Release Notes for the Cisco ASA Services Module, Version 8.5(x)

Table Of Contents

Release Notes for the Cisco ASA Services Module, Version 8.5(x)

Limitations and Restrictions

System Requirements

New Features

New Features in Version 8.5(1.7)

New Features in Version 8.5(1.6)

New Features in Version 8.5(1)

Upgrading the Software

Upgrading the ASA Image

Viewing Your Current Version

Upgrading the Operating System and ASDM Images

Upgrading the FPD Image

Determining if an FPD Upgrade is Required

Upgrading the Cisco IOS and FPD Image

Upgrading the FPD Image Only

Upgrading the ASA from the Supervisor 720 to the Supervisor 2T

Open Caveats

End-User License Agreement

Related Documentation

Obtaining Documentation and Submitting a Service Request


Release Notes for the Cisco ASA Services Module, Version 8.5(x)


Released: July 7, 2011

Updated: September 4, 2012

This document contains release information for the Cisco ASA Services Module (ASASM) Version 8.5(x).

This document includes the following sections:

Limitations and Restrictions

System Requirements

New Features

Upgrading the Software

Open Caveats

End-User License Agreement

Related Documentation

Obtaining Documentation and Submitting a Service Request

Limitations and Restrictions

(8.5(1.7) and later) To use the Catalyst 6500E Supervisor 2T, you may need to upgrade the FPD image on the ASASM. See the "Upgrading the FPD Image" section for more information.

The ASASM is only available as a No Payload Encryption model for this release. The ASA software senses a No Payload Encryption model and disables the following features:

Unified Communications

VPN

You can still install the Strong Encryption (3DES/AES) license for use with management connections. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filter (which uses SSL).

When you view the license, VPN and Unified Communications licenses will not be listed.

System Requirements

For information about ASDM and Catalyst 6500 compatibility, see Cisco ASA Compatibility:

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

New Features

New Features in Version 8.5(1.7)

New Features in Version 8.5(1.6)

New Features in Version 8.5(1)

New Features in Version 8.5(1.7)

Released: March 5, 2012

Table 1 lists the new features for ASA interim Version 8.5(1.7).


Note We recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will usually remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available.

We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each ASA interim release, see the interim release notes available on the Cisco.com software download site.


Table 1 New Features for ASA Interim Version 8.5(1.7) 

Feature
Description
Hardware Features

Support for the Catalyst 6500 Supervisor 2T

The ASA now interoperates with the Catalyst 6500 Supervisor 2T. For hardware and software compatibility, see: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html.

Note You may have to upgrade the FPD image on the ASA. See the "Upgrading the FPD Image" section in these release notes.

Failover Features

Configure the connection replication rate during a bulk sync

You can now configure the rate at which the ASA replicates connections to the standby unit when using stateful failover. By default, connections are replicated to the standby unit during a 15 second period. However, when a bulk sync occurs (for example, when you first enable failover), 15 seconds may not be long enough to sync large numbers of connections due to a limit on the maximum connections per second. For example, the maximum connections on the ASA is 8 million; replicating 8 million connections in 15 seconds means creating 533K connections per second. However, the maximum connections allowed per second is 300K. You can now specify the rate of replication to be less than or equal to the maximum connections per second, and the sync period will be adjusted until all the connections are synced.

We introduced the following command: failover replication rate rate.

 


New Features in Version 8.5(1.6)

Released: January 27, 2012

Table 2 lists the new features for ASA interim Version 8.5(1.6).


Note We recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will usually remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available.

We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each ASA interim release, see the interim release notes available on the Cisco.com software download site.


Table 2 New Features for ASA Interim Version 8.5(1.6) 

Feature
Description
Multiple Context Features

Automatic generation of a MAC address prefix

In multiple context mode, the ASA now converts the automatic MAC address generation configuration to use a default prefix. The ASA auto-generates the prefix based on the last two bytes of the backplane MAC address. This conversion happens automatically when you reload, or if you reenable MAC address generation. The prefix method of generation provides many benefits, including a better guarantee of unique MAC addresses on a segment. You can view the auto-generated prefix by entering the show running-config mac-address command. If you want to change the prefix, you can reconfigure the feature with a custom prefix. The legacy method of MAC address generation is no longer available.

Note To maintain hitless upgrade for failover pairs, the ASA does not convert the MAC address method in an existing configuration upon a reload if failover is enabled. However, we strongly recommend that you manually change to the prefix method of generation when using failover. Without the prefix method, ASASMs installed in different slot numbers experience a MAC address change upon failover, and can experience traffic interruption. After upgrading, to use the prefix method of MAC address generation, reenable MAC address generation to use the default prefix.

We modified the following command: mac-address auto.

 


New Features in Version 8.5(1)

Released: July 8, 2011

Table 3 lists the new features for ASA Version 8.5(1). This ASA software version is only supported on the ASASM.


Note Version 8.5(1) includes all features in 8.4(1), plus the features listed in this table. The following features, however, are not supported in No Payload Encryption software, and this release is only available as a No Payload Encryption release:

VPN

Unified Communications

Features added in 8.4(2) are not included in 8.5(1) unless they are explicitly listed in this table.


Table 3 New Features for ASA Version 8.5(1)

Feature
Description
Hardware Features

Support for the ASA Services Module

We introduced support for the ASASM for the Cisco Catalyst 6500 E switch.

Firewall Features

Mixed firewall mode support in multiple context mode

You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode.

We modified the following command: firewall transparent.

 

Interface Features

Automatic MAC address generation is now enabled by default in multiple context mode

Automatic generation of MAC addresses is now enabled by default in multiple context mode.

We modified the following command: mac-address auto.

 

NAT Features

Identity NAT configurable proxy ARP and route lookup

In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.

For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command) to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is removed.

We modified the following commands: nat static [no-proxy-arp] [route-lookup] (object network) and nat source static [no-proxy-arp] [route-lookup] (global).

Also available in Version 8.4(2).

PAT pool and round robin address assignment

You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and makes configuration of large numbers of PAT addresses easy.

Note Currently in 8.5(1), the PAT pool feature is not available as a fallback method for dynamic NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT (CSCtq20634).

We modified the following commands: nat dynamic [pat-pool mapped_object [round-robin]] (object network) and nat source dynamic [pat-pool mapped_object [round-robin]] (global).

Also available in Version 8.4(2).

Switch Integration Features

Autostate

The switch supervisor engine can send autostate messages to the ASASM about the status of physical interfaces associated with ASA VLANs. For example, when all physical interfaces associated with a VLAN go down, the autostate message tells the ASA that the VLAN is down. This information lets the ASA declare the VLAN as down, bypassing the interface monitoring tests normally required for determining which side suffered a link failure. Autostate messaging provides a dramatic improvement in the time the ASA takes to detect a link failure (a few milliseconds as compared to up to 45 seconds without autostate support).

Note The switch supports autostate messaging only if you install a single ASA in the chassis.

See the following Cisco IOS command: firewall autostate.

Virtual Switching System

The ASASM supports VSS when configured on the switches. No ASA configuration is required.


Upgrading the Software


Note For users migrating from the FWSM, see Migrating to the Cisco ASA Services Module from the FWSM.


This section describes how to upgrade to the latest version of the ASA image or the Field-Programmable Device (FPD) image and includes the following topics:

Upgrading the ASA Image

Upgrading the FPD Image

Upgrading the ASA from the Supervisor 720 to the Supervisor 2T


Note For ASDM procedures, see the ASDM release notes.


Upgrading the ASA Image

Viewing Your Current Version

Upgrading the Operating System and ASDM Images

Viewing Your Current Version

Use the show version command to verify the software version of your ASA.

Upgrading the Operating System and ASDM Images

This section describes how to install the ASDM and operating system (OS) images using TFTP. For FTP or HTTP, see the "Managing Software and Configurations" chapter in the configuration guide.

We recommend that you upgrade the ASDM image before the OS image. ASDM is backward compatible, so you can upgrade the OS using the new ASDM; however, you cannot use an old ASDM image with a new OS.

For information about upgrading software in a failover pair, see the "Performing Zero Downtime Upgrades for Failover Pairs" chapter in the configuration guide.

Detailed Steps


Step 1 If you have a Cisco.com login, you can obtain the OS and ASDM images from the following website:

http://www.cisco.com/cisco/pub/software/portal/select.html?&i=!m&mdfid=283783691

Step 2 Back up your configuration file. To print the configuration to the terminal, enter the following command:

hostname# show running-config
 
   

Copy the output from this command, then paste the configuration into a text file.

For other methods of backing up, see the "Managing Software and Configurations" chapter in the configuration guide.

Step 3 Install the new images using TFTP. Enter this command separately for the OS image and the ASDM image:

hostname# copy tftp://server[/path]/filename disk0:/[path/]filename
 
   

For example:

hostname# copy tftp://10.1.1.1/asa851-k8.bin disk0:/asa851-k8.bin
...
hostname# copy tftp://10.1.1.1/asdm-651.bin disk0:/asdm-651.bin
 
   

If your ASA does not have enough memory to hold two images, overwrite the old image with the new one by specifying the same destination filename as the existing image.

Step 4 To change the OS boot image to the new image name, enter the following commands:

hostname(config)# clear configure boot
hostname(config)# boot system disk0:/[path/]new_filename
 
   

For example:

hostname(config)# clear configure boot
hostname(config)# boot system disk0:/asa851-k8.bin
 
   

Step 5 To configure the ASDM image to the new image name, enter the following command:

hostname(config)# asdm image disk0:/[path/]new_filename
 
   

For example:

hostname(config)# asdm image disk0:/asdm-651.bin
 
   

Step 6 To save the configuration and reload, enter the following commands:

hostname(config)# write memory
hostname(config)# reload
 
   

Upgrading the FPD Image

The ASA includes a separate FPD image that you can upgrade using Cisco IOS software on the switch.

Determining if an FPD Upgrade is Required

Upgrading the Cisco IOS and FPD Image

Upgrading the FPD Image Only

Determining if an FPD Upgrade is Required

Determine if an FPD upgrade is required using the show hw-module all fpd IOS command on the switch.

If the ASA has the minimum required version, no further action is necessary. If an FPD image package needs an upgrade, proceed to one of the following upgrade procedures.

The following sample output indicates that the ASA does not meet the minimum version requirements.

Router# show hw-module all fpd
==== ====================== ====== =============================================
                             H/W   Field Programmable   Current   Min. Required
Slot Card Type               Ver.  Device: "ID-Name"    Version      Version
==== ====================== ====== ================== =========== ==============
   1 WS-SVC-ASA-SM1          1.0   1-TRISUL FPGA          1.8        1.10
==== ====================== ====== =============================================
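As an added example (not part of the Cisco release notes), the following Python script parses the show hw-module all fpd output shown above and decides whether an FPD upgrade is required by comparing Current Version against Min. Required Version numerically; a plain string comparison would wrongly rank 1.8 above 1.10. The sample output is the one from the notes, embedded as constructed input, and the card type WS-SVC-ASA-SM1 used as the default filter is taken from that output.

```python
"""Decide whether an ASASM FPD needs an upgrade from `show hw-module all fpd`.

Added example, not from the Cisco release notes. It parses the output format
the notes show and compares versions as integer tuples, because the string
"1.8" sorts above "1.10" even though 1.10 is the newer FPD version.
"""
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: the output the release notes show for a module that
# does not meet the minimum required FPD version.
SAMPLE_OUTPUT = """\
Router# show hw-module all fpd
==== ====================== ====== =============================================
                             H/W   Field Programmable   Current   Min. Required
Slot Card Type               Ver.  Device: "ID-Name"    Version      Version
==== ====================== ====== ================== =========== ==============
   1 WS-SVC-ASA-SM1          1.0   1-TRISUL FPGA          1.8        1.10
==== ====================== ====== =============================================
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.10' into (1, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


class FpdEntry(NamedTuple):
    slot: int
    card_type: str
    hw_ver: str
    device: str
    current: Tuple[int, ...]
    required: Tuple[int, ...]

    @property
    def needs_upgrade(self) -> bool:
        # Tuple comparison: (1, 8) < (1, 10), unlike the strings "1.8" / "1.10".
        return self.current < self.required


# One data row: slot, card type, H/W version, "<id>-<name>", current, required.
# The device name may contain single spaces; two or more spaces end it.
ROW_RE = re.compile(
    r"^\s*(?P<slot>\d+)\s+(?P<card>\S+)\s+(?P<hw>[\d.]+)\s+"
    r"(?P<device>\d+-.+?)\s{2,}(?P<cur>[\d.]+)\s+(?P<req>[\d.]+)\s*$"
)


def parse_fpd_table(output: str) -> List[FpdEntry]:
    """Extract the data rows from `show hw-module all fpd` output."""
    entries = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # prompt, column header or separator line
        entries.append(FpdEntry(
            slot=int(m["slot"]),
            card_type=m["card"],
            hw_ver=m["hw"],
            device=m["device"].strip(),
            current=parse_version(m["cur"]),
            required=parse_version(m["req"]),
        ))
    return entries


def modules_needing_upgrade(output: str, card_type: str = "WS-SVC-ASA-SM1") -> List[int]:
    """Return the chassis slots of modules of the given type whose FPD is too old."""
    return [e.slot for e in parse_fpd_table(output)
            if e.card_type == card_type and e.needs_upgrade]


if __name__ == "__main__":
    for entry in parse_fpd_table(SAMPLE_OUTPUT):
        verdict = "UPGRADE REQUIRED" if entry.needs_upgrade else "ok"
        print(f"slot {entry.slot} {entry.card_type} {entry.device}: "
              f"{'.'.join(map(str, entry.current))} -> "
              f"{'.'.join(map(str, entry.required))} {verdict}")
```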
 
   

Upgrading the Cisco IOS and FPD Image

If you need to upgrade the Cisco IOS image, you can also load a new FPD image on local flash memory (disk0: or bootdisk:) to automatically install the FPD on the ASA when you reload the switch.

Detailed Steps


Step 1 Verify that the FPD automatic upgrade feature is enabled by examining the output of the show running-config IOS command on the switch.

Look for the "upgrade fpd auto" line in the output. If there are no upgrade commands in the output, upgrade fpd auto is enabled because it is the default setting. If automatic upgrades are disabled, use the upgrade fpd auto command to enable automatic FPD upgrades.

Step 2 If you have a Cisco.com login, you can obtain the FPD image from the following website:

http://www.cisco.com/cisco/software/release.html?mdfid=283933147&flowid=29364&softwareid=280805682&release=15.0.1-SY1&relind=AVAILABLE&rellifecycle=ED&reltype=latest

Step 3 Download the FPD image package to local flash memory on the switch.

See the switch documentation for more information about downloading files to flash memory.


Note Do not change any FPD-related settings on your system. If the default settings for the upgrade fpd path command have been changed, change the settings back to their default settings using the no form of this command.


Step 4 Obtain the Cisco IOS image from the following website:

http://www.cisco.com/cisco/software/release.html?mdfid=283933147&flowid=29364&dvdid=282804709&softwareid=280805685&release=15.0.1-SY1&relind=AVAILABLE&rellifecycle=ED&reltype=latest

See the switch documentation for information about loading the new IOS image.

Step 5 Reload the switch using the new IOS image.

When Cisco IOS boots, it searches for the FPD image package in flash. The switch updates the FPD images automatically as part of the Cisco IOS boot process.


Upgrading the FPD Image Only

If you do not need to upgrade the Cisco IOS image, you can upgrade the FPD image separately.

Restrictions

The FPD image must be in local flash memory. Remote upgrading from FTP or TFTP is not supported.

Detailed Steps


Step 1 If you have a Cisco.com login, you can obtain the FPD image from the following website:

http://www.cisco.com/cisco/software/release.html?mdfid=283933147&flowid=29364&softwareid=280805682&release=15.0.1-SY1&relind=AVAILABLE&rellifecycle=ED&reltype=latest

Step 2 Download the FPD image package to the switch flash memory. We recommend the local flash disk (disk0: or bootdisk:).

See the switch documentation for more information about downloading files to flash memory.

Step 3 Verify the contents of the FPD image package using the following command:

Router# show upgrade fpd file file-url
 
   

The file-url argument is the location and name of the FPD image package file. For example, the following command successfully verifies the image (see the TRIFECTA card type for the ASASM):

Router# show upgrade fpd file disk0:c6500-fpd-pkg.1.10.pkg
Cisco Field Programmable Device Image Package for IOS
C6500 Family FPD Image Package (c6500-fpd-pkg.1.10.pkg), Version 15.0(0)SY99.41
Copyright (c) 2004-2012 by cisco Systems, Inc.
Built Thu 12-Jan-2012 14:46 by integ
 
   
 
   
=============================== ================================================
                                        Bundled FPD Image Version Matrix
                                ================================================
                                                                       Min. Req.
Supported Card Types            ID  Image Name                Version  H/W Ver.
=============================== == ========================= ========= =========
2-port T3/E3 Serial SPA          1 T3E3 SPA ROMMON              2.12      0.0
                                 2 T3E3 SPA I/O FPGA            0.24      0.0
                                 3 T3E3 SPA E3 FPGA             1.4       0.0
                                 4 T3E3 SPA T3 FPGA             1.4       0.0
------------------------------- -- ------------------------- --------- ---------
4-port T3/E3 Serial SPA          1 T3E3 SPA ROMMON              2.12      0.0
                                 2 T3E3 SPA I/O FPGA            0.24      0.0
                                 3 T3E3 SPA E3 FPGA             1.4       0.0
                                 4 T3E3 SPA T3 FPGA             1.4       0.0
...
------------------------------- -- ------------------------- --------- ---------
TRIFECTA                         1 Trifecta  DPFPGA             1.10      0.0
=============================== ================================================
 
   

Step 4 Upgrade the FPD using the following command:

Router# upgrade hw-module slot slot-number fpd file file-url
 
   

The slot-number argument indicates the chassis slot location of the ASA. The file-url argument is the location and name of the FPD image package file. For example, to upgrade the ASA in slot 2, enter the following command:

Router# upgrade hw-module slot 2 fpd file disk0:c6500-fpd-pkg.1.10.pkg
 
   
% The following FPD will be upgraded for WS-SVC-ASA-SM1 (H/W ver = 1.0) in slot 2:
 
   
 ================== =========== =========== ============ 
 Field Programmable   Current     Upgrade   Estimated 
 Device: "ID-Name"    Version     Version   Upgrade Time 
 ================== =========== =========== ============ 
 1-TRISUL FPGA          1.8         1.10      00:06:30
 ================== =========== =========== ============ 
 
   
% NOTES:
  - Use 'show upgrade fpd progress' command to view the progress of the FPD
    upgrade.
   - Since the target card is currently in disabled state, it will be 
     automatically reloaded after the upgrade operation for the changes to 
     take effect.
 
   
WARNING: The target card will be reloaded in order to start FPD image 
         upgrade. This action will interrupt normal operation of the card.
         If necessary, ensure that appropriate actions have been taken to 
         redirect card traffic before starting the upgrade operation.
 
   
% Are you sure that you want to perform this operation? [no]: yes
% Reloading the target card for FPD image upgrade ... Done!
% Upgrade operation will start in the background once the target card gets 
  initialized after the reload operation. Please wait ...
  (Use "show upgrade fpd progress" command to see upgrade progress)
 
   

Step 5 Verify that the FPD upgrade is complete using the following command:

Router# show upgrade fpd progress
 
   

The following example shows that the FPD upgrade is updating:

Router# show upgrade fpd progress
 
   
FPD Image Upgrade Progress Table:
 
   
 ==== =================== ====================================================
                                               Approx.
                          Field Programmable    Time     Elapsed
 Slot Card Type           Device : "ID-Name"   Needed      Time    State
 ==== =================== ================== ========== ========== ===========
    2 WS-SVC-ASA-SM1      1-TRISUL FPGA       00:06:30   00:00:24  Updating...
 ==== =================== ====================================================
 
   

The following example shows that the FPD upgrade is complete, because the upgrade is no longer in progress:

Router# show upgrade fpd progress
 
   
% There is no FPD image upgrade in progress.
 
   

Step 6 Verify that the FPD upgrade was successful using the following command:

Router# show hw-module all fpd
 
   

Upgrading the ASA from the Supervisor 720 to the Supervisor 2T

To upgrade the ASA from the Supervisor 720 to the Supervisor 2T, perform the following steps:


Step 1 Upgrade the ASA with the Supervisor 2T image while the Supervisor 720 image is still loaded on the Catalyst 6500 Series E Switch.


Note If you replace the supervisor card on the Catalyst 6500 Series E Switch before you upgrade the ASA, then the interfaces on the ASA will not be recognized, and you will not be able to load a new image.


Step 2 Change the supervisor card from the Supervisor 720 to the Supervisor 2T on the Catalyst 6500 Series E Switch.

Step 3 Upgrade the Catalyst 6500 Series E Switch with the Supervisor 2T image.


Open Caveats

Table 4 contains open caveats in the latest maintenance release.

If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/

Table 4 Open Caveats in ASA Version 8.5

Caveat
Description

CSCtq41035

Incorrect interface MAC address after failover.


End-User License Agreement

For information on the end-user license agreement, go to the following URL:

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Related Documentation

For additional information about ASDM or its platforms, see Navigating the Cisco ASA Documentation:

http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.

Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.