08-05-2014 05:56 AM - edited 03-11-2019 09:34 PM
I am having the famous and much discussed issue of ASDM and Java 7 not being compatible. You launch ASDM and it hangs. To resolve you install the older, archived version of Java 1.5 or 1.6 and it works.
My question is - how come Cisco has never seen fit to release a patch or fix to correct this issue?
08-05-2014 11:49 AM
Cisco has updated ASDM and has procedures posted in the release notes and in a dedicated document on how to use it with the more current Java releases.
I am using the current Java 8 Update 11 and using it to manage several customer ASAs running various ASDM releases.
02-12-2015 08:41 AM
I have Java 8 Update 31 and I have a non self signed cert on the firewall and it still does not work. What am I doing wrong here? The cert is signed by GoDaddy and works great otherwise.
02-12-2015 10:13 AM
Doublecheck that the GoDaddy certificate is bound to the interface you are using for management.
The easiest way is by browsing to the ASA i.e. https://<ASA mgmt address>/admin and then inspect / verify the certificate in your browser.
If that looks OK, then try also adding the ASA as a trusted site in Java's control panel.
02-12-2015 10:16 AM
Thanks for the reply. It is bound on all 3 interfaces. I have added both http and https sites as trusted sites already. I have tried all combinations of adding the cert to local cert stores, java control panel trusted certs, secure sites, trusted sites. No luck.
02-12-2015 10:30 AM
I assume you've allowed HTTP management from your client?
What do you see when browsing to the ASA /admin?
02-12-2015 10:32 AM
Yes. I am managing it from an old server with ASDM at the moment with Java 7 51. However on that server only webstart works no client.
02-12-2015 10:47 AM
Have you drilled down to Java control panel messages and/or looked at a Packet Capture when you try to connect to see what might be happening at a debug level?
What ASDM version are you using?
One other thought is to clear your Java cache.
02-12-2015 10:58 AM
No. I have not drilled down or looked at a packet capture.
ASA Version: 9.3(2)
ASDM Version: 7.3(2)102
Device Type: ASA5512
02-12-2015 11:46 AM
Can you share "show run ssl" from the ASA cli?
02-12-2015 12:07 PM
ASA5512# sh run ssl
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher sslv3 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 management
02-12-2015 12:28 PM
You have strong ciphers as per the new 9.3(2) "ssl cipher" commands. So that should be OK for you.
We've covered all the obvious places to look.
I'd drill in further with the Java cache clearing and then trying again while doing a packet capture and/or debugging on the ASA to see what's going on in more detail.
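Added example, not part of any post in this thread and not Cisco code: a small Python check over the "show run ssl" output quoted above that confirms a trust-point is bound to the interface used for management and lists which suites in each cipher list are RC4 or DES/3DES based. The list of prefixes treated as legacy and the function names are assumptions of this example.

```python
import re

# Constructed sample: the "show run ssl" output quoted in the thread above.
SHOW_RUN_SSL = '''\
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher sslv3 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 management
'''

# Assumption of this example: suites with these name prefixes are reported as legacy.
LEGACY_PREFIXES = ("RC4-", "DES-CBC3-", "DES-CBC-", "NULL-")

CIPHER_RE = re.compile(r'^ssl cipher (\S+) custom "([^"]*)"$')
TRUSTPOINT_RE = re.compile(r'^ssl trust-point (\S+)(?: (\S+))?$')

def parse_show_run_ssl(text):
    """Return ({protocol: [suites]}, {interface: trust-point name})."""
    ciphers, trustpoints = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = CIPHER_RE.match(line)
        if m:
            ciphers[m.group(1)] = [s for s in m.group(2).split(":") if s]
            continue
        m = TRUSTPOINT_RE.match(line)
        if m:  # a trust-point line with no interface is stored under "<all>"
            trustpoints[m.group(2) or "<all>"] = m.group(1)
    return ciphers, trustpoints

def review(text, mgmt_interface):
    """Return (trust-point bound to mgmt_interface or None, list of findings)."""
    ciphers, trustpoints = parse_show_run_ssl(text)
    findings = []
    bound = trustpoints.get(mgmt_interface) or trustpoints.get("<all>")
    if not bound:
        findings.append(f"no trust-point bound to interface {mgmt_interface!r}")
    for proto, suites in sorted(ciphers.items()):
        legacy = [s for s in suites if s.startswith(LEGACY_PREFIXES)]
        if legacy:
            findings.append(f"{proto}: legacy suites offered: {', '.join(legacy)}")
    return bound, findings

if __name__ == "__main__":
    bound, findings = review(SHOW_RUN_SSL, "management")
    print("trust-point on management:", bound)
    for finding in findings:
        print(" -", finding)
```

The check only reads the pasted configuration; it does not contact the ASA or establish why ASDM fails to launch.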