Shrikant Sundaresh
Cisco Employee

     

    INTRODUCTION

     

    This document provides the basic configuration and troubleshooting steps for Cisco ASDM access.

     

    Cisco ASDM provides an intuitive graphical user interface that makes it easy to set up, configure and manage your Cisco security appliances.

     

    Cisco ASDM can run as a local application or as a Java Web Start application.

     

    The following sections will provide an overview of the common issues faced in accessing Cisco ASDM.

     

     

     

    BASIC CONFIGURATION

     

    !-- Enable listening on port 443 --!

    http server enable

     

    !-- Define what subnets on what interface are allowed to access the ASDM--!

    http <ip subnet> <subnet mask> <interface>

     

    !-- Specify an ASDM image in case of multiple images on the Flash --!

    asdm image <path>

     

     

     

    Example:

     

    http server enable

    http 192.168.1.0 255.255.255.0 inside

    asdm image flash:/asdm-623.bin

     

     

     

    Verification:

     

    show asp table socket

     

    Protocol               Socket                  Local Address               Foreign Address         State

    SSL                         0000375f              192.168.1.1:443            0.0.0.0:*                      LISTEN

     

    !-- This shows that the ASA is listening on its interface on port 443 --!

     

     

    TROUBLESHOOTING METHOD

     

    Step 1: Verify that you can ping the ASA from the PC/laptop you are trying to access it from.

     

    Step 2: Check that the necessary configuration is in place.

    Commands:

    show run http [check if http server is enabled, and http access is allowed on the interface you are trying to access.]

    show run asdm [check that an asdm image is mentioned, and the version is compatible with the ASA image version.]

    show flash [check that the asdm image mentioned is present in the flash.]

     

    Step 3: Check that the ASA is listening for https requests on its interface

    Commands:

    show asp table socket [under Local Address, you should see <interface ip>:<http server port> in a LISTEN state.]

     

    Step 4: If steps 1 to 3 all check out, you are probably encountering one of the problems described in the next section.
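The checks in steps 2 and 3 can be scripted against saved command output. The following is an added example, not part of this document: it parses constructed "show run http" and "show run asdm" output and a constructed flash file listing, then reports which of the documented preconditions (http server enabled, client subnet permitted on the interface, asdm image configured and present) are missing. The command output and file names are assumptions modelled on the examples above.

```python
import ipaddress

# Constructed sample outputs in the format this document shows
# (not captured from a real appliance).
SHOW_RUN_HTTP = """\
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.5 255.255.255.255 management
"""
SHOW_RUN_ASDM = "asdm image flash:/asdm-623.bin\n"
FLASH_FILES = ["asa804-k8.bin", "asdm-623.bin"]   # constructed 'show flash' names

def parse_http(text):
    """Return (server_enabled, port, [(permitted network, interface), ...])."""
    enabled, port, rules = False, 443, []
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["http", "server", "enable"]:
            enabled = True
            if len(parts) == 4 and parts[3].isdigit():
                port = int(parts[3])   # 'http server enable XX' form
        elif len(parts) == 4 and parts[0] == "http":
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            rules.append((net, parts[3]))
    return enabled, port, rules

def parse_asdm_image(text):
    """Return the configured image path, or None if the command is absent."""
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["asdm", "image"] and len(parts) == 3:
            return parts[2]
    return None

def check_access(client_ip, interface, http_text, asdm_text, flash_files):
    """Mirror steps 2 and 3: config present, client permitted, image on flash."""
    enabled, port, rules = parse_http(http_text)
    ip = ipaddress.ip_address(client_ip)
    allowed = any(ip in net and ifc == interface for net, ifc in rules)
    image = parse_asdm_image(asdm_text)
    image_name = image.split(":", 1)[-1].lstrip("/") if image else None
    problems = []
    if not enabled:
        problems.append("http server not enabled")
    if not allowed:
        problems.append(f"{client_ip} not permitted on {interface}")
    if image is None:
        problems.append("asdm image command missing")
    elif image_name not in flash_files:
        problems.append(f"{image_name} not in flash")
    return {"port": port, "problems": problems}
```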

     

     

     

    ACCESS ERRORS

    [interface ip for all examples is 10.76.75.48]

     

    ASDM Launcher Fails

     

    ASDM access worked previously via https://10.76.75.48, but fails when using the shortcut on your desktop.

     

    Resolution

     

    The ASDM launcher does not work with the 64-bit Java version on Windows. You will have to access ASDM from your web browser.

     

     

     

    HTTP 404 not found (type 1)

     

    Ping to 10.76.75.48 is successful

    You enter https://10.76.75.48 in your web browser

    You receive a “Certificate Error: Navigation Blocked” page.

    Then when you click “Continue to the Website” you get HTTP 404 not found.

     

    Debug HTTP on the ASA will show the following:

     

    HTTP: processing GET URL '/' from host 64.103.226.131

    HTTP: redirecting to: /admin/public/index.html

    HTTP: session verified =  [0]

    HTTP: processing GET URL '/admin/public/index.html' from host 64.103.226.131

    HTTP: authentication not required

    HTTP: file not found: public/index.html

     

     

    Possible Resolution

     

    “asdm image xxx” command is missing.

     

    Note: if you add the command, log in through ASDM, and then remove it, ASDM access will continue to work as long as those files remain in the browser history/cache.

     

     

    HTTP 404 not found (type 2)

     

    Ping to 10.76.75.48 is successful

    You enter https://10.76.75.48 in your web browser

    After waiting a while, you get HTTP 404 not found.

     

    Logs show:

     

    %ASA-3-710003: TCP access denied by ACL from 64.103.226.131/3212 to outside:10.76.75.48/443

    %ASA-7-710005: TCP request discarded from 64.103.226.131/3212 to outside:10.76.75.48/443

    %ASA-3-710003: TCP access denied by ACL from 64.103.226.131/3212 to outside:10.76.75.48/443

    %ASA-7-710005: TCP request discarded from 64.103.226.131/3212 to outside:10.76.75.48/443

     

    Captures show:

     

    17: 23:27:51.854844 64.103.226.131.3212 > 10.76.75.48.443: S 247161576:247161576(0) win 64512 <mss 1260,nop,nop,sackOK>

    18: 23:27:54.806019 64.103.226.131.3212 > 10.76.75.48.443: S 247161576:247161576(0) win 64512 <mss 1260,nop,nop,sackOK>

     

     

    Possible Resolution

     

    Check the output of “show asp table socket” to see whether the ASA is listening on that interface.

    Either the configuration is missing, or the ASA may be hitting a bug that requires further analysis.

     

     

    WebVPN conflict

     

    Ping to 10.76.75.48 is successful

    You enter https://10.76.75.48 in your web browser

    The Cisco SSL VPN service opens up with a prompt for login credentials.

     

     

    Resolution

     

    Configure ASDM to run on a port other than 443, as WebVPN uses that port.

    Use http server enable XX to listen on port XX instead of 443, and enter https://10.76.75.48:XX to access ASDM.

     

    Alternately, use https://10.76.75.48 to access SSL VPN, and https://10.76.75.48/admin to access ASDM.

     

     

     

    Weak Encryption

     

    Ping to 10.76.75.48 is successful

    You enter https://10.76.75.48 in your web browser.

    You get the following error message:

     

     

    [Screenshot: ssl_overlap.JPG]

     

    Logs on the ASA show:

     

    %ASA-7-725011: Cipher[1] : DHE-DSS-AES256-SHA

    %ASA-7-725011: Cipher[2] : AES256-SHA

    %ASA-7-725011: Cipher[3] : DHE-RSA-AES256-SHA

    %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA

    %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA

    %ASA-7-725011: Cipher[6] : RC4-MD5

    %ASA-7-725011: Cipher[7] : RC4-SHA

    %ASA-7-725011: Cipher[8] : AES128-SHA

    %ASA-7-725011: Cipher[9] : EDH-RSA-DES-CBC3-SHA

    %ASA-7-725011: Cipher[10] : EDH-DSS-DES-CBC3-SHA

    %ASA-7-725011: Cipher[11] : DES-CBC3-SHA

    %ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher

    %ASA-6-302014: Teardown TCP connection 79 for outside:64.103.226.131/4514 to identity:10.76.75.48/443 duration 0:00:00 bytes 7 TCP Reset by appliance

     

    This indicates that the SSL encryption standards being used by the ASA do not match the ones being used on the browser. To view those being used on the ASA, enter the command show run all ssl.

     

    You would see something like this:

    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

     

     

    Resolution:

     

    Enter the command: ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 in config mode.

     

    If you get a license error, then procure the VPN-AES-3DES license and apply it. The procedure can be found on the following link: Obtaining a 3DES/AES License

     

    Enter the command again once the license is applied.
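The three log signatures walked through above (the debug http "file not found" line, the 710003 ACL denial, and the 725014 "no shared cipher" error) can be triaged automatically. This is an added example, not code from this document or from Cisco: it classifies constructed copies of those lines into the documented causes and records the source address where the message carries one. The category names and hints are this example's own; the message IDs and their meaning come from the sections above.

```python
import re

# Constructed sample combining the debug http and syslog lines shown in this
# document for the three failure modes (not captured from a live device).
SAMPLE_LOGS = """\
HTTP: processing GET URL '/admin/public/index.html' from host 64.103.226.131
HTTP: file not found: public/index.html
%ASA-3-710003: TCP access denied by ACL from 64.103.226.131/3212 to outside:10.76.75.48/443
%ASA-7-710005: TCP request discarded from 64.103.226.131/3212 to outside:10.76.75.48/443
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-302014: Teardown TCP connection 79 for outside:64.103.226.131/4514 to identity:10.76.75.48/443 duration 0:00:00 bytes 7 TCP Reset by appliance
"""

SYSLOG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")
FLOW_RE = re.compile(r"from (?P<src>[\d.]+)/\d+ to (?P<ifc>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")

# Message ID -> (category, next check), as this document describes them.
RULES = {
    "710003": ("http_acl_or_not_listening",
               "check 'show run http' and 'show asp table socket'"),
    "725014": ("ssl_cipher_mismatch",
               "compare 'show run all ssl' with the browser's cipher suites"),
}

def classify_line(line):
    """Return (category, hint, flow details) for one line, or None."""
    if line.startswith("HTTP: file not found:"):
        return ("asdm_image_missing", "add the 'asdm image' command", {})
    m = SYSLOG_RE.match(line)
    if not m or m.group("id") not in RULES:
        return None
    msg_id, msg = m.group("id"), m.group("msg")
    if msg_id == "725014" and "no shared cipher" not in msg:
        return None  # 725014 covers other SSL library errors too
    cat, hint = RULES[msg_id]
    flow = FLOW_RE.search(msg)
    return (cat, hint, flow.groupdict() if flow else {})

def triage(log_text):
    """Aggregate findings: category -> {hint, count, sources}."""
    findings = {}
    for line in log_text.splitlines():
        r = classify_line(line.strip())
        if r is None:
            continue
        cat, hint, flow = r
        f = findings.setdefault(cat, {"hint": hint, "count": 0, "sources": set()})
        f["count"] += 1
        if "src" in flow:
            f["sources"].add(flow["src"])
    return findings
```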

     

     

    Java not installed on computer

     

     

    You enter https://10.76.75.48 in your web browser.

    You get the following option on the ASDM page:

     

    [Screenshot: java_missing.JPG]

     

     

    Resolution:

     

    Click on “Install Java Web Start” and it will install the required Java version.

    Alternately, you can download and install the latest Java JRE from the internet.

     

     
     
    Incompatible Java Version

     

     

    Ping to 10.76.75.48 is successful

    You enter https://10.76.75.48 in your web browser

    After entering the login credentials, the loading process starts and then hangs at this stage.

    This error is generally seen in older ASA versions like 5.0(x), but has been known to occur in later versions as well (often when upgrading or downgrading ASDM images).

     

     

     

    [Screenshot: java_stuck.JPG]

     

     

     

    Resolution

     

    Downgrade Java to its base version. For example, in the above screenshot you can see that the JRE in use is Java 6 update 20. Uninstall it, and install Java 6 base version. The ASDM screen would immediately load once the bar becomes 100%. If the version of ASDM in use is below 5.0(9), then upgrade to 5.0(9).

     

     

     

     

    Java Error on Launch

     

    Ping to 10.76.75.48 is successful

    ASDM had been working fine previously, and no change has been made on the ASA.

    You enter https://10.76.75.48 in your web browser

    When you launch ASDM, you get the following Java Error:

     

    Exception in thread "SGZ Loader: launchSgzApplet" java.lang.NumberFormatException: For input string: "1 year 0"
         at java.lang.NumberFormatException.forInputString(Unknown Source)
         at java.lang.Integer.parseInt(Unknown Source)
         at java.lang.Integer.parseInt(Unknown Source)
         at com.cisco.pdm.Check.h(DashoA10*..:1358)
         at com.cisco.pdm.Check.c(DashoA10*..:858)
         at com.cisco.pdm.Check.a(DashoA10*..:438)
         at com.cisco.pdm.PDMApplet.start(DashoA10*..:132)
         at com.cisco.nm.dice.loader.r.run(DashoA19*..:410)

     

    OR,


    Exception in thread "SGZ Loader: launchSgzApplet"
    java.lang.StringIndexOutOfBoundsException: String index out of range: -1
          at java.lang.String.substring(Unknown Source)
          at java.lang.String.substring(Unknown Source)
          at com.cisco.pdm.Check.h(DashoA10*..:1345)
          at com.cisco.pdm.Check.c(DashoA10*..:841)
          at com.cisco.pdm.Check.a(DashoA10*..:422)
          at com.cisco.pdm.PDMApplet.start(DashoA10*..:132)
          at com.cisco.nm.dice.loader.r.run(DashoA19*..:410)

    Resolution


    The above errors happen when the ASA has been up for exactly a year (1st error) or a year and a day (2nd error).
    The up-time of an ASA can be checked in the output of the show version command.
    The obvious resolution is to restart the ASA, thus resetting the up-time.
    This issue is seen in ASDM versions 6.0 and 6.1 and was fixed in 6.1(5.59), so upgrading ASDM to a version higher than that fixes the issue.



    HTTPS Tips and Tricks

     

    Apart from accessing the ASDM, there are a few other things that can also be done with the https://<interface ip>/... url.

     

    Running Show commands

    You can view the outputs of all show commands on the browser itself, by typing the following into the address bar:

    https://<interface ip>/admin/exec/show [command]

    (spaces can be included after the "show" keyword)

     

    Example:

    https://10.76.75.48/admin/exec/show run will display the running configuration in the browser.

     
    Text based Monitoring

    You can monitor most of the basic information, like connection counts, xlate counts, memory block usage, etc. in real time.

    https://<interface ip>/admin/asdm_handler refreshes the statistics every 10 seconds, and can be useful in certain scenarios.

     

    Example:

    https://10.76.75.48/admin/asdm_handler gives the following snapshot on the browser:

     

    METRICS_INFO|BEGIN
    TIMESTAMP|1300332039|UTC|0
    VERSION|ASA|8.0(4)|pdm|6.3(5)
    UPTIME|12083|CONFIG_MOD|370|CONFIG_SAVED|294|CONFIG_STATUS|0x0
    INTERFACE|man|up|UP|IP|10.76.75.56|MASK|255.255.255.192|IBC|207|OBC|342|IPC|4|... <o/p deprecated>
    MEM|FREE|1919075000|USED|149167432|
    CPU|0|
    BLOCK|ABLK0|700|UBLK0|0|ABLK4|99|UBLK4|1|ABLK80|700|UBLK80|0|ABLK256|100|........ <o/p deprecated>
    PERFMON|XLATES|0|CONNECTIONS|0|TCP CONNS|0|UDP CONNS|0|URLS|0|URLSERVER|0|....... <o/p deprecated>
    CONN|CUR|1|MAX|2|
    XLATE|CUR|0|MAX|0|
    SA|ISAKMP_SAS|0|IPSEC_SAS|0|
    TUNNEL|L2TP_SESS|0|L2TP_TUNN|0|WEBVPN_SESS|0|SVC_SESS|0|TOTAL_SESS|0|
    METRICS_INFO|END
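The asdm_handler snapshot above is a simple pipe-delimited record format, so it can be parsed for text-based monitoring without ASDM. The following is an added example and not part of this document: it parses a constructed sample built from the values shown above (the records the document truncates with "<o/p deprecated>" are left out), converts numeric fields, and derives a few figures an operator would watch. The record layout rule (NAME|KEY|VALUE|... with an odd field count meaning the first field is the record's own value) is inferred from the snapshot and is an assumption.

```python
# Constructed sample in the METRICS_INFO format this document shows; values are
# the document's, the records it truncates ("<o/p deprecated>") are omitted.
SAMPLE = """\
METRICS_INFO|BEGIN
TIMESTAMP|1300332039|UTC|0
VERSION|ASA|8.0(4)|pdm|6.3(5)
UPTIME|12083|CONFIG_MOD|370|CONFIG_SAVED|294|CONFIG_STATUS|0x0
MEM|FREE|1919075000|USED|149167432|
CPU|0|
CONN|CUR|1|MAX|2|
TUNNEL|L2TP_SESS|0|L2TP_TUNN|0|WEBVPN_SESS|0|SVC_SESS|0|TOTAL_SESS|0|
METRICS_INFO|END
"""

def _num(s):  # decimal and hex (0x0) fields become int, anything else stays str
    return int(s, 16) if s.lower().startswith("0x") else (int(s) if s.isdigit() else s)

def parse_metrics(text):
    """Parse records between METRICS_INFO|BEGIN and |END into {NAME: {KEY: value}}.
    Assumed layout: NAME|KEY|VALUE|...; an odd field count after NAME means the
    first field is the record's own value (e.g. UPTIME|12083|CONFIG_MOD|370)."""
    records, inside = {}, False
    for raw in text.splitlines():
        fields = [f for f in raw.strip().split("|") if f]   # drop trailing '|'
        if not fields:
            continue
        name, rest = fields[0], fields[1:]
        if name == "METRICS_INFO":
            inside = rest == ["BEGIN"]
            continue
        if not inside:
            continue
        rec = {}
        if len(rest) % 2 == 1:
            rec[name] = _num(rest[0])
            rest = rest[1:]
        rec.update({rest[i]: _num(rest[i + 1]) for i in range(0, len(rest), 2)})
        records[name] = rec
    return records

def summarize(records):
    """Derive the figures an operator would watch from one snapshot."""
    mem = records["MEM"]
    return {
        "asa_version": records["VERSION"]["ASA"],
        "uptime": records["UPTIME"]["UPTIME"],   # unit not stated by the document
        "mem_used_pct": 100.0 * mem["USED"] / (mem["FREE"] + mem["USED"]),
        "total_vpn_sessions": records.get("TUNNEL", {}).get("TOTAL_SESS", 0),
    }
```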

     

     

    RELATED URLs

     

    Archive of Java Versions

    http://www.oracle.com/technetwork/java/archive-139210.html

     

    List of ASDM Release Notes

    http://www.cisco.com/en/US/products/ps6121/prod_release_notes_list.html

     

    Obtaining a 3DES/AES License

    http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/DESlic.html

     

    Upgrading ASDM image using ASDM 5.x

    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml#maintask3

     

    Upgrading ASDM image using ASDM 6.x

    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml#asdm6.x2

     

    Upgrading ASDM image using CLI

    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml#maintask21

     

    Cisco Document on issues with using/accessing ASDM

    http://www.cisco.com/en/US/products/ps6121/products_tech_note09186a0080aaeff5.shtml

     

    Document on Troubleshooting Telnet/ssh/https access to the ASA

    https://supportforums.cisco.com/docs/DOC-13012

    Comments
    VincentLong
    Level 1

    Thanks... This document really provides a guideline for my firewall issue. Thanks again.

    MINGJU YU
    Level 1

    Thx a lot!

    soflakhdari
    Community Member

    Thanks a lot brother, I appreciate your work.

    aljeeran3
    Community Member

    https://10.76.75.48/admin/asdm_handler gives the following snapshot on the browser:

    It asks me for a username and password.

    I did not assign any username ...

    And then I tried to create a username and password, but that username and password are still not accepted.

    And can you please tell me what the SSH credentials are? It also asks me to enter those as well.

    soflakhdari
    Community Member

    Hello Ali,

    Well, check if the admin that you enter has privilege 15.

    Enable the secure server on your ASA (I think this is not obligatory, it exists by default).

    Authorize the network you enter from and make the interface you enter from level 100.

    I think that's all.

    For more information search on YouTube, you will find plenty of helpful videos.

    Good luck

    Jaaazman777
    Level 1

    Hello shrsunda!

    great post, thank you!

    Is there any chance to access ASDM if no 3DES license is installed?

    from my CLI I can see:

    show run all ssl

    ssl server-version any
    ssl client-version any
    ssl encryption des-sha1

    nate_pazue
    Community Member

    I would also add that if you are getting a 404 error, check and see if Encryption-3DES-AES is enabled; you need this for ASDM to work properly for encryption via SSL.

    Fabrizio Chessa
    Level 1

    Hi,

     

    Many thanks, this post solved my issues!!!!

     

    Best Regards

    Adam Hudson
    Level 1

    This post has not helped me solve my ASDM issue. A section about "cannot open device/unable to connect" errors would be appreciated.

    juantron
    Level 1

    Hi.

    Good tutorial, but what about the show version command? I think this is the first command to use when troubleshooting ASDM access. If the ASDM image is not valid or is not in flash, no ASDM version is shown in the output.

    thrtnastrx
    Level 1

    Thank you!  Solved my problem.

    kpietras
    Cisco Employee
    Hi. Is there any way to get the HTML dump from ACLs without opening ASDM ?