Unable to use HTTPS Managment “API” on Cisco ASA 9.12Cisco ASA ACL helphttps url filtering on Cisco ASA 5520Unable to save ASA configSSD status on Cisco ASAASA unable to pass ICMP and RDP through internal interfacesASA / WCCP issue with https service group 70Unable to properly configure ASA 5512 with WAN IPUnable to reach public IPs of servers behind ASA 5512Oxidized Unable to Pull Cisco ASA ConfigCisco ASA rekeying
Apt - strange requests to d16r8ew072anqo.cloudfront.net:80
Where's this lookout in Nova Scotia?
Does pair production happen even when the photon is around a neutron?
How to cut a climbing rope?
Does the monk's Martial Arts feature replace the damage die type, the die number, or both?
Melodic minor Major 9 chords
Why did Theresa May offer a vote on a second Brexit referendum?
How to deal with a colleague who is being aggressive?
Efficient Algorithm for the boundary of a set of tiles
Why does Mjolnir fall down in Age of Ultron but not in Endgame?
Did 20% of US soldiers in Vietnam use heroin, 95% of whom quit afterwards?
Why are GND pads often only connected by four traces?
How can I tell if I'm being too picky as a referee?
Parallel fifths in the orchestra
Why didn't Thanos use the Time Stone to stop the Avengers' plan?
How to politely tell someone they did not hit "reply to all" in an email?
Why did the person in charge of a principality not just declare themself king?
Compaq Portable vs IBM 5155 Portable PC
Pirate democracy at its finest
What is the function of the corrugations on a section of the Space Shuttle's external tank?
Is Jon Snow the last of his House?
Website returning plaintext password
Have 1.5% of all nuclear reactors ever built melted down?
Did this character show any indication of wanting to rule before S8E6?
Unable to use HTTPS Managment “API” on Cisco ASA 9.12
Cisco ASA ACL helphttps url filtering on Cisco ASA 5520Unable to save ASA configSSD status on Cisco ASAASA unable to pass ICMP and RDP through internal interfacesASA / WCCP issue with https service group 70Unable to properly configure ASA 5512 with WAN IPUnable to reach public IPs of servers behind ASA 5512Oxidized Unable to Pull Cisco ASA ConfigCisco ASA rekeying
After upgrading a Cisco ASA to code version 9.12(1)3, I am unable to reach the HTTPS management interface, which we use for many automation tools.
Example curl that is functional in prior code (9.8 or 9.10):
curl -k -u mah_user https://10.10.10.1/admin/exec/show+version
Now, instead of the output of that command, we are receiving a 400 Bad Request error.
What changed?
cisco cisco-asa api
asked 9 hours ago
Brett LykinsBrett Lykins
7,46352964
add a comment |
After upgrading a Cisco ASA to code version 9.12(1)3, I am unable to reach the HTTPS management interface, which we use for many automation tools.
Example curl that is functional in prior code (9.8 or 9.10):
curl -k -u mah_user https://10.10.10.1/admin/exec/show+version
Now, instead of the output of that command, we are receiving a 400 Bad Request error.
What changed?
cisco cisco-asa api
asked 9 hours ago
Brett LykinsBrett Lykins
7,46352964
add a comment |
After upgrading a Cisco ASA to code version 9.12(1)3, I am unable to reach the HTTPS management interface, which we use for many automation tools.
Example curl that is functional in prior code (9.8 or 9.10):
curl -k -u mah_user https://10.10.10.1/admin/exec/show+version
Now, instead of the output of that command, we are receiving a 400 Bad Request error.
What changed?
cisco cisco-asa api
asked 9 hours ago
Brett LykinsBrett Lykins
7,46352964
After upgrading a Cisco ASA to code version 9.12(1)3, I am unable to reach the HTTPS management interface, which we use for many automation tools.
Example curl that is functional in prior code (9.8 or 9.10):
curl -k -u mah_user https://10.10.10.1/admin/exec/show+version
Now, instead of the output of that command, we are receiving a 400 Bad Request error.
What changed?
cisco cisco-asa api
cisco cisco-asa api
asked 9 hours ago
Brett LykinsBrett Lykins
7,46352964
asked 9 hours ago
Brett LykinsBrett Lykins
7,46352964
asked 9 hours ago
Brett LykinsBrett Lykins
7,46352964
asked 9 hours ago
Brett LykinsBrett Lykins
7,46352964
asked 9 hours ago
Brett LykinsBrett Lykins
7,46352964
7,46352964
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
As of ASA code 9.12, you must provide a user-agent header with your HTTP requests to the ASA management interface.
In the ASA code version 9.12 release notes, it specifies the following:
Allow non-browser-based HTTPS clients to access the ASA
You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.
New/Modified commands: http server basic-auth-client
What they do not explicitly spell out in this output, is that the ASA management "API" was not previously a supported way to access the ASA. It was intended to be used by the ASDM or their own REST API wrapper.
In opening it up for "the rest of us" and making it supported behavior (which they needed to do because there is no ASA REST API java applet on the ASA code running on Firepower hardware), they added some new restrictions.
You can either do one of the following:
Add
user-agentheaders with a value you specify inhttp server basic-auth-client <my-user-agent-goes-here>- Example config:
http server basic-auth-client mah_user_agent - Example curl:
curl -k -u mah_user -A mah_user_agent https://10.10.10.1/admin/exec/show+version
- Example config:
Use one of the pre-existing/supported
user-agentheaders:- Example curl:
curl -k -u mah_user -A ASDM https://10.10.10.1/admin/exec/show+version
- Example curl:
Either one of these will work for you, although I prefer the second as it needs no config changes on the ASA to function.
It is also worth noting, that in my testing you can also send the user-agent: ASDM header with all prior versions of ASA code as well, they just don't care what you send or set for that value.
answered 9 hours ago
Brett LykinsBrett Lykins
7,46352964
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "496"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f59366%2funable-to-use-https-managment-api-on-cisco-asa-9-12%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
As of ASA code 9.12, you must provide a user-agent header with your HTTP requests to the ASA management interface.
In the ASA code version 9.12 release notes, it specifies the following:
Allow non-browser-based HTTPS clients to access the ASA
You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.
New/Modified commands: http server basic-auth-client
What they do not explicitly spell out in this output, is that the ASA management "API" was not previously a supported way to access the ASA. It was intended to be used by the ASDM or their own REST API wrapper.
In opening it up for "the rest of us" and making it supported behavior (which they needed to do because there is no ASA REST API java applet on the ASA code running on Firepower hardware), they added some new restrictions.
You can either do one of the following:
Add
user-agentheaders with a value you specify inhttp server basic-auth-client <my-user-agent-goes-here>- Example config:
http server basic-auth-client mah_user_agent - Example curl:
curl -k -u mah_user -A mah_user_agent https://10.10.10.1/admin/exec/show+version
- Example config:
Use one of the pre-existing/supported
user-agentheaders:- Example curl:
curl -k -u mah_user -A ASDM https://10.10.10.1/admin/exec/show+version
- Example curl:
Either one of these will work for you, although I prefer the second as it needs no config changes on the ASA to function.
It is also worth noting, that in my testing you can also send the user-agent: ASDM header with all prior versions of ASA code as well, they just don't care what you send or set for that value.
answered 9 hours ago
Brett LykinsBrett Lykins
7,46352964
add a comment |
As of ASA code 9.12, you must provide a user-agent header with your HTTP requests to the ASA management interface.
In the ASA code version 9.12 release notes, it specifies the following:
Allow non-browser-based HTTPS clients to access the ASA
You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.
New/Modified commands: http server basic-auth-client
What they do not explicitly spell out in this output, is that the ASA management "API" was not previously a supported way to access the ASA. It was intended to be used by the ASDM or their own REST API wrapper.
In opening it up for "the rest of us" and making it supported behavior (which they needed to do because there is no ASA REST API java applet on the ASA code running on Firepower hardware), they added some new restrictions.
You can either do one of the following:
Add
user-agentheaders with a value you specify inhttp server basic-auth-client <my-user-agent-goes-here>- Example config:
http server basic-auth-client mah_user_agent - Example curl:
curl -k -u mah_user -A mah_user_agent https://10.10.10.1/admin/exec/show+version
- Example config:
Use one of the pre-existing/supported
user-agentheaders:- Example curl:
curl -k -u mah_user -A ASDM https://10.10.10.1/admin/exec/show+version
- Example curl:
Either one of these will work for you, although I prefer the second as it needs no config changes on the ASA to function.
It is also worth noting, that in my testing you can also send the user-agent: ASDM header with all prior versions of ASA code as well, they just don't care what you send or set for that value.
answered 9 hours ago
Brett LykinsBrett Lykins
7,46352964
add a comment |
As of ASA code 9.12, you must provide a user-agent header with your HTTP requests to the ASA management interface.
In the ASA code version 9.12 release notes, it specifies the following:
Allow non-browser-based HTTPS clients to access the ASA
You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.
New/Modified commands: http server basic-auth-client
What they do not explicitly spell out in this output, is that the ASA management "API" was not previously a supported way to access the ASA. It was intended to be used by the ASDM or their own REST API wrapper.
In opening it up for "the rest of us" and making it supported behavior (which they needed to do because there is no ASA REST API java applet on the ASA code running on Firepower hardware), they added some new restrictions.
You can either do one of the following:
Add
user-agentheaders with a value you specify inhttp server basic-auth-client <my-user-agent-goes-here>- Example config:
http server basic-auth-client mah_user_agent - Example curl:
curl -k -u mah_user -A mah_user_agent https://10.10.10.1/admin/exec/show+version
- Example config:
Use one of the pre-existing/supported
user-agentheaders:- Example curl:
curl -k -u mah_user -A ASDM https://10.10.10.1/admin/exec/show+version
- Example curl:
Either one of these will work for you, although I prefer the second as it needs no config changes on the ASA to function.
It is also worth noting, that in my testing you can also send the user-agent: ASDM header with all prior versions of ASA code as well, they just don't care what you send or set for that value.
answered 9 hours ago
Brett LykinsBrett Lykins
7,46352964
As of ASA code 9.12, you must provide a user-agent header with your HTTP requests to the ASA management interface.
In the ASA code version 9.12 release notes, it specifies the following:
Allow non-browser-based HTTPS clients to access the ASA
You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.
New/Modified commands: http server basic-auth-client
What they do not explicitly spell out in this output, is that the ASA management "API" was not previously a supported way to access the ASA. It was intended to be used by the ASDM or their own REST API wrapper.
In opening it up for "the rest of us" and making it supported behavior (which they needed to do because there is no ASA REST API java applet on the ASA code running on Firepower hardware), they added some new restrictions.
You can either do one of the following:
Add
user-agentheaders with a value you specify inhttp server basic-auth-client <my-user-agent-goes-here>- Example config:
http server basic-auth-client mah_user_agent - Example curl:
curl -k -u mah_user -A mah_user_agent https://10.10.10.1/admin/exec/show+version
- Example config:
Use one of the pre-existing/supported
user-agentheaders:- Example curl:
curl -k -u mah_user -A ASDM https://10.10.10.1/admin/exec/show+version
- Example curl:
Either one of these will work for you, although I prefer the second as it needs no config changes on the ASA to function.
It is also worth noting, that in my testing you can also send the user-agent: ASDM header with all prior versions of ASA code as well, they just don't care what you send or set for that value.
answered 9 hours ago
Brett LykinsBrett Lykins
7,46352964
answered 9 hours ago
Brett LykinsBrett Lykins
7,46352964
answered 9 hours ago
Brett LykinsBrett Lykins
7,46352964
answered 9 hours ago
Brett LykinsBrett Lykins
7,46352964
7,46352964
add a comment |
add a comment |
Thanks for contributing an answer to Network Engineering Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f59366%2funable-to-use-https-managment-api-on-cisco-asa-9-12%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
