31 July 2011
Posted by: Gom Jabbar
Cisco ASA Device Management – SSH Debugging

After setting up debugging on my pet Cisco ASA (with the debug ssh command), I experimented with some SSH connection scenarios and observed what showed up on the console output. Hopefully, this will help you troubleshoot SSH connection problems with the Cisco ASA.

Issue: No RSA Keys on the ASA

When the SSH client tries to open an SSH connection to the Cisco ASA, the ASA needs to identify itself to the client with a host key: the public half of its RSA keypair. If the ASA does not have even the default RSA keypair, this is the console output on the ASA:

Device ssh opened successfully.
SSH0: SSH client: IP = '11.11.11.2'  interface # = 2
SSH: unable to retrieve default host public key.  Please create a defauth RSA key pair before using SSH
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"

Solution: Generate an RSA keypair on the ASA with the crypto key generate rsa command (for example crypto key generate rsa modulus 2048, which is what current guidance calls for), then write memory so the key survives a reload. The "defauth" spelling in the message above is how the ASA prints it, so search the console for that string as written.

Issue: Version Mismatch Between Client & Server #1

If the SSH client only supports SSH-2, but the Cisco ASA is configured to permit only SSH-1, the client will try to open the SSH connection but will not be able to connect. This is the console output on the ASA:

Device ssh opened successfully.
SSH0: SSH client: IP = '11.11.11.2'  interface # = 2
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.5-Cisco-1.25

SSH0: send SSH message: outdata is NULL

server version string:SSH-1.5-Cisco-1.25SSH0: receive SSH message: SSH_MSG_NONE (0)
SSH0: Session disconnected by SSH server - error 0x00 "Invalid message length"

Solution: Either allow SSH-2 on the ASA with the ssh version 2 command (the right fix, since SSH-1 is obsolete) or use an SSH client that can still speak SSH-1.
</gre_replace>
<gr_replace lines="39" cat="clarify" orig="This is the reverse">
This is the reverse of the previous scenario. If the SSH client only supports SSH-1, but the Cisco ASA is configured to permit only SSH-2, the client will try to open the SSH connection but will not be able to connect. This is the console output on the ASA:

Issue: Version Mismatch Between Client & Server #2

This is the reverse of the first scenario. If the SSH client only supports SSH-1, but the Cisco ASA is configured to permit only SSH-2, the client will try to open the SSH connection, but will not be able to connect successfully. This is the console output on the ASA:

Device ssh opened successfully.
SSH0: SSH client: IP = '11.11.11.2'  interface # = 2
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-2.0-Cisco-1.25

SSH0: send SSH message: outdata is NULL

server version string:SSH-2.0-Cisco-1.25SSH0: receive SSH message: SSH_MSG_NONE (0)
SSH0: Session disconnected by SSH server - error 0x00 "Invalid message length"

Solution: Either use an SSH client that supports SSH-2 (the right fix) or, as a stopgap, permit SSH-1 on the ASA with the ssh version 1 command. SSH-1 has known protocol weaknesses, so upgrade the client rather than leaving SSH-1 enabled on the firewall.

Issue: SSH Ciphers Rejected by Client

When the SSH client opens a connection to the ASA, the two sides negotiate the cipher, the MAC and the key-exchange algorithm. The ASA supports AES and 3DES for data encryption and Diffie-Hellman group 1 for key exchange. In the output below the cipher and MAC were agreed (aes256-cbc, hmac-sha1), but the client never sent SSH2_MSG_KEXDH_INIT and dropped the connection instead, which is what you see when the client refuses what the ASA offers:

Device ssh opened successfully.
SSH0: SSH client: IP = '11.11.11.2'  interface # = 2
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-2.0-Cisco-1.25

SSH0: send SSH message: outdata is NULL

server version string:SSH-2.0-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-PuTTY_Release_0.60

client version string:SSH-2.0-PuTTY_Release_0.60SSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 790 ms

SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes256-cbc hmac-sha1 none
SSH2: kex: server->client aes256-cbc hmac-sha1 none
SSH2 0: expecting SSH2_MSG_KEXDH_INITSSH0: receive SSH message: [no message ID: variable *data is NULL]

SSH2 0: Unexpected message receivedSSH0: Session disconnected by SSH server - error 0x00 "Internal error"

Solution: Configure the SSH client to accept AES or 3DES for data encryption and Diffie-Hellman group 1 for key exchange, or use a client that does. Current OpenSSH disables diffie-hellman-group1-sha1 and the CBC ciphers by default; you can re-enable them for this one host with -oKexAlgorithms=+diffie-hellman-group1-sha1 and -oCiphers=+aes256-cbc (plus -oHostKeyAlgorithms=+ssh-rsa on OpenSSH 8.8 or later), preferably scoped to a Host entry in ~/.ssh/config for the ASA rather than set globally.

Issue: SSH Client Rejects Host Fingerprint

When the SSH client opens a connection to the ASA, the ASA sends the client its host public key and the client shows the user a fingerprint of it. If the user rejects the fingerprint, the client closes the TCP connection and this is part of the console output on the ASA:

SSH2 0: newkeys: mode 1
SSH2 0: SSH2_MSG_NEWKEYS sent
SSH2 0: waiting for SSH2_MSG_NEWKEYSSSH0: TCP read failed, error code = 0x86300003 "TCP connection closed"
SSH0: receive SSH message: [no message ID: variable *data is NULL]

SSH2 0: Unexpected mesg type receivedSSH0: Session disconnected by SSH server - error 0x00 "Internal error"

Solution: For the client to connect, the user needs to accept the host key. Accept it only after checking the fingerprint against the key the ASA shows with show crypto key mypubkey rsa; a fingerprint that changes unexpectedly on a host you have connected to before is the signature of a man-in-the-middle, not something to click through.

Issue: User Password is Wrong

Once the SSH client and the ASA have established the SSH connection successfully, the user needs to authenticate with the ASA. If the username or the password is incorrect, this is part of the output on the ASA:

SSH2 0: SSH2_MSG_NEWKEYS receivedSSH(pix): user authen method is 'no AAA', aaa server group ID = 0
SSH(pix): user authen method is 'no AAA', aaa server group ID = 0

SSH2 0: authentication failed for pixSSH(pix): user authen method is 'no AAA', aaa server group ID = 0

SSH2 0: authentication failed for pixSSH(pix): user authen method is 'no AAA', aaa server group ID = 0

SSH2 0: authentication failed for pix
SSH2 0: authentication failed for pix (code=1)SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"

Solution: For the client to connect, the user needs to authenticate with the correct username and password. SSH(pix) means that the user is trying to authenticate as "pix". The string user authen method is 'no AAA' shows that the ASA is not configured to use AAA for SSH; in that state the only account SSH accepts is the default "pix" user, with the login password set by the passwd command. Note that the output for a wrong password is identical to the output for a nonexistent user (next section), so the log alone does not tell you which one it was.

Issue: User Account is Wrong or Nonexistent

Once the SSH client and the ASA have established the SSH connection successfully, the user needs to authenticate with the ASA. If the username is incorrect, or does not exist, this is part of the console output on the ASA:

SSH2 0: SSH2_MSG_NEWKEYS receivedSSH(nonesuch): user authen method is 'no AAA', aaa server group ID = 0
SSH(nonesuch): user authen method is 'no AAA', aaa server group ID = 0

SSH2 0: authentication failed for nonesuchSSH(nonesuch): user authen method is 'no AAA', aaa server group ID = 0

SSH2 0: authentication failed for nonesuchSSH(nonesuch): user authen method is 'no AAA', aaa server group ID = 0

SSH2 0: authentication failed for nonesuch
SSH2 0: authentication failed for nonesuch (code=1)SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"

Solution: For the client to connect, the user needs to authenticate with the correct username and password. SSH(nonesuch) means that the user is trying to authenticate as "nonesuch", which does not exist on my ASA. The string user authen method is 'no AAA' shows that the ASA is not configured to use AAA for SSH, which has to be set up (for example aaa authentication ssh console LOCAL together with username ... password ... entries for the local accounts) before anyone can log in with a username other than the default "pix".

Issue: SSH Session Times Out

Once the SSH client and the ASA have established the SSH connection successfully, the ASA will keep track of activity from the SSH client. As soon as the SSH client is idle for longer than the configured timeout period, the ASA disconnects the SSH client, and this is part of the console output on the ASA:

ciscoasa(config)# SSH0: Session disconnected by SSH server - error 0x3c "Time-out activated"
SSH0: receive SSH message: [no message ID: variable *data is NULL]

Solution: If the idle time is too short, increase it with the ssh timeout command. The default is 5 minutes and the range is 1 to 60 minutes. Keep it as short as the work allows: an idle but authenticated admin session left open on a shared or unlocked workstation is a gift to whoever sits down next.

Issue: Need to Disconnect SSH Client

On the Cisco ASA you can see which SSH clients have active sessions, with the IP address each is using, the cipher and MAC in each direction, and the username used to log in. Use the show ssh sessions command; the SID column is the session ID that ssh disconnect takes:

ciscoasa(config)# sh ssh session

SID Client IP       Version Mode Encryption Hmac     State            Username
0   11.11.11.2      2.0     IN   aes256-cbc sha1     SessionStarted   pix
                            OUT  aes256-cbc sha1     SessionStarted   pix

Solution: To disconnect an SSH session, use the ssh disconnect command with the session ID. This is the console output on the ASA:

ciscoasa(config)# ssh disconnect 0
ciscoasa(config)# SSH0: Session disconnected by SSH server - error 0x35 "Terminated by operator"
SSH session terminated [0].
SSH0: receive SSH message: [no message ID: variable *data is NULL]
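Because every one of the failures above ends in a near-identical "Session disconnected by SSH server" line, the useful signal is the distinctive line just before it. The following is an added example, not code from the original post: a small rule-based classifier that takes a session's debug ssh output, picks out the client IP, version strings and username with the literal strings quoted in the sections above, and returns the failure kind together with the post's own remediation. The sample excerpts are constructed from those quoted lines; the kind names and the Diagnosis structure are this example's own.

```python
"""Classify Cisco ASA `debug ssh` output into the failure modes described above.

Added example, not from the original post. Match strings are the debug lines
quoted in the post; the fixes are the post's advice. SAMPLES are constructed
from the quoted excerpts so the block runs offline.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Diagnosis:
    kind: str                 # failure kind assigned in diagnose()
    fix: str = ""
    client_ip: Optional[str] = None
    username: Optional[str] = None
    server_version: Optional[str] = None
    client_version: Optional[str] = None


_IP = re.compile(r"SSH client: IP = '([0-9.]+)'")
_USER = re.compile(r"authentication failed for (\S+) \(code=\d+\)")
_SERVER_VER = re.compile(r"Exchanging versions - (SSH-\S+)")
_CLIENT_VER = re.compile(r"client version is - (SSH-\S+)")


def _first(pattern: re.Pattern, text: str) -> Optional[str]:
    m = pattern.search(text)
    return m.group(1) if m else None


def diagnose(debug_output: str) -> Diagnosis:
    """Map one session's debug output to a failure kind and the matching fix.

    Searches the whole text instead of line by line because the ASA runs lines
    together (e.g. 'SSH-1.5-Cisco-1.25SSH0: receive SSH message'). Several
    failures share the generic 'error 0x00 "Internal error"' tail, so each
    rule keys on the distinctive line that precedes it.
    """
    t = debug_output
    d = Diagnosis(kind="unknown", client_ip=_first(_IP, t), username=_first(_USER, t),
                  server_version=_first(_SERVER_VER, t), client_version=_first(_CLIENT_VER, t))
    if "unable to retrieve default host public key" in t:
        d.kind, d.fix = "no-host-key", "crypto key generate rsa modulus 2048, then write memory"
    elif 'error 0x3c "Time-out activated"' in t:
        d.kind, d.fix = "idle-timeout", "ssh timeout <1-60 minutes> (default 5)"
    elif 'error 0x35 "Terminated by operator"' in t:
        d.kind, d.fix = "operator-disconnect", "nothing to fix: an admin ran 'ssh disconnect <sid>'"
    elif 'error 0x0d "Rejected by server"' in t:
        d.kind = "auth-failed"
        # Wrong password and unknown user print identical output; the only hint
        # is a non-'pix' username while the ASA has no AAA configured.
        if "user authen method is 'no AAA'" in t and d.username != "pix":
            d.fix = ("without AAA only the default user 'pix' can log in; "
                     "configure 'aaa authentication ssh console LOCAL' for local users")
        else:
            d.fix = "check the username and password"
    elif 'error 0x00 "Invalid message length"' in t and d.client_version is None:
        d.kind = "version-mismatch"
        # RFC 4253: an SSH-1-only server announces SSH-1.5, an SSH-2-only server
        # SSH-2.0, and a server accepting both announces SSH-1.99.
        if d.server_version and d.server_version.startswith("SSH-1.5"):
            d.fix = "ASA accepts only SSH-1: configure 'ssh version 2'"
        else:
            d.fix = "client speaks only SSH-1: use an SSH-2 client rather than enabling SSH-1"
    elif "expecting SSH2_MSG_KEXDH_INIT" in t and "Unexpected message received" in t:
        d.kind = "kex-rejected"
        d.fix = "client refused the key exchange: allow diffie-hellman-group1-sha1 and AES/3DES on the client"
    elif "waiting for SSH2_MSG_NEWKEYS" in t and "TCP connection closed" in t:
        d.kind = "hostkey-rejected"
        d.fix = "user declined the host key: verify it against 'show crypto key mypubkey rsa', then accept"
    return d


# Constructed samples: the distinguishing lines of each excerpt quoted in the post.
SAMPLES = {
    "no-host-key": "SSH0: SSH client: IP = '11.11.11.2'  interface # = 2\n"
                   "SSH: unable to retrieve default host public key.  Please create a defauth RSA key pair before using SSH\n"
                   'SSH0: Session disconnected by SSH server - error 0x00 "Internal error"\n',
    "v1-only-asa": "SSH0: Exchanging versions - SSH-1.5-Cisco-1.25\n"
                   "server version string:SSH-1.5-Cisco-1.25SSH0: receive SSH message: SSH_MSG_NONE (0)\n"
                   'SSH0: Session disconnected by SSH server - error 0x00 "Invalid message length"\n',
    "kex-rejected": "SSH0: client version is - SSH-2.0-PuTTY_Release_0.60\n"
                    "SSH2 0: expecting SSH2_MSG_KEXDH_INITSSH0: receive SSH message: [no message ID: variable *data is NULL]\n"
                    'SSH2 0: Unexpected message receivedSSH0: Session disconnected by SSH server - error 0x00 "Internal error"\n',
    "hostkey-rejected": 'SSH2 0: waiting for SSH2_MSG_NEWKEYSSSH0: TCP read failed, error code = 0x86300003 "TCP connection closed"\n'
                        'SSH2 0: Unexpected mesg type receivedSSH0: Session disconnected by SSH server - error 0x00 "Internal error"\n',
    "auth-failed": "SSH(nonesuch): user authen method is 'no AAA', aaa server group ID = 0\n"
                   'SSH2 0: authentication failed for nonesuch (code=1)SSH0: Session disconnected by SSH server - error 0x0d "Rejected by server"\n',
    "idle-timeout": 'SSH0: Session disconnected by SSH server - error 0x3c "Time-out activated"\n',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        d = diagnose(text)
        print(f"{name:18} -> {d.kind:18} {d.fix}")
```

Feed it one session's worth of output at a time (split a longer console capture at each "Device ssh opened successfully." line) rather than the whole console log, since the rules assume a single session.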

Additional Information:

ssh command in the Cisco ASA 8.4 Command Reference.

show ssh sessions command in the Cisco ASA 8.4 Command Reference.

debug ssh command in the Cisco ASA 8.4 Command Reference.

crypto key generate rsa command in the Cisco ASA 8.4 Command Reference.