Cannot manage ASA via new Anyconnect VPN

Hi

I have a customer who is migrating from one ISP to another on their ASA. Both internet links are up, but they are using the new provider, let's call them ISP-B, for all traffic.

We have an Anyconnect VPN on the old connection via ISP-A and are intending to turn that off and move the VPN completely to the new ISP-B connection.

When we connect to the original VPN we can manage the ASA via the inside address on ASDM, telnet and SSH. When we connect via the new VPN on ISP-B we can connect to every device inside but cannot get to the ASA via the inside address on ASDM, telnet or SSH.

When I connect to the ASDM on the old connection and watch the log of an attempt via the new connection, the initial SYN gets to the ASA but nothing else happens.

Both VPNs are set up the same, except that connections via ISP-A use address Pool-A and connections via ISP-B use Pool-B. Routing is set up to route these pools out the correct interface. So in short, via ISP-B I can connect to corporate stuff through the firewall but cannot connect to the firewall.

Both VPNs use the same group policy settings with the exception of the address pools.

The ASA is set up to allow ASDM, telnet and SSH via 0.0.0.0 0.0.0.0 inside.

Management interface is the inside.

Authentication is local in both cases.

I connect via the same laptop to the successful VPN and the failing VPN.

I have 2 connection profiles such that connecting via ISP-A will get an address from Pool-A and connecting via ISP-B will get an address from Pool-B.

It's difficult to get packet captures etc. via the VPN to get more evidence, but on the ASDM launcher I see the following with a successful connection.


----------------------------------------------------
Application Logging Started at Mon Jan 19 20:08:28 GMT 2015
---------------------------------------------
Local Launcher Version = 1.5.71
Local Launcher Version Display = 1.5(71)
OK button clicked
Trying for ASDM Version file; url = https://192.xxx.xxx.xxx/admin/
Server Version = 7.1(3)
Server Launcher Version = 1.5.64, size = 770048 bytes
Launcher version checking is successful.
invoking SGZ Loader..
Cache location = C:/Users/xxxxxxxxxxx/.asdm/cache
isUnlimitedKBytesSALifetimeSupported: true
HomeStatusPanel init 0
isUnlimitedKBytesSALifetimeSupported: true
isUnlimitedKBytesSALifetimeSupported: true

And I see the following when the connection fails on the ISP-B VPN.

----------------------------------------------------
Application Logging Started at Mon Jan 19 20:11:44 GMT 2015
---------------------------------------------
Local Launcher Version = 1.5.71
Local Launcher Version Display = 1.5(71)
OK button clicked
Info: Pre-login banner not supported at https://192.xxx.xxx.xxx/admin/login_banner
Trying for ASDM Version file; url = https://192.xxx.xxx.xxx/admin/
No version file found
Trying for IDM. url=https://192.xxx.xxx.xxx/idm/idm.jnlp/
[Fatal Error] :6:3: The element type "br" must be terminated by the matching end-tag "</br>".
org.xml.sax.SAXParseException: The element type "br" must be terminated by the matching end-tag "</br>".
    at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(Unknown Source)
    at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(Unknown Source)
    at javax.xml.parsers.DocumentBuilder.parse(Unknown Source)
    at com.cisco.launcher.s.a(Unknown Source)
    at com.cisco.launcher.s.for(Unknown Source)
    at com.cisco.launcher.s.new(Unknown Source)
    at com.cisco.launcher.s.access$000(Unknown Source)
    at com.cisco.launcher.s$2.a(Unknown Source)
    at com.cisco.launcher.g$2.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Any help would be greatly appreciated.

Stuart.

1 REPLY 1
I've done a bit more troubleshooting on this. Even though I could connect to the ASDM via the VPN on the original ISP link, I couldn't on the new one.

As a test I changed the ASDM port and it started working. I found this might have been needed by trying to browse to the ASDM via the inside interface over Anyconnect, and I was presented with the Anyconnect clientless login screen even though Anyconnect is not enabled on the inside interface. So that made me change the port to 4443 and it started working. Strangely though, I still can't get telnet or SSH working. A Wireshark capture shows a SYN sent from my laptop but it never gets a response. Very strange. I even turned off Anyconnect on the original ISP interface and still no change.

Stuart.
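As an added triage check, not code from the thread or from Cisco, the Python below reads an ASDM launcher log and tells apart a run that fetched the ASDM version file from one where the HTTPS endpoint answered with an HTML page instead (the unterminated "br" tag in the SAXParseException above is that case, and the reply traced it to the clientless login page answering on the inside interface). The sample logs are cut down from the two posted in the question, with the address replaced by a placeholder.

```python
import re

# Line signatures taken from the two launcher logs posted in the thread.
_SUCCESS = re.compile(r"^Launcher version checking is successful\.", re.M)
_VERSION = re.compile(r"^Server Version = (\S+)", re.M)
_NO_VERSION_FILE = re.compile(r"^No version file found", re.M)
# Xerces choking on an unterminated HTML tag means the server sent HTML,
# not the XML-like version file the launcher expects.
_HTML_PARSE_ERR = re.compile(
    r'SAXParseException: The element type "(\w+)" must be terminated')
_URL = re.compile(r"url ?= ?(https://\S+?/admin/)")


def classify_launcher_log(text):
    """Return (verdict, details) for one ASDM launcher log excerpt.

    'ok'          version file fetched and server version parsed
    'html_portal' no version file; the endpoint returned an HTML page, so
                  something other than ASDM is answering on that port
    'unknown'     neither signature present (treat as a transport problem)
    """
    details = {}
    m = _URL.search(text)
    if m:
        details["url"] = m.group(1)
    v = _VERSION.search(text)
    if v and _SUCCESS.search(text):
        details["server_version"] = v.group(1)
        return "ok", details
    h = _HTML_PARSE_ERR.search(text)
    if _NO_VERSION_FILE.search(text) and h:
        details["html_tag"] = h.group(1)  # e.g. "br"
        return "html_portal", details
    return "unknown", details


# Constructed samples; 192.0.2.1 is a placeholder for the ASA inside address.
GOOD_LOG = """\
OK button clicked
Trying for ASDM Version file; url = https://192.0.2.1/admin/
Server Version = 7.1(3)
Launcher version checking is successful.
"""
BAD_LOG = """\
Trying for ASDM Version file; url = https://192.0.2.1/admin/
No version file found
Trying for IDM. url=https://192.0.2.1/idm/idm.jnlp/
[Fatal Error] :6:3: The element type "br" must be terminated by the matching end-tag "</br>".
org.xml.sax.SAXParseException: The element type "br" must be terminated by the matching end-tag "</br>".
"""
```

A 'html_portal' verdict points at a port or service collision on the management interface, which is what changing the ASDM port to 4443 resolved in the reply; an 'unknown' verdict with only a SYN on the wire points at the path, not the ASDM service.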