cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8726
Views
16
Helpful
8
Replies

ASA5505, AIP-SSC5, Java 7.x

f2l
Level 1
Level 1

After upgrading to Java 7.5, I found that ASDM works fine managing the ASA5505 firewall, but trying to access the AIP-SSC5 module is not possible.  I have had to revert back to Java 6 to have full control.

Does anyone know how to get Java 7 to work with ASDM and also allow access to the AIP-SSC5 module?

8 Replies 8

Todd Pula
Level 7
Level 7

What version of ASDM are you currently running?  If you browse to your SSC's management IP using the sample URL below, are you able to launch IDM directly from your browser?

https://10.10.10.10

I am running:-

ASA version 8.4(4)1

ASDM version 6.4(9)

IPS version 6.2(4)E4

When I try to access the sensor from within ASDM the following error occurs:

"Error connecting to sensor. Error loading sensor."

followed by...

"Access denied by ASM. ASDM will now exit."

If I try to access the sensor directly, as per your suggestion(https://10.10.10.10), the following error is displayed...

"Unable to launch device manager from https://10.10.10.10".

This is more than likely due to Java 7 disabling the SSL 2.0 client hello by default.  Sensors running code prior to 7.1.4 require this feature for IDM access.  On the PC with Java 7 installed, navigate to

Control Panel > Java > Advanced > Security > General and check the box next to "Use SSL 2.0 compatible ClientHello format".  Test again and then report back if you continue to see errors. 

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr86456

I enabled SSL 2.0 and connecting to the sensor using IDM works fine.

However, connecting to the sensor using ASDM-IDM still returns the same error.  Followed be an

immediate exit.

Hello Phillip,

I worked with a customer two weeks ago on the same exact issue, same exact platafform.

So please dowgrade to java version!

If running 7 do a downgrade to version 6.33  and it should work

You can download it from here:

http://www.oldapps.com/java.php

Regards,

Julio

CSC is a free support community, please take your time to rate all of the engineer's answers.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yup faced the same problem with Java 7. Not able to access IPS module on the ASA. Cisco should come up with some fix for this issue, as Java 7 has fixed lot of security vulnerabilities and continued use of Java 6 is unsafe.

There is an updated image for the SSC-5 that works better with Java 7.x.  Version 6.2(5)E4

Download from here...

http://software.cisco.com/download/release.html?mdfid=282539293&flowid=4416&softwareid=282549758&release=6.2(5)E4&relind=AVAILABLE&rellifecycle=&reltype=latest

Hope this helps.

hosytan
Level 1
Level 1

I had the same problem.

My device is Cisco ASA 5520 with AIP SSM-10.

I can use ASDM to manage ASA 5520 but cannot login to IPS (in IPS or Intrusion Prevension tab). It show me the error "Error connecting sensor. Error loading sensor".

I try to reset, reload and unplug/plug the module but it don't work.

This my ASA configuration:

ASA-FW# show run

: Saved

:

ASA Version 8.4(4)1

!

hostname ASA-FW

enable password Uonv5zOz/3IVv5nJ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface GigabitEthernet0/0

description Connect to Internet

nameif outside

security-level 0

ip address 10.0.0.4 255.255.255.0

!

interface GigabitEthernet0/1

description Connect to DMZ

nameif inside

security-level 100

ip address 10.2.2.2 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

nameif DMZ

security-level 50

ip address 10.3.3.1 255.255.255.0

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

description Management

nameif management

security-level 0

ip address 192.168.1.1 255.255.255.0

!

ftp mode passive

access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq smtp

access-list OUT-TO-DMZ extended permit tcp any host 10.1.1.2 eq www

access-list OUT-TO-DMZ extended permit icmp any any log

access-list OUT-TO-DMZ extended deny ip any any

access-list inside extended permit tcp any any eq pop3

access-list inside extended permit tcp any any eq smtp

access-list inside extended permit tcp any any eq ssh

access-list inside extended permit tcp any any eq telnet

access-list inside extended permit tcp any any eq https

access-list inside extended permit udp any any eq domain

access-list inside extended permit tcp any any eq domain

access-list inside extended permit tcp any any eq www

access-list inside extended permit ip any any

access-list inside extended permit icmp any any

access-list dmz extended permit ip any any

access-list dmz extended permit icmp any any

access-list acl_outside_in extended permit icmp any host 10.0.0.0

access-list acl_inside_in extended permit ip 10.2.2.0 255.255.255.0 any

access-list acl_dmz_in extended permit icmp 10.3.3.0 255.255.255.0 any

access-list traffic_for_ips extended permit ip any any

pager lines 24

logging enable

logging buffer-size 5000

logging monitor warnings

logging trap warnings

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

access-group acl_outside_in in interface outside

access-group acl_inside_in in interface inside

access-group acl_dmz_in in interface DMZ

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 DMZ

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ca trustpoint _SmartCallHome_ServerCA

crl configure

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

   .....

  quit

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh 192.168.1.0 255.255.255.0 management

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

username tanhs password fqvYQWcKVO/db.2r encrypted

!

class-map inspection_default

match default-inspection-traffic

class-map ips_class_map

match access-list traffic_for_ips

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

class ips_class_map

  ips inline fail-open

!

service-policy global_policy global

prompt hostname context

service call-home

call-home reporting anonymous

call-home

contact-email-addr hosytan@gmail.com

profile CiscoTAC-1

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:74d15883f42aaeee6ac30522fe424aeb

: end

ASA-FW#

This is SSM confiuration:

AIP-SSM# show conf

! ------------------------------

! Current configuration last modified Tue Jun 04 00:34:02 2013

! ------------------------------

! Version 7.0(2)

! Host:

!     Realm Keys          key1.0

! Signature Definition:

!     Signature Update    S480.0   2010-03-24

! ------------------------------

service interface

exit

! ------------------------------

service authentication

exit

! ------------------------------

service event-action-rules rules0

variables DMZ address 10.3.3.0-10.3.3.255

variables IN address 10.2.2.0-10.2.2.255

exit

! ------------------------------

service host

network-settings

host-ip 192.168.1.2/24,192.168.1.1

host-name AIP-SSM

telnet-option disabled

access-list 10.0.0.0/8

access-list 10.1.1.0/24

access-list 10.2.2.0/24

access-list 10.3.3.0/24

access-list 172.16.0.0/16

access-list 192.168.1.0/24

login-banner-text VISEC IDS/IPS

dns-primary-server disabled

dns-secondary-server disabled

dns-tertiary-server disabled

http-proxy no-proxy

exit

time-zone-settings

offset 0

standard-time-zone-name CST

exit

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

exit

! ------------------------------

service signature-definition sig0

signatures 2000 0

alert-severity high

engine atomic-ip

event-action produce-alert|produce-verbose-alert

exit

alert-frequency

summary-mode fire-all

summary-key AxBx

exit

exit

status

enabled true

exit

exit

signatures 2004 0

alert-severity high

engine atomic-ip

event-action produce-alert|produce-verbose-alert

exit

alert-frequency

summary-mode fire-all

summary-key AxBx

exit

exit

status

enabled true

exit

exit

signatures 60000 0

alert-severity high

sig-fidelity-rating 75

sig-description

sig-name Telnet Command Authorization Failure

sig-string-info Command authorization failed

sig-comment signature triggers string command authorization failed

exit

engine atomic-ip

specify-l4-protocol yes

l4-protocol tcp

no tcp-flags

no tcp-mask

exit

specify-payload-inspection yes

regex-string Command authorization failed

exit

exit

exit

exit

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

enable-tls true

port 443

server-id Nothing to see here. Move along.

exit

! ------------------------------

service anomaly-detection ad0

exit

! ------------------------------

service external-product-interface

exit

! ------------------------------

service health-monitor

exit

! ------------------------------

service global-correlation

exit

! ------------------------------

service analysis-engine

virtual-sensor vs0

physical-interface GigabitEthernet0/1

exit

exit

AIP-SSM#

Could anyone help me?

Thanks in advanced.


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: