Sunday, May 29, 2005

Why is my PIX PDM Broken?

If you manage a Cisco PIX firewall, you may have recently run into a problem accessing the PDM (PIX Device Manager) browser-based management interface. Cisco's PDM is a Java-based tool for managing your firewall; there are a handful of things that can't be done via its graphical interface, but for the most part, many users will seldom have any reason to use anything else for configuration and management. The VPN wizard, in particular, is vastly easier to use than the dozen or so lines of arcane commands required to implement the same thing from the command line.

A couple of my clients recently had issues accessing the PDM from Windows XP and Server 2003. After authenticating successfully in both the browser and the Java window, they were presented with an empty window instead of the PDM - and a message in the status bar claiming java.security.AccessControlException: access denied.

Both clients concluded - not unreasonably - that there was some kind of authentication problem with the PIX, and that they were locked out.

In fact, the problem was not with the PIX, but with Java itself. Sun's most recent updates to the JRE (Java Runtime Environment) made changes to the behavior allowed for signed code - and caused consternation for developers and end users by breaking quite a few applets.

Installing the "release 8" update for the 1.4.2 plugin, or the "release 2" update for the 1.5.0 plugin, prevented access to the PDM - and no adjustment to the security settings in Internet Explorer or Firefox could fix the issue (both Windows and Linux platforms suffer from this problem). Applets which behaved like the PDM - launching code which performs security-restricted functions from an HTML button - were now 'broken by design' under the new, stricter security model.

Those who had upgraded their Java plugin from an earlier (working) release could uninstall the latest version, and once again access the PDM. But for a new workstation or server, the latest load of Java was broken 'out of the box,' and there wasn't anything to go back to. And unless the affected user tried a Google search on the full status bar error message, there were very few clues on the nature of the problem - or the fix.

There is, in fact, a Cisco Field Notice, dated May 16th, on this issue - but unless you perform a very specific Google search, you'll probably miss it.
I almost never use a vendor's own search tool to explore a support knowledge base. Microsoft's Knowledge Base, in particular, was long notorious for the obscurity of the keywords assigned to articles. More than once, I couldn't re-locate a KB (or Q article, if you're old skool) that I knew was there, which was immensely frustrating. I finally started using site-specific Google searches: specifying a search by site:microsoft.com server 2003 dns firewall allowed me to find information that eluded the built-in tool. Microsoft, by the way, claims to have made significant improvements to the way their site search engine works. Is it better? I don't know - they trained me not to use it by returning poor results for years. Google is my friend.

Cisco does offer a product alert service which will e-mail you notices like this one when they are published, but you have to have an account with Cisco CCO - which generally means, if you're an end user, that you're carrying a SMARTnet service contract on at least one piece of Cisco equipment.

Those who don't have a SMARTnet contract on their PIX not only probably missed the alert, but also cannot implement the official fix, which is a downloadable update - 3.0(3) or 4.1(2) - to the PDM. The workaround is to uninstall the latest copy of the JRE, and download and install release 1 of the Java 1.5.0 plugin.

And, perhaps, consider springing for a SMARTnet contract on at least one of your Cisco products. It doesn't take many of these kinds of headaches for it to pay for itself.

11 comments:

Anonymous said...

Chuck,

Thanks for the excellent info concerning the PDM problem. As you've pointed out, there isn't much out there concerning the issue. (I upgraded to PDM version 3.0.3 and the problem is resolved.) Your site is well thought out and very helpful. Pat yourself on the back knowing that the time you spent typing your findings has helped one of your fellow IT professionals. I'll be sure to bookmark your blog as I'm sure it'll be useful in the future.

Scott

Anonymous said...

Two years later this point was the most relevant article I could find on this problem.

Thanks!

Anonymous said...

point=post :)

Bob Brown said...

It turns out that PDM 3.0(4) simply hangs at the HTML start window with JDK 1.6.0_14, but works with JDK 1.6.0_02. (It may work with later versions than _02, also. I haven't tested this.)

If this is documented anywhere, I can't find it. I've posted this comment in the hope that it will be useful to other searchers. (I am running WinXP and MSIE 6. Didn't work with Firefox 3.5, either, but does appear to work with the downgraded JRE.)

Stephen V Noe said...

On Windows 7 - 64, found that the last version that works is JRE-6u11-windows-i586. I was unable to make the 64-bit version of Java work with PDM.

Java Release 6 Version 11
PDM 3.0(4)

Seb A said...

Thanks Bob and Steven. Having tried several versions of Java on XP SP2 and SP3 with PDM 3.0(4) after an update broke things, I tried Java 1.6.0 and 1.6.0_11 and can confirm they both work (under IE7 and Firefox 3.6.6). 1.6.0_20 does not, and neither do 1.4.1_07 and 1.4.2_19. This seems to be the only page that correctly documents which is the last version of Java to work with the last version of the PDM 3.0!

medusa said...

Two years later this point was the most relevant article I could find on this problem

Anonymous said...

7 Years later and this article is all that described how to fix the issue that I found.

Thank you Bob and Stephen (who will probably never even see this again). Using the version Stephen listed and IE8 32-Bit I finally got logged in. 64-Bit IE wouldn't work and I didn't even attempt FF (v12.0).

Thanks.

Anonymous said...

8 years later and it's still relevant.

Thank you :)

Rob Lee

Anonymous said...

Make that 9 years.

I vaguely remembered this site from years ago, glad it was still here. Had to get into an ancient PIX 501 at one of our locations. Didn't know we still had a PIX running. Time for an upgrade I think.

Anonymous said...

Make that 10 years.
Thanks