Unable to access inside ASDM on PIX

Answered Question
Dec 15th, 2008

Hi all:


I cannot access the ASDM on the PIX when I type in


Any advice would be appreciated.


epohxavrio Mon, 12/15/2008 - 10:38

I put that in:

aaa authentication ssh console LOCAL

Range already exists.


So I removed it and put it back in.


Same thing, it just tries to load, but never does.

jbalchunas Mon, 12/15/2008 - 11:34

What do you mean by the page tried to load? Are you prompted for credentials and they don't work? Are you prompted for credentials, they work but the ASDM times out when loading?


One thing to look at is if your Java version got updated automatically. ASDM 6.1(3) does not play well with the latest version of JRE. The latest version it will work with is Java 6 Update 7.

epohxavrio Mon, 12/15/2008 - 11:40

No, I am not prompted at all for credentials; the page just keeps showing that it is loading but never does, and no content ever appears. I checked the version of Java; I have two:


1.6.0 update 1

1.6.0 update 10

epohxavrio Mon, 12/15/2008 - 13:03

I also tested this from another computer that only had Java 1.6 update 7


It didn't work either.

don.click1 Mon, 12/15/2008 - 16:35

Are you using https:///admin or just https:// ?


For us, if you don't add the /admin, you get the SSL WebVPN login page.


Just a thought.

jbalchunas Tue, 12/16/2008 - 08:37

Using the following command, we are prompted for username/password when connecting via ASDM.


aaa authentication serial console TACACS+ LOCAL


I know it seems counter-intuitive with the serial command, but I can change what account is authorized to access ASDM by adding/removing our TACACS+ config. If you simply use:


aaa authentication serial console LOCAL


you should be prompted for your local admin account.

CDawe Wed, 12/17/2008 - 00:09

Hi,

You are specifying two particular IP addresses as being allowed from the inside network. Just a thought: are you sure that the PCs you are using to access the PIX have the correct IP addresses?

epohxavrio Wed, 12/17/2008 - 05:59

Yes, they are the correct IP addresses.


I thought it was something simple, but I might have to get TAC involved.

JORGE RODRIGUEZ Wed, 12/17/2008 - 09:44

I cannot access the ASDM on the PIX when I type in "https://" & PIX_inside_IP

I had no problem accessing the ASDM until I added the user admin to the config. I tried to login once, and I have never been able to access the ASDM again.


I tested using admin as you did and it worked fine. Could you use a different username with privilege 15 instead of admin to at least narrow down this issue?

epohxavrio Wed, 12/17/2008 - 09:57

Well, actually admin is not the actual username.


But I can't even get to the page that shows run as ASDM or Java app; the page never finishes loading (no HTML content is displayed).

JORGE RODRIGUEZ Wed, 12/17/2008 - 10:14

OK, have you tried accessing it from a different machine? It seems to me that something may have changed on either the PC or the ASA firewall besides creating the username.


Can you do a telnet test from the machine to rule out a secure port connectivity issue?


From the PC you are using to access the firewall inside IP, can you do a telnet test on port 443?


c:\telnet 443

If you get a black screen, an issue with HTTP services on the firewall is ruled out.


Can you then try access from a different PC and see the results? At least we can then say whether it is the machine you are accessing the firewall from.


Also, you did not mention if you can telnet to the firewall. Can you telnet at all using the username you created?



epohxavrio Wed, 12/17/2008 - 10:50

RE telnet test on port 443:

Yes, just the black screen.


RE telnet to firewall using the username I created:

Yes, I can. I just tested that per your recommendation (good idea).


I power cycled the PIX and I was able to access the main again (progress)


I am getting an error message now. I will put a screen shot up in a minute.

epohxavrio Wed, 12/17/2008 - 11:23

I already installed that, how do I force ASDM to use the older version of Java?

JORGE RODRIGUEZ Wed, 12/17/2008 - 11:34

OK, what version of code are you running now?


Post the output of show version.



epohxavrio Wed, 12/17/2008 - 11:54

Cisco PIX Security Appliance Software Version 8.0(4)

Device Manager Version 6.1(3)


Compiled on Thu 07-Aug-08 19:42 by builders

System image file is "flash:/pix804.bin"

Config file at boot was "startup-config"


PIX515E up 2 hours


Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB


0: Ext: Ethernet0 : address is 0013.60b8.f2ca, irq 10

1: Ext: Ethernet1 : address is 0013.60b8.f2cb, irq 11

2: Ext: Ethernet2 : address is 000e.0c6e.8b04, irq 11


Licensed features for this platform:

Maximum Physical Interfaces : 3

Maximum VLANs : 10

Inside Hosts : Unlimited

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

Cut-through Proxy : Enabled

Guards : Enabled

URL Filtering : Enabled

Security Contexts : 0

GTP/GPRS : Disabled

VPN Peers : Unlimited


This platform has a Restricted (R) license.


Serial Number:

Running Activation Key: xxxxxxxxxxxxxxxxxx

Configuration last modified by user_15 at 05:04:53.232 CST Wed Dec 17 2008


JORGE RODRIGUEZ Wed, 12/17/2008 - 12:14

I'll go by what you said, that your machine has JRE 6 Update 7. I'm running the exact same code you are running.


I would try this: disable and re-enable HTTP services.


http server disable

http server enable

write mem


If you still get the ASDM error message, download a fresh copy of ASDM 6.1.3 (release date August 2008) or ASDM 6.1.5 (release date Oct 2008) and re-install ASDM.



6.1.3 release info, see the Java section:

http://www.cisco.com/en/US/docs/security/asdm/6_1/release/notes/rn613.html



6.1.5 release info, see the Java section:

http://www.cisco.com/en/US/docs/security/asdm/6_1/release/notes/rn615.html




epohxavrio Wed, 12/17/2008 - 12:27

I should have clarified myself: Yes, I installed that version (JRE 6 Update 7) but I also have installed JRE 6 Update 10 (for security reasons).


http server disable does not appear to work


http server ?

reveals enable only

JORGE RODRIGUEZ Wed, 12/17/2008 - 12:31

From the machine running JRE 6 Update 7, can you load ASDM from it? Update 10 seems to be where there is an issue with that exact message you have attached.

epohxavrio Wed, 12/17/2008 - 12:40

Yes I can. So if I upgrade to asdm 6.1.5 I should be able to run from both machines?

JORGE RODRIGUEZ Wed, 12/17/2008 - 12:43

I don't think it will.


Quote from release 6.1.5:


If you load ASDM using ASDM version 5.0 or later, running on ASA, PIX or FWSM, and use Java 6 Update 10 or later, a dialog is displayed that states: "ASDM cannot be loaded. Click OK to exit ASDM. Unconnected sockets not implemented". This occurs when using Java 6 Update 10 or later. To get ASDM to load correctly, use Java 6, update 7.


epohxavrio Wed, 12/17/2008 - 12:47

Gotcha, so simply put, in order to access the ASDM I need to remove the newer version(s) of JRE and stick with Update 7.

Correct Answer
JORGE RODRIGUEZ Wed, 12/17/2008 - 12:53

Hold on, I am reading an interim release of ASDM which may have a fix for this issue.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsv12681



[edit]

CSCsv12681 Bug Details

Symptom:

While loading ASDM, a dialog is displayed that says:

"ASDM cannot be loaded. Click OK to exit ASDM.

Unconnected sockets not implemented"


This occurs when using Java 6 Update 10 or later.


Conditions:

ASDM version 5.0 or later running on ASA, PIX or FWSM and using Java 6 Update 10 or later.


Workaround:

Use Java 6 Update 7.


1st Found-In

5.0(8)

5.1(2)

5.2(4)

6.1(5)

5.2(4)F

6.1(1)F



Fixed-In

6.2(0.70)

6.2(0.71)

6.1(1.55)F

5.2(4.51)

6.1(5.51)




You can use this release based on the above report.


asdm-61551.bin
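
An added example, not part of the original thread or of any Cisco tooling: a small Python check that reads the "Device Manager Version" line from `show version` and compares it with the Fixed-In builds quoted above, so you can tell whether a given ASDM/Java pairing still needs the Java 6 Update 7 workaround. It assumes a Fixed-In build only covers later builds in the same major.minor train (with "F" builds tracked separately) and that the Java version is given in the `1.6.0_10` form; all function names are hypothetical.

```python
import re

# Fixed-In releases exactly as listed in the CSCsv12681 details quoted in the thread.
FIXED_IN = ["6.2(0.70)", "6.2(0.71)", "6.1(1.55)F", "5.2(4.51)", "6.1(5.51)"]

# Constructed sample: two lines taken from the "show version" output posted in the thread.
SAMPLE_SHOW_VERSION = """\
Cisco PIX Security Appliance Software Version 8.0(4)
Device Manager Version 6.1(3)
"""

_ASDM_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(F?)$")
_JAVA_RE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?$")

def parse_asdm(version):
    """'6.1(1.55)F' -> (train, build, f_flag) = ((6, 1), (1, 55), True)."""
    m = _ASDM_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ASDM version: {version!r}")
    major, minor, maint, interim, flag = m.groups()
    return (int(major), int(minor)), (int(maint), int(interim or 0)), flag == "F"

def asdm_from_show_version(output):
    """Pull the ASDM release out of 'show version' text, or None if absent."""
    m = re.search(r"^Device Manager Version\s+(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None

def has_fix(asdm_version):
    """True/False against the same-train Fixed-In build; None if none is listed."""
    train, build, flag = parse_asdm(asdm_version)
    fixes = [b for t, b, f in map(parse_asdm, FIXED_IN) if t == train and f == flag]
    return build >= min(fixes) if fixes else None

def java_affected(java_version):
    """True for Java 6 Update 10 or later, given a '1.6.0_10' style string."""
    m = _JAVA_RE.match(java_version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {java_version!r}")
    return (int(m.group(1)), int(m.group(2) or 0)) >= (6, 10)

def needs_java_workaround(show_version_output, java_version):
    """True when the pairing matches the bug's conditions and no fix is confirmed."""
    asdm = asdm_from_show_version(show_version_output)
    if asdm is None:
        raise ValueError("no Device Manager Version line found")
    # Assumption: a train with no listed Fixed-In build is treated as unfixed.
    return java_affected(java_version) and has_fix(asdm) is not True
```
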




epohxavrio Wed, 12/17/2008 - 14:28

Thanks, it works in XP but not in Vista. So I guess I will have to use it in XP (VM).


I removed all other versions of JRE on the Vista box, leaving only JRE 6 Update 10.

JORGE RODRIGUEZ Wed, 12/17/2008 - 15:27

Great.. at least we got to the bottom of the issue, don't forget to rate post if it helped.



Best Rgds

Jorge

epohxavrio Thu, 12/18/2008 - 05:44

I will and thank you for your help getting me through this!!


For anyone else experiencing this same issue.


Run the ASDM in XP compatibility mode.
