Cisco Adaptive Security Device Manager

Release Notes for Cisco ASDM, 7.3(x)

Table of Contents

Release Notes for Cisco ASDM, Version 7.3(x)

Important Notes

System Requirements

ASDM Client Operating System and Browser Requirements

Java and Browser Compatibility

Installing an Identity Certificate for ASDM

ASA and ASDM Compatibility

VPN Compatibility

Maximum Configuration Size in ASDM

New Features

Upgrading the Software

Open Caveats

Resolved Caveats

End-User License Agreement

Related Documentation

Obtaining Documentation and Submitting a Service Request

Release Notes for Cisco ASDM, Version 7.3(x)

Released: July 24, 2014

 

This document contains release information for Cisco ASDM Version 7.3(1) for the Cisco ASA series. This document includes the following sections:

Important Notes

  • WinNT AAA server was deprecated—In ASA Version 9.3, the WinNT AAA server is no longer supported.

System Requirements

ASDM Client Operating System and Browser Requirements

Table 1 lists the supported and recommended client operating systems and Java for ASDM.

 

Table 1 Operating System and Browser Requirements

| Operating System | Browser: Internet Explorer | Browser: Firefox | Browser: Safari | Browser: Chrome | Java SE Plug-in |
| --- | --- | --- | --- | --- | --- |
| Microsoft Windows (English and Japanese): 8, 7, Vista, 2008 Server, XP | 6.0 or later | 1.5 or later | No support | 18.0 or later | 6.0 or later |
| Apple OS X 10.4 and later | No support | 1.5 or later | 2.0 or later | 18.0 or later | 6.0 or later |
| Red Hat Enterprise Linux 5 (GNOME or KDE): Desktop, Desktop with Workstation | N/A | 1.5 or later | N/A | 18.0 or later | 6.0 or later |

Java and Browser Compatibility

Table 2 lists compatibility caveats for Java, ASDM, and browsers.

 

Table 2 Caveats for ASDM Compatibility

Java Version
Conditions
Notes

7 update 51

ASDM Launcher requires trusted certificate

To continue using the Launcher, do one of the following:

  • Install a trusted certificate on the ASA from a known CA.
  • Install a self-signed certificate and register it with Java. See http://www.cisco.com/go/asdm-certificate.
  • Downgrade Java to 7 update 45 or earlier.
  • Alternatively use Java Web Start.

Note: ASDM 7.1(5) and earlier are not supported with Java 7 update 51. If you already upgraded Java, and can no longer launch ASDM in order to upgrade it to Version 7.2, then you can either use the CLI to upgrade ASDM, or you can add a security exception in the Java Control Panel for each ASA you want to manage with ASDM. See the “Workaround” section at:

http://java.com/en/download/help/java_blocked.xml

After adding the security exception, launch the older ASDM and then upgrade to 7.2.

In rare cases, online help does not load when using Java Web Start

In rare cases, when launching online help, the browser window loads, but the content fails to appear. The browser reports an error: “Unable to connect”.

Workaround:

  • Use the ASDM Launcher

Or:

  • Clear the -Djava.net.preferIPv6Addresses=true parameter in Java Runtime Parameters:

a. Launch the Java Control Panel.

b. Click the Java tab.

c. Click View.

d. Clear this parameter: -Djava.net.preferIPv6Addresses=true

e. Click OK, then Apply, then OK again.

7 update 45

ASDM shows a yellow warning about the missing Permissions attribute when using an untrusted certificate

Due to a bug in Java, if you do not have a trusted certificate installed on the ASA, you see a yellow warning about a missing Permissions attribute in the JAR manifest. It is safe to ignore this warning; ASDM 7.2 includes the Permissions attribute. To prevent the warning from appearing, install a trusted certificate (from a known CA), or generate a self-signed certificate on the ASA by choosing Configuration > Device Management > Certificates > Identity Certificates. Launch ASDM, and when the certificate warning is shown, check the Always trust connections to websites check box.

7

Requires strong encryption license (3DES/AES) on ASA

ASDM requires an SSL connection to the ASA. If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you cannot launch ASDM. You must uninstall Java 7, and install Java 6 (http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase6-419409.html). Note that a workaround is required for weak encryption and Java 6 (see below, in this table).

6

No usernames longer than 50 characters

Due to a Java bug, ASDM does not support usernames longer than 50 characters when using Java 6. Longer usernames work correctly for Java 7.

Requires strong encryption license (3DES/AES) on ASA or workaround

When you initially connect a browser to the ASA to load the ASDM splash screen, the browser attempts to make an SSL connection to the ASA. If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you may not be able to access the ASDM splash screen; most current browsers do not support weak encryption ciphers. Therefore, without the strong encryption license (3DES/AES), use one of the following workarounds:

  • If available, use an already downloaded ASDM launcher or Java Web Start shortcut. The Launcher and Web Start shortcut work with Java 6 and weak encryption, even if the browsers do not.
  • For Windows Internet Explorer, you can enable DES as a workaround. See http://support.microsoft.com/kb/929708 for details.
  • For Firefox on any operating system, you can enable the security.ssl3.dhe_dss_des_sha setting as a workaround. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.

All

  • Self-signed certificate or an untrusted certificate
  • IPv6
  • Firefox and Safari

When the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority.

  • SSL encryption on the ASA must include both RC4-MD5 and RC4-SHA1 or disable SSL false start in Chrome.
  • Chrome

If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome “SSL false start” feature. We suggest re-enabling one of these algorithms (see the Configuration > Device Management > Advanced > SSL Settings pane), or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to http://www.chromium.org/developers/how-tos/run-chromium-with-flags.

IE9 for servers

For Internet Explorer 9.0 for servers, the “Do not save encrypted pages to disk” option is enabled by default (see Tools > Internet Options > Advanced). This option causes the initial ASDM download to fail. Be sure to disable this option to allow ASDM to download.

OS X

On OS X, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.

All

OS X 10.8 and later

You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.

 

1. To allow ASDM to run, right-click (or Ctrl-Click) the Cisco ASDM-IDM Launcher icon, and choose Open.

2. You see a similar error screen; however, you can open ASDM from this screen. Click Open. The ASDM-IDM Launcher opens.
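The encryption rows of Table 2 (Java 7, Java 6, and Chrome) depend on which SSL algorithms the ASA offers, so they can be checked against a saved configuration before users run into them. The following is an added example, not part of the Cisco release notes; it assumes the list is set with the ASA "ssl encryption" command and its keywords, and the sample configurations are constructed.

```python
import re

# Keywords of the ASA "ssl encryption" command (assumption: the CLI behind the
# SSL Settings pane; the page names the pane and the algorithms, not the command).
RC4 = {"rc4-md5", "rc4-sha1"}                         # needed by Chrome false start
STRONG = {"3des-sha1", "aes128-sha1", "aes256-sha1"}  # strong encryption license
DES = {"des-sha1"}                                    # base encryption license


def configured_ciphers(running_config):
    """Return the cipher list of the last 'ssl encryption' line, or None."""
    found = None
    for line in running_config.splitlines():
        m = re.match(r"ssl encryption\s+(\S.*)$", line.strip(), re.IGNORECASE)
        if m:
            found = m.group(1).lower().split()
    return found


def asdm_caveats(running_config):
    """Map the configured ciphers to the Table 2 rows they trigger."""
    ciphers = configured_ciphers(running_config)
    report = {"ciphers": ciphers, "caveats": [], "legacy_enabled": []}
    if ciphers is None:
        # No explicit list: the defaults apply, and the page states that both
        # RC4 algorithms are enabled by default, so the Chrome row is not hit.
        return report
    enabled = set(ciphers)
    if enabled <= DES:
        # Java 7 row: DES only, ASDM cannot be launched. Java 6 row: most
        # browsers cannot load the splash screen.
        report["caveats"].append("DES_ONLY")
    if not enabled & RC4:
        # Chrome row: both RC4 algorithms excluded.
        report["caveats"].append("CHROME_FALSE_START")
    for name in sorted(enabled - RC4 - STRONG - DES):
        # Keyword this example does not classify; review it by hand.
        report["caveats"].append("UNRECOGNIZED:" + name)
    # DES is what the page calls weak encryption; RC4 was later prohibited
    # for TLS by RFC 7465, so both are listed for follow-up.
    report["legacy_enabled"] = sorted(enabled & (DES | RC4))
    return report


# Constructed sample configurations (not taken from a real device).
AES_ONLY = "hostname asa-lab\nssl encryption aes256-sha1 aes128-sha1 3des-sha1\n"
DES_BASE = "hostname asa-lab\nssl encryption des-sha1\n"
WITH_RC4 = "ssl encryption rc4-sha1 aes128-sha1 3des-sha1\n"
DEFAULTS = "hostname asa-lab\nhttp server enable\n"

if __name__ == "__main__":
    for label, cfg in [("AES_ONLY", AES_ONLY), ("DES_BASE", DES_BASE),
                       ("WITH_RC4", WITH_RC4), ("DEFAULTS", DEFAULTS)]:
        print(label, asdm_caveats(cfg))
```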

 

Installing an Identity Certificate for ASDM

When using Java 7 update 51 and later, the ASDM Launcher requires a trusted certificate. An easy approach to fulfill the certificate requirements is to install a self-signed identity certificate. You can use Java Web Start to launch ASDM until you install a certificate.

See the following document to install a self-signed identity certificate on the ASA for use with ASDM, and to register the certificate with Java.

http://www.cisco.com/go/asdm-certificate

ASA and ASDM Compatibility

For information about ASA/ASDM requirements and compatibility, see Cisco ASA Compatibility:

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

VPN Compatibility

For VPN compatibility, see the Supported VPN Platforms, Cisco ASA 5500 Series:

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html

Maximum Configuration Size in ASDM

  • ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience performance issues. For example, when you load the configuration, the status dialog shows the percentage of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend that you consider increasing the ASDM system heap memory.

To increase the ASDM heap memory size, download the ASDM-IDM Launcher, and then modify the ASDM-IDM Launcher shortcut by performing the following steps.

Windows:

a. Right-click the shortcut for the Cisco ASDM-IDM Launcher, and choose Properties.

b. Click the Shortcut tab.

c. In the Target field, change the argument prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.

 

Macintosh:

a. Right-click the Cisco ASDM-IDM icon, and choose Show Package Contents.

b. In the Contents folder, double-click the Info.plist file. If you have Developer tools installed, it opens in the Property List Editor. Otherwise, it opens in TextEdit.

c. Under Java > VMOptions, change the string prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.

 

d. If this file is locked, you see an error such as the following:

 

e. Click Unlock and save the file.

If you do not see the Unlock dialog box, exit the editor, right-click the Cisco ASDM-IDM icon, choose Copy Cisco ASDM-IDM, and paste it to a location where you have write permissions, such as the Desktop. Then change the heap size from this copy.
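The Macintosh steps above can also be scripted. The following is an added example, not Cisco's own tooling: it rewrites the -Xmx option under Java > VMOptions in an Info.plist held in memory. The function names and the sample plist are constructed for illustration, and VMOptions is handled both as a single string (as the page describes) and as a list of strings (an assumption).

```python
import plistlib
import re

XMX = re.compile(r"-Xmx\d+[kKmMgG]?")
VALID_SIZE = re.compile(r"\d+[MG]")   # the forms the page shows: 768M, 1G


def _with_heap(option_string, new_opt):
    """Replace the -Xmx token in one option string, or append it if absent."""
    if XMX.search(option_string):
        return XMX.sub(new_opt, option_string)
    return (option_string + " " + new_opt).strip()


def set_asdm_heap(plist_bytes, size):
    """Return new Info.plist bytes with Java > VMOptions using -Xmx<size>."""
    if not VALID_SIZE.fullmatch(size):
        raise ValueError("heap size must look like 768M or 1G: %r" % size)
    info = plistlib.loads(plist_bytes)
    java = info.get("Java")
    if not isinstance(java, dict) or "VMOptions" not in java:
        raise KeyError("Java > VMOptions not found in Info.plist")
    new_opt = "-Xmx" + size
    opts = java["VMOptions"]
    if isinstance(opts, str):
        java["VMOptions"] = _with_heap(opts, new_opt)
    elif isinstance(opts, list):
        if any(XMX.search(o) for o in opts):
            java["VMOptions"] = [_with_heap(o, new_opt) if XMX.search(o) else o
                                 for o in opts]
        else:
            java["VMOptions"] = opts + [new_opt]
    else:
        raise TypeError("unexpected VMOptions type: %s" % type(opts).__name__)
    return plistlib.dumps(info)


def vm_options(plist_bytes):
    """Read back Java > VMOptions, for checking the result."""
    return plistlib.loads(plist_bytes)["Java"]["VMOptions"]


# Constructed sample files, not the contents of the real launcher bundle.
SAMPLE_STRING = plistlib.dumps(
    {"CFBundleName": "Constructed sample", "Java": {"VMOptions": "-Xms64m -Xmx512m"}})
SAMPLE_LIST = plistlib.dumps(
    {"CFBundleName": "Constructed sample", "Java": {"VMOptions": ["-Xms64m"]}})

if __name__ == "__main__":
    print(vm_options(set_asdm_heap(SAMPLE_STRING, "768M")))
    print(vm_options(set_asdm_heap(SAMPLE_LIST, "1G")))
```

Writing the result back to the bundle needs the same write access as steps d and e; if the file is locked, work on a copy of the launcher as described above.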

New Features

Released: July 24, 2014

Table 3 lists the new features for ASA Version 9.3(1)/ASDM Version 7.3(1).

 

Table 3 New Features for ASA Version 9.3(1)/ASDM Version 7.3(1)

Feature
Description
Firewall Features

SIP, SCCP, and TLS Proxy support for IPv6

You can now inspect IPv6 traffic when using SIP, SCCP, and TLS Proxy (using SIP or SCCP).

We did not modify any ASDM screens.

Support for Cisco Unified Communications Manager 8.6

The ASA now interoperates with Cisco Unified Communications Manager Version 8.6 (including SCCPv21 support).

We did not modify any ASDM screens.

Transactional Commit Model on rule engine for access groups and NAT

When enabled, a rule update is applied after the rule compilation is completed, without affecting the rule matching performance.

We introduced the following screen: Configuration > Device Management > Advanced > Rule Engine

Remote Access Features

XenDesktop 7 Support for clientless SSL VPN

We added support for XenDesktop 7 to clientless SSL VPN. When creating a bookmark with auto sign-on, you can now specify a landing page URL or a Control ID.

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks

Mobile Enablement Proxy

Mobile Enablement Proxy, a component of the ISE Mobile Enablement solution, allows off-premise mobile devices to participate in mobile device management in exactly the same way as on-premise mobile devices.

Note: Mobile Enablement Proxy requires ISE support in an upcoming ISE release in early 2015.

We introduced the following screen: Configuration > Remote Access VPN > AAA/Local Users > MDM Proxy

AnyConnect Custom Attribute Enhancements

Custom attributes define and configure AnyConnect features that have not been incorporated into the ASA, such as Deferred Upgrade. Custom attribute configuration has been enhanced to allow multiple values and longer values, and now requires that a type, name, and value be specified for each attribute. Custom attributes can now be added to Dynamic Access Policies as well as Group Policies. Previously defined custom attributes will be updated to this enhanced configuration format upon upgrade to 9.3.x.

We introduced or modified the following screens:

Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attributes
Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attribute Names
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add/Edit > Advanced > AnyConnect Client > Custom Attributes
Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add/Edit > AnyConnect Custom Attributes

AnyConnect Identity Extensions (ACIDex) for Desktop Platforms

ACIDex, also known as AnyConnect Endpoint Attributes or Mobile Posture, is the method used by the AnyConnect VPN client to communicate posture information to the ASA. Dynamic Access Policies use these endpoint attributes to authorize users.

The AnyConnect VPN client now provides Platform identification for the desktop operating systems (Windows, Mac OS X, and Linux) and a pool of MAC Addresses which can be used by DAPs.

We modified the following screen: Configuration > Remote Access VPN > Dynamic Access Policies > Add/Edit > Add/Edit (endpoint attribute), select AnyConnect for the Endpoint Attribute Type. Additional operating systems are in the Platform drop-down list and MAC Address has changed to Mac Address Pool.

TrustSec SGT Assignment for VPN

TrustSec Security Group Tags (SGT) can now be added to the SGT-IP table on the ASA when a remote user connects.

We introduced or modified the following screens:

Configuration > Remote Access VPN > AAA/Local Users > Local Users > Edit User > VPN Policy
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add a Policy

High Availability Features

Improved support for monitoring module health in clustering

We added improved support for monitoring module health in clustering.

We did not modify any ASDM screens.

Platform Features

ASP Load Balancing

The new auto option in the asp load-balance per-packet command enables the ASA to adaptively switch ASP load balancing per-packet on and off on each interface receive ring. This automatic mechanism detects whether or not asymmetric traffic has been introduced and helps avoid the following issues:

  • Overruns caused by sporadic traffic spikes on flows
  • Overruns caused by bulk flows oversubscribing specific interface receive rings
  • Overruns caused by relatively heavily overloaded interface receive rings, in which a single core cannot sustain the load

We did not modify any ASDM screens.

SNMP MIBs

The CISCO-REMOTE-ACCESS-MONITOR-MIB now supports the ASA SM.

Interface Features

Transparent mode bridge group maximum increased to 250

The bridge group maximum was increased from 8 to 250 bridge groups. You can configure up to 250 bridge groups in single mode or per context in multiple mode, with 4 interfaces maximum per bridge group.

We modified the following screens:

Configuration > Device Setup > Interfaces
Configuration > Device Setup > Interfaces > Add/Edit Bridge Group Interface
Configuration > Device Setup > Interfaces > Add/Edit Interface

Routing Features

BGP support for ASA clustering

We added support for BGP with ASA clustering.

We modified the following screen: Configuration > Device Setup > Routing > BGP > IPv4 Family > General

BGP support for nonstop forwarding

We added support for BGP Nonstop Forwarding.

We modified the following screens:

Configuration > Device Setup > Routing > BGP > General
Configuration > Device Setup > Routing > BGP > IPv4 Family > Neighbor
Monitoring > Routing > BGP Neighbors

BGP support for advertised maps

We added support for BGPv4 advertised map.

We modified the following screen: Configuration > Device Setup > Routing > BGP > IPv4 Family > Neighbor > Add BGP Neighbor > Routes

OSPF Support for Non-Stop Forwarding (NSF)

OSPFv2 and OSPFv3 support for NSF was added.

We added the following screens:

Configuration > Device Setup > Routing > OSPF > Setup > NSF Properties
Configuration > Device Setup > Routing > OSPFv3 > Setup > NSF Properties

AAA Features

Layer 2 Security Group Tag Imposition

You can now use security group tagging combined with Ethernet tagging to enforce policies. SGT plus Ethernet Tagging, also called Layer 2 SGT Imposition, enables the ASA to send and receive security group tags on Gigabit Ethernet interfaces using Cisco proprietary Ethernet framing (Ether Type 0x8909), which allows the insertion of source security group tags into plain-text Ethernet frames.

We modified the following screens:

Configuration > Device Setup > Interfaces > Add Interface > Advanced
Configuration > Device Setup > Interfaces > Add Redundant Interface > Advanced
Configuration > Device Setup > Add Ethernet Interface > Advanced
Wizards > Packet Capture Wizard
Tools > Packet Tracer

Removal of AAA Windows NT domain authentication

We removed NTLM support for remote access VPN users.

We modified the following screen: Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups > Add AAA Server Group

ASDM Identity Certificate Wizard

When using the current Java version, the ASDM Launcher requires a trusted certificate. An easy approach to fulfill the certificate requirements is to install a self-signed identity certificate. The ASDM Identity Certificate Wizard makes creating a self-signed identity certificate easy. When you first launch ASDM and do not have a trusted certificate, you are prompted to launch ASDM with Java Web Start; this new wizard starts automatically. After creating the identity certificate, you need to register it with the Java Control Panel. See https://www.cisco.com/go/asdm-certificate for instructions.

We added the following screen: Wizards > ASDM Identity Certificate Wizard

Monitoring Features

Monitoring Aggregated Traffic for Physical Interfaces

The show traffic command output has been updated to include aggregated traffic information for physical interfaces. To enable this feature, you must first enter the sysopt traffic detailed-statistics command.

Open Caveats

Table 4 contains open caveats in ASDM software Version 7.3(1).

Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:

https://tools.cisco.com/bugsearch

 

Table 4 Open Caveats in ASDM Version 7.3(1)

| Caveat | Description |
| --- | --- |
| CSCup69456 | Command to negate ACL remarks not sent from ASDM |
| CSCup82758 | ASDM sorting VPNs freezes up at 97% |

Resolved Caveats

Table 5 contains the resolved caveats in ASDM software Version 7.3(1).

Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:

https://tools.cisco.com/bugsearch

 

Table 5 Resolved Caveats in ASDM Version 7.3(1)

| Caveat | Description |
| --- | --- |
| CSCul79308 | Enh: ASDM knob to export user-identity inactive/active/all user file |
| CSCum23202 | Webvpn customisation editor should error out when it fails |
| CSCum24568 | ASDM not responding properly if "anyconnect profile none" is configured |
| CSCum57517 | ASDM launcher is not working with Java 7u51 |
| CSCun78199 | ASDM unable to add subinterfaces |
| CSCuo10523 | ASDM 7.1 - Trustsec support is not enabled for ASA-SM in ASDM |
| CSCuo55691 | ASDM 7.1.6 RSA key generation fail (command syntax error) |
| CSCuo62386 | ASDM 7.1.6: No DNS Configuration warnings on managing GP through CP |
| CSCuo64879 | ASDM apply button does not work when adding anyconnect xml profile |
| CSCuo71581 | ASDM re-enables ikev1 if you switch from basic to the advanced config. |
| CSCuo80011 | "Enable auto-generation of MAC addresses..." checkbox missing in ASDM |
| CSCuo89106 | ASDM does not show empty object group in object-group section |
| CSCup26608 | ASDM logs out vpn sessions when trying to cancel operation |

End-User License Agreement

For information on the end-user license agreement, go to:

http://www.cisco.com/go/warranty

Related Documentation

For additional information on the ASA, see Navigating the Cisco ASA Series Documentation:

http://www.cisco.com/go/asadocs

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.

Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed, and have content delivered directly to your desktop using a reader application. The RSS feeds are a free service.