Solved: Unable to access ASDM on 5505

1urbane50 · ‎02-20-2013

I'm new to the forum/discussions so forgive me if this is already posted. I read through several other posts and have followed the troubleshooting procedures in them, but I still can't access ASDM. I deleted the old ASDM versions and upgraded to ASDM 7.1(1)52 which shows compatible with ASA 8.2(1). I'm on an inside NAT address connected to Eth 0/5, 192.168.1.5/24. I can ping and SSH to the FW but no ASDM. FW is passing traffic and everything else works just fine. Please advise. Thank you.

JEREMY-ASA# show ver

Cisco Adaptive Security Appliance Software Version 8.2(1)

Device Manager Version 7.1(1)52

JEREMY-ASA# show run asdm

asdm image disk0:/asdm-711-52.bin

no asdm history enable

JEREMY-ASA# show run http

http server enable

http 192.168.1.0 255.255.255.0 inside

JEREMY-ASA# show run

: Saved

:

ASA Version 8.2(1)

!

hostname JEREMY-ASA

enable password OMIT encrypted

passwd OMIT encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 134.121.11.153 255.255.248.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

banner exec

OMIT BANNER STATEMENTS

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

same-security-traffic permit intra-interface

access-list outside_access_in extended deny ip any any

pager lines 24

logging enable

logging timestamp

logging asdm-buffer-size 250

logging trap informational

logging asdm informational

logging device-id ipaddress outside

logging host outside OMIT

mtu outside 1500

mtu inside 1500

ip verify reverse-path interface outside

ip audit attack action drop

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-711-52.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 192.168.1.0 255.255.255.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 134.121.15.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

aaa authorization command LOCAL

aaa authorization exec LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.0.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 10

ssh version 2

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server OMIT

ssl encryption des-sha1

webvpn

username OMIT password OMIT encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

!

service-policy global_policy global

prompt hostname context

crashinfo console disable

Cryptochecksum:3c8669ae6960ca4cc206db58ffbf3c21

: end

Marvin Rhoads · ‎02-20-2013

It's most likely the string:

ssl encryption des-sha1

That weak cipher is not compatible with most modern browsers and current releases of Java which ASDM depend on. Try adding a strong cipher, e.g.:

ssl encryption des-sha1 aes256-sha1

Make sure you have 3DES-AES activation first ("show version" or "show activation-key" will confirm that feature license is active).

View solution in original post

Marvin Rhoads · ‎02-20-2013

It's most likely the string:

ssl encryption des-sha1

That weak cipher is not compatible with most modern browsers and current releases of Java which ASDM depend on. Try adding a strong cipher, e.g.:

ssl encryption des-sha1 aes256-sha1

Make sure you have 3DES-AES activation first ("show version" or "show activation-key" will confirm that feature license is active).

1urbane50 · ‎02-21-2013

Thanks for the info. I changed to the stronger encryption you recommended. Now I can see the ASDM login page but its "Unable to Launch The Application". I've read this is a Java vs version problem. I've tried installing different ASDM version, clearing cache, etc but it still won't launch. Any ideas?

JEREMY-ASA(config)# debug http 255

debug http enabled at level 255.

JEREMY-ASA(config)# HTTP: session verified = [0]

HTTP: processing GET URL '/admin/public/asdm.jnlp' from host 192.168.1.5

HTTP: authentication not required

HTTP: sending file: public/asdm.jnlp, length: 1441

1urbane50 · ‎02-21-2013

Fixed. Had to back up to Java 6.

Marvin Rhoads · ‎02-21-2013

Glad you got it working. I've been ignoring Java's nagging me to migrate to 7 because of the many things it breaks, ASDM among them.

Thanks for the rating.