Cisco Support Community
Community Member

2 x ASA 5505, but can't SSH to 1 from remote location

We have 2 ASA 5505 devices used to create a VPN to a client. Whilst there are 2 ASAs, only one is used at any time; the other is configured identically as a hardware backup.

Their startup-config files only differ in the hostname.

Remote SSH access to the ASA from several static IP addresses has been enabled on the outside interface. We can connect successfully via SSH from a remote IP when one of them is used, but when it's replaced with the backup ASA, attempting to SSH to it results in the message "Server unexpectedly closed network connection".

SSHing to either ASA works fine via the inside interface.

The boxes are outside our firewall, and so traffic to them isn't being restricted by that.

Can anyone please suggest what might be causing this? Thanks for your help.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: 2 x ASA 5505, but can't SSH to 1 from remote location

Hi,

Please double check if you have allowed access for your IP address:

ssh a.b.c.d 255.255.255.255 outside

assuming a.b.c.d is your IP address. Also, do you have "aaa authen ssh console LOCAL" and RSA keys generated ("show crypto key mypubkey rsa")?

Please paste the logs you get on that ASA when trying to SSH to it.

Regards,

Prapanch

3 REPLIES
Community Member

Re: 2 x ASA 5505, but can't SSH to 1 from remote location

Thank you, Prapanch... that was the shove in the right direction I needed.

It dawned on me afterwards that someone had initially configured one of the ASAs, and that we'd subsequently purchased the second. He must have generated the RSA key. Because the key doesn't appear in the startup-config, I had assumed both boxes were configured identically, but the second box didn't have the RSA key.

Running "crypto key generate rsa modulus 1024" on the second ASA enabled SSH connections from the remote location.

The reason why I thought we had SSH working to both boxes locally was because I had misread the connection details in PuTTY, and was in fact making a Telnet connection to them when I'd thought it was an SSH connection.

Thank you for your time & help!

Cisco Employee

Re: 2 x ASA 5505, but can't SSH to 1 from remote location

Hey Aidan,

Glad to know that it's working!!

Regards,

Prapanch
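The thread turns on two things a config comparison cannot show: whether a unit really answers with an SSH banner, and whether a session that looks like SSH is actually Telnet. The following is an added example, not code from any poster in this thread: a pre-swap check that classifies the first bytes a management port sends. The unit names and the banner string `SSH-2.0-Cisco-1.25` are constructed sample values, and treating a close with no banner as the thread's symptom is an assumption.

```python
import socket

TELNET_IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)

def classify_greeting(data: bytes) -> str:
    """Classify the first bytes a management port sends after TCP connect."""
    if not data:
        # TCP connect succeeded, then the peer closed without sending anything
        # (assumed here to be what an SSH listener with no host key does).
        return "closed-without-banner"
    if data.startswith(b"SSH-"):
        # RFC 4253 identification string: SSH-protoversion-softwareversion
        line = data.split(b"\n", 1)[0].strip()
        return "ssh:" + line.decode("ascii", "replace")
    if data[0] == TELNET_IAC:
        # Telnet servers open with option negotiation, never with "SSH-"
        return "telnet"
    return "unknown"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to host:port on your own device and classify its greeting."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return "no-data-before-timeout"
            except ConnectionResetError:
                return "closed-without-banner"
    except OSError as exc:
        return "connect-failed:" + exc.__class__.__name__
    return classify_greeting(data)

def swap_ready(results: dict) -> list:
    """Return the (unit, port) checks that did not answer with an SSH banner."""
    return sorted(k for k, v in results.items() if not v.startswith("ssh:"))

# Constructed greetings standing in for the two units (not captured traffic)
SAMPLE = {
    ("primary", 22): classify_greeting(b"SSH-2.0-Cisco-1.25\n"),
    ("backup", 22): classify_greeting(b""),
    ("backup", 23): classify_greeting(b"\xff\xfb\x01\xff\xfb\x03"),
}

if __name__ == "__main__":
    for key, verdict in sorted(SAMPLE.items()):
        print(key, verdict)
    print("not SSH:", swap_ready(SAMPLE))
```

Against real hardware, call `probe()` with each unit's management address from a permitted source IP before putting the backup into service.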
