can't connect to ASA5520

Unanswered Question
Jan 8th, 2009

This is an easy one, but if you're stuck you're stuck!

I am unable to connect to my ASA5520, I get the following message:

[SSH] FAIL: No connection could be made because the target machine actively refused it.

I have a backdoor to access it and not sure how to clear whatever is there that is not allowing me in.

I have ssh <network> <segment> interface

Please help.

Richard Burts Thu, 01/08/2009 - 09:41


My first question would be whether you have configured the RSA keys that are required for SSH to work?

My second question would be whether you have properly configured SSH access? Can you post the output from the ASA of show run | include ssh

My third question would be whether you can look on the logs of the ASA and find any messages about the attempt to connect. These might help in identifying the problem.



ronshuster Mon, 01/12/2009 - 10:48

I have the following:

crypto key generate rsa modulus 1024

ssh a.b.c.d

The routes to the firewall are also ok.

But for some reason the firewall will not accept SSH

Richard Burts Mon, 01/12/2009 - 11:01


It looks like you have answered my first question and that RSA keys have been generated.

You have answered only part of my second question. You have shown the ssh a.b.c.d which enables SSH for that address but have not indicated on which interface you have enabled it. And you have not told us to which interface you are attempting to SSH.

And you have not answered my third question, which is perhaps most likely to show us the problem. Can you attempt SSH and then quickly look in the logs of the ASA and see what it has to say about the attempt to SSH?



ronshuster Mon, 01/12/2009 - 12:09


I just opened up ssh completely:

ssh Inside

I am attempting to ssh to the INSIDE interface and I am coming from the INSIDE interface

I opened everything for all incoming traffic to the INSIDE interface

access-list inside_access_in extended permit ip any any

access-group inside_access_in in interface Inside

logs: in fact I did see something on the log, here it is:

Jan 12 2009 12:43:08: %ASA-1-106021: Deny TCP reverse path check from to on interface Inside

(107.8 is my address)

I just removed ip verify reverse-path interface Inside and I am still unable to access it with SSH but this time it is not timing out right away.

Richard Burts Mon, 01/12/2009 - 12:20


This is making progress :)

Obviously your PC has a valid routed path to the ASA. Does the ASA have a valid routed path back to your PC? (the reverse path check issue suggests that the ASA does not have a route to your address through the inside interface).



ronshuster Mon, 01/12/2009 - 12:31

Yes we are making progress. You are right, there was a route missing through the inside interface, I can now ping the firewall from the work station (after I've added the route), but I am still unable to ssh to it.

Would any debug show me what's happening?

ronshuster Mon, 01/12/2009 - 12:43

Here's a capture: is my workstation is the INSIDE of the fw

6 packets captured

1: 13:18:06.783559 > S 3573581954:3573581954(0) win 64512

2: 13:18:06.783605 > S 4117345141:4117345141(0) ack 3573581955 win 8192

3: 13:18:09.763113 > S 3573581954:3573581954(0) win 64512

4: 13:18:09.763159 > S 4117345141:4117345141(0) ack 3573581955 win 8192

5: 13:18:15.698404 > S 3573581954:3573581954(0) win 64512

6: 13:18:15.698450 > S 4133945093:4133945093(0) ack 3573581955 win 8192

what debug do you recommend to run?

Richard Burts Mon, 01/12/2009 - 13:44


Another thought occurs to me about possible issues with SSH access. Have you configured authentication for SSH? Authentication could be done using an external authentication server or could be done with local authentication (which also requires configuration of a local user ID and password).
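
The checks raised across this thread (an ssh permit line that names the interface, a route back to the client, authentication for SSH), as an added Python example that is not part of the original posts: it audits saved `show run` text for those gaps. The sample config, its addresses and the function name `check_ssh_prereqs` are constructed for illustration; RSA key presence is not visible in the running config and is not checked.

```python
import ipaddress
import re

# Constructed ASA running-config excerpt (addresses are made up for this example).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
ssh 10.1.107.0 255.255.255.0 Inside
ip verify reverse-path interface Inside
route Outside 0.0.0.0 0.0.0.0 192.0.2.1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_ssh_prereqs(config, client_ip, interface):
    """Return findings to review for SSH from client_ip to the named interface."""
    client, iface, findings = ipaddress.ip_address(client_ip), interface.lower(), []

    # 1. 'ssh <network> <mask> <interface>' must cover the client on that interface.
    rules = re.findall(rf"^ssh {IP} {IP} (\S+)$", config, re.M)
    if not any(i.lower() == iface and client in _net(a, m) for a, m, i in rules):
        findings.append("ssh: no permit line covers the client on this interface")

    # 2. Return path: longest-prefix match over connected networks and static routes.
    paths = [(_net(a, m), i) for i, a, m in re.findall(
        rf"^ nameif (\S+)\n(?: .*\n)*? ip address {IP} {IP}", config, re.M)]
    paths += [(_net(a, m), i) for i, a, m in
              re.findall(rf"^route (\S+) {IP} {IP} ", config, re.M)]
    best = max((p for p in paths if client in p[0]),
               key=lambda p: p[0].prefixlen, default=None)
    if best is None or best[1].lower() != iface:
        urpf = re.search(rf"^ip verify reverse-path interface {re.escape(interface)}$",
                         config, re.M | re.I)
        findings.append("route: no path back to the client via this interface"
                        + (" (reverse-path check will log 106021)" if urpf else ""))

    # 3. Authentication for SSH sessions; LOCAL also needs a local user.
    aaa = re.search(r"^aaa authentication ssh console (\S+)", config, re.M)
    if not aaa:
        findings.append("auth: no 'aaa authentication ssh console' line")
    elif aaa.group(1) == "LOCAL" and not re.search(r"^username \S+ password ", config, re.M):
        findings.append("auth: LOCAL authentication but no local username")
    return findings
```
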



