Unable to connect via ASDM after upgrading ASDM image in ASA to 7202

debbiebeitler

Tried to upgrade ASDM on a 9.16 ASAv, from 7181-152 to 7202.
Worked fine on the "secondary" ASA.
But on the active one, I cannot connect after restarting ASDM.
It goes through the entire login process, and then I get "ASDM cannot be loaded, hostname wrong".

I can still SSH into it, and everything looks good, so I did a reload. And now I get "The certificate present in this device is not valid. Certificate date is Expired...."
The Date on the ASA is fine.
It has the same certificates and CA certs as did the backup. None of which show as expired.

I reverted back to the previous ASDM image for now.

pieterh

>>> Tried to upgrade ASDM on a 9.16 ASAv, from 7181-152 to 7202.
Worked fine on the "secondary" asa. <<<
this is not possible!
you need to set your ASDM version from the primary (c.q. active) ASA
it will activate this for BOTH failover members at the same time (as this is replicated)

my workflow is for the GUI (old ASDM version)
- transfer the ASDM image to the standby ASA
- answer NO to the question for setting this as the default ASDM image
- transfer the ASDM image to the active ASA
- answer YES to the question for setting this as the default ASDM image
- restart ASDM connection to use the new version

debbiebeitler

This is an ASA virtual, so the config is not shared or replicated between them. Basically they are two separate devices with what amounts to a load balancer between them.

debbiebeitler

Same result with asdm-7201.  Using asdm-7191-95 works fine.

debbiebeitler

Upgrading the ASA to 9.18.3.56 does not make a difference. Still works with asdm-7191, but not with either asdm 7201 or 7272.

Back to the first post:
>>> And now I get "The certificate present in this device is not valid. Certificate date is Expired...." <<<
and your addition >>> basically they are two separate devices with what amounts to a load balancer between them <<<
Did you check the consistency of certificates between the two ASAs (maybe also the load balancer)?
(Is the expected certificate assigned to the management interface?)

debbiebeitler

On both units, there are no certificates assigned to the management interface. Only to the public and internal.

However, I accessed the management interface with a browser and saw that it was using an older VPN cert: "ssl trust-point <expired cert> management". Odd thing is that in the ASDM, it did not show a cert attached to the management interface. The other one that worked fine was using the self-signed ASA certificate. I removed the "ssl trust-point" line for the management interface and it went back to using the self-signed cert, which has not expired. So ASDM is now happy with version 7202.

Thanks for helping the light bulb go off.
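
A way to catch the condition described in the post above before an ASDM upgrade, as an added example that is not part of the original thread: it cross-references saved output of `show running-config ssl` and `show crypto ca certificates` and reports any `ssl trust-point` binding whose identity certificate has expired. The sample output is constructed and trimmed to the fields the parser reads, the trustpoint names are placeholders, and the device clock is assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample CLI output (not from the thread); trustpoint names are placeholders.
SAMPLE_SSL = "ssl trust-point OLD-VPN-CERT management\nssl trust-point PUBLIC-CERT outside\n"
SAMPLE_CERTS = """\
CA Certificate
  Validity Date:
    end   date: 23:59:59 UTC Dec 31 2034
  Associated Trustpoints: OLD-VPN-CERT PUBLIC-CERT
Certificate
  Validity Date:
    end   date: 10:00:00 UTC Mar 1 2022
  Associated Trustpoints: OLD-VPN-CERT
Certificate
  Validity Date:
    end   date: 10:00:00 UTC Feb 1 2030
  Associated Trustpoints: PUBLIC-CERT
"""

END_RE = re.compile(r"end\s+date:\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3})\s+(\d{1,2})\s+(\d{4})")

def identity_cert_expiry(cert_output):
    """Map trustpoint name -> end date of its identity (non-CA) certificate."""
    expiry, is_identity, end = {}, False, None
    for line in cert_output.splitlines():
        if line and not line[0].isspace():  # unindented line starts a new block
            is_identity, end = line.strip() == "Certificate", None
        elif m := END_RE.search(line):
            # Assumption: clock is UTC; the time-zone token itself is ignored.
            stamp = datetime.strptime(" ".join(m.groups()), "%H:%M:%S %b %d %Y")
            end = stamp.replace(tzinfo=timezone.utc)
        elif is_identity and end and line.strip().startswith("Associated Trustpoints:"):
            for tp in line.split(":", 1)[1].split():
                expiry[tp] = end
    return expiry

def expired_bindings(ssl_config, cert_output, now):
    """Return (interface, trustpoint, end_date) for bindings whose cert has expired."""
    expiry = identity_cert_expiry(cert_output)
    hits = []
    for line in ssl_config.splitlines():
        parts = line.split()
        if parts[:2] == ["ssl", "trust-point"] and len(parts) >= 3:
            iface = parts[3] if len(parts) > 3 else "(all interfaces)"
            end = expiry.get(parts[2])
            if end and end < now:
                hits.append((iface, parts[2], end))
    return hits
```

The CA certificate block is skipped on purpose: a long-lived CA under the same trustpoint would otherwise mask the expired identity certificate that the interface actually presents.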

I'm happy to hear you found the interfering configuration.
Regards,

Pieter