15 Replies  Latest reply: Jan 8, 2018 6:15 AM by arteq

    ASA 5510 and JAVA 9.0 compatibility

    DavidJ

      I know the 5510 is at EOL, but where can I find out if ASDM 7.5.1 is compatible with JAVA 9.0?  I've tried searching the web and Cisco, but no combination gives me any answers.  Our computers at work were upgraded from version 8 Update 144 to JAVA 9.0 about the time I lost connectivity.

        What happens is I try to start ASDM, it hourglasses for about 5-8 seconds and then nothing.  We've gone as far as to put my workstation in its own OU with no inheritance and shut off the local software firewall and it still won't run.

        I can still run the IME gui for the IPS, but the ASDM won't run.  I've removed and reinstalled ASDM with no success.

        • 1. Re: ASA 5510 and JAVA 9.0 compatibility
          Juergen Ilse CCNA R&S

          If I remember correctly, ASA5510 has support until some time later this year (but the newest firmware supported is 9.1.7 interim version). If you have the possibility to get a newer ASDM version, that version may fix your issue ... As far as I know, the newer ASDM version will still support 9.1.x firmwares. I didn't try to run ASDM 7.5.1 with Java 9, so I can't answer your question whether that may work ...

          I mostly use CLI on Cisco ASA, I don't remember when I last used ASDM at work ...

          • 2. Re: ASA 5510 and JAVA 9.0 compatibility
            Luke Savage

            Hi DavidJ,


            Yeah, that'll do it. Simple way to fix is to roll back to Java 8.


            I've had lots of problems with this in the past and generally, if you get it working, you don't update Java. Which also leaves a nice big security hole for you.


            Let us know if you get it working on Java 9.


            Luke

            • 3. Re: ASA 5510 and JAVA 9.0 compatibility
              arteq

              agreed.... asdm has been notorious with java for many years... for instructional purposes use asdm, for practical purposes use cli...

              • 4. Re: ASA 5510 and JAVA 9.0 compatibility
                DavidJ

                You both are right about the cli.  I've mainly been a R/S engineer and my only experience with FW's were to be able to troubleshoot, replace and upgrade them locally to a condition where the FW team could log in and take over.  Never was responsible for day to day monitoring.

                  Now that I am responsible for my own devices I've used the ASDM mainly as a visual monitoring aid.  Bandwidth usage, top source, destination and protocol usage maps give me a great bird's-eye view.

                  We've gone through several JAVA 8 updates, starting from the 80s up to 144, with no trouble.  Once it went to Java 9.0 I started having trouble.

                • 5. Re: ASA 5510 and JAVA 9.0 compatibility
                  Aref - CCNPx2 (R&S - Security) / Network+ / Security+

                  David, what Juergen suggested should fix the issue for you. Install ASDM 7.8.x or 7.9.x on your 5510 ASA with latest code 9.1.7 and you should be good to go.

                  • 6. Re: ASA 5510 and JAVA 9.0 compatibility
                    Luke Savage

                    DavidJ wrote:


                    Now that I am responsible for my own devices I've used the ASDM mainly as a visual monitoring aid.

                    For the exam you will need to know how to configure everything through ASDM as well. The ASDM interface in the exams is usually restricted (you don't have access to all functions), so you really need to know what you're doing for this.

                    • 7. Re: ASA 5510 and JAVA 9.0 compatibility
                      Aref - CCNPx2 (R&S - Security) / Network+ / Security+

                      In some cases we have to use ASDM such as when configuring AnyConnect profiles unless we go for the external profile editor.

                      • 8. Re: ASA 5510 and JAVA 9.0 compatibility
                        duanlightfoot

                        ASDM is a good tool but can we get off of the java platform?

                        • 9. Re: ASA 5510 and JAVA 9.0 compatibility
                          arteq

                          what i've always disliked about configuring with asdm is what i call "the boogers" that it creates, specifically the dm_in-line stuff that it generates... makes the config messy...

                          • 10. Re: ASA 5510 and JAVA 9.0 compatibility
                            Juergen Ilse CCNA R&S

                            Correct. But you can avoid it (with enough discipline while using ASDM): avoid putting more than one port, more than one protocol, or more than one host/network in a firewall rule. If you want to put, for example, several hosts in one firewall rule, first generate an object-group with a "speaking name" for it, then put that one object-group in your firewall rule. Avoid putting another host/network/object/object-group in the same rule; instead edit the object-group (same for protocols, ports, icmp-types). If you strictly use this method, ASDM will not generate those object-groups with the dm_inline-* names, because the object-groups used in the firewall rule already exist. ASDM will only generate those object-groups if you add more than 1 object/object-group/host/network, more than 1 protocol, more than 1 port or more than 1 icmp type in a single firewall rule.

                            • 11. Re: ASA 5510 and JAVA 9.0 compatibility
                              arteq

                              cool, thanks for that... to be clear, if an object-group already exists in a rule, i can edit/add more objects to the rule without generating dm_inline funk as long as the rule's params remain the same?

                              • 12. Re: ASA 5510 and JAVA 9.0 compatibility
                                Juergen Ilse CCNA R&S

                                Exactly. I never tried it with current ASDM versions (it was a long time ago when I tried it), but I think ASDM will still work this way.

                                ASDM creates (as far as I know) only new object-groups if really necessary, and this is only the case if you put more than 1 entry in a field of a firewall rule. And because ASDM can't know anything about the purpose of the rule, it can't generate "speaking names", so it generates names like those dm_inline* names ... The bigger problem with this is (in my opinion) that it will generate new object-groups for every new use of the same collection of hosts/objects/protocols/..., so you may get many different object-groups with the same content, even if that is not really necessary. It takes a great deal of time to clean up such unnecessary redundancies, so nearly nobody will do it. The configuration gets really messy this way ... I cleaned up such a configuration many years ago. It was in preparation for migrating the old (ASA 8.2) configuration to newer firmware. The migration code in the firmware had generated a configuration with nearly 1000 nat rules, so I decided to do the migration manually. It took about 4 days, but the number of nat rules in the remaining configuration was about 100 nat rules (a little bit more). The original configuration was about 500 kb; after cleaning up the configuration, it was about 250 kb, and the migrated configuration was about the same size ...
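As an added illustration of the DM_INLINE problem described in replies 10 and 12 (this is not code from any poster here, nor a Cisco tool), the following Python script parses the object-group blocks of an ASA running-config, lists the ASDM-generated DM_INLINE_* groups, flags groups whose type and members are identical, and, for each inline group, proposes the hand-named group with the same content that an ACL could reference instead. It also counts how many access-list lines reference each group, which is the part of the cleanup that takes the time. The configuration text is constructed for the example; only the DM_INLINE_* naming pattern and the object-group / network-object / port-object syntax are real ASA conventions, the group names and addresses are made up.

```python
"""Scan a Cisco ASA running-config for ASDM-generated DM_INLINE_* object-groups
and for object-groups that duplicate each other's content."""
import re
from collections import defaultdict

# Constructed sample config (not from a real device): two ASDM-generated network
# groups and one service group duplicate hand-named groups with speaking names.
SAMPLE_CONFIG = """\
object-group network WEB_SERVERS
 description Public web front ends
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network DM_INLINE_NETWORK_1
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network DM_INLINE_NETWORK_2
 network-object host 192.0.2.11
 network-object host 192.0.2.10
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
object-group network DB_SERVERS
 network-object host 192.0.2.20
access-list OUTSIDE_IN extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_1
access-list OUTSIDE_IN extended permit tcp any object-group DM_INLINE_NETWORK_2 eq ssh
access-list OUTSIDE_IN extended permit tcp object-group DB_SERVERS any eq 443
"""

DM_INLINE_RE = re.compile(r"^DM_INLINE_", re.IGNORECASE)


def parse_object_groups(config):
    """Return {name: (header, frozenset(member lines))} for every object-group.

    'header' is the group type plus any trailing qualifier ("network",
    "service tcp", ...), so groups of different types never compare equal.
    'description' lines are dropped: they do not change what the group matches.
    """
    groups = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("object-group "):
            parts = raw.split()
            name = parts[2]
            header = " ".join([parts[1]] + parts[3:])
            current = name
            groups[name] = (header, set())
        elif raw.startswith(" ") and current is not None:
            member = raw.strip()
            if not member.startswith("description"):
                groups[current][1].add(member)
        else:
            current = None  # any non-indented line ends the current group block
    return {n: (h, frozenset(m)) for n, (h, m) in groups.items()}


def dm_inline_groups(groups):
    """Names of ASDM-generated inline groups, in config order."""
    return [n for n in groups if DM_INLINE_RE.match(n)]


def duplicate_groups(groups):
    """Sets of group names with identical type and identical members,
    returned as sorted name lists (only sets of two or more are reported)."""
    by_content = defaultdict(list)
    for name, content in groups.items():
        by_content[content].append(name)
    return [sorted(names) for names in by_content.values() if len(names) > 1]


def suggest_replacements(groups):
    """{inline_name: hand-named group with the same content, or None}.
    A cleanup would point each ACL at the speaking-name group and delete
    the DM_INLINE_* copy."""
    suggestions = {}
    for inline in dm_inline_groups(groups):
        content = groups[inline]
        match = next((n for n, c in groups.items()
                      if c == content and not DM_INLINE_RE.match(n)), None)
        suggestions[inline] = match
    return suggestions


def acl_references(config):
    """Count how many access-list lines reference each object-group name."""
    counts = defaultdict(int)
    for line in config.splitlines():
        if line.startswith("access-list "):
            for name in re.findall(r"object-group (\S+)", line):
                counts[name] += 1
    return dict(counts)


if __name__ == "__main__":
    groups = parse_object_groups(SAMPLE_CONFIG)
    print("ASDM inline groups:", dm_inline_groups(groups))
    print("duplicate content:", duplicate_groups(groups))
    print("replacements:", suggest_replacements(groups))
    print("ACL references:", acl_references(SAMPLE_CONFIG))
```

Run it against the output of `show running-config object-group` plus `show running-config access-list` from a real box; the duplicate report is exactly the redundancy Juergen describes, and the replacement map is the list of ACL edits needed before the inline groups can be removed.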

                                • 13. Re: ASA 5510 and JAVA 9.0 compatibility
                                  arteq

                                  i'll have to test that out... it's been my experience that DM_INLINE from asdm is unavoidable, and it gets really ugly after a while... typically i use asdm for monitoring and to get a pretty picture of the config... adds/edits i usually perform from the cli, but i will definitely try that out.... thanks...

                                  • 14. Re: ASA 5510 and JAVA 9.0 compatibility
                                    Juergen Ilse CCNA R&S

                                    I have tried it now on my ASA at home (added a firewall rule that only used existing network objects or object-groups, with no more than 1 entry for source and destination, to an existing ACL). There was no "dm_inline*" object or object-group created.
