cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11498
Views
20
Helpful
15
Replies

ASA ASDM and IPS IDM with Oracle java 7u51

Maxim Zimovets
Level 1
Level 1

Hello, everybody!

As you all probably know on January 14th 2014 Oracle issued CPU with new java 7u51. After installing it I'm not able to loging to ASA via ASDM, not  int to IPS via IDM.

I always have the same error:

image001.jpeg

On the java console I see a lot of exception devoted to security.DeployManifestChecker. It looks like all applets suffer from one problem -  new security features from Oracle (https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias).

I can also say that all Cisco ASA plugins for SSLVPN don't work too.

I use ASDM version 7.1.4 on my devices.

Downgrade to Java 7u45 resolved the problem.

Is it only my problem? Does anyone expirience the same proble with new Java?

With best regards,

Maxim

15 Replies 15

Maxim Zimovets
Level 1
Level 1

Small update to the previous post.

Cisco issued update to ASDM - 7.1(5)100. But the update did not bring expected results. I'm not able to launch ASDM application, even with workaraound proposed in bug CSCum46193. I was only able to launch ASDM  via browser.

Maxim

I have this problem too.  Even with the exception in the Java security panel I cannot launch it.

momentapharma
Level 1
Level 1

Same here - new ASDM and whitelisting does not solve the issue. Read this is effecting Anyconnect portal installs and Cisco Prime too.

As of right now there are only two methods that I can get the ASDM to work after upgrading.   Adding the ASA’s URL to the exception site list does not fix the issue. 

1.       Import the ASA Certificate and install the certificate into the “Secure Site” Section (Secure Site NOT Trusted Certificate)

2.      Import the CA certificate chain into the Java Secure Site CA Section.*

*If you use method two and import the CA certificates the hostname must match the CN presented.  So if the certificate on the ASA has vpn.example.com and you type in the IP address in to the ASDM window you will get the same results.

This is not the same behavior if you import the certificate into the secure sites.  If you import the cert into the secure site you can use any hostname/IP address that resolves to the IP address of the ASA (host file entries have also been tested).

I also noticed that the Java certificate store does not reflect the Windows Certificate store.  So if you have an Corporate CA certificate that is distributed via GPO this cert will still need to be manually imported into the Java Control Panel. 

k.whitelaw
Level 1
Level 1

We have the same problem and the fix worked for IE11 but not FireFox 26 or Google Chrome on one PC running Win 7 x64. On another Win 7 x32 PC, the fix worked for FireFox 26 and Google Chrome, but not for IE11. We have not run into the problem with the Cisco AnyConnect VPN Client yet and hoping that it doesn't also become an issue.

Cassio Oliveira
Level 1
Level 1

I had the same problem and what I did is: downgrade to Java 7u45, and installed the Java 7u51, but I kept the older version also. I'm using ASDM 7.1 (2).

It works for me, at least for now. Not tested on AnyConnect.

I hope this help you.

ronoffer98
Level 1
Level 1

I had the same issue, here is what I did to fix it...

  1. Launch the Java Control Panel (you can select 'Check for Updates' from Start -> Program Menu -> Java)
  2. Select the security tab
  3. Click on Edit Site and add the IP address of your ASA (e.g. https://192.168.1.1/)

I am running Java 7 Update 51 build 13 with ASDM v 7.1(2) and ASA 9.0(2).

That should do the trick!

Ron Offer wrote:

I had the same issue, here is what I did to fix it...

  1. Launch the Java Control Panel (you can select 'Check for Updates' from Start -> Program Menu -> Java)
  2. Select the security tab
  3. Click on Edit Site and add the IP address of your ASA (e.g. https://192.168.1.1/)

I am running Java 7 Update 51 build 13 with ASDM v 7.1(2) and ASA 9.0(2).

That should do the trick!

This worked for me THANK YOU

bobtherina
Level 1
Level 1

I was having the same problem. The other suggestions weren't working for me. What did work for me was:

1. Go to the ASA IP address in IE.

2. Select Continue to website. (This is where it asks if you want to install the ASDM Launcher)

3. In the Address Bar click on "Certificate Error" then "View Certificates."

4. Go to Details tab and select "Copy to File" and export the cert to my desktop using the default DER format.

5. Open Java Control Panel and go to "Security" tab and "Manage Certificates."

6. Selected "Secure Site" in drop down box and clicked "Import."

7. Select "All Files" in drop down box, and selected the Cert that I exported from IE.

Thank you Robert it works! :-)

I had been messing with this off and on for a couple days. I followed your procedure on my personal Windows 2003 server and now able to access my ASA5505 which has the latest IOS and ADM on it. I noticed that I already had several certificates to the ASA's IP address already installed in Java so I removed those before installing the one I put on my desktop.

I will try it with my customers that are also experiencing problems. I wonder why the dis-association with Java.

Thanks again, this worked great!

John, I think what happens is that in the past when using a much older version of Java, you were probably asked to check a box to always trust a site. At that point it automatically cached the cert. Later versions just gave a warning without the option to always trust. In 7 u 45 there was a warning that a future update would not allow self signed certs and no option to always trust so when u 51 it just failed.

So if you got a new piece of equipment after updating Java to u 51, or used a new computer to try to connect to an older ASA that was accessible from other, older computers, it would fail because there was never a simple opportunity to cache the cert. That's my theory anyway.

What happens if you have a ton of ASA's to manage?  Nobody has to time install the certs for all of them. 

What a pain in the ass this is. 

I don't know. I don't work for Cisco or Oracle. I'm just a guy who had the same problem and found a workaround. Maybe there is a better way.

jean.rozycki
Level 1
Level 1

Hi dpatten78,

I have this situation with lots of ASAs on which I cannot add certs on all of them. See my post

https://supportforums.cisco.com/message/4170709#4170709 where I describe a workaround that works for us.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: