ASA5505 ASDM WON'T LAUNCH

Answered Question
Dec 5th, 2013

I am at my wits' end with this one and can't seem to find anything that matches my situation. So I have an ASA5505 that I am trying to get the ASDM running on. I have done this before on other firewalls with no issue. Every time I go to the url https://192.168.1.1 I get the prompt to accept the certificate, which I do, then it just goes blank and the page freezes. If I try to launch it straight from the ASDM launcher it also just freezes. I have double checked my ssl encryption and made sure it has rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1. I am using the asdm-714.bin image and have tried getting it to run on the asa 8.2.5, 8.4.7 and 9.1.3 code and get the same results with each version of code I put on this device. I have also tried multiple computers, and both computers connect to my other firewalls just fine via url to launch asdm or the asdm launcher, so I know it isn't a java issue with them. Is there something I am missing? I have tried accessing the url using Safari, Firefox, Chrome and IE, all with the same results: accept the cert and it just hangs there and never displays the asdm launch page. Please Help!

erickson.brett Thu, 12/05/2013 - 16:46

More information, I have currently put 8.2.5 code back on my 5505, and have "asdm image disk0:/asdm-714.bin" go to the url accept the cert, and it just freezes.

Julio Carvajal Thu, 12/05/2013 - 19:56

Hello,

Share:

Show run http

show run aaa

show run asdm

Can you also enable

debug http 255

and then connect

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

erickson.brett Fri, 12/06/2013 - 07:52

ciscoasa# show run all http
http server enable 443
http 192.168.1.0 255.255.255.0 inside

show run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

ciscoasa# show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled

ciscoasa# show run all aaa
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa proxy-limit 16
no aaa authentication secure-http-client
no aaa local authentication attempts max-fail
no aaa authorization exec authentication-server

ciscoasa# show run all asdm
asdm image disk0:/asdm-714.bin
no asdm history enable

ciscoasa# debug http 255
debug http enabled at level 255.
ciscoasa# HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)
HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)
HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)
HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)

erickson.brett Fri, 12/06/2013 - 08:07

Also I have tried power cycling the ASA, using a different asdm image file, the image file "asdm-714.bin" I got straight from the Cisco web site and I have put that image file on another ASA and it worked fine. I am so lost on this one, the debug isn't showing anything when I try to connect, it just keeps giving the:

HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)

Any ASA Ninjas out there have any idea what I should try next?

Julio Carvajal Fri, 12/06/2013 - 08:18

Hello,

do

capture capin interface inside match tcp any host x.x.x.x eq 443 (where x.x.x.x is the ASA inside interface)

capture asp type asp-drop all circular-buffer

afterwards try to connect and provide

show cap capin

show cap asp | include x.x.x.x

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

erickson.brett Fri, 12/06/2013 - 08:21

ciscoasa(config)# show capture
capture capin type raw-data interface inside [Capturing - 0 bytes]
  match tcp any host 192.168.1.1 eq https
capture asp type asp-drop all circular-buffer [Capturing - 1066 bytes]

erickson.brett Fri, 12/06/2013 - 08:23

ciscoasa# show cap asp | include 192.168.1.1
   1: 09:20:30.891280 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
   2: 09:20:31.916898 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535
   3: 09:20:33.024611 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
   4: 09:20:34.032224 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
   5: 09:20:35.138573 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
   6: 09:20:35.186071 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500:  udp 122 Drop-reason: (acl-drop) Flow is denied by configured rule
   7: 09:20:36.248735 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
   8: 09:20:38.264985 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
   9: 09:20:42.283783 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
  10: 09:20:50.287659 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
  11: 09:21:05.202916 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500:  udp 122 Drop-reason: (acl-drop) Flow is denied by configured rule
  12: 09:21:06.341260 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
  13: 09:21:35.221820 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500:  udp 122
  14: 09:22:05.246065 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500:  udp 122 Drop-reason: (acl-drop) Flow is denied by configured rule
  15: 09:22:35.270432 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500:  udp 122

erickson.brett Fri, 12/06/2013 - 08:25

Huh, there is some acl rule dropping it if I am reading this right, but I don't even have any ACLs configured on this ASA. I did a "wr erase" and have really only done the config to the point so I can't access the asdm.

Julio Carvajal Fri, 12/06/2013 - 08:28

Check my ARP, Connectivity post and provide results

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal Fri, 12/06/2013 - 08:23

Hello Brett,

Can you ping the Client PC from the ASA?

Do you see an ARP entry??

It seems like the packets are not even reaching the ASA bud.

Can you try from a different machine

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

erickson.brett Fri, 12/06/2013 - 08:27

I can ping the asa from my computer, and I have tried from two different computers now

Bretts-MBP:~ berickson$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=1.075 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.709 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.728 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=0.708 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=255 time=0.825 ms
^C
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.708/0.809/1.075/0.140 ms

Julio Carvajal Fri, 12/06/2013 - 08:29

What java version do you have on the PCs?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

erickson.brett Fri, 12/06/2013 - 08:31

ciscoasa# show arp
        inside 192.168.1.102 5855.ca22.ffd2 96

erickson.brett Fri, 12/06/2013 - 08:32

On the Mac I am currently using 7 update 35 and I can connect to two other ASAs with no issue. I guess I can't ssh to it either, I just tried that for kicks.

erickson.brett Fri, 12/06/2013 - 08:33

JK, I can ssh. I forgot to add my "ssh 192.168.1.0 255.255.255.0 inside". ssh works fine now, I just can't access the asdm.

erickson.brett Fri, 12/06/2013 - 08:37

Here is the running config, am I missing something? I have checked it so many times.

ciscoasa# show run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name test.local
enable password *removed* encrypted
passwd *removed* encrypted
names
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport access vlan 10
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan10
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name test.local
pager lines 24
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username berickson password *removed* encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:28857584cf7b907dec6680534afadc01
: end

Julio Carvajal Fri, 12/06/2013 - 08:39

Hello

is 102 the internal PC?

Can you do a show flash?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

erickson.brett Fri, 12/06/2013 - 08:41

yes 102 is my computer, and I can ping 192.168.1.102 (my computer) from the asa

ciscoasa(config)# show flash:
--#--  --length--  -----date/time------  path
    3  4096        Aug 23 2013 19:26:26  log
   12  4096        Dec 05 2013 14:42:34  crypto_archive
  116  410532      Dec 05 2013 14:42:10  crypto_archive/crypto_eng0_arch_1.bin
  117  410532      Dec 05 2013 14:42:34  crypto_archive/crypto_eng0_arch_2.bin
   13  4096        Aug 23 2013 19:27:06  coredumpinfo
   14  59          Dec 02 2013 10:09:30  coredumpinfo/coredump.cfg
  102  4792138     Jun 16 2011 15:52:06  anyconnect-win-2.5.3041-k9.pkg
  103  15390720    May 25 2011 19:14:58  asa825-k8.bin
  104  26772780    Apr 20 2011 16:26:46  csd_3.6.181-k9.pkg
  105  418765      Sep 28 2009 12:00:44  sslclient-win-1.1.4.179.pkg
  106  17790720    Dec 02 2013 09:50:44  asdm-711-52.bin
  107  22658960    Dec 05 2013 15:33:12  asdm-714.bin
  108  0           Dec 02 2013 10:09:30  nat_ident_migrate
  109  2768        Dec 02 2013 10:09:30  8_2_5_0_startup_cfg.sav
  110  1138        Dec 02 2013 10:09:30  upgrade_startup_errors_201312021009.log
  112  27408384    Dec 02 2013 11:06:02  asa903-k8.bin
  113  26984448    Dec 02 2013 11:06:42  asa913-k8.bin
  114  24809472    Dec 02 2013 11:46:20  asa847-k8.bin

256503808 bytes total (88137728 bytes free)

erickson.brett Fri, 12/06/2013 - 09:01

I just don't get it, why would it hit the ASA from my web browser then ask me if I want to accept the certificate and then once I accept it then it just does nothing?

erickson.brett Fri, 12/06/2013 - 09:05

Ok I have been trying to connect and checking the capture you had me setup, I saw this one.

79: 09:45:50.837481 802.1Q vlan#10 P0 192.168.1.102.58824 > 192.168.1.1.443: R 86402545:86402545(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order

erickson.brett Fri, 12/06/2013 - 09:20

I can't see how it would be java related, I can't even display the web page that would then launch the java application.

erickson.brett Fri, 12/06/2013 - 10:04

Here is the version info if this helps anyone come up with any ideas, I am so at a loss right now...

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 7.1(4)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 4 mins 2 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is 0021.5595.8321, irq 11
 1: Ext: Ethernet0/0         : address is 0021.5595.8319, irq 255
 2: Ext: Ethernet0/1         : address is 0021.5595.831a, irq 255
 3: Ext: Ethernet0/2         : address is 0021.5595.831b, irq 255
 4: Ext: Ethernet0/3         : address is 0021.5595.831c, irq 255
 5: Ext: Ethernet0/4         : address is 0021.5595.831d, irq 255
 6: Ext: Ethernet0/5         : address is 0021.5595.831e, irq 255
 7: Ext: Ethernet0/6         : address is 0021.5595.831f, irq 255
 8: Ext: Ethernet0/7         : address is 0021.5595.8320, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 20, DMZ Unrestricted
Inside Hosts                   : Unlimited
Failover                       : Active/Standby
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 25
Dual ISPs                      : Enabled
VLAN Trunk Ports               : 8
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5505 Security Plus license.

Serial Number: *removed*
Running Activation Key: *removed*
Configuration register is 0x1
Configuration has not been modified since last system restart.

erickson.brett Fri, 12/06/2013 - 10:07

I even just tried reformatting my flash to see if that helped, I only put the asa825-k8.bin and asdm-714.bin back on it.

ciscoasa# show flash:
--#--  --length--  -----date/time------  path
   41  22658960    Dec 05 2013 03:45:44  asdm-714.bin
   42  15390720    Dec 05 2013 03:46:22  asa825-k8.bin
    2  4096        Dec 05 2013 03:56:11  log
    9  4096        Dec 05 2013 03:56:37  crypto_archive
   50  4096        Dec 05 2013 03:56:47  coredumpinfo
   51  43          Dec 05 2013 03:56:47  coredumpinfo/coredump.cfg

255320064 bytes total (216899584 bytes free)

Still no luck, and double verified that my asdm-714.bin works on a different ASA running 8.2.5 code as well.

erickson.brett Fri, 12/06/2013 - 10:25

Julio do you have any other advice? Could it possibly be hardware related?

Julio Carvajal Fri, 12/06/2013 - 10:52

Hello,

Yeah it does not make any sense.

What happens if you plug a computer directly into the ASA and attempt to connect?

You have no idea how many Bugs are related to the Java version bud.

I am sorry if I am going around bud have you rebooted the box?? If yes then do the following:

Let's restart the HTTPS daemon

clear configure HTTP

clear configure asdm

Create your own permanent self-signed certificate and then

Configure HTTP/ASDM again,

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

erickson.brett Fri, 12/06/2013 - 11:03

Computer is plugged directly into the ASA. Quick question, when you say to create my own permanent self-signed cert are you just referring to the "crypto key generate rsa" command or is there more to it?

Julio Carvajal Fri, 12/06/2013 - 12:09

Hello Brett,

Wow this is getting crazy man,

Is there a way that you could downgrade to Java v6?

I know bud. I know.. This works with other firewalls but you have no idea how many times the solution of a ticket was that.

Hope you try it

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

erickson.brett Fri, 12/06/2013 - 12:13

Yes, I am currently using Java 7 update 25, as it was the recommended one on Cisco's web page. But I will downgrade to Java 6 and let you know how it goes.

erickson.brett Fri, 12/06/2013 - 12:23

Ha, this will be the death of me. I installed Java 6 update 45, tried to hit the web page in IE, accepted the cert and then.....

NOTHING!!

I really do appreciate your help, I thought I was just missing something. That is why I was wondering if there was any type of hardware issue that could be causing this, as nothing I have tried has seemed to work.

erickson.brett Fri, 12/06/2013 - 12:56

No Luck.

I did "no webvpn"

then "no http server enable" then "http server enable" just for kicks to restart it.

I still get the exact same results

erickson.brett Fri, 12/06/2013 - 13:04

I am not the biggest Wireshark guru but here is what the capture shows from the client side when I try to connect to it.

I am now trying it from a different PC, so the client address changed to 192.168.101, still directly connected to the ASA.

Julio Carvajal Fri, 12/06/2013 - 13:14

Hello,

Okay, 2 more left haha.

so

https://ip_inside/admin did not do it.

The capture shows the inside client sending a FIN packet for the closure of the session. Then the ASA replies to that.

do

crypto key generate rsa label SSL
crypto ca trustpoint localtrust
enrollment self
keypair SSL
exit

crypto ca enroll localtrust noconfirm

ssl trust-point localtrust inside

Then try to connect again.

By the way what do the ASA logs say when you attempt to connect

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

erickson.brett Fri, 12/06/2013 - 13:28

I was hopeful on that one, but the same results still exist.

ciscoasa# show logging asdm
5|Dec 05 2013 07:23:42|111008: User 'enable_15' executed the 'logging asdm informational' command.
5|Dec 05 2013 07:23:43|111008: User 'enable_15' executed the 'logging device-id hostname' command.
5|Dec 05 2013 07:23:46|111005: console end configuration: OK
6|Dec 05 2013 07:23:50|110002: Failed to locate egress interface for UDP from inside:192.168.1.101/60961 to 10.30.15.25/161
6|Dec 05 2013 07:24:02|110002: Failed to locate egress interface for UDP from inside:192.168.1.101/60961 to 10.30.15.25/161
6|Dec 05 2013 07:24:14|110002: Failed to locate egress interface for UDP from inside:192.168.1.101/60962 to 10.30.15.25/161
6|Dec 05 2013 07:24:26|110002: Failed to locate egress interface for UDP from inside:192.168.1.101/60962 to 10.30.15.25/161
6|Dec 05 2013 07:25:02|302010: 1 in use, 5 most used

erickson.brett Fri, 12/06/2013 - 13:30

FYI these are my logging settings

ciscoasa# show run log
logging enable
logging timestamp
logging console warnings
logging buffered warnings
logging trap warnings
logging asdm informational
logging device-id hostname

Julio Carvajal Fri, 12/06/2013 - 13:41

It does not make any sense why the PC is sending a FIN packet,

You told me you did not capture anything on the ASA right?

show cap capin shows nothing?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

erickson.brett Fri, 12/06/2013 - 13:46

This might be helpful, I just got an error when I tried to connect..

Dec 05 2013 07:43:17 ciscoasa : %ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Invalid Scatter/Gather Write Length, code= 0xD) while executing the command SSL Process Handshake Record (0x208D).

erickson.brett Fri, 12/06/2013 - 13:47

ciscoasa# show capture capin

34 packets captured

   1: 07:43:09.000854 802.1Q vlan#10 P0 192.168.1.101.50024 > 192.168.1.1.443: R 4072447170:4072447170(0) ack 238030498 win 0
   2: 07:43:16.537371 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: S 4130703030:4130703030(0) win 65535
   3: 07:43:16.537478 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50050: S 2002311585:2002311585(0) ack 4130703031 win 8192
   4: 07:43:16.537783 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: . ack 2002311586 win 65535
   5: 07:43:16.539660 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: P 4130703031:4130703173(142) ack 2002311586 win 65535
   6: 07:43:16.539721 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50050: . ack 4130703173 win 32768
   7: 07:43:16.540285 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50050: P 2002311586:2002312146(560) ack 4130703173 win 32768
   8: 07:43:16.541231 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: . ack 2002312146 win 65535
   9: 07:43:16.572541 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: F 4130703173:4130703173(0) ack 2002312146 win 65535
  10: 07:43:16.572586 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50050: . ack 4130703174 win 32768
  11: 07:43:16.572693 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50050: FP 2002312146:2002312146(0) ack 4130703174 win 32768
  12: 07:43:16.573166 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: . ack 2002312147 win 65535
  13: 07:43:17.907378 802.1Q vlan#10 P0 192.168.1.101.50051 > 192.168.1.1.443: S 4049108725:4049108725(0) win 65535
  14: 07:43:17.907469 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50051: S 65111902:65111902(0) ack 4049108726 win 8192
  15: 07:43:17.907713 802.1Q vlan#10 P0 192.168.1.101.50051 > 192.168.1.1.443: . ack 65111903 win 65535
  16: 07:43:17.908171 802.1Q vlan#10 P0 192.168.1.101.50051 > 192.168.1.1.443: P 4049108726:4049108868(142) ack 65111903 win 65535
  17: 07:43:17.908247 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50051: . ack 4049108868 win 32768
  18: 07:43:17.908796 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50051: P 65111903:65112463(560) ack 4049108868 win 32768
  19: 07:43:17.909559 802.1Q vlan#10 P0 192.168.1.101.50051 > 192.168.1.1.443: . ack 65112463 win 65535
  20: 07:43:17.911528 802.1Q vlan#10 P0 192.168.1.101.50051 > 192.168.1.1.443: F 4049108868:4049108868(0) ack 65112463 win 65535
  21: 07:43:17.911573 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50051: . ack 4049108869 win 32768
  22: 07:43:17.911680 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50051: FP 65112463:65112463(0) ack 4049108869 win 32768
  23: 07:43:17.912443 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: S 820839175:820839175(0) win 65535
  24: 07:43:17.912519 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50052: S 633784619:633784619(0) ack 820839176 win 8192
  25: 07:43:17.912550 802.1Q vlan#10 P0 192.168.1.101.50051 > 192.168.1.1.443: . ack 65112464 win 65535
  26: 07:43:17.913542 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: . ack 633784620 win 65535
  27: 07:43:17.913984 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: P 820839176:820839318(142) ack 633784620 win 65535
  28: 07:43:17.914045 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50052: . ack 820839318 win 32768
  29: 07:43:17.914595 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50052: P 633784620:633785180(560) ack 820839318 win 32768
  30: 07:43:17.915602 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: . ack 633785180 win 65535
  31: 07:43:17.917860 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: P 820839318:820839516(198) ack 633785180 win 65535
  32: 07:43:17.917906 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50052: . ack 820839516 win 32768
  33: 07:44:19.913923 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50052: . ack 820839515 win 32768
  34: 07:44:19.914274 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: . ack 633785180 win 65535

34 packets shown
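The two captures in this thread (the `show cap asp` drops earlier and the `show capture capin` handshakes just above) are easier to read per flow than per packet. The following parser is an added example, my own code and not anything from Cisco or from the posters: it groups ASA `show capture` text lines into flows, attaches asp-drop reasons, and flags the pattern seen here (client sends one record, the ASA answers once, the client sends FIN, or the flow simply stalls). The sample lines are copied from this thread and renumbered; the flow keys and verdict strings are my own.

```python
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^\s*\d+:\s+[\d:.]+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)"
    r" > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<rest>.*)$")
TCP_RE = re.compile(r"^(?P<flags>[SFPR.]+)(?:\s+\d+:\d+\((?P<len>\d+)\))?(?P<ack>\s+ack\s+\d+)?")
DROP_RE = re.compile(r"Drop-reason:\s+\((?P<reason>[^)]+)\)")

@dataclass
class Flow:
    proto: str
    client: tuple            # (ip, port) of the side that sent the first packet seen
    server: tuple
    packets: int = 0
    syn: bool = False        # a bare SYN was captured, so the handshake itself is in view
    client_fin: bool = False
    server_fin: bool = False
    client_data: list = field(default_factory=list)   # payload bytes per client segment
    server_data: list = field(default_factory=list)
    drops: set = field(default_factory=set)            # asp-drop reasons attached to packets

def parse_capture(text):
    """Group ASA `show capture` lines into flows keyed by (proto, low endpoint, high endpoint)."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue         # "34 packets captured" and other non-packet lines
        src, dst = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        tcp = TCP_RE.match(m["rest"])
        proto = "tcp" if tcp else "udp" if m["rest"].startswith("udp") else "other"
        flow = flows.setdefault((proto, *sorted([src, dst])), Flow(proto, src, dst))
        flow.packets += 1
        drop = DROP_RE.search(m["rest"])
        if drop:
            flow.drops.add(drop["reason"])
        if not tcp:
            continue
        from_client = src == flow.client
        if "S" in tcp["flags"] and not tcp["ack"]:
            flow.syn = True
        if tcp["len"] and int(tcp["len"]):
            (flow.client_data if from_client else flow.server_data).append(int(tcp["len"]))
        if "F" in tcp["flags"]:
            flow.client_fin |= from_client
            flow.server_fin |= not from_client
    return flows

def classify(flow):
    """Verdict a defender can act on, checked in priority order."""
    if flow.drops:
        return "dropped by ASA (" + ", ".join(sorted(flow.drops)) + ")"
    if flow.proto != "tcp":
        return "udp, passed"
    if not flow.syn:
        return "mid-stream only (no SYN in capture)"
    if flow.client_fin and len(flow.client_data) == 1 and flow.server_data:
        # One client record, one server reply, then client FIN: TLS setup gave up early.
        return "client FIN after the server's first reply (handshake abandoned)"
    if flow.client_fin or flow.server_fin:
        return "closed"
    return "open, no close seen (stalled)"

def report(text):
    """One row per flow: endpoints, packets, client bytes, server bytes, verdict."""
    return [(f"{f.client[0]}:{f.client[1]} -> {f.server[0]}:{f.server[1]}/{f.proto}",
             f.packets, sum(f.client_data), sum(f.server_data), classify(f))
            for f in parse_capture(text).values()]

# Constructed sample: lines copied from the thread's `show cap asp` and `show capture capin` output.
SAMPLE = """10 packets captured
   1: 09:20:30.891280 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
   2: 09:20:35.186071 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500:  udp 122 Drop-reason: (acl-drop) Flow is denied by configured rule
   3: 07:43:16.537371 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: S 4130703030:4130703030(0) win 65535
   4: 07:43:16.537783 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: . ack 2002311586 win 65535
   5: 07:43:16.539660 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: P 4130703031:4130703173(142) ack 2002311586 win 65535
   6: 07:43:16.540285 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50050: P 2002311586:2002312146(560) ack 4130703173 win 32768
   7: 07:43:16.572541 802.1Q vlan#10 P0 192.168.1.101.50050 > 192.168.1.1.443: F 4130703173:4130703173(0) ack 2002312146 win 65535
   8: 07:43:17.912443 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: S 820839175:820839175(0) win 65535
   9: 07:43:17.913984 802.1Q vlan#10 P0 192.168.1.101.50052 > 192.168.1.1.443: P 820839176:820839318(142) ack 633784620 win 65535
  10: 07:43:17.914595 802.1Q vlan#10 P0 192.168.1.1.443 > 192.168.1.101.50052: P 633784620:633785180(560) ack 820839318 win 32768
"""
if __name__ == "__main__": print(*report(SAMPLE), sep="\n")
```

Run it on a pasted `show capture` dump: flows reported as "handshake abandoned" while a matching %ASA-4-402123 syslog fires point at the SSL accelerator rather than at the ACL or the client.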

Julio Carvajal Fri, 12/06/2013 - 14:09

That's it.

No config issue.

Possible bugs:

CSCsm77854

CSCsd43563

CSCsj02948

Q. How can I resolve this error message: %ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error?

A. In order to resolve this issue, try one of these workarounds:

But contact TAC would be the best.

As I do not work with them anymore I will not be able to access the database for this error.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Marius Gunnerud Sat, 12/07/2013 - 11:31

Have you considered that the ASDM image might be corrupted? Try downloading a new image of asdm-714.bin.

If that doesn't work, try downloading an earlier version of ASDM and connect using that. If that works then you are most likely running into a bug.

--
Please remember to rate and select a correct answer

Correct Answer
Julio Carvajal Sat, 12/07/2013 - 11:38

From customer:

Also I have tried power cycling the ASA, using a different asdm image file, the image file "asdm-714.bin"

So it's a bug. I mean we clearly see the problem with the SSL Crypto Hardware Accelerator

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

erickson.brett Sat, 12/07/2013 - 17:27

Thank you for all your help diagnosing this, I thought I was going insane.

Julio Carvajal Sat, 12/07/2013 - 20:40

Hello bud,

Any time.

Just remember to rate all of the posts you think have been helpful ;)

Regards


Sent from Cisco Technical Support Android App

Posted December 5, 2013 at 4:38 PM
Updated December 5, 2013 at 7:06 PM