ASA Question

cisco.13
Level 1

Hello,
I use ASA with several site-to-site VPNs, everything works correctly (vpn ikev1/ikev2, ssh, asdm, ...)
I noticed that access to the page https://public_IP (outside interface) is open and displays "File not found"

My questions:
- Why does it display "File not found"?
- "File not found" = client software file (anyconnect-...-k9.pkg)?
- possible to disable http service on the outside interface, without impacting existing site-to-site VPNs?

# sh run | i http
http server enable
http local_ip 255.255.255.0 management

#sh asp table socket
SSL 08648f48 LISTEN public_IP:443 0.0.0.0:*

#sh run | i 443
crypto ikev2 enable outside client-services port 443

#webvpn
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect-essentials
 cache
  disable
 error-recovery disable

Thank you

Accepted Solutions

tvotna
Spotlight

Remove "client-services port 443" from "crypto ikev2 enable outside client-services port 443". This is only needed for AnyConnect IKEv2 access.

 

8 Replies

What is the IKEv2 config you use on the ASA?

cisco.13
Level 1

Hello,
Thank you for your reply
@MHM Cisco World, what do you mean?
@tvotna, so, if I delete client-services port 443, I will not have access to the http web interface?
Thank you

What I mean is: do you run IKEv2 remote access or site-to-site?
MHM

The device will stop listening for TCP/443 on the outside interface. ASDM will continue working on the management interface.

 

Even so, share the config.
Why does AnyConnect IKEv2 use port 443?!
It uses IKEv2, so it must be 50/500/4500, not 443.
Is this a misconfig or what? Share the config and let me check.
MHM

cisco.13
Level 1

Thank you @MHM Cisco World & @tvotna 
It's OK, I deleted "client-services port 443".
No need for AnyConnect, only site-to-site VPN (IKEv1/IKEv2) in my case.
Thank you very much

#sh asp table socket
SSL 08648f48 LISTEN public_IP:443 0.0.0.0:* <<- this is not IKEv2 AnyConnect, this is for WebVPN.
And your HTTP (ASDM) runs on the mgmt interface only, not the outside.

So double-check.
Have a nice day 
MHM
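
The check the accepted answer implies, as an added example that is not part of the original thread: it correlates `crypto ikev2 enable <if> client-services port <n>` statements with LISTEN rows from `show asp table socket` and leaves out interfaces that only carry ASDM `http` access. The IP addresses, the interface-to-IP map, the socket table header and its second row are constructed assumptions.

```python
import re

# Constructed sample input modelled on the output quoted in the thread.
# 203.0.113.10 stands in for the public IP, 192.0.2.0/24 for the mgmt network.
RUNNING_CONFIG = """\
http server enable
http 192.0.2.0 255.255.255.0 management
crypto ikev2 enable outside client-services port 443
"""
ASP_SOCKETS = """\
Protocol  Socket    State   Local Address     Foreign Address
SSL       08648f48  LISTEN  203.0.113.10:443  0.0.0.0:*
SSL       0864a1c8  LISTEN  192.0.2.1:443     0.0.0.0:*
"""
IFACE_IP = {"outside": "203.0.113.10", "management": "192.0.2.1"}  # assumed map

CLIENT_SVC = re.compile(r"crypto ikev2 enable (\S+) client-services port (\d+)$")
HTTP_ALLOW = re.compile(r"http (?!server\b)\S+ \S+ (\S+)$")

def client_services(config):
    """Map interface -> TCP port for each IKEv2 client-services statement."""
    hits = (CLIENT_SVC.match(l.strip()) for l in config.splitlines())
    return {m.group(1): int(m.group(2)) for m in hits if m}

def asdm_interfaces(config):
    """Interfaces named in 'http <net> <mask> <if>' (ASDM/HTTPS management)."""
    hits = (HTTP_ALLOW.match(l.strip()) for l in config.splitlines())
    return {m.group(1) for m in hits if m}

def listeners(sockets):
    """Set of (ip, port) pairs in LISTEN state from 'show asp table socket'."""
    found = set()
    for line in sockets.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "LISTEN":
            ip, _, port = f[3].rpartition(":")
            if port.isdigit():
                found.add((ip, int(port)))
    return found

def audit(config, sockets, iface_ip):
    """Listeners explained by client-services on a non-ASDM interface."""
    mgmt, open_socks = asdm_interfaces(config), listeners(sockets)
    return [(i, iface_ip[i], p) for i, p in sorted(client_services(config).items())
            if i in iface_ip and i not in mgmt and (iface_ip[i], p) in open_socks]

if __name__ == "__main__":
    for iface, ip, port in audit(RUNNING_CONFIG, ASP_SOCKETS, IFACE_IP):
        print(f"{iface}: {ip}:{port} is open because of client-services")
```

Running it again on the configuration and socket table captured after the change should return an empty list if the outside listener is gone.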