10-01-2008 07:21 AM - edited 03-11-2019 06:51 AM
We have our ASA setup with 3 contexts. 1 management and 2 actual firewall contexts. The firewall contexts are working as expected however, we can not connect to the Management Context. I am able to ping the interface but not SSH to it. I have tried enabling telnet to the interface and that does not work either.
While troubleshooting this, we figured out that the only network we can not connect from is our main network where we would like the firewall management interface to reside (10.16.6.0). I changed the IP of the interface to 192.168.10.11 and moved it to that network and the interface starts working just fine from within that network, but still nothing from 10.16.6.0 can connect. Our next thought was that some other device was blocking the connection, so we took and hooked up a crossover cable to the management interface, assigned it an IP and attempted to connect via the crossover cable and were still denied. To make sure I had it hooked up correctly, I then assigned it a 10.16.8.11 address and connected my laptop up again and I was able to connect just fine.
I figure somewhere down the line it picked up something that is blocking 10.16.6.0 that I can not see. So I went in and unassigned all interfaces from the management context and assigned a new interface. The configuration was reset but I still have the same problem.
I am not able to SSH, Telnet or connect with ASDM into the admin context, only console.
Config Below (I've changed a bunch of it trying to get it to work and haven't had ANY luck):
-------------------
!
hostname dotfw001
names
!
interface Management
nameif Management
security-level 100
ip address 10.16.6.209 255.0.0.0
!
dns server-group DefaultDNS
name-server 10.16.1.9
name-server 10.140.1.9
pager lines 24
logging enable
logging list Failover_Event level warnings class ha
logging buffered notifications
logging trap informational
logging asdm informational
logging mail Failover_Event
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export enable
mtu Management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route Management 0.0.0.0 0.0.0.0 10.16.6.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server Tacacs protocol tacacs+
aaa authentication enable console Tacacs LOCAL
aaa authentication http console Tacacs LOCAL
aaa authentication serial console Tacacs LOCAL
aaa authentication ssh console Tacacs LOCAL
aaa authentication telnet console Tacacs LOCAL
http server enable
no snmp-server location
no snmp-server contact
telnet 0.0.0.0 0.0.0.0 Management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Management
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
10-01-2008 01:00 PM
Hi Matt,
Most of your config looks okay to me. I'm not sure if you removed this during your troubleshooting, but ASDM will not work until you add the 'http 0 0 Management' command and possibly the 'asdm image
Have you generated the SSH key with the 'crypto key generate' command?
At this point, I would start enabling some of the debug output when you are trying to connect. Enable syslogs at the debug level and also try 'debug ssh 255' to see if any messages are printed that might give you a clue as to why this is failing.
I would also take a look at the output of 'show ssh sessions', 'show resource usage', 'show proc | i ssh', and even 'debug npshim 15' to see if anything sticks out as being a problem.
Finally, what version of code are you running? There is a bug in 8.1 where there can be significant packet loss on the management interface when you have multiple contexts configured. Unfortunately, I don't have a bug ID handy but you should be able to find it in the Bug Toolkit.
Hope that helps.
-Mike
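To see what the posted admin-context config actually permits before going to debug output, here is a small checker (an added example, not code from the thread or from Cisco) that parses the ASA `ssh`/`telnet`/`http <net> <mask> <iface>` lines, expands the `0 0` shorthand Mike mentions, tests whether a given source address is allowed, and flags the missing `http` line and any-source rules. The config excerpt embedded below is constructed from the lines in the original post.

```python
import ipaddress
import re

# Constructed excerpt of the admin-context config posted in the thread;
# only the management-access lines matter for this check.
SAMPLE_CONFIG = """\
interface Management
 nameif Management
 ip address 10.16.6.209 255.0.0.0
http server enable
telnet 0.0.0.0 0.0.0.0 Management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Management
ssh timeout 5
"""

# Matches "ssh|telnet|http <host> <mask> <interface>"; "ssh timeout 5"
# and "http server enable" have only three tokens and are skipped.
ACCESS_RE = re.compile(r"^(ssh|telnet|http)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_access(config):
    """Return {service: [(IPv4Network, interface), ...]} from the config text."""
    rules = {"ssh": [], "telnet": [], "http": []}
    for line in config.splitlines():
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        svc, host, mask, iface = m.groups()
        host = "0.0.0.0" if host == "0" else host   # ASA accepts "0 0" shorthand
        mask = "0.0.0.0" if mask == "0" else mask
        try:
            net = ipaddress.IPv4Network(f"{host}/{mask}", strict=False)
        except ValueError:
            continue  # four-token line that is not an access rule (e.g. ssh key-exchange ...)
        rules[svc].append((net, iface))
    return rules


def allowed(rules, service, src_ip, iface):
    """True if src_ip may reach `service` on the interface named `iface`."""
    src = ipaddress.IPv4Address(src_ip)
    return any(src in net and i == iface for net, i in rules[service])


def audit(rules):
    """Findings a reviewer would raise about management access in this config."""
    findings = []
    if not rules["http"]:
        findings.append("no 'http <net> <mask> <iface>' line: ASDM/HTTPS access is not permitted")
    for svc in ("ssh", "telnet", "http"):
        for net, iface in rules[svc]:
            if net.prefixlen == 0:
                findings.append(f"{svc} on {iface} is open to any source; restrict it to the admin subnet")
    return findings
```

Running `audit(parse_access(SAMPLE_CONFIG))` reports the missing `http` rule and the two any-source rules; once the rule is added, `allowed(rules, "http", "10.16.6.50", "Management")` turns true.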
10-03-2008 04:18 AM
I was afraid you would say it looks good.
The http command I just forgot to put back in once I cleared the config, that's just my fault, I am doing all of my testing with ssl at the moment.
I did regenerate the crypto key at 1024, that did help when I was using a connection other than the management interface. As soon as I went back to the management interface, I tried connecting, it didn't work, I regenerated the key and toggled the ssh command and it didn't work.
show ssh sessions - comes back with nothing. Which makes sense since no one can connect over SSH.
show resource usage - comes back with what I would expect it to, but nothing that jumps out at me (admin context is where I am having the problems):
Resource Current Peak Limit Denied Context
Conns 1 28 unlimited 0 admin
Hosts 2 9 unlimited 0 admin
Xlates 1 4 unlimited 0 Hilltop
Hosts 1 84 unlimited 0 Hilltop
Syslogs [rate] 1 7971 unlimited 0 SOCC
Conns 6679 1244067 unlimited 0 SOCC
Xlates 5783 122499 unlimited 0 SOCC
Hosts 2064 3281 unlimited 0 SOCC
Conns [rate] 430 30206 unlimited 0 SOCC
Inspects [rate] 106 13728 unlimited 0 SOCC
show proc | i ssh - not sure what this should return:
Mwe 08bdbf51 317293d4 313b5ce8 1 31727720 6744/8192 listen/ssh
Mwe 08b974db 381f5cbc 09ce71ec 7 381f3e18 6408/8192 ssh/timer
We are running 8.1(1). I don't really see anything more recent to download than 8.1(1). Is there a more recent software version out there?
10-03-2008 04:42 AM
I forgot to throw it out there that I did capture packets coming into the ASA (using the capture command in the ASA). When I do this, I never see the SSL packets even hit the ASA. The pings hit it just fine and show up in the capture information. This has been done over the network and with a crossover cable connected directly to the device.
Needless to say, I am confused.
10-24-2008 06:53 AM
Unfortunately I could find no other answer to this question. I ended up rebooting the firewall on one of our maintenance nights. The reboot has fixed the issue.
Matt