ssh connection refused - fwsm

Answered Question
May 23rd, 2008


I'm unable to ssh into our fwsm today - there's nothing in the logs and all ssh commands are still present - we've had this before and I have to re-generate the rsa key, and I'm fairly certain that's what I need to do now, but the old ca commands that I used have been deprecated (fwsm 3.1), so I just wanted to check that I'm doing the right thing! Here's what I'm planning on:

crypto key zeroize rsa
WARNING: All RSA keys will be removed.
WARNING: All device certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes

crypto key generate rsa general-keys modulus 1024

Does this look right?



Correct Answer by jkampane about 9 years 1 month ago

Hi J,

Hmmmm, it can be a bug. I did some research and I found the following:

Maybe you can try to upgrade, or you can open a TAC case in order to further investigate.



jigsaw2026 Fri, 05/23/2008 - 06:22

Thanks for your response. Actually doing that didn't help - still connection refused.

Any ideas????

I did write mem, and also neither has rebooted.

Thanks, J

jkampane (Cisco Employee) Fri, 05/23/2008 - 06:32

Hi J,

What do you get in the output of:

'sh crypto key mypubkey rsa'

Moreover, what do you get in the output of 'sh run ssh'?



jigsaw2026 Fri, 05/23/2008 - 06:46

Hi John,

Thank you -

fwsm# sh crypto key mypubkey rsa
Key pair was generated at: 13:52:06 UTC May 23 2008
Key name:
Usage: General Purpose Key
Modulus Size (bits): 1024
Key Data:
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00d97565
428234d5 b58e49d8 2d2ac0b9 08c97e48 f7637111 2287ee58 dfd09941 cb2f87ba
c0d0dcc0 571cf5d9 7d1e97f0 616cd2ea 9429cc6c 3afa975e 86a4d007 c44a61f7
3e905ffb 39ad9e07 8f74393d 0bad0c1d fd7eae2c c095260c 9ea22c73 21e3e151
0a7a4dc0 cad2b173 3097595e f5998cb6 7e6ded99 81ddc892 e6963980 bb020301 0001

fwsm# sh run ssh
ssh wireless
ssh office inside
ssh timeout 15
ssh version 2



jkampane (Cisco Employee) Fri, 05/23/2008 - 06:51

Hi J,

I guess you are trying to ssh to the FWSM either via the inside or the wireless interface. Can you please confirm that in the first case your IP is within the office subnet and in the second that you are coming from the host?

Moreover, a good idea would be to enable debug ssh 100 on the FWSM, along with logging at debug level, try to connect and see what you are getting there.

Finally, you will need the following line:

"aaa authentication ssh console LOCAL" along with a username/password.



jigsaw2026 Fri, 05/23/2008 - 07:39

Thanks John,

Actually I have that auth line in already, it just didn't show up in the command.

I turned on debugging and this came up:

2008-05-23 16:22:25 Local4.Debug x.x.x.x May 23 2008 15:03:26: %FWSM-7-710002: tcp access permitted from x.x.x.x/20067308 to inside:x.x.x.x/ssh
2008-05-23 16:22:25 Local4.Info x.x.x.x May 23 2008 15:03:26: %FWSM-6-302013: Built inbound TCP connection 0 for inside:x.x.x.x/3739 ( to inside:x.x.x.x/22 (x.x.x.x/22)
2008-05-23 16:22:25 Local4.Debug x.x.x.x May 23 2008 15:03:26: %FWSM-7-710004: TCP connection limit exceeded from x.x.x.x/3739 to inside:x.x.x.x/ssh

I found this saying that I need to issue a kill command, but I can't see any connections when I run a who (think this might only work for telnet?). Also I can't see any locally-destined traffic when I run show conn all.

Any ideas would be much appreciated.
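The debug output in the post above is the useful signal here: the SSH attempt is permitted by the access check (710002) and a connection is built (302013), yet the box then reports a to-the-box TCP connection limit (710004), which is what the client sees as "connection refused". The following is an added example, not part of the original thread or of any Cisco tool, that parses FWSM syslog lines of this shape and returns a verdict per source host, so a practitioner can tell a connection-limit condition apart from an ACL deny in a log dump. The sample lines are constructed to mirror the ones in the post (addresses and ports are made up), and the %FWSM-7-710003 "access denied by ACL" message ID is assumed from the ASA/PIX message family rather than taken from this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample syslog, modelled on the debug lines quoted in the thread.
# Addresses, ports and the 710003 line are made up for illustration.
SAMPLE_LOG = """\
2008-05-23 16:22:25 Local4.Debug 10.0.0.1 May 23 2008 15:03:26: %FWSM-7-710002: tcp access permitted from 10.0.0.50/3739 to inside:10.0.0.1/ssh
2008-05-23 16:22:25 Local4.Info 10.0.0.1 May 23 2008 15:03:26: %FWSM-6-302013: Built inbound TCP connection 0 for inside:10.0.0.50/3739 (10.0.0.50/3739) to inside:10.0.0.1/22 (10.0.0.1/22)
2008-05-23 16:22:25 Local4.Debug 10.0.0.1 May 23 2008 15:03:26: %FWSM-7-710004: TCP connection limit exceeded from 10.0.0.50/3739 to inside:10.0.0.1/ssh
2008-05-23 16:22:40 Local4.Debug 10.0.0.1 May 23 2008 15:03:41: %FWSM-7-710003: TCP access denied by ACL from 10.0.0.99/4120 to inside:10.0.0.1/ssh
"""

# Message IDs seen in the post plus the ACL-deny ID (assumed, see lead-in).
VERDICT_BY_ID = {
    "710002": "permitted",       # access to the box permitted
    "710003": "acl-denied",      # assumed: access denied by ACL
    "710004": "limit-exceeded",  # to-the-box TCP connection limit hit
}
# Higher rank wins when one source produces several messages.
RANK = {"permitted": 0, "acl-denied": 1, "limit-exceeded": 2}

MSG_RE = re.compile(r"%FWSM-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")
ENDPOINTS_RE = re.compile(r"from (?P<src>\S+) to (?P<dst>\S+)")


@dataclass(frozen=True)
class Event:
    severity: int
    msg_id: str
    src: str   # "host/port" as printed by the FWSM, "" if absent
    dst: str   # "iface:host/service", "" if absent
    text: str


def parse_line(line: str) -> Optional[Event]:
    """Extract severity, message ID and the from/to endpoints of one syslog line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    text = m.group("text")
    ep = ENDPOINTS_RE.search(text)
    src = ep.group("src") if ep else ""
    dst = ep.group("dst") if ep else ""
    return Event(int(m.group("sev")), m.group("id"), src, dst, text)


def src_host(src: str) -> str:
    """Strip the source port: '10.0.0.50/3739' -> '10.0.0.50'."""
    return src.rsplit("/", 1)[0]


def diagnose(lines: Iterable[str]) -> Dict[str, str]:
    """Return {source host: verdict} for every host that tried to reach the box over SSH.

    Only messages whose destination is the firewall's own ssh service are
    considered, so through-the-box traffic does not pollute the result.
    """
    verdicts: Dict[str, str] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev.dst.endswith("/ssh"):
            continue
        verdict = VERDICT_BY_ID.get(ev.msg_id)
        if verdict is None:
            continue
        host = src_host(ev.src)
        if host not in verdicts or RANK[verdict] > RANK[verdicts[host]]:
            verdicts[host] = verdict
    return verdicts


if __name__ == "__main__":
    for host, verdict in diagnose(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {verdict}")
```

A "limit-exceeded" verdict for a source that was also "permitted" a moment earlier is the pattern in the post: the access check passed, so fixing ACLs or regenerating the RSA key will not help, and the next thing to look at is the box's own management-connection table (who / kill, or a reload if the stale entries cannot be cleared).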



jigsaw2026 Tue, 05/27/2008 - 03:10

Thank you John, that's very helpful indeed. I will reload for now and look at upgrading.


