ASDM-IDM Unable to launch device manager

licensing
Level 1

Hi,

I am having trouble trying to log into my IPS 4260 sensor using ASDM-IDM. When I try to log in I get the error message "Unable to launch device manager". When I look in the Java console I see a few of these messages:

"javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake"

I do have access to the sensor over SSH and I have done a tls generate-key. I am also able to access the sensor using IPS Manager Express, just not ASDM-IDM. The ASDM-IDM application I am using does work for my ASA 5525 and 5520s.

Does anyone know why I might be getting this error message?

16 Replies

david-swope
Level 1

Can you get to the sensor via web interface? Try that and launch IDM from there, could be some issues with the local install. I have had similar issues before.

When I try that I get a window that says "Unable to launch the application". After clicking the "Details" button, I get this message:

com.sun.deploy.net.FailedDownloadException: Unable to load resource: https://10.1.1.18/public/idm/idm.jnlp

Time to troubleshoot, can you ping the sensor from your desktop? Do you have console access to it?

Yes I can ping it and I am able to connect to it using IPS Manager Express as noted in the original question. I don't have console access as it's in another location but I can access it over SSH.

I removed Java 7 and installed Java 6 update 45. Now launching ASDM from the webpage works.

Yes, the ASDM-IDM application does not support Java 7.

Solved.

That's a Java issue. I'm running Mac 10.9.5.

IPS 7.1 recommends Java JRE 1.5 or 1.6:

http://www.cisco.com/c/en/us/td/docs/security/ips/7-1/release/notes/release7_1_10.html

However, downgrading from Java 8 to Java 6 to get an application to work, I had no luck.

You must ensure that your JRE is truly 1.5 or 1.6.

This works for downgrading 8 to 6:

https://support.apple.com/en-us/HT202643

veramasu
Cisco Employee

Can you post your show version output?

Also the sh run ssl output.

Brian Green
Level 1

I had the same issue and was able to resolve this by doing the following:

First of all, add the site to the Exception Site List:

From the Java Control Panel, click Security, click Edit Site List, and add your device https://x.x.x.x

Next, adjust your SSL settings: 

From Java Control Panel Click Advanced-> scroll to "Advanced Security Settings"-> Uncheck "Use TLS1.1", "Use TLS1.2" (if they are checked) and check "Use SSL2.0 compatible ClientHello Format" as well as "Use SSL 3.0" and "Use TLS1.0".

 

Hope you had the same luck with this solution that I did.

 

I had to do what Brian did, and some more.

 

First I did Brian Green's steps of changing the SSL/TLS versions.

From Java Control Panel Click Advanced-> scroll to "Advanced Security Settings"-> Uncheck "Use TLS1.1", "Use TLS1.2" (if they are checked) and check "Use SSL2.0 compatible ClientHello Format" as well as "Use SSL 3.0" and "Use TLS1.0"

Then, I also had to import the certificate files a very specific way. Fortunately, getting into the Java options from Brian's hint opened up Pandora's box here, plus a little Wireshark debugging made me certain that MY PC did NOT LIKE the certificate.

Here's what I did (all steps after 1-3 from Java Control Panel)

  1. Go to the https page for the ASA in your browser
  2. Click the Lock Icon in the Address Bar, and go thru the usual to export the certificate.
  3. Change the .pem or .crt extension to .csr
  4. Just as a precaution, from Java Settings Panel's Security tab > Network Settings do not use any https proxies, use 'Direct connection'
  5. Now go to the Security tab
  6. add your ASA's https:// URL to the 'Exceptions' Sites list
  7. Click the 'Manage Certificates' button
  8. THIS IS KEY >>> Pull the drop-down 'Certificate Type' menu down and select 'Secure Site'
  9. Remain on the 'User' tab and click 'Import'
  10. Now import the .csr certificate file that the ASA will present in the handshake that you saved in steps 1-3
  11. Click Apply and OK in the Java Security Setting
  12. Now try the ASA.... ;)

By the way, the default 'High' security level worked just fine for me.

************** Tristan Manduley Cisco TAC

Thanks a million Bernard. Following through this procedure finally resolved both ASDM and SSH access to my ASA after I installed version 9.2(2)4 and they both went in-op.

Hello all,

This solution didn't work for me either. I had JRE 1.8.0.25; I think it was the latest version at that moment.

Then I installed 1.7.0.71, and here is what I did next:

1. Added my host URL to the exceptions list

2. Unchecked "Use TLS1.2"

3. Checked "Use SSL2.0 compatible ClientHello Format"

You can find screenshots of my settings in the attachment (sorry for the ugly lines).

That's all.

P.S. It wasn't ASA ASDM, it was UCS CIMC, but I think it's all the same Java.

I looked at your screenshot.  Try unchecking the use TLS 1.1 and see if that works. 

I'm sorry for misleading. I meant that with Java 1.8.0.2 it didn't work.

But it did indeed work when I did what I said (and what is shown in the screenshot), even though the "TLS1.1" option was checked.

Ruslan
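
The Java Control Panel checkboxes discussed in this thread ("Use SSL2.0 compatible ClientHello Format", "Use TLS1.0/1.1/1.2") change the first bytes the client puts on the wire, which is what a packet capture of the failing handshake shows. The following is an added example, not part of any post in the thread: a small Python classifier for the first message of a captured connection. The function and helper names are hypothetical, the sample bytes are constructed, and only two alert codes are mapped.

```python
import struct

VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}  # subset of TLS alert codes

def classify_first_bytes(data: bytes) -> dict:
    """Classify the first message seen in one direction of a TLS/SSL capture."""
    if len(data) < 5:
        return {"kind": "truncated"}
    # SSLv2-compatible ClientHello: 2-byte header with the high bit set,
    # msg_type 1 (CLIENT-HELLO), then the highest version the client offers.
    if data[0] & 0x80 and data[2] == 1:
        return {"kind": "sslv2_compatible_client_hello",
                "offered": VERSIONS.get((data[3], data[4]), "unknown")}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if ctype == 0x16 and len(body) >= 6 and body[0] == 1:
        # Handshake record: msg_type(1) + length(3) + client_version(2)
        return {"kind": "tls_client_hello",
                "record_version": VERSIONS.get((major, minor), "unknown"),
                "offered": VERSIONS.get((body[4], body[5]), "unknown")}
    if ctype == 0x15 and len(body) >= 2:
        # Alert record: level (2 = fatal) + description
        return {"kind": "alert", "fatal": body[0] == 2,
                "description": ALERTS.get(body[1], str(body[1]))}
    return {"kind": "other"}

def sample_v2_hello(major: int, minor: int) -> bytes:
    """Constructed SSLv2-format ClientHello offering the given version."""
    body = (bytes([1, major, minor]) + struct.pack("!HHH", 3, 0, 32)
            + b"\x00\x00\x2f" + bytes(32))  # one cipher spec, 32-byte challenge
    return struct.pack("!H", 0x8000 | len(body)) + body

def sample_tls_hello(major: int, minor: int) -> bytes:
    """Constructed TLS-record ClientHello offering the given version."""
    hello = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"  # constructed: fatal protocol_version

if __name__ == "__main__":
    for name, raw in [("v2-format hello", sample_v2_hello(3, 1)),
                      ("TLS 1.2 hello", sample_tls_hello(3, 3)),
                      ("server alert", SAMPLE_ALERT)]:
        print(name, classify_first_bytes(raw))
```

Feed it the first TCP payload bytes from each direction of the capture; a server that closes the connection without sending any record at all produces no bytes to classify, which matches the "Remote host closed connection during handshake" exception.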
