Solved: Re: Cannot Open ASDM

dancumming · ‎03-21-2011

Good afternoon,

We are running a Cisco ASA 5510 in our district. We have been using it for about a year and a half after an upgrade from our PIX. I have been using the CLI to manage it but I wanted to start using the ASDM. I installed the ASDM Launcher last Friday but could not access it. I have enable the http server on the ASA, assigned an IP to the interface, and granted my machine's IP inside access. On Friday I was unable to launch the ASDM. I then downgraded Java. I came in this morning and was able to connect through the launcher. However I could not make any changes as it would give me an error message and often popped up with "lost connection" type messages. I then closed the ASDM but could not reconnect after that. When I try to connect through the launcher I receive the message "Unable to launch ASDM from 172.16.5.1: Connection reset". When I try https://172.16.5.1/admin/ from a browser I simply receive "page cannot be displayed". I'm not sure why I can't connect. Any help would be appreciated. Thank you!

Java Version 1.5.0 (build 1.5.0_14-b03)

Cisco ASDM Launcher v1.5(20)

Bordentown-PIX# show version

Cisco Adaptive Security Appliance Software Version 7.0(8)
Device Manager Version 5.0(8)

Compiled on Sat 31-May-08 23:48 by builders
System image file is "disk0:/asa708-k8.bin"
Config file at boot was "startup-config"

Bordentown-PIX up 1 year 209 days

Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode   : ☻CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: ♥CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : ☺CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0         : address is 0021.a0af.d9e2, irq 9
1: Ext: Ethernet0/1         : address is 0021.a0af.d9e3, irq 9
2: Ext: Ethernet0/2         : address is 0021.a0af.d9e4, irq 9
3: Ext: Ethernet0/3         : address is 0021.a0af.d9e5, irq 9
4: Ext: Management0/0       : address is 0021.a0af.d9e6, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : 150

This platform has an ASA 5510 Security Plus license.

Serial Number: JMX1305L2YF
Running Activation Key: 0xa83ec371 0xbc981d82 0x18c1251c 0xabb850fc 0x80023795
Configuration register is 0x1
Configuration last modified by enable_15 at 08:44:08.343 UTC Mon Mar 21 2011
Bordentown-PIX# dir

Directory of disk0:/

5      -rw- 5548032     00:06:12 Jan 01 2003 asa708-k8.bin
683    drw- 0           07:54:54 Jan 31 2009 crypto_archive
685    -rw- 6163744     07:57:46 Jan 31 2009 asdm-508.bin

255426560 bytes total (243621888 bytes free)
Bordentown-PIX# sh asdm image
Device Manager image file, disk0:/asdm-508.bin

Dan

Shrikant Sundaresh · ‎03-22-2011

Hi Dan,

When the page does not display anything at all, this means that the PIX is not listening on port 443 on the interface.

To my knowledge, the "show asp table socket" command, is not available in v 7.0(8), and thus I think we would not be able to see if this is true or not.

So lets try to make it listen on one of the other ports.

Do "show run http" and remove every line that comes up. (no http server enable, and no http xx yy inside for all)

Now enter the following 2 lines:

http server enable 4443 (some other port, if this is being used for something else)

http 0 0 inside (for now everything on inside can try accessing)

Now please try accessing the device from your browser: https://172.16.5.1:4443/admin and see if the site opens.

View solution in original post

PAUL GILBERT ARIAS · ‎03-21-2011

have you tried from another PC or laptop? This really seems to be a java problem.

dancumming · ‎03-21-2011

Tried updating my Java version and a different computer. Same result. Using the ASDM launcher I get the following error on the first attempt. The attempts after that I recieve the connection reset error.

Unable to launch ASDM from 172.16.5.1:

Connection reset by peer: socket write error

tj.mitchell · ‎03-21-2011

Not sure that I understand what you are saying by "I assigned an IP address to the interface". Wouldnt that be already there because you have been using the device for awhile? What is the name you gave to that interface? You should already have an inside correct?

Also you don't need to put the "/admin" at the end of the URL. Only if you enabled SSL termination on the inside interface would you need that.

Sent from Cisco Technical Support iPhone App

PAUL GILBERT ARIAS · ‎03-21-2011

what is the IP of the ASA that you are trying to connect? Can you share the show run http?

dancumming · ‎03-21-2011

The IP is 172.16.5.1

Bordentown-PIX# show run http
http server enable
http 172.16.0.0 255.255.255.255 inside
http 172.16.1.41 255.255.255.255 inside
http 172.16.1.200 255.255.255.255 inside
http 172.16.1.11 255.255.255.255 inside
http 172.16.1.53 255.255.255.255 inside
http 172.16.4.183 255.255.255.255 inside
http 172.16.1.226 255.255.255.255 inside

dancumming · ‎03-21-2011

You are correct, the interface already had an address. Sorry, my wording was a little confusing. The interface is ethernet0/1 and it is inside. I was using /admin as I saw it on another post but I have tried it without. It still gives me a "Internet Explorer cannot display the webpage" error.

tj.mitchell · ‎03-21-2011

Did you do http or https? Http will not work unless you have port redirection configured. Must use https://

Try that..

Sent from Cisco Technical Support iPhone App

dancumming · ‎03-21-2011

Yes, I have been using https. I have tried both of the following

https://172.16.5.1

https://172.16.5.1/admin/

tj.mitchell · ‎03-21-2011

What host IP address are you coming from? In the list the top one shows a host mask for the 172.16.0.0 network and the rest are host addresses.

Did you mean to put a 172.16.0.0 255.255.0.0 inside for that line?

Sent from Cisco Technical Support iPhone App

dancumming · ‎03-21-2011

The host I am coming in from is 172.16.4.183. Do I need to change that entry?

PAUL GILBERT ARIAS · ‎03-21-2011

your IP is already allowed. have you tried rebooting the ASA?

tj.mitchell · ‎03-21-2011

Try the reboot.. Sometimes in the older code, ASDM does not take effect untill there is a reboot of the device. Just something I have run into..

dancumming · ‎03-21-2011

Just tried the reboot, no luck.

tj.mitchell · ‎03-21-2011

Pls post the configuration and the dir outputs..