
ASDM/Java issue - still.....

oneirishpollack
Level 1

I am having the famous and much discussed issue of ASDM and Java 7 not being compatible. You launch ASDM and it hangs. To resolve you install the older, archived version of Java 1.5 or 1.6 and it works.

 

My question is - how come Cisco has never seen fit to release a patch or fix to correct this issue? 

 

 

11 Replies

Marvin Rhoads
Hall of Fame

Cisco has updated ASDM and has procedures posted in the release notes and in a dedicated document on how to use it with the more current Java releases.

I am using the current Java 8 Update 11 and using it to manage several customer ASAs running various ASDM releases.

I have Java 8 Update 31 and I have a non self signed cert on the firewall and it still does not work. What am I doing wrong here? The cert is signed by GoDaddy and works great otherwise. 

Double-check that the GoDaddy certificate is bound to the interface you are using for management.

The easiest way is by browsing to the ASA i.e. https://<ASA mgmt address>/admin and then inspect / verify the certificate in your browser.

If that looks OK, then try also adding the ASA as a trusted site in Java's control panel.

Thanks for the reply. It is bound on all 3 interfaces. I have added both http and https sites as trusted sites already. I have tried all combinations of adding the cert to local cert stores, java control panel trusted certs, secure sites, trusted sites. No luck.

I assume you've allowed HTTP management from your client?

What do you see when browsing to the ASA /admin?

Yes. I am managing it from an old server with ASDM at the moment with Java 7 51. However, on that server only webstart works, no client.

Have you drilled down to Java control panel messages and/or looked at a packet capture when you try to connect to see what might be happening at a debug level?

What ASDM version are you using? 

One other thought is to clear your Java cache.

No. I have not drilled down or looked at a packet capture.

ASA Version: 9.3(2)
ASDM Version: 7.3(2)102
Device Type: ASA5512

 

com.sun.deploy.net.FailedDownloadException: Unable to load resource: https://vpn.domain.com/admin/public/asdm.jnlp
at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
 
 
 
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at sun.security.ssl.InputRecord.readFully(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessController.doPrivileged(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doGetRequest(Unknown Source)
at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Can you share "show run ssl" from the ASA cli?

ASA5512# sh run ssl
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher sslv3 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 management

 

You have strong ciphers as per the new 9.3(2) "ssl cipher" commands. So that should be OK for you.

We've covered all the obvious places to look.

I'd drill in further with the Java cache clearing and then trying again while doing a packet capture and/or debugging on the ASA to see what's going on in more detail.
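
Added example (not part of the thread and not Cisco's code): a small Python audit of the "show run ssl" output quoted above, covering the two checks the replies walk through, namely which trust-point is bound to the management interface and which ciphers each protocol scope offers. The function names and the weak-cipher policy are assumptions of this example, and the sample input is the output posted in the thread.

```python
import re

# Sample input: the "show run ssl" output quoted in the thread.
SAMPLE = '''\
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher sslv3 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 management
'''

# Reviewer's policy (an assumption of this example, not Cisco guidance):
# RC4 is prohibited in TLS by RFC 7465, 3DES is a 64-bit-block legacy cipher,
# and SSLv3 is deprecated by RFC 7568.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC3")
WEAK_PROTOCOLS = ("sslv3",)

CIPHER_RE = re.compile(r'^ssl cipher (\S+) custom "([^"]*)"$')
TRUST_RE = re.compile(r'^ssl trust-point (\S+)(?: (\S+))?$')

def parse_ssl_config(text):
    """Return (ciphers per protocol scope, trust-point per interface)."""
    ciphers, trustpoints = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = CIPHER_RE.match(line)
        if m:
            ciphers[m.group(1)] = [c for c in m.group(2).split(":") if c]
            continue
        m = TRUST_RE.match(line)
        if m:
            # No interface name: treated here as the fallback for all interfaces.
            trustpoints[m.group(2) or "*"] = m.group(1)
    return ciphers, trustpoints

def audit(text, mgmt_interface):
    """List findings for the interface ASDM connects to."""
    ciphers, trustpoints = parse_ssl_config(text)
    findings = []
    if mgmt_interface not in trustpoints and "*" not in trustpoints:
        findings.append(f"no trust-point bound to {mgmt_interface}")
    for scope, suite_list in sorted(ciphers.items()):
        if scope in WEAK_PROTOCOLS and suite_list:
            findings.append(f"{scope}: legacy protocol has ciphers configured")
        for c in suite_list:
            if any(mark in c for mark in WEAK_CIPHER_MARKERS):
                findings.append(f"{scope}: weak cipher {c}")
    return findings
```

Calling `audit(SAMPLE, "management")` returns one line per finding; comparing the remaining cipher names against what the client JRE has enabled is a reasonable next step when the handshake is reset as in the trace above.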
