Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7181
Views
0
Helpful
24
Replies

SSH connections through asa hanging

waqas gondal
Level 1
Level 1

‎01-03-2014 08:18 AM - edited ‎03-11-2019 08:24 PM

Hi,

I have been troubleshooting this intermittent issue with Cisco TAC for about 3 weeks now.

The issue is that when users connect to external servers via ssh whether it is over a VPN or not, the connections hang. The timing is random and is not dependant on anything. After a user connects, the connection will hang and the show local host indicates that the connection is idle.

We are using an ASA 5505 with version 8.4(5) and a 5510 with 8.4(6) at another location with a site-to-site VPN in between them. The users who initiate the ssh connection are behind the 5505 and sometimes connect to servers behind the 5510, those connections also hang randomly.

When we create ssh traffic through the VPN to servers behind the 5510:

The packet captures don't show a reason for the connection to hang, they just show that packets have stopped going through.

Syslog messages show nothing on the 5505 when the connection hangs, syslogs on the 5510 sometimes show the "deny tcp (no connection)"

Any ideas as to what might cause this issue?

Labels:
0 Helpful
24 Replies 24

Julio Carvajal
VIP Alumni
VIP Alumni
In response to cciesec2011

‎01-04-2014 07:37 AM

You can not base that on what the user described.  In order to understand the issue, you need packet capture.

If customer does not provide us access to the box, inputs that we request we got to trust what he says. This is the case!

Now, I do not think you understand what I am saying..

If this were an app issue then the orphaned sessions would exist on both firewalls! Not just on one. As simple as that

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

waqas gondal
Level 1
Level 1
In response to cciesec2011

‎01-04-2014 09:24 AM

Thanks,

This is something I will check.

0 Helpful

Oscar Castillo
Level 1
Level 1

‎01-04-2014 07:08 AM

I had this kind of issue long time ago.

I enabled an inside host to accept ssh connection and the ASA failed to enable it.

I remember that one of the steps that I've done, was.. reconfigure (ssh) the ASA from scratch, and test it many times to make sure, it was working properly.

Crypto, aaa, username, ip, inside/outside... All that.

Then I went to create object, nat (inside, outside) host or subnet, acl then access-group.

That way worked for me, but it tool me 3 days to figure that out.

You could try that, hope it works.

Regards,
Oscar



Sent from Cisco Technical Support iPhone App

0 Helpful

waqas gondal
Level 1
Level 1
In response to Oscar Castillo

‎01-04-2014 09:29 AM

This issue is a little different I think.

My ASA allows the connection through but after a random amount of time the connection hangs.

I do understand your logic though, I have had issues where I simply erased the config, applied it again and everything was functonal.

Thanks for your input,

Waqas

0 Helpful

cciesec2011
Level 3
Level 3
In response to waqas gondal

‎01-04-2014 10:05 AM 

waqas gondal wrote:
My ASA allows the connection through but after a random amount of time the connection hangs.

That's reason why I suggest you turn on ssh keep-alive and see if the issue goes away.  If the issue goes away, then you know it is a firewall issue.

0 Helpful

Jon Are Endrerud
Level 3
Level 3

‎01-04-2014 09:48 AM

When does it hang? Is it possible to use it at all?

Is it after big blocks of text passing through the terminal?

What is the MTU between the ssh server and client?

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx
0 Helpful

waqas gondal
Level 1
Level 1
In response to Jon Are Endrerud

‎01-04-2014 10:22 AM

When I open an ssh window to any destination through the ASA, it freezes after a random amount of time. It does not matter whether anything is being done through the window. After that it is not possible to use unless the connection is re-initiated.

I will check the MTU on the clients and servers.

Thanks,

Waqas

0 Helpful

Jon Are Endrerud
Level 3
Level 3

‎01-04-2014 10:40 AM

MTU are a know factor when it comes to SSH freeze over VPN, you should also turn on SSH keep alive. What SSH clients are used?

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx
0 Helpful

waqas gondal
Level 1
Level 1
In response to Jon Are Endrerud

‎01-04-2014 10:53 AM

SSH clients are putty mostly, but it does not matter what client is used, the connections hang either way.

I am not at the office right now so I cannot check the MTU at the moment.

Here I am gathering notes on things that should be checked.

Thanks,

Waqas

0 Helpful

Jon Are Endrerud
Level 3
Level 3

‎01-04-2014 10:54 AM

Putty has a keep alive setting that you you should check in the options or connection setting box.

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card