New ASA 5505 install
  • New ASA 5505 install

    Hello
    I have just recently installed a Cisco ASA. This is in a remote office and everything works great, BUT I can not SSH into the device over the tunnel. I get the error: Network Error: Software caused connection abort

    Anyone offer some help on this?

    North

  • #2
    Re: New ASA 5505 install

    May help
    management-access command
    http://www.cisco.com/en/US/docs/secu...html#wp1137951


    also:
    http://the.earth.li/~sgtatham/putty/...Chapter10.html
    10.11 "Network error: Software caused connection abort"
    In modern versions of PuTTY, you should not see this error.
    Windows's documentation about this error condition is not very good, but as far as we can tell, this error occurs when PuTTY is listening on a port, another program makes a connection to that port, but closes the connection so fast that PuTTY has no time to answer it.
    PuTTY only ever listens on a port when it is doing local-to-remote port forwarding (see section 3.5); and if an incoming connection on that port receives this error, PuTTY should simply close the connection and continue without error.
    If you see this error in PuTTY 0.53 or above, we would welcome a report of the circumstances.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: New ASA 5505 install

      Andy
      Thanks for those links. I am still having this issue. I am able to log into everything past the ASA and even log into a server on the remote end and SSH into the ASA, but not from the main office.


      any other ideas?



      • #4
        Re: New ASA 5505 install

        Based on your reply, it sounds like you have the LAN2LAN attributes configured correctly, but...

        Have you specified valid hosts or network addresses permitted to connect via ssh?

        Code:
        ASA(config)#ssh 10.10.10.10 255.255.255.255 inside
        In your "Traffic2Encrypt" ACL (interesting traffic), do you permit (encrypt) your ssh client access to the inside interface?

        How about the reply packets to/from the ssh client to the inside interface address, are they being encrypted/decrypted? "show crypto ipsec sa"

        Does your username have the proper privileges?

        That's all I can think of



        • #5
          Re: New ASA 5505 install

          Yes I do have
          ssh x.x.x.x 255.255.255.0 inside

          and I do have my encrypted traffic ACL
          access-list crypto10 extended permit ip object-group YOUNLocal any

          When I do a debug ssh I get this:
          SSH2: TCP read failed, error code = 0x86300003 "TCP connection closed"
          SSH2: receive SSH message: [no message ID: variable *data is NULL]
          SSH2: receive unsuccessful - status 0x03
          SSH2: Session disconnected by SSH server - error 0x03 "TCP connection closed"
          Device ssh opened successfully.
          SSH2: SSH client: IP = '172.x.x.x' interface # = 1
          SSH: host key initialised
          SSH2: starting SSH control process
          SSH2: Exchanging versions - SSH-2.0-Cisco-1.25
          SSH2: send SSH message: outdata is NULL
          server version string:SSH-2.0-Cisco-1.25SSH2: TCP read failed, error code = 0x86300000 "TCP connection timeout"
          SSH2: receive SSH message: [no message ID: variable *data is NULL]
          SSH2: receive unsuccessful - status 0x00
          SSH2: Session disconnected by SSH server - error 0x00 "TCP connection timeout"



          • #6
            Re: New ASA 5505 install

            I believe I have been having this same issue on my 5520. I am able to SSH to the local ASA, but not the ASA on the other side of the Lan-to-Lan tunnel. I am able to SSH and RDP into all devices beyond the remote ASA. If I RDP into a system on the other side of the tunnel, I am able to SSH into the remote ASA.

            Previously I was running 7.2(4) and not having this issue. This last week I upgraded to 8.0(4) with no other configuration changes and this issue crept up.
            Last edited by bcyeager; 1st February 2009, 02:23.



            • #7
              Re: New ASA 5505 install

              Interesting that you could connect prior to the 8.0.4 upgrade.

              FWIW: I too run 8.0.4 on my ASA5520 and do NOT have problems connecting to the inside interface IP address of the ASA via ssh from my home office computer which sits on the other side of a L2L tunnel.

              All I can add at this point is to check the "crypto ipsec sa" assigned to your peer and make sure the inside ip address of the ASA is part of network addresses permitted across the tunnel. NOTE: This check needs to be done at both ends of the tunnel.

              Example:

              The inside IP address of my ASA is 10.10.1.5/24, the IP address of my home office computer is 192.168.80.19/29.

              xx.xx.xx.xx is the public IP of my 871 router which initiates the L2L tunnel
              yy.yy.yy.yy is the public outside ip address of my ASA

              Code:
              ASA5520# sh crypto ipsec sa peer xx.xx.xx.xx
              peer address: xx.xx.xx.xx
                  Crypto map tag: dynmap, seq num: 1, local addr: yy.yy.yy.yy
                  local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
                  remote ident (addr/mask/prot/port): (192.168.80.16/255.255.255.248/0/0)
                    current_peer: xx.xx.xx.xx
                   #pkts encaps: 4378, #pkts encrypt: 4377, #pkts digest: 4377
                   #pkts decaps: 4585, #pkts decrypt: 4585, #pkts verify: 4585
                    #pkts compressed: 0, #pkts decompressed: 0
                    #pkts not compressed: 4379, #pkts comp failed: 0, #pkts decomp failed: 0
                    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
                    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
                    #send errors: 0, #recv errors: 0
              CISCO871# sh crypto ipsec sa peer yy.yy.yy.yy
                 local  ident (addr/mask/prot/port): (192.168.80.16/255.255.255.248/0/0)
                 remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
                 current_peer yy.yy.yy.yy port 4500
                   PERMIT, flags={origin_is_acl,}
                  #pkts encaps: 5096, #pkts encrypt: 5096, #pkts digest: 5096
                  #pkts decaps: 4693, #pkts decrypt: 4693, #pkts verify: 4693
                  #pkts compressed: 0, #pkts decompressed: 0
                  #pkts not compressed: 0, #pkts compr. failed: 0
                  #pkts not decompressed: 0, #pkts decompress failed: 0
                  #send errors 1, #recv errors 0
              I have underlined the relevant parts of the output. Note that my home office computer IP address and the inside IP address of the ASA are part of the network addresses that are being encrypted/decrypted.

              Also, does your NAT exclusion configuration at both ends match what is being encrypted/decrypted? Could be that your ACL for encrypting traffic is correct, but you forgot to add this ACL to the NAT exclusion. Especially at the remote end. In my case the 871 overload statement for interface F4


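              The checks suggested in #4 and #7 (an `ssh <ip> <mask> inside` entry that covers the client, and `show crypto ipsec sa` idents at both ends that cover the inside IP and the client and mirror each other) can be scripted. This is an added example, not code from the thread; the SA excerpts and the `ssh` line are constructed from the addresses in #7, and the function and check names are my own.

```python
import ipaddress
import re

# Constructed samples modelled on the "sh crypto ipsec sa" excerpts in post #7.
ASA_SA = """\
    local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.80.16/255.255.255.248/0/0)
"""
ROUTER_SA = """\
   local  ident (addr/mask/prot/port): (192.168.80.16/255.255.255.248/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
"""
# Constructed ASA config line in the form "ssh <ip> <mask> <interface>".
SSH_LINES = ["ssh 192.168.80.16 255.255.255.248 inside"]

IDENT_RE = re.compile(r"(local|remote)\s+ident.*?\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")

def parse_idents(output):
    """Return {'local': [networks], 'remote': [networks]} from show crypto ipsec sa text."""
    idents = {"local": [], "remote": []}
    for side, addr, mask in IDENT_RE.findall(output):
        idents[side].append(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
    return idents

def covered(addr, networks):
    ip = ipaddress.IPv4Address(addr)
    return any(ip in n for n in networks)

def ssh_permitted(client, ssh_lines, interface="inside"):
    """True if some 'ssh <ip> <mask> <interface>' line covers the client address."""
    for line in ssh_lines:
        parts = line.split()
        if len(parts) == 4 and parts[0] == "ssh" and parts[3] == interface:
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
            if ipaddress.IPv4Address(client) in net:
                return True
    return False

def check_mgmt_ssh(client, asa_inside, asa_sa, peer_sa, ssh_lines):
    """Return the list of failed checks; an empty list means everything lines up."""
    a, p = parse_idents(asa_sa), parse_idents(peer_sa)
    failures = []
    if not ssh_permitted(client, ssh_lines):
        failures.append("ssh client not in an 'ssh <ip> <mask> inside' entry")
    if not (covered(asa_inside, a["local"]) and covered(client, a["remote"])):
        failures.append("ASA SA idents do not cover inside IP <-> ssh client")
    if not (covered(client, p["local"]) and covered(asa_inside, p["remote"])):
        failures.append("peer SA idents do not cover ssh client <-> ASA inside IP")
    # Each end's local ident must equal the other end's remote ident, or the proxy IDs will not match.
    if set(a["local"]) != set(p["remote"]) or set(a["remote"]) != set(p["local"]):
        failures.append("SA idents are not mirrored between the two ends")
    return failures
```

Feed it the real `show crypto ipsec sa peer` output from both ends and the `ssh` lines from `show run ssh`; a non-empty result points at which of the thread's checks to look at first.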

              • #8
                Re: New ASA 5505 install

                moved to cisco security.
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"



                • #9
                  Re: New ASA 5505 install

                  I had the opposite results. I was on ver 7.x and upgraded to 8.04 and my problem was gone.



                  • #10
                    Re: New ASA 5505 install

                    I was able to resolve the issue with this:

                    http://supportwiki.cisco.com/ViewWik...memory_upgrade

                    And then afterwards I removed the ssh x.x.x.x x.x.x.x inside line for the subnets that didn't have access and re-added them.



                    • #11
                      Re: New ASA 5505 install

                      Good find!
                      Will have to remember that one, thanks for posting.
                      cheers
                      Andy

                      Please read this before you post:


                      Quis custodiet ipsos custodes?
