
ASDM not working on new ASA

mahesh18
Level 6

Hi Everyone,

I am setting up a new ASA for testing purposes.

So far it has a single active interface, which is management.

I can SSH to the ASA fine but ASDM is not working.

sh run http shows

sh run http

http server enable

http 172.31.20.0 255.255.255.0 management

sh run ssh

ssh 172.31.20.0 255.255.255.0 management

Regards

MAhesh


14 Replies

Ahmad Murad
Level 1

Hi,

Did you upload ASDM image to the flash and configure it with:

asdm image flash:/-----

Please check the flash with "dir" to check if there is any existing ASDM image on the disk.

Thanks.

Hi Murad,

I checked dir, it shows flash is there.

Regards

mahesh

Julio Carvajal
VIP Alumni

Hello, share the following:

show run asdm

show flash | include asdm

show run ssl

sh version

Regards

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

sh run ssl does not show any output

show flash | include asdm

  111  16280544    Jun 29 2011 12:10:58  asdm-645.bin

sh run asdm

no asdm history enable

sh ver shows

up 2 days 2 hours

Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

0: Ext: GigabitEthernet0/0  : address is e8b7.483d.0d68, irq 9
1: Ext: GigabitEthernet0/1  : address is e8b7.483d.0d69, irq 9
2: Ext: GigabitEthernet0/2  : address is e8b7.483d.0d6a, irq 9
3: Ext: GigabitEthernet0/3  : address is e8b7.483d.0d6b, irq 9
4: Ext: Management0/0       : address is e8b7.483d.0d6c, irq 11
5: Int: Not used            : irq 11
6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Regards

MAhesh

lwilfredoflor
Level 1

Hi Mahesh

If the ASA you are trying to reach with ASDM is x generation, the problem is caused by the command 'ssl encryption des-sha1': all browsers will reject the SSL connection with that choice. To resolve this you have to create another cipher for SSL; the following will help you:

'no ssl encryption des-sha1' 'ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1'

Best Regards,

Hi Luis,

I tried above command still same thing.

Best regards

MAhesh

lwilfredoflor
Level 1

Hi Mahesh, sorry, but did you select the asdm image as source?

asdm image disk0:/asdm-645.bin

Is the asdm appropriate for your ios?

asdm6.4 -> ASA8.4 or above = works

asdm6.4 -> ASA9.1 = doesn't work

Best Regards,

Hi Luis,

I added the command asdm image disk0:/asdm-645.bin as it was not in config.

Still same thing.

Current ios is

Version 8.4(2)

Seems IOS is compatible with ASA.

Regards

MAhesh

Hello,

Share the output of the following commands after the change

show run asdm

show flash | include asdm

show run ssl

What is the IP address you are using to connect?

cap capin interface management match tcp host x.x.x.x (source host) y.y.y.y (management IP address) eq 443

Then connect once and share

show cap capin

Regards,

Jcarvaja

Hi Julio,

Here is the output of

sh cap capin

3 packets captured

   1: 13:23:18.895095 172.31.23.107.63448 > 172.16.17.199.443: S 2067821230:2067821230(0) win 8192
   2: 13:23:21.901167 172.31.23.107.63448 > 172.16.17.199.443: S 2067821230:2067821230(0) win 8192
   3: 13:23:27.896712 172.31.23.107.63448 > 172.16.17.199.443: S 2067821230:2067821230(0) win 8192
3 packets shown

I have no clue what does this output mean?

Regards

MAhesh

Please provide the rest of the outputs

Regards,

Jcarvaja

Mahesh

I would think that the output from these 2 commands would be especially helpful

show run asdm

show flash | include asdm

HTH

Rick

Hi Everyone,

Seems it is my bad.

SSH  only works from our unix jump box.

When I try SSH from my PC 172.31.23 it did not work even though the ASA has been configured for that.

Seems it's a routing issue with the new ASA.

Will check the routing issue within our network and will update you.

Thanks everyone for their help & time.

Best regards

MAhesh

According to the captures, I see that the source IP is different from the one configured on the ASA to accept an HTTP request.

1: 13:23:18.895095 172.31.23.107.63448 > 172.16.17.199.443: S  2067821230:2067821230(0) win 8192

You mentioned in the configuration that you add this line:

http 172.31.20.0 255.255.255.0 management

In order to check this, please add:

http 0 0 management, and check if you can access it or not.

Thanks.
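The two checks Julio walks through in the replies above (does an http line on the management interface actually cover the client's source address, and did the ASA ever answer the client's SYN) can be checked from the posted outputs without touching the box. The script below is an added example written for this thread, not Cisco code and not something any participant posted. It parses the http lines of a running config and the packet lines of show capture output, using constructed copies of the config and capture Mahesh posted as sample input. The function names (parse_http_rules, http_allows, parse_capture, diagnose) are hypothetical.

```python
import ipaddress
import re

# Constructed sample input: the 'sh run http' lines Mahesh posted in this thread.
SAMPLE_RUN_HTTP = """\
http server enable
http 172.31.20.0 255.255.255.0 management
"""

# Constructed sample input: the 'show cap capin' output from the thread
# (three client SYNs to port 443, nothing coming back from the ASA).
SAMPLE_CAPTURE = """\
3 packets captured
   1: 13:23:18.895095 172.31.23.107.63448 > 172.16.17.199.443: S 2067821230:2067821230(0) win 8192
   2: 13:23:21.901167 172.31.23.107.63448 > 172.16.17.199.443: S 2067821230:2067821230(0) win 8192
   3: 13:23:27.896712 172.31.23.107.63448 > 172.16.17.199.443: S 2067821230:2067821230(0) win 8192
3 packets shown
"""

# 'http <address> <mask> <interface>' as it appears in an ASA running config.
HTTP_RULE = re.compile(r"^\s*http\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# One packet line of 'show capture' output: index, timestamp, src.port > dst.port: flags ...
CAP_LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>[SFRPAU.]+)"
)


def parse_http_rules(config_text):
    """Return (server_enabled, [(network, interface), ...]) from the http lines.

    The '0 0' shorthand Julio suggests ('http 0 0 management') is expanded to 0.0.0.0/0.
    """
    server_enabled = False
    rules = []
    for line in config_text.splitlines():
        if line.strip() == "http server enable":
            server_enabled = True
            continue
        m = HTTP_RULE.match(line)
        if not m:
            continue
        addr, mask, iface = m.groups()
        addr = "0.0.0.0" if addr == "0" else addr
        mask = "0.0.0.0" if mask == "0" else mask
        rules.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), iface))
    return server_enabled, rules


def http_allows(config_text, source_ip, interface):
    """True if the HTTP server is enabled and some http line on `interface` covers `source_ip`."""
    server_enabled, rules = parse_http_rules(config_text)
    if not server_enabled:
        return False
    src = ipaddress.ip_address(source_ip)
    return any(iface == interface and src in net for net, iface in rules)


def parse_capture(capture_text):
    """Extract src/sport/dst/dport/flags dicts from 'show capture' packet lines."""
    return [m.groupdict() for m in map(CAP_LINE.match, capture_text.splitlines()) if m]


def diagnose(config_text, capture_text, interface="management"):
    """Combine the two checks: which clients tried port 443, whether the ASA ever
    answered (any packet with source port 443), and which clients no http line permits."""
    pkts = parse_capture(capture_text)
    clients = sorted({p["src"] for p in pkts if p["dport"] == "443"})
    return {
        "clients": clients,
        "server_answered": any(p["sport"] == "443" for p in pkts),
        "not_permitted": [c for c in clients if not http_allows(config_text, c, interface)],
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_RUN_HTTP, SAMPLE_CAPTURE)
    print(result)
    # {'clients': ['172.31.23.107'], 'server_answered': False, 'not_permitted': ['172.31.23.107']}
```

Run as-is, it reports that 172.31.23.107 is not covered by the 172.31.20.0/24 http line and that only client-side SYNs were seen, which is the same conclusion Julio draws from the capture. The http 0 0 management line he suggests makes http_allows return True for any source, which is why it is useful as a one-off test step rather than as a permanent setting on a management interface: once the real client network is known, the narrower http line is the one to keep.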
