10-09-2013 08:57 PM - edited 03-11-2019 07:49 PM
Not sure what happened, but on two of my Cisco ASAs, (one is a 5515X and the other a 5510) I can no longer connect to them using the ASDM. I have confirmed asdm-713.bin is installed on both and I CAN connect from my Macbook. It is just my Windows 7 workstation that cannot connect. I have rebooted a couple times, but the problem persists. I have the exact same ASDM version running on 5 other 5510s without any problems. I have not made any changes to the firewall so I am confused what happened.
SSH works just fine so I can connect that way still.
Also, I have received reports today of users no longer able to connect using the Cisco AnyConnect client. It was just working yesterday. I RDP'ed to a user's machine and attempted to AnyConnect using my ID on her machine and it stated login was unsuccessful.
I have downgraded my Java version and have re-installed Java again using various versions of Java 6 upgrade 21 to Java 7 upgrade 25 and then finally to Java 7 upgrade 40. I also updated my ASDM version to asdm-714.bin, but am still not having luck.
When I launch the ASDM and
Any ideas?
Thanks in advance.
10-09-2013 09:12 PM
Hello Kerry,
So downgrading the Java version did not do the trick.
You are also experiencing issues connecting via AnyConnect to the ASA.
So my first recommendation is to make sure traffic is reaching the ASA.
Do the following:
cap test interface whatever (here comes the interface that you are trying to connect via ASDM) match tcp host x.x.x.x (source IP address) x.x.x.x (ASA Interface IP address) eq 443
cap asp type asp-drop all circular-buffer
debug http 255 (Make sure you have terminal monitor so you can get the debugs)
Then try to connect once from that host IP address and provide the following outputs
show run http
show cap test
show cap asp | include x.x.x.x (Source client IP address)
The debug outputs
I want to make sure traffic is not getting dropped somewhere else on the path or that the ASA is not
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
10-10-2013 02:01 AM
Hello Kerry,
In Windows 7 the built-in firewall refuses the connection to ASA and AnyConnect. You have to set up rules for these applications under the advanced settings of the firewall. Second problem is related to Java. ASDM is not able to work with Java Version 7. I've had the same issue with Java 7 and only going back to version 6 was helpful. Most of the GUIs on Cisco devices and applications have problems with Java 7. So the best thing is putting these applications in one "virtual" machine running an older Windows version and Java 6 so you can work.
Kind regards
Stefan
10-10-2013 08:17 AM
Okay, here is the weird thing, a reboot of the firewall last night fixed the issue with users being unable to login using the AnyConnect client. So that was resolved. I am guessing it was a simple memory leak. This is the only 5515X firewall in my network. I am running asa911-smp-k8.bin. So the 2nd problem has been resolved.
However, I am still having issues connecting to this firewall using the ASDM but ONLY on my Windows 7 workstation. I can connect just fine using ASDM on my Mac and on my Linux (CentOS 6.4) machines.
I have re-installed Java 7 update 40 (both 32 and 64 bit versions), but to no avail.
I am not going to concern myself too much with this. I can still SSH in from all three platforms, which is most important.
I was more concerned with users being unable to VPN in using AnyConnect.
Thanks all for your help. I will continue to debug the remaining ASDM on Windows 7 issue.
10-10-2013 09:00 PM
For the ASDM on windows 7 issue, check your license and ssl ciphers:
show ver | i 3DES
show run | i ssl
You need the (free) 3DES-AES license installed and ssl ciphers with 3des and/or aes ciphers to be active for the most recent Windows versions with updated browsers to work.
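An added example, not part of the original reply: a small Python checker that reads the output of the two commands above and reports the two conditions the reply names. The sample output is constructed, and the `ssl encryption` line format is assumed to be the one used by ASA 9.1-era software.

```python
import re

# Constructed sample output (not from the thread): license disabled and
# only a DES cipher configured, the combination the reply warns about.
SHOW_VER_3DES = """\
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Disabled       perpetual
"""
SHOW_RUN_SSL = """\
ssl encryption des-sha1
ssl trust-point EXAMPLE_TP outside
"""

STRONG = re.compile(r"3des|aes", re.IGNORECASE)


def license_enabled(show_ver: str) -> bool:
    """True if the 3DES-AES license line from 'show ver | i 3DES' reads Enabled."""
    m = re.search(r"3DES-AES\s*:\s*(\w+)", show_ver)
    return bool(m) and m.group(1).lower() == "enabled"


def configured_ciphers(show_run_ssl: str) -> list:
    """Cipher names from every 'ssl encryption ...' line; other ssl lines are ignored."""
    ciphers = []
    for line in show_run_ssl.splitlines():
        parts = line.split()
        if parts[:2] == ["ssl", "encryption"]:
            ciphers.extend(parts[2:])
    return ciphers


def assess(show_ver: str, show_run_ssl: str) -> list:
    """Return findings; an empty list means both checks from the reply pass."""
    findings = []
    if not license_enabled(show_ver):
        findings.append("3DES-AES license is not enabled")
    ciphers = configured_ciphers(show_run_ssl)
    # No 'ssl encryption' line means the platform default is in use,
    # so only an explicit list without 3des/aes is flagged here.
    if ciphers and not any(STRONG.search(c) for c in ciphers):
        findings.append("no 3des/aes cipher configured: " + " ".join(ciphers))
    return findings


if __name__ == "__main__":
    for finding in assess(SHOW_VER_3DES, SHOW_RUN_SSL):
        print("FINDING:", finding)
```
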