SSH stopped working on ASA5520

Unanswered Question
Mar 28th, 2012

Hello everyone,


I can no longer SSH to a primary active firewall. It all of a sudden stopped working. However, I am able to SSH to the secondary standby firewall without any problems. I did try to regenerate the RSA key on the primary fw, but I am still unable to connect. The only way I can connect to it is by using telnet.


I ran the "show asp table socket" command and I'm seeing port 22 listening on the primary IP address (not the standby), foreign address is 0.0.0.0:*.

I did a packet capture on port 22 on the inside interface, seeing my request hit the fw and then right away a reset back from the fw.


version 8.2(5)

model ASA5520


Does anyone know if I'm hitting a bug in the software version I'm running? Or what else can I check before rebooting the primary fw?


Thanks,

John

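The symptom John describes is a TCP-level one: the packet capture shows the SYN accepted and then an immediate reset, while the standby unit answers normally. A small reachability check that tells that case apart from a refused or filtered port, and compares the active and standby units, is a useful thing to keep next to the capture. The script below is an added example, not code from this thread or from Cisco; the firewall addresses are placeholders, and the local listeners it spins up are constructed purely to simulate the three behaviours (healthy banner, reset, close without banner) so the check can be exercised offline.

```python
import socket
import struct
import threading


def probe_ssh(host, port=22, timeout=5.0):
    """Connect to an SSH listener and classify how it answers.

    Returns (state, banner). A healthy server sends "SSH-2.0-..." as its
    first bytes; the failure seen in the thread is "reset" (TCP handshake
    completed, then RST from the firewall before any banner).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(256)
    except ConnectionRefusedError:
        return ("refused", None)      # nothing listening on the port
    except ConnectionResetError:
        return ("reset", None)        # accepted, then RST: the symptom in the thread
    except socket.timeout:
        return ("timeout", None)      # filtered on the path, or the unit never answered
    except OSError as exc:
        return ("error", str(exc))
    if not data:
        return ("closed", None)       # FIN without a banner
    banner = data.decode("ascii", "replace").strip()
    return ("ok", banner) if banner.startswith("SSH-") else ("unexpected", banner)


def assess_pair(active, standby):
    """Compare probe results for the active and standby units of a failover pair."""
    a_state, s_state = active[0], standby[0]
    if a_state == "ok" and s_state == "ok":
        return "both units accept SSH"
    if a_state != "ok" and s_state == "ok":
        return ("active unit rejects SSH while standby accepts: "
                "management-plane fault on the active unit, not a path problem")
    if a_state == "ok" and s_state != "ok":
        return "standby unit rejects SSH while active accepts"
    return "neither unit accepts SSH: check the network path and ssh/ACL configuration first"


def serve_once(mode, host="127.0.0.1"):
    """Constructed local listener for the self-test (not a real ASA).

    mode "banner": behaves like a healthy SSH server and sends a banner.
    mode "reset":  closes with SO_LINGER=0 so the kernel sends RST instead of FIN.
    mode "close":  closes cleanly without sending anything.
    Returns (port, thread).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if mode == "banner":
            conn.sendall(b"SSH-2.0-constructed_test_banner\r\n")
        elif mode == "reset":
            # l_onoff=1, l_linger=0: close() aborts the connection with RST
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def self_demo():
    """Run the probe against each constructed listener; returns {mode: result}."""
    results = {}
    for mode in ("banner", "reset", "close"):
        port, t = serve_once(mode)
        results[mode] = probe_ssh("127.0.0.1", port, timeout=5.0)
        t.join(5.0)
    return results


if __name__ == "__main__":
    demo = self_demo()
    for mode, result in demo.items():
        print(f"{mode:>6}: {result}")
    # Against a real pair, replace the placeholders with the units' inside addresses:
    # print(assess_pair(probe_ssh("ACTIVE_FW_PLACEHOLDER"), probe_ssh("STANDBY_FW_PLACEHOLDER")))
    print(assess_pair(demo["reset"], demo["banner"]))
```

Run periodically from a management host, a "reset on active, ok on standby" verdict is exactly the signature John saw in his capture and is a cheap way to notice the condition before anyone needs to fall back to telnet. Telnet sends credentials in the clear; having the check in place is a reason to keep the plaintext fallback disabled rather than a reason to rely on it.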
Jouni Forss Wed, 03/28/2012 - 13:43

Hi,


The only bug related to management connections I have run into was with 8.2(1) or 8.2(2), where a single failover event of the firewall pair would cause problems with the management connections.


Have you tried changing the active firewall or is it too risky/problematic considering the network?



The bug I mentioned was this, I guess (just looked in the Bug Toolkit):



CSCti72411


ASA 8.2.3 may not accept management connections after failover.
Symptom:
ASA may not accept new management connections even though everything is
properly configured. SSH and ASDM may fail when connecting to the inside
interface while working when connecting to the outside and DMZ interfaces. All
management connections work to the standby unit if this is a failover pair.



Conditions:
This was first found on ASA 8.2.3 and after failover.


Workaround:
Downgrade to previous version of code.


I can't see your software version in the "Fixed In" list. Though I think we still have failover pairs at the same software level as yours and haven't run into this problem since the last (and so far only) time. And one would think that the newer version (compared to 8.2(3)) would fix the problem.


Fixed-In:

  • 8.2(3.5)
  • 8.2(4)
  • 8.3(2.5)
  • 8.4(1)
  • 100.7(9.1)M
  • 100.5(5.40)M
  • 100.7(0.54)M
  • 100.7(5.18)M
  • 8.2(3.104)
  • 8.2(3.220)
  • 100.7(6.6)M
  • 100.7(8.1)M
  • 8.4(0.99)
  • 8.1(2.49)
  • 8.6(0.0)


johng231 Thu, 03/29/2012 - 06:36

I failed it over and the SSH works now. I'll wait and see if it occurs again. Is there a version of the 8.2.x that's stable where this doesn't happen? I went with 8.2.x code so I can have the latest VPN features as I'm using the ASA5520 only for VPN endpoints. I don't want to have to downgrade back to 7.2.5(GD). This bug seems to be a common problem with a lot of the 8.x versions.

Jouni Forss Thu, 03/29/2012 - 06:58

Hi,



We ran into the SSH management problem after failover on an ASA pair that was running 8.2(1).


We updated the pair to 8.2(2), which it has been on ever since without problems.



But then again, at another customer we ran into a problem with software 8.2(2), which encountered a bug where the ASA wouldn't forward traffic anymore to a L2L VPN connection. Specifically, the customer had 2 networks that connected to a remote site. One network's traffic worked flawlessly; the other's traffic either got dropped on the ASA or was "thrown" straight to the Internet without encryption/encapsulation.


The L2L VPN problem was corrected by doing simple Failover. Though we updated to 8.2(5) which has worked fine ever since.


Our other customer has 8.2 software and almost 20 L2L VPNs and has yet to face a similar problem with the same software, so it's either really, really random or the ASA hardware model (the customers have different ASA hardware models) has something to do with it... can't really say for sure.



And if the above wasn't confusing enough for you, we also have a failover pair still running 8.2(1) which hasn't faced this SSH management problem even when failover happens, either because of manual failover or failover because of a network connectivity problem.

johng231 Thu, 03/29/2012 - 07:24

It sounds like any of the 8.x code is still very buggy. I'm going to proceed and downgrade back to 7.2.5(GD). We don't run into any of these problems there and it seems to be very stable code. We just won't get the other features and the use of the higher ASDM versions in 8.x.


Thanks.

johng231 Thu, 04/05/2012 - 06:12

Just want to let everyone know it happened again on version 8.2.5. The problem is also with 8.2.5 now. I've opened up a case about this. I'll downgrade back to 7.2.5(GD).

Jouni Forss Thu, 04/05/2012 - 06:17

Hi,


How about trying software 8.2(4), which is listed in the "Fixed In" list that I copied earlier?


Or is the software even available for download? At least we don't have it on any ASA.


- Jouni
