Release Notes for Cisco ASDM, 7.15(x)
This document contains release information for Cisco ASDM Version 7.15(x) for the Cisco ASA series.
Important Notes
-
No support in ASA 9.15(1) and later for the ASA 5525-X, ASA 5545-X, and ASA 5555-X—ASA 9.14(x) is the last supported version. For the ASA FirePOWER module, the last supported version is 6.6.
-
Cisco announces the feature deprecation for Clientless SSL VPN effective with ASA version 9.17(1)—Limited support will continue on releases prior to 9.17(1).
-
For the Firepower 1010, invalid VLAN IDs can cause problems—Before you upgrade to 9.15(1), make sure you are not using a VLAN for switch ports in the range 3968 to 4047. These IDs are for internal use only, and 9.15(1) includes a check to make sure you are not using these IDs. For example, if these IDs are in use after upgrading a failover pair, the failover pair will go into a suspended state. See CSCvw33057 for more information.
-
ASDM Cisco.com Upgrade Wizard failure on Firepower 1000 and 2100 in Appliance mode in 9.13—The ASDM Cisco.com Upgrade Wizard does not work for upgrading from 9.13 (Tools > Check for ASA/ASDM Updates). The wizard can upgrade ASDM from 7.13, but the ASA image upgrade is grayed out. (CSCvt72183) As a workaround, use one of the following methods:
-
Use Tools > Upgrade Software from Local Computer for both ASA and ASDM.
-
Use Tools > Check for ASA/ASDM Updates to upgrade ASDM; then use the new ASDM to upgrade the ASA image. Note that you may see a Fatal Installation Error; in this case, click OK. You must then set the boot image manually on the screen. Save the configuration and reload the ASA.
-
-
Upgrade ROMMON for ASA 5506-X, 5508-X, and 5516-X to Version 1.1.15 or later—There is a new ROMMON version for these ASA models (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.
Caution: The ROMMON upgrade for 1.1.15 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.
-
Upgrade ROMMON for the ISA 3000 to Version 1.0.5 or later——There is a new ROMMON version for the ISA 3000 (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.
Caution: The ROMMON upgrade for 1.0.5 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.
-
SAMLv1 feature deprecation—Support for SAMLv1 is deprecated.
-
Low-Security Cipher Removal in ASA 9.15(1)—Support for the following less secure ciphers used by IKE and IPsec have been removed:
-
Diffie-Hellman groups: 2 and 24
-
Encryption algorithms: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256, NULL, ESP-3DES, ESP-DES, ESP-MD5-HMAC
-
Hash algorithms: MD5
Note
Low-security SSH and SSL ciphers have not yet been removed.
Before you upgrade from an earlier version of ASA to Version 9.15(1), you must update your VPN configuration to use the ciphers supported in 9.15(1), or else the old configuration will be rejected. When the configuration is rejected, one of the following actions will occur, depending on the command:
-
The command will use the default cipher.
-
The command will be removed.
Fixing your configuration before upgrading is especially important for clustering or failover deployments. For example, if the secondary unit is upgraded to 9.15(1), and the removed ciphers are synced to this unit from the primary, then the secondary unit will reject the configuration. This rejection might cause unexpected behavior, like failure to join the cluster.
IKEv1: The following subcommands are removed:
-
crypto ikev1 policy priority:
-
hash md5
-
encryption 3des
-
encryption des
-
group 2
-
IKEv2: The following subcommands are removed:
-
crypto ikev2 policy priority:
-
prf md5
-
integrity md5
-
group 2
-
group 24
-
encryption 3des
-
encryption des
-
encryption null
-
IPsec: The following subcommands are removed:
-
crypto ipsec ikev1 transform-set name esp-3des esp-des esp-md5-hmac
-
crypto ipsec ikev2 ipsec-proposal name
-
protocol esp integrity md5
-
protocol esp encryption 3des aes-gmac aes-gmac- 192 aes-gmac -256 des
-
-
crypto ipsec profile name
-
set pfs group2 group24
-
Crypto Map: The following subcommands are removed:
-
crypto map name sequence set pfs group2
-
crypto map name sequence set pfs group24
-
crypto map name sequence set ikev1 phase1-mode aggressive group2
-
-
Re-introduction of CRL Distribution Point configuration—The static CDP URL configuration option, that was removed in 9.13(1), was re-introduced in the match-certificate command.
-
Restoration of bypass certificate validity checks option—The option to bypass revocation checking due to connectivity problems with the CRL or OCSP server was restored.
The following subcommands were restored:
-
revocation-check crl none
-
revocation-check ocsp none
-
revocation-check crl ocsp none
-
revocation-check ocsp crl none
-
System Requirements
This section lists the system requirements to run this release.
ASDM Java Requirements
You can install ASDM using Oracle JRE 8.0 (asdm-version.bin) or OpenJRE 1.8.x (asdm-openjre-version.bin).
Note |
ASDM is not tested on Linux. |
Operating System |
Browser |
Oracle JRE |
OpenJRE |
||||||
---|---|---|---|---|---|---|---|---|---|
Firefox |
Safari |
Chrome |
|||||||
Microsoft Windows (English and Japanese):
|
Yes |
No support |
Yes |
8.0 version 8u261 or later |
1.8
|
||||
Apple OS X 10.4 and later |
Yes |
Yes |
Yes (64-bit version only) |
8.0 version 8u261 or later |
1.8 |
ASDM Compatibility Notes
The following table lists compatibility caveats for ASDM.
Conditions |
Notes |
||
---|---|---|---|
Windows 10 |
"This app can't run on your PC" error message. When you install the ASDM Launcher, Windows 10 might replace the ASDM shortcut target with the Windows Scripting Host path, which causes this error. To fix the shortcut target:
|
||
OS X |
On OS X, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes. |
||
OS X 10.8 and later |
You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.
|
||
Requires Strong Encryption license (3DES/AES) on ASA
|
ASDM requires an SSL connection to the ASA. You can request a 3DES license from Cisco:
|
||
|
When the ASA uses a self-signed certificate or an untrusted certificate, Firefox and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority. |
||
|
If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome “SSL false start” feature. We suggest re-enabling one of these algorithms (see the Run Chromium with flags. pane); or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to |
Install an Identity Certificate for ASDM
When using Java 7 update 51 and later, the ASDM Launcher requires a trusted certificate. An easy approach to fulfill the certificate requirements is to install a self-signed identity certificate. You can use Java Web Start to launch ASDM until you install a certificate.
See Install an Identity Certificate for ASDM to install a self-signed identity certificate on the ASA for use with ASDM, and to register the certificate with Java.
Increase the ASDM Configuration Memory
ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience performance issues. For example, when you load the configuration, the status dialog box shows the percentage of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend that you consider increasing the ASDM system heap memory.
Increase the ASDM Configuration Memory in Windows
To increase the ASDM heap memory size, edit the run.bat file by performing the following procedure.
Procedure
Step 1 |
Go to the ASDM installation directory, for example C:\Program Files (x86)\Cisco Systems\ASDM. |
Step 2 |
Edit the run.bat file with any text editor. |
Step 3 |
In the line that starts with “start javaw.exe”, change the argument prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB. |
Step 4 |
Save the run.bat file. |
Increase the ASDM Configuration Memory in Mac OS
To increase the ASDM heap memory size, edit the Info.plist file by performing the following procedure.
Procedure
Step 1 |
Right-click the Cisco ASDM-IDM icon, and choose Show Package Contents. |
Step 2 |
In the Contents folder, double-click the Info.plist file. If you have Developer tools installed, it opens in the Property List Editor. Otherwise, it opens in TextEdit. |
Step 3 |
Under , change the string prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB. |
Step 4 |
If this file is locked, you see an error such as the following: |
Step 5 |
Click Unlock and save the file. If you do not see the Unlock dialog box, exit the editor, right-click the Cisco ASDM-IDM icon, choose Copy Cisco ASDM-IDM, and paste it to a location where you have write permissions, such as the Desktop. Then change the heap size from this copy. |
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note |
New, changed, and deprecated syslog messages are listed in the syslog message guide. |
New Features in ASDM 7.15(1.150)
Released: February 8, 2021
There are no new features in this release.
New Features in ASA 9.15(1)/ASDM 7.15(1)
Released: November 2, 2020
Feature |
Description |
---|---|
Platform Features |
|
ASAv for the Public Cloud |
We introduced the ASAv for the following Public Cloud offerings:
No modified screens. |
ASAv support for Autoscale |
The ASAv now supports Autoscale for the following Public Could offerings:
Autoscaling increases or decreases the number of ASAv application instances based on capacity requirements. No modified screens. |
ASAv for Microsoft Azure support for Accelerated Networking (SR-IOV). |
The ASAv on the Microsoft Azure Public Cloud now supports Azure's Accelerated Networking (AN), which enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance. No modified screens. |
Firewall Features |
|
Changes to PAT address allocation in clustering. The PAT pool flat option is now enabled by default and it is not configurable. |
The way PAT addresses are distributed to the members of a cluster is changed. Previously, addresses were distributed to the members of the cluster, so your PAT pool would need a minimum of one address per cluster member. Now, the master instead divides each PAT pool address into equal-sized port blocks and distributes them across cluster members. Each member has port blocks for the same PAT addresses. Thus, you can reduce the size of the PAT pool, even to as few as one IP address, depending on the amount of connections you typically need to PAT. Port blocks are allocated in 512-port blocks from the 1024-65535 range. You can optionally included the reserved ports, 1-1023, in this block allocation when you configure PAT pool rules. For example, in a 4-node cluster, each node gets 32 blocks with which it will be able to handle 16384 connections per PAT pool IP address compared to a single node handling all 65535 connections per PAT pool IP address. As part of this change, PAT pools for all systems, whether standalone or operating in a cluster, now use a flat port range of 1023 - 65535. Previously, you could optionally use a flat range by including the flat keyword in a PAT pool rule. The flat keyword is no longer supported: the PAT pool is now always flat. The include-reserve keyword, which was previously a sub-keyword to flat , is now an independent keyword within the PAT pool configuration. With this option, you can include the 1 - 1023 port range within the PAT pool. Note that if you configure port block allocation (the block-allocation PAT pool option), your block allocation size is used rather than the default 512-port block. In addition, you cannot configure extended PAT for a PAT pool for systems in a cluster. New/Modified screens: NAT PAT Pool configuration. |
XDMCP inspection disabled by default in new installations. |
Previously, XDMCP inspection was enabled by default for all traffic. Now, on new installations, which includes new systems and reimaged systems, XDMCP is off by default. If you need this inspection, please enable it. Note that on upgrades, your current settings for XDMCP inspection are retained, even if you simply had it enabled by way of the default inspection settings. |
High Availability and Scalability Features |
|
Disable failover delay |
When you use bridge groups or IPv6 DAD, when a failover occurs the new active unit waits up to 3000 ms for the standby unit to finish networking tasks and transition to the standby state. Then the active unit can start passing traffic. To avoid this delay, you can disable the waiting time, and the active unit will start passing traffic before the standby unit transitions. New/Modified screens: |
Routing Features |
|
Multicast IGMP interface state limit raised from 500 to 5000 |
The multicast IGMP state limit per interface was raised from 500 to 5000. New/Modified commands: igmp limit No ASDM support. Also in 9.12(4). |
Interface Features |
|
ASDM support for unique MAC address generation for single context mode |
You can now enable unique MAC address generation for VLAN subinterfaces in single context mode in ASDM. Normally, subinterfaces share the same MAC address with the main interface. Because IPv6 link-local addresses are generated based on the MAC address, this feature allows for unique IPv6 link-local addresses. CLI support was added in ASA 9.8(3), 9.8(4), and 9.9(2) and later. New/Modified screen: |
DDNS support for the web update method |
You can now configure an interface to use DDNS with the web update method. New/Modified screens: |
Certificate Features |
|
Modifications to Match Certificate commands to support static CRL Distribution Point URL |
The static CDP URL configuration commands allowed CDPs to be mapped uniquely to each certificate in a chain that is being validated. However, only one such mapping was supported for each certificate. This modification allows statically configured CDPs to be mapped to a chain of certificates for authentication. |
Administrative and Troubleshooting Features |
|
Manual import of node secret file from the RSA Authentication Manager for SDI AAA server groups. |
You can import the node secret file that you export from the RSA Authentication Manager for use with SDI AAA server groups. We added the following screen: . |
show fragment command output enhanced |
The output for show fragment command was enhanced to include IP fragment related drops and error counters. No modified screens |
show tech-support command output enhanced |
The output for show tech-support command was enhanced to include the bias that is configured for the crypto accelerator. The bias value can be ssl, ipsec, or balanced. No modified screens |
Monitoring Features |
|
Support to configure cplane keepalive holdtime values |
Due to communication delays caused by high CPU usage, the response to the keepalive event fails to reach ASA, resulting in trigerring failover due to card failure. You can now configure the keepalive timeout period and the maximum keepalive counter value to ensure sufficient time and retries are given. We added the following screen: . |
VPN Features |
|
Support for configuring the maximum in-negotiation SAs as an absolute value |
You can now configure the maximum in-negotiation SAs as an absolute value up to 15000 or a maximum value derived from the maximum device capacity; formerly, only a percentage was allowed. New/Modified commands: crypto ikev2 limit max-in-negotiation-sa value No ASDM support. Also in 9.12(4). |
Cross-Site Request Forgery (CSRF) Vulnerabilities Prevention for WebVPN Handlers |
ASA provides protection against CSRF attacks for WebVPN handlers. If a CSRF attack is detected, a user is notified by warning messages. This feature is enabled by default. |
Kerberos server validation for Kerberos Constrained Delegation (KCD). |
When configured for KCD, the ASA initiates an AD domain join with the configured server in order to acquire Kerberos keys. These keys are required for the ASA to request service tickets on behalf of clientless SSL VPN users. You can optionally configure the ASA to validate the identity of the server during domain join. We changed the following screens: |
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
-
ASDM: Choose
. -
CLI: Use the show version command.
This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
Note |
Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage. |
Note |
For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories. |
Note |
ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X. ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2(x) was the final version for the ASA 5505. ASA 9.1(x) was the final version for the ASA 5510, 5520, 5540, 5550, and 5580. |
Current Version |
Interim Upgrade Version |
Target Version |
---|---|---|
9.14(x) |
— |
Any of the following: → 9.15(x) |
9.13(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) |
9.12(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) |
9.10(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) |
9.9(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) |
9.8(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) |
9.7(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) → 9.8(x) |
9.6(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) → 9.8(x) |
9.5(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) → 9.8(x) |
9.4(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) → 9.8(x) |
9.3(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) → 9.8(x) |
9.2(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) → 9.8(x) |
9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) |
— |
Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.1(7.4) |
9.1(1) |
→ 9.1(2) |
Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.1(7.4) |
9.0(2), 9.0(3), or 9.0(4) |
— |
Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.6(x) → 9.1(7.4) |
9.0(1) |
→ 9.0(4) |
Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.1(7.4) |
8.6(1) |
→ 9.0(4) |
Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.1(7.4) |
8.5(1) |
→ 9.0(4) |
Any of the following: → 9.12(x) → 9.8(x) → 9.1(7.4) |
8.4(5+) |
— |
Any of the following: → 9.12(x) → 9.8(x) → 9.1(7.4) → 9.0(4) |
8.4(1) through 8.4(4) |
→ 9.0(4) |
→ 9.12(x) → 9.8(x) → 9.1(7.4) |
8.3(x) |
→ 9.0(4) |
Any of the following: → 9.12(x) → 9.8(x) → 9.1(7.4) |
8.2(x) and earlier |
→ 9.0(4) |
Any of the following: → 9.12(x) → 9.8(x) → 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs
This section lists open bugs in each version.
Open Bugs in Version 7.15(1.150)
The following table lists select open bugs at the time of this Release Note publication.
Caveat ID Number |
Description |
---|---|
Appliance mode : checksum does not match issue while downloading asa image from CCO |
|
ASDM: Need support for MAC in Launcher 1.9.1 |
|
Check box not available for disable delete tunnel with no delay in simultaneous connection prempt |
Open Bugs in Version 7.15(1)
The following table lists select open bugs at the time of this Release Note publication.
Caveat ID Number |
Description |
---|---|
Appliance mode : checksum does not match issue while downloading asa image from CCO |
|
ASDM: Need support for MAC in Launcher 1.9.1 |
|
Check box not available for disable delete tunnel with no delay in simultaneous connection prempt |
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 7.15(1.150)
The following table lists select resolved bugs at the time of this Release Note publication.
Caveat ID Number |
Description |
---|---|
ASDM connection limited shows N/A in one of the contexts |
|
ASDM Display "n/a" for "Peak Usage (KB)" Under Tab "Context Usage" of Memory Status |
Resolved Bugs in Version 7.15(1)
The following table lists select resolved bugs at the time of this Release Note publication.
Caveat ID Number |
Description |
---|---|
ASDM packet tracer destination MAC not showing when switching from routed to transparent context |
|
Not able to Unselect dedicate the interface to management only check box |
|
Unable to Change Pre-Shared Key Using ASDM with password encryption enabled |
|
ASDM Fails to Launch with error - invalid SHA1 signature file digest for LZMA/LzmaInputStream.class |
|
Power over Ethernet dialog has incorrect label for checkbox |
|
ASDM creates wrong outside identity NAT rule during creation of connection profile for s2s vpn |
|
dns-class inside of DNS Class-Map gets incorrect value |
|
Remove the engineID field from ASDM UI |
|
ASDM - ACL on management can't be added even interface configured with "no management-only" |
|
Unable to edit AnyConnect Custom Attribute Name value |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.