We were able to ssh into the ASA management interfaces and all of a sudden it has stopped working. The ssh client is PuTTY. I ran a debug on the ASA while initiating ssh from PuTTY and the following is the output.
ANTIX-ASA/stby# Device ssh opened successfully.
SSH1: SSH client: IP = '192.168.1.50' interface # = 3
SSH: host key initialised
SSH1: starting SSH control process
SSH1: Exchanging versions - SSH-1.99-Cisco-1.25
SSH1: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25SSH1: Session disconnected by SSH serve
According to your troubleshooting steps it seems like you have already ruled out an issue with PuTTY. As you are trying to connect from behind the FWSM I would check to make sure access-list, NAT etc. is configured correctly. Also I would make sure that packets are not trying to flow in an asymmetric fashion through the FWSM. I would create a capture on the FWSM and try initiating an ssh connection to the ASA from behind the FWSM and see what the FWSM is doing.
I did a capture on FWSM and below are a few lines. I can notice that the two ends are not agreeing on the window size. My laptop (192.168.1.10) is sending a window size of 65516 and the ASA is replying with a window size of 8192 and it continues as such.
I removed the PAT, configured static NAT instead and it worked. Still don't know why.
VLAN1 -> FWSM -> Cat65K -> ASA
The source IP of the host in VLAN1 was PAT'ed on the SVI of the Cat65K. It was working till recently and then stopped. But what could be the probable reasons for the NAT to work and not PAT via overload on the SVI of the Cat65K?
With PAT the initial translation does happen successfully, the NAT table is updated, server/client ssh hello happens, debug ip nat shows that PAT is working correctly without any errors but then somewhere in between the Cat65K does not NAT anymore and then resumes after certain retransmission packets, and then DUP/ACK takes place and ssh session doesn't get established.
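A small way to confirm the pattern described in this post from a capture taken on the ASA side of the Cat65K: track each SSH flow and flag client packets whose source is not the PAT address, repeated data segments (retransmissions) and repeated ACK numbers from the ASA (DUP/ACKs). This is an added example, not from the thread; the capture lines are constructed tcpdump-style summaries, and the PAT address 192.168.1.50 and ASA address 192.168.1.1 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample (not a real capture). Assumed: laptop 192.168.1.10,
# PAT address on the Cat65K SVI 192.168.1.50, ASA management address 192.168.1.1.
PAT_ADDR = "192.168.1.50"
CAPTURE = """\
10:00:00.001 IP 192.168.1.50.40001 > 192.168.1.1.22: Flags [S], seq 100, win 65516
10:00:00.002 IP 192.168.1.1.22 > 192.168.1.50.40001: Flags [S.], seq 500, ack 101, win 8192
10:00:00.003 IP 192.168.1.50.40001 > 192.168.1.1.22: Flags [.], ack 501, win 65516
10:00:00.010 IP 192.168.1.50.40001 > 192.168.1.1.22: Flags [P.], seq 101:130, ack 501, win 65516
10:00:00.011 IP 192.168.1.1.22 > 192.168.1.50.40001: Flags [P.], seq 501:530, ack 130, win 8192
10:00:00.020 IP 192.168.1.10.40001 > 192.168.1.1.22: Flags [P.], seq 130:700, ack 530, win 65516
10:00:00.220 IP 192.168.1.10.40001 > 192.168.1.1.22: Flags [P.], seq 130:700, ack 530, win 65516
10:00:00.620 IP 192.168.1.50.40001 > 192.168.1.1.22: Flags [P.], seq 130:700, ack 530, win 65516
10:00:00.621 IP 192.168.1.1.22 > 192.168.1.50.40001: Flags [.], ack 130, win 8192
10:00:00.622 IP 192.168.1.1.22 > 192.168.1.50.40001: Flags [.], ack 130, win 8192
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+(?::\d+)?))?(?:, ack (?P<ack>\d+))?"
)

def parse(capture):
    """Yield one dict per tcpdump-style summary line; non-matching lines are skipped."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def audit_pat_flow(capture, pat_addr, server_port=22):
    """Per SSH flow: timestamps of untranslated client packets, retransmits, duplicate ACKs."""
    flows = defaultdict(lambda: {"untranslated": [], "retransmits": 0, "dup_acks": 0,
                                 "_seen_seq": set(), "_last_ack": None})
    for p in parse(capture):
        if p["dport"] == str(server_port):          # client -> ASA direction
            f = flows[(p["dst"], p["sport"])]
            if p["src"] != pat_addr:                # inside address leaked: translation lapsed
                f["untranslated"].append(p["ts"])
            if p["seq"] and ":" in p["seq"]:        # data segment; same range again = retransmit
                if p["seq"] in f["_seen_seq"]:
                    f["retransmits"] += 1
                f["_seen_seq"].add(p["seq"])
        elif p["sport"] == str(server_port):        # ASA -> client direction
            f = flows[(p["src"], p["dport"])]
            pure_ack = not p["seq"] and "S" not in p["flags"]
            if pure_ack and p["ack"] == f["_last_ack"]:
                f["dup_acks"] += 1                  # same ack number repeated with no new data
            f["_last_ack"] = p["ack"]
    return {k: {n: v for n, v in f.items() if not n.startswith("_")} for k, f in flows.items()}
```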