ASDM access to 5500 using Java was just a frustrating experience. If you manage only one device you may not notice the pain. But if you are managing multiple devices with some device 'forbidden' to update ASA firmware, it is very frustrating. I spend few days looking at the issue and came to a conclusion and decided to post to guide all newer VPN admins who will go through the same pain and hopefully we can reduce some combined wasted time. No thanks to Cisco. This is not a guide but a start point of a dicussion and all input are welcome.
Recommended Beginning Setup for New Admin :
Java Version 6 Update 7
Reason for recommendation :
a. There doesn't seem to be any recommendation to where to start your ASDM journey. So here. Start from here. Attached PDF is simple list of Java version and its release date. http://en.wikipedia.org/wiki/Java_version_history Version 6 Update 7 is unique in that it is the last version to support Win 9x. Why is that important? ASDM is written on Win 9x interface.
b. It is a very old 2008 release. So why use such an old security cesspool of a product as a base? Security of newer version of Java isn't any better. Recommendation of Java use is to not use it. Java isn't secure. '.' But Cisco is insisting on using it. Shame on Cisco and this ASDM Java debacle is a shameful thing that Cisco even now can't careless.
c. Attached is the list of release date of Java and Cisco products. ASDMS for FWSM range from 2007-2010, ASA 5500 and PIX 2007-2008, ASA 2010-2013. 2008 seems to fit quite nicely in the middle. Very scientific .
Recommendation after gaining full access
a. Update ASA and ASDM firmware to latest. ASDM 7.1.3 has same interface as much older ASDM. Kudos to Cisco on that..
b. Write to US-CERT and CC Cisco to have them remove Java on their key platform. (Android too.. <- now, there's a joke!)
Jonathan, good posting. I know many share your frustration.
I would add that if anyone has an ASA still running old 7.x code they will not be able to use ASDM 7.1(3). For anything 8.0 or higher though I agree it is good. See the Cisco compatibility matrix for details.
The other issue is: what if you use anything else besides ASDM that requires Java? Several Cisco products also require Java (IPS Manager Express, CiscoWorks and Cisco Prime LMS Topology) and may need a later release of version 6. So that is a consideration.
Personally I have unistalled Java Version 7 wherever I find it - it only breaks things in my experience.
Long term Cisco is rewriting their applications to deprecate use of and requirements for Java. It is a big job though - ASA alone is supporting something like 9 release trains and a "new" ASDM that was Java free but without the compatibility from 8.0 trough 9.1 on multiple hardware architectures would not be received well.
ASDM ASA management platform has a major flaw. Different version require different version of Java JRE(Runtime Environment). One would think latest version should be backward compatible. It isn't so.
So far Java Version 6 and Update 7 has been most compatible for my work. But NSP and other management console also require JRE and they unlike Cisco works well with the latest version but not with older version.
Keeping and working with multiple version of JRE is a pain because JRE does not have proper control to support that automatically. One way to accomplish launching different version of JRE instead of default is use of command-line.
In ASDM's shortcut icon properties, add version information in "target:". Find out JRE versions installed in your system under C:\Program Files (x86)\Java. Add option -version:"1.6.0_07" to specify which version to use. My example is JRE version 6 update 7.
Original line :
C:\Windows\SysWOW64\javaw.exe -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar com.cisco.launcher.Launcher
Modified line :
C:\Windows\SysWOW64\javaw.exe -version:"1.6.0_07" -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar com.cisco.launcher.Launcher
#ASDM #JAVA #JRE
Thanks for the guide I had the same issue, I must have tried at least 5 different older versions of Java7 .x, none worked.
Just to add a caveat I experienced issues with Windows XP as well, had to use a Win 7 PC.