ASDM Problem

ydcnetwork
Level 1

Hi all,

We have an ASA 5510 and tried to log in through ASDM, but we are receiving the following errors.

  • Enabled http server
  • Enabled http any for the requesting interface.

Following are the debug messages collected.  Thanks in advance

=========================================================================================================

<183>:Mar 12 07:29:23 IST: %ASA-session-7-609001: Built local-host inside:10.11.12.83
<182>:Mar 12 07:29:23 IST: %ASA-session-6-302013: Built inbound TCP connection 594094 for inside:10.11.12.83/4470 (10.11.12.83/4470) to NP Identity Ifc:FWALL/443 (FWALL/443)
<183>:Mar 12 07:29:23 IST: %ASA-session-7-710002: TCP access permitted from 10.11.12.83/4470 to inside:FWALL/https
<182>:Mar 12 07:29:23 IST: %ASA-ssl-6-725001: Starting SSL handshake with client inside:10.11.12.83/4470 for SSLv3 session.
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725010: Device supports the following 2 cipher(s).
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[1] : DES-CBC3-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[2] : AES256-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725008: SSL client inside:10.11.12.83/4470 proposes the following 15 cipher(s).
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[1] : RC4-MD5
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[2] : RC4-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[3] : AES128-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[6] : DES-CBC3-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[7] : EDH-RSA-DES-CBC3-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[8] : EDH-DSS-DES-CBC3-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[9] : DES-CBC-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[10] : EDH-RSA-DES-CBC-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[11] : EDH-DSS-DES-CBC-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[12] : EXP-RC4-MD5
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[13] : EXP-DES-CBC-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[14] : EXP-EDH-RSA-DES-CBC-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[15] : EXP-EDH-DSS-DES-CBC-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client inside:10.11.12.83/4470
<182>:Mar 12 07:29:24 IST: %ASA-ssl-6-725002: Device completed SSL handshake with client inside:10.11.12.83/4470
<182>:Mar 12 07:29:24 IST: %ASA-sys-6-605005: Login permitted from 10.11.12.83/4470 to inside:FWALL/https for user "admin"
<182>:Mar 12 07:29:24 IST: %ASA-ssl-6-725007: SSL session with client inside:10.11.12.83/4470 terminated.
<182>:Mar 12 07:29:25 IST: %ASA-session-6-302013: Built inbound TCP connection 594095 for inside:10.11.12.83/4472 (10.11.12.83/4472) to NP Identity Ifc:FWALL/443 (FWALL/443)
<182>:Mar 12 07:29:25 IST: %ASA-ssl-6-725001: Starting SSL handshake with client inside:10.11.12.83/4472 for SSLv3 session.
<182>:Mar 12 07:29:25 IST: %ASA-ssl-6-725003: SSL client inside:10.11.12.83/4472 request to resume previous session.
<182>:Mar 12 07:29:26 IST: %ASA-ssl-6-725002: Device completed SSL handshake with client inside:10.11.12.83/4472
<182>:Mar 12 07:29:26 IST: %ASA-sys-6-605005: Login permitted from 10.11.12.83/4472 to inside:FWALL/https for user "admin"
<182>:Mar 12 07:29:26 IST: %ASA-ssl-6-725007: SSL session with client inside:10.11.12.83/4472 terminated.
<182>:Mar 12 07:29:27 IST: %ASA-session-6-302014: Teardown TCP connection 594095 for inside:10.11.12.83/4472 to NP Identity Ifc:FWALL/443 duration 0:00:01 bytes 926 TCP FINs
<182>:Mar 12 07:29:27 IST: %ASA-session-6-302013: Built inbound TCP connection 594096 for inside:10.11.12.83/4473 (10.11.12.83/4473) to NP Identity Ifc:FWALL/443 (FWALL/443)
<182>:Mar 12 07:29:27 IST: %ASA-ssl-6-725001: Starting SSL handshake with client inside:10.11.12.83/4473 for SSLv3 session.
<182>:Mar 12 07:29:27 IST: %ASA-ssl-6-725003: SSL client inside:10.11.12.83/4473 request to resume previous session.
<182>:Mar 12 07:29:28 IST: %ASA-ssl-6-725002: Device completed SSL handshake with client inside:10.11.12.83/4473
<182>:Mar 12 07:29:28 IST: %ASA-sys-6-605005: Login permitted from 10.11.12.83/4473 to inside:FWALL/https for user "admin"
<182>:Mar 12 07:29:28 IST: %ASA-ssl-6-725007: SSL session with client inside:10.11.12.83/4473 terminated.
<182>:Mar 12 07:29:32 IST: %ASA-session-6-302014: Teardown TCP connection 594094 for inside:10.11.12.83/4470 to NP Identity Ifc:FWALL/443 duration 0:00:08 bytes 1614 TCP FINs

=========================================================================================================

5 Replies

Herbert Baerten
Cisco Employee

What happens exactly when you try to launch ASDM?

Do you have the ASDM image installed on the flash, and do you have an "asdm image ..." statement in the config?

Hi Herbert,

Yes. Find the output of the flash.


Fwall# sh flash:
Initializing disk0: cache, please wait....Done.
-#- --length-- -----date/time------ path
  6 0          Aug 18 2009 08:58:22 crypto_archive
  7 6163744    Aug 18 2009 09:11:24 asdm-508.bin
 10 8515584    Jan 20 2010 04:44:22 asa724-k8.bin

245374976 bytes available (14770176 bytes used)

When I try the ASDM I get the below error message

"Unable to launch device manager from XX.XX.XX.XX"

ASDM 5.0(8) is a very old version, it is meant to be used with ASA versions 7.0(x).

The newest ASDM version compatible with ASA 7.2 is 5.2(4). I would try to update to that version. Or you could update the ASA to version 8.2(2) and use ASDM 6.2(5).

ydcnetwork wrote:

Hi Herbert,

Yes. Find the output of the flash.


Fwall# sh flash:
Initializing disk0: cache, please wait....Done.
-#- --length-- -----date/time------ path
  6 0          Aug 18 2009 08:58:22 crypto_archive
  7 6163744    Aug 18 2009 09:11:24 asdm-508.bin
 10 8515584    Jan 20 2010 04:44:22 asa724-k8.bin

245374976 bytes available (14770176 bytes used)

When I try the ASDM I get the below error message

"Unable to launch device manager from XX.XX.XX.XX"

As Pluppo wrote, you'll need to get an ASDM version that is compatible with your ASA version.

You will also need to add an "asdm image disk0:/asdm-xxx.bin" statement in your config.

hth

Herbert

When you issue sh ver, you do see the following, right?

Cisco Adaptive Security Appliance Software Version 8.2(1)

Device Manager Version 6.2(5)

Compiled on Tue 05-May-09 22:45 by builders

System image file is "disk0:/asa821-k8.bin"  ---------------------------> it should indicate the asdm file loaded.

Config file at boot was "startup-config"

...

VPN-3DES-AES                 : Enabled    ----------------> this should be enabled

<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client inside:10.11.12.83/4470

Make sure that issuing "sh run ssl" or "sh run all | i ssl" shows the following:

ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1

If not add the above line to the config.

-KS
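
Added example (not code from any poster in this thread or from Cisco): a small Python parser for the 7250xx SSL syslog messages in the debug output above, reporting whether the device and the client had a cipher in common and whether the handshake completed. The names `summarize` and `verdict` and the verdict strings are assumptions made for illustration.

```python
import re

# Lines copied from this thread's debug output, trimmed to one handshake (2 of 15 client ciphers).
SAMPLE = """\
<182>:Mar 12 07:29:23 IST: %ASA-ssl-6-725001: Starting SSL handshake with client inside:10.11.12.83/4470 for SSLv3 session.
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725010: Device supports the following 2 cipher(s).
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[1] : DES-CBC3-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[2] : AES256-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725008: SSL client inside:10.11.12.83/4470 proposes the following 15 cipher(s).
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[1] : RC4-MD5
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725011: Cipher[6] : DES-CBC3-SHA
<183>:Mar 12 07:29:23 IST: %ASA-ssl-7-725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client inside:10.11.12.83/4470
<182>:Mar 12 07:29:24 IST: %ASA-ssl-6-725002: Device completed SSL handshake with client inside:10.11.12.83/4470
"""

MSG = re.compile(r"%ASA-\w+-\d-(\d{6}): (.*)")  # captures message ID and text

def summarize(log):
    """Collect protocol, both cipher lists and the outcome of one handshake."""
    s = {"protocol": None, "device": [], "client": [], "chosen": None, "completed": False}
    bucket = None  # list that the following 725011 "Cipher[n]" lines belong to
    for line in log.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        msg_id, text = m.groups()
        if msg_id == "725001":            # handshake start, names the protocol
            p = re.search(r"for (\S+) session", text)
            s["protocol"] = p.group(1) if p else None
        elif msg_id == "725010":          # header of the device's cipher list
            bucket = s["device"]
        elif msg_id == "725008":          # header of the client's cipher list
            bucket = s["client"]
        elif msg_id == "725011" and bucket is not None:
            bucket += re.findall(r"Cipher\[\d+\] : (\S+)", text)
        elif msg_id == "725012":          # cipher the device selected
            c = re.search(r"chooses cipher : (\S+)", text)
            s["chosen"] = c.group(1) if c else None
        elif msg_id == "725002":          # handshake finished
            s["completed"] = True
    s["shared"] = [c for c in s["device"] if c in s["client"]]
    return s

def verdict(s):
    """Classify the handshake so a cipher mismatch can be ruled in or out."""
    if not s["shared"]:
        return "no_shared_cipher"
    return "handshake_completed" if s["completed"] else "handshake_incomplete"
```

Run on the lines above, `summarize(SAMPLE)` reports SSLv3, one shared cipher (DES-CBC3-SHA) and a completed handshake.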
