This document explains the procedures you can use in order to resolve problems with the PIX Device Manager (PDM) software.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions. However, the content is valid up to the latest version of code (6.3.3 at the time of document creation).
Cisco PIX Firewall Software Release 6.1(1)
PDM Version 1.1(2)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
You must meet these two requirements in order to access PDM.
A Data Encryption Standard (DES) or Triple Data Encryption Standard (3DES) Activation Key is enabled on your PIX.
A separate software image for PDM is loaded on the PIX's Flash.
Enter the show version command from the PIX command line to verify that you meet these requirements. The PIX Firewall version must be 6.0 or later. This information appears.
pixfirewall#show version Cisco Secure PIX Firewall Version 6.1(1) PIX Device Manager Version 1.1(2) <snip> Licensed Features: Failover: Enabled VPN-DES: Enabled VPN-3DES: Disabled
If you are missing the lines that indicate your PIX or PDM versions, and if both DES and 3DES are disabled, you are not able to access the PDM software. If you do not have a DES key, you can get the PIX 56-bit License Upgrade Key (registered customers only) from the Cisco Downloads. If you do not have a DES key and you are not a registered user, you can obtain a free key when you send an E-mail to email@example.com with the serial number of the PIX as it appears in the show version command on the PIX.
If you need to install the key, you must reload the PIX software. This is the only way that you can install the DES/3DES key. Refer to the Upgrading the PIX Firewall from Boothelper or Monitor Mode section of Upgrading Software for the Cisco Secure PIX Firewall for a step-by-step procedure for a PIX software reload.
If you do not already have PDM software installed, load it with the copy tftp flash:pdm command. Do not use the copy tftp flash command.
Next, follow the procedures in Installing PDM on a PIX Firewall to install and run PDM software on a PIX Firewall.
After you install the PDM software and have DES/3DES enabled, run setup from the PIX command line in order to set up PDM to run on the PIX, and to enable specific hosts or networks for which you want to allow access to PDM. Ensure that the year is correct when you go through the setup questions, or the certificate generated is invalid. The domain name used in the setup can be the name of your domain or any arbitrarily chosen string in the form of <text.text> that you use for key generation; name resolution need not work. Also, press ENTER in order to choose the default values.
An example of the setup process is shown here.
pixfirewall(config)#setup Pre-configure PIX Firewall now through interactive prompts [yes]? Enable password [<use current password>]: Clock (UTC): Year : Month [Dec]: Day : Time [17:43:35]: Inside IP address [127.0.0.1]: 172.16.1.2 Inside network mask [255.255.255.255]: 255.255.255.0 Host name [pixfirewall]: Domain name: cisco.com IP address of host running PIX Device Manager: 172.16.1.43 The following configuration will be used: Enable password: <current password> Clock (UTC): 17:43:35 Dec 7 2001 Inside IP address: 172.16.1.2 Inside network mask: 255.255.255.0 Host name: pixfirewall Domain name: cisco.com IP address of host running PIX Device Manager: 172.16.1.43 Use this configuration and write to flash? yes Building configuration... Cryptochecksum: e6dd475b 322e8674 1dc237c3 543afdef [OK] pixfirewall(config)#
Type https://<pix_interface_ip_address> in your browser to access the PDM software. An example of this syntax is https://172.16.1.2.
When the username/password box comes up and if AAA authentication is not on, then the PIX Telnet password needs to go in the password box. If AAA authentication is on (such as on a Telnet to the PIX, and the PIX asks for a username/password instead of just a password), then the PIX username needs to go in the username box and the password in the password box.
If PIX command authorization is on (in PIX version 6.2 or later) and certain users cannot do all commands (such as write terminal, write memory, or configure terminal), then those users are similarly limited in PDM (to monitoring the PIX only, or to performing a subset of commands). In PIX 6.2 or later, you can determine whether a user has the most powerful privileges (15) when you perform a Telnet into the PIX as that user and issue the show curpriv command in enable mode.
If you continue to experience problems with PDM, try some of these suggestions.
Check that PDM is installed properly.
show version . Cisco PIX Firewall Version 6.1(1) Cisco PIX Device Manager Version 1.0(2) .
Check that a DES Activation Key is enabled.
show version . VPN-DES: Enabled .
Check that proxy is not enabled in the browser.
Issue the show clock command to verify that the software is set for the correct year. Modify the year if necessary using this command.
clock set <hh:mm:ss> <month> <day> <year>
Under normal operation, when the PIX is set for the correct time, connecting with PDM causes the generation of a certificate that is visible with the show ca mypubkey rsa command. If there is some question as to whether or not the clock was set properly at the time of the original connection, reset the clock as described in the previous step. Issue the ca zeroize rsa command in order to delete the existing certificate, then reconnect with PDM to cause key regeneration.
Verify that you can connect with the use of https://.
Before you download the PDM software to the PIX, make sure that the FTP of the PDM software is a binary transfer by typing bin on the FTP transfer command line. If the transfer was in ASCII or if the PDM file is otherwise corrupted, you can receive a "PDM is not installed" message.
Verify that the browser you use has the proper Java version.
For Microsoft Internet Explorer, on the Windows system, select Start > Run and type wjview in order to determine the version (or type wjview at the DOS prompt). Sample output is shown in this output.
Microsoft (R) VM for Java, 5.0 Release 220.127.116.1102
The last four digits need to be 3167 or greater in order to work with PDM.
You can also verify the version of Java installed on your PC through Control Panel > Java > About. If your PC does not have the required Java software, you can download it from the Sun web site . After you install the required Java version, close all browser windows (or reboot) before you attempt to access PDM.
For Netscape 4.5.x or 4.7.x, you need to disable the Java Plug-in option if it is installed. In order to disable the plug-in, select Edit > Preferences > Advanced and set the Enable Java Plug-in option to disable. If you do not see the checkbox, then the Java Plug-in is not used by default.
Verify that you run a supported browser for the version of PDM that you use. Browser or Java versions other than what are tested might not work.
If some stations can connect to the PIX for management and others cannot, make sure that you have an entry for the IP address of each unit that manages the PIX.
http <ip_address> [netmask] [if_name] http server enable
If you see a message that says "The PIX has a version number of unknown," then this is generally a result of one of the conditions listed in this document not being met, such as:
The PDM version does not agree with the PIX version (check the PDM documentation for the prerequisites).
The browser version is not supported (check the PDM documentation for the prerequisites).
The Java version is incorrect or the Java Plug-in is enabled.
If all else fails, contact the Cisco Technical Support. Be prepared to provide the output of a show tech command from the PIX, debug ssl from the PIX, Java console output from your browser, and information about your browser version to help resolve the issue.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.