Unable to access ASDM

jf1134
Level 1

I am no longer able to access ASDM. I have version 7.33. I have the IP in the Java exception list and the security level is set to medium. If I try to open ASDM from a browser I get a 404 error.

The first message I get is ASDM will start up using Java Web Start. For ASDM 7.3(1) and later, you will be prompted to follow the wizard to create a self-sign certificate.

Then I get an error Unable to launch the application.

I have tried with Java version 7 update 80.

The Java error I get is this.

java.io.FileNotFoundException: https://172.16.10.100/admin/public/cert.jnlp
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)


From the CLI, could you post the output from the following commands:

show run ssl

show crypto ca certificate

--
Please remember to select a correct answer and rate helpful posts

jf1134
Level 1

Alex-ASA# sh run ssl
Alex-ASA#
Alex-ASA# sh crypto ca certif
Alex-ASA# sh crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 6ecc7aa5a7032009b8cebcf4e952d491
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Issuer Name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=(c) 2006 VeriSign\, Inc. - For authorized use only
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
Subject Name:
cn=VeriSign Class 3 Secure Server CA - G3
ou=Terms of use at https://www.verisign.com/rpa (c)10
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
OCSP AIA:
URL: http://ocsp.verisign.com
CRL Distribution Points:
[1] http://crl.verisign.com/pca3-g5.crl
Validity Date:
start date: 19:00:00 EST Feb 7 2010
end date: 18:59:59 EST Feb 7 2020
Associated Trustpoints: _SmartCallHome_ServerCA

Milos_Jovanovic
VIP Alumni

Since you are running a very old version of ASDM (7.3) it could easily be that your OS is blocking SSLv3/TLSv1.0/TLSv1.1, since TLS1.0 and 1.1 are EoL since April 2021 (SSL was EoL even before).

I know that Java introduced EoL of these protocols too since 1.8.0_291.

BR,

Milos

Could you please provide the output of the following as well,

show run http

show run asdm

show asp table socket

Also you are missing the command,

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1


jf1134
Level 1

Alex-ASA# sh run http
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 Outside
http 0.0.0.0 0.0.0.0 Inside
http 0.0.0.0 0.0.0.0 Temp

Alex-ASA# sh run asdm
asdm image disk0:/asdm-7161.bin
asdm history enable

Alex-ASA# show asp table socket

Protocol Socket State Local Address Foreign Address
SSL 00003688 LISTEN 192.168.1.1:443 0.0.0.0:*
SSL 00005648 LISTEN 50.242.252.131:443 0.0.0.0:*
SSL 00006e78 LISTEN 172.16.128.2:443 0.0.0.0:*
SSL 00008778 LISTEN 172.16.10.100:443 0.0.0.0:*
TCP 0000bfe8 LISTEN 172.16.128.2:23 0.0.0.0:*
TCP 0000d428 LISTEN 50.242.252.131:22 0.0.0.0:*
TCP 0000e6d8 LISTEN 172.16.128.2:22 0.0.0.0:*

Did you add the command ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1?


I did.. 

Have you tried generating a new certificate and binding that trustpoint to ssl on the outside interface?


jf1134
Level 1

I have.. I have three ASAs that are all having the same problem. I found a 4th that actually works and am going to use that one to send to my customer, but I still need to get these other ones working somehow.

Your old ASDM is only offering TLS 1.0 in its server hello handshake. Please upgrade to a current ASDM release and it will then support TLS 1.2 and you should be able to connect from your client PCs.
