SSH access to a 5516-X running FTD 6.3.0.1 issue (managed by FMC)

Philip Badhams
Level 1

Hello

We have a mix of 2100 Firepower appliances and ASA5516-X Firewalls running FTD code. Although we are able to SSH to the 2100s with no issue, we are unable to SSH to the 5516s. Both Firewall models are running in HA pairs (if that matters).

I have tried configuring SSH under the platform settings for the 5516 but it did not work. I believe this is only to allow SSH access via the data Interfaces, which is not what we are looking for. We are wanting to SSH to the Management IP, as we do with the 2100s.

Is this possible? Any advice on how to achieve it would be appreciated.

From what reading I have done I get the impression that there is a difference in the hardware platforms, despite them running the same FTD code?

Even when trying to SSH from the Router onsite to the firewall we get "aborted: error status 0".

Any input would be appreciated.

Thanks in advance.

3 Replies

Francesco Molino
VIP Alumni
Hi

Out of the box, ssh should be enabled.
Do you know if ssh has been limited for certain prefixes?

You'll need to connect over console.
Once on CLISH prompt, type connect fxos
Then type scope system
Then scope services
And finally type show
You should see ssh server enabled.
Go back to default clish prompt by exiting fxos.
Type show ssh-access-list to validate you're not filtering ssh access.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


@Francesco Molino wrote:
Hi

Out of the box, ssh should be enabled.
Do you know if ssh has been limited for certain prefixes?

You'll need to connect over console.
Once on CLISH prompt, type connect fxos
Then type scope system
Then scope services
And finally type show
You should see ssh server enabled.
Go back to default clish prompt by exiting fxos.
Type show ssh-access-list to validate you're not filtering ssh access.

I have logged into the CLI but 'connect fxos' does not appear to be a valid command when at the initial > prompt.

Update 2 - It appears to be a key exchange mismatch between the router from which the FTD ASA is being accessed and the ASA. I came across the following in the router logs.

Feb 7 12:34:51.550 GMT: %SSH-3-NO_MATCH: No matching kex algorithm found:

client diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

server diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256.

When trying to SSH from PuTTY on a Win 7 PC on the local LAN it works fine.

When you type connect followed by a ? sign, what do you get?

What router are you using to connect to FTD?
And what version?

You can use the command ip ssh client algorithm to see if the algorithms proposed by FTD are supported on your router and force them if needed.

I only have access to Firepower devices but no ASA. Normally you configure the ssh algorithm in the fxos environment.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
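As an added illustration (not part of this thread or of any Cisco tool), a small Python parser for the %SSH-3-NO_MATCH message the router logged above. It splits the client and server kex lists, checks for any overlap, flags a client that only offers SHA-1 kex methods, and names the server-preferred method the router would need to offer. The sample record is the thread's log message reassembled into one line; whether a given IOS version can offer that method is something to check with ip ssh client algorithm on the router itself.

```python
import re

# Constructed sample: the three log lines quoted in the thread, joined into one
# record the way a syslog collector would normally store the message.
SAMPLE_LOG = (
    "Feb 7 12:34:51.550 GMT: %SSH-3-NO_MATCH: No matching kex algorithm found: "
    "client diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 "
    "server diffie-hellman-group-exchange-sha256,curve25519-sha256@libssh.org,"
    "ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256."
)

# Key-exchange methods built on SHA-1. A modern SSH server (FTD/FXOS here)
# may refuse every one of them, which is exactly the failure in the thread.
SHA1_KEX = {
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
}

# "kind" is the negotiated item (kex, cipher, mac, ...); the server list ends
# with a period in the IOS message, which is stripped by the lazy match.
_NO_MATCH = re.compile(
    r"%SSH-3-NO_MATCH: No matching (?P<kind>\w+) algorithm found:\s*"
    r"client\s+(?P<client>\S+)\s+server\s+(?P<server>\S+?)\.?\s*$"
)


def parse_no_match(line):
    """Return (kind, client_algs, server_algs) for a %SSH-3-NO_MATCH line, else None."""
    m = _NO_MATCH.search(line)
    if not m:
        return None
    return m.group("kind"), m.group("client").split(","), m.group("server").split(",")


def diagnose(line):
    """Explain why negotiation failed and which server-side method the client lacks."""
    parsed = parse_no_match(line)
    if parsed is None:
        return None
    kind, client, server = parsed
    common = [a for a in client if a in server]  # in the client's preference order
    return {
        "kind": kind,
        "common": common,
        "client_is_sha1_only": all(a in SHA1_KEX for a in client),
        # The server's first choice is the method the client would need to add.
        "add_on_client": None if common else server[0],
    }
```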