Windows NT AAA server was deprecated—In ASA Version 9.3, the Windows NT AAA server is no longer supported.
IPS Module management—For the IPS module, ASDM 7.1(6) and later are not compatible with IPS 7.3(2) and earlier—To manage an IPS module on an ASA, you must connect to the IPS IP address directly through your browser.
Default color scheme for ASDM in Windows—In 7.3(2) and later, the default color scheme for ASDM now defaults to not use the Office look and feel. To change the color scheme back, choose View > Office Look and Feel.
Note ASDM 7.1(5) and earlier are not supported with Java 7 update 51. If you already upgraded Java, and can no longer launch ASDM in order to upgrade it to Version 7.2 or later, then you can either use the CLI to upgrade ASDM, or you can add a security exception in the Java Control Panel for each ASA you want to manage with ASDM. See the “Workaround” section at:
After adding the security exception, launch the older ASDM and then upgrade to 7.2 or later.
In rare cases, online help does not load when using Java Web Start
In rare cases, when launching online help, the browser window loads, but the content fails to appear. The browser reports an error: “Unable to connect”.
Use the ASDM Launcher
Clear the -Djava.net.preferIPv6Addresses=true parameter in Java Runtime Parameters:
a. Launch the Java Control Panel.
b. Click the Java tab.
c. Click View.
d. Clear this parameter: -Djava.net.preferIPv6Addresses=true
e. Click OK, then Apply, then OK again.
7 update 45
ASDM shows a yellow warning about the missing Permissions attribute when using an untrusted certificate
Due to a bug in Java, if you do not have a trusted certificate installed on the ASA, you see a yellow warning about a missing Permissions attribute in the JAR manifest. It is safe to ignore this warning ; ASDM 7.2 and later includes the Permissions attribute. To prevent the warning from appearing, install a trusted certificate (from a known CA); or generate a self-signed certificate on the ASA by choosing Configuration > Device Management > Certificates > Identity Certificates. Launch ASDM, and when the certificate warning is shown, check the Always trust connections to websites check box.
Requires strong encryption license (3DES/AES) on ASA
ASDM requires an SSL connection to the ASA. You can request a 3DES license from Cisco:
2. Click Continue to Product License Registration.
3. In the Licensing Portal, click Get Other Licenses next to the text field.
4. Choose IPS, Crypto, Other... from the drop-down list.
5. Type ASA in to the Search by Keyword field.
6. Select Cisco ASA 3DES/AES License in the Product list, and click Next.
7. Enter the serial number of the ASA, and follow the prompts to request a 3DES/AES license for the ASA.
Self-signed certificate or an untrusted certificate
Firefox and Safari
When the ASA uses a self-signed certificate or an untrusted certificate, Firefox and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority.
SSL encryption on the ASA must include both RC4-MD5 and RC4-SHA1 or disable SSL false start in Chrome.
If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome “SSL false start” feature. We suggest re-enabling one of these algorithms (see the Configuration > Device Management > Advanced > SSL Settings pane); or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to Run Chromium with flags.
IE9 for servers
For Internet Explorer 9.0 for servers, the “Do not save encrypted pages to disk” option is enabled by default (See Tools > Internet Options > Advanced). This option causes the initial ASDM download to fail. Be sure to disable this option to allow ASDM to download.
On OS X, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.
OS X 10.8 and later
You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.
1. To allow ASDM to run, right-click (or Ctrl-Click) the Cisco ASDM-IDM Launcher icon, and choose Open.
2. You see a similar error screen; however, you can open ASDM from this screen. Click Open. The ASDM-IDM Launcher opens.
Install an Identity Certificate for ASDM
When using Java 7 update 51 and later, the ASDM Launcher requires a trusted certificate. An easy approach to fulfill the certificate requirements is to install a self-signed identity certificate. You can use Java Web Start to launch ASDM until you install a certificate.
See the following document to install a self-signed identity certificate on the ASA for use with ASDM, and to register the certificate with Java.
ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience performance issues. For example, when you load the configuration, the status dialog box shows the percentage of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend that you consider increasing the ASDM system heap memory.
The following table lists the new features for ASA Version 9.3(2.200)/ASDM Version 7.3(2).
Note This release supports only the ASAv.
Table 3 New Features for ASA Version 9.3(2.200)/ASDM Version 7.3(2)
ASAv with KVM and Virtio
You can deploy the ASAv using the Kernel-based Virtual Machine (KVM) and the Virtio virtual interface driver.
New Features in ASA 9.3(2)/ASDM 7.3(2)
Released: December 18, 2014
The following table lists the new features for ASA Version 9.3(2)/ASDM Version 7.3(2).
Table 4 New Features for ASA Version 9.3(2)/ASDM Version 7.3(2)
We introduced the ASA 5506-X.
ASA REST API 1.0.1
A REST API was added to support configuring and managing major functions of the ASA.
Support for ASA image signing and verification
ASA images are now signed using a digital signature. The digital signature is verified after the ASA is booted.
This feature is not supported in ASDM.
Accelerated security path load balancing
The accelerated security path (ASP) load balancing mechanism reduces packet drop and improves throughput by allowing multiple cores of the CPU to receive packets from an interface receive ring and work on them independently.
We introduced the following screen: Configuration > Device Management > Advanced > ASP Load Balancing
Configuration session for editing ACLs and objects.
Forward referencing of objects and ACLs in access rules.
You can now edit ACLs and objects in an isolated configuration session. You can also forward reference objects and ACLs, that is, configure rules and access groups for objects or ACLs that do not yet exist.
This feature is not supported in ASDM.
SIP support for Trust Verification Services, NAT66, CUCM 10.5, and model 8831 phones.
You can now configure Trust Verification Services servers in SIP inspection. You can also use NAT66. SIP inspection has been tested with CUCM 10.5.
We introduced the following screen: Configuration > Firewall > Objects > Inspection Maps > SIP > Add/Edit SIP Inspect Map > Details > TVS Server
Unified Communications support for CUCM 10.5
SIP and SCCP inspections were tested and verified with Cisco Unified Communications Manager 10.5.
Remote Access Features
Browser support for Citrix VDI
We now support an HTML 5-based browser solution for accessing the Citrix VDI, without requiring the Citrix Receiver client on the desktop.
Clientless SSL VPN for Mac OSX 10.9
We now support Clientless SSL VPN features such as the rewriter, smart tunnels, and plugins on all browsers that are supported on Mac OSX 10.9.
Interoperability with standards-based, third-party, IKEv2 remote access clients
We now support VPN connectivity via standards-based, third-party, IKEv2 remote-access clients (in addition to AnyConnect). Authentication support includes preshared keys, certificates, and user authentication via the Extensible Authentication Protocol (EAP).
AnyConnect 4.0 now supports TLS version 1.2 with the following four additional cipher suites: DHE-RSA-AES256-SHA256, DHE-RSA-AES128-SHA256, AES256-SHA256, and AES128-SHA256.
Cisco Smart Software Licensing for the ASAv
Smart Software Licensing lets you purchase and manage a pool of licenses. Unlike PAK licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAvs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance.
Lock configuration changes on the standby unit or standby context in a failover pair
You can now lock configuration changes on the standby unit (Active/Standby failover) or the standby context (Active/Active failover) so you cannot make changes on the standby unit outside normal configuration syncing.
We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup
ASA clustering inter-site deployment in transparent mode with the ASA cluster firewalling between inside networks
You can now deploy a cluster in transparent mode between inside networks and the gateway router at each site (AKA East-West insertion), and extend the inside VLANs between sites. We recommend using Overlay Transport Virtualization (OTV), but you can use any method that ensures that the overlapping MAC Addresses and IP addresses of the gateway router do not leak between sites. Use a First Hop Redundancy Protocol (FHRP) such as HSRP to provide the same virtual MAC and IP addresses to the gateway routers.
You can group interfaces together into a traffic zone to accomplish traffic load balancing (using Equal Cost Multi-Path (ECMP) routing), route redundancy, and asymmetric routing across multiple interfaces.
Note You cannot apply a security policy to a named zone; the security policy is interface-based. When interfaces in a zone are configured with the same access rule, NAT, and service policy, then load-balancing and asymmetric routing operate correctly.
Note Use this feature only if Cisco TAC advises you to do so. Enabling this command presents a security risk because the following Clientless SSL VPN features will not work without any warning.
Sharepoint features that require desktop applications (for example, MS Office applications)
AnyConnect Web launch
Citrix Receiver, XenDesktop, and Xenon
Other non-browser-based and browser plugin-based applications
We introduced the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > HTTP Cookie
New Features in ASA 9.3(1)/ASDM 7.3(1)
Released: July 24, 2014
Table 6 lists the new features for ASA Version 9.3(1)/ASDM Version 7.3(1).
Table 6 New Features for ASA Version 9.3(1)/ASDM Version 7.3(1)
SIP, SCCP, and TLS Proxy support for IPv6
You can now inspect IPv6 traffic when using SIP, SCCP, and TLS Proxy (using SIP or SCCP).
We did not modify any ASDM screens.
Support for Cisco Unified Communications Manager 8.6
The ASA now interoperates with Cisco Unified Communications Manager Version 8.6 (including SCCPv21 support).
We did not modify any ASDM screens.
Transactional Commit Model on rule engine for access groups and NAT
When enabled, a rule update is applied after the rule compilation is completed; without affecting the rule matching performance.
We introduced the following screen: Configuration > Device Management > Advanced > Rule Engine
Remote Access Features
XenDesktop 7 Support for clientless SSL VPN
We added support for XenDesktop 7 to clientless SSL VPN. When creating a bookmark with auto sign-on, you can now specify a landing page URL or a Control ID.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks
AnyConnect Custom Attribute Enhancements
Custom attributes define and configure AnyConnect features that have not been incorporated into the ASA, such as Deferred Upgrade. Custom attribute configuration has been enhanced to allow multiple values and longer values, and now requires a specification of their type, name and value. They can now be added to Dynamic Access Policies as well as Group Policies. Previously defined custom attributes will be updated to this enhanced configuration format upon upgrade to 9.3.x.
AnyConnect Identity Extensions (ACIDex) for Desktop Platforms
ACIDex, also known as AnyConnect Endpoint Attributes or Mobile Posture, is the method used by the AnyConnect VPN client to communicate posture information to the ASA. Dynamic Access Polices use these endpoint attributes to authorize users.
The AnyConnect VPN client now provides Platform identification for the desktop operating systems (Windows, Mac OS X, and Linux) and a pool of MAC Addresses which can be used by DAPs.
We modified the following screen: Configuration > Remote Access VPN > Dynamic Access Policies > Add/Edit > Add/Edit (endpoint attribute), select AnyConnect for the Endpoint Attribute Type. Additional operating systems are in the Platform drop-down list and MAC Address has changed to Mac Address Pool.
TrustSec SGT Assignment for VPN
TrustSec Security Group Tags (SGT) can now be added to the SGT-IP table on the ASA when a remote user connects.
We introduced or modified the following screens:
Configuration > Remote Access VPN > AAA/Local Users > Local Users > Edit User > VPN Policy Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add a Policy
High Availability Features
Improved support for monitoring module health in clustering
We added improved support for monitoring module health in clustering.
We did not modify any ASDM screens.
Disable health monitoring of a hardware module
By default, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.
We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Interfaces
ASP Load Balancing
The new auto option in the asp load-balance per-packet command enables the ASA to adaptively switch ASP load balancing per-packet on and off on each interface receive ring. This automatic mechanism detects whether or not asymmetric traffic has been introduced and helps avoid the following issues:
Overruns caused by sporadic traffic spikes on flows
Overruns caused by bulk flows oversubscribing specific interface receive rings
Overruns caused by relatively heavily overloaded interface receive rings, in which a single core cannot sustain the load
We did not modify any ASDM screens.
The CISCO-REMOTE-ACCESS-MONITOR-MIB now supports the ASA SM.
Transparent mode bridge group maximum increased to 250
The bridge group maximum was increased from 8 to 250 bridge groups. You can configure up to 250 bridge groups in single mode or per context in multiple mode, with 4 interfaces maximum per bridge group.
You can now use security group tagging combined with Ethernet tagging to enforce policies. SGT plus Ethernet Tagging, also called Layer 2 SGT Imposition, enables the ASA to send and receive security group tags on Gigabit Ethernet interfaces using Cisco proprietary Ethernet framing (Ether Type 0x8909), which allows the insertion of source security group tags into plain-text Ethernet frames.
We removed NTLM support for remote access VPN users.
We modified the following screen: Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups > Add AAA Server Group
ASDM Identity Certificate Wizard
When using the current Java version, the ASDM Launcher requires a trusted certificate. An easy approach to fulfill the certificate requirements is to install a self-signed identity certificate. The ASDM Identity Certificate Wizard makes creating a self-signed identity certificate easy. When you first launch ASDM and do not have a trusted certificate, you are prompted to launch ASDM with Java Web Start; this new wizard starts automatically. After creating the identity certificate, you need to register it with the Java Control Panel. See https://www.cisco.com/go/asdm-certificate for instructions.
We added the following screen: Wizards > ASDM Identity Certificate Wizard
Monitoring Aggregated Traffic for Physical Interfaces
The show traffic command output has been updated to include aggregated traffic for physical interfaces information. To enable this feature, you must first enter the sysopt traffic detailed-statistics command.
Upgrading the Software
See the following table for the upgrade path for your version. Some versions require an interim upgrade before you can upgrade to the latest version.
Note There are no special requirements for Zero Downtime Upgrades for failover and ASA clustering with the following exception. Upgrading ASA clustering from 9.0(1) or 9.1(1): due to CSCue72961, hitless upgrading is not supported.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.