Cisco ASA Device Management – Debugging ASDM

- August

2011

Posted By : Gom Jabbar

ASDM is pretty straightforward to troubleshoot. If you cannot connect to the Cisco ASA via ASDM, it’s probably due to one of these causes:

HTTP server not enabled on the ASA (To rectify, use http server enable command).
Management workstation’s IP address is not permitted to access ASA (To rectify, use http command).
Management workstation is trying to connect on the wrong port (To rectify, use http server enable [port] command on the ASA to change the port, or have the management workstation connect to https://ASA_IP_Address:Correct_ASDM_Port).
Management workstation does not have a compatible web browser or Java installed (To rectify, install/enable JRE or use another browser).
ASA does not contain a compatible ASDM image on flash (To rectify, copy a compatible ASDM image onto the ASA flash).

Unlike traffic traversing the ASA, you do not need to explicitly permit HTTP or HTTP traffic in an ACL. Management traffic, such as via ASDM, terminates at an interface and does not traverse the firewall. Other ASDM issues can be more easily diagnosed with a quick snuffle through the debug logs. To enable debugging, use the debug http command.

ciscoasa(config)# debug http
debug http enabled at level 1.

The following is what a typical ASDM session establishment looks like in the debug output:

The management workstation at 11.11.11.2 opens a web browser to https://11.11.11.1 which is the Cisco ASA’s outside interface. Once the user accepts the certificate, the web browser displays the Cisco ASDM page:

And the debug output of the ASA shows the web browser requesting everything that is presented in index.html such as the graphics and the HTML file.

HTTP: processing GET URL '/' from host 11.11.11.2
HTTP: redirecting to: /admin/public/index.html
HTTP: processing GET URL '/admin/public/index.html' from host 11.11.11.2
HTTP: authentication not required
HTTP: sending file: public/index.html, length: 6725
HTTP: processing GET URL '/admin/public/cisco.gif' from host 11.11.11.2
HTTP: authentication not required
HTTP: file not modified: public/cisco.gif
HTTP: processing GET URL '/admin/public/asa-pix.gif' from host 11.11.11.2
HTTP: authentication not required
HTTP: file not modified: public/asa-pix.gif

Once the user clicks Run ASDM, the Java Web Start from the Java Runtime Environment (JRE) is launched and the debug log shows:

HTTP: processing GET URL '/admin/public/asdm.jnlp' from host 11.11.11.2
HTTP: authentication not required
HTTP: sending file: public/asdm.jnlp, length: 1441

The user receives a login prompt for the ASDM:

And the debug log shows:

HTTP: processing GET URL '/admin/public/asdm.jnlp' from host 11.11.11.2
HTTP: authentication not required
HTTP: sending file: public/asdm.jnlp, length: 1441
HTTP: processing GET URL '/admin/public/dm-launcher.jar' from host 11.11.11.2
HTTP: authentication not required
HTTP: sending file: public/dm-launcher.jar, length: 106356
HTTP: processing GET URL '/admin/public/lzma.jar' from host 11.11.11.2
HTTP: authentication not required
HTTP: sending file: public/lzma.jar, length: 9445
HTTP: processing GET URL '/admin/public/jploader.jar' from host 11.11.11.2
HTTP: authentication not required
HTTP: sending file: public/jploader.jar, length: 67446
HTTP: processing GET URL '/admin/public/retroweaver-rt-2.0.jar' from host 11.11.11.2
HTTP: authentication not required
HTTP: sending file: public/retroweaver-rt-2.0.jar, length: 111119
HTTP: processing GET URL '/admin/public/asdm32.gif' from host 11.11.11.2
HTTP: authentication not required
HTTP: sending file: public/asdm32.gif, length: 1443

After logging in (as user enable_15 in my example), the ASDM interface is launched for the user.

The debug log shows everything that is loaded in ASDM and the credentials used to execute what are essentially show commands:

HTTP: processing GET URL '/admin/version.prop' from host 11.11.11.2
HTTP: authentication required, no authentication information was provided
HTTP: processing GET URL '/admin/version.prop' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: sending file: version.prop, length: 109
HTTP: processing GET URL '/admin/pdm.sgz' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: sending file: pdm.sgz, length: 15076818
HTTP: processing GET URL '/admin/asdm_banner' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: file not found: asdm_banner
HTTP: processing GET URL '/admin/exec/show+version/show+curpriv/perfmon+interval+10/show+asdm+sessions/show+firewall/show+mode/changeto+system/show+admin-context' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+module/show+module+1+details' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+version' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+curpriv' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+run+aaa+authorization' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+running-config+%7C+grep+%5E%28logging+enable%7Clogging+asdm%7Chostname%7Cdomain-name%29/show+running-config++%7C+grep+%5Ename+/show+running-config+route/show+running-config+interface/show+running-config+track/show+running-config+sla+monitor/show+running-config+threat-detection/show+running-config+dynamic-filter/show+running-config+hpm' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+blocks' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+vpn-sessiondb+summary' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/asdm_handler' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+curpriv' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+curpriv' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+running-config+all+regex/show+running-config+all+class-map' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+run+aaa+authorization' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/config' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/dir+flash%3A%2Fdap.xml' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/export+dap+configuration+stdout' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/disk0/dap.xml' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: file not found: disk0:/dap.xml
HTTP: processing GET URL '/admin/cache/sdesktop/data.xml' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: file not found: cache/sdesktop/data.xml
HTTP: processing GET URL '/admin/exec/show+module+1+details' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'

Whatever the ASDM user loads from the ASA config, it is shown in the debug output. For example, looking at the ARP Table in ASDM causes this to be generated in the debug log:

HTTP: processing GET URL '/admin/exec/show+arp+' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'

And checking out the VPN Crypto Statistics churns out this debug output:

HTTP: processing GET URL '/admin/exec/show+crypto+protocol+statistics+all' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'

Applying a configuration change on the ASA via the ASDM generates this debug output:

HTTP: processing POST URL '/admin/config' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+version' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+run+aaa+authorization' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+running-config+%7C+grep+%5E%28logging+enable%7Clogging+asdm%7Chostname%7Cdomain-name%29/show+running-config++%7C+grep+%5Ename+/show+running-config+route/show+running-config+interface/show+running-config+track/show+running-config+sla+monitor/show+running-config+threat-detection/show+running-config+dynamic-filter/show+running-config+hpm' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+curpriv' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+curpriv' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+running-config+all+regex/show+running-config+all+class-map' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/show+run+aaa+authorization' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/config' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/dir+flash%3A%2Fdap.xml' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/exec/export+dap+configuration+stdout' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: processing GET URL '/admin/disk0/dap.xml' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'
HTTP: file not found: disk0:/dap.xml
HTTP: processing POST URL '/admin/config' from host 11.11.11.2
HTTP: Authentication username = 'enable_15'