I upgraded all my firewalls from 9.4 to 9.8(4)12. They are running in single context routed mode. I disabled the rest-api agent, as per the upgrade instructions, while doing the upgrade. After upgrading the OS, I upgraded the Rest API package to asa-restapi-7131-lfbff-k8.SPA. the file passes the verification check. Cisco Don't seem to have bothered to update any of the guide docs for this version
I have enabled the api again with no errors, but it does not work properly. I have two primary problems:
It no longer works with TACACS, where as it previously did. The TACACS server has the enable_1 user, as required. If I disable TACACS and only do local auth for http I can authenticate, but the API does not work properly. It doesn't seem to pass the username and password through correctly from the Rest API agent web server to the aaa process. The tacacs logs just show password incorrect. it definitely is not, as I log in to ssh with the same password.
Another example of weirdness: If I go to the https://firewall/doc/ I get a skeleton page with no information populated.
If I try and use the RESTClient addon for Firefox to get a page, even with the basic auth authentication set, I just get a response page asking for my credentials.
<FORM METHOD=POST autocomplete=new-password style="max-width:300px;margin:auto"><HEAD><TITLE>Authorization Required</TITLE></HEAD><H2>Authorization Required!</H2><label for=user>Username</label><br><input id=user name=username type=text><br><label for=pass>Password</label><br><input id=pass name=password type=password><br><INPUT TYPE=HIDDEN NAME=csrf_token VALUE="b54313a25468d6854351a3218b3613512f321321"> <INPUT TYPE=submit VALUE=submit> </FORM>
If I go to the same api url in a normal browser window, I get prompted with the authentication credentials page, which then gives me Invalid request content-type:application/x-www-form-urlencoded
