WSA Management interface only responsive to local network traffic

DamianRCL
Level 1

Hello,
I'm using the management interface for management traffic only.
After a recent reboot, the management interface will only respond to SSH and HTTPS requests from a host on the same subnet (192.168.42.0/255). Before the reboot the device was accessible from other routed, permitted segments. Strangely enough, we can still ping the management interface from the other routed network.
What's going on?

Thanks!

4 Replies

amojarra
Cisco Employee

Hi @DamianRCL 

It looks like there might be some issue in the routing. 

[1] I assume you already confirmed the routing table is correct for the Management interface. 

[2] Maybe it's best to have a PCAP from the Management interface to see if the packets are reaching the WSA and whether the WSA replies to them.

[3] You can have a test from the CLI as well: kindly type "ping" and press enter, then choose the Management interface and try to ping the gateway (if ICMP is not blocked) or any other devices in the other subnets.

[4] You can do the same test from the CLI with the "traceroute" command. (CLI > traceroute > hit enter > choose interface > ...)

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

Amirhossein,
I'll be happy to work on getting a capture; however, the device responds to pings sourced from other networks. For your awareness, it does sit behind a firewall, but the traffic is allowed. Also, the FW reports that it can't determine the application when I SSH since the web filter isn't replying to the requests. Am I missing some settings to enable this functionality?

Additionally, this same behavior is occurring with our email filter. A reboot was required. After that, it would no longer reply to devices in other network segments. We have a second web filter, and we're cautious to reboot it out of fear of losing connectivity.

@DamianRCL thanks for your reply.

[1] So ICMP is working (sorry, I missed that part from your previous message), meaning that the route config is OK.

[2] SSH -> Firewall: it can't determine the application. This could be due to:

[2-1] WSA blocked the source IP, which is most likely not our case.

[2-2] The SSH client is trying to connect to the device via the wrong version, or it is set to automatic, but the WSA is not responding with the SSH version. 

May I ask for a test, please? Can you manually SSH to the WSA, I mean not using a saved session in your SSH application, just normally SSH to the IP address, provide the username, and then the password, please.

That would be best to see at which stage of the SSH handshake the connection gets dropped (PCAP).

Regards,

Amirhossein Mojarrad

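The reply above asks at which stage the SSH handshake dies: TCP never connects, TCP connects but the appliance never sends its SSH version string, or the version string arrives and the problem is later. The following is an added example, not code from the thread or from Cisco, that classifies exactly that from the client side without needing a PCAP. It only reads the server's identification line (the `SSH-2.0-...` banner every SSH server sends first), never authenticates, and ships with a constructed local stand-in server so it can be run offline; the hostname `192.168.42.10` in `main()` is a placeholder for the WSA management IP.

```python
import socket
import threading


def probe_ssh_banner(host, port=22, timeout=3.0):
    """Classify where an SSH connection attempt stops.

    Returns a (stage, detail) tuple:
      ("tcp_timeout", "")        no SYN/ACK within timeout: filtered or black-holed path
      ("tcp_refused", "...")     TCP connect actively rejected (RST): port closed / ACL
      ("no_banner", "")          TCP connected but the server never sent its SSH identification
      ("banner", "SSH-2.0-...")  identification received: transport reachable, look later in handshake
      ("unexpected", "...")      something answered, but not an SSH server
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return ("no_banner", "")
            if not data:                      # server closed without saying anything
                return ("no_banner", "")
            line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
            if line.startswith("SSH-"):
                return ("banner", line)
            return ("unexpected", line)
    except socket.timeout:
        return ("tcp_timeout", "")
    except ConnectionRefusedError:
        return ("tcp_refused", "connection refused")
    except OSError as e:
        return ("tcp_error", str(e))


def start_fake_server(banner):
    """Constructed stand-in for the appliance: accept one connection on 127.0.0.1 and
    either send `banner` or stay silent until the client gives up. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            else:
                conn.recv(1)  # silent server: block until the client closes
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port():
    """Reserve a free local port and release it so a connect to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def main():
    # Replace the placeholder with the real management IP when using this for real.
    print(probe_ssh_banner("192.168.42.10", 22, timeout=3.0))


if __name__ == "__main__":
    main()
```

Read the result together with the symptoms in the thread: ICMP answered but `no_banner` on 22 means the packets reach the box and TCP completes, yet the SSH daemon on the management interface is not talking, which is exactly what a firewall reports as "cannot determine application". `tcp_timeout` instead points at routing or a filtering device on the path, and `banner` means the transport is fine and the failure is further into the handshake or in authentication.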

Amirhossein,

Updating the AsyncOS version resolved the problem!

Thanks for your help!