Unable to launch ASDM

robin.dabhi1
Level 1

Hello,

I am trying to launch ASDM but it gives me an error saying unable to launch device manager from x.x.x.x

I am running it on a VM on Windows 7, and I have installed JRE.

What could be the problem?

14 Replies

What version ASDM are you running?  Have you configured the ASA to use the correct ASDM image?

enable

config t

asdm image disk0:<asdm-image-name>

--

Please remember to select a correct answer and rate helpful posts


Hey,
It says v1.5(50) on my ASDM.
When I log in to the ASA it shows ASA version 8.2(5) and Device Manager version 6.4(5).

Hi Robin,

Please upgrade your ASDM to the recommended version 7.6.1.

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#pgfId-137099

Regards,

Aditya

I'm having the same problem on a new ASA 5506-X.  I'm able to connect to the ASA and install the ASDM Launcher, but when I launch it (version 1.7(0)) and enter the device's IP address, I get the dreaded "Unable to launch device manager" error.  I've tried leaving the Username and Password fields blank, and have also entered the creds for a local, priv 15 user.

I have 'aaa authentication http console LOCAL', there is an ASDM image file (disk0:/asdm-761.bin), and 'sho ver' says that Encryption-3DES-AES is Enabled.

Are there any other things I can check?

Thanks!

Please confirm that you are connecting from a PC on the permitted management range to the permitted IP address of the ASA. Also please check in the Java control panel (assuming Windows) that you do not have the "Very high" security box checked under the Security tab.

Also please share the output of:

show run ssl
show run http
show run asdm
show run | i username

We are looking for:

1. Any customization of the ssl parameters. For instance if ssl is restricted to advanced ciphers you need to add the JCE extensions to your Java installation. 

2. Confirmation that http is allowed from your PC's address to the interface you are using when trying to launch ASDM.

3. Verification that the default port for ASDM (443) has not been changed.

4. Confirmation that local username(s) exist.

Thanks, Marvin.

[1] 'sho run ssl' output is blank.

[2] 'sho run http' returns:

  http server enable

  http 10.0.1.0 255.255.255.0 inside

[3] 'sho run asdm' returns:

  no asdm history enable

[4] 'sho run | i username' returns:

  username admin password <REDACTED> encrypted privilege 15

I have really just unboxed the ASA, changed the IP address for the inside interface, and added a user.  I would have expected that just getting ASDM up would not be a problem with the default config. :-)

BTW, I'm using a MacBook Pro running OS X 10.10.5, the same configuration I use to manage another ASA (a 5515 running ASA 9.2(2)4) set up by another staffer.  The Mac is connected to G1/2, which I believe is the 'inside' interface on a 5506.

Cheers!

Since your computer is using ASDM successfully on another ASA, your client side is likely all fine.

We should see a second line in the "show run asdm" output. The ASDM image that's sitting on your disk0 needs to be specified in the configuration file. If you go into config mode and enter:

asdm image disk0:/asdm-761.bin

...that should do it in your case. It will take effect straight away, no reload needed. (Of course a "wr mem" would be a good idea.)

Check that Gi1/2 is assigned an address from 10.0.1.0/24 and that your MacBook is too.

You might want to update that ASDM to 7.6(2) once you get it working.
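The four checks listed earlier in the thread, together with the `asdm image` line discussed in the reply above, as an added example (not code from any poster or from Cisco): a Python function that takes the pasted output of `show run http`, `show run asdm`, `show run ssl` and `show run | i username` and reports what would stop ASDM launching from a given client. The function name, the sample text and the default interface name are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: the 'show run' output posted in this thread, joined together.
SAMPLE = """\
http server enable
http 10.0.1.0 255.255.255.0 inside
no asdm history enable
username admin password <REDACTED> encrypted privilege 15
"""

def check_asdm_config(config, client_ip, interface="inside"):
    """Return a list of findings that would block ASDM from client_ip."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    client = ipaddress.ip_address(client_ip)
    # The HTTPS server must be enabled; a trailing number is a non-default port.
    server = [ln for ln in lines if re.fullmatch(r"http server enable( \d+)?", ln)]
    if not server:
        findings.append("http server is not enabled")
    else:
        port = server[0].split()[-1]
        if port.isdigit() and port != "443":
            findings.append(f"ASDM port changed to {port}")

    # An 'http <network> <mask> <interface>' rule must cover the client.
    allowed = False
    for ln in lines:
        m = re.fullmatch(r"http (\S+) (\S+) (\S+)", ln)
        if m and m.group(3) == interface:
            try:
                net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                allowed = allowed or client in net
            except ValueError:
                continue
    if not allowed:
        findings.append(f"{client_ip} not permitted by any 'http' rule on {interface}")

    # Per the reply above: 'show run asdm' should contain an 'asdm image' line.
    if not any(ln.startswith("asdm image ") for ln in lines):
        findings.append("no 'asdm image' line in running-config")
    if not any(ln.startswith("username ") for ln in lines):
        findings.append("no local username configured")
    # Any 'ssl ...' line means customised settings the Java client must support.
    if any(ln.startswith("ssl ") for ln in lines):
        findings.append("ssl parameters customised; check client cipher support")
    return findings

print(check_asdm_config(SAMPLE, "10.0.1.230"))
```

Run against the output posted in the thread, it reports only the missing `asdm image` line; the 10.0.1.230 client is already covered by the `http` rule on `inside`.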

Odd.  I had entered 'show asdm image' before and got:

  Device Manager image file, disk0:/asdm-761.bin

I entered the command you suggested, and 'sho run asdm' now reports:

  asdm image disk0:/asdm-761.bin

  no asdm history enable

Interface G1/2 is assigned 10.0.1.1/24 and the Mac was assigned 10.0.1.230/24 via DHCP ( I changed the DHCP range to match the router the ASA is replacing via 'dhcpd address 10.0.1.230-10.0.1.240').

I can ping the ASA from the Mac, but ssh and telnet do not work.  Hmmmmm.

Telnet will be disabled by default. SSH will need a host key generated first. "crypto key gen rsa mod 2048" will take care of that. 

You will then need to allow it on the inside interface: "ssh 10.0.1.0 255.255.255.0 inside"

Shortly after sending the above I had enabled telnet and ssh on the inside interface as you suggest.  I got the "Fail to establish SSH session because RSA host key retrieval failed" and generated the key, also as you suggest.

Now I'm getting "Unable to negotiate a key exchange method".

The 'fix' for that was to add '-o KexAlgorithms=diffie-hellman-group1-sha1' to the ssh command.  The ASA version I'm running only supports dh-group1-sha1 and dh-group14-sha1.  Maybe the latest version adds more algorithm support.

Looking in the Java log by hitting the Java button in the lower right hand corner of the Launcher dialog, I see:

  java.net.ConnectException: Operation not permitted (connect failed)

Ah - I have seen other posters mistakenly select the Group 14 option and then fail to connect via ssh. That's not a default setting - perhaps your predecessor stirred the settings a bit.

I'm not so familiar with Java settings on a Mac as I'm a Windows guy. :) However the error seems like it's related to Java security settings. Google tells me:

  1. Click on Apple icon on upper left of screen.
  2. Go to System Preferences
  3. Click on the Java icon to access the Java Control Panel.

Perhaps you can tweak that.

Did you perhaps tell it to trust the certificate or add the address of the other ASA you manage to Java's trusted sites?

When all else fails, I sometimes run a Wireshark packet capture (or tcpdump for the hard core types) while trying to connect. That can often show you exactly what the problem is in a more informative way than the on-screen error messages.

Is your ASA configured to use a different port for ASDM other than 443?

show run http

Can you access the ASDM URL?  https://<ASA IP>

--

Please select a correct answer and rate helpful posts


Marvin Rhoads
Hall of Fame

New or old version should be launchable.

Please refer to the troubleshooting guide to eliminate the most common issues launching ASDM.

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-device-manager/110282-asdm-tshoot.html

If that doesn't help, please provide more details - has it ever worked, does it work from any other PC, etc.

If it has never worked and there is a properly referenced ASDM bin file on the ASA, the most common cause of your issue is no 3DES-AES license installed. "show version" will confirm that is or is not the case.

VINH DOAN
Level 1

The way this finally worked for me after many hours of troubleshooting is to: 

* Uninstall Java and ASDM. Reboot.

* Install Java 7. I am running Java 7 update 71.

* Install ASDM from your ASA by https to your ASA.

* Use Firefox and https to your ASA. When prompted that this connection is untrusted, click Add Exception.

* Then click View, then Details, then Export.

* Save as a .scr file.

* Go into your Java in Control Panel, click on the Security tab.

* Click on Manage Certificates.

* Under the Certificate Type drop-down box, choose Secure Site.

* Still in the User tab, click Import, and import the csr file.

* Click OK or Apply.

* then your ASDM.

This should work. 
