ASDM access troubleshooting
INTRODUCTION
BASIC CONFIGURATION
    Example
    Verification
TROUBLESHOOTING METHOD
ACCESS ERRORS
    ASDM Launcher Fails
    HTTP 404 not found (type 1)
    HTTP 404 not found (type 2)
    WebVPN conflict
    Weak Encryption
    Java not installed on computer
    Incompatible Java Version
    Java Error on Launch
HTTPS Tips and Tricks
    Running Show commands
    Text based Monitoring
RELATED URLs
INTRODUCTION
This document provides the basic configuration and troubleshooting steps for Cisco ASDM
access.
Cisco ASDM provides an intuitive graphical user interface that makes it easy to set up,
configure and manage your Cisco security appliances.
Cisco ASDM can run as a local application or as a Java Web Start application.
The following sections will provide an overview of the common issues faced in accessing
Cisco ASDM.
BASIC CONFIGURATION
!-- Enable listening on port 443 --!
Postings may contain unverified user-created content and change frequently. The content is provided as-is and
is not warrantied by Cisco.
http server enable
!-- Define what subnets on what interface are allowed to access the ASDM--!
http <ip subnet> <subnet mask> <interface>
!-- Specify an ASDM image in case of multiple images on the Flash --!
asdm image <path>
Example:
http server enable
http 192.168.1.0 255.255.255.0 inside
asdm image flash:/asdm-623.bin
Verification:
show asp table socket
Protocol Socket Local Address Foreign Address State
SSL 0000375f 192.168.1.1:443 0.0.0.0:* LISTEN
!-- This shows that the ASA is listening on its interface on port 443 --!
TROUBLESHOOTING METHOD
Step 1: Verify if you can ping the ASA from the PC/Laptop you can access it on.
Step 2: Check that the necessary configuration is in place
Commands:
show run http [check if http server is enabled, and http access is allowed on the interface
you are trying to access.]
show run asdm [check that an asdm image is mentioned, and the version is compatible with
the ASA image version.]
show flash [check that the asdm image mentioned is present in the flash.]
Step 3: Check that the ASA is listening for https requests on its interface
Commands:
show asp table socket [under Local Address, you should see <interface ip>:<http server
port> in a LISTEN state.]
Step 4: If steps 1 to 3 all check out, you are probably hitting one of the problems
described in the next section.
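Steps 2 and 3 can be automated over saved CLI output. The script below is an added example, not part of the original document: it parses constructed `show run http` and `show asp table socket` samples modelled on the configuration above and reports which of the two checks fails for a given client IP and interface.

```python
import ipaddress
import re

# Constructed sample output modelled on the document's examples, not captured from a real ASA.
SHOW_RUN_HTTP = """http server enable
http 192.168.1.0 255.255.255.0 inside
"""
SHOW_ASP_TABLE_SOCKET = """Protocol  Socket    Local Address      Foreign Address  State
SSL       0000375f  192.168.1.1:443    0.0.0.0:*        LISTEN
"""

def parse_http_config(text):
    """Return (server_enabled, port, [(allowed_network, interface), ...]) from 'show run http'."""
    enabled, port, allowed = False, 443, []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"http server enable(?: (\d+))?$", line)
        if m:
            enabled, port = True, int(m.group(1) or 443)
            continue
        m = re.match(r"http (\S+) (\S+) (\S+)$", line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            allowed.append((net, m.group(3)))
    return enabled, port, allowed

def listening_sockets(text):
    """Return {(ip, port)} for every socket 'show asp table socket' reports in LISTEN state."""
    socks = set()
    for line in text.splitlines():
        m = re.search(r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTEN", line)
        if m:
            socks.add((m.group(1), int(m.group(2))))
    return socks

def diagnose(client_ip, interface, interface_ip, http_cfg, socket_table):
    """Apply steps 2 and 3 of the troubleshooting method; an empty list means both checks pass."""
    findings = []
    enabled, port, allowed = parse_http_config(http_cfg)
    if not enabled:
        findings.append("http server is not enabled")
    client = ipaddress.ip_address(client_ip)
    if not any(client in net and intf == interface for net, intf in allowed):
        findings.append(f"no 'http' line allows {client_ip} on interface {interface}")
    if (interface_ip, port) not in listening_sockets(socket_table):
        findings.append(f"no LISTEN socket on {interface_ip}:{port} in 'show asp table socket'")
    return findings
```

Note that the port check follows the `http server enable XX` form, so a port moved away from 443 (see the WebVPN conflict section) is verified against the socket table too.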
ACCESS ERRORS
[interface ip for all examples is 10.76.75.48]
ASDM Launcher Fails
ASDM access worked previously via https://10.76.75.48, but fails when using the shortcut
on your desktop.
Resolution
ASDM launcher does not work with 64-bit Java version on Windows. You will have to access
ASDM from your web browser.
HTTP 404 not found (type 1)
Ping to 10.76.75.48 is successful
You enter https://10.76.75.48 in your web browser
You receive a “Certificate Error: Navigation Blocked” page.
Then when you click “Continue to the Website” you get HTTP 404 not found.
Debug HTTP on the ASA will show the following:
HTTP: processing GET URL '/' from host 64.103.226.131
HTTP: redirecting to: /admin/public/index.html
HTTP: session verified = [0]
HTTP: processing GET URL '/admin/public/index.html' from host 64.103.226.131
HTTP: authentication not required
HTTP: file not found: public/index.html
Possible Resolution
“asdm image xxx” command is missing.
Note: if you add the command, log in through ASDM, and then remove it, fresh ASDM
access will keep working for as long as those files remain in the browser history/cache.
HTTP 404 not found (type 2)
Ping to 10.76.75.48 is successful
You enter https://10.76.75.48 in your web browser
After waiting a while, you get HTTP 404 not found.
Logs show:
%ASA-3-710003: TCP access denied by ACL from 64.103.226.131/3212 to
outside:10.76.75.48/443
%ASA-7-710005: TCP request discarded from 64.103.226.131/3212 to
outside:10.76.75.48/443
%ASA-3-710003: TCP access denied by ACL from 64.103.226.131/3212 to
outside:10.76.75.48/443
%ASA-7-710005: TCP request discarded from 64.103.226.131/3212 to
outside:10.76.75.48/443
Captures show:
17: 23:27:51.854844 64.103.226.131.3212 > 10.76.75.48.443: S 247161576:247161576(0)
win 64512 <mss 1260,nop,nop,sackOK>
18: 23:27:54.806019 64.103.226.131.3212 > 10.76.75.48.443: S 247161576:247161576(0)
win 64512 <mss 1260,nop,nop,sackOK>
Possible Resolution
Check the output of “show asp table socket” to see whether the ASA is listening on that
interface.
Either the configuration is missing, or you may be hitting a bug that requires further
analysis.
WebVPN conflict
Ping to 10.76.75.48 is successful
You enter https://10.76.75.48 in your web browser
The Cisco SSL VPN service opens up with a prompt for login credentials.
Resolution
Configure ASDM to run on a port other than 443, as WebVPN uses that port.
Use http server enable XX to listen on port XX instead of 443, and enter
https://10.76.75.48:XX
to access ASDM.
Alternately, use https://10.76.75.48 to access SSL VPN, and https://10.76.75.48/admin to
access ASDM.
Weak Encryption
Ping to 10.76.75.48 is successful
You enter https://10.76.75.48 in your web browser
and the browser displays an error message (screenshot omitted).
Logs on the ASA show:
%ASA-7-725011: Cipher[1] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : DHE-RSA-AES256-SHA
%ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : RC4-MD5
%ASA-7-725011: Cipher[7] : RC4-SHA
%ASA-7-725011: Cipher[8] : AES128-SHA
%ASA-7-725011: Cipher[9] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[10] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[11] : DES-CBC3-SHA
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-302014: Teardown TCP connection 79 for outside:64.103.226.131/4514 to identity:10.76.75.48/443 duration 0:00:00 bytes 7 TCP Reset by appliance
This indicates that the SSL encryption standards being used by the ASA do not match the
ones being used on the browser. To view those being used on the ASA, enter the command
show run all ssl.
You would see something like this:
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Resolution:
Enter the command: ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 in
config mode.
If you get a license error, then procure the VPN-AES-3DES license and apply it. The
procedure can be found on the following link: Obtaining a 3DES/AES License
Enter the command again once the license is applied.
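The ACL-denied logs of the "HTTP 404 not found (type 2)" section and the cipher logs of this section are distinct enough to be matched automatically. The script below is an added example, not part of the original document: it runs over constructed syslog lines modelled on the two sections, maps each signature to the section that explains it, and additionally lists which of the advertised suites are RC4 or 3DES, since current browsers no longer offer those and produce the same "no shared cipher" teardown (this last check is an added caveat, not from the document).

```python
import re

# Constructed sample syslog lines modelled on the document's examples, not captured from a real ASA.
SAMPLE_LOGS = """%ASA-3-710003: TCP access denied by ACL from 64.103.226.131/3212 to outside:10.76.75.48/443
%ASA-7-710005: TCP request discarded from 64.103.226.131/3212 to outside:10.76.75.48/443
%ASA-7-725011: Cipher[1] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-MD5
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-302014: Teardown TCP connection 79 for outside:64.103.226.131/4514 to identity:10.76.75.48/443 duration 0:00:00 bytes 7 TCP Reset by appliance
"""

MSG_RE = re.compile(r"%ASA-\d-(\d{6}): (.*)")
ACL_DENY_RE = re.compile(r"TCP access denied by ACL from (\S+) to (\w+):(\S+)/(\d+)")
CIPHER_RE = re.compile(r"Cipher\[\d+\] : (\S+)")
# Substrings of suite names in the document's list that current browsers no longer offer (RC4, 3DES).
LEGACY_MARKERS = ("RC4", "DES-CBC")

def triage(log_text, asdm_port=443):
    """Map log signatures to the document's access-error sections.

    Returns the sections matched, the client sources denied by ACL on the ASDM port,
    the cipher list the ASA advertised (725011) and the subset of legacy suites."""
    result = {"sections": [], "denied_from": [], "asa_ciphers": [], "legacy_ciphers": []}
    for line in log_text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        msg_id, body = m.groups()
        if msg_id == "710003":
            d = ACL_DENY_RE.search(body)
            if d and int(d.group(4)) == asdm_port:
                result["denied_from"].append(d.group(1))
                if "HTTP 404 not found (type 2)" not in result["sections"]:
                    result["sections"].append("HTTP 404 not found (type 2)")
        elif msg_id == "725011":
            c = CIPHER_RE.search(body)
            if c:
                result["asa_ciphers"].append(c.group(1))
        elif msg_id == "725014" and "no shared cipher" in body:
            if "Weak Encryption" not in result["sections"]:
                result["sections"].append("Weak Encryption")
    result["legacy_ciphers"] = [c for c in result["asa_ciphers"]
                                if any(k in c for k in LEGACY_MARKERS)]
    return result
```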
Java not installed on computer
You enter https://10.76.75.48 in your web browser
and the ASDM page offers you the option below (screenshot omitted):
Resolution:
Click on “Install Java Web Start” and it will install the required Java version.
Alternately, you can download and install the latest Java JRE from the internet.
Incompatible Java Version
Ping to 10.76.75.48 is successful
You enter https://10.76.75.48 in your web browser
After entering the login credentials, the loading process starts and hangs at this stage (screenshot omitted).
This error is generally seen in older ASA versions like 5.0(x), but has been known to occur in
later versions as well (often after upgrading or downgrading ASDM images).
Resolution
Downgrade Java to its base version. For example, in the above screenshot you can see that
the JRE in use is Java 6 update 20. Uninstall it, and install Java 6 base version. The ASDM
screen would immediately load once the bar becomes 100%. If the version of ASDM in use
is below 5.0(9), then upgrade to 5.0(9).
Java Error on Launch
Ping to 10.76.75.48 is successful
ASDM has been working fine previously, and no change has been made on the ASA.
You enter https://10.76.75.48 in your web browser
When you launch ASDM, you get the following Java Error:
Exception in thread "SGZ Loader: launchSgzApplet" java.lang.NumberFormatException: For input string: "1 year 0"
at java.lang.NumberFormatException.forInputString(Unknown Source)
at java.lang.Integer.parseInt(Unknown Source)
at java.lang.Integer.parseInt(Unknown Source)
at com.cisco.pdm.Check.h(DashoA10*..:1358)
at com.cisco.pdm.Check.c(DashoA10*..:858)
at com.cisco.pdm.Check.a(DashoA10*..:438)
at com.cisco.pdm.PDMApplet.start(DashoA10*..:132)
at com.cisco.nm.dice.loader.r.run(DashoA19*..:410)
OR,
Exception in thread "SGZ Loader: launchSgzApplet"
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
at java.lang.String.substring(Unknown Source)
at java.lang.String.substring(Unknown Source)
at com.cisco.pdm.Check.h(DashoA10*..:1345)
at com.cisco.pdm.Check.c(DashoA10*..:841)
at com.cisco.pdm.Check.a(DashoA10*..:422)
at com.cisco.pdm.PDMApplet.start(DashoA10*..:132)
at com.cisco.nm.dice.loader.r.run(DashoA19*..:410)
Resolution
The above errors happen when the ASA has been up for exactly a year (1st error) or a year and a day (2nd error).
Up-time for an ASA can be checked in the output of the show version command. The obvious resolution would be to restart the ASA,
HTTPS Tips and Tricks
Apart from accessing the ASDM, there are a few other things that can also be done with the
https://<interface ip>/... url.
Running Show commands
You can view the outputs of all show commands on the browser itself, by typing the following
into the address bar:
https://<interface ip>/admin/exec/show [command]
(spaces can be included after the "show" keyword)
Example:
https://10.76.75.48/admin/exec/show run will display the running configuration in the
browser.
Text based Monitoring
You can monitor most of the basic information, like connection counts, xlate counts, memory
block usage, etc. in real time.
https://<interface ip>/admin/asdm_handler refreshes the statistics every 10 seconds,
which can be useful in certain scenarios.
Example:
https://10.76.75.48/admin/asdm_handler gives the following snapshot on the browser:
METRICS_INFO|BEGIN
TIMESTAMP|1300332039|UTC|0
VERSION|ASA|8.0(4)|pdm|6.3(5)
UPTIME|12083|CONFIG_MOD|370|CONFIG_SAVED|294|CONFIG_STATUS|0x0
INTERFACE|man|up|UP|IP|10.76.75.56|MASK|255.255.255.192|IBC|207|OBC|342|IPC|4|... <o/p deprecated>
MEM|FREE|1919075000|USED|149167432|
CPU|0|
BLOCK|ABLK0|700|UBLK0|0|ABLK4|99|UBLK4|1|ABLK80|700|UBLK80|0|ABLK256|100|........ <o/p deprecated>
PERFMON|XLATES|0|CONNECTIONS|0|TCP CONNS|0|UDP CONNS|0|URLS|0|URLSERVER|0|....... <o/p deprecated>
CONN|CUR|1|MAX|2|
XLATE|CUR|0|MAX|0|
SA|ISAKMP_SAS|0|IPSEC_SAS|0|
TUNNEL|L2TP_SESS|0|L2TP_TUNN|0|WEBVPN_SESS|0|SVC_SESS|0|TOTAL_SESS|0|
METRICS_INFO|END
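The snapshot is a pipe-delimited frame that is easy to turn into structured data for logging or alerting. The parser below is an added example, not part of the original document or of the asdm_handler page itself: it reads a constructed copy of the snapshot above (the lines marked <o/p deprecated> are dropped), converts numeric fields, and derives memory utilisation from the MEM record.

```python
# Constructed snapshot modelled on the document's asdm_handler output (truncated lines dropped); not a real capture.
SNAPSHOT = """METRICS_INFO|BEGIN
TIMESTAMP|1300332039|UTC|0
VERSION|ASA|8.0(4)|pdm|6.3(5)
UPTIME|12083|CONFIG_MOD|370|CONFIG_SAVED|294|CONFIG_STATUS|0x0
INTERFACE|man|up|UP|IP|10.76.75.56|MASK|255.255.255.192|IBC|207|OBC|342|IPC|4|
MEM|FREE|1919075000|USED|149167432|
CPU|0|
CONN|CUR|1|MAX|2|
XLATE|CUR|0|MAX|0|
SA|ISAKMP_SAS|0|IPSEC_SAS|0|
TUNNEL|L2TP_SESS|0|L2TP_TUNN|0|WEBVPN_SESS|0|SVC_SESS|0|TOTAL_SESS|0|
METRICS_INFO|END
"""

def _num(token):
    """Turn decimal and 0x-prefixed tokens into int; leave version strings and names alone."""
    try:
        return int(token, 0)
    except ValueError:
        return token

def parse_snapshot(text):
    """Parse one METRICS_INFO frame into {record: scalar or {key: value}}.
    A single-token record (CPU|0|) becomes a scalar; pairs become a dict; an unpaired
    leading token (interface name, uptime, timestamp) is stored under 'value'."""
    metrics, inside = {}, False
    for line in text.splitlines():
        tokens = [t for t in line.strip().split("|") if t]
        if not tokens:
            continue
        if tokens[0] == "METRICS_INFO":           # frame markers BEGIN / END
            inside = len(tokens) > 1 and tokens[1] == "BEGIN"
            continue
        if not inside:
            continue
        record, rest = tokens[0], tokens[1:]
        if len(rest) == 1:
            metrics[record] = _num(rest[0])
            continue
        fields = {"value": _num(rest.pop(0))} if len(rest) % 2 else {}
        fields.update((rest[i], _num(rest[i + 1])) for i in range(0, len(rest), 2))
        metrics[record] = fields
    return metrics

def memory_used_pct(metrics):
    """Percent of memory in use, computed from the MEM record."""
    mem = metrics["MEM"]
    return 100.0 * mem["USED"] / (mem["FREE"] + mem["USED"])
```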
RELATED URLs
Archive of Java Versions
http://www.oracle.com/technetwork/java/archive-139210.html
List of ASDM Release Notes
http://www.cisco.com/en/US/products/ps6121/prod_release_notes_list.html
Obtaining a 3DES/AES License
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/DESlic.html
Upgrading ASDM image using ASDM 5.x
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml#maintask3
Upgrading ASDM image using ASDM 6.x
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml#asdm6.x2
Upgrading ASDM image using CLI
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml#maintask21
Cisco Document on issues with using/accessing ASDM
http://www.cisco.com/en/US/products/ps6121/products_tech_note09186a0080aaeff5.shtml
Document on Troubleshooting Telnet/ssh/https access to the ASA
https://supportforums.cisco.com/docs/DOC-13012