08-31-2011 11:07 AM - edited 03-11-2019 02:19 PM
Hi.
We have an annoying problem which we've spent some time on, but we have given up now.
We have a customer who upgraded their ASA5505 from 8.4(1) to 8.4(2). Usually the customer can access the firewall with Anyconnect and manage it with ASDM or SSH from a remote location.
After the upgrade they can still connect with Anyconnect, see the inside network, but can't access the firewall with ASDM or SSH anymore.
We wanted to make a test on our LAB-ASA5505 and made a setup like our customer. We configured Anyconnect access and made sure we could access the firewall with ASDM from a remote location. We made sure we had access from the Anyconnect VPN-Pool 172.16.150.0 and set the management interface. This setup is running fine in version 8.4(1).
http 172.16.150.0 255.255.255.0 inside.30.LAN
management-access inside.30.LAN
Then we make a firmware upgrade to 8.4(2) and then, like our customer, it is not possible to access ASDM on the Anyconnect connection. We have not made any changes in the configuration.
Looking at the difference between the 8.4(1) and 8.4(2) configurations, it seems like the firmware upgrade makes a few changes:
1) the interface vlan xx's are moved below interface FastEthernetx/x
2) there is a new command "user-identity default-domain LOCAL"
Otherwise the two configurations look identical.
If we disable "user-identity default-domain LOCAL", it doesn't change anything.
So we are wondering what to do now. Perhaps someone can give us a clue?
We have attached both configurations:
8.4(1) = before.txt
8.4(2) = after.txt
Any help is appreciated.
Thanks in advance.
/Ulrik
08-31-2011 11:16 AM
You are most likely hitting bug CSCtr16184.
Feel free to upgrade; if the image is not available, go ahead and open a TAC case so we can provide the code.
Mike
08-31-2011 11:29 AM
Hi Mike.
Thanks for your quick reply.
I just checked the bug description. Yes, that is exactly what the problem is.
I will try to configure the workaround and see if we are lucky. Or else ask the customer to downgrade or wait for a new firmware release.
For now - problem enlightened! Thanks!
/Ulrik
08-31-2011 11:52 AM
Geeez Mike... a bug ? that sucks.
Thanks man, I've been trying to figure out two issues like this. One from this same forum
08-31-2011 12:12 PM
Jejejejej... No problem, glad I helped
Mike
09-01-2011 01:09 PM
Just a follow-up on the VPN issue.
I received firmware version 8.4.2.8 from TAC today. It seems like I still have the problem with management access on an Anyconnect VPN connection to the firewall.
I will do some more testing after the weekend.
/Ulrik
09-04-2011 05:34 AM
A little more testing done now.
Yes, the problem is solved in firmware 8.4.2.8. Forgot to add "route-lookup" in my first attempt.
Btw., this firmware version has just been officially released by Cisco.
/Ulrik
09-04-2011 08:32 AM
Thanks Ulrik for your collaboration. This is what makes this community what it is.
Mike
11-02-2011 04:32 PM
I'm having the same problem after upgrading from 8.2(4) to 8.4(2). I cannot ping the inside interface at all. I can access it from the LAN, or anywhere else but not from VPN connection.
11-02-2011 04:48 PM
Did you try the recommended workaround?
Mike
11-03-2011 05:32 AM
Yes, it works now with the workaround. I thought the updated version corrected this problem. That's why I didn't look into that at the beginning.
Thanks.
11-03-2011 08:45 AM
I encountered the same issue when upgrading from 8.2.4 directly to 8.4.2.8. Even though adding the route-lookup command fixes the issue, I was able to get this working in a lab environment, by adding the command in the console.
This is unacceptable in a real remote office. If you need to upgrade several ASA 5505 firewalls that have a VPN to headquarters, and the only way to access the device via SSH and ASDM is through the internal interface via the tunnel, you will be locked out of the firewall after the firewall reboots and comes up with 8.4.2.8. The VPN would come up and you would be able to get to the LAN, but not the ASA inside interface. There has to be a fix, especially during the NAT migration.
The bug actually mentions it was resolved in 8.4.2.3, so what could have happened was that the bug came back after the new interim version was released. I have a ticket open with the TAC, so they can find a resolution for this.
06-11-2013 09:10 AM
Hi,
I just had the same issue with an ASA 5510 running the 8.4(6) code.
I used the workaround in the bug ID to fix the problem (added the route-lookup keyword to the manual NAT statement used by the RA VPN).
Thanks for the helpful post,
I am surprised that the bug is back, Cisco says that new code is regression tested for all fixed bugs...
Patrick
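To make the workaround discussed by Ulrik and Patrick above concrete, here is an added illustration of what the relevant ASA 8.4 configuration looks like with the route-lookup keyword on the manual (twice) NAT exemption. This is not configuration from the thread or from Cisco; it reuses the VPN pool 172.16.150.0/24 and the interface name inside.30.LAN from the original post, while the outside interface name, the object names and the LAN subnet are assumed placeholders.

```text
! Objects for the remote-access VPN pool and the protected LAN.
! 172.16.150.0/24 and inside.30.LAN come from the original post;
! "outside", "LAN-INSIDE", "VPN-POOL" and 192.0.2.0/24 are assumed.
object network VPN-POOL
 subnet 172.16.150.0 255.255.255.0
object network LAN-INSIDE
 subnet 192.0.2.0 255.255.255.0

! Identity (no-translation) twice NAT between the LAN and the VPN pool.
! Without route-lookup the ASA picks the egress interface from the NAT
! rule, so traffic from a VPN client to the inside interface itself is
! not recognised as to-the-box management traffic (the symptom in this
! thread). route-lookup makes the ASA consult the routing table instead.
nat (inside.30.LAN,outside) source static LAN-INSIDE LAN-INSIDE destination static VPN-POOL VPN-POOL route-lookup

! Allow management of the inside interface through the VPN tunnel and
! restrict ASDM/SSH to the VPN pool only.
management-access inside.30.LAN
http 172.16.150.0 255.255.255.0 inside.30.LAN
ssh 172.16.150.0 255.255.255.0 inside.30.LAN
```

Apply the NAT change from the console (or out-of-band) before rebooting into the affected release, as the thread notes that the inside interface becomes unreachable over the tunnel until the keyword is present; afterwards confirm with "show nat" that the rule shows the route-lookup option and that ASDM/SSH from a pool address succeeds.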