06-10-2012 05:20 AM - edited 03-11-2019 04:17 PM
Hi,
I deployed a Cisco ASA Firewall, software version 8.4(4). I have created an IPsec site-to-site VPN tunnel. It is a static-to-dynamic IP scenario.
The issue is that the VPN tunnel is working fine, but I am not able to access the firewall from Site-A, which has the static IP address. I have given the "management-access inside" on the Site-B firewall and set the SSH/HTTPS access for the Site-A local VPN subnet.
Site-B Configuration Sample
-----------------------------------------
!
Local Subnet = 10.151.16.0 255.255.254.0
Remote Subnet = 172.22.0.0 255.255.0.0
==============================
!
http 10.151.16.0 255.255.254.0 inside
http 172.22.0.0 255.255.0.0 inside
!
telnet 10.151.16.0 255.255.254.0 inside
telnet 172.22.0.0 255.255.0.0 inside
!
ssh 10.151.16.0 255.255.254.0 inside
ssh 172.22.0.0 255.255.0.0 inside
!
management-access inside
!
I just want to know whether this is a software bug or whether anything else needs to be done on the Cisco ASA with version 8.4(4). I have done this thousands of times with the previous versions.
Thanks,
Best Regards,
Mubasher Sultan
06-10-2012 05:45 AM
Hello,
I've also just upgraded to 8.8.4 (was on 8.4.1) on one of my spoke sites, and I'm unable to ping, query via SNMP, or SSH from the hub site to the inside interface; syslog is also not working from the spoke site to the hub site via the VPN tunnel.
The strange thing is that TACACS from the spoke to the hub site is still working via the VPN tunnel, which also uses the inside interface.
So it seems that upgrading to 8.4.4 has broken a few features, i.e. ping, SNMP, SSH/telnet and syslog, that work via the management
Must be a bug!!!!
06-10-2012 06:04 AM
Hi,
It seems to be a software bug. I am also unable to get a ping/SSH/telnet/HTTPS response. I can see in the ASDM logs that the traffic is reaching the firewall but is torn down. I didn't try with the TACACS+ traffic.
Also, I tried the packet-tracer command,
packet-tracer input inside tcp 172.22.2.222 1024 10.151.16.1 23
and found the below as "Type: ipsec-tunnel-flow, Result: Drop".
Please advise.
Thanks,
Regard,
Mubasher
09-06-2012 12:53 PM
In case anyone else is still having this issue, I was finally able to resolve this issue on our ASAs. It seems that after 8.4.1 (maybe 8.4.2) a "quota" for management connections needs to be defined; its default is 0.
quota management-session XXX (where XXX is between 0 and 10000)
After issuing that command, everything started reporting normally again. Unfortunately, it appears that you can't issue that command in 8.4.1 prior to upgrading to 8.4.4. Certainly makes this jump more troublesome.
09-06-2012 02:26 PM
Hi,
By any chance, did you add the "route-lookup" command at the end of the NAT statement?
* Assuming you are coming over a VPN connection.
Thanks.
Portu.
09-06-2012 02:29 PM
Edit: I just upgraded another ASA and didn't make the change to the Quota (just the NAT change) and it worked. Sounds like my original NAT statement may have been my problem.
Message was edited by: Kurtis Franklin
09-06-2012 02:52 PM
Probably... The route-lookup command must be in there.
Please rate any posts you find useful.
Thanks.
09-26-2014 09:29 PM
Hello friends,
Please, allow me to resurrect this old post. Thank you so much for your answer, Javier Portuguez. I had the same issue, but with AnyConnect sessions. I have added the "route-lookup" statement to the NAT rule, and now I am able to manage the inside interface of my ASA through AnyConnect sessions. I hope you keep helping a lot of people with your answers.
Regards!
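As an added illustration that is not from any post in this thread: the NAT exemption for the site-to-site traffic in ASA 8.4 syntax, first without and then with the "route-lookup" keyword that Portu and the later replies point to. The subnets are the ones from Mubasher's Site-B sample; the object names LOCAL_NET and REMOTE_NET and the interface names inside/outside are assumptions, and the "quota" value of 10 is only a placeholder within the range Kurtis quoted.

```cisco
! Assumed object names for the two VPN subnets from the Site-B sample
object network LOCAL_NET
 subnet 10.151.16.0 255.255.254.0
object network REMOTE_NET
 subnet 172.22.0.0 255.255.0.0
!
! Before: twice NAT exemption without route-lookup. The ASA picks the egress
! interface from the NAT rule, so traffic from the remote subnet addressed to
! the inside interface IP (e.g. 10.151.16.1) is not handed to the box itself
! and packet-tracer shows "Type: ipsec-tunnel-flow, Result: Drop".
nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp
!
! After: route-lookup makes the ASA consult the routing table instead, so
! management traffic for the inside interface IP is delivered to the firewall.
no nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp
nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup
!
! Management access over the tunnel stays limited to the remote VPN subnet
management-access inside
ssh 172.22.0.0 255.255.0.0 inside
http 172.22.0.0 255.255.0.0 inside
!
! Kurtis's workaround; a later reply found the NAT change alone was enough.
! Placeholder value 10 (range quoted in the thread: 0 to 10000).
quota management-session 10
!
! Check the new rule from the tunnel side; the flow should now be allowed.
packet-tracer input outside tcp 172.22.2.222 1024 10.151.16.1 22
```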