SSH not working after upgrade

I have an ASA5510 which was running version 8.31. SSH was working fine on version 8.31, but since I upgraded it to version 8.41, SSH stopped working. I would appreciate it if someone could help me.

Thanks,

Lake

Have you tried re-generating the crypto key?

If not, then please try the following:

crypto key zeroize rsa

then

crypto key generate rsa general-keys modulus 1024

Also, make sure the ssh commands are still in the configuration.

Hello Lakeram

Please follow the checklist given in this document to verify we have everything required for SSH:

https://supportforums.cisco.com/docs/DOC-13012

Cisco TAC is looking into this, as a few more customers have experienced the same and it seems to be a new bug/issue.

Please post the following outputs for further investigation :

1) Sh run ssh //To ensure SSH is enabled & allowed.
2) sh cry mypubkey rsa //To find whether a RSA key-pair is installed.
3) sh asp table socket //To make sure the firewall is listening on TCP 22

If you have a TAC contract with this device, please open a service request or reply back with the serial number/CCO ID. If not, post the outputs here.

Hope this helps. Please reply back if you need any further assistance.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

Hello,

Cisco TAC has filed a bug for ASA 8.4.1 stating behaviour "Unable to SSH after upgrade to ASA 8.4.1".

Here is the bug id: CSCtn75060


Possible Unconfirmed Workarounds:
- Reloading the ASA
- Possibly doing a 'shut' and 'no shut' on the interface

Hope this helps. Please reply back if you need any further assistance.

Regards,
Chirag
P.S.: Please mark this thread as answered if you feel your query is answered. Do rate helpful posts.

Thanks for the heads-up Chirag.

Harry informed me that the reload didn't seem to help. Hence, I attempted to zeroise and regenerate the RSA keys on the ASA that was refusing the SSH attempts.

A reload after regenerating the RSA keys eventually fixed the issue.

Apparent Workaround: Regenerate the RSA keys and then reload the firewall.

@Harry: Please do mark the post 'Answered' so that this discussion can be referenced for future use.

Regards,

Sundar Sreenivasan

Hi Guys,

If I am not mistaken, the socket stays on close pending, and if you try to enable SSH on another interface it says that the port is already in use. Has anybody tried to take out the commands completely and put them back again?

Mike Rojas

Mike

Hi Mike,

Yep, I had tried that for one of the customers but no luck. Re-generating the keys and redoing the config didn't help at all. But for Sundar/Lakeram, regenerating the keys and a reload together helped. Still, there is no confirmed workaround from the developers.

Hope this helps.

Regards,
Chirag

I appreciate all your help.

It is now working as per Sundar's email

Thanks,

Lake
