ASDM Failover wizard error "ASDM is temporarily unable to contact the firewall"

PiEich — Tue, 12 Mar 2019 07:13:10 GMT

Hi,

I have an ASA5540 perfectly running on ASA 9.1(4) and want to set up HA with another 5540.

When I use the ASDM High Availability and Scalability Wizard, I provide the new peer IP address and right away get this error: "ASDM is temporarily unable to contact the firewall".

I tried to open ASDM from the same management PC where I access the ASDM on the current working ASA (let's call it FW1) and it does not work with none of the 3 browsers.

Both FWs are directly connected on Gi0/3. I access the new box with the IP address 192.168.0.3, it is also pingable from FW1.

Below, the configuration on the new box. Any clues?

Thank you!!!

ciscoasa# sh run
: Saved
:
ASA Version 9.1(4)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.3 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa914-k8.bin
ftp mode passive
pager lines 24
logging asdm-buffer-size 300
logging asdm debugging
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
route inside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:455cc44cf01874284573ffa423037838
: end

As soon as you have the

Syed Taukir — Sat, 30 Jan 2016 15:29:04 GMT

As soon as you have the failover configuration on the primary unit and the failover configuration on the secondary unit and enable failover on both units they will detect each other and automatically the primary unit will sync the config to the secondary unit. Just make sure the failover interface is up.

Also check do show run all ssl and check if you have aes-128 configured.You may refer this ASDM support document for ASDM issues.

HTH

Syed

I had a weak encryption!!

PiEich — Mon, 01 Feb 2016 13:21:04 GMT

I had a weak encryption!!

ciscoasa# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption des-sha1

Resolution:

Enter the command: ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 in config mode.

That ASDM troubleshooting doc was really helpful, thank you!!!

topic I had a weak encryption!! in Network Security

ASDM Failover wizard error "ASDM is temporarily unable to contact the firewall"

As soon as you have the

I had a weak encryption!!