
Can't log into remote ASA5505 on code 8.0.5

Tod Larson
Level 3

I have 2 ASA5505 firewalls deployed, 1 at the data center (code v8.0.3) and 1 at a remote location (code v8.0.2).  The remote location has 2 PCs that connect back to the data center to access the directory services, exchange, file servers, etc.  The ASA5505 firewalls are configured for a site to site VPN.

We were having stability issues with the remote ASA so we decided to upgrade the code as a first step.

We updated the data center to 8.0.5 and all was well.  Data was flowing and I could get into both ASAs from the data center via ASDM and ssh.

Then I updated the remote location to 8.0.5.  Now I can't ASDM or ssh into either ASA unless I'm at that specific site.  PCs are still able to connect to their servers.

I am unable to ping, telnet, ssh or ASDM into the inside vlan ip address while I am at the other site.  I can see in the logs inbound connections being built on the distant firewall but it doesn't build a new outbound connection to reply traffic.

Did 8.0.5 do something to block management connections from the outside?


7 Replies

Jennifer Halim
Cisco Employee

Do you have the command "management-access inside" configured?

That sort of worked.  I didn't have "management-access inside" configured.  I added that command to both ASAs, but now I can only ssh into the remote ASA.  I still can't ASDM into the remote ASA.

Any further guidance?

Great, we are 1 step ahead.

For ASDM, please run "sh run http", and see if the ip address of the remote subnet where you are trying to connect from is in the config.

Format:

http inside

Hope that helps.

Here's the output of "sh run http"

http server enable

http 0.0.0.0 0.0.0.0 inside

I'm trying to asdm in from the 10.1.4.0 network so that looks good.

Still no joy.  ASDM just spins saying "Connecting to Device.  Please wait..."  until I red-X the window.

Thank you.
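The check Jennifer describes above (does an "http"/"ssh" line cover the subnet you are connecting from, and is "management-access inside" present) can be automated against "sh run" output. The following is an added example, not code from the thread or from Cisco; the sample configuration it parses is constructed from the lines quoted in this thread plus an assumed "ssh" line, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample config in the style of "sh run http" / "sh run ssh"
# output. The http lines are the ones quoted in the thread; the ssh line
# and "management-access inside" are assumed for illustration.
SAMPLE_CONFIG = """\
http server enable
http 0.0.0.0 0.0.0.0 inside
ssh 10.1.4.0 255.255.255.0 inside
management-access inside
"""

# ASA management ACL lines look like: <proto> <address> <mask> <interface>
MGMT_LINE = re.compile(r"^(http|ssh|telnet)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_mgmt_rules(config):
    """Return {proto: [(ip_network, interface), ...]} for http/ssh/telnet lines."""
    rules = {"http": [], "ssh": [], "telnet": []}
    for line in config.splitlines():
        m = MGMT_LINE.match(line.strip())
        if not m:
            continue  # "http server enable" has only three tokens and is skipped here
        proto, addr, mask, iface = m.groups()
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # ignore lines whose address/mask do not parse
        rules[proto].append((net, iface))
    return rules


def allowed_interfaces(rules, proto, source_ip):
    """Interfaces on which `proto` sessions from `source_ip` are permitted."""
    ip = ipaddress.ip_address(source_ip)
    return [iface for net, iface in rules[proto] if ip in net]


def check_management_source(config, source_ip, proto, interface="inside"):
    """List the config gaps that would stop a `proto` session from `source_ip`
    arriving on `interface` (e.g. across the site-to-site VPN). Empty = OK."""
    lines = {line.strip() for line in config.splitlines()}
    rules = parse_mgmt_rules(config)
    problems = []
    if interface not in allowed_interfaces(rules, proto, source_ip):
        problems.append(
            f"no '{proto} <net> <mask> {interface}' line covers {source_ip}")
    if proto == "http" and "http server enable" not in lines:
        problems.append("'http server enable' is missing")
    if f"management-access {interface}" not in lines:
        problems.append(
            f"'management-access {interface}' is missing, so the {interface} "
            f"address is not reachable for management over the VPN")
    return problems


if __name__ == "__main__":
    # The poster connects from the 10.1.4.0 network; 10.1.4.10 is a constructed host.
    for proto in ("http", "ssh"):
        print(proto, check_management_source(SAMPLE_CONFIG, "10.1.4.10", proto) or "ok")
```

The checks cover only the lines discussed in the thread; as the later replies show, ASDM can still hang even when these all pass, because the failure can be in the path (MTU) rather than in the management ACLs.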

And assuming that you already have ASDM image in that ASA, what is the version of ASDM installed?

Can you share config from both end pls?

Tod Larson
Level 3

We finally found the answer. 

The service provider was dropping any packets larger than 1340 bytes.  There was no ICMP fragmentation needed message coming back or anything.  We have a GRE tunnel sourced on internal routers with MTU of 1300 and all customer traffic was using this GRE so they weren't ever affected.  The ASDM traffic does not use the GRE tunnel so it was being dropped.  Normal SSH traffic must be small in nature so it wasn't affected.

I set the following on both my ASAs.

mtu outside 1330

mtu inside 1330

Now I can ASDM into the remote site.  Finally!  It's nice to finally and positively fix a long-standing, thorn-in-the-side, low-priority issue.
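What the poster hit is a path MTU blackhole: large packets are silently dropped and no ICMP "fragmentation needed" message is returned, so TCP never learns to shrink its segments. Small SSH packets pass, ASDM's larger ones vanish. One way to confirm the threshold before changing the ASA MTU is to send don't-fragment pings of increasing size and binary-search the largest that still gets a reply. The script below is an added example, not code from the thread or from Cisco; it assumes Linux iputils `ping` flags (`-M do` to set DF, `-s` for payload size), and the `fake_probe` it ships with is constructed to reproduce the thread's 1340-byte cutoff so the logic can be exercised offline.

```python
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, payload, timeout=2):
    """Send one ICMP echo with DF set and `payload` data bytes.
    Returns True if a reply arrived. Linux iputils flags assumed."""
    cmd = ["ping", "-c", "1", "-W", str(timeout), "-M", "do",
           "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    return result.returncode == 0


def largest_passing_payload(probe, lo=0, hi=1472):
    """Binary-search the largest payload for which probe(size) succeeds.
    hi=1472 is the payload that fills a 1500-byte Ethernet frame.
    Assumes a blackhole behaves monotonically: once a size fails, all
    larger sizes fail too. Returns None if even `lo` gets no reply."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def suggested_mtu(largest_payload, headroom=10):
    """Turn the probed payload into a link MTU to configure, with the kind of
    margin the poster used (1340 observed, 1330 configured)."""
    return largest_payload + IP_ICMP_OVERHEAD - headroom


def fake_probe(payload):
    """Constructed stand-in for ping_df: the provider in the thread passed
    packets of at most 1340 bytes on the wire and dropped anything larger."""
    return payload + IP_ICMP_OVERHEAD <= 1340


if __name__ == "__main__":
    # Usage: python pmtu_probe.py <host>   (omit host to run the offline stand-in)
    if len(sys.argv) > 1:
        probe = lambda size: ping_df(sys.argv[1], size)
    else:
        probe = fake_probe
    best = largest_passing_payload(probe)
    if best is None:
        print("no reply even for a minimal packet; check reachability first")
    else:
        print(f"largest passing packet: {best + IP_ICMP_OVERHEAD} bytes on the wire")
        print(f"suggested 'mtu <interface> {suggested_mtu(best)}'")
```

Against the constructed probe the search lands on a 1312-byte payload (1340 bytes on the wire) and suggests an MTU of 1330, which is the value the poster settled on. A probe that never gets a reply for any size points at a reachability or ICMP-filtering problem rather than an MTU one, which is why the script distinguishes that case instead of reporting a zero MTU.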

That's an odd one, thanks for sharing the solution!