2326 Views | 0 Helpful | 18 Replies

Unable to SSH server from ASA

mahesh18
Level 6

Hi everyone,

The ASA has 2 interfaces, say x and y.

From interface x, when on subnet say 171.31.0.0 mask /24, I am able to SSH to the server.

The ASA shows hit counts.

When on subnet 171.23 SSH does not work. The logs show TCP Reset-O; that's from interface y.

Both subnets connect from interface x to the server, which is on ASA interface y.

I checked the IP on interface x; it shows 171.15.0.0/12.

Thanks

Mahesh

6 Accepted Solutions


Hi,

I would imagine that you have some "object-group network" or "object network" or some such object used in the ACL, and when you hold your mouse over the object it shows the IP address/network configured under it.

I can't really say for sure as I don't use ASDM in general.

- Jouni

Ok,

Glad it's working now.

It seems that the firewall that is in between is either an ASA that is configured differently from the default operation OR it's a firewall from a different manufacturer.

ASA firewalls by default don't send a TCP Reset to connections that they block (BUT they can be configured to do this). By default the connection will simply time out and your ASA would then have seen a Teardown message with SYN Timeout (instead of TCP Reset-O). It seems that this firewall in between just immediately resets the TCP connection if it's not allowed according to the firewall's rules.

- Jouni

18 Replies

Jouni Forss
VIP Alumni

Hi Mahesh,

Could you perhaps share some ASA configurations and/or the log messages you are seeing?

Are you saying that from the first subnet you get hit counts in the ACL and the SSH connection through the ASA works? Are you seeing hit counts on the ACL when connecting from the other subnet behind x?

When you talk about a TCP Reset-O from the direction of y, it would seem to me that the actual server is not allowing this connection and the ASA might not have anything to do with blocking the connection or the connection failing.

Perhaps the actual server has restrictions on where it can be connected from? Like some local software firewall?

- Jouni

Hi Jouni,

The ASA has 2 interfaces, and when I try from my subnet it works fine.

I can see the hit counts on interface X of the ASA.

The connection to the server goes out via interface Y of the ASA.

When the user tries from his subnet, the connection goes via interface X and goes to the server via interface Y of the ASA.

I can see in the logs the TCP connection build up, and after a second I see the TCP connection teardown in the logs.

It also shows TCP Reset-O, which points to interface Y of the ASA where the server is connected.

I need to confirm with you whether the server is not allowing the connection to the user subnet or whether it is the ASA.

The X interface of the ASA, when I click on it in ASDM, shows subnet 171.16.10.0/15.

I need to know if the user IP is included in this subnet.

Thanks

Mahesh

Hi,

You are giving totally different subnets in both of your posts. It would be easier to see the actual configurations and the log messages you are seeing. Otherwise we will probably just spend time guessing what is actually happening.

Network 171.16.0.0/15 would mean addresses between 171.16.0.0 - 171.17.255.255

Network 171.15.0.0/12 would mean addresses between 171.0.0.0 - 171.15.255.255

- Jouni

Hi Jouni,

I am currently away; I will show you the log in an hour if you are still awake.

I will also confirm the actual subnets.

Thanks

Mahesh

Ok,

Let us know when you get the information.

- Jouni

Hi Jouni,

Here are the logs of the user

MDT    170.31.100.11     %ASA-6-302014: Teardown TCP connection 27307345 for Y:170.24.156.5/22 to X:170.30.252.62/51017 duration 0:00:00 bytes 0 TCP Reset-O

5        170.31.100.11    %ASA-6-302013: Built outbound TCP connection 27307345 for Y:170.24.156.5/22 (170.24.156.5/22) to X:170.30.252.62/51017 (170.30.252.62/51017)

4        170.31.100.11     %ASA-6-302014: Teardown TCP connection 27307276 for Y:170.24.156.5/22 to X:170.30.252.62/51017 duration 0:00:00 bytes 0 TCP Reset-O

3        170.31.100.11    : %ASA-6-302013: Built outbound TCP connection 27307276 for Y:170.24.156.5/22 (170.24.156.5/22) to X:170.30.252.62/51017 (170.30.252.62/51017)

2        170.31.100.11    %ASA-6-302014: Teardown TCP connection 27307257 for Y:170.24.156.5/22 to X:170.30.252.62/51017 duration 0:00:00 bytes 0 TCP Reset-O

1        170.31.100.11    : %ASA-6-302013: Built outbound TCP connection 27307257 for Y:170.24.156.5/22 (170.24.156.5/22) to X:170.30.252.62/51017 (170.30.252.62/51017)

Where 170.30.252.62 is the user PC

170.24.156.5 is the server IP.

When I click on the ASDM interface of the FW it shows 170.16.0.0/12.

Thanks

Mahesh

Hi,

It seems to me that the server to which you are trying to connect with SSH might be terminating the TCP connection.

So I would check the server settings first to see if it's blocking the connection according to some settings or perhaps because of some software firewall.

If you want to get more information about this connection you could do a capture.

access-list SSH-CAPTURE permit ip host 170.30.252.62 host 170.24.156.5

access-list SSH-CAPTURE permit ip host 170.24.156.5 host 170.30.252.62

capture SSH-CAPTURE type raw-data access-list SSH-CAPTURE interface X buffer 1000000 circular-buffer

Then check the capture contents after test with

show capture SSH-CAPTURE

And possibly load the capture to a TFTP server with the command

copy /pcap capture:SSH-CAPTURE tftp://x.x.x.x/SSH-CAPTURE.pcap

And you could then attach it to this discussion if needed.

- Jouni

Hi Jouni,

So with the other subnet it works fine; the IP on that subnet is 170.31.24.106.

So one thing to confirm with you: I read that whenever you get TCP Reset-O it means that the lower security side has terminated the connection, and Y has lower security than X.

So is it always the rule that Reset-O comes from the lower security device and the culprit is not the firewall?

I will check if I can run a packet capture tomorrow.

Jouni, when I click on the X interface in ASDM it shows the IP as 170.16.0.0/12. Do you know why this is?

Thanks

Mahesh

Hi,

Yes, TCP Reset-O should mean that the TCP Reset came from the host on the interface with the lower "security-level".

TCP Reset-I would mean that the TCP Reset came from the host on the interface with the higher "security-level".

I would imagine that the server might block the connection based on its own configuration and reset the whole SSH connection attempt. As you can see there is no data transmitted between the hosts, as the counter says "0", and also the duration is "0", which means that the connection was reset pretty much right away when the server received it.

I am not sure what you mean with the ASDM interface thing.

Can you perhaps share a screenshot of what you are seeing? I don't use ASDM that much so I can't give you an answer without seeing the actual situation.

My own ASA firewall's ASDM "Home" view lists the ASA interfaces and their IP addresses and network masks.

- Jouni

Hi Jouni,

When you say the counter says zero, does it mean bytes 0?

Also, when we have an SSH connection established via the ASA and all is good, then we should see some number in bytes when the connection is established?

Thanks

Mahesh

Hi,

Yes, the data counter in the Teardown message says that 0 bytes were transmitted on the connection in question before it was torn down by the ASA.

And the duration counter says that the connection was torn down in under a second, since it says 0:00:00.

Take for example one connection Teardown message from my own ASA

Apr 24 2013 04:21:20 ASA : %ASA-6-302014: Teardown TCP connection 1979132 for WAN:x.x.x.x/443 to LAN:10.0.0.100/61529 duration 0:00:50 bytes 6517 TCP FINs

The duration says that the connection was up for 50 seconds. The other counter also says that 6517 bytes were transmitted on the TCP connection in question.

If you want to see how much data has been transferred on a connection that is STILL ACTIVE on the ASA then you could use this command. Again using my own ASA as an example

ASA(config)# sh conn long | inc 10.0.0.100

TCP WAN:x.x.x.x/443 (x.x.x.x/443) LAN:10.0.0.100/61472 (y.y.y.y/61472), flags UIO, idle 41s, uptime 13m21s, timeout 1h0m, bytes 64378

10.0.0.100 is my computer

The above for example says that

  • There is an HTTPS connection from my LAN to the WAN (Internet)
  • The TCP connection is fully formed because there is TCP flag U
  • The TCP connection has seen data in both directions. TCP flag I for input and TCP flag O for output
  • The TCP connection has been up for 13 minutes and 21 seconds
  • The TCP connection will time out in 1 hour if there is no traffic
  • So far 64378 bytes have been transmitted on this TCP connection
  • The TCP connection has been idle for 41 seconds before this output was taken

You can also use these commands (using my computer IP as example)

show conn long address 10.0.0.100

show local-host 10.0.0.100 detail

- Jouni
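As an added example (not code from the thread or from Cisco), here is a small parser for the %ASA-6-302014 Teardown messages discussed above that pulls out the duration, byte counter and teardown reason, and flags the pattern seen in Mahesh's logs: a TCP Reset-O/Reset-I with 0 bytes and 0 seconds, meaning the peer refused the session before any SSH data flowed and the logging ASA was not the blocker. The sample lines are constructed from the messages quoted in the thread; the "SYN Timeout" line (connection 4242, 203.0.113.9) is made up to show the default ASA behaviour Jouni describes in his last reply.

```python
import re

# Constructed sample lines modelled on the %ASA-6-302014 messages quoted in this thread;
# the "SYN Timeout" line is made up to show what a silently dropping firewall produces.
SAMPLE_LOGS = [
    "%ASA-6-302014: Teardown TCP connection 27307257 for Y:170.24.156.5/22 to X:170.30.252.62/51017 duration 0:00:00 bytes 0 TCP Reset-O",
    "%ASA-6-302014: Teardown TCP connection 1979132 for WAN:x.x.x.x/443 to LAN:10.0.0.100/61529 duration 0:00:50 bytes 6517 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 4242 for WAN:203.0.113.9/22 to LAN:10.0.0.100/61600 duration 0:00:30 bytes 0 SYN Timeout",
]

TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<if_a>[^:\s]+):(?P<addr_a>[^/\s]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>[^:\s]+):(?P<addr_b>[^/\s]+)/(?P<port_b>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d{2}):(?P<s>\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

def parse_teardown(line):
    """Fields of a 302014 message as a dict, or None if the line is some other message."""
    m = TEARDOWN.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "conn_id": int(f["conn_id"]),
        "interfaces": (f["if_a"], f["if_b"]),
        "duration_s": int(f["h"]) * 3600 + int(f["m"]) * 60 + int(f["s"]),
        "bytes": int(f["bytes"]),
        "reason": f["reason"],
    }

# Teardown reasons as Jouni explains them in this thread.
VERDICT = {
    "TCP Reset-O": "RST sent by the host on the lower security-level interface",
    "TCP Reset-I": "RST sent by the host on the higher security-level interface",
    "SYN Timeout": "no SYN/ACK came back; something in the path dropped the SYN silently",
    "TCP FINs": "normal close",
}

def classify(td):
    """Return (verdict, immediate). immediate is True for a reset with 0 bytes and 0 seconds:
    the session was refused before any SSH data flowed, so the logging ASA did not block it."""
    reason = td["reason"]
    immediate = reason.startswith("TCP Reset") and td["bytes"] == 0 and td["duration_s"] == 0
    return VERDICT.get(reason, "other: " + reason), immediate

def immediate_resets(lines):
    """Connection IDs torn down by an immediate, data-less reset, as in Mahesh's logs."""
    return [td["conn_id"] for td in map(parse_teardown, lines) if td and classify(td)[1]]
```

Feed it a `show logging` export and the returned connection IDs are the sessions worth matching against the corresponding 302013 Built messages and the capture Jouni suggests.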

Hi Jouni,

Here is the ASDM

where you see outside - incoming rules, you see a PC icon just before the IP 192.168.0.0.

When I click on the PC icon I see 170.16.0.0/12 there on the X interface of the ASA.

Hi,

I don't really know what is showing such an output.

I also can't see 192.168.0.0 anywhere in the picture.

- Jouni

Hi Jouni,

That pic is from my ASA, which I gave you as an example; on the other ASA, when I click on the screen, I see a 170.x.x.x/12 subnet.

This is what I mean to say.

Thanks

Mahesh
