ssh connection problem on ASA management interface

Alex Ribas
Level 1

Here is part of the config:

New firewall (without config)

Just IP management

ASA Version 9.15(1)1

ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh 0.0.0.0 0.0.0.0 mgmt

!
interface Management1/1
management-only
nameif mgmt
security-level 0
ip address 172.29.100.71 255.255.255.0

Source (PING etc.)

ping 172.29.100.71
PING 172.29.100.71 (172.29.100.71) 56(84) bytes of data.
64 bytes from 172.29.100.71: icmp_seq=1 ttl=254 time=0.461 ms
64 bytes from 172.29.100.71: icmp_seq=2 ttl=254 time=0.672 ms
64 bytes from 172.29.100.71: icmp_seq=3 ttl=254 time=0.520 ms
^C64 bytes from 172.29.100.71: icmp_seq=4 ttl=254 time=0.590 ms

ssh -l xxxxx 172.29.100.71
Connection closed by 172.29.100.71

sh ssh
Idle Timeout: 5 minutes
Version allowed: 2
Cipher encryption algorithms enabled: aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc
Cipher integrity algorithms enabled: hmac-sha2-256

Hosts allowed to ssh into the system:
0.0.0.0 0.0.0.0 mgmt
FW04#

What am I missing?

8 Replies

Hi @Alex Ribas 

Have you generated an RSA key pair? If not, run "crypto key generate rsa modulus 2048".

Yes I did

crypto key generate rsa general-keys modulus 2048
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Many times

crypto key generate rsa modulus 2048
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
FW04(config)#

chadbaird2431
Level 1

The ASA is possibly missing a route back to the network that you're accessing the ASA on. I'd check that. 

Type in show management-access. If it returns nothing, then use: management-access management (to manage from the management interface). Or the interface might be shut down.


I think this is the issue

ssh admfw@172.29.100.71
The authenticity of host '172.29.100.71 (172.29.100.71)' can't be established.
RSA1 key fingerprint is 6b:00:4f:d4:6f:fe:53:8a:48:49:60:28:08:7c:64:8c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.29.100.71' (RSA1) to the list of known hosts.
Selected cipher type <unknown> not supported by server


Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Disabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 300 perpetual
Total VPN Peers : 300 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
VPN Load Balancing : Enabled perpetual

Serial Number: xxxxxxxxxxx
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x1
Image type : Release
Key Version : A


FW04(config)# sh ssh
Idle Timeout: 5 minutes
Versions allowed: 1 and 2
Cipher encryption algorithms enabled: aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
Cipher integrity algorithms enabled: hmac-sha1 hmac-sha1-96

@Alex Ribas 

Encryption-3DES-AES : Disabled

You don't have the 3DES license, so you cannot SSH to the ASA. You'll need to go to https://software.cisco.com/software/swift/lrp/#/pak and request an activation key (free).


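The diagnosis above comes down to reading two command outputs correctly: the "Encryption-3DES-AES" line of show version and the versions, ciphers and allowed hosts of show ssh. The script below is an added example (not from this thread or from Cisco) that parses both formats and reports the conditions that break or weaken SSH management access: the missing 3DES/AES licence, SSHv1 allowed, SHA-1-only MACs, and an "ssh 0.0.0.0 0.0.0.0" statement that lets any source address reach the management interface. The "broken" sample outputs are constructed from the values pasted in this thread; the "fixed" outputs and the suggested subnet are assumptions for illustration.

```python
"""Audit ASA 'show version' licence lines and 'show ssh' output for
conditions that break or weaken SSH management access.
Added example; sample outputs are constructed, not captured from a device."""
import re

# Constructed from the outputs shown in this thread (licence disabled, SSHv1 on).
SHOW_VERSION_BROKEN = """\
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Disabled perpetual
Security Contexts : 2 perpetual
"""

SHOW_SSH_BROKEN = """\
Idle Timeout: 5 minutes
Versions allowed: 1 and 2
Cipher encryption algorithms enabled: aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
Cipher integrity algorithms enabled: hmac-sha1 hmac-sha1-96

Hosts allowed to ssh into the system:
0.0.0.0 0.0.0.0 mgmt
"""

# Assumed "after the fix" outputs: licence activated, SSHv1 off, SHA-2 MAC,
# access limited to the management subnet.
SHOW_VERSION_FIXED = SHOW_VERSION_BROKEN.replace(
    "Encryption-3DES-AES : Disabled", "Encryption-3DES-AES : Enabled")
SHOW_SSH_FIXED = """\
Idle Timeout: 5 minutes
Version allowed: 2
Cipher encryption algorithms enabled: aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc
Cipher integrity algorithms enabled: hmac-sha2-256

Hosts allowed to ssh into the system:
172.29.100.0 255.255.255.0 mgmt
"""


def parse_licensed_features(text):
    """Map the 'Feature : Value ...' lines under 'Licensed features' to {feature: first value token}."""
    features = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Licensed features"):
            in_block = True
            continue
        if not line.strip():          # blank line ends the licence block
            in_block = False
            continue
        if in_block and ":" in line:
            name, _, rest = line.partition(":")
            tokens = rest.split()
            if tokens:
                features[name.strip()] = tokens[0]   # Enabled / Disabled / 150 / Unlimited
    return features


def parse_show_ssh(text):
    """Extract allowed protocol versions, cipher and MAC lists, and permitted source hosts."""
    info = {"versions": set(), "ciphers": [], "macs": [], "hosts": []}
    in_hosts = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if in_hosts:
            parts = line.split()
            if len(parts) == 3:       # "<ip> <mask> <interface>"; prompt lines are skipped
                info["hosts"].append(tuple(parts))
            continue
        m = re.match(r"Versions? allowed:\s*(.*)", line)   # singular or plural form
        if m:
            info["versions"] = {int(v) for v in re.findall(r"\d+", m.group(1))}
        elif line.startswith("Cipher encryption algorithms enabled:"):
            info["ciphers"] = line.split(":", 1)[1].split()
        elif line.startswith("Cipher integrity algorithms enabled:"):
            info["macs"] = line.split(":", 1)[1].split()
        elif line.startswith("Hosts allowed to ssh"):
            in_hosts = True
    return info


def audit(show_version_text, show_ssh_text):
    """Return a list of (code, message) findings; empty list means nothing to fix."""
    features = parse_licensed_features(show_version_text)
    ssh = parse_show_ssh(show_ssh_text)
    findings = []
    if features.get("Encryption-3DES-AES", "Disabled") != "Enabled":
        findings.append(("3DES_AES_LICENSE_DISABLED",
                         "Encryption-3DES-AES licence is not enabled: the strong ciphers listed by "
                         "'show ssh' are unusable and clients see the connection close after the "
                         "banner (the symptom in this thread). Request and apply the free activation key."))
    if 1 in ssh["versions"]:
        findings.append(("SSHV1_ENABLED", "SSH protocol version 1 is allowed; configure 'ssh version 2'."))
    if ssh["macs"] and all(mac.startswith("hmac-sha1") for mac in ssh["macs"]):
        findings.append(("SHA1_MAC_ONLY", "Only SHA-1 MACs are enabled; prefer hmac-sha2-256."))
    for ip, mask, iface in ssh["hosts"]:
        if mask == "0.0.0.0":
            findings.append(("SSH_ANY_SOURCE",
                             f"Any source address may SSH via interface {iface}; restrict it to the "
                             f"management subnet, e.g. 'ssh 172.29.100.0 255.255.255.0 {iface}' (assumed subnet)."))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SHOW_VERSION_BROKEN, SHOW_SSH_BROKEN):
        print(f"[{code}] {msg}")
    print("fixed config findings:", audit(SHOW_VERSION_FIXED, SHOW_SSH_FIXED))
```

Run it against your own pasted outputs by replacing the two sample strings; the licence check is the one that explains the "Connection closed" and "Selected cipher type <unknown>" symptoms, while the other three findings are hardening points for once SSH works.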
pjweintraub0206
Level 1

I am assuming you also created a local username:

Add these 2 commands:

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

Maurizio Caloro
Level 1

crypto key zeroize rsa
crypto key generate rsa modulus 2048

username ssh password
ssh 172.29.100.0 255.255.255.0 mgmt

--

regards

Mauri