01-06-2011 08:32 AM
I have 2 ASA5505 firewalls deployed, 1 at the data center (code v8.0.3) and 1 at a remote location (code v8.0.2). The remote location has 2 PCs that connect back to the data center to access the directory services, exchange, file servers, etc. The ASA5505 firewalls are configured for a site to site VPN.
We were having stability issues with the remote ASA so we decided to upgrade the code as a first step.
We updated the data center to 8.0.5 and all was well. Data was flowing and I could get into both ASAs from the data center via ASDM and ssh.
Then I updated the remote location to 8.0.5. Now I can't ASDM or ssh into either ASA unless I'm at that specific site. PCs are still able to connect to their servers.
I am unable to ping, telnet, ssh or ASDM into the inside vlan ip address while I am at the other site. I can see in the logs inbound connections being built on the distant firewall but it doesn't build a new outbound connection to reply traffic.
Did 8.0.5 do something to block management connections from the outside?
01-06-2011 07:12 PM
Do you have the command "management-access inside" configured?
01-07-2011 01:11 PM
That sort of worked. I didn't have "management-access inside" configured. I added that command to both ASAs, but now I can only ssh into the remote ASA. I still can't ASDM into the remote ASA.
Any further guidance?
01-07-2011 02:18 PM
Great, we are one step ahead.
For ASDM, please run "sh run http", and see if the ip address of the remote subnet where you are trying to connect from is in the config.
Format:
http
Hope that helps.
01-07-2011 02:25 PM
Here's the output of "sh run http"
http server enable
http 0.0.0.0 0.0.0.0 inside
I'm trying to asdm in from the 10.1.4.0 network so that looks good.
Still no joy. ASDM just spins saying "Connecting to Device. Please wait..." until I red-X the window.
Thank you.
01-07-2011 02:27 PM
And assuming that you already have ASDM image in that ASA, what is the version of ASDM installed?
Can you share the config from both ends, please?
02-08-2012 05:43 PM
We finally found the answer.
The service provider was dropping any packets larger than 1340 bytes. There was no ICMP "fragmentation needed" message coming back or anything. We have a GRE tunnel sourced on internal routers with an MTU of 1300, and all customer traffic was using this GRE tunnel, so they were never affected. The ASDM traffic does not use the GRE tunnel, so it was being dropped. Normal SSH traffic must be small in nature, so it wasn't affected.
I set the following on both my ASAs.
mtu outside 1330
mtu inside 1330
Now I can ASDM into the remote site. Finally! It's nice to finally and positively fix a long-standing, thorn-in-the-side, low-priority issue.
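A way to confirm the kind of silent drop described in this post, as an added example that is not from the thread or from Cisco: a shell script that binary-searches the largest packet that crosses a path with the DF bit set, so a black hole like the provider's 1340-byte limit shows up even when no ICMP "fragmentation needed" comes back. Linux ping flags are assumed, and the names `probe` and `find_path_mtu` are chosen here.

```shell
#!/bin/sh
# probe PAYLOAD TARGET -> exit 0 if one ICMP echo with DF set and PAYLOAD
# data bytes is answered. Linux ping: -M do sets DF, -s is the payload size,
# so the IP packet on the wire is PAYLOAD + 28 bytes (20 IP + 8 ICMP).
# (macOS/BSD ping uses -D instead of -M do.)
probe() {
    ping -c 1 -W 2 -M do -s "$1" "$2" >/dev/null 2>&1
}

# find_path_mtu TARGET [LO] [HI] [PROBE]
# Prints the largest IP packet size in [LO, HI] that still gets a reply.
# LO must pass (576 is safe for IPv4); HI defaults to Ethernet's 1500.
# PROBE is the function used to test a size and defaults to probe above,
# which lets a fake probe stand in for a live network.
find_path_mtu() {
    target=$1; lo=${2:-576}; hi=${3:-1500}; fn=${4:-probe}
    "$fn" $((lo - 28)) "$target" || {
        echo "even $lo-byte packets fail: path down or ICMP blocked" >&2
        return 1
    }
    # If the top of the range passes, the path MTU is at least HI.
    if "$fn" $((hi - 28)) "$target"; then echo "$hi"; return 0; fi
    # Invariant: lo passes, hi fails; narrow until they are adjacent.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$fn" $((mid - 28)) "$target"; then lo=$mid; else hi=$mid; fi
    done
    echo "$lo"
}

# Usage against a real host: find_path_mtu 10.1.4.1
```

Set the interface MTU at or below the value printed (the post above used 1330 against a 1340-byte ceiling) and re-test after the change.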
02-08-2012 06:46 PM
That's an odd one, thanks for sharing the solution!