[c-nsp] ASA SSH problem

R.L. Nevot r.nevot at gmail.com
Tue Jul 31 12:36:32 EDT 2007


Try ssh -c des -1 <ip address>

regards

On 7/31/07, Bagosi Rómeó <Romeo.Bagosi at integris.hu> wrote:
>
> No, it didn't work :(
> The problem is that the first time the ASA permits SSH access to the device,
> then it discards it, and the ASA disconnects with an 'Internal' or 'Time-out'
> error.
>
> -----Original Message-----
> From: Church, Charles [mailto:cchurch at multimax.com]
> Sent: Tuesday, July 31, 2007 4:17 PM
> To: Bagosi Rómeó
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] ASA SSH problem
>
> My bad, I was thinking of the IOS command, which is in seconds.  What if
> you try adding 'ssh version 2', so that it doesn't try version 1?  I think
> it'll default to AES256 then.  Might be worth a try.
>
>
> Chuck Church
> Principal Network Engineer, CCIE #8776
> Harris Information Technology Services
> EDS Contractor - Navy Marine Corps Intranet (NMCI)
> 1210 N. Parker Rd. | Greenville, SC 29609
> Office: 864-335-9473 | Cell: 864-266-3978
> cchurch at multimax.com
>
> -----Original Message-----
> From: Bagosi Rómeó [mailto:Romeo.Bagosi at integris.hu]
> Sent: Tuesday, July 31, 2007 9:48 AM
> To: Church, Charles
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] ASA SSH problem
>
> The 'ssh timeout 5' means 5 minutes timeout.
> No, I didn't try another SSH client. I used Debian's default OpenSSH
> client.
> My ASA version is 7.1(2). I've searched for bugs with Cisco's bug toolkit
> and I've found a bug similar to my problem, but the workaround didn't
> help.
>
> -----Original Message-----
> From: Church, Charles [mailto:cchurch at multimax.com]
> Sent: Tuesday, July 31, 2007 2:30 PM
> To: Bagosi Rómeó
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] ASA SSH problem
>
> 5 seconds seems pretty short for a timeout.  Have you tried a different
> SSH client?  What encryption protocol is being used?  I use Putty all the
> time with an ASA, never seen this.  What ASA version is it, have you looked
> for bugs involving SSH?
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Bagosi Rómeó
> Sent: Tuesday, July 31, 2007 2:35 AM
> To: Voll, Scott
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] ASA SSH problem
>
> Hi!
>
> 1. I saved the RSA keys before the reload. And after the reload I've regenerated
> and deleted the keys, but it didn't help.
> 2. I have the ssh x.x.x.x y.y.y.y outside command.
>
> -----Original Message-----
> From: Voll, Scott [mailto:Scott.Voll at wesd.org]
> Sent: Monday, July 30, 2007 4:44 PM
> To: Bagosi Rómeó
> Subject: RE: [c-nsp] ASA SSH problem
>
> Two guesses.
>
> 1. your RSA key didn't get saved or
> 2. you don't have SSH allowed from that outside IP address, i.e. ssh x.x.x.x
> y.y.y.y outside.
>
> Just my first thoughts.
>
> Scott
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Bagosi Rómeó
> Sent: Monday, July 30, 2007 6:45 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA SSH problem
>
> Hello Experts!
>
> I have a problem connecting to ASA with SSH to the outside interface.
> My SSH worked, but I've reloaded the ASA (with saved configuration), and
> now it doesn't work.
> I want to connect from a Linux Server.
>
> The SSH configuration is:
> aaa authentication ssh console LOCAL
> username admin password xxxxxx privilege 15
> ssh *.*.6.1 255.255.255.255 outside
> ssh timeout 5
>
> I have public keys generated (using this device for VPN).
>
> The debug ssh says:
>
> %Device ssh opened successfully.
> SSH0: SSH client: IP = '*.*.6.1'  interfaceS # = 1
> SSH: host key initialAised
> SSH0: starting SSH cont-rol process
> SSH0: 6Exchanging versions - SSH-1.9-9-Cisco-1.25
> SSH0: send SSH message:3 outdata is NU0LL 2
>
> se0rver version s1tring:SSH-1.99-Cisco-1.253: Built inbound TCP connection
> 59 for outside:*.*.6.1/40706 (*.*.6.1/40706) to NP Identity Ifc:*.*.6.2/22
> (*.*.6.2/22)
>
> %ASA-7-710002: TCP access permitted from *.*.6.1/40706 to
> outside:*.*.6.2/ssh
>
> SSH0: receive SSH message: 83 (83)
> SSH0: client version is - SSH-2.0-OpenSSH_3.4p1
>
> client version string:SSH-2.0-OpenSSH_3.4p1SSH0: begin server key
> generation
> SSH0: complete server key generation, elapsed time = 770 ms
>
> SSH2 0: SSH2_MSG_KEXINIT sent%ASA-7-710005: TCP request discarded from
> *.*.6.1/40706 to outside:*.*.6.2/22
>
> %ASA-7-710005: TCP request discarded from *.*.6.1/40706 to
> outside:*.*.6.2/22
>
> %ASA-6-302014: Teardown TCP connection 54 for outside:*.*.6.1/58911 to NP
> Identity Ifc:*.*.6.2/22 duration 0:10:25 bytes 1438 FIN Timeout
>
> %ASA-6-302014: Teardown TCP connection 56 for outside:*.*.6.1/33068 to NP
> Identity Ifc:*.*.6.2/22 duration 0:08:07 bytes 2490 Connection timeout
>
> %SSH0: Session disconneActed by SSH server - error 0x3c "Time-out
> activated"
> SSH0: receive SSH message: [no message ID: variable *data is NULL]
> SA-6-315011: SSH session from *.*.6.1 on interface outside for user ""
> disconnected by SSH server, reason: "Time-out activated" (0x3c)
>
>
> Now the SSH server disconnected because of "Time-out activated", but
> several times it disconnects with "Internal Error".
>
> What can be the problem?
>
>
> Thanks,
> Romeo Bagosi
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
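A small parser for the ASA syslog messages that appear in the debug output above (710002, 710005, 302014, 315011), which correlates the "access permitted" / "request discarded" pairs with the teardown and SSH-disconnect reasons and flags sessions dropped before any user authenticated. This is an added example, not code from the thread; the sample lines are constructed from the quoted format with documentation-range placeholder addresses, and the message layouts are assumed from what the thread shows.

```python
import re

# Constructed sample modelled on the messages quoted in the thread; the
# addresses are documentation-range placeholders, not the poster's.
SAMPLE_LOG = """\
%ASA-7-710002: TCP access permitted from 192.0.2.1/40706 to outside:192.0.2.2/ssh
%ASA-7-710005: TCP request discarded from 192.0.2.1/40706 to outside:192.0.2.2/22
%ASA-6-302014: Teardown TCP connection 54 for outside:192.0.2.1/58911 to NP Identity Ifc:192.0.2.2/22 duration 0:10:25 bytes 1438 FIN Timeout
%ASA-6-302014: Teardown TCP connection 56 for outside:192.0.2.1/33068 to NP Identity Ifc:192.0.2.2/22 duration 0:08:07 bytes 2490 Connection timeout
%ASA-6-315011: SSH session from 192.0.2.1 on interface outside for user "" disconnected by SSH server, reason: "Time-out activated" (0x3c)
"""

HEADER = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
# Body layouts assumed from the lines quoted in the thread.
BODIES = {
    "710002": re.compile(r"TCP access permitted from (?P<src>\S+) to (?P<dst>\S+)"),
    "710005": re.compile(r"TCP request discarded from (?P<src>\S+) to (?P<dst>\S+)"),
    "302014": re.compile(r"Teardown TCP connection (?P<conn>\d+) for (?P<src>\S+) to "
                         r"(?P<dst>.+?) duration (?P<duration>\d+:\d+:\d+) bytes "
                         r"(?P<bytes>\d+) (?P<reason>.+)$"),
    "315011": re.compile(r'SSH session from (?P<src>\S+) on interface (?P<ifc>\S+) for '
                         r'user "(?P<user>[^"]*)" disconnected by SSH server, '
                         r'reason: "(?P<reason>[^"]+)" \((?P<code>0x[0-9a-fA-F]+)\)'),
}

def parse_asa_syslog(text):
    """Return one dict per recognised %ASA-<sev>-<id> line; unknown ids are skipped."""
    events = []
    for line in text.splitlines():
        head = HEADER.match(line.strip())
        if not head or head["id"] not in BODIES:
            continue
        body = BODIES[head["id"]].match(head["body"])
        if body:
            ev = {"id": head["id"], "severity": int(head["sev"])}
            ev.update(body.groupdict())
            events.append(ev)
    return events

def summarize_ssh(events):
    """Count SSH outcomes and list sessions the server dropped with no authenticated user."""
    out = {"permitted": 0, "discarded": 0, "teardown_reasons": {}, "unauthenticated_drops": []}
    for ev in events:
        if ev["id"] == "710002" and ev["dst"].endswith("/ssh"):
            out["permitted"] += 1
        elif ev["id"] == "710005" and ev["dst"].endswith("/22"):
            out["discarded"] += 1
        elif ev["id"] == "302014":
            out["teardown_reasons"][ev["reason"]] = out["teardown_reasons"].get(ev["reason"], 0) + 1
        elif ev["id"] == "315011" and ev["user"] == "":   # dropped before authentication
            out["unauthenticated_drops"].append((ev["src"], ev["reason"], ev["code"]))
    return out
```

Running `summarize_ssh(parse_asa_syslog(SAMPLE_LOG))` on the constructed sample reports one permitted and one discarded SSH request, two timeout teardowns, and one session from 192.0.2.1 dropped with an empty user, the pattern the thread describes.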
