ssh connection refused - fwsm

jigsaw2026 (Level 1)

Hi,

I'm unable to ssh into our fwsm today - there's nothing in the logs and all ssh commands are still present - we've had this before and I have to re-generate the rsa key, and I'm fairly certain that's what I need to do now but the old ca commands that I used have been deprecated (fwsm 3.1) so I just wanted to check that I'm doing the right thing! Here's what I'm planning on:

crypto key zeroize rsa

WARNING: All RSA keys will be removed.

WARNING: All device certs issued using these keys will also be removed.

Do you really want to remove these keys? [yes/no]: yes

crypto key generate rsa general-keys modulus 1024

Does this look right?

Thanks,

J



andrew.prince (Level 10)

And you have the domain name configured also? Then the above commands are OK.

Did you wr mem once the key had been generated? Has the FWSM or 65xx reloaded?

Thanks for your response. Actually doing that didn't help - still connection refused.

Any ideas????

I did write mem, and also neither has rebooted.

Thanks, J

Hi J,

What do you get in the output of:

'sh crypto key mypubkey rsa'

Moreover, what do you get in the output of 'sh run ssh'?

Thanks.

John

Hi John,

Thank you -

fwsm# sh crypto key mypubkey rsa

Key pair was generated at: 13:52:06 UTC May 23 2008

Key name:

Usage: General Purpose Key

Modulus Size (bits): 1024

Key Data:

30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00d97565

428234d5 b58e49d8 2d2ac0b9 08c97e48 f7637111 2287ee58 dfd09941 cb2f87ba

c0d0dcc0 571cf5d9 7d1e97f0 616cd2ea 9429cc6c 3afa975e 86a4d007 c44a61f7

3e905ffb 39ad9e07 8f74393d 0bad0c1d fd7eae2c c095260c 9ea22c73 21e3e151

0a7a4dc0 cad2b173 3097595e f5998cb6 7e6ded99 81ddc892 e6963980 bb020301 0001

fwsm# sh run ssh

ssh 1.1.1.1 255.255.255.255 wireless

ssh office 255.255.255.0 inside

ssh timeout 15

ssh version 2

Regards,

J
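The Key Data block in the post above is a DER-encoded SubjectPublicKeyInfo, so it can be decoded to confirm that what the FWSM printed matches the "Modulus Size (bits): 1024" line. The following is an added example, not code from the thread or from Cisco: a minimal reader for exactly that structure, fed with the key data shown in the post (a public key, so safe to embed). The 2048-bit minimum in the size check is this example's own assumption.

```python
# Added example: decode the "Key Data" hex that the FWSM prints for
# `sh crypto key mypubkey rsa`. The blob is a DER SubjectPublicKeyInfo
# (RFC 5280) wrapping an RSAPublicKey (RFC 8017); this reads exactly that
# shape and nothing else, so it is not a general ASN.1 parser.

# Key data copied from the post above (public key material).
KEY_DATA_HEX = """
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00d97565
428234d5 b58e49d8 2d2ac0b9 08c97e48 f7637111 2287ee58 dfd09941 cb2f87ba
c0d0dcc0 571cf5d9 7d1e97f0 616cd2ea 9429cc6c 3afa975e 86a4d007 c44a61f7
3e905ffb 39ad9e07 8f74393d 0bad0c1d fd7eae2c c095260c 9ea22c73 21e3e151
0a7a4dc0 cad2b173 3097595e f5998cb6 7e6ded99 81ddc892 e6963980 bb020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, pos, pos + length


def parse_rsa_public_key(hex_text):
    """Return modulus bits, public exponent and modulus from the printed key data."""
    der = bytes.fromhex("".join(hex_text.split()))

    tag, pos, end = _read_tlv(der, 0)                    # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")

    tag, alg_start, alg_end = _read_tlv(der, pos)        # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # OBJECT IDENTIFIER
    if tag != 0x06 or der[oid_start:oid_end] != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")

    tag, bs_start, bs_end = _read_tlv(der, alg_end)      # BIT STRING holding RSAPublicKey
    if tag != 0x03 or der[bs_start] != 0x00:             # first byte = unused-bit count
        raise ValueError("unexpected BIT STRING")
    inner = der[bs_start + 1:bs_end]

    tag, pos, _ = _read_tlv(inner, 0)                    # RSAPublicKey SEQUENCE
    tag, n_start, n_end = _read_tlv(inner, pos)          # INTEGER modulus
    tag2, e_start, e_end = _read_tlv(inner, n_end)       # INTEGER publicExponent
    if tag != 0x02 or tag2 != 0x02:
        raise ValueError("expected two INTEGERs in RSAPublicKey")
    n = int.from_bytes(inner[n_start:n_end], "big")
    e = int.from_bytes(inner[e_start:e_end], "big")
    return {"modulus_bits": n.bit_length(), "exponent": e, "modulus": n}


def key_size_is_current(info, minimum_bits=2048):
    """Assumed policy: flag anything below 2048 bits (the thread generates 1024)."""
    return info["modulus_bits"] >= minimum_bits


if __name__ == "__main__":
    info = parse_rsa_public_key(KEY_DATA_HEX)
    print(f"modulus {info['modulus_bits']} bits, e = {info['exponent']}, "
          f"meets 2048-bit minimum: {key_size_is_current(info)}")
```

Running it on the posted key yields a 1024-bit modulus with exponent 65537, which agrees with the FWSM's own summary line. The size check is there because 1024-bit RSA keys have been below NIST's recommended minimum since 2013; the `modulus 1024` value in the poster's command was the norm for FWSM 3.x but is not what you would choose on a current platform.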

Hi J,

I guess you are trying to ssh to the FWSM either via the inside or the wireless interface. Can you please confirm that in the first case your IP is within the office subnet and in the second that you are coming from the 1.1.1.1 host?

Moreover, a good idea would be to enable debug ssh 100 on the FWSM, along with logging at debug level, try to connect and see what you are getting there.

Finally, you will need the following line:

"aaa authentication ssh console LOCAL" along with a username/password.

Thanks.

John
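The first thing the reply above asks is whether the connecting host falls inside one of the `ssh <ip> <mask> <interface>` lines for the interface it arrives on. The following is an added example, not code from the thread or from Cisco, that evaluates that check offline against the `sh run ssh` output posted earlier. The thread does not show the `name office ...` entry behind the second line, so the name-to-address mapping here is a constructed assumption chosen to match the 10.3.80.x address in the poster's later debug log.

```python
# Added example: decide whether a management SSH attempt matches the FWSM's
# `ssh <ip|name> <mask> <interface>` lines. Lines without four fields
# (`ssh timeout`, `ssh version`) are skipped as non-ACL settings.
import ipaddress

# `sh run ssh` output copied from the thread.
SH_RUN_SSH = """
ssh 1.1.1.1 255.255.255.255 wireless
ssh office 255.255.255.0 inside
ssh timeout 15
ssh version 2
"""

# Hypothetical value for the `name office ...` entry (not shown in the thread).
NAME_TABLE = {"office": "10.3.80.0"}


def parse_ssh_acl(config_text, names=None):
    """Return [(network, interface)] for each `ssh <ip|name> <mask> <ifc>` line."""
    names = names or {}
    entries = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ssh":
            continue                        # not an access line
        host, mask, ifc = parts[1], parts[2], parts[3]
        host = names.get(host, host)        # resolve a `name` entry if we know it
        try:
            net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
        except ValueError:
            continue                        # unresolved name or bad mask: cannot match
        entries.append((net, ifc))
    return entries


def ssh_permitted(src_ip, ingress_ifc, acl):
    """True if src_ip arriving on ingress_ifc is covered by some ssh line."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net and ifc == ingress_ifc for net, ifc in acl)


def explain(src_ip, ingress_ifc, acl):
    """One-line verdict, the kind of thing you paste back into a support reply."""
    verdict = "permitted" if ssh_permitted(src_ip, ingress_ifc, acl) else "not in any ssh line"
    return f"{src_ip} on {ingress_ifc}: {verdict}"


if __name__ == "__main__":
    acl = parse_ssh_acl(SH_RUN_SSH, NAME_TABLE)
    for src, ifc in [("1.1.1.1", "wireless"), ("10.3.80.100", "inside"),
                     ("10.3.80.100", "wireless")]:
        print(explain(src, ifc, acl))
```

Note that the interface in each line is the one the connection arrives on, so a host that is in the right subnet but reaches the FWSM through another interface still fails the check; that is why the reply asks about both the source address and the path.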

Thanks John,

Actually I have that auth line in already, it just didn't show up in the command.

I turned on debugging and this came up:

2008-05-23 16:22:25 Local4.Debug x.x.x.x May 23 2008 15:03:26: %FWSM-7-710002: tcp access permitted from x.x.x.x/20067308 to inside:x.x.x.x/ssh

2008-05-23 16:22:25 Local4.Info x.x.x.x May 23 2008 15:03:26: %FWSM-6-302013: Built inbound TCP connection 0 for inside:x.x.x.x/3739 (10.3.80.100/3739) to inside:x.x.x.x/22 (x.x.x.x/22)

2008-05-23 16:22:25 Local4.Debug x.x.x.x May 23 2008 15:03:26: %FWSM-7-710004: TCP connection limit exceeded from x.x.x.x/3739 to inside:x.x.x.x/ssh

I found this http://www.conft.com/en/US/docs/security/asa/asa80/system/message/logmsgs.pdf saying that I need to issue a kill command, but I can't see any connections when I run a who (think this might only work for telnet?). Also I can't see any locally-destined traffic when I run show conn all.

Any ideas would be much appreciated.

Thanks,

J
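The three debug lines above tell the story in order: the to-the-box access is permitted, the TCP connection is built, and then %FWSM-7-710004 refuses it for hitting a connection limit before authentication ever starts. The following is an added example, not code from the thread or from Cisco, showing how to pull those records out of a syslog feed so the refusal is visible without reading the whole debug stream. The sample lines are the ones from the post (addresses already redacted as x.x.x.x); the table of message ids to alert on is this example's own, limited to ids whose meaning is documented.

```python
# Added example: scan FWSM syslog lines for the messages that explain a
# refused management SSH session. Only to-the-box messages whose destination
# is the ssh service are reported, so ordinary through-the-box traffic is ignored.
import re
from collections import Counter

# Log lines copied from the post above.
SAMPLE_LOG = """
2008-05-23 16:22:25 Local4.Debug x.x.x.x May 23 2008 15:03:26: %FWSM-7-710002: tcp access permitted from x.x.x.x/20067308 to inside:x.x.x.x/ssh
2008-05-23 16:22:25 Local4.Info x.x.x.x May 23 2008 15:03:26: %FWSM-6-302013: Built inbound TCP connection 0 for inside:x.x.x.x/3739 (10.3.80.100/3739) to inside:x.x.x.x/22 (x.x.x.x/22)
2008-05-23 16:22:25 Local4.Debug x.x.x.x May 23 2008 15:03:26: %FWSM-7-710004: TCP connection limit exceeded from x.x.x.x/3739 to inside:x.x.x.x/ssh
"""

# %FWSM-<severity>-<message id>: <text>
MSG_RE = re.compile(r"%FWSM-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
# "from <src> to <ifc>:<dst>/<service>" as printed by the 7100xx to-the-box messages
FROM_TO_RE = re.compile(r"from (?P<src>\S+) to (?P<ifc>[^:\s]+):(?P<dst>\S+)")

# Message ids worth alerting on when management SSH is refused.
INTERESTING = {
    "710004": "to-the-box connection limit exceeded; refused before authentication",
    "710003": "to-the-box access denied by the ssh/telnet/http ACL",
}


def parse_line(line):
    """Split one syslog line into id, severity, text and (if present) from/to fields."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"id": m.group("id"), "severity": int(m.group("sev")), "text": m.group("text")}
    ft = FROM_TO_RE.search(m.group("text"))
    if ft:
        rec.update(src=ft.group("src"), ifc=ft.group("ifc"), dst=ft.group("dst"))
    return rec


def find_ssh_refusals(log_text):
    """Return the records that explain a refused management SSH connection."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["id"] in INTERESTING and rec.get("dst", "").endswith("/ssh"):
            rec["reason"] = INTERESTING[rec["id"]]
            hits.append(rec)
    return hits


def message_counts(log_text):
    """Count message ids; a burst of 710004 with no 3150xx/6050xx login messages is the tell."""
    return Counter(r["id"] for r in map(parse_line, log_text.splitlines()) if r)


if __name__ == "__main__":
    for hit in find_ssh_refusals(SAMPLE_LOG):
        print(f"{hit['id']} {hit['src']} -> {hit['ifc']}:{hit['dst']}: {hit['reason']}")
    print(dict(message_counts(SAMPLE_LOG)))
```

On the posted lines this reports exactly one refusal, the 710004 from x.x.x.x/3739 on the inside interface. Pairing that with an empty `show conn all` for locally-destined traffic, as the poster saw, is what makes the counter look stuck rather than genuinely full, which is the behaviour the bug reference in the accepted reply describes.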

Hi J,

Hmmmm, it can be a bug. I did some research and I found the following:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsd67334

Maybe you can try to upgrade, or you can open a TAC case in order to further investigate.

HTH,

John

Thank you John, that's very helpful indeed. I will reload for now and look at upgrading.

J
