Unable to access ASA 5520 using HTTP/HTTPS

VincentLong
Level 1

I was unable to access my ASA 5520 using HTTP/HTTPS, even on the management interface. I had upgraded the ASA IOS to asa832-k8.bin and ASDM to asdm-634-53.bin, but the issue is still the same.

 

My browser shows the error message as in the attached image.

 

PGA-Firewall-02# sh run
: Saved
:
ASA Version 8.3(2)
!
hostname PGA-Firewall-02
enable password xxx encrypted
passwd xxx encrypted
names
!
interface GigabitEthernet0/0
nameif public
security-level 0
ip address 192.168.50.6 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.0.6 255.255.0.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description LAN Failover Interface
shutdown
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.80.1 255.255.255.0
management-only
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup public
dns server-group DefaultDNS
name-server 202.188.0.133
name-server 202.188.1.5
name-server 165.21.83.88
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network my-inside-net
subnet 172.16.0.0 255.255.0.0
access-list LAN_access_in extended permit ip any any
pager lines 24
mtu public 1500
mtu inside 1500
mtu management 1500
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover interface ip failover 192.168.100.1 255.255.255.0 standby 192.168.100.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
!
object network my-inside-net
nat (inside,public) dynamic interface
access-group LAN_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 7070
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.80.10-192.168.80.254 management
dhcpd dns 8.8.8.8 202.188.0.133 interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email xxx
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxx
: end
PGA-Firewall-02#

9 Replies

Herbert Baerten
Cisco Employee

Hi Vincent,

Most commonly this is because the ASA does not have a 3DES/AES license; please check "show version | incl 3DES".

If this says "disabled" then go to http://www.cisco.com/go/license to request a license (should be free of charge, but can only be requested if you are not in any country to which the US has export restrictions).

hth

Herbert

Hi,

After I applied the license I got from Cisco, it still doesn't work. I have attached the sh run and sh tech for both units. Please kindly advise.

VincentLong
Level 1

Is anyone facing the same issue as mine? Does anyone know the root cause of this issue?

Vincent

Perhaps there is something more complicated involved here that I have not yet recognized. But I see some fairly simple things that may explain your difficulty.

First let us look at what is allowed to use the HTTP access:

http 0.0.0.0 0.0.0.0 management

This says that any source address is permitted to access the management address. And the management address is 192.168.80.1. But in the examples of the error messages that were in your post they were not attempting to access 192.168.80.1.

So my first suggestion is to ask what happens if you attempt HTTP/HTTPS to 192.168.80.1 rather than to some other address in that subnet.

My second suggestion is to ask where you are attempting HTTP/HTTPS access from? Does your source have network connectivity to 192.168.80.1 connecting on the management interface (not on the inside interface)?

My third suggestion would be to suggest that you enable HTTP/HTTPS access to the Inside interface address from source addresses of the inside network.

http 172.16.0.0 255.255.0.0 inside

Give these a try and let us know what happens.

HTH

Rick

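A small diagnostic script, added here as an illustration and not taken from the thread, that applies Rick's and Herbert's checks to an excerpt of the running config: it decides whether a given client, arriving on a given interface, is permitted by the http statements to reach ASDM (and on which port, since the config uses http server enable 7070), and reports whether the show version line says the 3DES/AES feature is Disabled. The config excerpt and the show version line are constructed from the thread, nothing is queried from a device, and the function names are hypothetical.

```python
import ipaddress
import re
# Constructed excerpt of the thread's running config (not pulled from a live device).
RUNNING_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 172.16.0.6 255.255.0.0
interface Management0/0
 nameif management
 ip address 192.168.80.1 255.255.255.0
http server enable 7070
http 0.0.0.0 0.0.0.0 management
"""
SHOW_VERSION_3DES = "VPN-3DES-AES                     : Disabled"  # constructed 'show version | incl 3DES' line

def parse_http_access(config):
    """Return (listen port, {nameif: [permitted source networks]})."""
    port, allowed = 443, {}   # 443 is the ASA default when no port is given
    for line in config.splitlines():
        if m := re.match(r"\s*http server enable(?: (\d+))?$", line):
            port = int(m.group(1) or port)
        elif m := re.match(r"\s*http (\S+) (\S+) (\S+)$", line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            allowed.setdefault(m.group(3), []).append(net)
    return port, allowed

def parse_interface_ips(config):
    """Map each nameif to its configured IPv4 address."""
    ips, nameif = {}, None
    for line in config.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s*ip address (\S+) \S+", line)) and nameif:
            ips[nameif] = m.group(1)
    return ips

def asdm_reachable(config, client_ip, ingress_nameif, target_ip):
    """Rick's checks: target is the ingress interface's address and an 'http' rule matches."""
    port, allowed = parse_http_access(config)
    if parse_interface_ips(config).get(ingress_nameif) != target_ip:
        return False, f"{target_ip} is not the {ingress_nameif} interface address"
    if not any(ipaddress.ip_address(client_ip) in n for n in allowed.get(ingress_nameif, [])):
        return False, f"no 'http ... {ingress_nameif}' statement matches {client_ip}"
    return True, f"permitted; browse to https://{target_ip}:{port}/"

def has_3des_aes_license(show_version_line):
    """Herbert's check: False when VPN-3DES-AES reads Disabled."""
    m = re.search(r"VPN-3DES-AES\s*:\s*(\w+)", show_version_line)
    return bool(m) and m.group(1).lower() != "disabled"
```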

Hi,

The print screen I attached was when I accessed the management interface of Firewall-02, whose management interface IP address is 192.168.80.2. I had tried to access both firewall 1 and firewall-2 management interfaces after applying the ASA 3DES license key which I got from Cisco. The result was the same. I don't know whether it is my configuration issue or another unknown issue.

I have attached the diagram of the network which shows how the firewalls are connected. Meanwhile I also hope that someone can teach me how to configure HA using the command line, as at the moment I can't use ASDM. I have searched the Cisco website and they mention contexts. I have a few questions about that, as below:

1. What is it about?

2. Why do we need to create 2 contexts in 1 firewall?

Many thanks in advance.

Hi Vincent,

The issue is not that complex, and is frequently encountered.

Please refer to this document I wrote on troubleshooting ASDM access, as you are facing the exact same issue.

https://supportforums.cisco.com/docs/DOC-15016#Weak_Encryption

Hope this helps.

-Shrikant

P.S.: Please mark the question resolved, if it has been answered. Do rate helpful posts. Thanks

Hi Shrikant Sundaresh,

I will try the recommended solution in your post and will update you whether it works or not, as the firewall is installed at the project site far from my current location. I will only go there again in 2 weeks' time. Anyway, many thanks in advance.

Hi Shrikant, can you please upload this document on any other drive, because I can't access this document on the Cisco page.
