Unable to Launch Device Manager

Cisco ASA Firewall ASDM Incompatibility with Java 7 Update 51

The latest version of Java 7 Update 51 that was deployed this week breaks access to Cisco ASA firewalls running ASDM.  When you connect with the ASDM you get the following error message: “Unable to launch device manager from X.X.X.X”

Unable to Launch Device Manager
“Unable to launch device manager from”

The symptoms are that the web page for the firewall will show up and display normally, but you can’t connect to the server with the ASDM launcher.  The log on the firewall shows

%ASA-6-302013: Built inbound TCP connection 112 for outside:X.X.X.X/64508 (X.X.X.X/64508) to identity:Y.Y.Y.Y/443 (Y.Y.Y.Y/443)
%ASA-6-725001: Starting SSL handshake with client outside:X.X.X.X/64508 for TLSv1 session.
%ASA-7-725010: Device supports the following 6 cipher(s).
%ASA-7-725011: Cipher[1] : RC4-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-RSA-AES256-SHA
%ASA-7-725011: Cipher[4] : AES128-SHA
%ASA-7-725011: Cipher[5] : AES256-SHA
%ASA-7-725011: Cipher[6] : DES-CBC3-SHA
%ASA-7-725008: SSL client outside:X.X.X.X/64508 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[3] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[4] : RC4-SHA
%ASA-7-725011: Cipher[5] : DES-CBC3-SHA
%ASA-7-725011: Cipher[6] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:X.X.X.X/64508
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: sslv3 alert certificate unknown
%ASA-6-725006: Device failed SSL handshake with client outside:X.X.X.X/64508
%ASA-6-302014: Teardown TCP connection 112 for outside:X.X.X.X/64508 to identity:Y.Y.Y.Y/443 duration 0:00:00 bytes 580 TCP Reset by appliance

Cisco has included this information in their latest release notes:

If you use Java 7 Update 51, you must upgrade ASDM to Version 7.1(5.100) or later, and you can only use the Java web start. The ASDM Launcher is not supported.

So the alternatives are to downgrade your Java on your workstation or upgrade to the latest ASDM version at this point to get the ASDM working again.

20 thoughts on “Cisco ASA Firewall ASDM Incompatibility with Java 7 Update 51”

  1. I upgraded to Java 7 Update 51, and I have ASDM ver 7.1(3). When I browsed using IE 10 to the to the ASDM web page on the ASA and added the certificate to my trusted root certificate store, I was successful in using both the ASDM webstart and the ASDM Launcher.

  2. By adding the Cisco certificate to the trusted root certificates store on the Windows workstation, I was able to use both the ASDM Launcher and Java Web Start from as far back as ASDM Version 6.4(7).

  3. I am having the same issue. I’ve installed multiple versions of older java including the 32-bit versions and have had no success even installing the asdm.

    Any and all help is appreciated.

  4. This sounds like a different problem as there is no problem installing the ASDM with the new version of Java, but there are issues trying to log into it. Are you getting a particular error during the installation?

  5. I am experiencing the same issue on our ASA5510. Looking at the asdm logs in shows the following error:

    Device failed SSL handshake with client inside:192.168.0.1/54583 for TLSv1 session

  6. Hi all,

    Problem has to do with certificate.
    If no valid certificate is installed on the asa, the new java version drops the connection.

    Cisco says: “Downgrade your java Version or install a trusted certificate (from a known CA; a self-signed certificate will not work)
    You can alternatively use Java Web Start.
    To use Java Web Start, do one of the following:
    •Upgrade ASDM to Version 7.1(5.100) or later. This ASDM version includes the Permissions attribute in the JAR manifest, which is required as of Java 7 Update 51.

    •To use ASDM 7.1(5) or earlier, add a security exception in the Java Control Panel for each ASA you want to manage with ASDM. See the “Workaround” section at:

    http://java.com/en/download/help/java_blocked.xml
    If you already upgraded Java, and can no longer launch ASDM in order to upgrade it to Version 7.1(5.100) or later, then you can either use the CLI to upgrade ASDM, or you can use the above security exception workaround to launch the older ASDM, after which you can upgrade to a newer version.”

    Here is the official workaround from cisco:
    http://www.cisco.com/en/US/docs/security/asdm/7_1/release/notes/rn71.html#wp516584

    Cheers

    Andi

  7. I fetched Java 7 update 45, deleted 51 and installed 45 – ASDM 715-100 now works from the launcher. Thanks for this blog, wish I’d found this 3 hours ago dang it.

  8. I am running ASDM 7.1(5.100) with Java 7.51 and IE11 without issue.
    Java security levels have changed and may need to be tweaked to work correctly with newer version of ASDM.
    I also use TLS V1 Only but SSLv3/Any work too for both
    Server & Client.
    Note: TLSV1 you will need a personal cert created by a my local CA then imported onto the ASA.
    I created a self signed FQDN cert for the ASA and applied it to the Cert Trustpoint with only 1 algorithm of AES128-SHA1 and also added this cert to my Local Computer Trusted Root Certificate Authorities store.

  9. Adding certificate to Trusted Root Certificates worked for me. Windows 8.1, ASDM 7.1 Java 7.51

  10. We encountered this as well, except we found a workaround. We were connecting to the ASDM via the local internal IP. I discovered that if you use the external hostname for the VPN or gateway, that works.

    I.e.
    from 192.168.10.10 to 192.168.10.1 (ASA internal) does NOT work.
    from 192.168.10.10 to vpn.mycompany.com (ASA external) works fine.

    Not sure why, and looking forward to the code update to fix this. Thanks for the blog post tho, very helpful!

  11. I got the same issue and the solution is import SSL certificate of the ASA to Certificate Snap-in:

    – Open https:\\asaipaddress
    – Export certificate to ABC.cer (up to browsers)
    – Start\Run => mmc
    – File => Add\Remove Snapin
    – Select Certificate \ Computer Account \ Local Computer
    – Import ABC.cer to:
    – Personal
    – Trusted root certification authorities
    – Intermediate certification authorities
    – Done

  12. I use to run in to this issue all the time at various clients of mine. The solution is rather simple.

    1.) Download and install the 32bit version of Java 6u45 (jre-6u45-windows-i586.exe).

    2.) From the command line, change directory to ‘C:\Program Files (x86)\Cisco Systems\ASDM’

    3.) Specify the 32 bit version of Java 6u45 when running ASDM using the following.

    “C:\Program Files (x86)\Java\jre6\bin\javaw.exe” -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar com.cisco.launcher.Launcher”

    Hope this helps everyone.

  13. Hello Mike Ratcliffe. Unbelievable. After working for nearly 2-days NON-STOP on this stupid junk software, your solution WORKED. How in the hell did you figure that out?

Leave a Reply

Your email address will not be published. Required fields are marked *

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.