topic Have you drilled down to Java in Network Security

ASDM/Java issue - still.....

oneirishpollack — Tue, 12 Mar 2019 04:34:52 GMT

I am having the famous and much discussed issue of ASDM and Java 7 not being compatible. You launch ASDM and it hangs. To resolve you install the older, archived version of Java 1.5 or 1.6 and it works.

My question is - how come Cisco has never seen fit to release a patch or fix to correct this issue?

Cisco has updated ASDM and

Marvin Rhoads — Tue, 05 Aug 2014 18:49:14 GMT

Cisco has updated ASDM and has procedures posted in the release notes and in a dedicated document on how to use it with the more current Java releases.

I am using the current Java 8 Update 11 and using it to manage several customer ASAs running various ASDM releases .

I have Java 8 Update 31 and I

cpotter13 — Thu, 12 Feb 2015 16:41:41 GMT

I have Java 8 Update 31 and I have a non self signed cert on the firewall and it still does not work. What am I doing wrong here? The cert is signed by GoDaddy and works great otherwise.

Doublecheck that the GoDaddy

Marvin Rhoads — Thu, 12 Feb 2015 18:13:06 GMT

Doublecheck that the GoDaddy certificate is bound to the interface you are using for management.

The easiest way is by browsing to the ASA i.e. https://<ASA mgmt address>/admin and then inspect / verify the certificate in your browser.

If that looks OK, then try also adding the ASA as a trusted site in Java's control panel.

Thanks for the reply. It is

cpotter13 — Thu, 12 Feb 2015 18:16:41 GMT

Thanks for the reply. It is bound on all 3 interfaces. I have added both http and https sites as trusted sites already. I have tried all combinations of adding the cert to local cert stores, java control panel trusted certs, secure sites, trusted sites. No luck.

I assume you've alllowed HTTP

Marvin Rhoads — Thu, 12 Feb 2015 18:30:49 GMT

I assume you've alllowed HTTP management from your client?

What do you see when browsing to the ASA /admin?

Yes. I am managing it from an

cpotter13 — Thu, 12 Feb 2015 18:32:11 GMT

Yes. I am managing it from an old server with ASDM at the moment with Java 7 51. However on that server only webstart works no client.

Have you drilled down to Java

Marvin Rhoads — Thu, 12 Feb 2015 18:47:49 GMT

Have you drilled down to Java control panel messages and /or looked at a Packet Capture when you try to connect to see what might be happening at a debug level?

What ASDM version are you using?

One other thought is to clear your Java cache.

No. I have I have not drilled

cpotter13 — Thu, 12 Feb 2015 18:58:34 GMT

No. I have I have not drilled down or looked at a packet capture.

ASA Version: 9.3(2)
ASDM Version: 7.3(2)102
Device Type: ASA5512

com.sun.deploy.net.FailedDownloadException: Unable to load resource: https://vpn.domain.com/admin/public/asdm.jnlp

at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)

at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)

at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)

at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)

at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)

at com.sun.javaws.Launcher.launch(Unknown Source)

at com.sun.javaws.Main.launchApp(Unknown Source)

at com.sun.javaws.Main.continueInSecureThread(Unknown Source)

at com.sun.javaws.Main.access$000(Unknown Source)

at com.sun.javaws.Main$1.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

java.net.SocketException: Connection reset

at java.net.SocketInputStream.read(Unknown Source)

at sun.security.ssl.InputRecord.readFully(Unknown Source)

at sun.security.ssl.InputRecord.read(Unknown Source)

at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)

at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)

at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)

at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)

at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at java.security.AccessController.doPrivileged(Unknown Source)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)

at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)

at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)

at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)

at com.sun.deploy.net.BasicHttpRequest.doGetRequest(Unknown Source)

at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)

at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)

at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)

at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)

at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)

at com.sun.javaws.Launcher.launch(Unknown Source)

at com.sun.javaws.Main.launchApp(Unknown Source)

at com.sun.javaws.Main.continueInSecureThread(Unknown Source)

at com.sun.javaws.Main.access$000(Unknown Source)

at com.sun.javaws.Main$1.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

Can you share "show run ssl"

Marvin Rhoads — Thu, 12 Feb 2015 19:46:54 GMT

Can you share "show run ssl" from the ASA cli?

ASA5512# sh run sslssl cipher

cpotter13 — Thu, 12 Feb 2015 20:07:58 GMT

ASA5512# sh run ssl
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher sslv3 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 management

You have strong ciphers as

Marvin Rhoads — Thu, 12 Feb 2015 20:28:06 GMT

You have strong ciphers as per the new 9.3(2) "ssl cipher" commands. So that should be OK for you.

We've covered all the obvious places to look.

I'd drill in further with the Java cache clearing and then trying again while doing a packet capture and/or debugging on the ASA to see what's going on in more detail.