ASDM no longer launches

mark1mccorkle · ‎07-31-2011

Hi,

ADSM on our ASA was working last week but today I tried to access ASDM as usual and this time it will not launch. I have the ASDM client on my PC and when I run it from there, it says Unable to launch the device manager. When I try to run the java client, it says web page unavailable. I have tried from different PC's with the same results.

This line is in the ASA:

asdm image disk0:/asdm-613.bin

Any help would be appreciated.

Thanks,

Mark

Richard Burts · ‎07-31-2011

Mark

Here are several suggestions which I hope might be helpful:

- have there been configuration changes on the ASA recently? If so what changed on the ASA and is it possible that the config change is impacting ASDM?

- can you access the ASA via console, via SSH, or via telnet? If so can you check the logs on the ASA at the time when you attempted ASDM and see if there are any helpful messages in the logs?

- There is a limit on the number of simultaneous ASDM sessions. Is it possible that other people are running ASDM and there is not capacity for another ASDM session?

- I have seen situations where updating the version of java on the PC has impacted ASDM. Have you recently updated the java software on the PC?

HTH

Rick

HTH

Rick

csaxena · ‎07-31-2011

Hello Mark,

Please refer to this document by one of my collegues. This talks about all the issues related to ASDM access.

https://supportforums.cisco.com/docs/DOC-15016

Hope this helps.

Regards,
Chirag

clooney · ‎07-31-2011

if you can access the cli the following should be set in order to access the asdm.

http server enable

http server 0.0.0.0 0.0.0.0 inside

asdm image disk0:/asdm-615.bin

!

aaa authentication http console LOCAL

!

username cisco password cisco123 priv 15

!

If that's in the it should work. You may also want to enter a "dir" and check that the asdm image is actually loaded on the device.

mark1mccorkle · ‎07-31-2011

I appreciate the replies. I have checked the troubleshooting documents and requirements and it appears that I am good to go. We have made a few changes to add VPN connections since it was working. But everything that is listed that is needed for ASDM to work is still there. The config is below.

Any other ideas?

Thanks,

Mark

ASA Version 8.0(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password mDnUbb1nQkpe6eG9 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 97.0.0.250 tarantella

name 172.31.255.3 MGMT_HOST description Remote Network Management

name 97.0.0.56 axis-camera-1

name 10.99.0.60 axis-camera-2

!

interface GigabitEthernet0/0

nameif CABLE

security-level 0

ip address 95.36.115.66 255.255.255.248

!

interface GigabitEthernet0/1

shutdown

nameif DSL

security-level 0

ip address 64.173.93.28 255.255.255.128

!

interface GigabitEthernet0/2

nameif FIBER

security-level 0

ip address 25.181.205.2 255.255.255.240

!

interface GigabitEthernet0/3

nameif inside

security-level 100

ip address 97.0.0.100 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list 100 extended permit tcp any host 25.181.205.2 eq 3144

access-list 100 extended permit tcp any host 25.181.205.2 eq 8080

access-list 100 extended permit tcp any host 25.181.205.2 eq 100

access-list 100 extended permit icmp any any echo-reply

access-list 100 extended permit tcp any host 25.181.205.2 eq https

access-list 100 extended permit tcp any host 25.181.205.2 eq www

access-list 100 extended permit tcp any host 25.181.205.2 eq 8081

access-list 100 extended permit tcp any host 25.181.205.2 eq 8082

access-list 80 extended permit ip any 192.168.222.0 255.255.255.0

access-list 80 extended permit ip any 172.31.253.0 255.255.254.0

access-list 80 extended permit ip host 97.0.0.50 192.168.223.0 255.255.255.240

access-list 80 extended permit ip any 192.168.222.0 255.255.255.224

access-list GLSVPN extended permit ip 10.1.100.0 255.255.255.0 172.31.253.0 255.255.254.0

access-list GLSVPN extended permit ip 172.17.254.0 255.255.255.0 172.31.253.0 255.255.254.0

access-list DSIVPNUser_splitTunnelAcl standard permit host 97.0.0.50

access-list DSIAdminUsers_splitTunnelAcl standard permit any

pager lines 24

logging enable

logging timestamp

logging buffered informational

logging trap errors

logging asdm informational

mtu CABLE 1500

mtu DSL 1500

mtu FIBER 1500

mtu inside 1500

ip local pool VPNPOOL 192.168.222.1-192.168.222.10

ip local pool AdminPool 192.168.222.11-192.168.222.20

ip local pool TestPool 1.1.1.2-1.1.1.254 mask 255.255.255.0

ip audit name DSI-Attack attack action alarm drop reset

ip audit name DSI-Alarm info action alarm

ip audit interface FIBER DSI-Alarm

ip audit interface FIBER DSI-Attack

ip audit interface inside DSI-Alarm

ip audit interface inside DSI-Attack

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo DSL

icmp permit any echo-reply DSL

icmp permit any unreachable DSL

icmp permit any unreachable FIBER

icmp permit any echo FIBER

icmp permit any echo-reply FIBER

asdm image disk0:/asdm-613.bin

no asdm history enable

arp timeout 14400

global (DSL) 1 interface

global (FIBER) 1 interface

nat (inside) 0 access-list 80

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,FIBER) tcp interface 8080 tarantella 8080 netmask 255.255.255.255

static (inside,FIBER) tcp interface 3144 tarantella 3144 netmask 255.255.255.255

static (inside,FIBER) tcp interface telnet 97.0.0.2 telnet netmask 255.255.255.255

static (inside,FIBER) tcp interface 2222 97.0.0.179 ssh netmask 255.255.255.255

static (inside,FIBER) tcp interface 100 10.18.0.88 100 netmask 255.255.255.255

static (inside,FIBER) tcp interface https 97.0.0.34 https netmask 255.255.255.255

static (inside,FIBER) tcp interface www 97.0.0.34 www netmask 255.255.255.255

static (inside,FIBER) tcp interface 8081 axis-camera-1 www netmask 255.255.255.255

static (inside,FIBER) tcp interface 8082 axis-camera-2 www netmask 255.255.255.255

access-group 100 in interface FIBER

route FIBER 0.0.0.0 0.0.0.0 25.181.205.1 254

route inside 10.0.0.0 255.0.0.0 97.0.0.3 1

route inside 10.2.0.0 255.255.0.0 97.0.0.3 1

route inside 10.3.0.0 255.255.0.0 97.0.0.3 1

route inside 10.4.0.0 255.255.0.0 97.0.0.3 1

route inside 10.8.0.0 255.255.0.0 97.0.0.3 1

route inside 10.12.0.0 255.255.0.0 97.0.0.3 1

route inside 10.31.0.0 255.255.0.0 97.0.0.3 1

route inside 10.41.0.0 255.255.0.0 97.0.0.3 1

route inside 10.99.0.0 255.255.0.0 97.0.0.3 1

route inside 172.17.253.0 255.255.255.0 97.0.0.235 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

url-server (inside) vendor websense host 97.0.0.87 timeout 10 protocol TCP version 4 connections 5

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

http server enable

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 88

type echo protocol ipIcmpEcho 96.36.115.65 interface CABLE

num-packets 3

timeout 1000

frequency 3

sla monitor schedule 88 life forever start-time now

crypto ipsec transform-set TSET esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DCMAP 10 set pfs

crypto dynamic-map DCMAP 10 set transform-set TSET

crypto dynamic-map DCMAP 10 set security-association lifetime seconds 28800

crypto dynamic-map DCMAP 10 set security-association lifetime kilobytes 4608000

crypto dynamic-map inside_dyn_map 20 set pfs

crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map inside_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map inside_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto map CMAP 1 match address GLSVPN

crypto map CMAP 1 set peer 66.129.114.59

crypto map CMAP 1 set transform-set ESP-3DES-MD5

crypto map CMAP 1 set security-association lifetime seconds 28800

crypto map CMAP 1 set security-association lifetime kilobytes 4608000

crypto map CMAP 10 ipsec-isakmp dynamic DCMAP

crypto map CMAP interface FIBER

crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

crypto map inside_map interface inside

crypto isakmp identity address

crypto isakmp enable FIBER

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 1 rtr 88 reachability

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 FIBER

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-policy ASAVPN internal

group-policy ASAVPN attributes

dns-server value 24.217.0.3 63.162.197.99

vpn-tunnel-protocol IPSec svc

default-domain value dsidsi.com

group-policy DSIAdminUsers internal

group-policy DSIAdminUsers attributes

dns-server value 97.0.0.21 97.0.0.22

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DSIAdminUsers_splitTunnelAcl

default-domain value dsi.local

group-policy DSIVPNUser internal

group-policy DSIVPNUser attributes

dns-server value 97.0.0.21 97.0.0.22

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DSIVPNUser_splitTunnelAcl

default-domain value dsi.local

username test password hmQhTUMT1T5Z4KHC encrypted

username test attributes

vpn-group-policy DSIAdminUsers

username akipper password 9PojOPiG2IXFp42B encrypted privilege 0

username akipper attributes

vpn-group-policy ASAVPN

username user1 password 0dldJICVF//EH4X3 encrypted

username user1 attributes

vpn-group-policy DSIVPNUser

username t.reese password JvMrGsialw4hFL/z encrypted privilege 15

username mark password g2vDAdNY1Hx6WOoS encrypted privilege 15

username mark attributes

vpn-group-policy DSIAdminUsers

tunnel-group DefaultRAGroup general-attributes

address-pool (FIBER) VPNPOOL

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool VPNPOOL

tunnel-group ASAVPN type remote-access

tunnel-group ASAVPN general-attributes

address-pool VPNPOOL

default-group-policy ASAVPN

tunnel-group ASAVPN ipsec-attributes

pre-shared-key *

tunnel-group 66.129.114.59 type ipsec-l2l

tunnel-group 66.129.114.59 ipsec-attributes

pre-shared-key *

tunnel-group DSIVPNUser type remote-access

tunnel-group DSIVPNUser general-attributes

address-pool VPNPOOL

default-group-policy DSIVPNUser

tunnel-group DSIVPNUser ipsec-attributes

pre-shared-key *

tunnel-group DSIAdminUsers type remote-access

tunnel-group DSIAdminUsers general-attributes

address-pool (FIBER) AdminPool

default-group-policy DSIAdminUsers

tunnel-group DSIAdminUsers ipsec-attributes

pre-shared-key *

tunnel-group TestUser type remote-access

tunnel-group TestUser general-attributes

address-pool (FIBER) AdminPool

default-group-policy DSIAdminUsers

tunnel-group TestUser ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:dfb0accab0916d7f7f3a886c6c7d1ca2

: end