Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
17955
Views
5
Helpful
6
Replies

401 forbidden on ASDM

nygenxny123
Level 1
Level 1

‎03-22-2010 02:19 PM - edited ‎03-11-2019 10:24 AM

I can get to the untrusted certificate on https....coming from my address 192.168.133.205..but i get denied

am i being denied by access list?..I dont see how since intital SSL begins..

these are the log from the ASA---10.11.24.11 is the ip of one of the contexts

interface GigabitEthernet0/1.124
vlan 124
nameif Inside
security-level 100
ip address 10.11.24.11 255.255.255.0

http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 Inside

Mar 22 2010 16:05:34: %ASA-6-725001: Starting SSL handshake with client Inside:1
92.168.133.205/24368 for TLSv1 session.
Mar 22 2010 16:05:34: %ASA-6-725003: SSL client Inside:192.168.133.205/24368 req
uest to resume previous session.
Mar 22 2010 16:05:34: %ASA-6-725002: Device completed SSL handshake with client
Inside:192.168.133.205/24368
Mar 22 2010 16:05:34: %ASA-6-725007: SSL session with client Inside:192.168.133.
205/24368 terminated.
Mar 22 2010 16:05:34: %ASA-6-302014: Teardown TCP connection 336585 for Inside:1
92.168.133.205/24368 to identity:10.11.24.11/443 duration 0:00:00 bytes 504 TCP
Reset-O
Mar 22 2010 16:05:34: %ASA-6-106015: Deny TCP (no connection) from 192.168.133.2
05/24368 to 10.11.24.11/443 flags FIN ACK  on interface Inside
Mar 22 2010 16:05:34: %ASA-7-710005: TCP request discarded from 192.168.133.205/
24368 to Inside:10.11.24.11/443

Labels:
0 Helpful
6 Replies 6

Kureli Sankar
Cisco Employee
Cisco Employee

‎03-22-2010 02:30 PM

Issue "sh asp table socket" and make sure it is listening on port 443.

If not just issue

conf t

no http server en

http server en

Then issue "sh asp table socket" and see if it is listening again and then launch asdm again.

Also issue "sh ver" and make sure an appropriate asdm image matching the OS is loaded.

-KS

0 Helpful

nygenxny123
Level 1
Level 1
In response to Kureli Sankar

‎03-23-2010 07:39 AM

hmm ok..tried the above..same results..

# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(1)

SSL       00aec0af  10.1.1.15:443               0.0.0.0:*               LISTEN
SSL       00aee5ef  10.11.24.11:443             0.0.0.0:*               LISTEN

Mar 23 2010 09:31:49: %ASA-6-725001: Starting SSL handshake with client Inside:
92.168.133.205/27880 for TLSv1 session.
Mar 23 2010 09:31:49: %ASA-6-725003: SSL client Inside:192.168.133.205/27880 re
uest to resume previous session.
Mar 23 2010 09:31:49: %ASA-6-725002: Device completed SSL handshake with client
Inside:192.168.133.205/27880
Mar 23 2010 09:31:49: %ASA-6-725007: SSL session with client Inside:192.168.133
205/27880 terminated.
Mar 23 2010 09:31:49: %ASA-6-302014: Teardown TCP connection 361546 for Inside:
92.168.133.205/27880 to identity:10.11.24.11/443 duration 0:00:00 bytes 504 TCP
Reset-O
Mar 23 2010 09:31:49: %ASA-6-106015: Deny TCP (no connection) from 192.168.133.
05/27880 to 10.11.24.11/443 flags FIN ACK  on interface Inside
Mar 23 2010 09:31:49: %ASA-7-710005: TCP request discarded from 192.168.133.205
27880 to Inside:10.11.24.11/443
Mar 23 2010 09:31:50: %ASA-6-302013: Built inbound TCP connection 361547 for In
ide:192.168.133.205/27881 (192.168.133.205/27881) to identity:10.11.24.11/443 (
0.11.24.11/443)
Mar 23 2010 09:31:50: %ASA-6-725001: Starting SSL handshake with client Inside:
92.168.133.205/27881 for TLSv1 session.
Mar 23 2010 09:31:50: %ASA-6-725003: SSL client Inside:192.168.133.205/27881 re
uest to resume previous session.
Mar 23 2010 09:31:50: %ASA-6-725002: Device completed SSL handshake with client
Inside:192.168.133.205/27881
Mar 23 2010 09:31:50: %ASA-6-725007: SSL session with client Inside:192.168.133
205/27881 terminated.
Mar 23 2010 09:31:50: %ASA-6-302014: Teardown TCP connection 361547 for Inside:
92.168.133.205/27881 to identity:10.11.24.11/443 duration 0:00:00 bytes 504 TCP
Reset-O
Mar 23 2010 09:31:50: %ASA-6-106015: Deny TCP (no connection) from 192.168.133.
05/27881 to 10.11.24.11/443 flags FIN ACK  on interface Inside
Mar 23 2010 09:31:50: %ASA-7-710005: TCP request discarded from 192.168.133.205
27881 to Inside:10.11.24.11/443

0 Helpful

mj11
Level 3
Level 3
In response to nygenxny123

‎04-04-2011 03:02 AM

Hi

I know this is an old message, I was hoping you were able to share if you fixed this issue as I think I am seeing the same problem and I am unable to find any information on the problem.

Regards

MJ

0 Helpful

Shrikant Sundaresh
Cisco Employee
Cisco Employee
In response to mj11

‎04-04-2011 04:23 AM

Kindly follow the Troubleshooting method, mentioned in this link:

https://supportforums.cisco.com/docs/DOC-15016

I feel that the connection is being terminated since ASDM image is missing in flash, or not mentioned in config.

Also please try accessing it with https:///admin and https:///

Hope this helps.

-Shrikant

PS: Please mark the question resolved if it has been answered. Do rate helpful posts. Thanks.

mj11
Level 3
Level 3
In response to Shrikant Sundaresh

‎04-05-2011 02:37 PM

Hi Shrikant

Thank you for the link, I have tried accessing the context with the name at the end of the http string to no avail.

I am not to sure what the issue is here as I am able to access the ASA context from the outside interface always but get this error on the inside interface.

Apr 01 2011 10:59:28: %ASA-7-609001: Built local-host identity:192.168.1.1
Apr 01 2011 10:59:28: %ASA-6-302013: Built inbound TCP connection 31132166 for INSIDE:192.168.1.16/49765 (192.168.1.16/49765) to identity:192.168.1.1/443 (192.168.1.1/443)
Apr 01 2011 10:59:28: %ASA-7-725010: Device supports the following 4 cipher(s).
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[1] : RC4-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[2] : AES128-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[3] : AES256-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[4] : DES-CBC3-SHA
Apr 01 2011 10:59:28: %ASA-7-725008: SSL client INSIDE:192.168.1.16/49765 proposes the following 11 cipher(s).
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[1] : DHE-DSS-AES256-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[2] : AES256-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[3] : DHE-RSA-AES256-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[6] : RC4-MD5
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[7] : RC4-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[8] : AES128-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[9] : EDH-RSA-DES-CBC3-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[10] : EDH-DSS-DES-CBC3-SHA
Apr 01 2011 10:59:28: %ASA-7-725011: Cipher[11] : DES-CBC3-SHA
Apr 01 2011 10:59:28: %ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client INSIDE:192.168.1.16/49765
Apr 01 2011 10:59:28: %ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: sslv3 alert bad certificate
Apr 01 2011 10:59:28: %ASA-7-710005: TCP request discarded from 192.168.1.16/49765 to INSIDE:192.168.1.1/443
Apr 01 2011 10:59:28: %ASA-6-302014: Teardown TCP connection 31132166 for INSIDE:192.168.1.16/49765 to identity:192.168.1.1/443 duration 0:00:00 bytes 524 TCP Reset by appliance
Apr 01 2011 10:59:28: %ASA-7-609002: Teardown local-host identity:192.168.1.1 duration 0:00:00
Apr 01 2011 10:59:28: %ASA-6-106015: Deny TCP (no connection) from 192.168.1.16/49765 to 192.168.1.1/443 flags RST  on interface INSIDE
Apr 01 2011 10:59:28: %ASA-7-710005: TCP request discarded from 192.168.1.16/49765 to INSIDE:192.168.1.1/443
Apr 01 2011 10:59:28: %ASA-6-106015: Deny TCP (no connection) from 192.168.1.16/49765 to 192.168.1.1/443 flags RST  on interface INSIDE
Apr 01 2011 10:59:28: %ASA-7-710005: TCP request discarded from 192.168.1.16/49765 to INSIDE:192.168.1.1/443

I am also not to sure about the certificate error as SSH always works and so does the ASDM on the outside interface.

Regrads MJ

0 Helpful

Shrikant Sundaresh
Cisco Employee
Cisco Employee
In response to mj11

‎04-05-2011 03:38 PM

Hi MJ,

I did some research on the error message you are getting, and I would like to suggest trying the following:

1. enable lower SSL versions on the browser as well.

2. try doing "no http server enable" followed by "http server enable 10000" and try accessing it using: https://ip_address:10000 and see if it works.

You can use any port other than 443. I randomly chose 10000.

3. if the ASA is in high availability, could you check if ASDM access to the standby unit works fine?

4. very last resort: reboot the current active device and check if this resolves the issue. (it might become standby if failover is present. make it active again.)

Is the inside interface shared among multiple contexts? If so does the interface have unique mac addresses in the various contexts?

-Shrikant

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card