ROUTING AND SWITCHING
How to troubleshoot Cisco PIX ASDM installation problems
Brian Clark
11.08.2005
Rating: -4.33- (out of 5)
|
In the first part of this tip, we discussed installation of Adaptive Security Device Manager (ASDM) to simplify Cisco PIX firewall configuration. Now, let's take a look at some common problems that arise with ASDM installation.
Troubleshooting
The most common issue I've run into is when ASDM doesn't work/won't start. If it works, it works, and if it doesn't -- well, then we end up reading this part of the article. Here's what to do when ASDM won't start: (See the sample output at the end of this article for references).
- The first thing we need to check is to see if ASDM is installed correctly. To do this, issue the "show flash:" command. This will display the contents of the PIX's flash memory. Look for the ASDM image that we pointed to with the "asdm image" command earlier.
- Next, type "show ru" to display the running configuration. Look for a line that says "asdm image flash: xxxx.bin".
- Does the image name in running config match the image name in flash? If not, use the "asdm image flash: <imagename>" command again with the correct filename from the "show flash:" command. Then issue the command "write mem" to write the config.
- Now, what if you don't even see the "asdm image flash:" line in running configuration? Did you issue the "write mem" command after installing ASDM? If not, that's one reason why you would not see it in the running configuration output.
- Issue the "write mem" command and then "show ru" to see if the line "asdm image flash: xxxx.bin" is there. If all else fails here, try issuing the "reload" command -- but keep in mind that this command will restart your PIX.
After all of the above steps are taken for troubleshooting, try to access ADSM once more at https://x.x.x.x/admin.
My ASDM configuration is correct so far, but still a no-go on ASD...
To continue reading for free, register below or login
To read more you must become a member of SearchNetworking.com
M working. This can be for a number of reasons. Here are more reasons and workarounds:
It's possible that your PIX is denying access to the computer trying to connect. You can turn syslog on and watch from console to see if the PIX is not letting you in. If this is the case, go back and look at the "http x.x.x.x z.z.z.z <interface>" entries in the running configuration to be sure that you entered them correctly. If you need to remove an entry, simply use "no http x.x.x.x z.z.z.z <interface>."
Is the http sever enabled? This is very important; without it enabled, ASDM won't work. Type "show ru" and press enter. Look at your configuration output and look for "http server enable." If you don't see it, type it from config mode. To enter config mode type "conf t". After issuing the command "http server enable" type "write mem" and try once again to connect to ASDM at https://x.x.x.x/admin .
I've done all of the above and ASDM still will not load. Okay, let's try these things:
Be sure the interface you will be accessing ASDM from is up. Look at the sample configuration at the end of this article for more information. Issue the command "interface e1" from config mode, if you aren't in config mode type "conf t". Now once you have issued the "interface e1" command or "interface ethernet 1" then type "no shut". This will bring the interface up. Try ASDM again at https://x.x.x.x/admin.
Do you have a DES key installed? If not, you can obtain a free key (56-bit) from Cisco's Website. You must have this DES key for ASDM to work. Normally, it's installed and everything is okay and ready to go. Cisco doesn't tell you this in the ASDM documentation, and it costs a lot to speak to technical support. So, to simplify it, see the notes at the bottom of this tip for DES installation.
You may need to regenerate the RSA keys for ASDM to work. These are different from the DES key I mentioned above. To do this, issue the following commands from config mode. To enter config mode type "conf t":
pixconfig)# ca zeroise
pix(config)# crypto key gen rsa modulus 1024
WARNING: You already have RSA keys defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
If that still doesn't work, check out the DES notes below.
DES Installation:
- Navigate to http://www.cisco.com/public/sw-center/sw-ciscosecure.shtml
- Click on "Cisco PIX Firewall License Registration"
- Find the 56-bit DES license (You may need a CCO login to continue, register for one if needed. The license is free.)
- Follow the steps listed on Cisco's Website. You will need your serial number to register the PIX for a DES license. This can be found by issuing the "show version" command at the CLI.
- You will receive an e-mail with the license key. Copy the license key and paste it into the terminal window with the command "activation-key xxxxxxxxxxxx" followed by the DES license.
- Issue the "write mem" command and try to access ASDM at https://x.x.x.x/admin . ASDM should load, if not, look at the troubleshooting steps above once more to double check everything. If all fails, you may need to contact Cisco.
I hope this article was of some assistance.
Sample Output:
|
|
|
|
|
|
