Introduction
This document provides troubleshooting steps for issues that occur when you access or configure the Cisco Adaptive Security Appliance (ASA) with Cisco Adaptive Security Device Manager (ASDM).
Troubleshooting Steps
This troubleshooting topic focuses on three different failure points:
- ASA Configuration
- Network Connectivity
- Application Software
ASA Configuration
To configure ASDM successfully, check these three points:
- ASDM Image in Flash
- ASDM Image in Use
- HTTP Server Restrictions
ASDM Image in Flash
Make sure that an ASDM image compatible with the ASA software version is installed on the ASA. Check the ASDM/ASA compatibility information on the Cisco website.
Enter the show flash command on the ASA CLI to list the files present on the ASA flash memory:
INB_asa# show flash
--#--  --length--  -----date/time------  path
  253  17767924    Mar 12 2020 00:12:02  asdm-702.bin   <--- ASDM image
To further verify that the image on flash is valid and not corrupt, use the verify command. It compares the MD5 hash embedded in the software package with the MD5 hash computed over the file as stored. It also prints the CCO hash, which you can compare with the MD5 published on the Cisco download page to confirm that the file is the one Cisco distributed:
INB_asa# verify flash:/asdm-702.bin
Verifying file integrity of disk0:/asdm-702.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Done!
Embedded Hash MD5: e441a5723505b8753624243c03a40980
Computed Hash MD5: e441a5723505b8753624243c03a40980
CCO Hash MD5: c305760ec1b7f19d910c4ea5fa7d1cf1
Signature Verified
Verified disk0:/asdm-702.bin
ASDM Image in Use
This step checks that the ASA is configured to use the image. The asdm image command in the running configuration must point to the file on flash:
asdm image disk0:/asdm-702.bin
To further verify, use the show asdm image command:
INB_asa# show asdm image
Device Manager image file, disk0:/asdm-702.bin
HTTP Server Restrictions
These commands enable the HTTP server on the ASA and define which source networks are allowed to reach ASDM, and on which interface:
http server enable
http 192.168.1.0 255.255.255.0 inside
http 64.0.0.0 255.0.0.0 outside
Verify that the network you connect from is permitted by one of these lines. If your subnet is not permitted, the ASA does not answer, the request to the ASDM launch page (https://<ASA IP address>/admin) times out and no page is displayed. Keep these statements as narrow as practical: a range as broad as 64.0.0.0/8 on the outside interface exposes the management service to a large part of the Internet.
Also check whether the HTTP server is configured with a non-standard port for ASDM connections, such as 8443. The port shows in the configuration:
INB_asa(config)# show run http
http server enable 8443
If a non-standard port is used, you must specify it when you connect to the ASA in the ASDM launcher (enter the address as 10.106.36.132:8443) and when you access the ASDM launch page: https://10.106.36.132:8443/admin
Possible Configuration Issues When You Connect to ASDM
1. Verify the Secure Sockets Layer (SSL) configuration on the ASA. ASDM uses SSL/TLS to communicate with the ASA. Depending on how ASDM is launched, newer client operating systems and Java versions might refuse weaker ciphers or protocol versions when they negotiate the SSL session.
Verify which ciphers are allowed on the ASA, and whether specific SSL versions are configured, with the show run all ssl command:
INB_asa# show run all ssl
ssl server-version any          <--- SSL version restriction configured on the ASA
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1   <--- SSL ciphers permitted on the ASA
Check the ASA logs for SSL cipher negotiation errors while ASDM launches:
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-302014: Teardown TCP connection 3 for mgmt:64.103.236.189/52501 to identity:10.106.36.132/443 duration 0:00:00 bytes 7 TCP Reset by appliance
The first message shows the ASA rejecting the client hello because none of the ciphers the client offered is in the permitted list; the second is the resulting reset of the connection to the ASDM port. If non-default cipher or version settings are configured, revert them to the default. Bear in mind that this widens what the ASA accepts: the better fix is a list that still excludes weak ciphers such as RC4 and DES but includes the AES ciphers and TLS version that the ASDM client offers.
Verify that the VPN-3DES-AES license is enabled. Without it the ASA cannot offer 3DES or AES ciphers for the SSL session, so a current client finds no shared cipher. Check with the show version command on the CLI; the output looks like this:
INB_asa# show version
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 64MB
Slot 1: ATA Compact Flash, 32MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
<snip>
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
<snip>
2. Check whether WebVPN is enabled on the ASA. If it is, the WebVPN portal answers at the interface address, so you must use the explicit /admin URL (https://10.106.36.132/admin) to reach the ASDM web launch page.
3. Check for a Network Address Translation (NAT) configuration on the ASA that involves port 443 (or the configured ASDM port) on the interface address; a translation of that port redirects the connection away from the ASA itself.
4. Verify that the ASA is set up to listen on the port defined for ASDM with the show asp table socket command on the ASA CLI. The output should show that the ASA listens on the ASDM port:
Protocol Socket Local Address Foreign Address State
SSL 0001b91f 10.106.36.132:443 0.0.0.0:* LISTEN
If this output does not display, remove and reapply the HTTP server configuration on the ASA in order to reset the socket on the ASA software.
5. If you experience issues when you log in or authenticate to ASDM, verify that the authentication options for HTTP are set up correctly:
aaa authentication http console LOCAL
Create a local username and password before you enable this command, or you lock yourself out of ASDM. Full configuration access in ASDM requires privilege level 15:
username <username> password <password> priv <Priv level>
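The cipher-negotiation log check in item 1 above can be automated. The following script is an added example and not part of the Cisco document: it reads ASA syslog lines, counts the %ASA-7-725014 failure reasons, and flags clients whose connections to the ASDM port were torn down by the appliance after almost no bytes, which is the signature of a handshake that never completed. The sample log lines are constructed from the two message formats quoted above; the 1024-byte threshold and the attribution of an SSL error to the next such teardown (the 725014 message names no client) are assumptions.

```python
"""Correlate ASA syslog lines for ASDM TLS handshake failures.

Added example; not from the Cisco document. It understands the two message
formats shown in the document: %ASA-7-725014 (SSL library error, which names
no client) and %ASA-6-302014 (TCP teardown, which does). A teardown to the
ASDM port that carried almost no bytes and ended with "TCP Reset by appliance"
is treated as an aborted handshake; the byte threshold and the attribution of
an SSL error to the next such teardown are assumptions.
"""
import re
from collections import Counter, defaultdict

SSL_ERROR = re.compile(
    r"%ASA-7-725014: SSL lib error\. Function: (?P<func>\S+) Reason: (?P<reason>.+?)\s*$"
)
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)

# Constructed sample, modelled on the messages quoted in the document.
SAMPLE_LOG = """\
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-302014: Teardown TCP connection 3 for mgmt:64.103.236.189/52501 to identity:10.106.36.132/443 duration 0:00:00 bytes 7 TCP Reset by appliance
%ASA-6-302014: Teardown TCP connection 4 for mgmt:64.103.236.189/52502 to identity:10.106.36.132/443 duration 0:00:00 bytes 7 TCP Reset by appliance
%ASA-6-302014: Teardown TCP connection 5 for inside:192.168.1.20/50011 to identity:10.106.36.132/443 duration 0:02:11 bytes 184220 TCP FINs
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
"""

HANDSHAKE_BYTES_MAX = 1024  # assumption: a completed ASDM session moves far more than this


def analyze(lines, asdm_port=443):
    """Return (ssl_reasons, aborted_per_client, reason_per_client)."""
    ssl_reasons = Counter()
    aborted = defaultdict(int)
    attributed = {}
    pending_reason = None  # reason from the most recent 725014 not yet paired
    for line in lines:
        m = SSL_ERROR.search(line)
        if m:
            ssl_reasons[m["reason"]] += 1
            pending_reason = m["reason"]
            continue
        m = TEARDOWN.search(line)
        if not m or int(m["dport"]) != asdm_port:
            continue
        reset = m["reason"].startswith("TCP Reset by appliance")
        if reset and int(m["bytes"]) <= HANDSHAKE_BYTES_MAX:
            aborted[m["src"]] += 1
            if pending_reason is not None:
                attributed.setdefault(m["src"], pending_reason)
        pending_reason = None  # any teardown to the ASDM port consumes the pairing
    return ssl_reasons, dict(aborted), attributed


def report(log_text, asdm_port=443):
    """Human-readable summary of analyze() for one log excerpt."""
    reasons, aborted, attributed = analyze(log_text.splitlines(), asdm_port)
    out = [f"SSL errors by reason: {dict(reasons)}"]
    for client, count in sorted(aborted.items()):
        why = attributed.get(client, "unknown")
        out.append(f"{client}: {count} aborted handshake(s) to port {asdm_port} ({why})")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it the output of show logging (or the syslog export from your collector) and pass the configured port when ASDM runs on something other than 443; a client that appears here with "no shared cipher" is the one whose ASDM launcher needs a cipher the ASA currently does not permit.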
Network Connectivity
- Test with Internet Control Message Protocol (ICMP). Ping the ASA interface from which you want to access ASDM. If ICMP to that interface is not permitted, a failed ping does not by itself prove a connectivity problem.
- Confirm with a packet capture. Place a packet capture on the ASA interface from which you want to access ASDM. The capture should show TCP packets destined to the interface IP address with destination port 443 (or the non-standard ASDM port, if one is configured).
Application Software
This section describes how to troubleshoot the ASDM launcher software that has been installed on the client machine when it fails to launch/load.
Complete these basic troubleshooting steps in order to rule out any issues on the client machine:
- Open the ASDM launch page from another machine. If it launches, the issue is with the client machine in question. If it fails there as well, follow this guide from the beginning to isolate the components involved in order.
- Open the ASDM via web launch, and launch the software directly from there. If it succeeds, it is likely that there are issues with the ASDM launcher installation. Uninstall the ASDM launcher from the client machine, and reinstall it from the ASA web launch itself.
- Clear the ASDM cache directory in the user's home directory. For example, in Windows 7 it is located at C:\Users\<username>\.asdm\cache. Delete the entire cache directory. If ASDM starts successfully, you can also clear the cache from the ASDM File menu.
- Verify that the proper Java version is installed.
- Clear the Java cache. In the Java Control Panel, choose General > Temporary Internet Files, then click View to open the Java Cache Viewer. Delete all entries that refer to ASDM.