Release Notes for the Cisco ASA 5500-X Series, Version 8.6(x)
Released: February 28, 2012
Update: July 5, 2012
This document contains release information for the Cisco ASA 5500-X software Version 8.6(1).
This document includes the following sections:
Version 8.6(1) supports only the Cisco ASA 5500-X series, which includes the Cisco ASA 5512-X, 5515-X, 5525-X, 5545-X, and 5555-X. This version is not available for the ASA 5585-X.
Table 1 lists information about ASDM, module, and VPN compatibility with the ASA 5500 series.
New Features
Released: February 28, 2012
Table 2 lists the new features for ASA Version 8.6(1). This ASA software version is only supported on the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X.
Note: Version 8.6(1) includes all features in 8.4(2), plus the features listed in this table.
Features added in 8.4(3) are not included in 8.6(1) unless they are explicitly listed in this table.
Upgrading the Software
This section describes how to upgrade to the latest version and includes the following topics:
Note: For ASDM procedures, see the ASDM release notes.
Viewing Your Current Version
Use the show version command to verify the software version of your ASA.
Upgrading the Operating System and ASDM Images
This section describes how to install the ASDM and operating system (OS) images using TFTP. For FTP or HTTP, see the "Managing Software and Configurations" chapter in the CLI configuration guide.
We recommend that you upgrade the ASDM image before the OS image. ASDM is backward compatible, so you can upgrade the OS using the new ASDM; however, you cannot use an old ASDM image with a new OS.
For information about upgrading software in a failover pair, see the "Performing Zero Downtime Upgrades for Failover Pairs" chapter in the CLI configuration guide.
Step 1 If you have a Cisco.com login, you can obtain the OS and ASDM images from the following website:
Step 2 Back up your configuration file. To print the configuration to the terminal, enter the following command in privileged EXEC mode:
hostname# show running-config
Copy the output from this command, then paste the configuration into a text file.
Note: If you are upgrading from a pre-8.3 version, then the running configuration is backed up automatically.
For other methods of backing up, see the "Managing Software and Configurations" chapter in the CLI configuration guide.
Step 3 Install the new images using TFTP. Enter this command separately for the OS image and the ASDM image:
hostname# copy tftp://server[/path]/filename disk0:/[path/]filename
For example:
hostname# copy tftp://10.1.1.1/asa840-4-k8.bin disk0:/asa861-k8.bin
...
hostname# copy tftp://10.1.1.1/asdm-64099.bin disk0:/asdm-661.bin
If your ASA does not have enough memory to hold two images, overwrite the old image with the new one by specifying the same destination filename as the existing image.
Step 4 To change the OS boot image to the new image name, enter the following commands in global configuration mode:
hostname(config)# clear configure boot
hostname(config)# boot system disk0:/[path/]new_filename
For example:
hostname(config)# clear configure boot
hostname(config)# boot system disk0:/asa861-k8.bin
Step 5 To configure the ASDM image to the new image name, enter the following command:
hostname(config)# asdm image disk0:/[path/]new_filename
Step 6 To save the configuration and reload, enter the following commands:
hostname(config)# write memory
hostname(config)# reload
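A pre-reload check for Steps 3 through 6, as an added example that is not part of the Cisco release notes: it reads saved copies of the show running-config and dir disk0: output and reports any boot system or asdm image line that names a file missing from disk0, for instance after the old image was overwritten in Step 3. The sample outputs are constructed, the function names are hypothetical, and images are assumed to sit in the root of disk0.

```python
import re

# Constructed sample inputs (not captured from a device); the image names are
# the ones used in the examples above. Assumes images sit in the disk0: root.
SAMPLE_CONFIG = """\
hostname ciscoasa
boot system disk0:/asa861-k8.bin
asdm image disk0:/asdm-661.bin
"""
SAMPLE_DIR = """\
Directory of disk0:/

124    -rwx  38191104     10:55:32 Feb 28 2012  asa861-k8.bin
125    -rwx  17906032     10:57:01 Feb 28 2012  asdm-661.bin
"""

IMAGE_LINE = re.compile(r"(boot system|asdm image)\s+disk0:/?(\S+)$")


def files_on_disk0(dir_output):
    """Map filename -> size in bytes from saved 'dir disk0:' output."""
    files = {}
    for line in dir_output.splitlines():
        parts = line.split()
        # Entry rows: index, permissions, size, time, date..., name
        if len(parts) >= 4 and parts[0].isdigit() and parts[2].isdigit():
            files[parts[-1]] = int(parts[2])
    return files


def pre_reload_check(config_text, dir_output):
    """Return the problems that should block the reload in Step 6."""
    present = files_on_disk0(dir_output)
    refs = {"boot system": [], "asdm image": []}
    for line in config_text.splitlines():
        m = IMAGE_LINE.match(line.strip())
        if m:
            refs[m.group(1)].append(m.group(2))
    problems = []
    for kind, names in refs.items():
        if len(names) != 1:  # Steps 4 and 5 leave exactly one of each
            problems.append(f"{kind}: expected 1 line, found {len(names)}")
        for name in names:
            if present.get(name, 0) == 0:  # absent, or a truncated transfer
                problems.append(f"{kind}: disk0:/{name} missing or empty")
    return problems


if __name__ == "__main__":
    print(pre_reload_check(SAMPLE_CONFIG, SAMPLE_DIR) or "OK to reload")
```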
Installing the IPS Software Module
Your ASA typically ships with IPS module software present on Disk0. If the module is not running, however, you need to install the module.
Step 1 To view the IPS module software filename in flash memory, enter:
hostname# dir disk0:
For example, look for a filename like IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip. Note the filename; you will need this filename later in the procedure.
Step 2 If you need to copy a new image to disk0, download the image from Cisco.com to a TFTP server, and then enter:
hostname# copy tftp://server/file_path disk0:/file_path
For other server types, see the "Downloading a File to a Specific Location" section.
Step 3 To identify the IPS module software location in disk0, enter the following command:
hostname# sw-module module ips recover configure image disk0:file_path
For example, using the filename in the example in Step 1, enter:
hostname# sw-module module ips recover configure image disk0:IPS-SSP_5512-K9-sys-1.1-a-7.1-4-E4.aip
Step 4 To install and load the IPS module software, enter the following command:
hostname# sw-module module ips recover boot
Step 5 To check the progress of the image transfer and module restart process, enter the following command:
hostname# show module ips details
The Status field in the output indicates the operational status of the module. A module operating normally shows a status of "Up." While the ASA transfers an application image to the module, the Status field in the output reads "Recover." When the ASA completes the image transfer and restarts the module, the newly transferred image is running.
Installing or Upgrading Cisco Secure Desktop
ASA Version 8.6(1) requires Cisco Secure Desktop Release 3.2 or later. You do not need to restart the ASA after you install or upgrade Cisco Secure Desktop.
To install or upgrade the Cisco Secure Desktop software, perform the following steps:
Step 1 Download the latest Cisco Secure Desktop package file from the following website:
Step 2 Install the new image using TFTP:
hostname# copy tftp://server[/path]/filename disk0:/[path/]filename
Step 3 Enter the following command to access webvpn configuration mode (from global configuration mode):
hostname(config)# webvpn
hostname(config-webvpn)#
Step 4 To validate the Cisco Secure Desktop distribution package and add it to the running configuration, enter the following command:
hostname(config-webvpn)# csd image disk0:/securedesktop_asa_3_2_0_build.pkg
Step 5 To enable Cisco Secure Desktop for management and remote user access, use the following command:
hostname(config-webvpn)# csd enable
Table 3 contains the open caveats in Version 8.6(1).
If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
End-User License Agreement
For information on the end-user license agreement, go to:
For additional information about the ASA, see Navigating the Cisco ASA Series Documentation:
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2012 Cisco Systems, Inc.
All rights reserved.