This document provides information about an error message in the Cisco Adaptive Security Device Manager (ASDM).
There are no specific requirements for this document.
The information in this document is based on Cisco ASDM 5.0 and later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
If you click the Configuration tab in the ASDM, you might receive this error message: "you are authorized to access only Home and Monitoring Views".
The error occurs because the user account does not have sufficient privilege. Go to the PIX/ASA CLI prompt, and create a new user and password with full privilege (level 15) as shown here (the username and password are examples):
ASA(config)#username cisco password cisco123 priv 15
The full privilege level allows you to log into the ASDM.
When you try to run the ASDM interface, you might receive the error "Your Firewall image has a version number null which is not support by ASDM".
The same error on the FWSM appears as:
Your FWSM image has a version number unknown which is not supported by ASDM
This error is caused by one of these reasons:
No ASDM image in the flash
No aaa related configuration for ASDM access through http
Incompatible Java version
Verify whether or not the compatible ASDM image exists in the flash, and then specify the location of the image:
ASA(config)#show asdm image
ASA(config)#asdm image flash:asdm-XXX.bin
Enter the aaa command for ASDM access through http:
ASA(config)#aaa authentication http console <server-tag> LOCAL
Verify whether or not the Java version is compatible. Then upgrade/downgrade the Java version accordingly and install the JRE.
If you attempt to access the ASDM over a VPN connection, make sure the management-access <ASDM access Interface name> command is configured on the ASA. For example, if the ASDM is accessed using the inside interface, then use the management-access Inside command.
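The prerequisites covered so far (a privilege 15 user, the asdm image location, the aaa line for http, the http server and management-access) can be checked against a saved copy of the running configuration. This is an added example, not Cisco code: the function name audit_asdm_access, the report keys and the sample configuration are constructed for illustration, and it looks only for commands named on this page.

```python
import re

# Constructed sample running-config (not from a real device); it omits a
# privilege 15 user and the aaa line so the audit has something to report.
SAMPLE_CONFIG = """\
username monitor password examplehash encrypted privilege 5
asdm image flash:asdm-XXX.bin
http server enable 444
management-access inside
"""

def _first(pattern, config):
    """Return the first match of pattern against any config line, or None."""
    return re.search(pattern, config, re.MULTILINE)

def audit_asdm_access(config):
    """Check a running-config for the ASDM prerequisites named on this page."""
    admins = re.findall(r"^username (\S+) .*\bpriv\w* 15\b", config, re.MULTILINE)
    image = _first(r"^asdm image (\S+)", config)
    http = _first(r"^http server enable(?: (\d+))?\s*$", config)
    aaa = _first(r"^aaa authentication http console (.+)$", config)
    mgmt = _first(r"^management-access (\S+)", config)

    findings = []
    if not admins:
        findings.append("no privilege 15 user: only Home and Monitoring views")
    if not image:
        findings.append("no 'asdm image' line: ASDM image location not specified")
    if not aaa:
        findings.append("no 'aaa authentication http console' line")
    if not http:
        findings.append("no 'http server enable' line")
    return {
        "admins": admins,
        "image": image.group(1) if image else None,
        "http_port": int(http.group(1) or 443) if http else None,  # 443 is the default
        "aaa_methods": aaa.group(1).split() if aaa else [],
        "management_access": mgmt.group(1) if mgmt else None,  # needed for ASDM over VPN
        "findings": findings,
    }

if __name__ == "__main__":
    report = audit_asdm_access(SAMPLE_CONFIG)
    for item in report["findings"]:
        print("FINDING:", item)
```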
When you use a 64-bit Java version on Windows, it causes the ASDM Launcher to fail and the launcher does not run.
This issue is documented in Cisco bug ID CSCtb86774 (registered customers only).
The workaround is to run the ASDM using the web browser.
This log displays when you try to load ASDM (which fails to load):
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
In order to resolve this issue, use an alternate or additional encryption algorithm with the ssl encryption command:
ASA(config)# ssl encryption rc4-sha1
ASA(config)# ssl encryption rc4-md5
This error message displays when you access the ASDM:
In order to resolve this issue, check if a compatible ASDM image is on the flash or not:
ASA#show asdm image
This problem is caused by Cisco bug ID CSCsm39805 (registered customers only). As a result, ASDM cannot be launched.
In order to resolve this issue, access the ASA through the CLI, and assign the http server to listen on a different port.
Example 1:
ASA(config)#no http server enable
ASA(config)#http server enable 444
Example 2:
ASA(config)#no http server enable 8923
ASA(config)#http server enable 8924
This problem is caused by Cisco bug ID CSCsr89144 (registered customers only) in ASA running for more than one year with ASDM 6.0.3 or 6.1. As a result, ASDM cannot be launched.
This error can be resolved by reloading the ASA.
This problem occurs when a user tries to connect to the ASA using ASDM.
Reload the ASA.
This problem is caused by Cisco bug ID CSCsx39786 (registered customers only) in ASA running with ASA 7.2.4 and ASDM 5.2.4. As a result, ASDM cannot be launched.
Downgrade to Java 6 Update 7.
The user is unable to reset the VPN Tunnel using ASDM.
Select Monitoring > VPN > VPN statistics > VPN session and choose active tunnel and log off in order to reset the tunnel.
Not able to start ASDM because of the Java version mismatch.
In order to avoid this error, perform these steps:
Downgrade the Java version to Version 6, Update 7.
Edit the asdm-launcher config file and modify the Java path to the folder that contains the jvm.dll.
The Hit Counter of ASDM does not display a value, including zero (0).
ASDM always sends a request for all ACLs in one HTTP server request string to the FWSM. The FWSM device is unable to handle the super long request to its HTTPS server from the ASDM, runs out of buffer space, and finally drops the request. When you have too many access lists, the request from ASDM to the FWSM becomes too long for the FWSM to process. As a result, it does not get the correct response. This is an expected behavior with the functionality of ASDM and the FWSM. Bugs CSCta01974 (registered customers only) and CSCsz14320 (registered customers only) have been filed to address this behavior with no known workaround. A temporary workaround is to use the CLI to monitor the ACL hits.
There are several other bugs filed to address this issue which are superseded by another bug, CSCsl15055 (registered customers only). This bug shows that the issue is fixed in 6.1(1.54). For the FWSM, the fixed ASDM version is 6.2.1F. The issue has been fixed by tweaking how the ASDM queries the FWSM for the ACL information. Instead of sending one big, long request string that contains all the access list information, the ASDM now splits it into multiple meaningful requests and sends them to the FWSM for processing.
Note: The access list hit count entry on the FWSM is supported from version 4.0 onwards.
User is unable to access ASDM when SSL encryption level is set to AES256-SHA1 on the PC.
This issue occurs when the command ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 is used which sets encryption level to AES256-SHA1. The issue can be resolved by either removing this command or by installing the JCE version of Java so that the PC becomes AES 256 compatible.
While editing an existing network object using ASDM version 6.4.5, the object disappears from the list of all objects when you click OK.
Downgrade to ASDM version 6.2.4 in order to resolve this issue.
The user receives the "ASDM cannot be loaded. Unconnected sockets not implemented." error message when accessing the ASDM.
This error message is the result of an incompatibility between the ASDM version and Java version, and is logged in Cisco bug ID CSCsv12681 (registered customers only).
In order to resolve this issue, try one of these methods:
Upgrade the ASDM to version 6.2 or later.
Specify the Java version as Java 6 Update 7.
Performance issues seen on ASDM when the configuration exceeds 512 kb on a Windows machine.
ASDM supports a maximum configuration size of 512 kb. If you exceed this amount, you may experience performance issues. For example, when you load the configuration, the status dialog shows the percentage of the configuration that is complete. However, with large configurations, it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend that you consider increasing the ASDM system heap memory.
In order to increase the ASDM heap memory size, modify the launcher shortcut.
Complete these steps:
Right-click the shortcut for the ASDM-IDM Launcher, and choose Properties.
Click the Shortcut tab.
In the Target field, change the argument prefixed with -Xmx in order to specify your desired heap size. For example, change it to -Xmx768m for 768 MB or -Xmx1g for 1 GB. For more information about this parameter, refer to the Xmx topic in this Oracle document.
Note: This solution applies only to Windows PCs.
After the upgrade to Java 1.6.0_18, ASDM 6.2 generates this error:
Your current Java memory heap size is less than 512 MB. You must increase the Java memory heap size before accessing IPS functionality
In order to resolve this issue, you need to increase the memory specification to 512 MB:
Use the ASDM launcher on Windows:
For ASDM versions earlier than or equal to 6.2 - Right-click the ASDM launcher icon on the desktop and change the target string value from -Xmx256m to -Xmx512m.
For ASDM versions greater than 6.2 - Go to file C:\Program Files\Cisco Systems\ASDM\asdm-launcher.config and update string -Xmx256m to -Xmx512m.
Use the Run ASDM option on Windows/Linux:
When the Run ASDM option is selected, you will receive an option to download the asdm.jnlp file or bring up the ASDM using Java webstart. After you download the asdm.jnlp file, edit it in order to change the "max-heap-size" value from 256m to 512m. Then, bring up the asdm.jnlp file with Java webstart in order to bring up ASDM.
Refer to Cisco bug ID CSCtf21045 (registered customers only) for more information.
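The heap changes described above (the -Xmx argument in the launcher shortcut or asdm-launcher.config, and max-heap-size in asdm.jnlp) can be scripted so that a value is only ever raised, never lowered. This is an added example, not Cisco code: the function names are hypothetical, the sample launcher arguments and JNLP document are constructed, and it assumes the JNLP file carries max-heap-size as an XML attribute.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not copied from a real ASDM installation).
SAMPLE_LAUNCHER_ARGS = "-Xms64m -Xmx256m"
SAMPLE_JNLP = """\
<jnlp spec="1.0+">
  <resources>
    <j2se version="1.6+" max-heap-size="256m"/>
  </resources>
</jnlp>
"""

UNITS = {"k": 1 / 1024, "m": 1, "g": 1024}  # multiplier to megabytes

def to_mb(size):
    """Convert a JVM heap size such as 256m or 1g to megabytes."""
    match = re.fullmatch(r"(\d+)([kmg])", size.strip().lower())
    if not match:
        raise ValueError(f"unrecognised heap size: {size!r}")
    return int(match.group(1)) * UNITS[match.group(2)]

def raise_xmx(args, minimum="512m"):
    """Raise every -Xmx argument below minimum; larger values are kept."""
    def fix(match):
        if to_mb(match.group(1)) >= to_mb(minimum):
            return match.group(0)
        return "-Xmx" + minimum
    return re.sub(r"-Xmx(\d+[kmgKMG])", fix, args)

def raise_jnlp_heap(jnlp_xml, minimum="512m"):
    """Raise max-heap-size on every element of a JNLP document that has it."""
    root = ET.fromstring(jnlp_xml)
    for element in root.iter():
        current = element.get("max-heap-size")
        if current is not None and to_mb(current) < to_mb(minimum):
            element.set("max-heap-size", minimum)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(raise_xmx(SAMPLE_LAUNCHER_ARGS))
    print(raise_jnlp_heap(SAMPLE_JNLP))
```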
Revision | Publish Date | Comments |
---|---|---|
1.0 | 28-Apr-2009 | Initial Release |