ASA5505 Site2Site Tunnel to CheckPoint not working plus ASDM errors


Hi,

I've got 2 problems with an ASA5505:

1. using the latest firmware available I am not able to establish a tunnel to a CheckPoint firewall. I found one walkthrough and one example config on the Cisco site, but the walkthrough is for an older PIX SW version and the example config is for an older ASDM. I do not find on the Cisco website an example config documenting the latest ASDM version. Has anyone a "clean config" for Cisco ASA Software version 8.0(3), which works against a CheckPoint Gateway?

(By the way: even though I have 90-day software support for the new device, it is simply impossible to ask Cisco directly; the TAC refuses to open a case, even though I suppose it is a problem which occurs only in the latest firmware (maybe when using ASDM).)

2. The ASDM (asdm-611.bin) behaves absolutely unstably. When issuing config commands through its interface (like trying out all meaningful settings for the Site2Site config), it even stops reporting the negotiations of the site2site setup phases in the log. After some time, when hitting the "Apply" button, the ASDM hangs completely. When killing it through the Task Manager in Windows, I am not able to restart it. It comes up with the error "Unable to launch ASDM from <device>: Unable to read Device Manager version from device".

I hope a reboot helps here, but I wanted to put this down in writing before the reboot. In any case, I am pretty fed up with the ASDM interface at the moment.

The result is:

- VPN is not really configurable, because ASDM tends to forget settings made and does not fully refresh, even when hitting the refresh button.

Has anyone else observed strange behaviour of the ASDM when configuring VPN settings? Would you suggest returning to the command line configuration? But then I probably have to build the whole configuration from scratch.

Why is it not possible for Cisco to provide a full, error-free, working version of the ASDM? I mean, it makes no sense to release a new ASDM version only because the graphics have become brighter and more colorful, if the mechanisms behind it do not really work.

So much for the 3 hours I just wasted in trying to do something meaningful with Cisco ASA5505 ...

Regards,

Olaf

JORGE RODRIGUEZ Thu, 03/13/2008 - 15:52

Olaf, be patient, three hours is nothing! Frankly, it is best not to rely on ASDM 100%. I have seen strange things in ASDM, and have seen configuration entered in the CLI not shown in ASDM. In any case, the answer to ASDM issues is for Cisco to respond; it is best to configure your tunnel by command line. There are a few L2L config examples out there to help you build a VPN tunnel. IPsec is a standard, and by understanding what is required for IPsec Phase 1 and Phase 2 you will realize it is straightforward to build an L2L tunnel with a non-Cisco firewall as long as the firewall supports IPsec; it is no more than agreeing on exactly the same set of configuration parameters at each end of the tunnel.

PIX to Checkpoint L2L: this is probably the one you had referred to before, but if you look at the other link below (PIX-to-PIX VPN tunnel), see the Phase 1 and Phase 2 requirements.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008009420f.shtml

PIX 6.3 and CP NG (again, the PIX side is the same as 7.x).

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml

PIX-to-PIX l2l

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml

Good luck

Rgds

Jorge

tgrundbacher Wed, 09/10/2008 - 05:11

Hi Olaf & everyone else

I'm suffering from a similar problem, in my case it's with ASDM 6.1(3) (also numbered 1.5(30)). I always get the message "Error: Unable to launch ASDM from " whenever I try to connect to an ASA.

I've tried to connect from a different Windows XP host to the same ASA, which works fine, yet not from my notebook. I've uninstalled and reinstalled ASDM several times; I also deleted the folder C:\Documents and Settings\\.asdm. Nothing helps.

Since I am forced to use 6.1(3) because the ASA runs 8.0(4), I urgently need a fix. Anyone got a hint? Otherwise I'll escalate to TAC...

Toni

tgrundbacher Tue, 09/30/2008 - 04:49

Just to let you know, I opened a TAC case, yet they couldn't help me. I figured out that the only way to resolve the issue was to reinstall my Windows XP profile... which is a pain in the a.., restoring all application settings, links, etc.

lowfell Wed, 09/10/2008 - 08:24

I always press the save button before refreshing. In my experience the ASDM is good ONLY for basic stuff. Use the VPN wizard to set up your initial VPN, then go to the command line to check your settings. For all troubleshooting/debugging the ASDM is virtually useless; always use the command line for this. Useful debugging commands for VPN are:

debug crypto isakmp (for your key exchanges in Phase 1)

debug crypto ipsec (for Phase 2)

debug crypto engine (general VPN debugging)

Also turn on all terminal and buffered logging.

Also check hits against the relevant access lists, i.e. crypto lists, any no-NAT lists and your ingress and egress access lists, as well as any NATting involved.

Hope this helps,

Brian McGaun

CCNP
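
Putting Jorge's point (agree on the same Phase 1 and Phase 2 parameters at both ends) and Brian's checklist (crypto ACL, no-NAT list, verify from the CLI) together, here is an added ASA 8.0(3) CLI example; it is not from any of the posters or from Cisco's documents. The peer address 203.0.113.2, the subnets 192.168.1.0/24 (inside) and 192.168.2.0/24 (behind the CheckPoint), the ACL and map names and the key are assumed placeholders, and every negotiated value must be mirrored on the CheckPoint side.

```cisco
! Added example (not from the thread): ASA 8.0(3) site-to-site IPsec to a CheckPoint peer.
! Assumed values: outside interface faces the Internet, peer 203.0.113.2,
! local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24 - replace with your own.
!
! --- Phase 1 (ISAKMP/IKEv1): must match the CheckPoint gateway exactly ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Peer identity and pre-shared key (placeholder key, change it)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
!
! --- Interesting traffic: the crypto ACL defines the Phase 2 proxy IDs ---
! The CheckPoint encryption domain must be the mirror image (its LAN <-> your LAN).
access-list L2L_CRYPTO extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! --- Exempt tunnel traffic from NAT (Brian's "no NAT" list) ---
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! --- Phase 2 (IPsec): transform set and crypto map bound to the outside interface ---
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
! PFS is optional, but a mismatch (on here, off on the CheckPoint) fails Phase 2
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP interface outside
!
! --- Verification from the CLI (send traffic across first, e.g. a ping from the LAN) ---
! show crypto isakmp sa        -> Phase 1 state should be MM_ACTIVE
! show crypto ipsec sa         -> pkts encaps/decaps counters should increase
! show access-list L2L_CRYPTO  -> hit counts confirm traffic matches the crypto ACL
! show access-list NONAT       -> hit counts confirm the NAT exemption is matched
! debug crypto isakmp 127 and debug crypto ipsec 127 while bringing the tunnel up
```

If Phase 1 never reaches MM_ACTIVE, compare the policy values line by line with the CheckPoint gateway properties before touching Phase 2; if Phase 1 is up but the crypto ACL shows no hits, the traffic is being NATted or routed around the tunnel.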

tgrundbacher Wed, 09/10/2008 - 22:44

Hi Brian

I agree with you. Still, I find ASDM to be more useful when you want to debug, since you can filter messages in the ASDM real-time monitoring tool much easier than when your CLI gets flooded with all the less severe syslog output on a productively used ASA.

Anyway, my ASDM Launcher still doesn't want to connect to any ASA...

Toni

cisco24x7 Tue, 09/30/2008 - 05:58

"Olaf be patient , three hours is nothing !,"

Three hours. These things can be configured in less than 10 minutes, on both sides.
