Solved: Re: ASDM unable to login for v7.18(1)152

TRENT WAITE · ‎07-10-2024

Brand new ASA, I had connected via ASDM. No updates to the ASA, though not aware of anything on the client side changing either. ASA is v9.18(2) with ASDM v7.18(1)152. On one desktop I had tried various versions of Java from 1.8 202 to now 1.8 411 and OpenJDK as well. On 2 machines I am able to connect to various ASAs from 5506s to FPR1010s without issue.

Behavior is I get immediately a prompt to retype my username and password. Same username and password that will allow me to connect to the ASA through a web browser (i.e. /gadmin/exec/sh run). On the ASA I get nothing helpful in logs:

%ASA-6-302013: Built inbound TCP connection 213 for outside:192.168.101.20/50533 (192.168.101.20/50533) to identity:192.168.100.106/443 (192.168.100.106/443)
%ASA-6-725001: Starting SSL handshake with client outside:192.168.101.20/50533 to 192.168.100.106/443 for TLS session
%ASA-6-725003: SSL client outside:192.168.101.20/50533 to 192.168.100.106/443 request to resume previous session
%ASA-6-725002: Device completed SSL handshake with client outside:192.168.101.20/50533 to 192.168.100.106/443 for TLSv1.2 session
%ASA-6-113012: AAA user authentication Successful : local database : user = sam
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = sam
%ASA-6-113008: AAA transaction status ACCEPT : user = sam
%ASA-6-605005: Login permitted from 192.168.101.20/50533 to outside:192.168.100.106/https for user "sam"
%ASA-6-611101: User authentication succeeded: IP address: 192.168.101.20, Uname: sam

On the client end the Java console does not print anything at all. Without any errors either on ASA side or client side I do not know where to look. Hoping someone has had similar issue. Again, I am connecting just fine to other ASA's that have older versions of ASDM, so my thought is something has changed or there is a bug with this version maybe

MHM Cisco World · ‎07-11-2024

Change webvpn port from 443 to other port like 8443 then no need to disable it to make asdm work.

By the way your other post about l2tp over ipsec you try my suggestion?

MHM

View solution in original post

MHM Cisco World · ‎07-10-2024

You run anyconnect in outside interface?

If yes then try add

/admin

In end of url when ypu try access to asa

MHM

TRENT WAITE · ‎07-11-2024

ASDM only accepts the IP address, no URL format for sub folders accepted. Besides, when I do connect to just the IP address I see in the Java console log:

Trying for ASDM Version file; url = https://192.168.100.106/admin/

So the "admin" is already being added by the ASDM launcher. If I do remove "webvpn" this does work. Odd, because I have webvpn on a few others without this problem. This is the first time in years I have encountered an issue with ASDM like this. The last was on Windows machine where I had to accept the cookie (i.e. open the ASA URL in Internet Explorer before opening in ASDM).

MHM Cisco World · ‎07-11-2024

Change webvpn port from 443 to other port like 8443 then no need to disable it to make asdm work.

By the way your other post about l2tp over ipsec you try my suggestion?

MHM

Marvin Rhoads · ‎07-11-2024

I recently had a similar issue with one customer ASA that was updated after working for many years. I found that clearing my Java cache from within the Java control panel of my client PC got things back in working order.

TRENT WAITE · ‎07-11-2024

I did have a java cache issue a few years ago, that was easily resolved and figured when I connected from a different PC. This time it did turn out to be 'webvpn' configuration was in place. This has to be something new where it would conflict with ASDM as I would have many from 5505s to 5506s to FPR1010s that had webvpn & ASDM accessible. For this situation there was no need for webvpn, so once that was removed the ASDM immediately worked. It would have been nice had I seen something in the logs to indicate the conflict or error.