Solved

Problems connecting to ASA 5505 ASDM and VPN.

Posted on 2013-01-15
13
766 Views
Last Modified: 2013-01-30
We have a Cisco ASA 5505 that has randomly blocked all incoming VPN connections including our site to site VPN connection. The Site to Site VPN actually connects, but no data is passed. I am also not able to access the inside interface of the device using HTTPS which worked previously. Nothing had changed on this device for months so I'm confused as to what has  happened. I've also tried resetting the device back to defaults and loading a newer version of the ASA operating system with the same results. Has anyone else had this problem before? Could the device be going bad? I've attached my sanitized config.

Thank you
12-28-2012-Comcast-Sanitized.txt
0
Comment
Question by:OAC Technology
  • 8
  • 5
13 Comments
 
LVL 5

Accepted Solution

by:
Leeeee earned 500 total points
ID: 38780304
If you some how find a way to get in to the device, configure 'management-access inside' in global config mode.

If you were able to manage the device before and all of a sudden things broke, I'd verify there isn't an issue with the ASA itself.
0
 
LVL 2

Author Comment

by:OAC Technology
ID: 38780315
I went out with a console cable and was able to access it just fine with that. I was also able to access the CLI through telnet. The odd thing is that HTTPS, SSH, and VPN all broke without anyone touching that device. Could this be a problem with something cryptography related?

Just a thought
0
 
LVL 5

Expert Comment

by:Leeeee
ID: 38780327
That is interesting, any indication of what's going on in the logs?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 2

Author Comment

by:OAC Technology
ID: 38780336
What command should I be using to get some useful information out of logging?
0
 
LVL 5

Expert Comment

by:Leeeee
ID: 38780360
Try 'sh log' to start and see if there is anything fishy. Try and access the device via SSH/HTTP and verify if it is being denied in the logs. Have you tried enabling management-access inside?

Verify that the VPN is up as well show crypto isakmp sa
0
 
LVL 2

Author Comment

by:OAC Technology
ID: 38780618
When I type sh log this is what I get:

Syslog logging: enabled
    Facility: 22
    Timestamp logging: enabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: level informational, facility 22, 78489 messages logged
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 78488 messages logged


I know the syslog server doesn't exist anymore. Is there a way to have the logs displayed in the telnet session?
0
 
LVL 5

Expert Comment

by:Leeeee
ID: 38780718
Enable buffer logging:

ASA#conf t
ASA(config)#logging enable
ASA(config)#logging buffered
ASA(config)#terminal monitor (log to ssh or telnet session)

Enable management to inside network over VPN:
ASA(config)# management-access inside
0
 
LVL 2

Author Comment

by:OAC Technology
ID: 38783359
I tried the above and received this:
(config)# logging buffered
ERROR: % Incomplete command


I also don't see anything being logged while in the terminal
0
 
LVL 5

Expert Comment

by:Leeeee
ID: 38783408
logging buffered debug
0
 
LVL 2

Author Comment

by:OAC Technology
ID: 38787266
I have to type "show log" to get a chunk of log file displayed to the screen. So far, by doing this, I haven't seen any mention of me trying to connect to SSH or HTTPS. Is there maybe a way to limit what's displayed on the log file to just the IP I'm trying to access HTTPS/SSH from?

Thanks
0
 
LVL 2

Author Comment

by:OAC Technology
ID: 38801327
Any other ideas on this one?

Thanks
0
 
LVL 2

Assisted Solution

by:OAC Technology
OAC Technology earned 0 total points
ID: 38819596
I ended up replacing that device with another ASA 5505 and reloading the configuration on that device. It seems to be working fine so my guess is the original ASA was bad in some way.
0
 
LVL 2

Author Closing Comment

by:OAC Technology
ID: 38834535
Found that the device was bad
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question