Cannot access ASDM

Unanswered Question
Oct 1st, 2010

I have an ASA5505.  I was in on ASDM and working fine.  I added a new user and seem to locked myself out of ASDM.  Not with I try to access it I get

"Identification required. Please select certificate to be used for authentication"

The list of certificates is blank.  I tried to regenerate a key from the CLI but it was unsuccessful.  I can't get in on ASDM.  Does anyone know how to get by this?  Maybe I generated the key wrong...

Harrison

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Federico Coto F... Fri, 10/01/2010 - 13:07

Hi,

If you just generate the keys again it work?

ca zeroize rsa

ca generate rsa key

Try again....

If the problem persists check you have the following in the configuration:

http server enable

http x.x.x.x mask inside --> x.x.x.x should be the IP were you're coming from.

username test password test123 priv 15

aaa authentication http console LOCAL

Federico.

mirober2 Fri, 10/01/2010 - 13:20

Hi Harrison,

Can you check the output of 'show run all ssl' and 'show run aaa' and post the results here?

-Mike

HMidkiff Fri, 10/01/2010 - 13:57

Thanks for replying to my post.   I tried the other recommendation but didn't work.  Here is the output.

ASA(config)# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point localtrust inside
ssl trust-point localtrust outside

ASA(config)# sh run aaa
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL

Federico Coto F... Fri, 10/01/2010 - 15:22

So, you do have other users able to access ASDM or nobody can access ASDM anymore?

You can do a ''sh asp table socket'' and make sure the ASA is listening on port 443 for HTTPS:

i.e

ASA(config)# sh asp table socket
Protocol  Socket    Local Address               Foreign Address         State
SSL       00009b1f  192.168.102.3:443           0.0.0.0:*               LISTEN

Also ''sh run http'' should be allowing all the IPs where you initiate the ASDM connection to the ASA.

Since you're using LOCAL authentication for HTTP, you should have a valid username (witgh privilege 15) on the local database on the ASA ''sh run username''

Federico.

HMidkiff Fri, 10/01/2010 - 17:27

Thanks for replying to my post

I can't get access to the ASA right now.  I think the issue is ASDM does not have a certificate to serve out when someone connects.  Do you know of a way from the CLI to regenerate the certificate for ASDM?  When I Google this I find a lot of stuff but they want you to generate the certificate from inside the ASDM.  Right now I can't get there....

Harrison

praprama Fri, 10/01/2010 - 18:21

If you have accessto the CLI, please run a "debug http 255" when trying to access the ASDM and past the outputs here.

Regards,

Prapanch

Namit Agarwal Fri, 10/01/2010 - 23:37

Hi,

Could you please paste the running config of the ASA ? Also what is the version of ASDM you are running ?

Regards,

Namit

HMidkiff Sat, 10/02/2010 - 10:29

Here is the "show run" I X'ed out the sensitive stuff.   I think the issue is with the certificate for the ASDM.

ASA Version 8.2(3)
!
hostname ASA
domain-name avispl.com
enable password XXXXXXXX
passwd XXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.200.4.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XXXXXXXX 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name avispl.com
object-group network CORP_VPN_NETWORKS
network-object 192.168.2.0 255.255.255.0
network-object 192.168.28.0 255.255.255.0
network-object 192.168.21.0 255.255.255.0
network-object 10.9.30.0 255.255.255.0
network-object 10.9.31.0 255.255.255.0
network-object 10.2.10.0 255.255.255.0
object-group network obj_any
access-list outside_1_cryptomap extended permit ip 10.200.4.0 255.255.255.0 object-group CORP_VPN_NETWORKS
access-list nonat extended permit ip 10.200.4.0 255.255.255.0 object-group CORP_VPN_NETWORKS
access-list nonat extended permit ip object-group CORP_VPN_NETWORKS 10.200.4.224 255.255.255.224
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 192.168.28.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 10.9.30.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 10.9.31.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 10.2.10.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq www
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq ftp
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq ftp-data
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq nntp
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq domain
access-list CORP_ACCESS_IN extended permit udp 10.200.4.0 255.255.255.0 any eq domain
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq https
access-list CORP_ACCESS_IN extended permit udp 10.200.4.0 255.255.255.0 any eq 443
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq telnet
access-list CORP_ACCESS_IN extended permit tcp 10.200.4.0 255.255.255.0 any eq 1194
access-list CORP_ACCESS_IN extended permit icmp 10.200.4.0 255.255.255.0 any
access-list DUBAI-VPN-ACCESS_splitTunnelAcl standard permit 10.2.10.0 255.255.255.0
access-list DUBAI-VPN-ACCESS_splitTunnelAcl standard permit 10.9.30.0 255.255.255.0
access-list DUBAI-VPN-ACCESS_splitTunnelAcl standard permit 10.9.31.0 255.255.255.0
access-list DUBAI-VPN-ACCESS_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list DUBAI-VPN-ACCESS_splitTunnelAcl standard permit 192.168.21.0 255.255.255.0
access-list DUBAI-VPN-ACCESS_splitTunnelAcl standard permit 192.168.28.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool DUBAI-VPN-IP-POOL 10.200.4.200-10.200.4.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group CORP_ACCESS_IN in interface inside
route outside 0.0.0.0 0.0.0.0 XXXXXXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AUTH-GRP-TPADC3 protocol radius
aaa-server AUTH-GRP-TPADC3 (inside) host 10.2.10.5
timeout 5
key *****
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 30
http 192.168.0.0 255.255.0.0 inside
http 10.200.4.0 255.255.255.0 inside
http authentication-certificate inside
snmp-server host inside 10.2.10.52 community *****
snmp-server location Dubai
snmp-server contact XXXXXXXX
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer XXXXXXXX
crypto map outside_map 1 set transform-set strong
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
enrollment self
fqdn DUBAI.avispl.com
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn dubai-asa.aviinc.local
email [email protected]
subject-name CN=ASA.AVISPL.COM,OU=iTAC,O="AVI-SPL, Inc.",C=US,St=Florida,L=Tampa,[email protected]
crl configure
crypto ca trustpoint ASA_TrustedRoot
enrollment self
fqdn dubai-asa.aviinc.local
email [email protected]
subject-name CN=asa.AVISPL.COM,OU=iTAC,O="AVI-SPL, Inc.",C=US,St=Florida,L=Tampa,[email protected]
proxy-ldc-issuer
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.200.4.100-10.200.4.150 inside
dhcpd dns 192.168.2.34 192.168.2.18 interface inside
dhcpd wins 192.168.2.34 192.168.2.18 interface inside
dhcpd domain aviinc.local interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust inside
ssl trust-point localtrust outside
webvpn
group-policy DUBAI-VPN-ACCESS internal
group-policy DUBAI-VPN-ACCESS attributes
banner value XXXXXXXX
wins-server value 10.2.10.5 192.168.2.34
dns-server value 10.2.10.5 192.168.2.34
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DUBAI-VPN-ACCESS_splitTunnelAcl
default-domain value XXXXXXXX
username XXXXXXXX password XXXXXXXX encrypted privilege 15
tunnel-group XXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXX ipsec-attributes
pre-shared-key *****
tunnel-group DUBAI-VPN-ACCESS type remote-access
tunnel-group DUBAI-VPN-ACCESS general-attributes
address-pool DUBAI-VPN-IP-POOL
authentication-server-group AUTH-GRP-TPADC3
default-group-policy DUBAI-VPN-ACCESS
tunnel-group DUBAI-VPN-ACCESS ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:97f6d70f51ea165dfc5923697f595a94
: end

HMidkiff Sat, 10/02/2010 - 10:24

This is the output of the debug.

ASA(config)# debug http 225
debug http enabled at level 225.
ASA(config)# HTTP: Periodic admin session check  (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check  (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check  (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check  (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check  (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check  (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check  (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check  (idle-timeout = 1800, session-timeout = 0)
HTTP: Periodic admin session check  (idle-timeout = 1800, session-timeout = 0)
HTTP: processing ASDM request [/admin/version.prop] with cookie-based authentication (aware_webvpn_conf.re2c:422)
HTTP: check admin session. Cookie index [-1][0]
HTTP: client certificate required = 1
HTTP: enforce client certificate for the next request
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: processing ASDM request [/idm/idm.jnlp/] with cookie-based authentication (aware_webvpn_conf.re2c:422)
HTTP: check admin session. Cookie index [-1][0]
HTTP: client certificate required = 1
HTTP: enforce client certificate for the next request
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: ASDM request detected [ASDM/] for [/+webvpn+/index.html]
ewsStringSearch: no buffer
Close 0
HTTP: Periodic admin session check  (idle-timeout = 1800, session-timeout = 0)

Kureli Sankar Sat, 10/02/2010 - 15:31

Did you try to remove this line from the config and try asdm again?

conf t

no http authentication-certificate inside

-KS

Pronay Deb Sat, 03/15/2014 - 05:54

I know this is an old post.....but your comment had helped to get out from a long pending issue....thanks GBU

praprama Sat, 10/02/2010 - 17:16

"Hi,

The ASA seems to be requesting for a client  certificate as see from the debugs:

HTTP: client certificate required = 1

Please remove the command " /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;} http authentication-certificate inside" and then try accessing the ASDM.Let me know how it goes.

Regards,

Prapanch

HMidkiff Sun, 10/03/2010 - 09:08

I will try both suggestions on Monday morning.  Thanks all for you input.

HMidkiff Mon, 10/04/2010 - 16:36

Thanks to all who replied....

I fixed the problem.  I created a user account on ASA.  Some how with all the changes the account was removed?  I added the account from the CLI and was able to get into ASDM.  Hmmmmm

Thanks again to all

Harrison

Actions

This Discussion