Unable to SSH into the ProxySG appliance


Article ID: 167051


Products

  • Advanced Secure Gateway Software - ASG
  • ProxySG Software - SGOS
  • Secure Web Gateway Virtual Appliance

Issue/Introduction

Unable to SSH into the ProxySG appliance
How come I am unable to SSH into my ProxySG appliance?
 

Resolution

There may be many different reasons why you are unable to SSH into your ProxySG.  Check the following:

  • Check that the workstation allows SSH traffic.
  • Make sure any firewall between the workstation and the ProxySG allows SSH traffic.
  • Make sure the ProxySG SSH host information is populated and correct.

 

On the ProxySG itself, make sure the SSHv2 host key information is populated.  If it is not, create an SSHv2 host key pair.  The steps below show how to verify this for each SGOS version.

SGOS 6.x - From the Management Console

  1. Go to the Management Console (https://<ip.address.of.proxysg>:8082/) and log in.
  2. Go to the Configuration tab > Authentication > SSH Inbound Connection.
  3. Look at the box labeled "SSHv2 Host Key Pair".  If this box is blank, click the "Create" button.  Once the key pair has been created, SSH access should work.  The key shown in the box should start with something such as "ssh-rsa", followed by a long string of random-looking text.
  4. Test that you can SSH into the device with the new key.  NOTE:  If you receive an error message when attempting to log in to the system after regenerating the host key pair, locate the SSH known hosts file and delete the system's IP address entry.  This course of action may differ depending on the application that you use to connect to the ProxySG.

SGOS 5.x - From the Management Console

  1. Go to the Management Console (https://<ip.address.of.proxysg>:8082/) and log in.
  2. Go to the Configuration tab > Authentication > Console Access > SSH host tab.
  3. Look at the box labeled "SSHv2 Host Key Pair".  If this box is blank, click the "Create" button.  Once the key pair has been created, SSH access should work.  The key shown in the box should start with something such as "ssh-rsa", followed by a long string of random-looking text.
  4. Test that you can SSH into the device with the new key.  NOTE:  If you receive an error message when attempting to log in to the system after regenerating the host key pair, locate the SSH known hosts file and delete the system's IP address entry.  This course of action may differ depending on the application that you use to connect to the ProxySG.

 

SGOS 4.x - From the Management Console

  1. Go to the Management Console (https://<ip.address.of.proxysg>:8082/) and log in.
  2. Go to the Configuration tab > Services > SSH Console > SSH Host tab.
  3. Look at the box labeled "SSH V2".  If it is blank or empty, click the Create button, then the OK button, and then the Apply button.
  4. Test that you can SSH into the device with the new key.  NOTE:  If you receive an error message when attempting to log in to the system after regenerating the host key pair, locate the SSH known hosts file and delete the system's IP address entry.  This course of action may differ depending on the application that you use to connect to the ProxySG.

 

SGOS 5.x or 4.x - From the command line interface (CLI)

  1. Connect to the serial port of the ProxySG.  If the telnet console has been created and is active, you can telnet into the ProxySG.
  2. Run the following commands:

 

ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)ssh-console
ProxySG#(config ssh-console)create host-keypair sshv2
  ok
ProxySG#(config ssh-console)exit
ProxySG#(config)exit
ProxySG#

 

  3. Test that you can SSH into the device with the new key.  NOTE:  If you receive an error message when attempting to log in to the system after regenerating the host key pair, locate the SSH known hosts file and delete the system's IP address entry.  This course of action may differ depending on the application that you use to connect to the ProxySG.
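For an OpenSSH client, the NOTE in the steps above amounts to removing the appliance's old entry from the known_hosts file (`ssh-keygen -R <ip>` does the same). The following added example, which is not part of the original article, removes only the entries whose key differs from the public key copied from the "SSHv2 Host Key Pair" box, and returns the fingerprint to compare with the one the SSH client shows on first connect. The function names and sample addresses are assumptions, the key blobs are constructed placeholders, and only exact host names (plain or hashed) are matched.

```python
import base64
import hashlib
import hmac


def fingerprint(pubkey):
    """OpenSSH-style SHA256 fingerprint of a 'ssh-rsa AAAA...' public key string."""
    blob = base64.b64decode(pubkey.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(field, host):
    """True if a known_hosts host field names `host` exactly (plain or |1| hashed)."""
    if field.startswith("|1|"):
        _, _, salt, mac = field.split("|")
        calc = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(calc, base64.b64decode(mac))
    return host in field.split(",")


def prune_stale(known_hosts_text, host, console_pubkey):
    """Drop only `host` entries whose key differs from the key the console shows.

    Returns (new_text, removed_lines, expected_fingerprint)."""
    want = fingerprint(console_pubkey)
    kept, removed = [], []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        # Comments and @cert-authority / @revoked marker lines are left untouched.
        is_entry = len(parts) >= 3 and not line.startswith(("#", "@"))
        if is_entry and host_matches(parts[0], host) \
                and fingerprint(" ".join(parts[1:3])) != want:
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed, want


if __name__ == "__main__":
    # Constructed sample data: these blobs are placeholders, not real RSA keys.
    old = "ssh-rsa " + base64.b64encode(b"constructed-old-host-key").decode()
    new = "ssh-rsa " + base64.b64encode(b"constructed-new-host-key").decode()
    sample = f"192.0.2.10 {old}\n192.0.2.11 {old}\n"
    text, removed, want = prune_stale(sample, "192.0.2.10", new)
    print("expected fingerprint:", want)
    print("removed:", removed)
    print(text, end="")
```

If the fingerprint the client reports on the next connection does not equal the returned value, the key being offered is not the one the appliance generated.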

 

Checking the ProxySG Sysinfo:

  1. Go to https://<ip.address.of.proxysg>:8082/sysinfo
  2. Search for the following text:

 

!- BEGIN ssh
ssh-console ;mode
delete host-keypair sshv2
exit

 

  3. If the SSH console host key pair was deleted, the text above appears in the sysinfo.  If it is intact, the text above will not exist in the sysinfo.  So if you search for ssh-console and do not see a section of text like the one above, the host key pair is still intact.

Note - When the SSHv2 host key pair is not present in the current configuration (i.e., deleted or not initialized properly), SGOS may also fail to populate the information correctly in the Management Console (Java UI). In that case, the SSHv2 host key pair cannot be created via the Management Console. A serial console connection to the device is needed to create or renew the SSHv2 host key pair, and the CLI commands shown above can be used.