05-23-2008 01:26 AM - edited 03-11-2019 05:48 AM
Hi,
I'm unable to ssh into our fwsm today - there's nothing in the logs and all ssh commands are still present - we've had this before and I have to re-generate the rsa key, and I'm fairly certain that's what I need to do now, but the old ca commands that I used have been deprecated (fwsm 3.1), so I just wanted to check that I'm doing the right thing! Here's what I'm planning on:
crypto key zeroize rsa
WARNING: All RSA keys will be removed.
WARNING: All device certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
crypto key generate rsa general-keys modulus 1024
Does this look right?
Thanks,
J
05-23-2008 05:00 AM
And you have the domain name configured also? Then the above commands are OK.
Did you wr mem once the key had been generated? Has the FWSM or 65xx reloaded?
05-23-2008 06:22 AM
Thanks for your response. Actually doing that didn't help - still connection refused.
Any ideas????
I did write mem, and also neither has rebooted.
Thanks, J
05-23-2008 06:32 AM
Hi J,
What do you get in the output of:
'sh crypto key mypubkey rsa'
Moreover, what do you get in the output of 'sh run ssh'?
Thanks.
John
05-23-2008 06:46 AM
Hi John,
Thank you -
fwsm# sh crypto key mypubkey rsa
Key pair was generated at: 13:52:06 UTC May 23 2008
Key name:
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00d97565
428234d5 b58e49d8 2d2ac0b9 08c97e48 f7637111 2287ee58 dfd09941 cb2f87ba
c0d0dcc0 571cf5d9 7d1e97f0 616cd2ea 9429cc6c 3afa975e 86a4d007 c44a61f7
3e905ffb 39ad9e07 8f74393d 0bad0c1d fd7eae2c c095260c 9ea22c73 21e3e151
0a7a4dc0 cad2b173 3097595e f5998cb6 7e6ded99 81ddc892 e6963980 bb020301 0001
fwsm# sh run ssh
ssh 1.1.1.1 255.255.255.255 wireless
ssh office 255.255.255.0 inside
ssh timeout 15
ssh version 2
Regards,
J
05-23-2008 06:51 AM
Hi J,
I guess you are trying to ssh to the FWSM either via the inside or the wireless interface. Can you please confirm that in the first case your IP is within the office subnet and in the second that you are coming from the 1.1.1.1 host?
Moreover, a good idea would be to enable debug ssh 100 on the FWSM, along with logging at debug level, try to connect and see what you are getting there.
Finally, you will need the following line:
"aaa authentication ssh console LOCAL" along with a username/password.
Thanks.
John
05-23-2008 07:39 AM
Thanks John,
Actually I have that auth line in already, it just didn't show up in the command.
I turned on debugging and this came up:
2008-05-23 16:22:25 Local4.Debug x.x.x.x May 23 2008 15:03:26: %FWSM-7-710002: tcp access permitted from x.x.x.x/20067308 to inside:x.x.x.x/ssh
2008-05-23 16:22:25 Local4.Info x.x.x.x May 23 2008 15:03:26: %FWSM-6-302013: Built inbound TCP connection 0 for inside:x.x.x.x/3739 (10.3.80.100/3739) to inside:x.x.x.x/22 (x.x.x.x/22)
2008-05-23 16:22:25 Local4.Debug x.x.x.x May 23 2008 15:03:26: %FWSM-7-710004: TCP connection limit exceeded from x.x.x.x/3739 to inside:x.x.x.x/ssh
I found this http://www.conft.com/en/US/docs/security/asa/asa80/system/message/logmsgs.pdf saying that I need to issue a kill command, but I can't see any connections when I run a who (think this might only work for telnet?). Also I can't see any locally-destined traffic when I run show conn all.
Any ideas would be much appreciated.
Thanks,
J
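The three syslog lines quoted above are the actual diagnostic in this thread: the FWSM permits the SSH access, builds the connection, and then immediately reports %FWSM-7-710004 (TCP connection limit exceeded) for the management service, which is why the client sees "connection refused" even though the RSA key and the ssh statements are fine. The following is an added example (not from the thread or from Cisco) showing how a defender could parse such lines at a syslog collector and flag to-the-box management connections that hit the limit. The log lines are constructed to match the quoted format, with the masked addresses replaced by 192.0.2.x documentation-range values.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the FWSM output quoted in the thread.
# Addresses are documentation-range values, not real hosts.
SAMPLE_LOG = """\
2008-05-23 16:22:25 Local4.Debug 192.0.2.1 May 23 2008 15:03:26: %FWSM-7-710002: tcp access permitted from 192.0.2.50/3739 to inside:192.0.2.1/ssh
2008-05-23 16:22:25 Local4.Info 192.0.2.1 May 23 2008 15:03:26: %FWSM-6-302013: Built inbound TCP connection 0 for inside:192.0.2.50/3739 (192.0.2.50/3739) to inside:192.0.2.1/22 (192.0.2.1/22)
2008-05-23 16:22:25 Local4.Debug 192.0.2.1 May 23 2008 15:03:26: %FWSM-7-710004: TCP connection limit exceeded from 192.0.2.50/3739 to inside:192.0.2.1/ssh
2008-05-23 16:22:40 Local4.Debug 192.0.2.1 May 23 2008 15:03:41: %FWSM-7-710002: tcp access permitted from 192.0.2.51/4001 to inside:192.0.2.1/ssh
"""

# %FWSM-<severity>-<message id>: <text>
MSG_RE = re.compile(r"%FWSM-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
# "from <src>/<sport> to <iface>:<dst>/<service>" as used by the 7100xx to-the-box messages
ENDPOINT_RE = re.compile(
    r"from (?P<src>[\w.]+)/(?P<sport>\d+) to (?P<iface>\w+):(?P<dst>[\w.]+)/(?P<service>\w+)"
)

# Message ids from the quoted log; these are the only ones this example understands.
MSG_ACCESS_PERMITTED = "710002"
MSG_CONN_LIMIT_EXCEEDED = "710004"


def parse_line(line):
    """Return a dict for one syslog line, or None if it is not an FWSM message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}
    e = ENDPOINT_RE.search(rec["text"])
    if e:
        rec.update(e.groupdict())  # src, sport, iface, dst, service
    return rec


def summarize(log_text, services=("ssh",)):
    """Count permitted to-the-box accesses per source and collect every
    connection-limit-exceeded event for the given management services."""
    permitted = Counter()
    exceeded = []
    parsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        if rec.get("service") not in services:
            continue
        if rec["msgid"] == MSG_ACCESS_PERMITTED:
            permitted[rec["src"]] += 1
        elif rec["msgid"] == MSG_CONN_LIMIT_EXCEEDED:
            exceeded.append({k: rec[k] for k in ("src", "sport", "iface", "dst", "service")})
    return {"parsed": parsed, "permitted": permitted, "limit_exceeded": exceeded}


def alerts(log_text):
    """One human-readable alert per limit-exceeded event on a management service."""
    summary = summarize(log_text)
    return [
        f"management {ev['service']} to {ev['iface']}:{ev['dst']} from {ev['src']} "
        f"hit the TCP connection limit (msg {MSG_CONN_LIMIT_EXCEEDED})"
        for ev in summary["limit_exceeded"]
    ]


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

The useful signal is the 710004 message for a management service while `show conn` and `who` show nothing, exactly the mismatch the poster reports; seeing it at the collector is what separates "the key is bad" from "the box has stopped accepting to-the-box sessions", and in this thread the latter was only cleared by a reload and upgrade.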
05-23-2008 08:15 AM
Hi J,
Hmmmm, it can be a bug. I did some research and I found the following:
Maybe you can try to upgrade, or you can open a TAC case in order to further investigate.
HTH,
John
05-27-2008 03:10 AM
Thank you John, that's very helpful indeed. I will reload for now and look at upgrading.
J