Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
18392
Views
9
Helpful
0
Comments

Known issues with SSH on the ASA

brquinn
Level 1
Level 1

‎05-11-2011 09:59 AM - edited ‎03-08-2019 06:41 PM

 

 

There have been several issues with SSH failing to the ASA. Below are the most common issues we see. They are documented along with the version which contains the fix.

 

Version 8.2.3 and 8.3.2

 

There are two known bugs that you may run into. If you are running version 8.2.3, then it is recommended to upgrade to version 8.2.4 or later. If you are running 8.3.2, then you need to upgrade to 8.3.2.7 or later.

 

CSCti72411 ASA 8.2.3 may not accept management connections after failover

 

Symptom:
ASA may not accept new management connections even though everything is properly configured.

 

Check: show asp table socket

 

Example of working one:

Protocol  Socket    Local Address               Foreign Address         State

TCP       00c361df  10.134.152.14:22            0.0.0.0:*               LISTEN  <= SSH socket is here
SSL       00c36f5f  10.134.152.14:443           0.0.0.0:*               LISTEN


Example of failing one:
Protocol  Socket    Local Address               Foreign Address         State
SSL       0022774f  10.134.152.14:443           0.0.0.0:*               LISTEN
                                                                                  <= no SSH socket

Conditions:
This was first found on ASA 8.2.3 and after failover.

 

Workaround:
Downgrade to previous version of code. (version 8.2.2 is not affected)
Another possible workaround would be to remove and add again ssh/telnet/http network statements.

 

CSCti43763 (which also fixed CSCti72695) Management connection fail after multiple tries with SNMP connections.

 

Symptom:
Management connections may fail after multiple tries with SNMP connections in background.

 

Conditions:

This bug can be identified by doing "show asp table socket"
If you see management connection in a CLOSEWAIT state and then you do "show counters protocol npshim" and see the pending connections counter increment for every management connection attempt then you are hitting this bug.


First found in following scenario: ASDM will fail to load after multiple SNMP and HTTPS requests to the ASA.

 

Workaround:
Currently, only reloading the ASA resolves the issue.

 

 

Version 8.4.1

 

There is one known bug with SSH that will stop the ASA from accepting management connections even though the socket still appears to be open. This bug is fixed in version 8.4.1.2.

 

CSCtn75060 Unable to SSH to ASA after upgrade to version 8.4

 

Symptom:

After upgrade the ASA to 8.4(1), ssh to one or more interfaces are failing. Removing and re-adding the SSH configuration results in the following error message:

 

ciscoasa(config)# ssh 0 0 outside

ERROR: Unable to configure service on port 22, on interface 'outside'. This port is currently in use by another feature

Usage: [no] ssh {<local_ip>|<hostname>} <mask> <if_name>

[no] ssh timeout <number>

[no] ssh version 1|2

[no] ssh scopy enable

show ssh [sessions [<client_ip>]]

ssh disconnect <session_id>

show running-config [all] ssh

clear configure ssh

 

Conditions:

Access via ASDM or telnet are unaffected. SSH still may work to other interfaces, but is failing to a specific interface.

 

Workaround:

Reload the ASA.  Untested workaround is shutting down and then restoring the interface.

 

Related Documents

 

ASA-PIX/FWSM: Unable to manage the unit via ssh/telnet/asdm

PIX/ASA 7.x: SSH/Telnet on the Inside and Outside Interface Configuration Example

Labels:
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents