Cisco ASA 8.4(4) - Management-Access Inside !!!

Hi,

I deployed a Cisco ASA Firewall, Software Ver 8.4(4). I have created an IPsec Site-to-Site VPN tunnel. It is a Static to Dynamic IP scenario.

The issue is that the VPN tunnel is working fine, but I am not able to access the firewall from Site-A, which has the static IP address. I have given the "management-access inside" on the Site-B firewall and set the ssh/https access for the Site-A local VPN subnet.

Site-B Configuration Sample

-----------------------------------------

!
Local Subnet = 10.151.16.0 255.255.254.0
Remote Subnet = 172.22.0.0 255.255.0.0
==============================
!
http 10.151.16.0 255.255.254.0 inside
http 172.22.0.0 255.255.0.0 inside
!
telnet 10.151.16.0 255.255.254.0 inside
telnet 172.22.0.0 255.255.0.0 inside
!
ssh 10.151.16.0 255.255.254.0 inside
ssh 172.22.0.0 255.255.0.0 inside
!
management-access inside
!

I just want to know whether this is a software bug or whether anything else needs to be done on the Cisco ASA with version 8.4(4). I have done this thousands of times with the previous versions.

Thanks,

Best Regards,

Mubasher Sultan

7 Replies

craig-allen
Level 1

Hello,

I've also just upgraded to 8.8.4 (was on 8.4.1) in one of my spoke sites, and I'm unable to ping, query via SNMP or SSH from the hub site to the inside interface; syslog is also not working from the spoke site to the hub site via the VPN tunnel.

The strange thing is that TACACS from the spoke to the hub site is still working via the VPN tunnel, which also uses the inside interface.

So it seems that upgrading to 8.4.4 has broken a few features, i.e. ping, SNMP, SSH/telnet and syslog, that work via the management-access command.

Must be a bug!!!!

Hi,

It seems to be a software bug. I am also unable to get a ping/ssh/telnet/https response. I can see in the ASDM logs that traffic is reaching the firewall but is torn down. I didn't try with the TACACS+ traffic.

Also, I tried with the packet-tracer command,

packet-tracer input inside tcp 172.22.2.222 1024 10.151.16.1 23

and found the following: "Type: ipsec-tunnel-flow, Result: Drop".

Please advise.

Thanks,

Regards,

Mubasher

Kurtis Franklin
Level 1

In case anyone else is still having this issue, I was finally able to resolve this issue on our ASAs. It seems that after 8.4.1 (maybe 8.4.2) a "quota" for management connections needs to be defined; its default is 0.

quota management-session XXX (where XXX is between 0 and 10000)

After issuing that command, everything started reporting normally again. Unfortunately, it appears that you can't issue that command in 8.4.1 prior to upgrading to 8.4.4. Certainly makes this jump more troublesome.

Hi,

By any chance, did you add the "route-lookup" command at the end of the NAT statement?

* Assuming you are coming over a VPN connection.

Thanks.

Portu.

Edit: I just upgraded another ASA and didn't make the change to the Quota (just the NAT change) and it worked. Sounds like my original NAT statement may have been my problem.

Message was edited by: Kurtis Franklin

Probably... The route-lookup command must be in there.

Please rate any posts you find useful.

Thanks.
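An added example, not taken from the thread, of the NAT statement the reply above refers to: the Site-B identity (twice) NAT for the tunnel written first without and then with route-lookup, followed by the management-access settings and a packet-tracer check from the outside interface. Object names, the use of twice NAT, and 10.151.16.1 as the inside interface address are assumptions; the subnets are the ones posted in the question.

```cisco
! Added example (not the original poster's configuration). Object names are assumed.
object network SITE-B-LAN
 subnet 10.151.16.0 255.255.254.0
object network SITE-A-LAN
 subnet 172.22.0.0 255.255.0.0
!
! Problem form: identity NAT without route-lookup. The rule's mapped interface
! decides the egress interface, so packets from Site-A addressed to the inside
! interface IP are forwarded as through-traffic instead of being handled by the
! ASA itself (the "ipsec-tunnel-flow ... Drop" seen in packet-tracer above).
! nat (inside,outside) source static SITE-B-LAN SITE-B-LAN destination static SITE-A-LAN SITE-A-LAN no-proxy-arp
!
! Corrected form: route-lookup makes the ASA consult the routing table, so
! traffic for 10.151.16.1 (assumed inside interface address) is delivered to the box.
nat (inside,outside) source static SITE-B-LAN SITE-B-LAN destination static SITE-A-LAN SITE-A-LAN no-proxy-arp route-lookup
!
! Management of the inside interface over the tunnel, restricted to the remote subnet.
management-access inside
ssh 172.22.0.0 255.255.0.0 inside
http 172.22.0.0 255.255.0.0 inside
!
! Optional, per Kurtis Franklin's reply (his later edit found the NAT change alone sufficient).
quota management-session 10
!
! Check: VPN traffic enters on the outside interface, so trace it from there.
! Expected after the fix: the final result is Allow rather than Drop.
packet-tracer input outside tcp 172.22.2.222 1024 10.151.16.1 22
```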

Hello friends,

Please, allow me to resurrect this old post. Thank you so much for your answer Javier Portuguez, I had the same issue, but with AnyConnect sessions. I have added the "route-lookup" statement to the NAT rule, and now I am able to manage the inside interface of my ASA through AnyConnect sessions. I hope you keep helping a lot of people with your answers.

Regards!
