Table Of Contents
Release Notes for Cisco ASDM for the FWSM, Version 6.2(x)F
This document contains release information for Cisco ASDM Versions 6.2(1)F through 6.2(3)F for the FWSM.
This document includes the following sections:
Table 1 lists the new features for ASDM Versions 6.2(1)F through 6.2(3)F. These features were introduced in Version 6.2(1)F. There are no new features for Version 6.2(2)F and 6.2(3)F. All features apply to FWSM Version 4.1(1), as well.
ASDM Client Operating System and Browser Requirements
Table 2 lists the supported and recommended client operating systems and Java for ASDM.
Table 2 Operating System and Browser Requirements
Operating System Browser Sun Java SE Plug-in1 Internet Explorer Firefox Safari
Microsoft Windows (English and Japanese):
•2000 (Service Pack 4 or higher)
6.0 or later
1.5 or later
Apple Macintosh OS X:
1.5 or later
2.0 or later
Red Hat Enterprise Linux 5 (GNOME or KDE):
1.5 or later
FWSM and ASDM Release Compatibility
Table 3 shows the ASDM or PDM versions that can be used with each FWSM release.
All ASDM releases are backward-compatible with FWSM 3.1. PDM releases are not backward-compatible.
Upgrading or Downgrading the Software
This section describes how to upgrade to the latest version, and includes the following topics:
Note For CLI procedures, see the ASA release notes.
Viewing Your Current Version
The software version appears on the ASDM home page; view the home page to verify the software version of your FWSM.
Upgrading from 2.x or 3.x
Starting in Release 4.0(1), many commands are migrated to new commands (for example, the http-map commands are converted to policy-map type inspect http commands).
If you upgrade from 2.x or 3.x, the configuration is converted. This converted configuration is not saved to memory until you save the configuration by clicking Save at the top of the window.
If you try to downgrade to 2.x or 3.x using a converted configuration, many commands will be rejected. Moreover, if you add access lists to the 4.x configuration to take advantage of larger access list memory space, then downgrading could result in an inability to load all the new access lists.
If you want to downgrade, be sure to copy a saved 2.x or 3.x configuration to the starting configuration before you reload with the 2.x or 3.x image.
Upgrading the Operating System and ASDM Images
This section describes how to install the ASDM and operating system (OS) images to the current application partition.
Note If the FWSM is running Version 4.0 or later, then you can upgrade to the latest version of ASDM (and disconnect and reconnect to start running it) before upgrading the OS.
If the FWSM is running a version earlier than 4.0, then use the already installed version of ASDM to upgrade both the OS and ASDM to the latest versions, and then reload.
To install and start using the new images, perform the following steps:
Step 1 From the Tools menu, choose Tools > Upgrade Software from Cisco.com.
In multiple context mode, access this menu from the System. For 6.2F, this menu item is located under Tools > Software Updates.
The Upgrade Software from Cisco.com Wizard appears.
Note If you are running ASDM Version 5.2 or lower, then the Upgrade Software from Cisco.com Wizard is not available. You can download the software from the following URL:
Then use Tools > Upgrade Software.
Step 2 Click Next.
The Authentication screen appears.
Step 3 Enter your Cisco.com username and password, and click Next.
The Image Selection screen appears.
Step 4 Check the Upgrade the FWSM version check box and the Upgrade the ASDM version check box to specify the most current images to which you want to upgrade, and click Next.
The Selected Images screen appears.
Step 5 Verify that the image file you have selected is the correct one, and then click Next to start the upgrade.
The wizard indicates that the upgrade will take a few minutes. You can then view the status of the upgrade as it progresses.
The Results screen appears. This screen provides additional details, such as whether the upgrade failed or whether you want to save the configuration and reload the FWSM.
If you upgraded the FWSM version and the upgrade succeeded, an option to save the configuration and reload the FWSM appears.
Step 6 Click Yes.
For the upgrade versions to take effect, you must save the configuration, reload the FWSM, and restart ASDM.
Step 7 Click Finish to exit the wizard when the upgrade is finished.
Downgrading from 4.1
This section describes how to downgrade from 4.1, and includes the following topics:
If you configure the shared management VLAN feature that was introduced in 4.1(1), this feature is not supported when you downgrade to a pre-4.1(1) release.
See the following issues when you use this feature, and then downgrade:
•The interface configuration for the shared VLAN is accepted in the first context configuration in which it appears, but is rejected in subsequent transparent mode contexts.
•For these subsequent contexts, if the startup-config has the management VLAN configuration defined directly after another VLAN configuration for through traffic, then the name and security level associated with the (rejected) shared management VLAN is erroneously applied to the immediately preceding VLAN.
Workaround: Remove the interface configuration for the shared VLAN from all contexts before you downgrade.
For example, you have the following configuration in 4.1:interface Vlan100nameif outsidebridge-group 5security-level 0interface Vlan101nameif dmzsecurity-level 100management-onlyip address 10.90.90.4 255.255.255.0 standby 10.90.90.5
After downgrading, the shared management interface vlan101 command is rejected if it was already used in another context; so the nameif dmz and security-level 100 commands are applied to VLAN 100, overwriting the original nameif and security-level commands. (The VLAN 101 management-only and ip address commands are rejected because they are not allowed for the interface vlan command pre-4.1). The resulting VLAN 100 configuration is the following:interface Vlan100nameif dmzbridge-group 5security-level 100
This section describes how to downgrade the ASDM and operating system (OS) images to the current application partition.
To install and start using the old images, perform the following steps:
Step 1 If you have a Cisco.com login, you can obtain the old OS and ASDM images from the following website:
Step 2 If you configured shared management VLANs for transparent mode contexts, see the "Important Notes" section to remove the configuration for each context.
Step 3 From the Tools menu, choose Tools > Software Updates > Upgrade Software from Local Computer.
The Upgrade Software from Local Computer dialog box appears.
Step 4 (Optional) To downgrade ASDM, from the Image to Upload drop-down list, choose ASDM.
ASDM Version 6.2F is backwards compatible with previous versions, so you do not need to downgrade ASDM.
Step 5 Enter the local path to the file on your PC or click Browse Local Files to find the file on your PC.
Step 6 Click Upload Image. The uploading process might take a few minutes; make sure you wait until it is finished.
Step 8 You are prompted to reload. Click OK.
ASDM supports almost all commands available for the adaptive FWSM, but ASDM ignores some commands in an existing configuration. Most of these commands can remain in your configuration; see Tools > Show Commands Ignored by ASDM on Device for more information.
This section includes the following topics:
Ignored and View-Only Commands
Table 4 lists commands that ASDM supports in the configuration when added through the CLI, but that cannot be added or edited in ASDM. If ASDM ignores the command, it does not appear in the ASDM GUI at all. If the command is view-only, then it appears in the GUI, but you cannot edit it.
Effects of Unsupported Commands
•If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected. To view the unsupported commands, choose Tools > Show Commands Ignored by ASDM on Device.
•If ASDM loads an existing running configuration and finds the alias command, it enters Monitor-only mode.
Monitor-only mode allows access to the following functions:
–The Monitoring area
–The CLI tool (Tools > Command Line Interface), which lets you use the CLI commands
To exit Monitor-only mode, use the CLI tool or access the FWSM console, and remove the alias command. You can use outside NAT instead of the alias command. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information.
Note You might also be in Monitor-only mode because your user account privilege level, indicated in the status bar at the bottom of the main ASDM window, was set up as less than or equal to three by your system administrator, which allows Monitor-only mode. For more information, choose Configuration > Device Management > Users/AAA > User Accounts and
Configuration > Device Management > Users/AAA > AAA Access.
Discontinuous Subnet Masks Not Supported
ASDM does not support discontinuous subnet masks such as 255.255.0.255. For example, you cannot use the following:ip address inside 192.168.2.1 255.255.0.255
Interactive User Commands Not Supported by the ASDM CLI Tool
The ASDM CLI tool does not support interactive user commands. If you enter a CLI command that requires interactive confirmation, ASDM prompts you to enter "[yes/no]" but does not recognize your input. ASDM then times out waiting for your response.
1. From the ASDM Tools menu, click Command Line Interface.
2. Enter the crypto key generate rsa command.
ASDM generates the default 1024-bit RSA key.
3. Enter the crypto key generate rsa command again.
Instead of regenerating the RSA keys by overwriting the previous one, ASDM displays the following error:Do you really want to replace them? [yes/no]:WARNING: You already have RSA ke0000000000000$A keyInput line must be less than 16 characters in length.%Please answer 'yes' or 'no'.Do you really want to replace them [yes/no]:%ERROR: Timed out waiting for a response.ERROR: Failed to create new RSA keys names <Default-RSA-key>
•You can configure most commands that require user interaction by means of the ASDM panes.
•For CLI commands that have a noconfirm option, use this option when entering the CLI command. For example:crypto key generate rsa noconfirm
This section lists the open caveats in software Versions 6.2(2)F and 6.2(3)F.
If you are running an older release and you need to determine the open caveats for your release, then add the caveats in this section to the resolved caveats from your release moving forward. For example, if you are running Release 6.2(1), then you need to add the caveats in that section to the resolved caveats from 6.2(2) to determine the complete list of open caveats for your release.
If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
Table 6 Open Caveats Version 6.2(3)F
Caveat ID Description
Java Web Start may not work on MacOS
This section lists the open caveats in software Versions 6.2(2)F and 6.2(3)F.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2012 Cisco Systems, Inc. All rights reserved.