Table Of Contents
Release Notes for Cisco ASDM, Version 7.1(x)
Important Notes
Limitations and Restrictions
System Requirements
ASDM Client Operating System and Browser Requirements
New Features
New Features in Version 7.1(3)
New Features in Version 7.1(2.102)
New Features in Version 7.1(2)
New Features in Version 7.1(1)
Upgrading the Software
Upgrade Path and Migrations
Viewing Your Current Version
Downloading the Software from Cisco.com
Upgrading a Standalone Unit
Upgrading from Your Local Computer (ASDM 6.0 or Later)
Upgrading Using the Cisco.com Wizard (ASDM 6.3 or Later)
Upgrading Using the Cisco.com Wizard (ASDM 6.0 Through ASDM 6.2)
Upgrading from Your Local Computer (ASDM 5.2 or Earlier)
Upgrading a Failover Pair or ASA Cluster
Upgrading an Active/Standby Failover Pair
Upgrading an Active/Active Failover Pair
Upgrading an ASA Cluster
Unsupported Commands
Ignored and View-Only Commands
Effects of Unsupported Commands
Discontinuous Subnet Masks Not Supported
Interactive User Commands Not Supported by the ASDM CLI Tool
Open Caveats
Open Caveats in 7.1(3)
Open Caveats in 7.1(2.102)
Open Caveats in 7.1(2)
Open Caveats in 7.1(1)
Resolved Caveats
Resolved Caveats in 7.1(3)
Resolved Caveats in 7.1(2.102)
Resolved Caveats in 7.1(2)
Resolved Caveats in 7.1(1)
End-User License Agreement
Related Documentation
Obtaining Software, Documentation, and Submitting a Service Request
Release Notes for Cisco ASDM, Version 7.1(x)
Released: December 3, 2012
Updated: June 14, 2013
This document contains release information for Cisco ASDM Version 7.1(1) through 7.1(3) for the Cisco ASA series. This document includes the following sections:
•
Important Notes
•Limitations and Restrictions
•System Requirements
•ASDM Client Operating System and Browser Requirements
•New Features
•Upgrading the Software
•Unsupported Commands
•Open Caveats
•Resolved Caveats
•End-User License Agreement
•Related Documentation
•Obtaining Software, Documentation, and Submitting a Service Request
Important Notes
•ASA Clustering—Due to many caveat fixes, we recommend the 9.0(2) release for ASA clustering. If you are running 9.0(1) or 9.1(1), you should upgrade to 9.0(2). Note that due to CSCue72961, hitless upgrading is not supported.
•Downgrading issues—Upgrading to ASA Version 9.0 and later includes ACL migration (see the 9.0 release notes). Therefore, you cannot downgrade from 9.0 with a migrated configuration. Be sure to make a backup copy of your configuration before you upgrade so you can downgrade using the old configuration if required.
•Per-session PAT disabled when upgrading— Starting in Version 9.0, by default, all TCP PAT traffic and all UDP DNS traffic use per-session PAT. If you upgrade to Version 9.0 and later from an earlier release, to maintain the existing functionality of multi-session PAT, the per-session PAT feature is disabled during configuration migration.
To enable per-session PAT after you upgrade:
a. Choose Configuration > Firewall > Advanced > Per-Session NAT Rules.
b. Select each Deny rule in the table, and click Delete.
After you delete the Deny rules, only the default permit rules are still in place, thus enabling per-session PAT.
c. Click Apply.
•No Payload Encryption for export—You can purchase some models with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA series. The ASA software senses a No Payload Encryption model, and disables the following features:
–Unified Communications
–VPN
You can still install the Strong Encryption (3DES/AES) license for use with management connections and encrypted route messages for OSPFv3. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filer (which uses SSL) and redirect traffic to Cloud Web Security.
•Maximum Configuration Size—ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience performance issues. For example, when you load the configuration, the status dialog shows the percentage of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend that you consider increasing the ASDM system heap memory.
To increase the ASDM heap memory size, download the ASDM-IDM Launcher, and then modify the ASDM-IDM Launcher shortcut by performing the following steps.
Windows:
a. Right-click the shortcut for the Cisco ASDM-IDM Launcher, and choose Properties.
b. Click the Shortcut tab.
c. In the Target field, change the argument prefixed with "-Xmx" to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.
Macintosh:
a. Right-click the Cisco ASDM-IDM icon, and choose Show Package Contents.
b. In the Contents folder, double-click the Info.plist file. If you have Developer tools installed, it opens in the Property List Editor. Otherwise, it opens in TextEdit.
c. Under Java > VMOptions, change the string prefixed with "-Xmx" to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.
d. If this file is locked, you see an error such as the following:
e. Click Unlock and save the file.
If you do not see the Unlock dialog box, exit the editor, right-click the Cisco ASDM-IDM icon, choose Copy Cisco ASDM-IDM, and paste it to a location where you have write permissions, such as the Desktop. Then change the heap size from this copy.
Limitations and Restrictions
•Clientless SSL VPN with a self-signed certificate on the ASA—When the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using an IPv6 address HTTPS URL (FQDN URL is OK): the "Confirm Security Exception" button is disabled. See: https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including clientless SSL VPN connections, and ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority. For Internet Explorer 9 and later, use compatibility mode.
•If you are using the ASA IPS software module on the ASA 5500-X with ASA Version 9.1(1), then ASDM cannot connect to the ASA IPS module (see the Home > IPS Module tab or the Configuration > IPS pane). You must launch IDM directly by pointing your browser at the ASA IPS module management IP address (https://ips_ip_address). (CSCud67542)
•(ASA 5510, ASA 5520, ASA 5540, and ASA 5550 only) We strongly recommend that you enable hardware processing using the crypto engine large-mod-accel command instead of software for large modulus operations such as 2048-bit certificates and DH5 keys. If you continue to use software processing for large keys, you could experience significant performance degradation due to slow session establishment for IPsec and SSL VPN connections. We recommend that you initially enable hardware processing during a low-use or maintenance period to minimize a temporary packet loss that can occur during the transition of processing from software to hardware.
Note For the ASA 5540 and ASA 5550 using SSL VPN, in specific load conditions, you may want to continue to use software processing for large keys. If VPN sessions are added very slowly and the ASA runs at capacity, then the negative impact to data throughput is larger than the positive impact for session establishment.
The ASA 5580/5585-X platforms already integrate this capability; therefore, crypto engine commands are not applicable on these platforms.
System Requirements
For information about ASA/ASDM requirements and compatibility, see Cisco ASA Compatibility:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
Note ASDM supports many ASA versions. The ASDM documentation and online help includes all of the latest features supported by the ASA. If you are running an older version of ASA software, the documentation might include features that are not supported in your version. Similarly, if a feature was added into a maintenance release for an older major or minor version, then the ASDM documentation includes the new feature even though that feature might not be available in all later ASA releases. Please refer to the new features tables to determine when features were added. For the minimum supported version of ASDM for each ASA version, see Cisco ASA Compatibility.
For VPN compatibility, see the Supported VPN Platforms, Cisco ASA 5500 Series:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html
ASDM Client Operating System and Browser Requirements
Table 1 lists the supported and recommended client operating systems and Java for ASDM.
Table 1 Operating System and Browser Requirements
Operating System
|
Browser
|
Java SE Plug-in
|
Internet Explorer
|
Firefox
|
Safari
|
Chrome
|
Microsoft Windows (English and Japanese):
•7
•Vista
•2008 Server
•XP
|
6.0 or later
|
1.5 or later
|
No support
|
18.0 or later
|
6.0 or later
|
Apple Macintosh OS X:
•10.8
•10.7
•10.6
•10.5
•10.4
|
No support
|
1.5 or later
|
2.0 or later
|
18.0 or later
|
6.0 or later
|
Red Hat Enterprise Linux 5 (GNOME or KDE):
•Desktop
•Desktop with Workstation
|
N/A
|
1.5 or later
|
N/A
|
18.0 or later
|
6.0 or later
|
See the following caveats:
•If you upgrade from a previous version to Java 7 update 5, you may not be able to open ASDM using the Java Web Start from an IPv6 address; you can either download the ASDM Launcher, or follow the instructions at: http://java.com/en/download/help/clearcache_upgrade.xml.
•Due to a Java bug, ASDM does not support usernames longer than 50 characters when using Java 6. Longer usernames work correctly for Java 7.
•ASDM requires you to make an SSL connection to the ASA in the following situations:
–When you first connect your browser to the ASA and access the ASDM splash screen.
–When you launch ASDM using the launcher or the Java web start application.
If the ASA only has the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you may not be able to access the splash screen or launch ASDM. See the following issues:
–When using Java 7 when launching ASDM, you must have the strong encryption license (3DES/AES) on the ASA. With only the base encryption license (DES), you cannot launch ASDM. Even if you can connect with a browser to the ASDM splash screen and download the launcher or web start application, you cannot then launch ASDM. You must uninstall Java 7, and install Java 6.
–When using Java 6 for accessing the splash screen in a browser, by default, Internet Explorer on Windows Vista and later and Firefox on all operating systems do not support DES for SSL; therefore without the strong encryption license (3DES/AES), see the following workarounds:
If available, use an already downloaded ASDM launcher or Java web start application. The launcher works with Java 6 and weak encryption, even if the browsers do not.
For Windows Internet Explorer, you can enable DES as a workaround. See http://support.microsoft.com/kb/929708 for details.
For Firefox on any operating system, you can enable the security.ssl3.dhe_dss_des_sha setting as a workaround. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.
•When the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See: https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority.
•If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome "SSL false start" feature. We suggest re-enabling one of these algorithms (see the Configuration > Device Management > Advanced > SSL Settings pane); or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to http://www.chromium.org/developers/how-tos/run-chromium-with-flags.
•For Internet Explorer 9.0 for servers, the "Do not save encrypted pages to disk" option is enabled by default (See Tools > Internet Options > Advanced). This option causes the initial ASDM download to fail. Be sure to disable this option to allow ASDM to download.
•On MacOS, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.
•On MacOS, you may see the following error message when opening the ASDM Launcher:
Cannot launch Cisco ASDM-IDM. No compatible version of Java 1.5+ is available.
In this case, Java 7 is the currently-preferred Java version; you need to set Java 6 as the preferred Java version: Open the Java Preferences application (under Applications > Utilities), select the preferred Java version, and drag it up to be the first line in the table.
•On MacOS 10.8 and later, you need to allow applications that are not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.
a. To change the security setting, open System Preferences, and click Security & Privacy.
b. On the General tab, under Allow applications downloaded from, click Anywhere.
New Features
•New Features in Version 7.1(3)
•New Features in Version 7.1(2.102)
•New Features in Version 7.1(2)
•New Features in Version 7.1(1)
New Features in Version 7.1(3)
Released: May 14, 2013
Table 2 lists the new features for ASA Version 9.1(2)/ASDM Version 7.1(3).
Note Features added in 8.4(6) are not included in 9.1(2) unless they are explicitly listed in this table.
Table 2 New Features for ASA Version 9.1(2)/ASDM Version 7.1(3)
Feature
|
Description
|
Encryption Features
|
Support for IPsec LAN-to-LAN tunnels to encrypt failover and state link communications
|
Instead of using the proprietary encryption for the failover key, you can now use an IPsec LAN-to-LAN tunnel for failover and state link encryption.
Note Failover LAN-to-LAN tunnels do not count against the IPsec (Other VPN) license.
We modified the following screen: Configuration > Device Management > High Availability > Failover > Setup.
|
Additional ephemeral Diffie-Hellman ciphers for SSL encryption
|
The ASA now supports the following ephemeral Diffie-Hellman (DHE) SSL cipher suites:
•DHE-AES128-SHA1
•DHE-AES256-SHA1
These cipher suites are specified in RFC 3268, Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS).
When supported by the client, DHE is the preferred cipher because it provides Perfect Forward Secrecy. See the following limitations:
•DHE is not supported on SSL 3.0 connections, so make sure to also enable TLS 1.0 for the SSL server.
•Some popular applications do not support DHE, so include at least one other SSL encryption method to ensure that a cipher suite common to both the SSL client and server can be used.
•Some clients may not support DHE, including AnyConnect 2.5 and 3.0, Cisco Secure Desktop, and Internet Explorer 9.0.
We modified the following screen: Configuration > Device Management > Advanced > SSL Settings.
Also available in 8.4(4.1).
|
Management Features
|
Support for administrator password policy when using the local database
|
When you configure authentication for CLI or ASDM access using the local database, you can configure a password policy that requires a user to change their password after a specified amount of time and also requires password standards such as a minimum length and the minimum number of changed characters.
We introduced the following screen: Configuration > Device Management > Users/AAA > Password Policy.
Also available in 8.4(4.1).
|
Support for SSH public key authentication
|
You can now enable public key authentication for SSH connections to the ASA on a per-user basis. You can specify a public key file (PKF) formatted key or a Base64 key. The PKF key can be up to 4096 bits. Use PKF format for keys that are too large to for the ASA support of the Base64 format (up to 2048 bits).
We introduced the following screens:
Configuration > Device Management > Users/AAA > User Accounts > Edit User Account > Public Key Authentication
Configuration > Device Management > Users/AAA > User Accounts > Edit User Account > Public Key Using PKF
Also available in 8.4(4.1); PKF key format support is only in 9.1(2).
|
AES-CTR encryption for SSH
|
The SSH server implementation in the ASA now supports AES-CTR mode encryption.
|
Improved SSH rekey interval
|
An SSH connection is rekeyed after 60 minutes of connection time or 1 GB of data traffic.
|
Support for Diffie-Hellman Group 14 for the SSH Key Exchange
|
Support for Diffie-Hellman Group 14 for SSH Key Exchange was added. Formerly, only Group 1 was supported.
We modified the following screen: Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH.
Also available in 8.4(4.1).
|
Support for a maximum number of management sessions
|
You can set the maximum number of simultaneous ASDM, SSH, and Telnet sessions.
We introduced the following screen: Configuration > Device Management > Management Access > Management Session Quota.
Also available in 8.4(4.1).
|
Support for a pre-login banner in ASDM
|
Administrator can define a message that appears before a user logs into ASDM for management access. This customizable content is called a pre-login banner, and can notify users of special requirements or important information.
|
The default Telnet password was removed
|
To improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet. Note: The login password is only used for Telnet if you do not configure Telnet user authentication.
Formerly, when you cleared the password, the ASA restored the default of "cisco." Now when you clear the password, the password is removed.
The login password is also used for Telnet sessions from the switch to the ASA SM (see the session command). For initial ASA SM access, you must use the service-module session command, until you set a login password.
We did not modify any ASDM screens.
Also available in 9.0(2).
|
Platform Features
|
Support for Power-On Self Test (POST)
|
The ASA runs its power-on self-test at boot time even if it is not running in FIPS 140-2-compliant mode.
Additional tests have been added to the POST to address the changes in the AES-GCM/GMAC algorithms, ECDSA algorithms, PRNG, and Deterministic Random Bit Generator Validation System (DRBGVS).
|
Improved pseudo-random number generation (PRNG)
|
The X9.31 implementation has been upgraded to use AES-256 encryption instead of 3DES encryption to comply with the Network Device Protection Profile (NDPP) in single-core ASAs.
|
Support for image verification
|
Support for SHA-512 image integrity checking was added.
We did not modify any ASDM screens.
Also available in 8.4(4.1).
|
Support for private VLANs on the ASA Services Module
|
You can use private VLANs with the ASA SM. Assign the primary VLAN to the ASA SM; the ASA SM automatically handles secondary VLAN traffic. There is no configuration required on the ASA SM for this feature; see the switch configuration guide for more information.
|
CPU profile enhancements
|
The cpu profile activate command now supports the following:
•Delayed start of the profiler until triggered (global or specific thread CPU%)
•Sampling of a single thread
We did not modify any ASDM screens.
Also available in 8.4(6).
|
DHCP Features
|
DHCP relay servers per interface (IPv4 only)
|
You can now configure DHCP relay servers per-interface, so requests that enter a given interface are relayed only to servers specified for that interface. IPv6 is not supported for per-interface DHCP relay.
We modified the following screen: Configuration > Device Management > DHCP > DHCP Relay.
|
DHCP trusted interfaces
|
You can now configure interfaces as trusted interfaces to preserve DHCP Option 82. DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the ASA DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent address that is set by the relay agent before it forwards the packet to the server) is set to 0, then the ASA will drop that packet by default. You can now preserve Option 82 and forward the packet by identifying an interface as a trusted interface.
We modified the following screen: Configuration > Device Management > DHCP > DHCP Relay.
|
Module Features
|
ASA 5585-X support for network modules
|
The ASA 5585-X now supports additional interfaces on network modules in slot 1. You can install one or two of the following optional network modules:
•ASA 4-port 10G Network Module
•ASA 8-port 10G Network Module
•ASA 20-port 1G Network Module
Also available in 8.4(4.1).
|
ASA 5585-X DC power supply support
|
Support was added for the ASA 5585-X DC power supply.
Also available in 8.4(5).
|
Support for ASA CX monitor-only mode for demonstration purposes
|
For demonstration purposes only, you can enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected.
Another option for demonstration purposes is to configure a traffic-forwarding interface instead of a service policy in monitor-only mode. The traffic-forwarding interface sends all traffic directly to the ASA CX module, bypassing the ASA.
We modified the following screen: Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > ASA CX Inspection.
The traffic-forwarding feature is supported by CLI only.
|
Support for the ASA CX module and NAT 64
|
You can now use NAT 64 in conjunction with the ASA CX module.
We did not modify any ASDM screens.
|
NetFlow Features
|
Support for NetFlow flow-update events and an expanded set of NetFlow templates
|
In addition to adding the flow-update events, there are now NetFlow templates that allow you to track flows that experience a change to their IP version with NAT, as well as IPv6 flows that remain IPv6 after NAT.
Two new fields were added for IPv6 translation support.
Several NetFlow field IDs were changed to their IPFIX equivalents.
For more information, see the Cisco ASA Implementation Note for NetFlow Collectors.
|
Firewall Features
|
EtherType ACL support for IS-IS traffic (transparent firewall mode)
|
In transparent firewall mode, the ASA can now pass IS-IS traffic using an EtherType ACL.
We modified the following screen: Configuration > Device Management > Management Access > EtherType Rules.
Also available in 8.4(5).
|
Decreased the half-closed timeout minimum value to 30 seconds
|
The half-closed timeout minimum value for both the global timeout and connection timeout was lowered from 5 minutes to 30 seconds to provide better DoS protection.
We modified the following screens:
Configuration > Firewall > Service Policy Rules > Connection Settings
Configuration > Firewall > Advanced > Global Timeouts.
|
Remote Access Features
|
IKE security and performance improvements
|
The number of IPsec-IKE security associations (SAs) can be limited for IKE v1 now, as well as IKE v2.
We modified the following screen: Configuration > Site-to-Site VPN > Advanced > IKE Parameters.
|
The IKE v2 Nonce size has been increased to 64 bytes.
There are no ASDM screen or CLI changes.
|
For IKE v2 on Site-to-Site, a new algorithm ensures that the encryption algorithm used by child IPsec SAs is not higher strength than the parent IKE. Higher strength algorithms will be downgraded to the IKE level.
This new algorithm is enabled by default. We recommend that you do not disable this feature.
We did not modify any ASDM screens.
|
For Site-to-Site, IPsec data-based rekeying can be disabled.
We modified the following screen: Configuration > Site-to-Site > IKE Parameters.
|
Improved Host Scan and ASA Interoperability
|
Host Scan and the ASA use an improved process to transfer posture attributes from the client to the ASA. This gives the ASA more time to establish a VPN connection with the client and apply a dynamic access policy.
Also available in 8.4(5).
|
Clientless SSL VPN:
Windows 8 Support
|
This release adds support for Windows 8 x86 (32-bit) and Windows 8 x64 (64-bit) operating systems.
We support the following browsers on Windows 8:
•Internet Explorer 10 (desktop only)
•Firefox (all supported Windows 8 versions)
•Chrome (all supported Windows 8 versions)
See the following limitations:
•Internet Explorer 10:
–The Modern (AKA Metro) browser is not supported.
–If you enable Enhanced Protected Mode, we recommend that you add the ASA to the trusted zone.
–If you enable Enhanced Protected Mode, Smart Tunnel and Port Forwarder are not supported.
•A Java Remote Desktop Protocol (RDP) plugin connection to a Windows 8 PC is not supported.
Also available in 9.0(2).
|
Cisco Secure Desktop:
Windows 8 Support
|
CSD 3.6.6215 was updated to enable selection of Windows 8 in the Prelogin Policy operating system check.
See the following limitations:
•Secure Desktop (Vault) is not supported with Windows 8.
Also available in 9.0(2).
|
Dynamic Access Policies:
Windows 8 Support
|
ASDM was updated to enable selection of Windows 8 in the DAP Operating System attribute.
Also available in 9.0(2).
|
Monitoring Features
|
NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for Xlate count.
|
Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP.
This data is equivalent to the show xlate count command.
We did not modify any ASDM screens.
Also available in 8.4(5).
|
NSEL
|
Flow-update events have been introduced to provide periodic byte counters for flow traffic. You can change the time interval at which flow-update events are sent to the NetFlow collector. You can filter to which collectors flow-update records will be sent.
We modified the following screens:
Configuration > Device Management > Logging > NetFlow.
Configuration > Firewall > Service Policy Rules > Add Service Policy Rule Wizard - Rule Actions > NetFlow > Add Flow Event
Also available in 8.4(5).
|
New Features in Version 7.1(2.102)
Released: April 29, 2013
Table 3 lists the new features for ASA Version 8.4(6)/ASDM Version 7.1(2.102).
Table 3 New Features for ASA Version 8.4(6)/ASDM Version 7.1(2.102)
Feature
|
Description
|
Monitoring Features
|
Ability to view top 10 memory users
|
You can now view the top bin sizes allocated and the top 10 PCs for each allocated bin size. Previously, you had to enter multiple commands to see this information (the show memory detail command and the show memory binsize command); the new command provides for quicker analysis of memory issues.
No ASDM changes were made.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
|
CPU profile enhancements
|
The cpu profile activate command now supports the following:
•Delayed start of the profiler until triggered (global or specific thread CPU %)
•Sampling of a single thread
No ASDM changes were made.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
|
Remote Access Features
|
user-storage value command password is now encrypted in show commands
|
The password in the user-storage value command is now encrypted when you enter show running-config.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > More Options > Session Settings.
This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
|
New Features in Version 7.1(2)
Released: February 25, 2013
Table 4 lists the new features for ASA Version 9.0(2)/ASDM Version 7.1(2).
Note Features added in 8.4(4.x), 8.4(5), and 8.4(6) are not included in 9.0(2) unless they were listed in the 9.0(1) feature table.
Table 4 New Features for ASA Version 9.0(2)/ASDM Version 7.1(2)
Feature
|
Description
|
Remote Access Features
|
Clientless SSL VPN:
Windows 8 Support
|
This release adds support for Windows 8 x86 (32-bit) and Windows 8 x64 (64-bit) operating systems.
We support the following browsers on Windows 8:
•Internet Explorer 10 (desktop only)
•Firefox (all supported Windows 8 versions)
•Chrome (all supported Windows 8 versions)
See the following limitations:
•Internet Explorer 10:
–The Modern (AKA Metro) browser is not supported.
–If you enable Enhanced Protected Mode, we recommend that you add the ASA to the trusted zone.
–If you enable Enhanced Protected Mode, Smart Tunnel and Port Forwarder are not supported.
•A Java Remote Desktop Protocol (RDP) plugin connection to a Windows 8 PC is not supported.
|
Cisco Secure Desktop:
Windows 8 Support
|
CSD 3.6.6215 was updated to enable selection of Windows 8 in the Prelogin Policy operating system check.
See the following limitations:
•Secure Desktop (Vault) is not supported with Windows 8.
|
Dynamic Access Policies:
Windows 8 Support
|
ASDM was updated to enable selection of Windows 8 in the DAP Operating System attribute.
|
Management Features
|
The default Telnet password was removed
|
To improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet. Note: The login password is only used for Telnet if you do not configure Telnet user authentication.
Formerly, when you cleared the password, the ASA restored the default of "cisco." Now when you clear the password, the password is removed.
The login password is also used for Telnet sessions from the switch to the ASA SM (see the session command). For initial ASA SM access, you must use the service-module session command, until you set a login password.
We did not modify any ASDM screens.
|
New Features in Version 7.1(1)
Released: December 3, 2012
Table 5 lists the new features for ASA Version 9.1(1)/ASDM Version 7.1(1).
Note Features added in 8.4(4.x), 8.4(5), 8.4(6), and 9.0(2) are not included in 9.1(1) unless they were listed in the 9.0(1) feature table.
Table 5 New Features for ASA Version 9.1(1)/ASDM Version 7.1(1)
Feature
|
Description
|
Module Features
|
Support for the ASA CX SSP for the ASA 5512-X through ASA 5555-X
|
We introduced support for the ASA CX SSP software module for the ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X. The ASA CX software module requires a Cisco solid state drive (SSD) on the ASA. For more information about the SSD, see the ASA 5500-X hardware guide.
We did not modify any screens.
|
Upgrading the Software
This section describes how to upgrade to the latest version and includes the following topics:
•Upgrade Path and Migrations
•Viewing Your Current Version
•Downloading the Software from Cisco.com
•Upgrading a Standalone Unit
•Upgrading a Failover Pair or ASA Cluster
Note For CLI procedures, see the ASA documentation.
Upgrade Path and Migrations
•If you are upgrading from a pre-8.3 release:
–See the Cisco ASA 5500 Migration Guide to Version 8.3 and Later for important information about migrating your configuration.
•If you are upgrading from a pre-9.0 release, see the migration section in the 9.0 release notes for configuration migration information.
•Software Version Requirements for Zero Downtime Upgrading:
The units in a failover configuration or ASA cluster should have the same major (first number) and minor (second number) software version. However, you do not need to maintain version parity on the units during the upgrade process; you can have different versions on the software running on each unit and still maintain failover support. To ensure long-term compatibility and stability, we recommend upgrading all units to the same version as soon as possible.
Table 1-6 shows the supported scenarios for performing zero-downtime upgrades.
Table 1-6 Zero-Downtime Upgrade Support
Type of Upgrade
|
Support
|
Maintenance Release
|
You can upgrade from any maintenance release to any other maintenance release within a minor release.
For example, you can upgrade from 7.0(1) to 7.0(4) without first installing the maintenance releases in between.
|
Minor Release
|
You can upgrade from a minor release to the next minor release. You cannot skip a minor release.
For example, you can upgrade from 7.0 to 7.1. Upgrading from 7.0 directly to 7.2 is not supported for zero-downtime upgrades; you must first upgrade to 7.1. For models that are not supported on a minor release, you can skip the minor release; for example, for the ASA 5585-X, you can upgrade from 8.2 to 8.4 (the model is not supported on 8.3).
|
Major Release
|
You can upgrade from the last minor release of the previous version to the next major release.
For example, you can upgrade from 7.2 to 8.0, assuming that 7.2 is the last minor version in the 7.x release series.
Note Zero-downtime upgrades are possible, even when feature configuration is migrated, for example, from 8.2 to 8.3.
|
Viewing Your Current Version
The software version appears on the ASDM home page; view the home page to verify the software version of your ASA.
Downloading the Software from Cisco.com
If you are using the ASDM Upgrade Wizard, you do not have to pre-download the software. If you are manually upgrading, for example for a failover upgrade, download the images to your local computer.
If you have a Cisco.com login, you can obtain the OS and ASDM images from the following website:
http://www.cisco.com/cisco/software/navigator.html?mdfid=279513386
Upgrading a Standalone Unit
Note This section describes how to install the ASDM and operating system (OS) imagesIf the ASA is running Version 8.0 or later, then you can upgrade to the latest version of ASDM (and disconnect and reconnect to start running it) before upgrading the OS. The exception is for ASA versions that are not supported by the latest ASDM version; for example, ASA 8.5. In that case, follow the instructions for pre-8.0 versions (ASDM 5.2 and earlier).
If the ASA is running a version earlier than 8.0, then use the already installed version of ASDM to upgrade both the OS and ASDM to the latest versions, and then reload.
•Upgrading from Your Local Computer (ASDM 6.0 or Later)
•Upgrading Using the Cisco.com Wizard (ASDM 6.3 or Later)
•Upgrading Using the Cisco.com Wizard (ASDM 6.0 Through ASDM 6.2)
•Upgrading from Your Local Computer (ASDM 5.2 or Earlier)
Upgrading from Your Local Computer (ASDM 6.0 or Later)
The Upgrade Software from Local Computer tool lets you upload an image file from your computer to the flash file system to upgrade the ASA.
To upgrade software from your computer, perform the following steps:
Step 1 (If there is a configuration migration) In ASDM, back up your existing configuration using the Tools > Backup Configurations tool.
Step 2 In the main ASDM application window, choose Tools > Upgrade Software from Local Computer.
The Upgrade Software dialog box appears.
Step 3 From the Image to Upload drop-down list, choose ASDM.
Step 4 In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.
Step 5 In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.
Step 6 Click Upload Image. The uploading process might take a few minutes.
Step 7 Repeat Step 2 through Step 6, choosing ASA from the Image to Upload drop-down list. You can also use this procedure to upload other file types.
Step 8 Configure the ASA to use the new images.
a. Choose Configuration > Device Management > System/Image Configuration > Boot Image/Configuration.
b. In the Boot Configuration table, click Add to add the new image (if you have fewer than four images listed); or you can choose an existing image and click Edit to change it to the new one.
If you do not specify an image, the ASA searches the internal flash memory for the first valid image to boot; we recommend booting from a specific image.
c. Click Browse Flash, choose the OS image, and click OK.
d. Click OK to return to the Boot Image/Configuration pane.
e. Make sure the new image is the first image in the table by using the Move Up button as needed.
f. In the ASDM Image Configuration area, click Browse Flash, choose the ASDM image, and click OK.
g. Click Apply.
Step 9 Choose File > Save Running Configuration to Flash to save your configuration changes.
Step 10 Choose Tools > System Reload to reload the ASA.
A new window appears that asks you to verify the details of the reload. Click the Save the running configuration at the time of reload radio button, choose a time to reload (for example, Now), and click Schedule Reload.
Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.
Step 11 After the ASA reloads, restart ASDM.
Upgrading Using the Cisco.com Wizard (ASDM 6.3 or Later)
The Upgrade Software from Cisco.com Wizard lets you automatically upgrade the ASDM and ASA to more current versions.
In this wizard, you can do the following:
•Choose an ASA image file and/or ASDM image file to upgrade.
Note ASDM downloads the latest image version, which includes the build number. For example, if you are downloading 8.4(2), the dowload might be 8.4(2.8). This behavior is expected, so you may proceed with the planned upgrade.
•Review the upgrade changes that you have made.
•Download the image or images and install them.
•Review the status of the installation.
•If the installation completed successfully, restart the ASA to save the configuration and complete the upgrade.
Detailed Steps
Step 1 (If there is a configuration migration) In ASDM, back up your existing configuration using the Tools > Backup Configurations tool.
Step 2 Choose Tools > Check for ASA/ASDM Updates.
In multiple context mode, access this menu from the System.
The Cisco.com Authentication dialog box appears.
Step 3 Enter your assigned Cisco.com username and the Cisco.com password, and then click Login.
The Cisco.com Upgrade Wizard appears.
Note If there are no upgrade available, a dialog box appears. Click OK to exit the wizard.
Step 4 Click Next to display the Select Software screen.
The current ASA version and ASDM version appear.
Step 5 To upgrade the ASA version and ASDM version, perform the following steps:
a. In the ASA area, check the Upgrade to check box, and then choose an ASA version to which you want to upgrade from the drop-down list.
b. In the ASDM area, check the Upgrade to check box, and then choose an ASDM version to which you want to upgrade from the drop-down list.
Step 6 Click Next to display the Review Changes screen.
Step 7 Verify the following items:
•The ASA image file and/or ASDM image file that you have downloaded are the correct ones.
•The ASA image file and/or ASDM image file that you want to upload are the correct ones.
•The correct ASA boot image has been selected.
Step 8 Click Next to start the upgrade installation.
You can then view the status of the upgrade installation as it progresses.
The Results screen appears, which provides additional details, such as the upgrade installation status (success or failure).
During the upgrade process from Version 8.2(1) to Version 8.3(1), the following files are automatically saved to flash memory:
•The startup configuration
•The per-context configuration
•The bootup error log, which includes any migration messages
If there is insufficient memory to save the configuration files, an error message appears on the console of the ASA and is saved in the bootup error log file. All previously saved configuration files are also removed.
Step 9 If the upgrade installation succeeded, for the upgrade versions to take effect, check the Save configuration and reload device now check box to restart the ASA, and restart ASDM.
Step 10 Click Finish to exit the wizard and save the configuration changes that you have made.
Note To upgrade to the next higher version, if any, you must restart the wizard.
Upgrading Using the Cisco.com Wizard (ASDM 6.0 Through ASDM 6.2)
Detailed Steps
Step 1 (If there is a configuration migration) In ASDM, back up your existing configuration using the Tools > Backup Configurations tool.
Step 2 From the Tools menu, choose Tools > Upgrade Software from Cisco.com.
In multiple context mode, access this menu from the System.
The Upgrade Software from Cisco.com Wizard appears.
Step 3 Click Next.
The Authentication screen appears.
Step 4 Enter your Cisco.com username and password, and click Next.
The Image Selection screen appears.
Step 5 Check the Upgrade the ASA version check box and the Upgrade the ASDM version check box to specify the most current images to which you want to upgrade, and click Next.
The Selected Images screen appears.
Step 6 Verify that the image file you have selected is the correct one, and then click Next to start the upgrade.
The wizard indicates that the upgrade will take a few minutes. You can then view the status of the upgrade as it progresses.
The Results screen appears. This screen provides additional details, such as whether the upgrade failed or whether you want to save the configuration and reload the ASA.
If you upgraded the ASA version and the upgrade succeeded, an option to save the configuration and reload the ASA appears.
Step 7 Click Yes.
For the upgrade versions to take effect, you must save the configuration, reload the ASA, and restart ASDM.
Step 8 Click Finish to exit the wizard when the upgrade is finished.
Step 9 After the ASA reloads, restart ASDM.
Upgrading from Your Local Computer (ASDM 5.2 or Earlier)
Detailed Steps
Step 1 (If there is a configuration migration) In ASDM, back up your existing configuration. For example, choose File > Show Running Configuration in New Window to open the configuration as an HTML page. You can also use one of the File > Save Running Configuration options.
Step 2 Choose Tools > Upgrade Software.
Step 3 From the Image to Upload drop-down list, choose ASDM.
Step 4 Click Browse Local Files, and browse to the ASDM image you downloaded from Cisco.com.
Step 5 Click Browse Flash to determine where to install the new ASDM image.
The Browse Flash dialog box appears. Choose the new location, and click OK. If you do not have room for both the current image and the new image, you can install over the current image.
Step 6 Click Upload Image.
Wait for the image to upload. An information window appears that indicates a successful upload.
Step 7 Repeat Step 2 through Step 6, choosing ASA from the Image to Upload drop-down list.
Step 8 Click Close to exit the Upgrade Software dialog box.
Step 9 Configure the ASA to use the new images.
a. Choose Configuration > Properties > Device Administration > Boot Image/Configuration.
b. In the Boot Configuration table, click Add to add the new image (if you have fewer than four images listed); or you can choose an existing image and click Edit to change it to the new one.
If you do not specify an image, the ASA searches the internal flash memory for the first valid image to boot; we recommend booting from a specific image.
c. Click Browse Flash, choose the OS image, and click OK.
d. Click OK to return to the Boot Image/Configuration pane.
e. Make sure the new image is the first image in the table by using the Move Up button as needed.
f. In the ASDM Image Configuration area, click Browse Flash, choose the ASDM image, and click OK.
g. Click Apply.
Step 10 Choose File > Save Running Configuration to Flash to save your configuration changes.
Step 11 Choose Tools > System Reload to reload the ASA.
A new window appears that asks you to verify the details of the reload. Click the Save the running configuration at the time of reload radio button, choose a time to reload (for example, Now), and click Schedule Reload.
Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.
Step 12 After the ASA reloads, restart ASDM.
Upgrading a Failover Pair or ASA Cluster
•Upgrading an Active/Standby Failover Pair
•Upgrading an Active/Active Failover Pair
•Upgrading an ASA Cluster
Upgrading an Active/Standby Failover Pair
To upgrade the Active/Standby failover pair, perform the following steps.
Detailed Steps
Step 1 (If there is a configuration migration) In ASDM, back up your existing configuration using the Tools > Backup Configurations tool.
Step 2 On the active unit, in the main ASDM application window, choose Tools > Upgrade Software from Local Computer.
The Upgrade Software dialog box appears.
Step 3 From the Image to Upload drop-down list, choose ASDM.
Step 4 In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.
Step 5 In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.
Step 6 Click Upload Image. The uploading process might take a few minutes.
Step 7 Repeat Step 2 through Step 6, choosing ASA from the Image to Upload drop-down list.
Step 8 Configure the ASA to use the new images.
a. Choose Configuration > Device Management > System/Image Configuration > Boot Image/Configuration.
b. In the Boot Configuration table, click Add to add the new image (if you have fewer than four images listed); or you can choose an existing image and click Edit to change it to the new one.
If you do not specify an image, the ASA searches the internal flash memory for the first valid image to boot; we recommend booting from a specific image.
c. Click Browse Flash, choose the OS image, and click OK.
d. Click OK to return to the Boot Image/Configuration pane.
e. Make sure the new image is the first image in the table by using the Move Up button as needed.
f. In the ASDM Image Configuration area, click Browse Flash, choose the ASDM image, and click OK.
g. Click Apply.
Step 9 Choose File > Save Running Configuration to Flash to save your configuration changes.
Step 10 Connect ASDM to the standby unit, and upload the ASA and ASDM software according to Step 2 through Step 7, using the same file locations you used on the active unit.
Step 11 Choose Tools > System Reload to reload the standby ASA.
A new window appears that asks you to verify the details of the reload. Click the Save the running configuration at the time of reload radio button, choose a time to reload (for example, Now), and click Schedule Reload.
Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.
Step 12 After the standby ASA reloads, restart ASDM and connect to the standby unit to make sure it is running.
Step 13 Connect ASDM to the active unit again.
Step 14 Force the active unit to fail over to the standby unit by choosing Monitoring > Properties > Failover > Status, and clicking Make Standby.
Step 15 Choose Tools > System Reload to reload the (formerly) active ASA.
A new window appears that asks you to verify the details of the reload. Click the Save the running configuration at the time of reload radio button, choose a time to reload (for example, Now), and click Schedule Reload.
Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.
After the ASA comes up, it will now be the standby unit.
Upgrading an Active/Active Failover Pair
To upgrade two units in an Active/Active failover configuration, perform the following steps.
Requirements
Perform these steps in the system execution space.
Detailed Steps
Step 1 (If there is a configuration migration) In ASDM, back up your existing configuration using the Tools > Backup Configurations tool.
Step 2 On the primary unit, in the main ASDM application window, choose Tools > Upgrade Software from Local Computer.
The Upgrade Software dialog box appears.
Step 3 From the Image to Upload drop-down list, choose ASDM.
Step 4 In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.
Step 5 In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.
Step 6 Click Upload Image. The uploading process might take a few minutes.
Step 7 Repeat Step 2 through Step 6, choosing ASA from the Image to Upload drop-down list.
Step 8 Configure the ASA to use the new images.
a. Choose Configuration > Device Management > System/Image Configuration > Boot Image/Configuration.
b. In the Boot Configuration table, click Add to add the new image (if you have fewer than four images listed); or you can choose an existing image and click Edit to change it to the new one.
If you do not specify an image, the ASA searches the internal flash memory for the first valid image to boot; we recommend booting from a specific image.
c. Click Browse Flash, choose the OS image, and click OK.
d. Click OK to return to the Boot Image/Configuration pane.
e. Make sure the new image is the first image in the table by using the Move Up button as needed.
f. In the ASDM Image Configuration area, click Browse Flash, choose the ASDM image, and click OK.
g. Click Apply.
Step 9 Choose File > Save Running Configuration to Flash to save your configuration changes.
Step 10 Make both failover groups active on the primary unit by choosing Monitoring > Failover > Failover Group #, where # is the number of the failover group you want to move to the primary unit, and clicking Make Active.
Step 11 Connect ASDM to the secondary unit, and upload the ASA and ASDM software according to Step 2 through Step 7, using the same file locations you used on the active unit.
Step 12 Choose Tools > System Reload to reload the secondary ASA.
A new window appears that asks you to verify the details of the reload. Click the Save the running configuration at the time of reload radio button, choose a time to reload (for example, Now), and click Schedule Reload.
Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.
Step 13 Connect ASDM to the primary unit, and check when the secondary unit reloads by choosing Monitoring > Failover > System.
Step 14 After the secondary unit comes up, force the primary unit to fail over to the secondary unit by choosing Monitoring > Properties > Failover > System, and clicking Make Standby.
Step 15 Choose Tools > System Reload to reload the (formerly) active ASA.
A new window appears that asks you to verify the details of the reload. Click the Save the running configuration at the time of reload radio button, choose a time to reload (for example, Now), and click Schedule Reload.
Once the reload is in progress, a Reload Status window appears that indicates that a reload is being performed. An option to exit ASDM is also provided.
If the failover groups are configured with Preempt Enabled, they automatically become active on their designated unit after the preempt delay has passed. If the failover groups are not configured with Preempt Enabled, you can return them to active status on their designated units using the Monitoring > Failover > Failover Group # pane.
Upgrading an ASA Cluster
To upgrade all units in an ASA cluster, perform the following steps on the master unit. For multiple context mode, perform these steps in the system execution space.
Detailed Steps
Step 1 Launch ASDM on the master unit.
Step 2 (If there is a configuration migration) In ASDM, back up your existing configuration using the Tools > Backup Configurations tool.
Step 3 In the main ASDM application window, choose Tools > Upgrade Software from Local Computer.
The Upgrade Software from Local Computer dialog box appears.
Step 4 Click the All devices in the cluster radio button.
Step 5 From the Image to Upload drop-down list, choose the new image file.
Step 6 In the Local File Path field, enter the local path to the file on your computer or click Browse Local Files to find the file on your PC.
Step 7 In the Flash File System Path field, enter the path to the flash file system or click Browse Flash to find the directory or file in the flash file system.
Step 8 Click Upload Image. The uploading process might take a few minutes; make sure you wait until it is finished.
Step 9 Choose Tools > System Reload.
The System Reload dialog box appears.
Step 10 Reload each slave unit one at a time by choosing a slave unit name in the Device drop-down list, and then clicking Schedule Reload to reload the unit now.
To avoid connection loss and allow traffic to stabilize, wait for each unit to come back up (approximately 5 minutes) before reloading the next unit. To view when a unit rejoins the cluster, see the Monitoring > ASA Cluster > Cluster Summary pane.
Step 11 After all slave units have reloaded, disable clustering on the master unit by choosing Configuration > Device Management > High Availability and Scalability > ASA Cluster, uncheck the Participate in ASA cluster check box, and click Apply.
Wait for 5 minutes for a new master to be selected and traffic to stabilize. When the former master unit rejoins the cluster, it will be a slave.
Do not save the configuration; when the master unit reloads, you want clustering to be enabled on it.
Step 12 Choose Tools > System Reload and reload the master unit from the System Reload dialog box by choosing --This Device-- from the Device drop-down list.
Step 13 Quit and restart ASDM; you will reconnect to the new master unit.
Unsupported Commands
ASDM supports almost all commands available for the adaptive ASA, but ASDM ignores some commands in an existing configuration. Most of these commands can remain in your configuration; see Tools > Show Commands Ignored by ASDM on Device for more information.
This section includes the following topics:
•Ignored and View-Only Commands
•Effects of Unsupported Commands
•Discontinuous Subnet Masks Not Supported
•Interactive User Commands Not Supported by the ASDM CLI Tool
Ignored and View-Only Commands
Table 7 lists commands that ASDM supports in the configuration when added through the CLI, but that cannot be added or edited in ASDM. If ASDM ignores the command, it does not appear in the ASDM GUI at all. If the command is view-only, then it appears in the GUI, but you cannot edit it.
Table 7 List of Unsupported Commands
Unsupported Commands
|
ASDM Behavior
|
capture
|
Ignored.
|
coredump
|
Ignored. This can be configured only using the CLI.
|
crypto engine large-mod-accel
|
Ignored.
|
dhcp-server (tunnel-group name general-attributes)
|
ASDM only allows one setting for all DHCP servers.
|
eject
|
Unsupported.
|
established
|
Ignored.
|
failover timeout
|
Ignored.
|
fips
|
Ignored.
|
nat-assigned-to-public-ip
|
Ignored.
|
pager
|
Ignored.
|
pim accept-register route-map
|
Ignored. You can configure only the list option using ASDM.
|
service-policy global
|
Ignored if it uses a match access-list class. For example:
access-list myacl extended permit ip any any
service-policy mypm global
|
set metric
|
Ignored.
|
sysopt nodnsalias
|
Ignored.
|
sysopt uauth allow-http-cache
|
Ignored.
|
terminal
|
Ignored.
|
threat-detection rate
|
Ignored.
|
Effects of Unsupported Commands
If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected. To view the unsupported commands, choose Tools > Show Commands Ignored by ASDM on Device.
Discontinuous Subnet Masks Not Supported
ASDM does not support discontinuous subnet masks such as 255.255.0.255. For example, you cannot use the following:
ip address inside 192.168.2.1 255.255.0.255
Interactive User Commands Not Supported by the ASDM CLI Tool
The ASDM CLI tool does not support interactive user commands. If you enter a CLI command that requires interactive confirmation, ASDM prompts you to enter "[yes/no]" but does not recognize your input. ASDM then times out waiting for your response.
For example:
1. Choose Tools > Command Line Interface.
2. Enter the crypto key generate rsa command.
ASDM generates the default 1024-bit RSA key.
3. Enter the crypto key generate rsa command again.
Instead of regenerating the RSA keys by overwriting the previous one, ASDM displays the following error:
Do you really want to replace them? [yes/no]:WARNING: You already have RSA
ke0000000000000$A key
Input line must be less than 16 characters in length.
%Please answer 'yes' or 'no'.
Do you really want to replace them [yes/no]:
%ERROR: Timed out waiting for a response.
ERROR: Failed to create new RSA keys names <Default-RSA-key>
Workaround:
•You can configure most commands that require user interaction by means of the ASDM panes.
•For CLI commands that have a noconfirm option, use this option when entering the CLI command. For example:
crypto key generate rsa noconfirm
Open Caveats
•Open Caveats in 7.1(3)
•Open Caveats in 7.1(2.102)
•Open Caveats in 7.1(2)
•Open Caveats in 7.1(1)
Open Caveats in 7.1(3)
Table 8 contains open caveats in ASDM software Version 7.1(3).
Registered Cisco.com users can view more information about each caveat by using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolkit/
Table 8 Open Caveats in ASDM Version 7.1(3)
Caveat
|
Description
|
CSCuf91463
|
ASDM resending the same passcode during OTP authentication - failing it
|
Open Caveats in 7.1(2.102)
Table 9 contains open caveats in ASDM software Version 7.1(2.102).
Registered Cisco.com users can view more information about each caveat by using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolkit/
Table 9 Open Caveats in ASDM Version 7.1(2.102)
Caveat
|
Description
|
CSCug28975
|
network objects not available for VPN RA wizzard
|
CSCug00061
|
Multiple naming-attributes not yet supported ASDM indicates otherwise
|
CSCuf93527
|
ASDM: HA/Scalability Wizard cannot be prompted by clicking "Launch"
|
CSCuf91463
|
ASDM resending the same passcode during OTP authentication - failing it
|
CSCuf66309
|
ASDM: inside interface does not exist error during TFTP copy
|
CSCuf66300
|
ASDM 7.1 config bookmarks causes confusion for KCD and SharePoint use
|
CSCuf60336
|
ASDM: Unable to handle names in DNS servers
|
CSCuf47673
|
ASA-SM/ASDM: non-admin context may require auth multiple times
|
CSCuf16865
|
Bug CSCtl22199 needs added clarity
|
CSCue73337
|
Clicking Refresh after Make Standby in ASDM would cause switchover again
|
CSCue63828
|
Unable to config failover via ASDM due to Firmware version check failure
|
CSCue48827
|
ASA Local CA server add user-db in ASDM fails if blank line Subject (DN)
|
CSCue46483
|
ASDM shows incomplete ASA connection table entries
|
Open Caveats in 7.1(2)
Table 10 contains open caveats in ASDM software Version 7.1(2).
Registered Cisco.com users can view more information about each caveat by using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolkit/
Table 10 Open Caveats in ASDM Version 7.1(2)
Caveat
|
Description
|
CSCud40686
|
Entering Incorrect Credentials Makes the ASDM Hang
|
CSCud68382
|
Java Web Start may not work on MacOS
|
CSCud75192
|
client profile not properly bound to group policy
|
CSCud80033
|
ASDM: Cannot specify "anyconnect profiles none" in webvpn group-policy
|
CSCud96465
|
HTTP authen: username greater than 50 characters failed
|
CSCue17774
|
ASDM Loses Connectivity after 24 hrs when Monitoring some Traffic's.
|
CSCue31262
|
ASDM: cannot configure BIOS check in DAP
|
CSCue48827
|
ASA Local CA server add user-db in ASDM fails if blank line Subject (DN)
|
Open Caveats in 7.1(1)
Table 11 contains open caveats in ASDM software Version 7.1(1).
Registered Cisco.com users can view more information about each caveat by using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolkit/
Table 11 Open Caveats in ASDM Version 7.1(1)
Caveat
|
Description
|
CSCud07583
|
ASDM 7.0 ASA 9.0 multi context L2L needs more explicit warning/error.
|
CSCud10835
|
ASDM "run demo" opens a new box with unreadable characters.
|
CSCud24825
|
Need to add prompt "cluster-unit" option
|
CSCud35180
|
Access Rule Lookup in Real-Time Log Viewer Does Not Support Global ACL
|
CSCud03239
|
ASDM 7.1.1: Host Scan Image section - Instructions incorrect
|
CSCud67542
|
ASDM does not detect IPS module in ASA 5512-X and 5515-X
|
CSCud72575
|
Unable to add a sub-interface
|
Resolved Caveats
•Resolved Caveats in 7.1(3)
•Resolved Caveats in 7.1(2.102)
•Resolved Caveats in 7.1(2)
•Resolved Caveats in 7.1(1)
Resolved Caveats in 7.1(3)
Table 12 contains the resolved caveats in ASDM software Version 7.1(3).
Registered Cisco.com users can view more information about each caveat by using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolkit/
Table 12 Resolved Caveats in ASDM Version 7.1(3)
Caveat
|
Description
|
CSCuc07375
|
ASDM Add User Account attribute stuck in loop
|
CSCud51020
|
ASDM not clearing xlates when making NAT changes
|
CSCud80033
|
ASDM: Cannot specify "anyconnect profiles none" in webvpn group-policy
|
CSCue31262
|
ASDM: cannot configure BIOS check in DAP
|
CSCue46483
|
ASDM shows incomplete ASA connection table entries
|
CSCue48763
|
AnyConnect Connection Profiles doesn't show group-policy in ASDM
|
CSCue48827
|
ASA Local CA server add user-db in ASDM fails if blank line Subject (DN)
|
CSCue63828
|
Unable to config failover via ASDM due to Firmware version check failure
|
CSCue73337
|
Clicking Refresh after Make Standby in ASDM would cause switchover again
|
CSCue97613
|
Unable to adjust SNMP CPU Utilization and Monitoring Interval in ASDM
|
CSCuf16865
|
Bug CSCtl22199 needs added clarity
|
CSCuf47673
|
ASA-SM/ASDM: non-admin context may require auth multiple times
|
CSCuf60336
|
ASDM: Unable to handle names in DNS servers
|
CSCuf66300
|
ASDM 7.1 config bookmarks causes confusion for KCD and SharePoint use
|
CSCuf66309
|
ASDM: inside interface does not exist error during TFTP copy
|
CSCuf66741
|
ASDM: Crypto trustpool import fails with error
|
CSCuf93527
|
ASDM: HA/Scalability Wizard cannot be prompted by clicking "Launch"
|
CSCug00061
|
Multiple naming-attributes not yet supported ASDM indicates otherwise
|
CSCug28975
|
network objects not available for VPN RA wizzard
|
Resolved Caveats in 7.1(2.102)
We did not resolve any caveats in this release.
Resolved Caveats in 7.1(2)
Table 13 contains the resolved caveats in ASDM software Version 7.1(2).
Registered Cisco.com users can view more information about each caveat by using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolkit/
Table 13 Resolved Caveats in ASDM Version 7.1(2)
Caveat
|
Description
|
CSCub14386
|
Upgrade image to whole cluster: sometime fail to copy images
|
CSCud07583
|
ASDM 7.0 ASA 9.0 multi context L2L needs more explicit warning/error.
|
CSCud35180
|
Access Rule Lookup in Real-Time Log Viewer Does Not Support Global ACL
|
CSCud45909
|
asdm empty Vendor field when setting dap policy for anti-spyware
|
CSCud46446
|
Checkbox text too long to cause usability problem
|
CSCud46473
|
ASDM 7 doesn't save logical operation value for DAP entries
|
CSCud48451
|
ASDM: Enabling Route Tracking defaults route metric 128
|
CSCud55732
|
Unexpected configuration tag 'timeout-alert' appears when booting ASA
|
CSCud77692
|
User Accounts has two Identity tree nodes
|
CSCud83155
|
PPPOE interface shows up as static and not available for VPN connection
|
CSCud89093
|
NAT64: Need to error message for incorrect manual nat64
|
CSCud96486
|
A status popup should be dismissed after adding cluster member
|
CSCue05073
|
Display warning when admin selectis SSLv3 options
|
CSCue06198
|
Adding a unit through the wizard changes master's cluster config
|
CSCue06218
|
Cannot re-add unit to cluster via High Availability & Scalability wizard
|
CSCue46483
|
ASDM shows incomplete ASA connection table entries
|
CSCue53719
|
ASA Cluster node is missing under System in multi mode
|
Resolved Caveats in 7.1(1)
Table 14 contains the resolved caveats in ASDM software Version 7.1(1).
Registered Cisco.com users can view more information about each caveat by using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolkit/
Table 14 Resolved Caveats in ASDM Version 7.1(1)
Caveat
|
Description
|
CSCsw98659
|
IPv6: Restore the default value of "DAD Attempts", "Reachable Time".
|
CSCsz56544
|
ASDM: Implement the ability to better sort ACL's
|
CSCtk48070
|
Make the IPv4/IPv6 view options for ACLs sticky
|
CSCtq19131
|
Clientless WebVPN-Delete bookmark which in use-error msg not consistent
|
CSCtt24721
|
False Error when Manually Enabling Anonymous Reporting the First Time
|
CSCtw48086
|
IPv4 to be made as default for Access Rules/ACL Manager
|
CSCtx17400
|
ENH:space availability in flash should be checked before transfer starts
|
CSCty23077
|
Deferred update - ASDM
|
CSCtz88888
|
ASDM Falcon: Make the IP address in the ASA CX/PRSM URL configurable
|
CSCtz91753
|
UI mis-alignment in ASDM w/ Win 2008 R2 and Java 1.7
|
CSCua79518
|
Horizontal scroll bar is needed for Interface panel of HA cluster wizard
|
CSCub14334
|
ASA-CX startup wizard panel does not display mask and gateway
|
CSCub22142
|
ASACX - Display ASA CX dashboard with deivce info and interface status
|
CSCub32255
|
Java Error in VPN Load Balance
|
CSCub43701
|
Need online help on Torino
|
CSCub52216
|
ASA fails to select DAP record when checking for device type Endpoint ID
|
CSCuc09172
|
Cluster Dashboard: allow the user to resize the table vertically
|
CSCuc37658
|
ASDM Services panel fails to locate Service Object with Where Used btn
|
CSCuc59446
|
IPv6/IPv4 option missing when configuring network object
|
CSCuc61363
|
Improper column sizing for File Management Panel
|
CSCuc63797
|
Static policy nat is not working in ASDM 6.49-103
|
CSCuc68351
|
ASDM truncates regular expression in username-from-certificate script
|
CSCuc77445
|
Design change on ASDM when cluster is configured without cluster license
|
CSCuc81697
|
ASDM changes AES to DES in IKEv1 policy
|
CSCuc93858
|
Add deprecation message to Secure Desktop setup panel
|
CSCuc97140
|
Torino: service policy for CX redirect, destination fields don't match
|
CSCuc97192
|
Torino: ASDM ignored commands shown for valid ASA commands
|
CSCud02591
|
Dynamic NAT using names may not be displayed properly
|
CSCud03838
|
ASDM 7.0 warning "uploaded file is not a valid ASA-SM image" on 9.0.1
|
CSCud05948
|
New iPads device type needs to be added to DAP
|
CSCud06933
|
AnyConnect Connection Profiles with external group-policy in ASDM
|
CSCud09472
|
ASDM 7.0.2 doesn't recognize "trustpoint" keyword in View/Clear CRL
|
CSCud10605
|
ASDM: restrict aes-gmac IPSec encryption for AnyConnect IPSec Proposals
|
CSCud16594
|
ASDM 7.0 Edit Bookmark Window empty
|
CSCud20548
|
ASDM 7.0 does not display unidirectional NAT rules with service.
|
CSCud25139
|
Config >RA VPN>Clientless SSL VPN Access>Portal>Bookmarks assign issue
|
CSCud30081
|
ASDM Torino: Change release notes link
|
CSCud32116
|
ASDM Torinio: Service Policy Rules help link is not correct
|
CSCud32117
|
Postpone ASDM Enhancement to VDI
|
End-User License Agreement
For information about the end-user license agreement, go to:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Related Documentation
For additional information about ASDM or its platforms, see Navigating the Cisco ASA Series Documentation:
http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html
Obtaining Software, Documentation, and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
©2012-2013 Cisco Systems, Inc. All rights reserved.
Feedback
