ASA5505 - connection reset when trying to SSH over IPSEC tunnel

Answered Question
Feb 21st, 2008

Hi,

Just bought myself an ASA5505 to replace a PIX 501, and having transferred over most of the previous config I've managed to get the two IPSEC VPN tunnels working as before.

Unfortunately when I try and SSH to the ASA the connection just resets instantly even when the tunnel is up. It seems as if the ASA is actively refusing the connection, though the log doesn't state this. I had always presumed that traffic over an established IPSEC tunnel was implicitly trusted and not subject to usual access-list rules.

I am unable to SSH to the ASA from the 10.0.0.x range, but I can SSH to a machine on 10.27.0.4 (so I know the tunnel is up and working).

Config (minus irrelevant sensitive information) is attached for reference.

Also - though I'm not sure how relevant it is given the tunnels appear to work - when I enter the line "crypto map meepnet-map interface outside" in config mode the ASA reports "WARNING: The crypto map entry is incomplete!" even though I have supplied the access-list, peer and transform-set variables.

Any help gratefully received! :)

Thanks,

Daz

daz@jpci.net Thu, 02/21/2008 - 07:32

Not sure if this is relevant but these appear to be the pertinent lines from my debug log when I try and make a connection from my PC at the remote end of the tunnel (10.0.0.125) to the ASA (10.27.0.1):

%ASA-5-713120: Group = x.x.196.101, IP = x.x.196.101, PHASE 2 COMPLETED (msgid=3f6ca37a)

%ASA-7-710005: UDP request discarded from vorniz/50939 to inside:10.27.0.255/3052

%ASA-7-609001: Built local-host outside:10.0.0.125

%ASA-7-609001: Built local-host NP Identity Ifc:10.27.0.1

%ASA-6-302013: Built inbound TCP connection 824 for outside:10.0.0.125/2550 (10.0.0.125/2550) to NP Identity Ifc:10.27.0.1/22 (10.27.0.1/22)

%ASA-6-302014: Teardown TCP connection 824 for outside:10.0.0.125/2550 to NP Identity Ifc:10.27.0.1/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

It would appear that the connection to port 22 (SSH) on the ASA is torn down immediately - hence the "Connection Reset" message.

I can SSH to the internet IP (true outside) of the ASA without issue with just "ssh 255.255.255.255 outside"

daz@jpci.net Thu, 02/21/2008 - 12:37

That fixed it, thanks.

Don't know how I could've missed something so obvious!

daz@jpci.net Fri, 02/22/2008 - 02:51

Looks like I spoke too soon on this.

I haven't changed the config since last night (but the tunnel has been brought down and back up again due to a router reboot) and I'm back to getting instant "Connection resets" when I try and connect to the ASA inside interface IP across the VPN.

Debug log info:

%ASA-6-302014: Teardown TCP connection 18335 for outside:10.0.0.125/3670 to NP Identity Ifc:10.27.0.1/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

%ASA-7-609002: Teardown local-host outside:10.0.0.125 duration 0:00:00

%ASA-7-609002: Teardown local-host NP Identity Ifc:10.27.0.1 duration 0:00:00

%ASA-7-609001: Built local-host outside:10.0.0.125

%ASA-7-609001: Built local-host NP Identity Ifc:10.27.0.1

%ASA-6-302013: Built inbound TCP connection 18336 for outside:10.0.0.125/3670 (10.0.0.125/3670) to NP Identity Ifc:10.27.0.1/22 (10.27.0.1/22)

%ASA-7-710005: TCP request discarded from 10.0.0.125/3670 to outside:10.27.0.1/22

%ASA-6-302013: Built inbound TCP connection 18337 for outside:10.0.0.125/3671 (10.0.0.125/3671) to NP Identity Ifc:10.27.0.1/22 (10.27.0.1/22)

%ASA-6-302014: Teardown TCP connection 18337 for outside:10.0.0.125/3671 to NP Identity Ifc:10.27.0.1/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

%ASA-6-302013: Built inbound TCP connection 18338 for outside:10.0.0.125/3671 (10.0.0.125/3671) to NP Identity Ifc:10.27.0.1/22 (10.27.0.1/22)

%ASA-7-710005: TCP request discarded from 10.0.0.125/3671 to outside:10.27.0.1/22

ssh 10.0.0.0 255.255.255.0 inside IS in the config.

daz@jpci.net Fri, 02/22/2008 - 03:00

Just fixed this myself, the missing line in the config was:

management-access inside

Found this after finding a result on Google about using ASDM. Adding this line allowed me to SSH to the inside interface of the ASA over the IPsec VPN.

Thanks for the help! :)
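An added triage helper (my own code, not from this thread or from Cisco) that parses the 302014 teardown lines quoted above and flags the pattern the posters hit: a management-port flow addressed to the ASA's own interface IP, entering on the VPN-facing interface and killed with zero bytes by TCP Intercept or an ASA-originated reset. It assumes Python 3; the regex group names, the port table and the sample log are my own, with the sample lines adapted from this thread.

```python
import re

# Syslog id 302014 (TCP teardown) as quoted in this thread, in both the
# "%ASA-6-302014:" and the ASDM-table ("... 302014 ...") formats; group names are mine.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_ifc>[^/:]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_ifc>[^/]+?):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<nbytes>\d+) (?P<reason>.+?)\s*$"
)
MGMT_PORTS = {22: "ssh", 23: "telnet", 443: "https"}  # ASA device-management services

def parse_teardown(line: str) -> "dict | None":
    """Return the fields of a 302014 line as a dict, or None for any other line."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("conn", "sport", "dport", "nbytes"):
        rec[key] = int(rec[key])
    # "NP Identity Ifc" (newer builds) and "identity" (the 8.0(4) lines) both
    # mean the packet was addressed to one of the ASA's own interface IPs.
    rec["to_identity"] = "identity" in rec["dst_ifc"].lower()
    return rec

def is_blocked_mgmt_attempt(rec: dict) -> bool:
    """The thread's signature: management port on the ASA's own address, torn
    down by TCP Intercept or an ASA reset with zero bytes, i.e. before any payload."""
    return (rec["to_identity"] and rec["dport"] in MGMT_PORTS
            and rec["nbytes"] == 0
            and ("TCP Intercept" in rec["reason"] or "Reset-I" in rec["reason"]))

def triage(log_text: str) -> list:
    """Flag matching 302014 lines; src_ifc is where the flow arrived, dst the
    interface IP it targeted, which management-access must permit when they differ."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_teardown(line)
        if rec and is_blocked_mgmt_attempt(rec):
            rec["service"] = MGMT_PORTS[rec["dport"]]
            hits.append(rec)
    return hits

# Constructed sample: two lines adapted from this thread plus one healthy SSH
# session to a host behind the ASA (10.27.0.4) that must not be flagged.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 824 for outside:10.0.0.125/2550 to NP Identity Ifc:10.27.0.1/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6 Oct 23 2009 17:39:56 302014 10.2.0.52 1150 10.8.211.10 22 Teardown TCP connection 4208745 for outside:10.2.0.52/1150 to identity:10.8.211.10/22 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 900 for outside:10.0.0.125/2551 to inside:10.27.0.4/22 duration 0:05:12 bytes 48213 TCP FINs
"""
```

Running `triage(SAMPLE_LOG)` returns the two zero-byte flows to the identity interface and leaves the real SSH session to 10.27.0.4 alone.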

mahoran Tue, 10/06/2009 - 12:46

It looks like I'm hitting the same problem, although management-interface did not fix it.

At our main site, clients behind a PIX 515 with software version 8.0(2) can connect to the management interface of an ASA on the other side of a DS3 which is protected by an IPSEC VPN. This ASA has been configured with ssh 0 0 inside and management-interface inside.

Clients at the remote site, local (on the inside interface) or remote, are unable to initiate HTTPS or SSH connections to the PIX. The PIX has been configured with ssh 0 0 inside as well as management-interface inside, but connections are closed when an attempt is made to connect.

cplundberg Fri, 10/23/2009 - 14:13

Having the same issue as described above... Remote site connected via VPN tunnel with the following confirmed in config:

!

http Net_10.0.0.0 255.0.0.0 inside

telnet Net_10.0.0.0 255.0.0.0 inside

ssh Net_10.0.0.0 255.0.0.0 inside

management-access inside

!

Version 8.0(4)23

-From the main site I can ASDM to the ASA, but I can't telnet or SSH direct to it.

6 Oct 23 2009 17:39:56 302014 10.2.0.52 1150 10.8.211.10 22 Teardown TCP connection 4208744 for outside:10.2.0.52/1150 to identity:10.8.211.10/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

6 Oct 23 2009 17:39:56 302014 10.2.0.52 1150 10.8.211.10 22 Teardown TCP connection 4208745 for outside:10.2.0.52/1150 to identity:10.8.211.10/22 duration 0:00:00 bytes 0 TCP Reset-I

phithang Fri, 11/06/2009 - 14:59

I ran into the same problem as well.

What fixed it is to remove the management-access inside command and then re-add it.

Hope that helps.

Correct Answer
athukral Wed, 06/15/2011 - 22:50

Hello Darren,

Please mark it as answered if your query is resolved. Appreciate your time!

Regards,

Ankur Thukral

Community Manager- Security & VPN

irfan2dharma Thu, 03/29/2012 - 12:06

Thanks Daz.

I used the same command for my issue, wow, my issue got fixed. I can take a breath now.

"management-access inside" is a good answer to the telnet and ssh issue over ipsec tunnel.

Posted February 21, 2008 at 7:24 AM