KB ID 0000915
Problem
A colleague of mine was trying to connect to a firewall via ASDM last week, and was greeted by an error like this.
Now this is a pretty standard error, and usually means you haven’t been allowed access, or there isn’t a firewall at that address, but in this case I knew that a) he did have access, b) that was the correct IP address, and c) it worked fine on my machine, so it was setup correctly.
As I said above this is a pretty generic error make sure your ASDM is configured correctly. If no one else can access it then run though the article below.
Solution 1 (Oct 2018)
This stung me once again today! Windows 10, latest version of Java 8, and ASDM version 7.6(1) and 7.9(2). In the debug I was seeing;
Fixed by running;
Solution 2 (circa 2015)
I saw this very problem again today, while hardening a firewall I had disabled some SSL encryption ciphers, I had left aes256-sha1 active, and removed the others. Took me a while to realise, but if you only have one (or both), of the following ciphers enabled, ASDM won’t load;
- aes-256-sha1
- dhe-aes256sha1
If you have any of the following ASDM should load normally;
- aes128-sha1
- dhe-aes128-sha1
- rc4-sha1
- 3des-sha1
At this point I would consider the problem ‘fixed’ and move on, but the client I’m installing the firewall for wanted some clarification as to why it would not work. “Was it a bug?” So I opened a TAC call, and did some Googling. I came across an excellent article. And found I could replicate it exactly;
Log output
Note: the Client (My machine running ASDM) offers 14 cipher sets and theres no match.
By this time I had reply from TAC
————————————–
“The ciphers depends on the client, which in this case is ASDM launcher. ASDM launcher depends on ASDM version installed, latest available launcher is 1.5(73) – ASDM 7.4.1.
I did some tests with the latest software (ciphers741.png) but AES256 was still not proposed by the launcher.
I found a bug opened back in 2012 for exactly same issue, which was closed due to inactivity. Developers mentioned there that launcher is using all the ciphers supported by Java installed on client PC.
https://tools.cisco.com/bugsearch/bug/CSCtx78540/
Please refer to:
https://en.wikipedia.org/wiki/Java_Cryptography_Extension
JCE adds additional ciphers support for a Java client.
I downloaded the JCE for Java 7
Then I copied local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security (these jars were already there so I had to overwrite them).
After that I tried once again and it worked.
————————————–
OK, that seems fair enough, and Kudos to the TAC engineer who had really gone the extra mile. So I thought I’d try and replicate it on the test bench.
Then it worked fine, so I logged the results once again;
Note: We now have 23 cipher proposals from the client.
Solution 3
Java 7 Update 51
Java Version 7 update 51 (Released Jan 2014) does not play nice with the Cisco ASDM.
Note: This is NOT the case if the ASDM presents a known, trusted, (not self signed) digital certificate.
Option 1
The easiest option is simply remove Java and downgrade to Java Version 7 Update 45
OR
You can also upgrade your ASDM to version 7.1(5.100) or later, and use the Java Web Start Option.
java
OR
Create a Java site exception. Note: This DID NOT WORK for me with Java version 7 update 51 to both ASDM Versions 7.1(1) and 7.1(5.100). I only put it here for completeness, because Cisco say it’s a solution.
Related Articles, References, Credits, or External Links
Original Article Written 11/02/14
Kudos and thanks to Michal Kunikowski from Cisco TAC for his assistance.
