
I've just gotten my ASA 5510 set up to run AnyConnect VPN (w/ client). Unfortunately, it appears that I broke whatever allows the ASDM to connect in somewhere during that process. I get a "cannot open device" when I try to connect into the device from my ASDM software for another ASA (5520) device that I have.

Both devices have the same ASDM version. Can someone help me with this issue? Below is a sanitized config.

    ip local pool XXXVPNPool x.x.5.1-x.x.5.254 mask 255.255.255.0
    asdm image disk0:/asdm-715.bin
    no asdm history enable

    ldap attribute-map XXXVPN_Att_Map
      map-name  memberOf Group-Policy
      map-value memberOf CN=Users,DC=xxx,DC=com XXXVPNGrpPolicy
      map-value memberOf "OU=XXXX Users,DC=xxx,DC=com" XXXVPNGrpPolicy
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server XXXX protocol ldap
    aaa-server XXXX (inside) host x.x.2.38
     ldap-base-dn DC=xxx,DC=COM
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *****
     ldap-login-dn CN=Administrator,CN=Users,DC=xxx,DC=COM
     server-type microsoft
     ldap-attribute-map XXXVPN_Att_Map

    http server enable 65000

    http redirect outside 80

    crypto ca trustpoint ASDM_TrustPoint2
     enrollment terminal
     fqdn XXXvpn.xxx.com
     subject-name CN=XXXvpn.xxx.com,O=XXXCompany,C=US,St=XXX,L=XXX
     keypair XXXVPNcert
     crl configure

    ssl trust-point ASDM_TrustPoint2 outside
    webvpn
     enable inside
     enable outside
     anyconnect-essentials
     anyconnect image disk0:/anyconnect-win-3.1.00495-k9.pkg 1
     anyconnect profiles XXXVPNclient disk0:/XXXvpnclient.xml
     anyconnect enable
     tunnel-group-list enable

    group-policy XXXVPNGrpPolicy internal
    group-policy XXXVPNGrpPolicy attributes
     wins-server value x.x.2.38 x.x.1.75
     dns-server value x.x.2.38 x.x.1.75
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value XXXVPN_Split_Tunnel_List
     default-domain value xxx.com
     address-pools value XXXVPNPool
     webvpn
      anyconnect profiles value XXXVPNclient type user

    tunnel-group TunnelGroup1 type remote-access
    tunnel-group TunnelGroup1 general-attributes
     address-pool XXXVPNPool
     authentication-server-group XXXX
     default-group-policy XXXVPNGrpPolicy
     dhcp-server x.x.2.38
    tunnel-group TunnelGroup1 webvpn-attributes
     group-alias XXXVPN enable
  • After looking at the config more, the line `http redirect outside 80` jumped out at me. Removing this didn't fix anything; I'll reload the ASA after work hours to see if that makes a difference. Any suggestions for modifications or debugging are appreciated. – Winski Tech Aug 19 '15 at 17:27
  • Below is the config of a working ASA 5520 I have, I've been combing through it for differences. – Winski Tech Aug 19 '15 at 18:48
  • I would've put the config in but apparently it's too long for a comment. Any way around this restriction besides splitting it into small posts? – Winski Tech Aug 19 '15 at 18:52
  • Just a clarification: I'm attempting to access the ASA via the ASDM software, connecting to the inside interface address on port 65000. – Winski Tech Aug 19 '15 at 19:41
  • More clarification, I can get to the page that allows me to download the device manager via the 65000 port, but I cannot actually connect into the device. Also it shows the wrong version of ASDM. This is after I deleted out any old versions of the ASDM image. – Winski Tech Aug 19 '15 at 20:21
  • I'm trying to use Wireshark to troubleshoot this issue but I don't see any SSL communications between my machine and the firewall. What am I missing? – Winski Tech Aug 20 '15 at 15:01
  • I figured out why the browser was showing 6.2(1). It was cached. But it was cached on both machines I was testing with. Even after running device launcher and the java asdm, I still wasn't able to connect to the device. I have versioning set up on my firewalls so right now I'm comparing the configs of the 5510 now, the 5510 a month ago, and the 5520. I'll see what I come up with. On top of all of this, I'm still confused why I didn't see SSL traffic on my wire capture. – Winski Tech Aug 20 '15 at 17:18
  • The SSL traffic is on port 65000 and I've found it in my Wireshark capture; I'm not sure what I'm specifically looking for in there, though. – Winski Tech Aug 20 '15 at 18:59

1 Answer

I fixed the issue. I followed a link here: https://supportforums.cisco.com/document/49741/asa-pixfwsm-unable-manage-unit-sshtelnetasdm#Unable_to_asdm

And had to add `ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1`.

I checked: this was not in the config a month ago, and I was able to connect into ASDM just fine. Something about adding the VPN capability to the device required me to add this line in to get ASDM working.

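The poster found the cause by comparing the 5510's current config against a month-old copy. As an added example (not code from the thread or from Cisco), here is a section-aware ASA config diff that keeps each sub-command tied to its parent block, reports only management-plane changes (`http`, `asdm`, `ssl`), and flags deprecated ciphers in the `ssl encryption` line; the two sample configs are constructed, not the poster's full config.

```python
import re

# Constructed sample configs (not the poster's full config): the "old" one
# still has the ssl encryption line, the "new" one has the AnyConnect changes.
OLD_CFG = """\
http server enable 65000
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
 enable inside
"""
NEW_CFG = """\
http server enable 65000
http redirect outside 80
webvpn
 enable inside
 enable outside
 anyconnect enable
"""
MGMT_PREFIXES = ("http", "asdm", "ssl ")  # commands that affect ASDM/HTTPS access
WEAK_CIPHERS = {"rc4-md5", "rc4-sha1", "des-sha1", "null-sha1"}  # deprecated suites


def parse(cfg):
    """Map each line to (parent, command); ASA nests sub-commands by indentation."""
    entries, parent = set(), ""
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and '!' comments
        if raw.startswith(" "):
            entries.add((parent, raw.strip()))
        else:
            parent = raw.strip()
            entries.add(("", parent))
    return entries


def config_diff(old, new):
    """Return (removed, added) as 'parent / command' strings."""
    fmt = lambda p, c: f"{p} / {c}" if p else c
    a, b = parse(old), parse(new)
    return {fmt(*e) for e in a - b}, {fmt(*e) for e in b - a}


def mgmt_changes(old, new):
    """Only the diff lines that touch ASDM/HTTPS management access."""
    removed, added = config_diff(old, new)
    keep = lambda s: s.startswith(MGMT_PREFIXES)
    return sorted(filter(keep, removed)), sorted(filter(keep, added))


def weak_ssl_ciphers(cfg):
    """Ciphers named in 'ssl encryption' that are deprecated (RC4/MD5/DES)."""
    m = re.search(r"^ssl encryption (.+)$", cfg, re.M)
    return sorted(set(m.group(1).split()) & WEAK_CIPHERS) if m else []
```

Run `mgmt_changes(OLD_CFG, NEW_CFG)` on real `show running-config` captures to get the same one-line answer the poster reached by hand; `weak_ssl_ciphers` is a reminder that the restored line still carries RC4 and MD5 suites.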