01-29-2025 11:34 AM
Has anyone run into the issue whereby you can use the ASDM on an FPR1010 running ASA software from the inside LAN and it works fine, but from outside, it connects but you get a password error? I see this on two different FPR units.
I could understand if it was just not connecting, as this would be an issue with the device not being set up for remote management. But it is set up and it does connect, and it comes back with login failed. Enter username and password.
Units are current on their firmware.
Best,
-Troyb
01-29-2025 11:41 AM
Can I see the aaa config in your ASA?
MHM
01-29-2025 12:38 PM
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
There are aaa servers configured but are only used for VPN, Cisco duo and LDAP.
01-30-2025 12:28 PM
Share these:
show run http
show asp table socket
debug http 10 <<- this is optional
debug asdm history 10
capture asdm interface outside match tcp host <asa ip> eq 443 host <host ip>
MHM
01-29-2025 02:50 PM
Hey, can you double-check that you have enabled HTTP access and also enabled it on the outside interface?
http server enable
http <outside-interface-IP> <subnet-mask> <outside-interface>
Also, I believe the problem you're describing, where ASDM works fine from the inside LAN but fails with a password error from the outside, is likely related to the management-access configuration, so try this command:
management-access inside
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
If you are still having issues, in that case it is best to collect the logs via debugs.
debug aaa authentication
debug webvpn 255
!
show logging
02-24-2025 12:09 PM
Sorry everyone for not replying sooner. Got a bit ill and was taken out of service. So it would seem that updating the firmware on an ASA5506X to the latest version has also created this same problem. Can authenticate from inside and from VPN, but cannot authenticate from outside. The outside is permitted and was working before the update. It does connect but just gets a username/password error. I will be doing some debug captures later this week and can post them. But it would seem that password authentication broke with the latest version of the firmware/ASDM.
02-25-2025 12:02 PM - edited 02-25-2025 12:07 PM
Prior to the upgrade it was working; since you did the upgrade it has stopped working. What was the ASA software version prior to the upgrade and what is the version post-upgrade?
Also, could you confirm whether you are running the ASA-5506X or the FPR1010?
02-25-2025 09:14 AM
Here is a datapoint. I was logged in via ASDM from a machine on the inside and watching the logs. Then, while watching the logs, I attempted to connect to the same ASA from a machine on the outside that is in the ASDM allowed IP block, with the same username and password that I am using with the one I am logged in with on the inside. It logged the reason as invalid password.
02-25-2025 12:13 PM
What ASDM version are you on, and what ASA software code is running? Show your configuration: "show run all http"
02-25-2025 12:36 PM
On the only working FPR1010, we are running 9.14(2)15 with ASDM 7.14(1). On the FPR1010 units not working, they are running 9.18(4)40 or newer with ASDM 7.22(1). On the 5506X that stopped working after upgrade, it was running 9.8(4)25 and ASDM 7.10(1) and now it is running 9.16(4)76 and ASDM 7.22(1).
02-25-2025 12:44 PM
ASA5506 is EOL/EOS. Interesting, I noted that from 9.14 onward ASDM on the outside is not working in your case. Have you tested doing SSH from the outside interface? Just trying to narrow down the problem.
02-25-2025 12:49 PM
02-25-2025 12:55 PM
That seems to be some bug behaviour. You can SSH with the same username and password, but when using ASDM you have issues. Try using a different ASDM version.
02-27-2025 03:27 PM
Okay, so here is what I was able to determine. For the units (both FPR and 5506X) that are not working, turning off or removing aaa authentication http console LOCAL from the config resolves the issue. However, the ones that were working and running earlier versions have that set, and ASDM breaks if it is removed. This is the case for all FPR1010 units and the 5506X except for one. We have one FPR1010 that is running version 9.16(3)23 and ASDM 7.19(1). On this one, if this setting is removed, it can no longer connect at all via ASDM, not just get a password error.
So this looks like a bug where the local authentication setting is reversed for ASDM authentication, and is broken altogether in the version of firmware or ASDM that is running on the one FPR1010 unit. I should note that SSH seems to work just fine with it enabled and breaks if you disable it, so no consistency in the code, it would seem.
02-27-2025 11:01 PM
If you have enabled SSL VPN on the device, in that case you cannot use ASDM on the OUTSIDE interface, as it uses the same 443 port as the VPN service.
To fix it, just issue the command - http server enable 8443
and in ASDM use vpn.company.com:8443
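The check suggested in the last reply can be run against a saved running-config. The following is an added example, not part of the thread or Cisco's tooling: it flags interfaces where ASDM (`http`) and WebVPN share a port, and `http` rules that admit any source address, such as the `http 0.0.0.0 0.0.0.0 outside` line proposed earlier. The function name `audit_asdm_access` and the sample config are constructed for illustration, and only IPv4 `http` rules are parsed.

```python
import re

# Constructed sample running-config fragment (not taken from the thread).
SAMPLE_CONFIG = """\
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
aaa authentication http console LOCAL
webvpn
 enable outside
"""

def audit_asdm_access(config: str) -> dict:
    """Report ASDM/WebVPN port overlap and any-source http rules."""
    http_port = None                  # None: HTTPS management server disabled
    http_rules = []                   # (network, mask, interface)
    webvpn_ifs, webvpn_port = set(), 443   # both services default to 443
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):   # a top-level line opens or closes a block
            in_webvpn = (line == "webvpn")
        if m := re.fullmatch(r"http server enable(?: (\d+))?", line):
            http_port = int(m.group(1) or 443)
        elif m := re.fullmatch(r"http (\d[\d.]*) (\d[\d.]*) (\S+)", line):
            http_rules.append(m.groups())
        elif in_webvpn and (m := re.fullmatch(r"enable (\S+)", line)):
            webvpn_ifs.add(m.group(1))
        elif in_webvpn and (m := re.fullmatch(r"port (\d+)", line)):
            webvpn_port = int(m.group(1))
    mgmt_ifs = {r[2] for r in http_rules} if http_port else set()
    shared = sorted(mgmt_ifs & webvpn_ifs) if http_port == webvpn_port else []
    any_src = sorted(i for n, k, i in http_rules
                     if (n, k) == ("0.0.0.0", "0.0.0.0"))
    return {
        "http_port": http_port,
        "shared_port_interfaces": shared,    # ASDM and WebVPN on same port
        "any_source_interfaces": any_src,    # management open to any address
        "local_http_auth": "aaa authentication http console LOCAL" in config,
    }

if __name__ == "__main__":
    print(audit_asdm_access(SAMPLE_CONFIG))
```

An interface listed under `any_source_interfaces` accepts ASDM logins from every address that can reach it, so a narrower network and mask on that `http` line is the safer setting for remote management.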