We have our ASA set up with 3 contexts: 1 management and 2 actual firewall contexts. The firewall contexts are working as expected; however, we can not connect to the Management Context. I am able to ping the interface but not SSH to it. I have tried enabling telnet to the interface and that does not work either.
While troubleshooting this, we figured out that the only network we can not connect from is our main network, where we would like the firewall management interface to reside (10.16.6.0). I changed the IP of the interface to 192.168.10.11 and moved it to that network, and the interface starts working just fine from within that network, but still nothing from 10.16.6.0 can connect. Our next thought was that some other device was blocking the connection, so we hooked up a crossover cable to the management interface, assigned it an IP and attempted to connect via the crossover cable, and were still denied. To make sure I had it hooked up correctly, I then assigned it a 10.16.8.11 address and connected my laptop up again, and I was able to connect just fine.
I figure somewhere down the line it picked up something that is blocking 10.16.6.0 that I can not see. So I went in and unassigned all interfaces from the management context and assigned a new interface. The configuration was reset but I still have the same problem.
I am not able to SSH, Telnet or connect with ASDM into the admin context, only console.
Config Below (I've changed a bunch of it trying to get it to work and haven't had ANY luck):
ip address 10.16.6.209 255.0.0.0
dns server-group DefaultDNS
pager lines 24
logging list Failover_Event level warnings class ha
Most of your config looks okay to me. I'm not sure if you removed this during your troubleshooting, but ASDM will not work until you add the 'http 0 0 Management' command and possibly the 'asdm image ' command.
Have you generated the SSH key with the 'crypto key generate' command?
At this point, I would start enabling some of the debug output when you are trying to connect. Enable syslogs at the debug level and also try 'debug ssh 255' to see if any messages are printed that might give you a clue as to why this is failing.
I would also take a look at the output of 'show ssh sessions', 'show resource usage', 'show proc | i ssh', and even 'debug npshim 15' to see if anything sticks out as being a problem.
Finally, what version of code are you running? There is a bug in 8.1 where there can be significant packet loss on the management interface when you have multiple contexts configured. Unfortunately, I don't have a bug ID handy but you should be able to find it in the Bug Toolkit.
The http command I just forgot to put back in once I cleared the config; that's just my fault. I am doing all of my testing with SSL at the moment.
I did regenerate the crypto key at 1024; that did help when I was using a connection other than the management interface. As soon as I went back to the management interface, I tried connecting, and it didn't work; I regenerated the key and toggled the ssh command, and it didn't work.
show ssh sessions - comes back with nothing. Which makes sense since no one can connect over SSH.
show resource usage - comes back with what I would expect it to, but nothing that jumps out at me (admin context is where I am having the problems):
Resource          Current        Peak      Limit  Denied  Context
Conns                   1          28  unlimited       0  admin
Hosts                   2           9  unlimited       0  admin
Xlates                  1           4  unlimited       0  Hilltop
Hosts                   1          84  unlimited       0  Hilltop
Syslogs [rate]          1        7971  unlimited       0  SOCC
Conns                6679     1244067  unlimited       0  SOCC
Xlates               5783      122499  unlimited       0  SOCC
Hosts                2064        3281  unlimited       0  SOCC
Conns [rate]          430       30206  unlimited       0  SOCC
Inspects [rate]       106       13728  unlimited       0  SOCC
show proc | i ssh - not sure what this should return:
I forgot to throw it out there that I did capture packets coming into the ASA (using the capture command in the ASA). When I do this, I never see the SSL packets even hit the ASA. The pings hit it just fine and show up in the capture information. This has been done over the network and with a crossover cable connected directly to the device.
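The checklist in the reply above (http/asdm access, SSH key, debug ssh, show ssh sessions) and the capture mentioned in the last post, pulled together as one admin-context configuration and verification sequence. This is an added example, not the poster's configuration or the replier's exact commands: it assumes the management nameif is "management", the management subnet is 10.16.6.0/24, and a local user "asaadmin" with a placeholder password. Note that the pasted config uses the mask 255.0.0.0 on the management interface, which makes all of 10.0.0.0/8 look directly connected; the example uses a /24, so substitute the mask that actually matches your management network. Access is restricted to the management subnet rather than opened with 0 0, and the capture matches only TCP/22 so the output stays readable.

```cisco
! ---- admin context: management-plane access (added example, not from the thread) ----
interface Management0/0
 nameif management
 security-level 100
 ! assumption: /24 rather than the /8 shown in the original paste
 ip address 10.16.6.209 255.255.255.0

! local admin account; PLACEHOLDER_PASSWORD is not a real value
username asaadmin password PLACEHOLDER_PASSWORD privilege 15
aaa authentication ssh console LOCAL

! host key needed before any SSH session can be accepted
crypto key generate rsa modulus 2048

! SSH only from the management subnet, on the management interface, SSHv2 only
ssh 10.16.6.0 255.255.255.0 management
ssh timeout 10
ssh version 2

! ASDM/HTTPS access from the same subnet only (the reply suggested 0 0; this is narrower)
http server enable
http 10.16.6.0 255.255.255.0 management

! ---- verification, in the order the reply suggests ----
show run ssh
show run http
show crypto key mypubkey rsa
show ssh sessions
show interface management

! capture only TCP/22 toward the management address so ICMP noise is excluded;
! if pings appear in a broader capture but these SYNs never do, the packets are not reaching the ASA
capture mgmt interface management match tcp any host 10.16.6.209 eq 22
show capture mgmt

! debug-level syslog plus SSH debug while a connection attempt is made
logging enable
logging buffered debugging
debug ssh 255
show logging | include 22

! clean up once done
undebug all
no capture mgmt
```

Run the verification block while a client on 10.16.6.0/24 attempts an SSH connection; the capture answers the first question (does the SYN arrive on the management interface at all), and `show logging` / `debug ssh` answer the second (if it arrives, why the ASA rejects it).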