Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA5505 ASDM WON'T LAUNCH

I am at my witts end with this one and can't seem to find anything that matches my situtation. So I have an ASA5505 that I am trying to get the ASDM running on. I have done this before on other firewalls with no issue. Everytime I go to the url https://192.168.1.1 I get the prompt to accept the certificate which I do, then it just goes blank and the page freezes. If I try to launch it straight from the ASDM launcher it also just freezes. I have double checked my ssl encryption and made sure it has rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1. I am using asdm-714.bin image and have tried getting it run on the asa 8.2.5, 8.4.7 and 9.1.3 code and get the same results with each version of code I put on this device. I have also tried multiple computers, and both computer connect to my other firewalls just fine via url to lauch asdm or asdm launcher so I know it isn't a java issue with them. Is there something I am missing?? I have tried accessing the url using Safari, Firefox, Chrome and IE, all with the same results, accept the cert and it just hangs there and never displays the asdm launch page. Please Help!

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions

Re: ASA5505 ASDM WON'T LAUNCH

From customer:

Also I have tried power cycling the ASA, using a diffrent asdm image file, the image file "asdm-714.bin"

So it's a bug. I mean we clearly see the problem with the SSL Crypto Hardware Accelerator

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
43 REPLIES
New Member

ASA5505 ASDM Freezing

More information, I have currently put 8.2.5 code back on my 5505, and have "asdm image disk0:/asdm-714.bin" go to the url accept the cert, and it just freezes.

ASA5505 ASDM WON'T LAUNCH

Hello,

Share:

Show run http

show run aaa

show run asdm

Can you also enable

debug http 255

and then connect

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

ASA5505 ASDM Freezing

ciscoasa# show run all http

http server enable 443

http 192.168.1.0 255.255.255.0 inside

show run all ssl

ssl server-version any

ssl client-version any

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

ciscoasa# show ssl

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1

Start connections using SSLv3 and negotiate to SSLv3 or TLSv1

Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Disabled ciphers: des-sha1 rc4-md5 null-sha1

No SSL trust-points configured

Certificate authentication is not enabled

ciscoasa# show run all aaa

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa proxy-limit 16

no aaa authentication secure-http-client

no aaa local authentication attempts max-fail

no aaa authorization exec authentication-server

ciscoasa# show run all asdm

asdm image disk0:/asdm-714.bin

no asdm history enable

ciscoasa# debug http 255

debug http enabled at level 255.

ciscoasa# HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)

HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)

HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)

HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)

New Member

ASA5505 ASDM Freezing

Also I have tried power cycling the ASA, using a diffrent asdm image file, the image file "asdm-714.bin" I got straight from the cisco web site and I have put that image file on another ASA and it worked fine. I am so lost on this one, the debug isn't showing anything when I try to connect, it just keeps giving the;

HTTP: Periodic admin session check  (idle-timeout = 1200, session-timeout = 0)

Any ASA Ninja's out there have any idea what I should try next?

ASA5505 ASDM Freezing

Hello,

do

capture capin interface inside match tcp any host x.x.x.x eq 443 (where x.x.x.x is the ASA inside interface)

capture asp type asp-drop all circular-buffer

afterwards try to connect and provide

show cap capin

show cap asp | include x.x.x.x

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

ASA5505 ASDM WON'T LAUNCH

ciscoasa(config)# show capture

capture capin type raw-data interface inside [Capturing - 0 bytes]

  match tcp any host 192.168.1.1 eq https

capture asp type asp-drop all circular-buffer [Capturing - 1066 bytes]

New Member

ASA5505 ASDM WON'T LAUNCH

ciscoasa# show cap asp | include 192.168.1.1

   1: 09:20:30.891280 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule

   2: 09:20:31.916898 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535

   3: 09:20:33.024611 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule

   4: 09:20:34.032224 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule

   5: 09:20:35.138573 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule

   6: 09:20:35.186071 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500:  udp 122 Drop-reason: (acl-drop) Flow is denied by configured rule

   7: 09:20:36.248735 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule

   8: 09:20:38.264985 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule

   9: 09:20:42.283783 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule

  10: 09:20:50.287659 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule

  11: 09:21:05.202916 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500:  udp 122 Drop-reason: (acl-drop) Flow is denied by configured rule

  12: 09:21:06.341260 802.1Q vlan#10 P0 192.168.1.102.58504 > 192.168.1.1.80: S 3815319795:3815319795(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule

  13: 09:21:35.221820 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500:  udp 122

  14: 09:22:05.246065 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500:  udp 122 Drop-reason: (acl-drop) Flow is denied by configured rule

  15: 09:22:35.270432 802.1Q vlan#10 P0 192.168.1.102.17500 > 192.168.1.255.17500:  udp 122

New Member

ASA5505 ASDM WON'T LAUNCH

huh, there is some acl rule dropping it if i am reading this right, but i don't even have any ACL's configured on this ASA. I did a "wr erease" have have really only done the config to the point so I can't access the asdm.

ASA5505 ASDM WON'T LAUNCH

Check my ARP, Connectivity post and provide results

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Re: ASA5505 ASDM Freezing

Hello Brett,

Can you ping the Client PC from the ASA?

Do you see an ARP entry??

It seems like the packets are not even reaching the ASA bud.

Can you try from a different machine

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

ASA5505 ASDM WON'T LAUNCH

I can ping the asa from my computer, and I have tried from two different computers now

Bretts-MBP:~ berickson$ ping 192.168.1.1

PING 192.168.1.1 (192.168.1.1): 56 data bytes

64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=1.075 ms

64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=0.709 ms

64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=0.728 ms

64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=0.708 ms

64 bytes from 192.168.1.1: icmp_seq=4 ttl=255 time=0.825 ms

^C

--- 192.168.1.1 ping statistics ---

5 packets transmitted, 5 packets received, 0.0% packet loss

round-trip min/avg/max/stddev = 0.708/0.809/1.075/0.140 ms

ASA5505 ASDM WON'T LAUNCH

What java version do you have on the PCs?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

ASA5505 ASDM WON'T LAUNCH

ciscoasa# show arp

        inside 192.168.1.102 5855.ca22.ffd2 96

New Member

ASA5505 ASDM WON'T LAUNCH

on the mac i am currently using 7 update 35 and I can connect to two other asa's with no issue. I guess I can't ssh to it either, i just tried that for kicks.

New Member

ASA5505 ASDM WON'T LAUNCH

JK, I can ssh, I forgot to add my "ssh 192.168.1.0 255.255.255.0 inside" ssh works fine now, just can't access the asdm

New Member

Re: ASA5505 ASDM WON'T LAUNCH

Here is the running config, am I missing somethine? I have checked it so many times.

ciscoasa# show run

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name test.local

enable password *removed* encrypted

passwd *removed* encrypted

names

!

interface Ethernet0/0

switchport access vlan 10

!

interface Ethernet0/1

shutdown

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

switchport access vlan 10

!

interface Vlan1

shutdown

no nameif

no security-level

no ip address

!

interface Vlan10

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

dns server-group DefaultDNS

domain-name test.local

pager lines 24

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.100-192.168.1.150 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username berickson password *removed* encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:28857584cf7b907dec6680534afadc01

: end

ASA5505 ASDM WON'T LAUNCH

Hello

is 102 the internal PC?

Can you do a show flash?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

ASA5505 ASDM WON'T LAUNCH

yes 102 is my computer, and I can ping 192.168.1.102 (my computer) from the asa

ciscoasa(config)# show flash:

--#--  --length--  -----date/time------  path

    3  4096        Aug 23 2013 19:26:26  log

   12  4096        Dec 05 2013 14:42:34  crypto_archive

  116  410532      Dec 05 2013 14:42:10  crypto_archive/crypto_eng0_arch_1.bin

  117  410532      Dec 05 2013 14:42:34  crypto_archive/crypto_eng0_arch_2.bin

   13  4096        Aug 23 2013 19:27:06  coredumpinfo

   14  59          Dec 02 2013 10:09:30  coredumpinfo/coredump.cfg

  102  4792138     Jun 16 2011 15:52:06  anyconnect-win-2.5.3041-k9.pkg

  103  15390720    May 25 2011 19:14:58  asa825-k8.bin

  104  26772780    Apr 20 2011 16:26:46  csd_3.6.181-k9.pkg

  105  418765      Sep 28 2009 12:00:44  sslclient-win-1.1.4.179.pkg

  106  17790720    Dec 02 2013 09:50:44  asdm-711-52.bin

  107  22658960    Dec 05 2013 15:33:12  asdm-714.bin

  108  0           Dec 02 2013 10:09:30  nat_ident_migrate

  109  2768        Dec 02 2013 10:09:30  8_2_5_0_startup_cfg.sav

  110  1138        Dec 02 2013 10:09:30  upgrade_startup_errors_201312021009.log

  112  27408384    Dec 02 2013 11:06:02  asa903-k8.bin

  113  26984448    Dec 02 2013 11:06:42  asa913-k8.bin

  114  24809472    Dec 02 2013 11:46:20  asa847-k8.bin

256503808 bytes total (88137728 bytes free)

New Member

ASA5505 ASDM WON'T LAUNCH

I just don't get it, why would it hit the ASA from my web browser then ask me if I want to accept the certificate and then once I accept it then it just does nothing?

New Member

ASA5505 ASDM WON'T LAUNCH

Ok I have been trying to connect and checking the capture you had me setup, I saw this one.

79: 09:45:50.837481 802.1Q vlan#10 P0 192.168.1.102.58824 > 192.168.1.1.443: R 86402545:86402545(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order

New Member

ASA5505 ASDM WON'T LAUNCH

I can't see how it would be java related, I can't even display the web page that would then launch the java application.

New Member

ASA5505 ASDM WON'T LAUNCH

Here is the version info if this helps anyone come up with any ideas, i am so at a loss right now...

ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 7.1(4)

Compiled on Fri 20-May-11 16:00 by builders

System image file is "disk0:/asa825-k8.bin"

Config file at boot was "startup-config"

ciscoasa up 4 mins 2 secs

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

0: Int: Internal-Data0/0    : address is 0021.5595.8321, irq 11

1: Ext: Ethernet0/0         : address is 0021.5595.8319, irq 255

2: Ext: Ethernet0/1         : address is 0021.5595.831a, irq 255

3: Ext: Ethernet0/2         : address is 0021.5595.831b, irq 255

4: Ext: Ethernet0/3         : address is 0021.5595.831c, irq 255

5: Ext: Ethernet0/4         : address is 0021.5595.831d, irq 255

6: Ext: Ethernet0/5         : address is 0021.5595.831e, irq 255

7: Ext: Ethernet0/6         : address is 0021.5595.831f, irq 255

8: Ext: Ethernet0/7         : address is 0021.5595.8320, irq 255

9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255

10: Int: Not used            : irq 255

11: Int: Not used            : irq 255

Licensed features for this platform:

Maximum Physical Interfaces    : 8        

VLANs                          : 20, DMZ Unrestricted

Inside Hosts                   : Unlimited

Failover                       : Active/Standby

VPN-DES                        : Enabled  

VPN-3DES-AES                   : Enabled  

SSL VPN Peers                  : 2        

Total VPN Peers                : 25       

Dual ISPs                      : Enabled  

VLAN Trunk Ports               : 8        

Shared License                 : Disabled

AnyConnect for Mobile          : Disabled 

AnyConnect for Cisco VPN Phone : Disabled 

AnyConnect Essentials          : Disabled 

Advanced Endpoint Assessment   : Disabled 

UC Phone Proxy Sessions        : 2        

Total UC Proxy Sessions        : 2        

Botnet Traffic Filter          : Disabled 

This platform has an ASA 5505 Security Plus license.

Serial Number: *removed*

Running Activation Key: *removed*

Configuration register is 0x1

Configuration has not been modified since last system restart.

New Member

ASA5505 ASDM WON'T LAUNCH

I even just tried reformating my flash to see if that helped, I only put the asa825-k8.bin and asdm-714.bin back on it.

ciscoasa# show flash:

--#--  --length--  -----date/time------  path

   41  22658960    Dec 05 2013 03:45:44  asdm-714.bin

   42  15390720    Dec 05 2013 03:46:22  asa825-k8.bin

    2  4096        Dec 05 2013 03:56:11  log

    9  4096        Dec 05 2013 03:56:37  crypto_archive

   50  4096        Dec 05 2013 03:56:47  coredumpinfo

   51  43          Dec 05 2013 03:56:47  coredumpinfo/coredump.cfg

255320064 bytes total (216899584 bytes free)

Still no luck, and double verified that my asdm-714.bin works on a different ASA running 8.2.5 code as well.

New Member

ASA5505 ASDM WON'T LAUNCH

Julio do you have any other advice? Could it possibly be hardware related?

ASA5505 ASDM WON'T LAUNCH

Hello,

Yeah it does not make any sense.

What happens if you plugin a computer directly to the ASA and attempt to connect?

You have no idea how many Bugs are related to the Java version bud.

I am sorry if I am going around bud have you rebooted the box?? If yes then do the following:

Let's restart the HTTPS daemon

clear configure HTTP

clear configure asdm

Create your own permanent self-signed certificate and then

Configure HTTP/ASDM again,

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

ASA5505 ASDM WON'T LAUNCH

Computer is plugged directly into the ASA, quick question, when you say to create my own permanent self-signed cert are you just refering to the "crypto key generate rsa" command or is there more to it?

ASA5505 ASDM WON'T LAUNCH

Hello Brett,

Wow this is getting crazy man,

Is there a way that you could downgrade to Java v6?

I know bud. I know.. This works with other firewalls but you have no idea how many times the solution of a ticket was that.

Hope you try it

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

ASA5505 ASDM WON'T LAUNCH

Yes, I am currently using Java 7 update 25, as it was the recommended on ciscos web page. But I will down grade to java 6 and let you know how it goes.

New Member

Re: ASA5505 ASDM WON'T LAUNCH

ha, this will be the death of me, I installed java 6 update 45, try to hit the web page in IE, accept the cert and then.....

NOTHING!!

I really do appreciate your help, I thought I was just missing something, that is why I was wondering if there was any type of hardware issue that could be causeing this as nothing I have tried has seemed to work.

4976
Views
10
Helpful
43
Replies