Release Notes for Cisco Secure Firewall ASDM, 7.20(x)
This document contains release information for ASDM version 7.20(x) for the Secure Firewall ASA.
 Note |
ASA 9.20(1) is only supported on the Secure Firewall 4200. Later releases are supported on the other models. |
Important Notes
-
ASA 9.20(2) supports all current models.
-
OSPF redistribute commands that specify a route-map that matches a prefix-list will be removed in 9.20(2)—When you upgrade to 9.20(2), OSPF redistribute commands where the specified route-map uses a match ip address prefix-list will be removed from the configuration. Although prefix lists have never been supported, the parser still accepted the command. Before upgrading, you should reconfigure OSPF to use route maps that specify an ACL in the match ip address command.
-
ASA version 9.20(1) only supports the Secure Firewall 4200—ASDM 7.20(1) supports the Secure Firewall 4200 on 9.20(1), but is also backwards-compatible with earlier releases on other platforms.
-
ASDM's self-signed certificate not valid due to a time and date mismatch with ASA—ASDM validates the self-signed SSL certificate, and if the ASA's date is not within the certificate's Issued On and Expires On date, ASDM will not launch. See ASDM Compatibility Notes for more information.
System Requirements
ASDM requires a computer with a CPU with at least 4 cores. Fewer cores can result in high memory usage.
ASDM Java Requirements
You can install ASDM using Oracle JRE 8.0 (asdm-version.bin) or OpenJRE 1.8.x (asdm-openjre-version.bin).
Note |
ASDM is not tested on Linux. |
|
Operating System |
Browser |
Oracle JRE |
OpenJRE |
||||||
|---|---|---|---|---|---|---|---|---|---|
|
Firefox |
Safari |
Chrome |
|||||||
|
Microsoft Windows (English and Japanese):
|
Yes |
No support |
Yes |
8.0 version 8u261 or later |
1.8
|
||||
|
Apple OS X 10.4 and later |
Yes |
Yes |
Yes (64-bit version only) |
8.0 version 8u261 or later |
1.8 |
||||
ASDM Compatibility Notes
The following table lists compatibility caveats for ASDM.
|
Conditions |
Notes |
||
|---|---|---|---|
|
ASDM Launcher compatibility with ASDM version |
"Unable to Launch Device Manager" error message. If you upgrade to a new ASDM version and then get this error, you may need to re-install the latest Launcher.
|
||
|
Self-signed certificate not valid due to a time and date mismatch with ASA |
ASDM validates the self-signed SSL certificate, and if the ASA's date is not within the certificate's Issued On and Expires On date, ASDM will not launch. If there is a time and date mismatch, you will see the following error: 
To fix the issue: Set the correct time on the ASA and reload. To check the certificate dates, (example shown is Chrome):
|
||
|
Windows Active Directory directory access |
In some cases, Active Directory settings for Windows users may restrict access to program file locations needed to successfully launch ASDM on Windows. Access is needed to the following directories:
If your Active Directory is restricting directory access, you need to request access from your Active Directory administrator. |
||
|
Windows 10 |
"This app can't run on your PC" error message. When you install the ASDM Launcher, Windows 10 might replace the ASDM shortcut target with the Windows Scripting Host path, which causes this error. To fix the shortcut target:
|
||
|
OS X |
On OS X, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes. |
||
|
OS X 10.8 and later |
You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen. 
|
||
|
Requires Strong Encryption license (3DES/AES) on ASA
|
ASDM requires an SSL connection to the ASA. You can request a 3DES license from Cisco:
|
||
|
When the ASA uses a self-signed certificate or an untrusted certificate, Firefox and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority. |
||
|
If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome “SSL false start” feature. We suggest re-enabling one of these algorithms (see the pane); or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to Run Chromium with flags. |
Install an Identity Certificate for ASDM
When using Java 7 update 51 and later, the ASDM Launcher requires a trusted certificate. An easy approach to fulfill the certificate requirements is to install a self-signed identity certificate.
See Install an Identity Certificate for ASDM to install a self-signed identity certificate on the ASA for use with ASDM, and to register the certificate with Java.
Increase the ASDM Configuration Memory
ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience performance issues. For example, when you load the configuration, the status dialog box shows the percentage of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend that you consider increasing the ASDM system heap memory. To confirm that you are experiencing memory exhaustion, monitor the Java console for the "java.lang.OutOfMemoryError" message.
Increase the ASDM Configuration Memory in Windows
To increase the ASDM heap memory size, edit the run.bat file by performing the following procedure.
Procedure
|
Step 1 |
Go to the ASDM installation directory, for example C:\Program Files (x86)\Cisco Systems\ASDM. |
|
Step 2 |
Edit the run.bat file with any text editor. |
|
Step 3 |
In the line that starts with “start javaw.exe”, change the argument prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB. |
|
Step 4 |
Save the run.bat file. |
Increase the ASDM Configuration Memory in Mac OS
To increase the ASDM heap memory size, edit the Info.plist file by performing the following procedure.
Procedure
|
Step 1 |
Right-click the Cisco ASDM-IDM icon, and choose Show Package Contents. |
|
Step 2 |
In the Contents folder, double-click the Info.plist file. If you have Developer tools installed, it opens in the Property List Editor. Otherwise, it opens in TextEdit. |
|
Step 3 |
Under , change the string prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.  |
|
Step 4 |
If this file is locked, you see an error such as the following:  |
|
Step 5 |
Click Unlock and save the file. If you do not see the Unlock dialog box, exit the editor, right-click the Cisco ASDM-IDM icon, choose Copy Cisco ASDM-IDM, and paste it to a location where you have write permissions, such as the Desktop. Then change the heap size from this copy. |
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco Secure Firewall ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note |
New, changed, and deprecated syslog messages are listed in the syslog message guide. |
New Features in ASA 9.20(2)/ASDM 7.20(2)
Released: December 13, 2023
|
Feature |
Description |
|---|---|
|
Platform Features |
|
|
100GB network module support for the Secure Firewall 3100 |
You can now use the 100GB network module for the Secure Firewall 3100. This module is also supported for the Secure Firewall 4200. |
|
Increased connection limits for the Secure Firewall 4200 |
Connection limits have been increased:
|
|
ASAv on OCI: Additional instances |
ASA Virtual instances on OCI now supports additional shapes to achieve the highest performance and throughput level. |
|
High Availability and Scalability Features |
|
|
ASAv on Azure: Clustering with Gateway Load Balancing |
We now support the ASA virtual clustering deployment on Azure
using the Azure Resource Manager (ARM) template and then configure
the ASAv clusters to use the Gateway Load Balancer (GWLB) for load balancing the network traffic.
New/Modified screens: |
|
ASAv on AWS: Resiliency for clustering with Gateway Load Balancing |
You can configure the Target Failover option in the Target Groups service of AWS, which helps GWLB to forward existing flows to a healthy target in the event of virtual instance failover. In the ASAv clustering, each instance is associated with a Target Group, where the Target Failover option is enabled. It helps GWLB to identify an unhealthy target and redirect or forward the network traffic to a healthy instance identified or registered as a target node in the target group. |
|
Configurable delay to rejoin cluster after chassis heartbeat failure (Firepower 4100/9300) |
By default, if the chassis heartbeat fails and then recovers, the node rejoins the cluster immediately. However, if you configure the health-check chassis-heartbeat-delay-rejoin command, it will rejoin according to the settings of the health-check system auto-rejoin command. New/Modified screens: |
|
show failover statistics includes client statistics |
The failover client packet statistics are now enhanced to improve debuggability. The show failover statistics command is enhanced to display np-clients (data-path clients) and cp-clients (control-plane clients) information. Modified commands: show failover statistics cp-clients , show failover statistics np-clients Also in 9.18(4). |
|
show failover statistics events includes new events |
The show failover statistics events command is now enhanced to identify the local failures notified by the App agent: failover link uptime, supervisor heartbeat failures, and disk full issues. Modified commands: show failover statistics events Also in 9.18(4). |
New Features in ASA 9.20(1)/ASDM 7.20(1)
Released: September 7, 2023
Note |
This release is only supported on the Secure Firewall 4200. |
|
Feature |
Description |
|---|---|
|
Platform Features |
|
|
Secure Firewall 4200 |
We introduced the ASA for the Secure Firewall 4215, 4225, and 4245. The Secure Firewall 4200 supports up to 8 units for Spanned EtherChannel clustering. You can hot swap a network module of the same type while the firewall is powered up without having to reboot; making other module changes requires a reboot. Secure Firewall 4200 25 Gbps and higher interfaces support Forward Error Correction as well as speed detection based on the SFP installed. The SSDs are self-encrypting drives (SEDs), and if you have 2 SSDs, they form a software RAID. There are two Management interfaces. |
|
Firewall Features |
|
|
ASDM support for the sysopt connection tcp-max-unprocessed-seg command |
You can set the maximum number of TCP unprocessed segments, from 6 to 24. The default is 6. If you find that SIP phones are not connecting to the call manager, you can try increasing the maximum number of unprocessed TCP segments. New/Modified screens: . |
|
ASP rule engine compilation offloaded to the data plane. |
By default, ASP rule engine compilation is offloaded to the data plane (instead of the control plane) when any rule-based policy (for example, ACL, NAT, VPN) has more than 100 rule updates. The offload leaves more time for the control plane to perform other tasks. We added or modified the following commands: asp rule-engine compile-offload , show asp rule-engine . |
|
High Availability and Scalability Features |
|
|
Reduced false failovers for ASA high availability |
We now introduced an additional heartbeat module in the data plane of the ASA high availability. This heartbeat module helps to avoid false failovers or split-brain scenarios that can happen due to traffic congestion in the control plain or CPU overload. Also in 9.18(4). |
|
Configurable cluster keepalive interval for flow status |
The flow owner sends keepalives (clu_keepalive messages) and updates (clu_update messages) to the director and backup owner to refresh the flow state. You can now set the keepalive interval. The default is 15 seconds, and you can set the interval between 15 and 55 seconds. You may want to set the interval to be longer to reduce the amount of traffic on the cluster control link. New/Modified screens: |
|
Routing Features |
|
|
EIGRPv6 |
You can now configure EIGRP for IPv6 and manage them separately. You must explicitly enable IPv6 when configuring EIGRP on each interface. New/Modified screens: , Setup, Filter Rules,Interface,Passive Interface, Redistribution, Static Neighbor tabs. |
|
Path monitoring through HTTP client |
PBR can now use the performance metrics (RTT, jitter, packet-lost, and MOS) collected by path monitoring through HTTP client on the application domain rather than the metrics on a specific destination IP. HTTP-based application monitoring option is enabled by default for the interface. HTTP based path-monitoring can be configured on the interface using Network Service Group objects. You can configure a PBR policy with match ACL having the monitored applications and interface ordering for path determination. New/Modified screens: |
|
Interface Features |
|
|
VXLAN VTEP IPv6 support |
You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the ASA virtual cluster control link or for Geneve encapsulation. New/Modified screens: |
|
Loopback interface support for DNS, HTTP, ICMP, and IPsec Flow Offload |
You can now add a loopback interface and use it for:
|
|
License Features |
|
|
IPv6 for Cloud services such as Smart Licensing and Smart Call Home |
ASA now supports IPv6 for Cloud services such as Smart Licensing and Smart Call Home. |
|
Certificate Features |
|
|
IPv6 PKI for OCSP and CRL |
ASA now supports both IPv4 and IPv6 OCSP and CRL URLs. When using IPv6 in the URLs, it must be enclosed with square brackets.
New/Modified screens: |
|
Administrative, Monitoring, and Troubleshooting Features |
|
|
Rate limiting for SNMP syslogs |
If you do not set system-wide rate limiting, you can now configure rate limiting separately for syslogs sent to an SNMP server. New/Modified commands: logging history rate-limit |
|
Packet Capture for switches |
You can now configure to capture egress and ingress traffic packets for a switch. This option is applicable only for Secure Firewall 4200 model devices. New/Modified screens: and |
|
VPN Features |
|
|
Crypto debugging enhancements |
Following are the enhancements for crypto debugging:
|
|
Multiple Key Exchanges for IKEv2 |
ASA supports multiple key exchanges in IKEv2 to secure the IPsec communication from quantum computer attacks. |
|
Secure Client connection authentication using SAML |
In a DNS load balancing cluster, when SAML authentication is
configured on ASAs, you can specify a local base URL that uniquely
resolves to the device on which the configuration is applied.
New/Modified screens: Configuration > Remote Access VPN > Network (Client) Access > Secure Client Connection Profiles > Add/Edit > Basic > SAML Identity Provider > Manage > Add/Edit |
|
ASDM Features |
|
|
Windows 11 support |
ASDM has been verified to operate on Windows 11. |
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
-
ASDM: Choose .
-
CLI: Use the show version command.
This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
Note |
Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage. |
Note |
For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories. |
Note |
9.18 was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300. ASA 9.16 was the final version for the ASA 5506-X, 5508-X, and 5516-X. ASA 9.14 was the final version for the ASA 5525-X, 5545-X, and 5555-X. ASA 9.12 was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2 was the final version for the ASA 5505. ASA 9.1 was the final version for the ASA 5510, 5520, 5540, 5550, and 5580. |
|
Current Version |
Interim Upgrade Version |
Target Version |
|---|---|---|
|
9.19 |
— |
Any of the following: → 9.20 |
|
9.18 |
— |
Any of the following: → 9.20 → 9.19 |
|
9.17 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 |
|
9.16 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 |
|
9.15 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 |
|
9.14 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 |
|
9.13 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 |
|
9.12 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 |
|
9.10 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.9 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.8 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.7 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.6 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.5 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.4 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.3 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.2 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) |
— |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
9.1(1) |
→ 9.1(2) |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
9.0(2), 9.0(3), or 9.0(4) |
— |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.6 → 9.1(7.4) |
|
9.0(1) |
→ 9.0(4) |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
8.6(1) |
→ 9.0(4) |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
8.5(1) |
→ 9.0(4) |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
|
8.4(5+) |
— |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) → 9.0(4) |
|
8.4(1) through 8.4(4) |
→ 9.0(4) |
→ 9.12 → 9.8 → 9.1(7.4) |
|
8.3 |
→ 9.0(4) |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
|
8.2 and earlier |
→ 9.0(4) |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs
This section lists open bugs in each version.
Open Bugs in Version 7.20(2)
The following table lists select open bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
ASDM backup restore replaces custom policy-map with default class inspect options |
|
|
Checkbox of Enable autogeneration of MAC addresses not working properly |
|
|
Unable to use 'any' keyword as an object when editing object-group through ASDM |
Open Bugs in Version 7.20(1)
There are no open bugs in this release.
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 7.20(2)
There are no resolved bugs in this release.
Resolved Bugs in Version 7.20(1)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
Anyconnect authenticated user not showing in GET results for /api/monitoring/authusers |
|
|
ASDM - SSL cert verification vulnerability |
|
|
Unable to update hostscan file from ASDM ,Unable to edit the DAP if we install hostscan image |
|
|
Unable to Edit the ACL objects if it is already in use, getting the exception. |
|
|
Post Quantum key validation needs to be handled properly. |
|
|
ASDM losing configured objects/object groups |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco Secure Firewall ASA Series Documentation.
Feedback