Rules lists are empty...but everything is working??

Posted on 2009-02-09
Medium Priority
Last Modified: 2012-05-06
Hello experts.
I wanted to change a couple of access rules on my cisco asa firewall, but when i loaded the asdm  interface all the rules lists were empty!!!
Oddly everything is working, if you try to monitor top 10 access rules you get "n/a config out of sync" on both dest and sorc.
if you want to enable loggin you get : \
[ERROR] logging asdm Informational
logging asdm Informational
 % Invalid input detected at '^' marker.

ASDM v is 6.1
ASA ver: Cisco ASA-5505
I tried to restart both the asa and the server, same results.
Uninstalled the ASDM and the java and reinstalled it...still no luck.
Tried to search experts and google, nothing...
Help..ran out of ideas.
Thank you
Question by:siltech
  • 6
  • 5
LVL 43

Expert Comment

ID: 23593724
Can you post a "show version"?

Author Comment

ID: 23594635
Result of the command: "show version"

Cisco Adaptive Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)

Compiled on Fri 15-Jun-07 19:29 by builders
System image file is "disk0:/asa802-k8.bin"
Config file at boot was "startup-config"

domain-xxx up 11 hours 28 mins

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.01
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is 001f.9e1f.6664, irq 11
 1: Ext: Ethernet0/0         : address is 001f.9e1f.665c, irq 255
 2: Ext: Ethernet0/1         : address is 001f.9e1f.665d, irq 255
 3: Ext: Ethernet0/2         : address is 001f.9e1f.665e, irq 255
 4: Ext: Ethernet0/3         : address is 001f.9e1f.665f, irq 255
 5: Ext: Ethernet0/4         : address is 001f.9e1f.6660, irq 255
 6: Ext: Ethernet0/5         : address is 001f.9e1f.6661, irq 255
 7: Ext: Ethernet0/6         : address is 001f.9e1f.6662, irq 255
 8: Ext: Ethernet0/7         : address is 001f.9e1f.6663, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces  : 8        
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
VPN Peers                    : 10        
WebVPN Peers                 : 2        
Dual ISPs                    : Disabled  
VLAN Trunk Ports             : 0        
Advanced Endpoint Assessment : Disabled  

This platform has a Base license.

Serial Number: JMX1208Z2A3
Running Activation Key: 0xb829715a 0xf43b8469 0x50e3a100 0xae18f4ec 0xc920e799
Configuration register is 0x1
Configuration last modified by admin at 19:47:07.799 UTC Mon Feb 9 2009

if i telnet the firewall i can see everything, all the rules all the interfaces.

LVL 43

Expert Comment

ID: 23596553
Can you post a "show run asdm" and a "dir flash:"
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.


Author Comment

ID: 23598893
Result of the command: "show run asdm"

show run asdm
ERROR: % Invalid input detected at '^' marker.

Result of the command: "dir flash"

dir flash
ERROR: % Invalid input detected at '^' marker.

Author Comment

ID: 23598920

I tried the same commands in telnet:
show run asdm:
asdm image disk0:/asdm-602.bin
no asdm history enable

dir flash:

Directory of disk0:/

69     -rwx  8386560     08:06:02 Feb 22 2008  asa723-k8.bin
70     -rwx  4181246     08:06:26 Feb 22 2008  securedesktop-asa-
71     -rwx  398305      08:06:40 Feb 22 2008  sslclient-win-
72     -rwx  6287244     08:08:10 Feb 22 2008  asdm-523.bin
6      drwx  4096        14:58:12 Apr 10 2008  crypto_archive
74     -rwx  6889764     08:28:42 Apr 10 2008  asdm-602.bin
75     -rwx  14524416    08:54:16 Apr 10 2008  asa802-k8.bin
2      drwx  4096        09:43:38 Apr 10 2008  log
76     -rwx  2206062     07:26:20 Apr 14 2008  sslclient-win-

126849024 bytes total (82898944 bytes free)

LVL 43

Expert Comment

ID: 23600002
Okay, has this worked before?  Did you just upgrade to 8.0(2) and 6.02 ASDM?  Try rebooting the ASA. Have you tried accessing ASDM via a different PC?

Author Comment

ID: 23602782
It worked before.
I would upgrate if I had the cisco.com user name and password.
Tried to reboot, what happened was mails stopped going out because the rules updated ( apparently somebody changed them but never rebooted...). So had to add another rule to let smtp out.
Just tried from another PC...same thing

Author Comment

ID: 23602816
Is it possible that the account I am using doesnt have enough rights to actually see the rules? (( the account works fine on telnet console))
LVL 43

Expert Comment

ID: 23603117
What version of Java do you have on the machine?  Try 1.5 if you are using a different version.  I know there are issues with 1.6.  It isn't a credential thing as your account has level 15 access if you are able to reload or make changes.  If HTTP access wasn't allowed from your IP address, you wouldn't get as far as you are getting but you can do a "show run http" to verify your IP has access via ASDM.

Accepted Solution

siltech earned 0 total points
ID: 23605305
Ok , solved it!!!!
If you got to asa telnet and type "show run" it will show you the use rs and their privileges...
the admin user I was using had "0" privilege, that was the reason I had no rules and "out of sync " message. I created a new user on the telnet, gave him "15" on privilege and tada..Can see everything on ASDM.
Thank you for you replies.
LVL 43

Expert Comment

ID: 23607249
Good deal.  I assumed the account you were using had level 15 access.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question