
ASA5505 ASDM WON'T LAUNCH

Brett Erickson
Level 1

I am at my wits' end with this one and can't seem to find anything that matches my situation. So I have an ASA5505 that I am trying to get the ASDM running on. I have done this before on other firewalls with no issue. Every time I go to the url https://192.168.1.1 I get the prompt to accept the certificate, which I do, then it just goes blank and the page freezes. If I try to launch it straight from the ASDM launcher it also just freezes. I have double checked my ssl encryption and made sure it has rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1. I am using the asdm-714.bin image and have tried getting it to run on the asa 8.2.5, 8.4.7 and 9.1.3 code and get the same results with each version of code I put on this device. I have also tried multiple computers, and both computers connect to my other firewalls just fine via url to launch asdm or asdm launcher, so I know it isn't a java issue with them. Is there something I am missing? I have tried accessing the url using Safari, Firefox, Chrome and IE, all with the same results: accept the cert and it just hangs there and never displays the asdm launch page. Please help!


Hello Brett,

Ok, 3 more messages and I will be done haha,

no webvpn

or try https://ip_inside/admin

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

No Luck.

I did "no webvpn"

then "no http server enable" then "http server enable" just for kicks to restart it.

I still get the exact same results

I am not the biggest wireshark guru but here is what the capture shows from the client side when I try to connect to it.

I am now trying it from a different PC, so the client address changed to 192.168.101 still directly connected to the asa

Hello,

Okay, 2 more left haha.

so

https://ip_inside/admin  did not do it.

The capture shows the inside client sending a FIN packet for the closure of the session. Then the ASA replies to that.

do

crypto key generate rsa label sslvpnkeypair
crypto ca trustpoint localtrust
enrollment self
keypair sslvpnkeypair
exit

crypto ca enroll localtrust noconfirm

ssl trust-point localtrust inside

Then try to connect again.

By the way, what do the ASA logs say when you attempt to connect?





Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I was hopeful on that one, but the same results still exist.

ciscoasa# show logging asdm

5|Dec 05 2013 07:23:42|111008: User 'enable_15' executed the 'logging asdm informational' command.

5|Dec 05 2013 07:23:43|111008: User 'enable_15' executed the 'logging device-id hostname' command.

5|Dec 05 2013 07:23:46|111005: console end configuration: OK

6|Dec 05 2013 07:23:50|110002: Failed to locate egress interface for UDP from inside:192.168.1.101/60961 to 10.30.15.25/161

6|Dec 05 2013 07:24:02|110002: Failed to locate egress interface for UDP from inside:192.168.1.101/60961 to 10.30.15.25/161

6|Dec 05 2013 07:24:14|110002: Failed to locate egress interface for UDP from inside:192.168.1.101/60962 to 10.30.15.25/161

6|Dec 05 2013 07:24:26|110002: Failed to locate egress interface for UDP from inside:192.168.1.101/60962 to 10.30.15.25/161

6|Dec 05 2013 07:25:02|302010: 1 in use, 5 most used

fyi these are my logging settings

ciscoasa# show run log

logging enable

logging timestamp

logging console warnings

logging buffered warnings

logging trap warnings

logging asdm informational

logging device-id hostname

It does not make any sense why the PC is sending a FIN packet.

You told me you did not capture anything on the ASA right?

show cap capin shows nothing?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

This might be helpful, I just got an error when I tried to connect..

Dec 05 2013 07:43:17 ciscoasa : %ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Invalid Scatter/Gather Write Length, code= 0xD) while executing the command SSL Process Handshake Record (0x208D).

ciscoasa# show capture capin

34 packets captured

   1: 07:43:09.000854 802.1Q vlan#10 P0 192.168.1.101.50024 > 192.168.1.1.443: R 4072447170:4072447170(0) ack 238030498 win 0

   2: 07:43:16.537371 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: S 4130703030:4130703030(0) win 65535

   3: 07:43:16.537478 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50050: S 2002311585:2002311585(0) ack 4130703031 win 8192

   4: 07:43:16.537783 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: . ack 2002311586 win 65535

   5: 07:43:16.539660 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: P 4130703031:4130703173(142) ack 2002311586 win 65535

   6: 07:43:16.539721 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50050: . ack 4130703173 win 32768

   7: 07:43:16.540285 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50050: P 2002311586:2002312146(560) ack 4130703173 win 32768

   8: 07:43:16.541231 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: . ack 2002312146 win 65535

   9: 07:43:16.572541 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: F 4130703173:4130703173(0) ack 2002312146 win 65535

  10: 07:43:16.572586 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50050: . ack 4130703174 win 32768

  11: 07:43:16.572693 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50050: FP 2002312146:2002312146(0) ack 4130703174 win 32768

  12: 07:43:16.573166 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: . ack 2002312147 win 65535

  13: 07:43:17.907378 802.1Q vlan#10 P0 192.168.1.101.50051 > 192.168.1.1.443: S 4049108725:4049108725(0) win 65535

  14: 07:43:17.907469 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50051: S 65111902:65111902(0) ack 4049108726 win 8192

  15: 07:43:17.907713 802.1Q vlan#10 P0 192.168.1.101.50051 > 192.168.1.1.443: . ack 65111903 win 65535

  16: 07:43:17.908171 802.1Q vlan#10 P0 192.168.1.101.50051 > 192.168.1.1.443: P 4049108726:4049108868(142) ack 65111903 win 65535

  17: 07:43:17.908247 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50051: . ack 4049108868 win 32768

  18: 07:43:17.908796 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50051: P 65111903:65112463(560) ack 4049108868 win 32768

  19: 07:43:17.909559 802.1Q vlan#10 P0 192.168.1.101.50051 > 192.168.1.1.443: . ack 65112463 win 65535

  20: 07:43:17.911528 802.1Q vlan#10 P0 192.168.1.101.50051 > 192.168.1.1.443: F 4049108868:4049108868(0) ack 65112463 win 65535

  21: 07:43:17.911573 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50051: . ack 4049108869 win 32768

  22: 07:43:17.911680 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50051: FP 65112463:65112463(0) ack 4049108869 win 32768

  23: 07:43:17.912443 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: S 820839175:820839175(0) win 65535

  24: 07:43:17.912519 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50052: S 633784619:633784619(0) ack 820839176 win 8192

  25: 07:43:17.912550 802.1Q vlan#10 P0 192.168.1.101.50051 > 192.168.1.1.443: . ack 65112464 win 65535

  26: 07:43:17.913542 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: . ack 633784620 win 65535

  27: 07:43:17.913984 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: P 820839176:820839318(142) ack 633784620 win 65535

  28: 07:43:17.914045 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50052: . ack 820839318 win 32768

  29: 07:43:17.914595 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50052: P 633784620:633785180(560) ack 820839318 win 32768

  30: 07:43:17.915602 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: . ack 633785180 win 65535

  31: 07:43:17.917860 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: P 820839318:820839516(198) ack 633785180 win 65535

  32: 07:43:17.917906 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50052: . ack 820839516 win 32768

  33: 07:44:19.913923 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50052: . ack 820839515 win 32768

  34: 07:44:19.914274 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: . ack 633785180 win 65535

34 packets shown
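As an added example (not part of the original thread and not Cisco tooling): a Python script that reads the `show capture` text format posted above, reports for each connection which side closed first, and lists the connections that were open during the second the %ASA-4-402123 message was logged. The function names are made up for this example, and treating the first sender seen on a connection as the client is an assumption that holds for this excerpt.

```python
import re

# Excerpt of the `show capture capin` output posted above (client ports 50050 and 50052).
CAPTURE = """\
   2: 07:43:16.537371 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: S 4130703030:4130703030(0) win 65535
   5: 07:43:16.539660 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: P 4130703031:4130703173(142) ack 2002311586 win 65535
   7: 07:43:16.540285 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50050: P 2002311586:2002312146(560) ack 4130703173 win 32768
   9: 07:43:16.572541 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: F 4130703173:4130703173(0) ack 2002312146 win 65535
  11: 07:43:16.572693 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50050: FP 2002312146:2002312146(0) ack 4130703174 win 32768
  23: 07:43:17.912443 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: S 820839175:820839175(0) win 65535
  27: 07:43:17.913984 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: P 820839176:820839318(142) ack 633784620 win 65535
  29: 07:43:17.914595 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50052: P 633784620:633785180(560) ack 820839318 win 32768
  31: 07:43:17.917860 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: P 820839318:820839516(198) ack 633785180 win 65535
  33: 07:44:19.913923 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50052: . ack 820839515 win 32768
"""
# The syslog line posted above, cut after the first clause. Capture and syslog share the ASA clock.
SYSLOG = "Dec 05 2013 07:43:17 ciscoasa : %ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error"

PKT = re.compile(r"(\d\d):(\d\d):(\d\d)\.(\d+) .*? ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (\S+)(?: \d+:\d+\((\d+)\))?")

def parse(capture):
    """Group packets into flows keyed by (client, server); the first sender seen is the client."""
    flows = {}
    for m in PKT.finditer(capture):
        h, mi, s, us, sip, sport, dip, dport, flags, length = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s) + float("0." + us)
        src, dst = (sip, int(sport)), (dip, int(dport))
        key = (src, dst) if (src, dst) in flows or (dst, src) not in flows else (dst, src)
        f = flows.setdefault(key, {"first": t, "last": t, "gap": 0.0,
                                   "bytes": {"client": 0, "server": 0}, "closer": None})
        side = "client" if src == key[0] else "server"
        f["gap"], f["last"] = max(f["gap"], t - f["last"]), t  # longest silence in the flow
        f["bytes"][side] += int(length or 0)                  # pure ACKs carry no length
        if f["closer"] is None and ("F" in flags or "R" in flags):
            f["closer"] = side                                # first FIN or RST wins
    return flows

def verdict(flow, idle=30.0):
    """client_closed / server_closed, or 'stalled' when nobody closed and a gap exceeds idle seconds."""
    if flow["closer"]:
        return flow["closer"] + "_closed"
    return "stalled" if flow["gap"] > idle else "open"

def flows_at_error(flows, syslog):
    """Client ports of the flows that were open during the second the 402123 message was logged."""
    h, mi, s = map(int, re.search(r"(\d\d):(\d\d):(\d\d) \S+ : %ASA-4-402123", syslog).groups())
    t = h * 3600 + mi * 60 + s
    return [k[0][1] for k, f in flows.items() if int(f["first"]) <= t <= int(f["last"])]
```

On this excerpt the 50050 connection is closed by the client after one record in each direction, while 50052 is never closed and goes silent for about a minute; 50052 is also the connection open when the crypto error was logged.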

That's it.

No config issue.

Possible bugs:

CSCsm77854

CSCsd43563

CSCsj02948

Q.   How can I resolve this error message: %ASA-4-402123:   CRYPTO: The ASA hardware accelerator encountered an error?

A. In order to resolve this issue, try one of these workarounds:

But contacting TAC would be the best.

As I do not work with them anymore I will not be able to access the database for this error.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Have you considered that the ASDM image might be corrupted?  Try downloading a new image of  asdm-714.bin.

If that doesn't work, try downloading an earlier version of ASDM and connect using that.  If that works then you are most likely running into a bug.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

From customer:

Also I have tried power cycling the ASA, using a different asdm image file, the image file "asdm-714.bin"

So it's a bug. I mean we clearly see the problem with the SSL Crypto Hardware Accelerator

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you for all your help diagnosing this, I thought I was going insane.

Julio Carvajal
VIP Alumni

Hello bud,

Any time.

Just remember to rate all of the posts you think have been helpful ;)

Regards


Sent from Cisco Technical Support Android App

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC