01-28-2018 06:25 AM - edited 02-21-2020 07:13 AM
Hi all
I have an ASA 5506-X with FirePOWER services. When I log in to ASDM I see the FirePOWER status tab but don't see the FirePOWER configuration button on the left side of ASDM. The ASA, my laptop and the FirePOWER module are in the same VLAN and the same subnet; ping is OK. During login ASDM shows "Initializing FirePOWER communication", but after login I can't find the FirePOWER configuration button.
ASA# sh ver
Cisco Adaptive Security Appliance Software Version 9.8(1)
Firepower Extensible Operating System Version 2.2(1.47)
Device Manager Version 7.8(2)151
ASA# sh module sfr details
Getting details from the Service Module, please wait...
Card Type: FirePOWER Services Software Module
Model: ASA5506
Hardware version: N/A
Serial Number: JAD214705GR
Firmware version: N/A
Software version: 6.2.0-362
MAC Address Range: 005d.73f8.3e5d to 005d.73f8.3e5d
App. name: ASA FirePOWER
App. Status: Up
App. Status Desc: Normal Operation
App. version: 6.2.0-362
Data Plane Status: Up
Console session: Ready
Status: Up
DC addr: No DC Configured
Mgmt IP addr: 172.16.16.26
Mgmt Network mask: 255.255.255.240
Mgmt Gateway: 172.16.16.17
Mgmt web ports: 443
Mgmt TLS enabled: true
It seems everything is OK.
Can you help me?
01-28-2018 07:00 AM
Does the userid that you use to login to ASDM have level 15 privilege?
01-28-2018 07:19 AM
01-28-2018 07:30 AM
Have you done the other verification steps in the document you linked?
9 out of 10 times (or more) one of those will fix the issue.
01-28-2018 07:48 AM
01-28-2018 07:52 AM
Ping is not always the best test as it can work while the ssl connection required between your ASDM and the Firepower module IP fails.
Are you able to log into the module address directly via ssh? That requires a successful tcp 3-way handshake, while icmp echo request/reply (ping) is connectionless and will work even with an asymmetric path.
01-28-2018 07:57 AM
01-28-2018 08:01 AM
Hmm, OK - that is looking quite odd then. Are you using a Windows PC?
I would at this point do a packet capture and see if your workstation is attempting and failing to make the tcp/443 connection to the Firepower module address.
It is probably connecting based on what you said but something higher in the stack (Java security, certificate etc.) is failing.
01-28-2018 08:05 AM
01-28-2018 08:20 AM - edited 01-28-2018 08:20 AM
Strange issue: it seems that my PC drops packets. Can you see the attached screenshot?
module IP: 172.16.16.34
My PC: 172.16.16.38
01-28-2018 08:29 AM
01-28-2018 08:37 AM - edited 01-28-2018 08:41 AM
It looks like a Java on Linux issue. The screen shot shows it’s not liking the module’s SSL certificate. I wonder if you can override that behavior on Java. On Windows it’s possible in the Java control panel.
Another person was posting a similar experience a few days back.
Technically the only supported Linux version for ASDM is RHEL 5.
https://www.cisco.com/c/en/us/td/docs/security/asdm/7_8/release/notes/rn78.html#id_25472
01-28-2018 09:39 AM
01-28-2018 01:05 PM
01-28-2018 06:17 PM
I have been using the current JRE 8 (1.8) releases successfully. As of right now that is 1.8.0151.
Make sure your Java Security setting is not "very high" and is instead the more permissive "high".
One member reported that moving from Java 1.7 to 1.8 fixed his problem as 1.7 was not negotiating TLS 1.2 successfully.
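Added example, not part of the thread: a small Python check that separates the layers discussed above (TCP reachability on the module's management port, TLS negotiation, certificate trust) and reports the first one that fails. The function name `probe_tls` is hypothetical; pass the module's management address on the command line.

```python
import socket
import ssl
import sys

def probe_tls(host, port=443, timeout=5.0):
    """Report the first layer that fails: 'tcp', 'tls' or 'cert'; 'done' if none."""
    result = {"stage": "tcp", "ok": False, "detail": ""}
    # 1. TCP three-way handshake (what ping cannot prove).
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["detail"] = f"TCP connect failed: {exc}"
        return result
    # 2. TLS handshake with verification off, for diagnosis only, so that
    #    a protocol/cipher mismatch is told apart from a trust failure.
    result["stage"] = "tls"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw) as tls:
            result["protocol"] = tls.version()  # e.g. "TLSv1.2"
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        raw.close()
        result["detail"] = f"TLS handshake failed: {exc}"
        return result
    # 3. Same handshake with the default trust store and name check.
    result["stage"] = "cert"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw2:
            with ssl.create_default_context().wrap_socket(raw2, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as exc:
        result["detail"] = f"certificate rejected: {exc.verify_message}"
        return result
    except OSError as exc:
        result["detail"] = f"verified handshake failed: {exc}"
        return result
    result.update(stage="done", ok=True)
    return result

if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe_tls(sys.argv[1]))
```

A result of stage "cert" with a protocol recorded means the connection and negotiation work and only certificate trust fails, which is the situation described in the 08:37 reply.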