
ASA 5506-X missing FirePOWER configuration tab

wan_cubby34
Level 1

Hi all

 

I have an ASA 5506-X with FirePOWER services. When I enter ASDM I see the FirePOWER status tab but don't see the FirePOWER configuration button on the left side of ASDM. The ASA, my laptop and the FirePOWER module are in the same VLAN and the same subnet; ping is OK. During login, ASDM shows "Initializing FirePOWER communication", but after login I can't find the FirePOWER configuration button.

 

ASA# sh ver

Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(2)151

 

ASA# sh module sfr details
Getting details from the Service Module, please wait...

Card Type: FirePOWER Services Software Module
Model: ASA5506
Hardware version: N/A
Serial Number: JAD214705GR
Firmware version: N/A
Software version: 6.2.0-362
MAC Address Range: 005d.73f8.3e5d to 005d.73f8.3e5d
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.2.0-362
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 172.16.16.26
Mgmt Network mask: 255.255.255.240
Mgmt Gateway: 172.16.16.17
Mgmt web ports: 443
Mgmt TLS enabled: true

 

It seems everything is OK.

Can you help me?

1 Accepted Solution


It looks like a Java on Linux issue. The screen shot shows it’s not liking the module’s SSL certificate. I wonder if you can override that behavior on Java. On Windows it’s possible in the Java control panel. 

 

Another person was posting a similar experience a few days back. 

 

Technically the only supported Linux version for ASDM is RHEL 5. 

 

https://www.cisco.com/c/en/us/td/docs/security/asdm/7_8/release/notes/rn78.html#id_25472


26 Replies

Marvin Rhoads
Hall of Fame

Does the user ID that you use to log in to ASDM have level 15 privilege?

Yes, this is level 15 privilege.

I've made everything as described in:
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/200889-Using-ASDM-to-manage-a-FirePOWER-module.html#anc7

but during login to ASDM it doesn't ask me about FirePOWER authentication

Have you done the other verification steps in the document you linked?

 

9 out of 10 times (or more) one of those will fix the issue.

I've done all the verification steps; the ASA image is 9.8 and the ASDM image is 7.8.
The difference is that I connected to the ASA network with the Cisco VPN client, but I can ping the ASA and the Firepower module.

Ping is not always the best test, as it can work while the SSL connection required between your ASDM and the Firepower module IP fails.

 

Are you able to log into the module address directly via SSH? That requires a successful TCP 3-way handshake, while ICMP echo request/reply (ping) is connectionless and will work even with an asymmetric path.

Yes, I can connect to the FirePOWER module using SSH, and I can also telnet to the module on port 443.

Hmm, OK - that is looking quite odd then. Are you using a Windows PC?

 

I would at this point do a packet capture and see if your workstation is attempting and failing to make the tcp/443 connection to the Firepower module address.

 

It is probably connecting based on what you said but something higher in the stack (Java security, certificate etc.) is failing. 

Yes, something drops SSL packets from ASDM to the module, but why?
I'm using a Linux Mint PC, if that helps.

Strange issue: it seems that my PC drops the packets. Can you see the attached screenshot?

module IP: 172.16.16.34

My PC: 172.16.16.38

 

Screenshot from 2018-01-28 20-16-59.png

Java Log

Local Launcher Version = 1.8.0
Local Launcher Version Display = 1.8(0)
OK button clicked
Trying for ASDM Version file; url = https://172.16.16.35/admin/
Server Version = 7.8(2)151
Server Launcher Version = 1.8.0, size = 774656 bytes
invoking SGZ Loader..
Cache location = /home/zura/.asdm/cache
2018-01-28 20:27:20,060 [ERROR] CLI-PASSTHROUGH-DEBUG Inside doInitialProcessing:
0 [SGZ Loader: launchSgzApplet] ERROR com.cisco.pdm.headless.startup - CLI-PASSTHROUGH-DEBUG Inside doInitialProcessing:
CLI-PASSTHROUGH-DEBUG Inside doInitialProcessing:
2018-01-28 20:27:20,156 [ERROR] CLI-PASSTHROUGH-DEBUG Inside doInitialProcessing messenger: ckg@397261c9
96 [SGZ Loader: launchSgzApplet] ERROR com.cisco.pdm.headless.startup - CLI-PASSTHROUGH-DEBUG Inside doInitialProcessing messenger: ckg@397261c9
CLI-PASSTHROUGH-DEBUG Inside doInitialProcessing messenger: ckg@397261c9
Jan 28, 2018 4:27:37 PM tm co
INFO: Failed to connect to FirePower, continuing without it.
Jan 28, 2018 4:27:37 PM tm co
INFO: If the FirePower is NATed, clear the cache (/home/zura/.asdm/data/firepower.conf) and try again.
IO Exception occurs while reading the dap file. java.io.FileNotFoundException: https://172.16.16.35/admin/flash/dap.xml
No CSD version

Same problem on a Windows PC.
Which version of Windows and Java do you use to communicate with FirePOWER?
I tried on Windows 10 and Java 7u51 but got the same problem.

I tried two different Windows PCs but got the same problem. What version of Java can I use?

I have been using the current JRE 8 (1.8) releases successfully. As of right now that is 1.8.0151.

 

Make sure your Java Security setting is not "very high" and is instead the more permissive "high".

 

One member reported that moving from Java 1.7 to 1.8 fixed his problem as 1.7 was not negotiating TLS 1.2 successfully.

 

https://supportforums.cisco.com/t5/firewalling/asa5506x-help-cannot-connect-to-the-asa-firepower-module/td-p/2695748
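
The layered troubleshooting discussed in this thread (ping works, TCP/443 works, yet something higher in the stack fails) can be checked one layer at a time from the workstation. The script below is an added example, not part of the original thread and not a Cisco tool; it uses Python's own TLS stack and the operating system trust store as a stand-in for what the ASDM Java runtime decides, and the default target address is a placeholder.

```python
import socket
import ssl
import sys

def _handshake(host, port, ctx, timeout):
    """Open a TCP connection and complete a TLS handshake with the given context."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            return f"{tls.version()} {tls.cipher()[0]}"

def probe(host, port=443, timeout=5.0):
    """Test each layer separately: TCP connect, TLS version negotiation, certificate trust."""
    report = {"tcp": False, "tls": {}, "cert_trusted": False}
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        report["tcp"] = True
    except OSError as exc:
        report["tcp_error"] = str(exc)
        return report  # nothing above TCP can work

    # Pin one protocol version per attempt, with verification off, so a
    # failure here points at protocol negotiation rather than at trust.
    for name in ("TLSv1_2", "TLSv1_3"):
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion[name]
            report["tls"][name] = _handshake(host, port, ctx, timeout)
        except (OSError, ValueError) as exc:
            report["tls"][name] = f"FAILED: {exc}"

    # Now verify the chain against the local trust store. The module is
    # addressed by IP, so hostname matching is skipped and only trust is tested.
    try:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        _handshake(host, port, ctx, timeout)
        report["cert_trusted"] = True
    except OSError as exc:
        report["cert_error"] = str(exc)
    return report

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    for key, value in probe(target).items():
        print(f"{key}: {value}")
```

A result of `tcp: True` with a successful TLS 1.2 handshake but `cert_trusted: False` matches the situation described above, where the connection is made and the client then rejects the module's certificate.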
