02-21-2008 07:24 AM - edited 02-21-2020 03:34 PM
Hi,
Just bought myself an ASA5505 to replace a PIX 501, and having transferred over most of the previous config I've managed to get the two IPSEC VPN tunnels working as before.
Unfortunately when I try and SSH to the ASA the connection just resets instantly even when the tunnel is up. It seems as if the ASA is actively refusing the connection, though the log doesn't state this. I had always presumed that traffic over an established IPSEC tunnel was implicitly trusted and not subject to usual access-list rules.
I am unable to SSH to the ASA from the 10.0.0.x range, but I can SSH to a machine on 10.27.0.4 (so I know the tunnel is up and working).
Config (minus irrelevant sensitive information) is attached for reference.
Also - though I'm not sure how relevant it is given the tunnels appear to work - when I enter the line "crypto map meepnet-map interface outside" in config mode the ASA reports "WARNING: The crypto map entry is incomplete!" even though I have supplied the access-list, peer and transform-set variables.
Any help gratefully received! :)
Thanks,
Daz
02-21-2008 07:32 AM
Not sure if this is relevant but these appear to be the pertinent lines from my debug log when I try and make a connection from my PC at the remote end of the tunnel (10.0.0.125) to the ASA (10.27.0.1):
%ASA-5-713120: Group = x.x.196.101, IP = x.x.196.101, PHASE 2 COMPLETED (msgid=3f6ca37a)
%ASA-7-710005: UDP request discarded from vorniz/50939 to inside:10.27.0.255/3052
%ASA-7-609001: Built local-host outside:10.0.0.125
%ASA-7-609001: Built local-host NP Identity Ifc:10.27.0.1
%ASA-6-302013: Built inbound TCP connection 824 for outside:10.0.0.125/2550 (10.0.0.125/2550) to NP Identity Ifc:10.27.0.1/22 (10.27.0.1/22)
%ASA-6-302014: Teardown TCP connection 824 for outside:10.0.0.125/2550 to NP Identity Ifc:10.27.0.1/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
It would appear that the connection to port 22 (SSH) on the ASA is torn down immediately - hence the "Connection Reset" message.
I can SSH to the internet IP (true outside) of the ASA without issue with just "ssh
02-21-2008 12:07 PM
try adding:
ssh 10.0.0.0 255.255.255.0 inside
02-21-2008 12:37 PM
That fixed it, thanks.
Don't know how I could've missed something so obvious!
02-21-2008 12:38 PM
No problem...
That stuff happens to me all the time.
02-22-2008 02:51 AM
Looks like I spoke too soon on this.
I haven't changed the config since last night (but the tunnel has been brought down and back up again due to a router reboot) and I'm back to getting instant "Connection resets" when I try and connect to the ASA inside interface IP across the VPN.
Debug log info:
%ASA-6-302014: Teardown TCP connection 18335 for outside:10.0.0.125/3670 to NP Identity Ifc:10.27.0.1/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
%ASA-7-609002: Teardown local-host outside:10.0.0.125 duration 0:00:00
%ASA-7-609002: Teardown local-host NP Identity Ifc:10.27.0.1 duration 0:00:00
%ASA-7-609001: Built local-host outside:10.0.0.125
%ASA-7-609001: Built local-host NP Identity Ifc:10.27.0.1
%ASA-6-302013: Built inbound TCP connection 18336 for outside:10.0.0.125/3670 (10.0.0.125/3670) to NP Identity Ifc:10.27.0.1/22 (10.27.0.1/22)
%ASA-7-710005: TCP request discarded from 10.0.0.125/3670 to outside:10.27.0.1/22
%ASA-6-302013: Built inbound TCP connection 18337 for outside:10.0.0.125/3671 (10.0.0.125/3671) to NP Identity Ifc:10.27.0.1/22 (10.27.0.1/22)
%ASA-6-302014: Teardown TCP connection 18337 for outside:10.0.0.125/3671 to NP Identity Ifc:10.27.0.1/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
%ASA-6-302013: Built inbound TCP connection 18338 for outside:10.0.0.125/3671 (10.0.0.125/3671) to NP Identity Ifc:10.27.0.1/22 (10.27.0.1/22)
%ASA-7-710005: TCP request discarded from 10.0.0.125/3671 to outside:10.27.0.1/22
ssh 10.0.0.0 255.255.255.0 inside IS in the config.
02-22-2008 03:00 AM
Just fixed this myself, the missing line in the config was:
management-access inside
Found this after finding a result on Google about using ASDM. Adding this line allowed me to SSH to the inside interface of the ASA over the IPsec VPN.
Thanks for the help! :)
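As an added example (not code from the thread or from Cisco), a small Python check that pulls the "Flow terminated by TCP Intercept" teardowns to the ASA's identity interface out of syslog lines like the ones posted above, and then reports which of the two config lines discussed here (ssh/telnet/http ... inside and management-access inside) a given source still lacks. The log lines and config it runs against are constructed samples; named network objects such as Net_10.0.0.0 are not resolved.

```python
import ipaddress
import re

# Constructed sample lines in the two formats seen in this thread (raw %ASA
# syslog and the ASDM-style export); the last one is an ordinary data flow.
SAMPLE_LOGS = [
    "%ASA-6-302014: Teardown TCP connection 18337 for outside:10.0.0.125/3671 to NP Identity Ifc:10.27.0.1/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept",
    "6 Oct 23 2009 17:39:56 302014 10.2.0.52 1150 10.8.211.10 22 Teardown TCP connection 4208744 for outside:10.2.0.52/1150 to identity:10.8.211.10/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept",
    "%ASA-6-302014: Teardown TCP connection 900 for inside:10.27.0.50/44211 to outside:203.0.113.9/443 duration 0:01:12 bytes 5120 TCP FINs",
]
# Constructed config: the ssh line is there, management-access is not.
SAMPLE_CONFIG = "ssh 10.0.0.0 255.255.255.0 inside\nssh 192.0.2.0 255.255.255.0 outside\n"

TEARDOWN_RE = re.compile(
    r"302014.*?Teardown TCP connection \d+ for (?P<src_ifc>[^:]+):(?P<src>[\d.]+)/\d+ "
    r"to (?P<dst_ifc>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) duration \S+ "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$"
)
MGMT_PORTS = {22: "ssh", 23: "telnet", 443: "http"}  # value doubles as the config keyword

def find_mgmt_intercepts(lines):
    """Zero-byte flows to the ASA's own identity interface on a management port, torn down by TCP Intercept."""
    hits = []
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if (m and "identity" in m["dst_ifc"].lower() and int(m["dport"]) in MGMT_PORTS
                and int(m["bytes"]) == 0 and "TCP Intercept" in m["reason"]):
            hits.append({"src": m["src"], "src_ifc": m["src_ifc"], "dst": m["dst"],
                         "service": MGMT_PORTS[int(m["dport"])]})
    return hits

def check_config(config_text, src_ip, service, ifc="inside"):
    """Config lines still missing for src_ip to reach `service` on `ifc` through the
    tunnel: a '<service> <net> <mask> <ifc>' entry covering the source, and
    'management-access <ifc>'. Named objects (e.g. Net_10.0.0.0) are skipped."""
    lines = config_text.splitlines()
    src = ipaddress.ip_address(src_ip)
    covered = False
    for parts in (l.split() for l in lines):
        if len(parts) == 4 and parts[0] == service and parts[3] == ifc:
            try:
                covered |= src in ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            except ValueError:  # object name rather than a dotted network
                pass
    missing = []
    if not covered:
        missing.append(f"{service} <source-net> <mask> {ifc}")
    if f"management-access {ifc}" not in lines:
        missing.append(f"management-access {ifc}")
    return missing
```

Running find_mgmt_intercepts(SAMPLE_LOGS) flags both SSH attempts and not the ordinary HTTPS flow; check_config(SAMPLE_CONFIG, "10.0.0.125", "ssh") then reports only management-access inside as missing.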
10-06-2009 12:46 PM
It looks like I'm hitting the same problem, although management-interface did not fix it.
At our main site, clients behind a PIX 515 with software version 8.0(2) can connect to the management interface of an ASA on the other side of a DS3 which is protected by an IPSEC VPN. This ASA has been configured with ssh 0 0 inside and management-interface inside.
Clients at the remote site, local (on the inside interface) or remote, are unable to initiate HTTPS or SSH connections to the PIX. The PIX has been configured with ssh 0 0 inside as well as management-interface inside, but connections are closed when an attempt is made to connect.
10-23-2009 02:13 PM
Having the same issue as described above... Remote site connected via VPN tunnel with the following confirmed in config:
!
http Net_10.0.0.0 255.0.0.0 inside
telnet Net_10.0.0.0 255.0.0.0 inside
ssh Net_10.0.0.0 255.0.0.0 inside
management-access inside
!
Version 8.0(4)23
-From main site I can ASDM to ASA, but I can't telnet or SSH direct to it.
6 Oct 23 2009 17:39:56 302014 10.2.0.52 1150 10.8.211.10 22 Teardown TCP connection 4208744 for outside:10.2.0.52/1150 to identity:10.8.211.10/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6 Oct 23 2009 17:39:56 302014 10.2.0.52 1150 10.8.211.10 22 Teardown TCP connection 4208745 for outside:10.2.0.52/1150 to identity:10.8.211.10/22 duration 0:00:00 bytes 0 TCP Reset-I
11-06-2009 02:59 PM
I ran into the same problem as well.
What fixed it is to remove the management-access inside command and then re-add it.
Hope that helps.
06-15-2011 02:05 PM
Just ran into the same issue and phithang's solution fixed it.
Thanks.
06-15-2011 10:50 PM
Hello Darren,
Please mark it as answered if your query is resolved. Appreciate your time!
Regards,
Ankur Thukral
Community Manager- Security & VPN
09-10-2015 10:36 PM
Regression bug? Maybe. 9.5.1, the last version, has the same problem. I think it should be corrected. Phithang, many thanks!
03-29-2012 12:06 PM
Thanks Daz.
I used the same command for my issue, wow, my issue got fixed. I can take a breath now.
"management-access inside" is a good answer to the telnet and ssh issue over an ipsec tunnel.