01-18-2014 10:32 PM - edited 03-11-2019 08:32 PM
Hi everyone,
While using full tunnel RA VPN I am unable to SSH to the ASA.
The log gives this error:
Jan 18 2014 23:23:25: %ASA-6-110002: Failed to locate egress interface for TCP from outside:10.0.0.51/55694 to 10.0.0.1/22
Where 10.0.0.1 is the IP of the ASA inside interface.
I also tried to SSH to the ASA outside interface IP while connected to the RA VPN; that does not work either.
I am assigned IP 10.0.0.51 by the ASA IP pool.
I cannot ping the gateway IP of 10.0.0.1.
Is there a way I can fix all this?
Regards
Mahesh
01-19-2014 08:09 AM
Have you configured the management-access command?
For example:
management-access inside
--
Please remember to rate and select a correct answer
01-19-2014 09:35 AM
Hi Marius,
That command did the magic.
Now from the VPN client PC I can ping the inside interface IP.
I can SSH to the ASA.
I also have ASDM access to the ASA.
Can you please explain how ping to the inside IP also works now?
C:\Users\manveer>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : cbt.com
Link-local IPv6 Address . . . . . : fe80::d429:2885:1230:7d4a%24
IPv4 Address. . . . . . . . . . . : 10.0.0.51
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.0.1
IPv4 Address. . . . . . . . . . . : 192.168.98.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.98.1
C:\Users\manveer>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=4ms TTL=255
Reply from 10.0.0.1: bytes=32 time=2ms TTL=255
Reply from 10.0.0.1: bytes=32 time=2ms TTL=255
Reply from 10.0.0.1: bytes=32 time=2ms TTL=255
Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 4ms, Average = 2ms
C:\Users\manveer>
Regards
Mahesh
01-19-2014 10:02 AM
When you connect to the ASA on a RA VPN the management-access command allows you to manage the ASA via a different interface than the one your VPN connects to. Since you are connecting to the outside interface which most likely has a security level of 0, SSH is not permitted on any interface with a security level of 0. And therefore you need to have this command to be able to access the device over VPN.
To be able to connect to an IP you need to have reachability to that IP, which is what the management-access command does for the interface that you specify. One of the features provided by this command is the ability to ping the defined management interface.
--
Please remember to rate and select a correct answer
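The check discussed in this thread, as an added example that is not part of any poster's reply: a small Python audit that takes the 110002 syslog line from the question and reports whether the running-config has management-access for the interface that owns the destination IP and an ssh allow entry on that interface covering the VPN client. The sample config is constructed (only "management-access inside" and the 10.0.0.1 inside address come from the thread), and the names parse_config and diagnose are hypothetical.

```python
import ipaddress
import re

# Constructed sample running-config. Only "management-access inside" and the
# inside address 10.0.0.1 come from the thread; everything else is assumed.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
management-access inside
ssh 10.0.0.0 255.255.255.0 inside
"""
# Syslog line quoted in the original question.
LOG = ("Jan 18 2014 23:23:25: %ASA-6-110002: Failed to locate egress interface "
       "for TCP from outside:10.0.0.51/55694 to 10.0.0.1/22")
LOG_RE = re.compile(r"%ASA-6-110002: .* from (\S+):([\d.]+)/\d+ to ([\d.]+)/(\d+)")

def parse_config(text):  # interface IPs, management-access interface, ssh allow list
    cfg, name = {"ifaces": {}, "mgmt": None, "ssh": []}, None
    for words in filter(None, map(str.split, text.splitlines())):
        if words[0] == "interface":
            name = None  # a new interface block starts; forget the previous nameif
        elif words[0] == "nameif":
            name = words[1]
        elif words[:2] == ["ip", "address"] and name:
            cfg["ifaces"][name] = ipaddress.ip_address(words[2])
        elif words[0] == "management-access":
            cfg["mgmt"] = words[1]
        elif words[0] == "ssh" and len(words) == 4 and words[1][0].isdigit():
            # "ssh <network> <mask> <interface>" allow entry (IPv4 only here)
            net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
            cfg["ssh"].append((net, words[3]))
    return cfg

def diagnose(log_line, cfg):  # explain a 110002 drop aimed at another ASA interface
    m = LOG_RE.search(log_line)
    if not m:
        return "not a 110002 message"
    src_if, port = m.group(1), int(m.group(4))
    src, dst = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
    target = next((n for n, ip in cfg["ifaces"].items() if ip == dst), None)
    if target is None or target == src_if:
        return "destination is not another ASA interface"
    if cfg["mgmt"] != target:
        return f"missing: management-access {target}"
    if port == 22 and not any(src in net and i == target for net, i in cfg["ssh"]):
        return f"missing: ssh allow entry for {src} on {target}"
    return "ok"
```

Keeping the ssh allow entry scoped to the VPN pool rather than a broad range limits which clients can reach the management plane once management-access is enabled.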
01-19-2014 10:19 AM
Hi Marius,
Thanks for sharing the valuable info here.
Best Regards
Mahesh