Solved: PIX-515E end problem with ssh conenction through VPN to inside interface

tmowinski · ‎11-24-2008

Hi

I have PIX-515E with:

Cisco PIX Security Appliance Software Version 8.0(2)

Device Manager Version 6.0(2)

I can't connect from host 192.168.2.6 using ssh through VPN to inside interface.

Here you are my running config:

ssh 192.168.2.0 255.255.255.0 inside

management-access inside

In the log I can find this:

Nov 24 2008 13:28:08: %PIX-6-302013: Built inbound TCP connection 527654 for outside:192.168.2.6/1499 (192.168.2.6/1499) to NP Identity Ifc:172.22.1.1/22 (172.22.1.1/22)

Nov 24 2008 13:28:08: %PIX-6-302014: Teardown TCP connection 527654 for outside:192.168.2.6/1499 to NP Identity Ifc:172.22.1.1/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept

An ssh debug:

Device ssh opened successfully.

SSH1: SSH client: IP = '192.168.2.6' interface # = 6

SSH: host key initialised

SSH1: starting SSH control process

SSH1: Exchanging versions - SSH-1.99-Cisco-1.25

SSH1: send SSH message: outdata is NULL

server version string:SSH-1.99-Cisco-1.25

SSH1: Session disconnected by SSH server - error 0x3c "Time-out activated"

SSH1: receive SSH message: [no message ID: variable *data is NULL]

SSH1: receive unsuccessful - status 0x3c

The same situation is with ASDM.

Other communicaton works well (snmp from this server to PIX works fine).

Could you help me ?

Thanks in advance for help

Tomek

ajagadee · ‎12-02-2008

Hi,

If you have already checked your configuration and logs and do not see anything wrong with it, then you are most likely running into Bug ID CSCsi79159.

CSCsi79159

Yes

admin connections to PIX with crypto card via management-access fail

The above bug is fixed in 8.0(4)

http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/pixrn804.html

Regards,

Arul

*Pls rate if it helps*

View solution in original post

Farrukh Haroon · ‎11-24-2008

Is this issue coming with only one client?

Have you tried clearing the connections on the firewall?

Regards

Farrukh

tmowinski · ‎11-24-2008

This issue is comming only from this network (192.168.2.0/24) - this is only one network I have to connect from through VPN.

(The same configuration on ASA 5505 in other location works fine.)

I have restarted PIX and nothing ...

regards

Tomek

Farrukh Haroon · ‎11-25-2008

It could be related to TCP normalization (MSS etc.) or MTU issues as well. Have you checked the 'show asp drop' output? Because both ASDM/SSH are TCP based and SNMP is UDP based (which is working fine)>

Regards

Farrukh

tmowinski · ‎11-25-2008

Hi

I have created capture (capture ssh type asp-drop all) and I didn't find anything about trafic between asa and source host :(

Any other suggestions ?

thx in advance

Tomek

Farrukh Haroon · ‎11-26-2008

Have you tried re-generating your crypto keys??

And then perhaps the Microsoft solution (Reboot) :)

Regards

Farrukh

tmowinski · ‎12-02-2008

Yes, but new keys did't help and restart neither :(

Any other idea ??

Thanks in advance

Tomek

ajagadee · ‎12-02-2008

Hi,

If you have already checked your configuration and logs and do not see anything wrong with it, then you are most likely running into Bug ID CSCsi79159.

CSCsi79159

Yes

admin connections to PIX with crypto card via management-access fail

The above bug is fixed in 8.0(4)

http://www.cisco.com/en/US/docs/security/pix/pix80/release/notes/pixrn804.html

Regards,

Arul

*Pls rate if it helps*