asdm via vpn keeps on hanging/freezing???

Unanswered Question
Jul 4th, 2008

I've set up my ASA 5510 FW so that after I VPN in, I can access the ASA by ASDMing into the inside interface (172.17.193.1).

For some reason this is what happens:

1. I open up my VPN client on my workstation and connect to the outside interface of the ASA.

1. After connected, for ping testing purposes, I open up command prompt and did a "ping 172.17.193.1 -t", which is the inside interface of asa.

3. I launch ASDM client.

4. ASDM loads up until it hit 17%...at which point I get an Error window "ASDM is temporarily unable to contact the firewall". At this point, my ping test is now giving me Request Time Out. I click OK on the Error window.

5. The ping test changes from RTO back to successful ping. ASDM continues loading up until the device dashboard tab with the asdm syslog messages show up.

6. ASDM then hangs, and the ping test goes to RTO again.

7. ASDM hangs (can't click on it, can't close it down, etc) for about 2 min before it comes back alive. The ping test goes back to ping successful.

Anyone have an idea why it does that?

If I load up SSH to 172.17.193.1 by itself, it's fine.

If ASDM is hanging and I load up SSH, SSH obviously cannot connect.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
support.edm Fri, 07/04/2008 - 09:56

ciscoasa# sh run

: Saved

:

ASA Version 8.0(2)

!

hostname ciscoasa

enable password xxx

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address outside_ip 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.17.193.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd xxx

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

access-list split_tunnel_list standard permit 172.17.193.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.17.193.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list admin_access_thru_vpn extended permit ip 192.168.10.0 255.255.255.0 host 172.17.193.1

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnuserspool 192.168.10.101-192.168.10.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 172.17.193.0 255.255.255.0

access-group admin_access_thru_vpn in interface outside

route outside 0.0.0.0 0.0.0.0 gw_ip 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.10.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

http 172.17.193.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh scopy enable

ssh 172.17.193.0 255.255.255.0 inside

ssh 192.168.10.0 255.255.255.0 inside

ssh timeout 60

console timeout 0

management-access inside

support.edm Fri, 07/04/2008 - 09:56

dhcpd address 172.x.x.101-172.17.193.254 inside

dhcpd dns dns1_ip dns2_ip interface inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

ntp server 67.x.x.78 source outside

webvpn

enable outside

svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1

svc enable

group-policy DfltGrpPolicy attributes

group-policy vpnuserspolicy internal

group-policy vpnuserspolicy attributes

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

address-pools value vpnuserspool

username admin password xxxx encrypted privilege 15

username admin attributes

vpn-group-policy vpnuserspolicy

username vpnuser1 password xxx encrypted

username vpnuser1 attributes

vpn-group-policy vpnuserspolicy

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:xxx

: end

ciscoasa#

Actions

This Discussion