Anyconnect Issues with ASA Management

Azlan.my07
Level 1

Hello everyone. I'm having some problems with ASA AnyConnect. This is a Firepower 4100 series, and we installed the ASA image and configured AnyConnect.

We're having trouble connecting AnyConnect after assigning "management-access" to the management interface. For your information, the management interface is used to interact with the AAA server. We can connect when we set management-access to none, but then we can't manage the ASA via ASDM/SSH, even though we have allowed both, and I'm still unable to.

Scenario 1:

After assigning "management-access" to the management interface, I tried to log in to AnyConnect; after login, it shows a timeout error, which we assume means the ASA is unable to communicate with our RADIUS.

Scenario 2:

After setting management-access to none, we are able to connect AnyConnect but unable to access ASDM/SSH. However, while the user was still connected to the VPN, I changed management-access to the management interface, and we were able to access the device; once disconnected, it cannot connect anymore.

Internally we can access SSH/ASDM, but from Anyconnect we can't.

Do you guys have any idea? We opened a TAC case, but TAC recommended using the inside interface for management and assigning it to management-access, which we don't agree with at all.

Thanks

12 Replies

Can I see the AnyConnect NAT exception?

Hi,

As of now, I don't have any NAT configured. Do I need to configure it? This ASA is dedicated to AnyConnect only.

@Azlan.my07 do you have routing setup specifically for the management interface?

Test communication from the mgmt interface to the AAA servers.

Run "show route management-only" and provide the output. This would be a different route to the normal routing table.

Log in to AnyConnect with management-access configured and provide the output of "show aaa-server".

Hi @Rob Ingram

Yes, I've configured a route for management. When I tried to configure management-access without disconnecting my AnyConnect, I was able to connect to ASA management, but when I disconnected AnyConnect and tried to connect again, it failed.

If you want me to show you "show aaa-server" with management-access configured, I'll have to connect to AnyConnect and configure it first, then I'll try to get it.

Here is our "show run aaa-server" output.

aaa-server ServerA protocol ldap
aaa-server ServerA (management) host 10.10.10.245
 ldap-base-dn DC=ourdomain,DC=Domain,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *********
 ldap-login-dn CN=VPN 2 FA,OU=LdapService,DC=exampleMY,DC=Domain,DC=com
 server-type microsoft
 ldap-attribute-map AD_2FA

Thanks

I have an opinion here.
ASA-AAA:
When there is no management interface, the ASA connects to AAA via the first IP address of the AnyConnect pool.

When there is a management interface, the ASA connects to AAA via the management IP.

That is the issue here, I think.

Solve by
using the interface that is directly connected to AAA, not the management interface.
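As an added example (not configuration from this thread or from the poster's ASA), this is what the suggestion above looks like as ASA CLI: the LDAP server entry bound to the interface that directly reaches the AAA server instead of the management interface, a route to the AAA subnet through that interface, management-access pointed at the same interface, and the checks a practitioner would run before and after the change. The interface name inside, the VPN pool range 10.18.23.0/24, the next hop 10.10.10.1 and the placeholder values in angle brackets are assumptions; 10.10.10.245, the LDAP attributes and the interface name BDC-VPN-In are taken from what is already posted in the thread.

```cisco
! Added example, not the thread's running config. "inside", the pool range,
! the next hop and the <placeholders> are assumptions.
!
! 1. Bind the LDAP server to the interface that is directly connected to it.
!    The interface named in parentheses is the one the ASA sources its AAA
!    traffic from, so it decides which path an authentication request takes.
aaa-server ServerA protocol ldap
aaa-server ServerA (inside) host 10.10.10.245
 ldap-base-dn DC=ourdomain,DC=Domain,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password <ldap-service-account-password>
 ldap-login-dn CN=VPN 2 FA,OU=LdapService,DC=exampleMY,DC=Domain,DC=com
 server-type microsoft
 ldap-attribute-map AD_2FA
!
! 2. Route to the AAA subnet through the same interface (next hop assumed).
route inside 10.10.10.0 255.255.255.0 10.10.10.1 1
!
! 3. Device management over the VPN: management-access and the SSH/ASDM
!    permit statements all refer to the same interface, restricted to the
!    VPN pool rather than to any source.
management-access inside
ssh 10.18.23.0 255.255.255.0 inside
http 10.18.23.0 255.255.255.0 inside
!
! 4. Verification, run from the ASA CLI.
!    Confirm the ASA itself can authenticate against the server from the
!    chosen interface, independent of any VPN session:
!      test aaa-server authentication ServerA host 10.10.10.245 username <testuser> password <pw>
!    Confirm the server is reachable via the intended routing table:
!      show route
!    Confirm a VPN client's packet toward the ASA's own inside address is
!    accepted rather than dropped (client address as seen in the thread's log):
!      packet-tracer input BDC-VPN-In tcp 10.18.23.22 52841 <inside-interface-ip> 443
```

The "test aaa-server" step is worth running first: if it fails from the interface the server entry is bound to, the problem is reachability or routing between the ASA and the AAA server, not the VPN or management-access configuration, and the packet-tracer output will only confirm what the test already shows.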

Hi @MHM Cisco World

Thank you for your opinion. You mean I can use another interface, such as the inside interface, to communicate with the AAA server? How about the NAT exemption you mentioned?

If there is no other NAT, as you mentioned before, and this ASA is only for AnyConnect, then there is no need for a NAT exemption.

Any update? Did you reconfigure the ASA as I suggested?

@MHM Cisco World No, not yet. I just wanted to let you know that this is a Firepower 4112, so I'm using the ASA image. I can't use the dedicated management interface because it's just for the FXOS chassis. So I set interface eth 1/4 for ASA management, and I found one site that suggested configuring NAT, which I have yet to try.

@MHM Cisco World, I have found the following in the logs:

Duplicate TCP SYN from BDC-VPN-In:10.18.23.22/52841 to management:10.18.0.1/80 with different sequence number

Do you think this is the issue?

@Azlan.my07 

The management interface does not pass through traffic, so you'd not access that interface directly when connected to the ASA. So I'd expect the traffic to be routed to the inside interface, hairpin, and then access the management interface... assuming it's reachable from the LAN and not an isolated network?

Can you provide your configuration?

Can you provide your topology diagram?

Hi @Rob Ingram

I will PM you