topic Unable to Access the AIP SSM through ASDM in Network Security

Unable to Access the AIP SSM through ASDM

jimmyc_2 — Sun, 10 Mar 2019 12:50:33 GMT

CISCO Recommendations below:

Unable to Access the AIP SSM through ASDM

Problem:

This error message is seen on the GUI.

Error connecting to sensor. Error Loading Sensor error

Solution:

Check the IPS SSM management interface is up/down, and check its configured IP address, subnet mask and default gateway. This is the interface to access the Cisco Adaptive Security Device Manager (ASDM) Software from the local machine. Try to ping the management interface IP address of IPS SSM from the local machine that you want to access the ASDM. If unable to ping check the ACLs on the sensor

----------------------------------------------------------------------------------------------------------------------------------------------

I tried everything recommended above. I can ping the ASDM host from the FW and from the SSM-10 module. Likewise, I can ping the SSM from the ASDM, and the host machine. I opened the ACLs as wide as possible. I changed IP addresses and masks several times. The management port of the ASA and the SSM, and the PC, are on the same subnet.

A packet trace from the PC to the SSM shows it being blocked by ACL rule, yet I've opened everything wide. I've seen this type of issue before, and it was solved by applying Dual static NAT, but I'm not sure how to do that if all the IPs are on the same subnet.

Tried everything, need some high-level help.

Unable to Access the AIP SSM through ASDM

k-schwartz — Tue, 04 Dec 2012 06:05:58 GMT

I have a ASA5585-SSP-IPS20 and am having the same problem. Because the ASA does not have a separate route table for the management interface I have to use a default-route on my inside interface. According to this link:

http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html I have to configure the management interface of the IPS module in the same VLAN as the inside interface. I have done this and can now

1. Ping the IPS host-ip

2. SSH to the IPS

3. Connect to the IPS through https and download the IDM

However, a wireshark shows that the connection is immediatly terminated by the IPS with FIN. I'm out of ideas and will have to call TAC in the morning.

Unable to Access the AIP SSM through ASDM

jimmyc_2 — Tue, 04 Dec 2012 14:10:41 GMT

Thanks for the reply, let me know what is said.

Unable to Access the AIP SSM through ASDM

rrich-oberlin — Tue, 04 Dec 2012 19:18:20 GMT

k-schwartz wrote:

...

1. Ping the IPS host-ip

2. SSH to the IPS

3. Connect to the IPS through https and download the IDM

However, a wireshark shows that the connection is immediatly terminated by the IPS with FIN. I'm out of ideas and will have to call TAC in the morning.

I am experiencing the exact same issue with a brand new ASA5515X that I'm setting up. I am using the management0/0 interface for communicating with both the ASA and the AIP-SSM (software-based on this device). I've got two separate IP addresses, one for each. My workstation is directly connected to the same interface. I can ping both ASA and AIP interface addresses, ssh to them both, and access both of them over HTTPS. However, when the ASDM applet attempts to communicate, I get a drop. As k-schwartz said, it doesn't even get to the application layer, the AIP doesn't like something in the SSL negotiation from ASDM.

Comparing a capture from a browser (which does work) it appears that the AIP does not like TLS. The opening gambit from both browser and ADSM is to request TLS, but the browser includes a couple of extra flags (renegotiation_info and status_request). The browser reconnects two more times, the last of which is the SSLv3 request which then causes the AIP to send the server cert and continue negotiation. The AIP just drops the connection from ASDM.

Not sure how to tweak ASDM SSL and or AIP TLS settings.

Unable to Access the AIP SSM through ASDM

jimmyc_2 — Tue, 04 Dec 2012 21:11:03 GMT

I broke open a second new ASA, and have a very similar issue. ASDM will not connect to the sensor. Access list is wide open.

Re: Unable to Access the AIP SSM through ASDM

k-schwartz — Wed, 05 Dec 2012 04:43:04 GMT

The IDM software that comes with ASDM does not support java 1.7. The ASA portion of ASDM supports 1.7 but launching the IPS applet only works with 1.6. The TAC enginner suggested I use the IME (IPS Manager Express) that is available for free on Cisco's website (http://www.cisco.com/en/US/products/ps9610/tsd_products_support_general_information.html).

I have been playing around with it today and so far it seems to work pretty well.

Unable to Access the AIP SSM through ASDM

jimmyc_2 — Wed, 05 Dec 2012 14:27:47 GMT

Many, many thanks K. I'll give it a shot. jc

Unable to Access the AIP SSM through ASDM

johnnylingo — Mon, 25 Nov 2013 20:21:59 GMT

I know this thread is about a year old, but just wanted to add that after upgrading the SSM to the latest version (7.1(8)E4), I could connect to it via ASDM just fine. Java version is 1.7.0_25 and ASDM version is 7.1(4)

IDM Express definitely seems to offer a higher level of monitoring though.