ASA 8.4(2) no management access with VPN (Anyconnect) after upgrade.

Ulrik Thorup
Level 1

Hi.

We have an annoying problem which we've been spending some time on, but we've given up now.

We have a customer who upgraded their ASA5505 from 8.4(1) to 8.4(2). Usually the customer can access the firewall with Anyconnect and manage it with ASDM or SSH from a remote location.

After the upgrade they can still connect with Anyconnect, see the inside network, but can't access the firewall with ASDM or SSH anymore.

We wanted to make a test on our LAB-ASA5505 and made a setup like our customer. We configured Anyconnect access and made sure we could access the firewall with ASDM from a remote location. We made sure we had access from the Anyconnect VPN-Pool 172.16.150.0 and set the management interface. This setup is running fine in version 8.4(1).

http 172.16.150.0 255.255.255.0 inside.30.LAN

management-access inside.30.LAN

Then we make a firmware upgrade to 8.4(2) and then, like our customer, it is not possible to access ASDM on the Anyconnect connection. We have not made any changes in the configuration.

Looking at the difference between the configuration 8.4(1) and 8.4(2) it seems like the firmware upgrade makes a few changes.

1) the interface vlan xx's are moved below interface FastEthernetx/x

2) there is a new command "user-identity default-domain LOCAL"

Otherwise the two configurations look identical.

If we disable "user-identity default-domain LOCAL", it doesn't change anything.

So we are wondering what to do now. Perhaps someone can give us a clue?

We have attached both configurations:

8.4(1) = before.txt

8.4(2) = after.txt

Any help is appreciated.

Thanks in advance.

/Ulrik

Accepted Solution

Maykol Rojas
Cisco Employee

You are most likely hitting bug CSCtr16184

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr16184

Feel free to upgrade; if the image is not available, go ahead and open a TAC case so we can provide the code.

Mike

12 Replies


Hi Mike.

Thanks for your quick reply.

I just checked the bug description. Yes, that is exactly what the problem is.

I will try to configure the work around and see if we are lucky. Or else ask the customer to downgrade or wait for a new firmware release.

For now - problem enlightened! Thanks!

/Ulrik

Geeez Mike... a bug? That sucks.

Thanks man, I've been trying to figure out two issues like this. One from this same forum.

Jejejejej... No problem, glad I helped.

Mike

Just a follow-up on the VPN issue.

I received firmware version 8.4.2.8 from TAC today. It seems like I still have the problem with management access on an Anyconnect VPN connection to the firewall.

I will do some more testing after the weekend.

/Ulrik


Little more testing done now.

Yes, the problem is solved in firmware 8.4.2.8. Forgot to add "route-lookup" in my first attempt.

Btw., this firmware version has just been officially released by Cisco.

/Ulrik

Thanks Ulrik for your collaboration. This is what makes this community what it is.

Mike

I'm having the same problem after upgrading from 8.2(4) to 8.4(2). I cannot ping the inside interface at all. I can access it from the LAN, or anywhere else but not from VPN connection.

Did you try the recommended workaround?

Mike

Yes, it works now with the workaround. I thought the updated version corrected this problem. That's why I didn't look into that at the beginning.

Thanks.

I encountered the same issue when upgrading from 8.2.4 directly to 8.4.2.8. Even though adding the route-lookup command fixes the issue, I was able to get this working in a lab environment by adding the command in the console.

This is unacceptable in a real remote office. If you need to upgrade several ASA 5505 firewalls that have a VPN to headquarters, and the only way to access the device via SSH and ASDM is through the internal interface via the tunnel, you will be locked out of the firewall after the firewall reboots and comes up with 8.4.2.8. The VPN would come up and you would be able to get to the LAN, but not the ASA inside interface. There has to be a fix, especially during the NAT migration.

The bug actually mentions it was resolved in 8.4.2.3, so what could have happened was that the bug came back after the new interim version was released. I have a ticket open with the TAC, so they can find a resolution for this.

Hi,

I just had the same issue with an ASA 5510 running the 8.4(6) code.

I used the workaround in the bug id to fix the problem (added the route-lookup keyword in the manual nat statement used by the RA VPN...)

Thanks for the helpful post,

I am surprised that the bug is back, Cisco says that new code is regression tested for all fixed bugs...

Patrick
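The workaround that Ulrik and Patrick refer to, written out as an added example rather than a configuration posted in this thread: the identity twice NAT (manual NAT) statement that exempts AnyConnect pool traffic from translation, first in the form that exhibits the lockout, then with the route-lookup keyword from the bug note. The pool 172.16.150.0/24 and the interface name inside.30.LAN come from the original post; the object name VPN-POOL and the interface name outside are assumptions.

```cisco
! Assumed object name; the pool address is the one used in the original post.
object network VPN-POOL
 subnet 172.16.150.0 255.255.255.0

! BEFORE: identity twice NAT between the LAN and the AnyConnect pool.
! In 8.3+ twice NAT the egress interface is taken from the NAT rule, not from the
! routing table. For pool traffic addressed to the ASA's own inside address this
! produces the symptom described in the thread: LAN hosts are reachable over the
! tunnel, but SSH/ASDM to the inside interface is not.
nat (inside.30.LAN,outside) source static any any destination static VPN-POOL VPN-POOL

! AFTER: same rule with the route-lookup keyword, so the ASA determines the egress
! interface with a route lookup. This is the workaround from the bug note, applied
! on a console session before a remote upgrade so the tunnel-only site is not locked out.
no nat (inside.30.LAN,outside) source static any any destination static VPN-POOL VPN-POOL
nat (inside.30.LAN,outside) source static any any destination static VPN-POOL VPN-POOL route-lookup

! Management access over the tunnel still requires these; the http and
! management-access lines are from the original post, the ssh line is added here.
management-access inside.30.LAN
http 172.16.150.0 255.255.255.0 inside.30.LAN
ssh 172.16.150.0 255.255.255.0 inside.30.LAN
```

After the change, "show nat detail" should list the rule with route-lookup and the hit count should increase while an AnyConnect client connects to the inside address with SSH or ASDM.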
