topic Re: ASDM connection reset in Network Security

ASDM connection reset

icomparateur — Wed, 13 Mar 2019 00:56:02 GMT

Hello,

I just upgraded my Cisco PIX 515E-R-DMZ with PIX software 8.0(3) : as recommended on http://www.cisco.com/en/US/customer/docs/security/pix/pix80/release/notes/prn803.html I first loaded the PIX 8.0(3) image, then restarted the device to complete with ASDM upgrade. Since the PIX restarted, everytime I try to connect to it, I get a connection reset message :

- Using ASDM Launcher, it says "Unable to launch ASDM from xx.xx.xx.xx Connection reset

- Using HTTPS, by typing https://xx.xx.xx.xx I get a "The connection was reset" message.

It means I cannot access my PIX anymore at this time. Any suggestion?

Thanks.

Re: ASDM connection reset

JORGE RODRIGUEZ — Wed, 02 Jan 2008 00:12:22 GMT

Hi Frederic, this is what I think is happening, you should have tftp both the 8.0(3) as well as the corresponding asdm version for 8.0 into pix then reboot, but because you upgraded the code and not asdm, asdm previous version is having issues loading with the new pix code. If in fact asdm was also upgraded in this process then I would suggest to tftp asdm image again into pix.. let us know if you need fruther assistance..

Rgds

Jorge

Re: ASDM connection reset

Alan Huseyin Kayahan — Wed, 02 Jan 2008 04:31:36 GMT

Hi Frederic

First, uninstall any previous version of ASDM from your PC

Then in CLI, type dir and check the ASDM image name. Then issue the following command

asdm image flash:/xxx.bin

Also make sure http server enable and http server x.x.x.x inside commands are issued

Regards

Re: ASDM connection reset

icomparateur — Wed, 02 Jan 2008 11:21:10 GMT

Ok I could connect using SSH, and copied the correct ADSM bin (6.0.3). The problem still persists, even with that ASDM version. I still get the same messages.

The "show version" command displays :

Cisco PIX Security Appliance Software Version 8.0(3)

Device Manager Version 6.0(3)

Compiled on Tue 06-Nov-07 19:50 by builders

System image file is "flash:/pix.bin"

Config file at boot was "startup-config"

Re: ASDM connection reset

Christopher Dreier — Wed, 02 Jan 2008 14:57:01 GMT

Frederic,

Could your HTTP server possibly have been disabled or enabled on a different port? Maybe the PC that you are trying to access with is not in the http server's acl?

"show run http" will reveal any problems there.

Thanks,

-=Blayne

Re: ASDM connection reset

icomparateur — Wed, 02 Jan 2008 16:54:59 GMT

Ok think I'm finding some clues, thanks everyone for the replies.

Before upgrading, I was always accessing the PIX ASDM through a VPN connection, with the inside interface IP. Seems that the 8.0(3) has screwed something in the config, and that those packets are now dropped.

I added a "http 0.0.0.0 0.0.0.0 outside" (just as a temporarily fix to check), and now I can access the ASDM from outside with no problem, even when I'm not connected to the VPN (by using the outside interface IP)

I would like to access the ASDM using my inside IP (192.168.X.1), once connected to the VPN that has a pool like 192.168.Y.0/24. I've got a rule that says "access-list outside_access_in extended permit ip 192.168.Y.0 255.255.255.0 any". Right now in the ASDM list I've got :

http 0.0.0.0 0.0.0.0 outside

http 192.168.X.0 255.255.255.0 inside

http 192.168.Y.0 255.255.255.0 outside

I'm not sure of the last one: is that correct ?

Re: ASDM connection reset

JORGE RODRIGUEZ — Wed, 02 Jan 2008 17:07:11 GMT

the last one make perfect sence as long as you are comming from the 192.168.Y.0 network

but it should be http 192.168.Y.0 255.255.255.0 inside.

I understand you issue http 0.0.0.0 0.0.0.0 outside but it is best to not use this statament if your outside faces internet public network , instead you can use ssh 0.0.0.0 0.0.0.0 outside if you ever want to connnect to pix from the outside interface.

Rgds

Jorge

Re: ASDM connection reset

icomparateur — Wed, 02 Jan 2008 17:12:11 GMT

I noticed some changes in the config since the upgrade.

Before - PIX 7.0(2)

group-policy AdminAccess attributes

[...]

nac disable

Now - PIX 8.0(3)

nac-policy AdminAccess-nac-framework-create nac-framework

reval-period 36000

sq-period 300

group-policy AdminAccess attributes

[...]

AdminAccess-nac-framework-create

Could the behavior change with my VPN connection be related to that new lines ?

Also noticed that since the upgrade, there is another new line : "dynamic-access-policy-record DfltAccessPolicy"

Re: ASDM connection reset

icomparateur — Wed, 02 Jan 2008 17:24:20 GMT

Thanks Jorge. I changed for "http 192.168.Y.0 255.255.255.0 inside", but still get the "The connection was reset" when trying to connect to https://192.168.X.1 or accessing with ASDM launcher (once connected to the VPN)

The "http 0.0.0.0 0.0.0.0 outside" statement is just as a temporary fix, as I'm not really confortable with the CLI (and Cisco products in general). I'll remove it immediatly after fixing this 🙂

Re: ASDM connection reset

icomparateur — Wed, 02 Jan 2008 17:54:38 GMT

Ok seems that the problem can be fixed by adding the command "management-access inside". That command was not in the previous config, and it was working perfectly without it. Is there any problem / considerations to add that command ?

Other question: can I safely put "nac-settings none" instead of "nac-settings value AdminAccess-nac-framework-create", considering the way the nac policy is defined right now :

nac-policy AdminAccess-nac-framework-create nac-framework

reval-period 36000

sq-period 300

Re: ASDM connection reset

JORGE RODRIGUEZ — Wed, 02 Jan 2008 20:48:56 GMT

Frederic glad you got it resolved with management-access inside, how could I have missed that! this will allow pix management through the vpn tunnel.., this is a good one to remember, I use vpn concentrator instead of asa and vpn ip-pool using external DHCP windows server.

personally have not play with nac in asa, someone may provide you with right answer.

Rgds

Jorge

Re: ASDM connection reset

vrush_192000 — Wed, 23 Jul 2008 02:41:54 GMT

Dear Jorge,

I have the same problem, I am not able to access PIX through ASDM as well as SSH. From inside network we are trying to this access on inside IP address of PIX firewall. Here one more thing It was working till yesterday.

Getting "Unable to luach ASDM from 1.x.x.x. Connection reset" but I can take control of secondary standby PIX firewall.

It is PIX 515E and IOS 7.0.1

Can you plz help in this??

Re: ASDM connection reset

JORGE RODRIGUEZ — Wed, 23 Jul 2008 16:18:58 GMT

Vrushali , will reply through your other thread..