There have been several issues with SSH connections to the ASA failing. Below are the most common issues we see, each documented along with the version that contains the fix.
Version 8.2.3 and 8.3.2
There are two known bugs that you may run into. If you are running version 8.2.3, then it is recommended to upgrade to version 8.2.4 or later. If you are running 8.3.2, then you need to upgrade to 8.3.2.7 or later.
CSCti72411 ASA 8.2.3 may not accept management connections after failover
Symptom:
ASA may not accept new management connections even though everything is properly configured.
Check: show asp table socket
Example of working one:
Protocol  Socket    Local Address      Foreign Address  State
TCP       00c361df  10.134.152.14:22   0.0.0.0:*        LISTEN   <= SSH socket is here
SSL       00c36f5f  10.134.152.14:443  0.0.0.0:*        LISTEN
Example of failing one:
Protocol  Socket    Local Address      Foreign Address  State
SSL       0022774f  10.134.152.14:443  0.0.0.0:*        LISTEN
<= no SSH socket
Conditions:
This was first found on ASA 8.2.3, after a failover.
Workaround:
Downgrade to a previous version of code (version 8.2.2 is not affected).
Another possible workaround is to remove and re-add the ssh/telnet/http network statements.
CSCti43763 (which also fixed CSCti72695) Management connection fail after multiple tries with SNMP connections.
Symptom:
Management connections may fail after multiple tries with SNMP connections in background.
Conditions:
This bug can be identified with "show asp table socket".
If you see a management connection in a CLOSEWAIT state, and "show counters protocol npshim" shows the pending connections counter incrementing with every management connection attempt, then you are hitting this bug.
First found in the following scenario: ASDM fails to load after multiple SNMP and HTTPS requests to the ASA.
Workaround:
Currently, only reloading the ASA resolves the issue.
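The two "show asp table socket" checks described above (no SSH listener for CSCti72411, a management socket stuck in CLOSEWAIT for CSCti43763) can be run over captured output. This is an added example, not Cisco's code: the function names, the port-to-service map and the CLOSEWAIT sample row are assumptions, and all sample outputs are constructed from the examples on this page.

```python
import re

# Constructed samples modelled on the "show asp table socket" examples above.
WORKING = """\
Protocol Socket Local Address Foreign Address State
TCP 00c361df 10.134.152.14:22 0.0.0.0:* LISTEN
SSL 00c36f5f 10.134.152.14:443 0.0.0.0:* LISTEN
"""
NO_SSH = """\
Protocol Socket Local Address Foreign Address State
SSL 0022774f 10.134.152.14:443 0.0.0.0:* LISTEN
"""
# Constructed CLOSEWAIT row; socket id and foreign address are made up.
STUCK = WORKING + "SSL 00c3a11f 10.134.152.14:443 192.0.2.10:51514 CLOSEWAIT\n"

# proto, hex socket id, local ip:port, foreign address, state.
# The header row fails the hex-socket group and is skipped.
ROW = re.compile(r"^(\S+)\s+([0-9a-fA-F]+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)")
MGMT_PORTS = {22: "ssh", 23: "telnet", 443: "https"}  # assumed default ports

def parse_sockets(text):
    """Return one dict per socket row in the captured output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            proto, sock, ip, port, foreign, state = m.groups()
            rows.append({"proto": proto, "socket": sock, "local_ip": ip,
                         "port": int(port), "foreign": foreign, "state": state})
    return rows

def check_management_sockets(text, expect_ssh_on):
    """Flag both symptoms for the interface IPs that should accept SSH."""
    rows = parse_sockets(text)
    listening = {(r["local_ip"], r["port"]) for r in rows if r["state"] == "LISTEN"}
    findings = [f"no SSH listener on {ip}:22 (CSCti72411 symptom)"
                for ip in expect_ssh_on if (ip, 22) not in listening]
    for r in rows:
        # Accept CLOSE_WAIT as well, in case the output spells it that way.
        if r["state"].replace("_", "") == "CLOSEWAIT" and r["port"] in MGMT_PORTS:
            findings.append(f"{MGMT_PORTS[r['port']]} socket {r['socket']} in CLOSEWAIT; "
                            "check 'show counters protocol npshim' (CSCti43763)")
    return findings

if __name__ == "__main__":
    for name, sample in (("working", WORKING), ("no-ssh", NO_SSH), ("stuck", STUCK)):
        print(name, check_management_sockets(sample, ["10.134.152.14"]))
```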
Version 8.4.1
There is one known bug with SSH that will stop the ASA from accepting management connections even though the socket still appears to be open. This bug is fixed in version 8.4.1.2.
CSCtn75060 Unable to SSH to ASA after upgrade to version 8.4
Symptom:
After upgrading the ASA to 8.4(1), SSH to one or more interfaces fails. Removing and re-adding the SSH configuration results in the following error message:
ciscoasa(config)# ssh 0 0 outside
ERROR: Unable to configure service on port 22, on interface 'outside'. This port is currently in use by another feature
Usage: [no] ssh {<local_ip>|<hostname>} <mask> <if_name>
[no] ssh timeout <number>
[no] ssh version 1|2
[no] ssh scopy enable
show ssh [sessions [<client_ip>]]
ssh disconnect <session_id>
show running-config [all] ssh
clear configure ssh
Conditions:
Access via ASDM or telnet is unaffected. SSH may still work to other interfaces, but fails to a specific interface.
Workaround:
Reload the ASA. An untested workaround is to shut down and then restore the interface.