
ASA 5505 https:// access not working, IDM Launcher IS working.

Martin Ostberg

Hey!

I have a strange issue with one of our 5505's.

I can access it through telnet & when using the IDM launcher, but I'm unable to access it through https://x.x.x.x/admin

As far as I know and from what I can tell in the log the IDM launcher is also using https when accessing the ASA.

When I try to access the ASA from a web browser I can see the traffic in the log, and nothing gets denied, it looks the same as when I'm accessing it from the IDM launcher.

I'm on ASA version 8.4.2 and asdm-645-106

Any thoughts?

Cheers!


Hi Bro

Just to understand you correctly, you have a problem accessing the Cisco ASA ASDM but accessing the IPS service module via IDM is all good, am I right so far? Is this issue happening to all workstations when trying to access the ASDM or only your workstation?

Warm regards,
Ramraj Sivagnanam Sivajanam

Hey!

I can access ASDM if I go through the launcher (Cisco ASDM-IDM Launcher), but not by going to https://x.x.x.x

It's not just my WS, I've tried from several others.

Can you try a couple of things for me.

1) Ensure your workstation is listed under the show run http and show run asdm command, for example;

     http server enable

     http 10.10.10.10 255.255.255.255 inside  <--- 10.10.10.10 is your workstation IP, for example

     asdm image flash:/____.bin

2) Redownload the latest java version into your laptop from www.java.com

3) Rekey these commands in your FW and type show run all ssl

    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

     FW01# show run all ssl

     ssl server-version any

     ssl client-version any

     ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

4) Regenerate the crypto key

     crypto key rsa generate modulus 1024

Note: In show version, I presume VPN-3DES-AES is enabled, am I right? If all else fails, reupload in the FW the asdm image.

Warm regards,
Ramraj Sivagnanam Sivajanam

http server is enabled

and I've allowed all clients to connect

* http 0.0.0.0 0.0.0.0 inside

I'm running the latest version of java.

asdm image disk0:/asdm-645-106.bin

my ssl config looks like this

ssl server-version any

ssl client-version any

ssl encryption des-sha1

I tried regenerating the crypto key, that didn't help

VPN-3DES-AES is disabled.

I've tried another asdm image as well, didn't do anything.

Cheers!

Hi Bro

I presume you're trying the https://______ command from an INSIDE workstation, am I right? I believe so, as you did mention you can PING and TELNET the FW.

You would need the 3DES enabled, otherwise ASDM won't work. The good news is you can apply for it, and it's FREE. Just click on the link below;

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139

Warm regards,
Ramraj Sivagnanam Sivajanam

That's right, but the weird thing is that I can use ASDM when going to the Cisco ASDM-IDM Launcher instead of the web browser, doesn't that require 3DES as well?

Cheers!

Edit: I installed the 3des-license, but that didn't solve it either!

You've a point there. Let's do this instead, and let me know the outcome.

Upgrade the asdm image to the latest, I think it's asdm-642.bin. Next, remove all .asdm and .idm files in your workstation and clear out the java cache as well. Lastly, uninstall the asdm-idm launcher and reboot your machine.

Then, open your browser and type https://x.x.x.x to access the FW. You should receive an upgrade message, and god willing, this time it will work. Continue to download the launcher and save the settings, and you can use the launcher to access the FW.


The Java VM upper memory limit of ASDM 6.3 and above has been increased. Older versions of ASDM may not have enough available memory for IDM and 7.0(3) to function properly.


Please find enclosed the release notes of the engine E4:

http://www.cisco.com/en/US/docs/security/ips/7.0/release/notes/21671_01.html#wp1226708

Warm regards,
Ramraj Sivagnanam Sivajanam

asdm-649-103.bin seems to be the newest one, should I use that one?

Edit: and the one that I was running was already newer than 6.4.3 (6.4.5 106)

I figured it out, I never typed in

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

my line said

ssl encryption des-sha1

The only browser that gave a clue was Firefox; it mentioned something about encryption. Chrome and IE just failed to connect.

Thanks a lot!

Hi Martin

I'm glad all is good.

Please do rate my comments nicely :-) and click on the button CORRECT ANSWER.

Warm regards,
Ramraj Sivagnanam Sivajanam
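
The root cause found in this thread (an `ssl encryption` line offering only `des-sha1`) can be caught from saved config text before anyone opens a browser. The following is an added example, not part of the original posts and not Cisco code: `audit_asa_mgmt`, the finding labels and the cipher classification are this example's own assumptions, and the two sample configs are constructed from values quoted in the thread.

```python
import re

# Classification below is this example's assumption, not Cisco wording.
UNUSABLE = {"des-sha1", "null-sha1"}            # single DES / no encryption
LEGACY = {"rc4-sha1", "rc4-md5", "3des-sha1"}   # RC4 (RFC 7465), 64-bit-block 3DES

def audit_asa_mgmt(config: str) -> list[str]:
    """Return findings for the HTTPS management settings in ASA config text."""
    findings = []
    ciphers = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ssl encryption\s+(.+)$", line)
        if m:
            ciphers = m.group(1).split()
        m = re.match(r"http\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)$", line)
        if m:
            findings.append(f"open-mgmt: any host on '{m.group(1)}' may reach the HTTPS server")
    if ciphers is None:
        # Defaults are hidden unless the config came from 'show run all ssl'.
        findings.append("no-ssl-line: capture 'show run all ssl' to include defaults")
        return findings
    if all(c in UNUSABLE for c in ciphers):
        findings.append("no-usable-cipher: only " + " ".join(ciphers)
                        + " offered; browsers will fail the TLS handshake")
    findings += [f"legacy-cipher: {c}" for c in ciphers if c in LEGACY]
    return findings

# Constructed sample: the settings Martin reported before the fix.
BEFORE = """\
http server enable
http 0.0.0.0 0.0.0.0 inside
ssl server-version any
ssl client-version any
ssl encryption des-sha1
"""

# Constructed sample: the cipher line from the accepted answer.
AFTER = """\
http server enable
http 10.10.10.10 255.255.255.255 inside
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_asa_mgmt(cfg))
```

The "after" config clears the handshake failure but still reports `rc4-sha1` and `3des-sha1` as legacy entries that can be dropped once the AES suites are confirmed working.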