01-04-2024 05:42 AM
Hello,
I use ASA with several site-to-site VPNs, everything works correctly (vpn ikev1/ikev2, ssh, asdm, ...)
I noticed that access to the page https://public_IP (outside interface) is open and displays "File not found"
My questions:
- Why does it display "File not found"?
- "File not found" = client software file (anyconnect-...-k9.pkg)?
- Is it possible to disable the HTTP service on the outside interface without impacting existing site-to-site VPNs?
# sh run | i http
http server enable
http local_ip 255.255.255.0 management
#sh asp table socket
SSL 08648f48 LISTEN public_IP:443 0.0.0.0:*
#sh run | i 443
crypto ikev2 enable outside client-services port 443
#webvpn
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect-essentials
 cache
  disable
 error-recovery disable
Thank you
01-04-2024 06:32 AM
What is the IKEv2 config you use on the ASA?
01-04-2024 06:52 AM
Remove "client-services port 443" from "crypto ikev2 enable outside client-services port 443". This is only needed for AnyConnect IKEv2 access.
01-04-2024 07:08 AM
Hello,
Thank you for your reply
@MHM Cisco World, what do you mean?
@tvotna, so, if I delete client-services port 443, I will not have access to the http web interface?
Thank you
01-04-2024 07:23 AM
What I mean is: do you run IKEv2 remote access or site-to-site?
MHM
01-04-2024 07:29 AM
The device will stop listening for TCP/443 on the outside interface. ASDM will continue working on the management interface.
01-04-2024 07:38 AM
Even so, share the config.
Why does AnyConnect IKEv2 use port 443!?
It uses IKEv2, so it must be 50/500/4500, not 443.
Is this a misconfig or what? Share the config and let me check.
MHM
01-04-2024 07:42 AM
Thank you @MHM Cisco World & @tvotna
It's OK, I deleted "client-services port 443".
No need for AnyConnect, only site-to-site VPN (ikev1/ikev2) in my case.
Thank you very much
01-04-2024 07:49 AM
#sh asp table socket
SSL 08648f48 LISTEN public_IP:443 0.0.0.0:* <<- this is not IKEv2 AnyConnect, this is for WebVPN.
And your HTTP (ASDM) runs on the mgmt interface only, not the outside.
So double-check.
Have a nice day
MHM
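An added example, not part of the original thread and not Cisco code: a small offline audit of saved `show running-config` and `show asp table socket` output that lists which configuration lines put a TLS listener on a given interface, so the change discussed above can be verified before and after. The function names and sample addresses are assumptions; the `enable <interface>` line under `webvpn` is the standard ASA command but does not appear in the poster's config.

```python
import re

# Constructed sample input, modelled on the output quoted in the thread;
# addresses are documentation ranges, not values from the page.
SAMPLE_RUN = """\
http server enable
http 192.0.2.0 255.255.255.0 management
crypto ikev2 enable outside client-services port 443
webvpn
 hsts
  enable
  max-age 31536000
 anyconnect-essentials
"""
SAMPLE_SOCKETS = "SSL 08648f48 LISTEN 203.0.113.10:443 0.0.0.0:*\n"

def tls_exposure(run_cfg, iface="outside"):
    """Return the config lines that make the ASA serve TLS on `iface`.

    Assumes the indentation that `show running-config` prints.
    """
    findings, in_webvpn = [], False
    http_server = re.search(r"^http server enable", run_cfg, re.M) is not None
    for raw in run_cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():          # top-level command: track webvpn block
            in_webvpn = line == "webvpn"
        if re.fullmatch(rf"crypto ikev2 enable {re.escape(iface)} client-services( port \d+)?", line):
            findings.append(line)         # AnyConnect IKEv2 client services
        elif in_webvpn and line == f"enable {iface}":
            findings.append("webvpn: " + line)   # WebVPN / AnyConnect SSL
        elif http_server and re.fullmatch(rf"http \S+ \S+ {re.escape(iface)}", line):
            findings.append(line)         # ASDM/HTTPS management access
    return findings

def listeners(socket_table, port=443):
    """Parse `show asp table socket` rows into (protocol, local_ip) for LISTEN sockets on `port`."""
    found = []
    for row in socket_table.splitlines():
        f = row.split()
        if len(f) >= 5 and f[2] == "LISTEN":
            ip, _, p = f[3].rpartition(":")
            if p == str(port):
                found.append((f[0], ip))
    return found

if __name__ == "__main__":
    print(tls_exposure(SAMPLE_RUN), listeners(SAMPLE_SOCKETS))
```

An empty result from `tls_exposure` together with no matching row from `listeners` for the outside address confirms the interface no longer answers on TCP/443.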