Cannot Launch ASDM from ASA 5505

marioderosa2008

Hi all,

Recently, after successfully connecting the VPN to the ASA 5505, I am unable to then launch the ASDM client, meaning that I can only SSH in to the unit.

I found an old post from 2008 and replied to that also to get some help. It refers to an article saying that it is not possible to enable the https server and webvpn on the same interface.

Well I am running ASA 8.0(4) so this restriction does not apply.

Can anyone point me in the right direction for investigating this?

Mario

mlatham67

Hi,

All you need to do is change the ASDM port.

http server enable *****new port*** eg: 8443

Then open as follows:

https://xx.xx.xx.xx:8443

Regards

Hi,

I will try that as a workaround, but my query is that nothing has changed for this to stop working, and the version of ASA software I am running allows me to run both ASDM & webvpn on the same interface using 443.

It was working a couple of weeks ago, and now is not.

Without rebooting the unit to see if that solves it, is there any kind of logging / debugging available to view?

Mario

Try https://ip_address/admin

or you can move the port to 8443 or some other port suggested by mlatham67.

-KS

Thanks for the reply Kusan,

Unfortunately, the URL does not work. It simply does not display the web page. Almost as if there is an issue with the HTTP server side of things.

Are there no debug commands that I can use to see if the ASA throws up any errors when trying to connect the ASDM client?

I'll try and change the port number, even though I am reluctant to as it was working fine as I said before.

If that fails, I'll have to restart the unit I feel.

any more assistance appreciated.

Mario De Rosa

To ASDM, make sure when you VPN in you are connecting to the private IP address of the ASA, not the public, and that your VPN group policy allows the connection.

Add this:

conf t

management-access inside

Also make sure your VPN address is not restricted from managing the ASA:

http x.x.x.x 255.255.255.0 inside

As far as I know you don't need to change any port for ASDM to work!

Good luck

Francisco.

Pls. copy and paste the output of

sh run http

sh asp table socket

You should see in the logs what is happening.

conf t

logging enable

logging buffered 7

exit

sh logg | i x.x.x.x

where x.x.x.x is the ip address of the client that you are using to manage the ASA.

-KS

Thanks for your posts guys...

sh run http


LONFW# sh run http
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside

login as: emperor
emperor@192.168.10.250's password:
Type help or '?' for a list of available commands.
LONFW> ena
Password: *******
LONFW# sh run
LONFW# sh run http
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside


LONFW# sh asp table socket


Protocol  Socket    Local Address               Foreign Address         State
TCP       0004b7e4  192.168.10.250:22           0.0.0.0:*               LISTEN
TCP       000684fc  217.20.20.227:22            0.0.0.0:*               LISTEN
SSL       000a13b4  217.20.20.227:443           0.0.0.0:*               LISTEN
DTLS      000cc2d4  217.20.20.227:443           0.0.0.0:*               LISTEN
SSL       000e4d2c  192.168.10.250:993          0.0.0.0:*               LISTEN
SSL       0011caec  217.20.20.227:993           0.0.0.0:*               LISTEN
SSL       00120f64  192.168.10.250:995          0.0.0.0:*               LISTEN
SSL       00148cc4  217.20.20.227:995           0.0.0.0:*               LISTEN
SSL       0016685c  192.168.10.250:988          0.0.0.0:*               LISTEN
SSL       0019fe5c  217.20.20.227:988           0.0.0.0:*               LISTEN
SSL       6de48634  192.168.10.250:443          0.0.0.0:*               LISTEN
TCP       6de906cc  192.168.10.250:22           192.168.101.6:56318     ESTAB
LONFW#

for your info... we have 2 IPSec site 2 Site VPNs and then a number of Remote IPSec VPNs

Thanks guys!!

Mario

I am trying to view the log but it seems that there is so much in there that I do not get any results when trying to filter by the IP of the machine that I am running the ASDM on.

I'll keep trying to see if i manage to see any entries in there which will be of any use.

Thanks again

Mario

I tried the following from cisco.

https://217.20.20.227/admin

and it works great. I got a login prompt.

ASDM is working as expected.

If you are trying to reach it from the remote network via VPN then you need this line.

management-access inside

and then you can use the https://192.168.10.250

-KS

%ASA-6-302015: Built inbound UDP connection 7953706 for outside:192.168.101.6/55057 (192.168.101.6/55057) to inside:192.168.10.8/53 (192.168.10.8/53) (svc_cisco)
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.101.6/0 gaddr 192.168.10.8/0 laddr 192.168.10.8/0
%ASA-6-302015: Built inbound UDP connection 7953711 for outside:192.168.101.6/55057 (192.168.101.6/55057) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953712 for outside:192.168.101.6/51190 (192.168.101.6/51190) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953711 for outside:192.168.101.6/55057 (192.168.101.6/55057) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953712 for outside:192.168.101.6/51190 (192.168.101.6/51190) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953711 for outside:192.168.101.6/55057 to inside:ED-DHWINS/53 duration 0:00:00 bytes 155 (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953712 for outside:192.168.101.6/51190 to inside:ED-DHWINS/53 duration 0:00:00 bytes 147 (svc_cisco)
%ASA-6-302015: Built outbound UDP connection 7953715 for outside:192.168.101.6/6004 (192.168.101.6/6004) to inside:192.168.10.6/45803 (192.168.10.6/45803)

%ASA-6-302016: Teardown UDP connection 7953004 for outside:192.168.101.6/6004 to inside:192.168.10.6/45740 duration 0:02:01 bytes 8
%ASA-6-302016: Teardown UDP connection 7953004 for outside:192.168.101.6/6004 to inside:192.168.10.6/45740 duration 0:02:01 bytes 8
%ASA-6-302015: Built inbound UDP connection 7953767 for outside:192.168.101.6/60198 (192.168.101.6/60198) to inside:192.168.10.8/53 (192.168.10.8/53) (svc_cisco)
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.101.6/0 gaddr 192.168.10.8/0 laddr 192.168.10.8/0
%ASA-6-302015: Built inbound UDP connection 7953772 for outside:192.168.101.6/60198 (192.168.101.6/60198) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953773 for outside:192.168.101.6/65513 (192.168.101.6/65513) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953772 for outside:192.168.101.6/60198 to inside:ED-DHWINS/53 duration 0:00:00 bytes 159 (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953773 for outside:192.168.101.6/65513 to inside:ED-DHWINS/53 duration 0:00:00 bytes 151 (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953773 for outside:192.168.101.6/65513 to inside:ED-DHWINS/53 duration 0:00:00 bytes 151 (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953774 for outside:192.168.101.6/52275 (192.168.101.6/52275) to inside:192.168.10.8/53 (192.168.10.8/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953777 for outside:192.168.101.6/52275 (192.168.101.6/52275) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953778 for outside:192.168.101.6/64497 (192.168.101.6/64497) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953777 for outside:192.168.101.6/52275 to inside:ED-DHWINS/53 duration 0:00:00 bytes 159 (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953778 for outside:192.168.101.6/64497 to inside:ED-DHWINS/53 duration 0:00:00 bytes 151 (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953777 for outside:192.168.101.6/52275 (192.168.101.6/52275) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953778 for outside:192.168.101.6/64497 (192.168.101.6/64497) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953777 for outside:192.168.101.6/52275 to inside:ED-DHWINS/53 duration 0:00:00 bytes 159 (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953778 for outside:192.168.101.6/64497 to inside:ED-DHWINS/53 duration 0:00:00 bytes 151 (svc_cisco)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.101.6/0 gaddr 192.168.10.8/0 laddr 192.168.10.8/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.101.6/0 gaddr 192.168.10.8/0 laddr 192.168.10.8/0
%ASA-6-302015: Built inbound UDP connection 7953799 for outside:192.168.101.6/50605 (192.168.101.6/50605) to inside:192.168.10.8/53 (192.168.10.8/53) (svc_cisco)
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.101.6/0 gaddr 192.168.10.8/0 laddr 192.168.10.8/0
%ASA-6-302015: Built inbound UDP connection 7953799 for outside:192.168.101.6/50605 (192.168.101.6/50605) to inside:192.168.10.8/53 (192.168.10.8/53) (svc_cisco)
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.101.6/0 gaddr 192.168.10.8/0 laddr 192.168.10.8/0
%ASA-6-302015: Built inbound UDP connection 7953802 for outside:192.168.101.6/50605 (192.168.101.6/50605) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953803 for outside:192.168.101.6/62357 (192.168.101.6/62357) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953802 for outside:192.168.101.6/50605 to inside:ED-DHWINS/53 duration 0:00:00 bytes 149 (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953803 for outside:192.168.101.6/62357 to inside:ED-DHWINS/53 duration 0:00:00 bytes 141 (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953808 for outside:192.168.101.6/60024 (192.168.101.6/60024) to inside:192.168.10.8/53 (192.168.10.8/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953808 for outside:192.168.101.6/60024 (192.168.101.6/60024) to inside:192.168.10.8/53 (192.168.10.8/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953813 for outside:192.168.101.6/60024 (192.168.101.6/60024) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953814 for outside:192.168.101.6/64748 (192.168.101.6/64748) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953813 for outside:192.168.101.6/60024 to inside:ED-DHWINS/53 duration 0:00:00 bytes 149 (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953814 for outside:192.168.101.6/64748 to inside:ED-DHWINS/53 duration 0:00:00 bytes 141 (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953808 for outside:192.168.101.6/60024 (192.168.101.6/60024) to inside:192.168.10.8/53 (192.168.10.8/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953813 for outside:192.168.101.6/60024 (192.168.101.6/60024) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953814 for outside:192.168.101.6/64748 (192.168.101.6/64748) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953813 for outside:192.168.101.6/60024 to inside:ED-DHWINS/53 duration 0:00:00 bytes 149 (svc_cisco)
%ASA-6-302016: Teardown UDP connection 7953814 for outside:192.168.101.6/64748 to inside:ED-DHWINS/53 duration 0:00:00 bytes 141 (svc_cisco)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.101.6/0 gaddr 192.168.10.8/0 laddr 192.168.10.8/

My machine is the 192.168.101.6 address and the ASA is 192.168.10.250 but I cannot see any entries in there referring to HTTP requests.

Confused!

Mario
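The check being attempted in the post above (does the buffered log show any HTTPS session from the VPN client to the ASA itself?), as an added example that is not part of the thread. It assumes the `sh logg` output has been saved as text; `flows_for` and `reached_asdm` are hypothetical helper names, and the TCP line in `CONSTRUCTED_TCP` is constructed to show what a hit would look like, not taken from this ASA.

```python
import re
from collections import Counter

# First four lines are copied from the log posted above (client 192.168.101.6).
SAMPLE = """\
%ASA-6-302015: Built inbound UDP connection 7953706 for outside:192.168.101.6/55057 (192.168.101.6/55057) to inside:192.168.10.8/53 (192.168.10.8/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953711 for outside:192.168.101.6/55057 (192.168.101.6/55057) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302015: Built inbound UDP connection 7953712 for outside:192.168.101.6/51190 (192.168.101.6/51190) to inside:ED-DHWINS/53 (ED-DHWINS/53) (svc_cisco)
%ASA-6-302015: Built outbound UDP connection 7953715 for outside:192.168.101.6/6004 (192.168.101.6/6004) to inside:192.168.10.6/45803 (192.168.10.6/45803)
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.101.6/0 gaddr 192.168.10.8/0 laddr 192.168.10.8/0
"""
# Constructed line (assumed format for a to-the-box TCP session), for comparison.
CONSTRUCTED_TCP = (
    "%ASA-6-302013: Built inbound TCP connection 7000001 for "
    "outside:192.168.101.6/50000 (192.168.101.6/50000) to "
    "NP Identity Ifc:192.168.10.250/443 (192.168.10.250/443)\n"
)

# 302013 = TCP connection built, 302015 = UDP connection built.
BUILT = re.compile(
    r"%ASA-\d-30201[35]: Built (?:inbound|outbound) (TCP|UDP) connection \d+ "
    r"for [^:]+:(\S+?)/(\d+) \(\S+\) to [^:]+:(\S+?)/(\d+)"
)

def flows_for(log_text, client_ip):
    """Count built TCP/UDP flows that have client_ip as one endpoint,
    keyed by (protocol, peer host, peer port)."""
    flows = Counter()
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if not m:
            continue  # ICMP, teardown and unrelated messages are skipped
        proto, a_host, a_port, b_host, b_port = m.groups()
        if a_host == client_ip:
            flows[(proto, b_host, int(b_port))] += 1
        elif b_host == client_ip:
            flows[(proto, a_host, int(a_port))] += 1
    return flows

def reached_asdm(log_text, client_ip, asa_ip, port=443):
    """True if any TCP connection between the client and asa_ip:port was built."""
    return flows_for(log_text, client_ip)[("TCP", asa_ip, port)] > 0

if __name__ == "__main__":
    for flow, count in flows_for(SAMPLE, "192.168.101.6").most_common():
        print(count, *flow)
    print("TCP/443 to ASA seen:", reached_asdm(SAMPLE, "192.168.101.6", "192.168.10.250"))
```

On the posted lines the summary contains only UDP flows to the DNS servers and 192.168.10.6, with no TCP connection to 192.168.10.250:443.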

Thanks for all your help so far...

I have that line in my config so it should work from the 192.168.101.0/24 (VPN) network.

Do you have any idea why I do not seem to be able to get to that login page the same way I can from a server on the LAN (192.168.10.0/24) and from the web???

Mario

Hi,

I have been searching the logs for any denied traffic from the VPN network when trying to launch the ASDM and I have not come across anything.

I am really at a loss.

I'll try and launch the ASDM from the web and monitor the syslog messages to see if that tells me anything as it is easier doing that than using the CLI for searching the logs.

Mario

Further update...

I have been monitoring syslog messages which do not show any traffic being denied.

This is really odd. It works internally and from the web but not from a VPN client.

Please let me know anything else you need me to show you from my config to help resolve this issue.

Mario

Did you add "management-access inside"?

Once done pls. try to asdm to https://192.168.10.250 or https://192.168.10.250/admin

Watch the logs immediately: "sh logg | i 192.168.101.6"

-KS
