Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3367
Views
0
Helpful
8
Replies

ASA 5510 Upgrade to 8.4.1 Lost SSH

tjryberg
Level 1
Level 1

‎02-17-2011 07:07 AM

Recently upgraded two 5510s configured in Active/Standby from IOS 8.2 to 8.4.
Prior to the upgrade, I had SSH access, but no longer. Looking over my config, it looks like I'm missing telling ssh to allow through.

Result of the command: "SH SSH"

Timeout: 5 minutes
Versions allowed: 1 and 2

When trying to enter ssh 0.0.0.0 0.0.0.0 outside, it comes back with:

ERROR: Unable to configure service on port 22, on interface 'outside'. This port is currently in use by another feature
Usage: [no] ssh {<local_ip>|<hostname>} <mask> <if_name>
[no] ssh timeout <number>
[no] ssh version 1|2
[no] ssh scopy enable
show ssh [sessions [<client_ip>]]
ssh disconnect <session_id>
show running-config [all] ssh
clear configure ssh

It appears that SOMETHING is listening on 22

Protocol Socket Local Address Foreign Address State
TCP 0002871f [OUTSIDE IP OMITTED]:22 0.0.0.0:* LISTEN
SSL 0249946f [OUTSIDE IP OMITTED]:443 0.0.0.0:* LISTEN
SSL 02724598 [OUTSIDE IP OMITTED]:443 [OMITTED].1:18397 ESTAB
SSL 02735c08 [OUTSIDE IP OMITTED]:443 [OMITTED].1:49547 ESTAB
SSL 030be848 [OUTSIDE IP OMITTED]:443 [OMITTED].1:35678 ESTAB


I've hopping that it's just something simple that I've missed, but have beaten my head on it for so long that I'm not seeing it.

Whole Config:
: Saved
:
ASA Version 8.4(1)
!
firewall transparent
hostname [OMITTED]
enable password hQeQwqdgfeBvU/IT encrypted
passwd Aek.dNhic4ap/KRp encrypted
names
name [OMITTED]
name [OMITTED]
name [OMITTED]
name [OMITTED]
name [OMITTED]
name [OMITTED]
name [OMITTED]
name [OMITTED]
name [OMITTED]
name [OMITTED]
name [OMITTED]
name [OMITTED]
name [OMITTED]
name [OMITTED]
!
interface Ethernet0/0
speed 1000
duplex full
nameif outside
bridge-group 1
security-level 0
!
interface Ethernet0/1
nameif inside
bridge-group 1
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
description LAN Failover Interface
!
interface Management0/0
nameif management
security-level 0
management-only
!
interface BVI1
ip address [OMITTED]
!
banner login Unauthorized access is prohibited. Voilators will be prosecuted.
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone EST -5
object-group network [OMITTED]
description [OMITTED]
network-object host [OMITTED]
network-object host [OMITTED]
network-object host [OMITTED]
network-object host [OMITTED]
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network staging-web-servers
description Staging Web Servers
network-object host vps-web1
network-object host vps-web2
object-group network staging-sql-servers
description Staging SQL Servers
network-object host vps-sql1
network-object host vps-sql2
object-group network production-web-servers
description Production Web Servers
network-object host web1
network-object host web2
network-object host web3
network-object host web4
object-group network production-sql-servers
description Production SQL Servers
network-object host sql1
network-object host sql2
object-group service filezilla tcp
port-object eq ftp
port-object range 20000 21000
object-group network ftp-servers
description Staging and Production FTP Servers
network-object host vps-web1
network-object host web1
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in remark [OMITTED]
access-list outside_access_in extended permit ip object-group [OMITTED] any
access-list outside_access_in extended permit tcp any interface outside eq ssh
access-list outside_access_in remark RDP from everywhere NOT GOOD
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in remark HTTP and HTTPS to Staging Web Servers
access-list outside_access_in extended permit tcp any object-group staging-web-servers object-group DM_INLINE_TCP_1
access-list outside_access_in remark HTTP and HTTPS to Production Web Servers
access-list outside_access_in extended permit tcp any object-group production-web-servers object-group DM_INLINE_TCP_1
access-list outside_access_in remark FTP to web1 and vps-web1
access-list outside_access_in extended permit tcp any object-group ftp-servers object-group filezilla
access-list outside_access_in extended permit tcp any any object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit ip any any log debugging
pager lines 24
logging enable
logging standby
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit secondary
failover lan interface Failover Ethernet0/3
failover key *****
failover replication http
failover mac address Ethernet0/0 f866.f2b1.5362 f866.f2b1.5330
failover interface ip Failover 192.168.1.2 255.255.255.0 standby 192.168.1.1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 [OMITTED] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
snmp-server host outside [OMITTED] poll community *****
snmp-server host outside [OMITTED] poll community *****
snmp-server host inside [OMITTED] poll community *****
snmp-server host outside [OMITTED] poll community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username root password uDjpCz4hUzIDq4kM encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c39ef12d8d165c020f301b9f289e2167
: end

Cheers!

Labels:
0 Helpful
8 Replies 8

tjryberg
Level 1
Level 1

‎02-17-2011 10:00 AM

UPDATE

FYI, I ran "ssh 0.0.0.0 0.0.0.0 inside" and can SSH from behind them, but still want external SSH access.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to tjryberg

‎02-17-2011 02:46 PM

The evidence so far points me to believe that it might be a new bug in version 8.4.1.

My suggestion would be to open a TAC case to get it further investigated.

0 Helpful

Fernando Huapaya Silva
Level 1
Level 1

‎04-08-2011 04:37 PM

Hi Ted , i have a similar problem, how do you solve it ? do you open a tac case?.

regards.

Fernando

0 Helpful

tjryberg
Level 1
Level 1
In response to Fernando Huapaya Silva

‎04-08-2011 05:32 PM

Hello Fernando,

Cisco and I played around with it for a bit, and then sent me 8.4.1.3 of the IOS, and it looked as if it resolved it. But I've discovered that, after awhile, the problem reoccurs. The only solution I found was to reboot the device.

I put a work-around in where I granted access to a device on the inside int of the firewall, which has an SSH client on it. So I remote to a device behind the firewall, then connect via SSH to the inside interface. Not elegant, but this works everytime.

0 Helpful

pdesch
Level 1
Level 1
In response to tjryberg

‎04-15-2011 07:19 AM

For what it's worth, we're having the exact same problem. Hopefully this gets fixed soon. I haven't seen any new releases in the download center.

0 Helpful

MarianMontsko
Level 1
Level 1
In response to pdesch

‎04-22-2011 07:22 AM

Same problem for me Firewall are in HA in my case. No workaround found yet.

0 Helpful

rsmith
Level 4
Level 4

‎07-12-2011 11:03 PM

I have this same problem too.  Any solutions?

0 Helpful

Nicolas Fournier
Cisco Employee
Cisco Employee
In response to rsmith

‎07-14-2011 03:21 PM

Hi All,

Those symptoms are matching the following bug: CSCtn75060 Unable to SSH to ASA after upgrade to version 8.4.

You can have a look at it's description from the following link:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn75060

As you can see there, it should be fixed as from 8.4(1.2) so if you upgrade to 8.4(2), you should have the fix.

This version is available from

http://www.cisco.com/cisco/software/release.html?mdfid=279916880&flowid=4820&softwareid=280775065&release=8.4.2.ED&rellifecycle=&relind=AVAILABLE&reltype=latest

If you still run into the issue afterwards, a TAC case would be appropriate to verify that the bug was completely fixed.

Regards,

Nicolas

0 Helpful
Customers Also Viewed These Support Documents