SSH/SNMP access to ASA through VTI tunnel

roman.kuchin
Level 1

Hi,

my setup is pretty simple:

(LAN1)ASA1 <-IPsec tunnel -> ASA2(LAN2)

Previously, I had an IPsec tunnel with a crypto map and I could connect to ASA2's inside interface with SSH from LAN1.

Now it's IPsec with VTI; nothing else was changed, so all access rules, NAT exemptions, routing and IP addressing stay the same, but I can't access ASA2's inside interface anymore, although LAN2 is accessible without any problem.

Maybe someone also faced this issue and can share a solution: what needs to be added to the config in that situation? Is there any solution at all?

7 Replies

roman.kuchin
Level 1

From logs I can see:

%ASA-3-710003: TCP access denied by ACL from <LAN1_IP>/51797 to <VTI_NAME>:<ASA2_IP>/22

It's not the interface ACL. That's from the Cisco docs:

Error Message %PIX|ASA-3-710003: {TCP|UDP} access denied by ACL from
source_address/source_port to interface_name:dest_address/service

Explanation This message appears when the security appliance denies 
an attempt to connect to the interface service. 
Recommended Action Use the show http, show ssh, or show telnet 
command to verify that the security appliance is configured to permit 
the service access from the host or network. If this message appears 
frequently, it can indicate an attack.

asa# show ssh

Hosts allowed to ssh into the system:
<LAN1>inside

The problem is that the ASA thinks I'm connecting not to the LAN interface but to the VTI interface! It doesn't care that I'm specifying the LAN2 IP!

The command ssh <LAN1> <interface> doesn't allow putting a VTI interface there, only physical ones.

Any thoughts what to do?
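As an added example (not from this thread or from Cisco), here is a small Python triage of %ASA-3-710003 messages like the one above. The Cisco doc says the message can indicate an attack when it appears frequently, but in this thread it is produced by a legitimate management host whose traffic arrives on the VTI. The script separates the two cases: a deny on a known VTI interface name from a management network is flagged as the tunnel quirk, everything else is left for normal investigation, and sources that exceed a count threshold are listed. The log lines, interface name VTI-ASA2, networks and threshold are all constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines (placeholders, not from the thread).
SAMPLE_LOGS = [
    "%ASA-3-710003: TCP access denied by ACL from 10.1.1.50/51797 to VTI-ASA2:10.2.2.1/22",
    "%ASA-3-710003: TCP access denied by ACL from 10.1.1.50/51798 to VTI-ASA2:10.2.2.1/22",
    "%ASA-3-710003: UDP access denied by ACL from 10.1.1.60/40000 to VTI-ASA2:10.2.2.1/161",
    "%ASA-3-710003: TCP access denied by ACL from 203.0.113.9/4444 to outside:198.51.100.1/22",
    "%ASA-6-302013: Built inbound TCP connection 1234 for inside:10.1.1.50/1111 "
    "(10.1.1.50/1111) to identity:10.2.2.1/22 (10.2.2.1/22)",
]

# Field layout follows the documented format:
# {TCP|UDP} access denied by ACL from src/sport to interface:dst/service
PATTERN = re.compile(
    r"%ASA-\d-710003: (?P<proto>TCP|UDP) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<iface>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_710003(line):
    """Return the fields of a %ASA-3-710003 message, or None for any other line."""
    m = PATTERN.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def triage(lines, vti_interfaces, mgmt_networks, threshold=3):
    """Split 710003 denies into 'tunnel_mgmt' (management network behind the
    IPsec peer, traffic landing on a VTI: the symptom described in the thread)
    and 'other' (anything else, to be looked at normally). 'frequent' lists
    sources that hit the threshold, following the doc's 'frequently' hint."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    result = {"tunnel_mgmt": [], "other": [], "frequent": []}
    per_source = Counter()
    for line in lines:
        ev = parse_710003(line)
        if ev is None:
            continue  # not a 710003 message
        src = ipaddress.ip_address(ev["src"])
        per_source[ev["src"]] += 1
        if ev["iface"] in vti_interfaces and any(src in n for n in nets):
            result["tunnel_mgmt"].append(ev)
        else:
            result["other"].append(ev)
    result["frequent"] = sorted(s for s, c in per_source.items() if c >= threshold)
    return result


if __name__ == "__main__":
    # Assumed values: the VTI is named VTI-ASA2 and LAN1 is 10.1.1.0/24.
    summary = triage(SAMPLE_LOGS, {"VTI-ASA2"}, ["10.1.1.0/24"], threshold=2)
    for kind in ("tunnel_mgmt", "other"):
        for ev in summary[kind]:
            print(f"{kind:12} {ev['proto']} {ev['src']} -> {ev['iface']}:{ev['dst']}/{ev['dport']}")
    print("frequent sources:", summary["frequent"])
```

Feed it the output of your syslog collector; the interface-name check is what distinguishes the VTI case, because a management host reaching the inside IP over a crypto-map tunnel would have been reported against the LAN interface instead.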

Update to 9.9(1).

Is this confirmed? I didn't see it on the list of fixed bugs in 9.9(1).

hpsisupport
Level 1

NOTE: I went to 9.9.2-18 (and some testing with 9.9.2-25).

I'm seeing spotty effects with SNMP THROUGH VTI-BGP.

Design: two separate EIGRP pools internal; VTI_BGP on firewalls (5506 & 5545) between them.

BGP and EIGRP redistribute.

Effect #1: SNMP to the MDF switch (directly connected by copper): the SNMP works RIGHT UP until the BGP session flaps.

A WAN flap happens, the BGP session goes down and comes back up (only down 1 minute from ISP latency or such)... When BGP comes back, EIGRP shows the route timer reset to 00:00... SNMP DOES NOT WORK NOW.

WORKAROUND: change the IP address(es) we send SNMP toward to a DIFFERENT IP address on the same switch, i.e. if you have two loopbacks you just move to the OTHER loopback and the SNMP starts reporting again. If it HAPPENS again, change back to the other loopback and it comes right back.

I've always seen SNMP as "session-less" traffic because it is UDP 161 traffic, so why would it be affected by a flap?

BUT I'm open to learning more: IS SNMP actually sessionful and it's just initiated with sessionless UDP 161?

Effect 2: SNMP fails on the firewall's inside IP: take out "management-interface inside" and then put it back right away... SNMP starts working again. This one bothers me less... but still a quirk.

adam39
Level 1

I had the same issue: switched to a VTI and my management access through the tunnel was gone. Just figured out how to fix it; at least this fixed it for me. Bounce the management-access config:

config t
no management-access inside
management-access inside

This worked for me too, thanks!

Thanks so much for this hint.

Moved to VTI on a number of ASA units. Management access worked on some units, but not all. Bouncing the management-access config made them all work.
