02-19-2024 06:00 AM
hi out there
I've got a small funny challenge - we have 4 ASA clusters around the world, where we have a kit in the US and a similar kit in DK - both running on FP21xx with ASA 9.18(3)56.
These clusters had been running ASA 9.12 until recently, and I didn't have any problems accessing them through the AnyConnect VPN tunnel. But after I upgraded both clusters to 9.18 I cannot access the "local" one here in Denmark through ASDM remotely - only locally. The cluster in the US I have no problem with - neither when connected directly to the cluster remotely nor when accessing it "internally" through our corporate network.
I noticed that there is one small difference in the config - on the US cluster I can use any interface for managing the ASA, whereas the local one in Denmark has the option defined for only using the management interface for ASDM:
console timeout 0
management-access management
But - has the "behaviour" of this option changed from the previous version?
02-19-2024 12:03 PM
Just asking the obvious question, did you also upgrade ASDM image after upgrading the ASA in Denmark?
02-19-2024 12:21 PM
02-20-2024 04:40 AM
There was a new ssh stack introduced in 9.17 that prevents "SSH to a different interface over VPN (management-access)". However, it should only be in effect if explicitly called out.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa917/release/notes/asarn917.html
It wouldn't hurt to check on that though....
02-20-2024 04:56 AM
02-20-2024 05:03 AM
And - it does - if "management-access management" is defined I cannot access it through the VPN tunnel - which until now has not been "blocked", so it is a bit confusing when you are working on the cluster and suddenly it changes behaviour. This can be a bit frustrating, since you don't know if you made a mistake - with 700 active users on it - or if it is just by design ....
02-20-2024 07:11 AM
A few routing changes were introduced on the ASA in 9.18.2 when loopback support was added. Unfortunately, all we know is that this created problems: CSCwh53143, but we don't know why, or what the exact conditions to hit this issue are. So, this may or may not be your case. The Command Reference is outdated, although it now mentions Cisco SSH and SNMP limitations, which is good: https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/I-R/asa-command-ref-I-R/m_maa-match-d.html#wp6550330920
The bug was fixed in 9.18.4.5, 9.19.1.24, 9.20.2 and above.
HTH
08-01-2024 02:27 AM
Hi guys,
I'm at 9.18.4.34 and I'm facing the same issue... when I connect via remote access VPN, I can't access the ASA via ASDM. Previously on 9.16.x this was working...
Is there a workaround to make it accessible again? This is kinda annoying for the administration.
Thanks
08-01-2024 04:55 AM
Well - if "management-access management" is defined I cannot access it through the VPN tunnel...
08-01-2024 05:30 AM
Thanks tiwang,
But if you don't define this, then management-access is allowed from all interfaces? This means also from the Outside?
08-01-2024 05:54 AM
I don't disagree, but you can handle this with access-lists.
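As an added illustration (not from this thread or from Cisco), a constructed ASA config fragment contrasting the two setups discussed: the `management-access management` form from the Danish cluster, and the alternative of leaving it off and instead limiting ASDM and SSH to named source networks per interface with the `http` and `ssh` statements, which are the per-interface allow-list the ASA applies to to-the-box management traffic. Interface names, subnets and the AnyConnect pool are placeholders.

```cisco
! Constructed example, not from the thread. Interface names and
! addresses are placeholders.
!
! --- Variant A: management reached only via the "management" interface ---
! This is the form the thread reports stopped working for ASDM over the
! AnyConnect tunnel after the 9.18 upgrade.
management-access management
http server enable
! ASDM allowed only from the admin LAN behind "management"
http 10.10.0.0 255.255.255.0 management
!
! --- Variant B: no management-access; restrict by source network instead ---
no management-access management
http server enable
! ASDM from the admin LAN on the inside interface
http 10.10.0.0 255.255.255.0 inside
! ASDM from the AnyConnect address pool; tunnelled traffic is to-the-box
! on the VPN-terminating interface, here "outside"
http 10.200.0.0 255.255.255.0 outside
! SSH limited to the same two sources
ssh 10.10.0.0 255.255.255.0 inside
ssh 10.200.0.0 255.255.255.0 outside
! Deliberately no "http 0.0.0.0 0.0.0.0 outside": any source not listed
! above is refused on that interface, so the open Internet cannot reach ASDM.
```

Check the result with `show run http` and `show run ssh`, and confirm the VPN pool entry is as narrow as the pool actually in use.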
08-02-2024 12:35 AM - edited 08-02-2024 02:27 AM
That's what I thought... it's just a little bit frustrating that Cisco makes such a change without really describing it... at least I didn't find any notes.
Thanks guys