Cisco ASA 8.4(4) - Management-Access Inside !!!

Jun 10th, 2012


I deployed a Cisco ASA Firewall Software Ver 8.4(4). I have created an IPSec Site to Site VPN tunnel. It is a Static to Dynamic IP scenario.

The issue is that the VPN tunnel is working fine, but I am not able to access the firewall from Site-A, which has the static IP address. I have given the "management-access inside" command on the Site-B firewall and set the ssh/https access for the Site-A local VPN subnet.

Site-B Configuration Sample



Local Subnet =

Remote Subnet =



http inside

http inside


telnet inside

telnet inside


ssh inside

ssh inside


management-access inside



I just want to know whether this is a software bug or whether anything else needs to be done on the Cisco ASA with the 8.4(4) version. I have done this thousands of times with the previous versions.


Best Regards,

Mubasher Sultan

craig-allen Sun, 06/10/2012 - 05:45


I've also just upgraded to 8.8.4 (was on 8.4.1) in one of my spoke sites and I'm unable to ping, query via SNMP or SSH from the hub site to the inside interface. Syslog is also not working from the spoke site to the hub site via the VPN tunnel.

The strange thing is that TACACS from the spoke to the hub site is still working via the VPN tunnel, which also uses the inside interface.

So it seems that upgrading to 8.4.4 has broken a few features, i.e. ping, snmp, ssh/telnet and syslog, that work via the management command.

Must be a bug!!!!

Mubasher Sultan... Sun, 06/10/2012 - 06:04


It seems to be a software bug. I am also unable to get a ping/ssh/telnet/https response. I can see in the ASDM logs that traffic is reaching the firewall but is torn down. I didn't try with the TACACS+ traffic.

Also, I tried with the packet tracer command,

packet-tracer input inside tcp 1024 23

and found the below as "Type: ipsec-tunnel-flow,  Result: Drop".

Please advise.




kmfranklin Thu, 09/06/2012 - 12:53

In case anyone else is still having this issue, I was finally able to resolve this issue on our ASAs. It seems that after 8.4.1 (maybe 8.4.2) a "quota" for management connections needs to be defined; its default is 0.

quota management-session XXX (where XXX is between 0 and 10000)

After issuing that command, everything started reporting normally again. Unfortunately, it appears that you can't issue that command in 8.4.1 prior to upgrading to 8.4.4. Certainly makes this jump more troublesome. 

Javier Portuguez Thu, 09/06/2012 - 14:26


By any chance, did you add the "route-lookup" command at the end of the NAT statement?

* Assuming you are coming over a VPN connection.



kmfranklin Thu, 09/06/2012 - 14:29

Edit: I just upgraded another ASA and didn't make the change to the Quota (just the NAT change) and it worked. Sounds like my original NAT statement may have been my problem.

Message was edited by: Kurtis Franklin

Javier Portuguez Thu, 09/06/2012 - 14:52

Probably... The route-lookup command must be in there.

Please rate any posts you find useful.


alexdelangel Fri, 09/26/2014 - 21:29

Hello friends,

Please allow me to resurrect this old post. Thank you so much for your answer, Javier Portuguez. I had the same issue, but with AnyConnect sessions. I have added the "route lookup" statement to the NAT rule, and now I am able to manage the inside interface of my ASA through AnyConnect sessions. I hope you keep helping a lot of people with your answers.
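
The fix the thread converges on (adding route-lookup to the NAT rule that exempts the VPN traffic) can be checked offline against a saved running-config. The script below is an added example, not code from any poster in this thread: it flags identity twice-NAT rules on the management-access interface that lack the route-lookup keyword. The object names, addresses and the exact NAT line are constructed, since the thread never shows the posters' NAT statements, and the line matching is a heuristic that assumes one NAT rule per config line.

```python
import re

# Twice-NAT line: nat (real_if,mapped_if) [options] source static REAL MAPPED [rest]
NAT_RE = re.compile(
    r"^nat \((?P<real>[^,\s]+),(?P<mapped>[^)\s]+)\)\s+(?:\S+\s+)*?"
    r"source static\s+(?P<src_real>\S+)\s+(?P<src_mapped>\S+)(?P<rest>.*)$"
)

def audit_mgmt_nat(config):
    """Return identity NAT lines on the management-access interface
    that do not carry the route-lookup keyword."""
    lines = [line.strip() for line in config.splitlines()]
    # Interfaces named by "management-access <if>", e.g. "inside".
    mgmt_ifs = {l.split()[1] for l in lines
                if l.startswith("management-access ") and len(l.split()) == 2}
    findings = []
    for line in lines:
        m = NAT_RE.match(line)
        if not m or m["real"] not in mgmt_ifs:
            continue
        # Identity NAT (NAT exemption): real and mapped source are the same object.
        is_identity = m["src_real"] == m["src_mapped"]
        if is_identity and "route-lookup" not in m["rest"].split():
            findings.append(line)
    return findings

# Constructed sample config (documentation address ranges, hypothetical names).
SAMPLE_BEFORE = """\
object network SITE-B-LAN
 subnet 192.0.2.0 255.255.255.0
object network SITE-A-LAN
 subnet 198.51.100.0 255.255.255.0
nat (inside,outside) source static SITE-B-LAN SITE-B-LAN destination static SITE-A-LAN SITE-A-LAN no-proxy-arp
ssh 198.51.100.0 255.255.255.0 inside
management-access inside
"""
# Same config with the keyword discussed in the thread appended to the NAT rule.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("no-proxy-arp", "no-proxy-arp route-lookup")

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        hits = audit_mgmt_nat(cfg)
        print(label, "->", "OK" if not hits else "missing route-lookup:")
        for hit in hits:
            print("   ", hit)
```
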


