cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14291
Views
10
Helpful
43
Replies

ASA5505 ASDM WON'T LAUNCH

Brett Erickson
Level 1
Level 1

I am at my witts end with this one and can't seem to find anything that matches my situtation. So I have an ASA5505 that I am trying to get the ASDM running on. I have done this before on other firewalls with no issue. Everytime I go to the url https://192.168.1.1 I get the prompt to accept the certificate which I do, then it just goes blank and the page freezes. If I try to launch it straight from the ASDM launcher it also just freezes. I have double checked my ssl encryption and made sure it has rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1. I am using asdm-714.bin image and have tried getting it run on the asa 8.2.5, 8.4.7 and 9.1.3 code and get the same results with each version of code I put on this device. I have also tried multiple computers, and both computer connect to my other firewalls just fine via url to lauch asdm or asdm launcher so I know it isn't a java issue with them. Is there something I am missing?? I have tried accessing the url using Safari, Firefox, Chrome and IE, all with the same results, accept the cert and it just hangs there and never displays the asdm launch page. Please Help!

43 Replies 43

JK, I can ssh, I forgot to add my "ssh 192.168.1.0 255.255.255.0 inside" ssh works fine now, just can't access the asdm

Here is the running config, am I missing somethine? I have checked it so many times.

ciscoasa# show run

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name test.local

enable password *removed* encrypted

passwd *removed* encrypted

names

!

interface Ethernet0/0

switchport access vlan 10

!

interface Ethernet0/1

shutdown

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

switchport access vlan 10

!

interface Vlan1

shutdown

no nameif

no security-level

no ip address

!

interface Vlan10

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

dns server-group DefaultDNS

domain-name test.local

pager lines 24

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.100-192.168.1.150 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username berickson password *removed* encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:28857584cf7b907dec6680534afadc01

: end

Hello

is 102 the internal PC?

Can you do a show flash?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

yes 102 is my computer, and I can ping 192.168.1.102 (my computer) from the asa

ciscoasa(config)# show flash:

--#--  --length--  -----date/time------  path

    3  4096        Aug 23 2013 19:26:26  log

   12  4096        Dec 05 2013 14:42:34  crypto_archive

  116  410532      Dec 05 2013 14:42:10  crypto_archive/crypto_eng0_arch_1.bin

  117  410532      Dec 05 2013 14:42:34  crypto_archive/crypto_eng0_arch_2.bin

   13  4096        Aug 23 2013 19:27:06  coredumpinfo

   14  59          Dec 02 2013 10:09:30  coredumpinfo/coredump.cfg

  102  4792138     Jun 16 2011 15:52:06  anyconnect-win-2.5.3041-k9.pkg

  103  15390720    May 25 2011 19:14:58  asa825-k8.bin

  104  26772780    Apr 20 2011 16:26:46  csd_3.6.181-k9.pkg

  105  418765      Sep 28 2009 12:00:44  sslclient-win-1.1.4.179.pkg

  106  17790720    Dec 02 2013 09:50:44  asdm-711-52.bin

  107  22658960    Dec 05 2013 15:33:12  asdm-714.bin

  108  0           Dec 02 2013 10:09:30  nat_ident_migrate

  109  2768        Dec 02 2013 10:09:30  8_2_5_0_startup_cfg.sav

  110  1138        Dec 02 2013 10:09:30  upgrade_startup_errors_201312021009.log

  112  27408384    Dec 02 2013 11:06:02  asa903-k8.bin

  113  26984448    Dec 02 2013 11:06:42  asa913-k8.bin

  114  24809472    Dec 02 2013 11:46:20  asa847-k8.bin

256503808 bytes total (88137728 bytes free)

I just don't get it, why would it hit the ASA from my web browser then ask me if I want to accept the certificate and then once I accept it then it just does nothing?

Ok I have been trying to connect and checking the capture you had me setup, I saw this one.

79: 09:45:50.837481 802.1Q vlan#10 P0 192.168.1.102.58824 > 192.168.1.1.443: R 86402545:86402545(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order

I can't see how it would be java related, I can't even display the web page that would then launch the java application.

Here is the version info if this helps anyone come up with any ideas, i am so at a loss right now...

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 7.1(4)

Compiled on Fri 20-May-11 16:00 by builders

System image file is "disk0:/asa825-k8.bin"

Config file at boot was "startup-config"

ciscoasa up 4 mins 2 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

0: Int: Internal-Data0/0    : address is 0021.5595.8321, irq 11

1: Ext: Ethernet0/0         : address is 0021.5595.8319, irq 255

2: Ext: Ethernet0/1         : address is 0021.5595.831a, irq 255

3: Ext: Ethernet0/2         : address is 0021.5595.831b, irq 255

4: Ext: Ethernet0/3         : address is 0021.5595.831c, irq 255

5: Ext: Ethernet0/4         : address is 0021.5595.831d, irq 255

6: Ext: Ethernet0/5         : address is 0021.5595.831e, irq 255

7: Ext: Ethernet0/6         : address is 0021.5595.831f, irq 255

8: Ext: Ethernet0/7         : address is 0021.5595.8320, irq 255

9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255

10: Int: Not used            : irq 255

11: Int: Not used            : irq 255

Licensed features for this platform:

Maximum Physical Interfaces    : 8        

VLANs                          : 20, DMZ Unrestricted

Inside Hosts                   : Unlimited

Failover                       : Active/Standby

VPN-DES                        : Enabled  

VPN-3DES-AES                   : Enabled  

SSL VPN Peers                  : 2        

Total VPN Peers                : 25       

Dual ISPs                      : Enabled  

VLAN Trunk Ports               : 8        

Shared License                 : Disabled

AnyConnect for Mobile          : Disabled 

AnyConnect for Cisco VPN Phone : Disabled 

AnyConnect Essentials          : Disabled 

Advanced Endpoint Assessment   : Disabled 

UC Phone Proxy Sessions        : 2        

Total UC Proxy Sessions        : 2        

Botnet Traffic Filter          : Disabled 

This platform has an ASA 5505 Security Plus license.

Serial Number: *removed*

Running Activation Key: *removed*

Configuration register is 0x1

Configuration has not been modified since last system restart.

I even just tried reformating my flash to see if that helped, I only put the asa825-k8.bin and asdm-714.bin back on it.

ciscoasa# show flash:

--#--  --length--  -----date/time------  path

   41  22658960    Dec 05 2013 03:45:44  asdm-714.bin

   42  15390720    Dec 05 2013 03:46:22  asa825-k8.bin

    2  4096        Dec 05 2013 03:56:11  log

    9  4096        Dec 05 2013 03:56:37  crypto_archive

   50  4096        Dec 05 2013 03:56:47  coredumpinfo

   51  43          Dec 05 2013 03:56:47  coredumpinfo/coredump.cfg

255320064 bytes total (216899584 bytes free)

Still no luck, and double verified that my asdm-714.bin works on a different ASA running 8.2.5 code as well.

Julio do you have any other advice? Could it possibly be hardware related?

Hello,

Yeah it does not make any sense.

What happens if you plugin a computer directly to the ASA and attempt to connect?

You have no idea how many Bugs are related to the Java version bud.

I am sorry if I am going around bud have you rebooted the box?? If yes then do the following:

Let's restart the HTTPS daemon

clear configure HTTP

clear configure asdm

Create your own permanent self-signed certificate and then

Configure HTTP/ASDM again,

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Computer is plugged directly into the ASA, quick question, when you say to create my own permanent self-signed cert are you just refering to the "crypto key generate rsa" command or is there more to it?

Hello Brett,

Wow this is getting crazy man,

Is there a way that you could downgrade to Java v6?

I know bud. I know.. This works with other firewalls but you have no idea how many times the solution of a ticket was that.

Hope you try it

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, I am currently using Java 7 update 25, as it was the recommended on ciscos web page. But I will down grade to java 6 and let you know how it goes.

ha, this will be the death of me, I installed java 6 update 45, try to hit the web page in IE, accept the cert and then.....

NOTHING!!

I really do appreciate your help, I thought I was just missing something, that is why I was wondering if there was any type of hardware issue that could be causeing this as nothing I have tried has seemed to work.

Review Cisco Networking for a $25 gift card