topic Re: After upgrade of ASA from 9.12 to 9.18 i cannot access it trough A in Network Security

After upgrade of ASA from 9.12 to 9.18 i cannot access it trough ASDM

tiwang — Mon, 19 Feb 2024 14:00:13 GMT

hi out there

I got a small funny challenge - we have 4 ASA clusters around the world where we have a kit in US and a similar kit in DK - both running on FP21xx with ASA 9.18(3)56.

These clusters has been running ASA 9.12 until recently where i didn't had any problems in accessing them trough the AnyConnect VPN tunnel. But after i have upgraded both clusters to 9.18 i cannot access the "local" here in Denmark trough ASDM remotely - only locally. The cluster in US i have no problem with - neither when connected directly to the cluster remotely or accessing it "internally" trough our Corp network.

I noticed that there is one small difference in the config - on the US cluster i can use any interface for managing the ASA whereas the local in Denmark has the option defined for only using the management interface for ASDM

console timeout 0
management-access management

But - has the "behaviour" of this option changed from the previous version?

Re: After upgrade of ASA from 9.12 to 9.18 i cannot access it trough A

Marius Gunnerud — Mon, 19 Feb 2024 20:03:21 GMT

Just asking the obvious question, did you also upgrade ASDM image after upgrading the ASA in Denmark?

Re: After upgrade of ASA from 9.12 to 9.18 i cannot access it trough A

tiwang — Mon, 19 Feb 2024 20:21:41 GMT

Yes - same image all over..

Re: After upgrade of ASA from 9.12 to 9.18 i cannot access it trough A

Marvin Rhoads — Tue, 20 Feb 2024 12:40:24 GMT

There was a new ssh stack introduced in 9.17 that prevents "SSH to a different interface over VPN (management-access)". However, it should only be in effect if explicitly called out.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/release/notes/asarn917.html

It wouldn't hurt to check on that though....

Re: After upgrade of ASA from 9.12 to 9.18 i cannot access it trough A

tiwang — Tue, 20 Feb 2024 12:56:10 GMT

Hmmm no certainly not - it could be related - I am (of course) using the std. stack
To verify if it could be related currently removed the definition of the management interface - to see if this makes any difference for the access trough the VPN tunnel

Re: After upgrade of ASA from 9.12 to 9.18 i cannot access it trough A

tiwang — Tue, 20 Feb 2024 13:03:05 GMT

and - it does - if "management-access management" is defined i cannot access it trough the VPN tunnel - which until now not has been "blocked" so a bit confusing when you are working the cluster and suddenly it changes behaviour - this can be a bit frustrating since you don't know if you made a mistanke - with 700 active users on it - or it is just by design ....

Re: After upgrade of ASA from 9.12 to 9.18 i cannot access it trough A

tvotna — Tue, 20 Feb 2024 15:11:10 GMT

Few routing changes were introduced on ASA in 9.18.2 when loopback support was added. Unfortunately, all we know is that this created problems: CSCwh53143, but we don't know why and what exact conditions to hit this issue are. So, this may or not be your case. The Command Reference is outdated, although it now mentions Cisco SSH and SNMP limitations, which is good: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/m_maa-match-d.html#wp6550330920

The bug was fixed in 9.18.4.5, 9.19.1.24, 9.20.2 and above.

HTH

Re: After upgrade of ASA from 9.12 to 9.18 i cannot access it trough A

hsahman — Thu, 01 Aug 2024 09:27:12 GMT

Hi guys,

I'm at 9.18.4.34 and I'm facing the same issue.. when I connect via remote access vpn, I can't access the ASA via ASDM. Previously on 9.16.x this was working...
Is there an workaround to make it accessable again? This is kinda annoying for the administation.

Thanks

Re: After upgrade of ASA from 9.12 to 9.18 i cannot access it trough A

tiwang — Thu, 01 Aug 2024 11:55:06 GMT

well - if "management-access management" is defined i cannot access it trough the VPN tunnel..

Re: After upgrade of ASA from 9.12 to 9.18 i cannot access it trough A

hsahman — Thu, 01 Aug 2024 12:30:27 GMT

Thanks tiwang,

but if you don't define this than management-access is allowed from all interfaces? This means also from the Outside?

Re: After upgrade of ASA from 9.12 to 9.18 i cannot access it trough A

tiwang — Thu, 01 Aug 2024 12:54:40 GMT

i don't disagree but this can you handle with access-lists

Re: After upgrade of ASA from 9.12 to 9.18 i cannot access it trough A

hsahman — Fri, 02 Aug 2024 09:27:14 GMT

That's what I thought... it's just a little bit frustrating that Cisco does such a change without really describing it... at least I didn't find any notes.
thanks guys