SSH console towards ASA doesn't prompt for username/password

Micccc4
Level 1

Hi Everyone,

It's the first time I have run into this issue and I wonder if any of you have ever experienced the same and maybe have an explanation. We have an ASA firewall that has to be SSH accessible for Cisco Prime on the outside interface. SSH access on the inside interface works fine.

SSH towards the outside interface does not work, neither from the mentioned Cisco Prime nor from another server that is on the same network as Cisco Prime.

 

When setting up the session this is observed:

- SSH terminal - after entering the IP only a black screen appears, without a prompt for username / password

- Traffic capture on ASA shows 2 way SSH communication - see attachment

- SSH debug on ASA ends with error: SSH1: Session disconnected by SSH server - error 0x6e "Time-out activated"

- Here is the whole debug output:

 

ASA_xyz/pri/act# debug ssh

debug ssh  enabled at level 1

ASA_xyz/pri/act# Device ssh opened successfully.

SSH1: SSH client: IP = '10.65.x.y'  interface # = 2

SSH1: starting SSH control process

SSH1: Exchanging versions - SSH-2.0-Cisco-1.25

 

SSH1: send SSH message: outdata is NULL

 

server version string:SSH-2.0-Cisco-1.25

Device ssh opened successfully.

SSH2: SSH client: IP = '10.65.x.y'  interface # = 2

SSH2: starting SSH control process

SSH2: Exchanging versions - SSH-2.0-Cisco-1.25

 

SSH2: send SSH message: outdata is NULL

 

server version string:SSH-2.0-Cisco-1.25

SSH1: Session disconnected by SSH server - error 0x6e "Time-out activated"

SSH1: receive SSH message: [no message ID: variable *data is NULL]

SSH1: receive unsuccessful - status 0x00

 

The SSH configuration seems to be OK and SSH is allowed on both the outside and the inside/mgmt interface. Note that SSH from a host on inside/mgmt works fine (the inside/mgmt interface is NOT set to be Management):

ASA_xyz/pri/act# sh ssh
Idle Timeout: 20 minutes
Version allowed: 2
Cipher encryption algorithms enabled: aes128-gcm@openssh.com aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc chacha20-poly1305@openssh.com
Cipher integrity algorithms enabled: hmac-sha2-256

Hosts allowed to ssh into the system:
172.22.x.y 255.255.255.240 outside
10.65.x.y 255.255.255.255 outside
10.65.x.y 255.255.255.255 outside
10.10.x.y 255.255.255.0 mgmt

 

Hardware and software version:

- ASA 5516-X

- Software 9.16.2

 

As always - thanks for your time!

Cheers

/mc
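As an added example (not part of the original post and not a Cisco tool), a small Python parser for the `debug ssh` output above: it groups lines per SSHn session, records the client address and interface, whether the version exchange happened, and the disconnect error, so a "Time-out activated" that arrives after a completed version exchange (TCP reachable, key exchange never completes) is distinguished from a plain reachability failure. The sample lines are reconstructed from the post, with its masked IP kept as-is.

```python
import re
from collections import OrderedDict

# Constructed sample: the debug ssh lines quoted in the post (per-session lines only).
SAMPLE_DEBUG = """\
SSH1: SSH client: IP = '10.65.x.y'  interface # = 2
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-2.0-Cisco-1.25
SSH1: send SSH message: outdata is NULL
server version string:SSH-2.0-Cisco-1.25
SSH2: SSH client: IP = '10.65.x.y'  interface # = 2
SSH2: starting SSH control process
SSH2: Exchanging versions - SSH-2.0-Cisco-1.25
SSH2: send SSH message: outdata is NULL
server version string:SSH-2.0-Cisco-1.25
SSH1: Session disconnected by SSH server - error 0x6e "Time-out activated"
SSH1: receive SSH message: [no message ID: variable *data is NULL]
SSH1: receive unsuccessful - status 0x00
"""

LINE_RE = re.compile(r"^(SSH\d+): (.*)$")
CLIENT_RE = re.compile(r"SSH client: IP = '([^']+)'\s+interface # = (\d+)")
ERROR_RE = re.compile(r'Session disconnected by SSH server - error (0x[0-9a-fA-F]+) "([^"]*)"')


def parse_debug_ssh(text):
    """Return an ordered dict {session_id: state} built from ASA 'debug ssh' lines."""
    sessions = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines without an SSHn prefix (e.g. 'server version string:') carry no session id
        sid, msg = m.groups()
        s = sessions.setdefault(sid, {"client": None, "interface": None,
                                      "versions_exchanged": False, "error": None})
        c = CLIENT_RE.search(msg)
        if c:
            s["client"], s["interface"] = c.group(1), int(c.group(2))
        if msg.startswith("Exchanging versions"):
            s["versions_exchanged"] = True
        e = ERROR_RE.search(msg)
        if e:
            s["error"] = (e.group(1), e.group(2))  # (error code, error text)
    return sessions


def diagnose(session):
    """Classify where a session stopped, to separate a reachability problem from a stalled handshake."""
    if session["error"] and session["error"][0] == "0x6e":
        if session["versions_exchanged"]:
            return "timeout after version exchange: TCP reachable, key exchange never completed"
        return "timeout before version exchange: check reachability/ACL on the ingress interface"
    if session["error"]:
        return "disconnected: %s" % session["error"][1]
    return "no disconnect seen"
```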

 

18 Replies

Do packet-tracer for SSH and see if there is any ACL or NAT denying the traffic.

Did you try this, if you want OUT to be SSH:

ssh x.x.x.x y.y.y.y outside

Micccc4
Level 1

Thanks @MHM Cisco World - yes, SSH is enabled on the outside interface and the attached screenshot shows the packet capture on ingress/outside. There is a 2-way communication going on. What I will definitely do next time I am on the customer network is run a packet capture on the server itself. But again, it looks like traffic is going back and forth.

"Note: In general, if any interface that has a security level of zero or lower than any other interface, the ASA does not allow Telnet to that interface."

So TRY this solution: configure any other interface ("dummy interface") and make it level 0, configure the outside interface with 10 and try again.

@MHM Cisco World The statement you made is completely wrong.

 

A to-the-box connection is completely different compared to a through-the-box connection. A to-the-box connection does not have anything to do with the security level.

 

In the case of this SSH issue, the user is connecting to the outside interface/mgmt interface. Mgmt is working fine but there is an issue with the outside interface.

 

@Micccc4 is trying to connect to the outside interface. S/he is not going through the box. It's to the box.

 

Wrong statement: "Note: In general, if any interface that has a security level of zero or lower than any other interface, the ASA does not allow Telnet to that interface."


please do not forget to rate.

He enabled SSH on outside, so which one is he: to the box or through the box??

To the Box.

please do not forget to rate.

Thanks for the discussion @Sheraz.Salim and @MHM Cisco World. Yes, I am aware of the problem when the SSH should go through the ASA (meaning initiated from outside, first passing the outside interface and then terminating on e.g. the inside interface); that would not work. But here it's as you have concluded: to the box, meaning from outside and terminating on the outside interface. I am planning to work further on that tomorrow. Will keep you updated.

@Micccc4 This is correct, your understanding is right: TO-THE-BOX. Keep me posted on how it goes.

please do not forget to rate.

Once the SSH client and the ASA have established the SSH connection successfully, the ASA will keep track of activity from the SSH client. As soon as the SSH client is idle for longer than the configured timeout period, the ASA disconnects the SSH client: "Time-out activated".

 

Since when have you been having this issue? Was any software upgrade performed, and have you been having this issue since?

 

Your attached capture is not very clear. However, I guess you can see (3-way handshake) the TCP SYN and SYN-ACK and later an ACK-RST from the ASA to the client (outside interface).

 

As this is a TO-THE-BOX connection instead of THROUGH-THE-BOX, I shall advise you to do a few things to test and pinpoint the issue. (Packet-tracer won't be helpful as it's a to-the-box connection coming in.)

 

1. Create new RSA keys with 2048 bits. Once created, delete the old RSA keys.

2. Lower your SSH cipher encryption (either low or medium).

 

Test it and observe it.

 

From the outside subnet, try a different SSH client and observe what the logs say.

 

Plus one more thing (I do not think the ASA is dropping the packet), but you can capture the ASP drops (create a capture of type asp-drop).

please do not forget to rate.

This is the customer's ASA, and apparently SSH towards the outside interface never worked for them, and for that reason they did not yet onboard that ASA to Cisco Prime (Prime is on the outside network). We did the software upgrade first and then started to look at the SSH issue... I am going to try your tips above and report back. Thanks a lot for looking at it @Sheraz.Salim

@Micccc4 Prior to the software upgrade, was outside SSH accessible for Prime, or was it always an issue with the old software? Is there any IPS in between (at the ASA outside interface)?

 

Please try to follow my first post to work around this issue. If this never worked, it could be that you can fine-tune the SSH encryption settings.

please do not forget to rate.

@Micccc4 @Sheraz.Salim 
My statement is from the Cisco doc below, and the workaround is to configure a dummy interface with level 0 and configure outside with a level above 0.

"Note: In general, if any interface that has a security level of zero or lower than any other interface, the ASA does not allow Telnet to that interface."

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118075-configure-asa-00.pdf

 

The document you posted is not relevant to this problem. The document just mentions how to enable SSH on the inside and outside interfaces.

 

please do not forget to rate.

@Sheraz.Salim 

Anyway friend, I saw this note in the doc and I was excited to share it, since he mentioned that he enabled SSH on outside and it did not work.

Maybe I am wrong and this is for another case, not this case.

Regards, my friend.
