[c-nsp] SSH failing on multiple context ASA

Ryan West rwest at zyedge.com
Tue Nov 9 14:23:13 EST 2010



>> On Tue, 2010-11-09 at 13:35 +0000, Matthew Melbourne wrote:
>>> We're using a pair of ASA5550s in a hosting environment to provide 
>>> contexts to end-users. The ASAs are running 8.2(3)5 and it would 
>>> appear that SSH periodically fails on some contexts. The temporary 
>>> fix is to issue "no ssh <network> <mask> <interface>" then "ssh 
>>> <network> <mask> <interface>" and SSH access comes back. In a failure 
>>> scenario, port 22 still appears to be open.
>>
>> Out of curiosity: How does it fail? Does it send you an SSH banner (e.g.
>> "SSH-1.99-Cisco-1.25") if you connect to port 22? Or is it stuck after 
>> open, never sending a banner?
>>
>> We're not using 8.x yet, and I haven't seen the symptom on 7.2.
>
>I have never seen it with 8.2(2) on many models (more than 30). As soon as I put 8.2(3) on an ASA5505, it happened within 48 hrs on the one unit. The only way to get back in was a reset.
>
>You can telnet to port 22 and see the port connected, but no banner is issued.

Seeing the same on an 8.2(3) pair that started after the upgrade as well.  Strange thing is I could fail over between the two and SSH to the secondary with no issues.  Using ASDM to reach the CLI and add and remove the affected line fixed it.  Seemed to be an IP-specific SSH block.  Has anyone checked out 'show asp drop' when it's happening to see if the block is reported there?  Thanks to the OP for the workaround.

-ryan
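The symptom the thread describes (port 22 accepts the TCP connection but no "SSH-1.99-Cisco-1.25" banner ever arrives) is something you can monitor for from outside the box, so the re-add-the-ssh-line workaround can be applied before someone is locked out. The probe below is an added example written for this post, not code from the thread or from Cisco: it opens a TCP connection, waits a bounded time for the SSH identification line, and classifies the result as healthy, hung (connected but silent), or refused. The two in-process listeners are constructed stand-ins for a healthy and a hung ASA so the example runs offline; the banner string is the one quoted in the thread.

```python
import socket
import threading

BANNER_TIMEOUT = 3.0  # seconds to wait for the first identification line


def probe_ssh_banner(host, port=22, timeout=BANNER_TIMEOUT):
    """Classify the SSH service at host:port.

    status is one of:
      'banner'    - TCP connect succeeded and an "SSH-..." line arrived
      'no_banner' - TCP connect succeeded but nothing arrived in time
                    (the failure mode described in the thread)
      'refused'   - TCP connect failed (closed, filtered, or unreachable)
    """
    result = {"status": None, "banner": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                # Connected, held open, never spoke: the hung state.
                result["status"] = "no_banner"
                return result
            if data.startswith(b"SSH-"):
                result["status"] = "banner"
                first_line = data.split(b"\n", 1)[0].strip()
                result["banner"] = first_line.decode("ascii", "replace")
            else:
                # Empty read (peer closed) or non-SSH bytes: treat as unhealthy.
                result["status"] = "no_banner"
    except OSError:
        result["status"] = "refused"
    return result


def start_fake_listener(banner):
    """Constructed stand-in for the ASA's port 22 (not a real SSH server).

    banner=b"SSH-1.99-Cisco-1.25\r\n" -> healthy: send banner, close.
    banner=None                       -> hung: accept, hold open, never write.
    Returns (port, stop_event); set stop_event to shut the listener down.
    """
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()
    held = []  # connections deliberately left open in the hung case

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            if banner:
                conn.sendall(banner)
                conn.close()
            else:
                held.append(conn)
        for c in held:
            c.close()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return port, stop


if __name__ == "__main__":
    # Demonstrate both states against the constructed listeners.
    healthy_port, stop_healthy = start_fake_listener(b"SSH-1.99-Cisco-1.25\r\n")
    hung_port, stop_hung = start_fake_listener(None)
    print("healthy:", probe_ssh_banner("127.0.0.1", healthy_port, timeout=1.0))
    print("hung:   ", probe_ssh_banner("127.0.0.1", hung_port, timeout=1.0))
    stop_healthy.set()
    stop_hung.set()
```

Pointed at a real context's management address, a 'no_banner' result while the port still connects is exactly the state the thread describes, and is the condition to alert on; a 'refused' result is a different problem (ACL, interface, or routing) and should not be treated as this bug.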


