Cisco Adaptive Security Device Manager

Release Notes for Cisco ASDM, 7.2(x)

Table of Contents

Release Notes for Cisco ASDM, Version 7.2(x)

Important Notes

System Requirements

ASDM Client Operating System and Browser Requirements

Java and Browser Compatibility

Installing an Identity Certificate for ASDM

ASA and ASDM Compatibility

VPN Compatibility

Maximum Configuration Size in ASDM

New Features

New Features in Version 7.2(2)

New Features in Version 7.2(1)

Upgrading the Software

Upgrade Path and Migrations

Viewing Your Current Version

Downloading the Software from Cisco.com

Upgrading a Standalone Unit

Upgrading from Your Local Computer

Upgrading Using the Cisco.com Wizard

Upgrading a Failover Pair or ASA Cluster

Upgrading an Active/Standby Failover Pair

Upgrading an Active/Active Failover Pair

Upgrading an ASA Cluster

Unsupported Commands

Ignored and View-Only Commands

Effects of Unsupported Commands

Discontinuous Subnet Masks Not Supported

Interactive User Commands Not Supported by the ASDM CLI Tool

Open Caveats

Open Caveats in Version 7.2(2)

Open Caveats in Version 7.2(1)

Resolved Caveats

Resolved Caveats in 7.2(2)

Resolved Caveats in 7.2(1)

End-User License Agreement

Related Documentation

Obtaining Documentation and Submitting a Service Request

Release Notes for Cisco ASDM, Version 7.2(x)

Released: April 24, 2014

Updated: June 26, 2014

This document contains release information for Cisco ASDM Version 7.2(x) for the Cisco ASA series. This document includes the following sections:

Important Notes

  • WinNT AAA server to be deprecated—In ASA Version 9.3, the WinNT AAA server will no longer be supported. If you use WinNT, you should start planning alternative server types.

System Requirements

ASDM Client Operating System and Browser Requirements

Table 1 lists the supported and recommended client operating systems and Java for ASDM.

 

Table 1 Operating System and Browser Requirements

| Operating System | Browser: Internet Explorer | Browser: Firefox | Browser: Safari | Browser: Chrome | Java SE Plug-in |
|---|---|---|---|---|---|
| Microsoft Windows (English and Japanese): 8, 7, Vista, 2008 Server, XP | 6 through 10. Version 11 or later is not supported. | 1.5 or later | No support | 18 or later | 6 or later |
| Apple OS X 10.4 and later | No support | 1.5 or later | 2 or later | 18 or later | 6 or later |
| Red Hat Enterprise Linux 5 (GNOME or KDE): Desktop, Desktop with Workstation | N/A | 1.5 or later | N/A | 18 or later | 6 or later |

Java and Browser Compatibility

Table 2 lists compatibility caveats for Java, ASDM, and browser compatibility.

 

Table 2 Caveats for ASDM Compatibility

Java Version
Conditions
Notes

7 update 51

ASDM Launcher requires trusted certificate

To continue using the Launcher, do one of the following:

  • Install a trusted certificate on the ASA from a known CA.
  • Install a self-signed certificate and register it with Java. See the ASDM certificate procedure in this document.
  • Downgrade Java to 7 update 45 or earlier.
  • Alternatively use Java Web Start.

Note ASDM 7.1(5) and earlier are not supported with Java 7 update 51. If you already upgraded Java, and can no longer launch ASDM in order to upgrade it to Version 7.2, then you can either use the CLI to upgrade ASDM, or you can add a security exception in the Java Control Panel for each ASA you want to manage with ASDM. See the “Workaround” section at:

http://java.com/en/download/help/java_blocked.xml

After adding the security exception, launch the older ASDM and then upgrade to 7.2.

In rare cases, online help does not load when using Java Web Start

In rare cases, when launching online help, the browser window loads, but the content fails to appear. The browser reports an error: “Unable to connect”.

Workaround:

  • Use the ASDM Launcher

Or:

  • Clear the -Djava.net.preferIPv6Addresses=true parameter in Java Runtime Parameters:

a. Launch the Java Control Panel.

b. Click the Java tab.

c. Click View.

d. Clear this parameter: -Djava.net.preferIPv6Addresses=true

e. Click OK, then Apply, then OK again.

7 update 45

ASDM shows a yellow warning about the missing Permissions attribute when using an untrusted certificate

Due to a bug in Java, if you do not have a trusted certificate installed on the ASA, you see a yellow warning about a missing Permissions attribute in the JAR manifest. It is safe to ignore this warning; ASDM 7.2 includes the Permissions attribute. To prevent the warning from appearing, install a trusted certificate (from a known CA); or generate a self-signed certificate on the ASA by choosing Configuration > Device Management > Certificates > Identity Certificates. Launch ASDM, and when the certificate warning is shown, check the Always trust connections to websites check box.

7

Requires strong encryption license (3DES/AES) on ASA

ASDM requires an SSL connection to the ASA. If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you cannot launch ASDM. You must uninstall Java 7, and install Java 6 (http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase6-419409.html). Note that a workaround is required for weak encryption and Java 6 (see below, in this table).

6

No usernames longer than 50 characters

Due to a Java bug, ASDM does not support usernames longer than 50 characters when using Java 6. Longer usernames work correctly for Java 7.

Requires strong encryption license (3DES/AES) on ASA or workaround

When you initially connect a browser to the ASA to load the ASDM splash screen, the browser attempts to make an SSL connection to the ASA. If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you may not be able to access the ASDM splash screen; most current browsers do not support weak encryption ciphers. Therefore, without the strong encryption license (3DES/AES), use one of the following workarounds:

  • If available, use an already downloaded ASDM launcher or Java Web Start shortcut. The Launcher and Web Start shortcut work with Java 6 and weak encryption, even if the browsers do not.
  • For Windows Internet Explorer, you can enable DES as a workaround. See http://support.microsoft.com/kb/929708 for details.
  • For Firefox on any operating system, you can enable the security.ssl3.dhe_dss_des_sha setting as a workaround. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.

All

  • Self-signed certificate or an untrusted certificate
  • IPv6
  • Firefox and Safari

When the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See https://bugzilla.mozilla.org/show_bug.cgi?id=633001 . This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority.

  • SSL encryption on the ASA must include both RC4-MD5 and RC4-SHA1 or disable SSL false start in Chrome.
  • Chrome

If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome “SSL false start” feature. We suggest re-enabling one of these algorithms (see the Configuration > Device Management > Advanced > SSL Settings pane); or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to http://www.chromium.org/developers/how-tos/run-chromium-with-flags .

IE9 for servers

For Internet Explorer 9.0 for servers, the “Do not save encrypted pages to disk” option is enabled by default (See Tools > Internet Options > Advanced). This option causes the initial ASDM download to fail. Be sure to disable this option to allow ASDM to download.

OS X

On OS X, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.

All

OS X 10.8 and later

You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.

 

1. To allow ASDM to run, right-click (or Ctrl-Click) the Cisco ASDM-IDM Launcher icon, and choose Open.

2. You see a similar error screen; however, you can open ASDM from this screen. Click Open. The ASDM-IDM Launcher opens.

 

Installing an Identity Certificate for ASDM

When using the current Java version, the ASDM Launcher requires a trusted certificate. An easy approach to fulfill the certificate requirements is to generate a self-signed identity certificate and to configure the ASA to use it when establishing an SSL connection. After you generate the identity certificate and configure the ASA, you need to register it with the Java Control Panel on your computer. You can use Java Web Start to launch ASDM until you install a certificate.

See the following document to install a self-signed identity certificate on the ASA for use with ASDM, and to register the certificate with Java.

http://www.cisco.com/go/asdm-certificate

ASA and ASDM Compatibility

For information about ASA/ASDM requirements and compatibility, see Cisco ASA Compatibility:

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

VPN Compatibility

For VPN compatibility, see the Supported VPN Platforms, Cisco ASA 5500 Series:

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html

Maximum Configuration Size in ASDM

  • ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience performance issues. For example, when you load the configuration, the status dialog shows the percentage of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend that you consider increasing the ASDM system heap memory.

To increase the ASDM heap memory size, download the ASDM-IDM Launcher, and then modify the ASDM-IDM Launcher shortcut by performing the following steps.

Windows:

a. Right-click the shortcut for the Cisco ASDM-IDM Launcher, and choose Properties.

b. Click the Shortcut tab.

c. In the Target field, change the argument prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.

 

Macintosh:

a. Right-click the Cisco ASDM-IDM icon, and choose Show Package Contents.

b. In the Contents folder, double-click the Info.plist file. If you have Developer tools installed, it opens in the Property List Editor. Otherwise, it opens in TextEdit.

c. Under Java > VMOptions, change the string prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.

 

d. If this file is locked, you see an error such as the following:

 

e. Click Unlock and save the file.

If you do not see the Unlock dialog box, exit the editor, right-click the Cisco ASDM-IDM icon, choose Copy Cisco ASDM-IDM, and paste it to a location where you have write permissions, such as the Desktop. Then change the heap size from this copy.

New Features

New Features in Version 7.2(2)

Released: June 26, 2014

Table 3 lists the new features for ASA Version 9.2(2)/ASDM Version 7.2(2).

 

Table 3 New Features for ASA Version 9.2(2)/ASDM Version 7.2(2)

Feature
Description
Remote Access Features

Internet Explorer 11 browser support on Windows 8.1 and Windows 7 for clientless SSL VPN

We added support for Internet Explorer 11 with Windows 7 and Windows 8.1 for clientless SSL VPN.

We did not modify any screens.

 

New Features in Version 7.2(1)

Released: April 24, 2014

Table 4 lists the new features for ASA Version 9.2(1)/ASDM Version 7.2(1).


Note The ASA 5510, ASA 5520, ASA 5540, ASA 5550, and ASA 5580 are not supported in this release or later. ASA Version 9.1 was the final release for these models.


 

Table 4 New Features for ASA Version 9.2(1)/ASDM Version 7.2(1)

Feature
Description
Platform Features

The Cisco Adaptive Security Virtual Appliance (ASAv) has been added as a new platform to the ASA series.

The ASAv brings full firewall functionality to virtualized environments to secure data center traffic and multi-tenant environments. The ASAv runs on VMware vSphere. You can manage and monitor the ASAv using ASDM or the CLI.

Routing Features

BGP Support

We now support the Border Gateway Protocol (BGP). BGP is an inter-autonomous system routing protocol. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISPs).

We introduced the following screens:
Configuration > Device Setup > Routing > BGP
Monitoring > Routing > BGP Neighbors, Monitoring > Routing > BGP Routes

We modified the following screens:
Configuration > Device Setup > Routing > Static Routes > Add > Add Static Route
Configuration > Device Setup > Routing > Route Maps > Add > Add Route Map

Static route for Null0 interface

Sending traffic to a Null0 interface results in dropping the packets destined to the specified network. This feature is useful in configuring Remotely Triggered Black Hole (RTBH) for BGP.

We modified the following screen:
Configuration > Device Setup > Routing > Static Routes > Add > Add Static Route

OSPF support for Fast Hellos

OSPF supports the Fast Hello Packets feature, which allows a configuration that gives faster convergence in an OSPF network.

 

We modified the following screen: Configuration > Device Setup > Routing > OSPF > Interface > Edit OSPF Interface Advanced properties

New OSPF Timers

New OSPF timers were added; old ones were deprecated.

We modified the following screen: Configuration > Device Setup > Routing > OSPF > Setup > Edit OSPF Process Advanced Properties

OSPF Route filtering using ACL

Route filtering using ACL is now supported.

We introduced the following screen: Configuration > Device Setup > Routing > OSPF > Filtering Rules > Add Filter Rules

OSPF Monitoring enhancements

Additional OSPF monitoring information was added.

We modified the following commands: show ospf events, show ospf rib, show ospf statistics, show ospf border-routers [detail], show ospf interface brief

OSPF redistribute BGP

OSPF redistribution feature was added.

We added the following screen: Configuration > Device Setup > Routing > OSPF > Redistribution

EIGRP Auto-Summary

For EIGRP, the Auto-Summary field is now disabled by default.

We modified the following screen: Configuration > Device Setup > Routing > EIGRP > Setup > Edit EIGRP Process Advanced Properties

High Availability Features

Support for cluster members at different geographical locations (inter-site) for transparent mode

You can now place cluster members at different geographical locations when using Spanned EtherChannel mode in transparent firewall mode. Inter-site clustering with spanned EtherChannels in routed firewall mode is not supported.

We did not modify any ASDM screens.

Static LACP port priority support for clustering

Some switches do not support dynamic port priority with LACP (active and standby links). You can now disable dynamic port priority to provide better compatibility with spanned EtherChannels. You should also follow these guidelines:

  • Network elements on the cluster control link path should not verify the L4 checksum. Redirected traffic over the cluster control link does not have a correct L4 checksum. Switches that verify the L4 checksum could cause traffic to be dropped.
  • Port-channel bundling downtime should not exceed the configured keepalive interval.

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

Support for 32 active links in a spanned EtherChannel for clustering

ASA EtherChannels now support up to 16 active links. With spanned EtherChannels, that functionality is extended to support up to 32 active links across the cluster when used with two switches in a vPC and when you disable dynamic port priority. The switches must support EtherChannels with 16 active links, for example, the Cisco Nexus 7000 with F2-Series 10 Gigabit Ethernet Module.

For switches in a VSS or vPC that support 8 active links, you can now configure 16 active links in the spanned EtherChannel (8 connected to each switch). Previously, the spanned EtherChannel only supported 8 active links and 8 standby links, even for use with a VSS/vPC.

Note If you want to use more than 8 active links in a spanned EtherChannel, you cannot also have standby links; the support for 9 to 32 active links requires you to disable cLACP dynamic port priority that allows the use of standby links.

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

Support for 16 cluster members for the ASA 5585-X

The ASA 5585-X now supports 16-unit clusters.

We did not modify any ASDM screens.

Support for clustering with the Cisco Nexus 9300

The ASA supports clustering when connected to the Cisco Nexus 9300.

Remote Access Features

ISE Change of Authorization

The ISE Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is established. When a policy changes for a user or user group in AAA, CoA packets can be sent directly to the ASA from the ISE to reinitialize authentication and apply the new policy. An Inline Posture Enforcement Point (IPEP) is no longer required to apply access control lists (ACLs) for each VPN session established with the ASA.

When an end user requests a VPN connection, the ASA authenticates the user to the ISE and receives a user ACL that provides limited access to the network. An accounting start message is sent to the ISE to register the session. Posture assessment occurs directly between the NAC agent and the ISE. This process is transparent to the ASA. The ISE sends a policy update to the ASA via a CoA “policy push.” This identifies a new user ACL that provides increased network access privileges. Additional policy evaluations may occur during the lifetime of the connection, transparent to the ASA, via subsequent CoA updates.

We modified the following screen: Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups > Add/Edit AAA Server Group

Improved clientless rewriter HTTP 1.1 compression handling

The rewriter has been changed so that if the client supports compressed content and the content will not be rewritten, then it will accept compressed content from the server. If the content must be rewritten and it is identified as being compressed, it will be decompressed, rewritten, and if the client supports it, recompressed.

We did not introduce or modify any ASDM screens.

OpenSSL upgrade

The version of OpenSSL on the ASA will be updated to version 1.0.1e.

Note We disabled the heartbeat option, so the ASA is not vulnerable to the Heartbleed Bug.

We did not introduce or modify any ASDM screens.

Interface Features

Support for 16 active links in an EtherChannel

You can now configure up to 16 active links in an EtherChannel. Previously, you could have 8 active links and 8 standby links. Be sure your switch can support 16 active links (for example, the Cisco Nexus 7000 with F2-Series 10 Gigabit Ethernet Module).

Note If you upgrade from an earlier ASA version, the maximum active interfaces is set to 8 for compatibility purposes.

We modified the following screen: Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface > Advanced.

Monitoring Features

Embedded Event Manager (EEM)

The EEM feature enables you to debug problems and provides general purpose logging for troubleshooting. The EEM responds to events in the EEM system by performing actions. There are two components: events that the EEM triggers, and event manager applets that define actions. You may add multiple events to each event manager applet, which triggers it to invoke the actions that have been configured on it.

We introduced the following screens: Configuration > Device Management > Advanced > Embedded Event Manager, Monitoring > Properties > EEM Applets.

SNMP hosts, host groups, and user lists

You can now add up to 4000 hosts. The number of supported active polling destinations is 128. You can specify a network object to indicate the individual hosts that you want to add as a host group. You can associate more than one user with one host.

We modified the following screen: Configuration > Device Management > Management Access > SNMP.

SNMP message size

The limit on the message size that SNMP sends has been increased to 1472 bytes.

SNMP OIDs and MIBs

The ASA now supports the cpmCPUTotal5minRev OID.

The ASAv has been added as a new product to the SNMP sysObjectID OID and entPhysicalVendorType OID.

The CISCO-PRODUCTS-MIB and CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support the new ASAv platform.

The CISCO-VPN-LIC-USAGE-MONITOR-MIB, a new SNMP MIB for monitoring VPN shared license usage, has been added. The OID has the following index: 1.3.6.1.4.1.9.9.816.x.x. This new OID polls the number of active and max-session connections.

We did not introduce or modify any commands.

Administrative Features

Improved one-time password authentication

Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command.

We modified the following screen: Configuration > Device Management > Users/AAA > AAA Access > Authorization.

Auto Update Server certificate verification enabled by default

The Auto Update Server certificate verification is now enabled by default; for new configurations, you must explicitly disable certificate verification. If you are upgrading from an earlier release, and you did not enable certificate verification, then certificate verification is not enabled, and you see the following warning:

WARNING: The certificate provided by the auto-update servers will not be verified. In order to verify this certificate please use the verify-certificate option.
 

The configuration will be migrated to explicitly configure no verification.

We modified the following screen: Configuration > Device Management > System/Image Configuration > Auto Update > Add Auto Update Server.
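Because an upgraded ASA keeps certificate verification off for existing Auto Update Server entries, a saved configuration is worth auditing after the upgrade. The following is an added example, not Cisco code: a Python check over a constructed running-config excerpt that classifies each auto-update server line as verified HTTPS, unverified HTTPS, or plain HTTP. The sample hostnames, credentials, and function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed running-config excerpt; hostnames, addresses and credentials are made up.
SAMPLE_CONFIG = """\
hostname edge-asa
auto-update poll-period 720
auto-update server https://aus:S3cret@aus1.example.com/autoupdate/AutoUpdateServlet verify-certificate
auto-update server https://aus2.example.com/autoupdate/AutoUpdateServlet
auto-update server http://192.0.2.10/autoupdate/AutoUpdateServlet
"""

# Matches "auto-update server <url> [options...]" but not the "no ..." form.
SERVER_LINE = re.compile(r"^\s*auto-update\s+server\s+(\S+)(.*)$")


def redact(url):
    """Return the URL with any embedded user:password replaced by a marker."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: restore the brackets urlsplit strips
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return parts._replace(netloc=f"<redacted>@{host}").geturl()


def audit_auto_update(config_text):
    """Classify every auto-update server entry in a configuration.

    status values:
      verified   - HTTPS and the verify-certificate option is present
      unverified - HTTPS, but the server certificate is not checked
      plaintext  - no TLS at all, so there is no certificate to verify
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = SERVER_LINE.match(line)
        if not match:
            continue
        url, options = match.group(1), match.group(2).split()
        scheme = urlsplit(url).scheme.lower()
        if scheme != "https":
            status = "plaintext"
        elif "verify-certificate" in options:
            status = "verified"
        else:
            status = "unverified"
        findings.append({"line": lineno, "url": redact(url), "status": status})
    return findings


def needs_attention(findings):
    """Entries an administrator should review after the upgrade."""
    return [f for f in findings if f["status"] != "verified"]


if __name__ == "__main__":
    for finding in audit_auto_update(SAMPLE_CONFIG):
        print(f"line {finding['line']}: {finding['status']:<10} {finding['url']}")
```

Credentials embedded in the URL are redacted before reporting so the audit output can be shared without leaking the Auto Update Server password.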

 

Upgrading the Software

This section describes how to upgrade to the latest version and includes the following topics:


Note For CLI procedures, see the ASA documentation.


Upgrade Path and Migrations

  • If you are upgrading from a pre-9.0 release, because of ACL migration, you cannot later perform a downgrade; be sure to back up your configuration file in case you want to downgrade. See the ACL migration section in the 9.0 release notes for more information.
  • If you are upgrading from one of the following versions, you can successfully upgrade to 9.1(2.8) or later:

8.4(5) or later

9.0(2) or later

9.1(2)

However, if you are running any earlier versions, you cannot upgrade directly to 9.1(2.8) or later without first upgrading to one of the above versions. For example:

 

| ASA Version | First Upgrade to: | Then Upgrade to: |
|---|---|---|
| 8.2(1) | 8.4(7) | 9.2(1) or later |
| 8.4(4) | 8.4(7) | 9.2(1) or later |
| 9.0(1) | 9.0(4) | 9.2(1) or later |
| 9.1(1) | 9.1(2) | 9.2(1) or later |

  • If you are upgrading from a pre-8.3 release:

See the Cisco ASA 5500 Migration Guide to Version 8.3 and Later for important information about migrating your configuration.

You cannot upgrade directly to 9.0 or later. You must first upgrade to Version 8.4 for a successful migration.

  • Software Version Requirements for Zero Downtime Upgrading:

The units in a failover configuration or ASA cluster should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions of the software running on each unit and still maintain failover support. To ensure long-term compatibility and stability, we recommend upgrading all units to the same version as soon as possible.

Table 1-5 shows the supported scenarios for performing zero-downtime upgrades.

 

Table 1-5 Zero-Downtime Upgrade Support

Type of Upgrade
Support

Maintenance Release

You can upgrade from any maintenance release to any other maintenance release within a minor release.

For example, you can upgrade from 8.4(1) to 8.4(6) without first installing the maintenance releases in between.

Minor Release

You can upgrade from a minor release to the next minor release. You cannot skip a minor release.

For example, you can upgrade from 8.2 to 8.3. Upgrading from 8.2 directly to 8.4 is not supported for zero-downtime upgrades; you must first upgrade to 8.3. For models that are not supported on a minor release, you can skip the minor release; for example, for the ASA 5585-X, you can upgrade from 8.2 to 8.4 (the model is not supported on 8.3).


Note Zero-downtime upgrades are possible, even when feature configuration is migrated, for example, from 8.2 to 8.3.


Major Release

You can upgrade from the last minor release of the previous version to the next major release.

For example, you can upgrade from 8.6 to 9.0, assuming that 8.6 is the last minor version in the 8.x release series for your model. Upgrading from 8.6 directly to 9.1 is not supported for zero-downtime upgrades; you must first upgrade to 9.0. For models that are not supported on a minor release, you can skip the minor release; for example, for the ASA 5585-X, you can upgrade from 8.4 to 9.0 (the model is not supported on 8.5 or 8.6).


Note Zero-downtime upgrades are possible, even when feature configuration is migrated, for example, from 8.4 to 9.0.
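The upgrade-path prerequisites at the start of this section can be checked mechanically before a maintenance window. The following is an added example, not Cisco code: a Python planner that parses ASA version strings and returns the hops required to reach 9.1(2.8) or later, using the qualifying versions and the intermediate versions from the example table above. It assumes that "or later" means later within the same release train, and that every pre-8.4 release steps through 8.4(7) as the table's 8.2(1) row does; the function names are hypothetical.

```python
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)(?:\.(\d+))?\))?$")

# Releases at or above this one require a qualifying starting version.
GATE = (9, 1, 2, 8)

# Release train -> (lowest version that may upgrade directly,
#                   intermediate version used in the page's example table).
TRAINS = {
    (8, 4): ((8, 4, 5, 0), "8.4(7)"),
    (9, 0): ((9, 0, 2, 0), "9.0(4)"),
    (9, 1): ((9, 1, 2, 0), "9.1(2)"),
}


def parse_version(text):
    """'9.1(2.8)' -> (9, 1, 2, 8); missing parts count as 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not an ASA version string: {text!r}")
    return tuple(int(group) if group else 0 for group in match.groups())


def plan_upgrade(current, target="9.2(1)"):
    """Return (hops, notes) for upgrading `current` to `target`.

    hops  - versions to install, in order, ending with the target
    notes - reminders the release notes attach to that starting version
    """
    cur, tgt = parse_version(current), parse_version(target)
    if tgt < GATE:
        raise ValueError("only targets of 9.1(2.8) or later are modelled")
    if cur >= tgt:
        raise ValueError("target must be newer than the current version")

    notes = []
    if cur < (9, 0, 0, 0):
        notes.append("Back up the configuration: ACL migration prevents a later downgrade.")
    if cur < (8, 3, 0, 0):
        notes.append("Read the migration guide to 8.3 and later; upgrade to 8.4 first.")

    train = cur[:2]
    if cur >= GATE:
        hops = [target]                      # already past the gate
    elif train in TRAINS:
        minimum, stepping_stone = TRAINS[train]
        hops = [target] if cur >= minimum else [stepping_stone, target]
    elif cur < (8, 4, 0, 0):
        hops = ["8.4(7)", target]            # assumption: same hop as the 8.2(1) row
    else:
        # For example 8.5, 8.6 or 8.7, which the list does not mention.
        raise ValueError(f"{current} is not covered by the listed upgrade paths")
    return hops, notes


if __name__ == "__main__":
    for version in ["8.2(1)", "8.4(4)", "8.4(5)", "9.0(1)", "9.1(1)", "9.1(2)"]:
        hops, notes = plan_upgrade(version)
        print(f"{version:>7} -> " + " -> ".join(hops))
        for note in notes:
            print(f"          note: {note}")
```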


Viewing Your Current Version

The software version appears on the ASDM home page; view the home page to verify the software version of your ASA.

Downloading the Software from Cisco.com

If you are using the ASDM Upgrade Wizard, you do not have to pre-download the software. If you are manually upgrading, for example for a failover upgrade, download the images to your local computer.

If you have a Cisco.com login, you can obtain the OS and ASDM images from the following website:

http://www.cisco.com/go/asa-software

Upgrading a Standalone Unit

This section describes how to install the ASDM and operating system (OS) images.

Upgrading from Your Local Computer

The Upgrade Software from Local Computer tool lets you upload an image file from your computer to the flash file system to upgrade the ASA.

Detailed Steps


Step 1 (If there is a configuration migration) In ASDM, back up your existing configuration using the Tools > Backup Configurations tool.

Step 2 In the main ASDM application window, choose Tools > Upgrade Software from Local Computer.

The Upgrade Software dialog box appears.

Step 3 From the Image to Upload drop-down list, choose ASDM.

Step 4 In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.

Step 5 In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.

Step 6 Click Upload Image. The uploading process might take a few minutes.

Step 7 You are prompted to set this image as the ASDM image. Click Yes.

Step 8 You are reminded to exit ASDM and save the configuration. Click OK. You exit the Upgrade tool. Note: You will save the configuration and reload ASDM after you upgrade the ASA software.

 

Step 9 Repeat Step 2 through Step 8, choosing ASA from the Image to Upload drop-down list. You can also use this procedure to upload other file types.

Step 10 Choose Tools > System Reload to reload the ASA.

A new window appears that asks you to verify the details of the reload.

a. Click the Save the running configuration at the time of reload radio button (the default).

b. Choose a time to reload (for example, Now, the default).

c. Click Schedule Reload.

Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.

Step 11 After the ASA reloads, restart ASDM.


 

Upgrading Using the Cisco.com Wizard

The Upgrade Software from Cisco.com Wizard lets you automatically upgrade the ASDM and ASA to more current versions.

In this wizard, you can do the following:

  • Choose an ASA image file and/or ASDM image file to upgrade.

Note ASDM downloads the latest image version, which includes the build number. For example, if you are downloading 9.2(1), the download might be 9.2(1.2). This behavior is expected, so you may proceed with the planned upgrade.


  • Review the upgrade changes that you have made.
  • Download the image or images and install them.
  • Review the status of the installation.
  • If the installation completed successfully, restart the ASA to save the configuration and complete the upgrade.

Detailed Steps


Step 1 (If there is a configuration migration) In ASDM, back up your existing configuration using the Tools > Backup Configurations tool.

Step 2 Choose Tools > Check for ASA/ASDM Updates.

In multiple context mode, access this menu from the System.

The Cisco.com Authentication dialog box appears.

Step 3 Enter your Cisco.com username and password, and then click Login.

The Cisco.com Upgrade Wizard appears.


Note If there is no upgrade available, a dialog box appears. Click OK to exit the wizard.


Step 4 Click Next to display the Select Software screen.

The current ASA version and ASDM version appear.

Step 5 To upgrade the ASA version and ASDM version, perform the following steps:

a. In the ASA area, check the Upgrade to check box, and then choose an ASA version to which you want to upgrade from the drop-down list.

b. In the ASDM area, check the Upgrade to check box, and then choose an ASDM version to which you want to upgrade from the drop-down list.

Step 6 Click Next to display the Review Changes screen.

Step 7 Verify the following items:

    • The ASA image file and/or ASDM image file that you have downloaded are the correct ones.
    • The ASA image file and/or ASDM image file that you want to upload are the correct ones.
    • The correct ASA boot image has been selected.

Step 8 Click Next to start the upgrade installation.

You can then view the status of the upgrade installation as it progresses.

The Results screen appears, which provides additional details, such as the upgrade installation status (success or failure).

Step 9 If the upgrade installation succeeded, for the upgrade versions to take effect, check the Save configuration and reload device now check box to restart the ASA, and restart ASDM.

Step 10 Click Finish to exit the wizard and save the configuration changes that you have made.


Note To upgrade to the next higher version, if any, you must restart the wizard.



 

Upgrading an Active/Standby Failover Pair

To upgrade the Active/Standby failover pair, perform the following steps.

Detailed Steps


Step 1 (If there is a configuration migration) In ASDM, back up your existing configuration using the Tools > Backup Configurations tool.

Step 2 On the active unit, in the main ASDM application window, choose Tools > Upgrade Software from Local Computer.

The Upgrade Software dialog box appears.

Step 3 From the Image to Upload drop-down list, choose ASDM.

Step 4 In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.

Step 5 In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.

Step 6 Click Upload Image. The uploading process might take a few minutes.

Step 7 You are prompted to set this image as the ASDM image. Click Yes.

Step 8 You are reminded to exit ASDM and save the configuration. Click OK. You exit the Upgrade tool. Note: You will save the configuration and reload ASDM after you upgrade the ASA software.

Step 9 Repeat Step 2 through Step 8, choosing ASA from the Image to Upload drop-down list.

Step 10 Click the Save icon on the toolbar to save your configuration changes.

Step 11 Connect ASDM to the standby unit, and upload the ASA and ASDM software according to Step 2 through Step 9, using the same file locations you used on the active unit.

Step 12 Choose Tools > System Reload to reload the standby ASA.

A new window appears that asks you to verify the details of the reload.

a. Click the Save the running configuration at the time of reload radio button (the default).

b. Choose a time to reload (for example, Now, the default).

c. Click Schedule Reload.

Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.

Step 13 After the standby ASA reloads, restart ASDM and connect to the standby unit to make sure it is running.

Step 14 Connect ASDM to the active unit again.

Step 15 Force the active unit to fail over to the standby unit by choosing Monitoring > Properties > Failover > Status, and clicking Make Standby.

Step 16 Choose Tools > System Reload to reload the (formerly) active ASA.

A new window appears that asks you to verify the details of the reload.

a. Click the Save the running configuration at the time of reload radio button (the default).

b. Choose a time to reload (for example, Now, the default).

c. Click Schedule Reload.

Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.

After the ASA comes up, it will now be the standby unit.


 

Upgrading an Active/Active Failover Pair

To upgrade two units in an Active/Active failover configuration, perform the following steps.

Requirements

Perform these steps in the system execution space.

Detailed Steps


Step 1 (If there is a configuration migration) In ASDM, back up your existing configuration using the Tools > Backup Configurations tool.

Step 2 On the primary unit, in the main ASDM application window, choose Tools > Upgrade Software from Local Computer.

The Upgrade Software dialog box appears.

Step 3 From the Image to Upload drop-down list, choose ASDM.

Step 4 In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.

Step 5 In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.

Step 6 Click Upload Image. The uploading process might take a few minutes.

Step 7 You are prompted to set this image as the ASDM image. Click Yes.

Step 8 You are reminded to exit ASDM and save the configuration. Click OK. You exit the Upgrade tool.

Note: You will save the configuration and reload ASDM after you upgrade the ASA software.

Step 9 Repeat Step 2 through Step 8, choosing ASA from the Image to Upload drop-down list.

Step 10 Click the Save icon on the toolbar to save your configuration changes.

Step 11 Make both failover groups active on the primary unit by choosing Monitoring > Failover > Failover Group #, where # is the number of the failover group you want to move to the primary unit, and clicking Make Active.

Step 12 Connect ASDM to the secondary unit, and upload the ASA and ASDM software according to Step 2 through Step 9, using the same file locations you used on the active unit.

Step 13 Choose Tools > System Reload to reload the secondary ASA.

A new window appears that asks you to verify the details of the reload.

a. Click the Save the running configuration at the time of reload radio button (the default).

b. Choose a time to reload (for example, Now, the default).

c. Click Schedule Reload.

Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.

Step 14 Connect ASDM to the primary unit, and check when the secondary unit reloads by choosing Monitoring > Failover > System.

Step 15 After the secondary unit comes up, force the primary unit to fail over to the secondary unit by choosing Monitoring > Properties > Failover > System, and clicking Make Standby.

Step 16 Choose Tools > System Reload to reload the (formerly) active ASA.

A new window appears that asks you to verify the details of the reload.

a. Click the Save the running configuration at the time of reload radio button (the default).

b. Choose a time to reload (for example, Now, the default).

c. Click Schedule Reload.

Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.

If the failover groups are configured with Preempt Enabled, they automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with Preempt Enabled, you can return them to active status on their designated units using the Monitoring > Failover > Failover Group # pane.


 

Upgrading an ASA Cluster

To upgrade all units in an ASA cluster, perform the following steps on the master unit. For multiple context mode, perform these steps in the system execution space.

Detailed Steps


Step 1 Launch ASDM on the master unit.

Step 2 (If there is a configuration migration) In ASDM, back up your existing configuration using the Tools > Backup Configurations tool.

Step 3 In the main ASDM application window, choose Tools > Upgrade Software from Local Computer.

The Upgrade Software from Local Computer dialog box appears.

Step 4 Click the All devices in the cluster radio button.

The Upgrade Software dialog box appears.

 

Step 5 From the Image to Upload drop-down list, choose ASDM.

Step 6 In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.

Step 7 In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.

Step 8 Click Upload Image. The uploading process might take a few minutes.

Step 9 You are prompted to set this image as the ASDM image. Click Yes.

Step 10 You are reminded to exit ASDM and save the configuration. Click OK. You exit the Upgrade tool.

Note: You will save the configuration and reload ASDM after you upgrade the ASA software.

Step 11 Repeat Step 3 through Step 10, choosing ASA from the Image to Upload drop-down list.

Step 12 Click the Save icon on the toolbar to save your configuration changes.

Step 13 Choose Tools > System Reload.

The System Reload dialog box appears.

Step 14 Reload each slave unit one at a time by choosing a slave unit name from the Device drop-down list, and then clicking Schedule Reload to reload the unit now.

 

To avoid connection loss and allow traffic to stabilize, wait for each unit to come back up (approximately 5 minutes) before reloading the next unit. To view when a unit rejoins the cluster, see the Monitoring > ASA Cluster > Cluster Summary pane.

Step 15 After all slave units have reloaded, disable clustering on the master unit by choosing Configuration > Device Management > High Availability and Scalability > ASA Cluster, uncheck the Participate in ASA cluster check box, and click Apply.

Wait for 5 minutes for a new master to be selected and traffic to stabilize. When the former master unit rejoins the cluster, it will be a slave.

Do not save the configuration; when the master unit reloads, you want clustering to be enabled on it.

Step 16 Choose Tools > System Reload and reload the master unit from the System Reload dialog box by choosing --This Device-- from the Device drop-down list.

Step 17 Quit and restart ASDM; you will reconnect to the new master unit.


 

Unsupported Commands

ASDM supports almost all commands available for the adaptive ASA, but ASDM ignores some commands in an existing configuration. Most of these commands can remain in your configuration; see Tools > Show Commands Ignored by ASDM on Device for more information.

This section includes the following topics:

Ignored and View-Only Commands

Table 6 lists commands that ASDM supports in the configuration when added through the CLI, but that cannot be added or edited in ASDM. If ASDM ignores the command, it does not appear in the ASDM GUI at all. If the command is view-only, then it appears in the GUI, but you cannot edit it.

 

Table 6 List of Unsupported Commands

| Unsupported Commands | ASDM Behavior |
|---|---|
| capture | Ignored. |
| coredump | Ignored. This can be configured only using the CLI. |
| crypto engine large-mod-accel | Ignored. |
| dhcp-server (tunnel-group name general-attributes) | ASDM only allows one setting for all DHCP servers. |
| eject | Unsupported. |
| established | Ignored. |
| failover timeout | Ignored. |
| fips | Ignored. |
| nat-assigned-to-public-ip | Ignored. |
| pager | Ignored. |
| pim accept-register route-map | Ignored. You can configure only the list option using ASDM. |
| service-policy global | Ignored if it uses a match access-list class. See the example after this table. |
| set metric | Ignored. |
| sysopt nodnsalias | Ignored. |
| sysopt uauth allow-http-cache | Ignored. |
| terminal | Ignored. |
| threat-detection rate | Ignored. |

Example of a service-policy global configuration that uses a match access-list class:

access-list myacl extended permit ip any any
class-map mycm
match access-list myacl
policy-map mypm
class mycm
inspect ftp
service-policy mypm global

Effects of Unsupported Commands

If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected. To view the unsupported commands, choose Tools > Show Commands Ignored by ASDM on Device.

Discontinuous Subnet Masks Not Supported

ASDM does not support discontinuous subnet masks such as 255.255.0.255. For example, you cannot use the following:

ip address inside 192.168.2.1 255.255.0.255
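An offline pre-check for the two limitations above (the Table 6 commands that ASDM ignores and discontinuous subnet masks), added here as an example and not Cisco code. The function names and the sample configuration are constructed; the parser assumes the one-space indentation that show running-config uses for sub-commands and that class-map and policy-map definitions come before the service-policy line.

```python
import ipaddress
import re

# Commands that Table 6 marks "Ignored" without a further condition.
IGNORED = ("capture", "coredump", "crypto engine large-mod-accel", "established", "fips",
           "failover timeout", "nat-assigned-to-public-ip", "pager", "set metric", "terminal",
           "sysopt nodnsalias", "sysopt uauth allow-http-cache", "threat-detection rate")
IP_ADDR = re.compile(r"ip address\s+(?:[A-Za-z]\S*\s+)?(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})")

def mask_is_contiguous(mask):
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def audit(config):
    """Return (line_number, reason) findings for a saved ASA configuration."""
    findings, acl_classes, policy_classes = [], set(), {}
    block = None  # (keyword, name) of the class-map or policy-map being read
    for number, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        if not raw[0].isspace():  # an unindented line starts a new top-level command
            block = (words[0], words[-1]) if words[0] in ("class-map", "policy-map") else None
        elif block and block[0] == "class-map" and line.startswith("match access-list "):
            acl_classes.add(block[1])
        elif block and block[0] == "policy-map" and words[0] == "class" and len(words) > 1:
            policy_classes.setdefault(block[1], set()).add(words[1])
        if any(line == cmd or line.startswith(cmd + " ") for cmd in IGNORED):
            findings.append((number, "ignored by ASDM"))
        found = IP_ADDR.match(line)
        if found and not mask_is_contiguous(found.group(2)):
            findings.append((number, "discontinuous subnet mask " + found.group(2)))
        if len(words) == 3 and words[0] == "service-policy" and words[2] == "global":
            if acl_classes & policy_classes.get(words[1], set()):
                findings.append((number, "service-policy global with match access-list class"))
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.0.255
pager lines 24
access-list myacl extended permit ip any any
class-map mycm
 match access-list myacl
policy-map mypm
 class mycm
  inspect ftp
service-policy mypm global
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The check covers only the unconditional "Ignored" rows and the service-policy global case; the dhcp-server, eject and pim accept-register route-map rows of Table 6 are not evaluated.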
 

Interactive User Commands Not Supported by the ASDM CLI Tool

The ASDM CLI tool does not support interactive user commands. If you enter a CLI command that requires interactive confirmation, ASDM prompts you to enter “[yes/no]” but does not recognize your input. ASDM then times out waiting for your response.

For example:

1. Choose Tools > Command Line Interface.

2. Enter the crypto key generate rsa command.

ASDM generates the default 1024-bit RSA key.

3. Enter the crypto key generate rsa command again.

Instead of regenerating the RSA keys by overwriting the previous one, ASDM displays the following error:

Do you really want to replace them? [yes/no]:WARNING: You already have RSA ke0000000000000$A key
Input line must be less than 16 characters in length.
 
%Please answer 'yes' or 'no'.
Do you really want to replace them [yes/no]:
 
%ERROR: Timed out waiting for a response.
ERROR: Failed to create new RSA keys names <Default-RSA-key>
 

Workaround:

  • You can configure most commands that require user interaction by means of the ASDM panes.
  • For CLI commands that have a noconfirm option, use this option when entering the CLI command. For example:
    crypto key generate rsa noconfirm

Open Caveats

Open Caveats in Version 7.2(2)

Table 7 contains open caveats in ASDM software Version 7.2(2).

Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:

https://tools.cisco.com/bugsearch

 

Table 7 Open Caveats in ASDM Version 7.2(2)

| Caveat | Description |
|---|---|
| CSCuh28694 | ASDM on Mac: System font issues (font too large) |
| CSCul11018 | Cluster wizard fails ungracefully when CCL interface is disconnected |
| CSCum00219 | Cannot create an IPv6 network |
| CSCum10167 | Unable to apply regex in web type acl via ASDM |
| CSCum89863 | ASDM is not clearing the default user group for SNMP v3 |
| CSCun78199 | ASDM unable to add subinterfaces |
| CSCun87045 | ASDM - When IPv6 configured, startup wizard hangs on Interface Setting |
| CSCuo10523 | ASDM 7.1 - Trustsec support is not enabled for ASA-SM in ASDM |
| CSCuo41545 | ASDM messages displays incorrect information regarding ASAv licensing |
| CSCuo55691 | ASDM 7.1.6 RSA key generation fail (command syntax error) |
| CSCuo57123 | unable to config more then 3 registry check value |
| CSCuo62386 | ASDM 7.1.6: No DNS Configuration warnings on managing GP through CP |
| CSCuo64879 | ASDM apply button does not work when adding anyconnect xml profile |
| CSCuo68208 | AnyConnect profiles are not rendered properly after the creation |
| CSCuo80011 | "Enable auto-generation of MAC addresses..." checkbox missing in ASDM |
| CSCuo89106 | ASDM does not show empty object group in object-group section |
| CSCuo97033 | ASDM nat- ASDM changes interface to object if obj. with such name exists |
| CSCup01753 | ASDM doesnt populate the value when username from script is configrd |
| CSCup01970 | Editing username from cer script throws unable to parse error |
| CSCup26608 | ASDM logs out vpn sessions when trying to cancel operation |
| CSCup27452 | ASDM persistently polling ASA with CX installed |
| CSCup33692 | Unable to add PUBLIC SERVER through ASDM |
| CSCup35489 | No "Run ASDM" button in IE 11 |

Open Caveats in Version 7.2(1)

Table 8 contains open caveats in ASDM software Version 7.2(1).

Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:

https://tools.cisco.com/bugsearch

 

Table 8 Open Caveats in ASDM Version 7.2(1)

| Caveat | Description |
|---|---|
| CSCuh28694 | ASDM on Mac: System font issues (font too large) |
| CSCul11018 | Cluster wizard fails ungracefully when CCL interface is disconnected |
| CSCum00219 | Cannot create an IPv6 network |
| CSCum10167 | Unable to apply regex in web type acl via ASDM |
| CSCum89863 | ASDM is not clearing the default user group for SNMP v3 |
| CSCun78199 | ASDM unable to add subinterfaces |
| CSCun87045 | ASDM - When IPv6 configured, startup wizard hangs on Interface Setting |
| CSCuo10523 | ASDM 7.1 - Trustsec support is not enabled for ASA-SM in ASDM |
| CSCuo41545 | ASDM messages displays incorrect information regarding ASAv licensing |

Resolved Caveats

Resolved Caveats in 7.2(2)

There were no resolved caveats in Version 7.2(2).

Resolved Caveats in 7.2(1)

Table 9 contains the resolved caveats in ASDM software Version 7.2(1).

Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:

https://tools.cisco.com/bugsearch

 

Table 9 Resolved Caveats in ASDM Version 7.2(1)

| Caveat | Description |
|---|---|
| CSCuj75028 | SSL VPN bookmark's form parameter has unclear value |
| CSCum08151 | ASDM: Clicking whitespace after chkbox text should not change its state. |
| CSCum09750 | ASDM Top 10 Protected Servers graph shows large Others value for cluster |
| CSCum39889 | ASDM does not show upgrade options for few OS versions: |
| CSCum46193 | ASDM is being blocked by Java after an upgrade to Java 7u51 |
| CSCum62475 | ASDM sending wrong encrypted password |
| CSCum98114 | ASDM not responding properly when group url doesn't contain http/https |
| CSCun64783 | ASDM treats "not used" object with auto-NAT as not in use. |
| CSCun69981 | ASDM: Object group not displayed in Threat detection exclude shun list |
| CSCuo25494 | ASDM 7.1.6 not recognizing SSH commands |

End-User License Agreement

For information on the end-user license agreement, go to:

http://www.cisco.com/go/warranty

Related Documentation

For additional information on the ASA, see Navigating the Cisco ASA Series Documentation:

http://www.cisco.com/go/asadocs

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html

Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed, and have content delivered directly to your desktop using a reader application. The RSS feeds are a free service.