
I have a couple of ASAs. Every so often I cannot get into the ASA via SSH.  I know that SSH works, as after I do a reboot it will work again for a while.

Is there a fix for that?  Otherwise, is there a way to restart some process on the ASA instead of having to reboot it?

2 Solutions
You're saying it works following a reboot, then stops at some point and doesn't resume until another reboot?  How long does that typically take?   If you're confident of the configuration, it's possibly a bug, but if you post the config (remove public IP addresses) that might help.  You're certain you're not trying to access from a disallowed subnet or host?   What version of code are you running?  Do you have console access to do a debug following the reboot (when it is working) and then again when it's stopped?
Log in and check "show ssh session"; you might have sessions that are timing out but not being closed down cleanly. There's a limit to the number of sessions, which might be where you have to power cycle or reload to regain access.

If this is what's happening, either monitor it each time you log in and kill the hung sessions (ssh disconnect #, where # is the SID from show ssh session), or log in at the console and do the same when all the SSH sessions are busy.
yostnet (Author) commented:
There are no OPEN SESSIONS. I would be the only guy who would SSH in.
In that case it sounds like a bug. There was a bug in PIX 5.1 code (around the 2001-2002 time frame) that sounds very similar to this.

Suggest you "debug ssh", make sure your logging is configured for buffered debugging and the buffer size is something reasonable (i.e. 128k or more, depending on how busy the firewall is and how much logging you normally do). Leave the debug running, then the next time you find you can't connect, plug in to the console and "show log | i SSH|ssh". You should see something like below:

hostname# deb ssh
debug ssh  enabled at level 1
hostname# Device ssh opened successfully.
SSH1: SSH client: IP = ''  interface # = 2
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-2.0-Cisco-1.25

SSH1: send SSH message: outdata is NULL

server version string:SSH-2.0-Cisco-1.25SSH1: receive SSH message: 83 (83)
SSH1: client version is - SSH-2.0-OpenSSH_5.5

client version string:SSH-2.0-OpenSSH_5.5SSH1: begin server key generation
SSH1: complete server key generation, elapsed time = 680 ms

SSH2 1: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-md5 none
SSH2: kex: server->client aes128-cbc hmac-md5 none
SSH2 1: expecting SSH2_MSG_KEXDH_INIT
SSH2 1: SSH2_MSG_KEXDH_INIT received
SSH2 1: signature length 143
SSH2: kex_derive_keys complete
SSH2 1: newkeys: mode 1
SSH2 1: waiting for SSH2_MSG_NEWKEYS
SSH2 1: newkeys: mode 0
SSH2 1: SSH2_MSG_NEWKEYS receivedSSH(username): user authen method is 'use AAA', aaa server group ID = 1
SSH(username): user authen method is 'use AAA', aaa server group ID = 1

SSH2 1: authentication successful for username
SSH2 1: channel open request
SSH2 1: pty-req request
SSH2 1: requested tty: xterm, height 50, width 132

SSH2 1: env request
SSH2 1: env request
SSH2 1: env request
SSH2 1: env request
SSH2 1: shell request
SSH2 1: shell message received
SSH1: Session terminated normally

In your case, expect to see some indication that things are not normal, perhaps no session termination messages, or some error. From there, it's most likely a TAC case, unless you find some obvious error message.

FYI, the above is from an ASA 5510 with version:
Cisco Adaptive Security Appliance Software Version 8.2(1)
and it does not have the problem you are seeing. I have 4 others with the same version in other places and they are all fine.
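The two checks suggested above (list the sessions from "show ssh session" and clear the hung ones with "ssh disconnect", then pull "debug ssh" output from the log buffer and look for sessions that never terminate) can be automated once the text has been captured from the console. The script below is an added example, not code from this thread or from Cisco. The sample CLI text is constructed; the column layout of "show ssh sessions" and the reading of "SSH<n>:" / "SSH2 <n>:" as the session number in the debug output are assumptions about the device, which is why the parsers key on those tokens rather than on fixed column widths.

```python
"""Triage helpers for hung SSH sessions on a Cisco ASA (added example).

  1. `show ssh sessions` text -> the sessions present, plus the
     `ssh disconnect <SID>` commands that would clear the ones not yours;
  2. `debug ssh` text from the log buffer -> sessions that were opened
     but never logged "Session terminated normally".
Sample text is CONSTRUCTED (192.0.2.0/24 addresses). Column layout and
the "SSH<n>:" / "SSH2 <n>:" session-number reading are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class SshSession:
    sid: int
    client_ip: str
    state: str
    username: str


# Constructed sample of `show ssh sessions` (layout assumed). Only the IN
# row carries the SID; the OUT row is a continuation of the same session.
SHOW_SSH_SESSIONS = """\
SID Client IP       Version Mode Encryption Hmac State           Username
0   192.0.2.10      2.0     IN   aes128-cbc sha1 SessionStarted  admin
                            OUT  aes128-cbc sha1 SessionStarted  admin
1   192.0.2.11      2.0     IN   aes128-cbc md5  SessionStarted  admin
                            OUT  aes128-cbc md5  SessionStarted  admin
"""

# Constructed `debug ssh` excerpt: session 1 completes normally, session 3
# stalls in key exchange and never logs a termination line.
DEBUG_SSH_LOG = """\
SSH1: SSH client: IP = '192.0.2.10'  interface # = 2
SSH1: starting SSH control process
SSH2 1: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-md5 none
SSH2 1: authentication successful for admin
SSH2 1: shell request
SSH1: Session terminated normally
SSH3: SSH client: IP = '192.0.2.11'  interface # = 2
SSH3: starting SSH control process
SSH2 3: SSH2_MSG_KEXINIT received
SSH2 3: expecting SSH2_MSG_KEXDH_INIT
"""

_SESSION_ROW = re.compile(
    r"^(?P<sid>\d+)\s+(?P<ip>\S+)\s+\S+\s+IN\s+\S+\s+\S+\s+(?P<state>\S+)\s+(?P<user>\S+)\s*$"
)
# "SSH<n>: event" (control lines) or "SSH2 <n>: event" (v2 protocol lines).
_DEBUG_LINE = re.compile(r"^SSH(?:2 )?(?P<sid>\d+): (?P<event>.*)$")
TERMINATED = "Session terminated normally"


def parse_ssh_sessions(text: str) -> list[SshSession]:
    """Pick the IN row of every session out of `show ssh sessions` output."""
    rows = []
    for line in text.splitlines():
        m = _SESSION_ROW.match(line)
        if m:
            rows.append(SshSession(int(m["sid"]), m["ip"], m["state"], m["user"]))
    return rows


def disconnect_commands(sessions: list[SshSession], keep_client_ip: str | None = None) -> list[str]:
    """`ssh disconnect <SID>` for every session except the one you are on,
    identified here by client IP (a heuristic, so review before pasting)."""
    return [f"ssh disconnect {s.sid}" for s in sessions if s.client_ip != keep_client_ip]


def find_unterminated_sessions(log_text: str) -> dict[int, str]:
    """Map SID -> last event for sessions that were opened but never logged
    a normal termination. "SSH2: ..." kex lines carry no session number in
    this format and are skipped so they are not misread as session 2."""
    last_event: dict[int, str] = {}
    for line in log_text.splitlines():
        if line.startswith("SSH2: "):
            continue
        m = _DEBUG_LINE.match(line)
        if not m:
            continue
        sid, event = int(m["sid"]), m["event"].strip()
        if event == TERMINATED:
            last_event.pop(sid, None)
        else:
            last_event[sid] = event
    return last_event


if __name__ == "__main__":
    sessions = parse_ssh_sessions(SHOW_SSH_SESSIONS)
    for s in sessions:
        print(f"SID {s.sid} from {s.client_ip}: {s.state} ({s.username})")
    print("to clear:", disconnect_commands(sessions, keep_client_ip="192.0.2.10"))
    for sid, event in find_unterminated_sessions(DEBUG_SSH_LOG).items():
        print(f"session {sid} never terminated; last event: {event}")
```

Run it against text pasted from your own console session rather than the constructed samples; if every session in the debug output reaches "Session terminated normally" and "show ssh session" is empty, the session-leak theory is ruled out and, as the reply above says, you are looking at a TAC case.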
yostnet (Author) commented:
Thx everyone
