5580 Cannot Connect to Management Context

matt.karsten
Level 1

We have our ASA set up with 3 contexts: 1 management and 2 actual firewall contexts. The firewall contexts are working as expected; however, we cannot connect to the Management Context. I am able to ping the interface but not SSH to it. I have tried enabling telnet to the interface and that does not work either.

While troubleshooting this, we figured out that the only network we cannot connect from is our main network where we would like the firewall management interface to reside (10.16.6.0). I changed the IP of the interface to 192.168.10.11 and moved it to that network, and the interface starts working just fine from within that network, but still nothing from 10.16.6.0 can connect. Our next thought was that some other device was blocking the connection, so we took and hooked up a crossover cable to the management interface, assigned it an IP and attempted to connect via the crossover cable, and were still denied. To make sure I had it hooked up correctly, I then assigned it a 10.16.8.11 address and connected my laptop up again and I was able to connect just fine.

I figure somewhere down the line it picked up something that is blocking 10.16.6.0 that I cannot see. So I went in and unassigned all interfaces from the management context and assigned a new interface. The configuration was reset, but I still have the same problem.

I am not able to SSH, Telnet or connect with ASDM into the admin context, only console.

Config Below (I've changed a bunch of it trying to get it to work and haven't had ANY luck):

-------------------

!
hostname dotfw001
names
!
interface Management
 nameif Management
 security-level 100
 ip address 10.16.6.209 255.0.0.0
!
dns server-group DefaultDNS
 name-server 10.16.1.9
 name-server 10.140.1.9
pager lines 24
logging enable
logging list Failover_Event level warnings class ha
logging buffered notifications
logging trap informational
logging asdm informational
logging mail Failover_Event
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export enable
mtu Management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Management 0.0.0.0 0.0.0.0 10.16.6.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server Tacacs protocol tacacs+
aaa authentication enable console Tacacs LOCAL
aaa authentication http console Tacacs LOCAL
aaa authentication serial console Tacacs LOCAL
aaa authentication ssh console Tacacs LOCAL
aaa authentication telnet console Tacacs LOCAL
http server enable
no snmp-server location
no snmp-server contact
telnet 0.0.0.0 0.0.0.0 Management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Management
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
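The posted config is worth reading as a management-plane exposure question as well as a connectivity one: both `telnet` and `ssh` accept any source on the Management interface, `http server enable` has no matching `http <addr> <mask> <if>` rule (so ASDM cannot connect), and the interface mask is 255.0.0.0 while the intended management network is 10.16.6.0. The following script is an added example, not code from the thread or from Cisco: it parses the management-relevant lines of the posted config (embedded as a constructed sample, with ASA's usual indentation) and a constructed hardened counterpart, and reports findings. The hardened config, the "10.16.6.0/24" management subnet and the finding codes are assumptions made for the example; the WIDE_MASK finding is an observation for review, not a claim about the root cause of the outage.

```python
"""Management-plane audit of an ASA context config (added example, not from the thread)."""
import ipaddress

# Constructed sample: the admin-context lines from the original post that
# govern management access, with the indentation ASA normally prints.
SAMPLE_CONFIG = """\
hostname dotfw001
interface Management
 nameif Management
 security-level 100
 ip address 10.16.6.209 255.0.0.0
route Management 0.0.0.0 0.0.0.0 10.16.6.1 1
aaa authentication ssh console Tacacs LOCAL
aaa authentication telnet console Tacacs LOCAL
http server enable
telnet 0.0.0.0 0.0.0.0 Management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Management
ssh timeout 5
"""

# Constructed hardened counterpart (an assumption about the desired end state):
# /24 mask on the management subnet, no telnet, ssh and http limited to that subnet.
HARDENED_CONFIG = """\
hostname dotfw001
interface Management
 nameif Management
 security-level 100
 ip address 10.16.6.209 255.255.255.0
route Management 0.0.0.0 0.0.0.0 10.16.6.1 1
http server enable
http 10.16.6.0 255.255.255.0 Management
ssh 10.16.6.0 255.255.255.0 Management
ssh timeout 5
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(addr, mask):
    """Network from ASA '<addr> <mask>' tokens; '0 0' is ASA shorthand for any."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_interfaces(config):
    """Map nameif -> IPv4Interface for every interface block with an address."""
    ifaces, nameif, addr = {}, None, None
    for line in config.splitlines():
        tok = line.split()
        if line.startswith("interface "):
            nameif, addr = None, None          # new interface block
        elif line.startswith(" nameif ") and len(tok) == 2:
            nameif = tok[1]
        elif line.startswith(" ip address ") and len(tok) >= 4:
            addr = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        if nameif and addr:
            ifaces[nameif] = addr
    return ifaces


def parse_access_rules(config):
    """Collect (protocol, permitted source network, interface) from ssh/telnet/http lines."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 4 and tok[0] in ("ssh", "telnet", "http"):
            try:
                rules.append((tok[0], _net(tok[1], tok[2]), tok[3]))
            except ValueError:
                pass  # 4-token ssh/http lines that are not '<addr> <mask> <if>' rules
    return rules


def audit(config, mgmt_net):
    """Return (code, message) findings; mgmt_net is the subnet admins connect from."""
    mgmt_net = ipaddress.ip_network(mgmt_net)
    rules = parse_access_rules(config)
    findings = []
    for proto, src, iface in rules:
        if src == ANY:
            findings.append(("ANY_SOURCE", f"{proto} accepted from any source on {iface}"))
        if proto == "telnet":
            findings.append(("CLEARTEXT_TELNET", f"telnet (cleartext credentials) enabled on {iface}"))
    for name, intf in parse_interfaces(config).items():
        # A mask wider than the management subnet makes every host in the larger
        # block look directly connected; worth reviewing, not proof of a fault.
        if intf.network != mgmt_net and mgmt_net.subnet_of(intf.network):
            findings.append(("WIDE_MASK", f"{name} {intf} treats all of {intf.network} as on-link"))
    if "http server enable" in config.splitlines() and not any(p == "http" for p, _, _ in rules):
        findings.append(("NO_HTTP_ACL", "http server enabled but no 'http <addr> <mask> <if>' rule: ASDM cannot connect"))
    if not any(p == "ssh" and mgmt_net.subnet_of(src) for p, src, _ in rules):
        findings.append(("SSH_NOT_PERMITTED", f"no ssh rule permits {mgmt_net}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config ==")
        for code, msg in audit(cfg, "10.16.6.0/24") or [("OK", "no findings")]:
            print(f"{code:18} {msg}")
```

Run against the posted config the audit reports two ANY_SOURCE findings (telnet and ssh), CLEARTEXT_TELNET, WIDE_MASK and NO_HTTP_ACL; against the hardened config it reports nothing. The checks are deliberately narrow (no `object-group` or IPv6 handling), which is enough for a single-context management interface review.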

4 Replies

Hi Matt,

Most of your config looks okay to me. I'm not sure if you removed this during your troubleshooting, but ASDM will not work until you add the 'http 0 0 Management' command and possibly the 'asdm image' command.

Have you generated the SSH key with the 'crypto key generate' command?

At this point, I would start enabling some of the debug output when you are trying to connect. Enable syslogs at the debug level and also try 'debug ssh 255' to see if any messages are printed that might give you a clue as to why this is failing.

I would also take a look at the output of 'show ssh sessions', 'show resource usage', 'show proc | i ssh', and even 'debug npshim 15' to see if anything sticks out as being a problem.

Finally, what version of code are you running? There is a bug in 8.1 where there can be significant packet loss on the management interface when you have multiple contexts configured. Unfortunately, I don't have a bug ID handy but you should be able to find it in the Bug Toolkit.

Hope that helps.

-Mike

I was afraid you would say it looks good.

The http command I just forgot to put back in once I cleared the config; that's just my fault. I am doing all of my testing with SSL at the moment.

I did regenerate the crypto key at 1024, that did help when I was using a connection other than the management interface. As soon as I went back to the management interface, I tried connecting, it didn't work, I regenerated the key and toggled the ssh command and it didn't work.

show ssh sessions - comes back with nothing. Which makes sense since no one can connect over SSH.

show resource usage - comes back with what I would expect it to, but nothing that jumps out at me (admin context is where I am having the problems):

Resource         Current      Peak      Limit  Denied Context
Conns                  1        28  unlimited       0 admin
Hosts                  2         9  unlimited       0 admin
Xlates                 1         4  unlimited       0 Hilltop
Hosts                  1        84  unlimited       0 Hilltop
Syslogs [rate]         1      7971  unlimited       0 SOCC
Conns               6679   1244067  unlimited       0 SOCC
Xlates              5783    122499  unlimited       0 SOCC
Hosts               2064      3281  unlimited       0 SOCC
Conns [rate]         430     30206  unlimited       0 SOCC
Inspects [rate]      106     13728  unlimited       0 SOCC

show proc | i ssh - not sure what this should return:

Mwe 08bdbf51 317293d4 313b5ce8 1 31727720 6744/8192 listen/ssh
Mwe 08b974db 381f5cbc 09ce71ec 7 381f3e18 6408/8192 ssh/timer

We are running 8.1(1). I don't really see anything more recent to download than 8.1(1). Is there a more recent software version out there?

I forgot to throw it out there that I did capture packets coming into the ASA (using the capture command in the ASA). When I do this, I never see the SSL packets even hit the ASA. The pings hit it just fine and show up in the capture information. This has been done over the network and with a crossover cable connected directly to the device.

Needless to say, I am confused.
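Reading 'show resource usage' by eye works for a three-context box, but the check Mike suggested (is any context being denied resources, or running near a limit?) is easy to make repeatable. The script below is an added example, not part of the thread or a Cisco tool: it parses the output Matt posted (embedded as a constructed sample) plus a second constructed sample with finite limits and a denial, and returns the rows that deserve attention. The 80% threshold and the column regex are assumptions for the example; resource names with a '[rate]' suffix and the 'unlimited' limit value are handled as they appear in the posted output.

```python
"""Parse ASA 'show resource usage' output and flag pressure (added example, not from the thread)."""
import re

# Constructed sample: the output Matt posted, re-aligned into columns.
POSTED_OUTPUT = """\
Resource         Current      Peak      Limit  Denied Context
Conns                  1        28  unlimited       0 admin
Hosts                  2         9  unlimited       0 admin
Xlates                 1         4  unlimited       0 Hilltop
Hosts                  1        84  unlimited       0 Hilltop
Syslogs [rate]         1      7971  unlimited       0 SOCC
Conns               6679   1244067  unlimited       0 SOCC
Xlates              5783    122499  unlimited       0 SOCC
Hosts               2064      3281  unlimited       0 SOCC
Conns [rate]         430     30206  unlimited       0 SOCC
Inspects [rate]      106     13728  unlimited       0 SOCC
"""

# Constructed sample with finite per-context limits, to show what a denial looks like.
LIMITED_OUTPUT = """\
Resource         Current      Peak      Limit  Denied Context
Conns               1900      2000       2000      37 SOCC
Xlates               500       700       1000       0 SOCC
Hosts                800       850       1000       0 SOCC
"""

# One data row: resource name (optionally followed by ' [rate]'), four numeric
# columns where Limit may be the word 'unlimited', then the context name.
ROW = re.compile(
    r"^(?P<resource>\S+(?: \[rate\])?)\s+(?P<current>\d+)\s+(?P<peak>\d+)"
    r"\s+(?P<limit>unlimited|\d+)\s+(?P<denied>\d+)\s+(?P<context>\S+)\s*$"
)


def parse_resource_usage(text):
    """Return one dict per data row; the header line does not match ROW and is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "resource": d["resource"],
            "current": int(d["current"]),
            "peak": int(d["peak"]),
            "limit": None if d["limit"] == "unlimited" else int(d["limit"]),
            "denied": int(d["denied"]),
            "context": d["context"],
        })
    return rows


def find_pressure(rows, threshold=0.8):
    """Rows with denials, or whose peak reached `threshold` of a finite limit."""
    return [r for r in rows
            if r["denied"] > 0
            or (r["limit"] is not None and r["peak"] >= threshold * r["limit"])]


if __name__ == "__main__":
    for label, text in (("posted", POSTED_OUTPUT), ("limited", LIMITED_OUTPUT)):
        hits = find_pressure(parse_resource_usage(text))
        print(f"{label}: {len(hits)} row(s) under pressure")
        for r in hits:
            print(f"  {r['context']} {r['resource']}: peak {r['peak']} "
                  f"limit {r['limit']} denied {r['denied']}")
```

On the posted output nothing is flagged, which matches Matt's reading: every limit is unlimited and every Denied counter is 0, so resource limits are not what is keeping SSH from the admin context. The second sample shows the two cases the check exists for, a row with a non-zero Denied count and a row whose peak sits close to its limit.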

Unfortunately I could find no other answer to this question. I ended up rebooting the firewall on one of our maintenance nights. The reboot has fixed the issue.

Matt
