5506X ASDM to Inside over Site-to-Site

Report Inappropriate Content · ‎05-30-2017

Hello,

We have an ASA5506X running ASA 9.81 and ASDM 7.8(1) that has a Site-to-Site VPN to another ASA. The Tunnel is working great, no issues.Problem is when it comes to ASDM of the remote device.

I am behind ASA#1(10.x.0.0) and I am trying to manage ASA#2(10.x.2.0) via ASDM, it fails on both inside and outside interfaces.

On Outside interface, we have proper rules, I see this in the log:

%ASA-6-725001: Starting SSL handshake with client outside:131.x.x.x/39815 to 208.x.x.x/443 for TLS session

%ASA-6-302013: Built inbound TCP connection 1749557 for outside:131.x.x.x/62975 (131.x.x.x/62975) to identity:208.x.x.x/443 (208.x.x.x/443)

%ASA-6-302014: Teardown TCP connection 1749557 for outside:131.x.x.x/62975 to identity:208.x.x.x/443 duration 0:00:01 bytes 7 TCP FINs

Browsing to https://208.x.x.x gives a NET::ERR_CERT_AUTHORITY_INVALID

When we try to ASDM to inside(has correct rules), we see this:

%ASA-6-302013: Built inbound TCP connection 1751992 for outside:10.x.0.104/9046 (10.x.0.104/9046) to identity:10.x.2.1/443 (10.x.2.1/443)

Then it just times out. Browsing to https://10.x.2.1 <-fails,Page Cannot be Displayed

Now were using the Bridge-Group (BV1) as we need multiple switchports. So when we use Management-Access we choose the BV group name (inside). This allows ICMP to Inside IP no problem, but ASDM still fails. I watch logs and I see the connection coming in, but nothing after.

If I change 'management-access inside' to 'management-acess inside_1' we get %ASA-6-110002: Failed to locate egress interface for TCP from outside:10.x.0.104/8673 to 10.x.2.1/443 and ICMP stops. So its safe to assume the interface needs to be the BV group (Inside).

Now the ONLY way we have been able to do ASDM is to do the following:

no http server enable

http server enable 8081

We can now connect to the OUTSIDE IP on Port 8081 and manage via ASDM. However, Inside still does not work.

Rahul Govindan · ‎05-30-2017

When you have "management-access inside" set, what is your http config? You also have to add "http 10.x.0.0 255.255.255.0 inside" to allow you to manage the ASDM from that source ip address range. Since you are able to ping the ASA#2 inside interface, reachability between your PC and ASA#2 seems to be correct. So in your case, the config should look like:

management-access inside
http server enable
http 10.x.0.0 255.255.255.0 inside

Report Inappropriate Content · ‎05-31-2017

Hi Rahul,

Now here is where its interesting, you can't do that cmd, you get this:

asa5506(config)# http 10.x.0.0 255.0.0.0 inside
ERROR: % Ambiguous command: "http 10.x.0.0 255.0.0.0 inside"

Only thing that works is doing all the interfaces directly, it does not accept the bridge-group:

http 10.x.0.0 255.0.0.0 inside_1
http 10.x.0.0 255.0.0.0 inside_2
http 10.x.0.0 255.0.0.0 inside_3
http 10.x.0.0 255.0.0.0 inside_4
http 10.x.0.0 255.0.0.0 inside_5
http 10.x.0.0 255.0.0.0 inside_6

Thats why I am wondering if this is a bug...

giampaolo.trenta · ‎06-12-2017

Same problem.. It seem that the Bridge Group functionality is some kind of hack which is not carefully integrated with established functionality. And that some configurations must be replicated for each physical interface in the bridge group is very ugly. The ASA5506 is causing me issues from the very first moment where the good old ASA5505 beside the 100mbit limitation is doing a good job.. It is frustrating

Report Inappropriate Content · ‎07-04-2017

TAC Case Open, number is: 682626980

Report Inappropriate Content · ‎07-10-2017

Its now listed as a BUG, with no fix as of yet.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve82307/?reffering_site=dumpcr

Rahul Govindan · ‎07-10-2017

Thanks for reverting back with this information.