08-03-2017 01:57 PM
Hello!
I have several ASA5525Xs that I am in the process of trying to patch from ASA version 9.1(7)4 and ASDM version 7.5(2)153 to ASA version 9.4(4.5) and ASDM version 7.6(2) respectively. The issue I am having is that the ASA and ASDM upgrade will apply with no issue, but whenever access is attempted through either the existing installed version of ASDM or by browsing to the https://ASA_MGMT_IP/admin web page, no connection is established. Multiple browsers, Firefox v52, v50, IE11.0.9600, and Firefox on RHEL 6.8 Firefox v48, all give the same error: web page cannot be displayed. I have tried to change the port the HTTP server is enabled on, no change. Everything will connect fine with no issues as long as there is no config loaded. Once I put in the config to run my IPsec site-to-site VPN, I lose access to the page. I am attempting access through the management port. Any ideas what in the VPN config could be causing a loss of connection to the web page?
08-03-2017 06:58 PM
Is it only https that you lose or is ssh connectivity also affected?
08-04-2017 11:27 AM
Only HTTPS traffic is affected.
08-03-2017 09:45 PM
Hi,
Can you share the config which leads to this issue?
Regards,
Aditya
Please rate helpful and mark correct answers
08-04-2017 01:34 PM
08-04-2017 08:14 PM
What is the source address from which you are trying to access ASDM?
Have you tried connecting directly to the management interface (or subnet) and connecting?
Also, your trustpoint setup looks odd. I don't see the certificates. Can you remove the following and try again:
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=host,CN=Switch
 keypair ASDM_LAUNCHER
 crl configure
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
 quit
08-07-2017 01:56 PM
I have tried both from 230.x directly connected to the management interface and from 231.x which is not directly connected and no access from either.
The certificates are there but were scrubbed out before posting. I have deleted them and no access is available whether they are there or not.
08-07-2017 07:30 PM
Confirm the ASA is listening on port 443 as follows:
show asp table socket | i LISTEN | SSL
Have you tried a packet capture when you are directly connected and making the attempt?