Table Of Contents
Release Notes for Cisco ASDM, Version 6.6(x)
Released: February 28, 2012
Updated: July 5, 2012
This document contains release information for Cisco ASDM Version 6.6(1) for the Cisco ASA 5500-X series, which includes the Cisco 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X.
This document includes the following sections:
Default Shipping Configuration Might Not Allow Access to ASDM
For ASA version 8.6 and ASDM version 6.6, you might have to correct the SSL encryption settings in the ASA's SSL settings to enable access to ASDM.
Note The factory default configuration that you can restore with the configure factory-default command is not affected. Only the initial shipping configuration might be affected.
To change SSL encryption settings:asa> enableasa# show running-config sslasa# ssl encryption des-sha1asa# conf tasa(config)# no ssl encryption des-sha1asa(config)# ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
A change to the ASDM launcher might disrupt ASDM launch capabilities for some users; however, you may use the following workarounds.
In general, we expect that you have the proper file association between JAR files and the Java Runtime Environment. This association is usually created by default when you install the JRE, but there may be scenarios in which you change this association or in which the association does not exist. In these scenarios, the launcher will not launch, or an attempt to launch ASDM may result in another application being launched. If you encounter one of these problems launching, you can choose one of the following three methods to rectify the problem:
•(Recommended) Re-install or upgrade the Java Runtime Environment (JRE).
•Change the application type to open JAR files.
a. Open the Windows Explorer, and choose Tools > Folder Options.
b. Click the File Types tab, scroll down, and choose JAR File type.
c. Click Advanced.
d. From the Edit File Type dialog box, choose Open in the Actions dialog box, and click Edit.
e. Click Browse, and navigate to the location of the Java interpreter "javaw.exe"file (typically, C:\Program Files\Java\).
f. In the Application used to perform action field, modify the field with the following parameters to point to the current JRE installation directory: C:\Program Files\Java\jre6\bin\javaw.exe" -jar "%1" %*
g. Click OK until all dialogs are closed.
•Modify the shortcut target. Right-click the shortcut used to launch the ASDM-IDM launcher, modify the Target field, and prepend the path to the JRE with the -jar parameter.
For example, change:C:\Program Files (x86)\Cisco Systems\ASDM\asdm-launcher.jar" -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar
to:C:\Program Files\Java\jre6\bin\javaw.exe" -jar "C:\Program Files (x86)\Cisco Systems\ASDM\asdm-launcher.jar" -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar
Maximum Configuration Size
ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience performance issues. For example, when you load the configuration, the status dialog shows the percentage of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend that you consider increasing the ASDM system heap memory.
To increase the ASDM heap memory size, modify the launcher shortcut by performing the following procedure:
Step 1 Right-click the shortcut for the ASDM-IDM Launcher, and choose Properties.
Step 2 Choose the Shortcut tab.
Step 3 In the Target field, change the argument prefixed with "-Xmx" to specify your desired heap size. For example, change it to -Xmx768m for 768 MB or -Xmx1g for 1 GB. For more information about this parameter, see the Oracle document in the following location: http://docs.oracle.com/javase/1.5.0/docs/tooldocs/windows/java.html
ASDM Client Operating System and Browser Requirements
Table 1 lists the supported and recommended client operating systems and Java for ASDM.
Table 1 Operating System and Browser Requirements
Operating System Browser Sun Java SE Plug-in 1 Internet Explorer Firefox 2 Safari
Microsoft Windows (English and Japanese):
6.0 or later2
1.5 or later
Apple Macintosh OS X:
1.5 or later
2.0 or later
Red Hat Enterprise Linux 5 (GNOME or KDE):
•Desktop with Workstation
1.5 or later
2 ASDM requires an SSL connection from the browser to the ASA. By default, Internet Explorer on Windows Vista and later and Firefox on all operating systems do not support base encryption (DES) for SSL, and therefore require the ASA to have a strong encryption (3DES/AES) license. For Windows Internet Explorer, you can enable DES as a workaround. See http://support.microsoft.com/kb/929708 for details. For Firefox on any operating system, you can enable the security.ssl3.dhe_dss_des_sha setting as a workaround. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.
3 6.4(7) and later. You may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.
Table 2 lists information about ASDM, module, and VPN compatibility with the ASA 5500-X series.
Note ASDM supports many ASA versions. The ASDM documentation and online help includes all of the latest features supported by the ASA. If you are running an older version of ASA software, the documentation might include features that are not supported in your version. Similarly, if a feature was added into a maintenance release for an older major or minor version, then the ASDM documentation includes the new feature even though that feature might not be available in all later ASA releases. Please refer to the new features tables to determine when features were added. For the minimum supported version of ASDM for each ASA version, see Cisco ASA Compatibility.
New Features in Version 6.6(1)
Note New, changed, and deprecated syslog messages are listed in Cisco ASA 5500 Series System Log Messages.
Table 3 lists the new features for ASA Version 8.6(1)/ASDM Version 6.6(1). This ASA software version is only supported on the ASA 5580, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, and ASA 5585-X.
Note Version 8.6(1) includes all features in 8.4(2), plus the features listed in this table.
Features added in 8.4(3) are not included in 8.6(1) unless they are explicitly listed in this table.
Upgrading the Software
This section describes how to upgrade to the latest version and includes the following topics:
Note For CLI procedures, see the ASA release notes.
Viewing Your Current Version
The software version appears on the ASDM home page; view the home page to verify the software version of your ASA.
Upgrading the Operating System and ASDM Images
This section describes how to install the ASDM and operating system (OS) images.
We recommend that you upgrade the ASDM image before the OS image. ASDM is backward compatible, so you can upgrade the OS using the new ASDM; however, you cannot use an old ASDM image with a new OS.
Step 1 Back up your existing configuration. For example, choose File > Show Running Configuration in New Window to open the configuration as an HTML page. You can also use one of the File > Save Running Configuration options.
Step 2 Choose Tools > Check for ASA/ASDM Updates.
In multiple context mode, access this menu from the System.
The Cisco.com Authentication dialog box appears.
Step 3 Enter your assigned Cisco.com username and the Cisco.com password, and then click Login.
The Cisco.com Upgrade Wizard appears.
Step 4 Complete the upgrade wizard.
Step 5 For the upgrade versions to take effect, check the Save configuration and reload device now check box to restart the ASA and restart ASDM.
Step 6 Click Finish to exit the wizard and save the configuration changes that you made.
Installing the IPS Software Module
Your ASA typically ships with IPS module software present on Disk0. If the module is not running, however, you need to install the module.
Step 1 To view the IPS module software filename in flash memory, choose Tools > File Management.
For example, look for a filename like IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip. Note the filename; you will need this filename later in the procedure.
Step 2 If you need to copy a new image to disk0, download the image from Cisco.com to your computer, and then on the File Management dialog box, choose File Transfer > Between Local PC and Flash.
Step 3 Choose Tools > Command Line Interface.
Step 4 To identify the IPS module software location in disk0, enter the following command and then click Send:sw-module module ips recover configure image disk0:file_path
For example, using the filename in the example in Step 1, enter:sw-module module ips recover configure image disk0:IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip
Step 5 To install and load the IPS module software, enter the following command and then click Send:sw-module module ips recover boot
Step 6 To check the progress of the image transfer and module restart process, enter the following command and then click Send:show module ips details
The Status field in the output indicates the operational status of the module. A module operating normally shows a status of "Up." While the ASA transfers an application image to the module, the Status field in the output reads "Recover." When the ASA completes the image transfer and restarts the module, the newly transferred image is running.
Installing or Upgrading Cisco Secure Desktop
ASA Version 8.6.(1) requires Cisco Secure Desktop Release 3.2 or later. You do not need to restart the ASA after you install or upgrade Cisco Secure Desktop.
These instructions provide the CLI commands needed to install Secure Desktop. You may, however, prefer to use ASDM. To do so, choose Configuration > Remote Access VPN > Secure Desktop Manager > Setup and click Help.
To install or upgrade the Cisco Secure Desktop software, perform the following steps:
Step 1 Download the latest Cisco Secure Desktop package file from the following website:
Step 2 Install the new image using TFTP:hostname# copy tftp://server[/path]/filename disk0:/[path/]filename
Step 3 Enter the following command to access webvpn configuration mode (from global confguration mode):hostname(config)# webvpnhostname(config-webvpn)#
Step 4 To validate the Cisco Secure Desktop distribution package and add it to the running configuration, enter the following command:hostname(config-webvpn)# csd image disk0:/securedesktop_asa_3_2_0_build.pkg
Step 5 To enable Cisco Secure Desktop for management and remote user access, use the following command.hostname(config-webvpn)# csd enable
ASDM supports almost all commands available for the adaptive ASA, but ASDM ignores some commands in an existing configuration. Most of these commands can remain in your configuration; see Tools > Show Commands Ignored by ASDM on Device for more information.
This section includes the following topics:
Ignored and View-Only Commands
Table 4 lists commands that ASDM supports in the configuration when added through the CLI, but that cannot be added or edited in ASDM. If ASDM ignores the command, it does not appear in the ASDM GUI at all. If the command is view-only, then it appears in the GUI, but you cannot edit it.
Effects of Unsupported Commands
If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected. To view the unsupported commands, choose Tools > Show Commands Ignored by ASDM on Device.
Discontinuous Subnet Masks Not Supported
ASDM does not support discontinuous subnet masks such as 255.255.0.255. For example, you cannot use the following:ip address inside 192.168.2.1 255.255.0.255
Interactive User Commands Not Supported by the ASDM CLI Tool
The ASDM CLI tool does not support interactive user commands. If you enter a CLI command that requires interactive confirmation, ASDM prompts you to enter "[yes/no]" but does not recognize your input. ASDM then times out waiting for your response.
1. Choose Tools > Command Line Interface.
2. Enter the crypto key generate rsa command.
ASDM generates the default 1024-bit RSA key.
3. Enter the crypto key generate rsa command again.
Instead of regenerating the RSA keys by overwriting the previous one, ASDM displays the following error:Do you really want to replace them? [yes/no]:WARNING: You already have RSA ke0000000000000$A keyInput line must be less than 16 characters in length.%Please answer 'yes' or 'no'.Do you really want to replace them [yes/no]:%ERROR: Timed out waiting for a response.ERROR: Failed to create new RSA keys names <Default-RSA-key>
•You can configure most commands that require user interaction by means of the ASDM panes.
•For CLI commands that have a noconfirm option, use this option when entering the CLI command. For example:crypto key generate rsa noconfirm
Table 5 contains open caveats in ASDM software BETA Version 6.6(1).
Registered Cisco.com users can view more information about each caveat by using the Bug Toolkit at the following website:
End-User License Agreement
For information about the end-user license agreement, go to:
For additional information about ASDM or its platforms, see Navigating the Cisco ASA 5500 Series Documentation:
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
©2012 Cisco Systems, Inc. All rights reserved.