
ASDM 7.20.x and 7.23.1 Unusable After ~30 minutes

rommonster
Level 1

When accessing a Firepower 4225 running ASA from a Windows 11 (Enterprise) workstation, after approx 20-30 minutes the window starts to lag. It eventually becomes unusable because of how laggy it is (ultimately forcing a close through task manager because the window becomes completely unresponsive and won't even resize properly).

CPU usage gradually grows until exceeding 10% (CPU: Intel Core i5 13500K)

System memory is more than sufficient (32GB total)

I am allocating additional memory (2GB total) to Java via the run.bat launcher for ASDM to accommodate larger configs.

Tried running ASDM 7.20.x (multiple) and 7.23.1 

ASA versions 9.20.3.x and 9.22.2.13

Using Java SE Version 8 Update 461 (updated from a previous version with the same issue)

This same workstation is used to access ASAs running many other different versions of ASA firmware with different versions of ASDM (ASA 9.6 all the way to 9.18 and 9.20 on other newer devices, ASDM 7.13.x through 7.20.x) including native ASA platforms and Firepower 1000, 2000, and 3000 series. NONE of the other ASDM instances have this issue when running from the same workstation, simultaneously. This issue appears to be specific to these versions on this platform (ASDM 7.20.x+ and Firepower 4225 9.20.x+).

Looking to see if anyone else is experiencing this and if there is a known solution (have not been able to find anything else in searches to this point).

 

Accepted Solution

rommonster
Level 1

So I'm posting to follow up on this issue in case anyone else runs into it on Windows 11 and the newer Firepower ASA platforms w/ ASDM since I was able to resolve it.

After a ton of troubleshooting trying to identify the cause of the issue on the "compatible" version of ASDM w/ Java 8, when managing a pair of Firepower 4225 ASAs, the solution for this was moving to version 7.24.x of ASDM and version 7.22+ of ASA code. This also required the use of Java version 11 with the newest ASDM launcher version 1.9(10), which requires Java 11.


Process for this was as follows:

    1. Uninstall any ASDM version currently installed
    2. Clean up any remaining files in the ASDM folder (default: c:\Program Files (x86)\Cisco Systems\ASDM) such as custom run.bat files, etc. and manually remove the folder if necessary.
    3. Uninstall all versions of Java currently installed
    4. Download the latest version of Java 11 Development Kit (requires an Oracle account)
      https://www.oracle.com/java/technologies/downloads/#java11-windows
      *Note that unlike previous versions of ASDM, 7.24 requires JDK (Java SE Development Kit) not JRE (Java SE Runtime Environment)
    5. Install Java 11 Development Kit as administrator
    6. Make sure your environment variables were set correctly:
      [Screenshot of the environment variable settings]
    7. Copy the .bin file for ASDM version 7.24+ onto your Firepower ASA and set your ASDM image in the config
      asdm image disk0:/asdm-7241.bin
    8. Browse to the admin page for the ASA (https://ipaddress/admin), bypass the certificate error in your browser if necessary, and click the "Install ASDM Launcher" button to download the "dm-launcher.msi" installation for the ASDM launcher version 1.9(10)+.
    9. Install ASDM using the "dm-launcher.msi" file
    10. Optional: Edit the new run.bat file if you require custom allocation of memory to java for ASDM
      *Note: the format of the run.bat file has changed in the new launcher, which has FIPS/certificate options built in now, so you can't just replace the run.bat with your old version like in previous cases.

We have been running with this setup for several weeks now without issue. ASDM operates as expected on the new version with no lagging or other issues identified.

Note that, even though it uses Java 11, the new launcher supports all previous versions of ASDM that use Java 8. So we are still able to access other ASA systems running previous versions of ASDM thanks to this backwards compatibility.
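
A quick way to check steps 2 through 6 before installing the new launcher, as an added PowerShell example that is not part of the original post. It assumes the variable in question is JAVA_HOME set at machine level (the post's screenshot is not available) and uses the default ASDM path from step 2; `Get-JavaMajor` is a helper name made up for this example.

```powershell
# Added example (not from the original post): checks for steps 2-6.
$asdmDir = 'C:\Program Files (x86)\Cisco Systems\ASDM'   # default path from step 2

# Step 2: list leftovers (custom run.bat etc.) from the previous install.
if (Test-Path -LiteralPath $asdmDir) {
    Get-ChildItem -LiteralPath $asdmDir -Recurse -File | Select-Object FullName, LastWriteTime
} else {
    "OK: $asdmDir is gone"
}

# Hypothetical helper: major version of a given java.exe (8 for "1.8.0_x", 11 for "11.0.x").
function Get-JavaMajor([string]$exe) {
    # 'java -version' writes its banner to stderr, so merge stderr into the pipeline.
    $banner = & $exe -version 2>&1 | ForEach-Object { "$_" } | Select-Object -First 1
    if ($banner -match 'version "(\d+)(?:\.(\d+))?') {
        $major = [int]$Matches[1]
        if ($major -eq 1) { $major = [int]$Matches[2] }   # legacy 1.x numbering
        return $major
    }
    return $null
}

# Steps 3 and 5: every java.exe reachable through PATH; an old Java 8 still
# listed here means the uninstall in step 3 was incomplete.
$found = @(Get-Command java.exe -All -CommandType Application -ErrorAction SilentlyContinue)
if (-not $found) { 'No java.exe on PATH' }
foreach ($j in $found) {
    [pscustomobject]@{ Path = $j.Path; Major = Get-JavaMajor $j.Path }
}

# Steps 4 and 6: JAVA_HOME (assumed variable) should point at a JDK.
# A JDK ships bin\javac.exe; a JRE does not.
$javaHome = [Environment]::GetEnvironmentVariable('JAVA_HOME', 'Machine')
if (-not $javaHome) {
    'JAVA_HOME is not set at machine level'
} elseif (-not (Test-Path -LiteralPath (Join-Path $javaHome 'bin\javac.exe'))) {
    "JAVA_HOME=$javaHome has no bin\javac.exe (looks like a JRE, not a JDK)"
} else {
    $m = Get-JavaMajor (Join-Path $javaHome 'bin\java.exe')
    "JAVA_HOME=$javaHome is a JDK, major version $m" + $(if ($m -ne 11) { ' (expected 11)' })
}
```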

15 Replies

balaji.bandi
Hall of Fame

I had the same issue some time back. I set up another jump box to test, and the post below helped me to use a different JRE; then it was much better. Maybe test it.

https://community.cisco.com/t5/security-knowledge-base/asdm-cannot-load-configuration-windows-11-asdm-7-20-2-asa-9-16-4/ta-p/5140017

I would also advise reading the release notes:

https://www.cisco.com/c/en/us/td/docs/security/asdm/7_20/release/notes/rn720.html

BB

=====Preenayamo Vasudevam=====


Have you considered running FTD on these instead of ASA software?

No because they need to run ASA. They are not intended for a FTD deployment. 

I posted asking for help/info to fix this ASDM problem. Removing ASA and running FTD isn't a solution.

Cool down friend 

@ahollifield suggested a solution; you can use it or not.

Did you check compatibility?

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

MHM

It's not a solution to completely change the software to FTD from ASA to "fix" ASDM... I am trying to resolve an issue with ASDM. The ASA code works just fine.

Is ASDM used by FTD? No, of course not. So changing to FTD is a non-solution. The post isn't "ASDM doesn't work right so can I change to FTD?" lol

No but as @ahollifield it New Generation of FW

Anyway 

Your ASA is 9.20, so you cannot use an ASDM version higher than 7.20.

Same for 9.22: you cannot use an ASDM version higher than 7.22.

Please check the compatibility link I shared again.

MHM

As I stated in my original post:


Tried running ASDM 7.20.x (multiple) and 7.23.1

ASA versions 9.20.3.x and 9.22.2.13


Had the same issue across multiple versions, both compatible and not compatible on the matrix. I realize 7.23.1 is not listed as compatible with 9.22.x but it was worth seeing if it worked or had the same issue. They all have the same issue.

As I also said previously this does not happen on any other ASA/Firepower with any other versions. It's just these 4225's with 7.20.x or higher ASDM. I generally keep ASDM open to multiple firewalls at once without any problems. This is the first time encountering this issue and it's on new 4225's with the latest ASDM. Last time I saw this kind of behavior in ASDM was back right after PIX stopped being a thing lol

C:\Users\<YourUsername>\.asdm\asdm.log

Or 

C:\Users\<YourUsername>\AppData\Roaming\Cisco\ASDM\asdm.log

Check if there are any useful logs in these files.

Please share the last log you see.

MHM

File doesn't exist in either location you listed.

There is a log folder @ C:\Users\Username\.asdm\log that contains log files with the format "asdm-idm-log-2025-09-03-13-58-47.txt"

All the logs appear identical for the 4225 ASA and don't contain much. Last section is:

Env.isAsdmInHeadlessMode()-------------->false
fw.isFXOSModeAvailable() :-------------- false
Env.isApplianceMode() :-------------- true
Poller Stop Requested:------------------------- false
SSHParser ssh key-exchange dh-group invalid value dh-group14-sha256
IO Exception occurs while reading the dap file. java.io.FileNotFoundException: https://IPaddress/admin/flash/dap.xml
No CSD version
LifeTime value : -1 HTTP Enable Status : null
Env.isAsdmInHeadlessMode()-------------->false
Poller Stop Requested:------------------------- false
SSHParser ssh key-exchange dh-group invalid value dh-group14-sha256
IO Exception occurs while reading the dap file. java.io.FileNotFoundException: https://IPaddress/admin/flash/dap.xml
com.jidesoft.plaf.LookAndFeelFactory not loaded

 

Try to connect again and check this log,

whether the log shows the same lines or not.

MHM

These logs are all basically identical no matter what device I connect to or what version of ASDM/ASA is running on them. I don't think these are the logs you're trying to have me look at? There is no general "asdm.log" file in either of the 2 locations you mentioned.

Just for fun I left ASDM logged in and open on several other ASA instances, including a 1010 running 9.20.x and ASDM 7.23.1 and there is no lag after almost 24 hours of being open. Again this only seems to be an issue on these 4225's for whatever reason.

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/116403-configure-asdm-00.html

This link is for troubleshooting ASDM.

Interesting points in the link:

1- Launch ASDM from the web directly

2- Clear the ASDM cache

3- Use Java debug

MHM

 

Why must they run ASA? What features are missing for you? Also it’s totally a solution since FTD is modern and web based management platform. Doesn’t rely on ancient Java applet.

ASA is a tried and true platform without anywhere near as many bugs and caveats. FTD is not required for us to do what we need to do on these devices that are having issues. We have separate boxes for more modern functions like DPI and threat analysis which run FTD. The web interface of FTD is cumbersome to use, even in the much better 7.x releases, when doing general firewall stuff (NATs, ACLs, IPSec, SSL VPN, etc). 

Not looking to change to FTD, just want a solution to fix ASDM so it works like literally every other instance of ASA and ASDM we use.
