Cisco ASA 5500-X Series Next-Generation Firewalls

Release Notes for the Cisco ASA Series, 9.2(x)

Table of Contents

Release Notes for the Cisco ASA Series, Version 9.2(x)

Important Notes

System Requirements

New Features

New Features in Version 9.2(2)

New Features in Version 9.2(1)

Upgrading the Software

Upgrade Path and Migrations

Viewing Your Current Version

Downloading the Software from Cisco.com

Upgrading a Standalone Unit

Upgrading a Failover Pair or ASA Cluster

Upgrading an Active/Standby Failover Pair

Upgrading an Active/Active Failover Pair

Upgrading an ASA Cluster

Open Caveats

Resolved Caveats

Resolved Caveats in Version 9.2(2)

Resolved Caveats in Version 9.2(1)

End-User License Agreement

Related Documentation

Obtaining Documentation and Submitting a Service Request

Release Notes for the Cisco ASA Series, Version 9.2(x)

Released: April 24, 2014

Revised: June 26, 2014

This document contains release information for Cisco ASA software Version 9.2(x). This document includes the following sections:

Important Notes

  • ASA 5505 with 256 MB DRAM—Starting in Version 8.3, the DRAM requirements for the ASA 5505 were increased to 512 MB. If you did not use the Unlimited Hosts license or the Security Plus license with failover enabled, then the ASA could continue to operate with 256 MB. As of Version 9.2 and later, all ASA 5505 licenses require 512 MB. If you only have 256 MB, the ASA image may not load into memory. See http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html for memory requirements and upgrade information.
  • WinNT AAA server to be deprecated—In ASA Version 9.3, the WinNT AAA server will no longer be supported. If you use WinNT, you should start planning alternative server types.

System Requirements

For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility:

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

For VPN compatibility, see the Supported VPN Platforms, Cisco ASA 5500 Series:

http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html

New Features


Note New, changed, and deprecated syslog messages are listed in the syslog message guide.


New Features in Version 9.2(2)

Released: June 26, 2014

Table 1 lists the new features for ASA Version 9.2(2).

 

Table 1 New Features for ASA Version 9.2(2)

Remote Access Features

Internet Explorer 11 browser support on Windows 8.1 and Windows 7 for clientless SSL VPN

We added support for Internet Explorer 11 with Windows 7 and Windows 8.1 for clientless SSL VPN.

We did not modify any commands.

 

New Features in Version 9.2(1)

Released: April 24, 2014

Table 2 lists the new features for ASA Version 9.2(1).


Note The ASA 5510, ASA 5520, ASA 5540, ASA 5550, and ASA 5580 are not supported in this release or later. ASA Version 9.1 was the final release for these models.


 

Table 2 New Features for ASA Version 9.2(1)

Platform Features

The Cisco Adaptive Security Virtual Appliance (ASAv) has been added as a new platform to the ASA series.

The ASAv brings full firewall functionality to virtualized environments to secure data center traffic and multi-tenant environments. The ASAv runs on VMware vSphere. You can manage and monitor the ASAv using ASDM or the CLI.

Routing Features

BGP Support

We now support the Border Gateway Protocol (BGP). BGP is an inter autonomous system routing protocol. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISP).

We introduced the following commands: router bgp, bgp maxas-limit, bgp log-neighbor-changes, bgp transport path-mtu-discovery, bgp fast-external-fallover, bgp enforce-first-as, bgp asnotation dot, timers bgp, bgp default local-preference, bgp always-compare-med, bgp bestpath compare-routerid, bgp deterministic-med, bgp bestpath med missing-as-worst, policy-list, match as-path, match community, match metric, match tag, as-path access-list, community-list, address-family ipv4, bgp router-id, distance bgp, table-map, bgp suppress-inactive, bgp redistribute-internal, bgp scan-time, bgp nexthop, aggregate-address, neighbor, bgp inject-map, show bgp, show bgp cidr-only, show bgp all community, show bgp all neighbors, show bgp community, show bgp community-list, show bgp filter-list, show bgp injected-paths, show bgp ipv4 unicast, show bgp neighbors, show bgp paths, show bgp pending-prefixes, show bgp prefix-list, show bgp regexp, show bgp replication, show bgp rib-failure, show bgp route-map, show bgp summary, show bgp system-config, show bgp update-group, clear route network, maximum-path, network.

We modified the following commands: show route, show route summary, show running-config router, clear config router, clear route all, timers lsa arrival, timers pacing, timers throttle, redistribute bgp.

Static route for Null0 interface

Sending traffic to a Null0 interface results in dropping the packets destined to the specified network. This feature is useful in configuring Remotely Triggered Black Hole (RTBH) for BGP.

We modified the following command: route .

OSPF support for Fast Hellos

OSPF supports the Fast Hello Packets feature, which results in faster convergence in an OSPF network.

We modified the following command: ospf dead-interval

New OSPF Timers

New OSPF timers were added; old ones were deprecated.

We introduced the following commands: timers lsa arrival, timers pacing, timers throttle.

We removed the following commands: timers spf, timers lsa-grouping-pacing

OSPF Route filtering using ACL

Route filtering using ACL is now supported.

We introduced the following command: distribute-list

OSPF Monitoring enhancements

Additional OSPF monitoring information was added.

We modified the following commands: show ospf events, show ospf rib, show ospf statistics, show ospf border-routers [detail], show ospf interface brief

OSPF redistribute BGP

OSPF redistribution feature was added.

We added the following command: redistribute bgp

EIGRP Auto-Summary

For EIGRP, the Auto-Summary field is now disabled by default.

High Availability Features

Support for cluster members at different geographical locations (inter-site) for transparent mode

You can now place cluster members at different geographical locations when using Spanned EtherChannel mode in transparent firewall mode. Inter-site clustering with spanned EtherChannels in routed firewall mode is not supported.

We did not modify any commands.

Static LACP port priority support for clustering

Some switches do not support dynamic port priority with LACP (active and standby links). You can now disable dynamic port priority to provide better compatibility with spanned EtherChannels. You should also follow these guidelines:

  • Network elements on the cluster control link path should not verify the L4 checksum. Redirected traffic over the cluster control link does not have a correct L4 checksum. Switches that verify the L4 checksum could cause traffic to be dropped.
  • Port-channel bundling downtime should not exceed the configured keepalive interval.

We introduced the following command: clacp static-port-priority.

Support for 32 active links in a spanned EtherChannel for clustering

ASA EtherChannels now support up to 16 active links. With spanned EtherChannels, that functionality is extended to support up to 32 active links across the cluster when used with two switches in a vPC and when you disable dynamic port priority. The switches must support EtherChannels with 16 active links, for example, the Cisco Nexus 7000 with F2-Series 10 Gigabit Ethernet Module.

For switches in a VSS or vPC that support 8 active links, you can now configure 16 active links in the spanned EtherChannel (8 connected to each switch). Previously, the spanned EtherChannel only supported 8 active links and 8 standby links, even for use with a VSS/vPC.

Note If you want to use more than 8 active links in a spanned EtherChannel, you cannot also have standby links; the support for 9 to 32 active links requires you to disable cLACP dynamic port priority, which is what allows the use of standby links.

We introduced the following command: clacp static-port-priority.

Support for 16 cluster members for the ASA 5585-X

The ASA 5585-X now supports 16-unit clusters.

We did not modify any commands.

Support for clustering with the Cisco Nexus 9300

The ASA supports clustering when connected to the Cisco Nexus 9300.

Remote Access Features

ISE Change of Authorization

The ISE Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is established. When a policy changes for a user or user group in AAA, CoA packets can be sent directly to the ASA from the ISE to reinitialize authentication and apply the new policy. An Inline Posture Enforcement Point (IPEP) is no longer required to apply access control lists (ACLs) for each VPN session established with the ASA.

When an end user requests a VPN connection the ASA authenticates the user to the ISE and receives a user ACL that provides limited access to the network. An accounting start message is sent to the ISE to register the session. Posture assessment occurs directly between the NAC agent and the ISE. This process is transparent to the ASA. The ISE sends a policy update to the ASA via a CoA “policy push.” This identifies a new user ACL that provides increased network access privileges. Additional policy evaluations may occur during the lifetime of the connection, transparent to the ASA, via subsequent CoA updates.

We introduced the following commands: dynamic-authorization, authorize-only, debug radius dynamic-authorization.

We modified the following commands: without-csd [anyconnect], interim-accounting-update [periodic [interval]].

We removed the following commands: nac-policy, eou, nac-settings.

Improved clientless rewriter HTTP 1.1 compression handling

The rewriter has been changed so that if the client supports compressed content and the content will not be rewritten, then it will accept compressed content from the server. If the content must be rewritten and it is identified as being compressed, it will be decompressed, rewritten, and if the client supports it, recompressed.

We did not introduce or modify any commands.

OpenSSL upgrade

The version of OpenSSL on the ASA will be updated to version 1.0.1e.

Note We disabled the heartbeat option, so the ASA is not vulnerable to the Heartbleed Bug.

We did not introduce or modify any commands.

Interface Features

Support for 16 active links in an EtherChannel

You can now configure up to 16 active links in an EtherChannel. Previously, you could have 8 active links and 8 standby links. Be sure your switch can support 16 active links (for example, the Cisco Nexus 7000 with F2-Series 10 Gigabit Ethernet Module).

Note If you upgrade from an earlier ASA version, the maximum number of active interfaces is set to 8 for compatibility purposes (the lacp max-bundle command).

We modified the following commands: lacp max-bundle and port-channel min-bundle.

Monitoring Features

Embedded Event Manager (EEM)

The EEM feature enables you to debug problems and provides general purpose logging for troubleshooting. The EEM responds to events in the EEM system by performing actions. There are two components: events that the EEM triggers, and event manager applets that define actions. You may add multiple events to each event manager applet, which triggers it to invoke the actions that have been configured on it.

We introduced or modified the following commands: event manager applet, description, event syslog id, event none, event timer, event crashinfo, action cli command, output, show running-config event manager, event manager run, show event manager, show counters protocol eem, clear configure event manager, debug event manager, debug menu eem.

SNMP hosts, host groups, and user lists

You can now add up to 4000 hosts. The number of supported active polling destinations is 128. You can specify a network object to indicate the individual hosts that you want to add as a host group. You can associate more than one user with one host.

We introduced or modified the following commands: snmp-server host-group, snmp-server user-list, show running-config snmp-server, clear configure snmp-server.

SNMP message size

The limit on the message size that SNMP sends has been increased to 1472 bytes.

SNMP OIDs and MIBs

The ASA now supports the cpmCPUTotal5minRev OID.

The ASAv has been added as a new product to the SNMP sysObjectID OID and entPhysicalVendorType OID.

The CISCO-PRODUCTS-MIB and CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support the new ASAv platform.

The CISCO-VPN-LIC-USAGE-MONITOR-MIB, a new SNMP MIB for monitoring VPN shared license usage, has been added. The OID has the following index: 1.3.6.1.4.1.9.9.816.x.x. This new OID polls the number of active and max-session connections.

We did not introduce or modify any commands.

Administrative Features
Improved one-time password authentication

Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command.

We modified the following command: aaa authorization exec .

Auto Update Server certificate verification enabled by default

The Auto Update Server certificate verification is now enabled by default; for new configurations, you must explicitly disable certificate verification. If you are upgrading from an earlier release, and you did not enable certificate verification, then certificate verification is not enabled, and you see the following warning:

WARNING: The certificate provided by the auto-update servers will not be verified. In order to verify this certificate please use the verify-certificate option.
 

The configuration will be migrated to explicitly configure no verification:

auto-update server no-verification

We modified the following command: auto-update server [verify-certificate | no-verification].

 

Upgrading the Software

This section describes how to upgrade to the latest version and includes the following topics:


Note For ASDM procedures, see the ASDM documentation.


Upgrade Path and Migrations

  • If you are upgrading from a pre-9.0 release, because of ACL migration, you cannot later perform a downgrade; be sure to back up your configuration file in case you want to downgrade. See the ACL migration section in the 9.0 release notes for more information.
  • If you are upgrading from one of the following versions, you can successfully upgrade to 9.1(2.8) or later:

      • 8.4(5) or later
      • 9.0(2) or later
      • 9.1(2)

    However, if you are running any earlier versions, you cannot upgrade directly to 9.1(2.8) or later without first upgrading to one of the above versions. For example:

    ASA Version    First Upgrade to:    Then Upgrade to:
    8.2(1)         8.4(7)               9.2(1) or later
    8.4(4)         8.4(7)               9.2(1) or later
    9.0(1)         9.0(4)               9.2(1) or later
    9.1(1)         9.1(2)               9.2(1) or later

  • If you are upgrading from a pre-8.3 release:

See the Cisco ASA 5500 Migration Guide to Version 8.3 and Later for important information about migrating your configuration.

You cannot upgrade directly to 9.0 or later. You must first upgrade to Version 8.4 for a successful migration.

  • Software Version Requirements for Zero Downtime Upgrading:

The units in a failover configuration or ASA cluster should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; the units can run different software versions and still maintain failover support. To ensure long-term compatibility and stability, we recommend upgrading all units to the same version as soon as possible.

Table 1-3 shows the supported scenarios for performing zero-downtime upgrades.

 

Table 1-3 Zero-Downtime Upgrade Support (Type of Upgrade / Support)

Maintenance Release

You can upgrade from any maintenance release to any other maintenance release within a minor release.

For example, you can upgrade from 8.4(1) to 8.4(6) without first installing the maintenance releases in between.

Minor Release

You can upgrade from a minor release to the next minor release. You cannot skip a minor release.

For example, you can upgrade from 8.2 to 8.3. Upgrading from 8.2 directly to 8.4 is not supported for zero-downtime upgrades; you must first upgrade to 8.3. For models that are not supported on a minor release, you can skip the minor release; for example, for the ASA 5585-X, you can upgrade from 8.2 to 8.4 (the model is not supported on 8.3).


Note Zero-downtime upgrades are possible, even when feature configuration is migrated, for example, from 8.2 to 8.3.


Major Release

You can upgrade from the last minor release of the previous version to the next major release.

For example, you can upgrade from 8.6 to 9.0, assuming that 8.6 is the last minor version in the 8.x release series for your model. Upgrading from 8.6 directly to 9.1 is not supported for zero-downtime upgrades; you must first upgrade to 9.0. For models that are not supported on a minor release, you can skip the minor release; for example, for the ASA 5585-X, you can upgrade from 8.4 to 9.0 (the model is not supported on 8.5 or 8.6).


Note Zero-downtime upgrades are possible, even when feature configuration is migrated, for example, from 8.4 to 9.0.
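The upgrade-path rules above (the direct-upgrade minimums, the example table, and the zero-downtime rules in Table 1-3) are easy to misapply by hand, so here they are as an added Python example. This is not Cisco code; the version-string grammar, the per-train intermediate releases (read off the "First Upgrade to" column), and the last_minor_of / unsupported parameters are assumptions derived from the tables, not from any ASA command or tool. Trains the notes do not cover (8.3, 8.5, 8.6) deliberately return None so the caller consults the compatibility matrix rather than guessing.

```python
"""Upgrade-path helpers derived from the tables in these release notes.

Added example; not Cisco software.  The version grammar, the per-train
intermediate releases and the last_minor_of / unsupported parameters are
assumptions taken from the tables above, not from any ASA command.
"""
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)$")


def parse_version(text):
    """Parse '9.1(2.8)' into (major, minor, maintenance, interim).

    A missing interim number is 0, so '9.1(2)' sorts before '9.1(2.8)'.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("not an ASA version string: %r" % (text,))
    major, minor, maint, interim = match.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


# Lowest version of each train from which the notes allow a direct upgrade
# to 9.1(2.8) or later.
_DIRECT_MINIMUM = {
    (8, 4): parse_version("8.4(5)"),
    (9, 0): parse_version("9.0(2)"),
    (9, 1): parse_version("9.1(2)"),
}

# Intermediate release per train, from the "First Upgrade to" column.
_FIRST_UPGRADE_TO = {
    (8, 2): "8.4(7)",
    (8, 4): "8.4(7)",
    (9, 0): "9.0(4)",
    (9, 1): "9.1(2)",
}


def upgrade_path(current, target="9.2(1)"):
    """Return the versions to install in order, ending with target.

    target must be 9.1(2.8) or later (the only case the notes cover).
    Returns [] when already at or past target, and None when the notes give
    no path for the current train (for example 8.3, 8.5 or 8.6): consult
    the compatibility matrix rather than guess.
    """
    cur, tgt = parse_version(current), parse_version(target)
    if tgt < parse_version("9.1(2.8)"):
        raise ValueError("rules apply only to targets 9.1(2.8) or later")
    if cur >= tgt:
        return []
    train = cur[:2]
    if train == tgt[:2]:
        return [target]  # maintenance release within the same train
    if train in _DIRECT_MINIMUM and cur >= _DIRECT_MINIMUM[train]:
        return [target]
    if train in _FIRST_UPGRADE_TO:
        return [_FIRST_UPGRADE_TO[train], target]
    return None


def zero_downtime_step_ok(current, new, last_minor_of, unsupported=frozenset()):
    """Apply the Table 1-3 rules to one hitless upgrade step.

    last_minor_of maps a major number to the last minor release of that
    major for your model (for example {8: 6}); unsupported holds the
    (major, minor) trains your model never had and may therefore skip.
    """
    cur, nxt = parse_version(current), parse_version(new)
    if nxt <= cur:
        return False

    def only_unsupported_between(major, lo, hi):
        # True when every minor in [lo, hi) is one the model can skip
        return all((major, m) in unsupported for m in range(lo, hi))

    if nxt[:2] == cur[:2]:
        return True  # maintenance release: any to any within a minor release
    if nxt[0] == cur[0]:
        # next minor release; intermediate minors may be skipped only when
        # the model is not supported on them
        return only_unsupported_between(cur[0], cur[1] + 1, nxt[1])
    if nxt[0] == cur[0] + 1 and nxt[1] == 0:
        # next major release, only from the last minor of the previous major
        last = last_minor_of.get(cur[0])
        if last is None:
            return False
        return only_unsupported_between(cur[0], cur[1] + 1, last + 1)
    return False
```

For the ASA 5585-X example in the text, pass unsupported={(8, 5), (8, 6)} together with last_minor_of={8: 6}: zero_downtime_step_ok("8.4(1)", "9.0(1)", ...) is then True, while the same step without the unsupported set is rejected, which is exactly the distinction Table 1-3 draws.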


Viewing Your Current Version

Use the show version command to verify the software version of your ASA.

Downloading the Software from Cisco.com

If you have a Cisco.com login, you can obtain the OS and ASDM images from the following website:

http://www.cisco.com/go/asa-software

This procedure assumes you put the images on a TFTP server, although other server types are supported.

Upgrading a Standalone Unit

This section describes how to install the ASDM and operating system (OS) images using TFTP. For FTP or HTTP, see the copy command.

Detailed Steps

 

Command
Purpose

Step 1

more system:running-config
 

hostname# more system:running-config

(If there is a configuration migration) The output shows the configuration on the terminal so that you can back up your configuration. Copy the output from this command, then paste the configuration in to a text file.

For other methods of backing up, see the configuration guide.

Step 2

copy tftp://server[/path]/asa_image_name {disk0:/ | disk1:/}[path/]asa_image_name

 

hostname# copy tftp://10.1.1.1/asa921-smp-k8.bin disk0:/asa921-smp-k8.bin

Copies the ASA software to the active unit flash memory. For other methods than TFTP, see the copy command.

Step 3

copy tftp://server[/path]/asdm_image_name {disk0:/ | disk1:/}[path/]asdm_image_name

 

hostname# copy tftp://10.1.1.1/asdm-721.bin disk0:/asdm-721.bin

Copies the ASDM image to the active unit flash memory.

Step 4

configure terminal

hostname# configure terminal

If you are not already in global configuration mode, accesses global configuration mode.

Step 5

show running-config boot system

 

hostname(config)# show running-config boot system

boot system disk0:/cdisk.bin

boot system disk0:/asa914-smp-k8.bin

Shows the current boot images configured (up to 4). The ASA uses the images in the order listed; if the first image is unavailable, the next image is used, and so on. You cannot insert a new image URL at the top of the list; to specify the new image to be first, you must remove any existing entries, and enter the image URLs in the order desired, according to Step 6 and Step 7.

Step 6

no boot system {disk0:/ | disk1:/}[path/]asa_image_name

 

hostname(config)# no boot system disk0:/cdisk.bin

hostname(config)# no boot system disk0:/asa914-smp-k8.bin

Removes any existing boot image configurations so that you can enter the new boot image as your first choice.

Step 7

boot system {disk0:/ | disk1:/}[path/]asa_image_name

hostname(config)# boot system disk0:/asa921-smp-k8.bin

Sets the ASA image to boot (the one you just uploaded).

Repeat this command for any backup images that you want to use in case this image is unavailable. For example, you can re-enter the images that you previously removed in Step 6.

Step 8

asdm image {disk0:/ | disk1:/}[path/]asdm_image_name

 

hostname(config)# asdm image disk0:/asdm-721.bin

Sets the ASDM image to use (the one you just uploaded). You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.

Step 9

write memory

 

hostname(config)# write memory

Saves the new settings to the startup configuration.

Step 10

reload

 

hostname# reload

Reloads the ASA.
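Steps 5 through 7 hinge on one constraint: a boot system entry can only be appended, so making the new image the first choice means clearing the list and re-entering it in the desired order, within the four-entry limit. The following added Python example (not Cisco code) turns the text of show running-config boot system into the exact no boot system and boot system commands to enter; the sample output is constructed from the Step 5 example above, and the function names are hypothetical.

```python
# Added example, not Cisco software: plan the Step 6 / Step 7 commands from
# 'show running-config boot system' output.

# Constructed sample of the Step 5 output above (not captured from a device).
SAMPLE_BOOT_CONFIG = """\
boot system disk0:/cdisk.bin
boot system disk0:/asa914-smp-k8.bin
"""

MAX_BOOT_IMAGES = 4  # the ASA keeps up to four boot system entries


def parse_boot_images(show_output):
    """Return the configured boot images in the order the ASA tries them."""
    images = []
    for line in show_output.splitlines():
        line = line.strip()
        if line.startswith("boot system "):
            image = line[len("boot system "):].strip()
            if image and image not in images:
                images.append(image)
    return images


def plan_boot_system_commands(show_output, new_image, keep_fallbacks=True):
    """Build the global-configuration commands for Steps 6 and 7.

    Every existing entry is removed, then the list is re-entered with
    new_image first.  With keep_fallbacks the previous images follow it as
    backups, truncated to the four-entry limit (oldest fallbacks dropped).
    Returns [] when new_image is already the first choice.
    """
    if not (new_image.startswith("disk0:/") or new_image.startswith("disk1:/")):
        raise ValueError("image path must start with disk0:/ or disk1:/")
    existing = parse_boot_images(show_output)
    if existing and existing[0] == new_image:
        return []
    desired = [new_image]
    if keep_fallbacks:
        desired += [img for img in existing if img != new_image]
    desired = desired[:MAX_BOOT_IMAGES]
    commands = ["no boot system " + img for img in existing]
    commands += ["boot system " + img for img in desired]
    return commands


if __name__ == "__main__":
    for cmd in plan_boot_system_commands(SAMPLE_BOOT_CONFIG, "disk0:/asa921-smp-k8.bin"):
        print(cmd)
```

Run against the sample it emits the two no boot system lines from Step 6 followed by the new image and the two former images as fallbacks, the order Step 7 asks you to re-enter by hand.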

Upgrading an Active/Standby Failover Pair

To upgrade the Active/Standby failover pair, perform the following steps.

Requirements

Perform these steps on the active unit.

Detailed Steps

 

Command
Purpose

Step 1

more system:running-config
 

active# more system:running-config

(If there is a configuration migration) The output shows the configuration on the terminal so that you can back up your configuration. Copy the output from this command, then paste the configuration in to a text file.

For other methods of backing up, see the configuration guide.

Step 2

copy tftp://server[/path]/asa_image_name {disk0:/ | disk1:/}[path/]asa_image_name

 

active# copy tftp://10.1.1.1/asa921-smp-k8.bin disk0:/asa921-smp-k8.bin

Copies the ASA software to the active unit flash memory. For other methods than TFTP, see the copy command.

Step 3

failover exec mate copy /noconfirm tftp://server[/path]/filename {disk0:/ | disk1:/}[path/]filename

 

active# failover exec mate copy /noconfirm tftp://10.1.1.1/asa921-smp-k8.bin disk0:/asa921-smp-k8.bin

Copies the software to the standby unit; be sure to specify the same path as for the active unit.

Step 4

copy tftp://server[/path]/asdm_image_name {disk0:/ | disk1:/}[path/]asdm_image_name

 

active# copy tftp://10.1.1.1/asdm-721.bin disk0:/asdm-721.bin

Copies the ASDM image to the active unit flash memory.

Step 5

failover exec mate copy /noconfirm tftp://server[/path]/asdm_image_name {disk0:/ | disk1:/}[path/]asdm_image_name

 

active# failover exec mate copy /noconfirm tftp://10.1.1.1/asdm-721.bin disk0:/asdm-721.bin

Copies the ASDM image to the standby unit; be sure to specify the same path as for the active unit.

Step 6

configure terminal

active# configure terminal

If you are not already in global configuration mode, accesses global configuration mode.

Step 7

show running-config boot system

 

hostname(config)# show running-config boot system

boot system disk0:/cdisk.bin

boot system disk0:/asa912-smp-k8.bin

Shows the current boot images configured (up to 4). The ASA uses the images in the order listed; if the first image is unavailable, the next image is used, and so on. You cannot insert a new image URL at the top of the list; to specify the new image to be first, you must remove any existing entries, and enter the image URLs in the order desired, according to Step 8 and Step 9.

Step 8

no boot system {disk0:/ | disk1:/}[path/]asa_image_name

 

hostname(config)# no boot system disk0:/cdisk.bin

hostname(config)# no boot system disk0:/asa912-smp-k8.bin

Removes any existing boot image configurations so that you can enter the new boot image as your first choice.

Step 9

boot system {disk0:/ | disk1:/}[path/]asa_image_name

hostname(config)# boot system disk0:/asa921-smp-k8.bin

Sets the ASA image to boot (the one you just uploaded).

Repeat this command for any backup images that you want to use in case this image is unavailable. For example, you can re-enter the images that you previously removed in Step 8.

Step 10

asdm image {disk0:/ | disk1:/}[path/]asdm_image_name

 

hostname(config)# asdm image disk0:/asdm-721.bin

Sets the ASDM image to use (the one you just uploaded). You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.

Step 11

write memory

 

active(config)# write memory

Saves the new settings to the startup configuration.

Step 12

failover reload-standby

 

active# failover reload-standby

Reloads the standby unit to boot the new image.

Wait for the standby unit to finish loading. Use the show failover command to verify that the standby unit is in the Standby Ready state.

Step 13

no failover active

 

active# no failover active

Forces the active unit to fail over to the standby unit.

Step 14

reload

 

active# reload

Reloads the former active unit (now the new standby unit). If you want to restore this unit to be active after it reloads, enter the failover active command.

Upgrading an Active/Active Failover Pair

To upgrade two units in an Active/Active failover configuration, perform the following steps.

Requirements

Perform these steps in the system execution space of the primary unit.

Detailed Steps

 

Command
Purpose

Step 1

more system:running-config
 

primary# more system:running-config

(If there is a configuration migration) The output shows the configuration on the terminal so that you can back up your configuration. Copy the output from this command, then paste the configuration in to a text file.

For other methods of backing up, see the configuration guide.

Step 2

copy tftp://server[/path]/asa_image_name {disk0:/ | disk1:/}[path/]asa_image_name

 

primary# copy tftp://10.1.1.1/asa921-smp-k8.bin disk0:/asa921-smp-k8.bin

Copies the ASA software to the primary unit flash memory. For other methods than TFTP, see the copy command.

Step 3

failover exec mate copy /noconfirm tftp://server[/path]/filename {disk0:/ | disk1:/}[path/]filename

 

primary# failover exec mate copy /noconfirm tftp://10.1.1.1/asa921-smp-k8.bin disk0:/asa921-smp-k8.bin

Copies the software to the secondary unit; be sure to specify the same path as for the primary unit.

Step 4

copy tftp://server[/path]/asdm_image_name {disk0:/ | disk1:/}[path/]asdm_image_name

 

primary# copy tftp://10.1.1.1/asdm-721.bin disk0:/asdm-721.bin

Copies the ASDM image to the primary unit flash memory.

Step 5

failover exec mate copy /noconfirm tftp://server[/path]/asdm_image_name {disk0:/ | disk1:/}[path/]asdm_image_name

 

primary# failover exec mate copy /noconfirm tftp://10.1.1.1/asdm-721.bin disk0:/asdm-721.bin

Copies the ASDM image to the secondary unit; be sure to specify the same path as for the primary unit.

Step 6

failover active group 1

failover active group 2

 

primary# failover active group 1

primary# failover active group 2

Makes both failover groups active on the primary unit.

Step 7

configure terminal

primary# configure terminal

If you are not already in global configuration mode, accesses global configuration mode.

Step 8

show running-config boot system

 

hostname(config)# show running-config boot system

boot system disk0:/cdisk.bin

boot system disk0:/asa912-smp-k8.bin

Shows the current boot images configured (up to 4). The ASA uses the images in the order listed; if the first image is unavailable, the next image is used, and so on. You cannot insert a new image URL at the top of the list; to specify the new image to be first, you must remove any existing entries, and enter the image URLs in the order desired, according to Step 9 and Step 10.

Step 9

no boot system {disk0:/ | disk1:/}[path/]asa_image_name

 

hostname(config)# no boot system disk0:/cdisk.bin

hostname(config)# no boot system disk0:/asa912-smp-k8.bin

Removes any existing boot image configurations so that you can enter the new boot image as your first choice.

Step 10

boot system {disk0:/ | disk1:/}[path/]asa_image_name

hostname(config)# boot system disk0:/asa921-smp-k8.bin

Sets the ASA image to boot (the one you just uploaded).

Repeat this command for any backup images that you want to use in case this image is unavailable. For example, you can re-enter the images that you previously removed in Step 9.

Step 11

asdm image {disk0:/ | disk1:/}[path/]asdm_image_name

 

hostname(config)# asdm image disk0:/asdm-721.bin

Sets the ASDM image to use (the one you just uploaded). You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.

Step 12

write memory

 

primary(config)# write memory

Saves the new settings to the startup configuration.

Step 13

failover reload-standby

 

primary# failover reload-standby

Reloads the secondary unit to boot the new image.

Wait for the secondary unit to finish loading. Use the show failover command to verify that both failover groups are in the Standby Ready state.

Step 14

no failover active group 1

no failover active group 2

 

primary# no failover active group 1

primary# no failover active group 2

Forces both failover groups to become active on the secondary unit.

Step 15

reload

 

primary# reload

Reloads the primary unit. If the failover groups are configured with the preempt command, they automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with the preempt command, you can return them to active status on their designated units using the failover active group command.

Upgrading an ASA Cluster

To upgrade all units in an ASA cluster, perform the following steps on the master unit. For multiple context mode, perform these steps in the system execution space.

Detailed Steps

 

Command
Purpose

Step 1

more system:running-config
 

master# more system:running-config

(If there is a configuration migration) Backs up your configuration file. Copy the output from this command, then paste the configuration in to a text file.

For other methods of backing up, see the configuration guide.

Step 2

cluster exec copy /noconfirm tftp://server[/path]/asa_image_name {disk0:/ | disk1:/}[path/]asa_image_name

 

master# cluster exec copy /noconfirm tftp://10.1.1.1/asa921-smp-k8.bin disk0:/asa921-smp-k8.bin

Copies the ASA software to all units in the cluster. For other methods than TFTP, see the copy command.

Step 3

cluster exec copy /noconfirm tftp://server[/path]/asdm_image_name {disk0:/ | disk1:/}[path/]asdm_image_name

 

master# cluster exec copy /noconfirm tftp://10.1.1.1/asdm-721.bin disk0:/asdm-721.bin

Copies the ASDM image to all units in the cluster.

Step 4

configure terminal

master# configure terminal

If you are not already in global configuration mode, accesses global configuration mode.

Step 5

show running-config boot system

 

hostname(config)# show running-config boot system

boot system disk0:/cdisk.bin

boot system disk0:/asa912-smp-k8.bin

Shows the current boot images configured (up to 4). The ASA uses the images in the order listed; if the first image is unavailable, the next image is used, and so on. You cannot insert a new image URL at the top of the list; to specify the new image to be first, you must remove any existing entries, and enter the image URLs in the order desired, according to Step 6 and Step 7.

Step 6

no boot system {disk0:/ | disk1:/}[path/]asa_image_name

 

hostname(config)# no boot system disk0:/cdisk.bin

hostname(config)# no boot system disk0:/asa912-smp-k8.bin

Removes any existing boot image configurations so that you can enter the new boot image as your first choice.

Step 7

boot system { disk0:/ | disk1:/ }[ path /] asa_image_name

 

hostname(config)# boot system disk0://asa921-smp-k8.bin

Sets the ASA image to boot (the one you just uploaded).

Repeat this command for any backup images that you want to use in case this image is unavailable. For example, you can re-enter the images that you previously removed in Step 6.

Step 8

asdm image { disk0:/ | disk1:/ }[ path / ] asdm_image_name

 

hostname(config)# asdm image disk0:/asdm-721.bin

Sets the ASDM image to use (the one you just uploaded). You can only configure one ASDM image to use, so you do not need to first remove the existing configuration.

Step 9

write memory

 

master(config)# write memory

Saves the new settings to the startup configuration.

Step 10

cluster exec unit slave-unit reload noconfirm

 

master# cluster exec unit unit2 reload noconfirm

Reloads each slave unit when you repeat this command for each unit name. To avoid connection loss and allow traffic to stabilize, wait for each unit to come back up (approximately 5 minutes) before reloading the next unit.

To view member names, enter cluster exec unit ? , or enter the show cluster info command.

Step 11

no enable

 

master(config)# no enable

Disables clustering on the master unit. Wait for 5 minutes for a new master to be selected and traffic to stabilize.

Do not enter write memory ; when the master unit reloads, you want clustering to be enabled on it.

Step 12

reload noconfirm

 

master# reload noconfirm

Reloads the master unit. A new election takes place for a new master unit. When the former master unit rejoins the cluster, it will be a slave.
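The boot-list rebuild in Steps 5 through 7 and the rolling reload in Step 10 are the two places where a slip leaves a cluster booting the wrong image or running mixed versions. The following Python helper is an added example, not Cisco code: it parses show running-config boot system output, emits the exact no boot system / boot system sequence that puts the new image first while keeping the old images as fallbacks (and refuses to exceed the four-entry limit), emits one reload command per slave unit, and then checks cluster exec show version output so that any unit still on the old version stands out. The unit names, image names and the sample command output are constructed for illustration; the per-unit banner format assumed for cluster exec output is an assumption, as marked in the code.

```python
"""Helpers for the ASA cluster upgrade steps above (added example, not Cisco code)."""
import re
from typing import Dict, List

# 'show running-config boot system' prints one "boot system <url>" line per entry.
BOOT_RE = re.compile(r"^boot system (\S+)$")
# First line of 'show version' on an ASA.
VERSION_RE = re.compile(r"^Cisco Adaptive Security Appliance Software Version (\S+)")
# ASSUMPTION: 'cluster exec' prefixes each unit's output with a banner such as
# "unit1(LOCAL):*****" or "unit2:*****"; adjust if your output differs.
BANNER_RE = re.compile(r"^([\w-]+)(?:\(LOCAL\))?:\*{5,}")


def parse_boot_list(show_output: str) -> List[str]:
    """Return the configured boot image URLs in the order the ASA tries them."""
    images = []
    for line in show_output.splitlines():
        m = BOOT_RE.match(line.strip())
        if m:
            images.append(m.group(1))
    return images


def boot_list_commands(current: List[str], new_image: str, max_entries: int = 4) -> List[str]:
    """Steps 6 and 7: remove every existing entry, then re-add with the new image first.

    The ASA boots the first reachable image in the list and the list cannot be
    inserted into at the top, so every entry is removed and re-entered in order.
    """
    fallbacks = [img for img in current if img != new_image]
    ordered = [new_image] + fallbacks
    if len(ordered) > max_entries:
        raise ValueError(f"boot list would have {len(ordered)} entries; maximum is {max_entries}")
    commands = [f"no boot system {img}" for img in current]
    commands += [f"boot system {img}" for img in ordered]
    return commands


def rolling_reload_commands(slave_units: List[str]) -> List[str]:
    """Step 10: one reload per slave unit, issued from the master one at a time."""
    return [f"cluster exec unit {unit} reload noconfirm" for unit in slave_units]


def parse_versions(cluster_exec_output: str) -> Dict[str, str]:
    """Map unit name -> software version from 'cluster exec show version' output."""
    versions: Dict[str, str] = {}
    unit = None
    for line in cluster_exec_output.splitlines():
        banner = BANNER_RE.match(line)
        if banner:
            unit = banner.group(1)
            continue
        ver = VERSION_RE.match(line)
        if ver and unit:
            versions[unit] = ver.group(1)
    return versions


def mismatched_units(versions: Dict[str, str], expected: str) -> List[str]:
    """Units that do not report the expected version after the rolling reload."""
    return sorted(unit for unit, ver in versions.items() if ver != expected)


# Constructed sample output, modelled on the examples in Step 5 and Step 10.
SAMPLE_BOOT = """boot system disk0:/cdisk.bin
boot system disk0:/asa912-smp-k8.bin
"""

SAMPLE_SHOW_VERSION = """unit1(LOCAL):***************************************
Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.2(1)
unit2:**********************************************
Cisco Adaptive Security Appliance Software Version 9.2(1)
Device Manager Version 7.2(1)
unit3:**********************************************
Cisco Adaptive Security Appliance Software Version 9.1(2)
Device Manager Version 7.1(2)
"""

if __name__ == "__main__":
    current = parse_boot_list(SAMPLE_BOOT)
    for cmd in boot_list_commands(current, "disk0:/asa921-smp-k8.bin"):
        print(cmd)
    for cmd in rolling_reload_commands(["unit2", "unit3"]):
        print(cmd)
    # Any unit listed here was not reloaded on the new image and needs attention.
    print("still on old version:", mismatched_units(parse_versions(SAMPLE_SHOW_VERSION), "9.2(1)"))
```

The version check is the part worth keeping after the procedure: a cluster member that silently fell back to the second boot entry will pass traffic but sits on the old code, and the only way to notice is to compare every unit's reported version against the one you intended to install.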

Open Caveats

Table 4 contains open caveats in the latest maintenance release.

If you are running an older release, and you need to determine the open caveats for your release, then add the caveats in these sections to the resolved caveats from later releases. For example, if you are running Version 9.2(1), then you need to add the caveats in this section to the resolved caveats from 9.2(2) and higher to determine the complete list of open caveats.

If you are a registered Cisco.com user, view more information about each caveat using the Bug Search at the following website:

https://tools.cisco.com/bugsearch

Table 4 Open Caveats in ASA Version 9.2

Caveat      Description
CSCup22225  v4 and v6 tput degradation on 5585-60 and ASA-SM1
CSCup26300  ASA-SM crash under 9.2.1 with Thread Name: Checkheaps
CSCup32973  ASA EIGRP does not reset hold time after receiving update
CSCup35300  Jumbo-frame reservation not getting enabled due to insufficient memory

Resolved Caveats

Resolved Caveats in Version 9.2(2)

Table 5 contains resolved caveats in ASA Version 9.2(2).

If you are a registered Cisco.com user, view more information about each caveat using Bug Search at the following website:

https://tools.cisco.com/bugsearch

Table 5 Resolved Caveats in ASA Version 9.2(2)

Caveat      Description
CSCsz39633  Double auth not triggered if using secondary-aaa-server per interface
CSCty50049  ASA allows SYN/ACK with incorrect ACK value to pass.
CSCuc80975  ASA5500-x: "speed nonegotiate" command not available for fiber interface
CSCue87407  DNS: Inspection drops non in-addr.arpa PTR queries
CSCuf21519  WebVPN: Latest JQuery library doesn't work through ASA
CSCug14102  Need Syslog containing assigned IP address for AnyConnect IKEv2
CSCuh79288  ASA 9.1.2 DHCP - Wireless Apple devices are not getting an IP via DHCPD
CSCul33381  ASA 5505 SIP packets may have extra padding on egress of 5505
CSCul68338  WEBVPN IE 11: CIFS bookmarks showing with unicode
CSCum00360  ASA - DHCP Discover Sent out during boot process
CSCum75214  ASA5585-SSP60 Teardown process is delayed under heavy traffic condition
CSCum76734  ASA Backup scansafe tower is never polled
CSCum77758  capture type tls-proxy no longer works
CSCum80899  ASA: Watchdog traceback in Unicorn Admin Handler with TopN host stats
CSCum85047  Traceback in Thread: IPsec message handler with rip-tlog_event_allocate
CSCum86538  SunRPC GETPORT Reply dropped when two active sessions use same xid
CSCum92080  Sourcefire Defense Center not able to be rendered via Clientless SSL VPN
CSCun25809  AnyConnect Password Management Fails with SMS Passcode
CSCun28999  When long line is entered on cli, all chars > 510 silently discarded
CSCun40620  ASA IPSec - DNS reply for RA client dropped when LZS compression enabled
CSCun41818  ASA: Traceback in thread Name: DATAPATH-1-2581
CSCun45520  Cisco ASA DHCPv6 Denial of Service Vulnerability
CSCun53640  9.2.1/ASAv IPSec "NGE High" throughput performance test low
CSCun66306  IDM/IME/File Transfer Slow For Certain Source and Destination IP Pairs
CSCun69561  ASA Crafted Radius DoS Vulnerability
CSCun69669  Posture assessment failing after HS upgrade to 3.1.05152
CSCun78551  Cisco ASA Information Disclosure Vulnerability
CSCun81982  Packet-tracer showing incorrect result for certain NAT configurations
CSCun83186  Nameif command not allowed on TFW multimode ASA with clustering
CSCun85465  ASA modifies Request Host Part under 'ACK' packet for SIP connection
CSCun88276  High CPU with IKE daemon Process
CSCun90690  An Application site not rendered properly in FF27
CSCun95075  ASA drops packet due to nat-no-xlate-to-pat-pool after removing NAT rule
CSCun96170  ASA 8.4.6: Traceback with fover_FSM_thread
CSCuo00627  Saleen copper module port speed/duplex changes ineffective
CSCuo02948  To the box traffic dropped due to vpn load-balancing (mis)configuration
CSCuo03555  SNMP: cpmCPUTotal5sec/1min/5min return "0"
CSCuo03569  VPN client firewall and split-tunneling mishandle "inactive" acl rules
CSCuo04526  syslogs not giving proper info in ASA
CSCuo04965  Clientless scrollbar on right hand side of the screen doesn't render
CSCuo08511  ASA 9.0.4.1 traceback in webvpn datapath
CSCuo09070  ASAv only : "configure https://server/asa_config" fails to execute
CSCuo10869  VPN-filter ACL drops all traffic after upgrade for pre 8.3 to 9.x
CSCuo11057  IPsec transform sets mode changes from transport to tunnel after editing
CSCuo11867  CSCub92315 fix is incomplete
CSCuo14701  Interop: relax PrintableString encoding enforcement in PKI
CSCuo19916  ASA - Cut Through Proxy sends empty redirect w/ Virtual HTTP and Telnet
CSCuo23892  ASA SIP Inspect:'From: header' in the INVITE not NATed for outbound flow
CSCuo24659  CTL-provider broken due to midpath block chains
CSCuo26501  ASA: Traceback in Thread Name: Dispatch Unit when enable debug ppp int
CSCuo26632  ASA SSLVPN OWA 2007: Unable to attach files >= 1 MB with KCD enabled
CSCuo32369  ASA WebVPN Rewriter: CSCOGet_location Improperly Pulls Full Web Address
CSCuo33186  Traceback with thread DATAPATH-2-1181
CSCuo39395  Error message on module session displays incorrect card state
CSCuo44216  ASA traceback (Page fault) during xlate replication in a failover setup
CSCuo46136  ASA does not relay BOOTP packets
CSCuo49385  Multicast - ASA doesn't populate mroutes after failover
CSCuo60435  ASA: Webvpn using incorrect password for auto-signon with Radius/OTP
CSCuo61372  ASA doesn't send invalid SPI notify for non-existent NAT-T IPSec SA
CSCuo63172  ASA 9.1.(3)4 Memory Leak in KCD
CSCuo66171  Recovery failed to bring up the sfr console
CSCuo68647  Traceback when no failover then clear conf all during xlate replication
CSCuo73792  ASA 9.x Management Port-Channel Cannot configure management-only in TFW
CSCuo78285  Traceback in L2 Cluster automation in tmatch function
CSCuo84225  CIFS drag & drop not working with remote file explorer over webvpn
CSCuo89924  Giaddr to be set to the address of interface facing the client.
CSCuo95602  Standby ASA Crash on Fover_Parse with Botnet Filter
CSCup22532  Multiple Vulnerabilities in OpenSSL - June 2014

Resolved Caveats in Version 9.2(1)

Table 6 contains resolved caveats in ASA Version 9.2(1).

If you are a registered Cisco.com user, view more information about each caveat using Bug Search at the following website:

https://tools.cisco.com/bugsearch

Table 6 Resolved Caveats in ASA Version 9.2(1)

Caveat      Description
CSCty28878  ASA SSLVPN/DTLS: Copy inner packet TOS field to outer header
CSCud94029  Local CA rollover: reloading ASA deletes original CA cert before expiry
CSCue38161  wr mem all produces traceback on console
CSCuj09444  ASA:Difference in replication result of initial sync and boot sequence
CSCuj49205  SNMP: OID(1.3.6.1.4.1.99.X) inadvertently added
CSCuj62017  ASA doesn't RST conn for same sec-level int (resetoutbound/inbound only)
CSCul16778  vpn load-balancing configuration exits sub-command menu unexpectedly
CSCul61545  ASA Page Fault Traceback in 'vpnfol_thread_msg' Thread
CSCul65863  ASA IGMP receiver-specific filter blocks all multicast receivers
CSCul94773  ASA TCP Proxy can corrupt data, cause ACK storms and session hangs
CSCum03212  URLF: Websense v4 message length calculation is incorrect by 2 bytes
CSCum28756  ASA: Auth failures for SNMPv3 polling after unit rejoins cluster
CSCum51780  Problem configuring QOS priority with user-statistic on same policy-map
CSCun20457  ASA 9.1.x should accept RIP V1 updates
CSCun32388  ASA 5585 cluster indicating SSM card down but no SSM module

End-User License Agreement

For information on the end-user license agreement, go to:

http://www.cisco.com/go/warranty

Related Documentation

For additional information on the ASA, see Navigating the Cisco ASA Series Documentation:

http://www.cisco.com/go/asadocs

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.

Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and have content delivered directly to your desktop using a reader application. The RSS feeds are a free service.