Cisco Bug: CSCvs39589 - ASA doesn't honor SSH Timeout When Data Channel is not Negotiated

Last Modified

Jan 23, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

  • 9.10(1.22)
  • 9.8(4)

Description (partial)

Symptom:
SSH sessions remain open after the SSH configured timeout period.

# show run ssh
ssh timeout 2

# show conn long detail all protocol tcp port 22

TCP outside: 10.152.200.215/62755 NP Identity Ifc: 10.88.243.64/22,
    flags UOB , idle 51m46s, uptime 51m49s, timeout 1h0m, bytes 1268


The session stays in the Authenticated state and never reaches the SessionStarted state. If the session has been open for more than 55 minutes, a rekey has already taken place and the session will then be in the KeysExchanged state.

# show ssh sessions

SID Client IP       Version Mode Encryption Hmac     State            Username
0   10.152.200.215  2.0     IN   aes128-ctr sha1     SessionStarted   cisco
                            OUT  aes128-ctr sha1     SessionStarted   cisco
1   10.152.200.215  2.0     IN   aes128-ctr sha1     KeysExchanged    cisco
                            OUT  aes128-ctr sha1     KeysExchanged    cisco
2   10.152.200.215  2.0     IN   aes128-ctr sha1     Authenticated    cisco
                            OUT  aes128-ctr sha1     Authenticated    cisco
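Because only sessions that never reached SessionStarted are left behind by `ssh timeout`, the quickest check on an affected release is to parse `show ssh sessions` and flag any SID still in Authenticated or KeysExchanged. The following is an added example (not Cisco's code); the sample output is constructed to match the shape shown above, and the column layout is assumed to be the one in this bug's output.

```python
from dataclasses import dataclass, field

# Constructed sample, same layout as the `show ssh sessions` output in the bug.
SAMPLE = """\
SID Client IP       Version Mode Encryption Hmac     State            Username
0   10.152.200.215  2.0     IN   aes128-ctr sha1     SessionStarted   cisco
                            OUT  aes128-ctr sha1     SessionStarted   cisco
1   10.152.200.215  2.0     IN   aes128-ctr sha1     KeysExchanged    cisco
                            OUT  aes128-ctr sha1     KeysExchanged    cisco
2   10.152.200.215  2.0     IN   aes128-ctr sha1     Authenticated    cisco
                            OUT  aes128-ctr sha1     Authenticated    cisco
"""


@dataclass
class SshSession:
    sid: int
    client_ip: str
    username: str
    states: dict = field(default_factory=dict)  # direction (IN/OUT) -> state


def parse_ssh_sessions(text):
    """Parse `show ssh sessions` text into a list of SshSession."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("SID"):
            continue  # blank line or column header
        fields = line.split()
        if line[0].isdigit():
            # First row of a session: SID, client IP, version, then the IN side.
            sid, ip, _version, mode, _enc, _hmac, state, user = fields[:8]
            sessions.append(SshSession(int(sid), ip, user, {mode: state}))
        elif sessions:
            # Indented continuation row (normally OUT) for the session above.
            mode, _enc, _hmac, state, _user = fields[:5]
            sessions[-1].states[mode] = state
    return sessions


def stuck_sessions(text):
    """SIDs where either side never reached SessionStarted, i.e. no channel was opened."""
    return [s.sid for s in parse_ssh_sessions(text)
            if any(st != "SessionStarted" for st in s.states.values())]


if __name__ == "__main__":
    print("SIDs not reaped by ssh timeout:", stuck_sessions(SAMPLE))
```

Sessions reported here are candidates for `ssh disconnect <SID>` until a fixed release is deployed.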

Conditions:
The SSH client never sends a channel or session request.

If verbose mode is used in the client (-vv), the last phase seen is the authentication process (password prompt).

cisco@10.88.243.64's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to 10.88.243.64 ([10.88.243.64]:22).
debug2: fd 3 setting TCP_NODELAY
debug1: Entering interactive session.
debug1: pledge: network


A normal SSH connection continues with the channel negotiation:

cisco@10.88.243.64's password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to 10.88.243.64 ([10.88.243.64]:22).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug1: pledge: network
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LC_TERMINAL_VERSION = 3.3.7
debug2: channel 0: request env confirm 0
debug1: Sending env LC_CTYPE = UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_TERMINAL = iTerm2
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 1024 rmax 4096
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel_input_status_confirm: type 99 id