Problem with ASA SSH after 8.4.5 upgrade

IT Services (Level 1)

Good Afternoon,

We are having issues with SSH to our ASA 5510 after upgrading to 8.4.5.

These are the SSH debug logs we get:

Mwe 0x08eff6e8 0xad5ed19c 0xad5e93b4          2 0xad5e9460 14888/16384 listen/ssh
ASA-USNOR-01# Device ssh opened successfully.
SSH0: SSH client: IP = '172.16.10.8'  interface # = 4
SSH: host key initialised
SSH0: starting SSH control process
SSH-1031171653: Exchanging versions - SSH-2.0-Cisco-1.25

SSH-1031171653: send SSH message: outdata is NULL

server version string:SSH-2.0-Cisco-1.25SSH-1031171653: receive SSH message: 83 (83)
SSH-1031171653: client version is - SSH-2.0-PuTTY_Release_0.62

client version string:SSH-2.0-PuTTY_Release_0.62SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 520 ms

SSH2 -1031171653: SSH2_MSG_KEXINIT sent
SSH2 -1031171653: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 -1031171653: expecting SSH2_MSG_KEXDH_INIT
SSH2 -1031171653: SSH2_MSG_KEXDH_INIT received
SSH2 -1031171653: signature length 271
SSH2: kex_derive_keys complete
SSH2 -1031171653: newkeys: mode 1
SSH2 -1031171653: SSH2_MSG_NEWKEYS sent
SSH2 -1031171653: waiting for SSH2_MSG_NEWKEYS
SSH2 -1031171653: newkeys: mode 0
SSH2 -1031171653: SSH2_MSG_NEWKEYS received
SSH2 -1031171653: authentication failed for  (code=1)SSH-1031171653: Session disconnected by SSH server - error 0x0d "Rejected by server"

The correct ACLs are set, etc.

Any thoughts?

7 Replies

Jennifer Halim (Cisco Employee)

Seems like the authentication part is failing based on the debug output above.

Are you authenticating locally for the SSH session or via Radius/Tacacs?

If it's via Radius or Tacacs, can you please check to see if you can authenticate from the ASA using the "test" command.

Hi Jennifer,

Thanks for the reply. It is not giving me the chance to even authenticate. It refuses the connection the second the login prompt shows.

I have tried both RADIUS and LOCAL authentication to no avail.

I am just looking for an idea other than rebooting the ASA, which might be my last resort.

Based on the information, unfortunately rebooting will be the best bet.

Have you tried regeneration of your RSA key on the ASA? ("crypto key generate rsa").

Also verify you still have ssh allowed on the target interface from your host network.

Yes, all this has been done and verified. I even tried changing the key size.

julomban (Level 3)

Hello,

Are you running in failover? You might want to remove the SSH commands from the ASA and re-add them. I strongly suggest you try that.

Regards,

Juan Lombana

Please rate helpful posts.

NeilGouws (Level 1)

I know this is very old, but just had the same issue and found this post when I searched the error.

The issue is aaa authentication; see the log below:

%ASA-6-605004: Login denied from 192.168.199.201/55819 to management:192.168.199.100/ssh for user "*****"
%ASA-6-315011: SSH session from 192.168.199.201 on interface management for user "*****" disconnected by SSH server, reason: "Rejected by server" (0x0d)
%ASA-6-302014: Teardown TCP connection 44 for management:192.168.199.201/55819 to identity:192.168.199.100/22 duration 0:00:55 bytes 1159 TCP FINs
%ASA-5-111008: User 'enable_15' executed the 'aaa authentication ssh console LOCAL' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 192.168.199.201, executed 'aaa authentication ssh console LOCAL'
%ASA-6-302013: Built inbound TCP connection 45 for management:192.168.199.201/55989 (192.168.199.201/55989) to identity:192.168.199.100/22 (192.168.199.100/22)
%ASA-6-113012: AAA user authentication Successful : local database : user = cisco

Adding the following to the config resolves the issue:

aaa authentication ssh console LOCAL
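To spot this failure pattern in collected ASA syslog and to confirm the fix is present in a running config, here is an added example (not from the thread or from Cisco) that pairs the 605004 "Login denied" and 315011 "Rejected by server" (0x0d) messages per source IP and checks for an `aaa authentication ssh console` line; the sample log and config strings are constructed to mirror the excerpt above.

```python
import re

# Constructed sample lines modelled on the ASA syslog excerpt posted in this thread.
SAMPLE_LOG = """\
%ASA-6-605004: Login denied from 192.168.199.201/55819 to management:192.168.199.100/ssh for user "*****"
%ASA-6-315011: SSH session from 192.168.199.201 on interface management for user "*****" disconnected by SSH server, reason: "Rejected by server" (0x0d)
%ASA-6-302014: Teardown TCP connection 44 for management:192.168.199.201/55819 to identity:192.168.199.100/22 duration 0:00:55 bytes 1159 TCP FINs
%ASA-6-113012: AAA user authentication Successful : local database : user = cisco
"""

MSG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
DENIED_RE = re.compile(r"Login denied from (?P<src>[\d.]+)/(?P<port>\d+) to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<svc>\w+)")
REJECT_RE = re.compile(r'SSH session from (?P<src>[\d.]+) on interface (?P<ifc>\w+) for user "(?P<user>[^"]*)" '
                       r'disconnected by SSH server, reason: "(?P<reason>[^"]+)" \((?P<code>0x[0-9a-f]+)\)')


def parse_asa_line(line):
    """Split one ASA syslog line into severity, message id and body; None if it is not ASA format."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return {"severity": int(m.group("sev")), "id": m.group("id"), "body": m.group("body")}


def find_ssh_rejections(log_text):
    """One finding per source IP whose SSH login was denied (605004) and then rejected by the server (315011)."""
    denied, rejected = {}, {}
    for raw in log_text.splitlines():
        rec = parse_asa_line(raw)
        if rec is None:
            continue
        if rec["id"] == "605004":
            d = DENIED_RE.search(rec["body"])
            if d and d.group("svc") == "ssh":
                denied[d.group("src")] = d.group("ifc")
        elif rec["id"] == "315011":
            r = REJECT_RE.search(rec["body"])
            if r:
                rejected[r.group("src")] = (r.group("reason"), r.group("code"))
    return [{"src": ip, "interface": denied[ip], "reason": rejected[ip][0], "code": rejected[ip][1]}
            for ip in denied if ip in rejected]


def ssh_aaa_configured(running_config):
    """True if the running config carries an 'aaa authentication ssh console <server-group>' line (the thread's fix)."""
    return any(re.match(r"^aaa authentication ssh console \S+", l.strip()) for l in running_config.splitlines())
```

Feed `find_ssh_rejections` the output of `show logging` (or a syslog archive) and `ssh_aaa_configured` the output of `show running-config`; a hit from the first with a False from the second points at the same missing command this thread ended on.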
