SSH in ASA 5520 not working even with all configuration in it.

vivekshah666
Level 1

I am having a weird case, wherein I have a 5520 and I am not able to SSH into that firewall.

When I did a capture on that firewall, it shows my connection is getting reset as soon as I try to SSH into the box.

Given below is the config for SSH into the firewall.

!
ssh 10.252.253.0 255.255.255.0 inside
ssh 10.114.255.240 255.255.255.255 inside
ssh 169.2.162.75 255.255.255.255 inside
ssh 10.161.85.0 255.255.255.0 inside
ssh 10.161.85.85 255.255.255.255 inside
ssh 10.79.30.81 255.255.255.255 inside
ssh 10.79.30.82 255.255.255.255 inside
ssh 10.79.30.83 255.255.255.255 inside
ssh 10.79.99.111 255.255.255.255 inside
ssh 10.79.99.112 255.255.255.255 inside
ssh 10.6.2.82 255.255.255.255 inside
ssh 10.192.14.6 255.255.255.255 inside
ssh 10.192.14.15 255.255.255.255 inside
ssh 10.255.0.64 255.255.255.192 inside
ssh 10.166.20.128 255.255.255.128 inside
ssh 10.165.240.0 255.255.255.224 inside
ssh timeout 15
ssh version 2
!

Also the crypto key has been generated, and below is the output for that.

!

Cryptochecksum:26d45134c042538d9b57ad897433ba23

!

I am trying from a 10.252.253.0/24 subnet

and the interface is inside.

!
GigabitEthernet0/0       inside                 10.240.255.250  255.255.255.0   CONFIG
GigabitEthernet0/0.249   bell                   10.240.249.254  255.255.255.0   CONFIG
GigabitEthernet0/1.21    XM                     10.240.21.254   255.255.255.0   manual
GigabitEthernet0/1.104   Qfinity                10.240.1.97     255.255.255.224 CONFIG
GigabitEthernet0/1.250   bell                   10.240.250.254  255.255.255.0   CONFIG
GigabitEthernet0/1.601   HP                     10.240.14.1     255.255.254.0   CONFIG
GigabitEthernet0/1.990   ST                     172.24.133.126  255.255.255.128 manual
GigabitEthernet0/3       FAILOVER               192.168.1.1     255.255.255.0   unset
!

Again, I can connect to the firewall via HTTPS.

Did a capture; here is the capture result:

*****
   1: 00:38:53.497471 10.252.253.224.49581 > 10.240.255.250.22: S 4272795231:4272795231(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   2: 00:38:53.497517 10.240.255.250.22 > 10.252.253.224.49581: S 252258861:252258861(0) ack 4272795232 win 8192 <mss 1380>
   3: 00:38:53.524447 10.252.253.224.49581 > 10.240.255.250.22: . ack 252258862 win 64860
   4: 00:38:53.524829 10.240.255.250.22 > 10.252.253.224.49581: FP 252258862:252258862(0) ack 4272795232 win 8192
   5: 00:38:53.524859 10.252.253.224.49581 > 10.240.255.250.22: P 4272795232:4272795279(47) ack 252258862 win 64860
   6: 00:38:53.524905 10.240.255.250.22 > 10.252.253.224.49581: R 252258862:252258862(0) win 8192
   7: 00:38:53.551591 10.252.253.224.49581 > 10.240.255.250.22: . ack 252258863 win 64860
   8: 00:38:53.551683 10.240.255.250.22 > 10.252.253.224.49581: R 252258863:252258863(0) ack 4272795279 win 64860
   9: 00:38:53.551790 10.252.253.224.49581 > 10.240.255.250.22: F 4272795279:4272795279(0) ack 252258863 win 64860
  10: 00:38:53.551851 10.240.255.250.22 > 10.252.253.224.49581: R 252258863:252258863(0) ack 4272795280 win 64860
  11: 00:38:53.551942 10.252.253.224.49581 > 10.240.255.250.22: R 4272795280:4272795280(0) ack 252258863 win 0
************

Also attached is the capture in wireshark format.

***

Already tried deleting and re-generating the crypto keys (didn't help), and I do not have any VPN tunnels built on the firewall.

Any ideas what's wrong with it?

****

Also have done a packet tracer on my traffic to the inside IP of the firewall; it is allowed on port 22.

****

3 Replies

1. Connect to the ASA via console and get in configuration mode.

2. You have to configure a hostname and domain name

FIREWALL(config)# hostname XYZ-FIREWALL

XYZ-FIREWALL(config)# domain-name abc.com

3. You will need to generate an RSA Key Pair since this is needed by the SSH protocol which uses SSL. This can be achieved with the following command:

XYZ-FIREWALL(config)# crypto key generate rsa modulus 1024

After issuing this command and hitting enter, you will see something like the following and you will need to wait:

For >= 1024, key generation could take up to several minutes. Please wait...

4. Next, you will need to save your newly created Keys to flash by typing the following command:

XYZ-FIREWALL# write mem

5. Now, we can tell the ASA exactly which hosts or networks can access the device via SSH. We also need to specify which interface we are allowing access to.

For example, if you have a management PC with internal IP address from 10.240.255.0 and just wanted to allow this subnet to access the ASA on the inside interface, you would issue the following command:

XYZ-FIREWALL(config)# ssh 10.240.255.0 255.255.255.0 inside

6. Enable authentication for the SSH. You can configure LOCAL authentication by configuring a local username/password on the device:

XYZ-FIREWALL(config)# aaa authentication ssh console LOCAL

XYZ-FIREWALL(config)# username xyz password xxxxxxxx encrypted

7. Download a free SSH client (e.g. PuTTY) for connecting to the device.

Note:

1. Please note that, if you are connecting from the inside interface of the firewall for SSH access, there is no INBOUND ACL blocking your SSH connection.

2. Try creating an ACL to allow the SSH connection on the inside interface, and apply it on the inside interface in the inbound direction:

access-list 101 extended permit tcp any any eq ssh

I hope this will help you resolve your issue.

Regards,

Krish

rkumar5
Level 1

Hi Vivek,

The config seems to be fine.

I checked the Wireshark capture and could see the TCP handshake getting completed.

However, soon after the TCP handshake gets completed, the ASA sends the FIN ACK packet, and after that we can see the RST packet.

It seems to be a software issue on the ASA.

Try to gather the debugs for SSH:

debug ssh

And see what output you get.

Also check if you have any entry bound to port 22 on that interface.

This can be checked using:

show xlate | in 22

show asp table socket

show asp table routing

Also send the version of the ASA that is being used

show version

Hope this helps you
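The reasoning in this reply (handshake completes, then the ASA itself sends FIN and RST before any SSH banner) can be checked mechanically. The Python below is an added example, not code from the thread: it parses the ASA's tcpdump-style capture lines quoted earlier and classifies the server's first action after the three-way handshake. It assumes the capture line layout shown above; the sample is the first six packets of the original poster's capture.

```python
import re
from typing import Dict, List
# One ASA "show capture" line: N: time src.port > dst.port: FLAGS [seq:seq(len)] ...
_LINE = re.compile(r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+[\d.]+:\s+"
                   r"(?P<flags>[SFPR.]+)(?:\s+\d+:\d+\((?P<len>\d+)\))?")

def parse_capture(text: str) -> List[Dict]:
    # Separator and blank lines do not match and are skipped; "." means no TCP flags.
    return [{"src": m["src"], "sport": int(m["sport"]), "len": int(m["len"] or 0),
             "flags": set(m["flags"]) - {"."}}
            for m in map(_LINE.match, text.splitlines()) if m]

def diagnose_ssh_flow(pkts: List[Dict], port: int = 22) -> Dict:
    """Report what the SSH server did once the TCP three-way handshake completed."""
    syn = synack = done = False
    first_server_action, server_bytes, client_bytes = None, 0, 0
    for p in pkts:
        from_server = p["sport"] == port
        if not done:                                   # still inside the handshake
            if not from_server and p["flags"] == {"S"}:
                syn = True
            elif from_server and syn and "S" in p["flags"]:
                synack = True
            elif not from_server and synack and not p["flags"]:
                done = True                            # client's final ACK
            continue
        if not from_server:
            client_bytes += p["len"]
            continue
        server_bytes += p["len"]
        if first_server_action is None:
            first_server_action = ("FIN" if "F" in p["flags"] else "RST" if "R" in p["flags"]
                                   else "DATA" if p["len"] else "ACK")
    if not done:
        verdict = "handshake never completed: check ACLs, routing and the ssh allow list"
    elif first_server_action in ("FIN", "RST") and server_bytes == 0:
        verdict = "server closed before sending any SSH banner: the fault is on the ASA"
    else:
        verdict = "server exchanged data: look beyond the TCP layer"
    return {"handshake": done, "first_server_action": first_server_action,
            "client_bytes": client_bytes, "server_bytes": server_bytes, "verdict": verdict}

# First six packets of the capture posted earlier in this thread.
SAMPLE = """\
   1: 00:38:53.497471 10.252.253.224.49581 > 10.240.255.250.22: S 4272795231:4272795231(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
   2: 00:38:53.497517 10.240.255.250.22 > 10.252.253.224.49581: S 252258861:252258861(0) ack 4272795232 win 8192 <mss 1380>
   3: 00:38:53.524447 10.252.253.224.49581 > 10.240.255.250.22: . ack 252258862 win 64860
   4: 00:38:53.524829 10.240.255.250.22 > 10.252.253.224.49581: FP 252258862:252258862(0) ack 4272795232 win 8192
   5: 00:38:53.524859 10.252.253.224.49581 > 10.240.255.250.22: P 4272795232:4272795279(47) ack 252258862 win 64860
   6: 00:38:53.524905 10.240.255.250.22 > 10.252.253.224.49581: R 252258862:252258862(0) win 8192
"""
```

Running `diagnose_ssh_flow(parse_capture(SAMPLE))` on this capture reports a completed handshake, 47 bytes sent by the client (its banner) and zero bytes from the server before its FIN.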

vivekshah666
Level 1

Thanks all for replying on the issue.

Opened a TAC case with Cisco on this.

They asked for the show ssh session output,

given below:

**************************
SID Client IP       Version Mode Encryption Hmac     State            Username
0   3027:8ec8:e009:b09:e1c5:4009:e1ab:37cd
                    0.0     -    -          -        Closed           -
1   3027:8ec8:e009:b09:e1c5:4009:e1ab:37cd
                    0.0     -    -          -        Closed           -
2   3027:8ec8:e009:b09:e1c5:4009:e1ab:37cd
                    0.0     -    -          -        Closed           -
3   3027:8ec8:e009:b09:e1c5:4009:e1ab:37cd
                    0.0     -    -          -        Closed           -
4   3027:8ec8:e009:b09:e1c5:4009:e1ab:37cd
                    0.0     -    -          -        Closed           -
*************************
Further, they found a bug in the 8.03 code for the 5520 ASA;

given below is the URL:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsm68097

***

Fix is to reload the firewall, as that will clear the ssh sessions that are already hanging in there.

************************
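The session table above is the symptom TAC keyed on: every SID is still held by a session that is Closed with no SSH version negotiated. As an added example (not from the thread or from Cisco), the Python below parses the ASA `show ssh sessions` output, folding the continuation line the ASA emits when the client address overflows its column, and lists the SIDs matching that signature so the condition can be spotted before users report it. The "Closed with version 0.0" rule is an assumption taken from this thread; the SID 5 row is constructed to show a normal session is left alone.

```python
from typing import Dict, List

COLUMNS = ["sid", "client_ip", "version", "mode", "encryption", "hmac", "state", "username"]

def parse_ssh_sessions(text: str) -> List[Dict[str, str]]:
    """Parse ASA 'show ssh sessions' output. When the client address is too long
    for its column the remaining fields are wrapped onto an indented continuation
    line; those tokens are folded back into the same entry."""
    sessions, pending = [], []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "SID":
            continue                                  # blank line or header row
        pending = pending + tokens if line[0].isspace() else tokens
        if len(pending) >= len(COLUMNS):
            sessions.append(dict(zip(COLUMNS, pending)))
            pending = []
    return sessions

def hung_sessions(sessions: List[Dict[str, str]]) -> List[str]:
    """SIDs still present in the table although the session is Closed and no SSH
    version was ever negotiated: the assumed signature of the hung sessions that
    this thread says only a reload clears."""
    return [s["sid"] for s in sessions
            if s["state"] == "Closed" and s["version"] == "0.0"]

# Constructed sample: two rows copied from the output posted above plus one
# made-up healthy session (SID 5) with the fields on a single line.
SAMPLE = """\
SID Client IP       Version Mode Encryption Hmac     State            Username
0   3027:8ec8:e009:b09:e1c5:4009:e1ab:37cd
                    0.0     -    -          -        Closed           -
1   3027:8ec8:e009:b09:e1c5:4009:e1ab:37cd
                    0.0     -    -          -        Closed           -
5   10.252.253.224  2.0     IN   aes128-cbc sha1     SessionStarted   admin
"""
```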
