

Unable to access ASA 5520 using HTTP/HTTPS

I was unable to access my ASA 5520 using HTTP/HTTPS, even on the management interface. I had upgraded the ASA IOS to asa832-k8.bin and ASDM to asdm-634-53.bin, but the issue is still the same.

My browser shows the error message in the attached image.

PGA-Firewall-02# sh run
: Saved
ASA Version 8.3(2)
hostname PGA-Firewall-02
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface GigabitEthernet0/0
nameif public
security-level 0
ip address
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
description LAN Failover Interface
interface Management0/0
nameif management
security-level 100
ip address
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup public
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network my-inside-net
access-list LAN_access_in extended permit ip any any
pager lines 24
mtu public 1500
mtu inside 1500
mtu management 1500
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover interface ip failover standby

icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
object network my-inside-net
nat (inside,public) dynamic interface
access-group LAN_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 7070
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd dns interface management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password 4PtuJu0EMPs1UXfw encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
service-policy global_policy global
prompt hostname context
profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end

Herbert Baerten
Cisco Employee

Hi Vincent,

Most commonly this is because the ASA does not have a 3DES/AES license; please check "show version | incl 3DES".

If this says "disabled" then go to to request a license (should be free of charge, but can only be requested if you are not in any country to which the US has export restrictions).




After I applied the license I got from Cisco, it still doesn't work. I have attached the sh run and sh tech for both units. Please kindly advise.


Anyone facing the same issue as mine? Anyone know about the root cause of this issue?


Perhaps there is something more complicated involved here that I have not yet recognized. But I see some fairly simple things that may explain your difficulty.

First let us look at what is allowed to use the HTTP access:

http management

This says that any source address is permitted to access the management address. And the management address is But in the examples of the error messages that were in your post they were not attempting to access

So my first suggestion is to ask what happens if you attempt HTTP/HTTPS to rather than to some other address in that subnet.

My second suggestion is to ask where you are attempting HTTP/HTTPS access from? Does your source have network connectivity to connecting on the management interface (not on the inside interface)?

My third suggestion would be to suggest that you enable HTTP/HTTPS access to the Inside interface address from source addresses of the inside network.

http inside

Give these a try and let us know what happens.
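
The checks suggested in the reply above can be run against a saved "sh run" before going on site. This is an added example, not part of the original thread: the function names `parse` and `check_access` are hypothetical, the addresses are constructed documentation-range placeholders, and only IPv4 `http` rules are handled. It also reports the URL to use, because `http server enable 7070` moves the HTTPS listener from the default port 443 to 7070.

```python
import ipaddress

# Constructed sample config: placeholder addresses, not the poster's real ones.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 192.0.2.1 255.255.255.0
interface Management0/0
 nameif management
 ip address 198.51.100.1 255.255.255.0
asdm image disk0:/asdm-634-53.bin
http server enable 7070
http 198.51.100.0 255.255.255.0 management
"""

def parse(config):
    """Collect interface addresses, the http allow list, server port and asdm image."""
    ifaces, allow, port, asdm, name = {}, [], None, False, None
    for line in config.splitlines():
        w = line.split()
        asdm = asdm or w[:2] == ["asdm", "image"]
        if w[:1] == ["interface"]:
            name = None                      # new interface block, nameif not seen yet
        elif w[:1] == ["nameif"]:
            name = w[1]
        elif w[:2] == ["ip", "address"] and len(w) >= 4 and name:
            ifaces[name] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[:3] == ["http", "server", "enable"]:
            port = int(w[3]) if len(w) > 3 else 443
        elif w[:1] == ["http"] and len(w) == 4 and w[1][0].isdigit():
            allow.append((ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False), w[3]))
    return ifaces, allow, port, asdm

def check_access(config, client, target):
    """Return (url, problems) for a client browsing to an ASA interface address."""
    ifaces, allow, port, asdm = parse(config)
    client, target = ipaddress.ip_address(client), ipaddress.ip_address(target)
    problems = []
    if port is None:
        problems.append("http server is not enabled")
    if not asdm:
        problems.append("no asdm image configured")
    owner = next((n for n, i in ifaces.items() if i.ip == target), None)
    if owner is None:
        problems.append(f"{target} is not an address configured on the ASA")
    elif not any(client in net and ifn == owner for net, ifn in allow):
        problems.append(f"no http rule permits {client} on interface {owner}")
    url = f"https://{target}/" if port in (None, 443) else f"https://{target}:{port}/"
    return url, problems
```

An empty problem list means the running config permits that client on that interface; the 3DES/AES license state comes from "show version" and is not covered by this check.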






The print screen I attached was from when I accessed the management interface of Firewall-02, whose management interface IP address is I had tried to access both the firewall 1 and firewall-2 management interfaces after applying the ASA 3DES license key which I got from Cisco. The result was the same. I don't know whether it is my configuration issue or some other unknown issue.

I have attached the diagram of the network, which shows how the firewalls are connected. Meanwhile I also hope that someone can teach me how to configure HA using the command line, as at the moment I can't use the ASDM. I have searched on the Cisco website and they mention context. I have a few questions about that, as below:

1. What is it about?

2. Why do we need to create 2 contexts in 1 firewall?

Many thanks in advance.

Hi Vincent,

The issue is not that complex, and is frequently encountered.

Please refer to this document I wrote on troubleshooting ASDM access, as you are facing the exact same issue.

Hope this helps.


P.S.: Please mark the question resolved, if it has been answered. Do rate helpful posts. Thanks

Hi Shrikant Sundaresh,

I will try the recommended solution in your post and will update you on whether it works or not, as the firewall is installed at the project site far from my current location. I will only go there again in 2 weeks' time. Anyway, many thanks in advance.
