Troubleshooting
The most common issue I've run into is ASDM not starting at all. If it works, it works; if it doesn't, you end up reading this part of the article. Here is what to check when ASDM won't start (the sample output at the end of the article is referenced throughout).
- First, confirm that ASDM is actually installed. Issue "show flash:" to list the contents of the PIX's flash memory and look for the ASDM image that the "asdm image" command pointed to earlier.
- Next, issue "show running-config" (abbreviated "show run") to display the running configuration and look for a line of the form "asdm image flash:/xxxx.bin".
- Does the image name in the running configuration match the file name in flash? If not, re-issue "asdm image flash:/<imagename>" with the exact file name reported by "show flash:", then issue "write mem" to save the configuration.
- What if there is no "asdm image flash:" line in the running configuration at all? Did you issue "write mem" after installing ASDM? "write mem" copies the running configuration to the startup configuration; if the PIX was reloaded before you saved, the "asdm image" line was lost along with the rest of the unsaved changes.
- In that case, enter the "asdm image flash:/<imagename>" command again, issue "write mem", and confirm with "show run asdm" (or "show run") that the line is now present. If all else fails, try the "reload" command, keeping in mind that it restarts the PIX and interrupts all traffic through it.
After working through the steps above, try to access ASDM once more at https://x.x.x.x/admin.
If the ASDM configuration checks out and ASDM still will not load, there are a few more things to try. First, confirm that the HTTPS listener is reachable from your workstation: "show run http" must show "http server enable" and an "http <network> <mask> <interface>" line that covers the address you are connecting from. In the sample output, "http 0.0.0.0 0.0.0.0 inside" permits every host behind the inside interface; that is convenient while troubleshooting, but narrow it to the management subnet or host once ASDM works. Next, regenerate the RSA key pair that the HTTPS server uses for its self-signed certificate, answering "yes" when asked to replace the existing default key pair:
pix(config)# crypto key generate rsa modulus 1024
WARNING: You already have RSA keys defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes
(PIX 7.0 accepts a modulus of up to 2048 bits; prefer the largest your platform handles in reasonable time.) If that still doesn't work, go through the DES license steps below: ASDM talks HTTPS, and a PIX without a DES or 3DES/AES license has no SSL cipher to offer.
- Navigate to http://www.cisco.com/public/sw-center/sw-ciscosecure.shtml
- Click "Cisco PIX Firewall License Registration".
- Find the 56-bit DES license. (You may need a CCO login to continue; register for one if needed. The license is free.) Bear in mind that 56-bit DES is weak by today's standards; if the page also offers the 3DES/AES license, request that one as well so that ASDM can negotiate stronger SSL ciphers.
- Follow the steps listed on Cisco's website. You will need the PIX's serial number to register it for the DES license; "show version" displays it at the CLI.
- You will receive an e-mail containing the activation key. Paste it into the terminal window as "activation-key <key>", using the key exactly as it appears in the e-mail.
- Issue "write mem" and try https://x.x.x.x/admin again. ASDM should now load; if it does not, go back through the troubleshooting steps above and double-check everything. If it still fails, you may need to contact Cisco.
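As an added example (not part of the original article), the script below applies the checks from the troubleshooting steps and the license section above to captured CLI output: it confirms that the "asdm image" line names a file that really exists in flash, that "http server enable" and an "http" statement cover the workstation you are connecting from, and that "show version" reports the VPN-DES feature (and whether VPN-3DES-AES is licensed too). The three sample outputs embedded in it are constructed: the running configuration and flash listing are abridged from the article's own sample output, and the "show version" excerpt is modelled on the license block of PIX 7.0 output. The client address 192.168.0.20 and the narrowed "http 192.168.0.0 255.255.255.0 inside" line are assumptions made for the example.

```python
"""Check the ASDM prerequisites from the article against captured PIX output:
  * the 'asdm image flash:/...' line names a file that is really in flash,
  * 'http server enable' is set and an 'http <net> <mask> <if>' line covers
    the workstation you connect from,
  * 'show version' reports VPN-DES (and ideally VPN-3DES-AES) as Enabled.
All three sample outputs are constructed for this example."""

import ipaddress
import re

# Constructed sample (abridged from the article's running configuration).
RUNNING_CONFIG = """\
PIX Version 7.0(2)
hostname pixfirewall
boot system flash:/image.bin
asdm image flash:/asdm-502.bin
asdm history enable
http server enable
http 0.0.0.0 0.0.0.0 inside
"""

# Assumed least-privilege variant: the 'http' statement narrowed to the management LAN.
RESTRICTED_CONFIG = RUNNING_CONFIG.replace(
    "http 0.0.0.0 0.0.0.0 inside", "http 192.168.0.0 255.255.255.0 inside")

# Constructed sample (the article's 'show flash:' listing).
SHOW_FLASH = """\
Directory of flash:/
4    -rw-  1483     14:35:45 Oct 05 2005  downgrade.cfg
7    -rw-  5107768  14:36:49 Oct 05 2005  image.bin
11   -rw-  5967052  14:39:06 Oct 05 2005  asdm-502.bin
16128000 bytes total (5044224 bytes free)
"""

# Constructed sample modelled on the license block of PIX 7.0 'show version'.
SHOW_VERSION = """\
Licensed features for this platform:
VPN-DES                     : Enabled
VPN-3DES-AES                : Disabled
Serial Number: 807000000
"""

# index  perms  size  time  month  day  year  name
FLASH_ENTRY = re.compile(r"^\s*\d+\s+-rw-\s+\d+\s+\S+\s+\S+\s+\d+\s+\d{4}\s+(\S+)")
# PIX 'http <network> <mask> <interface>' statement
HTTP_ACL = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$", re.M)


def flash_files(show_flash):
    """Set of file names listed by 'show flash:'."""
    return {m.group(1) for m in map(FLASH_ENTRY.match, show_flash.splitlines()) if m}


def asdm_image(running_config):
    """File name from the 'asdm image flash:/...' line, or None if the line is absent."""
    m = re.search(r"^asdm image flash:/?\s*(\S+)", running_config, re.M)
    return m.group(1) if m else None


def http_allows(running_config, client_ip, interface):
    """True if the HTTP(S) server is enabled and an 'http' statement on
    `interface` covers `client_ip`."""
    if not re.search(r"^http server enable$", running_config, re.M):
        return False
    ip = ipaddress.ip_address(client_ip)
    for net, mask, ifname in HTTP_ACL.findall(running_config):
        if ifname == interface and ip in ipaddress.ip_network(f"{net}/{mask}", strict=False):
            return True
    return False


def license_flags(show_version):
    """{'VPN-DES': bool, 'VPN-3DES-AES': bool} parsed from the 'show version' license block."""
    return {feat: state == "Enabled"
            for feat, state in re.findall(r"^(VPN-DES|VPN-3DES-AES)\s*:\s*(\S+)", show_version, re.M)}


def asdm_checks(running_config, show_flash, show_version, client_ip, interface="inside"):
    """Run every check; returns a list of (name, passed, detail) tuples."""
    image, files, lic = asdm_image(running_config), flash_files(show_flash), license_flags(show_version)
    return [
        ("asdm image line present", image is not None,
         image or "no 'asdm image' line: re-enter it and 'write mem'"),
        ("asdm image exists in flash", image in files, "flash holds " + ", ".join(sorted(files))),
        ("http access from " + client_ip, http_allows(running_config, client_ip, interface),
         "needs 'http server enable' plus an 'http' line on " + interface),
        ("DES license (required for HTTPS)", lic.get("VPN-DES", False), str(lic)),
        ("3DES/AES license (stronger SSL ciphers)", lic.get("VPN-3DES-AES", False), str(lic)),
    ]


if __name__ == "__main__":
    for name, ok, detail in asdm_checks(RUNNING_CONFIG, SHOW_FLASH, SHOW_VERSION, "192.168.0.20"):
        print(f"[{'OK  ' if ok else 'FAIL'}] {name}: {detail}")
```

Paste the real outputs into the three strings (or read them from files) and run the script. A failing "asdm image exists in flash" check is exactly the mismatch the first troubleshooting steps look for, and RESTRICTED_CONFIG shows the narrowed "http" statement you should move to once ASDM works, so that only the management subnet can reach the HTTPS listener.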
Sample Output:
PIX Version 7.0(2) <- PIX Software version
names
!
interface Ethernet0 #Ignore this interface.
shutdown
nameif outside
security-level 0
no ip address
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
boot system flash:/image.bin <- PIX Software image location
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
-> asdm image flash:/asdm-502.bin <- ASDM image location
asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
-> http server enable <- HTTP Server is enabled.
-> http 0.0.0.0 0.0.0.0 inside <- We allow all hosts from all subnets connected to the interface "inside"
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:e60c275dedddfde831eb68c72656d46c
: end
Flash Contents:
pix(config)# show flash:
Directory of flash:/
4 -rw- 1483 14:35:45 Oct 05 2005 downgrade.cfg
7 -rw- 5107768 14:36:49 Oct 05 2005 image.bin
11 -rw- 5967052 14:39:06 Oct 05 2005 asdm-502.bin <- ASDM as it appears in flash. This should match the ASDM location in running config.
16128000 bytes total (5044224 bytes free)
Interface States:
pix(config)# show int
Interface Ethernet0 "outside", is administratively down, line protocol is down #Ignore this interface
Hardware is i82559, BW 100 Mbps
Auto-Duplex, Auto-Speed
MAC address 0004.dd7c.17f8, MTU 1500
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Received 0 VLAN untagged packets, 0 bytes
Transmitted 0 VLAN untagged packets, 0 bytes
Dropped 0 VLAN untagged packets
Interface Ethernet1 "inside", is up, line protocol is up #Interface is up and configured properly.
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 0004.dd7c.17f9, MTU 1500
IP address 192.168.0.1, subnet mask 255.255.255.0
557 packets input, 59130 bytes, 0 no buffer
Received 421 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
79 packets output, 5096 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/1) software (0/1)
Received 557 VLAN untagged packets, 50900 bytes
Transmitted 79 VLAN untagged packets, 3348 bytes
Dropped 434 VLAN untagged packets
Regenerate the RSA keys:
pix(config)# crypto key generate rsa modulus 1024
WARNING: You already have RSA keys defined named <Default-RSA-Key>.
Do you really want to replace them? [yes/no]: yes #After this I had the same result with ASDM.
HTTP Server & Server Access List:
pix(config)# show run http
http server enable #HTTP Server is Enabled
http 0.0.0.0 0.0.0.0 inside #Basic access list allowing any IP from any subnet to the 'inside' interface Ethernet1.
This was first published in November 2005