Tom Claussen

snapshot of cisco ASA5585

Using NA V10.30 and am unable to make an ssh connection to our Cisco ASA FWs. We can connect to the FW from the Linux server NA is hosted on, but not from the application.

We think it may be related to the FIPS mode that gets installed with NA 10.+. We have disabled the use of FIPS for device communications, but we have had to add device-specific settings like prefferredHEK diffie-hellman-group14-sha1 to work with Cisco ASRs, for example.

Anyone had this same issue?

Chris_Powers
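The symptom described above (an OpenSSH login from the NA host works, the NA application itself cannot connect) is what a key-exchange mismatch between a FIPS-restricted SSH client and the device looks like on the wire. The following added example, which is not code from this thread or from NA, parses an SSH_MSG_KEXINIT the way a client does and shows which key-exchange methods remain negotiable; the FIPS client list and the sample device packet are constructed for illustration only.

```python
import struct

# Name-list fields of SSH_MSG_KEXINIT (RFC 4253 s7.1), in wire order.
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# Assumed, illustrative KEX list of a FIPS-restricted client; a real client's
# list comes from its own FIPS configuration, not from this script.
FIPS_CLIENT_KEX = ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"]

def build_kexinit(**lists) -> bytes:
    """Frame a KEXINIT as an unencrypted SSH binary packet. Used here only to
    construct a sample device packet offline; nothing is sent anywhere."""
    body = b"\x14" + b"\x00" * 16          # msg type 20 + cookie (zeroed sample)
    for name in FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    body += b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
    pad = (8 - (len(body) + 5) % 8) % 8    # whole packet a multiple of 8 bytes
    pad += 8 if pad < 4 else 0             # with at least 4 bytes of padding
    return struct.pack(">IB", len(body) + pad + 1, pad) + body + b"\x00" * pad

def parse_kexinit(packet: bytes) -> dict:
    """Return the ten name-lists of a framed KEXINIT as Python lists."""
    packet_len, _pad_len, msg_type = struct.unpack(">IBB", packet[:6])
    if msg_type != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    if len(packet) < 4 + packet_len:
        raise ValueError("truncated packet")
    pos, out = 6 + 16, {}                  # skip the 16-byte random cookie
    for name in FIELDS:
        (n,) = struct.unpack(">I", packet[pos:pos + 4])
        raw = packet[pos + 4:pos + 4 + n]
        pos += 4 + n
        out[name] = raw.decode("ascii").split(",") if raw else []
    return out

def negotiable_kex(device: dict, client_kex: list) -> list:
    """KEX methods both sides list, in client preference order (the first wins,
    RFC 4253 s7.1). Empty means the session fails before authentication."""
    return [k for k in client_kex if k in device["kex"]]

# Constructed sample: a device that offers only group1 and group14-sha1.
SAMPLE_DEVICE_KEXINIT = build_kexinit(
    kex=["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    host_key=["ssh-rsa"], enc_c2s=["aes256-cbc"], enc_s2c=["aes256-cbc"],
    mac_c2s=["hmac-sha1"], mac_s2c=["hmac-sha1"], comp_c2s=["none"], comp_s2c=["none"])
```

An empty result from `negotiable_kex` is the case where the device is reachable but the client never gets to authentication, which matches a timeout that shows nothing in the device's login logs; adding a method such as diffie-hellman-group14-sha1 to the client list makes the intersection non-empty.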

Re: snapshot of cisco ASA5585

Perhaps. I've seen an issue where certain settings (in our case, access variables) will cause the task to get a stack trace and it bails on whatever function is running.

keyboard_interactive_primary set to true

So, for CLI discovery, you'll exit that and move to the next option, or for snapshots, you just fail.

But if the rule tested or device doesn't have this setting, there's no problem.

If you run the snapshot in the jboss_wrapper, do you see an error? Maybe re-run the task, turn up logging for /device/session/ssh and see if you see anything "interesting" in the jboss_wrapper, though, in our case, other than seeing the stack trace, we didn't see the details we were hoping for.

Tom Claussen

Re: snapshot of cisco ASA5585

Been looking at trace dumps for a while now. We have several ASA 5585s and are using the management interface set to management-only. You can ssh to them from the Linux server, from PuTTY on a couple of Windows terminal servers, etc. As long as the IP is in the ssh access list on the FW it works. NA itself gets the connection timeout.

Seems like there may be an issue with the password file settings since we have many groups in there. These systems are in an integration facility, so we see hundreds of different devices and software configurations.

Last time we chased this down on new Cisco ASRs like the 9900 series it was a crypto key problem. That showed up in the log files, though.
