
How to troubleshoot Cisco PIX ASDM installation problems

In part two of this tip, we look at some common problems that arise with ASDM installation.

In the first part of this tip, we discussed installing Adaptive Security Device Manager (ASDM) to simplify Cisco PIX firewall configuration. Now, let's take a look at some common problems that arise with ASDM installation.

Troubleshooting

The most common issue I've run into is when ASDM doesn't work or won't start. If it works, it works, and if it doesn't -- well, then we end up reading this part of the article. Here's what to do when ASDM won't start (see the sample output at the end of this article for reference):

  1. First, check that ASDM is installed correctly. To do this, issue the "show flash:" command, which displays the contents of the PIX's flash memory. Look for the ASDM image that we pointed to with the "asdm image" command earlier.
  2. Next, type "show ru" (short for "show running-config") to display the running configuration. Look for a line that reads "asdm image flash: xxxx.bin".
  3. Does the image name in the running config match the image name in flash? If not, use the "asdm image flash: <imagename>" command again with the correct filename from the "show flash:" output, then issue "write mem" to save the configuration.
  4. What if you don't see the "asdm image flash:" line in the running configuration at all? Did you issue the "write mem" command after installing ASDM? If not, that is one reason the line would be missing from the running configuration output.
  5. Issue the "write mem" command and then "show ru" to see whether the line "asdm image flash: xxxx.bin" is now present. If all else fails here, try issuing the "reload" command -- but keep in mind that this command will restart your PIX.

After taking all of the above troubleshooting steps, try to access ASDM once more at https://x.x.x.x/admin.

Suppose the ASDM configuration is correct so far, but ASDM still doesn't work. This can happen for a number of reasons. Here are more causes and workarounds:

  • It's possible that your PIX is denying access to the computer trying to connect. You can turn on syslog and watch from the console to see whether the PIX is refusing the connection. If so, go back and look at the "http x.x.x.x z.z.z.z <interface>" entries in the running configuration to be sure that you entered them correctly. If you need to remove an entry, simply use "no http x.x.x.x z.z.z.z <interface>".
  • Is the HTTP server enabled? This is very important; without it, ASDM won't work. Type "show ru" and press Enter, then look through the configuration output for "http server enable". If you don't see it, enter it from config mode (to enter config mode, type "conf t"). After issuing "http server enable", type "write mem" and try once again to connect to ASDM at https://x.x.x.x/admin.
  • I've done all of the above and ASDM still will not load. Okay, let's try these things:

  • Be sure the interface you will be accessing ASDM from is up. Look at the sample configuration at the end of this article for more information. From config mode (if you aren't in config mode, type "conf t"), issue the command "interface e1" (or "interface ethernet 1"), then type "no shut". This will bring the interface up. Try ASDM again at https://x.x.x.x/admin.
  • Do you have a DES key installed? If not, you can obtain a free 56-bit key from Cisco's website. You must have this DES key for ASDM to work. Normally it's already installed and everything is ready to go. Cisco doesn't tell you this in the ASDM documentation, and it costs a lot to speak to technical support. So, to simplify it, see the notes at the bottom of this tip for DES installation.
  • You may need to regenerate the RSA keys for ASDM to work. These are different from the DES key I mentioned above. To do this, issue the following commands from config mode (to enter config mode, type "conf t"):

    pix(config)# ca zeroise

    pix(config)# crypto key gen rsa modulus 1024

    WARNING: You already have RSA keys defined named <Default-RSA-Key>.

    Do you really want to replace them? [yes/no]: yes

    If that still doesn't work, check out the DES notes below.
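The checks from the numbered steps and the bullets above (the ASDM image named in the running config must exist in flash, "http server enable" must be present, and an "http <addr> <mask> <interface>" entry must cover your workstation on an interface that is not shut down) can be run over pasted CLI output. This is an added example, not code from the original tip; SHOW_FLASH and SHOW_RUN are constructed samples modelled on the output at the end of the article, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample modelled on the captured output in this tip; in practice
# paste in your own 'show flash:' and 'show running-config' output.
SHOW_FLASH = """Directory of flash:/
7      -rw-  5107768     14:36:49 Oct 05 2005  image.bin
11     -rw-  5967052     14:39:06 Oct 05 2005  asdm-502.bin
16128000 bytes total (5044224 bytes free)"""

SHOW_RUN = """interface Ethernet0
 shutdown
 nameif outside
!
interface Ethernet1
 nameif inside
!
asdm image flash:/asdm-502.bin
http server enable
http 192.168.0.0 255.255.255.0 inside"""

def flash_files(show_flash):
    """File names from a 'show flash:' directory listing."""
    return set(re.findall(r"^\s*\d+\s+-rw-\s.*\s(\S+)\s*$", show_flash, re.M))

def shutdown_interfaces(show_run):
    """nameif names of interfaces whose block carries a 'shutdown' line."""
    return {re.search(r"^ nameif (\S+)", b, re.M).group(1)
            for b in re.split(r"^!\s*$", show_run, flags=re.M)
            if re.search(r"^ nameif ", b, re.M) and re.search(r"^ shutdown", b, re.M)}

def asdm_checks(show_run, show_flash, client_ip):
    """Apply the tip's checks; returns {check: 'ok' or the reason it failed}."""
    out = {}
    # Steps 1-5: the image named in running config must exist in flash.
    img = re.search(r"^asdm image flash:\s*/?(\S+)", show_run, re.M)
    out["asdm_image"] = ("no 'asdm image flash:' line (forgot 'write mem'?)" if not img
                         else "ok" if img.group(1) in flash_files(show_flash)
                         else f"{img.group(1)} is not in flash")
    # Without 'http server enable' ASDM cannot be reached at all.
    enabled = re.search(r"^http server enable\s*$", show_run, re.M)
    out["http_server"] = "ok" if enabled else "missing 'http server enable'"
    # An 'http <addr> <mask> <nameif>' entry must cover the client on an interface that is up.
    ip = ipaddress.ip_address(client_ip)
    allowed = [i for a, m, i in re.findall(r"^http (\S+) (\S+) (\S+)\s*$", show_run, re.M)
               if ip in ipaddress.ip_network(f"{a}/{m}", strict=False)]
    out["http_access"] = (f"no 'http' entry permits {client_ip}" if not allowed
                          else f"interface {allowed[0]} is shut down"
                          if set(allowed) <= shutdown_interfaces(show_run) else "ok")
    return out
```

Calling asdm_checks(SHOW_RUN, SHOW_FLASH, "192.168.0.50") on the constructed sample reports every check as "ok"; a workstation outside 192.168.0.0/24 is reported as not matched by any "http" entry.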

    DES Installation:

    1. Navigate to https://www.cisco.com/public/sw-center/sw-ciscosecure.shtml
    2. Click on "Cisco PIX Firewall License Registration"
    3. Find the 56-bit DES license (you may need a CCO login to continue; register for one if needed. The license is free).
    4. Follow the steps listed on Cisco's website. You will need your serial number to register the PIX for a DES license. This can be found by issuing the "show version" command at the CLI.
    5. You will receive an e-mail with the license key. Copy the license key from the e-mail and paste it into the terminal window as the argument of the "activation-key" command, i.e. "activation-key xxxxxxxxxxxx", where the x's are your DES license key.
    6. Issue the "write mem" command and try to access ASDM at https://x.x.x.x/admin. ASDM should load; if not, go through the troubleshooting steps above once more to double-check everything. If all fails, you may need to contact Cisco.
    I hope this article was of some assistance.


    Sample Output:
    PIX Version 7.0(2) <- PIX Software version 
    names 
    ! 
    interface Ethernet0 #Ignore this interface. 
     shutdown 
     nameif outside 
     security-level 0 
     no ip address 
    ! 
    interface Ethernet1 
     nameif inside 
     security-level 100 
     ip address 192.168.0.1 255.255.255.0 
    ! 
    enable password 8Ry2YjIyt7RRXU24 encrypted 
    passwd 2KFQnbNIdI.2KYOU encrypted 
    hostname pixfirewall 
    boot system flash:/image.bin <- PIX Software image location
    ftp mode passive 
    pager lines 24 
    mtu inside 1500 
    mtu outside 1500 
    no failover 
    monitor-interface inside 
    monitor-interface outside 
    -> asdm image flash:/asdm-502.bin <- ASDM image location 
    asdm history enable 
    arp timeout 14400 
    timeout xlate 3:00:00 
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 
    timeout uauth 0:05:00 absolute 
    -> http server enable <- HTTP Server is enabled. 
    -> http 0.0.0.0 0.0.0.0 inside <- We allow all hosts from all subnets connected to the interface "inside"
    no snmp-server location 
    no snmp-server contact 
    snmp-server enable traps snmp 
    telnet timeout 5 
    ssh timeout 5 
    console timeout 0 
    ! 
    class-map inspection_default 
     match default-inspection-traffic 
    ! 
    ! 
    policy-map global_policy 
     class inspection_default 
      inspect dns maximum-length 512 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny 
      inspect sunrpc 
      inspect xdmcp 
      inspect sip 
      inspect netbios 
      inspect tftp 
    ! 
    service-policy global_policy global 
    Cryptochecksum:e60c275dedddfde831eb68c72656d46c 
    : end 
    Flash Contents: 
    pix(config)# show flash: 
    Directory of flash:/ 
    4      -rw-  1483        14:35:45 Oct 05 2005  downgrade.cfg 
    7      -rw-  5107768     14:36:49 Oct 05 2005  image.bin 
    11     -rw-  5967052     14:39:06 Oct 05 2005  asdm-502.bin <- ASDM as it appears in flash. This should match the ASDM location in running config.
    16128000 bytes total (5044224 bytes free) 
    Interface States: 
    pix(config)# show int 
    Interface Ethernet0 "outside", is administratively down, line protocol is down #Ignore this interface
      Hardware is i82559, BW 100 Mbps 
            Auto-Duplex, Auto-Speed 
            MAC address 0004.dd7c.17f8, MTU 1500 
            IP address unassigned 
            0 packets input, 0 bytes, 0 no buffer 
            Received 0 broadcasts, 0 runts, 0 giants 
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 
            0 packets output, 0 bytes, 0 underruns 
            0 output errors, 0 collisions, 0 interface resets 
            0 babbles, 0 late collisions, 0 deferred 
            0 lost carrier, 0 no carrier 
            input queue (curr/max blocks): hardware (128/128) software (0/0) 
            output queue (curr/max blocks): hardware (0/0) software (0/0) 
            Received 0 VLAN untagged packets, 0 bytes 
            Transmitted 0 VLAN untagged packets, 0 bytes 
            Dropped 0 VLAN untagged packets 
    Interface Ethernet1 "inside", is up, line protocol is up #Interface is up and configured properly.
      Hardware is i82559, BW 100 Mbps 
            Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps) 
            MAC address 0004.dd7c.17f9, MTU 1500 
            IP address 192.168.0.1, subnet mask 255.255.255.0 
            557 packets input, 59130 bytes, 0 no buffer 
            Received 421 broadcasts, 0 runts, 0 giants 
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort 
            79 packets output, 5096 bytes, 0 underruns 
            0 output errors, 0 collisions, 0 interface resets 
            0 babbles, 0 late collisions, 0 deferred 
            0 lost carrier, 0 no carrier 
            input queue (curr/max blocks): hardware (128/128) software (0/1) 
            output queue (curr/max blocks): hardware (0/1) software (0/1) 
            Received 557 VLAN untagged packets, 50900 bytes 
            Transmitted 79 VLAN untagged packets, 3348 bytes 
            Dropped 434 VLAN untagged packets 
    Zeroize the CA: 
    pix(config)# ca zeroise 
    pix(config)# crypto key gen rsa modulus 1024 
    WARNING: You already have RSA keys defined named <Default-RSA-Key>.
    Do you really want to replace them? [yes/no]: yes #After this I had the same result with ASDM.
    HTTP Server & Server Access List: 
    pix(config)# show run http 
    http server enable #HTTP Server is Enabled 
    http 0.0.0.0 0.0.0.0 inside #Basic access list allowing any IP from any subnet to the 'inside' interface Ethernet 1.

This was last published in November 2005
