topic ASA cannot logon w/ ADSM (SSH is OK) in Network Security

ASA cannot logon w/ ADSM (SSH is OK)

johanhofmans — Mon, 11 Mar 2019 23:10:21 GMT

all,

since yesterday, I cannot logon with adsm anymore.

when I run adsm, I type in my pw, and the screen keeps displaying "contacting the device". No timeout, just stays this way.

I've updated the java version, no luck.

I can connect with SSH with no problem.

device = asa5550, 8.2(1) asdm 6.2(1)

pieces of the config:

---

BE01NF21#sh run all ssl

ssl server-version any

ssl client-version any

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

BE01NF21#sh asp table socket

Protocol Socket Local Address Foreign Address State

SSL 000028ef 192.168.126.1:443 0.0.0.0:* LISTEN

TCP 000047df 192.168.126.1:22 0.0.0.0:* LISTEN

TCP 0123e588 192.168.126.1:22 192.168.126.3:26807 ESTAB

---

(126.1 is the interface I connect to)

output of debug http 255:

---

HTTP: processing ASDM request [/admin/version.prop] with cookie-based authentication (aware_webvpn_conf.re2c:398)

HTTP: check admin session. Cookie index [-1][0]

HTTP: client certificate required = 0

--- no further output

On another ASA device the debug output is different (asdm does work with this device):

---

HTTP: processing ASDM request [/admin/version.prop] (aware_webvpn_conf.re2c:417)

HTTP: Do not check session. Reasons: not required=[0], no AAA=[1], IPv6=[0]

HTTP: session verified = [0]

HTTP: processing GET URL '/admin/version.prop' from host

etc...

---

notice that there is no "with cookie-based authentication" here -- is this relevant?

Rebooting the device is not really an option... Does anyone have another idea ??

THANKS !!

ASA cannot logon w/ ADSM (SSH is OK)

varrao — Wed, 23 May 2012 09:18:02 GMT

Do you have any webvpn configured on port 443? Try enabling ASDM access onany other port.

https server enable 8443

and then access from browser:

http://:8443

Thanks,
Varun Rao
Security Team,
Cisco TAC

ASA cannot logon w/ ADSM (SSH is OK)

johanhofmans — Wed, 23 May 2012 09:27:00 GMT

unfortunately the result is the same -- "contacting the device" is all I get...

I can access the page from the browser (as I could before), I can start the java ADSM, enter my credentials, then freeze...

ASA cannot logon w/ ADSM (SSH is OK)

varrao — Wed, 23 May 2012 09:43:11 GMT

Can you re-isnatll the ASDM launcher on the machine??

Is it possible for you to upgrade to latest ASDM software like 6.4.7 or 6.4.9, they are available on cisco site.

Thanks,
Varun Rao
Security Team,
Cisco TAC

ASA cannot logon w/ ADSM (SSH is OK)

johanhofmans — Wed, 23 May 2012 10:09:36 GMT

asdm 647 now

😞 still the same. I'm getting the impression that something is wrong internally and a reboot could solve it.

Any other thoughts?

it's very much appreciated - i hate to have to tell my cio that i have to reboot this device - uptime 3yrs+ now! ...

ASA cannot logon w/ ADSM (SSH is OK)

varrao — Wed, 23 May 2012 10:24:38 GMT

Do you have any command like:

aaa authentication http console LOCAL

can you remove it and try again.

is it same with the launcher and browser??

Thanks,
Varun Rao
Security Team,
Cisco TAC

ASA cannot logon w/ ADSM (SSH is OK)

johanhofmans — Wed, 23 May 2012 10:30:51 GMT

YES! I indeed had this "aaa authentication http console LOCAL"

Once I removed it, I could logon again.

But to my knowledge, this command was always there - very strange that this now was causing issues...

THANKS !!!!!

ASA cannot logon w/ ADSM (SSH is OK)

varrao — Wed, 23 May 2012 10:59:32 GMT

That's great!!!!!!!!

Here's the reason -

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtt45397

Thanks,
Varun Rao
Security Team,
Cisco TAC