Solved

Problems connecting to ASA 5505 ASDM and VPN.

Posted on 2013-01-15
13
768 Views
Last Modified: 2013-01-30
We have a Cisco ASA 5505 that has randomly blocked all incoming VPN connections including our site to site VPN connection. The Site to Site VPN actually connects, but no data is passed. I am also not able to access the inside interface of the device using HTTPS which worked previously. Nothing had changed on this device for months so I'm confused as to what has  happened. I've also tried resetting the device back to defaults and loading a newer version of the ASA operating system with the same results. Has anyone else had this problem before? Could the device be going bad? I've attached my sanitized config.

Thank you
12-28-2012-Comcast-Sanitized.txt
0
Comment
Question by:OAC Technology
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 5
13 Comments
 
LVL 5

Accepted Solution

by:
Leeeee earned 500 total points
ID: 38780304
If you some how find a way to get in to the device, configure 'management-access inside' in global config mode.

If you were able to manage the device before and all of a sudden things broke, I'd verify there isn't an issue with the ASA itself.
0
 
LVL 2

Author Comment

by:OAC Technology
ID: 38780315
I went out with a console cable and was able to access it just fine with that. I was also able to access the CLI through telnet. The odd thing is that HTTPS, SSH, and VPN all broke without anyone touching that device. Could this be a problem with something cryptography related?

Just a thought
0
 
LVL 5

Expert Comment

by:Leeeee
ID: 38780327
That is interesting, any indication of what's going on in the logs?
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 
LVL 2

Author Comment

by:OAC Technology
ID: 38780336
What command should I be using to get some useful information out of logging?
0
 
LVL 5

Expert Comment

by:Leeeee
ID: 38780360
Try 'sh log' to start and see if there is anything fishy. Try and access the device via SSH/HTTP and verify if it is being denied in the logs. Have you tried enabling management-access inside?

Verify that the VPN is up as well show crypto isakmp sa
0
 
LVL 2

Author Comment

by:OAC Technology
ID: 38780618
When I type sh log this is what I get:

Syslog logging: enabled
    Facility: 22
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level informational, facility 22, 78489 messages logged
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 78488 messages logged


I know the syslog server doesn't exist anymore. Is there a way to have the logs displayed in the telnet session?
0
 
LVL 5

Expert Comment

by:Leeeee
ID: 38780718
Enable buffer logging:

ASA#conf t
ASA(config)#logging enable
ASA(config)#logging buffered
ASA(config)#terminal monitor (log to ssh or telnet session)

Enable management to inside network over VPN:
ASA(config)# management-access inside
0
 
LVL 2

Author Comment

by:OAC Technology
ID: 38783359
I tried the above and received this:
(config)# logging buffered
ERROR: % Incomplete command


I also don't see anything being logged while in the terminal
0
 
LVL 5

Expert Comment

by:Leeeee
ID: 38783408
logging buffered debug
0
 
LVL 2

Author Comment

by:OAC Technology
ID: 38787266
I have to type "show log" to get a chunk of log file displayed to the screen. So far, by doing this, I haven't seen any mention of me trying to connect to SSH or HTTPS. Is there maybe a way to limit what's displayed on the log file to just the IP I'm trying to access HTTPS/SSH from?

Thanks
0
 
LVL 2

Author Comment

by:OAC Technology
ID: 38801327
Any other ideas on this one?

Thanks
0
 
LVL 2

Assisted Solution

by:OAC Technology
OAC Technology earned 0 total points
ID: 38819596
I ended up replacing that device with another ASA 5505 and reloading the configuration on that device. It seems to be working fine so my guess is the original ASA was bad in some way.
0
 
LVL 2

Author Closing Comment

by:OAC Technology
ID: 38834535
Found that the device was bad
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question