08-24-2012 04:05 AM - edited 03-11-2019 04:45 PM
Hey!
I have a strange issue with one of our 5505's.
I can access it through telnet & when using the IDM launcher, but I'm unable to access it through https://x.x.x.x/admin
As far as I know and from what I can tell in the log the IDM launcher is also using https when accessing the ASA.
When I try to access the ASA from a web browser I can see the traffic in the log, and nothing gets denied, it looks the same as when I'm accessing it from the IDM launcher.
I'm on ASA version 8.4.2 and asdm-645-106
Any thoughts?
Cheers!
08-24-2012 04:20 AM
Hi Bro
Just to understand you correctly, you have a problem accessing the Cisco ASA ASDM but accessing the IPS service module via IDM is all good, am I right so far? Is this issue happening to all workstations when trying to access the ASDM or only your workstation?
08-24-2012 04:23 AM
Hey!
I can access ASDM if I go through the launcher (Cisco ASDM-IDM Launcher), but not by going to https://x.x.x.x
It's not just my WS, I've tried from several others.
08-24-2012 04:36 AM
Can you try a couple of things for me.
1) Ensure your workstation is listed under the show run http and show run asdm command, for example;
http server enable
http 10.10.10.10 255.255.255.255 inside <--- 10.10.10.10 is your workstation IP, for example
asdm image flash:/____.bin
2) Redownload the latest java version into your laptop from www.java.com
3) Rekey these commands in your FW and type show run all ssl
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
FW01# show run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
4) Regenerate the crypto key
crypto key generate rsa modulus 1024
Note: In show version, I presume VPN-3DES-AES is enabled, am I right? If all else fails, reupload in the FW the asdm image.
08-24-2012 04:45 AM
http server is enabled
and I've allowed all clients to connect
* http 0.0.0.0 0.0.0.0 inside
I'm running the latest version of java.
asdm image disk0:/asdm-645-106.bin
my ssl config looks like this
ssl server-version any
ssl client-version any
ssl encryption des-sha1
I tried regenerating the crypto key, that didn't help
VPN-3DES-AES is disabled.
I've tried another asdm image as well, didn't do anything.
Cheers!
08-24-2012 04:51 AM
Hi Bro
I presumed you're trying the https://______ command from an INSIDE workstation, am I right? I believe so, as you did mention you can PING and TELNET the FW.
You would need the 3DES enabled, otherwise ASDM won't work. The good news is you can apply for it, and it's FREE. Just click on the link below;
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139
08-24-2012 04:59 AM
That's right, but the weird thing is that I can use ASDM when going to the Cisco ASDM-IDM Launcher instead of the web browser, doesn't that require 3DES as well?
Cheers!
Edit: I installed the 3des-license, but that didn't solve it either!
08-24-2012 05:11 AM
You've a point there. Let's do this instead, and let me know the outcome.
Upgrade the asdm image to the latest, I think it's asdm-642.bin. Next, remove all .asdm and .idm files in your workstation and clear out the java cache as well. Lastly, uninstall the asdm-idm launcher and reboot your machine.
Then, open your browser and type https://x.x.x.x to access the FW. You should receive an upgrade message, and god willing, this time it will work. Continue to download the launcher and save the settings, and you can use the launcher to access the FW.
The Java VM upper memory limit of ASDM 6.3 and above has been increased. Older versions of ASDM may not have enough available memory for IDM and 7.0(3) to function properly.
Please find enclosed the release notes of the engine E4:
http://www.cisco.com/en/US/docs/security/ips/7.0/release/notes/21671_01.html#wp1226708
08-24-2012 05:16 AM
asdm-649-103.bin seems to be the newest one, should I use that one?
Edit: and the one that I was running was already newer than 6.4.3 (6.4.5 106)
08-27-2012 12:28 AM
I figured it out, I never typed in
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
my line said
ssl encryption des-sha1
The only browser that gave a clue was Firefox, it mentioned something about encryption, Chrome and IE just failed to connect.
Thanks a lot!
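Added example, not part of any post in this thread: a small Python check that reads saved "show run all ssl" output and reports whether the "ssl encryption" line offers any cipher a browser will negotiate, run here against the two configurations quoted above. The function names and the grouping of cipher keywords into usable, refused and weak are assumptions of this example, chosen to match the behaviour reported in the thread.

```python
import re

# Cipher keywords accepted by "ssl encryption" on ASA 8.x. The grouping into
# browser-usable and refused is this example's assumption, chosen to match
# the behaviour reported in the thread.
BROWSER_USABLE = {"rc4-sha1", "rc4-md5", "aes128-sha1", "aes256-sha1", "3des-sha1"}
REFUSED = {"des-sha1", "null-sha1"}        # single DES / no encryption
WEAK = REFUSED | {"rc4-sha1", "rc4-md5"}   # worth removing once clients allow it

def parse_ssl_encryption(config_text):
    """Return the cipher list of the last 'ssl encryption' line, in order."""
    ciphers = []
    for line in config_text.splitlines():
        match = re.match(r"\s*ssl encryption\s+(\S.*)$", line)
        if match:
            ciphers = match.group(1).split()
    return ciphers

def audit_ssl(config_text):
    """Classify the configured ciphers and explain a failed browser login."""
    ciphers = parse_ssl_encryption(config_text)
    usable = [c for c in ciphers if c in BROWSER_USABLE]
    findings = []
    if not ciphers:
        findings.append("no 'ssl encryption' line in the supplied output")
    elif not usable:
        findings.append("no cipher a browser will negotiate: " + " ".join(ciphers))
    weak = [c for c in ciphers if c in WEAK]
    if weak:
        findings.append("weak ciphers enabled: " + " ".join(weak))
    unknown = [c for c in ciphers if c not in BROWSER_USABLE | REFUSED]
    if unknown:
        findings.append("unrecognised keywords: " + " ".join(unknown))
    return {"ciphers": ciphers, "browser_usable": usable, "findings": findings}

# The two configurations quoted in the thread.
BEFORE = """ssl server-version any
ssl client-version any
ssl encryption des-sha1"""
AFTER = """FW01# show run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_ssl(cfg))
```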
08-27-2012 03:00 AM
Hi Martin
I'm glad all is good.
Please do rate my comments nicely :-) and click on the button CORRECT ANSWER.