ASDM is pretty straightforward to troubleshoot. If you cannot connect to the Cisco ASA via ASDM, it’s probably due to one of these causes:
- HTTP server not enabled on the ASA (To rectify, use http server enable command).
- Management workstation’s IP address is not permitted to access ASA (To rectify, use http command).
- Management workstation is trying to connect on the wrong port (To rectify, use http server enable [port] command on the ASA to change the port, or have the management workstation connect to https://ASA_IP_Address:Correct_ASDM_Port).
- Management workstation does not have a compatible web browser or Java installed (To rectify, install/enable JRE or use another browser).
- ASA does not contain a compatible ASDM image on flash (To rectify, copy a compatible ASDM image onto the ASA flash).
Unlike traffic traversing the ASA, you do not need to explicitly permit HTTP or HTTP traffic in an ACL. Management traffic, such as via ASDM, terminates at an interface and does not traverse the firewall. Other ASDM issues can be more easily diagnosed with a quick snuffle through the debug logs. To enable debugging, use the debug http command.
ciscoasa(config)# debug http debug http enabled at level 1.
The following is what a typical ASDM session establishment looks like in the debug output:
The management workstation at 11.11.11.2 opens a web browser to https://11.11.11.1 which is the Cisco ASA’s outside interface. Once the user accepts the certificate, the web browser displays the Cisco ASDM page:

And the debug output of the ASA shows the web browser requesting everything that is presented in index.html such as the graphics and the HTML file.
HTTP: processing GET URL '/' from host 11.11.11.2 HTTP: redirecting to: /admin/public/index.html HTTP: processing GET URL '/admin/public/index.html' from host 11.11.11.2 HTTP: authentication not required HTTP: sending file: public/index.html, length: 6725 HTTP: processing GET URL '/admin/public/cisco.gif' from host 11.11.11.2 HTTP: authentication not required HTTP: file not modified: public/cisco.gif HTTP: processing GET URL '/admin/public/asa-pix.gif' from host 11.11.11.2 HTTP: authentication not required HTTP: file not modified: public/asa-pix.gif
Once the user clicks Run ASDM, the Java Web Start from the Java Runtime Environment (JRE) is launched and the debug log shows:
HTTP: processing GET URL '/admin/public/asdm.jnlp' from host 11.11.11.2 HTTP: authentication not required HTTP: sending file: public/asdm.jnlp, length: 1441
The user receives a login prompt for the ASDM:

And the debug log shows:
HTTP: processing GET URL '/admin/public/asdm.jnlp' from host 11.11.11.2 HTTP: authentication not required HTTP: sending file: public/asdm.jnlp, length: 1441 HTTP: processing GET URL '/admin/public/dm-launcher.jar' from host 11.11.11.2 HTTP: authentication not required HTTP: sending file: public/dm-launcher.jar, length: 106356 HTTP: processing GET URL '/admin/public/lzma.jar' from host 11.11.11.2 HTTP: authentication not required HTTP: sending file: public/lzma.jar, length: 9445 HTTP: processing GET URL '/admin/public/jploader.jar' from host 11.11.11.2 HTTP: authentication not required HTTP: sending file: public/jploader.jar, length: 67446 HTTP: processing GET URL '/admin/public/retroweaver-rt-2.0.jar' from host 11.11.11.2 HTTP: authentication not required HTTP: sending file: public/retroweaver-rt-2.0.jar, length: 111119 HTTP: processing GET URL '/admin/public/asdm32.gif' from host 11.11.11.2 HTTP: authentication not required HTTP: sending file: public/asdm32.gif, length: 1443
After logging in (as user enable_15 in my example), the ASDM interface is launched for the user.
The debug log shows everything that is loaded in ASDM and the credentials used to execute what are essentially show commands:
HTTP: processing GET URL '/admin/version.prop' from host 11.11.11.2 HTTP: authentication required, no authentication information was provided HTTP: processing GET URL '/admin/version.prop' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: sending file: version.prop, length: 109 HTTP: processing GET URL '/admin/pdm.sgz' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: sending file: pdm.sgz, length: 15076818 HTTP: processing GET URL '/admin/asdm_banner' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: file not found: asdm_banner HTTP: processing GET URL '/admin/exec/show+version/show+curpriv/perfmon+interval+10/show+asdm+sessions/show+firewall/show+mode/changeto+system/show+admin-context' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+module/show+module+1+details' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+version' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+curpriv' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+run+aaa+authorization' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+running-config+%7C+grep+%5E%28logging+enable%7Clogging+asdm%7Chostname%7Cdomain-name%29/show+running-config++%7C+grep+%5Ename+/show+running-config+route/show+running-config+interface/show+running-config+track/show+running-config+sla+monitor/show+running-config+threat-detection/show+running-config+dynamic-filter/show+running-config+hpm' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+blocks' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+vpn-sessiondb+summary' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/asdm_handler' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+curpriv' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+curpriv' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+running-config+all+regex/show+running-config+all+class-map' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+run+aaa+authorization' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/config' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/dir+flash%3A%2Fdap.xml' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/export+dap+configuration+stdout' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/disk0/dap.xml' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: file not found: disk0:/dap.xml HTTP: processing GET URL '/admin/cache/sdesktop/data.xml' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: file not found: cache/sdesktop/data.xml HTTP: processing GET URL '/admin/exec/show+module+1+details' from host 11.11.11.2 HTTP: Authentication username = 'enable_15'
Whatever the ASDM user loads from the ASA config, it is shown in the debug output. For example, looking at the ARP Table in ASDM causes this to be generated in the debug log:
HTTP: processing GET URL '/admin/exec/show+arp+' from host 11.11.11.2 HTTP: Authentication username = 'enable_15'
And checking out the VPN Crypto Statistics churns out this debug output:
HTTP: processing GET URL '/admin/exec/show+crypto+protocol+statistics+all' from host 11.11.11.2 HTTP: Authentication username = 'enable_15'
Applying a configuration change on the ASA via the ASDM generates this debug output:
HTTP: processing POST URL '/admin/config' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+version' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+run+aaa+authorization' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+running-config+%7C+grep+%5E%28logging+enable%7Clogging+asdm%7Chostname%7Cdomain-name%29/show+running-config++%7C+grep+%5Ename+/show+running-config+route/show+running-config+interface/show+running-config+track/show+running-config+sla+monitor/show+running-config+threat-detection/show+running-config+dynamic-filter/show+running-config+hpm' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+curpriv' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+curpriv' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+running-config+all+regex/show+running-config+all+class-map' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/show+run+aaa+authorization' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/config' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/dir+flash%3A%2Fdap.xml' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/exec/export+dap+configuration+stdout' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: processing GET URL '/admin/disk0/dap.xml' from host 11.11.11.2 HTTP: Authentication username = 'enable_15' HTTP: file not found: disk0:/dap.xml HTTP: processing POST URL '/admin/config' from host 11.11.11.2 HTTP: Authentication username = 'enable_15'
Additional Information:
asdm image command in the Cisco ASA 8.4 and 8.5 Command Reference.
http command in the Cisco ASA 8.4 and 8.5 Command Reference.
http server enable command in the Cisco ASA 8.4 and 8.5 Command Reference.
Cisco Adaptive Security Device Manager Product Page at cisco.com
Cisco ASA and ASDM Compatibility Matrix Page at cisco.com