For some reason we cannot SSH to some ASA firewall contexts; we get "ssh_exchange_identification: connection closed by remote host".
With a packet capture and other artifacts we determined that all the SSH connections were in use (limit of 5) and were not timing out (default of 5 mins),
but we have not been able to find a way to clear these inactive connections. Any ideas?
Log in to ASDM and run the CLI commands via that interface.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116404-problemsolution-product-00.html says how to show and kill those SSH sessions.
Something else that may help you is to remove the SSH configuration and re-add it.
Quote from: ristau5741 on March 16, 2016, 09:27:21 AM
For some reason we cannot SSH to some ASA firewall contexts; we get "ssh_exchange_identification: connection closed by remote host".
With a packet capture and other artifacts we determined that all the SSH connections were in use (limit of 5) and were not timing out (default of 5 mins),
but we have not been able to find a way to clear these inactive connections. Any ideas?
Well, that ain't it; back to research...
Quote from: ristau5741 on March 16, 2016, 10:14:58 AM
Quote from: ristau5741 on March 16, 2016, 09:27:21 AM
For some reason we cannot SSH to some ASA firewall contexts; we get "ssh_exchange_identification: connection closed by remote host".
With a packet capture and other artifacts we determined that all the SSH connections were in use (limit of 5) and were not timing out (default of 5 mins),
but we have not been able to find a way to clear these inactive connections. Any ideas?
Well, that ain't it; back to research...
Maybe so. If we do a show ssh sessions from within the context, none are listed:
FLUFFY_KITTY/pri/act# show ssh sessions
FLUFFY_KITTY/pri/act#
If we do a show resource usage resource ssh from the admin context:
PITFW/pri/act# show resource usage resource ssh
Resource     Current  Peak  Limit  Denied  Context
SSH Client   4        5     5      0       FLUFFY_KITTY
SSH Server   4        5     5      6       FLUFFY_KITTY
SSH Client   5        5     5      0       HAIRY_DOG
SSH Server   5        5     5      5       HAIRY_DOG
Note that SSH to FLUFFY_KITTY works; SSH to HAIRY_DOG does not.
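The two outputs above are the whole diagnosis in this thread: the admin context shows the SSH server slots of HAIRY_DOG pinned at the limit with logins being denied, while the context itself lists no sessions to disconnect. The following is an added example, not code from the thread or from Cisco, that parses a constructed copy of that "show resource usage resource ssh" table together with the per-context "show ssh sessions" output and classifies each context as free, exhausted with visible sessions (which the context can disconnect), or exhausted with nothing listed (orphaned, the case here). Function and constant names are this example's own; the HAIRY_DOG "show ssh sessions" output is assumed empty like FLUFFY_KITTY's.

```python
"""Triage of ASA multi-context SSH slot exhaustion.

Added example (not from the thread or from Cisco). Parses the admin-context
'show resource usage resource ssh' table and per-context 'show ssh sessions'
output and says, per context, whether SSH server slots are free, held by
sessions the context can see, or held with nothing listed (orphaned).
Function and constant names are this example's own.
"""

import re
from dataclasses import dataclass

# Constructed sample: the admin-context table from the post, re-typed.
SAMPLE_RESOURCE_USAGE = """\
PITFW/pri/act# show resource usage resource ssh
Resource     Current  Peak  Limit  Denied  Context
SSH Client   4        5     5      0       FLUFFY_KITTY
SSH Server   4        5     5      6       FLUFFY_KITTY
SSH Client   5        5     5      0       HAIRY_DOG
SSH Server   5        5     5      5       HAIRY_DOG
"""

# Constructed sample: 'show ssh sessions' run inside each context. The post
# shows FLUFFY_KITTY printing nothing; HAIRY_DOG is assumed to do the same.
SAMPLE_CONTEXT_SESSIONS = {
    "FLUFFY_KITTY": "",
    "HAIRY_DOG": "",
}

# One table row, e.g. "SSH Server   4   5   5   6   FLUFFY_KITTY"
ROW_RE = re.compile(
    r"^SSH\s+(?P<role>Client|Server)\s+(?P<current>\d+)\s+(?P<peak>\d+)"
    r"\s+(?P<limit>\d+)\s+(?P<denied>\d+)\s+(?P<context>\S+)$"
)


@dataclass(frozen=True)
class SshUsage:
    context: str
    role: str      # "Client" (ssh initiated from the ASA) or "Server"
    current: int
    peak: int
    limit: int
    denied: int

    @property
    def exhausted(self) -> bool:
        # Every slot in use: the next inbound login is refused before the
        # banner, which the client reports as ssh_exchange_identification:
        # connection closed by remote host.
        return self.current >= self.limit


def parse_resource_usage(text: str) -> list[SshUsage]:
    """Parse the SSH rows of 'show resource usage resource ssh'."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(SshUsage(
                context=m["context"], role=m["role"],
                current=int(m["current"]), peak=int(m["peak"]),
                limit=int(m["limit"]), denied=int(m["denied"]),
            ))
    return rows


def diagnose(rows: list[SshUsage], context_sessions: dict[str, str]) -> dict[str, str]:
    """Map each context to a verdict for its SSH *server* slots.

    context_sessions: context name -> raw 'show ssh sessions' output captured
    inside that context ('' when the command printed nothing).
    """
    verdicts = {}
    for r in rows:
        if r.role != "Server":
            continue
        # A line whose first column is a numeric session ID means the context
        # can see the session (and therefore disconnect it).
        listed = [ln for ln in context_sessions.get(r.context, "").splitlines()
                  if ln.strip() and ln.split()[0].isdigit()]
        if not r.exhausted:
            verdicts[r.context] = "ok"
        elif listed:
            verdicts[r.context] = "exhausted-visible"
        else:
            verdicts[r.context] = "exhausted-orphaned"
    return verdicts


def previously_denied(rows: list[SshUsage]) -> dict[str, int]:
    """Contexts whose SSH server has refused at least one login (Denied > 0).

    A non-zero count with a free slot now (FLUFFY_KITTY) means the limit was
    hit earlier and a slot has since been released.
    """
    return {r.context: r.denied for r in rows if r.role == "Server" and r.denied > 0}


if __name__ == "__main__":
    usage = parse_resource_usage(SAMPLE_RESOURCE_USAGE)
    for ctx, verdict in diagnose(usage, SAMPLE_CONTEXT_SESSIONS).items():
        print(f"{ctx:14} {verdict}")
    print("denied so far:", previously_denied(usage))
```

The "exhausted-orphaned" verdict is the one that matters operationally: the slots are counted in the admin context but the owning context has nothing to disconnect, so the usual show-and-kill procedure has nothing to act on.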
:itcrowd:
Quote from: deanwebb on March 16, 2016, 10:56:01 AM
:itcrowd:
Yer not being real relevant today. With the reference to using ASDM (which we can because the firewall contexts will not support two-factor authentication (which we have had a feature request in for over a year (which is not a priority for Cisco, since they'd have to rewrite the entire code to support it))), the reference to some obscure IPX/CX module (who uses Cisco products for IPS anyway??), and rebooting a production firewall??? (when we can't even get a window to reload it to upgrade to fix a bug). I'm looking for some helpful advice... and don't say open a TAC case, since I'm doing that now. :boohoo:
Regen RSA keys?
crypto key generate rsa general-keys modulus 2048
-Otanx
Quote from: Otanx on March 16, 2016, 11:34:27 AM
Regen RSA keys?
crypto key generate rsa general-keys modulus 2048
-Otanx
Did that; tried SSHv1 and SSHv2, and enabling/disabling stricthostcheck as well.
TAC is now informed, and I await the bug identifier. :eek:
Well, rebooting would clear all the sessions... just sayin'.
Is the issue on the standby ASA too? If not, then fail active over to the standby context and reload the standby? I guess you've probably already tried that.
Quote from: Dieselboy on March 16, 2016, 07:49:01 PM
Is the issue on the standby ASA too? If not, then fail active over to the standby context and reload the standby? I guess you've probably already tried that.
Yes, it's on both. I haven't heard back from TAC, but I was OOO yesterday. Need to follow up today.
I found this command helpful when troubleshooting an "ASDM won't launch" issue, that is, if you can run it somewhere. In my case it shows that my ASA is listening on the outside, the inside, and a fiber link for both SSH and ASDM connections, and that two of us are connected on the inside using ASDM and SSH. If you run it and one doesn't show, then you've found a problem. In my case the ASDM connections weren't listening, so I had to remove HTTP and then re-add it to the config, which fixed the listening issue.
ASA# show asp table socket
Protocol  Socket    Local Address         Foreign Address       State
TCP       000a655f  1.2.3.4:22            0.0.0.0:*             LISTEN
SSL       000a84df  1.2.3.4:8000          0.0.0.0:*             LISTEN
TCP       000b61cf  172.30.0.253:22       0.0.0.0:*             LISTEN
SSL       000ba08f  172.30.0.253:8000     0.0.0.0:*             LISTEN
TCP       000c4bbf  10.254.254.13:22      0.0.0.0:*             LISTEN
SSL       000cdbbf  10.254.254.13:8000    0.0.0.0:*             LISTEN
SSL       074820f8  10.254.254.13:8000    172.31.1.186:64087    ESTAB
SSL       074a2158  10.254.254.13:8000    172.31.1.186:64091    ESTAB
TCP       0770fd78  10.254.254.13:22      172.31.1.206:64624    ESTAB
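The check described in that post ("if one doesn't show then you found a problem") is easy to automate. The following is an added example, not code from the post or from Cisco, that parses a constructed copy of the "show asp table socket" output above, verifies that every management address still has both its SSH listener (TCP/22) and its ASDM listener (SSL/8000 in this output, a non-default ASDM port) in LISTEN state, and counts established sessions per listener so the number of live SSH connections can be compared against the SSH session limit. The expected-listener map and all function names are this example's own assumptions; only IPv4 "ip:port" addresses are handled.

```python
"""Check ASA management listeners from 'show asp table socket'.

Added example (not from the post or from Cisco). Verifies expected SSH and
ASDM listeners are present and counts established sessions per listener.
EXPECTED_LISTENERS and all function names are this example's own.
"""

from collections import Counter
from dataclasses import dataclass

# Constructed sample: the table from the post, re-typed.
SAMPLE_ASP_SOCKETS = """\
ASA# show asp table socket
Protocol  Socket    Local Address         Foreign Address       State
TCP       000a655f  1.2.3.4:22            0.0.0.0:*             LISTEN
SSL       000a84df  1.2.3.4:8000          0.0.0.0:*             LISTEN
TCP       000b61cf  172.30.0.253:22       0.0.0.0:*             LISTEN
SSL       000ba08f  172.30.0.253:8000     0.0.0.0:*             LISTEN
TCP       000c4bbf  10.254.254.13:22      0.0.0.0:*             LISTEN
SSL       000cdbbf  10.254.254.13:8000    0.0.0.0:*             LISTEN
SSL       074820f8  10.254.254.13:8000    172.31.1.186:64087    ESTAB
SSL       074a2158  10.254.254.13:8000    172.31.1.186:64091    ESTAB
TCP       0770fd78  10.254.254.13:22      172.31.1.206:64624    ESTAB
"""

# Assumed: the listeners each management address is expected to expose
# (SSH on TCP/22, ASDM on SSL/8000 as configured on the ASA in the post).
EXPECTED_LISTENERS = {
    "1.2.3.4":       {("TCP", 22), ("SSL", 8000)},
    "172.30.0.253":  {("TCP", 22), ("SSL", 8000)},
    "10.254.254.13": {("TCP", 22), ("SSL", 8000)},
}


@dataclass(frozen=True)
class AspSocket:
    proto: str       # TCP, UDP or SSL as printed by the ASA
    sock_id: str
    local_ip: str
    local_port: int
    foreign: str     # left as printed, e.g. "0.0.0.0:*" for a listener
    state: str       # LISTEN or ESTAB


def parse_asp_sockets(text: str) -> list[AspSocket]:
    """Parse socket rows; header, prompt and blank lines are skipped.

    Only IPv4 'ip:port' local addresses are handled (no bracketed IPv6).
    """
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] not in ("TCP", "UDP", "SSL"):
            continue
        ip, _, port = f[2].rpartition(":")
        socks.append(AspSocket(f[0], f[1], ip, int(port), f[3], f[4]))
    return socks


def listeners(socks: list[AspSocket]) -> set[tuple[str, str, int]]:
    """Set of (ip, proto, port) currently in LISTEN state."""
    return {(s.local_ip, s.proto, s.local_port) for s in socks if s.state == "LISTEN"}


def missing_listeners(socks, expected) -> dict[str, set[tuple[str, int]]]:
    """Expected (proto, port) listeners that are absent, keyed by address.

    An empty dict means every management service is still listening; a
    missing SSL entry is the 'ASDM won't launch' case from the post.
    """
    have = listeners(socks)
    missing = {}
    for ip, wanted in expected.items():
        gone = {(p, port) for (p, port) in wanted if (ip, p, port) not in have}
        if gone:
            missing[ip] = gone
    return missing


def established_by_listener(socks) -> Counter:
    """Number of ESTAB sockets per (local ip, local port)."""
    return Counter((s.local_ip, s.local_port) for s in socks if s.state == "ESTAB")


def ssh_sessions_in_use(socks) -> int:
    """Live SSH connections on the box; compare against the SSH session limit."""
    return sum(1 for s in socks if s.state == "ESTAB" and s.local_port == 22)


if __name__ == "__main__":
    socks = parse_asp_sockets(SAMPLE_ASP_SOCKETS)
    print("missing listeners:", missing_listeners(socks, EXPECTED_LISTENERS) or "none")
    for (ip, port), n in sorted(established_by_listener(socks).items()):
        print(f"{ip}:{port}  {n} established")
    print("ssh sessions in use:", ssh_sessions_in_use(socks))
```

Run against the captured output, an empty "missing listeners" result rules out the listener problem the post describes, and the per-listener ESTAB counts give an independent view of how many of the SSH slots are held by sockets the data plane actually sees.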
TAC identified Bug ID CSCts72188, "SSH process may exist after being orphaned from SSH session".