SSH to PIX receives RST, ACK

Unanswered Question
Apr 23rd, 2008

We have a number of PIX that seem to have this problem of refusing management connections from time to time via SSH. The PIX are still responsive to console access and still function properly as far as passing/blocking regular traffic. I've tried connecting with PuTTY and with SecureCRT. We are running 6.3(5) on a 525 failover bundle, though in most places we just have 515s with 6.3(5).


When I build them I use these commands to generate the certificates.


ca zeroize rsa

ca generate rsa key 1024

ca save all


And then define the following statements allowing SSH access from within the inside network to the device.


aaa authentication ssh console TACACS+ LOCAL

ssh 192.168.0.0 255.255.255.0 inside

ssh timeout 20


I've attached a packet capture from my computer as well as from the inside interface of the PIX.


From the firewall, if I do a show proc | inc ssh, here are the processes that it shows.

Mrd 00103b58 044b53ec 0056ed88 0 044b33fc 8176/8192 ssh_init

Hrd 00303351 03e3ea1c 0056ed38 44121090 03e3e324 1116/2048 listen/ssh_1

Mrd 003f7ded 0420490c 0056ed88 0 04202994 6424/8192 ssh/timer
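The question hinges on what the client actually sees when the PIX refuses the session: an RST to the SYN (nothing listening or the source denied), a completed handshake followed by RST, ACK, a hung listener that never sends a banner, or a normal banner. The probe below is an added example written for this thread, not code from the original post or from Cisco; it classifies a TCP connect to the management port into those outcomes and reports the SSH protocol version from the banner. The local listeners, the hypothetical helper names (probe_ssh, _serve_once, _free_port) and the sample banner string SSH-1.5-Cisco-1.25 are constructed for the example.

```python
import socket
import struct
import threading
import time

# Added example (hypothetical helpers), not part of the original post.
# probe_ssh() reads a connection attempt the way a packet capture would:
#   refused  - RST answered the SYN (nothing listening / source not permitted)
#   reset    - handshake completed, then the peer sent RST, ACK
#   timeout  - SYN or banner never answered (filtered, or a hung ssh process)
#   closed   - orderly FIN with no banner
#   banner   - an SSH banner arrived; proto is taken from it ("1.5", "1.99", "2.0")

def probe_ssh(host, port=22, timeout=3.0):
    """Return {"outcome", "banner", "proto"} for one connect to host:port."""
    result = {"outcome": None, "banner": None, "proto": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(256)
    except ConnectionRefusedError:
        result["outcome"] = "refused"
        return result
    except ConnectionResetError:
        result["outcome"] = "reset"
        return result
    except socket.timeout:
        result["outcome"] = "timeout"
        return result
    if not data:
        result["outcome"] = "closed"
        return result
    result["outcome"] = "banner"
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r")
    banner = first_line.decode("ascii", "replace")
    result["banner"] = banner
    if banner.startswith("SSH-"):
        # Banner format is SSH-<protoversion>-<softwareversion>
        result["proto"] = banner.split("-", 2)[1]
    return result


def _serve_once(behaviour, banner=b"SSH-1.5-Cisco-1.25\r\n"):
    """Local listener that mimics one failure mode for a single client.

    Constructed test double; returns the port it listens on."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(banner)
        elif behaviour == "reset":
            # SO_LINGER with a zero timeout makes close() emit RST instead of FIN,
            # which is what "RST, ACK after the handshake" looks like on the wire.
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
        elif behaviour == "hang":
            time.sleep(2)          # accept, then never answer: client times out
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def _free_port():
    """Pick a loopback port with nothing listening, so connect is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Against a real firewall: probe_ssh("192.168.0.1")
    for mode in ("banner", "reset", "closed", "hang"):
        print(mode, probe_ssh("127.0.0.1", _serve_once(mode), timeout=0.5))
    print("refused", probe_ssh("127.0.0.1", _free_port()))
```

Run it from a host inside the permitted ssh subnet and from one outside it: a "refused" from inside while the console shows the listen/ssh_1 process alive points at the ssh access statement or the aaa lookup, whereas a "reset" after the handshake completes is the symptom described above and is worth capturing on both sides at the same time.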


cisco24x7 Wed, 04/23/2008 - 18:45

Yes, I ran into this issue 1.5 years ago on a Pix 535. I got the same issue that you have, except that my Pix 535 was running version 7.1(2). I was running an Active/Standby configuration at the time. I could ssh into the standby Pix fine but not the Active Pix.

I opened a TAC case on this issue. It took Cisco TAC about 5 months and numerous debugs, WebEx and desktop-sharing sessions, including rebooting the Pix, but the problem remained. Cisco then recommended that I RMA the box, which I found very strange. I left the company shortly after, so I never followed up with the request.

You may want to open a TAC case with Cisco for troubleshooting and RMA, if necessary.
