Why does ASDM access to active firewalls stop?

This really annoys me, and it's a pretty common occurrence with ASAs set up in a failover pair. ASDM access will work to the standby member of the pair, but not to the primary (active) member. It has worked in the past, but it just stops working.

With the following setup – one PC with the latest ASDM software installed and two ASA firewalls. Hardly a complex scenario. We start off with full ASDM access to both the active and the standby unit, but for some reason, after a while, ASDM access works to the standby in the pair, but not to the primary (active).

We can rule out a problem with ASDM, or with Java (because we can get to the standby). We can also rule out a problem with the HTTP server and the access rules for it, as the standby member gets its rule base from the primary – we can access the standby, so we know that the rules allowing ASDM access are fine.

We can reload the standby, wait for it to come back up and for the configs to resync, and when the two show that all is healthy, perform a failover and reboot the other unit (what was the primary but is now the secondary).

This usually works fine, but not always.

If we check the uptime:


We can see that the device uptime is at most 21 minutes, but still, no ASDM access to the active firewall:

SSH access works fine though, and trying to access the active unit through a web browser returns "Page cannot be displayed", whereas accessing the standby through a browser brings you to the correct page.

So what is the cause and what is the solution?

From what I have read in various Google searches, it does appear to be caused by uptime exceeding one year. You would have thought that this would apply to device uptime rather than cluster uptime. I have ASAs in other locations, again in a failover cluster, whose cluster uptime also exceeds one year; they work fine AFTER doing a reload-standby, failover, reload-standby, but have exhibited the same issue.

It’s not version specific as I have seen this in ASA 8.X and 9.X.

Interestingly, running "sh asp table socket" shows that the ASA is listening on the inside interface, and although connections cannot be made on the inside, ASDM from an outside address is still possible. So is it linked to an interface?

Where the full address is blanked out it is an external address; where just an octet is blanked out it is an internal address. So we can see that HTTPS (i.e. ASDM) from an outside address still works!
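To make the two checks described above repeatable (device versus failover-cluster uptime crossing one year, and whether an HTTPS listener actually exists on the inside address in "sh asp table socket"), here is a small triage helper. It is an added example written for this post, not code from the post or from Cisco; the layouts of the `show version` "up ..." lines and of the socket table are assumed from memory, the sample outputs are constructed, and the addresses are documentation ranges.

```python
import re

# Constructed sample output; the "<name> up N year N days" line layout is an assumption.
SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(3)

fw01 up 21 mins
failover cluster up 1 year 14 days
"""

# Constructed sample of "show asp table socket"; column layout is an assumption.
SHOW_ASP_TABLE_SOCKET = """\
Protocol  Socket    State      Local Address                  Foreign Address
SSL       00019438  LISTEN     192.0.2.1:443                  0.0.0.0:*
SSL       0001a2f0  LISTEN     198.51.100.1:443               0.0.0.0:*
TCP       0001b5d8  LISTEN     192.0.2.1:22                   0.0.0.0:*
"""

ONE_YEAR = 365 * 86400
UNIT_SECONDS = {"year": ONE_YEAR, "day": 86400, "hour": 3600, "min": 60, "sec": 1}


def parse_uptimes(show_version: str) -> dict:
    """Return {name: uptime_seconds} for every '<name> up ...' line."""
    uptimes = {}
    for line in show_version.splitlines():
        m = re.match(r"^(.+?) up (\d.*)$", line.strip())
        if not m:
            continue
        total = 0
        # Accept "1 year", "12 days", "21 mins", "3 hours", "40 secs" etc.
        for n, unit in re.findall(r"(\d+)\s+(year|day|hour|min|sec)", m.group(2)):
            total += int(n) * UNIT_SECONDS[unit]
        uptimes[m.group(1)] = total
    return uptimes


def listeners(socket_table: str) -> list:
    """Return (protocol, ip, port) for every LISTEN row in the socket table."""
    rows = []
    for line in socket_table.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[2] == "LISTEN" and ":" in cols[3]:
            ip, port = cols[3].rsplit(":", 1)
            rows.append((cols[0], ip, int(port)))
    return rows


def asdm_listening_on(socket_table: str, ip: str) -> bool:
    """True if an SSL (ASDM/HTTPS) listener is bound to ip:443."""
    return any(p == "SSL" and a == ip and port == 443
               for p, a, port in listeners(socket_table))


def triage(show_version: str, socket_table: str, inside_ip: str) -> dict:
    """Combine both checks into one verdict for the active unit."""
    up = parse_uptimes(show_version)
    cluster_over_year = any(v > ONE_YEAR for k, v in up.items() if "cluster" in k)
    device_over_year = any(v > ONE_YEAR for k, v in up.items() if "cluster" not in k)
    listening = asdm_listening_on(socket_table, inside_ip)
    if not listening:
        verdict = "no HTTPS listener on inside address: check 'http server enable' and http access rules"
    elif cluster_over_year:
        verdict = "listener present but failover cluster uptime exceeds one year: matches the reported condition"
    else:
        verdict = "listener present and uptimes under one year: look elsewhere"
    return {"uptimes": up, "device_over_year": device_over_year,
            "cluster_over_year": cluster_over_year, "listening": listening,
            "verdict": verdict}


if __name__ == "__main__":
    for k, v in triage(SHOW_VERSION, SHOW_ASP_TABLE_SOCKET, "192.0.2.1").items():
        print(f"{k}: {v}")
```

Paste the real command output into the two strings (or read it from files) and give the inside interface address; the verdict separates "the listener is missing" (a configuration problem) from "the listener is there but the pair has been up over a year" (the condition this post describes, where a reload-standby/failover/reload-standby cycle is the known workaround).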

I have tried removing the rules for ASDM access on the inside interface and reapplying them, but this still does not work.

If anyone has encountered and fixed this I would love to hear back from you!

3 Comments

  1. Anonymous December 13, 2013
  2. 802101.com December 13, 2013
  3. Anonymous December 3, 2014