KB ID 0000458
Problem
Out of the box Cisco PIX/ASA devices should have a working ASDM. This config can get broken over time, and also there are a few things that can trip you up on your client machine.
Solution
Make sure the client machine you are using is not the problem
1. The ASDM runs using Java make sure the machine has Java installed.
Note: If you are using Java version 7 Update 51 see the following article.
Unable to Access ASDM – “Unable to launch device manager from…”
2. Make sure the internet browser you are using is supported:
Operating System
|
Browser
|
Java SE Plug-in1
|
|||
---|---|---|---|---|---|
Internet Explorer
|
Firefox2
|
Safari
|
Chrome
|
||
Microsoft Windows 10 |
Yes |
Yes |
No support |
Yes |
8.0 |
Apple Macintosh OS X: 10.6 |
No support |
Yes |
Yes |
Yes (64 bit only) |
8.0 |
Ubuntu Linux 14.04 |
N/A |
Yes |
N/A |
Yes |
8.0 (Oracle only) |
Note: Support for Java 5.0 was removed in ASDM 6.4. Obtain Sun Java updates from java.sun.com.
Note: ASDM requires an SSL connection from the browser to the ASA. By default, Firefox does not support base encryption (DES) for SSL and therefore requires the ASA to have a strong encryption (3DES/AES) license. As a workaround, you can enable the security.ssl3.dhe_dss_des_sha setting in Firefox. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.
3. Make sure you are NOT trying to access the ASDM through a proxy server, this is a common “gotcha”!
4. Can another machine access the ASDM?
5. If the ASDM opens but does not display correctly, then do the following, File > Clear ASDM Cache > File > Clear Internal Log Buffer > File > Refresh ASDM with the running Configuration on the Device.
Make sure the ASA is configured correctly, and your PC is “allowed” access
1. Connect to the firewall using either SSH, Telnet, or via the Console Cable.
2. Log into the firewall, go to enable mode > Enter the enable password
[box]
Type help or '?' for a list of available commands. PetesASA> enable Password: ******** PetesASA#
[/box]
3. The ASDM is enabled with the command “http server enabled”, to make sure that’s there issue a “show run http” command”
[box]
PetesASA# show run http
http server enable
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
[/box]
Note: if the command is NOT there, you need to issue the following three commands:
[box]
PetesASA# configure terminal PetesASA(config)# http server enable PetesASA(config)# write mem Building configuration... Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c69 9878 bytes copied in 1.550 secs (9878 bytes/sec) [OK] PetesASA(config)#
[/box]
Note: If you see a number after the command e.g. “http server enable 2456” then you need to access the ASDM on that port, like so {IP address/Name of ASA}:2456 (This is common if you’re port forwarding https but you still want to access the ASDM externally).
4. Assuming that the ASDM has been enabled, the IP address you are accessing from (or the subnet you are on) also needs to be allowed access. You will notice in step 3 above that when you issue the show run http command, it also shows you the addresses that are allowed access, if yours is NOT listed you can add it as follows:
[box]
PetesASA# configure terminal PetesASA(config)# http 10.254.254.5 255.255.255.255 inside PetesASA(config)# http 10.254.254.0 255.255.255.0 inside PetesASA(config)# http 123.123.123.123 255.255.255.255 outside PetesASA(config)# write mem Building configuration... Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89 9878 bytes copied in 1.550 secs (9878 bytes/sec) [OK] PetesASA(config)#
[/box]
5. At this point try and access the ASDM again.
6. The ASA needs to be told what file to use for the ASDM, to make sure its been told issue the following command, (If there is NOT one specified then skip forward to step 7 to see if there is an ASDM image on the firewal)l.
[box]
PetesASA# show run asdm asdm image disk0:/asdm-739.bin Note: on a Cisco PIX the results will look like.. PetesPIX# show run asdm asdm image flash:/asdm-501.bin
[/box]
7. Write down the file that it has been told to use (in the example above asdm-632.bin). Then make sure that file is actually in the firewalls memory with a “show flash” command.
[box]
PetesASA# show flash --#-- --length-- -----date/time------ path 142 15943680 May 08 2010 18:10:42 asa831-k8.bin 144 14240396 May 08 2010 18:11:50 asdm-739.bin 3 2048 Jul 21 2009 12:04:26 log 6 2048 Apr 28 2010 15:08:32 crypto_archive 163 393828 Feb 14 2010 12:23:28 crypto_archive/crypto_arch_1.bin 164 393828 Apr 28 2010 15:08:32 crypto_archive/crypto_arch_2.bin 147 9526560 Jul 21 2009 12:04:52 csd_3.4.1108.pkg 148 2048 Jul 21 2009 12:04:54 sdesktop 150 2648712 Jul 21 2009 12:04:54 anyconnect-win-2.3.0254-k9.pkg 127135744 bytes total (29583360 bytes free)
[/box]
Note: If the file you are looking for is NOT there then (providing you have a valid support agreement with Cisco) download an ASDM image and load it into the firewall see here for instructions.
Note: If the file is in the flash memory but was not referenced in step 6 then you can add the reference with the following command (obviously change the filename to match the one that’s listed in your flash memory).
[box]
PetesASA# configure terminal PetesASA(config)# asdm image disk0:/asdm-631.bin PetesASA(config)# write mem Building configuration... Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89 9878 bytes copied in 1.550 secs (9878 bytes/sec) [OK] PetesASA(config)#
[/box]
Related Articles, References, Credits, or External Links
Connecting to and Managing Cisco Firewalls