suddenly cant do ssh to ASA box

kthned
Level 3

Hi

I have 2x ASA 5585 configured with multiple contexts, running the 9.4(1) code base. During the weekend I suddenly lost SSH access to the active ASA.

ssh ASA.ip

ssh_exchange_identification: Connection closed by remote host

debug ssh on the firewall gives 

Device ssh opened successfully.
SSH1: SSH client: IP = 'x.x.x.x' interface # = 262147
SSH: unable to retrieve default host public key. Please create a default RSA key pair before using SSH
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"

sh crypto key mypubkey rsa
Key pair was generated at: 09:15:48 CEDT Oct 8 2012
Key name: <Default-RSA-Key>
Usage: General Purpose Key
Modulus Size (bits): 2048
Key Data:

I already have an RSA public key for SSH. But when I re-created it, it is still failing...

crypto key generate rsa modulus 2048
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: yes
Keypair generation process begin. Please wait...
% Attempt to generate RSA keys failed:

Two questions !

1. Any clue why I lost the SSH service? I also cannot connect via ASDM. Is it due to the old RSA key generated Oct 8 2012? A bug?

2. Will zeroizing the SSH key do the job?

Thanks in advance !

//Umair

16 Replies

Marvin Rhoads
Hall of Fame

Was there perhaps a failover event and the secondary active unit does not have an RSA key?

"show failover history" and check for recent failover.

I'd open a TAC case if 30 minutes of checking didn't reveal an obvious answer.

Have you made sure that all relevant SSH and AAA config is present? Perhaps someone has removed the config by accident.

show run ssh

show run aaa

--

Please remember to select a correct answer and rate helpful posts

Nothing changed in the SSH or AAA configurations :(

Hi,

Since you have lost access to ASDM as well it seems some piece of config is missing.

Could you share the config of the active ASA ?

Regards,

Aditya

Here is the ssh config from active context

/admin/act(config)# sh running-config ssh

ssh stricthostkeycheck
ssh 172.32.17.0 255.255.255.0 outside
ssh timeout 15
ssh key-exchange group dh-group1-sha1

Interestingly, the ASA is listening on the ports:

admin/act(config)# show asp table socket
Protocol  Socket    State      Local Address          Foreign Address
TCP       02f2f108  LISTEN     172.18.10.39:22        0.0.0.0:*
SSL       02f2f6c8  LISTEN     172.18.10.39:443       0.0.0.0:*
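The two observations in this post and the opening one fit together: the TCP/22 socket is in LISTEN state, the client's TCP handshake completes, and the ASA then drops the session before it ever sends an SSH identification string, which is what the OpenSSH client reports as "ssh_exchange_identification: Connection closed by remote host". Because this happens before any key exchange, neither the configured `ssh key-exchange group` nor the RSA host key is negotiated yet; the ASA debug shows the host-key lookup failing first. The probe below reproduces that classification from the client side. It is an added example, not code from the original post or from Cisco; the fake server, the `FakeASA_demo` banner and the loopback addresses are constructed for the demo.

```python
"""Classify what an SSH server does right after the TCP handshake.

Added example (not from the original post or from Cisco). It separates the
cases a practitioner sees from the client:
  - TCP connect fails            -> ACL, routing, or nothing listening
  - connect OK, closed, no banner -> the thread's symptom
  - connect OK, SSH-x.y banner    -> healthy SSH daemon
The fake server below is a constructed stand-in for the firewall.
"""
import socket
import threading


def probe_ssh(host, port=22, timeout=5.0):
    """Return one of:
      "refused-or-filtered"   TCP connect failed (ACL, route, no listener)
      "closed-before-banner"  connected, peer closed without an SSH banner
      "no-banner-timeout"     connected, peer stayed silent for `timeout` s
      "banner:SSH-..."        a healthy server, with its identification line
      "unexpected:..."        something other than an SSH banner came back
    Per RFC 4253 the server sends its identification string unprompted,
    so the probe sends nothing and only reads."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused-or-filtered"
    with sock:
        try:
            data = sock.recv(255)
        except socket.timeout:
            return "no-banner-timeout"
        except OSError:            # ECONNRESET and friends
            return "closed-before-banner"
    if not data:                   # clean FIN, zero bytes of banner
        return "closed-before-banner"
    line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    if line.startswith("SSH-"):
        return "banner:" + line
    return "unexpected:" + line


def start_fake_asa(mode):
    """Constructed stand-in for the firewall on 127.0.0.1 (demo only).
    mode="broken":  accept the connection and close it at once, like the
                    ASA in the thread (socket LISTENs, session dropped).
    mode="healthy": send an SSH-2.0 identification line, then close.
    Returns the ephemeral port so probe_ssh can be pointed at it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if mode == "healthy":
                conn.sendall(b"SSH-2.0-FakeASA_demo\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for mode in ("broken", "healthy"):
        print(mode, "->", probe_ssh("127.0.0.1", start_fake_asa(mode)))
```

Pointed at the real management address, a "closed-before-banner" result together with a LISTEN socket in `show asp table socket` tells you the problem is inside the SSH server (host key or crypto), not in the `ssh` ACL or the path to the firewall; "refused-or-filtered" would point the other way.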

Do you see a username prompt when you SSH?

Please share the output of show run all ssl.

It actually gives the same output.

As I wrote earlier, when I SSH to the ASA the response is the following and I do not get any prompt. Generating the key also failed, as discussed in the first post.

ssh ASA.ip

ssh_exchange_identification: Connection closed by remote host

admin/act# sh running-config all ssl
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group2
ssl ecdh-group group19
ssl certificate-authentication fca-timeout 2

Hi Aditya

I think the ASA is hit by the following:

ASA5585 ASA-3-402148: CRYPTO: Random Number Generator error
CSCuw36581
sh log gives exactly the same error, which started just today!
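The syslog message above is the one signal in this thread that a detection pipeline can catch before anyone notices that SSH is gone. The scanner below parses the `%ASA-<severity>-<message-id>:` prefix of ASA syslog and counts the 402148 RNG error per firewall, alongside a generic severity rollup. It is an added example, not code from the original post or from Cisco; the log lines, hostnames and the benign filler messages are constructed for the demo, and only the 402148 message text is taken from the thread.

```python
"""Scan Cisco ASA syslog for the RNG failure reported in the thread.

Added example (not from the original post or from Cisco). SAMPLE_LOG is
constructed for the demo; the ASA-3-402148 text comes from the thread, the
other message IDs are benign filler in the usual ASA syslog shape.
"""
import re
from collections import Counter

# "%ASA-<severity 0..7>-<six-digit id>: <text>" is the fixed part of every
# ASA syslog message; severity 0 is the most severe, 7 is debugging.
ASA_MSG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Optional "Mon DD YYYY HH:MM:SS [device-id] :" prefix, as emitted with
# `logging timestamp` and `logging device-id hostname` (format assumed).
PREFIX = re.compile(
    r"^(?:<\d+>)?\w{3}\s+\d+\s+\d{4}\s+\d\d:\d\d:\d\d\s*"
    r"(?:(?P<host>[\w.-]+)\s+)?:\s*%ASA-"
)

RNG_ERROR_ID = "402148"   # CRYPTO: Random Number Generator error (from the thread)


def parse_asa_line(line):
    """Return {host, severity, msgid, text} or None for non-ASA lines."""
    m = ASA_MSG.search(line)
    if not m:
        return None
    p = PREFIX.match(line)
    host = p.group("host") if p and p.group("host") else "unknown"
    return {
        "host": host,
        "severity": int(m.group("sev")),
        "msgid": m.group("msgid"),
        "text": m.group("text").strip(),
    }


def find_rng_errors(lines):
    """{host: count} of 402148 messages. On the ASA in the thread this
    message coincided with loss of SSH and ASDM and a failing
    'crypto key generate rsa', so one hit is worth paging on."""
    hits = Counter()
    for line in lines:
        rec = parse_asa_line(line)
        if rec and rec["msgid"] == RNG_ERROR_ID:
            hits[rec["host"]] += 1
    return dict(hits)


def severity_rollup(lines, max_severity=3):
    """{(host, msgid): count} for messages at severity <= max_severity
    (errors and worse), a cheap triage view over a log batch."""
    out = Counter()
    for line in lines:
        rec = parse_asa_line(line)
        if rec and rec["severity"] <= max_severity:
            out[(rec["host"], rec["msgid"])] += 1
    return dict(out)


# Constructed sample log; hostnames and addresses are made up for the demo.
SAMPLE_LOG = [
    "Jan 10 2016 03:12:44 fw-edge-1 : %ASA-6-302013: Built inbound TCP connection 4711 "
    "for outside:172.32.17.5/52111 (172.32.17.5/52111) to identity:172.18.10.39/22 (172.18.10.39/22)",
    "Jan 10 2016 03:13:01 fw-edge-1 : %ASA-3-402148: CRYPTO: Random Number Generator error",
    "Jan 10 2016 03:13:02 fw-edge-1 : %ASA-6-302014: Teardown TCP connection 4711 "
    "for outside:172.32.17.5/52111 to identity:172.18.10.39/22 duration 0:00:18 bytes 0 TCP Reset-I",
    "Jan 10 2016 03:15:30 fw-edge-1 : %ASA-3-402148: CRYPTO: Random Number Generator error",
    "Jan 10 2016 03:16:07 fw-edge-2 : %ASA-3-402148: CRYPTO: Random Number Generator error",
    "some unrelated line from another appliance",
]

if __name__ == "__main__":
    print("RNG errors per firewall:", find_rng_errors(SAMPLE_LOG))
    print("severity<=3 rollup:", severity_rollup(SAMPLE_LOG))
```

In a real deployment the same two functions run over the syslog feed from `logging host`; the rollup is there so that a new message ID at severity 3 or lower still surfaces even when it is not one you have written a specific rule for.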

Hi,

Yes, if you are seeing this log message then in most cases the device has to be replaced.

Could you please upgrade the box to the latest interim version of the 9.5.2 code, which would be asa952-6-smp-k8.bin?

Regards,

Aditya

Please rate helpful posts.

Hi Aditya

Thanks for your response. What do you mean by "device has to be replaced"?

Do you have any idea why that happens? Is it a hardware failure?

Shall I go for a restart first?

Hi,

By replacing the device I mean getting an RMA for this ASA, if you have a valid contract with Cisco.

Before that I would request you to upgrade to asa952-6-smp-k8.bin and check; if it does not fix it, then please go ahead with the RMA option.

Regards,

Aditya

Hi again

Thanks for your help.

Actually, the bug fixed in this version does not point to my specific problem; however, they mention SSL fixes. I have two firewalls and both have the same SSH problem. In fact the standby firewall is accessible via HTTPS (ASDM) but not SSH, which is the complete opposite of what's written in CSCux45179:

3) Can't login to ASDM
4) SSH management is operational, however.

Can you check the DMA pool stats from show memory detail? Were you getting any alarms about low memory?
