SSH to FMC managed ASA5506-X running FTD stopped working?

I have an ASA5506-X that has been reimaged with FTD code - running the latest 6.2.3.15 version.

It is managed by a FMC that has been upgraded to 6.6. It is working and I can manage it via the FMC, however SSH has stopped working to any of the interfaces. It was working previously and I am not sure what has happened to stop it working.

I only wish to SSH to the management interface (br1) but I just get connection refused. The SSH access-list is configured to allow connections from anywhere (configure ssh-access-list 0.0.0.0/0,::/0). I have tried to SSH using its IPv4 & IPv6 addresses but just get connection refused. Luckily I have an async terminal server so have a console connection via reverse telnet (perfect use for an ancient 2511 I still have..). I have reset the management interface IPv4 address and also changed the SSH access-list in the hope that it would kick it into life, however no luck so far.

I have added an SSH rule to permit SSH connections to any of the data interfaces, however this doesn't work either and I get the same 'connection refused'. It looks like the SSH daemon has stopped? If I access expert mode and issue the command 'netstat -a' I can't see it listening on TCP/22 on either TCP or TCP6. If I issue this command on an FTDv I also have, I can see it listening on TCP/22 (tcp *:ssh & tcp6 [::]:ssh).

If I attempt to restart the ssh daemon I get this:

asa5506-ftd:~$ service sshd restart
/etc/ssh/sshd_config: line 23: Bad configuration option: CiscoSSHCommonCriteriaMode
/etc/ssh/sshd_config: line 37: Bad configuration option: CiscoSSHFipsMode
/etc/ssh/sshd_config: terminating, 2 bad configuration options

So I think there is some corruption somewhere...

Any ideas how I fix this without re-imaging it?

2 Replies

Hmm, fixed it but think I've found a bug with FMC 6.6 when handling older FTDs.....

I managed to su to root and edit the /etc/ssh/sshd_config file and comment out the offending two lines:

CiscoSSHCommonCriteriaMode no
CiscoSSHFipsMode no

Now the ssh daemon will start and I can ssh to it OK.

What I think is happening is the FMC is adding these two lines to the sshd_config file and the ssh daemon version in FTD 6.2 doesn't support them and bails.

Oh dear.

Edit: Bug ID: CSCvs84578
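The manual fix above (comment out the directives sshd rejects, restart) can be scripted so that only the line numbers sshd itself complains about are touched and a backup is kept. This is an added example, not code from the thread or from Cisco. It assumes the daemon's diagnostics were saved to a file in the format quoted above (`<file>: line <N>: Bad configuration option: <Directive>`), for instance with `sshd -t -f /etc/ssh/sshd_config 2> sshd.err` or by capturing the output of the failed restart; the file names, the sample sshd_config and the sample diagnostics in the demo are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): comment out exactly the sshd_config
# lines that sshd reported as "Bad configuration option", after backing the
# file up, so the daemon can be restarted without a reimage.

# Print, one per line, the line numbers sshd rejected.
# $1 = file holding sshd's diagnostic output.
bad_option_lines() {
    sed -n 's/^.*: line \([0-9][0-9]*\): Bad configuration option: .*$/\1/p' "$1"
}

# Comment out the given line numbers (space separated in $2) in config $1.
# A full-line "#" prefix is used because sshd treats such lines as comments;
# the original text is kept so the change is obvious and reversible.
comment_out_lines() {
    cfg=$1
    lines=$2
    cp "$cfg" "$cfg.bak" || return 1
    awk -v lines="$lines" '
        BEGIN { n = split(lines, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        (NR in skip) { print "#" $0 "   # disabled: unsupported by this sshd"; next }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Workflow: read the saved diagnostics ($2), fix only what was reported in
# config $1. Returns 1 when nothing actionable was found (so nothing is changed).
repair_sshd_config() {
    cfg=$1
    diag=$2
    lines=$(bad_option_lines "$diag" | tr '\n' ' ')
    [ -n "$lines" ] || return 1
    comment_out_lines "$cfg" "$lines"
}

# Offline demo on a constructed config and constructed diagnostics.
# Prints the patched config and the directory holding it and the backup.
demo() {
    dir=$(mktemp -d) || return 1
    cfg="$dir/sshd_config"
    diag="$dir/sshd.err"
    # Constructed sample: lines 2 and 4 carry the directives the post hit.
    printf '%s\n' 'Port 22' 'CiscoSSHCommonCriteriaMode no' 'PermitRootLogin no' \
        'CiscoSSHFipsMode no' 'PasswordAuthentication yes' > "$cfg"
    # Constructed diagnostics in the format sshd printed in the post.
    printf '%s\n' \
        "$cfg: line 2: Bad configuration option: CiscoSSHCommonCriteriaMode" \
        "$cfg: line 4: Bad configuration option: CiscoSSHFipsMode" \
        "$cfg: terminating, 2 bad configuration options" > "$diag"
    repair_sshd_config "$cfg" "$diag" || return 1
    cat "$cfg"
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run `sh repair.sh --demo` to see the patched sample; on the box the same functions would be pointed at /etc/ssh/sshd_config and the captured error output, followed by `service sshd restart`. Because only reported line numbers are touched, a mismatch between the diagnostics and the current file (edited since the capture) will comment out the wrong lines, so capture fresh diagnostics immediately before running it. As the next reply notes, this is a workaround; the released patch is the proper fix.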

 

 

 

This is a known bug in 6.2.3.15. Look at the Cisco download page, there is a patch which Cisco released for this. Apply it from FMC to FTD and reload the unit.

***** please remember to rate useful posts