Unable to Access Management Interface

mario11584
Level 1

Looked around the forums but couldn't find a clear answer. I just recently installed an ASA 5510. I am unable to get access to the Management interface. It lives on a VLAN dedicated to managing network devices. I have access to other devices on this VLAN from other VLANs on the network. I've gone through the configs in the config guide to get SSH access enabled and I haven't had any luck. I have attached a running-config for reference. Any thoughts or ideas?

Jouni Forss
VIP Alumni

Hi,

Would have to know what the source address for the management connection is.

You seem to have overlapping routes on the ASA towards both "management" and "inside". So considering that, one issue might be return routing.

route management 10.141.0.0 255.255.0.0 10.129.0.1 1

route inside 10.141.0.0 255.255.255.0 10.128.0.2 1

If the managing host is in the network 10.141.0.0/24 the connections from management connections will fail. If the connections are coming from any other subnet of the bigger subnet 10.141.0.0/16 then routing should be fine at least.

Are you saying that neither ASDM nor SSH works when connecting to the "management" interface's IP address?

- Jouni

Hi,

Thanks for the reply. To answer your questions I currently don't have access to the management interface when I attempt to use ASDM or SSH. I do however have access using the inside interface. But that is just temporary until I get the management interface working.

We have a supernet of 10.128.0.0/9. That is subnetted into over a dozen VLANs on a Layer 3 Brocade switch. Most of the VLANs have virtual interfaces on the switch where all the routing is taking place. This ASA management interface lives on the 10.129.0.0/16 subnet. Its default gateway should be 10.129.0.1. My traffic to the management interface is coming from 10.141.0.0/24.

Concerning the overlapping routes, I guess I am still a little confused though with how routing is configured on an ASA. So to me this configuration, route management 10.141.0.0 255.255.0.0 10.129.0.1 1, says to route traffic from the management interface destined to 10.141.0.0/16 to the interface 10.129.0.1 with an AD of 1. This is why I have overlapping routes, because I have traffic from different interfaces that go to different default gateways. The interfaces both live on different VLANs.

Any clarification and schooling is welcome.

Hi,

Actually I might have been wrong about this.

When we're dealing with connections coming towards the ASA itself (its interface) then it would seem that the connection works just fine. I for example configured a loopback interface on my LAN router and configured a specific route towards my WLAN interface and a less specific route towards the LAN interface, and was able to telnet to the ASA from the router with the loopback interface IP address as the source without any problems.

Though in a situation where you had traffic destined through the ASA to the destination network 10.141.0.0/24 for example then the traffic would be forwarded to the "inside" interface since it has the more specific route.

Have you monitored the device logs while attempting to connect to the "management" interface?

Have you been able to ping the "management" interface?

Have you gone through the whole path between the source and destination and confirmed that everything is ok?

You can check the ports on which the ASA is listening with the command:

show asp table socket

This also shows active connections to the ASA itself.

- Jouni
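
Added example, not part of the original thread and not Cisco code: a simplified Python model of longest-prefix-match selection over the two route statements quoted above, showing which interface traffic routed through the ASA toward each part of 10.141.0.0/16 would use. The function names and the sample host addresses are constructed for illustration.

```python
import ipaddress

# The two static routes quoted in the thread (ASA syntax:
# route <interface> <network> <netmask> <gateway> <metric>).
ROUTES = """\
route management 10.141.0.0 255.255.0.0 10.129.0.1 1
route inside 10.141.0.0 255.255.255.0 10.128.0.2 1
"""

def parse_routes(text):
    """Parse ASA 'route' lines into (interface, network, gateway) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        ifname, net, mask, gw = parts[1:5]
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        routes.append((ifname, network, ipaddress.ip_address(gw)))
    return routes

def lookup(routes, dest):
    """Longest-prefix match: the route used for dest, or None if none matches."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in r[1]]
    return max(matches, key=lambda r: r[1].prefixlen, default=None)

def overlaps(routes):
    """Pairs of routes on different interfaces whose prefixes overlap,
    returned as ((wide_if, wide_net), (narrow_if, narrow_net))."""
    found = []
    for i, (if_a, net_a, _) in enumerate(routes):
        for if_b, net_b, _ in routes[i + 1:]:
            if if_a != if_b and net_a.overlaps(net_b):
                pair = sorted([(if_a, net_a), (if_b, net_b)],
                              key=lambda x: x[1].prefixlen)
                found.append((pair[0], pair[1]))
    return found

if __name__ == "__main__":
    routes = parse_routes(ROUTES)
    for (wif, wnet), (nif, nnet) in overlaps(routes):
        print(f"{nnet} via {nif} overrides part of {wnet} via {wif}")
    for host in ("10.141.0.25", "10.141.7.25"):  # constructed sample hosts
        ifname, net, gw = lookup(routes, host)
        print(f"{host} -> {ifname} (route {net}, next hop {gw})")
```
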

Thanks again for your help. With your help I was able to figure out what the problem was: my stupidity and fat fingers. The logs didn't show any traffic to 10.129.0.51, which was suspicious. There was plenty of activity to the inside interface. So I tried pinging the management interface from another device on the same VLAN and nothing. So I double checked to make sure that interface was on the correct VLAN and it wasn't. It was on VLAN 1299 and not VLAN 129. This is in part the silly way a VLAN is configured and managed and a port assigned to a VLAN on a Brocade. My bad. Thanks again for your help!

Problem solved!
