05-30-2017 10:23 AM
Hello,
We have an ASA5506X running ASA 9.81 and ASDM 7.8(1) that has a Site-to-Site VPN to another ASA. The tunnel is working great, no issues. The problem is when it comes to ASDM of the remote device.
I am behind ASA#1 (10.x.0.0) and I am trying to manage ASA#2 (10.x.2.0) via ASDM; it fails on both the inside and outside interfaces.
On Outside interface, we have proper rules, I see this in the log:
%ASA-6-725001: Starting SSL handshake with client outside:131.x.x.x/39815 to 208.x.x.x/443 for TLS session
%ASA-6-302013: Built inbound TCP connection 1749557 for outside:131.x.x.x/62975 (131.x.x.x/62975) to identity:208.x.x.x/443 (208.x.x.x/443)
%ASA-6-302014: Teardown TCP connection 1749557 for outside:131.x.x.x/62975 to identity:208.x.x.x/443 duration 0:00:01 bytes 7 TCP FINs
Browsing to https://208.x.x.x gives a NET::ERR_CERT_AUTHORITY_INVALID
When we try to ASDM to inside(has correct rules), we see this:
%ASA-6-302013: Built inbound TCP connection 1751992 for outside:10.x.0.104/9046 (10.x.0.104/9046) to identity:10.x.2.1/443 (10.x.2.1/443)
Then it just times out. Browsing to https://10.x.2.1 fails with "Page Cannot be Displayed".
Now we're using the Bridge-Group (BVI1) as we need multiple switchports. So when we use Management-Access we choose the BVI group name (inside). This allows ICMP to the inside IP no problem, but ASDM still fails. I watch the logs and I see the connection coming in, but nothing after.
If I change 'management-access inside' to 'management-access inside_1' we get %ASA-6-110002: Failed to locate egress interface for TCP from outside:10.x.0.104/8673 to 10.x.2.1/443 and ICMP stops. So it's safe to assume the interface needs to be the BVI group (inside).
Now the ONLY way we have been able to do ASDM is to do the following:
no http server enable
http server enable 8081
We can now connect to the OUTSIDE IP on Port 8081 and manage via ASDM. However, Inside still does not work.
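The symptom above (a 302013 "Built inbound TCP connection" to the identity interface on 443 with nothing after it) can be picked out of a syslog export automatically. The script below is an added example, not something from the thread or from Cisco; the log lines in it are constructed to mirror the masked ones quoted in the post, and the 725001 handshake message is matched to its build line by source/destination address and port because that message carries no connection id.

```python
import re

# Constructed sample modelled on the masked lines quoted in the thread; not a real capture.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1749557 for outside:131.x.x.x/62975 (131.x.x.x/62975) to identity:208.x.x.x/443 (208.x.x.x/443)
%ASA-6-725001: Starting SSL handshake with client outside:131.x.x.x/62975 to 208.x.x.x/443 for TLS session
%ASA-6-302014: Teardown TCP connection 1749557 for outside:131.x.x.x/62975 to identity:208.x.x.x/443 duration 0:00:01 bytes 7 TCP FINs
%ASA-6-302013: Built inbound TCP connection 1751992 for outside:10.x.0.104/9046 (10.x.0.104/9046) to identity:10.x.2.1/443 (10.x.2.1/443)
"""

# search() rather than match() so a leading syslog timestamp/hostname does not break parsing
BUILT = re.compile(r"%ASA-6-302013: Built inbound TCP connection (\d+) for (\S+?):(\S+?)/(\d+) .* to identity:(\S+?)/(\d+)")
SSL = re.compile(r"%ASA-6-725001: Starting SSL handshake with client (\S+?):(\S+?)/(\d+) to (\S+?)/(\d+)")
TEARDOWN = re.compile(r"%ASA-6-302014: Teardown TCP connection (\d+) .* duration (\S+) bytes (\d+)")


def find_stalled_mgmt_connections(log_text, mgmt_ports=(443,)):
    """Return {conn_id: details} for connections that reached the ASA's own (identity)
    interface on a management port but never produced a 725001 SSL handshake message."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m:
            cid, iface, src, sport, dst, dport = m.groups()
            if int(dport) in mgmt_ports:
                conns[cid] = {"iface": iface, "src": src, "sport": int(sport), "dst": dst,
                              "dport": int(dport), "ssl": False, "torn_down": False, "bytes": None}
            continue
        m = SSL.search(line)
        if m:
            _iface, src, sport, dst, dport = m.groups()
            # No connection id in 725001: correlate on the 4-tuple of the build line.
            for c in conns.values():
                if (c["src"], c["sport"], c["dst"], c["dport"]) == (src, int(sport), dst, int(dport)):
                    c["ssl"] = True
            continue
        m = TEARDOWN.search(line)
        if m:
            cid, _duration, nbytes = m.groups()
            if cid in conns:
                conns[cid]["torn_down"] = True
                conns[cid]["bytes"] = int(nbytes)
    return {cid: c for cid, c in conns.items() if not c["ssl"]}


if __name__ == "__main__":
    for cid, c in find_stalled_mgmt_connections(SAMPLE_LOG).items():
        print(f"conn {cid}: {c['src']}:{c['sport']} -> {c['dst']}:{c['dport']} built, no SSL handshake seen")
```

Run it against a `show logging` export or a syslog file; a connection that is listed here but pings fine points at the management-access / http allow-list, not at reachability.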
05-30-2017 03:27 PM
When you have "management-access inside" set, what is your http config? You also have to add "http 10.x.0.0 255.255.255.0 inside" to allow you to manage the ASDM from that source ip address range. Since you are able to ping the ASA#2 inside interface, reachability between your PC and ASA#2 seems to be correct. So in your case, the config should look like:
management-access inside
http server enable
http 10.x.0.0 255.255.255.0 inside
05-31-2017 07:12 AM
Hi Rahul,
Now here is where it's interesting: you can't do that command, you get this:
asa5506(config)# http 10.x.0.0 255.0.0.0 inside
ERROR: % Ambiguous command: "http 10.x.0.0 255.0.0.0 inside"
Only thing that works is doing all the interfaces directly, it does not accept the bridge-group:
http 10.x.0.0 255.0.0.0 inside_1
http 10.x.0.0 255.0.0.0 inside_2
http 10.x.0.0 255.0.0.0 inside_3
http 10.x.0.0 255.0.0.0 inside_4
http 10.x.0.0 255.0.0.0 inside_5
http 10.x.0.0 255.0.0.0 inside_6
That's why I am wondering if this is a bug...
06-12-2017 01:05 PM
Same problem.. It seems that the Bridge Group functionality is some kind of hack which is not carefully integrated with established functionality. And that some configurations must be replicated for each physical interface in the bridge group is very ugly. The ASA5506 has been causing me issues from the very first moment, where the good old ASA5505, the 100mbit limitation aside, is doing a good job.. It is frustrating.
07-04-2017 08:36 AM
TAC Case Open, number is: 682626980
07-10-2017 07:56 AM
It's now listed as a BUG, with no fix as of yet.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve82307/?reffering_site=dumpcr
07-10-2017 08:08 AM
Thanks for reverting back with this information.