topic ASA5505, AIP-SSC5, Java 7.x in Network Security

ASA5505, AIP-SSC5, Java 7.x

f2l — Sun, 10 Mar 2019 12:43:38 GMT

After upgrading to Java 7.5, I found that ASDM works fine managing the ASA5505 firewall, but trying to access the AIP-SSC5 module is not possible. I have had to revert back to Java 6 to have full control.

Does anyone know how to get Java 7 to work with ASDM and also allow access to the AIP-SSC5 module?

ASA5505, AIP-SSC5, Java 7.x

Todd Pula — Wed, 11 Jul 2012 20:26:35 GMT

What version of ASDM are you currently running? If you browse to your SSC's management IP using the sample URL below, are you able to launch IDM directly from your browser?

https://10.10.10.10

ASA5505, AIP-SSC5, Java 7.x

f2l — Thu, 12 Jul 2012 07:20:17 GMT

I am running:-

ASA version 8.4(4)1

ASDM version 6.4(9)

IPS version 6.2(4)E4

When I try to access the sensor from within ASDM the following error occurs:

"Error connecting to sensor. Error loading sensor."

followed by...

"Access denied by ASM. ASDM will now exit."

If I try to access the sensor directly, as per your suggestion(https://10.10.10.10), the following error is displayed...

"Unable to launch device manager from https://10.10.10.10".

ASA5505, AIP-SSC5, Java 7.x

Todd Pula — Thu, 12 Jul 2012 14:58:55 GMT

This is more than likely due to Java 7 disabling the SSL 2.0 client hello by default. Sensors running code prior to 7.1.4 require this feature for IDM access. On the PC with Java 7 installed, navigate to

Control Panel > Java > Advanced > Security > General and check the box next to "Use SSL 2.0 compatible ClientHello format". Test again and then report back if you continue to see errors.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr86456

ASA5505, AIP-SSC5, Java 7.x

f2l — Thu, 12 Jul 2012 15:37:58 GMT

I enabled SSL 2.0 and connecting to the sensor using IDM works fine.

However, connecting to the sensor using ASDM-IDM still returns the same error. Followed be an

immediate exit.

ASA5505, AIP-SSC5, Java 7.x

Julio Carvajal — Sun, 15 Jul 2012 18:32:11 GMT

Hello Phillip,

I worked with a customer two weeks ago on the same exact issue, same exact platafform.

So please dowgrade to java version!

If running 7 do a downgrade to version 6.33 and it should work

You can download it from here:

http://www.oldapps.com/java.php

Regards,

Julio

CSC is a free support community, please take your time to rate all of the engineer's answers.

ASA5505, AIP-SSC5, Java 7.x

Sundeep Dsouza — Mon, 24 Dec 2012 08:46:03 GMT

Yup faced the same problem with Java 7. Not able to access IPS module on the ASA. Cisco should come up with some fix for this issue, as Java 7 has fixed lot of security vulnerabilities and continued use of Java 6 is unsafe.

ASA5505, AIP-SSC5, Java 7.x

f2l — Tue, 25 Dec 2012 10:34:59 GMT

There is an updated image for the SSC-5 that works better with Java 7.x. Version 6.2(5)E4

Download from here...

http://software.cisco.com/download/release.html?mdfid=282539293&flowid=4416&softwareid=282549758&release=6.2(5)E4&relind=AVAILABLE&rellifecycle=&reltype=latest

Hope this helps.

ASA5505, AIP-SSC5, Java 7.x

hosytan — Tue, 04 Jun 2013 09:31:49 GMT

I had the same problem.

My device is Cisco ASA 5520 with AIP SSM-10.

I can use ASDM to manage ASA 5520 but cannot login to IPS (in IPS or Intrusion Prevension tab). It show me the error "Error connecting sensor. Error loading sensor".

I try to reset, reload and unplug/plug the module but it don't work.

This my ASA configuration:

ASA-FW# show run

: Saved

ASA Version 8.4(4)1

hostname ASA-FW

enable password Uonv5zOz/3IVv5nJ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

interface GigabitEthernet0/0

description Connect to Internet

nameif outside

security-level 0

ip address 10.0.0.4 255.255.255.0

interface GigabitEthernet0/1

description Connect to DMZ

nameif inside

security-level 100

ip address 10.2.2.2 255.255.255.0

interface GigabitEthernet0/2

shutdown

nameif DMZ

security-level 50

ip address 10.3.3.1 255.255.255.0

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

description Management

nameif management

security-level 0

ip address 192.168.1.1 255.255.255.0

ftp mode passive

access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq smtp

access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq www

access-list OUT-TO-DMZ extended permit icmp any any log

access-list OUT-TO-DMZ extended deny ip any any

access-list inside extended permit tcp any any eq pop3

access-list inside extended permit tcp any any eq smtp

access-list inside extended permit tcp any any eq ssh

access-list inside extended permit tcp any any eq telnet

access-list inside extended permit tcp any any eq https

access-list inside extended permit udp any any eq domain

access-list inside extended permit tcp any any eq domain

access-list inside extended permit tcp any any eq www

access-list inside extended permit ip any any

access-list inside extended permit icmp any any

access-list dmz extended permit ip any any

access-list dmz extended permit icmp any any

access-list acl_outside_in extended permit icmp any host 10.0.0.0

access-list acl_inside_in extended permit ip 10.2.2.0 255.255.255.0 any

access-list acl_dmz_in extended permit icmp 10.3.3.0 255.255.255.0 any

access-list traffic_for_ips extended permit ip any any

pager lines 24

logging enable

logging buffer-size 5000

logging monitor warnings

logging trap warnings

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

access-group acl_outside_in in interface outside

access-group acl_inside_in in interface inside

access-group acl_dmz_in in interface DMZ

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 DMZ

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

.....

quit

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username tanhs password fqvYQWcKVO/db.2r encrypted

class-map inspection_default

match default-inspection-traffic

class-map ips_class_map

match access-list traffic_for_ips

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

class ips_class_map

ips inline fail-open

service-policy global_policy global

prompt hostname context

service call-home

call-home reporting anonymous

call-home

contact-email-addr hosytan@gmail.com

profile CiscoTAC-1

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:74d15883f42aaeee6ac30522fe424aeb

: end

ASA-FW#

This is SSM confiuration:

AIP-SSM# show conf

! ------------------------------

! Current configuration last modified Tue Jun 04 00:34:02 2013

! ------------------------------

! Version 7.0(2)

! Host:

! Realm Keys key1.0

! Signature Definition:

! Signature Update S480.0 2010-03-24

! ------------------------------

service interface

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

variables DMZ address 10.3.3.0-10.3.3.255

variables IN address 10.2.2.0-10.2.2.255

exit

! ------------------------------

service host

network-settings

host-ip 192.168.1.2/24,192.168.1.1

host-name AIP-SSM

telnet-option disabled

access-list 10.0.0.0/8

access-list 10.1.1.0/24

access-list 10.2.2.0/24

access-list 10.3.3.0/24

access-list 172.16.0.0/16

access-list 192.168.1.0/24

dns-primary-server disabled

dns-secondary-server disabled

dns-tertiary-server disabled

http-proxy no-proxy

exit

time-zone-settings

offset 0

standard-time-zone-name CST

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

exit

! ------------------------------

service signature-definition sig0

signatures 2000 0

alert-severity high

engine atomic-ip

event-action produce-alert|produce-verbose-alert

exit

alert-frequency

summary-mode fire-all

summary-key AxBx

exit

status

enabled true

exit

signatures 2004 0

alert-severity high

engine atomic-ip

event-action produce-alert|produce-verbose-alert

exit

alert-frequency

summary-mode fire-all

summary-key AxBx

exit

status

enabled true

exit

signatures 60000 0

alert-severity high

sig-fidelity-rating 75

sig-description

sig-name Telnet Command Authorization Failure

sig-string-info Command authorization failed

sig-comment signature triggers string command authorization failed

exit

engine atomic-ip

specify-l4-protocol yes

l4-protocol tcp

no tcp-flags

no tcp-mask

exit

specify-payload-inspection yes

regex-string Command authorization failed

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

enable-tls true

port 443

server-id Nothing to see here. Move along.

exit

! ------------------------------

service anomaly-detection ad0

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service global-correlation

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

physical-interface GigabitEthernet0/1

exit

AIP-SSM#

Could anyone help me?

Thanks in advanced.