No SSH After Upgrading to 8.4

There are several changes when an ASA is upgraded from 8.2 to 8.4(2). The most notable of these are the ones dealing with the syntax of the NAT configuration. However, there is another gotcha that you might not be expecting. SSH will no longer work with the default username of “pix” like it did prior to the upgrade. This article addresses the simple configuration task of rectifying this issue. Ideally, these tasks would be performed prior to an upgrade to avoid the loss of remote connectivity.

In versions prior to 8.4, the ASA was configured for SSH with the following commands.

ciscoasa(config)# crypto key generate rsa
ciscoasa(config)# passwd <some password>
ciscoasa(config)# ssh x.x.x.x y.y.y.y <interface>

The above configuration does the following:

  1. Generates a key pair
  2. Sets a password
  3. Specifies the interface and the SSH client source addresses that are acceptable

What is left out of the above is the username. SSH requires a username, unless the user authenticates with an RSA public key. In the configuration above, the default username of “pix” can be sent to the ASA from the SSH client. Version 8.4(2) no longer allows the default username.

To resolve this issue, another authentication method must be configured. To emulate the pre-8.4 behavior, the following can be configured.

ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# username pix password <some password>

If this happens to be a fresh 8.4(2) configuration, as opposed to a migrated configuration, the key pair still needs to be generated and SSH permitted on the interface.

ciscoasa(config)# crypto key generate rsa
ciscoasa(config)# ssh x.x.x.x y.y.y.y <interface>

If this is an 8.4(2) or greater implementation that is an upgrade of an ASA that already accepts SSH, there is no need for the above two commands. Only the username and the LOCAL aaa authentication method need to be entered. Ideally, this would be done prior to an upgrade to avoid any issues with accessing the device remotely.
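As an added example (not from the article or from Cisco), here is a small pre-upgrade check that can be run over a saved `show running-config` to flag an ASA that still depends on the default “pix” login. The sample configs below are constructed, and the password hashes are placeholders; a non-LOCAL method such as a TACACS+ server group is accepted as ready.

```python
import re

# Constructed sample "show running-config" excerpts, not taken from the article.
# LEGACY_CONFIG relies on the default "pix" login; PREPARED_CONFIG has the LOCAL
# aaa method and a username, so it will still accept SSH on 8.4(2).
LEGACY_CONFIG = """\
hostname ciscoasa
passwd <constructed-hash> encrypted
ssh 192.0.2.0 255.255.255.0 management
ssh timeout 5
"""

PREPARED_CONFIG = """\
hostname ciscoasa
passwd <constructed-hash> encrypted
username pix password <constructed-hash> encrypted
aaa authentication ssh console LOCAL
ssh 192.0.2.0 255.255.255.0 management
"""

# "ssh <address> <mask> <interface>" lines that permit SSH clients
SSH_ALLOW_RE = re.compile(r"^ssh\s+\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+\s+\S+", re.M)
# the SSH authentication method (LOCAL or an AAA server group such as TACACS+)
AAA_SSH_RE = re.compile(r"^aaa authentication ssh console\s+(\S+)", re.M)
# local user accounts that a LOCAL method could authenticate
USERNAME_RE = re.compile(r"^username\s+\S+\s+password\s", re.M)


def check_ssh_readiness(running_config: str) -> list:
    """Return findings that would leave an ASA without SSH access after an upgrade
    to 8.4(2). An empty list means the SSH authentication setup is ready."""
    findings = []
    if not SSH_ALLOW_RE.search(running_config):
        findings.append("no 'ssh <addr> <mask> <interface>' line: no SSH client is permitted")
    aaa = AAA_SSH_RE.search(running_config)
    if aaa is None:
        findings.append("no 'aaa authentication ssh console' method: only the default "
                        "'pix' login is available, which 8.4(2) no longer accepts")
    elif aaa.group(1).upper() == "LOCAL" and not USERNAME_RE.search(running_config):
        findings.append("LOCAL method set but no 'username ... password' account exists")
    # A non-LOCAL method (e.g. a TACACS+ server group) is accepted as-is; whether
    # that server group is reachable is outside what the config alone can show.
    return findings


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("prepared", PREPARED_CONFIG)):
        print(name, check_ssh_readiness(cfg) or "ready for 8.4(2)")
```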


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

3 Responses to No SSH After Upgrading to 8.4

  1. Shoaib Merchant says:

    But that’s the case only when we’re using the default username of ‘pix’, right? In our organization we are using TACACS credentials to SSH into CPE devices from a jump host. So after migrating from 8.2 to 8.4(2) there won’t be any issues in this scenario. Am I correct in understanding this?

    There’s a project coming up for migrating more than 100 ASAs from 8.2 to 8.4(2). And now I’m so sure that there’s going to be at least one of them with this SSH issue. 😀

  2. Pingback: Internets of Interest for 25th January 2012 — My EtherealMind
