Can't connect ASDM from remote site.

msompong1
Level 1

Hi All,

I've set up the Cisco ASA 5506x firewall with a simple connection.

- outside interface connects to the internet.

- inside interface connects to my production network.

- P2P interface connects to the existing network.

 

My problem is I can't access the ASDM from the network behind the P2P link. I've found the log in the ASA about my source IP and the service 443, but the ASDM client shows "Unable to launch device manager from xx.xx.xx.xx".

But when I tried from the inside network, the ASDM can launch as expected.

 

I've enabled the source networks for access to the ASA as below.

http server enable
http 192.168.140.0 255.255.255.0 inside
http 10.196.0.0 255.255.0.0 P2P

 

And the routing also has

route P2P 10.196.0.0 255.255.0.0 10.196.7.1 

 

Please help to advise, and thank you in advance.

4 Replies

Marvin Rhoads
Hall of Fame

Is it possible that your traffic arriving via the P2P link is being NATted along the way? You can test this by temporarily changing your current:

http 10.196.0.0 255.255.0.0 P2P

to

http 0.0.0.0 0.0.0.0 P2P

If it works with that then check your ASA/ASDM logs to see the actual incoming address of the connections and update the http statement accordingly.
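As an added worked example (not part of Marvin's reply or any Cisco tooling), the check he describes can be reproduced offline: parse the `http <net> <mask> <ifname>` lines from the running config, then test the source addresses actually seen in the ASA logs against them. The ASA matches both the source network and the ingress interface, so a NATted source that no longer falls in 10.196.0.0/16 is denied even though the P2P route is fine. The config lines are the ones from the original post; the observed addresses and the 172.16.99.2 "hidden behind NAT" source are constructed for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[ipaddress.IPv4Network, str]

# Constructed sample: the three lines from the original post, as they would
# appear in 'show running-config http' on the ASA.
SAMPLE_CONFIG = """\
http server enable
http 192.168.140.0 255.255.255.0 inside
http 10.196.0.0 255.255.0.0 P2P
"""

# The temporary diagnostic variant suggested above: any source on P2P is permitted.
WIDE_OPEN_CONFIG = SAMPLE_CONFIG.replace(
    "http 10.196.0.0 255.255.0.0 P2P", "http 0.0.0.0 0.0.0.0 P2P"
)


def parse_http_rules(config: str) -> List[Rule]:
    """Extract (network, interface) pairs from 'http <ip> <mask> <ifname>' lines.

    'http server enable' and unrelated lines are skipped. The mask is written
    in dotted-decimal form, which ipaddress accepts directly.
    """
    rules: List[Rule] = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "http":
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
            rules.append((net, parts[3]))
    return rules


def matching_rule(config: str, src_ip: str, ingress_if: str) -> Optional[Rule]:
    """Return the first http rule permitting src_ip on ingress_if, or None.

    Both the source network and the arrival interface must match, so a
    permitted address arriving on the wrong interface is still denied.
    """
    src = ipaddress.IPv4Address(src_ip)
    for net, ifname in parse_http_rules(config):
        if ifname == ingress_if and src in net:
            return net, ifname
    return None


def asdm_allowed(config: str, src_ip: str, ingress_if: str) -> bool:
    return matching_rule(config, src_ip, ingress_if) is not None


def audit_observed(config: str, observed: List[Tuple[str, str]]) -> List[str]:
    """Explain each observed (source IP, interface) pair against the config.

    'observed' holds the addresses actually seen in the ASA logs, which may
    differ from the client's own address when a NAT sits on the path.
    """
    report = []
    for src_ip, ingress_if in observed:
        rule = matching_rule(config, src_ip, ingress_if)
        if rule is None:
            report.append(f"{src_ip} on {ingress_if}: DENIED - no http rule; "
                          f"add 'http <net> <mask> {ingress_if}' for this source")
        else:
            report.append(f"{src_ip} on {ingress_if}: permitted by {rule[0]} {rule[1]}")
    return report


if __name__ == "__main__":
    # Constructed observations: a client in the expected range, a source that
    # would appear if the upstream firewall hid the client behind NAT, and an
    # inside client for comparison.
    observed = [("10.196.20.15", "P2P"), ("172.16.99.2", "P2P"),
                ("192.168.140.9", "inside")]
    for line in audit_observed(SAMPLE_CONFIG, observed):
        print(line)
    print("With the wide-open test rule, 172.16.99.2 on P2P allowed:",
          asdm_allowed(WIDE_OPEN_CONFIG, "172.16.99.2", "P2P"))
```

Run it with the addresses from your own logs in `observed`; any line reported as DENIED is a source the current `http` statements do not cover, and the wide-open rule should only stay in place long enough to learn that address.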

GRANT3779
Spotlight
Hi There, I had a very similar issue recently, but ASDM access was an issue across a 4G WAN link. Out of interest, can you SSH to the ASA across the P2P?
My problem was MTU/fragmentation, or lack of it. I had to add TCP MSS adjust on the WAN interfaces. I only knew this was the issue after running some packet captures to see what was going on.
May be unrelated to your issue, but I thought I would make you aware.

msompong1
Level 1

Hi All,

Thank you for your reply.

I have more detail to update on my current connection, shown below.

 

My Client ----> L3 switch ----> Checkpoint Firewall x2 (Clustered) ---->Cisco ASA----> Network 

 

After I used Wireshark to capture the traffic between the Checkpoint and the ASA, I found something.

 

For the ASA with 9.6(1) firmware (this version is working as expected)

Checkpoint forwards traffic to the ASA with its real physical MAC address as the source, and the ASA replies with the Checkpoint real MAC address as the destination.

 

For the ASA with 9.9(2) firmware (this version is not working)

Checkpoint forwards traffic to the ASA with its real physical MAC address as the source, but the ASA replies with the Checkpoint virtual MAC address as the destination. That is why the communication cannot be established.

So what can I do in the configuration of the 9.9(2) firmware?

From your latest description and the analysis you've done, this sounds like a bug. Are you running the latest interim release of 9.9(2)?

That would currently be 9.9(2)52 found here:

https://software.cisco.com/download/home/286283326/type/280775065/release/9.9.2%20Interim

If you are already running the latest interim then I would advise opening a TAC case.
