ASA 5505 unresponsive remote management

Unanswered Question
Aug 22nd, 2012

Anyone else experience unresponsive / lockups with Cisco ASA 5505 remote management?


I think it happens like this:


1) With ASDM (Java Web Start), add a new crypto map (it could be anything, that just happens to be what I added the last time this happened)

2) Click apply

3) ASDM hangs (at this point the Java client becomes entirely unresponsive)

4) ASDM.jnlp refuses to connect and eventually timeout dialog appears. However, VPN connections are still accepted.

5) After a few hours (over night), the ASA refuses all incoming traffic including VPN connections.

Ramraj Sivagnan... Wed, 08/22/2012 - 03:07

I presume your Internet connection is stable. Hence, what version of FW software and ASDM are you running?

Kasreyn_01 Thu, 08/23/2012 - 02:46

I know the ASA 5505 is up because Nmap tells me so but no open ports, i.e. "1 IP address (1 host up) scanned in .."


After reboot Nmap would return something like this:


Starting Nmap 5.00 ( http://nmap.org ) at 2012-08-23 10:16 CEST
Interesting ports:
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 15.69 seconds



Versions installed are as follows, where ASA 8.2 is the latest possible with 512 MB RAM. But perhaps ASDM can be upgraded while keeping ASA at 8.2?


ASA Version: 8.2(1)
ASDM Version: 6.2(1)
Firewall Mode: Routed
Total Flash: 128 MB
Device Type: ASA 5505
Total Memory: 512 MB


ciscoasa> show version

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 16 hours 9 mins

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 20, DMZ Unrestricted
Inside Hosts                 : Unlimited
Failover                     : Active/Standby
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
SSL VPN Peers                : 2
Total VPN Peers              : 25
Dual ISPs                    : Enabled
VLAN Trunk Ports             : 8
Shared License               : Disabled
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials        : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions      : 2
Total UC Proxy Sessions      : 2
Botnet Traffic Filter        : Disabled

This platform has an ASA 5505 Security Plus license.

Ramraj Sivagnan... Thu, 08/23/2012 - 03:24

Hi Bro

Your Cisco ASDM version 6.2(1) could be hit with Cisco Bug ID CSCtl42678 and CSCsr89144. Please click on the URLs below for the description of the 2 Cisco Bug IDs.


http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsr89144


http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl42678


Your action plan here is to upgrade your Cisco ASA FW and ASDM version to version 8.2.4 (asa824-k8.bin) and version 6.4.2 (asdm-642.bin) respectively.



Upgrading FW software image will require about 15 minutes downtime (including Pre-UAT and Post UAT network/application verification), but the ASDM upgrade can be done on the fly. No downtime needed here. Let me know how this goes.
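
A version check for the upgrade recommended above, added here as an example and not part of the original posts: it parses `show version` text and reports which of the ASA image and ASDM are older than the 8.2.4 / 6.4.2 targets named in the reply. The sample text is constructed from lines quoted earlier in the thread; the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the `show version` output in the thread.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
System image file is "disk0:/asa821-k8.bin"
Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
"""

# Targets as written in the reply (dotted form); the device prints 8.2(4) style.
TARGET_ASA = "8.2.4"
TARGET_ASDM = "6.4.2"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)\)(\d+)?|\.(\d+))?$")

def parse_version(text):
    """Turn '8.2(1)', '8.2(5)33' or '8.2.4' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, interim, dotted = m.groups()
    return (int(major), int(minor), int(maint or dotted or 0), int(interim or 0))

def installed_versions(output):
    """Extract ASA and ASDM versions from `show version` text."""
    patterns = {"asa": r"Appliance Software Version (\S+)",
                "asdm": r"Device Manager Version (\S+)"}
    hits = {name: re.search(p, output) for name, p in patterns.items()}
    return {name: m.group(1) for name, m in hits.items() if m}

def below_target(output, asa_target=TARGET_ASA, asdm_target=TARGET_ASDM):
    """Return {component: (installed, target)} for anything older than target."""
    targets = {"asa": asa_target, "asdm": asdm_target}
    return {
        name: (ver, targets[name])
        for name, ver in installed_versions(output).items()
        if parse_version(ver) < parse_version(targets[name])
    }

if __name__ == "__main__":
    for name, (have, want) in below_target(SAMPLE_SHOW_VERSION).items():
        print(f"{name}: installed {have}, target {want}")
```
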

Kasreyn_01 Fri, 08/24/2012 - 01:21

Thank you for your reply Ramraj.


I'll try what you suggest, but why those particular versions and not the latest possible?

Ramraj Sivagnan... Fri, 08/24/2012 - 01:32

Hi Bro

Since your current software image version is version 8.2.1, the latest within its train is version 8.2.5. After version 8.2.5 comes version 8.3, and so on. Upgrading to version 8.3 or 8.4 (latest) requires a memory upgrade. In other words, this costs $$$$. I hate to propose suggestions that involve costs, unless it's deemed necessary. Furthermore, the CLI syntax in version 8.3 or 8.4 for object names and NATs is totally different compared to version 8.2.X and below. Trust me! It's a pain :-p


For your information, I hate version 8.2.5, as it's very buggy for many reasons. Hence, I suggested to you version 8.2.4 instead. By the way, the ASDM version 6.4.2 is the latest version, suitable for version 8.2.4.


Lastly, upgrading your software image version from version 8.2.1 to 8.2.4 has almost no adverse effects on your present configuration. So, no worries there. Let me know how it goes. Should everything go well, you owe me a beer, just kidding! :-)
