ASA SSH issues

Started by icecream-guy, March 16, 2016, 09:27:21 AM


icecream-guy

For some reason we cannot SSH to some ASA firewall contexts; we get "ssh exchange identification: connection closed by remote host."

With a packet capture and other artifacts we determined that all the SSH connections were in use (limit of 5) and were not timing out (default of 5 mins),

but we have not been able to find a way to clear these inactive connections. Any ideas?

:professorcat:

My Moral Fibers have been cut.

deanwebb

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

GeorgeS

something else that it may help you is to remove the configuration for ssh and re add it

icecream-guy

Quote from: ristau5741 on March 16, 2016, 09:27:21 AM
For some reason we cannot SSH to some ASA firewall contexts; we get "ssh exchange identification: connection closed by remote host."

With a packet capture and other artifacts we determined that all the SSH connections were in use (limit of 5) and were not timing out (default of 5 mins),

but we have not been able to find a way to clear these inactive connections. Any ideas?

Well, that ain't it. Back to research...


icecream-guy

Quote from: ristau5741 on March 16, 2016, 10:14:58 AM
Well, that ain't it. Back to research...


Maybe so. If we do a show ssh sessions from within the context, none are listed:


FLUFFY_KITTY/pri/act# show ssh sessions
FLUFFY_KITTY/pri/act#


If we do a show resource usage for ssh from the admin context:

PITFW/pri/act# show resource usage resource ssh
Resource                 Current        Peak      Limit        Denied Context
SSH Client                     4           5          5             0 FLUFFY_KITTY
SSH Server                     4           5          5             6 FLUFFY_KITTY
SSH Client                     5           5          5             0 HAIRY_DOG
SSH Server                     5           5          5             5 HAIRY_DOG


Note that SSH to FLUFFY_KITTY works; SSH to HAIRY_DOG does not.

deanwebb


icecream-guy

Quote from: deanwebb on March 16, 2016, 10:56:01 AM
:itcrowd:

Yer not being real relevant today. With the reference to using ASDM (which we can because the firewall contexts will not support two-factor authentication, for which we have had a feature request in for over a year, which is not a priority for Cisco since they'd have to rewrite the entire code to support it), the reference to some obscure IPX/CX module (who uses Cisco products for IPS anyway??), and rebooting a production firewall??? (when we can't even get a window to reload it to upgrade to fix a bug). I'm looking for some helpful advice... and don't say open a TAC case, since I'm doing that now. :boohoo:

Otanx

Regen RSA keys?

crypto key gen rsa gen mod 2048

-Otanx

icecream-guy

Quote from: Otanx on March 16, 2016, 11:34:27 AM
Regen RSA keys?

crypto key gen rsa gen mod 2048

-Otanx

Did that, tried SSHv1 and SSHv2, and enable/disable stricthostcheck as well.

TAC is now informed and I await the bug identifier. :eek:

deanwebb

Well, rebooting would clear all the sessions... just sayin'.

Dieselboy

Is the issue on the standby ASA too? If not, then fail active to the standby context, then reload the standby? I guess you've probably already tried that.

icecream-guy

Quote from: Dieselboy on March 16, 2016, 07:49:01 PM
Is the issue on the standby ASA too? If not, then fail active to the standby context, then reload the standby? I guess you've probably already tried that.

Yes, it's on both. I haven't heard back from TAC, but was OOO yesterday. Need to follow up today.

routerdork

I found this command helpful when troubleshooting an "ASDM won't launch" issue. That is, if you can run it somewhere. In my case it is showing that my ASA is listening on the outside, inside, and a fiber link for both SSH and ASDM connections, and that two of us are connected on the inside using ASDM and SSH. If you run it and one doesn't show, then you've found a problem. In my case the connections for ASDM weren't listening, so I had to remove HTTP and then re-add it to the config, which fixed the listening issue.

ASA# show asp table socket


Protocol  Socket    Local Address               Foreign Address         State
TCP       000a655f  1.2.3.4:22           0.0.0.0:*               LISTEN
SSL       000a84df  1.2.3.4:8000         0.0.0.0:*               LISTEN
TCP       000b61cf  172.30.0.253:22             0.0.0.0:*               LISTEN
SSL       000ba08f  172.30.0.253:8000           0.0.0.0:*               LISTEN
TCP       000c4bbf  10.254.254.13:22            0.0.0.0:*               LISTEN
SSL       000cdbbf  10.254.254.13:8000          0.0.0.0:*               LISTEN
SSL       074820f8  10.254.254.13:8000          172.31.1.186:64087      ESTAB
SSL       074a2158  10.254.254.13:8000          172.31.1.186:64091      ESTAB
TCP       0770fd78  10.254.254.13:22            172.31.1.206:64624      ESTAB
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln
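As an added example (not code from any poster in this thread, and not a Cisco tool): a small Python script that cross-checks the SSH Server slot accounting from the admin context's "show resource usage resource ssh" output posted earlier against the sockets each context actually has open in "show asp table socket", to spot the condition the thread describes, where slots are counted as in use while "show ssh sessions" is empty. It assumes the socket table was captured inside each context (the per-context socket output here is constructed, with made-up addresses), that the SSH server listens on the default port 22, and that both outputs use the column layouts shown in the posts above.

```python
import re
from dataclasses import dataclass

# Output from `show resource usage resource ssh` in the admin context,
# as posted in the thread above.
RESOURCE_USAGE = """\
Resource                 Current        Peak      Limit        Denied Context
SSH Client                     4           5          5             0 FLUFFY_KITTY
SSH Server                     4           5          5             6 FLUFFY_KITTY
SSH Client                     5           5          5             0 HAIRY_DOG
SSH Server                     5           5          5             5 HAIRY_DOG
"""

# Constructed sample `show asp table socket` output per context (assumption:
# one capture taken inside each context; the addresses are made up).
SOCKET_TABLES = {
    "FLUFFY_KITTY": """\
Protocol  Socket    Local Address               Foreign Address         State
TCP       000b61cf  10.1.1.1:22                 0.0.0.0:*               LISTEN
TCP       0770fd78  10.1.1.1:22                 10.9.9.20:51022         ESTAB
""",
    "HAIRY_DOG": """\
Protocol  Socket    Local Address               Foreign Address         State
TCP       000c4bbf  10.1.2.1:22                 0.0.0.0:*               LISTEN
""",
}

RESOURCE_RE = re.compile(
    r"^(?P<resource>SSH (?:Client|Server))\s+(?P<current>\d+)\s+(?P<peak>\d+)"
    r"\s+(?P<limit>\d+)\s+(?P<denied>\d+)\s+(?P<context>\S+)\s*$"
)
SOCKET_RE = re.compile(
    r"^(?P<proto>TCP|SSL)\s+(?P<sock>[0-9a-f]+)\s+(?P<laddr>\S+):(?P<lport>\d+)"
    r"\s+(?P<faddr>\S+):(?P<fport>\d+|\*)\s+(?P<state>LISTEN|ESTAB)\s*$"
)


@dataclass
class SshSlotUsage:
    context: str
    current: int
    limit: int
    denied: int


def parse_ssh_server_usage(text):
    """Return the SSH Server slot row for each context from `show resource usage resource ssh`."""
    rows = []
    for line in text.splitlines():
        m = RESOURCE_RE.match(line)
        if m and m["resource"] == "SSH Server":
            rows.append(SshSlotUsage(m["context"], int(m["current"]),
                                     int(m["limit"]), int(m["denied"])))
    return rows


def count_established_ssh(text, port="22"):
    """Count TCP sockets in ESTAB state on the SSH server port in `show asp table socket` output."""
    n = 0
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m and m["proto"] == "TCP" and m["lport"] == port and m["state"] == "ESTAB":
            n += 1
    return n


def find_orphaned_ssh_slots(resource_text, socket_tables):
    """
    Cross-check the per-context SSH Server slot accounting against the sockets the
    ASA actually has open. A slot counted as in use with no ESTAB socket behind it
    is orphaned. Once current reaches limit, new logins are refused (the Denied
    counter keeps climbing) even though `show ssh sessions` inside the context is empty.
    """
    report = {}
    for row in parse_ssh_server_usage(resource_text):
        established = count_established_ssh(socket_tables.get(row.context, ""))
        report[row.context] = {
            "current": row.current,
            "limit": row.limit,
            "denied": row.denied,
            "established": established,
            "orphaned": max(row.current - established, 0),
            "exhausted": row.current >= row.limit,
        }
    return report


if __name__ == "__main__":
    for ctx, r in find_orphaned_ssh_slots(RESOURCE_USAGE, SOCKET_TABLES).items():
        flag = "REFUSING NEW SSH" if r["exhausted"] else "ok"
        print(f"{ctx:14} slots {r['current']}/{r['limit']} established {r['established']} "
              f"orphaned {r['orphaned']} denied {r['denied']} -> {flag}")
```

Run against the posted numbers, HAIRY_DOG comes out with 5 of 5 slots held, none of them backed by an established socket, which is the "connection closed by remote host" case; FLUFFY_KITTY has one free slot, so it still accepts logins despite also carrying orphaned slots. The same check run periodically (or from a monitoring job) shows the leak building up before the limit is hit, rather than after users start getting refused.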

icecream-guy

TAC identified Bug ID CSCts72188 "SSH process may exist after being orphaned from SSH session"