ASA 8.0(3) management over VPN

Unanswered Question
Apr 17th, 2008

I upgraded two PIX 525s from 7.2(1) to 8.0(3) and I can no longer manage them across the VPN tunnels. What changed concerning management between 7.2 and 8.0? I can manage them fine as long as I'm on a machine that is behind the inside interface. All the normal management statements are in place, but no luck from across the tunnel.

sundar.palaniappan Thu, 04/17/2008 - 11:15

Can you ping the inside interface of the ASA over the VPN tunnel? If you can't, there may be an issue with the split tunnel ACL. Can you post a sanitized copy of the ASA configuration?

jms112080 Thu, 04/17/2008 - 11:17

No, I just noticed that I can't ping the inside interface anymore. This is a Site-to-Site tunnel and those ACLs haven't changed that I can see.

sundar.palaniappan Thu, 04/17/2008 - 11:25

Is the inside interface part of the crypto ACL? Can you ping other hosts on the same subnet across the VPN tunnel?

jms112080 Thu, 04/17/2008 - 11:31

The inside interface is part of the ACL, and no, I can no longer ping any host on that subnet across the tunnel.

jms112080 Thu, 04/17/2008 - 11:52

3 Apr 17 2008 12:55:08 713902 Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x4c6cfb8, mess id 0xbe6589f2)!

3 Apr 17 2008 12:55:08 713227 IP = x.x.x.x, Rejecting new IPSec SA negotiation for peer x.x.x.x. A negotiation was already in progress for local Proxy 172.x.x.0/, remote Proxy 10.x.x.0/

Above are debugs from remote PIX.

sundar.palaniappan Fri, 04/18/2008 - 06:10

I haven't seen this error message before. Can you do this?

clear crypto isakmp sa

clear crypto ipsec sa

jakub.moravek Mon, 04/21/2008 - 08:42


I have a similar problem. We have an ASA 5520. After the upgrade to 8.0(3) we are not able to manage the device using ASDM (across Remote Access VPN). SSH and ping work. Any success solving this problem?

