Known issues with SSH on the ASA


May 11, 2011 9:59 AM

There have been several issues with SSH to the ASA failing. Below are the most common issues we see, each documented along with the version that contains the fix.

Version 8.2.3 and 8.3.2

There are two known bugs that you may run into. If you are running version 8.2.3, it is recommended to upgrade to version 8.2.4 or later. If you are running 8.3.2, you need to upgrade to 8.3.2.7 or later.

CSCti72411 ASA 8.2.3 may not accept management connections after failover

Symptom:
ASA may not accept new management connections even though everything is properly configured.

Check: show asp table socket

Example of working one:

Protocol  Socket    Local Address               Foreign Address         State

TCP       00c361df  10.134.152.14:22            0.0.0.0:*               LISTEN  <= SSH socket is here
SSL       00c36f5f  10.134.152.14:443           0.0.0.0:*               LISTEN


Example of failing one:
Protocol  Socket    Local Address               Foreign Address         State
SSL       0022774f  10.134.152.14:443           0.0.0.0:*               LISTEN
                                                                                  <= no SSH socket

Conditions:
This was first found on ASA 8.2.3, after a failover.

Workaround:
Downgrade to a previous version of code (version 8.2.2 is not affected).
Another possible workaround is to remove and re-add the ssh/telnet/http network statements.

CSCti43763 (which also fixed CSCti72695) Management connections fail after multiple tries with SNMP connections.

Symptom:
Management connections may fail after multiple tries with SNMP connections in background.

Conditions:

This bug can be identified with "show asp table socket".
If you see a management connection in the CLOSEWAIT state, then run "show counters protocol npshim" and see the pending connections counter increment for every management connection attempt, you are hitting this bug.


First found in the following scenario: ASDM fails to load after multiple SNMP and HTTPS requests to the ASA.

Workaround:
Currently, only reloading the ASA resolves the issue.
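The two checks above (the missing SSH LISTEN socket for CSCti72411, and the CLOSEWAIT management sockets plus the climbing npshim pending-connections counter for CSCti43763) can be scripted against saved CLI output. The following is an added example, not part of the original document or any Cisco tool; the socket listings are constructed from the samples above, and the CLOSEWAIT row and the npshim counter values are assumed for illustration.

```python
import re

# Constructed samples of "show asp table socket" output, modelled on the working
# and failing examples above. The CLOSEWAIT row is added to illustrate CSCti43763.
WORKING = """\
Protocol  Socket    Local Address               Foreign Address         State
TCP       00c361df  10.134.152.14:22            0.0.0.0:*               LISTEN
SSL       00c36f5f  10.134.152.14:443           0.0.0.0:*               LISTEN
"""
FAILING = """\
Protocol  Socket    Local Address               Foreign Address         State
SSL       0022774f  10.134.152.14:443           0.0.0.0:*               LISTEN
TCP       0022a01b  10.134.152.14:443           10.134.152.99:51234     CLOSEWAIT
"""

# One data row: protocol, hex socket id, local addr:port, foreign addr:port, state.
ROW = re.compile(r"^(\S+)\s+([0-9a-f]+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse_sockets(output):
    """Return the data rows of 'show asp table socket' as dicts; the header
    line does not match ROW because 'Socket' is not a hex string."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            proto, sock, local, foreign, state = m.groups()
            rows.append({"proto": proto, "socket": sock, "local": local,
                         "foreign": foreign, "state": state})
    return rows

def ssh_listener_present(output, port=22):
    """CSCti72411 signature: no LISTEN socket on the SSH port at all."""
    return any(r["state"] == "LISTEN" and r["local"].endswith(f":{port}")
               for r in parse_sockets(output))

def closewait_mgmt_sockets(output, ports=(22, 23, 443)):
    """CSCti43763 signature, part 1: management sockets stuck in CLOSEWAIT."""
    return [r for r in parse_sockets(output)
            if r["state"].replace("_", "") == "CLOSEWAIT"
            and any(r["local"].endswith(f":{p}") for p in ports)]

def pending_counter_increments(samples):
    """CSCti43763 signature, part 2: the npshim 'pending connections' counter,
    sampled once per management connection attempt, goes up every time."""
    return len(samples) > 1 and all(b > a for a, b in zip(samples, samples[1:]))
```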

Version 8.4.1

There is one known SSH bug that stops the ASA from accepting management connections even though the socket still appears to be open. This bug is fixed in version 8.4.1.2.

CSCtn75060 Unable to SSH to ASA after upgrade to version 8.4

Symptom:

After upgrading the ASA to 8.4(1), SSH to one or more interfaces fails. Removing and re-adding the SSH configuration results in the following error message:

ciscoasa(config)# ssh 0 0 outside

ERROR: Unable to configure service on port 22, on interface 'outside'. This port is currently in use by another feature

Usage: [no] ssh {<local_ip>|<hostname>} <mask> <if_name>

[no] ssh timeout <number>

[no] ssh version 1|2

[no] ssh scopy enable

show ssh [sessions [<client_ip>]]

ssh disconnect <session_id>

show running-config [all] ssh

clear configure ssh

Conditions:

Access via ASDM or telnet is unaffected. SSH may still work on other interfaces, but fails on a specific interface.

Workaround:

Reload the ASA. An untested workaround is shutting down and then restoring the interface.

Related Documents

ASA-PIX/FWSM: Unable to manage the unit via ssh/telnet/asdm

PIX/ASA 7.x: SSH/Telnet on the Inside and Outside Interface Configuration Example
