SSH console towards ASA doesn't prompt for username/password

Micccc4
Level 1

Hi Everyone,

It's the first time I have run into this issue and I wonder if any of you have ever experienced the same and maybe have an explanation. We have an ASA firewall that has to be SSH accessible for Cisco Prime on the outside interface. SSH access on the inside interface works fine.

SSH towards the outside interface does not work, neither from the mentioned Cisco Prime nor from another server that is on the same network as Cisco Prime.

When setting up the session this is observed:

- SSH terminal - after entering the IP, only a black screen appears without a prompt for username / password

- Traffic capture on ASA shows 2-way SSH communication - see attachment

- SSH debug on ASA ends with the error: SSH1: Session disconnected by SSH server - error 0x6e "Time-out activated"

- Here is the whole debug output:

ASA_xyz/pri/act# debug ssh
debug ssh  enabled at level 1
ASA_xyz/pri/act# Device ssh opened successfully.
SSH1: SSH client: IP = '10.65.x.y'  interface # = 2
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-2.0-Cisco-1.25

SSH1: send SSH message: outdata is NULL

server version string:SSH-2.0-Cisco-1.25
Device ssh opened successfully.
SSH2: SSH client: IP = '10.65.x.y'  interface # = 2
SSH2: starting SSH control process
SSH2: Exchanging versions - SSH-2.0-Cisco-1.25

SSH2: send SSH message: outdata is NULL

server version string:SSH-2.0-Cisco-1.25
SSH1: Session disconnected by SSH server - error 0x6e "Time-out activated"
SSH1: receive SSH message: [no message ID: variable *data is NULL]
SSH1: receive unsuccessful - status 0x00

The SSH configuration seems to be OK and SSH is allowed on both the outside and the inside/mgmt interface. Note that SSH from a host on inside/mgmt works fine (the inside/mgmt interface is NOT set to be Management):

ASA_xyz/pri/act# sh ssh
Idle Timeout: 20 minutes
Version allowed: 2
Cipher encryption algorithms enabled: aes128-gcm@openssh.com aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc chacha20-poly1305@openssh.com
Cipher integrity algorithms enabled: hmac-sha2-256

Hosts allowed to ssh into the system:
172.22.x.y 255.255.255.240 outside
10.65.x.y 255.255.255.255 outside
10.65.x.y 255.255.255.255 outside
10.10.x.y 255.255.255.0 mgmt
Hardware and software version:

- ASA 5516-X

- Software 9.16.2
As always - thanks for your time!

Cheers

/mc
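
A small client-side probe, added here as an example and not part of the original post, that reports how far the SSH-2 handshake gets against a host: it separates "TCP connects but no identification string ever arrives" from "the version string arrives (the point the debug above reaches) but no KEXINIT packet follows". The client banner string, the 192.0.2.1 placeholder address and the FakeConn replay object are constructed for the example.

```python
import socket

CLIENT_BANNER = b"SSH-2.0-probe_0.1\r\n"  # hypothetical identification string for this probe
SSH_MSG_KEXINIT = 20                       # first binary packet each side sends (RFC 4253)
def probe_ssh_stage(conn, timeout=5.0):
    """Return (stage, server_banner): 'no-banner' (TCP up, but no identification
    string in time), 'banner-only' (version string seen, as in the ASA debug
    above, but no KEXINIT followed) or 'kexinit' (key exchange started)."""
    conn.settimeout(timeout)
    buf = b""
    try:
        while True:                      # RFC 4253 4.2: skip any pre-banner lines
            while b"\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    return ("no-banner", None)
                buf += chunk
            line, buf = buf.split(b"\n", 1)
            if line.startswith(b"SSH-"):
                break
    except socket.timeout:
        return ("no-banner", None)
    banner = line.rstrip(b"\r").decode("ascii", errors="replace")
    conn.send(CLIENT_BANNER)             # server may wait for our string before KEXINIT
    try:                                 # packet header: 4B length, 1B padding, 1B msg type
        while len(buf) < 6:
            chunk = conn.recv(6 - len(buf))
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        return ("banner-only", banner)
    if len(buf) >= 6 and buf[5] == SSH_MSG_KEXINIT:
        return ("kexinit", banner)
    return ("banner-only", banner)

def probe_host(host, port=22, timeout=5.0):  # live use, e.g. probe_host("192.0.2.1")
    with socket.create_connection((host, port), timeout=timeout) as conn:
        return probe_ssh_stage(conn, timeout)

class FakeConn:
    """Constructed socket stand-in: replays the given chunks, then times out."""
    def __init__(self, chunks): self.chunks = list(chunks)
    def settimeout(self, timeout): pass
    def send(self, data): return len(data)
    def recv(self, n_bytes):
        if not self.chunks:
            raise socket.timeout()
        return self.chunks.pop(0)
```

Run probe_host against the outside and inside addresses from the same client and compare the stage each returns; a FakeConn replaying only the server banner reproduces the "banner-only" outcome offline.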
18 Replies

@MHM Cisco World hey, don't worry, we are here to help each other and learn from each other. I do not mean to upset/offend you at all. Do not take me the wrong way.

please do not forget to rate.

No, not at all.

If we do not correct and exchange knowledge with each other, how do we learn?

edwardwaithaka
Level 1

@Micccc4 did you find a solution to this problem? I have a similar issue.

Hi @edwardwaithaka - unfortunately I didn't manage to fix it before summer and it's now waiting on the 'to-do' list. Not sure when I will have time to look at it. Do you experience the same symptoms? Did you manage to fix it? Please share your findings. Thx
