Posted on 2011-04-25
Last Modified: 2012-05-11
I have a couple of ASAs; every so often I cannot get into the ASA via SSH. I know that SSH works, as after I do a reboot it will work again for a while.

Is there a fix for that?  Else, is there a way to restart some process on the ASA instead of having to reboot it?

Question by:yostnet
    LVL 18

    Accepted Solution

    You're saying it works following a reboot, then stops at some point and doesn't resume until another reboot?  How long does that typically take?   If you're confident of the configuration, it's possibly a bug, but if you post the config (remove public IP addresses) that might help.  You're certain you're not trying to access from a disallowed subnet or host?   What version of code are you running?  Do you have console access to do a debug following the reboot (when it is working) and then again when it's stopped?
    LVL 8

    Expert Comment

    Login and check "show ssh session"; you might have sessions that are timing out but not being closed down cleanly. There's a limit to the number of sessions, which might be where you have to power cycle or reload to regain access.

    If this is what's happening, either monitor it each time you login and kill the hung sessions (ssh disconnect #, where # is the SID from show ssh session), or login at the console and do the same when all the ssh sessions are busy.

    Author Comment

    There are no OPEN SESSIONS; I would be the only guy who would ssh in.
    LVL 8

    Assisted Solution

    In that case it sounds like a bug. There was a bug in PIX 5.1 code (around 2001-2002) that sounds very similar to this.

    I suggest you "debug ssh", make sure your logging is configured for buffered debugging and the buffer size is something reasonable (i.e. 128k or more, depending on how busy the firewall is and how much logging you normally do). Leave the debug running, then the next time you find you can't connect, plug in to the console and "show log | i SSH|ssh". You should see something like below:

    hostname# deb ssh
    debug ssh  enabled at level 1
    hostname# Device ssh opened successfully.
    SSH1: SSH client: IP = ''  interface # = 2
    SSH: host key initialised
    SSH1: starting SSH control process
    SSH1: Exchanging versions - SSH-2.0-Cisco-1.25

    SSH1: send SSH message: outdata is NULL

    server version string:SSH-2.0-Cisco-1.25SSH1: receive SSH message: 83 (83)
    SSH1: client version is - SSH-2.0-OpenSSH_5.5

    client version string:SSH-2.0-OpenSSH_5.5SSH1: begin server key generation
    SSH1: complete server key generation, elapsed time = 680 ms

    SSH2 1: SSH2_MSG_KEXINIT sent
    SSH2 1: SSH2_MSG_KEXINIT received
    SSH2: kex: client->server aes128-cbc hmac-md5 none
    SSH2: kex: server->client aes128-cbc hmac-md5 none
    SSH2 1: expecting SSH2_MSG_KEXDH_INIT
    SSH2 1: SSH2_MSG_KEXDH_INIT received
    SSH2 1: signature length 143
    SSH2: kex_derive_keys complete
    SSH2 1: newkeys: mode 1
    SSH2 1: SSH2_MSG_NEWKEYS sent
    SSH2 1: waiting for SSH2_MSG_NEWKEYS
    SSH2 1: newkeys: mode 0
    SSH2 1: SSH2_MSG_NEWKEYS receivedSSH(username): user authen method is 'use AAA', aaa server group ID = 1
    SSH(username): user authen method is 'use AAA', aaa server group ID = 1

    SSH2 1: authentication successful for username
    SSH2 1: channel open request
    SSH2 1: pty-req request
    SSH2 1: requested tty: xterm, height 50, width 132

    SSH2 1: env request
    SSH2 1: env request
    SSH2 1: env request
    SSH2 1: env request
    SSH2 1: shell request
    SSH2 1: shell message received
    SSH1: Session terminated normally

    In your case, expect to see some indication that things are not normal, perhaps no session termination messages, or some error. From there, it's most likely a TAC case, unless you find some obvious error message.

    FYI, the above is from an ASA 5510 with version:
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    and it does not have the problem you are seeing. I have 4 others with the same version in other places and they are all fine.
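    The two answers above both come down to the same check: does every SSH session that starts also log a normal termination, and has the number of sessions that never did reach the box's session limit? The following script is an added example (not Cisco code, and not posted by anyone in this thread) that walks a `debug ssh` capture like the one above and reports, per session, the last milestone it reached. It assumes that lines prefixed "SSHn:" and "SSH2 n:" both refer to session n (as the sample shows for session 1), that the bare "SSH2: kex: ..." lines carry no session id, and that the default `max_sessions` of 5 is just a placeholder for whatever limit is configured on the firewall. The embedded transcript is constructed: session 1 follows the healthy trace above, session 2 authenticates but never terminates, and session 3 stalls right after the version exchange.

```python
"""Classify sessions in a Cisco ASA `debug ssh` capture by the last
milestone each one logged. Added example, not a Cisco tool.

Assumptions (not from the thread): "SSHn:" and "SSH2 n:" both denote
session n; bare "SSH2: kex: ..." lines carry no session id; the default
session limit of 5 is a placeholder for the firewall's real setting."""
import re

# Milestones in the order the healthy trace above shows them; the first
# element is a substring to look for, the second a short stage name.
MILESTONES = [
    ("starting SSH control process", "started"),
    ("client version is", "versions_exchanged"),
    ("SSH2_MSG_KEXINIT received", "kex_started"),
    ("SSH2_MSG_NEWKEYS received", "keys_established"),
    ("authentication successful", "authenticated"),
    ("shell request", "shell"),
    ("Session terminated normally", "terminated"),
]

# Session id from either "SSH2 n:" (group 1) or "SSHn:" (group 2).
SESSION_RE = re.compile(r"SSH(?:2 (\d+)|(\d+)):")


def session_stages(debug_text):
    """Map session id -> last milestone seen for that session."""
    stages = {}
    for line in debug_text.splitlines():
        stage = next((name for key, name in MILESTONES if key in line), None)
        if stage is None:
            continue  # kex details, env requests, banner lines, etc.
        match = SESSION_RE.search(line)
        if match is None:
            continue
        sid = match.group(1) or match.group(2)
        stages[sid] = stage  # milestones arrive in order, so the latest wins
    return stages


def hung_sessions(debug_text, max_sessions=5):
    """Return (hung, at_limit): sessions that never logged a normal
    termination, and whether their count has reached the session limit
    (the point at which new logins would be refused)."""
    stages = session_stages(debug_text)
    hung = {sid: stage for sid, stage in stages.items() if stage != "terminated"}
    return hung, len(hung) >= max_sessions


# Constructed transcript modelled on the debug output posted above.
SAMPLE = """\
hostname# deb ssh
debug ssh  enabled at level 1
SSH1: SSH client: IP = '192.0.2.10'  interface # = 2
SSH1: starting SSH control process
SSH1: client version is - SSH-2.0-OpenSSH_5.5
SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-md5 none
SSH2 1: SSH2_MSG_NEWKEYS sent
SSH2 1: SSH2_MSG_NEWKEYS receivedSSH(admin): user authen method is 'use AAA', aaa server group ID = 1
SSH2 1: authentication successful for admin
SSH2 1: shell request
SSH1: Session terminated normally
SSH2: starting SSH control process
SSH2: client version is - SSH-2.0-OpenSSH_5.5
SSH2 2: SSH2_MSG_KEXINIT received
SSH2 2: SSH2_MSG_NEWKEYS received
SSH2 2: authentication successful for admin
SSH3: starting SSH control process
SSH3: client version is - SSH-2.0-OpenSSH_5.5
SSH2 3: SSH2_MSG_KEXINIT sent
"""

if __name__ == "__main__":
    hung, at_limit = hung_sessions(SAMPLE, max_sessions=3)
    for sid, stage in sorted(hung.items()):
        print(f"session {sid}: never terminated, last stage {stage}")
    print("session limit reached" if at_limit else "sessions still available")
```

    Run it against a real buffered log pulled with "show log | i SSH|ssh" and the stage a session stalls at tells you where to look: a stall before "versions_exchanged" points at the client never reaching the control process, a stall after "authenticated" with no shell or termination points at sessions that are being left open. Sessions of the second kind are the ones "ssh disconnect" with the SID from "show ssh session" can clear without a reload.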

    Author Closing Comment

    thx everyone
