external host from my inside network using the command:

ssh username@hostname -v 

I get the following output

OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to lxplus.cern.ch [188.184.88.224] port 22.
debug1: Connection established.
debug1: identity file /home/usmaan/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/usmaan/.ssh/id_rsa-cert type -1
debug1: identity file /home/usmaan/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /home/usmaan/.ssh/id_dsa-cert type -1
debug1: identity file /home/usmaan/.ssh/id_ecdsa type 3
debug1: key_load_public: No such file or directory
debug1: identity file /home/usmaan/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/usmaan/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/usmaan/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2
ssh_exchange_identification: read: Connection reset by peer

Do we need to make some changes on the ASA, as I am able to connect to the host from an outside network (without the ASA 5585)?

Please help me resolve this issue.


Ajay Saini
Level 7

Hello,

This is encrypted traffic; I would not expect the ASA to know what is going on inside the stream. Unless the ASA is able to decrypt the traffic with a Firepower module etc., this looks like a client/server issue. There are a couple of 'No such file or directory' lines in the logs attached, and also the connection is being reset by the peer (server).

Since you might be connecting through the ASA PAT IP address, that IP might not be allowed at the server or might be blacklisted. You can also take captures on the server side to see what's happening.

You can also try comparing the host-side captures (working vs. non-working).

-AJ
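As an added example (not code from the original post or the reply), the probe below performs only the SSH identification exchange that fails in the log above, so it can be run from the inside host through the ASA and again from an outside host and the two outcomes compared, as the reply suggests. The client version string it sends and the command-line handling are my own choices, not anything from the thread.

```python
"""Probe the SSH identification exchange (RFC 4253, section 4.2) over a raw
TCP socket to see whether the server's version banner arrives at all.
Constructed diagnostic; host and port are taken from the command line."""
import socket
import sys

def parse_ssh_banner(line: bytes) -> dict:
    """Split 'SSH-protoversion-softwareversion [comments]' into its parts."""
    text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
    if not text.startswith("SSH-"):
        raise ValueError(f"not an SSH version string: {text!r}")
    _, proto, rest = text.split("-", 2)
    software, _, comments = rest.partition(" ")
    return {"protoversion": proto, "softwareversion": software, "comments": comments}

def read_banner(lines, max_lines: int = 20):
    """Return the first line starting with b'SSH-', or None if the peer closed
    first. Servers may send other lines before the banner (RFC 4253 allows
    this), so those are skipped; give up after max_lines of noise."""
    for i, line in enumerate(lines):
        if line.startswith(b"SSH-"):
            return line
        if i + 1 >= max_lines:
            break
    return None

def probe(host: str, port: int = 22, timeout: float = 5.0) -> dict:
    """Connect, send our own version string, and classify what happens next.
    'reset' before any banner means the TCP session was torn down by the
    server or a device in the path, not an SSH key or authentication problem."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"SSH-2.0-probe_diagnostic\r\n")  # hypothetical client id
            banner = read_banner(s.makefile("rb"))
            if banner is None:
                return {"outcome": "closed_before_banner"}
            return {"outcome": "banner", **parse_ssh_banner(banner)}
    except ConnectionResetError:
        return {"outcome": "reset"}
    except ConnectionRefusedError:
        return {"outcome": "refused"}
    except (OSError, ValueError) as e:  # timeouts, routing errors, odd banners
        return {"outcome": "error", "detail": str(e)}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(probe(target, int(sys.argv[2]) if len(sys.argv) > 2 else 22))
```

A "banner" result from outside and a "reset" result from inside points at the path (PAT address blocked, or an inspection device closing the session) rather than at keys or authentication; a server-side capture then shows who sent the RST.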
