06-24-2019 03:37 AM - edited 06-24-2019 03:44 AM
Hello Community!
I'm sure you've heard this a thousand times before, but I've got an issue with an ASA on which ASDM doesn't work. It will not load from either the ASDM launcher or any web browser. I'm attaching some pics to show you the errors. Chrome indicates an SSL version or cipher mismatch. I've altered the logs to show SSL negotiation and attached the logs showing what happens at the time of the HTTPS/SSL connection. The crunch point is the following line in the logs, which I have no idea what it's trying to tell me:
SSL lib error. Function: SSL3_GET_RECORD Reason: wrong version number
Google doesn't tell me much about this. Does anyone know what this means? You can see that both endpoints agree on a cipher to use [AES128-SHA], so I'm not sure what the problem is. I'm stumped. My SSL configuration on the ASA is as follows:
FW01/pri/act/admin# show run all ssl
ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption aes128-sha1
FW01/pri/act/admin#
Any ideas?
06-25-2019 02:38 AM
Hi All,
I've fixed it by entering the following global configuration command:
MY-ASA(config)# ssl server-version any
WARNING: SSLv3 is deprecated. Use of TLSv1 is recommended.
MY-ASA(config)# end
MY-ASA#
ASDM now launches fine from either the web browser or ASDM Launcher.
Hope this helps someone else out there.
06-24-2019 04:52 AM
Hi,
Did you verify that SSL version 3 (including SSL 1.1 and 2) is enabled on the system?
06-24-2019 07:23 AM
How do I verify this Kumar?
07-17-2020 12:33 AM
@m_schmidt1 That command would presumably affect the ASA's web server towards the internet as well, causing it to allow SSLv3 clients. That will be a security problem if you use your ASA for remote access connections.
07-17-2020 01:18 AM
Had the same problem today, after we tightened the TLS settings on the ASA, see bottom.
The currently approved solution in this thread severely reduces the encryption security on your device and should not be used.
The cause of the "Unable to launch device manager" error seems to be that Cisco ships its own version of Java included in the ASDM installer, and this version of Java does not like TLSv1.2 (or the cipher string) one bit.
In addition, the VBScript and batch file which constitutes part of the Windows launcher generates an error on my Win10 64-bit system, because Windows thinks I'm trying to launch a 16 bit application. This is also fixed by changing the "Target" field.
Solution: Change the ASDM launcher for Windows to point to a newer JRE version, and skip the VBScript/batch file, by changing the "Target" field in the ASDM shortcut. I changed it to this, leaving the "Start in" field alone:
"C:\Program Files (x86)\Java\jre1.8.0_261\bin\javaw.exe" -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar com.cisco.launcher.Launcher
Current SSL config:
ipsec-5516/pri/act# show run all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default high
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1 medium
ssl dh-group group24
ssl ecdh-group group20
ssl trust-point cert
ssl certificate-authentication fca-timeout 2
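The three `show run all ssl` dumps in this thread (the original poster's TLS 1.0-only config, the accepted `ssl server-version any` fix, and the TLS 1.2 config above) differ exactly where the security argument is. As an added example, not code from the thread or from Cisco, here is a small Python checker that parses that CLI output and flags the settings the thread argues about: a server minimum below TLS 1.2, `any` (which re-admits SSLv3 for every client, including remote-access VPN users), `low`/`medium`/`all` cipher levels on protocol versions the ASA can still negotiate, and well-known weak suites in a custom list. The sample configs are constructed from the ones quoted in the thread; the `WEAK_SUITE_MARKERS` list and the "high or custom only" policy are this example's own heuristics, not Cisco's.

```python
"""Audit Cisco ASA `show run all ssl` output for weak TLS settings.

Added example for this thread, not Cisco code. It understands both the
pre-9.3 `ssl encryption <suites>` syntax and the newer
`ssl cipher <proto> <level|custom "...">` syntax seen in the posts.
"""
import re

VERSION_RANK = {"sslv3": 0, "tlsv1": 1, "tlsv1.1": 2, "tlsv1.2": 3}
MIN_VERSION = "tlsv1.2"
# Heuristic: substrings that mark a suite as weak (RC4, DES/3DES, NULL, MD5).
WEAK_SUITE_MARKERS = ("RC4", "DES", "NULL", "MD5")

# Constructed samples, copied from the configs quoted in the thread.
OP_CONFIG = """\
FW01/pri/act/admin# show run all ssl
ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption aes128-sha1
FW01/pri/act/admin#
"""

ACCEPTED_ANSWER_CONFIG = """\
ssl server-version any
ssl client-version tlsv1-only
ssl encryption aes128-sha1
"""

HARDENED_CONFIG = """\
ipsec-5516/pri/act# show run all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default high
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384"
ssl cipher dtlsv1 medium
ssl dh-group group24
ssl ecdh-group group20
ssl trust-point cert
ssl certificate-authentication fca-timeout 2
"""


def parse_ssl_config(text):
    """Turn `show run all ssl` lines into a dict; prompt lines are skipped."""
    cfg = {"server_version": None, "client_version": None,
           "legacy_suites": [], "ciphers": {}}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if len(parts) < 3 or parts[0] != "ssl":
            continue
        key, value = parts[1], parts[2]
        if key == "server-version":
            cfg["server_version"] = value.replace("-only", "")
        elif key == "client-version":
            cfg["client_version"] = value.replace("-only", "")
        elif key == "encryption":                      # old syntax: suite list
            cfg["legacy_suites"] = value.split()
        elif key == "cipher":                          # new syntax: level or custom list
            m = re.match(r'(\S+)\s+(?:custom\s+"([^"]*)"|(\w+))\s*$', value)
            if m:
                proto, custom, level = m.groups()
                cfg["ciphers"][proto] = (
                    ("custom", custom.split()) if custom is not None else (level, []))
    return cfg


def _reachable(proto, server_version):
    """TLS versions below the server minimum are never negotiated, so their
    cipher level is harmless; 'default', DTLS, or an 'any' server always count."""
    if proto in VERSION_RANK and server_version in VERSION_RANK:
        return VERSION_RANK[proto] >= VERSION_RANK[server_version]
    return True


def audit(cfg):
    """Return a list of findings; an empty list means nothing flagged."""
    findings = []
    sv = cfg["server_version"]
    if sv is None:
        findings.append("no ssl server-version line found")
    elif sv == "any":
        findings.append("server-version any: SSLv3 and TLS 1.0/1.1 are offered to every client, including remote-access VPN users")
    elif VERSION_RANK.get(sv, -1) < VERSION_RANK[MIN_VERSION]:
        findings.append(f"server-version {sv}: minimum should be {MIN_VERSION}")
    for suite in cfg["legacy_suites"]:
        if any(mark in suite.upper() for mark in WEAK_SUITE_MARKERS):
            findings.append(f"ssl encryption includes weak suite {suite}")
    for proto, (level, suites) in sorted(cfg["ciphers"].items()):
        if not _reachable(proto, sv):
            continue
        if level in ("low", "medium", "all"):
            findings.append(f"ssl cipher {proto} {level}: allows suites weaker than 'high'")
        for suite in suites:
            if any(mark in suite.upper() for mark in WEAK_SUITE_MARKERS):
                findings.append(f"ssl cipher {proto} custom includes weak suite {suite}")
    return findings


def audit_text(text):
    return audit(parse_ssl_config(text))


if __name__ == "__main__":
    for name, text in (("original poster", OP_CONFIG),
                       ("accepted answer", ACCEPTED_ANSWER_CONFIG),
                       ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_text(text) or ["no findings"]:
            print("  -", finding)
```

Run it against a dump pasted from your own ASA (`python audit_asa_ssl.py < dump.txt` after swapping the samples for `sys.stdin.read()`). On the hardened config the only hit is `dtlsv1 medium`, because `ssl server-version` does not gate DTLS; the `tlsv1`/`tlsv1.1 medium` lines are skipped as unreachable once the server minimum is TLS 1.2. If you follow the accepted answer instead, the checker reports the SSLv3 exposure that the two later replies warn about.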