ASDM Troubleshooting

Introduction

This document provides information about an error message in the Cisco Adaptive Security Device Manager (ASDM).

This video posted to the Cisco Support Community demonstrates how to troubleshoot a few of the common ASDM access issues:

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on Cisco ASDM 5.0 and later.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Problem: You are Authorized to Access Only Home and Monitoring Views

If you click the Configuration tab in the ASDM, you might recieve this error message: "you are authorized to access only Home and Monitoring Views".

Solution

The error occurs due to the user privilege. Go to the PIX/ASA CLI prompt, and create the new user and password with full privilege 15 as shown here:

ASA(config)#username cisco password cisco123 priv 15

The full privilege level allows you to log into the ASDM.

Problem: Your Firewall Image has a Version Number Null which is not Supported by ASDM

When you try to run the ASDM interface, the Your Firewall image has a version number null which is not support by ASDM error may be received.

The same error on the FWSM appears as:

Your FWSM image has a version number unknown which is not supported by ASDM

This error is caused by one of these reasons:

• No ASDM image in the flash

• No aaa related configuration for ASDM access through http

• Incompatible Java version

Solution 1

Verify whether or not the compatible ASDM image exists in the flash, and then specify the location of the image:

ASA(config)#show asdm image

ASA(config)#asdm image flash:asdm-XXX.bin

Solution 2

Enter the aaa command for ASDM access through http:

ASA(config)#aaa authentication http console <server-tag> LOCAL

Solution 3

Verify whether or not the Java version is compatible. Then upgrade/downgrade the Java version accordingly and install the JRE.

Solution 4

If you attempt to access the ASDM over a VPN connection, make sure the management-access <ASDM access Interface name> command is configured on the ASA. For example, if the ASDM is accessed using the inside interface, then use the management-access Inside command.

Problem: Using a 64-bit Java Version on Windows causes ASDM Launcher to Fail and the Launcher does not Run

When you use a 64-bit Java version on Windows, it causes the ASDM Launcher to fail and the launcher does not run.

Solution

This issue is documented in Cisco bug ID CSCtb86774 (registered customers only) .

The workaround is to run the ASDM using the web browser.

Problem: %ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher

This log displays when you try to load ASDM (which fails to load):

%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no
shared cipher

Solution

In order to resolve this issue, use an alternate or additional encryption alogorithm and use the ssl encryption command:

ASA(config)# ssl encryption rc4-sha1

        ASA(config)# ssl encryption rc4-md5

Problem: Unable to Launch Device Manager from ip-address/hostname

This error message displays when you access the ASDM:

Solution

In order to resolve this issue, check if a compatible ASDM image is on the flash or not:

ASA#show asdm image

Problem: When 'http 0 0 outside' is configured, the 'Could not start admin' Error Message is Displayed

This problem is caused by Cisco bug ID CSCsm39805 (registered customers only) . As a result, ASDM cannot be launched.

Solution

In order to resolve this issue, access the ASA through the CLI, and assign the http server to listen on a different port.

Example 1:

ASA(config)#no http server enable
ASA(config)#http server enable 444

Example 2:

ASA(config)#no http server enable 8923
ASA(config)#http server enable 8924

Problem: Exception in thread "SGZ Loader: launchSgzApplet" java.lang.NumberFormatException: For input string: "1 year 0"

This problem is caused by Cisco bug ID CSCsr89144 (registered customers only) in ASA running for more than one year with ASDM 6.0.3 or 6.1. As a result, ASDM cannot be launched.

Solution

This error can be resolved by reloading the ASA.

Problem: ASDM Cannot be loaded. Click Ok to exit ASDM. Unexpected end of file from server.

This problem occurs when a user tries to connect to the ASA using ASDM.

Solution

Reload the ASA.

Problem: Error - ASDM is unable to read the configuration file

This problem is caused by Cisco bug ID CSCsx39786 (registered customers only) in ASA running with ASA 7.2.4 and ASDM 5.2.4. As a result, ASDM cannot be launched.

Solution

Downgrade to Java 6 Update 7.

Problem: Unable to Reset the VPN Tunnel using ASDM

The user is unable to reset the VPN Tunnel using ASDM.

Solution

Select Monitoring > VPN > VPN statistics > VPN session and choose active tunnel and log off in order to reset the tunnel.

Problem: Unable to load the DLL "C:\Program Files\Java\jre6\bin\client\jvm.dll"

Not able to start ASDM because of the Java version mismatch.

Solution

In order to avoid this error, perform these steps:

1. Downgrade the Java version to Version 6, Update 7.

2. Edit the adsm-launcher config file and modify the Java path to the folder that contained the jvm.dll.

Problem: Unable to view access list hit count entry on ASDM

The Hit Counter of ASDM does not display a value, including zero (0).

Solution

ASDM always sends a request for all ACLs in one HTTP server request string to the FWSM. The FWSM device is unable to handle the super long request to its HTTPS server from the ASDM, runs out of buffer space, and finally drops the request. When you have too many access lists, the request from ASDM to the FWSM becomes too long for the FWSM to process. As a result, it does not get the correct response. This is an expected behavior with the functionality of ASDM and the FWSM. Bugs CSCta01974 (registered customers only) and CSCsz14320 (registered customers only) have been filed to address this behavior with no known workaround. A temporary workaround is to use the CLI to monitor the ACL hits.

There are several other bugs filed to address this issue which are superseded by another bug, CSCsl15055 (registered customers only) . This bug shows that the issue is fixed in 6.1(1.54). For the FWSM, the fixed ASDM version is 6.2.1F. The issue has been fixed by tweaking how the ASDM queries the FWSM for the ACL information. Instead of sending one big, long request string that contains all the access list information, the ASDM now splits them into multiple meaningful requests and sends to the FWSM for processing.

Note: The access list hit count entry on the FWSM is supported from version 4.0 onwards.

Problem: Unable to access ASDM when SSL encryption level is set to AES256-SHA1

User is unable to access ASDM when SSL encryption level is set to AES256-SHA1 on the PC.

Solution

This issue occurs when the command ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 is used which sets encryption level to AES256-SHA1. The issue can be resolved by either removing this command or by installing the JCE version of Java so that the PC becomes AES 256 compatible.

Problem: ASA network objects get deleted when using ASDM version 6.4.5

While editing an existing network object using ASDM version 6.4.5, the object disappears from the list of all objects when you click OK.

Solution

Downgrade to ASDM version 6.2.4 in order to resolve this issue.

Problem: Error - ASDM cannot be loaded. Unconnected sockets not implemented.

The user receives the ASDM cannot be loaded. Unconnected sockets not implemented. error message when accessing the ASDM.

Solution

This error message is the result of an incompatibility between the ASDM version and Java version, and is logged in Cisco bug ID CSCsv12681 (registered customers only) .

In order to resolve this issue, try one of these methods:

• Upgrade the ASDM to version 6.2 or later.

• Specify the Java version as Java 6 Update 7.

Problem: Performance issues when ASDM configuration size exceeds 512 kb on Windows

Performance issues seen on ASDM when the configuration exceeds 512 kb on a Windows machine.

Solution

ASDM supports a maximum configuration size of 512 kb. If you exceed this amount, you may experience performance issues. For example, when you load the configuration, the status dialog shows the percentage of the configuration that is complete. However, with large configurations, it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend that you consider increasing the ASDM system heap memory.

In order to increase the ASDM heap memory size, modify the launcher shortcut.

Complete these steps:

1. Right-click the shortcut for the ASDM-IDM Launcher, and choose Properties.

2. Click the Shortcut tab.

3. In the Target field, change the argument prefixed with -Xmx in order to specify your desired heap size. For example, change it to -Xmx768m for 768 MB or -Xmx1g for 1 GB. For more information about this parameter, refer to the Xmx topic in this Oracle document .

   Note: This solution applies only to Windows PCs.

Problem: Error received when accessing the IPS functionality tab in ASDM 6.2

After the upgrade to Java 1.6.0_18, ASDM 6.2 generates this error:

Your current Java memory heap size is less than 512 MB. You must increase the Java memory heap size before accessing IPS functionality

Solution

In order to resolve this issue, you need to increase the memory specification to 512 MB:

• Use the ASDM launcher on Windows:

  For ASDM versions lesser then/equal to 6.2 - Right-click the ASDM launcher icon on the desktop and change the target string value from -Xmx256m to -Xmx512m.

  For ASDM versions greater than 6.2 - Go to file C:\Program Files\Cisco Systems\ASDM\asdm-launcher.config and update string -Xmx256m to -Xmx512m.

• Use the Run ASDM option on Windows/Linux:

  When the Run ASDM option is selected, you will receive an option to download the asdm.jnlp file or bring up the ASDM using Java webstart. After you download the asdm.jnlp file, edit it in order to change the "max-heap-size" value from 256m to 512m. Then, bring up the asdm.jnlp file with Java webstart in order to bring up ASDM.

Refer to Cisco bug ID CSCtf21045 (registered customers only) for more information.

Related Information

• Cisco Adaptive Security Device Manager Product Support
• Cisco ASA 5500 Series Adaptive Security Appliances Product Support
• Technical Support & Documentation - Cisco Systems