Unable to ssh ASA Management Interface

cisco_lite
Level 1

I am able to ping the ASA management interface, but I can't ssh into it. Below is the ssh debug output. The key has already been generated on the ASA. What could be the reasons for it to fail?

SSH2 0: SSH2_MSG_KEXINIT received

SSH2 0: SSH2_MSG_KEXINIT sent

SSH2: kex: client->server aes256-cbc hmac-sha1 none

SSH2: kex: server->client aes256-cbc hmac-sha1 none

SSH2 0: expecting SSH2_MSG_KEXDH_INIT

SSH2 0: SSH2_MSG_KEXDH_INIT received

SSH2 0: signature length 143

SSH2: kex_derive_keys complete

SSH2 0: newkeys: mode 1

SSH2 0: newkeys: rekeying

SSH2 0: SSH2_MSG_NEWKEYS sent

SSH2 0: waiting for SSH2_MSG_NEWKEYS

SSH2 0: newkeys: mode 0

SSH2 0: newkeys: rekeying

Accepted Solution

eddie.mitchell
Level 3

Have you tried removing the old key via the "crypto key zeroize rsa" command and generating a new one?

I would also make sure you have restricted SSH to the fewest source host(s) possible and require the use of SSH version 2 only.

Hope this helps.

2 Replies

Specific host was missing from the source list.

Thanks.
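
A check for the cause found in this thread (the client's address not covered by any `ssh <ip> <mask> <interface>` entry), as an added example that is not part of the original posts. The function names and the sample configuration are constructed for illustration, and only IPv4 entries are handled.

```python
import ipaddress

# Constructed sample in the style of the ASA's ssh configuration lines (not from the thread).
SAMPLE_CONFIG = """\
ssh 192.0.2.0 255.255.255.0 management
ssh 198.51.100.10 255.255.255.255 management
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
"""

def parse_ssh_sources(config):
    """Return [(network, interface)] from lines of the form `ssh <ip> <mask> <ifname>`."""
    sources = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ssh":
            continue  # skips `ssh timeout 5`, `ssh version 2` and similar
        try:
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # four-word ssh line that is not an address/mask pair
        sources.append((net, parts[3]))
    return sources

def audit(config, client_ip, interface):
    """Report whether client_ip may SSH to the interface, plus two hardening checks."""
    client = ipaddress.IPv4Address(client_ip)
    sources = parse_ssh_sources(config)
    lines = [l.split() for l in config.splitlines()]
    return {
        # True only if some entry on this interface covers the client address
        "client_allowed": any(client in net and ifc == interface
                              for net, ifc in sources),
        # Interfaces that accept SSH from any source (0.0.0.0 0.0.0.0)
        "any_source": [ifc for net, ifc in sources if net.prefixlen == 0],
        # Whether the `ssh version 2` line recommended in the reply is present
        "version_2_only": ["ssh", "version", "2"] in lines,
    }

if __name__ == "__main__":
    # A client outside both management entries: reachable by ping, refused for SSH.
    print(audit(SAMPLE_CONFIG, "203.0.113.7", "management"))
```

Run it against a saved copy of the device's ssh configuration lines with the client address and interface name you are troubleshooting.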