
Unable to SSH to ASA 5525-X

BeckyBoo123
Beginner

Hi,

I have four admin users on my ASA all with level 15 access but not of them are able to SSH to my device.

I have checked SSH settings and it is allowed.

 

(attached screenshot: SSH.JPG)

Is there anything I could have overlooked? I'm sure this has worked in the past as the device is over 5 years old.

 

Thanks in advance.

 

 


Rob Ingram
VIP Expert

Hi @BeckyBoo123 

Are the users even prompted to authenticate?

 

If not it could be you are connecting from a network/IP address that is not permitted to SSH to the ASA. See this really old guide

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/69373-ssh-inside-out-pix7x.html

 

See the section of the guide "Configuration with ASDM 6.x" - step number 6. From here you need to define the networks/ip addresses permitted to connect to the ASA using ssh.

 

HTH
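Rob's question ("are the users even prompted?") is the right first split, and it can be answered from the client without any access to the ASA. The probe below is an added example, not code from the thread or from Cisco: it opens TCP/22 and looks only at what happens before the SSH banner. A connection that never opens points at the ssh ACL, routing or nothing listening; a connection that opens and is closed before any "SSH-2.0-..." line is what a client reports as "Server unexpectedly closed network connection"; a banner means the SSH server is alive and the problem is further along (ACL on the source, aaa, credentials). The fake servers and the "SSH-2.0-Cisco-1.25" banner string are constructed for the demo.

```python
"""Classify an SSH endpoint at the TCP/banner level, before any authentication.

Added example, not code from the original thread. It separates the cases
Rob asks about: the client may never reach the ASA, may reach it and be
dropped before the SSH banner, or may get a banner and fail later at auth.
The fake servers and the "SSH-2.0-Cisco-1.25" banner are constructed.
"""
import socket
import threading

SSH_PORT = 22          # assumption: the ASA in the thread listens on the default port
DEFAULT_TIMEOUT = 3.0  # seconds; an ASA that silently drops the SYN shows up as a timeout


def probe_ssh(host, port=SSH_PORT, timeout=DEFAULT_TIMEOUT):
    """Return (outcome, detail) for host:port.

    outcome is one of:
      "no-tcp"               connect refused or timed out: ACL, routing, nothing listening
      "closed-before-banner" TCP opened, peer closed before sending "SSH-..."; this is
                             what a client reports as "Server unexpectedly closed network
                             connection" and matches an ASA with ssh configured but no RSA key
      "silent"               TCP opened, no banner within the timeout
      "banner"               identification string received; the SSH server is alive,
                             so look at the ssh ACL and aaa configuration next
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # ConnectionRefusedError and the connect timeout are both OSError
        return ("no-tcp", f"{type(exc).__name__}: {exc}")
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(255)
        except socket.timeout:
            return ("silent", "no data within timeout")
        except OSError as exc:  # e.g. ConnectionResetError
            return ("closed-before-banner", f"{type(exc).__name__}: {exc}")
        if not data:
            return ("closed-before-banner", "peer sent FIN before any banner")
        first_line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
        if first_line.startswith("SSH-"):
            return ("banner", first_line)
        return ("unexpected", first_line)


def start_fake_server(behaviour):
    """Constructed local stand-in: "close" drops the session with no banner
    (the no-host-key symptom); "banner" sends an SSH identification string.
    Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            if behaviour == "banner":
                conn.sendall(b"SSH-2.0-Cisco-1.25\r\n")  # constructed banner
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def unused_port():
    """Bind-and-release an ephemeral port so a connect to it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo():
    """Probe the three constructed cases; returns {case: outcome}."""
    return {
        "refused": probe_ssh("127.0.0.1", unused_port(), timeout=1.0)[0],
        "closed": probe_ssh("127.0.0.1", start_fake_server("close"), timeout=1.0)[0],
        "banner": probe_ssh("127.0.0.1", start_fake_server("banner"), timeout=1.0)[0],
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:8} -> {outcome}")
```

Against a real target, call probe_ssh("<asa-ip>") from the client that is failing; ssh -v shows the same split by hand, since a healthy server prints its remote protocol version line before any authentication exchange starts.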

 

Hi @Rob Ingram 

 

Thank you for the swift reply!

No, no authentication prompt at all is being received. Just says "Server unexpectedly closed network connection".

 

I've checked the settings that you mentioned and all looks good.

 

(attached screenshot: ASA.JPG)

I am also seeing the following message when I try to connect:

 

%ASA-6-106015: Deny TCP (no connection) from IP_address/port to 
IP_address/port flags tcp_flags on interface interface_name.
The ASA discarded a TCP packet that has no associated connection in the ASA connection table. The ASA looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is no existing connection, the ASA discards the packet. 

 A quick Google of this error seems rather complex.
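The 106015 definition quoted above is easier to use when the syslog is filtered down to the client and port in question. The script below is an added example (not from the thread or from Cisco) that parses that message format, keeps only drops toward TCP/22 and groups them by client so the flags can be inspected. The sample lines are constructed to follow the documented layout; 10.11.9.204 is the poster's client address, the other addresses, ports and the interface names are made up.

```python
"""Extract %ASA-6-106015 denies toward the SSH port from ASA syslog text.

Added example, not from the original thread. The sample lines are
constructed to follow the message format quoted above; 10.11.9.204 is the
poster's client address, the other addresses and ports are made up.
"""
import re
from collections import defaultdict

# Field layout of the message; the ASA prints one or two spaces after the flags.
ASA_106015 = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)

# Constructed sample syslog: three drops from the poster's client toward TCP/22,
# one unrelated drop toward 443, and one non-106015 line that must be ignored.
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 10.11.9.204/51234 to 10.11.1.1/22 flags ACK  on interface LAN
%ASA-6-106015: Deny TCP (no connection) from 10.11.9.204/51234 to 10.11.1.1/22 flags FIN ACK  on interface LAN
%ASA-6-106015: Deny TCP (no connection) from 10.11.9.204/51236 to 10.11.1.1/22 flags ACK  on interface LAN
%ASA-6-106015: Deny TCP (no connection) from 192.0.2.50/40000 to 198.51.100.7/443 flags ACK  on interface outside
%ASA-6-302013: Built inbound TCP connection 4711 for LAN:10.11.9.204/51238 (10.11.9.204/51238) to identity:10.11.1.1/22 (10.11.1.1/22)
"""


def parse_106015(line):
    """Return the fields of one 106015 line as a dict, or None for any other line."""
    m = ASA_106015.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = tuple(rec["flags"].split())
    return rec


def ssh_denies_by_client(log_text, ssh_port=22):
    """Group 106015 drops toward ssh_port by client IP.

    Each entry is (client_port, flags, interface). Per the message definition,
    these packets arrived without SYN and without a matching connection-table
    entry, so they are not SYNs being blocked by the ssh ACL: either the ASA
    had already torn the session down, or the packets came in on a path where
    the ASA never saw the SYN (asymmetric routing).
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_106015(line)
        if rec and rec["dport"] == ssh_port:
            by_client[rec["src"]].append((rec["sport"], rec["flags"], rec["iface"]))
    return dict(by_client)


def only_non_syn(entries):
    """True when none of the grouped drops carried SYN (the expected 106015 shape)."""
    return all("SYN" not in flags for _, flags, _ in entries)


if __name__ == "__main__":
    for client, entries in ssh_denies_by_client(SAMPLE_LOG).items():
        print(client, len(entries), "drops, non-SYN only:", only_non_syn(entries))
```

Feed it the output of show logging (or the syslog collector's export) instead of SAMPLE_LOG; a client that appears here with only ACK/FIN flags on port 22 has completed a handshake, which is a different problem from a client whose SYNs never get through.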

ASA-6-106015: Deny TCP (no connection) from IP_address/port to 
IP_address/port flags tcp_flags on interface interface_name.

This looks to me like a routing issue. What is your client IP address?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @balaji.bandi 

 

I think you may be right. My client IP is 10.11.9.204 and that appears in the log entry.

 

(attached screenshot: 22.JPG)

 

I am unable to SSH to the device from where I am to check if the lines you asked about are present.

Is this the only device? You need to find another device with a different IP that is able to SSH, or we need to get into the console to pull the information.

 

Note: I saw the ASDM picture. Are you able to use ASDM (from the IP mentioned)?

 

BB


@balaji.bandi I have just tried to connect from another device (which is actually on the same network) and that too fails.

 

Yes I am able to access everything on the ASDM from my IP.

Hi @BeckyBoo123,

Could you please check the output (from console) of 'show asp table socket'? We expect to see that the device is listening on TCP/22.

Please also check the outputs:

  • 'show run ssh', which should display SSH configuration
  • 'show run aaa', to confirm authentication for SSH is configured
  • 'show crypto key mypubkey rsa', to confirm that your SSH keys are present

BR,

Milos

@Milos_Jovanovic Sorry but the ASA is physically in a different location. I cannot console in at the moment. That may be the only option I have though if I can't get to the bottom of it.

From ASDM (not sure what version you have) you can use Tools --> Command Line Interface to issue the commands people requested.

BB


@balaji.bandi @Milos_Jovanovic 

 

Sorry I forgot I could do that!

 

Result of the command: "show run ssh"

ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 LAN
ssh timeout 60
ssh key-exchange group dh-group14-sha1



Result of the command: "show run aaa"

aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 



Result of the command: "show crypto key mypubkey rsa"

The command has been sent to the device

Hmm, does this mean my key is missing?

@BeckyBoo123,

I believe you are missing RSA keys, which are mandatory for SSH. Try with 'crypto key generate rsa modulus 2048', and try SSH after.

BR,

Milos

Result of the command: "show crypto key mypubkey rsa"

Looks like the catch is here. Since you mentioned it was working for several years and then broke, it is worth re-keying.

 

Or take the 'show run' output and check.

BB


@Milos_Jovanovic @balaji.bandi @Rob Ingram 

 

I recreated the key and all works perfectly now!

Thank you all so much, I probably should have tested that first.

Glad to know our suggestion helped here; we will mark it as resolved.

BB
