03-13-2008 02:57 PM
Hi,
I've got 2 problems with an ASA5505:
1. using the latest firmware available I am not able to establish a tunnel to a CheckPoint firewall. I found one walkthrough and one example config on the Cisco site, but the walkthrough is for an older PIX SW version and the example config is for an older ASDM. I do not find on the Cisco website an example config documenting the latest ASDM version. Has anyone a "clean config" for Cisco ASA Software version 8.0(3), which works against a CheckPoint Gateway?
(By the way: even though I have 90 day software support for the new device, it is simply impossible to ask Cisco directly, the TAC refuses to open a case, even though I suppose it is a problem which occurs only in the latest firmware (maybe when using ASDM).
2. The ASDM (asdm-611.bin) behaves absolutely unstable. When issuing Config commands through its interface (like trying out all meaningful settings for the Site2Site config), it even stops reporting the negotiations of the site2site setup phases in the log. After some time when hitting the "apply" button the ASDM hangs completely. When finishing it through the task manager in my Windows, I am not able to restart it. It comes up with the error "Unable to launch ASDM from <device>: Unable to read Device Manager version from device".
I hope a reboot helps here, but I wanted to put this down in writing before the reboot. In any case, I am pretty fed up with the ASDM interface at the moment.
The result is:
- VPN is not really configurable, because ASDM tends to forget settings made and does not fully refresh, even when hitting the refresh button
Has anyone else observed strange behaviour of the ASDM when configuring VPN settings? Would you suggest to return to the command line configuration? But then I probably have to build the whole configuration from scratch.
Why is it not possible for Cisco to provide a fully, error-free, working version of the ADSM? I mean, it makes no sense to release a new ASDM version only because the graphics have become brighter and more colorful, if the mechanisms behind do not really work.
So much for the 3 hours I just wasted in trying to do something meaningful with Cisco ASA5505 ...
Regards,
Olaf
03-13-2008 03:52 PM
Olaf be patient , three hours is nothing !, frankly it is best not to rely on asdm %100 I have seen strange things in asdm, and have seen configuration entered in cli not seen in asdm. In any case, the answer to ASDM issues is for cisco to respond, it is best to configure your tunnel by command line, there are few l2l config examples out there to help you build a vpn tunnel, Ipsec is a standard and by understanding what is required for Ipsec phase-1 Phase-2 you will realize it is straight forward to build a l2l tunnel with a non-cisco firewall as long the firewall supports Ipsec, it is not more than exactly agreeing on a set of configuration parameters at each end of the tunnel points.
PIX to Checkpoint L2l , this is probably the one you had refered to before, but if you look at the other link bellow PIX-to-PIX vpn tunnel see the Phase-1 and Phase-2 requirements.
PIX 6.3 and CP NG ( again the PIX side is same as 7.x .
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml
PIX-to-PIX l2l
Good luck
Rgds
Jorge
09-10-2008 05:11 AM
Hi Olaf & everyone else
I'm suffering from a similar problem, in my case it's with ASDM 6.1(3) (also numbered 1.5(30)). I always get the message "Error: Unable to launch ASDM from
I've tried to connect from a different Windows XP hosts to the same ASA, which works fine, yet not with my notebook. I've deinstalled and reinstalled ASDM several times, I also deleted the folder C:\Documents and Settings\
Since I am forced to use 6.1(3) because the ASA runs 8.0(4), I urgently need a fix. Anyone got a hint? Otherwise I'll escalate to TAC...
Toni
09-30-2008 04:49 AM
Just to let you know, I opened a TAC case, yet they couldn't help me. I figured out that the only way to resolve the issue was to reinstall my Windows XP profile...which is a pain in the a.., restoring all application settings, links, etc.
09-10-2008 08:24 AM
I always press the save button before refreshing. In my experience the The ASDM is good ONLY for basic stuff. Use the vpn wizard to setup your initial vpn, then go to the command line to check you settings. For all troubleshooting/Debugging the ASDM is virtually useless, always use the command line
for this. Useful Debugging commands for vpn are
Debug crypto isakmp (For your key exchanges in phase 1)
Debug crypto ipsec (for phase 2)
Debug crypto engine (General vpn debugging)
also turn on all terminal & buffered logging.
Also check hits aginst the relative access lists, ie crypto lists, any No nat lists & you ingress & egress access lists as well as any Natting involved.
Hope this helps,
Brian McGaun
CCNP
09-10-2008 10:44 PM
Hi Brian
I agree with you. Still, I find ASDM to be more useful when you want to debug, since you can filter messages in the ASDM real-time monitoring tool much easier than when your CLI gets flooded with all the less severe syslog output on a productively used ASA.
Anyway, my ASDM Launcher still doesn't want to connect to any ASA...
Toni
09-30-2008 05:58 AM
"Olaf be patient , three hours is nothing !,"
Three hours. These things can be configured in
less than 10 minutes, on both sides.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide