Unable to use HTTPS Managment “API” on Cisco ASA 9.12Cisco ASA ACL helphttps url filtering on Cisco ASA 5520Unable to save ASA configSSD status on Cisco ASAASA unable to pass ICMP and RDP through internal interfacesASA / WCCP issue with https service group 70Unable to properly configure ASA 5512 with WAN IPUnable to reach public IPs of servers behind ASA 5512Oxidized Unable to Pull Cisco ASA ConfigCisco ASA rekeying

Apt - strange requests to d16r8ew072anqo.cloudfront.net:80

Where's this lookout in Nova Scotia?

Does pair production happen even when the photon is around a neutron?

How to cut a climbing rope?

Does the monk's Martial Arts feature replace the damage die type, the die number, or both?

Melodic minor Major 9 chords

Why did Theresa May offer a vote on a second Brexit referendum?

How to deal with a colleague who is being aggressive?

Efficient Algorithm for the boundary of a set of tiles

Why does Mjolnir fall down in Age of Ultron but not in Endgame?

Did 20% of US soldiers in Vietnam use heroin, 95% of whom quit afterwards?

Why are GND pads often only connected by four traces?

How can I tell if I'm being too picky as a referee?

Parallel fifths in the orchestra

Why didn't Thanos use the Time Stone to stop the Avengers' plan?

How to politely tell someone they did not hit "reply to all" in an email?

Why did the person in charge of a principality not just declare themself king?

Compaq Portable vs IBM 5155 Portable PC

Pirate democracy at its finest

What is the function of the corrugations on a section of the Space Shuttle's external tank?

Is Jon Snow the last of his House?

Website returning plaintext password

Have 1.5% of all nuclear reactors ever built melted down?

Did this character show any indication of wanting to rule before S8E6?



Unable to use HTTPS Managment “API” on Cisco ASA 9.12


Cisco ASA ACL helphttps url filtering on Cisco ASA 5520Unable to save ASA configSSD status on Cisco ASAASA unable to pass ICMP and RDP through internal interfacesASA / WCCP issue with https service group 70Unable to properly configure ASA 5512 with WAN IPUnable to reach public IPs of servers behind ASA 5512Oxidized Unable to Pull Cisco ASA ConfigCisco ASA rekeying













2















After upgrading a Cisco ASA to code version 9.12(1)3, I am unable to reach the HTTPS management interface, which we use for many automation tools.



Example curl that is functional in prior code (9.8 or 9.10):



curl -k -u mah_user https://10.10.10.1/admin/exec/show+version


Now, instead of the output of that command, we are receiving a 400 Bad Request error.



What changed?






cisco cisco-asa api







share|improve this question


























    2















    After upgrading a Cisco ASA to code version 9.12(1)3, I am unable to reach the HTTPS management interface, which we use for many automation tools.



    Example curl that is functional in prior code (9.8 or 9.10):



    curl -k -u mah_user https://10.10.10.1/admin/exec/show+version


    Now, instead of the output of that command, we are receiving a 400 Bad Request error.



    What changed?






    cisco cisco-asa api







    share|improve this question
























      2












      2








      2








      After upgrading a Cisco ASA to code version 9.12(1)3, I am unable to reach the HTTPS management interface, which we use for many automation tools.



      Example curl that is functional in prior code (9.8 or 9.10):



      curl -k -u mah_user https://10.10.10.1/admin/exec/show+version


      Now, instead of the output of that command, we are receiving a 400 Bad Request error.



      What changed?






      cisco cisco-asa api







      share|improve this question














      After upgrading a Cisco ASA to code version 9.12(1)3, I am unable to reach the HTTPS management interface, which we use for many automation tools.



      Example curl that is functional in prior code (9.8 or 9.10):



      curl -k -u mah_user https://10.10.10.1/admin/exec/show+version


      Now, instead of the output of that command, we are receiving a 400 Bad Request error.



      What changed?






      cisco cisco-asa api




      cisco cisco-asa api






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 9 hours ago









      Brett LykinsBrett Lykins

      7,46352964




      7,46352964




















          1 Answer
          1






          active

          oldest

          votes


















          3














          As of ASA code 9.12, you must provide a user-agent header with your HTTP requests to the ASA management interface.



          In the ASA code version 9.12 release notes, it specifies the following:




          Allow non-browser-based HTTPS clients to access the ASA



          You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.



          New/Modified commands: http server basic-auth-client




          What they do not explicitly spell out in this output, is that the ASA management "API" was not previously a supported way to access the ASA. It was intended to be used by the ASDM or their own REST API wrapper.



          In opening it up for "the rest of us" and making it supported behavior (which they needed to do because there is no ASA REST API java applet on the ASA code running on Firepower hardware), they added some new restrictions.



          You can either do one of the following:




          1. Add user-agent headers with a value you specify in http server basic-auth-client <my-user-agent-goes-here>



            • Example config: http server basic-auth-client mah_user_agent

            • Example curl: curl -k -u mah_user -A mah_user_agent https://10.10.10.1/admin/exec/show+version



          2. Use one of the pre-existing/supported user-agent headers:



            • Example curl: curl -k -u mah_user -A ASDM https://10.10.10.1/admin/exec/show+version


          Either one of these will work for you, although I prefer the second as it needs no config changes on the ASA to function.



          It is also worth noting, that in my testing you can also send the user-agent: ASDM header with all prior versions of ASA code as well, they just don't care what you send or set for that value.






          share|improve this answer























            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "496"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f59366%2funable-to-use-https-managment-api-on-cisco-asa-9-12%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            3














            As of ASA code 9.12, you must provide a user-agent header with your HTTP requests to the ASA management interface.



            In the ASA code version 9.12 release notes, it specifies the following:




            Allow non-browser-based HTTPS clients to access the ASA



            You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.



            New/Modified commands: http server basic-auth-client




            What they do not explicitly spell out in this output, is that the ASA management "API" was not previously a supported way to access the ASA. It was intended to be used by the ASDM or their own REST API wrapper.



            In opening it up for "the rest of us" and making it supported behavior (which they needed to do because there is no ASA REST API java applet on the ASA code running on Firepower hardware), they added some new restrictions.



            You can either do one of the following:




            1. Add user-agent headers with a value you specify in http server basic-auth-client <my-user-agent-goes-here>



              • Example config: http server basic-auth-client mah_user_agent

              • Example curl: curl -k -u mah_user -A mah_user_agent https://10.10.10.1/admin/exec/show+version



            2. Use one of the pre-existing/supported user-agent headers:



              • Example curl: curl -k -u mah_user -A ASDM https://10.10.10.1/admin/exec/show+version


            Either one of these will work for you, although I prefer the second as it needs no config changes on the ASA to function.



            It is also worth noting, that in my testing you can also send the user-agent: ASDM header with all prior versions of ASA code as well, they just don't care what you send or set for that value.






            share|improve this answer



























              3














              As of ASA code 9.12, you must provide a user-agent header with your HTTP requests to the ASA management interface.



              In the ASA code version 9.12 release notes, it specifies the following:




              Allow non-browser-based HTTPS clients to access the ASA



              You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.



              New/Modified commands: http server basic-auth-client




              What they do not explicitly spell out in this output, is that the ASA management "API" was not previously a supported way to access the ASA. It was intended to be used by the ASDM or their own REST API wrapper.



              In opening it up for "the rest of us" and making it supported behavior (which they needed to do because there is no ASA REST API java applet on the ASA code running on Firepower hardware), they added some new restrictions.



              You can either do one of the following:




              1. Add user-agent headers with a value you specify in http server basic-auth-client <my-user-agent-goes-here>



                • Example config: http server basic-auth-client mah_user_agent

                • Example curl: curl -k -u mah_user -A mah_user_agent https://10.10.10.1/admin/exec/show+version



              2. Use one of the pre-existing/supported user-agent headers:



                • Example curl: curl -k -u mah_user -A ASDM https://10.10.10.1/admin/exec/show+version


              Either one of these will work for you, although I prefer the second as it needs no config changes on the ASA to function.



              It is also worth noting, that in my testing you can also send the user-agent: ASDM header with all prior versions of ASA code as well, they just don't care what you send or set for that value.






              share|improve this answer

























                3












                3








                3







                As of ASA code 9.12, you must provide a user-agent header with your HTTP requests to the ASA management interface.



                In the ASA code version 9.12 release notes, it specifies the following:




                Allow non-browser-based HTTPS clients to access the ASA



                You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.



                New/Modified commands: http server basic-auth-client




                What they do not explicitly spell out in this output, is that the ASA management "API" was not previously a supported way to access the ASA. It was intended to be used by the ASDM or their own REST API wrapper.



                In opening it up for "the rest of us" and making it supported behavior (which they needed to do because there is no ASA REST API java applet on the ASA code running on Firepower hardware), they added some new restrictions.



                You can either do one of the following:




                1. Add user-agent headers with a value you specify in http server basic-auth-client <my-user-agent-goes-here>



                  • Example config: http server basic-auth-client mah_user_agent

                  • Example curl: curl -k -u mah_user -A mah_user_agent https://10.10.10.1/admin/exec/show+version



                2. Use one of the pre-existing/supported user-agent headers:



                  • Example curl: curl -k -u mah_user -A ASDM https://10.10.10.1/admin/exec/show+version


                Either one of these will work for you, although I prefer the second as it needs no config changes on the ASA to function.



                It is also worth noting, that in my testing you can also send the user-agent: ASDM header with all prior versions of ASA code as well, they just don't care what you send or set for that value.






                share|improve this answer













                As of ASA code 9.12, you must provide a user-agent header with your HTTP requests to the ASA management interface.



                In the ASA code version 9.12 release notes, it specifies the following:




                Allow non-browser-based HTTPS clients to access the ASA



                You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.



                New/Modified commands: http server basic-auth-client




                What they do not explicitly spell out in this output, is that the ASA management "API" was not previously a supported way to access the ASA. It was intended to be used by the ASDM or their own REST API wrapper.



                In opening it up for "the rest of us" and making it supported behavior (which they needed to do because there is no ASA REST API java applet on the ASA code running on Firepower hardware), they added some new restrictions.



                You can either do one of the following:




                1. Add user-agent headers with a value you specify in http server basic-auth-client <my-user-agent-goes-here>



                  • Example config: http server basic-auth-client mah_user_agent

                  • Example curl: curl -k -u mah_user -A mah_user_agent https://10.10.10.1/admin/exec/show+version



                2. Use one of the pre-existing/supported user-agent headers:



                  • Example curl: curl -k -u mah_user -A ASDM https://10.10.10.1/admin/exec/show+version


                Either one of these will work for you, although I prefer the second as it needs no config changes on the ASA to function.



                It is also worth noting, that in my testing you can also send the user-agent: ASDM header with all prior versions of ASA code as well, they just don't care what you send or set for that value.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered 9 hours ago









                Brett LykinsBrett Lykins

                7,46352964




                7,46352964



























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Network Engineering Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f59366%2funable-to-use-https-managment-api-on-cisco-asa-9-12%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Log på Navigationsmenu

                    Image
                    DeutschEnglishEsperantofrançaisespañolitalianoNederlands (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u003Eu003Cdiv class="mw-dismissable-notice-close"u003E[u003Ca tabindex="0" role="button"u003ELuku003C/au003E]u003C/divu003Eu003Cdiv class="mw-dismissable-notice-body"u003Eu003Cdiv id="localNotice" lang="da" dir="ltr"u003Eu003Cpu003EI u003Ca href="/wiki/Wikipedia:Fokusm%C3%A5ned/maj_2019" title="Wikipedia:Fokusmåned/maj 2019"u003Emaj 2019u003C/au003E fokuserer vi på u003Cbu003Elokaliteter i Danmark som ikke er beskrevet på dansk Wikipediau003C/bu003E.u003Cbr /u003EDu kan desuden deltage i årets u003Ciu003Eu003Ca href="/wiki/Bruger:Ramloser/for%C3%A5rskonkurrence_2019" title="Bruger:Ramloser/forårskonkurrence 2019"u003Eforårskonkurrenceu003C/au003Eu003C/iu...
                    Read more

                    Creating second map without labels using QGIS?How to lock map labels for inset map in Print Composer?How to Force the Showing of Labels of a Vector File in QGISQGIS Valmiera, Labels only show for part of polygonsRemoving duplicate point labels in QGISLabeling every feature using QGIS?Show labels for point features outside map canvasAbbreviate Road Labels in QGIS only when requiredExporting map from composer in QGIS - text labels have moved in output?How to make sure labels in qgis turn up in layout map?Writing label expression with ArcMap and If then Statement?

                    Image
                    Why is the Eisenstein ideal paper so great? What would prevent living skin from being a good conductor for magic? Using too much dialogue? Fixie: how to learn to ride: step by step Who knighted this character? The Maltese Falcon Expected maximum number of unpaired socks If I arrive in the UK, and then head to mainland Europe, does my Schengen visa 90 day limit start when I arrived in the UK, or mainland Europe? Why does Bran want to find Drogon? Why isn't Tyrion mentioned in 'A song of Ice and Fire'? Did this character show any indication of wanting to rule before S8E6? Should I split timestamp parts into separate columns? What were the Ethiopians doing in Xerxes' army? “For nothing” = “pour rien”? Can you still travel to America on the ESTA waiver program if you have been to Iran in transit? Can a UK national work as a paid shop assistant in the USA? Why does the Starter Set wizard have six spells in their spellbook? Why does sp...
                    Read more

                    Nuuk Indholdsfortegnelse Etyomologi | Historie | Geografi | Transport og infrastruktur | Politik og administration | Uddannelsesinstitutioner | Kultur | Venskabsbyer | Noter | Eksterne henvisninger | Se også | Navigationsmenuwww.sermersooq.gl64°10′N 51°45′V / 64.167°N 51.750°V / 64.167; -51.75064°10′N 51°45′V / 64.167°N 51.750°V / 64.167; -51.750DMI - KlimanormalerSalmonsen, s. 850Grønlands Naturinstitut undersøger rensdyr i Akia og Maniitsoq foråret 2008Grønlands NaturinstitutNy vej til Qinngorput indviet i dagAntallet af biler i Nuuk må begrænsesNy taxacentral mødt med demonstrationKøreplan. Rute 1, 2 og 3SnescootersporNuukNord er for storSkoler i Kommuneqarfik SermersooqAtuarfik Samuel KleinschmidtKangillinguit AtuarfiatNuussuup AtuarfiaNuuk Internationale FriskoleIlinniarfissuaq, Grønlands SeminariumLedelseÅrsberetning for 2008Kunst og arkitekturÅrsberetning for 2008Julie om naturenNuuk KunstmuseumSilamiutGrønlands Nationalmuseum og ArkivStatistisk ÅrbogGrønlands LandsbibliotekStore koncerter på stribeVandhund nummer 1.000.000Kommuneqarfik Sermersooq – MalikForsidenVenskabsbyerLyngby-Taarbæk i GrønlandArctic Business NetworkWinter Cities 2008 i NuukDagligt opdaterede satellitbilleder fra NuukområdetKommuneqarfik Sermersooqs hjemmesideTurist i NuukGrønlands Statistiks databankGrønlands Hjemmestyres valgresultaterrrWorldCat124325457671310-5

                    Image
                    CentrumNuussuaqKolonihavnenQernertunnguitQinngorputQuassussuup TungaaMyggedalenRadiofjeldetKatuaqNuuk CenterGrønlands Nationalmuseum og ArkivHotel Hans EgedeBrættetHerrnhuthusetNuuk KunstmuseumVor Frelser KirkeHans Egede KirkeNuuk TuristkontorSømandshjemmetHans Egedes statueArctic Umiaq LineNuuk LufthavnNuuk HavnNuup BussiiTaxagutNuuk TaxiRoyal Arctic LineRoyal GreenlandIlulissat (Jakobshavn)Qaanaaq (Thule)UpernavikUummannaqAappilattoqIkerasak (Sundet)Ilimanaq (Claushavn)IllorsuitInnaarsuitKangersuatsiaq (Prøven)Kullorsuaq (Djævelens Tommelfinger)MoriusaqNaajaatNiaqornatNutaarmiutNuugaatsiaqNuussuaq (Kraulshavn)Oqaatsut (Rodebay)QaarsutQeqertaqQeqertatSaattutSaqqaqSavissivikSiorapalukTasiusaqTussaaqUkkusissatUpernavik Kujalleq (Søndre Upernavik)Maniitsoq (Sukkertoppen)Sisimiut (Holsteinsborg)AtammikItilleqKangaamiut (Gammel Sukkertoppen)Kangerlussuaq (Søndre Strømfjord)NapasoqSarfannguitNanortalikNarsaqQaqortoq (Julianehåb)AappilattoqAlluitsu...
                    Read more