I am facing a new issue here.
I have configured Clientless SSL VPN for access to ASA 5540 internal network.
Still I am unable to take ssh to my core switch( I do get logs on debug ip ssh, as posted below):
006365: Nov 1 18:35:50.655 IST: SSH2 0: send: len 160 (includes padlen 6)
006366: Nov 1 18:35:50.655 IST: SSH2 0: done calc MAC out #76
006367: Nov 1 18:35:50.843 IST: SSH1: protocol version id is - SSH-2.0-SSH/JTA (c) Marcus Meissner, Matthias L. Jugel
006368: Nov 1 18:35:50.843 IST: SSH2 1: send: len 280 (includes padlen 4)
006369: Nov 1 18:35:50.843 IST: SSH2 1: SSH2_MSG_KEXINIT sent
006370: Nov 1 18:35:50.883 IST: SSH2 1: ssh_receive: 136 bytes received
006371: Nov 1 18:35:50.883 IST: SSH2 1: input: packet len 136
006372: Nov 1 18:35:50.883 IST: SSH2 1: partial packet 8, need 128, maclen 0
006373: Nov 1 18:35:50.883 IST: SSH2 1: input: padlen 4
006374: Nov 1 18:35:50.883 IST: SSH2 1: received packet type 20
006375: Nov 1 18:35:50.883 IST: SSH2 1: SSH2_MSG_KEXINIT received
006376: Nov 1 18:35:50.883 IST: SSH2 1: no matching cipher found: client none server aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
006377: Nov 1 18:35:50.987 IST: SSH1: Session disconnected - error 0x00
006378: Nov 1 18:35:51.667 IST: SSH2 0: send: len 768 (includes padlen 13)
006379: Nov 1 18:35:51.667 IST: SSH2 0: done calc MAC out #77
006380: Nov 1 18:35:52.675 IST: SSH2 0: send: len 432 (includes padlen 6)
006381: Nov 1 18:35:52.675 IST: SSH2 0: done calc MAC out #78
Are you able to ssh from any other ssh clients to your core switch fine besides when you webvpn? if so I assume you are using ssh plug-in to ssh into your core switch from when in WebVPN , have you checked the version of ssh plug-in you are using in the firewall to ensure there us no bugs listed for ssh ?
I am able to ssh from other clients into core. The issue arises only when I login through SSL VPN. My network otherwise is in production. The only change Ive made is creating the SSL VPN as I have to hand it over to maintenance team. But due to this ssh issue, I am unable to proceed with the handover.
This seems to be a client server ssh issue.
The client(which is my ASA inside IP-i checked the logs for the connection teardown) is having no encryption algorithm as can be seen from above output.
This is thwarting the login i suppose.
Hi Arun ,
Thanks for update, if you look at the ssh debug "no matching cipher found: client none server aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc "
On the SSH clinet side there is no matching encryption algorythm presented to the server , whereas the server supports aes128,3des etc.. I suspect it could be your ssh client version plugin, this is why we should check the ssh-plug version in in your firewall .
Just to be sure I understand, you SSL WEBVPN in , then you use the ssh:// from your WEBVPN portal? as shown in attachment ? if so try using an updated version of ssh plug-in to rule out issues with your current ssh client in firewall.