06-02-2022 05:55 AM - edited 06-02-2022 06:05 AM
Hi Everyone,
It's the first time I have run into this issue and I wonder if any of you have ever experienced the same and maybe have an explanation. We have an ASA firewall that has to be SSH accessible for Cisco Prime on the outside interface. SSH access on the inside interface works fine.
SSH towards the outside interface does not work, either from the mentioned Cisco Prime or from another server that is on the same network as Cisco Prime.
When setting up the session this is observed:
- SSH terminal - after entering the IP, only a black screen appears, without a prompt for username/password
- Traffic capture on ASA shows 2 way SSH communication - see attachment
- SSH debug on ASA ends with error: SSH1: Session disconnected by SSH server - error 0x6e "Time-out activated"
- Here is the whole debug output:
ASA_xyz/pri/act# debug ssh
debug ssh enabled at level 1
ASA_xyz/pri/act# Device ssh opened successfully.
SSH1: SSH client: IP = '10.65.x.y' interface # = 2
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-2.0-Cisco-1.25
SSH1: send SSH message: outdata is NULL
server version string:SSH-2.0-Cisco-1.25
Device ssh opened successfully.
SSH2: SSH client: IP = '10.65.x.y' interface # = 2
SSH2: starting SSH control process
SSH2: Exchanging versions - SSH-2.0-Cisco-1.25
SSH2: send SSH message: outdata is NULL
server version string:SSH-2.0-Cisco-1.25
SSH1: Session disconnected by SSH server - error 0x6e "Time-out activated"
SSH1: receive SSH message: [no message ID: variable *data is NULL]
SSH1: receive unsuccessful - status 0x00
The SSH configuration seems to be OK and SSH is allowed on both the outside and the inside/mgmt interface. Note that SSH from a host on inside/mgmt works fine (the inside/mgmt interface is NOT set to be Management):
ASA_xyz/pri/act# sh ssh
Idle Timeout: 20 minutes
Version allowed: 2
Cipher encryption algorithms enabled: aes128-gcm@openssh.com aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc chacha20-poly1305@openssh.com
Cipher integrity algorithms enabled: hmac-sha2-256
Hosts allowed to ssh into the system:
172.22.x.y 255.255.255.240 outside
10.65.x.y 255.255.255.255 outside
10.65.x.y 255.255.255.255 outside
10.10.x.y 255.255.255.0 mgmt
Hardware and software version:
- ASA 5516-X
- Software 9.16.2
As always - thanks for your time!
Cheers
/mc
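The debug output above shows the ASA completing the version (identification string) exchange and then timing out before any key exchange happens. The following is an added example, not code from the original post or from Cisco: a small client-side probe that reproduces the same classification from the Prime host's point of view. It connects to port 22, sends a client identification string, records the server's identification string, and then waits for the first binary packet, which must be SSH_MSG_KEXINIT (message ID 20). The result tells you whether the stall is before TCP, before the banner, or after the banner (as in the thread). The two in-process servers (`_serve_once` in "healthy" and "stalled" mode) are constructed stand-ins for the ASA's SSH daemon so the script runs offline; the host, port and timeout values are assumptions.

```python
import socket
import struct
import threading
import time

SSH_MSG_KEXINIT = 20          # RFC 4253 section 7.1
MAX_PACKET_LEN = 35000        # RFC 4253 section 6.1 minimum every implementation must accept


def read_line(sock, limit=255):
    """Read one LF-terminated identification line. Returns None on EOF."""
    buf = bytearray()
    while len(buf) < limit:
        ch = sock.recv(1)
        if not ch:
            return None
        buf += ch
        if ch == b"\n":
            break
    return bytes(buf).rstrip(b"\r\n").decode("ascii", "replace")


def recv_exact(sock, n):
    """Read exactly n bytes or raise ConnectionError (an OSError subclass)."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-packet")
        buf += chunk
    return bytes(buf)


def probe_ssh(host, port=22, timeout=5.0, client_id="SSH-2.0-probe_0.1"):
    """Report how far the SSH handshake gets: tcp -> server_id -> kexinit."""
    result = {"tcp": False, "server_id": None, "kexinit": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["tcp"] = True
            s.settimeout(timeout)
            # Either side may send its identification first (RFC 4253 4.2), so send ours now.
            s.sendall(client_id.encode("ascii") + b"\r\n")
            # The server may precede its banner with arbitrary lines not starting with "SSH-".
            while True:
                line = read_line(s)
                if line is None:
                    result["error"] = "closed before server identification"
                    return result
                if line.startswith("SSH-"):
                    break
            result["server_id"] = line
            # Binary packet protocol: uint32 packet_length, byte padding_length, payload, padding.
            packet_len, padding_len = struct.unpack(">IB", recv_exact(s, 5))
            if packet_len > MAX_PACKET_LEN or padding_len + 1 > packet_len:
                result["error"] = "malformed first packet"
                return result
            payload = recv_exact(s, packet_len - padding_len - 1)
            result["kexinit"] = payload[:1] == bytes([SSH_MSG_KEXINIT])
    except socket.timeout:
        # This is the branch that corresponds to the ASA's "Time-out activated".
        result["error"] = "timeout"
    except OSError as exc:
        result["error"] = str(exc)
    return result


def _serve_once(behaviour, ready):
    """Constructed stand-in for the ASA's SSH daemon (not real ASA behaviour).
    'healthy' answers the banner exchange with a minimal KEXINIT packet;
    'stalled' sends its banner and then goes silent, as in the thread's debug."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    ready.append(srv.getsockname()[1])
    conn, _ = srv.accept()
    with conn, srv:
        conn.sendall(b"SSH-2.0-Cisco-1.25\r\n")
        read_line(conn)  # consume the client's identification string
        if behaviour == "healthy":
            payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # message ID + cookie only (stub)
            padding = 4
            conn.sendall(struct.pack(">IB", len(payload) + padding + 1, padding)
                         + payload + b"\x00" * padding)
        else:
            conn.recv(1)  # block until the probe gives up and closes


def run_probe_against(behaviour, timeout=1.0):
    """Start a stand-in server in a thread and probe it; used for the worked demo."""
    ready = []
    threading.Thread(target=_serve_once, args=(behaviour, ready), daemon=True).start()
    while not ready:
        time.sleep(0.01)
    return probe_ssh("127.0.0.1", ready[0], timeout=timeout)


if __name__ == "__main__":
    print("healthy:", run_probe_against("healthy"))
    print("stalled:", run_probe_against("stalled"))
```

Run `probe_ssh("<asa-outside-ip>")` from the Prime host and from the working inside host and compare. `server_id` set with `kexinit` False and `error == "timeout"` matches the symptom in this thread: TCP and the version exchange succeed, but the session never reaches key exchange. `tcp` False or `server_id` None would point at a reachability or ACL problem instead, which is a different fault than the one described here.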
06-04-2022 02:07 PM
@MHM Cisco World hey, don't worry, we are here to help each other
06-04-2022 02:17 PM
No, not at all.
If we are not correcting and exchanging knowledge with each other, how do we learn?
08-30-2022 12:24 AM
@Micccc4 did you find a solution to this problem? I have a similar issue.
09-06-2022 05:17 AM
Hi @edwardwaithaka - unfortunately I didn't manage to fix it before summer and it's now waiting on my to-do list. Not sure when I will have time to look at it. Do you experience the same symptoms? Did you manage to fix it? Please share your findings. Thx