We could not SSH into the ASA after upgrade to new OS 9.18(4)40

bhagawatula · ‎10-04-2024

Hi,

We upgraded a pair of ASAs from version 9.14.3.18 to version 9.18(4)40. After that, we could not SSH into the ASA. At the moment, we can access the firewall via the console.

I turned on debugging on the ASA while I attempted to SSH. The log file indicated that the Reg-mgr limit was reached. I checked with the command 'show ssh sessions,' and there were no SSH connections.

Could you help troubleshoot this issue?

Below is our log file:

olo-fw1/pri/act# SSH_EXT: flow lookup on vPifNum 3
SSH_EXT: flow lookup for 216.x.x.x:22<--->10.0.99.11:1995
SSH_EXT: flow lookup on vPifNum 2
SSH_EXT: flow lookup for 10.0.99.250:22<--->10.0.99.11:1995
SSH_EXT: found the flow
SSH_EXT: connection on vPif inside
SSH_EXT: Registering external ssh/sshd
SSH_EXT: vcid 0, Process type 2
Reg-mgr limit reached, dropping ssh on vcid: 0
SSH_EXT: Response send len 16
SSH_EXT: Connection close on fd: 991300522
SSH_EXT: io callback performing cleanup for fd: 991300522
SSH_EXT: cleanup event for non-session proc

show ssh sessions

colo-fw1/pri/act# sh asp table socket

Protocol Socket State Local Address Foreign Address
SSL 04d61538 LISTEN 10.0.99.250:443 0.0.0.0:*
SSL 005637e8 LISTEN 216.x.x.x:443 0.0.0.0:*
DTLS 0015d658 LISTEN 216.x.x.x:443 0.0.0.0:*
SSL 022a92f8 ESTAB 216.x.x.x:443 193.37.69.199:43308
SSL 02eca868 ESTAB 216.x.x.x:443 185.190.24.177:60097
SSL 00a96a88 ESTAB 216.x.x.x:443 94.232.45.152:53152
SSL 05246b08 ESTAB 216.x.x.x:443 79.110.62.203:57920
SSL 052470c8 ESTAB 216.x.x.x:443

MHM Cisco World · ‎10-04-2024

ssh stack ciscossh <<- check this

MHM

Marvin Rhoads · ‎10-07-2024

Same question posted by a different username:

https://community.cisco.com/t5/network-security/could-not-ssh-to-asa-after-upgrading-os-from-9-14-3-18-to/td-p/5203687

MHM Cisco World · ‎10-07-2024

I think two engineer work on same problem

MHM