New Member

ssh connection to pix fails

Hi community,

We have a Cisco Secure PIX Firewall 535, release 6.0(1), in a failover configuration. We configured SSH, but sometimes it happens that we are no longer able to get access to it, seemingly without any explanation. With the PIX Device Manager we can access it and see that the access list is right and that there are no SSH sessions pending. We found that after a reboot, the standby device becomes active and SSH access is available again.

Any help is appreciated.

$ ssh -l pix -c des 10.0.0.1

ssh: connect to address 10.0.0.1 port 22: Connection refused

2 REPLIES
Cisco Employee

Re: ssh connection to pix fails

SSH to a PIX failover pair will not really work. The trouble is that after failover, the standby PIX assumes the IP and MAC addresses of the primary. The PIXes, however, are going to have different public/private key pairs that are used for the SSH session. Your SSH client tries to use the public key of the primary PIX because that's the IP address it knows about, but it doesn't work because it's actually connecting to the secondary PIX (because of the reboot and the IP address changeover).

In short, it doesn't work.
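The mechanism described in this reply, as an added illustration that is not part of the thread: an SSH client pins the host key it saw for an address in known_hosts, so when a differently keyed standby unit answers on the same IP the check fails. The script below mimics that known_hosts lookup with two constructed (placeholder) ed25519 host key blobs and also shows the defender's fix of recording both units' keys under the shared address; the functions and sample values are assumptions for this example, not PIX or OpenSSH code.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(data)) + data


def ed25519_host_key_blob(raw_public_key: bytes) -> bytes:
    """Build the public key blob that appears base64-encoded in known_hosts."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host: str, blob: bytes) -> str:
    """One known_hosts entry: '<host> <keytype> <base64 blob>'."""
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def check_host_key(known_hosts: str, host: str, presented_blob: bytes) -> str:
    """Mimic the client's known_hosts check for one host.

    'match'    -> a recorded key for this host equals the presented key
    'mismatch' -> keys are recorded for this host but none match
                  (the failover symptom: the other unit is answering)
    'unknown'  -> the host has never been recorded
    """
    recorded = [base64.b64decode(p[2]) for p in (ln.split() for ln in known_hosts.splitlines())
                if len(p) == 3 and p[0] == host]
    if not recorded:
        return "unknown"
    return "match" if presented_blob in recorded else "mismatch"


# Constructed placeholder keys: each failover unit generates its own host key,
# so the 32-byte public keys differ (these bytes are not real keys).
PRIMARY_KEY = ed25519_host_key_blob(bytes(range(1, 33)))
STANDBY_KEY = ed25519_host_key_blob(bytes(range(33, 65)))

# Client first connected while the primary held 10.0.0.1 (address from the post).
KNOWN_HOSTS = known_hosts_line("10.0.0.1", PRIMARY_KEY)
# Mitigation: record both units' keys under the shared address.
KNOWN_HOSTS_BOTH = KNOWN_HOSTS + "\n" + known_hosts_line("10.0.0.1", STANDBY_KEY)
```

After a failover `check_host_key(KNOWN_HOSTS, "10.0.0.1", STANDBY_KEY)` returns `"mismatch"`, while with `KNOWN_HOSTS_BOTH` the same presented key returns `"match"`.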

New Member

Re: ssh connection to pix fails

Thank you for your reply, but maybe I need to explain more precisely what I mean. I'm not just rebooting the PIX and trying to get SSH access to the standby device which has become active; after a first reboot that makes the standby active, a second reboot makes the original device active again, and in this way SSH works just fine. This is not a solution to a real problem: in the PDM there is no SSH session pending, but if I 'ssh' to the PIX from a Unix shell and then take a look at the PDM logging, I receive a message of 'ssh sessions exceeded' while there are no SSH sessions. The only way to bypass this is to do what I mentioned above.

Thanks anyway
