ASA ASDM connection problems

Mar 18th, 2008

Hi,

I'm new to ASA and have a question about what alternatives there are to manage the ASA "out of the box".

My problem is that after upgrading ASDM to 6.0(3) I get the following error message:

"Your ASA Image has a version number 7.2(2) which is not supported by ASDM 6.0(2). Please use Device Mgr 5.2(x)"

I've tried downloading and installing ASDM 5.2(3), but when I try to connect it upgrades, leaving me stuck with no connection.

The thing I think is causing this is: asdm image flash:/asdm-603.bin...

When trying to connect with SSH I receive a login prompt but can't log in with the same password as through ASDM. (Are the login options different from ASDM?)

I've never needed to connect through terminal and console: do the login options (user and pwd) differ in some way from ASDM?

I have not changed any settings as far as I know for administrative access more than enabling ASDM for VPN https access.

Hope someone can help me regain access to my ASA.

Correct Answer
JORGE RODRIGUEZ Tue, 03/18/2008 - 08:51

First try fixing ASDM: go to the firewall command line and see where your ASDM upgrade image landed with "dir". Most likely it landed in disk0; if that is the case, do "show run | inc asdm" to see the current firewall asdm statement and correct it as follows.

Example:

AsAfw# dir

Directory of disk0:/

75 -rwx 6851212 05:22:16 Dec 11 2007 asdm-603.bin
76 -rwx 1868412 09:02:20 Apr 19 2007 securedesktop-asa-3.1.1.29-k9.pkg
77 -rwx 398305 09:02:36 Apr 19 2007 sslclient-win-1.1.0.154.pkg
2 drwx 4096 05:27:40 Dec 11 2007 log
79 -rwx 14635008 05:17:54 Dec 11 2007 asa803-k8.bin
80 drwx 4096 11:00:56 Oct 18 2007 sdesktop
6 drwx 4096 05:28:02 Dec 11 2007 crypto_archive
81 -rwx 545757 08:02:48 Jan 04 2008 rdp-plugin.jar
82 -rwx 2206269 08:03:34 Jan 04 2008 sslclient-win-1.1.4.177-anyconnect.pkg

Verify that your ASDM 5.2.3, the one you downloaded, is indeed in the disk0 directory. If it is there, do the following to verify the asdm config statement in the firewall.

show run | inc asdm

It will show the firewall's current asdm config statement; if it is still loading 603 you must correct it.

Example: remove the old statement, add the new statement.

asa#config t
asa(config)#no asdm image disk0:/asdm-603.bin
asa(config)#asdm image disk0:/new_asdm_image.bin
asa(config)#exit
asa#write mem

I do not believe you need to reboot after changing the statement. After the corrections try loading ASDM; if it does not load then reboot the ASA, but again ASDM should load without a reload.

As for SSH, follow this link (use aaa authentication local):

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml#configs

Let us know how it works out.

HTH

Rgds

Jorge

Rate any helpful posts if it helps

PeterBodzay Tue, 03/18/2008 - 09:04

Hi Jorge,

Thanks for the post. A couple of questions so I understand your response correctly:

I need to connect through console at this point because I haven't done the SSH config, right? There is no "default" username to connect?

Not being familiar with the console connection: is there some username or password other than those used in ASDM?

Thanks once again for your help, I'll give you some feedback when I've tried your suggestions on site.

JORGE RODRIGUEZ Tue, 03/18/2008 - 09:14

Correct. Is this firewall new out of the box? If so, there should not be any username configurations in it; you should be able to connect to the console without authentication.

If it is a new ASA, just try connecting through the console and see what you get: press Enter several times, and type enable to get to enable mode. Terminal emulation settings are COM1, 9600 bps, data 8, parity none, stop bits 1, flow hardware.

[edit] A basic guide on basic ASA configs:

http://www.cisco.com/en/US/docs/security/asa/asa71/getting_started/asa5500/quick/guide/asa_gsg.html

PeterBodzay Tue, 03/18/2008 - 09:20

Well, there is a local user that I've made for test VPN connections. There is also an AAA config for VPN connections. However, I haven't issued the commands for SSH (as described in the link you supplied)...

Think I'm stuck with console the next time I get on site... :-p

I'll get back to you then!

PeterBodzay Wed, 03/19/2008 - 09:11

Yeah!

Worked great, thanks.

Can't understand why SSH is enabled on the inside interface in the default config but not the local authentication of SSH sessions... What's the point of enabling something you can't use?

However, I've learned to:

aaa authentication ssh console LOCAL

before doing anything else on my ASAs... ;-)

JORGE RODRIGUEZ Wed, 03/19/2008 - 10:25

Pete, thanks for the update. Indeed, I do not believe SSH would be preconfigured on an ASA out of the box; at least it was not the case in our ASAs. Perhaps things have changed with newer ASA shipments, or perhaps the ASA was previously used and its config was not fully cleared. In any case, the most important thing is that you have it working and understand how to implement aaa authentication using local users on the ASA.

Thanks for the rating. I encourage you to participate in the Cisco forums; you'll be surprised how much you can learn here as well as share your networking experiences.

Bst Rgds

Jorge
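
Added example (not part of the original thread and not Cisco's or the posters' code): a small Python check that runs the two verifications discussed above over saved `dir` and `show run` output, flagging an `asdm image` statement that points at a missing or mismatched file and SSH access permitted without `aaa authentication ssh console`. The function names, the ASA-to-ASDM train table, the `asdmXYZ` file-name parsing and the sample text are assumptions made for illustration.

```python
import re

# Assumption: ASA release train -> ASDM release train, limited to the two
# trains seen in this thread; extend it from Cisco's compatibility matrix.
ASDM_FOR_ASA = {"7.2": "5.2", "8.0": "6.0"}

def flash_files(dir_output):
    """File names from `dir` output (last column of the -rwx lines)."""
    return {l.split()[-1] for l in dir_output.splitlines()
            if re.match(r"\s*\d+\s+-rwx\s", l)}

def asdm_train(name):
    """asdm-603.bin -> '6.0'; None when the name does not follow that pattern."""
    m = re.fullmatch(r"asdm-(\d)(\d)\d+\.bin", name)
    return f"{m.group(1)}.{m.group(2)}" if m else None

def audit(asa_version, dir_output, running_config):
    """Return findings; asa_version is written as in the thread, e.g. '7.2(2)'."""
    findings = []
    m = re.search(r"^asdm image \S+?:/(\S+)$", running_config, re.M)
    if not m:
        findings.append("no 'asdm image' statement")
    else:
        image = m.group(1)
        if image not in flash_files(dir_output):
            findings.append(f"{image} not present in flash")
        wanted = ASDM_FOR_ASA.get(re.match(r"\d+\.\d+", asa_version).group())
        if wanted and asdm_train(image) not in (None, wanted):
            findings.append(f"{image} does not match ASA {asa_version}; need ASDM {wanted}(x)")
    ssh_on = re.search(r"^ssh \d+\.\d+\.\d+\.\d+ \S+ \S+$", running_config, re.M)
    ssh_aaa = re.search(r"^aaa authentication ssh console \S+", running_config, re.M)
    if ssh_on and not ssh_aaa:
        findings.append("ssh permitted but no 'aaa authentication ssh console'")
    return findings

# Constructed sample input, not captured from a real device.
SAMPLE_DIR = """Directory of disk0:/
75 -rwx 6851212 05:22:16 Dec 11 2007 asdm-603.bin
83 -rwx 5539756 10:14:02 Mar 18 2008 asdm-523.bin
2 drwx 4096 05:27:40 Dec 11 2007 log
"""
SAMPLE_CONFIG = """asdm image disk0:/asdm-603.bin
http server enable
ssh 192.168.1.0 255.255.255.0 inside
"""

if __name__ == "__main__":
    for finding in audit("7.2(2)", SAMPLE_DIR, SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Running it before a change window on a saved copy of the configuration catches both lockout conditions from this thread while console access is still at hand.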
