How to log into ASDM for a Cisco ASA when you get the Unable to launch device manager error

I like to keep my clients’ devices up to date to prevent any issues from arising and to have access to the devices’ latest features. Unfortunately, not everyone is happy to pay that little extra to have an ongoing support / maintenance agreement. I was recently out at a customer who had an ASA 5505 which had been running for years but needed some new NAT translations added in. So I fired up my laptop and loaded up ASDM Launcher. After typing in the credentials I got the "Unable to launch device manager on ASA-5505" error. One thing I like to do when this happens is to check why: click on the Java icon in the login window and you will be presented with the Java console. I saw the following:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java couldn't trust Server
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)

The main thing sticking out to me was "Java couldn’t trust Server". To fix this I needed to load up the Java control panel. Once it is open, navigate to the Security tab > Edit Site List… > Add > enter the URL of ASDM. In my case that was https://192.168.1.254/. Once I had added that, I clicked OK and Apply and closed out of the browser / ASDM Launcher. Now if you try to log in again it should let you through into ASDM and allow you to make the changes you need.

Another method to resolve this error is to export the certificate of the device to your computer (use Firefox, navigate to the appliance web page and export the SSL certificate), then import it into Java using the control panel method above, but hit Manage Certificates… instead.
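Before importing an exported certificate into Java as trusted, it is worth confirming that the file really is the ASA's certificate. The following is an added example, not part of the original post: it prints the identifying fields of the exported file so they can be compared with what the appliance reports over a trusted path such as the console. The file path is a hypothetical placeholder, and the self-signed check is a simple subject/issuer comparison.

```powershell
# Added example: inspect an exported certificate before trusting it in Java.
# $Path is a hypothetical location for the file exported from the browser.
param([string]$Path = 'C:\Temp\asa-asdm.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

# SHA-256 fingerprint over the DER encoding of the certificate.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fp256  = ($sha256.ComputeHash($cert.RawData) |
           ForEach-Object { $_.ToString('X2') }) -join ':'
$sha256.Dispose()

$now = Get-Date
[pscustomobject]@{
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    # Heuristic only: a self-signed certificate names itself as issuer.
    SelfSigned   = ($cert.Subject -eq $cert.Issuer)
    SerialNumber = $cert.SerialNumber
    NotBefore    = $cert.NotBefore
    NotAfter     = $cert.NotAfter
    ValidNow     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    SigAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    Sha1         = $cert.Thumbprint
    Sha256       = $fp256
} | Format-List
```

If the serial number or fingerprint does not match the appliance, or the validity period has expired, do not import the file.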

If you’re running a new version of ASDM, this doesn’t happen. Some also say downgrading Java to 1.6 will remove the issue. Hope that helps someone out.

Backing up your EVA SAN (4400 or P63x0) Configuration with HP StorageWorks Storage System Scripting Utility (SSSU)

Just a short one today. I was assisting in the change from a stand-alone Hyper-V environment to a clustered environment. The customer had an HP EVA P6300 SAN which was going to be used for the Cluster Shared Volumes. As a precaution before beginning work on the EVA, I loaded up SSSU, which was installed on one of their servers, and took a backup of the current configuration of the EVA. The backup file would come in handy if something were to happen and can assist HP Support in restoring your array.

When you load up SSSU it will first ask you to log in with a user and password with rights to the Storage Array. Once in, we need to select a Storage System and then issue a configuration backup to the local workstation.

select system
capture configuration filename

Replace filename with something like c:\SAN_backup.txt. The backup is a plaintext file telling the Storage Array how it has been configured with LUNs and Hosts.

Random password prompts with users running Windows Phone / Mobile Active Sync for Exchange through ISA 2006 or TMG Reverse Proxy

So I recently came across an issue where some end users were getting prompted for their password when running a Windows Phone device (Android and Apple devices seem immune). The client had recently had an Office 365 hybrid configuration completed and were using ISA / TMG as a reverse proxy to authenticate to their local infrastructure for external users. Their move to a hybrid deployment required some changes to the way they had TMG set up (adding another web listener and re-configuring some rules).

Judging from the password prompt, I quickly gathered that the issue was around a web listener, so I opened up their one for Exchange. The listener used forms-based authentication, so I went to the Forms tab and hit Advanced to see what options had been enabled or disabled. I could see that "Apply session timeout to non-browser clients" was enabled. After disabling this option and applying the changes, ActiveSync clients stopped prompting users for their passwords and the sessions remained active even after the timeout value expired.

Hyper-V Virtual Machine stops responding to network traffic if VMQ (Virtual Machine Queues) are enabled on a 1GB physical NIC

I recently took on a new customer whose IT infrastructure was a mess. They have good hardware but the setup they had was just awful (it was an internal guy who had great ideas but little skill). They had Hyper-V running on a nice new Gen9 HP Server on Windows Server 2012 R2, which is a nice combination. Once they were onboarded they let us know that the server kept on crashing (they had no idea their setup was virtualised or that they had more than one server…). Virtual Machine Queuing, or VMQ, allows the “virtualization” of the network, letting the NIC create paths to each virtual NIC to offload the traffic.

After about a week, I got the call I was waiting for to tell me their server had stopped responding. The virtual machine was still up but wasn’t responding to pings or allowing access to network resources (it was their SBS server). So as a quick fix, I disabled and re-enabled the NIC on the server (as a best practice you should have a dedicated Management NIC to allow access to the host), which brought things back online. After having a quick look at the Broadcom NIC, I saw it had VMQ enabled. I then set it to disabled and restarted the server out of hours. Since then there haven’t been any issues with the servers dropping off the network.

The issue hasn’t resurfaced since and is documented in the following Microsoft KB article: https://support.microsoft.com/en-us/kb/2986895

It is interesting to note that the server had the latest drivers and firmware installed but was still having the issue, so I’d recommend leaving VMQ disabled completely as the benefits aren’t that great (unless you’re high-traffic 10 Gbps).
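The same check can be scripted on the Hyper-V host. This is an added example, not from the original post: it uses the built-in NetAdapter cmdlets to list physical NICs linked at less than 10 Gbps that still have VMQ enabled, and disables VMQ on them only when run with the (hypothetical) -Apply switch.

```powershell
# Added example: report physical NICs below 10 Gbps that have VMQ enabled,
# and disable VMQ on them when the script is run with -Apply.
param([switch]$Apply)

$tenGbps = 10000000000   # threshold in bits per second

$report = foreach ($nic in Get-NetAdapter -Physical) {
    # Skip disconnected ports; Speed is only meaningful on a live link.
    if ($nic.Status -ne 'Up' -or $nic.Speed -ge $tenGbps) { continue }

    # Returns nothing when the driver does not expose VMQ.
    $vmq = Get-NetAdapterVmq -Name $nic.Name -ErrorAction SilentlyContinue
    if (-not $vmq -or -not $vmq.Enabled) { continue }

    # Without -Apply this only prints what would change (-WhatIf).
    Disable-NetAdapterVmq -Name $nic.Name -WhatIf:(-not $Apply)

    [pscustomobject]@{
        Name        = $nic.Name
        Description = $nic.InterfaceDescription
        LinkSpeed   = $nic.LinkSpeed
        VmqDisabled = [bool]$Apply
    }
}

$report | Format-Table -AutoSize
```

Run it without -Apply first to review the list, and apply the change out of hours as was done above, since changing the setting can interrupt traffic on the adapter.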