01-17-2024 11:26 AM
Tried to upgrade ASDM on a 9.16 ASAv, from 7181-152 to 7202.
Worked fine on the "secondary" asa.
But on the active one, I cannot connect after restarting ASDM.
It goes through the entire login process, and then I get "ASDM cannot be loaded, hostname wrong".
I can still SSH into it, and everything looks good, so I did a reload. And now I get "The certificate present in this device is not valid. Certificate date is Expired...."
The Date on the ASA is fine.
It has the same certificates and CA certs as did the backup. None of which show as expired.
I reverted back to the previous ASDM image for now.
01-18-2024 07:57 AM
>>> Tried to upgrade ASDM on a 9.16 ASAv, from 7181-152 to 7202.
Worked fine on the "secondary" asa. <<<
this is not possible!
you need to set your ASDM version from the primary (c.q. active) ASA
it will activate this for BOTH failover members at the same time (as this is replicated)
my workflow is for the GUI (old ASDM version)
- transfer the ASDM image to the standby ASA
- answer NO to the question for setting this as the default ASDM image
- transfer the ASDM image to the active ASA
- answer YES to the question for setting this as the default ASDM image
- restart ASDM connection to use the new version
01-18-2024 10:50 AM
This is an ASA virtual, so the config is not shared or replicated between them. Basically they are two separate devices with what amounts to a load balancer between them.
01-18-2024 11:52 AM
Same result with asdm-7201. Using asdm-7191-95 works fine.
01-18-2024 12:06 PM
Upgrading the ASA to 9.18.3.56 does not make a difference. Still works with asdm-7191, but not with either asdm 7201 or 7272.
01-18-2024 11:33 PM
back to the first post
>>> And now I get "The certificate present in this device is not valid. Certificate date is Expired...." <<<
and your addition >>> basically they are two separate devices with what amounts to a load balancer between them <<<
Did you check the consistency of certificates between the two ASAs (maybe also the load balancer)?
(Is the expected certificate assigned to the management interface?)
01-19-2024 07:20 AM
On both units, there are no certificates assigned to the management interface. Only to the public and internal.
However, I accessed the management interface with a browser and saw that it was using an older VPN cert: "ssl trust-point <expired cert> management". The odd thing is that in the ASDM, it did not show a cert attached to the management interface. The other one, which worked fine, was using the self-signed ASA certificate. I removed the "ssl trust-point" line for the management interface and it went back to using the self-signed cert, which has not expired. So ASDM is now happy with version 7202.
Thanks for helping the light bulb go off.
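An offline check for the condition found above (an interface bound by "ssl trust-point" to an expired certificate), as an added example that is not part of the original post. It assumes the output of `show running-config ssl` and `show crypto ca certificates` has been saved as text; the sample text, trustpoint names and dates are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: names, interfaces and dates are made up.
SAMPLE_SSL_CONFIG = """\
ssl trust-point OLD-VPN-CERT management
ssl trust-point PUBLIC-2024 outside
ssl trust-point PUBLIC-2024 inside
"""
SAMPLE_CERTS = """\
Certificate
  Status: Available
  Validity Date:
    start date: 00:00:00 UTC Mar 1 2020
    end   date: 23:59:59 UTC Mar 1 2022
  Associated Trustpoints: OLD-VPN-CERT
Certificate
  Status: Available
  Validity Date:
    start date: 00:00:00 UTC Jan 5 2024
    end   date: 23:59:59 UTC Jan 5 2025
  Associated Trustpoints: PUBLIC-2024
"""
# Assumption: validity dates are printed in UTC, as in the sample above.
END_RE = re.compile(r"\s*end\s+date:\s+(\d\d:\d\d:\d\d) UTC (\w{3}) (\d+) (\d{4})")

def trustpoint_expiry(cert_text):
    """Map each trustpoint name to the earliest end date among its certificates."""
    expiry, end = {}, None
    for line in cert_text.splitlines():
        m = END_RE.match(line)
        if m:
            end = datetime.strptime(" ".join(m.groups()), "%H:%M:%S %b %d %Y")
            end = end.replace(tzinfo=timezone.utc)
        m = re.match(r"\s*Associated Trustpoints:\s+(.+)", line)
        if m and end:
            for name in m.group(1).split():
                expiry[name] = min(end, expiry.get(name, end))
            end = None  # the next certificate block sets its own end date
    return expiry

def expired_bindings(ssl_config, cert_text, now):
    """List (interface, trustpoint, end date) for interfaces bound to an expired cert."""
    expiry = trustpoint_expiry(cert_text)
    bindings = re.findall(r"^ssl trust-point (\S+) (\S+)\s*$", ssl_config, re.M)
    return [(iface, name, expiry[name]) for name, iface in bindings
            if name in expiry and expiry[name] < now]
```

Run against both units' saved output, this points at the stale binding even when the GUI shows no certificate on that interface.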
01-19-2024 07:43 AM
I'm happy to hear you found the interfering configuration
Regards,
Pieter
08-15-2024 11:28 AM
Hello,
I am having the same problem. I only have 1 ASA5525 running ASA Version 9.14(4)24 and ASDM version 7.18(1)152. The ASA upgrade went fine, but when I tried to upgrade the ASDM, I received the error "The certificate present in this device is not valid. Certificate date is Expired or not valid as per current date".
How do I roll back the ASDM version if I do not have access to the ASA through the ASDM ...? Thank you ...!
10-26-2024 05:02 AM
Just add in Java security tab https://ip_address_asa - then ASDM 7202 will work as well