SSH Connection Error To Cisco ASA Firewall


Scenario:
Make: Cisco ASA
Model: All Cisco Firewall Models [ASA 5506-X, ASA 5506W-X, ASA 5508-X, etc.]
Mode: CLI (Command Line Interface)
Description: This article covers the causes of, and the fixes for, the error returned when SSHing onto a Cisco ASA Firewall.

Problem

Sometimes when we SSH onto a Cisco Firewall we get the error “Server unexpectedly closed network connection” and the SSH session fails, as shown below.

SSH Error

There can be many reasons for this, but the error usually occurs because either SSH is not configured on the ASA, or SSH is configured but the service is not responding. It also occurs when the source address from which we are trying to SSH onto the ASA is not permitted (whitelisted) for SSH connections to the firewall.

Solution

As mentioned above, there can be many reasons for the connection error. The most common causes and their solutions are listed below.

1. Reachability
Ping the ASA from the source you are trying to SSH from and ensure the device is reachable (this assumes ICMP to the ASA is allowed).

2. SSH Configuration
Check whether SSH is configured on the firewall. To check the SSH configuration, run the following command on the ASA:

edledge-asa# sh run ssh
ssh stricthostkeycheck
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1

If SSH is not configured, configure SSH on the ASA to get SSH access working.

3. Subnets Allowed For SSH Connection
Ensure the source address you are trying to SSH from falls within one of the networks permitted by an "ssh <network> <mask> <interface>" line. In the example below, only hosts in 10.1.1.0/24 arriving on the inside interface are allowed.

edledge-asa# sh run ssh
ssh stricthostkeycheck
ssh 10.1.1.0 255.255.255.0 inside
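Steps 2 and 3 above amount to reading the "show run ssh" output and checking two things: whether the connecting source address falls inside one of the permitted networks, and whether the remaining settings are sane. The following Python script is added here as an illustration and is not part of the original article; it runs over a constructed copy of the output shown above, with one extra host entry on a hypothetical "management" interface so there are two networks to match against. The audit also flags the dh-group1-sha1 key-exchange group that appears in the sample, because OpenSSH clients from version 7.0 onward disable that group by default and fail the key exchange against a server that offers only it.

```python
import ipaddress
import re

# Constructed sample input: the "show run ssh" output quoted in the article, plus
# one extra host entry on a hypothetical "management" interface. Not captured
# from a real device.
SAMPLE_SHOW_RUN_SSH = """\
edledge-asa# sh run ssh
ssh stricthostkeycheck
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.100.5 255.255.255.255 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
"""

# Matches the access lines: ssh <network> <mask> <interface>
ALLOW_LINE = re.compile(
    r"^ssh\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$"
)


def parse_ssh_config(text):
    """Split 'show run ssh' output into (allowed_networks, settings).

    allowed_networks: list of (IPv4Network, interface_name)
    settings: dict of the remaining 'ssh <keyword> [value]' lines, e.g.
              {"version": "2", "timeout": "5", "key-exchange": "group dh-group1-sha1"};
              a keyword with no value (stricthostkeycheck) maps to True.
    """
    allowed = []
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("ssh "):
            continue  # skip the prompt echo and anything that is not an ssh line
        m = ALLOW_LINE.match(line)
        if m:
            net_addr, mask, iface = m.groups()
            # strict=False tolerates host bits being set in the network address
            allowed.append((ipaddress.IPv4Network((net_addr, mask), strict=False), iface))
            continue
        parts = line.split(maxsplit=2)  # ["ssh", "<keyword>", "<rest of line>"]
        settings[parts[1]] = parts[2] if len(parts) == 3 else True
    return allowed, settings


def ssh_source_allowed(text, client_ip):
    """Return the interface on which client_ip is permitted to SSH, or None."""
    allowed, _ = parse_ssh_config(text)
    ip = ipaddress.IPv4Address(client_ip)
    for net, iface in allowed:
        if ip in net:
            return iface
    return None


def audit_ssh_settings(text):
    """Return a list of human-readable findings about the SSH configuration."""
    allowed, settings = parse_ssh_config(text)
    findings = []
    if not allowed:
        findings.append("no 'ssh <network> <mask> <interface>' lines: no source can SSH in")
    if settings.get("version") != "2":
        findings.append("'ssh version 2' is not explicitly configured")
    kex = settings.get("key-exchange", "")
    if isinstance(kex, str) and "dh-group1-sha1" in kex:
        findings.append(
            "key-exchange dh-group1-sha1 (1024-bit DH) is weak and is disabled by default "
            "in OpenSSH 7.0 and later clients, which then fail the key exchange"
        )
    return findings


if __name__ == "__main__":
    for src in ("10.1.1.25", "192.168.100.5", "172.16.0.9"):
        print(src, "->", ssh_source_allowed(SAMPLE_SHOW_RUN_SSH, src) or "NOT ALLOWED")
    for finding in audit_ssh_settings(SAMPLE_SHOW_RUN_SSH):
        print("finding:", finding)
```

Paste the real "show run ssh" output in place of the constructed sample and pass the address the failing client actually sources from; a None result from ssh_source_allowed means step 3 is the problem, regardless of whether the ping in step 1 succeeded.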

4. Management Interface
Check and ensure management access is configured on an interface:

edledge-asa# sh run management-access
management-access inside

5. RSA Key
Regenerate the RSA key pair with a 2048-bit modulus; 2048 bits is the advisable size.

edledge-asa# conf t
edledge-asa(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be:
Keypair generation process begin. Please wait.....

If all five points above check out and SSH is configured correctly, try the last option: reboot the ASA so that all services restart.

6. Reboot
Reload the ASA and try again. If the firewalls are in a high-availability pair, reload both units.

One of the six steps above will resolve the SSH connection issue. Besides the SSH issue, the ASA sometimes complains about an Unsupported SFR Module; refer to the linked article for more details. Likewise, if you are facing an issue with TFTP connections to the ASA or unwanted failover of the ASA, refer to the linked articles.

Source: Cisco, Knowledge Base, Lab

EA00053
