
Unable to SSH to CISCO ASA (ASA software running on FTD-2110 Appliance)

ariel2424
Level 1

Hello Everyone.  

I have installed CISCO ASA Version 9.10(1).11 on an FTD-2110 appliance.

This appliance answers on both 192.168.45.1 and 192.168.45.45.

To get to the firepower software you go to 192.168.45.45 (then from there you can access the ASA), or to get straight to the ASA you can open ASDM and connect to 192.168.45.1.

HTTP and ASDM work, SSH doesn't.

I have configured SSH as shown in the Cisco documentation and it doesn't work.

Tried to solve this myself with no success.

 

Related Configuration: 

ciscoasa(config)# show running-config all ssh
ssh stricthostkeycheck
ssh 192.168.45.0 255.255.255.0 management
ssh timeout 5
ssh version 2
ssh cipher encryption medium
ssh cipher integrity medium
ssh key-exchange group dh-group1-sha1

 

A local username was configured, along with the following command:

aaa authentication ssh console LOCAL

I see the drops on ASDM (ssh access file shows the drops on ASDM).

Has anybody come across this and solved it?

Thanks. 

 

 

8 Replies

You have to define a local user on the ASA.

 

username admin priv 15 password cisco123

Please do not forget to rate.

Marvin Rhoads
Hall of Fame

Did you generate an rsa key?

conf t
crypto key generate rsa mod 2048
end

@Marvin Rhoads 

If https is working, as it was confirmed that he had access to ASDM, then it means the keys are generated.

I am curious how he is accessing the ASDM. I am under the impression the ASDM is accessible if you only enable https.

!
http server enable
http 0.0.0.0 0.0.0.0 mgmt
!

Now, if the above commands are configured, he will have access to ASDM even without configuring a local username. Having said that, if you check the logs he showed, there is an unknown username, which points to there being no local database configured.

Please do not forget to rate.

@Sheraz.Salim - good point.

 

I have also seen users lately using old putty clients and newer ASA software whereby the ssh negotiation fails due to lack of support for newer key exchanges in the library used by the client software. That problem would affect ssh but not ASDM (which uses ssl/tls libraries included in the end user's Java installation).

Hi Marvin, 

I'm using the latest Putty version. 

OK - good to know. 

I'd try a packet capture during an attempted connection to see what's going on. Open it up in Wireshark and have a look at the back and forth.
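When reading such a capture, the two SSH_MSG_KEXINIT messages are the ones to compare, since they carry each side's algorithm lists. The Python sketch below is an added example, not part of any post in this thread: it decodes KEXINIT payloads and applies a simplified form of the RFC 4253 selection rule to show which field has no common algorithm. The sample payloads are constructed; the server list assumes an ASA that offers only the key exchange from the posted `ssh key-exchange group dh-group1-sha1` line, and the client list and all cipher and MAC names are illustrative.

```python
import struct

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ["kex_algorithms", "server_host_key_algorithms", "encryption_c2s",
          "encryption_s2c", "mac_c2s", "mac_s2c", "compression_c2s",
          "compression_s2c", "languages_c2s", "languages_s2c"]

def build_kexinit(lists):
    """Encode a KEXINIT payload; used here only to construct sample input."""
    out = bytes([20]) + bytes(16)          # message type 20 + zeroed cookie
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Decode a KEXINIT payload (SSH packet length and padding already removed)."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (size,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + size > len(payload):
            raise ValueError("truncated name-list")
        text = payload[pos:pos + size].decode("ascii")
        lists[name] = text.split(",") if text else []
        pos += size
    return lists

def negotiate(client, server):
    """Simplified RFC 4253 rule: first client-preferred name the server also lists."""
    fields = ("kex_algorithms", "encryption_c2s", "mac_c2s")
    return {f: next((a for a in client[f] if a in server[f]), None) for f in fields}

# Constructed sample input. Assumption: the server list mirrors the posted
# "ssh key-exchange group dh-group1-sha1"; cipher and MAC names are illustrative.
SERVER = build_kexinit({"kex_algorithms": ["diffie-hellman-group1-sha1"],
                        "encryption_c2s": ["aes128-ctr", "aes256-ctr"],
                        "mac_c2s": ["hmac-sha1"]})
CLIENT = build_kexinit({"kex_algorithms": ["curve25519-sha256",
                                           "diffie-hellman-group14-sha256"],
                        "encryption_c2s": ["aes256-ctr", "aes128-ctr"],
                        "mac_c2s": ["hmac-sha2-256", "hmac-sha1"]})

if __name__ == "__main__":
    for field, name in negotiate(parse_kexinit(CLIENT), parse_kexinit(SERVER)).items():
        print(f"{field:16} -> {name or 'NO COMMON ALGORITHM (handshake fails here)'}")
```

In Wireshark the same lists appear under the "Key Exchange Init" message of each side; a field that resolves to no common name is where the session is torn down before authentication is ever attempted.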

Hi, 

As I mentioned previously, a local username and password is defined. I don't know why this error appeared.

The http server is enabled by default on the ASA.

 

 

mbilgrav
Level 3
YES!
Had the issue last year. From my notes:
I had SSH issues in 9.9.1 plain vanilla.
I then upgraded to 9.9.1.3 interim, only to hit a new failover bug.
I then upgraded to 9.9.1.4 interim … and be happy!

As a workaround, the SSH issue could be fixed by a reload; this was before I upgraded.
Sad if the bug has been dropped over in the 9.10 track ... try to get the latest interim and upgrade the bundle.