I can no longer SSH to a primary active firewall. It had all of a sudden stopped working. However I am able to SSH to the secondary standby firewall without any problems. I did try to regenerate the RSA key on the primary fw, but still unable to connect. The only way I can connect to it is by using telnet.
I ran the "show asp table socket" command and I'm seeing port 22 listening on the primary IP address (not the standby), foreign address is 0.0.0.0:*.
I did a packet capture on port 22 on the inside interface, seeing my request hit the fw and then right away a reset back from the fw.
Does anyone know if I'm hitting a bug in the software version I'm running? Or what else can I check before rebooting the primary fw?
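Added example, not from any poster in this thread: a small Python probe that reproduces the check described above from a management host, telling apart "TCP connect succeeds but the firewall resets before sending an SSH banner" (what the capture on the active unit showed) from "connection refused", "no answer", and a healthy SSH identification line. It also probes the active and standby units side by side, since the symptom in the thread is precisely that the standby still answers while the active does not. The hostnames are assumptions; the `fake_listener` helper is a constructed stand-in so the probe can be exercised without a real firewall.

```python
import socket
import struct
import threading


def probe_ssh(host, port=22, timeout=3.0):
    """Classify what a supposed SSH listener does with a fresh TCP connection.

    Returns one of:
      "banner"      - connect succeeded and an 'SSH-' identification line arrived
      "reset"       - connect succeeded but the peer reset/closed before any banner
                      (the behaviour the packet capture on the active ASA showed)
      "refused"     - the SYN itself was refused (nothing listening on that port)
      "timeout"     - no answer within `timeout` seconds (filtered, or no route)
      "unreachable" - some other socket error (host/network unreachable, etc.)
      "other"       - connect succeeded but the first bytes are not an SSH banner
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except ConnectionResetError:
                return "reset"
            except socket.timeout:
                return "timeout"
            if not data:            # orderly close with no banner: treat as reset
                return "reset"
            return "banner" if data.startswith(b"SSH-") else "other"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"


def compare_pair(active, standby, timeout=3.0):
    """Probe both units of a failover pair, given as (host, port) tuples.

    Flags the pattern from the thread: the standby answers SSH normally while
    the active unit resets or refuses the connection.
    """
    result = {
        "active": probe_ssh(active[0], active[1], timeout),
        "standby": probe_ssh(standby[0], standby[1], timeout),
    }
    result["suspect_failover_bug"] = (
        result["active"] in ("reset", "refused") and result["standby"] == "banner"
    )
    return result


def fake_listener(behaviour, banner=b"SSH-2.0-Constructed_test\r\n"):
    """Constructed stand-in for a device, used only to exercise probe_ssh locally.

    behaviour "banner": send an SSH identification line, then close.
    behaviour "reset":  accept, then close with SO_LINGER=0 so the kernel sends RST.
    Returns (port, stop_function).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listening socket closed by stop()
                return
            with conn:
                if behaviour == "banner":
                    conn.sendall(banner)
                elif behaviour == "reset":
                    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                    struct.pack("ii", 1, 0))

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


def closed_port():
    """Return a local TCP port that nothing is listening on (for a 'refused' case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Assumed management addresses of the active and standby units.
    print(compare_pair(("192.0.2.1", 22), ("192.0.2.2", 22)))
```

Run it from the management host that normally reaches the inside interface; a result of `active: reset`, `standby: banner` matches the symptom in this thread and is worth recording alongside the software version before deciding whether to fail over or reboot.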
Only bug related to management connections I have run into was with 8.2(1) or 8.2(2) where a single Failover event of the firewall pair would cause problems with the management connections.
Have you tried changing the active firewall or is it too risky/problematic considering the network?
The bug I mentioned was this I guess (just looked in the Bug Toolkit):
ASA 8.2.3 may not accept management connections after failover.
Symptom: ASA may not accept new management connections even though everything is properly configured. SSH and ASDM may fail when connecting to the inside interface while working when connecting to the outside and DMZ interfaces. All management connections work to the standby unit if this is a failover pair. Conditions: This was first found on ASA 8.2.3 and after failover. Workaround: Downgrade to previous version of code.
I can't see your software version in the list "Fixed In". Though I think we still have Failover pairs on the same software level as yours and haven't run into this problem after the last (and only time so far) time. And one would think that the newer version (compared to 8.2(3)) would fix the problem.
I failed it over and the SSH works now. I'll wait and see if it occurs again. Is there a version of the 8.2.x that's stable where this doesn't happen? I went with 8.2.x code so I can have the latest VPN features as I'm using the ASA5520 only for VPN endpoints. I don't want to have to downgrade back to 7.2.5(GD). This bug seems to be a common problem with a lot of the 8.x versions.
We ran into the SSH management problem after Failover on an ASA pair that was running 8.2(1).
We updated the pair to 8.2(2), which it has been on ever since without problems.
But then again, on another customer we ran into a problem with software 8.2(2) which encountered a bug where the ASA wouldn't forward traffic anymore to a L2L VPN connection. Specifically the customer had 2 networks that connected to a remote site. One's traffic worked flawlessly, the other's traffic either got dropped on the ASA or "thrown" straight to the Internet without encryption/encapsulation.
The L2L VPN problem was corrected by doing a simple Failover. Though we updated to 8.2(5), which has worked fine ever since.
Our other customer has 8.2 software and almost 20 L2L VPNs and has yet to face a similar problem with the same software, so it's either really really random or the ASA hardware model (customers have different hw models of ASAs) has something to do with it... can't really say for sure.
And if the above wasn't confusing enough for you, we also have a failover pair still running 8.2(1) which hasn't faced this SSH management problem even when failover happens, either because of manual failover or failover because of a network connectivity problem.
It sounds like any of the 8x code is very buggy still. I'm going to proceed and downgrade back to 7.2.5(GD). We don't run into any of these problems and it seems to be a very stable code. We just won't get the other features and the use of the higher ASDM versions in the 8x.