
Reinstall CISCO ASA-5555x / ASDM hangs

Slippy_Skin
Level 1

Greetings all.

 

I have 2 x CISCO ASA 5555x 's

Firewall 1 - fresh box install, worked a treat, now happily logged in to ASDM - ASA and Firepower

2nd needed a re-install so after much fighting I am in theory nearly there (I hope)

 

I followed :

 

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5500X/5500x_quick_start.html

 

and

 

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5500X/5500x_quick_start.html#pgfId-132044

 

I am at the point now where ASDM hangs trying to Admin the rebuilt ASA at Software Update Completed.

I don't think it's the ASDM / Java config on the desktop machine as connected to the "fresh box install" Firewall I can get into ASDM so I presume the 2nd FW is misconfigured somehow.

 

Any tips / ideas appreciated.

 

Cheers,

LM


Marvin Rhoads
Hall of Fame

Does the fresh box have a valid asdm image and is it called out in the config file?

Can you share:

dir disk0:/
show run asdm
show version

...outputs?

Thanks for the reply Sir.

 

>Does the fresh box have a valid asdm image and is it called out in the config file?

How can I check ?

 

>Output

 

OK:

 


CISCOASA(config)# dir disk0:/

Directory of disk0:/

4 drwx 4096 11:06:48 Mar 12 2020 log
15 drwx 4096 11:32:32 Jan 06 2014 crypto_archive
16 drwx 4096 11:32:40 Jan 06 2014 coredumpinfo
152 -rwx 41848832 12:32:00 May 04 2020 asasfr-5500x-boot-6.2.2-3.img
153 -rwx 1639343266 14:49:56 May 04 2020 asasfr-sys-6.6.0-90.pkg
154 -rwx 111587328 13:36:26 Mar 12 2020 asa984-smp-k8.bin
155 -rwx 5038 12:48:34 Apr 05 2016 tfpt
156 -rwx 34033084 08:13:40 Mar 04 2020 asdm-7131.bin
157 drwx 4096 12:20:42 Jan 06 2014 sdesktop
162 -rwx 35743132 10:24:16 Apr 30 2020 asdm-7141-46.bin
168 -rwx 103071744 11:30:28 Apr 30 2020 asa9-12-3-12-smp-k8.bin
171 -rwx 42962944 14:20:48 May 04 2020 asasfr-5500x-boot-6.6.0-1.img
172 -rwx 4815 07:53:36 May 04 2020 startup-config-new.cfg
173 -rwx 3274 14:56:12 Apr 30 2020 oldconfig_2020Apr30_1457.cfg
174 -rwx 3190 07:53:30 May 04 2020 ru_customization.po
175 -rwx 4932 07:53:30 May 04 2020 ru_PortForwarder.po
176 -rwx 42083 07:53:32 May 04 2020 ru_webvpn.po
177 -rwx 105172992 11:23:38 May 04 2020 asa9-14-1-smp-k8.bin


29 file(s) total size: 2113876383 bytes
8238202880 bytes total (2900725760 bytes free/35% free)

CISCOASA(config)#
CISCOASA(config)# show run asdm
no asdm history enable
CISCOASA(config)# show version

Cisco Adaptive Security Appliance Software Version 9.14(1)
SSP Operating System Version 2.8(1.105)
Device Manager Version 7.13(1)

Compiled on Wed 01-Apr-20 12:47 PDT by builders
System image file is "disk0:/asa9-14-1-smp-k8.bin"
Config file at boot was "startup-config"

CISCOASA up 4 hours 18 mins

Hardware: ASA5555, 16384 MB RAM, CPU Lynnfield 2800 MHz, 1 CPU (8 cores)
ASA: 8573 MB RAM, 1 CPU (2 cores)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Boot microcode : CNPx-MC-BOOT-2.00
SSL/IKE microcode : CNPx-MC-SSL-SB-PLUS-0005
IPSec microcode : CNPx-MC-IPSEC-MAIN-0026
Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


0: Int: Internal-Data0/0 : address is 3c08.f6d9.b8c8, irq 11
1: Ext: GigabitEthernet0/0 : address is 3c08.f6d9.b8cd, irq 5
2: Ext: GigabitEthernet0/1 : address is 3c08.f6d9.b8c9, irq 5
3: Ext: GigabitEthernet0/2 : address is 3c08.f6d9.b8ce, irq 10
4: Ext: GigabitEthernet0/3 : address is 3c08.f6d9.b8ca, irq 10
5: Ext: GigabitEthernet0/4 : address is 3c08.f6d9.b8cf, irq 5
6: Ext: GigabitEthernet0/5 : address is 3c08.f6d9.b8cb, irq 5
7: Ext: GigabitEthernet0/6 : address is 3c08.f6d9.b8d0, irq 10
8: Ext: GigabitEthernet0/7 : address is 3c08.f6d9.b8cc, irq 10
9: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0
12: Ext: Management0/0 : address is 3c08.f6d9.b8c8, irq 0
13: Int: Internal-Data0/3 : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 500 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 5000 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
IPS Module : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual

This platform has an ASA5555 VPN Premium license.

Serial Number: ABC
Running Permanent Activation Key: 0x1
Configuration register is 0x1

Image type : Release
Key version : A

Configuration last modified by user1 at 09:15:15.609 UTC Wed May 13 2020

 

Slippy_Skin
Level 1

One weird thing...

 

I had ASDM connected from a client into the working firewall and swapped the cables to non working one.
The session stayed open and I managed to change the FW name..

 

I closed ASDM and now it won't re open

You may have been in some indeterminate state when you switched cables. You should have had to re-authenticate at the very least to the new firewall.

@Marvin Rhoads Yeah it was kind of working, but not correctly.


Just a thought...Is there a way I can take a full backup of the 1. Working Firewall and restore it to the 2. Not working firewall ?

Your non-working unit doesn't have an ASDM image specified in the config:

CISCOASA(config)# show run asdm
no asdm history enable
CISCOASA(config)#

It should have a line like:

asdm image disk0:/asdm-7141-46.bin

Once you have a working ASDM, it's easy to backup from working and then restore to non-working unit. Just use "Tools > Backup Configurations" and "Tools > Restore Configurations" on each respective unit's ASDM GUI.

Why do you want the exact same config though? If they are members of an HA pair then just do the bare bones HA setup on the secondary unit. Once connected to an Active Primary unit the config will copy over via the failover link.
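A small offline check for the condition described in this answer, added here as an example and not part of the original thread or any Cisco tooling: it parses pasted `show run asdm` and `dir disk0:/` output and reports whether an `asdm image` line is present and points at a file that exists on flash. The function names and the abridged sample input are constructed, and ordering candidates by the digits in the file name is an assumed heuristic.

```python
import re

# Constructed sample input, abridged from the outputs posted in this thread.
DIR_OUTPUT = """\
Directory of disk0:/

154 -rwx 111587328 13:36:26 Mar 12 2020 asa984-smp-k8.bin
156 -rwx 34033084 08:13:40 Mar 04 2020 asdm-7131.bin
162 -rwx 35743132 10:24:16 Apr 30 2020 asdm-7141-46.bin
177 -rwx 105172992 11:23:38 May 04 2020 asa9-14-1-smp-k8.bin
"""
SHOW_RUN_ASDM = "no asdm history enable\n"

DIR_LINE = re.compile(
    r"^\s*\d+\s+([d-][rwx-]{3})\s+(\d+)\s+\S+\s+\w{3}\s+\d+\s+\d{4}\s+(\S+)\s*$")
ASDM_CMD = re.compile(r"^\s*asdm image (\S+)\s*$", re.M)
ASDM_FILE = re.compile(r"^asdm-([\d-]+)\.bin$")

def flash_files(dir_output):
    """Return {filename: size} for regular files in a 'dir disk0:/' listing."""
    files = {}
    for line in dir_output.splitlines():
        m = DIR_LINE.match(line)
        if m and not m.group(1).startswith("d"):  # skip directories
            files[m.group(3)] = int(m.group(2))
    return files

def asdm_candidates(files):
    """ASDM images on flash, highest file-name digits first (heuristic)."""
    found = []
    for name in files:
        m = ASDM_FILE.match(name)
        if m:
            key = tuple(int(p) for p in re.findall(r"\d+", m.group(1)))
            found.append((key, name))
    return [name for _, name in sorted(found, reverse=True)]

def audit(show_run_asdm, dir_output, disk="disk0:/"):
    """Classify the 'asdm image' setting as ok, missing or file-not-on-flash."""
    files = flash_files(dir_output)
    candidates = asdm_candidates(files)
    m = ASDM_CMD.search(show_run_asdm)
    configured = m.group(1) if m else None
    if configured is None:
        status = "missing"
    elif configured.startswith(disk) and configured[len(disk):] in files:
        status = "ok"
    else:
        status = "file-not-on-flash"
    fix = f"asdm image {disk}{candidates[0]}" if status != "ok" and candidates else None
    return {"status": status, "configured": configured,
            "candidates": candidates, "suggestion": fix}
```
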

It should have a line like:

asdm image disk0:/asdm-7141-46.bin

>Ahh that would do it :-( Next numpty question, how do I add it to the config ?

 

Edit... snip, I just copied it into the PuTTY session :-) ) Config Terminal

 

>Why do you want the exact same config though? If they are members of an HA pair then just do the bare bones HA setup on the secondary unit. Once connected to an Active Primary unit the config will copy over via the failover link.

 

They are two separate standalone Firewalls, not a HA pair.

I am putting (or trying to) a default config on to test and then apply a working config once installed.

OK - just be careful not to put a testing firewall with the same interface addresses as your live firewall online. That could cause a network outage / rge (resume-generating-event).

OK Sir, thank you for your assistance, much appreciated

 

Cheers,

LM
