09-20-2016 02:07 AM - edited 03-12-2019 01:17 AM
Hello,
I hope you can help. We have an ASA 5550 model, and SSH & ASDM have been working fine for years now. But all of a sudden they have stopped responding.
The firewall itself is working and still routing traffic to the internet. No ACLs were changed on it either.
Can you please advise what troubleshooting I can potentially do from the console cable on the firewall to restart these services again?
many thanks
09-20-2016 07:11 AM
Hello Mr. Desai,
Can you post the output of the show asp table socket command?
This command will return which connections the firewall is listening on.
Best Regards,
Alex Gutierrez.
09-20-2016 08:11 AM
Hello Alex,
Thank you for coming back to me. I do have access to the console cable to the firewall and did a debug on the SSH service and got the following error.
Lut-ASAFirewall#
Device ssh opened successfully.
SSH1: SSH client: IP = '10.251.251.107' interface # = 2
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-1.99-Cisco-1.25
SSH1: send SSH message: outdata is NULL
SSH1: Session disconnected by SSH server - error 0x3c "Time-out activated"
SSH1: send unsuccessful - status 0x3c
Lut-ASAFirewall# sh asp drop
Frame drop:
Bad IPSEC NATT packet (bad-ipsec-natt) 2
IPSEC tunnel is down (ipsec-tun-down) 4
Invalid encapsulation (invalid-encap) 19084
Invalid IP header (invalid-ip-header) 16
Invalid TCP Length (invalid-tcp-hdr-length) 38
Invalid UDP Length (invalid-udp-length) 67
No valid adjacency (no-adjacency) 452
No route to host (no-route) 4294
Flow is denied by configured rule (acl-drop) 513815804
Invalid SPI (np-sp-invalid-spi) 15604
First TCP packet not SYN (tcp-not-syn) 4373384
Bad TCP checksum (bad-tcp-cksum) 1
Bad TCP flags (bad-tcp-flags) 621
TCP Dual open denied (tcp-dual-open) 300
TCP data send after FIN (tcp-data-past-fin) 334
TCP failed 3 way handshake (tcp-3whs-failed) 487894
TCP RST/FIN out of order (tcp-rstfin-ooo) 2743470
TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 75477
TCP SYNACK on established conn (tcp-synack-ooo) 1105
TCP packet SEQ past window (tcp-seq-past-win) 1456851
TCP invalid ACK (tcp-invalid-ack) 1760
TCP ACK in 3 way handshake invalid (tcp-discarded-ooo) 6
TCP Out-of-Order packet buffer timeout (tcp-buffer-timeout) 1
TCP RST/SYN in window (tcp-rst-syn-in-win) 3281
TCP dup of packet in Out-of-Order queue (tcp-dup-in-queue) 74
TCP packet failed PAWS test (tcp-paws-fail) 71221
CTM returned error (ctm-error) 121
Slowpath security checks failed (sp-security-failed) 612638
ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched) 9834
ICMP Error Inspect no existing conn (inspect-icmp-error-no-existing-conn) 52
DNS Inspect invalid packet (inspect-dns-invalid-pak) 7
DNS Inspect invalid domain label (inspect-dns-invalid-domain-label) 304
DNS Inspect packet too long (inspect-dns-pak-too-long) 103668
DNS Inspect id not matched (inspect-dns-id-not-matched) 27824
FP L2 rule drop (l2_acl) 33707
Interface is down (interface-down) 58
Dropped pending packets in a closed socket (np-socket-closed) 1270193
Last clearing: Never
Flow drop:
Need to start IKE negotiation (need-ike) 950
NAT failed (nat-failed) 328720
NAT reverse path failed (nat-rpf-failed) 4
Inspection failure (inspect-fail) 7968106
SSL bad record detected (ssl-bad-record-detect) 2857
SSL handshake failed (ssl-handshake-failed) 6404
SSL malloc error (ssl-malloc-error) 125
SSL received close alert (ssl-received-close-alert) 136
Last clearing: Never
Lut-ASAFirewall#
Lut-ASAFirewall# sh asp table socket
Protocol Socket Local Address Foreign Address State
SSL 0000133f 192.168.1.1:443 0.0.0.0:* LISTEN
SSL 000020af 192.168.252.17:443 0.0.0.0:* LISTEN
TCP 0000459f 192.168.252.17:22 0.0.0.0:* LISTEN
SSL 062a1e5f 192.168.252.17:443 10.2.20.245:55177 ESTAB
SSL 062e1c5f 192.168.252.17:443 10.3.1.114:10016 ESTAB
SSL 062e25cf 192.168.252.17:443 10.3.1.114:10056 ESTAB
Please let me know if you need any more information.
many thanks
Upen Desai
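Added example, not written by anyone in this thread: a small Python parser for the show asp table socket output posted above, reporting for each local endpoint whether it is in LISTEN and which peers hold established sessions. The function names are hypothetical, and the sample is the table copied from the post.

```python
import re
from collections import defaultdict

# Table copied from the "sh asp table socket" output in the post above.
SAMPLE = """\
Protocol Socket Local Address Foreign Address State
SSL 0000133f 192.168.1.1:443 0.0.0.0:* LISTEN
SSL 000020af 192.168.252.17:443 0.0.0.0:* LISTEN
TCP 0000459f 192.168.252.17:22 0.0.0.0:* LISTEN
SSL 062a1e5f 192.168.252.17:443 10.2.20.245:55177 ESTAB
SSL 062e1c5f 192.168.252.17:443 10.3.1.114:10016 ESTAB
SSL 062e25cf 192.168.252.17:443 10.3.1.114:10056 ESTAB
"""

ROW = re.compile(
    r"^(?P<proto>\S+)\s+(?P<sock>[0-9a-fA-F]+)\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<faddr>[\d.]+):(?P<fport>\d+|\*)\s+(?P<state>\S+)$"
)

def parse_sockets(text):
    """Return one dict per socket row; header and prompt lines are skipped."""
    return [m.groupdict() for ln in text.splitlines() if (m := ROW.match(ln.strip()))]

def summarize(rows):
    """Map each local ip:port to its listener flag and the peers connected to it."""
    out = defaultdict(lambda: {"listening": False, "peers": []})
    for r in rows:
        key = f"{r['laddr']}:{r['lport']}"
        if r["state"] == "LISTEN":
            out[key]["listening"] = True
        else:
            out[key]["peers"].append(r["faddr"])
    return dict(out)

def idle_listeners(summary):
    """Endpoints that are listening but have no established session."""
    return sorted(k for k, v in summary.items() if v["listening"] and not v["peers"])

if __name__ == "__main__":
    s = summarize(parse_sockets(SAMPLE))
    for ep, info in sorted(s.items()):
        print(ep, "LISTEN" if info["listening"] else "-", info["peers"])
    print("listening with no sessions:", idle_listeners(s))
```

On the posted table this reports 192.168.252.17:22 as listening with no established session, while 192.168.252.17:443 has three.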
09-20-2016 11:02 PM
Hi,
Could you share the show memory and show blocks output from the ASA?
Regards,
Aditya
Please rate helpful posts and mark correct answers.