Symptom
When ASDM and WebVPN are enabled on the same interface and use the same port, ASDM access does not work.
Conditions
1) 'aaa authentication http console (LOCAL or Remote)' is configured
2) WebVPN and ASDM are enabled on the same interface and port (any port).
Example:
asa# sh run webvpn
webvpn
 enable outside <- default port in use (443)
asa# sh run http
http server enable <- default port in use (443)
http 0.0.0.0 0.0.0.0 outside <- configured on the same interface
asa# show run aaa
aaa authentication http console LOCAL <- the command is configured
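Both conditions can be checked against saved "show running-config" text before a change is rolled out. The Python below is an added example, not Cisco code: the function name and the sample config are constructed, and it assumes sub-mode lines are indented as in real running-config output and that a non-default WebVPN port is set with "port" under "webvpn".

```python
import re

# Constructed sample: the running-config lines shown in this note, combined.
SAMPLE_CONFIG = """\
webvpn
 enable outside
http server enable
http 0.0.0.0 0.0.0.0 outside
aaa authentication http console LOCAL
"""

DEFAULT_PORT = 443  # default for both WebVPN and the HTTP (ASDM) server


def find_asdm_webvpn_conflicts(config: str) -> list[tuple[str, int]]:
    """Return (interface, port) pairs that meet both conditions of this note."""
    webvpn_ifaces, webvpn_port = set(), DEFAULT_PORT
    http_ifaces, http_port = set(), None  # None: 'http server enable' absent
    aaa_http = False
    in_webvpn = False

    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        # An unindented line starts a new top-level command or sub-mode.
        if raw[0] not in " \t":
            in_webvpn = (line == "webvpn")
        if in_webvpn:
            if m := re.fullmatch(r"enable (\S+)", line):
                webvpn_ifaces.add(m.group(1))
            elif m := re.fullmatch(r"port (\d+)", line):
                webvpn_port = int(m.group(1))
        elif m := re.fullmatch(r"http server enable(?: (\d+))?", line):
            http_port = int(m.group(1)) if m.group(1) else DEFAULT_PORT
        elif m := re.fullmatch(r"http (?!server )\S+ \S+ (\S+)", line):
            http_ifaces.add(m.group(1))
        elif line.startswith("aaa authentication http console "):
            aaa_http = True

    # Condition 1: aaa command present. Condition 2: same interface and port.
    if not aaa_http or http_port is None or http_port != webvpn_port:
        return []
    return sorted((i, http_port) for i in webvpn_ifaces & http_ifaces)
```

An empty result means the configuration does not match the conditions listed here, for example after the ASDM port has been moved with "http server enable 65000".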
Workaround
There are two workarounds:
1) Use different port numbers: http server enable 65000
2) Remove "aaa authentication http console (LOCAL or Remote)"
With the command removed, ASDM no longer uses the remote server for authentication and starts to accept a blank username and the enable password as credentials. ASDM can also use the local database for authentication even if you do not configure this command. When configured, this command disallows the blank username/enable password login.
Further Problem Description
The customer is not able to access ASDM if WebVPN and ASDM are enabled on the same interface.
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and determined it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html