11-24-2008 05:38 AM - edited 03-11-2019 07:17 AM
Hi
I have PIX-515E with:
Cisco PIX Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)
I can't connect from host 192.168.2.6 using ssh through VPN to inside interface.
Here is my running config:
ssh 192.168.2.0 255.255.255.0 inside
management-access inside
In the log I can find this:
Nov 24 2008 13:28:08: %PIX-6-302013: Built inbound TCP connection 527654 for outside:192.168.2.6/1499 (192.168.2.6/1499) to NP Identity Ifc:172.22.1.1/22 (172.22.1.1/22)
Nov 24 2008 13:28:08: %PIX-6-302014: Teardown TCP connection 527654 for outside:192.168.2.6/1499 to NP Identity Ifc:172.22.1.1/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
An ssh debug:
Device ssh opened successfully.
SSH1: SSH client: IP = '192.168.2.6' interface # = 6
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-1.99-Cisco-1.25
SSH1: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25
SSH1: Session disconnected by SSH server - error 0x3c "Time-out activated"
SSH1: receive SSH message: [no message ID: variable *data is NULL]
SSH1: receive unsuccessful - status 0x3c
The same situation is with ASDM.
Other communication works well (snmp from this server to PIX works fine).
Could you help me?
Thanks in advance for help
Tomek
12-02-2008 07:29 AM
Hi,
If you have already checked your configuration and logs and do not see anything wrong with it, then you are most likely running into Bug ID CSCsi79159.
CSCsi79159
Yes
admin connections to PIX with crypto card via management-access fail
The above bug is fixed in 8.0(4)
http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/pixrn804.html
Regards,
Arul
*Pls rate if it helps*
11-24-2008 05:44 AM
Is this issue coming with only one client?
Have you tried clearing the connections on the firewall?
Regards
Farrukh
11-24-2008 06:11 AM
This issue is coming only from this network (192.168.2.0/24) - this is the only network I have to connect from through VPN.
(The same configuration on ASA 5505 in other location works fine.)
I have restarted PIX and nothing ...
regards
Tomek
11-25-2008 12:24 AM
It could be related to TCP normalization (MSS etc.) or MTU issues as well. Have you checked the 'show asp drop' output? Because both ASDM/SSH are TCP based and SNMP is UDP based (which is working fine).
Regards
Farrukh
11-25-2008 06:25 AM
Hi
I have created a capture (capture ssh type asp-drop all) and I didn't find anything about traffic between the ASA and the source host :(
Any other suggestions?
thx in advance
Tomek
11-26-2008 04:44 AM
Have you tried re-generating your crypto keys??
And then perhaps the Microsoft solution (Reboot) :)
Regards
Farrukh
12-02-2008 06:46 AM
Yes, but new keys didn't help and neither did a restart :(
Any other ideas?
Thanks in advance
Tomek