We have an ASA5506X running ASA 9.81 and ASDM 7.8(1) that has a Site-to-Site VPN to another ASA. The tunnel is working great, no issues. The problem is when it comes to ASDM of the remote device.
I am behind ASA#1 (10.x.0.0) and I am trying to manage ASA#2 (10.x.2.0) via ASDM; it fails on both the inside and outside interfaces.
On Outside interface, we have proper rules, I see this in the log:
%ASA-6-725001: Starting SSL handshake with client outside:131.x.x.x/39815 to 208.x.x.x/443 for TLS session
%ASA-6-302013: Built inbound TCP connection 1749557 for outside:131.x.x.x/62975 (131.x.x.x/62975) to identity:208.x.x.x/443 (208.x.x.x/443)
%ASA-6-302014: Teardown TCP connection 1749557 for outside:131.x.x.x/62975 to identity:208.x.x.x/443 duration 0:00:01 bytes 7 TCP FINs
Browsing to https://208.x.x.x gives a NET::ERR_CERT_AUTHORITY_INVALID.
When we try ASDM to the inside (which has the correct rules), we see this:
%ASA-6-302013: Built inbound TCP connection 1751992 for outside:10.x.0.104/9046 (10.x.0.104/9046) to identity:10.x.2.1/443 (10.x.2.1/443)
Then it just times out. Browsing to https://10.x.2.1 fails with "Page Cannot be Displayed".
Now we're using the Bridge-Group (BV1) as we need multiple switchports. So when we use management-access we choose the BV group name (inside). This allows ICMP to the inside IP no problem, but ASDM still fails. I watch the logs and I see the connection coming in, but nothing after.
If I change 'management-access inside' to 'management-access inside_1' we get %ASA-6-110002: Failed to locate egress interface for TCP from outside:10.x.0.104/8673 to 10.x.2.1/443 and ICMP stops. So it's safe to assume the interface needs to be the BV group (inside).
Now the ONLY way we have been able to do ASDM is to do the following:
no http server enable
http server enable 8081
We can now connect to the OUTSIDE IP on port 8081 and manage via ASDM. However, inside still does not work.
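For reference, the management-plane settings the post touches, collected into one fragment as an added illustration (this is not the poster's configuration and is not offered as a fix). The /24 masks, the outside interface name and the trustpoint name ASDM_CERT are assumptions; the ASDM port and the BVI interface name "inside" are taken from the post.

```cisco
! --- ASA#2: HTTPS/ASDM management plane (illustrative, not the poster's running config) ---

! ASDM listens on the alternate port used in the post instead of 443.
http server enable 8081

! Restrict ASDM/HTTPS sources to the remote management subnet only
! (mask assumed /24; an unrestricted "http 0.0.0.0 0.0.0.0 outside" is the weak form to avoid).
http 10.x.0.0 255.255.255.0 inside
http 10.x.0.0 255.255.255.0 outside

! Terminate management traffic arriving through the VPN on the bridge-group interface,
! i.e. the BVI name (inside), not a member switchport such as inside_1.
management-access inside

! Present a CA-signed identity certificate on the outside interface so browsers and ASDM
! can validate it instead of raising NET::ERR_CERT_AUTHORITY_INVALID (trustpoint name assumed).
ssl trust-point ASDM_CERT outside
```

Use "show run http", "show run management-access" and "show run ssl" to compare a unit's live settings against these lines when troubleshooting.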