Cisco ASA New Features

This document lists new features for each release.

Note

New, changed, and deprecated syslog messages are listed in the syslog message guide.


New Features in Version 9.10

New Features in ASA 9.10(1)/ASDM 7.10(1)

Released: October 25, 2018

Feature

Description

Platform Features

ASAv VHD custom images for Azure

You can now create your own custom ASAv images on Azure using a compressed VHD image available from Cisco. To deploy using a VHD image, you upload the VHD image to your Azure storage account. Then, you can create a managed image using the uploaded disk image and an Azure Resource Manager template. Azure templates are JSON files that contain resource descriptions and parameter definitions.

ISA 3000 support for FirePOWER module Version 6.3

The previous supported version was FirePOWER 5.4.

Firewall Features

Cisco Umbrella support

You can configure the device to redirect DNS requests to Cisco Umbrella, so that your Enterprise Security policy defined in Cisco Umbrella can be applied to user connections. You can allow or block connections based on FQDN, or for suspicious FQDNs, you can redirect the user to the Cisco Umbrella intelligent proxy, which can perform URL filtering. The Umbrella configuration is part of the DNS inspection policy.

New/Modified commands: umbrella, umbrella-global, token, public-key, timeout edns, dnscrypt, show service-policy inspect dns detail

New/Modified screens:

Configuration > Firewall > Objects > Umbrella, Configuration > Firewall > Objects > Inspect Maps > DNS
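
The following configuration is an added example, not part of the Cisco document, showing how the commands listed above fit together into a DNS inspection policy. The token string, the tag name BRANCH-POLICY and the policy-map name UMBRELLA_DNS_MAP are placeholders; global_policy and inspection_default are the ASA default names.

```cisco
! Added example (not from the Cisco release notes): redirect DNS to Cisco Umbrella
! via DNS inspection, ASA 9.10(1). Token, tag and policy-map names are placeholders.
umbrella-global
 ! API token from the Umbrella dashboard; registers this ASA with your organization.
 token 0123456789ABCDEF0123456789ABCDEF
!
policy-map type inspect dns UMBRELLA_DNS_MAP
 parameters
  message-length maximum client auto
  message-length maximum 512
  ! tag selects the Umbrella policy to apply. fail-open lets DNS resolve normally
  ! (unfiltered) if Umbrella is unreachable; omit it where enforcement matters
  ! more than availability.
  umbrella tag BRANCH-POLICY fail-open
  ! Encrypt the redirected queries with DNSCrypt (uses the built-in Umbrella
  ! public key unless public-key is set under umbrella-global).
  dnscrypt
!
! Attach the map to the default global inspection class.
policy-map global_policy
 class inspection_default
  inspect dns UMBRELLA_DNS_MAP
!
service-policy global_policy global
!
! Verify registration, redirected/blocked counters and the DNSCrypt state:
! show service-policy inspect dns detail
```

Two things to weigh before relying on this: without dnscrypt the redirected queries leave the ASA in cleartext, and fail-open means an attacker who can make Umbrella unreachable also removes the filtering. The intelligent proxy terminates TLS for the suspicious domains it fronts, so, as with any Umbrella proxy deployment, clients need the Umbrella root CA installed to avoid certificate warnings.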

GTP inspection enhancements for MSISDN and Selection Mode filtering, anti-replay, and user spoofing protection

You can now configure GTP inspection to drop Create PDP Context messages based on Mobile Station International Subscriber Directory Number (MSISDN) or Selection Mode. You can also implement anti-replay and user spoofing protection.

New/Modified commands: anti-replay, gtp-u-header-check, match msisdn, match selection-mode

New/Modified screens:

Configuration > Firewall > Objects > Inspection Maps > GTP > Add/Edit dialog box

Default idle timeout for TCP state bypass

The default idle timeout for TCP state bypass connections is now 2 minutes instead of 1 hour.
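
An added example, not part of the Cisco document, showing where the idle timeout for state-bypass flows is set so that the new default does not surprise you. The addresses, port and object names are placeholders.

```cisco
! Added example (not from the Cisco release notes): TCP state bypass with an
! explicit idle timeout, ASA 9.10(1). Addresses, port and names are placeholders.
!
! Scope bypass to the asymmetric flows that need it; never "permit tcp any any".
! Bypassed flows skip TCP normalization, sequence number randomization and
! application inspection, so the match should be as narrow as possible.
access-list TCP_BYPASS extended permit tcp 10.1.1.0 255.255.255.0 host 10.2.2.25 eq 1521
!
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
!
policy-map TCP_BYPASS_POLICY
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
  ! From 9.10(1) the default idle timeout for these flows is 0:02:00 (was 1:00:00).
  ! Pin it explicitly if long-idle sessions depended on the old default.
  set connection timeout idle 1:00:00
!
service-policy TCP_BYPASS_POLICY interface inside
!
! Bypassed connections carry the "b" flag:
! show conn detail
```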

Support for removing the logout button from the cut-through proxy login page

If you configure the cut-through proxy to obtain user identity information (the AAA authentication listener), you can now remove the logout button from the page. This is useful in cases where users connect from behind a NAT device and cannot be distinguished by IP address: when one user logs out, it logs out all users of that IP address.

New/Modified commands: aaa authentication listener no-logout-button

No ASDM support.

Also in 9.8(3).

TrustSec SXP connection configurable delete hold-down timer

The default SXP connection delete hold-down timer is 120 seconds. You can now configure this timer in the range 120 to 64000 seconds.

New/Modified commands: cts sxp delete-hold-down period, show cts sxp connection brief, show cts sxp connections

No ASDM support.

Also in 9.8(3).

Support for offloading NAT'ed flows in transparent mode

If you are using flow offload (the flow-offload enable and set connection advanced-options flow-offload commands), offloaded flows can now include flows that require NAT in transparent mode.

Support for transparent mode deployment for a Firepower 4100/9300 ASA logical device

You can now specify transparent or routed mode when you deploy the ASA on a Firepower 4100/9300.

New/Modified FXOS commands: enter bootstrap-key FIREWALL_MODE , set value routed , set value transparent

New/Modified Firepower Chassis Manager screens:

Logical Devices > Add Device > Settings

New/Modified options: Firewall Mode drop-down list

VPN Features

Support for legacy SAML authentication

If you deploy an ASA with the fix for CSCvg65072, then the default SAML behavior is to use the embedded browser, which is not supported on AnyConnect 4.4 or 4.5. Therefore, to continue to use AnyConnect 4.4 or 4.5, you must enable the legacy external browser SAML authentication method. Because of security limitations, use this option only as part of a temporary plan to migrate to AnyConnect 4.6 (or later). This option will be deprecated in the near future.

New/Modified commands: saml external-browser

New/Modified screens:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles page > Connection Profiles area > Add button > Add AnyConnect Connection Profile dialog box

Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles page > Connection Profiles area > Add button > Add Clientless SSL VPN Connection Profile dialog box

New/Modified options: SAML External Browser check box

Also in 9.8(3).

DTLS 1.2 support for AnyConnect VPN remote access connections

DTLS 1.2, as defined in RFC 6347, is now supported for AnyConnect remote access in addition to the previously supported DTLS 1.0 (the 1.1 version number is not used for DTLS). This applies to all ASA models except the ASA 5506-X series, and only when the ASA acts as a DTLS server, not as a client. DTLS 1.2 supports additional ciphers, as well as all current TLS/DTLS ciphers, and a larger cookie size.

New/Modified commands: show run ssl, show vpn-sessiondb detail anyconnect ssl cipher, ssl server-version

New/Modified screens: Configuration > Remote Access VPN > Advanced > SSL Settings
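
An added example, not part of the Cisco document, of enabling DTLS 1.2 and restricting both the TLS control channel and the DTLS data channel to version 1.2 with strong cipher suites. The ssl cipher lines are not part of the feature entry above; the dtlsv1.2 keyword for ssl cipher is assumed to be available in 9.10(1).

```cisco
! Added example (not from the Cisco release notes): DTLS 1.2 for AnyConnect,
! ASA 9.10(1). The "ssl cipher dtlsv1.2" keyword is an assumption, not listed above.
!
! Control channel TLS 1.2 only; data channel DTLS 1.2 only (no DTLS 1.0 fallback).
ssl server-version tlsv1.2 dtlsv1.2
!
! "high" restricts both channels to AES-256 suites with SHA-2 hashing.
ssl cipher tlsv1.2 high
ssl cipher dtlsv1.2 high
!
! Confirm the running configuration and what live sessions negotiated
! (look for a DTLS-Tunnel line with a 1.2 cipher in the session detail):
! show run ssl
! show vpn-sessiondb detail anyconnect
```

Clients that cannot negotiate DTLS 1.2 will fail DTLS setup and carry the data channel over the TLS tunnel instead, which works but performs worse for real-time traffic; check the session detail for sessions with no DTLS-Tunnel before making the restriction permanent.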

High Availability and Scalability Features

Cluster control link customizable IP Address for the Firepower 4100/9300

By default, the cluster control link uses the 127.2.0.0/16 network. You can now set the network when you deploy the cluster in FXOS. The chassis auto-generates the cluster control link interface IP address for each unit based on the chassis ID and slot ID: 127.2.chassis_id.slot_id. However, some networking deployments do not allow 127.2.0.0/16 traffic to pass. Therefore, you can now set a custom /16 subnet for the cluster control link in FXOS except for loopback (127.0.0.0/8) and multicast (224.0.0.0/4) addresses.

New/Modified FXOS commands: set cluster-control-link network

New/Modified Firepower Chassis Manager screens:

Logical Devices > Add Device > Cluster Information

New/Modified options: CCL Subnet IP field

Parallel joining of cluster units per Firepower 9300 chassis

For the Firepower 9300, this feature ensures that the security modules in a chassis join the cluster simultaneously, so that traffic is evenly distributed between the modules. If a module joins very much in advance of other modules, it can receive more traffic than desired, because the other modules cannot yet share the load.

New/Modified commands: unit parallel-join

New/Modified screens:

Configuration > Device Management > High Availability and Scalability > ASA Cluster

New/Modified options: Parallel Join of Units Per Chassis area

Cluster interface debounce time now applies to interfaces changing from a down state to an up state

When an interface status update occurs, the ASA waits the number of milliseconds specified in the health-check monitor-interface debounce-time command or on the ASDM Configuration > Device Management > High Availability and Scalability > ASA Cluster screen before marking the interface as failed and removing the unit from the cluster. This debounce now also applies to interfaces changing from a down state to an up state. For example, when an EtherChannel transitions from down to up (because the switch reloaded, or the switch enabled the EtherChannel), a longer debounce time prevents the interface from appearing failed on one cluster unit just because another cluster unit was faster at bundling the ports.

We did not modify any commands.

We did not modify any screens.

Active/Backup High Availability for ASAv on Microsoft Azure Government Cloud

The stateless Active/Backup solution that allows for a failure of the active ASAv to trigger an automatic failover of the system to the backup ASAv in the Microsoft Azure public cloud is now available in the Azure Government Cloud.

New or modified command: failover cloud

New or modified screens: Configuration > Device Management > High Availability and Scalability > Failover

Monitoring > Properties > Failover > Status

Monitoring > Properties > Failover > History

Interface Features

show interface ip brief and show ipv6 interface output enhancement to show the supervisor association for the Firepower 2100/4100/9300

For the Firepower 2100/4100/9300, the output of these commands is enhanced to indicate the supervisor association status of the interfaces.

New/Modified commands: show interface ip brief, show ipv6 interface

The set lacp-mode command was changed to set port-channel-mode on the Firepower 2100

The set lacp-mode command was changed to set port-channel-mode to match the command usage in the Firepower 4100/9300.

New/Modified FXOS commands: set port-channel-mode

Administrative and Troubleshooting Features

Support for NTP Authentication on the Firepower 2100

You can now configure SHA1 NTP server authentication in FXOS.

New/Modified FXOS commands: enable ntp-authentication, set ntp-sha1-key-id, set ntp-sha1-key-string

New/Modified Firepower Chassis Manager screens:

Platform Settings > NTP

New/Modified options: NTP Server Authentication: Enable check box, Authentication Key field, Authentication Value field

Packet capture support for matching IPv6 traffic without using an ACL

If you use the match keyword for the capture command, the any keyword only matches IPv4 traffic. You can now specify any4 and any6 keywords to capture either IPv4 or IPv6 traffic. The any keyword continues to match only IPv4 traffic.

New/Modified commands: capture match

No ASDM support.
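
An added example, not part of the Cisco document, illustrating the IPv4-only behaviour of the any keyword and the new any4/any6 keywords. The interface name, capture names and port are placeholders.

```cisco
! Added example (not from the Cisco release notes): IPv6 in packet captures,
! ASA 9.10(1). Interface, capture and ACL names are placeholders.
!
! Pitfall: "any" matches IPv4 only, so this capture never sees IPv6 traffic,
! which is an easy way to miss IPv6 activity during an investigation.
capture CAP_V4_ONLY interface inside match ip any any
!
! IPv6 needs any6 (or explicit IPv6 addresses), e.g. TLS to any IPv6 server:
capture CAP_V6 interface inside match tcp any6 any6 eq 443
!
! Explicit IPv4 with the new any4 keyword (same result as "any" today):
capture CAP_V4 interface inside match ip any4 any4
!
! To catch both address families in one capture, use an ACL instead of match:
access-list CAP_BOTH extended permit ip any4 any4
access-list CAP_BOTH extended permit ip any6 any6
capture CAP_BOTH interface inside access-list CAP_BOTH
!
! Review, then remove the capture so it does not keep consuming buffer memory:
! show capture CAP_V6
! no capture CAP_V6
```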

Support for public key authentication for SSH to FXOS on the Firepower 2100

You can set an SSH public key so that you can use public key authentication instead of, or in addition to, password authentication.

New/Modified FXOS commands: set sshkey

No Firepower Chassis Manager support.

Support for GRE and IPinIP encapsulation

When you capture packets on an interface, the show capture output now displays GRE and IPinIP encapsulation for ICMP, UDP, TCP, and other encapsulated protocols.

New/Modified commands: show capture

Support to enable memory threshold that restricts application cache allocations

You can enable a memory threshold that restricts application cache allocations once free memory drops to that threshold, so that memory is reserved to keep the device stable and manageable.

New/Modified commands: memory threshold enable, show run memory threshold, clear configure memory threshold

Support for RFC 5424 logging timestamp

You can enable the logging timestamp as per RFC 5424 format.

New/Modified command: logging timestamp

Support to display memory usage of TCB-IPS

Displays the application-level memory cache usage for TCB-IPS.

New/Modified command: show memory app-cache

New Features in Version 9.9

New Features in ASDM 7.9(2.152)

Released: May 9, 2018

Feature

Description

VPN Features

Support for legacy SAML authentication

If you deploy an ASA with the fix for CSCvg65072, then the default SAML behavior is to use the embedded browser, which is not supported on AnyConnect 4.4 or 4.5. Therefore, to continue to use AnyConnect 4.4 or 4.5, you must enable the legacy external browser SAML authentication method. Because of security limitations, use this option only as part of a temporary plan to migrate to AnyConnect 4.6. This option will be deprecated in the near future.

New/Modified screens:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles page > Connection Profiles area > Add button > Add AnyConnect Connection Profile dialog box

Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles page > Connection Profiles area > Add button > Add Clientless SSL VPN Connection Profile dialog box

New/Modified options: SAML External Browser check box

New Features in ASA 9.9(2)/ASDM 7.9(2)

Released: March 26, 2018

Feature

Description

Platform Features

ASAv support for VMware ESXi 6.5

The ASAv virtual platform supports hosts running on VMware ESXi 6.5. New VMware hardware versions have been added to the vi.ovf and esxi.ovf files to enable optimal performance and usability of the ASAv on ESXi 6.5.

We did not modify any commands.

We did not modify any screens.

ASAv support for VMXNET3 interfaces

The ASAv virtual platform supports VMXNET3 interfaces on VMware hypervisors.

We did not modify any commands.

We did not modify any screens.

ASAv support for virtual serial console on first boot

You can now configure the ASAv to use the virtual serial console on first boot, instead of the virtual VGA console, to access and configure the ASAv.

New or Modified commands: console serial

ASAv support to update user-defined routes in more than one Azure subscription for High Availability on Microsoft Azure

You can now configure the ASAv in an Azure High Availability configuration to update user-defined routes in more than one Azure subscription.

New or Modified commands: failover cloud route-table

New or modified screens: Configuration > Device Management > High Availability and Scalability > Failover > Route-Table

VPN Features

Remote Access VPN multi-context support extended to IKEv2 protocol

You can now configure the ASA to allow AnyConnect and third-party standards-based IPsec IKEv2 VPN clients to establish remote access VPN sessions to an ASA operating in multiple-context mode.

IPv6 connectivity to Radius Servers

ASA 9.9(2) now supports IPv6 connectivity to external RADIUS AAA servers.

Easy VPN Enhancements for BVI Support

Easy VPN has been enhanced to support a Bridged Virtual Interface (BVI) as its internal secure interface, and you can now configure the internal secure interface directly using the new vpnclient secure interface [interface-name] command.

A physical interface, or a Bridged Virtual Interface can be assigned as the internal secure interface. If this is not set by the administrator, Easy VPN will choose its internal secure interface using security levels as before, whether it is an independent physical interface or a BVI.

Also, management services, such as telnet, http, and ssh, can now be configured on a BVI if management access has been enabled on that BVI.

New or Modified commands: vpnclient secure interface [interface-name], https, telnet, ssh, management-access

Distributed VPN Session Improvements

  • The Active Session Redistribution logic, which balances Distributed S2S VPN active and backup sessions, has been improved. Also, the balancing process may be repeated up to eight times in the background for a single cluster redistribute vpn-sessiondb command entered by the administrator.

  • The handling of dynamic Reverse Route Injections (RRI) across the cluster has been improved.

High Availability and Scalability Features

Automatically rejoin the cluster after an internal failure

Formerly, many error conditions caused a cluster unit to be removed from the cluster, and you were required to manually rejoin the cluster after resolving the issue. Now, a unit will attempt to rejoin the cluster automatically at the following intervals by default: 5 minutes, 10 minutes, and then 20 minutes. These values are configurable. Internal failures include: application sync timeout; inconsistent application statuses; and so on.

New or Modified commands: health-check system auto-rejoin, show cluster info auto-join

New or modified screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Auto Rejoin

Configurable debounce time to mark an interface as failed for the ASA 5500-X series

You can now configure the debounce time before the ASA considers an interface to be failed and the unit is removed from the cluster on the ASA 5500-X series. This feature allows for faster detection of interface failures. Note that configuring a lower debounce time increases the chances of false-positives. When an interface status update occurs, the ASA waits the number of milliseconds specified before marking the interface as failed and the unit is removed from the cluster. The default debounce time is 500 ms, with a range of 300 ms to 9 seconds. This feature was previously available for the Firepower 4100/9300.

New or modified command: health-check monitor-interface debounce-time

New or modified screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

Show transport related statistics for cluster reliable transport protocol messages

You can now view per-unit cluster reliable transport buffer usage so you can identify packet drop issues when the buffer is full in the control plane.

New or modified command: show cluster info transport cp detail

Show failover history from peer unit

You can now view failover history from the peer unit using the details keyword. This includes failover state changes and the reason for each state change.

New or modified command: show failover

Administrative Features

RSA key pair supports 3072-bit keys

You can now set the modulus size to 3072.

New or modified command: crypto key generate rsa modulus

New or modified screen: Configuration > Device Management > Certificate Management > Identity Certificates

The FXOS bootstrap configuration now sets the enable password

When you deploy the ASA on the Firepower 4100/9300, the password setting in the bootstrap configuration now sets the enable password as well as the admin user password. Requires FXOS Version 2.3.1.

Monitoring and Troubleshooting Features

SNMP IPv6 support

The ASA now supports SNMP over IPv6, including communicating with SNMP servers over IPv6, allowing the execution of queries and traps over IPv6, and supporting IPv6 addresses for existing MIBs. We added the following new SNMP IPv6 MIB objects as described in RFC 8096.

  • ipv6InterfaceTable (OID: 1.3.6.1.2.1.4.30)—Contains per-interface IPv6-specific information.

  • ipAddressPrefixTable (OID: 1.3.6.1.2.1.4.32)—Includes all the prefixes learned by this entity.

  • ipAddressTable (OID: 1.3.6.1.2.1.4.34)—Contains addressing information relevant to the entity's interfaces.

  • ipNetToPhysicalTable (OID: 1.3.6.1.2.1.4.35)—Contains the mapping from IP addresses to physical addresses.

New or modified command: snmp-server host

Note 

The snmp-server host-group command does not support IPv6.

New or modified screen: Configuration > Device Management > Management Access > SNMP
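
An added example, not part of the Cisco document, of pointing the ASA at an IPv6 SNMP manager. It uses SNMPv3 with authentication and privacy rather than a community string; the interface name, addresses, user name and passphrases are placeholders.

```cisco
! Added example (not from the Cisco release notes): SNMPv3 polling and traps to
! an IPv6 manager, ASA 9.9(2). Addresses, names and passphrases are placeholders.
!
! v3 with auth and priv; v1/v2c community strings cross the wire in cleartext,
! and moving to IPv6 transport does nothing to change that.
snmp-server group V3-PRIV v3 priv
snmp-server user nms-poller V3-PRIV v3 auth sha Auth-Passphrase-Placeholder priv aes 256 Priv-Passphrase-Placeholder
!
! IPv6 manager reachable via the inside interface; allowed to poll and receives traps.
snmp-server host inside 2001:db8:10::53 version 3 nms-poller
!
! snmp-server host-group does not accept IPv6 (see the note above), so list
! each IPv6 manager with its own snmp-server host line.
snmp-server enable traps snmp linkup linkdown
!
! From the manager, walk the new tables, e.g. ipAddressTable (1.3.6.1.2.1.4.34),
! to confirm IPv6 addressing data is returned.
```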

Conditional Debugging to troubleshoot a single user session

Conditional debugging now lets you isolate the debug output of specific ASA VPN sessions based on the filter conditions that you set. The filters support "any, any" for both IPv4 and IPv6 subnets.

New Features in ASDM 7.9(1.151)

Released: February 14, 2018

There are no new features in this release.

New Features in ASA 9.9(1)/ASDM 7.9(1)

Released: December 4, 2017

Feature

Description

Firewall Features

Ethertype access control list changes

EtherType access control lists now support Ethernet II IPX (EII IPX). In addition, new keywords are added to the DSAP keyword to support common DSAP values: BPDU (0x42), IPX (0xE0), Raw IPX (0xFF), and ISIS (0xFE). Consequently, existing EtherType access control entries that use the BPDU or ISIS keywords will be converted automatically to use the DSAP specification, and rules for IPX will be converted to 3 rules (DSAP IPX, DSAP Raw IPX, and EII IPX). In addition, packet capture that uses IPX as an EtherType value has been deprecated, because IPX corresponds to 3 separate EtherTypes.

New or modified command: access-list ethertype added the new keywords eii-ipx and dsap {bpdu | ipx | isis | raw-ipx } ; capture ethernet-type no longer supports the ipx keyword.

New or modified screen: Configuration > Firewall > Ethertype Rules.
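
An added example, not part of the Cisco document, of an EtherType ACL written with the 9.9(1) keywords for a transparent-mode bridge group member. The ACL and interface names are placeholders.

```cisco
! Added example (not from the Cisco release notes): EtherType rules using the
! 9.9(1) DSAP keywords on a transparent-mode interface. Names are placeholders.
!
! Pass spanning-tree BPDUs so the switches on either side can still break loops
! (an older "permit bpdu" entry is rewritten to this form on upgrade).
access-list INSIDE_ETHER ethertype permit dsap bpdu
!
! Keep legacy IPX off the bridged segment. IPX arrives in three framings, so it
! takes three rules; this is also what an older "deny ipx" entry becomes on
! upgrade to 9.9(1).
access-list INSIDE_ETHER ethertype deny dsap ipx
access-list INSIDE_ETHER ethertype deny dsap raw-ipx
access-list INSIDE_ETHER ethertype deny eii-ipx
!
! Any other non-IP EtherType hits the implicit deny at the end of the list.
! IPv4/IPv6 are governed by the extended ACLs, not by this list.
access-group INSIDE_ETHER in interface inside
```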

VPN Features

Distributed Site-to-Site VPN with clustering on the Firepower 9300

An ASA cluster on the Firepower 9300 supports Site-to-Site VPN in distributed mode. Distributed mode provides the ability to have many Site-to-Site IPsec IKEv2 VPN connections distributed across members of an ASA cluster, not just on the master unit (as in centralized mode). This significantly scales VPN support beyond Centralized VPN capabilities and provides high availability. Distributed S2S VPN runs on a cluster of up to two chassis, each containing up to three modules (six total cluster members), each module supporting up to 6K active sessions (12K total), for a maximum of approximately 36K active sessions (72K total).

New or modified commands: cluster redistribute vpn-sessiondb, show cluster vpn-sessiondb, vpn mode, show cluster resource usage, show vpn-sessiondb, show connection detail, show crypto ikev2

New or modified screens:

Monitoring > ASA Cluster > ASA Cluster > VPN Cluster Summary

Monitoring > VPN > VPN Statistics > Sessions > Slave

Configuration > Device Management > High Availability and Scalability > ASA Cluster

Wizards > Site-to-Site

Monitoring > VPN > VPN Statistics > Sessions

Monitoring > ASA Cluster > ASA Cluster > VPN Cluster Summary

Monitoring > ASA Cluster > ASA Cluster > System Resource Graphs > CPU/Memory

Monitoring > Logging > Real-Time Log Viewer

High Availability and Scalability Features

Active/Backup High Availability for ASAv on Microsoft Azure

A stateless Active/Backup solution that allows for a failure of the active ASAv to trigger an automatic failover of the system to the backup ASAv in the Microsoft Azure public cloud.

New or modified command: failover cloud

New or modified screens: Configuration > Device Management > High Availability and Scalability > Failover

Monitoring > Properties > Failover > Status

Monitoring > Properties > Failover > History

Also in 9.8(1.200).

Improved chassis health check failure detection for the Firepower chassis

You can now configure a lower holdtime for the chassis health check: 100 ms. The previous minimum was 300 ms.

New or modified command: app-agent heartbeat interval

No ASDM support.

Inter-site redundancy for clustering

Inter-site redundancy ensures that a backup owner for a traffic flow will always be at the other site from the owner. This feature guards against site failure.

New or modified commands: site-redundancy, show asp cluster counter change, show asp table cluster chash-table, show conn flag

New or modified screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

Monitoring and Troubleshooting Features

Enhanced packet tracer and packet capture capabilities

The packet tracer has been enhanced with the following features:

  • Trace a packet when it passes between cluster units.

  • Allow simulated packets to egress the ASA.

  • Bypass security checks for a simulated packet.

  • Treat a simulated packet as an IPsec/SSL decrypted packet.

The packet capture has been enhanced with the following features:

  • Capture packets after they are decrypted.

  • Capture traces and retain them in the persistent list.

New or modified commands: cluster exec capture test trace include-decrypted, cluster exec capture test trace persist, cluster exec clear packet-tracer, cluster exec show packet-tracer id, cluster exec show packet-tracer origin, packet-tracer persist, packet-tracer transmit, packet-tracer decrypted, packet-tracer bypass-checks

New or modified screens:

Tools > Packet Tracer

We added the Cluster Capture field to support these options: decrypted, persist, bypass-checks, transmit

We added two new options in the Filter By view under the All Sessions drop-down list: Origin and Origin-ID

Monitoring > VPN > VPN Statistics > Packet Tracer and Capture

We added the ICMP Capture field in the Packet Capture Wizard screen: Wizards > Packet Capture Wizard

We added the include-decrypted and persist options to support ICMP Capture.

New Features in Version 9.8

New Features in ASA 9.8(3)/ASDM 7.9(2.152)

Released: July 2, 2018

Feature

Description

Platform Features

Firepower 2100 Active LED now lights amber when in standby mode

Formerly, the Active LED was unlit in standby mode.

Firewall Features

Support for removing the logout button from the cut-through proxy login page

If you configure the cut-through proxy to obtain user identity information (the AAA authentication listener), you can now remove the logout button from the page. This is useful in cases where users connect from behind a NAT device and cannot be distinguished by IP address: when one user logs out, it logs out all users of that IP address.

New/Modified commands: aaa authentication listener no-logout-button

No ASDM support.

TrustSec SXP connection configurable delete hold-down timer

The default SXP connection delete hold-down timer is 120 seconds. You can now configure this timer in the range 120 to 64000 seconds.

New/Modified commands: cts sxp delete-hold-down period, show cts sxp connection brief, show cts sxp connections

No ASDM support.

VPN Features

Support for legacy SAML authentication

If you deploy an ASA with the fix for CSCvg65072, then the default SAML behavior is to use the embedded browser, which is not supported on AnyConnect 4.4 or 4.5. Therefore, to continue to use AnyConnect 4.4 or 4.5, you must enable the legacy external browser SAML authentication method. Because of security limitations, use this option only as part of a temporary plan to migrate to AnyConnect 4.6. This option will be deprecated in the near future.

New/Modified commands: saml external-browser

New/Modified screens:

Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles page > Connection Profiles area > Add button > Add AnyConnect Connection Profile dialog box

Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles page > Connection Profiles area > Add button > Add Clientless SSL VPN Connection Profile dialog box

New/Modified options: SAML External Browser check box

New Features in ASDM 7.8(2.151)

Released: October 12, 2017

Feature

Description

Firewall Features

Ethertype access control list changes

EtherType access control lists now support Ethernet II IPX (EII IPX). In addition, new keywords are added to the DSAP keyword to support common DSAP values: BPDU (0x42), IPX (0xE0), Raw IPX (0xFF), and ISIS (0xFE). Consequently, existing EtherType access control entries that use the BPDU or ISIS keywords will be converted automatically to use the DSAP specification, and rules for IPX will be converted to 3 rules (DSAP IPX, DSAP Raw IPX, and EII IPX). In addition, packet capture that uses IPX as an EtherType value has been deprecated, because IPX corresponds to 3 separate EtherTypes.

This feature is supported in 9.8(2.9) and other interim releases. For more information, see CSCvf57908.

We modified the following commands: access-list ethertype added the new keywords eii-ipx and dsap {bpdu | ipx | isis | raw-ipx}; capture ethernet-type no longer supports the ipx keyword.

We modified the following screens: Configuration > Firewall > Ethertype Rules.

New Features in ASA 9.8(2)/ASDM 7.8(2)

Released: August 28, 2017

Feature

Description

Platform Features

ASA for the Firepower 2100 series

We introduced the ASA for the Firepower 2110, 2120, 2130, and 2140. Similar to the Firepower 4100 and 9300, the Firepower 2100 runs the base FXOS operating system and then the ASA operating system as an application. The Firepower 2100 implementation couples FXOS more closely with the ASA than the Firepower 4100 and 9300 do (pared down FXOS functions, single device image bundle, easy management access for both ASA and FXOS).

FXOS owns configuring hardware settings for interfaces, including creating EtherChannels, as well as NTP services, hardware monitoring, and other basic functions. You can use the Firepower Chassis Manager or the FXOS CLI for this configuration. The ASA owns all other functionality, including Smart Licensing (unlike the Firepower 4100 and 9300). The ASA and FXOS each have their own IP address on the Management 1/1 interface, and you can configure management of both the ASA and FXOS instances from any data interface.

We introduced the following commands: connect fxos, fxos https, fxos snmp, fxos ssh, ip-client

We introduced the following screens:

Configuration > Device Management > Management Access > FXOS Remote Management

Department of Defense Unified Capabilities Approved Products List

The ASA was updated to comply with the Unified Capabilities Approved Products List (UC APL) requirements. In this release, when you enter the fips enable command, the ASA will reload. Both failover peers must be in the same FIPS mode before you enable failover.

We modified the following command: fips enable

ASAv for Amazon Web Services M4 instance support

You can now deploy the ASAv as an M4 instance.

We did not modify any commands.

We did not modify any screens.

ASAv5 1.5 GB RAM capability

Starting in Version 9.7(1), the ASAv5 may experience memory exhaustion where certain functions such as enabling AnyConnect or downloading files to the ASAv fail. You can now assign 1.5 GB (up from 1 GB) of RAM to the ASAv5.

We did not modify any commands.

We did not modify any screens.

VPN Features

HTTP Strict Transport Security (HSTS) header support

HSTS protects clientless SSL VPN websites against protocol downgrade attacks and cookie hijacking. It lets a web server declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards-track protocol specified in RFC 6797.

We introduced the following commands: hsts enable, hsts max-age age_in_seconds

We modified the following screens: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Proxies

Interface Features

VLAN support for the ASAv50

The ASAv50 now supports VLANs on the ixgbe-vf vNIC for SR-IOV interfaces.

We did not modify any commands.

We did not modify any screens.

New Features in ASA 9.8(1.200)

Released: July 30, 2017

Note

This release is only supported on the ASAv for Microsoft Azure. These features are not supported in Version 9.8(2).


Feature

Description

High Availability and Scalability Features

Active/Backup High Availability for ASAv on Microsoft Azure

A stateless Active/Backup solution that allows for a failure of the active ASAv to trigger an automatic failover of the system to the backup ASAv in the Microsoft Azure public cloud.

We introduced the following commands: failover cloud

No ASDM support.

New Features in ASDM 7.8(1.150)

Released: June 20, 2017

There are no new features in this release.

New Features in ASA 9.8(1)/ASDM 7.8(1)

Released: May 15, 2017

Feature

Description

Platform Features

ASAv50 platform

The ASAv virtual platform has added a high-end performance ASAv50 platform that provides 10 Gbps Firewall throughput levels. The ASAv50 requires ixgbe-vf vNICs, which are supported on VMware and KVM only.

SR-IOV on the ASAv platform

The ASAv virtual platform supports Single Root I/O Virtualization (SR-IOV) interfaces, which allows multiple VMs to share a single PCIe network adapter inside a host. ASAv SR-IOV support is available on VMware, KVM, and AWS only.

Automatic ASP load balancing now supported for the ASAv

Formerly, you could only manually enable and disable ASP load balancing.

We modified the following command: asp load-balance per-packet auto

We modified the following screen: Configuration > Device Management > Advanced > ASP Load Balancing

Firewall Features

Support for setting the TLS proxy server SSL cipher suite

You can now set the SSL cipher suite when the ASA acts as a TLS proxy server. Formerly, you could only set global settings for the ASA using the ssl cipher command on the Configuration > Device Management > Advanced > SSL Settings > Encryption page.

We introduced the following command: server cipher-suite

We modified the following screen: Configuration > Firewall > Unified Communications > TLS Proxy, Add/Edit dialog boxes, Server Configuration page.

Global timeout for ICMP errors

You can now set the idle time before the ASA removes an ICMP connection after receiving an ICMP echo-reply packet. When this timeout is disabled (the default), and you enable ICMP inspection, then the ASA removes the ICMP connection as soon as an echo-reply is received; thus any ICMP errors that are generated for the (now closed) connection are dropped. This timeout delays the removal of ICMP connections so you can receive important ICMP errors.

We added the following command: timeout icmp-error

We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts.

High Availability and Scalability Features

Improved cluster unit health-check failure detection

You can now configure a lower holdtime for the unit health check: 0.3 seconds minimum. The previous minimum was 0.8 seconds. This feature changes the unit health check messaging scheme from keepalives in the control plane to heartbeats in the data plane. Using heartbeats improves the reliability and responsiveness of clustering because heartbeats are not susceptible to control plane CPU hogging and scheduling delays. Note that configuring a lower holdtime increases cluster control link messaging activity. We suggest that you analyze your network before you configure a low holdtime; for example, make sure a ping from one unit to another over the cluster control link returns within holdtime/3, because three heartbeat messages are sent during one holdtime interval. If you downgrade your ASA software after setting the holdtime to 0.3 - 0.7 seconds, this setting reverts to the default of 3 seconds because the new setting is unsupported.

We modified the following commands: health-check holdtime, show asp drop cluster counter, show cluster info health details

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

Configurable debounce time to mark an interface as failed for the Firepower 4100/9300 chassis

You can now configure the debounce time before the ASA considers an interface to be failed and removes the unit from the cluster. This feature allows for faster detection of interface failures. Note that configuring a lower debounce time increases the chance of false positives. When an interface status update occurs, the ASA waits the specified number of milliseconds before marking the interface as failed and removing the unit from the cluster. The default debounce time is 500 ms, with a range of 300 ms to 9 seconds.

New or modified command: health-check monitor-interface debounce-time

New or modified screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

VPN Features

Support for IKEv2, certificate based authentication, and ACL in VTI

Virtual Tunnel Interface (VTI) now supports BGP (static VTI). You can now use IKEv2 in standalone and high availability modes. You can use certificate based authentication by setting up a trustpoint in the IPsec profile. You can also apply access lists on VTI using access-group commands to filter ingress traffic.

We introduced the following command in the IPsec profile configuration mode: set trustpoint.

We introduced options to select the trustpoint for certificate based authentication in the following screen:

Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets) > IPsec Profile > Add

Mobile IKEv2 (MobIKE) is enabled by default

Mobile devices operating as remote access clients require transparent IP address changes while moving. Supporting MobIKE on ASA allows a current IKE security association (SA) to be updated without deleting the current SA. MobIKE is “always on.”

We introduced the following command: ikev2 mobike-rrc. Used to enable/disable return routability checking.

SAML 2.0 SSO Updates

The default signing method for a signature in a SAML request changed from SHA1 to SHA2, and you can configure which signing method you prefer: rsa-sha1, rsa-sha256, rsa-sha384, or rsa-sha512.

We changed the following command in webvpn mode: saml idp signature can be configured with a value. Disabled is still the default.

We introduced changes to the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Single Sign On Servers > Add.

Change for tunnelgroup webvpn-attributes

We changed the pre-fill-username and secondary-pre-fill-username value from clientless to client.

We changed the following commands in webvpn mode: pre-fill-username and secondary-pre-fill-username can be configured with a client value.

AAA Features

Login history

By default, the login history is saved for 90 days. You can disable this feature or change the duration, up to 365 days. This feature only applies to usernames in the local database when you enable local AAA authentication for one or more of the management methods (SSH, ASDM, Telnet, and so on).

We introduced the following commands: aaa authentication login-history, show aaa login-history

We introduced the following screen: Configuration > Device Management > Users/AAA > Login History

Password policy enforcement to prohibit the reuse of passwords, and prohibit use of a password matching a username

You can now prohibit the reuse of previous passwords for up to 7 generations, and you can also prohibit the use of a password that matches a username.

We introduced the following commands: password-history, password-policy reuse-interval, password-policy username-check

We modified the following screen: Configuration > Device Management > Users/AAA > Password Policy

Separate authentication for users with SSH public key authentication and users with passwords

In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication) without also explicitly enabling AAA SSH authentication with the local user database (aaa authentication ssh console LOCAL). In 9.6(2), the ASA required you to explicitly enable AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH authentication; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies to usernames with passwords, and you can use any AAA server type (aaa authentication ssh console radius_1, for example). For instance, some users can use public key authentication using the local database, and other users can use passwords with RADIUS.

We did not modify any commands.

We did not modify any screens.

Also in Version 9.6(3).

Monitoring and Troubleshooting Features

Saving currently-running packet captures when the ASA crashes

Formerly, active packet captures were lost if the ASA crashed. Now, packet captures are saved to disk 0 at the time of the crash with the filename [context_name.]capture_name.pcap.

We did not modify any commands.

We did not modify any screens.

New Features in Version 9.7

New Features in ASDM 7.7(1.151)

Released: April 28, 2017

Note

ASDM 7.7(1.150) was removed from Cisco.com due to bug CSCvd90344.


Feature

Description

Admin Features

New background service for the ASDM upgrade tool

ASDM uses a new background service for Tools > Check for ASA/ASDM Upgrades. The older service used by earlier versions of ASDM will be discontinued by Cisco in the future.

New Features in ASA 9.7(1.4)/ASDM 7.7(1)

Released: April 4, 2017

Note

Version 9.7(1) was removed from Cisco.com due to bug CSCvd78303.


Feature

Description

Platform Features

New default configuration for the ASA 5506-X series using Integrated Routing and Bridging

A new default configuration will be used for the ASA 5506-X series. The Integrated Routing and Bridging feature provides an alternative to using an external Layer 2 switch. For users replacing the ASA 5505, which includes a hardware switch, this feature lets you replace the ASA 5505 with an ASA 5506-X or other ASA model without using additional hardware.

The new default configuration includes:

  • outside interface on GigabitEthernet 1/1, IP address from DHCP

  • inside bridge group BVI 1 with GigabitEthernet 1/2 (inside1) through 1/8 (inside7), IP address 192.168.1.1

  • inside --> outside traffic flow

  • inside --> inside traffic flow for member interfaces

  • (ASA 5506W-X) wifi interface on GigabitEthernet 1/9, IP address 192.168.10.1

  • (ASA 5506W-X) wifi <--> inside, wifi --> outside traffic flow

  • DHCP for clients on inside and wifi. The access point itself and all its clients use the ASA as the DHCP server.

  • Management 1/1 interface is Up, but otherwise unconfigured. The ASA FirePOWER module can then use this interface to access the ASA inside network and use the inside interface as the gateway to the Internet.

  • ASDM access—inside and wifi hosts allowed.

  • NAT—Interface PAT for all traffic from inside, wifi, and management to outside.

If you are upgrading, you can either erase your configuration and apply the default using the configure factory-default command, or you can manually configure a BVI and bridge group members to suit your needs. Note that to easily allow intra-bridge group communication, you need to enable the same-security-traffic permit inter-interface command (this command is already present for the ASA 5506W-X default configuration).

Alarm ports support on the ISA 3000

The ISA 3000 supports two alarm input interfaces and one alarm out interface. External sensors such as door sensors can be connected to the alarm inputs. External devices like buzzers can be connected to the alarm out interface. Triggered alarms are conveyed through two LEDs, syslogs, SNMP traps, and devices connected to the alarm out interface. You can configure descriptions of external alarms. You can also specify the severity and trigger for external and internal alarms. All alarms can be configured for relay, monitoring, and logging.

We introduced the following commands: alarm contact description, alarm contact severity, alarm contact trigger, alarm facility input-alarm, alarm facility power-supply rps, alarm facility temperature, alarm facility temperature high, alarm facility temperature low, clear configure alarm, clear facility-alarm output, show alarm settings, show environment alarm-contact.

We introduced the following screens:

Configuration > Device Management > Alarm Port > Alarm Contact

Configuration > Device Management > Alarm Port > Redundant Power Supply

Configuration > Device Management > Alarm Port > Temperature

Monitoring > Properties > Alarm > Alarm Settings

Monitoring > Properties > Alarm > Alarm Contact

Monitoring > Properties > Alarm > Facility Alarm Status

Microsoft Azure Security Center support on the ASAv10

Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper-V hypervisor. Microsoft Azure Security Center is a Microsoft orchestration and management layer on top of Azure that simplifies the deployment of a highly secure public cloud infrastructure. Integration of the ASAv into Azure Security Center allows the ASAv to be offered as a firewall option to protect Azure environments.

Precision Time Protocol (PTP) for the ISA 3000

The ISA 3000 supports PTP, a time synchronization protocol for nodes distributed across a network. It provides greater accuracy than other time synchronization protocols, such as NTP, due to its hardware timestamp feature. The ISA 3000 supports PTP forward mode, as well as the one-step, end-to-end transparent clock. We added the following commands to the default configuration to ensure that PTP traffic is not sent to the ASA FirePOWER module for inspection. If you have an existing deployment, you need to manually add these commands:

object-group service bypass_sfr_inspect
  service-object udp destination range 319 320
access-list sfrAccessList extended deny object-group bypass_sfr_inspect any any

We introduced the following commands: debug ptp, ptp domain, ptp mode e2etransparent, ptp enable, show ptp clock, show ptp internal-info, show ptp port

We introduced the following screens:

Configuration > Device Management > PTP

Monitoring > Properties > PTP

Automatic Backup and Restore for the ISA 3000

You can enable auto-backup and/or auto-restore functionality using pre-set parameters in the backup and restore commands. The use cases for these features include initial configuration from external media; device replacement; roll back to an operable state.

We introduced the following commands: backup-package location, backup-package auto, show backup-package status, show backup-package summary

No ASDM support.

Firewall Features

Support for SCTP multi-streaming reordering and reassembly and fragmentation. Support for SCTP multi-homing, where the SCTP endpoints have more than one IP address.

The system now fully supports SCTP multi-streaming reordering, reassembly, and fragmentation, which improves Diameter and M3UA inspection effectiveness for SCTP traffic. The system also supports SCTP multi-homing, where the endpoints have more than one IP address each. For multi-homing, the system opens pinholes for the secondary addresses so that you do not need to write access rules to allow them. SCTP endpoints must be limited to 3 IP addresses each.

We modified the output of the following command: show sctp detail.

We did not modify any screens.

M3UA inspection improvements.

M3UA inspection now supports stateful failover, semi-distributed clustering, and multihoming. You can also configure strict application server process (ASP) state validation and validation for various messages. Strict ASP state validation is required for stateful failover and clustering.

We added or modified the following commands: clear service-policy inspect m3ua session [assocID id], match port sctp, message-tag-validation, show service-policy inspect m3ua drop, show service-policy inspect m3ua endpoint, show service-policy inspect m3ua session, show service-policy inspect m3ua table, strict-asp-state, timeout session.

We modified the following screens: Configuration > Firewall > Objects > Inspection Maps > M3UA Add/Edit dialog boxes.

Support for TLSv1.2 in TLS proxy and Cisco Unified Communications Manager 10.5.2.

You can now use TLSv1.2 with TLS proxy for encrypted SIP or SCCP inspection with the Cisco Unified Communications Manager 10.5.2. The TLS proxy supports the additional TLSv1.2 cipher suites added as part of the client cipher-suite command.

We modified the following commands: client cipher-suite

We did not modify any screens.

Integrated Routing and Bridging

Integrated Routing and Bridging provides the ability to route between a bridge group and a routed interface. A bridge group is a group of interfaces that the ASA bridges instead of routes. The ASA is not a true bridge in that the ASA continues to act as a firewall: access control between interfaces is controlled, and all of the usual firewall checks are in place. Previously, you could only configure bridge groups in transparent firewall mode, where you cannot route between bridge groups. This feature lets you configure bridge groups in routed firewall mode, and to route between bridge groups and between a bridge group and a routed interface. The bridge group participates in routing by using a Bridge Virtual Interface (BVI) to act as a gateway for the bridge group. Integrated Routing and Bridging provides an alternative to using an external Layer 2 switch if you have extra interfaces on the ASA to assign to the bridge group. In routed mode, the BVI can be a named interface and can participate separately from member interfaces in some features, such as access rules and DHCP server.

The following features that are supported in transparent mode are not supported in routed mode: multiple context mode, ASA clustering. The following features are also not supported on BVIs: dynamic routing and multicast routing.

We modified the following commands: access-group, access-list ethertype, arp-inspection, dhcpd, mac-address-table static, mac-address-table aging-time, mac-learn, route, show arp-inspection, show bridge-group, show mac-address-table, show mac-learn

We modified the following screens:

Configuration > Device Setup > Interface Settings > Interfaces

Configuration > Device Setup > Routing > Static Routes

Configuration > Device Management > DHCP > DHCP Server

Configuration > Firewall > Access Rules

Configuration > Firewall > EtherType Rules

VM Attributes

You can define network objects to filter traffic according to attributes associated with one or more Virtual Machines (VMs) in a VMware ESXi environment managed by VMware vCenter. You can define access control lists (ACLs) to assign policies to traffic from groups of VMs sharing one or more attributes.

We added the following command: show attribute.

We added the following screen:

Configuration > Firewall > VM Attribute Agent

Stale route timeout for interior gateway protocols

You can now configure the timeout for removing stale routes for interior gateway protocols such as OSPF.

We added the following command: timeout igp stale-route.

We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts.

Network object limitations for object group search.

You can reduce the memory required to search access rules by enabling object group search with the object-group-search access-control command. When enabled, object group search does not expand network or service objects, but instead searches access rules for matches based on those group definitions.

Starting with this release, the following limitation is applied: For each connection, both the source and destination IP addresses are matched against network objects. If the number of objects matched by the source address times the number matched by the destination address exceeds 10,000, the connection is dropped.

This check is to prevent performance degradation. Configure your rules to prevent an excessive number of matches.
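The following Python model of the match-count check is an added example and is not ASA code; the network object names and prefixes are constructed, and the count of "objects matched" is approximated as the number of configured network objects whose prefixes contain the address. It shows how overlapping objects drive the source-matches times destination-matches product past the 10,000 limit, which is the condition under which the connection is dropped.

```python
import ipaddress
from typing import Dict, List

# Constructed network objects for this example; the names and prefixes are made up.
NETWORK_OBJECTS: Dict[str, List[str]] = {
    "corp-lan":    ["10.0.0.0/8"],
    "eng-subnet":  ["10.1.0.0/16"],
    "build-hosts": ["10.1.2.0/24"],
    "dmz":         ["192.0.2.0/24"],
    "web-tier":    ["192.0.2.0/26"],
    "any4":        ["0.0.0.0/0"],
}

# Limit stated in the release notes: source matches x destination matches must not exceed 10,000.
MATCH_PRODUCT_LIMIT = 10_000


def matching_objects(addr: str, objects: Dict[str, List[str]] = NETWORK_OBJECTS) -> List[str]:
    """Names of every network object containing addr; overlapping objects all count separately."""
    ip = ipaddress.ip_address(addr)
    return [
        name
        for name, prefixes in objects.items()
        if any(ip in ipaddress.ip_network(prefix, strict=False) for prefix in prefixes)
    ]


def match_product(src: str, dst: str, objects: Dict[str, List[str]] = NETWORK_OBJECTS) -> int:
    """Source-match count multiplied by destination-match count for one connection."""
    return len(matching_objects(src, objects)) * len(matching_objects(dst, objects))


def connection_allowed(src: str, dst: str,
                       objects: Dict[str, List[str]] = NETWORK_OBJECTS,
                       limit: int = MATCH_PRODUCT_LIMIT) -> bool:
    """Model of the object-group-search check: the connection is dropped when the product exceeds the limit."""
    return match_product(src, dst, objects) <= limit


def overlapping_objects(count: int, prefix: str = "10.0.0.0/24") -> Dict[str, List[str]]:
    """Build `count` objects that all contain the same prefix: the pattern that pushes the product up."""
    return {f"overlap-{i}": [prefix] for i in range(count)}


if __name__ == "__main__":
    print(match_product("10.1.2.5", "192.0.2.10"))          # 4 x 3 = 12, allowed
    big = overlapping_objects(101)
    print(match_product("10.0.0.1", "10.0.0.2", big))       # 101 x 101 = 10201, dropped
```

The constructed rule set stays far under the limit (4 x 3 = 12); it takes 101 objects that all contain both endpoints to exceed it, which is why the guidance is to consolidate heavily overlapping objects rather than to disable the check.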

Routing Features

31-bit Subnet Mask

For routed interfaces, you can configure an IP address on a 31-bit subnet for point-to-point connections. The 31-bit subnet includes only 2 addresses; normally, the first and last addresses in the subnet are reserved for the network and broadcast addresses, so a 2-address subnet is not usable. However, if you have a point-to-point connection and do not need network or broadcast addresses, a 31-bit subnet is a useful way to preserve addresses in IPv4. For example, the failover link between 2 ASAs only requires 2 addresses; any packet that is transmitted by one end of the link is always received by the other, and broadcasting is unnecessary. You can also have a directly-connected management station running SNMP or Syslog. This feature is not supported with BVIs for bridge groups or multicast routing.

We modified the following commands: ip address, http, logging host, snmp-server host, ssh

We modified the following screens:

Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > General

High Availability and Scalability Features

Inter-site clustering improvement for the ASA on the Firepower 4100/9300 chassis

You can now configure the site ID for each Firepower 4100/9300 chassis when you deploy the ASA cluster. Previously, you had to configure the site ID within the ASA application; this new feature eases initial deployment. Note that you can no longer set the site ID within the ASA configuration. Also, for best compatibility with inter-site clustering, we recommend that you upgrade to ASA 9.7(1) and FXOS 2.1.1, which includes several improvements to stability and performance.

We modified the following command: site-id

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration

Director localization: inter-site clustering improvement for data centers

To improve performance and keep traffic within a site for inter-site clustering for data centers, you can enable director localization. New connections are typically load-balanced and owned by cluster members within a given site. However, the ASA assigns the director role to a member at any site. Director localization enables additional director roles: a local director at the same site as the owner, and a global director that can be at any site. Keeping the owner and director at the same site improves performance. Also, if the original owner fails, the local director chooses a new connection owner at the same site. The global director is used if a cluster member receives packets for a connection that is owned on a different site.

We introduced or modified the following commands: director-localization, show asp table cluster chash, show conn, show conn detail

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration

Interface link state monitoring polling for failover now configurable for faster detection

By default, each ASA in a failover pair checks the link state of its interfaces every 500 msec. You can now configure the polling interval, between 300 msec and 799 msec; for example, if you set the polltime to 300 msec, the ASA can detect an interface failure and trigger failover faster.

We introduced the following command: failover polltime link-state

We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Criteria

Bidirectional Forwarding Detection (BFD) support for Active/Standby failover health monitoring on the Firepower 9300 and 4100

You can enable Bidirectional Forwarding Detection (BFD) for the failover health check between two units of an Active/Standby pair on the Firepower 9300 and 4100. Using BFD for the health check is more reliable than the default health check method and uses less CPU.

We introduced the following command: failover health-check bfd

We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup

VPN Features

Dynamic RRI for IKEv2 static crypto maps

Dynamic Reverse Route Injection occurs upon the successful establishment of IPsec Security Associations (SAs) when dynamic is specified for a crypto map. Routes are added based on the negotiated selector information and are deleted after the IPsec SAs are deleted. Dynamic RRI is supported on IKEv2-based static crypto maps only.

We modified the following command: crypto map set reverse-route.

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps > Add/Edit > Tunnel Policy (Crypto Maps) - Advanced

Virtual Tunnel Interface (VTI) support for ASA VPN module

The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces.

We introduced the following commands: crypto ipsec profile, interface tunnel, responder-only, set ikev1 transform-set, set pfs, set security-association lifetime, tunnel destination, tunnel mode ipsec, tunnel protection ipsec profile, tunnel source interface.

We introduced the following screens:

Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets) > IPsec Profile

Configuration > Site-to-Site VPN > Advanced > IPsec Proposals (Transform Sets) > IPsec Profile > Add > Add IPsec Profile

Configuration > Device Setup > Interface Settings > Interfaces > Add > VTI Interface

Configuration > Device Setup > Interface Settings > Interfaces > Add > VTI Interface > General

Configuration > Device Setup > Interface Settings > Interfaces > Add > VTI Interface > Advanced

SAML 2.0 based SSO for AnyConnect

SAML 2.0-based service provider IdP is supported in a private network. With the ASA as a gateway between the user and services, authentication on IdP is handled with a restricted anonymous webvpn session, and all traffic between IdP and the user is translated.

We added the following command: saml idp

We modified the following commands: debug webvpn saml, show saml metadata

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Single Sign On Servers > Add SSO Server.

CMPv2

To be positioned as a security gateway device in wireless LTE networks, the ASA now supports certain management functions using the Certificate Management Protocol (CMPv2).

We modified the following commands: enrollment url, keypair, auto-update, crypto-ca-trustpoint, show crypto ca server certificates, show crypto key, show tech-support

We modified the following screens: Configuration > Remote Access VPN > Certificate Management > Identity Certificates > Add an Identity Certificate

Multiple certificate authentication

You can now validate multiple certificates per session with AnyConnect SSL and IKEv2 client protocols. The Aggregate Authentication protocol has been extended to define the protocol exchange for multiple-certificate authentication and utilize this for both session types.

We modified the following command: authentication {[aaa] [certificate | multiple-certificate] | saml}

We modified the following screens:

Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Edit AnyConnect Connection Profile

Configuration > Remote Access VPN > Network Client Access > AnyConnect Connection Profiles > Edit AnyConnect Connection Profiles

Increase split-tunneling routing limit

The limit for split-tunneling routes for AC-SSL and AC-IKEv2 was increased from 200 to 1200. The IKEv1 limit was left at 200.

Smart Tunnel Support on Chrome

A new method for smart-tunnel support in the Chrome browser on Mac and Windows devices was created. A Chrome Smart Tunnel Extension has replaced the Netscape Plugin Application Programming Interface (NPAPI) plugins that are no longer supported on Chrome. If you click on a smart tunnel enabled bookmark in Chrome without the extension already being installed, you are redirected to the Chrome Web Store to obtain the extension. New Chrome installations will direct the user to the Chrome Web Store to download the extension. The extension downloads the binaries from the ASA that are required to run smart tunnel. Your usual bookmark and application configuration while using smart tunnel is unchanged other than the process of installing the new extension.

Clientless SSL VPN: Session information for all web interfaces

All web interfaces will now display details of the current session, including the user name used to login, and user privileges which are currently assigned. This will help the user be aware of the current user session and will improve user security.

Clientless SSL VPN: Validation of all cookies for web applications' sessions

All web applications will now grant access only after validating all security-related cookies. In each request, each cookie with an authentication token or a session ID will be verified before granting access to the user session. Multiple session cookies in the same request will result in the connection being dropped. Cookies with failed validations will be treated as invalid and the event will be added to the audit log.
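The validation policy described above, as an added Python example that is not ASA code: the cookie names (session_id, auth_token), the HMAC token format and the signing key are all constructed for the demo, and "multiple session cookies" is read here as more than one cookie with the same security-related name in a single request. The request is dropped in that case, every remaining security cookie must verify before the session is granted, and each failure is written to an audit list.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Hypothetical names of the security-related cookies; the page does not name the ASA's cookies.
SECURITY_COOKIES = {"session_id", "auth_token"}
# Constructed signing key for the demo; a real deployment keeps this out of source.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"
AUDIT_LOG: List[str] = []


def mint_token(subject: str, nonce: Optional[str] = None) -> str:
    """Issue a token as <subject>:<nonce>.<hmac-sha256-hex>; the MAC is what validation checks."""
    nonce = nonce or secrets.token_hex(8)
    payload = f"{subject}:{nonce}"
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_token(token: str) -> bool:
    """Recompute the MAC over the payload and compare in constant time."""
    payload, sep, mac = token.rpartition(".")
    if not sep:
        return False
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a raw Cookie header into (name, value) pairs, keeping duplicates so they can be detected."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def authorize_request(cookie_header: str) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'drop' (connection dropped) or 'deny'."""
    pairs = parse_cookie_header(cookie_header)
    security = [(n, v) for n, v in pairs if n in SECURITY_COOKIES]
    names = [n for n, _ in security]
    # Rule 1: more than one cookie for the same session name in one request -> drop the connection.
    for name in sorted(set(names)):
        if names.count(name) > 1:
            AUDIT_LOG.append(f"drop: {names.count(name)} '{name}' cookies in one request")
            return "drop", f"multiple {name} cookies"
    # Rule 2: every security-related cookie must validate; a failure is invalid and audited.
    for name, value in security:
        if not verify_token(value):
            AUDIT_LOG.append(f"deny: invalid '{name}' cookie")
            return "deny", f"invalid {name}"
    if not security:
        return "deny", "no session cookie presented"
    return "allow", "all security cookies verified"


if __name__ == "__main__":
    token = mint_token("alice")
    print(authorize_request(f"theme=dark; session_id={token}"))
    print(authorize_request(f"session_id={token}; session_id={token}"))
    print(AUDIT_LOG)
```

The duplicate check runs before any MAC is verified, so an attacker-supplied second cookie cannot be used to probe which of two values the server would have accepted; the audit entries record the cookie name, never the token value.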

AnyConnect: Maximum Connect Time Alert Interval is now supported in the Group Policy for AnyConnect VPN Client connections.

The alert interval is the amount of time before the maximum connect time is reached at which a message is displayed to the user warning of the impending termination. The valid range is 1-30 minutes; the default is 30 minutes. This option was previously supported for clientless and site-to-site VPN connections.

The following command can now be used for AnyConnect connections: vpn-session-timeout alert-interval

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add/Edit > General > More Options, adding a Maximum Connect Time Alert Interval field

AAA Features

IPv6 address support for LDAP and TACACS+ Servers for AAA

You can now use either IPv4 or IPv6 addresses for LDAP and TACACS+ servers used for AAA.

We modified the following commands: aaa-server host, test aaa-server

We modified the following screen: Configuration > Device Management > Users/AAA > AAA Server Groups > Add AAA Server Group

Administrative Features

PBKDF2 hashing for all local username and enable passwords

Local username and enable passwords of all lengths are stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Previously, passwords 32 characters and shorter used the MD5-based hashing method. Already existing passwords continue to use the MD5-based hash unless you enter a new password. See the "Software and Configurations" chapter in the General Operations Configuration Guide for downgrading guidelines.

We modified the following commands: enable password, username

We modified the following screens:

Configuration > Device Setup > Device Name/Password > Enable Password

Configuration > Device Management > Users/AAA > User Accounts > Add/Edit User Account > Identity
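The two AAA changes on this page, password reuse and username checking (ASA 9.8(1)) and PBKDF2 storage for local passwords (this release), fit together in one local user store, so the following added Python example covers both. It is not ASA code: the on-disk hash layout, the iteration count, the unsalted "md5$" stand-in for the older format, and the case-insensitive username comparison are all assumptions made for the example. It also shows the upgrade behaviour the page describes, where an existing MD5-hashed password keeps its old hash until the user sets a new one.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Deque, Dict, Optional, Tuple

# Assumptions for this example: the iteration count and the stored-string layout are made up;
# the page only says the ASA uses PBKDF2 and states neither.
PBKDF2_ITERATIONS = 100_000
REUSE_GENERATIONS = 7   # the page says reuse can be prohibited for up to 7 generations


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored self-describing so verification can recover the parameters."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def legacy_md5_hash(password: str) -> str:
    """Constructed stand-in for the older MD5-based format (unsalted here, so the contrast is visible)."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def verify_password(password: str, stored: str) -> bool:
    """Verify against either format; the comparison is constant-time in both branches."""
    if stored.startswith("md5$"):
        return hmac.compare_digest(stored, legacy_md5_hash(password))
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


class LocalUserDatabase:
    """Hypothetical local user store enforcing the two password-policy rules from the page."""

    def __init__(self, reuse_generations: int = REUSE_GENERATIONS, username_check: bool = True):
        self.reuse_generations = reuse_generations
        self.username_check = username_check
        self.current: Dict[str, str] = {}           # username -> hash used for login
        self.history: Dict[str, Deque[str]] = {}    # username -> last N hashes, newest last

    def import_legacy_user(self, username: str, password: str) -> None:
        """Simulate an account created before the upgrade; it keeps its MD5 hash until the next change."""
        stored = legacy_md5_hash(password)
        self.current[username] = stored
        self.history.setdefault(username, deque(maxlen=self.reuse_generations)).append(stored)

    def set_password(self, username: str, new_password: str) -> Tuple[bool, str]:
        # Rule 1 (assumed case-insensitive): the password may not equal the account's username.
        if self.username_check and new_password.lower() == username.lower():
            return False, "password matches username"
        # Rule 2: compare against the last N hashes; each is salted, so this is a verify, not a lookup.
        history = self.history.setdefault(username, deque(maxlen=self.reuse_generations))
        if any(verify_password(new_password, old) for old in history):
            return False, f"password reused within the last {self.reuse_generations} generations"
        new_hash = hash_password(new_password)          # always the new PBKDF2 format
        history.append(new_hash)                        # deque(maxlen=N) drops the oldest generation
        self.current[username] = new_hash
        return True, "password changed"

    def authenticate(self, username: str, password: str) -> bool:
        stored = self.current.get(username)
        return stored is not None and verify_password(password, stored)


if __name__ == "__main__":
    db = LocalUserDatabase()
    print(db.set_password("bob", "bob"))               # rejected: matches username
    print(db.set_password("bob", "first-secret-1"))    # accepted
    print(db.set_password("bob", "first-secret-1"))    # rejected: reuse
    print(db.current["bob"][:24])                      # pbkdf2_sha256$100000$...
```

Because every stored generation is salted, the reuse check has to run PBKDF2 once per remembered hash; that cost is bounded by the generation count, which is why a small fixed limit such as 7 is the practical design.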

Licensing Features

Licensing changes for failover pairs on the Firepower 4100/9300 chassis

Only the active unit requests the license entitlements. Previously, both units requested license entitlements. Supported with FXOS 2.1.1.

Monitoring and Troubleshooting Features

IPv6 address support for traceroute

The traceroute command was modified to accept an IPv6 address.

We modified the following command: traceroute

We modified the following screen: Tools > Traceroute

Support for the packet tracer for bridge group member interfaces

You can now use the packet tracer for bridge group member interfaces.

We added two new options to the packet-tracer command: vlan-id and dmac

We added VLAN ID and Destination MAC Address fields in the packet-tracer screen: Tools > Packet Tracer

IPv6 address support for syslog servers

You can now configure syslog servers with IPv6 addresses to record and send syslogs over TCP and UDP.

We modified the following commands: logging host, show running-config, show logging

We modified the following screen: Configuration > Device Management > Logging > Syslog Servers > Add Syslog Server

SNMP OIDs and MIBs

The ASA now supports SNMP MIB objects corresponding to the end-to-end transparent clock mode as part of the Precision Time Protocol (PTP) for the ISA 3000. The following SNMP MIB objects are supported:

  • ciscoPtpMIBSystemInfo

  • cPtpClockDefaultDSTable

  • cPtpClockTransDefaultDSTable

  • cPtpClockPortTransDSTable

Manually stop and start packet captures

You can now manually stop and start the capture.

Added/Modified commands: capture stop

Added/Modified screens: Wizards > Packet Capture Wizard > Run Captures

Added/Modified options: Start button, Stop button

New Features in Version 9.6

New Features in ASA 9.6(4)/ASDM 7.9(1)

Released: December 13, 2017

There are no new features in this release.

New Features in ASA 9.6(3.1)/ASDM 7.7(1)

Released: April 3, 2017

Note

Version 9.6(3) was removed from Cisco.com due to bug CSCvd78303.


Feature

Description

AAA Features

Separate authentication for users with SSH public key authentication and users with passwords

In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication) without also explicitly enabling AAA SSH authentication with the local user database (aaa authentication ssh console LOCAL). In 9.6(2), the ASA required you to explicitly enable AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH authentication; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies to usernames with passwords, and you can use any AAA server type (aaa authentication ssh console radius_1, for example). For instance, some users can use public key authentication using the local database, and other users can use passwords with RADIUS.

We did not modify any commands.

We did not modify any screens.

Also in Version 9.8(1).

New Features in ASDM 7.6(2.150)

Released: October 12, 2016

There are no new features in this release.

New Features in ASA 9.6(2)/ASDM 7.6(2)

Released: August 24, 2016

Feature

Description

Platform Features

ASA for the Firepower 4150

We introduced the ASA for the Firepower 4150.

Requires FXOS 2.0.1.

We did not add or modify any commands.

We did not add or modify any screens.

Hot Plug Interfaces on the ASAv

You can add and remove Virtio virtual interfaces on the ASAv while the system is active. When you add a new interface to the ASAv, the virtual machine detects and provisions the interface. When you remove an existing interface, the virtual machine releases any resource associated with the interface. Hot plug interfaces are limited to Virtio virtual interfaces on the Kernel-based Virtual Machine (KVM) hypervisor.

Microsoft Azure support on the ASAv10

Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper-V hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper-V hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.

Also in 9.5(2.200).

Through traffic support on the Management 0/0 interface for the ASAv

You can now allow through traffic on the Management 0/0 interface on the ASAv. Previously, only the ASAv on Microsoft Azure supported through traffic; now all ASAvs support through traffic. You can optionally configure this interface to be management-only, but it is not configured by default.

We modified the following command: management-only

Common Criteria Certification

The ASA was updated to comply with the Common Criteria requirements. See the rows in this table for the following features that were added for this certification:

  • ASA SSL Server mode matching for ASDM

  • SSL client RFC 6125 support:

    • Reference Identities for Secure Syslog Server connections and Smart Licensing connections

    • ASA client checks Extended Key Usage in server certificates

    • Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2

  • PKI debug messages

  • Crypto Key Zeroization verification

  • IPsec/ESP Transport Mode Support for IKEv2

  • New syslog messages

Firewall Features

DNS over TCP inspection

You can now inspect DNS over TCP traffic (TCP/53).

We added the following command: tcp-inspection

We modified the following page: Configuration > Firewall > Objects > Inspection Maps > DNS Add/Edit dialog box

MTP3 User Adaptation (M3UA) inspection

You can now inspect M3UA traffic and also apply actions based on point code, service indicator, and message class and type.

We added or modified the following commands: clear service-policy inspect m3ua {drops | endpoint [IP_address]} , inspect m3ua , match dpc , match opc , match service-indicator , policy-map type inspect m3ua , show asp table classify domain inspect-m3ua , show conn detail , show service-policy inspect m3ua {drops | endpoint IP_address} , ss7 variant , timeout endpoint

We added or modified the following pages: Configuration > Firewall > Objects > Inspection Maps > M3UA; the Rule Action > Protocol Inspection tab for service policy rules

Session Traversal Utilities for NAT (STUN) inspection

You can now inspect STUN traffic for WebRTC applications including Cisco Spark. Inspection opens pinholes required for return traffic.

We added or modified the following commands: inspect stun , show conn detail , show service-policy inspect stun

We added an option to the Rule Actions > Protocol Inspection tab of the Add/Edit Service Policy dialog box

Application layer health checking for Cisco Cloud Web Security

You can now configure Cisco Cloud Web Security to check the health of the Cloud Web Security application when determining if the server is healthy. By checking application health, the system can fail over to the backup server when the primary server responds to the TCP three-way handshake but cannot process requests. This ensures a more reliable system.

We added the following commands: health-check application url , health-check application timeout

We modified the following screen: Configuration > Device Management > Cloud Web Security

Connection holddown timeout for route convergence

You can now configure how long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the connection is freed. You can reduce the holddown timer to make route convergence happen more quickly. However, the 15 second default is appropriate for most networks to prevent route flapping.

We added the following command: timeout conn-holddown

We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts

Also in 9.4(3).

Changes in TCP option handling

You can now specify actions for the TCP MSS and MD5 options in a packet’s TCP header when configuring a TCP map. In addition, the default handling of the MSS, timestamp, window-size, and selective-ack options has changed. Previously, these options were allowed even if there was more than one option of a given type in the header. Now, packets are dropped by default if they contain more than one option of a given type. For example, a packet with two timestamp options was previously allowed; it is now dropped.

You can configure a TCP map to allow multiple options of the same type for MD5, MSS, selective-ack, timestamp, and window-size. For the MD5 option, the previous default was to clear the option, whereas the default now is to allow it. You can also drop packets that contain the MD5 option. For the MSS option, you can set the maximum segment size in the TCP map (per traffic class). The default for all other TCP options remains the same: they are cleared.

We modified the following command: tcp-options

We modified the following screen: Configuration > Firewall > Objects > TCP Maps Add/Edit dialog box
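The following is an added example, written for this page and not ASA code, that models the TCP option handling described above: it parses the options field of a TCP header, drops a segment that carries more than one option of the same kind unless that kind has been exempted (the per-class "allow multiple" choice of a TCP map), applies the allow/clear/drop choice for the MD5 option, and clears every option the text says is cleared by default. The sample option bytes are constructed for the example. Two details are assumptions rather than anything the page states: cleared options are overwritten with NOP bytes so the header length is unchanged, and the SACK option (kind 5) is grouped with SACK-permitted (kind 4) under "selective-ack".

```python
"""Model of per-segment TCP option policy (added example, not Cisco ASA code)."""
import struct

# TCP option kinds from the IANA registry.
EOL, NOP, MSS, WSCALE, SACK_PERM, SACK, TIMESTAMP, MD5SIG = 0, 1, 2, 3, 4, 5, 8, 19
NAMES = {MSS: "mss", WSCALE: "window-size", SACK_PERM: "selective-ack",
         SACK: "selective-ack", TIMESTAMP: "timestamp", MD5SIG: "md5"}
# Kinds the text says are allowed by default; everything else is cleared.
# (Grouping kind 5 with kind 4 under selective-ack is an assumption.)
ALLOWED_BY_DEFAULT = {MSS, WSCALE, SACK_PERM, SACK, TIMESTAMP}


def parse_tcp_options(raw):
    """Return [(kind, payload, offset, length)]; raise ValueError on a malformed field."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option header truncated")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length %d for kind %d" % (length, kind))
        opts.append((kind, bytes(raw[i + 2:i + length]), i, length))
        i += length
    return opts


def duplicate_kinds(opts):
    """Kinds that occur more than once in one header (the new drop condition)."""
    seen, dups = set(), set()
    for kind, _, _, _ in opts:
        if kind in seen:
            dups.add(kind)
        seen.add(kind)
    return dups


def evaluate(raw, allow_multiple=frozenset(), md5_action="allow"):
    """
    Return (verdict, options_after, reason).
    allow_multiple: kinds for which duplicates are tolerated.
    md5_action: "allow" (the new default), "clear" (the old default) or "drop".
    Cleared options are overwritten with NOPs (assumption about the mechanism).
    """
    try:
        opts = parse_tcp_options(raw)
    except ValueError as exc:
        return "drop", b"", "malformed: %s" % exc
    dups = duplicate_kinds(opts) - set(allow_multiple)
    if dups:
        names = sorted({NAMES.get(k, str(k)) for k in dups})
        return "drop", b"", "duplicate option(s): " + ", ".join(names)
    if md5_action == "drop" and any(o[0] == MD5SIG for o in opts):
        return "drop", b"", "md5 option present"
    out = bytearray(raw)
    for kind, _, off, length in opts:
        keep = kind in ALLOWED_BY_DEFAULT or (kind == MD5SIG and md5_action == "allow")
        if not keep:
            out[off:off + length] = bytes([NOP]) * length
    return "allow", bytes(out), "ok"


# Constructed sample option fields (20 bytes each, as in a real SYN).
def ts_option(tsval, tsecr):
    return b"\x08\x0a" + struct.pack("!II", tsval, tsecr)


MSS_1460 = b"\x02\x04\x05\xb4"
WS_7 = b"\x03\x03\x07"
MD5_OPT = b"\x13\x12" + bytes(range(16))                      # constructed digest bytes
NORMAL_SYN = MSS_1460 + b"\x01\x01" + ts_option(1, 0) + b"\x01" + WS_7
DOUBLE_TS = ts_option(1, 0) + ts_option(2, 0)                 # two timestamp options
WITH_MD5 = MD5_OPT + b"\x01\x01"

if __name__ == "__main__":
    for name, raw in (("normal", NORMAL_SYN), ("double-ts", DOUBLE_TS), ("md5", WITH_MD5)):
        print(name, evaluate(raw)[0], evaluate(raw)[2])
```

Running the block prints the verdict for each constructed header; passing `allow_multiple={TIMESTAMP}` to `evaluate` shows how a per-class exemption lets the double-timestamp segment through, and `md5_action="clear"` reproduces the pre-9.6(2) default.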

Transparent mode maximum interfaces per bridge group increased to 64

The maximum interfaces per bridge group was increased from 4 to 64.

We did not modify any commands.

We did not modify any screens.

Flow offload support for multicast connections in transparent mode

You can now offload multicast connections to be switched directly in the NIC on transparent mode Firepower 4100 and 9300 series devices. Multicast offload is available for bridge groups that contain two and only two interfaces.

There are no new commands or ASDM screens for this feature.

Customizable ARP rate limiting

You can set the maximum number of ARP packets allowed per second. The default value depends on your ASA model. You can customize this value to prevent an ARP storm attack.

We added the following commands: arp rate-limit, show arp rate-limit

We modified the following screen: Configuration > Device Management > Advanced > ARP > ARP Static Table

Ethertype rule support for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address

You can now write Ethertype access control rules for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address. Because of this addition, the bpdu keyword no longer matches the intended traffic. Rewrite bpdu rules for dsap 0x42.

We modified the following commands: access-list ethertype

We modified the following screen: Configuration > Firewall > EtherType Rules.

Remote Access Features

Pre-fill/Username-from-cert feature for multiple context mode

AnyConnect SSL support is extended, allowing pre-fill/username-from-certificate feature CLIs, previously available only in single mode, to be enabled in multiple context mode as well.

We did not modify any commands.

We did not modify any screens.

Flash Virtualization for Remote Access VPN

Remote access VPN in multiple context mode now supports flash virtualization. Each context can have a private storage space and a shared storage place based on the total flash that is available:

  • Private storage—Store files associated only with that user and specific to the content that you want for that user.

  • Shared storage—Upload files to this space and have it accessible to any user context for read/write access once you enable it.

We introduced the following commands: limit-resource storage, storage-url

We modified the following screens: Configuration > Context Management > Resource Class > Add Resource Class

Configuration > Context Management > Security Contexts

AnyConnect client profiles supported in multiple context mode

AnyConnect client profiles are supported in multiple context mode. To add a new profile using ASDM, you must have the AnyConnect Secure Mobility Client release 4.2.00748 or 4.3.03013 and later.

Stateful failover for AnyConnect connections in multiple context mode

Stateful failover is now supported for AnyConnect connections in multiple context mode.

We did not modify any commands.

We did not modify any screens.

Remote Access VPN Dynamic Access Policy (DAP) is supported in multiple context mode

You can now configure DAP per context in multiple context mode.

We did not modify any commands.

We did not modify any screens.

Remote Access VPN CoA (Change of Authorization) is supported in multiple context mode

You can now configure CoA per context in multiple context mode.

We did not modify any commands.

We did not modify any screens.

Remote Access VPN localization is supported in multiple context mode

Localization is supported globally. There is only one set of localization files that are shared across different contexts.

We did not modify any commands.

We did not modify any screens.

Umbrella Roaming Security module support

You can choose to configure the AnyConnect Secure Mobility Client's Umbrella Roaming Security module for additional DNS-layer security when no VPN is active.

We did not modify any commands.

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile.

IPsec/ESP Transport Mode Support for IKEv2

Transport mode is now supported for ASA IKEv2 negotiation. It can be used in place of tunnel (default) mode. Tunnel mode encapsulates the entire IP packet. Transport mode encapsulates only the upper-layer protocols of an IP packet. Transport mode requires that both the source and destination hosts support IPSec, and can only be used when the destination peer of the tunnel is the final destination of the IP packet.

We modified the following command: crypto map set ikev2 mode

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > IPsec Proposals (Transform Sets) > IKEv2 proposals > Add/Edit

Per-packet routing lookups for IPsec inner packets

By default, per-packet adjacency lookups are done for outer ESP packets; lookups are not done for packets sent through the IPsec tunnel. In some network topologies, when a routing update has altered the inner packet’s path, but the local IPsec tunnel is still up, packets through the tunnel may not be routed correctly and fail to reach their destination. To prevent this, use the new option to enable per-packet routing lookups for the IPsec inner packets.

We added the following command: crypto ipsec inner-routing-lookup

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps adding the Enable IPsec Inner Routing Lookup checkbox.

Certificate and Secure Connection Features

ASA client checks Extended Key Usage in server certificates

Syslog and Smart Licensing server certificates must contain “ServerAuth” in the Extended Key Usage field. If not, the connection fails.

Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2

If the server requests a client certificate from the ASA for authentication, the ASA will send the client identity certificate configured for that interface. The certificate is configured by the ssl trust-point command.

PKI debug messages

The ASA PKI module makes connections to CA servers for operations such as SCEP enrollment and revocation checking over HTTP. All of these ASA PKI exchanges are logged as debug traces under debug crypto ca message 5.

ASA SSL Server mode matching for ASDM

For an ASDM user who authenticates with a certificate, you can now require the certificate to match a certificate map.

We modified the following command: http authentication-certificate match

We modified the following screen: Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

Reference Identities for Secure Syslog Server connections and Smart Licensing connections

TLS client processing now supports rules for verification of a server identity defined in RFC 6125, Section 6. Identity verification will be done during PKI validation for TLS connections to the Syslog Server and the Smart Licensing server only. If the presented identity cannot be matched against the configured reference identity, the connection is not established.

We added or modified the following commands: crypto ca reference-identity, logging host, call home profile destination address

We modified the following screens:

Configuration > Remote Access VPN > Advanced

Configuration > Device Management > Logging > Syslog Servers > Add/Edit

Configuration > Device Management > Smart Call Home
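The server identity rules of RFC 6125, Section 6 that the reference-identity feature above relies on are worth seeing in code. The block below is an added example written for this page, not ASA code: it compares a configured DNS-ID reference identity against the identifiers a server certificate presents (subjectAltName dNSName entries, falling back to the subject CN only when the certificate carries no DNS-ID, as RFC 6125 Section 6.4.4 describes), applying the wildcard restrictions of Section 6.4.3. The certificate dictionaries and host names are constructed for the example; a real client would take them from the parsed X.509 certificate.

```python
"""RFC 6125 DNS-ID matching for a TLS client (added example, not Cisco ASA code)."""


def _labels(name):
    """Lower-case, strip a trailing dot, split into DNS labels."""
    return name.rstrip(".").lower().split(".")


def dns_id_matches(reference, presented):
    """
    Compare one presented DNS-ID against the configured reference identity
    following RFC 6125 section 6.4.3:
      - labels are compared case-insensitively, one for one;
      - a wildcard is accepted only in the left-most label, at most once,
        never inside an A-label (xn--), and never when it would cover a
        whole public suffix such as *.com (fewer than three labels).
    """
    ref, pres = _labels(reference), _labels(presented)
    if len(ref) != len(pres) or any(label == "" for label in ref):
        return False
    if "*" not in presented:
        return ref == pres
    first, rest = pres[0], pres[1:]
    if (len(pres) < 3 or first.count("*") != 1 or first.startswith("xn--")
            or any("*" in label for label in rest)):
        return False
    if rest != ref[1:]:
        return False
    head, tail = first.split("*")          # supports forms like baz*.example.net
    label = ref[0]
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head) and label.endswith(tail))


def presented_ids(cert):
    """DNS-IDs from subjectAltName; CN-ID only if the certificate has no DNS-ID."""
    dns_ids = [value for kind, value in cert.get("san", []) if kind == "DNS"]
    if dns_ids:
        return dns_ids, "DNS-ID"
    cn = cert.get("subject_cn")
    return ([cn] if cn else []), "CN-ID"


def server_identity_ok(cert, reference_dns_id):
    """True when any presented identifier matches the reference identity."""
    ids, _ = presented_ids(cert)
    return any(dns_id_matches(reference_dns_id, presented) for presented in ids)


# Constructed sample certificates (subject CN plus subjectAltName entries).
SYSLOG_CERT = {
    "subject_cn": "syslog.example.com",
    "san": [("DNS", "syslog.example.com"), ("DNS", "*.logs.example.com"),
            ("IP", "192.0.2.10")],
}
CN_ONLY_CERT = {"subject_cn": "licensing.example.com", "san": [("IP", "192.0.2.20")]}

if __name__ == "__main__":
    for ref in ("syslog.example.com", "collector.logs.example.com", "collector.example.com"):
        print(ref, "->", "connect" if server_identity_ok(SYSLOG_CERT, ref) else "refuse")
```

A client that enforces this check refuses the TLS session when no presented identifier matches, which is the behaviour the feature row describes for the syslog and Smart Licensing connections.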

Crypto Key Zeroization verification

The ASA crypto system has been updated to comply with new key zeroization requirements. Keys must be overwritten with all zeros and then the data must be read to verify that the write was successful.

SSH public key authentication improvements

In earlier releases, you could enable SSH public key authentication (ssh authentication) without also enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL). The configuration is now fixed so that you must explicitly enable AAA SSH authentication. To disallow users from using a password instead of the private key, you can now create a username without any password defined.

We modified the following commands: ssh authentication, username

We modified the following screens:

Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH

Configuration > Device Management > Users/AAA > User Accounts > Add/Edit User Account

Interface Features

Increased MTU size for the ASA on the Firepower 4100/9300 chassis

You can set the maximum MTU to 9188 bytes on the Firepower 4100 and 9300; formerly, the maximum was 9000 bytes. This MTU is supported with FXOS 2.0.1.68 and later.

We modified the following command: mtu

We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Advanced

Routing Features

Bidirectional Forwarding Detection (BFD) Support

The ASA now supports the BFD routing protocol. Support was added for configuring BFD templates, interfaces, and maps. Support for BGP routing protocol to use BFD was also added.

We added or modified the following commands: authentication, bfd echo, bfd interval, bfd map, bfd slow-timers, bfd template, bfd-template, clear bfd counters, echo, debug bfd, neighbor fall-over bfd, show bfd drops, show bfd map, show bfd neighbors, show bfd summary

We added or modified the following screens:

Configuration > Device Setup > Routing > BFD > Template

Configuration > Device Setup > Routing > BFD > Interface

Configuration > Device Setup > Routing > BFD > Map

Configuration > Device Setup > Routing > BGP > IPv6 Family > Neighbors

IPv6 DHCP

The ASA now supports the following features for IPv6 addressing:

  • DHCPv6 Address client—The ASA obtains an IPv6 global address and optional default route from the DHCPv6 server.

  • DHCPv6 Prefix Delegation client—The ASA obtains delegated prefix(es) from a DHCPv6 server. The ASA can then use these prefixes to configure other ASA interface addresses so that Stateless Address Autoconfiguration (SLAAC) clients can autoconfigure IPv6 addresses on the same network.

  • BGP router advertisement for delegated prefixes

  • DHCPv6 stateless server—The ASA provides other information such as the domain name to SLAAC clients when they send Information Request (IR) packets to the ASA. The ASA only accepts IR packets, and does not assign addresses to the clients.

We added or modified the following commands: clear ipv6 dhcp statistics, domain-name, dns-server, import, ipv6 address autoconfig, ipv6 address dhcp, ipv6 dhcp client pd, ipv6 dhcp client pd hint, ipv6 dhcp pool, ipv6 dhcp server, network, nis address, nis domain-name, nisp address, nisp domain-name, show bgp ipv6 unicast, show ipv6 dhcp, show ipv6 general-prefix, sip address, sip domain-name, sntp address

We added or modified the following screens:

Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > IPv6

Configuration > Device Management > DHCP > DHCP Pool

Configuration > Device Setup > Routing > BGP > IPv6 Family > Networks

Monitoring > Interfaces > DHCP

High Availability and Scalability Features

Improved sync time for dynamic ACLs from AnyConnect when using Active/Standby failover

When you use AnyConnect on a failover pair, the sync time for the associated dynamic ACLs (dACLs) to the standby unit is now improved. Previously, with large dACLs, the sync could take hours, during which time the standby unit was busy syncing instead of providing high availability backup.

We did not modify any commands.

We did not modify any screens.

Licensing Features

Permanent License Reservation for the ASAv

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv. In 9.6(2), we also added support for this feature for the ASAv on Amazon Web Services. This feature is not supported for Microsoft Azure.

Note 

Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it.

We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return

No ASDM support.

Also in 9.5(2.200).

Permanent License Reservation for the ASAv Short String enhancement

Due to an update to the Smart Agent (to 1.6.4), the request and authorization codes now use shorter strings.

We did not modify any commands.

We did not modify any screens.

Permanent License Reservation for the ASA on the Firepower 4100/9300 chassis

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASA on the Firepower 9300 and Firepower 4100. All available license entitlements are included in the permanent license, including the Standard Tier, Strong Encryption (if qualified), Security Contexts, and Carrier licenses. Requires FXOS 2.0.1.

All configuration is performed on the Firepower 4100/9300 chassis; no configuration is required on the ASA.

Smart Agent Upgrade for ASAv to v1.6

The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.

Note 

If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force command, or on the Configuration > Device Management > Licensing > Smart Licensing page with the Force registration option; obtain the ID token from the Smart Software Manager.

We introduced the following commands: show license status, show license summary, show license udi, show license usage

We modified the following commands: show license all, show tech-support license

We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration

We did not change any screens.

Also in 9.5(2.200).

Monitoring Features

Packet capture of type asp-drop supports ACL and match filtering

When you create a packet capture of type asp-drop, you can now also specify an ACL or match option to limit the scope of the capture.

We modified the following command: capture type asp-drop

We did not modify any screens.

Forensic Analysis enhancements

You can create a core dump of any process running on the ASA. The ASA also extracts the text section of the main ASA process that you can copy from the ASA for examination.

We modified the following commands: copy system:text, verify system:text, crashinfo force dump process

We did not modify any screens.

Tracking Packet Count on a Per-Connection Basis through NetFlow

Two counters were added that allow Netflow users to see the number of Layer 4 packets being sent in both directions on a connection. You can use these counters to determine average packet rates and sizes and to better predict traffic types, anomalies, and events.

We did not modify any commands.

We did not modify any screens.

SNMP engineID sync for Failover

In a failover pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID.

An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running-config output shows two engineIDs per user.

We modified the following command: snmp-server user

No ASDM support.

Also in 9.4(3).

New Features in ASA 9.6(1)/ASDM 7.6(1)

Released: March 21, 2016

Note

The ASAv 9.5.2(200) features, including Microsoft Azure support, are not available in 9.6(1). They are available in 9.6(2).


Feature

Description

Platform Features

ASA for the Firepower 4100 series

We introduced the ASA for the Firepower 4110, 4120, and 4140.

Requires FXOS 1.1.4.

We did not add or modify any commands.

We did not add or modify any screens.

SD card support for the ISA 3000

You can now use an SD card for external storage on the ISA 3000. The card appears as disk3 in the ASA file system. Note that plug and play support requires hardware version 2.1 and later. Use the show module command to check your hardware version.

We did not add or modify any commands.

We did not add or modify any screens.

Dual power supply support for the ISA 3000

For dual power supplies in the ISA 3000, you can establish dual power supplies as the expected configuration in the ASA OS. If one power supply fails, the ASA issues an alarm. By default, the ASA expects a single power supply and won't issue an alarm as long as it includes one working power supply.

We introduced the following command: power-supply dual.

No ASDM support.

Firewall Features

Diameter inspection improvements

You can now inspect Diameter over TCP/TLS traffic, apply strict protocol conformance checking, and inspect Diameter over SCTP in cluster mode.

We introduced or modified the following commands: client clear-text, inspect diameter, strict-diameter.

We added or modified the following screens:

Configuration > Firewall > Objects > Inspect Maps > Diameter

Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol Inspection tab

SCTP stateful inspection in cluster mode

SCTP stateful inspection now works in cluster mode. You can also configure SCTP stateful inspection bypass in cluster mode.

We did not add or modify any commands.

We did not add or modify any screens.

H.323 inspection support for the H.225 FACILITY message coming before the H.225 SETUP message for H.460.18 compatibility

You can now configure an H.323 inspection policy map to allow for H.225 FACILITY messages to come before the H.225 SETUP message, which can happen when endpoints comply with H.460.18.

We introduced the following command: early-message.

We added an option to the Call Attributes tab in the H.323 inspection policy map.

Cisco TrustSec support for Security Exchange Protocol (SXP) version 3

Cisco Trustsec on ASA now implements SXPv3, which enables SGT-to-subnet bindings, which are more efficient than host bindings.

We introduced or modified the following commands: cts sxp mapping network-map maximum_hosts, cts role-based sgt-map, show cts sgt-map, show cts sxp sgt-map, show asp table cts sgt-map.

We modified the following screens: Configuration > Firewall > Identity By TrustSec and the SGT Map Setup dialog boxes.

Flow off-load support for the Firepower 4100 series

You can identify flows that should be off-loaded from the ASA and switched directly in the NIC for the Firepower 4100 series.

Requires FXOS 1.1.4.

We did not add or modify any commands.

We did not add or modify any screens.

Remote Access Features

IKEv2 Fragmentation, RFC-7383 support

The ASA now supports the standard fragmentation of IKEv2 packets defined in RFC 7383. This allows interoperability with other IKEv2 implementations such as Apple and strongSwan. The ASA continues to support its proprietary IKEv2 fragmentation to maintain backward compatibility with Cisco products that do not support RFC 7383, such as the AnyConnect client.

We introduced the following commands: crypto ikev2 fragmentation , show running-config crypto ikev2 , show crypto ikev2 sa detail

VPN Throughput Performance Enhancements on Firepower 9300 and Firepower 4100 series

The crypto engine accelerator-bias command is now supported on the ASA security module on the Firepower 9300 and Firepower 4100 series. This command lets you “bias” more crypto cores toward either IPSec or SSL.

We modified the following command: crypto engine accelerator-bias

We did not add or modify any screens.

Configurable SSH encryption and HMAC algorithm

You can select the cipher modes used for SSH management encryption and configure the HMAC and encryption algorithms for the available key exchange algorithms. You might want to make the ciphers more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms, in order: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, performance is much slower than with a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.

We introduced the following commands: ssh cipher encryption, ssh cipher integrity.

We introduced the following screen: Configuration > Device Management > Advanced > SSH Ciphers

Also available in 9.1(7), 9.4(3), and 9.5(3).

HTTP redirect support for IPv6

When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent to an IPv6 address.

We added functionality to the following command: http redirect

We added functionality to the following screen: Configuration > Device Management > HTTP Redirect

Also available in 9.1(7) and 9.4(3).

Routing Features

IS-IS routing

The ASA now supports the Intermediate System to Intermediate System (IS-IS) routing protocol. Support was added for routing data, performing authentication, and redistributing and monitoring routing information using the IS-IS routing protocol.

We introduced the following commands: advertise passive-only, area-password, authentication key, authentication mode, authentication send-only, clear isis, debug isis, distance, domain-password, fast-flood, hello padding, hostname dynamic, ignore-lsp-errors, isis adjacency-filter, isis advertise prefix, isis authentication key, isis authentication mode, isis authentication send-only, isis circuit-type, isis csnp-interval, isis hello-interval, isis hello-multiplier, isis hello padding, isis lsp-interval, isis metric, isis password, isis priority, isis protocol shutdown, isis retransmit-interval, isis retransmit-throttle-interval, isis tag, is-type, log-adjacency-changes, lsp-full suppress, lsp-gen-interval, lsp-refresh-interval, max-area-addresses, max-lsp-lifetime, maximum-paths, metric, metric-style, net, passive-interface, prc-interval, protocol shutdown, redistribute isis, route priority high, route isis, set-attached-bit, set-overload-bit, show clns, show isis, show router isis, spf-interval, summary-address.

We introduced the following screens:

Configuration > Device Setup > Routing > ISIS

Monitoring > Routing > ISIS

High Availability and Scalability Features

Support for site-specific IP addresses in Routed, Spanned EtherChannel mode

For inter-site clustering in routed mode with Spanned EtherChannels, you can now configure site-specific IP addresses in addition to site-specific MAC addresses. The addition of site IP addresses allows you to use ARP inspection on the Overlay Transport Virtualization (OTV) devices to prevent ARP responses from the global MAC address from traveling over the Data Center Interconnect (DCI), which can cause routing problems. ARP inspection is required for some switches that cannot use VACLs to filter MAC addresses.

We modified the following commands: mac-address, show interface

We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit EtherChannel Interface > Advanced

Administrative Features

Longer password support for local username and enable passwords (up to 127 characters)

You can now create local username and enable passwords up to 127 characters (the former limit was 32). When you create a password longer than 32 characters, it is stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Shorter passwords continue to use the MD5-based hashing method.

We modified the following commands: enable, username

We modified the following screens:

Configuration > Device Setup > Device Name/Password > Enable Password

Configuration > Device Management > Users/AAA > User Accounts > Add/Edit User Account > Identity

Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB

The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.

Note 

The CISCO-ENHANCED-MEMPOOL-MIB uses 64-bit counters and supports reporting of memory on platforms with more than 4 GB of RAM.

We did not add or modify any commands.

We did not add or modify any screens.

Also available in 9.1(7) and 9.4(3).

REST API Version 1.3.1

We added support for the REST API Version 1.3.1.

New Features in Version 9.5

New Features in ASA 9.5(3.9)/ASDM 7.6(2)

Released: April 11, 2017

Note

Version 9.5(3) was removed from Cisco.com due to bug CSCvd78303.


Feature

Description

Remote Access Features

Configurable SSH encryption and HMAC algorithm

You can select the cipher modes used for SSH management encryption and configure the HMAC and encryption algorithms for the available key exchange algorithms. You might want to make the ciphers more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms, in order: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, performance is much slower than with a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.

We introduced the following commands: ssh cipher encryption, ssh cipher integrity.

We introduced the following screen: Configuration > Device Management > Advanced > SSH Ciphers

Also available in 9.1(7) and 9.4(3).

New Features in ASAv 9.5(2.200)/ASDM 7.5(2.153)

Released: January 28, 2016

Note

This release supports only the ASAv.


Feature

Description

Platform Features

Microsoft Azure support on the ASAv10

Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper-V hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper-V hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.

Licensing Features

Permanent License Reservation for the ASAv

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv.

Note 

Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it.

We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return

No ASDM support.

Smart Agent Upgrade to v1.6

The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.

Note 

If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force command (or, in ASDM, on the Configuration > Device Management > Licensing > Smart Licensing page with the Force registration option); obtain the ID token from the Smart Software Manager.

We introduced the following commands: show license status, show license summary, show license udi, show license usage

We modified the following commands: show license all, show tech-support license

We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration

We did not change any screens.

New Features in ASA 9.5(2.1)/ASDM 7.5(2)

Released: December 14, 2015

Note

This release supports only the ASA on the Firepower 9300.


Feature

Description

Platform Features

VPN support for the ASA on the Firepower 9300

With FXOS 1.1.3, you can now configure VPN features.

Firewall Features

Flow off-load for the ASA on the Firepower 9300

You can identify flows that should be off-loaded from the ASA and switched directly in the NIC (on the Firepower 9300). This provides improved performance for large data flows in data centers.

Also requires FXOS 1.1.3.

We added or modified the following commands: clear flow-offload, flow-offload enable, set-connection advanced-options flow-offload, show conn detail, show flow-offload.

We added or modified the following screens: Configuration > Firewall > Advanced > Offload Engine, the Rule Actions > Connection Settings tab when adding or editing rules under Configuration > Firewall > Service Policy Rules.

High Availability Features

Inter-chassis clustering for 6 modules, and inter-site clustering for the ASA on the Firepower 9300

With FXOS 1.1.3, you can now enable inter-chassis clustering and, by extension, inter-site clustering. You can include up to 6 modules in up to 6 chassis.

We did not modify any commands.

We did not modify any screens.

Licensing Features

Strong Encryption (3DES) license automatically applied for the ASA on the Firepower 9300

For regular Cisco Smart Software Manager users, the Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 9300.

Note 

If you are using the Smart Software Manager satellite deployment, to use ASDM and other strong encryption features, after you deploy the ASA you must enable the Strong Encryption (3DES) license using the ASA CLI.

This feature requires FXOS 1.1.3.

We removed the following command for non-satellite configurations: feature strong-encryption

We modified the following screen: Configuration > Device Management > Licensing > Smart License

New Features in ASA 9.5(2)/ASDM 7.5(2)

Released: November 30, 2015

Feature

Description

Platform Features

Cisco ISA 3000 Support

The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model comes with the ASA Firepower module pre-installed. Special features for this model include a customized transparent mode default configuration, as well as a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power.

We introduced the following commands: hardware-bypass, hardware-bypass manual, hardware-bypass boot-delay

We modified the following screen: Configuration > Device Management > Hardware Bypass

Also in Version 9.4(1.225).

Firewall Features

DCERPC inspection improvements and UUID filtering

DCERPC inspection now supports NAT for OxidResolver ServerAlive2 opnum5 messages. You can also now filter on DCERPC message universally unique identifiers (UUIDs) to reset or log particular message types. There is a new DCERPC inspection class map for UUID filtering.

We introduced the following command: match [not] uuid. We modified the following command: class-map type inspect.

We added the following screen: Configuration > Firewall > Objects > Class Maps > DCERPC.

We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > DCERPC.

Diameter inspection

You can now inspect Diameter traffic. Diameter inspection requires the Carrier license.

We introduced or modified the following commands: class-map type inspect diameter, diameter, inspect diameter, match application-id, match avp, match command-code, policy-map type inspect diameter, show conn detail, show diameter, show service-policy inspect diameter, unsupported

We added or modified the following screens:

Configuration > Firewall > Objects > Inspect Maps > Diameter and Diameter AVP

Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol Inspection tab

SCTP inspection and access control

You can now use the SCTP protocol and port specifications in service objects, access control lists (ACLs) and access rules, and inspect SCTP traffic. SCTP inspection requires the Carrier license.

We introduced the following commands: access-list extended, clear conn protocol sctp, inspect sctp, match ppid, nat static (object), policy-map type inspect sctp, service-object, service, set connection advanced-options sctp-state-bypass, show conn protocol sctp, show local-host connection sctp, show service-policy inspect sctp, timeout sctp

We added or modified the following screens:

Configuration > Firewall > Access Rules add/edit dialogs

Configuration > Firewall > Advanced > ACL Manager add/edit dialogs

Configuration > Firewall > Advanced > Global Timeouts

Configuration > Firewall > NAT add/edit static network object NAT rule, Advanced NAT Settings dialog box

Configuration > Firewall > Objects > Service Objects/Groups add/edit dialogs

Configuration > Firewall > Objects > Inspect Maps > SCTP

Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol Inspection and Connection Settings tabs

Carrier Grade NAT enhancements now supported in failover and ASA clustering

For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888). This feature is now supported in failover and ASA cluster deployments.

We modified the following command: show local-host

We did not modify any screens.

Captive portal for active authentication on ASA FirePOWER 6.0.

The captive portal feature is required to enable active authentication using identity policies starting with ASA FirePOWER 6.0.

We introduced or modified the following commands: captive-portal , clear configure captive-portal , show running-config captive-portal .

High Availability Features

LISP Inspection for Inter-Site Flow Mobility

Cisco Locator/ID Separation Protocol (LISP) architecture separates the device identity from its location into two different numbering spaces, making server migration transparent to clients. The ASA can inspect LISP traffic for location changes and then use this information for seamless clustering operation; the ASA cluster members inspect LISP traffic passing between the first hop router and the egress tunnel router (ETR) or ingress tunnel router (ITR), and then change the flow owner to be at the new site.

We introduced or modified the following commands: allowed-eid, clear cluster info flow-mobility counters, clear lisp eid, cluster flow-mobility lisp, debug cluster flow-mobility, debug lisp eid-notify-intercept, flow-mobility lisp, inspect lisp, policy-map type inspect lisp, site-id, show asp table classify domain inspect-lisp, show cluster info flow-mobility counters, show conn, show lisp eid, show service-policy, validate-key

We introduced or modified the following screens:

Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration

Configuration > Firewall > Objects > Inspect Maps > LISP

Configuration > Firewall > Service Policy Rules > Protocol Inspection

Configuration > Firewall > Service Policy Rules > Cluster

Monitoring > Routing > LISP-EID Table

ASA 5516-X support for clustering

The ASA 5516-X now supports 2-unit clusters. Clustering for 2 units is enabled by default in the base license.

We did not modify any commands.

We did not modify any screens.

Configurable level for clustering trace entries

By default, all levels of clustering events are included in the trace buffer, including many low-level events. To limit the trace to higher-level events, you can set the minimum trace level for the cluster.

We introduced the following command: trace-level

We did not modify any screens.

Interface Features

Support to map Secondary VLANs to a Primary VLAN

You can now configure one or more secondary VLANs for a subinterface. When the ASA receives traffic on the secondary VLANs, it maps the traffic to the primary VLAN.

We introduced or modified the following commands: vlan secondary, show vlan mapping

We modified the following screens: Configuration > Device Setup > Interface Settings > Interfaces

Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > General

Routing Features

PIM Bootstrap Router (BSR) support for multicast routing

The ASA currently supports configuring static RPs to route multicast traffic for different groups. For large complex networks where multiple RPs could exist, the ASA now supports dynamic RP selection using PIM BSR to support mobility of RPs.

We introduced the following commands: clear pim group-map, debug pim bsr, pim bsr-border, pim bsr-candidate, show pim bsr-router, show pim group-map rp-timers

We introduced the following screen: Configuration > Device Setup > Routing > Multicast > PIM > Bootstrap Router

Remote Access Features

Support for Remote Access VPN in multiple context mode

You can now use the following remote access features in multiple context mode:

  • AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)

  • Centralized AnyConnect image configuration

  • AnyConnect image upgrade

  • Context Resource Management for AnyConnect connections

Note 

The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.

We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect

We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class

Clientless SSL VPN offers SAML 2.0-based Single Sign-On (SSO) functionality

The ASA acts as a SAML Service Provider.

Clientless SSL VPN conditional debugging

You can filter debug output using condition sets (for example, by user, group, or peer IP address), which makes the debug logs easier to analyze.

We introduced the following additions to the debug command:

  • [no] debug webvpn condition user <user name>

  • [no] debug webvpn condition group <group name>

  • [no] debug webvpn condition p-ipaddress <ipv4> [subnet<mask>]

  • [no] debug webvpn condition p-ipaddress <ipv6> [prefix<prefix>]

  • debug webvpn condition reset

  • show debug webvpn condition

  • show webvpn debug-condition

Clientless SSL VPN cache disabled by default

The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN cache provides better stability. If you want to enable the cache, you must manually enable it.


webvpn
   cache
      no disable

We modified the following command: cache

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Content Cache

Licensing Features

Validation of the Smart Call Home/Smart Licensing certificate if the issuing hierarchy of the server certificate changes

Smart licensing uses the Smart Call Home infrastructure. When the ASA first configures Smart Call Home anonymous reporting in the background, it automatically creates a trustpoint containing the certificate of the CA that issued the Smart Call Home server certificate. The ASA now supports validation of the certificate if the issuing hierarchy of the server certificate changes; you can enable the automatic update of the trustpool bundle at periodic intervals.

We introduced the following command: auto-import

We modified the following screen: Configuration > Remote Access VPN > Certificate Management > Trusted Certificate Pool > Edit Policy

New Carrier license

The new Carrier license replaces the existing GTP/GPRS license, and also includes support for SCTP and Diameter inspection. For the ASA on the Firepower 9300, the feature mobile-sp command will automatically migrate to the feature carrier command.

We introduced or modified the following commands: feature carrier, show activation-key, show license, show tech-support, show version

We modified the following screen: Configuration > Device Management > Licensing > Smart License

Monitoring Features

SNMP engineID sync

In an HA pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID.

An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running-config output will show two engineIDs per user.

We modified the following commands: snmp-server user, no snmp-server user

We did not add or modify any screens.

Also available in 9.4(3).

show tech-support enhancements

The show tech-support command now:

  • Includes dir all-filesystems output—This output can be helpful in the following cases:

    • SSL VPN configuration: check if the required resources are on the ASA

    • Crash: check for the date timestamp and presence of a crash file

  • Removes the show kernel cgroup-controller detail output—This command output will remain in the output of show tech-support detail.

We modified the following command: show tech-support

We did not add or modify any screens.

Also available in 9.1(7) and 9.4(3).

logging debug-trace persistence

Formerly, when you enabled logging debug-trace to redirect debugs to a syslog server, if the SSH connection was disconnected (due to network connectivity or timeout), then the debugs were removed. Now, debugs persist for as long as the logging command is in effect.

We modified the following command: logging debug-trace

We did not modify any screens.

New Features in ASA 9.5(1.5)/ASDM 7.5(1.112)

Released: November 11, 2015

Feature

Description

Platform Features

Support for ASA FirePOWER 6.0

The 6.0 software version for the ASA FirePOWER module is supported on all previously supported device models.

Support for managing the ASA FirePOWER module through ASDM for the 5512-X through 5585-X.

You can manage the ASA FirePOWER module using ASDM instead of using Firepower Management Center (formerly FireSIGHT Management Center) when running version 6.0 on the module. You can still use ASDM to manage the module on the 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X when running 6.0.

No new screens or commands were added.

New Features in ASDM 7.5(1.90)

Released: October 14, 2015

Feature

Description

Remote Access Features

AnyConnect Version 4.2 support

ASDM supports AnyConnect 4.2 and the Network Visibility Module (NVM). NVM enhances the enterprise administrator’s ability to do capacity and service planning, auditing, compliance, and security analytics. The NVM collects the endpoint telemetry and logs both the flow data and the file reputation in the syslog and also exports the flow records to a collector (a third-party vendor), which performs the file analysis and provides a UI interface.

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile (a new profile called Network Visibility Service Profile)

New Features in ASAv 9.5(1.200)/ASDM 7.5(1)

Released: August 31, 2015

Note

This release supports only the ASAv.


Feature

Description

Platform Features

Microsoft Hyper-V hypervisor support

Extends the hypervisor portfolio for the ASAv.

ASAv5 low memory support

The ASAv5 now only requires 1 GB RAM to operate. Formerly, it required 2 GB. For already-deployed ASAv5s, you should reduce the allocated memory to 1 GB or you will see an error that you are using more memory than is licensed.

New Features in ASA 9.5(1)/ASDM 7.5(1)

Released: August 12, 2015

Note

This version does not support the Firepower 9300 ASA security module or the ISA 3000.


Feature

Description

Firewall Features

GTPv2 inspection and improvements to GTPv0/1 inspection

GTP inspection can now handle GTPv2. In addition, GTP inspection for all versions now supports IPv6 addresses.

We modified the following commands: clear service-policy inspect gtp statistics, clear service-policy inspect gtp pdpmcb, clear service-policy inspect gtp request, match message id, show service-policy inspect gtp pdpmcb, show service-policy inspect gtp request, show service-policy inspect gtp statistics, timeout endpoint

We deprecated the following command: timeout gsn

We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > GTP

IP Options inspection improvements

IP Options inspection now supports all possible IP options. You can tune the inspection to allow, clear, or drop any standard or experimental options, including those not yet defined. You can also set a default behavior for options not explicitly defined in an IP options inspection map.

We introduced the following commands: basic-security, commercial-security, default, exp-flow-control, exp-measure, extended-security, imi-traffic-description, quick-start, record-route, timestamp

We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > IP Options

Carrier Grade NAT enhancements

For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888).

We introduced the following commands: xlate block-allocation size, xlate block-allocation maximum-per-host. We added the block-allocation keyword to the nat command.

We introduced the following screen: Configuration > Firewall > Advanced > PAT Port Block Allocation. We added the Enable Block Allocation option to the object NAT and twice NAT dialog boxes.

High Availability Features

Inter-site clustering support for Spanned EtherChannel in Routed firewall mode

You can now use inter-site clustering for Spanned EtherChannels in routed mode. To avoid MAC address flapping, configure a site ID for each cluster member so that a site-specific MAC address for each interface can be shared among a site’s units.

We introduced or modified the following commands: site-id, mac-address site-id, show cluster info, show interface

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration

ASA cluster customization of the auto-rejoin behavior when an interface or the cluster control link fails

You can now customize the auto-rejoin behavior when an interface or the cluster control link fails.

We introduced the following command: health-check auto-rejoin

We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Auto Rejoin

The ASA cluster supports GTPv1 and GTPv2

The ASA cluster now supports GTPv1 and GTPv2 inspection.

We did not modify any commands.

We did not modify any screens.

Cluster replication delay for TCP connections

This feature helps eliminate the “unnecessary work” related to short-lived flows by delaying the director/backup flow creation.

We introduced the following command: cluster replication delay

We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster Replication

Also available for the Firepower 9300 ASA security module in Version 9.4(1.152).

Disable health monitoring of a hardware module in ASA clustering

By default when using clustering, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.

We modified the following command: health-check monitor-interface service-module

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring

Enable use of the Management 1/1 interface as the failover link on the ASA 5506H

On the ASA 5506H only, you can now configure the Management 1/1 interface as the failover link. This feature lets you use all other interfaces on the device as data interfaces. Note that if you use this feature, you cannot use the ASA Firepower module, which requires the Management 1/1 interface to remain as a regular management interface.

We modified the following commands: failover lan interface, failover link

We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup

Routing Features

Support for IPv6 in Policy Based Routing

IPv6 addresses are now supported for Policy Based Routing.

We introduced the following commands: set ipv6 next-hop, set default ipv6-next hop, set ipv6 dscp

We modified the following screens:

Configuration > Device Setup > Routing > Route Maps > Add Route Map > Policy Based Routing

Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause

VXLAN support for Policy Based Routing

You can now enable Policy Based Routing on a VNI interface.

We did not modify any commands.

We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Interface > General

Policy Based Routing support for Identity Firewall and Cisco Trustsec

You can configure Identity Firewall and Cisco TrustSec and then use Identity Firewall and Cisco TrustSec ACLs in Policy Based Routing route maps.

We did not modify any commands.

We modified the following screen: Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause

Separate routing table for management-only interfaces

To segregate and isolate management traffic from data traffic, the ASA now supports a separate routing table for management-only interfaces.

We introduced or modified the following commands: backup, clear ipv6 route management-only, clear route management-only, configure http, configure net, copy, enrollment source, name-server, restore, show asp table route-management-only, show ipv6 route management-only, show route management-only

We did not modify any screens.

Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) pass-through support

The ASA now allows PIM-SSM packets to pass through when you enable multicast routing, unless the ASA is the Last-Hop Router. This feature allows greater flexibility in choosing a multicast group while also protecting against different attacks; hosts only receive traffic from explicitly-requested sources.

We did not modify any commands.

We did not modify any screens.

Remote Access Features

IPv6 VLAN Mapping

ASA VPN code has been enhanced to support full IPv6 capabilities. No configuration change is necessary for the administrator.

Clientless SSL VPN SharePoint 2013 Support

Added support and a predefined application template for this new SharePoint version.

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks > Add Bookmark List > Select Bookmark Type > Predefined application templates

Dynamic Bookmarks for Clientless VPN

Added CSCO_WEBVPN_DYNAMIC_URL and CSCO_WEBVPN_MACROLIST to the list of macros when using bookmarks. These macros allow the administrator to configure a single bookmark that can generate multiple bookmark links on the clientless user’s portal and to statically configure bookmarks to take advantage of arbitrarily sized lists provided by LDAP attribute maps.

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks

VPN Banner Length Increase

The overall banner length, which is displayed during post-login on the VPN remote client portal, has increased from 500 to 4000.

We modified the following command: banner (group-policy).

We modified the following screen: Configuration > Remote Access VPN > .... Add/Edit Internal Group Policy > General Parameters > Banner

Cisco Easy VPN client on the ASA 5506-X, 5506W-X, 5506H-X, and 5508-X

This release supports Cisco Easy VPN on the ASA 5506-X series and for the ASA 5508-X. The ASA acts as a VPN hardware client when connecting to the VPN headend. Any devices (computers, printers, and so on) behind the ASA on the Easy VPN port can communicate over the VPN; they do not have to run VPN clients individually. Note that only one ASA interface can act as the Easy VPN port; to connect multiple devices to that port, you need to place a Layer 2 switch on the port, and then connect your devices to the switch.

We introduced the following commands: vpnclient enable, vpnclient server, vpnclient mode, vpnclient username, vpnclient ipsec-over-tcp, vpnclient management, vpnclient vpngroup, vpnclient trustpoint, vpnclient nem-st-autoconnect, vpnclient mac-exempt

We introduced the following screen: Configuration > VPN > Easy VPN Remote

Monitoring Features

Show invalid usernames in syslog messages

You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.

We introduced the following command: no logging hide username

We modified the following screen: Configuration > Device Management > Logging > Syslog Setup

This feature is also available in 9.2(4) and 9.3(3).

REST API Features

REST API Version 1.2.1

We added support for the REST API Version 1.2.1.

New Features in Version 9.4

New Features in ASA 9.4(4.5)/ASDM 7.6(2)

Released: April 3, 2017

Note

Version 9.4(4) was removed from Cisco.com due to bug CSCvd78303.


There are no new features in this release.

New Features in ASA 9.4(3)/ASDM 7.6(1)

Released: April 25, 2016

Feature

Description

Firewall Features

Connection holddown timeout for route convergence

You can now configure how long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the connection is freed. You can reduce the holddown timer to make route convergence happen more quickly. However, the 15-second default is appropriate for most networks to prevent route flapping.

We added the following command: timeout conn-holddown

We modified the following screen: Configuration > Firewall > Advanced > Global Timeouts

Remote Access Features

Configurable SSH encryption and HMAC algorithms

You can select the cipher modes the ASA uses for SSH management sessions and configure the HMAC and encryption algorithms for the various key exchange algorithms.

We introduced the following commands: ssh cipher encryption, ssh cipher integrity.

We introduced the following screen: Configuration > Device Management > Advanced > SSH Ciphers

Also available in 9.1(7).

HTTP redirect support for IPv6

When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent to an IPv6 address.

We added functionality to the following command: http redirect

We added functionality to the following screen: Configuration > Device Management > HTTP Redirect

Also available in 9.1(7).

Monitoring Features

SNMP engineID sync for Failover

In a failover pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID.

An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running-config output will show two engineIDs per user.

We modified the following command: snmp-server user

No ASDM support.

show tech-support enhancements

The show tech-support command now:

  • Includes dir all-filesystems output—This output can be helpful in the following cases:

    • SSL VPN configuration: check if the required resources are on the ASA

    • Crash: check for the date timestamp and presence of a crash file

  • Removes the show kernel cgroup-controller detail output—This command output will remain in the output of show tech-support detail.

We modified the following command: show tech-support

We did not add or modify any screens.

Also available in 9.1(7).

Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB

The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.

Note 

The CISCO-ENHANCED-MEMPOOL-MIB uses 64-bit counters and supports reporting of memory on platforms with more than 4GB of RAM.

We did not add or modify any commands.

We did not add or modify any screens.

Also available in 9.1(7).

New Features in ASA 9.4(2.145)/ASDM 7.5(1)

Released: November 13, 2015

There are no new features in this release.

Note

This release supports only the Firepower 9300 ASA security module.


New Features in ASA 9.4(2)/ASDM 7.5(1)

Released: September 24, 2015

There are no new features in this release.

Note

ASAv 9.4(1.200) features are not included in this release.


Note

This version does not support the ISA 3000.


New Features in ASA 9.4(1.225)/ASDM 7.5(1)

Released: September 17, 2015

Note

This release supports only the Cisco ISA 3000.


Feature

Description

Platform Features

Cisco ISA 3000 Support

The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model comes with the ASA Firepower module pre-installed. Special features for this model include a customized transparent mode default configuration, as well as a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power.

We introduced the following commands: hardware-bypass, hardware-bypass manual, hardware-bypass boot-delay, show hardware-bypass

We introduced the following screen: Configuration > Device Management > Hardware Bypass

The hardware-bypass boot-delay command is not available in ASDM 7.5(1).

This feature is not available in Version 9.5(1).

New Features in ASA 9.4(1.152)/ASDM 7.4(3)

Released: July 13, 2015

Note

This release supports only the ASA on the Firepower 9300.


Feature

Description

Platform Features

ASA security module on the Firepower 9300

We introduced the ASA security module on the Firepower 9300.

Note 

Firepower Chassis Manager 1.1.1 does not support any VPN features (site-to-site or remote access) for the ASA security module on the Firepower 9300.

High Availability Features

Intra-chassis ASA Clustering for the Firepower 9300

You can cluster up to 3 security modules within the Firepower 9300 chassis. All modules in the chassis must belong to the cluster.

We introduced the following commands: cluster replication delay, debug service-module, management-only individual, show cluster chassis

We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster Replication

Licensing Features

Cisco Smart Software Licensing for the ASA on the Firepower 9300

We introduced Smart Software Licensing for the ASA on the Firepower 9300.

We introduced the following commands: feature strong-encryption, feature mobile-sp, feature context

We modified the following screen: Configuration > Device Management > Licensing > Smart License

New Features in ASAv 9.4(1.200)/ASDM 7.4(2)

Released: May 12, 2015

Note

This release supports only the ASAv.


Feature

Description

Platform Features

ASAv on VMware no longer requires vCenter support

You can now install the ASAv on VMware without vCenter using the vSphere client or the OVFTool using a Day 0 configuration.

ASAv on Amazon Web Services (AWS)

You can now use the ASAv with Amazon Web Services (AWS) and the Day 0 configuration.

Note 

Amazon Web Services only supports models ASAv10 and ASAv30.

New Features in ASDM 7.4(2)

Released: May 6, 2015

Feature

Description

Remote Access Features

AnyConnect Version 4.1 support

ASDM now supports AnyConnect Version 4.1.

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile (a new profile called AMP Enabler Service Profile)

New Features in ASA 9.4(1)/ASDM 7.4(1)

Released: March 30, 2015

Feature

Description

Platform Features

ASA 5506W-X, ASA 5506H-X, ASA 5508-X, ASA 5516-X

We introduced the ASA 5506W-X with wireless access point, hardened ASA 5506H-X, ASA 5508-X, and ASA 5516-X models.

We introduced the following command: hw-module module wlan recover image.

We did not modify any ASDM screens.

Certification Features

Department of Defense Unified Capabilities Requirements (UCR) 2013 Certification

The ASA was updated to comply with the DoD UCR 2013 requirements. See the rows in this table for the following features that were added for this certification:

  • Periodic certificate authentication

  • Certificate expiration alerts

  • Enforcement of the basic constraints CA flag

  • ASDM Username From Certificate Configuration

  • ASDM management authorization

  • IKEv2 invalid selectors notification configuration

  • IKEv2 pre-shared key in Hex

FIPS 140-2 Certification compliance updates

When you enable FIPS mode on the ASA, additional restrictions are put in place for the ASA to be FIPS 140-2 compliant. Restrictions include:

  • RSA and DH Key Size Restrictions—Only RSA and DH keys 2K (2048 bits) or larger are allowed. For DH, this means groups 1 (768 bit), 2 (1024 bit), and 5 (1536 bit) are not allowed.

    Note 

    The key size restrictions disable use of IKEv1 with FIPS.

  • Restrictions on the Hash Algorithm for Digital Signatures—Only SHA256 or better is allowed.

  • SSH Cipher Restrictions—Allowed ciphers: aes128-cbc or aes256-cbc. MACs: SHA1

To see the FIPS certification status for the ASA, see:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf

This PDF is updated weekly.

See the Computer Security Division Computer Security Resource Center site for more information:

http://csrc.nist.gov/groups/STM/cmvp/inprocess.html

We modified the following command: fips enable

Firewall Features

Improved SIP inspection performance on multi-core ASAs.

If you have multiple SIP signaling flows going through an ASA with multiple cores, SIP inspection performance has been improved. However, you will not see improved performance if you are using a TLS, phone, or IME proxy.

We did not modify any commands.

We did not modify any screens.

SIP inspection support for Phone Proxy and UC-IME Proxy was removed.

You can no longer use Phone Proxy or UC-IME Proxy when configuring SIP inspection. Use TLS Proxy to inspect encrypted traffic.

We removed the following commands: phone-proxy, uc-ime. We removed the phone-proxy and uc-ime keywords from the inspect sip command.

We removed Phone Proxy and UC-IME Proxy from the Select SIP Inspect Map service policy dialog box.

DCERPC inspection support for ISystemMapper UUID message RemoteGetClassObject opnum3.

The ASA started supporting non-EPM DCERPC messages in release 8.3, supporting the ISystemMapper UUID message RemoteCreateInstance opnum4. This change extends support to the RemoteGetClassObject opnum3 message.

We did not modify any commands.

We did not modify any screens.

Unlimited SNMP server trap hosts per context

The ASA supports an unlimited number of SNMP server trap hosts per context. The show snmp-server host command output displays only the active hosts that are polling the ASA, as well as the statically configured hosts.

We modified the following command: show snmp-server host.

We did not modify any screens.

VXLAN packet inspection

The ASA can inspect the VXLAN header to enforce compliance with the standard format.

We introduced the following command: inspect vxlan.

We modified the following screen: Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > Protocol Inspection

DHCP monitoring for IPv6

You can now monitor DHCP statistics and DHCP bindings for IPv6.

We introduced the following screens:

Monitoring > Interfaces > DHCP > IPV6 DHCP Statistics
Monitoring > Interfaces > DHCP > IPV6 DHCP Binding.

ESMTP inspection change in default behavior for TLS sessions.

The default for ESMTP inspection was changed to allow TLS sessions, which are not inspected. However, this default applies only to new or reimaged systems. If you upgrade a system whose configuration includes no allow-tls, the command is not changed.

The change in default behavior was also made in these older versions: 8.4(7.25), 8.5(1.23), 8.6(1.16), 8.7(1.15), 9.0(4.28), 9.1(6.1), 9.2(3.2), 9.3(1.2), 9.3(2.2).

High Availability Features

Blocking syslog generation on a standby ASA

You can now block specific syslogs from being generated on a standby unit.

We introduced the following command: no logging message syslog-id standby.

We did not modify any screens.

Enable and disable ASA cluster health monitoring per interface

You can now enable or disable health monitoring per interface. Health monitoring is enabled by default on all port-channel, redundant, and single physical interfaces. Health monitoring is not performed on VLAN subinterfaces or virtual interfaces such as VNIs or BVIs. You cannot configure monitoring for the cluster control link; it is always monitored. You might want to disable health monitoring of non-essential interfaces, for example, the management interface.

We introduced the following command: health-check monitor-interface.

We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring

ASA clustering support for DHCP relay

You can now configure DHCP relay on the ASA cluster. Client DHCP requests are load-balanced to the cluster members using a hash of the client MAC address. DHCP client and server functions are still not supported.

We introduced the following command: debug cluster dhcp-relay

We did not modify any screens.

SIP inspection support in ASA clustering

You can now configure SIP inspection on the ASA cluster. A control flow can be created on any unit (due to load balancing), but its child data flows must reside on the same unit. TLS Proxy configuration is not supported.

We introduced the following command: show cluster service-policy

We did not modify any screens.

Routing Features

Policy Based Routing

Policy Based Routing (PBR) is a mechanism by which traffic is routed through specific paths with a specified QoS using ACLs. ACLs let traffic be classified based on the content of the packet’s Layer 3 and Layer 4 headers. This solution lets administrators provide QoS to differentiated traffic, distribute interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost switched paths, and allows Internet service providers and other organizations to route traffic originating from various sets of users through well-defined Internet connections.

We introduced the following commands: set ip next-hop verify-availability, set ip next-hop, set ip next-hop recursive, set interface, set ip default next-hop, set default interface, set ip df, set ip dscp, policy-route route-map, show policy-route, debug policy-route

We introduced or modified the following screens:

Configuration > Device Setup > Routing > Route Maps > Policy Based Routing
Configuration > Device Setup > Routing > Interface Settings > Interfaces.

Interface Features

VXLAN support

VXLAN support was added, including VXLAN tunnel endpoint (VTEP) support. You can define one VTEP source interface per ASA or security context.

We introduced the following commands: debug vxlan, default-mcast-group, encapsulation vxlan, inspect vxlan, interface vni, mcast-group, nve, nve-only, peer ip, segment-id, show arp vtep-mapping, show interface vni, show mac-address-table vtep-mapping, show nve, show vni vlan-mapping, source-interface, vtep-nve, vxlan port

We introduced the following screens:

Configuration > Device Setup > Interface Settings > Interfaces > Add > VNI Interface
Configuration > Device Setup > Interface Settings > VXLAN

Monitoring Features

Memory tracking for the EEM

We have added a new debugging feature to log memory allocations and memory usage, and to respond to memory logging wrap events.

We introduced or modified the following commands: memory logging, show memory logging, show memory logging include, event memory-logging-wrap

We modified the following screen: Configuration > Device Management > Advanced > Embedded Event Manager > Add Event Manager Applet > Add Event Manager Applet Event

Troubleshooting crashes

The show tech-support command output and show crashinfo command output includes the most recent 50 lines of generated syslogs. Note that you must enable the logging buffer command to enable these results to appear.

Remote Access Features

Support for ECDHE-ECDSA ciphers

TLSv1.2 added support for the following ciphers:

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • DHE-RSA-AES256-GCM-SHA384

  • AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • DHE-RSA-AES128-GCM-SHA256

  • RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

    Note 

    ECDSA and DHE ciphers are the highest priority.

We introduced the following command: ssl ecdh-group.

We modified the following screen: Configuration > Remote Access VPN > Advanced > SSL Settings.

Clientless SSL VPN session cookie access restriction

You can now prevent a Clientless SSL VPN session cookie from being accessed by a third party through a client-side script such as JavaScript.

Note 

Use this feature only if Cisco TAC advises you to do so. Enabling this command presents a security risk because the following Clientless SSL VPN features will not work without any warning.

  • Java plug-ins

  • Java rewriter

  • Port forwarding

  • File browser

  • Sharepoint features that require desktop applications (for example, MS Office applications)

  • AnyConnect Web launch

  • Citrix Receiver, XenDesktop, and Xenon

  • Other non-browser-based and browser plugin-based applications

We introduced the following command: http-only-cookie.

We introduced the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > HTTP Cookie.

This feature is also in 9.2(3).

Virtual desktop access control using security group tagging

The ASA now supports security group tagging-based policy control for Clientless SSL remote access to internal applications and websites. This feature uses Citrix’s virtual desktop infrastructure (VDI) with XenDesktop as the delivery controller and the ASA’s content transformation engine.

See the following Citrix product documentation for more information:

OWA 2013 feature support has been added for Clientless SSL VPN

Clientless SSL VPN supports the new features in OWA 2013 except for the following:

  • Support for tablets and smartphones

  • Offline mode

  • Active Directory Federation Services (AD FS) 2.0. The ASA and AD FS 2.0 can't negotiate encryption protocols.

We did not modify any commands.

We did not modify any screens.

Citrix XenDesktop 7.5 and StoreFront 2.5 support has been added for Clientless SSL VPN

Clientless SSL VPN supports the access of XenDesktop 7.5 and StoreFront 2.5.

See http://support.citrix.com/proddocs/topic/xenapp-xendesktop-75/cds-75-about-whats-new.html for the full list of XenDesktop 7.5 features, and for more details.

See http://support.citrix.com/proddocs/topic/dws-storefront-25/dws-about.html for the full list of StoreFront 2.5 features, and for more details.

We did not modify any commands.

We did not modify any screens.

Periodic certificate authentication

When you enable periodic certificate authentication, the ASA stores certificate chains received from VPN clients and re-authenticates them periodically.

We introduced or modified the following commands: periodic-authentication certificate, revocation-check, show vpn-sessiondb

We modified the following screens:

Configuration > Device Management > Certificate Management > Identity Certificates
Configuration > Device Management > Certificate Management > CA Certificates

Certificate expiration alerts

The ASA checks all CA and ID certificates in the trust points for expiration once every 24 hours. If a certificate is nearing expiration, a syslog will be issued as an alert. You can configure the reminder and recurrence intervals. By default, reminders will start at 60 days prior to expiration and recur every 7 days.

We introduced or modified the following commands: crypto ca alerts expiration

We modified the following screens:

Configuration > Device Management > Certificate Management > Identity Certificates
Configuration > Device Management > Certificate Management > CA Certificates

Enforcement of the basic constraints CA flag

Certificates without the CA flag now cannot be installed on the ASA as CA certificates by default. The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate. You can configure the ASA to allow installation of these certificates if desired.

We introduced the following command: ca-check

We modified the following screens: Configuration > Device Management > Certificate Management > CA Certificates

IKEv2 invalid selectors notification configuration

Currently, if the ASA receives an inbound packet on an SA, and the packet’s header fields are not consistent with the selectors for the SA, then the ASA discards the packet. You can now enable or disable sending an IKEv2 notification to the peer. Sending this notification is disabled by default.

Note 

This feature is supported with AnyConnect 3.1.06060 and later.

We introduced the following command: crypto ikev2 notify invalid-selectors

IKEv2 pre-shared key in Hex

You can now configure the IKEv2 pre-shared keys in hex.

We introduced the following command: ikev2 local-authentication pre-shared-key hex, ikev2 remote-authentication pre-shared-key hex

Administrative Features

ASDM management authorization

You can now configure management authorization separately for HTTP access vs. Telnet and SSH access.

We introduced the following command: aaa authorization http console

We modified the following screen: Configuration > Device Management > Users/AAA > AAA Access > Authorization

ASDM Username From Certificate Configuration

When you enable ASDM certificate authentication (http authentication-certificate), you can configure how ASDM extracts the username from the certificate; you can also enable pre-filling the username at the login prompt.

We introduced the following command: http username-from-certificate

We introduced the following screen: Configuration > Device Management > Management Access > HTTP Certificate Rule.

terminal interactive command to enable or disable help when you enter ? at the CLI

Normally, when you enter ? at the ASA CLI, you see command help. To be able to enter ? as text within a command (for example, to include a ? as part of a URL), you can disable interactive help using the no terminal interactive command.

We introduced the following command: terminal interactive

REST API Features

REST API Version 1.1

We added support for the REST API Version 1.1.

Support for token-based authentication (in addition to existing basic authentication)

The client sends a log-in request to a specific URL; if the log-in succeeds, a token is returned in a response header. The client then presents this token in a dedicated request header on subsequent API calls. The token remains valid until it is explicitly invalidated or the idle/session timeout is reached.
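The exchange described above, as an added example that is not part of these release notes or of Cisco's REST API code: a Python client and a mock in-process server that together implement the token flow (log in once with basic authentication, receive the token in a response header, present it in a request header on later calls, and lose access after explicit invalidation or the idle timeout). The login path `/api/tokenservices`, the `X-Auth-Token` header name, the `/api/objects` path, the credentials and the one-second idle timeout are assumptions made for the demo, not values from the page.

```python
import base64
import hmac
import secrets
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumed names: the page gives neither the login URL nor the header name.
LOGIN_PATH = "/api/tokenservices"
TOKEN_HEADER = "X-Auth-Token"
IDLE_TIMEOUT_SEC = 1.0                               # shortened for the demo
DEMO_USER, DEMO_PASS = "apiuser", "demo-password"    # constructed credentials
_tokens, _lock = {}, threading.Lock()                # token -> time of last use

def touch_token(token):
    """True if the token is live; refreshes its idle timer, drops it if expired."""
    with _lock:
        last, now = _tokens.get(token), time.monotonic()
        if last is None or now - last > IDLE_TIMEOUT_SEC:
            _tokens.pop(token, None)
            return False
        _tokens[token] = now
        return True

def basic_auth_ok(header):
    """Validate 'Authorization: Basic ...' using constant-time comparisons."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (hmac.compare_digest(user.encode(), DEMO_USER.encode())
            and hmac.compare_digest(pw.encode(), DEMO_PASS.encode()))

class MockApi(BaseHTTPRequestHandler):
    # Server side: the log-in request issues a token; every other call must present it.
    def log_message(self, *args): pass               # keep the demo quiet

    def _reply(self, status, token=None):
        self.send_response(status)
        if token:
            self.send_header(TOKEN_HEADER, token)    # token travels in a response header
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_POST(self):                               # log-in request with basic auth
        if not basic_auth_ok(self.headers.get("Authorization")):
            return self._reply(401)
        token = secrets.token_urlsafe(32)            # 256 bits of randomness
        with _lock:
            _tokens[token] = time.monotonic()
        self._reply(204, token)

    def do_DELETE(self):                             # explicit invalidation of a token
        token = self.path[len(LOGIN_PATH) + 1:] if self.path.startswith(LOGIN_PATH + "/") else ""
        with _lock:
            revoked = _tokens.pop(token, None) is not None
        self._reply(204 if revoked else 404)

    def do_GET(self):                                # any other API call needs a live token
        self._reply(200 if touch_token(self.headers.get(TOKEN_HEADER, "")) else 401)

def start_server():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), MockApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def _send(req):
    try:
        with urlopen(req) as resp:
            return resp.status, resp.headers
    except HTTPError as err:
        return err.code, err.headers

def login(base, user, pw):
    # Client side: send credentials once; returns the token, or None on failure.
    cred = base64.b64encode(f"{user}:{pw}".encode()).decode()
    status, headers = _send(Request(base + LOGIN_PATH, data=b"", method="POST",
                                    headers={"Authorization": "Basic " + cred}))
    return headers.get(TOKEN_HEADER) if status == 204 else None

def api_status(base, token, path="/api/objects"):    # path is a stand-in for any API call
    return _send(Request(base + path, headers={TOKEN_HEADER: token}))[0]

def logout(base, token):
    return _send(Request(f"{base}{LOGIN_PATH}/{token}", method="DELETE"))[0]

def demo():
    srv, base = start_server()
    try:
        tok = login(base, DEMO_USER, DEMO_PASS)
        live = api_status(base, tok)                 # 200
        logout(base, tok)
        after_logout = api_status(base, tok)         # 401: explicitly invalidated
        tok2 = login(base, DEMO_USER, DEMO_PASS)
        time.sleep(IDLE_TIMEOUT_SEC + 0.5)
        return live, after_logout, api_status(base, tok2)   # 401: idle timeout reached
    finally:
        srv.shutdown(); srv.server_close()
```

Running `demo()` walks through the three states the passage names: a live token is accepted, an explicitly invalidated token is rejected, and a token that sat idle past the timeout is rejected. The server refreshes the idle timer on every successful use, so the credentials are sent exactly once per session and the token, not the password, is what later calls carry.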

Limited multiple-context support

The REST API agent can now be enabled in multi-context mode; the CLI commands can be issued only in system-context mode (same commands as single-context mode).

Pass-through CLI API commands can be used to configure any context, as follows.


https://<asa_admin_context_ip>/api/cli?context=<context_name>

If the context parameter is not present, it is assumed that the request is directed to the admin context.

Advanced (granular) inspection

Granular inspection of these protocols is supported:

  • DNS over UDP

  • HTTP

  • ICMP

  • ICMP ERROR

  • RTSP

  • SIP

  • FTP

  • DCERPC

  • IP Options

  • NetBIOS Name Server over IP

  • SQL*Net

New Features in Version 9.3

New Features in ASA 9.3(3)/ASDM 7.4(1)

Released: April 22, 2015

Feature

Description

Platform Features

Show invalid usernames in syslog messages

You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.

We introduced the following command: no logging hide username

This feature is not supported in ASDM.

This feature is not available in 9.4(1).

New Features in ASA 9.3(2)/ASDM 7.3(3)

Released: February 2, 2015

Feature

Description

Platform Features

ASA FirePOWER software module for the ASA 5506-X

You can configure ASA FirePOWER on the ASA 5506-X using ASDM; a separate FireSIGHT Management Center is not required, although you can use one instead of ASDM.

We introduced the following screens:

Home > ASA FirePOWER Dashboard


Home > ASA FirePOWER Reporting


Configuration > ASA FirePOWER Configuration


Monitoring > ASA FirePOWER Monitoring

New Features in ASA 9.3(2.200)/ASDM 7.3(2)

Released: December 18, 2014

Note

This release supports only the ASAv.


Feature

Description

Platform Features

ASAv with KVM and Virtio

You can deploy the ASAv using the Kernel-based Virtual Machine (KVM) and the Virtio virtual interface driver.

New Features in ASA 9.3(2)/ASDM 7.3(2)

Released: December 18, 2014

Feature

Description

Platform Features

ASA 5506-X

We introduced the ASA 5506-X.

We introduced or modified the following commands: service sw-reset-button, upgrade rommon, show environment temperature accelerator

ASA FirePOWER software module for the ASA 5506-X

You can configure ASA FirePOWER on the ASA 5506-X using ASDM; a separate FireSIGHT Management Center is not required, although you can use one instead of ASDM. Note: This feature requires ASA 7.3(3).

We introduced the following screens:

Home > ASA FirePOWER Dashboard


Home > ASA FirePOWER Reporting


Configuration > ASA FirePOWER Configuration


Monitoring > ASA FirePOWER Monitoring

ASA FirePOWER passive monitor-only mode using traffic redirection interfaces

You can now configure a traffic forwarding interface to send traffic to the module instead of using a service policy. In this mode, neither the module nor the ASA affects the traffic.

We now fully support the following command: traffic-forward sfr monitor-only. You can configure this in the CLI only.

Mixed level SSPs in the ASA 5585-X

You can now use the following mixed level SSPs in the ASA 5585-X:

  • ASA SSP-10/ASA FirePOWER SSP-40

  • ASA SSP-20/ASA FirePOWER SSP-60

Requirements: ASA SSP in slot 0, ASA FirePOWER SSP in slot 1

ASA REST API 1.0.1

A REST API was added to support configuring and managing major functions of the ASA.

We introduced or modified the following commands: rest-api image, rest-api agent, show rest-api agent, debug rest-api, show version

Support for ASA image signing and verification

ASA images are now signed using a digital signature. The digital signature is verified after the ASA is booted.

We introduced the following commands: copy /noverify, verify /image-signature, show software authenticity keys, show software authenticity file, show software authenticity running, show software authenticity development, software authenticity development, software authenticity key add special, software authenticity key revoke special

This feature is not supported in ASDM.

Accelerated security path load balancing

The accelerated security path (ASP) load balancing mechanism reduces packet drop and improves throughput by allowing multiple cores of the CPU to receive packets from an interface receive ring and work on them independently.

We introduced the following command: asp load-balance per-packet-auto

We introduced the following screen: Configuration > Device Management > Advanced > ASP Load Balancing

Firewall Features

Configuration session for editing ACLs and objects.

Forward referencing of objects and ACLs in access rules.

You can now edit ACLs and objects in an isolated configuration session. You can also forward reference objects and ACLs, that is, configure rules and access groups for objects or ACLs that do not yet exist.

We introduced the following commands: clear configuration session, clear session, configure session, forward-reference, show configuration session

This feature is not supported in ASDM.

SIP support for Trust Verification Services, NAT66, CUCM 10.5(1), and model 8831 phones.

You can now configure Trust Verification Services servers in SIP inspection. You can also use NAT66. SIP inspection has been tested with CUCM 10.5(1).

We introduced the following command: trust-verification-server.

We introduced the following screen: Configuration > Firewall > Objects > Inspection Maps > SIP > Add/Edit SIP Inspect Map > Details > TVS Server

Unified Communications support for CUCM 10.5(1)

SIP and SCCP inspections were tested and verified with Cisco Unified Communications Manager 10.5(1).

Remote Access Features

Browser support for Citrix VDI

We now support an HTML 5-based browser solution for accessing the Citrix VDI, without requiring the Citrix Receiver client on the desktop.

Clientless SSL VPN for Mac OSX 10.9

We now support Clientless SSL VPN features such as the rewriter, smart tunnels, and plugins on all browsers that are supported on Mac OSX 10.9.

Interoperability with standards-based, third-party, IKEv2 remote access clients

We now support VPN connectivity via standards-based, third-party, IKEv2 remote-access clients (in addition to AnyConnect). Authentication support includes preshared keys, certificates, and user authentication via the Extensible Authentication Protocol (EAP).

We introduced or modified the following commands: ikev2 remote-authentication, ikev2 local-authentication, clear vpn-sessiondb, show vpn-sessiondb, vpn-sessiondb logoff

We introduced or modified the following screens:

Wizards > IPsec IKEv2 Remote Access Wizard.

Configuration > Remote Access VPN > Network (Client) Access > IPsec (IKEv2) Connection Profiles


Configuration > Remote Access VPN > Network (Client) Access > IPsec (IKEv2) Connection Profiles > Add/Edit > Advanced > IPsec


Monitoring > VPN > VPN Statistics > Sessions

Transport Layer Security (TLS) version 1.2 support

We now support TLS version 1.2 for secure message transmission for ASDM, Clientless SSL VPN, and AnyConnect VPN.

We introduced or modified the following commands: ssl client-version, ssl server-version, ssl cipher, ssl trust-point, ssl dh-group, show ssl, show ssl cipher, show vpn-sessiondb

We deprecated the following command: ssl encryption

We modified the following screens:

Configuration > Device Management > Advanced > SSL Settings


Configuration > Remote Access VPN > Advanced > SSL Settings

AnyConnect 4.0 support for TLS version 1.2

AnyConnect 4.0 now supports TLS version 1.2 with the following four additional cipher suites: DHE-RSA-AES256-SHA256, DHE-RSA-AES128-SHA256, AES256-SHA256, and AES128-SHA256.

Licensing Features

Cisco Smart Software Licensing for the ASAv

Smart Software Licensing lets you purchase and manage a pool of licenses. Unlike PAK licenses, smart licenses are not tied to a specific serial number. You can easily deploy or retire ASAvs without having to manage each unit’s license key. Smart Software Licensing also lets you see your license usage and needs at a glance.

We introduced the following commands: clear configure license, debug license agent, feature tier, http-proxy, license smart, license smart deregister, license smart register, license smart renew, show license, show running-config license, throughput level

We introduced or modified the following screens:

Configuration > Device Management > Licensing > Smart License


Configuration > Device Management > Smart Call-Home


Monitoring > Properties > Smart License

High Availability Features

Lock configuration changes on the standby unit or standby context in a failover pair

You can now lock configuration changes on the standby unit (Active/Standby failover) or the standby context (Active/Active failover) so you cannot make changes on the standby unit outside normal configuration syncing.

We introduced the following command: failover standby config-lock

We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup

ASA clustering inter-site deployment in transparent mode with the ASA cluster firewalling between inside networks

You can now deploy a cluster in transparent mode between inside networks and the gateway router at each site (AKA East-West insertion), and extend the inside VLANs between sites. We recommend using Overlay Transport Virtualization (OTV), but you can use any method that ensures that the overlapping MAC Addresses and IP addresses of the gateway router do not leak between sites. Use a First Hop Redundancy Protocol (FHRP) such as HSRP to provide the same virtual MAC and IP addresses to the gateway routers.

Interface Features

Traffic Zones

You can group interfaces together into a traffic zone to accomplish traffic load balancing (using Equal Cost Multi-Path (ECMP) routing), route redundancy, and asymmetric routing across multiple interfaces.

Note 

You cannot apply a security policy to a named zone; the security policy is interface-based. When interfaces in a zone are configured with the same access rule, NAT, and service policy, then load-balancing and asymmetric routing operate correctly.

We introduced or modified the following commands: zone, zone-member, show running-config zone, clear configure zone, show zone, show asp table zone, show nameif zone, show conn long, show local-host zone, show route zone, show asp table routing, clear conn zone, clear local-host zone

We introduced or modified the following screens:

Configuration > Device Setup > Interface Parameters > Zones


Configuration > Device Setup > Interface Parameters > Interfaces

Routing Features

BGP support for IPv6

We added support for IPv6.

We introduced or modified the following commands: address-family ipv6, bgp router-id, ipv6 prefix-list, ipv6 prefix-list description, ipv6 prefix-list sequence-number, match ipv6 next-hop, match ipv6 route-source, match ipv6-address prefix-list, set ipv6-address prefix-list, set ipv6 next-hop, set ipv6 next-hop peer-address

We introduced the following screen: Configuration > Device Setup > Routing > BGP > IPv6 Family

Monitoring Features

SNMP MIBs and traps

The CISCO-PRODUCTS-MIB and CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support the new ASA 5506-X.

The ASA 5506-X has been added as a new product to the SNMP sysObjectID OID and entPhysicalVendorType OID.

The ASA now supports the CISCO-CONFIG-MAN-MIB, which enables you to do the following:

  • Know which commands have been entered for a specific configuration.

  • Notify the NMS when a change has occurred in the running configuration.

  • Track the time stamps associated with the last time that the running configuration was changed or saved.

  • Track other changes to commands, such as terminal details and command sources.

We modified the following command: snmp-server enable traps

We modified the following screen: Configuration > Device Management > Management Access > SNMP > Configure Traps > SNMP Trap Configuration

Showing route summary information for troubleshooting

The show route-summary command output has been added to the show tech-support detail command.

Management Features

System backup and restore

We now support complete system backup and restoration using the CLI.

We introduced the following commands: backup, restore

We did not modify any screens. This functionality is already available in ASDM.

New Features in ASA 9.3(1)/ASDM 7.3(1)

Released: July 24, 2014

Note

The ASA 5505 is not supported in this release or later. ASA Version 9.2 was the final release for the ASA 5505.


Feature

Description

Firewall Features

SIP, SCCP, and TLS Proxy support for IPv6

You can now inspect IPv6 traffic when using SIP, SCCP, and TLS Proxy (using SIP or SCCP).

We did not modify any commands.

We did not modify any ASDM screens.

Support for Cisco Unified Communications Manager 8.6

The ASA now interoperates with Cisco Unified Communications Manager Version 8.6 (including SCCPv21 support).

We did not modify any commands.

We did not modify any ASDM screens.

Transactional Commit Model on rule engine for access groups and NAT

When enabled, a rule update is applied only after the rule compilation is completed, without affecting rule matching performance.

We introduced the following commands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit

We introduced the following screen: Configuration > Device Management > Advanced > Rule Engine

Remote Access Features

XenDesktop 7 Support for clientless SSL VPN

We added support for XenDesktop 7 to clientless SSL VPN. When creating a bookmark with auto sign-on, you can now specify a landing page URL or a Control ID.

We did not modify any commands.

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks

AnyConnect Custom Attribute Enhancements

Custom attributes define and configure AnyConnect features that have not been incorporated into the ASA, such as Deferred Upgrade. Custom attribute configuration has been enhanced to allow multiple values and longer values, and now requires a specification of their type, name and value. They can now be added to Dynamic Access Policies as well as Group Policies. Previously defined custom attributes will be updated to this enhanced configuration format upon upgrade to 9.3.x.

We introduced or modified the following commands: anyconnect-custom-attr, anyconnect-custom-data, and anyconnect-custom

We introduced or modified the following screens:

Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attributes


Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attribute Names


Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add/Edit > Advanced > AnyConnect Client > Custom Attributes


Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add/Edit > AnyConnect Custom Attributes

AnyConnect Identity Extensions (ACIDex) for Desktop Platforms

ACIDex, also known as AnyConnect Endpoint Attributes or Mobile Posture, is the method used by the AnyConnect VPN client to communicate posture information to the ASA. Dynamic Access Policies use these endpoint attributes to authorize users.

The AnyConnect VPN client now provides Platform identification for the desktop operating systems (Windows, Mac OS X, and Linux) and a pool of MAC Addresses which can be used by DAPs.

We did not modify any commands.

We modified the following screen: Configuration > Remote Access VPN > Dynamic Access Policies > Add/Edit > Add/Edit (endpoint attribute), select AnyConnect for the Endpoint Attribute Type. Additional operating systems are in the Platform drop-down list and MAC Address has changed to Mac Address Pool.

TrustSec SGT Assignment for VPN

TrustSec Security Group Tags (SGT) can now be added to the SGT-IP table on the ASA when a remote user connects.

We introduced the following new command: security-group-tag value

We introduced or modified the following screens:

Configuration > Remote Access VPN > AAA/Local Users > Local Users > Edit User > VPN Policy


Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add a Policy

High Availability Features

Improved support for monitoring module health in clustering

We added improved support for monitoring module health in clustering.

We modified the following command: show cluster info health

We did not modify any ASDM screens.

Disable health monitoring of a hardware module

By default, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.

We modified the following command: monitor-interface service-module

We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Interfaces

Platform Features

ASP Load Balancing

The new auto option in the asp load-balance per-packet command enables the ASA to adaptively switch ASP load balancing per-packet on and off on each interface receive ring. This automatic mechanism detects whether or not asymmetric traffic has been introduced and helps avoid the following issues:

  • Overruns caused by sporadic traffic spikes on flows

  • Overruns caused by bulk flows oversubscribing specific interface receive rings

  • Overruns caused by relatively heavily overloaded interface receive rings, in which a single core cannot sustain the load

We introduced or modified the following commands: asp load-balance per-packet auto, show asp load-balance per-packet, show asp load-balance per-packet history, and clear asp load-balance history

We did not modify any ASDM screens.

SNMP MIBs

The CISCO-REMOTE-ACCESS-MONITOR-MIB now supports the ASASM.

Interface Features

Transparent mode bridge group maximum increased to 250

The bridge group maximum was increased from 8 to 250 bridge groups. You can configure up to 250 bridge groups in single mode or per context in multiple mode, with 4 interfaces maximum per bridge group.

We modified the following commands: interface bvi, bridge-group

We modified the following screens:

Configuration > Device Setup > Interfaces


Configuration > Device Setup > Interfaces > Add/Edit Bridge Group Interface


Configuration > Device Setup > Interfaces > Add/Edit Interface

Routing Features

BGP support for ASA clustering

We added support for BGP with ASA clustering.

We introduced the following new command: bgp router-id clusterpool

We modified the following screen: Configuration > Device Setup > Routing > BGP > IPv4 Family > General

BGP support for nonstop forwarding

We added support for BGP Nonstop Forwarding.

We introduced the following new commands: bgp graceful-restart, neighbor ha-mode graceful-restart

We modified the following screens:

Configuration > Device Setup > Routing > BGP > General


Configuration > Device Setup > Routing > BGP > IPv4 Family > Neighbor


Monitoring > Routing > BGP Neighbors

BGP support for advertised maps

We added support for BGPv4 advertised map.

We introduced the following new command: neighbor advertise-map

We modified the following screen: Configuration > Device Setup > Routing > BGP > IPv4 Family > Neighbor > Add BGP Neighbor > Routes

OSPF Support for Non-Stop Forwarding (NSF)

OSPFv2 and OSPFv3 support for NSF was added.

We added the following commands: capability, nsf cisco, nsf cisco helper, nsf ietf, nsf ietf helper, nsf ietf helper strict-lsa-checking, graceful-restart, graceful-restart helper, graceful-restart helper strict-lsa-checking

We added the following screens:

Configuration > Device Setup > Routing > OSPF > Setup > NSF Properties

Configuration > Device Setup > Routing > OSPFv3 > Setup > NSF Properties

AAA Features

Layer 2 Security Group Tag Imposition

You can now use security group tagging combined with Ethernet tagging to enforce policies. SGT plus Ethernet Tagging, also called Layer 2 SGT Imposition, enables the ASA to send and receive security group tags on Gigabit Ethernet interfaces using Cisco proprietary Ethernet framing (Ether Type 0x8909), which allows the insertion of source security group tags into plain-text Ethernet frames.

We introduced or modified the following commands: cts manual, policy static sgt, propagate sgt, cts role-based sgt-map, show cts sgt-map, packet-tracer, capture, show capture, show asp drop, show asp table classify, show running-config all, clear configure all, and write memory

We modified the following screens:

Configuration > Device Setup > Interfaces > Add Interface > Advanced


Configuration > Device Setup > Interfaces > Add Redundant Interface > Advanced


Configuration > Device Setup > Add Ethernet Interface > Advanced


Wizards > Packet Capture Wizard


Tools > Packet Tracer

Removal of AAA Windows NT domain authentication

We removed NTLM support for remote access VPN users.

We deprecated the following command: aaa-server protocol nt

We modified the following screen: Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups > Add AAA Server Group

ASDM Identity Certificate Wizard

When using the current Java version, the ASDM Launcher requires a trusted certificate. An easy approach to fulfill the certificate requirements is to install a self-signed identity certificate. The ASDM Identity Certificate Wizard makes creating a self-signed identity certificate easy. When you first launch ASDM and do not have a trusted certificate, you are prompted to launch ASDM with Java Web Start; this new wizard starts automatically. After creating the identity certificate, you need to register it with the Java Control Panel. See https://www.cisco.com/go/asdm-certificate for instructions.

We added the following screen: Wizards > ASDM Identity Certificate Wizard

Monitoring Features

Monitoring Aggregated Traffic for Physical Interfaces

The show traffic command output has been updated to include aggregated traffic for physical interfaces information. To enable this feature, you must first enter the sysopt traffic detailed-statistics command.

show tech support enhancements

The show tech support command now includes show resource usage count all 1 output, including information about xlates, conns, inspects, syslogs, and so on. This information is helpful for diagnosing performance issues.

We modified the following command: show tech support

We did not add or modify any screens.

ASDM can save Botnet Traffic Filter reports as HTML instead of PDF

ASDM can no longer save Botnet Traffic Filter reports as PDF files; it can instead save them as HTML.

The following screen was modified: Monitoring > Botnet Traffic Filter

New Features in Version 9.2

New Features in ASA 9.2(4)/ ASDM 7.4(3)

Released: July 16, 2015

Feature

Description

Platform Features

Show invalid usernames in syslog messages

You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.

We introduced the following command: no logging hide username

We modified the following screen: Configuration > Device Management > Logging > Syslog Setup

DHCP features

DHCP Relay server validates the DHCP Server Identifier for replies

If the ASA DHCP relay server receives a reply from an incorrect DHCP server, it now verifies that the reply is from the correct server before acting on the reply.

Monitoring Features

NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for Xlate count.

Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP.

This data is equivalent to the show xlate count command.

We did not modify any ASDM screens.

Also available in 8.4(5) and 9.1(5).

New Features in ASA 9.2(3)/ ASDM 7.3(1.101)

Released: December 15, 2014

Feature

Description

Remote Access Features

Clientless SSL VPN session cookie access restriction

You can now prevent a Clientless SSL VPN session cookie from being accessed by a third party through a client-side script such as JavaScript.

Note 

Use this feature only if Cisco TAC advises you to do so. Enabling this command presents a security risk because the following Clientless SSL VPN features will not work without any warning.

  • Java plug-ins

  • Java rewriter

  • Port forwarding

  • File browser

  • SharePoint features that require desktop applications (for example, MS Office applications)

  • AnyConnect Web launch

  • Citrix Receiver, XenDesktop, and Xenon

  • Other non-browser-based and browser plugin-based applications

We introduced the following command: http-only-cookie

We introduced the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > HTTP Cookie

New Features in ASA 9.2(2.4)/ASDM 7.2(2)

Released: August 12, 2014

Note

Version 9.2(2) was removed from Cisco.com due to build issues; please upgrade to Version 9.2(2.4) or later.


Feature

Description

Platform Features

ASA 5585-X (all models) support for the matching ASA FirePOWER SSP hardware module.

ASA 5512-X through ASA 5555-X support for the ASA FirePOWER software module.

The ASA FirePOWER module supplies next-generation firewall services, including Next-Generation IPS (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP). You can use the module in single or multiple context mode, and in routed or transparent mode.

We introduced or modified the following commands: capture interface asa_dataplane, debug sfr, hw-module module 1 reload, hw-module module 1 reset, hw-module module 1 shutdown, session do setup host ip, session do get-config, session do password-reset, session sfr, sfr, show asp table classify domain sfr, show capture, show conn, show module sfr, show service-policy, sw-module sfr.

We introduced the following screens:

Home > ASA FirePOWER Status

Wizards > Startup Wizard > ASA FirePOWER Basic Configuration

Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > ASA FirePOWER Inspection

Remote Access Features

Internet Explorer 11 browser support on Windows 8.1 and Windows 7 for clientless SSL VPN

We added support for Internet Explorer 11 with Windows 7 and Windows 8.1 for clientless SSL VPN.

We did not modify any commands.

We did not modify any screens.

New Features in ASA 9.2(1)/ASDM 7.2(1)

Released: April 24, 2014

Note

The ASA 5510, ASA 5520, ASA 5540, ASA 5550, and ASA 5580 are not supported in this release or later. ASA Version 9.1 was the final release for these models.


Feature

Description

Platform Features

The Cisco Adaptive Security Virtual Appliance (ASAv) has been added as a new platform to the ASA series.

The ASAv brings full firewall functionality to virtualized environments to secure data center traffic and multi-tenant environments. The ASAv runs on VMware vSphere. You can manage and monitor the ASAv using ASDM or the CLI.

Routing Features

BGP Support

We now support the Border Gateway Protocol (BGP). BGP is an inter-autonomous system routing protocol. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISPs).

We introduced the following commands: router bgp, bgp maxas-limit, bgp log-neighbor-changes, bgp transport path-mtu-discovery, bgp fast-external-fallover, bgp enforce-first-as, bgp asnotation dot, timers bgp, bgp default local-preference, bgp always-compare-med, bgp bestpath compare-routerid, bgp deterministic-med, bgp bestpath med missing-as-worst, policy-list, match as-path, match community, match metric, match tag, as-path access-list, community-list, address-family ipv4, bgp router-id, distance bgp, table-map, bgp suppress-inactive, bgp redistribute-internal, bgp scan-time, bgp nexthop, aggregate-address, neighbor, bgp inject-map, show bgp, show bgp cidr-only, show bgp all community, show bgp all neighbors, show bgp community, show bgp community-list, show bgp filter-list, show bgp injected-paths, show bgp ipv4 unicast, show bgp neighbors, show bgp paths, show bgp pending-prefixes, show bgp prefix-list, show bgp regexp, show bgp replication, show bgp rib-failure, show bgp route-map, show bgp summary, show bgp system-config, show bgp update-group, clear route network, maximum-path, network.

We modified the following commands: show route, show route summary, show running-config router, clear config router, clear route all, timers lsa arrival, timers pacing, timers throttle, redistribute bgp.

We introduced the following screens:


Configuration > Device Setup > Routing > BGP


Monitoring > Routing > BGP Neighbors, Monitoring > Routing > BGP Routes

We modified the following screens:

Configuration > Device Setup > Routing > Static Routes > Add > Add Static Route


Configuration > Device Setup > Routing > Route Maps > Add > Add Route Map

Static route for Null0 interface

Sending traffic to a Null0 interface results in dropping the packets destined to the specified network. This feature is useful in configuring Remotely Triggered Black Hole (RTBH) for BGP.

We modified the following command: route.

We modified the following screen: Configuration > Device Setup > Routing > Static Routes > Add > Add Static Route

OSPF support for Fast Hellos

OSPF now supports the Fast Hello Packets feature, which results in faster convergence in an OSPF network.

We modified the following command: ospf dead-interval

We modified the following screen: Configuration > Device Setup > Routing > OSPF > Interface > Edit OSPF Interface Advanced properties

New OSPF Timers

New OSPF timers were added; old ones were deprecated.

We introduced the following commands: timers lsa arrival, timers pacing, timers throttle.

We removed the following commands: timers spf, timers lsa-grouping-pacing

We modified the following screen: Configuration > Device Setup > Routing > OSPF > Setup > Edit OSPF Process Advanced Properties

OSPF Route filtering using ACL

Route filtering using ACL is now supported.

We introduced the following command: distribute-list

We introduced the following screen: Configuration > Device Setup > Routing > OSPF > Filtering Rules > Add Filter Rules

OSPF Monitoring enhancements

Additional OSPF monitoring information was added.

We modified the following commands: show ospf events, show ospf rib, show ospf statistics, show ospf border-routers [detail], show ospf interface brief

OSPF redistribute BGP

OSPF redistribution feature was added.

We added the following command: redistribute bgp

We added the following screen: Configuration > Device Setup > Routing > OSPF > Redistribution

EIGRP Auto-Summary

For EIGRP, the Auto-Summary field is now disabled by default.

We modified the following screen: Configuration > Device Setup > Routing > EIGRP > Setup > Edit EIGRP Process Advanced Properties

High Availability Features

Support for cluster members at different geographical locations (inter-site) for transparent mode

You can now place cluster members at different geographical locations when using Spanned EtherChannel mode in transparent firewall mode. Inter-site clustering with spanned EtherChannels in routed firewall mode is not supported.

We did not modify any commands.

We did not modify any ASDM screens.

Static LACP port priority support for clustering

Some switches do not support dynamic port priority with LACP (active and standby links). You can now disable dynamic port priority to provide better compatibility with spanned EtherChannels. You should also follow these guidelines:

  • Network elements on the cluster control link path should not verify the L4 checksum. Redirected traffic over the cluster control link does not have a correct L4 checksum. Switches that verify the L4 checksum could cause traffic to be dropped.

  • Port-channel bundling downtime should not exceed the configured keepalive interval.

We introduced the following command: clacp static-port-priority.

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

Support for 32 active links in a spanned EtherChannel for clustering

ASA EtherChannels now support up to 16 active links. With spanned EtherChannels, that functionality is extended to support up to 32 active links across the cluster when used with two switches in a vPC and when you disable dynamic port priority. The switches must support EtherChannels with 16 active links, for example, the Cisco Nexus 7000 with F2-Series 10 Gigabit Ethernet Module.

For switches in a VSS or vPC that support 8 active links, you can now configure 16 active links in the spanned EtherChannel (8 connected to each switch). Previously, the spanned EtherChannel only supported 8 active links and 8 standby links, even for use with a VSS/vPC.

Note 

If you want to use more than 8 active links in a spanned EtherChannel, you cannot also have standby links; the support for 9 to 32 active links requires you to disable cLACP dynamic port priority that allows the use of standby links.

We introduced the following command: clacp static-port-priority.

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster

Support for 16 cluster members for the ASA 5585-X

The ASA 5585-X now supports 16-unit clusters.

We did not modify any commands.

We did not modify any ASDM screens.

Support for clustering with the Cisco Nexus 9300

The ASA supports clustering when connected to the Cisco Nexus 9300.

Remote Access Features

ISE Change of Authorization

The ISE Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is established. When a policy changes for a user or user group in AAA, CoA packets can be sent directly to the ASA from the ISE to reinitialize authentication and apply the new policy. An Inline Posture Enforcement Point (IPEP) is no longer required to apply access control lists (ACLs) for each VPN session established with the ASA.

When an end user requests a VPN connection, the ASA authenticates the user to the ISE and receives a user ACL that provides limited access to the network. An accounting start message is sent to the ISE to register the session. Posture assessment occurs directly between the NAC agent and the ISE. This process is transparent to the ASA. The ISE sends a policy update to the ASA via a CoA “policy push.” This identifies a new user ACL that provides increased network access privileges. Additional policy evaluations may occur during the lifetime of the connection, transparent to the ASA, via subsequent CoA updates.

We introduced the following commands: dynamic-authorization, authorize-only, debug radius dynamic-authorization.

We modified the following commands: without-csd [anyconnect], interim-accounting-update [periodic [interval]].

We removed the following commands: nac-policy, eou, nac-settings.

We modified the following screen: Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups > Add/Edit AAA Server Group

Improved clientless rewriter HTTP 1.1 compression handling

The rewriter has been changed so that if the client supports compressed content and the content will not be rewritten, then it will accept compressed content from the server. If the content must be rewritten and it is identified as being compressed, it will be decompressed, rewritten, and if the client supports it, recompressed.

We did not introduce or modify any commands.

We did not introduce or modify any ASDM screens.

OpenSSL upgrade

The version of OpenSSL on the ASA will be updated to version 1.0.1e.

Note 

We disabled the heartbeat option, so the ASA is not vulnerable to the Heartbleed Bug.

We did not introduce or modify any commands.

We did not introduce or modify any ASDM screens.

Interface Features

Support for 16 active links in an EtherChannel

You can now configure up to 16 active links in an EtherChannel. Previously, you could have 8 active links and 8 standby links. Be sure your switch can support 16 active links (for example, the Cisco Nexus 7000 with F2-Series 10 Gigabit Ethernet Module).

Note 

If you upgrade from an earlier ASA version, the maximum number of active interfaces is set to 8 for compatibility purposes (the lacp max-bundle command).

We modified the following commands: lacp max-bundle and port-channel min-bundle.

We modified the following screen: Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface > Advanced.

Maximum MTU is now 9198 bytes

The maximum MTU that the ASA can use is 9198 bytes (check for your model’s exact limit at the CLI help). This value does not include the Layer 2 header. Formerly, the ASA let you specify the maximum MTU as 65535 bytes, which was inaccurate and could cause problems. If your MTU was set to a value higher than 9198, then the MTU is automatically lowered when you upgrade. In some cases, this MTU change can cause an MTU mismatch; be sure to set any connecting equipment to use the new MTU value.

We modified the following command: mtu

We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Edit Interface > Advanced

Also in Version 9.1(6).

Monitoring Features

Embedded Event Manager (EEM)

The EEM feature enables you to debug problems and provides general purpose logging for troubleshooting. The EEM responds to events in the EEM system by performing actions. There are two components: events that the EEM triggers, and event manager applets that define actions. You may add multiple events to each event manager applet, which triggers it to invoke the actions that have been configured on it.

We introduced or modified the following commands: event manager applet, description, event syslog id, event none, event timer, event crashinfo, action cli command, output, show running-config event manager, event manager run, show event manager, show counters protocol eem, clear configure event manager, debug event manager, debug menu eem.

We introduced the following screens: Configuration > Device Management > Advanced > Embedded Event Manager, Monitoring > Properties > EEM Applets.

SNMP hosts, host groups, and user lists

You can now add up to 4000 hosts. The number of supported active polling destinations is 128. You can specify a network object to indicate the individual hosts that you want to add as a host group. You can associate more than one user with one host.

We introduced or modified the following commands: snmp-server host-group, snmp-server user-list, show running-config snmp-server, clear configure snmp-server.

We modified the following screen: Configuration > Device Management > Management Access > SNMP.

SNMP message size

The limit on the message size that SNMP sends has been increased to 1472 bytes.

SNMP OIDs and MIBs

The ASA now supports the cpmCPUTotal5minRev OID.

The ASAv has been added as a new product to the SNMP sysObjectID OID and entPhysicalVendorType OID.

The CISCO-PRODUCTS-MIB and CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support the new ASAv platform.

Administrative Features

Improved one-time password authentication

Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command.

We modified the following command: aaa authorization exec.

We modified the following screen: Configuration > Device Management > Users/AAA > AAA Access > Authorization.

Auto Update Server certificate verification enabled by default

The Auto Update Server certificate verification is now enabled by default; for new configurations, you must explicitly disable certificate verification. If you are upgrading from an earlier release, and you did not enable certificate verification, then certificate verification is not enabled, and you see the following warning:

WARNING: The certificate provided by the auto-update servers will not be verified.
In order to verify this certificate please use the verify-certificate option.

The configuration will be migrated to explicitly configure no verification:

auto-update server no-verification

We modified the following command: auto-update server [verify-certificate | no-verification].

We modified the following screen: Configuration > Device Management > System/Image Configuration > Auto Update > Add Auto Update Server.

New Features in Version 9.1

New Features in ASA 9.1(7.4)/ASDM 7.5(2.153)

Released: February 19, 2016

Note

Version 9.1(7) was removed from Cisco.com due to build issues; please upgrade to Version 9.1(7.4) or later.


Feature

Description

Remote Access Features

Clientless SSL VPN session cookie access restriction

You can now prevent a Clientless SSL VPN session cookie from being accessed by a third party through a client-side script such as JavaScript.

Note 

Use this feature only if Cisco TAC advises you to do so. Enabling this command presents a security risk because the following Clientless SSL VPN features will not work without any warning.

  • Java plug-ins

  • Java rewriter

  • Port forwarding

  • File browser

  • SharePoint features that require desktop applications (for example, MS Office applications)

  • AnyConnect Web launch

  • Citrix Receiver, XenDesktop, and Xenon

  • Other non-browser-based and browser plugin-based applications

We introduced the following command: http-only-cookie.

We introduced the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > HTTP Cookie.

This feature is also in 9.2(3) and 9.4(1).

Configurable SSH encryption and HMAC algorithm

Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms.

We introduced the following commands: ssh cipher encryption and ssh cipher integrity.

No ASDM support.

Clientless SSL VPN cache disabled by default

The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN cache provides better stability. If you want to enable the cache, you must manually enable it:

webvpn
 cache
  no disable

We modified the following command: cache

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Content Cache

Also available in 9.5(2).

HTTP redirect support for IPv6

When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent to an IPv6 address.

We added functionality to the following command: http redirect

We added functionality to the following screen: Configuration > Device Management > HTTP Redirect

Administrative Features

show tech support enhancements

The show tech support command now:

  • Includes dir all-filesystems output—This output can be helpful in the following cases:

    • SSL VPN configuration: check if the required resources are on the ASA

    • Crash: check for the date timestamp and presence of a crash file

  • Includes show resource usage count all 1 output—Includes information about xlates, conns, inspects, syslogs, and so on. This information is helpful for diagnosing performance issues.

  • Removes the show kernel cgroup-controller detail output—This command output will remain in the output of show tech-support detail.

We modified the following command: show tech support

We did not add or modify any screens.

Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB

The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.

Note 

The CISCO-ENHANCED-MEMPOOL-MIB uses 64-bit counters and supports reporting of memory on platforms with more than 4GB of RAM.

We did not add or modify any commands.

We did not add or modify any screens.

New Features in ASA 9.1(6)/ASDM 7.1(7)

Released: March 2, 2015

Feature

Description

Interface Features

Maximum MTU is now 9198 bytes

The maximum MTU that the ASA can use is 9198 bytes (check for your model’s exact limit at the CLI help). This value does not include the Layer 2 header. Formerly, the ASA let you specify the maximum MTU as 65535 bytes, which was inaccurate and could cause problems. If your MTU was set to a value higher than 9198, then the MTU is automatically lowered when you upgrade. In some cases, this MTU change can cause an MTU mismatch; be sure to set any connecting equipment to use the new MTU value.

We modified the following command: mtu

We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Edit Interface > Advanced

New Features in ASA 9.1(5)/ASDM 7.1(6)

Released: March 31, 2014

Feature

Description

Administrative Features

Secure Copy client

The ASA now supports the Secure Copy (SCP) client to transfer files to and from an SCP server.

We introduced the following commands: ssh pubkey-chain, server (ssh pubkey-chain), key-string, key-hash, ssh stricthostkeycheck.

We modified the following command: copy scp.

We modified the following screens:

Tools > File Management > File Transfer > Between Remote Server and Flash
Configuration > Device Management > Management Access > File Access > Secure Copy (SCP) Server

Improved one-time password authentication

Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command.

We modified the following command: aaa authorization exec.

We modified the following screen: Configuration > Device Management > Users/AAA > AAA Access > Authorization.

Firewall Features

Transactional Commit Model on rule engine for access groups

When enabled, a rule update is applied only after rule compilation is complete, without affecting rule-matching performance.

We introduced the following commands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit.

We introduced the following screen: Configuration > Device Management > Advanced > Rule Engine.

Monitoring Features

SNMP hosts, host groups, and user lists

You can now add up to 4000 hosts. The number of supported active polling destinations is 128. You can specify a network object to indicate the individual hosts that you want to add as a host group. You can associate more than one user with one host.

We introduced or modified the following commands: snmp-server host-group, snmp-server user-list, show running-config snmp-server, clear configure snmp-server.

We modified the following screen: Configuration > Device Management > Management Access > SNMP.

NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for xlate count

Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP.

This data is equivalent to the show xlate count command.

We did not modify any ASDM screens.

Also available in 8.4(5).

Remote Access Features

AnyConnect DTLS Single session Performance Improvement

UDP traffic, such as streaming media, was being affected by a high number of dropped packets when sent over an AnyConnect DTLS connection. For example, this could result in streaming video playing poorly or ceasing to stream completely. The reason for this was the relatively small size of the flow-control queue.

We increased the DTLS flow-control queue size and offset this by reducing the admin crypto queue size. For TLS sessions, the priority of the crypto command was increased to high to compensate for this change. For both DTLS and TLS sessions, the session now persists even if packets are dropped. This prevents media streams from closing and ensures that the number of dropped packets is comparable with other connection methods.

We did not modify any commands.

We did not modify any ASDM screens.

Webtype ACL enhancements

We introduced URL normalization. URL normalization is an additional security feature that includes path normalization, case normalization, and scheme normalization. URLs specified in an ACE and in the portal address bar are normalized before they are compared, so that WebVPN traffic-filtering decisions are made on normalized URLs.

For example, if you have a bookmark for https://calo.cisco.com/checkout/Devices, a webtype ACL entry for https://calo.cisco.com/checkout/Devices/* seems to match it. However, now that URL normalization has been introduced, both the bookmark URL and the webtype ACL entry are normalized before comparison. In this example, https://calo.cisco.com/checkout/Devices is normalized to https://calo.cisco.com/checkout/Devices and https://calo.cisco.com/checkout/Devices/* stays the same, so the two do not match.

To permit both the bookmark and the contents of the folder, you must configure both of the following:

  • To permit the bookmark URL (https://calo.cisco.com/checkout/Devices), configure the ACL to permit that exact URL.

  • To permit the URLs within the Devices folder, configure the ACL to permit https://calo.cisco.com/checkout/Devices/*.

We did not modify any commands.

We did not modify any ASDM screens.
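The following Python script is an added example and is not part of these release notes or of the ASA software. It models the behavior described above: both the ACE and the requested URL are normalized (path, case, and scheme) and only then compared, with * as the wildcard. The concrete normalization rules it applies (percent-decoding, resolving . and .. segments, lowercasing the scheme and host, dropping the default port) are assumptions chosen to illustrate why https://calo.cisco.com/checkout/Devices does not match https://calo.cisco.com/checkout/Devices/*, and why an obfuscated path such as /checkout/./Devices/../Admin/ cannot slip past an ACE that only permits the Devices folder; they are not Cisco's documented algorithm.

```python
"""Illustrative webtype-ACL URL normalization and matching.

Added example, not ASA code. Normalization rules are assumptions made for
illustration; the ASA's exact rules are not documented on this page.
"""
import fnmatch
from urllib.parse import unquote, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_path(path: str) -> str:
    """Path normalization: percent-decode, then resolve '.' and '..' segments
    and drop empty segments, so encoded or dotted spellings of the same
    resource compare equal. A trailing slash is preserved because a folder
    reference is not the same resource as a file reference."""
    segments = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    norm = "/" + "/".join(segments)
    if path.endswith("/") and norm != "/":
        norm += "/"
    return norm


def normalize_url(url: str) -> str:
    """Scheme and case normalization: lowercase scheme and host, drop the
    scheme's default port, discard the fragment. The path keeps its case
    (assumption: web servers treat paths as case-sensitive)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or DEFAULT_PORTS.get(scheme) == port:
        netloc = host
    else:
        netloc = f"{host}:{port}"
    path = normalize_path(parts.path or "/")
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def ace_matches(ace_url: str, request_url: str) -> bool:
    """Compare a normalized request URL against a normalized ACE, where '*'
    in the ACE matches any run of characters (including '/')."""
    return fnmatch.fnmatchcase(normalize_url(request_url), normalize_url(ace_url))


def evaluate_acl(acl, request_url: str) -> str:
    """First matching ACE wins; anything unmatched is implicitly denied.
    acl is a list of (action, ace_url) tuples."""
    for action, ace_url in acl:
        if ace_matches(ace_url, request_url):
            return action
    return "deny"


# Constructed sample ACL reproducing the two entries the text says are needed.
DEVICES_ACL = [
    ("permit", "https://calo.cisco.com/checkout/Devices"),
    ("permit", "https://calo.cisco.com/checkout/Devices/*"),
]

if __name__ == "__main__":
    for url in (
        "https://calo.cisco.com/checkout/Devices",
        "https://calo.cisco.com/checkout/Devices/order.html",
        "HTTPS://CALO.CISCO.COM:443/checkout/./Devices/../Devices/order.html",
        "https://calo.cisco.com/checkout/Devices/../Admin/secret",
    ):
        print(f"{url} -> {normalize_url(url)} -> {evaluate_acl(DEVICES_ACL, url)}")
```

Note that the second ACE alone does not permit the bookmark itself, and the traversal spelling of /checkout/Admin/secret is normalized before it is compared, so it falls to the implicit deny rather than matching the Devices/* entry.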

New Features in ASA 9.1(4)/ASDM 7.1(5)

Released: December 9, 2013

Feature

Description

Remote Access Features

HTML5 WebSocket proxying

HTML5 WebSockets provide persistent connections between clients and servers. During the establishment of the clientless SSL VPN connection, the handshake appears to the server as an HTTP Upgrade request. The ASA now proxies this request to the backend and provides a relay after the handshake is complete. Gateway mode is not currently supported.

We did not modify any commands.

We did not modify any ASDM screens.
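The following Python script is an added example, not ASA code, showing the two halves of the exchange the text describes: recognizing the client's HTTP Upgrade request as a WebSocket opening handshake, and checking the backend's 101 reply before the connection is handed over to a plain byte relay. It follows the opening handshake in RFC 6455 (the fixed GUID and the SHA-1/Base64 Sec-WebSocket-Accept computation are from that RFC); the sample request and the names of the functions are constructed for this example.

```python
"""Detect and validate an HTML5 WebSocket opening handshake as a proxy would.

Added example, not ASA code. Handshake rules follow RFC 6455 section 4.
"""
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455


def _parse_head(raw: bytes):
    """Split an HTTP message head into its start line and a dict of headers
    (names lower-cased). Only the part before the blank line is parsed."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_websocket_upgrade(start_line: str, headers: dict) -> bool:
    """True for a WebSocket opening handshake: GET over HTTP/1.1 carrying
    Connection: Upgrade, Upgrade: websocket, a client key and version 13."""
    method, _target, version = start_line.split(" ", 2)
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return (
        method == "GET"
        and version == "HTTP/1.1"
        and "upgrade" in tokens
        and headers.get("upgrade", "").lower() == "websocket"
        and "sec-websocket-key" in headers
        and headers.get("sec-websocket-version") == "13"
    )


def classify_request(raw: bytes) -> str:
    """Decide whether a request must be proxied as a WebSocket upgrade or
    handled as ordinary HTTP."""
    start_line, headers = _parse_head(raw)
    return "websocket-upgrade" if is_websocket_upgrade(start_line, headers) else "http"


def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept the backend must return for a given client key:
    Base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_response(client_key: str) -> bytes:
    """The 101 response a conforming backend sends to complete the handshake."""
    accept = expected_accept(client_key).encode("ascii")
    return (
        b"HTTP/1.1 101 Switching Protocols\r\n"
        b"Upgrade: websocket\r\n"
        b"Connection: Upgrade\r\n"
        b"Sec-WebSocket-Accept: " + accept + b"\r\n\r\n"
    )


def handshake_completed(raw_response: bytes, client_key: str) -> bool:
    """Gate for switching to relay mode: the backend answered 101 and its
    Accept value is bound to the key the client actually sent."""
    start_line, headers = _parse_head(raw_response)
    if not start_line.startswith("HTTP/1.1 101"):
        return False
    return headers.get("sec-websocket-accept") == expected_accept(client_key)


# Constructed sample handshake, using the example key from RFC 6455.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_UPGRADE_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: server.example.com\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"\r\n"
)
SAMPLE_PLAIN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: server.example.com\r\n\r\n"

if __name__ == "__main__":
    print(classify_request(SAMPLE_UPGRADE_REQUEST))  # websocket-upgrade
    print(classify_request(SAMPLE_PLAIN_REQUEST))    # http
    reply = build_upgrade_response(SAMPLE_KEY)
    print(handshake_completed(reply, SAMPLE_KEY))    # True
```

Binding the Accept check to the client's own key is what lets a relay refuse to go transparent when the backend answered some other handshake or never agreed to upgrade at all; after a valid 101 the proxy no longer interprets the stream and simply copies bytes in both directions.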

Inner IPv6 for IKEv2

IPv6 traffic can now be tunneled through IPsec/IKEv2 tunnels. This makes ASA-to-AnyConnect VPN connections fully IPv6 compliant. GRE is used when both IPv4 and IPv6 traffic are being tunneled and both the client and the headend support GRE. For a single traffic type, or when GRE is not supported by the client or the headend, we use straight IPsec.

Note 

This feature requires AnyConnect Client Version 3.1.05 or later.

Output of the show ipsec sa and show vpn-sessiondb detail anyconnect commands has been updated to reflect the assigned IPv6 address, and to indicate the GRE Transport Mode security association when doing IKEv2 dual traffic.

The vpn-filter command must now be used for both IPv4 and IPv6 ACLs. If the deprecated ipv6-vpn-filter command is used to configure IPv6 ACLs, the connection will be terminated.

We did not modify any ASDM screens.

Mobile Devices running Citrix Server Mobile have additional connection options

Support for mobile devices connecting to a Citrix server through the ASA now includes selection of a tunnel group, and RSA SecurID for authorization. Allowing mobile users to select different tunnel groups lets the administrator use different authentication methods.

We introduced the application-type command to configure the default tunnel group for VDI connections when a Citrix Receiver user does not choose