Hmm. Do you have any static NATs assuming TCP port 22 on that interface's IP address? I tried OpenSSH to my ASA running 7.2.2, worked fine. Looked like this:

sullivan-asa-01# debug ssh
debug ssh enabled at level 1
sullivan-asa-01# Device ssh opened successfully.
SSH1: SSH client: IP = 'X.Y.155.32' interface # = 1
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-2.0-Cisco-1.25
SSH1: send SSH message: outdata is NULL
server version string:SSH-2.0-Cisco-1.25
SSH1: receive SSH message: 83 (83)
SSH1: client version is - SSH-2.0-OpenSSH_3.8.1p1
client version string:SSH-2.0-OpenSSH_3.8.1p1
SSH1: begin server key generation
SSH1: complete server key generation, elapsed time = 590 ms
SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-md5 none
SSH2: kex: server->client aes128-cbc hmac-md5 none
SSH2 1: expecting SSH2_MSG_KEXDH_INIT
SSH2 1: SSH2_MSG_KEXDH_INIT received
SSH2 1: signature length 271
SSH2: kex_derive_keys complete
SSH2 1: newkeys: mode 1
SSH2 1: SSH2_MSG_NEWKEYS sent
SSH2 1: waiting for SSH2_MSG_NEWKEYS
SSH2 1: newkeys: mode 0
SSH2 1: SSH2_MSG_NEWKEYS received
SSH(pix): user authen method is 'no AAA', aaa server group ID = 0
SSH(pix): user authen method is 'no AAA', aaa server group ID = 0
SSH2 1: authentication successful for pix
SSH2 1: channel open request
SSH2 1: pty-req request
SSH2 1: requested tty: cygwin, height 25, width 80
SSH2 1: shell request

Chuck Church
Principal Network Engineer, CCIE #8776
Harris Information Technology Services
EDS Contractor - Navy Marine Corps Intranet (NMCI)
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978
[EMAIL PROTECTED]

-----Original Message-----
From: Bagosi Rómeó [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 31, 2007 10:32 AM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ASA SSH problem

No, it doesn't work :( The problem is that the first time the ASA permits SSH access to the device, then it discards, and the ASA disconnects with an 'Internal' or 'Time-out' error.

-----Original Message-----
From: Church, Charles [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 31, 2007 4:17 PM
To: Bagosi Rómeó
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ASA SSH problem

My bad, I was thinking of the IOS command, which is in seconds. What if you try adding 'ssh version 2', so that it doesn't try version 1? I think it'll default to AES256 then. Might be worth a try.

Chuck Church
Principal Network Engineer, CCIE #8776
Harris Information Technology Services
EDS Contractor - Navy Marine Corps Intranet (NMCI)
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978
[EMAIL PROTECTED]

-----Original Message-----
From: Bagosi Rómeó [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 31, 2007 9:48 AM
To: Church, Charles
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ASA SSH problem

The 'ssh timeout 5' means a 5 minute timeout. No, I didn't try another SSH client. I used Debian's default OpenSSH client. My ASA version is 7.1(2). I've searched for bugs with Cisco's bug toolkit and I've found a bug similar to my problem, but the workaround didn't help.

-----Original Message-----
From: Church, Charles [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 31, 2007 2:30 PM
To: Bagosi Rómeó
Cc: cisco-nsp@puck.nether.net
Subject: RE: [c-nsp] ASA SSH problem

5 seconds seems pretty short for a timeout. Have you tried a different SSH client? What encryption protocol is being used? I use PuTTY all the time with an ASA, never seen this. What ASA version is it, have you looked for bugs involving SSH?

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bagosi Rómeó
Sent: Tuesday, July 31, 2007 2:35 AM
To: Voll, Scott
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] ASA SSH problem

Hi!

1. I saved the RSA keys before reload. And after reload I've regenerated and deleted the keys, but it didn't help.
2. I have the ssh x.x.x.x y.y.y.y outside command.

-----Original Message-----
From: Voll, Scott [mailto:[EMAIL PROTECTED]
Sent: Monday, July 30, 2007 4:44 PM
To: Bagosi Rómeó
Subject: RE: [c-nsp] ASA SSH problem

Two guesses.

1. your RSA key didn't get saved, or
2. you don't have SSH allowed from that outside IP address, i.e. ssh x.x.x.x y.y.y.y outside.

Just my first thoughts.

Scott

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bagosi Rómeó
Sent: Monday, July 30, 2007 6:45 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] ASA SSH problem

Hello Experts!

I have a problem connecting to the ASA with SSH on the outside interface. My SSH worked, but I've reloaded the ASA (with saved configuration), and now it doesn't work. I want to connect from a Linux server. The SSH configuration is:

aaa authentication ssh console LOCAL
username admin password xxxxxx privilege 15
ssh *.*.6.1 255.255.255.255 outside
ssh timeout 5

I have public keys generated (using this device for VPN). The debug ssh says:

Device ssh opened successfully.
SSH0: SSH client: IP = '*.*.6.1' interface # = 1
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25
SSH0: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25
%ASA-6-302013: Built inbound TCP connection 59 for outside:*.*.6.1/40706 (*.*.6.1/40706) to NP Identity Ifc:*.*.6.2/22 (*.*.6.2/22)
%ASA-7-710002: TCP access permitted from *.*.6.1/40706 to outside:*.*.6.2/ssh
SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-OpenSSH_3.4p1
client version string:SSH-2.0-OpenSSH_3.4p1
SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 770 ms
SSH2 0: SSH2_MSG_KEXINIT sent
%ASA-7-710005: TCP request discarded from *.*.6.1/40706 to outside:*.*.6.2/22
%ASA-7-710005: TCP request discarded from *.*.6.1/40706 to outside:*.*.6.2/22
%ASA-6-302014: Teardown TCP connection 54 for outside:*.*.6.1/58911 to NP Identity Ifc:*.*.6.2/22 duration 0:10:25 bytes 1438 FIN Timeout
%ASA-6-302014: Teardown TCP connection 56 for outside:*.*.6.1/33068 to NP Identity Ifc:*.*.6.2/22 duration 0:08:07 bytes 2490 Connection timeout
SSH0: Session disconnected by SSH server - error 0x3c "Time-out activated"
SSH0: receive SSH message: [no message ID: variable *data is NULL]
%ASA-6-315011: SSH session from *.*.6.1 on interface outside for user "" disconnected by SSH server, reason: "Time-out activated" (0x3c)

Now the SSH server disconnected because of "Time-out activated", but several times it disconnects with "Internal Error". What can be the problem?
Thanks,
Romeo Bagosi

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
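Added example, not from the thread and not Cisco tooling: a small Python script that reads a `debug ssh` trace interleaved with ASA syslog (the two message shapes quoted above) and reports, per client address, how far the SSH key exchange got before the firewall started discarding the client's packets (710005) and the SSH server tore the session down (315011). Comparing a failing trace against a working one this way makes the difference between the two traces in the thread explicit: the working session reaches `authentication successful`, the failing one never gets past `SSH2_MSG_KEXINIT sent`. The log lines below are constructed, modelled on the quoted ones but with RFC 5737 documentation addresses; the regexes only cover the message forms that appear in the thread.

```python
import re

# Patterns for the "debug ssh" lines and the ASA syslog messages seen in the thread.
CLIENT_RE = re.compile(r"^SSH\d+: SSH client: IP = '(?P<ip>[^']+)'")
VERSION_RE = re.compile(r"^SSH\d+: client version is - (?P<ver>\S+)")
KEX_RE = re.compile(r"^SSH2 \d+: (?P<msg>SSH2_MSG_[A-Z_]+) (?P<dir>sent|received)$")
AUTH_RE = re.compile(r"^SSH2 \d+: authentication successful for (?P<user>\S+)$")
DISCARD_RE = re.compile(
    r"%ASA-7-710005: TCP request discarded from (?P<ip>[\d.]+)/\d+ to \w+:[\d.]+/\d+")
DISCONNECT_RE = re.compile(
    r'%ASA-6-315011: SSH session from (?P<ip>[\d.]+) on interface \S+ for user '
    r'"(?P<user>[^"]*)" disconnected by SSH server, reason: "(?P<reason>[^"]+)" '
    r"\((?P<code>0x[0-9a-fA-F]+)\)")

# Constructed sample modelled on the failing trace in the thread (addresses are RFC 5737).
FAILING_TRACE = """\
SSH0: SSH client: IP = '192.0.2.1' interface # = 1
SSH0: client version is - SSH-2.0-OpenSSH_3.4p1
SSH2 0: SSH2_MSG_KEXINIT sent
%ASA-7-710005: TCP request discarded from 192.0.2.1/40706 to outside:192.0.2.2/22
%ASA-7-710005: TCP request discarded from 192.0.2.1/40706 to outside:192.0.2.2/22
%ASA-6-302014: Teardown TCP connection 56 for outside:192.0.2.1/33068 to NP Identity Ifc:192.0.2.2/22 duration 0:08:07 bytes 2490 Connection timeout
%ASA-6-315011: SSH session from 192.0.2.1 on interface outside for user "" disconnected by SSH server, reason: "Time-out activated" (0x3c)
"""

# Constructed sample modelled on the working trace in the thread.
WORKING_TRACE = """\
SSH1: SSH client: IP = '198.51.100.7' interface # = 1
SSH1: client version is - SSH-2.0-OpenSSH_3.8.1p1
SSH2 1: SSH2_MSG_KEXINIT sent
SSH2 1: SSH2_MSG_KEXINIT received
SSH2 1: SSH2_MSG_KEXDH_INIT received
SSH2 1: SSH2_MSG_NEWKEYS sent
SSH2 1: SSH2_MSG_NEWKEYS received
SSH2 1: authentication successful for pix
"""


def _new_session():
    return {"client_version": None, "kex": [], "authenticated_user": None,
            "discards": 0, "disconnect_reason": None, "disconnect_code": None}


def classify(session):
    """One-line verdict for a session, based on what the trace showed."""
    if session["authenticated_user"]:
        return "ok: authenticated"
    if session["discards"] and session["disconnect_reason"]:
        last = session["kex"][-1] if session["kex"] else "none"
        return (f"handshake stalled after '{last}': {session['discards']} discards, "
                f"server dropped session ({session['disconnect_reason']})")
    if session["disconnect_reason"]:
        return f"dropped before authentication ({session['disconnect_reason']})"
    return "incomplete: no disconnect seen"


def analyse_ssh_log(text):
    """Group debug/syslog lines by client IP and return per-client findings."""
    sessions = {}
    current_ip = None  # debug ssh lines carry no IP, so remember the last client seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := CLIENT_RE.match(line):
            current_ip = m.group("ip")
            sessions.setdefault(current_ip, _new_session())
        elif (m := VERSION_RE.match(line)) and current_ip:
            sessions[current_ip]["client_version"] = m.group("ver")
        elif (m := KEX_RE.match(line)) and current_ip:
            sessions[current_ip]["kex"].append(f"{m.group('msg')} {m.group('dir')}")
        elif (m := AUTH_RE.match(line)) and current_ip:
            sessions[current_ip]["authenticated_user"] = m.group("user")
        elif m := DISCARD_RE.search(line):
            sessions.setdefault(m.group("ip"), _new_session())["discards"] += 1
        elif m := DISCONNECT_RE.search(line):
            s = sessions.setdefault(m.group("ip"), _new_session())
            s["disconnect_reason"] = m.group("reason")
            s["disconnect_code"] = m.group("code")
    for s in sessions.values():
        s["verdict"] = classify(s)
    return sessions


if __name__ == "__main__":
    for label, trace in (("failing", FAILING_TRACE), ("working", WORKING_TRACE)):
        for ip, s in analyse_ssh_log(trace).items():
            print(f"{label}: {ip} ({s['client_version']}): {s['verdict']}")
```

Run against a real capture, the same script reads `show logging` output pasted after the `debug ssh` lines; the point of the verdict string is to separate "the firewall stopped passing the client's packets after KEXINIT" from "the client authenticated and the session died later", which are different problems to chase.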