topic Re: Cannot access ASDM in Network Security

Cannot access ASDM

HMidkiff — Mon, 11 Mar 2019 18:48:46 GMT

I have an ASA5505. I was in on ASDM and working fine. I added a new user and seem to locked myself out of ASDM. Not with I try to access it I get

"Identification required. Please select certificate to be used for authentication"

The list of certificates is blank. I tried to regenerate a key from the CLI but it was unsuccessful. I can't get in on ASDM. Does anyone know how to get by this? Maybe I generated the key wrong...

Harrison

Re: Cannot access ASDM

Federico Coto Fajardo — Fri, 01 Oct 2010 20:07:13 GMT

Hi,

If you just generate the keys again it work?

ca zeroize rsa

ca generate rsa key

Try again....

If the problem persists check you have the following in the configuration:

http server enable

http x.x.x.x mask inside --> x.x.x.x should be the IP were you're coming from.

username test password test123 priv 15

aaa authentication http console LOCAL

Federico.

Re: Cannot access ASDM

mirober2 — Fri, 01 Oct 2010 20:20:25 GMT

Hi Harrison,

Can you check the output of 'show run all ssl' and 'show run aaa' and post the results here?

-Mike

Re: Cannot access ASDM

HMidkiff — Fri, 01 Oct 2010 20:57:29 GMT

Thanks for replying to my post. I tried the other recommendation but didn't work. Here is the output.

ASA(config)# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point localtrust inside
ssl trust-point localtrust outside

ASA(config)# sh run aaa
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL

Re: Cannot access ASDM

Federico Coto Fajardo — Fri, 01 Oct 2010 22:22:10 GMT

So, you do have other users able to access ASDM or nobody can access ASDM anymore?

You can do a ''sh asp table socket'' and make sure the ASA is listening on port 443 for HTTPS:

i.e

ASA(config)# sh asp table socket
Protocol Socket Local Address Foreign Address State
SSL 00009b1f 192.168.102.3:443 0.0.0.0:* LISTEN

Also ''sh run http'' should be allowing all the IPs where you initiate the ASDM connection to the ASA.

Since you're using LOCAL authentication for HTTP, you should have a valid username (witgh privilege 15) on the local database on the ASA ''sh run username''

Federico.

Re: Cannot access ASDM

HMidkiff — Sat, 02 Oct 2010 00:27:37 GMT

Thanks for replying to my post

I can't get access to the ASA right now. I think the issue is ASDM does not have a certificate to serve out when someone connects. Do you know of a way from the CLI to regenerate the certificate for ASDM? When I Google this I find a lot of stuff but they want you to generate the certificate from inside the ASDM. Right now I can't get there....

Harrison

Re: Cannot access ASDM

praprama — Sat, 02 Oct 2010 01:21:18 GMT

If you have accessto the CLI, please run a "debug http 255" when trying to access the ASDM and past the outputs here.

Regards,

Prapanch

Re: Cannot access ASDM

Namit Agarwal — Sat, 02 Oct 2010 06:37:12 GMT

Hi,

Could you please paste the running config of the ASA ? Also what is the version of ASDM you are running ?

Regards,

Namit

Re: Cannot access ASDM

HMidkiff — Sat, 02 Oct 2010 17:24:29 GMT

This is the output of the debug.

ASA(config)# debug http 225
debug http enabled at level 225.
ASA(config)# HTTP: Periodic admin session check (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1800, session-timeout = 0)
HTTP: processing ASDM request [/admin/version.prop] with cookie-based authentication (aware_webvpn_conf.re2c:422)
HTTP: check admin session. Cookie index [-1][0]
HTTP: client certificate required = 1
HTTP: enforce client certificate for the next request
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: processing ASDM request [/idm/idm.jnlp/] with cookie-based authentication (aware_webvpn_conf.re2c:422)
HTTP: check admin session. Cookie index [-1][0]
HTTP: client certificate required = 1
HTTP: enforce client certificate for the next request
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: Periodic admin session check (idle-timeout = 1800, session-timeout = 0)

Re: Cannot access ASDM

HMidkiff — Sat, 02 Oct 2010 17:29:29 GMT

Here is the "show run" I X'ed out the sensitive stuff. I think the issue is with the certificate for the ASDM.

ASA Version 8.2(3)
!
hostname ASA
domain-name avispl.com
enable password XXXXXXXX
passwd XXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.200.4.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XXXXXXXX 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name avispl.com
object-group network CORP_VPN_NETWORKS
network-object 192.168.2.0 255.255.255.0
network-object 192.168.28.0 255.255.255.0
network-object 192.168.21.0 255.255.255.0
network-object 10.9.30.0 255.255.255.0
network-object 10.9.31.0 255.255.255.0
network-object 10.2.10.0 255.255.255.0
object-group network obj_any
access-list outside_1_cryptomap extended permit ip 10.200.4.0 255.255.255.0 object-group CORP_VPN_NETWORKS
access-list nonat extended permit ip 10.200.4.0 255.255.255.0 object-group CORP_VPN_NETWORKS
access-list nonat extended permit ip object-group CORP_VPN_NETWORKS 10.200.4.224 255.255.255.224
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 10.9.30.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 10.9.31.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 10.2.10.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq www
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq ftp
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq ftp-data
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq nntp
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq domain
access-list CORP_ACCESS_IN extended permit udp 10.200.4.0 255.255.255.0 any eq domain
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq https
access-list CORP_ACCESS_IN extended permit udp 10.200.4.0 255.255.255.0 any eq 443
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq telnet
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq 1194
access-list CORP_ACCESS_IN extended permit icmp 10.200.4.0 255.255.255.0 any
access-list DUBAI-VPN-ACCESS_splitTunnelAcl standard permit 10.2.10.0 255.255.255.0
access-list DUBAI-VPN-ACCESS_splitTunnelAcl standard permit 10.9.30.0 255.255.255.0
access-list DUBAI-VPN-ACCESS_splitTunnelAcl standard permit 10.9.31.0 255.255.255.0
access-list DUBAI-VPN-ACCESS_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list DUBAI-VPN-ACCESS_splitTunnelAcl standard permit 192.168.21.0 255.255.255.0
access-list DUBAI-VPN-ACCESS_splitTunnelAcl standard permit 192.168.28.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool DUBAI-VPN-IP-POOL 10.200.4.200-10.200.4.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group CORP_ACCESS_IN in interface inside
route outside 0.0.0.0 0.0.0.0 XXXXXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AUTH-GRP-TPADC3 protocol radius
aaa-server AUTH-GRP-TPADC3 (inside) host 10.2.10.5
timeout 5
key *****
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 30
http 192.168.0.0 255.255.0.0 inside
http 10.200.4.0 255.255.255.0 inside
http authentication-certificate inside
snmp-server host inside 10.2.10.52 community *****
snmp-server location Dubai
snmp-server contact XXXXXXXX
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer XXXXXXXX
crypto map outside_map 1 set transform-set strong
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
enrollment self
fqdn DUBAI.avispl.com
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn dubai-asa.aviinc.local
email itbilling@avispl.com
subject-name CN=ASA.AVISPL.COM,OU=iTAC,O="AVI-SPL, Inc.",C=US,St=Florida,L=Tampa,EA=itbilling@avispl.com
crl configure
crypto ca trustpoint ASA_TrustedRoot
enrollment self
fqdn dubai-asa.aviinc.local
email itbilling@avispl.com
subject-name CN=asa.AVISPL.COM,OU=iTAC,O="AVI-SPL, Inc.",C=US,St=Florida,L=Tampa,EA=itbilling@avispl.com
proxy-ldc-issuer
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.200.4.100-10.200.4.150 inside
dhcpd dns 192.168.2.34 192.168.2.18 interface inside
dhcpd wins 192.168.2.34 192.168.2.18 interface inside
dhcpd domain aviinc.local interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust inside
ssl trust-point localtrust outside
webvpn
group-policy DUBAI-VPN-ACCESS internal
group-policy DUBAI-VPN-ACCESS attributes
banner value XXXXXXXX
wins-server value 10.2.10.5 192.168.2.34
dns-server value 10.2.10.5 192.168.2.34
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DUBAI-VPN-ACCESS_splitTunnelAcl
default-domain value XXXXXXXX
username XXXXXXXX password XXXXXXXX encrypted privilege 15
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
pre-shared-key *****
tunnel-group DUBAI-VPN-ACCESS type remote-access
tunnel-group DUBAI-VPN-ACCESS general-attributes
address-pool DUBAI-VPN-IP-POOL
authentication-server-group AUTH-GRP-TPADC3
default-group-policy DUBAI-VPN-ACCESS
tunnel-group DUBAI-VPN-ACCESS ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:97f6d70f51ea165dfc5923697f595a94
: end

Re: Cannot access ASDM

Kureli Sankar — Sat, 02 Oct 2010 22:31:05 GMT

Did you try to remove this line from the config and try asdm again?

conf t

no http authentication-certificate inside

-KS

Re: Cannot access ASDM

praprama — Sun, 03 Oct 2010 00:16:31 GMT

"Hi,

The ASA seems to be requesting for a client certificate as see from the debugs:

HTTP: client certificate required = 1

Please remove the command "http authentication-certificate inside" and then try accessing the ASDM.Let me know how it goes.

Regards,

Prapanch

Re: Cannot access ASDM

HMidkiff — Sun, 03 Oct 2010 16:08:06 GMT

I will try both suggestions on Monday morning. Thanks all for you input.

Re: Cannot access ASDM

HMidkiff — Mon, 04 Oct 2010 23:36:32 GMT

Thanks to all who replied....

I fixed the problem. I created a user account on ASA. Some how with all the changes the account was removed? I added the account from the CLI and was able to get into ASDM. Hmmmmm

Thanks again to all

Harrison

I know this is an old post...

PND — Sat, 15 Mar 2014 12:54:35 GMT

I know this is an old post.....but your comment had helped to get out from a long pending issue....thanks GBU