topic Re: FPR1010 running asa software. ASDM not authenticating from outside in Network Security

FPR1010 running asa software. ASDM not authenticating from outside.

troyb — Wed, 29 Jan 2025 19:34:39 GMT

Has anyone ran into the issue whereby you can use the ASDM on an FPR1010 running asa software from the inside LAN and it works fine, but from outside, it connects but you get a password error? I see this on two different FPR units.

I could understand if it was just not connecting as this would be an issue with the device not setup for remote management. But it is setup and it does connect and it comes back with login failed. Enter username and password.

Units are current on their firmware.

Best,

-Troyb

Re: FPR1010 running asa software. ASDM not authenticating from outside

MHM Cisco World — Wed, 29 Jan 2025 19:41:12 GMT

Can I see aaa config in your ASA

MHM

Re: FPR1010 running asa software. ASDM not authenticating from outside

troyb — Wed, 29 Jan 2025 20:38:46 GMT

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history

There are aaa servers configured but are only used for VPN, Cisco duo and LDAP.

Re: FPR1010 running asa software. ASDM not authenticating from outside

Sheraz.Salim — Wed, 29 Jan 2025 22:50:29 GMT

hey can you double check if you have enable the http access and also enable at outside interface.

http server enable http <outside-interface-IP> <subnet-mask> <outside-interface>

also I beleive you the problem you're describing, where ASDM works fine from the inside LAN but fails with a password error from the outside, is likely related to the management-access configuration so try this command

management-access inside http server enable http 0.0.0.0 0.0.0.0 outside http 0.0.0.0 0.0.0.0 inside

if you still having issues in that case best is to collect the logs via debugs.

debug aaa authentication debug webvpn 255 ! show logging

Re: FPR1010 running asa software. ASDM not authenticating from outside

MHM Cisco World — Thu, 30 Jan 2025 20:28:19 GMT

Share these

Show run http

Show asp table socket

Debug http 10 <<- this optional

Debug asdm history 10

Capture asdm interface outside match tcp host <asa ip> eq 443 <host ip>

MHM

Re: FPR1010 running asa software. ASDM not authenticating from outside

troyb — Mon, 24 Feb 2025 20:09:11 GMT

Sorry everyone for not replying sooner. Got a bit ill and taken out of service. So it would seem that after updating the firmware on an ASA5506X to the latest version also has created this same problem. Can authenticate from inside and from VPN, but can not authenticate from outside. The outside is permitted and was working before the update. It does connect but just gets a username/password error. I will be doing some debug captures later this week and can post them. But it would seem that password authentication broke with the latest version of the firmware/ASDM.

Re: FPR1010 running asa software. ASDM not authenticating from outside

troyb — Tue, 25 Feb 2025 17:14:20 GMT

Here is a datapoint. I was logged in via ASDM from an machine on the inside and watching the logs. Then while watching the logs, I attempted to connect to the same ASA from a machine on the outside that is in the ASDM allowed IP block with the same username and password that I am using with the one I am logged in with on the inside. It logged the reason as invalid password.

Re: FPR1010 running asa software. ASDM not authenticating from outside

Sheraz.Salim — Tue, 25 Feb 2025 20:07:19 GMT

prior to the upgrade it was working since you done the upgrade its stop working. what were the software of ASA version prior to upgrade and whats the version post upgrade?

also could you confirm you running ASA-5506X or FPR101?

Re: FPR1010 running asa software. ASDM not authenticating from outside

Sheraz.Salim — Tue, 25 Feb 2025 20:13:21 GMT

what is the ASDM version you on and what is the software ASA code running? show your configuration "show run all http"

Re: FPR1010 running asa software. ASDM not authenticating from outside

troyb — Tue, 25 Feb 2025 20:36:24 GMT

On the only working FRP1010, we are running 9.14(2)15 with ASDM 7.14(1). On the FPR1010 units not working, they are running 9.18(4)40 or newer with ASDM 7.22(1). On the 5506x that stopped working after upgrade, it was running 9.8(4)25 and ASDM 7.10(1) and now it is running 9.16(4)76 and ASDM of 7.22(1).

Re: FPR1010 running asa software. ASDM not authenticating from outside

Sheraz.Salim — Tue, 25 Feb 2025 20:44:30 GMT

ASA5506 is EOL/EOS interesting I noted on-ward 9.14 ASDM outside is not working in your case. have you tested doing SSH from outside interface just tying to narrow down the problem.

Re: FPR1010 running asa software. ASDM not authenticating from outside

troyb — Tue, 25 Feb 2025 20:49:08 GMT

Yes. SSH works fine from the outside. It is used by our config backup system. I am able to ssh using my same username and password that works inside via ssh and asdm on the outside with no issues. Just asdm that no longer authenticates.

Re: FPR1010 running asa software. ASDM not authenticating from outside

Sheraz.Salim — Tue, 25 Feb 2025 20:55:05 GMT

thats seem to be some bug behaviour. you can SSH same username and password but when using ASDM you have issue/s. Try using different ASDM version.

Re: FPR1010 running asa software. ASDM not authenticating from outside

troyb — Thu, 27 Feb 2025 23:27:44 GMT

Okay, so here is what I was able to determine. The units (both FPR and 5506x) that are not working are resolved by turning off or removing from the config aaa authentication http console LOCAL resolves the issue. However the ones that were working and running earlier versions have those set and break ASDM if removed. This is the case for all FPR1010 and the 5506X except for one. We have one FPR1010 that is running version 9.16(3)23 and ASDM 7.19(1). This one if this setting is removed, can no longer connect at all via ASMD, not just get a password error.

So this looks like a bug where local authentication setting is reversed for ASDM authentication and is broken all together in the version of firmware or ASDM that is running on the one FPR1010 unit. I should note that SSH seems to work just fine with it enabled and breaks if you disable it, so no consistency in the code it would seem.

@troyb wrote:
Has anyone ran into the issue whereby you can use the ASDM on an FPR1010 running asa software from the inside LAN and it works fine, but from outside, it connects but you get a password error? I see this on two different FPR units.
I could understand if it was just not connecting as this would be an issue with the device not setup for remote management. But it is setup and it does connect and it comes back with login failed. Enter username and password.
Units are current on their firmware.
Best,

-Troyb

Re: FPR1010 running asa software. ASDM not authenticating from outside

s_SiD_s — Fri, 28 Feb 2025 07:01:40 GMT

If you have enabled SSL VPN on device, in that case, you cannot use ASDM to OUTSIDE interface as it uses same 443 port as VPN service.
to fix it, just issue the command - http server enable 8443
and in ASDM use vpn.company.com:8443

Re: FPR1010 running asa software. ASDM not authenticating from outside

troyb — Fri, 28 Feb 2025 17:10:54 GMT

Hello sSiDiUSs,

the Anyconnect secure client service and ASDM are not impacting each other. We have 40+ of the ASAs deployed and 10 FPR1010 units deployed. None have needed the ports changed to use ASDM and Anyconnect. This appears to be a bug in the firmware/ASDM image as inverting the setting for local authentication on the impacted units resolves the issue. The ASDM is using local authentication accounts and the Anyconnect is using radius/LDAP and Duo 2fa authentication. Having the Local authentication set on on these impacted units causes a password error (invalid password from local database) yet if you disable local authentication for the impacted units, Local authentication works for ASDM. Either setting does not impact the Anyconnect service.

However we do have one FPR1010 that is running a version that is between the older ones that work and the ones that have this bug that gets password errors from the local database when enabled and flat out will not connect at all if disabled (Gets connection timed out/No response). So will be upgrading this one unit to the current version which the others are running and verify. If all works with the inverted settings, then will open a bug case with TAC as I will have all the data needed to reproduce.

Thank you for your response.

Best,

-Troy