Table Of Contents
Cisco ASA 5500 Series Release Notes Version 7.1(2)
March 2006, OL-10087-01
This document includes the following sections:
The Cisco ASA 5500 series security appliance are purpose-built solutions that combine best-of-breed security and VPN services with the innovative Cisco Adaptive Identification and Mitigation (AIM) architecture. Designed as a key component of the Cisco Self-Defending Network, the adaptive security appliance provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. The result is a powerful multifunction network adaptive security appliance family that provides the security breadth and depth for protecting small and medium-sized business and enterprise networks while reducing the overall deployment and operations costs and complexities associated with providing this new level of security. This version introduces significant enhancements to major functional areas including: new Anti-X Services, VPN services, and management/monitoring.
Additionally, the adaptive security appliance software supports Adaptive Security Device Manager. ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the adaptive security appliance, ASDM accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the adaptive security appliance. Its secure, web-based design enables anytime, anywhere access to adaptive security appliances.
The sections that follow list the system requirements for operating an adaptive security appliance. This section includes the following topics:
Table 1 lists the DRAM memory requirements for the adaptive security appliance.
Table 1 DRAM Memory Requirements
ASA Model DRAM Memory
All adaptive security appliances require a minimum of 64 MB of internal CompactFlash.
Determining the Software Version
Use the show version command to verify the software version of your adaptive security appliance.
Upgrading to a New Software Version
If you have a Cisco.com (CDC) login, you can obtain software from the following website:
You must upgrade from Version 7.0(x) or 7.1(1) to 7.1(2) because older versions of the ASA images do not recognize new ASDM images and new ASA images do not recognize old ASDM images. Similarly, if you downgrade to an earlier version of ASA software, you must also downgrade the ASDM image.
You can also use command-line interface to download the image. See the "Downloading Software or Configuration Files to Flash Memory" section in the Cisco Security Appliance Command Line Configuration Guide.
To upgrade from Version 7.0.(x) or 7.1(1) to 7.1(2), you must perform the following steps:
Load the new 7.1(2) image from the following website: http://www.cisco.com/cisco/pub/software/portal/select.html
Step 1 Reload the device so that it uses the 7.1(2) image.
Load the new ASDM 5.1(2) image from the following website: http://www.cisco.com/cisco/pub/software/portal/select.html
To downgrade from Version 7.1(2) to an earlier version, you must perform the following steps:
Load the 7.0.(x) or 7.1(1) image from the following website: http://www.cisco.com/cisco/pub/software/portal/select.html
Step 1 Reload the device so that it uses the earlier image.
Load the ASDM 5.0(x) or 5.1(1) image from the following website: http://www.cisco.com/cisco/pub/software/portal/select.html
There were no new features in ASA 7.1(2)/ASDM 5.1(2)
This section lists important notes related to Version 7.1(2).
SSL VPN Licenses
Beginning with Version 7.1(1), SSL VPN (WebVPN) services require a license. These services are now licensed on a per-user session basis, with licensing levels at 10, 50, 100, 250, 500, 750, 1000, and 2500 user sessions. The complete SSL VPN feature functionality offered by the adaptive security appliance is included in this single SSL VPN license. No per-feature licenses are required. This SSL VPN license has a one-time fee and lasts for the lifetime of the adaptive security appliance. Upon installation of Version 7.1(1) or later, two simultaneous SSL VPN user sessions are included for evaluation.
ActiveX and WebVPN
Many ActiveX controls are custom and require special treatment by WebVPN. Please contact Cisco TAC if your application uses ActiveX controls and you have problems with its functionality over a WebVPN connection (CSCsb85180).
If a remote user accesses CIFS files using Internet Explorer, the filename in the File Download window might not display some Japanese Shift_JIS characters correctly. However, the Open and Save functions do work properly. This issue does not occur with Netscape.
Failover and WebVPN and SVC Connections
To ensure that WebVPN and SVC connections reconnect quickly in the event of a failover, enable the adaptive security appliancee to respond to incoming client TCP packets with the service resetoutside command from global configuration mode:[no] service resetoutside
This command causes the adaptive security appliance that takes over the existing WebVPN and SVC connections to send TCP RST packets in response to incoming client TCP packets, causing client connections to reestablish quicker. If you do not enable the service resetoutside command, the security appliance drops TCP packets from failed-over connections and waits for each client to reestablish the TCP connection. This may take longer or result in the session being lost due to timeout.
The following example enables the security appliance to send TCP RST packets:hostname(config)# service resetoutside
The adaptive security appliances are on the FIPS 140-2 Pre-Validation List.
WebVPN ACLS and DNS Hostname
When a deny webtype URL ACL (DNS-based) is defined, but the DNS-based URL is not reachable, the browser displays q "DNS Error" popup. The ACL hit counter does not increment.
If an IP address rather than a DNS name defines a deny webtype URL, then the hit counter does record the traffic flow hitting the ACL, and the browser displays a "Connection Error."
Proxy Server and ASA
If WebVPN is configured to use an HTTP(S)-proxy server to service all requests for browsing HTTP and/or HTTPS sites, the client/browser may expect the following behavior:
1. If the ASA cannot communicate with the HTTPS or HTTPS proxy server, a "connection error" is displayed on the client browser.
2. If the HTTP(S) proxy cannot resolve or reach the requested URL, it should send an appropriate error to the ASA, which in turn displays it on the client browser.
Only when the HTTP(S) proxy server notifies the ASA of the inaccessible URL, can the ASA notify the client browser about the error.
The PFS setting on the VPN client and the adaptive security appliance must match.
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
The adaptive security appliance Outbound/Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and leverage the powerful ACL feature set. ACL based configurations provide the following benefit:
•ACE Insertion capability - System configuration and management is greatly simplified by the ACE insertion capability that allows users to add, delete or modify individual ACEs.
VPN Load Balancing Requirements
VPN load balancing for the adaptive security appliance requires an ASA 5520 or ASA 5540. It also requires a 3DES-AES encryption license.
User Upgrade Guide
For a list of deprecated features, and user upgrade information, go to the following URL:
Features not Supported in Version 7.1(2)
The following features are not supported in Version 7.1(2):
•L2TP over IPSec
For information on MIB Support, go to:
Downgrading to a Previous Version
To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
Caveats, Version 7.1(2)
The following sections describe open and resolved VPN caveats for version 7.1(2).
The following sections describe the caveats that remain open for Version 7.1(2).
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation might be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
To become a registered cisco.com user, go to the following website:
Table 2 lists open caveats in Version 7.1(2).
Table 3 lists caveats resolved in Version 7.1(2).
For additional information on the adaptive security appliance, see the following documentation found on Cisco.com:
•Cisco ASA 5500 Hardware Installation Guide
•Cisco Adaptive Security Appliance Getting Started Guide
•Cisco ASDM Release Notes
•Cisco Security Appliance Command Line Configuration Guide
•Cisco Security Appliance Command Reference
•Migrating to ASA for VPN 3000 Series Concentrator Administrators
•Release Notes for Cisco SSL VPN Client
•Cisco Secure Desktop Configuration Guide
•Release Notes for Cisco Secure Desktop
•Regulatory Compliance and Safety Information for the Cisco ASA 5500 Series
•Selected ASDM VPN Configuration Procedures for the Cisco ASA 5500 Series
•Cisco Security Appliance Logging Configuration and System Log Messages
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
©2006 Cisco Systems, Inc. All rights reserved.