12-05-2013 04:38 PM - edited 03-11-2019 08:13 PM
I am at my wits' end with this one and can't seem to find anything that matches my situation. So I have an ASA5505 that I am trying to get the ASDM running on. I have done this before on other firewalls with no issue. Every time I go to the URL https://192.168.1.1 I get the prompt to accept the certificate, which I do, then it just goes blank and the page freezes. If I try to launch it straight from the ASDM launcher it also just freezes. I have double checked my SSL encryption and made sure it has rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1. I am using the asdm-714.bin image and have tried getting it to run on the ASA 8.2.5, 8.4.7 and 9.1.3 code and get the same results with each version of code I put on this device. I have also tried multiple computers, and both computers connect to my other firewalls just fine via URL to launch ASDM or the ASDM launcher, so I know it isn't a Java issue with them. Is there something I am missing? I have tried accessing the URL using Safari, Firefox, Chrome and IE, all with the same results: accept the cert and it just hangs there and never displays the ASDM launch page. Please help!
12-07-2013 11:38 AM
From customer:
Also I have tried power cycling the ASA, using a different asdm image file, the image file "asdm-714.bin"
So it's a bug. I mean we clearly see the problem with the SSL Crypto Hardware Accelerator
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-05-2013 04:46 PM
More information, I have currently put 8.2.5 code back on my 5505, and have "asdm image disk0:/asdm-714.bin" go to the url accept the cert, and it just freezes.
12-05-2013 07:56 PM
Hello,
Share:
Show run http
show run aaa
show run asdm
Can you also enable
debug http 255
and then connect
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-06-2013 07:52 AM
ciscoasa# show run all http
http server enable 443
http 192.168.1.0 255.255.255.0 inside
show run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ciscoasa# show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
ciscoasa# show run all aaa
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa proxy-limit 16
no aaa authentication secure-http-client
no aaa local authentication attempts max-fail
no aaa authorization exec authentication-server
ciscoasa# show run all asdm
asdm image disk0:/asdm-714.bin
no asdm history enable
ciscoasa# debug http 255
debug http enabled at level 255.
ciscoasa# HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
12-06-2013 08:07 AM
Also I have tried power cycling the ASA, using a different ASDM image file; the image file "asdm-714.bin" I got straight from the Cisco web site, and I have put that image file on another ASA and it worked fine. I am so lost on this one; the debug isn't showing anything when I try to connect, it just keeps giving the:
HTTP: Periodic admin session check (idle-timeout = 1200, session-timeout = 0)
Any ASA Ninjas out there have any idea what I should try next?
12-06-2013 08:18 AM
Hello,
do
capture capin interface inside match tcp any host x.x.x.x eq 443 (where x.x.x.x is the ASA inside interface)
capture asp type asp-drop all circular-buffer
afterwards try to connect and provide
show cap capin
show cap asp | include x.x.x.x
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-06-2013 08:21 AM
ciscoasa(config)# show capture
capture capin type raw-data interface inside [Capturing - 0 bytes]
match tcp any host 192.168.1.1 eq https
capture asp type asp-drop all circular-buffer [Capturing - 1066 bytes]
12-06-2013 08:23 AM
ciscoasa# show cap asp | include 192.168.1.1
1: 09:20:30.891280 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
2: 09:20:31.916898 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
3: 09:20:33.024611 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
4: 09:20:34.032224 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
5: 09:20:35.138573 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
6: 09:20:35.186071 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500: udp 122 Drop-reason: (acl-drop) Flow is denied by configured rule
7: 09:20:36.248735 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
8: 09:20:38.264985 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
9: 09:20:42.283783 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
10: 09:20:50.287659 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
11: 09:21:05.202916 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500: udp 122 Drop-reason: (acl-drop) Flow is denied by configured rule
12: 09:21:06.341260 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
13: 09:21:35.221820 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500: udp 122
14: 09:22:05.246065 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500: udp 122 Drop-reason: (acl-drop) Flow is denied by configured rule
15: 09:22:35.270432 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500: udp 122
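An added example, not part of the thread, for reading the "show cap asp" output above the way a defender would: a capture of type asp-drop lists packets the ASA dropped, so grouping the lines by flow separates a client that keeps resending the same SYN (one ISN, never answered, so the TCP handshake never completes and no TLS or ASDM setting can matter yet) from flows dropped with an explicit reason such as acl-drop. It assumes the line format shown above; the sample is a constructed subset of those lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "show cap asp" lines from this thread,
# in the same format the ASA prints them.
SAMPLE_ASP = """\
1: 09:20:30.891280 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
2: 09:20:31.916898 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
3: 09:20:33.024611 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
6: 09:20:35.186071 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500: udp 122 Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# "<n>: <time> ... <src>.<sport> > <dst>.<dport>: <rest>"
PKT_RE = re.compile(
    r"^\d+:\s+\S+\s+.*?(?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
SYN_RE = re.compile(r"^S\s+(?P<isn>\d+):\d+\(0\)")          # bare SYN, no payload
DROP_RE = re.compile(r"Drop-reason:\s+\((?P<code>[^)]+)\)")  # e.g. (acl-drop)

def parse_asp_capture(text):
    """Group capture lines by 4-tuple; count packets, SYNs, distinct ISNs and drop codes."""
    flows = defaultdict(lambda: {"packets": 0, "syns": 0,
                                 "isns": set(), "drop_reasons": set()})
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # skip anything that is not a packet line
        flow = flows[(m["src"], m["sport"], m["dst"], m["dport"])]
        flow["packets"] += 1
        syn = SYN_RE.match(m["rest"])
        if syn:
            flow["syns"] += 1
            flow["isns"].add(syn["isn"])
        drop = DROP_RE.search(m["rest"])
        if drop:
            flow["drop_reasons"].add(drop["code"])
    return dict(flows)

def stalled_handshakes(flows, min_syns=3):
    """Flows where the client keeps resending the same SYN (single ISN, no SYN-ACK
    ever seen): the handshake is not completing, so a blank page is expected."""
    return [
        {"flow": key, "syn_retransmits": f["syns"],
         "drop_reasons": sorted(f["drop_reasons"])}
        for key, f in flows.items()
        if f["syns"] >= min_syns and len(f["isns"]) == 1
    ]

if __name__ == "__main__":
    for entry in stalled_handshakes(parse_asp_capture(SAMPLE_ASP)):
        print(entry)
```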
12-06-2013 08:25 AM
Huh, there is some ACL rule dropping it if I am reading this right, but I don't even have any ACLs configured on this ASA. I did a "wr erase" and have really only done the config to the point so I can't access the ASDM.
12-06-2013 08:28 AM
Check my ARP, Connectivity post and provide results
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-06-2013 08:23 AM
Hello Brett,
Can you ping the Client PC from the ASA?
Do you see an ARP entry??
It seems like the packets are not even reaching the ASA bud.
Can you try from a different machine
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-06-2013 08:27 AM
I can ping the ASA from my computer, and I have tried from two different computers now.
Bretts-MBP:~ berickson$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=1.075 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.709 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.728 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=0.708 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=255 time=0.825 ms
^C
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.708/0.809/1.075/0.140 ms
12-06-2013 08:29 AM
What java version do you have on the PCs?
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-06-2013 08:31 AM
ciscoasa# show arp
inside 192.168.1.102 5855.ca22.ffd2 96
12-06-2013 08:32 AM
On the Mac I am currently using 7 update 35 and I can connect to two other ASAs with no issue. I guess I can't SSH to it either; I just tried that for kicks.