401 forbidden on ASDM

Unanswered Question
Mar 22nd, 2010

I can get to the untrusted certificate on https, coming from my address 192.168.133.205, but I get denied.

Am I being denied by an access list? I don't see how, since the initial SSL begins.

These are the logs from the ASA. 10.11.24.11 is the IP of one of the contexts.

interface GigabitEthernet0/1.124
vlan 124
nameif Inside
security-level 100
ip address 10.11.24.11 255.255.255.0

http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 Inside

Mar 22 2010 16:05:34: %ASA-6-725001: Starting SSL handshake with client Inside:192.168.133.205/24368 for TLSv1 session.
Mar 22 2010 16:05:34: %ASA-6-725003: SSL client Inside:192.168.133.205/24368 request to resume previous session.
Mar 22 2010 16:05:34: %ASA-6-725002: Device completed SSL handshake with client Inside:192.168.133.205/24368
Mar 22 2010 16:05:34: %ASA-6-725007: SSL session with client Inside:192.168.133.205/24368 terminated.
Mar 22 2010 16:05:34: %ASA-6-302014: Teardown TCP connection 336585 for Inside:192.168.133.205/24368 to identity:10.11.24.11/443 duration 0:00:00 bytes 504 TCP Reset-O
Mar 22 2010 16:05:34: %ASA-6-106015: Deny TCP (no connection) from 192.168.133.205/24368 to 10.11.24.11/443 flags FIN ACK  on interface Inside
Mar 22 2010 16:05:34: %ASA-7-710005: TCP request discarded from 192.168.133.205/24368 to Inside:10.11.24.11/443

Kureli Sankar Mon, 03/22/2010 - 14:30

Issue "sh asp table socket" and make sure it is listening on port 443.

If not just issue

conf t

no http server en

http server en

Then issue "sh asp table socket" and see if it is listening again and then launch asdm again.

Also issue "sh ver" and make sure an appropriate asdm image matching the OS is loaded.

-KS

nygenxny123 Tue, 03/23/2010 - 07:39

Hmm, OK. Tried the above, same results.

# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(1)

SSL       00aec0af  10.1.1.15:443               0.0.0.0:*               LISTEN
SSL       00aee5ef  10.11.24.11:443             0.0.0.0:*               LISTEN

Mar 23 2010 09:31:49: %ASA-6-725001: Starting SSL handshake with client Inside:192.168.133.205/27880 for TLSv1 session.
Mar 23 2010 09:31:49: %ASA-6-725003: SSL client Inside:192.168.133.205/27880 request to resume previous session.
Mar 23 2010 09:31:49: %ASA-6-725002: Device completed SSL handshake with client Inside:192.168.133.205/27880
Mar 23 2010 09:31:49: %ASA-6-725007: SSL session with client Inside:192.168.133.205/27880 terminated.
Mar 23 2010 09:31:49: %ASA-6-302014: Teardown TCP connection 361546 for Inside:192.168.133.205/27880 to identity:10.11.24.11/443 duration 0:00:00 bytes 504 TCP Reset-O
Mar 23 2010 09:31:49: %ASA-6-106015: Deny TCP (no connection) from 192.168.133.205/27880 to 10.11.24.11/443 flags FIN ACK  on interface Inside
Mar 23 2010 09:31:49: %ASA-7-710005: TCP request discarded from 192.168.133.205/27880 to Inside:10.11.24.11/443
Mar 23 2010 09:31:50: %ASA-6-302013: Built inbound TCP connection 361547 for Inside:192.168.133.205/27881 (192.168.133.205/27881) to identity:10.11.24.11/443 (10.11.24.11/443)
Mar 23 2010 09:31:50: %ASA-6-725001: Starting SSL handshake with client Inside:192.168.133.205/27881 for TLSv1 session.
Mar 23 2010 09:31:50: %ASA-6-725003: SSL client Inside:192.168.133.205/27881 request to resume previous session.
Mar 23 2010 09:31:50: %ASA-6-725002: Device completed SSL handshake with client Inside:192.168.133.205/27881
Mar 23 2010 09:31:50: %ASA-6-725007: SSL session with client Inside:192.168.133.205/27881 terminated.
Mar 23 2010 09:31:50: %ASA-6-302014: Teardown TCP connection 361547 for Inside:192.168.133.205/27881 to identity:10.11.24.11/443 duration 0:00:00 bytes 504 TCP Reset-O
Mar 23 2010 09:31:50: %ASA-6-106015: Deny TCP (no connection) from 192.168.133.205/27881 to 10.11.24.11/443 flags FIN ACK  on interface Inside
Mar 23 2010 09:31:50: %ASA-7-710005: TCP request discarded from 192.168.133.205/27881 to Inside:10.11.24.11/443

Shrikant Sundaresh Mon, 04/04/2011 - 04:23

Kindly follow the troubleshooting method mentioned in this link:

https://supportforums.cisco.com/docs/DOC-15016

I feel that the connection is being terminated since the ASDM image is missing in flash, or not mentioned in the config.

Also please try accessing it with https:///admin and https:///

Hope this helps.

-Shrikant

PS: Please mark the question resolved if it has been answered. Do rate helpful posts. Thanks.

Hi Shrikant

Thank you for the link, I have tried accessing the context with the name at the end of the http string to no avail.

I am not too sure what the issue is here, as I am able to access the ASA context from the outside interface always but get this error on the inside interface.

Apr 01 2011 10:59:28: %ASA-7-609001: Built local-host identity:192.168.1.1
Apr 01 2011 10:59:28: %ASA-6-302013: Built inbound TCP connection 31132166 for INSIDE:192.168.1.16/49765 (192.168.1.16/49765) to identity:192.168.1.1/443 (192.168.1.1/443)
Apr 01 2011 10:59:28: %ASA-7-725010: Device supports the following 4 cipher(s).
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[1] : RC4-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[2] : AES128-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[3] : AES256-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[4] : DES-CBC3-SHA
Apr 01 2011 10:59:28: %ASA-7-725008: SSL client INSIDE:192.168.1.16/49765 proposes the following 11 cipher(s).
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[1] : DHE-DSS-AES256-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[2] : AES256-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[3] : DHE-RSA-AES256-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[6] : RC4-MD5
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[7] : RC4-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[8] : AES128-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[9] : EDH-RSA-DES-CBC3-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[10] : EDH-DSS-DES-CBC3-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[11] : DES-CBC3-SHA
Apr 01 2011 10:59:28: %ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client INSIDE:192.168.1.16/49765
Apr 01 2011 10:59:28: %ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: sslv3 alert bad certificate
Apr 01 2011 10:59:28: %ASA-7-710005: TCP request discarded from 192.168.1.16/49765 to INSIDE:192.168.1.1/443
Apr 01 2011 10:59:28: %ASA-6-302014: Teardown TCP connection 31132166 for INSIDE:192.168.1.16/49765 to identity:192.168.1.1/443 duration 0:00:00 bytes 524 TCP Reset by appliance
Apr 01 2011 10:59:28: %ASA-7-609002: Teardown local-host identity:192.168.1.1 duration 0:00:00
Apr 01 2011 10:59:28: %ASA-6-106015: Deny TCP (no connection) from 192.168.1.16/49765 to 192.168.1.1/443 flags RST  on interface INSIDE
Apr 01 2011 10:59:28: %ASA-7-710005: TCP request discarded from 192.168.1.16/49765 to INSIDE:192.168.1.1/443
Apr 01 2011 10:59:28: %ASA-6-106015: Deny TCP (no connection) from 192.168.1.16/49765 to 192.168.1.1/443 flags RST  on interface INSIDE
Apr 01 2011 10:59:28: %ASA-7-710005: TCP request discarded from 192.168.1.16/49765 to INSIDE:192.168.1.1/443

I am also not too sure about the certificate error, as SSH always works and so does the ASDM on the outside interface.

Regards, MJ
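The two captures in this thread show two different failure shapes at the TLS layer: in the Mar 2010 logs the ASA completes the handshake (725002) and the connection is torn down immediately afterwards with 504 bytes and "TCP Reset-O", so TLS itself succeeded and the problem sits above it (HTTP server / ASDM image); in the Apr 2011 logs the ASA selects a cipher (725012) and then logs 725014 "sslv3 alert bad certificate" before resetting the connection itself, i.e. the peer sent a bad_certificate alert during the handshake. The script below is an added example, not part of this thread or any Cisco tool: it groups %ASA- messages by client socket and classifies each flow. The sample lines are copied from the captures on this page; attributing the address-less 725014 line to the most recently seen flow is an assumption of the script, not something the log format guarantees.

```python
import re
from collections import OrderedDict

# Sample input: lines copied from the two captures posted in this thread.
SAMPLE_LOG = """\
Mar 22 2010 16:05:34: %ASA-6-725001: Starting SSL handshake with client Inside:192.168.133.205/24368 for TLSv1 session.
Mar 22 2010 16:05:34: %ASA-6-725003: SSL client Inside:192.168.133.205/24368 request to resume previous session.
Mar 22 2010 16:05:34: %ASA-6-725002: Device completed SSL handshake with client Inside:192.168.133.205/24368
Mar 22 2010 16:05:34: %ASA-6-725007: SSL session with client Inside:192.168.133.205/24368 terminated.
Mar 22 2010 16:05:34: %ASA-6-302014: Teardown TCP connection 336585 for Inside:192.168.133.205/24368 to identity:10.11.24.11/443 duration 0:00:00 bytes 504 TCP Reset-O
Mar 22 2010 16:05:34: %ASA-6-106015: Deny TCP (no connection) from 192.168.133.205/24368 to 10.11.24.11/443 flags FIN ACK  on interface Inside
Apr 01 2011 10:59:28: %ASA-6-302013: Built inbound TCP connection 31132166 for INSIDE:192.168.1.16/49765 (192.168.1.16/49765) to identity:192.168.1.1/443 (192.168.1.1/443)
Apr 01 2011 10:59:28: %ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client INSIDE:192.168.1.16/49765
Apr 01 2011 10:59:28: %ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: sslv3 alert bad certificate
Apr 01 2011 10:59:28: %ASA-6-302014: Teardown TCP connection 31132166 for INSIDE:192.168.1.16/49765 to identity:192.168.1.1/443 duration 0:00:00 bytes 524 TCP Reset by appliance
"""

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)")
# Client socket as it appears in 725xxx ("client Inside:ip/port") and 3020xx ("for Inside:ip/port") messages.
FLOW_RE = re.compile(r"(?:client|for) (?P<ifc>\w+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)")
TEARDOWN_RE = re.compile(r"bytes (?P<bytes>\d+) TCP (?P<reason>.+)$")


def new_flow(ifc, ip, port):
    return {"client": f"{ifc}:{ip}/{port}", "handshake_started": False,
            "handshake_completed": False, "ssl_terminated": False,
            "cipher": None, "ssl_errors": [], "teardown": None, "bytes": None}


def parse_flows(log_text):
    """Group ASA syslog lines into per-client-socket TLS flow records."""
    flows = OrderedDict()
    last_key = None
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, text = m.group("id"), m.group("text")
        f = FLOW_RE.search(text)
        if f:
            key = (f.group("ip"), int(f.group("port")))
            flow = flows.setdefault(key, new_flow(f.group("ifc"), f.group("ip"), f.group("port")))
            last_key = key
        elif last_key is not None:
            # Assumption: messages without a client address (e.g. 725014) belong to the
            # flow most recently mentioned in the log.
            flow = flows[last_key]
        else:
            continue
        if msg_id == "725001":
            flow["handshake_started"] = True
        elif msg_id == "725002":
            flow["handshake_completed"] = True
        elif msg_id == "725007":
            flow["ssl_terminated"] = True
        elif msg_id == "725012":
            c = re.search(r"cipher : (\S+)", text)
            flow["cipher"] = c.group(1) if c else None
        elif msg_id == "725014":
            flow["ssl_errors"].append(text)
        elif msg_id == "302014":
            t = TEARDOWN_RE.search(text)
            if t:
                flow["teardown"] = t.group("reason")
                flow["bytes"] = int(t.group("bytes"))
    return flows


def classify(flow):
    """One-line verdict on where in the connection the failure happened."""
    if any("bad certificate" in e for e in flow["ssl_errors"]):
        return "handshake aborted: peer sent a bad_certificate alert (client rejected the presented certificate)"
    if flow["ssl_errors"]:
        return "handshake aborted: SSL library error"
    if flow["handshake_completed"] and flow["teardown"]:
        return (f"TLS handshake completed, then torn down immediately ({flow['teardown']}, "
                f"{flow['bytes']} bytes): look past TLS at the HTTP server / ASDM image")
    if flow["handshake_started"] and not flow["handshake_completed"]:
        return "handshake started but never completed"
    return "no TLS activity recorded"


def summarize(log_text):
    return {flow["client"]: classify(flow) for flow in parse_flows(log_text).values()}


if __name__ == "__main__":
    for client, verdict in summarize(SAMPLE_LOG).items():
        print(f"{client}: {verdict}")
```

Running it against a full "logging buffered debugging" capture separates flows that died inside the handshake (certificate or cipher problems, where Shrikant's browser-side suggestions apply) from flows that the ASA accepted and then dropped, which is the shape in the original poster's logs.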

Shrikant Sundaresh Tue, 04/05/2011 - 15:38

Hi MJ,

I did some research on the error message you are getting, and I would like to suggest trying the following:

1. enable lower SSL versions on the browser as well.

2. try doing "no http server enable" followed by "http server enable 10000" and try accessing it using: https://ip_address:10000 and see if it works.

You can use any port other than 443. I randomly chose 10000.

3. If the ASA is in high availability, could you check if ASDM access to the standby unit works fine?

4. very last resort: reboot the current active device and check if this resolves the issue. (it might become standby if failover is present. make it active again.)

Is the inside interface shared among multiple contexts? If so, does the interface have unique MAC addresses in the various contexts?

-Shrikant
