11-19-2014 08:42 AM - edited 03-11-2019 10:06 PM
Hi all,
I have a brand new ASA 5505 which won't let me access it with either https or asdm. I tried from 2 different computers, with manual IP settings and DHCP from the ASA. I can ping the ASA and connect via terminal but not with https and asdm. ssh doesn't work either.
I already tried to reset the settings to factory defaults via console, configured http access manually (http 192.168.x.0 255.255.255.0 inside), configured the ASA with the wizard on the console, I even uploaded a fresh image via tftp to check if there is something wrong. Still no access. This is not my first 5505 and I have never seen this behaviour.
If anyone has an idea what might cause (and fix) this, please let me know.
Thanks in Advance
Tobias
11-20-2014 04:11 AM
Give me the Teamviewer access, let me check if you don't mind.
11-20-2014 04:43 AM
VPN-3DES-AES : Disabled
The ASA needs the 3DES-AES license for ASDM to work. Go to http://www.cisco.com/go/license and request the license for your device.
11-19-2014 09:04 AM
I also tried this
http://ciscogeek.org/activate-asdm-as-gui-interface-for-cisco-asapix-firewall/
without any change
11-19-2014 09:47 PM
Try to enable the following command,
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
And make sure the ASDM image is in the show running configuration output.
11-19-2014 10:00 PM
RC4 has to be considered broken and shouldn't be used any more. Better remove it from the "ssl-encryption" command.
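As an added example (not part of the thread and not Cisco code), the two checks raised in the replies above, the VPN-3DES-AES licence state and RC4 in the ssl encryption list, applied offline to saved ASA output. The sample text is constructed from output quoted in this thread, the function names are hypothetical, and treating the 3des/aes ciphers as dependent on the VPN-3DES-AES licence is an assumption.

```python
# Added example: offline check of saved ASA output (function names are hypothetical).
# SHOW_VERSION and CONFIG are constructed samples modelled on the thread's output.
SHOW_VERSION = """\
Licensed features for this platform:
VPN-DES : Enabled
VPN-3DES-AES : Disabled
This platform has a Base license.
"""
CONFIG = "ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1\n"

def parse_licence(show_version):
    """Return {feature: value} from the 'Licensed features' table."""
    features, in_table = {}, False
    for line in show_version.splitlines():
        if line.startswith("Licensed features"):
            in_table = True
        elif in_table:
            name, sep, value = line.partition(" : ")
            if not sep:          # first line without ' : ' ends the table
                break
            features[name.strip()] = value.strip()
    return features

def ssl_ciphers(config):
    """Return the cipher names on the 'ssl encryption' line, in order."""
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["ssl", "encryption"]:
            return words[2:]
    return []

def audit(show_version, config):
    """Return (item, finding) pairs for the two problems named in the thread."""
    findings = []
    strong = parse_licence(show_version).get("VPN-3DES-AES") == "Enabled"
    if not strong:
        findings.append(("VPN-3DES-AES", "licence not enabled; request it for ASDM/HTTPS"))
    for cipher in ssl_ciphers(config):
        if cipher.startswith("rc4"):
            findings.append((cipher, "RC4 is broken; remove from ssl encryption"))
        elif cipher.startswith(("3des", "aes")) and not strong:
            # Assumption: these ciphers depend on the VPN-3DES-AES licence.
            findings.append((cipher, "configured but licence is disabled"))
    return findings

if __name__ == "__main__":
    for item, finding in audit(SHOW_VERSION, CONFIG):
        print(f"{item}: {finding}")
```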
11-20-2014 01:43 AM
I can connect to different ASAs with different versions of ASDM, when I try to connect to this new ASA I immediately receive the "Unable to launch device manager" standard message. https://192.168.1.1/ or https://192.168.1.1/admin and https://192.168.1.1/admin/public/index.html just display "page cannot be displayed" and the corresponding messages in Firefox and Chrome.
I tried the ssl encryption command, it did not change the behaviour. The asdm image does not show up in the running config but I double checked with other ASAs and it does not show up either? I can find config for asdm logging and history but nothing regarding the image.
11-20-2014 01:53 AM
Hi,
Could you share the configuration (remove any sensitive information if present) and the output of the following commands
show version
dir flash:
show asp table socket
- Jouni
11-20-2014 02:16 AM
Hi Jouni,
Here are the results. Running ASA 8.2.5 is just a current test I did with an old ASA image to see if it changes anything; the image the ASA originally had is 9.0.1.
BR
Tobias
Config
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
object-group network obj_any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:483100f5006fe478429ef1fb7be2184e
: end
Show Version:
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 7.1(1)52
Compiled on Fri 20-May-11 16:00 by builders
System image file is "tftp://192.168.1.50/asa825-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 6 mins 9 secs
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is 881d.fcc5.61d5, irq 11
1: Ext: Ethernet0/0 : address is 881d.fcc5.61cd, irq 255
2: Ext: Ethernet0/1 : address is 881d.fcc5.61ce, irq 255
3: Ext: Ethernet0/2 : address is 881d.fcc5.61cf, irq 255
4: Ext: Ethernet0/3 : address is 881d.fcc5.61d0, irq 255
5: Ext: Ethernet0/4 : address is 881d.fcc5.61d1, irq 255
6: Ext: Ethernet0/5 : address is 881d.fcc5.61d2, irq 255
7: Ext: Ethernet0/6 : address is 881d.fcc5.61d3, irq 255
8: Ext: Ethernet0/7 : address is 881d.fcc5.61d4, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Disabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: xxx
Running Activation Key: xxx
Configuration register is 0x1
Configuration last modified by enable_15 at 02:58:21.069 UTC Thu Nov 20 2014
dir flash:
Directory of disk0:/
128 -rwx 27260928 11:16:36 Oct 21 2014 asa901-k8.bin
13 drwx 2048 11:16:48 Oct 21 2014 coredumpinfo
129 -rwx 17790720 11:18:04 Oct 21 2014 asdm-711-52.bin
3 drwx 2048 11:19:46 Oct 21 2014 log
12 drwx 2048 11:20:04 Oct 21 2014 crypto_archive
130 -rwx 196 11:20:14 Oct 21 2014 upgrade_startup_errors_201410211120.log
132 -rwx 2048 00:00:00 Jan 01 1980 FSCK0000.REC
133 -rwx 4096 00:00:00 Jan 01 1980 FSCK0001.REC
134 -rwx 4096 00:00:00 Jan 01 1980 FSCK0002.REC
135 -rwx 4096 00:00:00 Jan 01 1980 FSCK0003.REC
136 -rwx 4096 00:00:00 Jan 01 1980 FSCK0004.REC
137 -rwx 6144 00:00:00 Jan 01 1980 FSCK0005.REC
138 -rwx 6144 00:00:00 Jan 01 1980 FSCK0006.REC
139 -rwx 6144 00:00:00 Jan 01 1980 FSCK0007.REC
140 -rwx 26624 00:00:00 Jan 01 1980 FSCK0008.REC
141 -rwx 38912 00:00:00 Jan 01 1980 FSCK0009.REC
142 -rwx 34816 00:00:00 Jan 01 1980 FSCK0010.REC
143 -rwx 43008 00:00:00 Jan 01 1980 FSCK0011.REC
144 -rwx 2048 00:00:00 Jan 01 1980 FSCK0012.REC
145 -rwx 28672 00:00:00 Jan 01 1980 FSCK0013.REC
146 -rwx 2048 00:00:00 Jan 01 1980 FSCK0014.REC
147 -rwx 28672 00:00:00 Jan 01 1980 FSCK0015.REC
148 -rwx 2048 00:00:00 Jan 01 1980 FSCK0016.REC
149 -rwx 200 07:11:52 Nov 19 2014 upgrade_startup_errors_201411190711.log
150 -rwx 200 08:29:32 Nov 19 2014 upgrade_startup_errors_201411190829.log
151 -rwx 200 09:04:14 Nov 19 2014 upgrade_startup_errors_201411190904.log
152 -rwx 200 09:16:10 Nov 19 2014 upgrade_startup_errors_201411190916.log
153 -rwx 200 09:18:52 Nov 19 2014 upgrade_startup_errors_201411190918.log
127004672 bytes total (81295360 bytes free)
show asp table socket
Protocol Socket Local Address Foreign Address State
SSL 0003cf3f 192.168.1.1:443 0.0.0.0:* LISTEN
11-20-2014 02:49 AM
Did you include "https://192.168.1.1" in the sitelist in the security-tab of the Java control-panel? Depending on your environment, that could be needed.
11-20-2014 03:02 AM
I am running Java 7 45 on this client because there was an issue with certificates and asdm in a later Java version (guess this is fixed now). There is no sitelist in this older version, it was introduced later.
But I should be able to see the webpage with the options to install or run asdm even if there were any Java issues?
11-20-2014 04:07 AM
I checked with another client and Java 8 25 with https://192.168.1.1 in the sitelist, still no change.
04-01-2019 05:43 AM
still not working
11-19-2014 11:12 AM
What exactly doesn't work? And can your PC connect to other ASAs with ASDM?