Solved

Cisco ASDM: Unable to read configuration from the ASA

Posted on 2010-09-02
5
1,908 Views
Last Modified: 2012-05-10
ASDM version: v1.5(20)
ASA 5540 7.2(1)

I get the following error message when I try to login to ASDM:
"ASDM is unable to read the configuration from the ASA. Please check the configuration and your connection and then try again by clicking the Refresh icon."

This only happens when I login with a username which has privilege other than 15.  When I login with a username which has the highest privilege (15), everything works fine.  Any ideas?
0
Comment
Question by:hoggiee
5 Comments
 
LVL 14

Expert Comment

by:anoopkmr
Comment Utility
try like this

ASDM ver 1.5(20) cannot be ,it has to be minimu asdm521.bin to support ASA version 7.2(1)
see the url : http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/release/notes/asdmrn.html


did u set the below commad on ASA

asdm image flash:asdm-xxx.bin

if any of the above workwround is not working , then try
Uninstall all copies of java from your machine, google search java 1.4.2 and install that and give it a try.
 
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
Cannot Access PIX / ASA  ASDM

Make sure the problem is NOT on your client machine first.

1. First make sure you have Java installed
2. If you’re using a new version of java (Above Version 6 update 9) then downgrade your version.
3. Make sure your using Internet Explorer/Firefox or Mozilla.
4. Make sure you are NOT trying to access the ADSM through a proxy server.
5. Can another PC access the ADSM?
6. If the ADSM Opens but will not launch properly > File > Clear ASDM Cache > Clear internal Log Buffer > Refresh Running Configuration with


Before you proceed make sure that the ASDM has been enabled.

1. Connect to the firewall either by SSH/Telnet/Console Cable.
2. Issue an "enable" command and enter the enable password.
3. Issue a show run command and make sure that you see the following in the running configuration on the device.

Http server enable

Note If you see "no http server enable" then its disabled and you need to go to "Configure Terminal" mode and issue a "http server enable" command.
Note If you see "http server enable {a number}" then it has been set up on a different port number and needs to be accesses via https://ip address:{a

number}

4. Providing the server is enabled you need to ensure that you have been granted access to it you can grant access to a network or an individual host.
5. Ensure the IP address you are trying to open the ASDM from is included in the config, i.e.

Http 192.168.1.1 255.255.255.255 inside <- Will allow this one client
or
http 192.168.1.0 255.255.255.0 inside <- Will allow the entire network

Note if you are outside the firewall yours should say "outside" not "inside".

6. Next make sure the Firewall is looking at the correct file to launch its ADSM look for the following,

ON A PIX FIREWALL
asdm image flash:/asdm-506.bin
asdm image flash:/asdm-501.bin

ON AN ASA FIREWALL
asdm image disk0:/asdm-522.bin
asdm image disk0:/asdm-613.bin

if that command is missing or wrong you won’t be able to launch the ASDM either to make sure that the file exists issue a "show flash" command,

Firewall# show flash
Initializing disk0: cache, please wait....Done.
-#- --length-- -----date/time------ path
  6 5511168    Jan 01 2003 00:07:10 asa707-k8.bin
  7 0          May 15 2008 05:37:16 crypto_archive
  8 6161700    May 15 2008 05:40:24 asdm-507.bin
 11 8312832    Aug 20 2008 08:51:02 asa722-k8.bin
 12 5623108    Aug 20 2008 08:53:04 asdm-522.bin

229728256 bytes available (25698304 bytes used)

Make sure the Version referenced actually exists in the flash memory.
0
 
LVL 2

Accepted Solution

by:
cmonteith earned 400 total points
Comment Utility
While yes,  you certainly should update your ASDM code for stability, the problem your seeing is kind of by design. I don't have anything running super old ASDM, so I can't verify this, but I'm pretty sure in the old revs of ASDM you had to have priv 15 to access.  In the more modern versions you can have difrent levels of users on ASDM.

Now assuming you're not on a buggy version of ASDM, you should be able to configure ASDM to allow three levels of viewing.  The details on it can be found here (based on ASDM 5.2):

https://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/devaccss.html

Look in the section about the authorization tab and it should give you the info you need to set up the various rights....assuming that is your overall goal.
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 100 total points
Comment Utility


Here's a link how to set it up.

 
http://www.fir3net.com/Firewalls/PIX-Cisco/pix-asdm-read-only-account.html

 
There are 16 levels of authorization, 0-15. 15 has the highest privilege level and 0 the least
By default the ASDM will only honor 3 different levels, priv 3(read only), priv 5(monitor), priv15(admin).
For WebVPN configuration like bookmarks, smart-tunnels or portal customization, the ASDM loads the xml file and that functionality is pre-defined for privilege 15 users and it's something we cannot change. We would need to use a privilege 15 for this changes.
0
 

Author Closing Comment

by:hoggiee
Comment Utility
As I mentioned in my question, I have problem only with < privilege 15 users.  Therefore I think it has nothing to do with the JAVA version on the client PC, or any missing ASDM / HTTP commands in my ASA.  After following the guides by cmonteith and anoopkmr, everything works fine.  Thanks!
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now