cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7974
Views
16
Helpful
7
Replies

Unable to Access the AIP SSM through ASDM

jimmyc_2
Beginner
Beginner

CISCO Recommendations below:

Unable to Access the AIP SSM through ASDM

Problem:

This error message is seen on the GUI.

Error connecting to sensor. Error Loading Sensor error

Solution:

Check the IPS SSM management interface is up/down, and check its configured IP address, subnet mask and default gateway. This is the interface to access the Cisco Adaptive Security Device Manager (ASDM) Software from the local machine. Try to ping the management interface IP address of IPS SSM from the local machine that you want to access the ASDM. If unable to ping check the ACLs on the sensor

----------------------------------------------------------------------------------------------------------------------------------------------

I tried everything recommended above. I can ping the ASDM host from the FW and from the SSM-10 module. Likewise, I can ping the SSM from the ASDM, and the host machine. I opened the ACLs as wide as possible. I changed IP addresses and masks several times. The management port of the ASA and the SSM, and the PC, are on the same subnet. 

A packet trace from the PC to the SSM shows it being blocked by ACL rule, yet I've opened everything wide.   I've seen this type of issue before, and it was solved by applying Dual static NAT, but I'm not sure how to do that if all the IPs are on the same subnet.

Tried everything, need some high-level help.

1 Accepted Solution

Accepted Solutions

The IDM software that comes with ASDM does not support java 1.7. The ASA portion of ASDM supports 1.7 but launching the IPS applet only works with 1.6. The TAC enginner suggested I use the IME (IPS Manager Express) that is available for free on Cisco's website (http://www.cisco.com/en/US/products/ps9610/tsd_products_support_general_information.html).

I have been playing around with it today and so far it seems to work pretty well.

View solution in original post

7 Replies 7

k-schwartz
Beginner
Beginner

I have a ASA5585-SSP-IPS20 and am having the same problem. Because the ASA does not have a separate route table for the management interface I have to use a default-route on my inside interface. According to this link:

http://www.cisco.com/en/US/docs/security/asa/quick_start/ips/ips_qsg.html I have to configure the management interface of the IPS module in the same VLAN as the inside interface. I have done this and can now

1. Ping the IPS host-ip

2. SSH to the IPS

3. Connect to the IPS through https and download the IDM

However, a wireshark shows that the connection is immediatly terminated by the IPS with FIN. I'm out of ideas and will have to call TAC in the morning.

Thanks for the reply, let me know what is said.

k-schwartz wrote:

...

1. Ping the IPS host-ip

2. SSH to the IPS

3. Connect to the IPS through https and download the IDM

However, a wireshark shows that the connection is immediatly terminated by the IPS with FIN. I'm out of ideas and will have to call TAC in the morning.

I am experiencing the exact same issue with a brand new ASA5515X that I'm setting up.  I am using the management0/0 interface for communicating with both the ASA and the AIP-SSM (software-based on this device).  I've got two separate IP addresses, one for each.  My workstation is directly connected to the same interface.  I can ping both ASA and AIP interface addresses, ssh to them both, and access both of them over HTTPS.  However, when the ASDM applet attempts to communicate, I get a drop.   As k-schwartz said, it doesn't even get to the application layer, the AIP doesn't like something in the SSL negotiation from ASDM.

Comparing a capture from a browser (which does work) it appears that the AIP does not like TLS.  The opening gambit from both browser and ADSM is to request TLS, but the browser includes a couple of extra flags (renegotiation_info and status_request).  The browser reconnects two more times, the last of which is the SSLv3 request which then causes the AIP to send the server cert and continue negotiation.  The AIP just drops the connection from ASDM.

Not sure how to tweak ASDM SSL and or AIP TLS settings.    

I broke open a second new ASA, and have a very similar issue.    ASDM will not connect to the sensor.   Access list is wide open.

The IDM software that comes with ASDM does not support java 1.7. The ASA portion of ASDM supports 1.7 but launching the IPS applet only works with 1.6. The TAC enginner suggested I use the IME (IPS Manager Express) that is available for free on Cisco's website (http://www.cisco.com/en/US/products/ps9610/tsd_products_support_general_information.html).

I have been playing around with it today and so far it seems to work pretty well.

Many, many thanks K.    I'll give it a shot.   jc

I know this thread is about a year old, but just wanted to add that after upgrading the SSM to the latest version (7.1(8)E4), I could connect to it via ASDM just fine.  Java version is 1.7.0_25 and ASDM version is 7.1(4)

IDM Express definitely seems to offer a higher level of monitoring though.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: