Release Notes for Cisco ASDM, 7.5(x)
First Published: 2015-08-31
Last Modified: --
This document contains release information for Cisco ASDM Version 7.5(x) for the Cisco ASA series.
Important Notes
• E-mail proxy commands deprecated—In ASA Version 9.5(2), the e-mail proxy commands (imap4s,
pop3s, smtps) and subcommands are no longer supported.
• CSD commands deprecated or migrated—In ASA Version 9.5(2), the CSD commands (csd image,
show webvpn csd image, show webvpn csd, show webvpn csd hostscan, show webvpn csd hostscan
image) are no longer supported.
The following CSD commands will migrate: csd enable migrates to hostscan enable; csd hostscan
image migrates to hostscan image.
• Select AAA commands deprecated—In ASA Version 9.5(2), these AAA commands and subcommands
(override-account-disable, authentication crack) are no longer supported.
• The RSA toolkit version used in ASA 9.x is different from what was used in ASA 8.4, which causes
differences in PKI behavior between these two versions.
For example, ASAs running 9.x software allow you to import certificates with an Organizational Name
Value (OU) field length of 73 characters. ASAs running 8.4 software allow you to import certificates
with an OU field name of 60 characters. Because of this difference, certificates that can be imported in
ASA 9.x will fail to be imported to ASA 8.4. If you try to import an ASA 9.x certificate to an ASA
running version 8.4, you will likely receive the error, "ERROR: Import PKCS12 operation failed."
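A pre-flight check for the OU length difference described above, as an added example that is not part of the original release notes. It parses a subject string in RFC 4514 form (for instance the output of `openssl x509 -noout -subject -nameopt RFC2253`) and reports OU values that exceed each limit; the function names are hypothetical, the sample subject is constructed, and treating 60 and 73 as inclusive maxima is an assumption.

```python
import string

# Limits quoted in the release note; treating them as inclusive maxima is an assumption.
OU_MAX = {"8.4": 60, "9.x": 73}
OU_TYPES = {"OU", "2.5.4.11"}  # short name and OID of organizationalUnitName


def split_unescaped(text, sep):
    """Split text on sep, skipping separators escaped with a backslash."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair; it is decoded later
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def unescape(value):
    """Decode RFC 4514 escapes: backslash + special char, or backslash + hex pair."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode("utf-8")
                i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")


def ou_values(subject_dn):
    """Return every OU value in the subject, including those in multi-valued RDNs."""
    if subject_dn.startswith("subject="):  # prefix printed by openssl
        subject_dn = subject_dn[len("subject="):]
    values = []
    for rdn in split_unescaped(subject_dn, ","):
        for ava in split_unescaped(rdn, "+"):
            attr, _, val = ava.partition("=")
            if attr.strip().upper() in OU_TYPES:
                values.append(unescape(val))
    return values


def oversize_ous(subject_dn):
    """Map each ASA train to the OU values that are too long for it."""
    ous = ou_values(subject_dn)
    return {train: [ou for ou in ous if len(ou) > limit]
            for train, limit in OU_MAX.items()}


# Constructed sample subject (not taken from a real device).
SAMPLE = (r"CN=asa1.example.com,"
          r"OU=Network Security Operations\, Perimeter Firewall Engineering Team 01,"
          r"OU=VPN,O=Example Corp,C=US")

if __name__ == "__main__":
    for train, bad in oversize_ous(SAMPLE).items():
        print(train, "OK" if not bad else f"OU too long: {bad}")
```

Run it against the subject of any certificate that must be importable on both 8.4 and 9.x devices before building the PKCS12 file.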
System Requirements
This section lists the system requirements to run this release.
ASDM Client Operating System and Browser Requirements
The following table lists the supported and recommended client operating systems and Java for ASDM.
Table 1: Operating System and Browser Requirements
Operating System | Internet Explorer | Firefox | Safari | Chrome | Java SE Plug-in
Microsoft Windows (English and Japanese): 8, 7, Server 2008, Server 2012 | Yes | Yes | No support | Yes | 7.0 or later
Apple OS X 10.4 and later | No support | Yes | Yes | Yes (64-bit version only) | 7.0 or later
Red Hat Enterprise Linux 5 (GNOME or KDE): Desktop, Desktop with Workstation | N/A | Yes | N/A | Yes | 7.0 or later
Java and Browser Compatibility
The following table lists compatibility caveats for Java, ASDM, and browser compatibility.
Java Version: 7 update 51

Conditions: ASDM Launcher requires trusted certificate
Notes: To continue using the Launcher, do one of the following:
• Upgrade to Java 8 or downgrade Java to 7 update 45 or earlier.
• Install a trusted certificate on the ASA from a known CA.
• Install a self-signed certificate and register it with Java. See Install an Identity Certificate for ASDM.
• Alternatively use Java Web Start.
Note
ASDM 7.1(5) and earlier are not supported with Java 7 update 51. If you already upgraded Java, and can no longer launch ASDM in order to upgrade it to Version 7.2 or later, then you can either use the CLI to upgrade ASDM, or you can add a security exception in the Java Control Panel for each ASA you want to manage with ASDM. See the “Workaround” section at: http://java.com/en/download/help/java_blocked.xml
After adding the security exception, launch the older ASDM and then upgrade to 7.2 or later.

Conditions: In rare cases, online help does not load when using Java Web Start
Notes: In rare cases, when launching online help, the browser window loads, but the content fails to appear. The browser reports an error: “Unable to connect”.
Workaround:
• Use the ASDM Launcher
Or:
• Clear the -Djava.net.preferIPv6Addresses=true parameter in Java Runtime Parameters:
1 Launch the Java Control Panel.
2 Click the Java tab.
3 Click View.
4 Clear this parameter: -Djava.net.preferIPv6Addresses=true
5 Click OK, then Apply, then OK again.

Java Version: 7 update 45

Conditions: ASDM shows a yellow warning about the missing Permissions attribute when using an untrusted certificate
Notes: Due to a bug in Java, if you do not have a trusted certificate installed on the ASA, you see a yellow warning about a missing Permissions attribute in the JAR manifest. It is safe to ignore this warning; ASDM 7.2 and later includes the Permissions attribute. To prevent the warning from appearing, install a trusted certificate (from a known CA); or generate a self-signed certificate on the ASA by choosing Configuration > Device Management > Certificates > Identity Certificates. Launch ASDM, and when the certificate warning is shown, check the Always trust connections to websites check box.

Java Version: 7

Conditions: Requires strong encryption license (3DES/AES) on ASA
Notes: ASDM requires an SSL connection to the ASA. You can request a 3DES license from Cisco:
1 Go to www.cisco.com/go/license.
2 Click Continue to Product License Registration.
3 In the Licensing Portal, click Get Other Licenses next to the text field.
4 Choose IPS, Crypto, Other... from the drop-down list.
5 Type ASA into the Search by Keyword field.
6 Select Cisco ASA 3DES/AES License in the Product list, and click Next.
7 Enter the serial number of the ASA, and follow the prompts to request a 3DES/AES license for the ASA.

Java Version: All

Conditions:
• Self-signed certificate or an untrusted certificate
• IPv6
• Firefox and Safari
Notes: When the ASA uses a self-signed certificate or an untrusted certificate, Firefox and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority.

Conditions:
• SSL encryption on the ASA must include both RC4-MD5 and RC4-SHA1 or disable SSL false start in Chrome.
• Chrome
Notes: If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome “SSL false start” feature. We suggest re-enabling one of these algorithms (see the Configuration > Device Management > Advanced > SSL Settings pane); or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to Run Chromium with flags.

Conditions: IE9 for servers
Notes: For Internet Explorer 9.0 for servers, the “Do not save encrypted pages to disk” option is enabled by default (See Tools > Internet Options > Advanced). This option causes the initial ASDM download to fail. Be sure to disable this option to allow ASDM to download.

Conditions: OS X
Notes: On OS X, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.

Java Version: All

Conditions: OS X 10.8 and later
Notes: You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.
1 To allow ASDM to run, right-click (or Ctrl-Click) the Cisco ASDM-IDM Launcher icon, and choose Open.
2 You see a similar error screen; however, you can open ASDM from this screen. Click Open. The ASDM-IDM Launcher opens.

Install an Identity Certificate for ASDM
When using Java 7 update 51 and later, the ASDM Launcher requires a trusted certificate. An easy approach
to fulfill the certificate requirements is to install a self-signed identity certificate. You can use Java Web Start
to launch ASDM until you install a certificate.
See Install an Identity Certificate for ASDM to install a self-signed identity certificate on the ASA for use
with ASDM, and to register the certificate with Java.
Increase the ASDM Configuration Memory
ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience
performance issues. For example, when you load the configuration, the status dialog box shows the percentage
of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend
operation, even though ASDM might still be processing the configuration. If this situation occurs, we
recommend that you consider increasing the ASDM system heap memory.
Increase the ASDM Configuration Memory in Windows
To increase the ASDM heap memory size, edit the run.bat file by performing the following procedure.
Step 1 Go to the ASDM installation directory, for example C:\Program Files (x86)\Cisco Systems\ASDM.
Step 2 Edit the run.bat file with any text editor.
Step 3 In the line that starts with “start javaw.exe”, change the argument prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.
Step 4 Save the run.bat file.
Increase the ASDM Configuration Memory in Mac OS
To increase the ASDM heap memory size, edit the Info.plist file by performing the following procedure.
Step 1 Right-click the Cisco ASDM-IDM icon, and choose Show Package Contents.
Step 2 In the Contents folder, double-click the Info.plist file. If you have Developer tools installed, it opens in the Property List Editor. Otherwise, it opens in TextEdit.
Step 3 Under Java > VMOptions, change the string prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.
Step 4 If this file is locked, you see an error such as the following:
Step 5 Click Unlock and save the file.
If you do not see the Unlock dialog box, exit the editor, right-click the Cisco ASDM-IDM icon, choose Copy Cisco ASDM-IDM, and paste it to a location where you have write permissions, such as the Desktop. Then change the heap size from this copy.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module
compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note
New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in ASA 9.5(2.1)/ASDM 7.5(2)
Released: December 14, 2015
Note
This release supports only the ASA on the Firepower 9300.
Feature
Description
Platform Features
VPN support for the ASA on the
Firepower 9300
With FXOS 1.1.3, you can now configure VPN features.
Firewall Features
Flow off-load for the ASA on the
Firepower 9300
You can identify flows that should be off-loaded from the ASA and switched directly in the
NIC (on the Firepower 9300). This provides improved performance for large data flows in
data centers.
Also requires FXOS 1.1.3.
We added or modified the following screens: Configuration > Firewall > Advanced >
Offload Engine, the Rule Actions > Connection Settings tab when adding or editing rules
under Configuration > Firewall > Service Policy Rules.
High Availability Features
Inter-chassis clustering for 6 modules, and inter-site clustering for the ASA on the Firepower 9300
With FXOS 1.1.3, you can now enable inter-chassis, and by extension inter-site clustering.
You can include up to 6 modules in up to 6 chassis.
We did not modify any screens.
Licensing Features
Strong Encryption (3DES) license
automatically applied for the ASA
on the Firepower 9300
For regular Cisco Smart Software Manager users, the Strong Encryption license is automatically
enabled for qualified customers when you apply the registration token on the Firepower 9300.
Note
If you are using the Smart Software Manager satellite deployment, to use ASDM
and other strong encryption features, after you deploy the ASA you must enable the
Strong Encryption (3DES) license using the ASA CLI.
This feature requires FXOS 1.1.3.
We modified the following screen: Configuration > Device Management > Licensing >
Smart License
New Features in ASA 9.5(2)/ASDM 7.5(2)
Released: November 30, 2015
Feature
Description
Platform Features
Cisco ISA 3000 Support
The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is
low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model
comes with the ASA Firepower module pre-installed. Special features for this model include
a customized transparent mode default configuration, as well as a hardware bypass function
to allow traffic to continue flowing through the appliance when there is a loss of power.
We modified the following screen: Configuration > Device Management > Hardware
Bypass
Also in Version 9.4(1.225).
Firewall Features
DCERPC inspection improvements and UUID filtering
DCERPC inspection now supports NAT for OxidResolver ServerAlive2 opnum5 messages.
You can also now filter on DCERPC message universally unique identifiers (UUIDs) to reset
or log particular message types. There is a new DCERPC inspection class map for UUID
filtering.
We added the following screen: Configuration > Firewall > Objects > Class Maps >
DCERPC.
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps
> DCERPC.
Diameter inspection
You can now inspect Diameter traffic. Diameter inspection requires the Carrier license.
We added or modified the following screens:
Configuration > Firewall > Objects > Inspect Maps > Diameter and Diameter AVP
Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol
Inspection tab
SCTP inspection and access control
You can now use the SCTP protocol and port specifications in service objects, access control
lists (ACLs) and access rules, and inspect SCTP traffic. SCTP inspection and access control
requires the Carrier license.
We added or modified the following screens:
Configuration > Firewall > Access Rules add/edit dialogs
Configuration > Firewall > Advanced > ACL Manager add/edit dialogs
Configuration > Firewall > Advanced > Global Timeouts
Configuration > Firewall > NAT add/edit static network object NAT rule, Advanced NAT
Settings dialog box
Configuration > Firewall > Objects > Service Objects/Groups add/edit dialogs
Configuration > Firewall > Objects > Inspect Maps > SCTP
Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol
Inspection and Connection Settings tabs
Carrier Grade NAT enhancements now supported in failover and ASA clustering
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather
than have NAT allocate one port translation at a time (see RFC 6888). This feature is now
supported in failover and ASA cluster deployments.
We did not modify any screens.
Captive portal for active authentication on ASA FirePOWER 6.0.
The captive portal feature is required to enable active authentication using identity policies
starting with ASA FirePOWER 6.0.
We introduced or modified the following commands: captive-portal, clear configure
captive-portal, show running-config captive-portal.
High Availability Features
LISP Inspection for Inter-Site Flow Mobility
Cisco Locator/ID Separation Protocol (LISP) architecture separates the device identity from
its location into two different numbering spaces, making server migration transparent to clients.
The ASA can inspect LISP traffic for location changes and then use this information for
seamless clustering operation; the ASA cluster members inspect LISP traffic passing between
the first hop router and the egress tunnel router (ETR) or ingress tunnel router (ITR), and then
change the flow owner to be at the new site.
We introduced or modified the following screens:
Configuration > Device Management > High Availability and Scalability > ASA Cluster
> Cluster Configuration
Configuration > Firewall > Objects > Inspect Maps > LISP
Configuration > Firewall > Service Policy Rules > Protocol Inspection
Configuration > Firewall > Service Policy Rules > Cluster
Monitoring > Routing > LISP-EID Table
ASA 5516-X support for clustering
The ASA 5516-X now supports 2-unit clusters. Clustering for 2 units is enabled by default
in the base license.
We did not modify any screens.
Configurable level for clustering
trace entries
By default, all levels of clustering events are included in the trace buffer, including many low
level events. To limit the trace to higher level events, you can set the minimum trace level for
the cluster.
We did not modify any screens.
Interface Features
Support to map Secondary VLANs to a Primary VLAN
You can now configure one or more secondary VLANs for a subinterface. When the ASA
receives traffic on the secondary VLANs, it maps the traffic to the primary VLAN.
We modified the following screens: Configuration > Device Setup > Interface Settings >
Interfaces
Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > General
Routing Features
PIM Bootstrap Router (BSR) support for multicast routing
The ASA currently supports configuring static RPs to route multicast traffic for different
groups. For large complex networks where multiple RPs could exist, the ASA now supports
dynamic RP selection using PIM BSR to support mobility of RPs.
We introduced the following screen: Configuration > Device Setup > Routing > Multicast
> PIM > Bootstrap Router
Remote Access Features
Support for Remote Access VPN in multiple context mode
You can now use the following remote access features in multiple context mode:
• AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)
• Centralized AnyConnect image configuration
• AnyConnect image upgrade
• Context Resource Management for AnyConnect connections
Note
The AnyConnect Apex license is required for multiple context mode; you cannot use
the default or legacy license.
We modified the following screen: Configuration > Context Management > Resource
Class > Add Resource Class
Clientless SSL VPN offers SAML
2.0-based Single Sign-On (SSO)
functionality
The ASA acts as a SAML Service Provider.
Clientless SSL VPN conditional
debugging
You can debug logs by filtering, based on the filter condition sets, and can then better analyze
them.
Clientless SSL VPN cache disabled by default
The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN
cache provides better stability. If you want to enable the cache, you must manually enable it.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL
VPN Access > Advanced > Content Cache
Licensing Features
Validation of the Smart Call
Home/Smart Licensing certificate if
the issuing hierarchy of the server
certificate changes
Smart licensing uses the Smart Call Home infrastructure. When the ASA first configures
Smart Call Home anonymous reporting in the background, it automatically creates a trustpoint
containing the certificate of the CA that issued the Smart Call Home server certificate. The
ASA now supports validation of the certificate if the issuing hierarchy of the server certificate
changes; you can enable the automatic update of the trustpool bundle at periodic intervals.
We modified the following screen: Configuration > Remote Access VPN > Certificate
Management > Trusted Certificate Pool > Edit Policy
New Carrier license
The new Carrier license replaces the existing GTP/GPRS license, and also includes support
for SCTP and Diameter inspection. For the ASA on the Firepower 9300, the feature mobile-sp
command will automatically migrate to the feature carrier command.
We modified the following screen: Configuration > Device Management > Licensing >
Smart License
Monitoring Features
SNMP engineID sync
In an HA pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets
of engineIDs are maintained per ASA—synced engineID, native engineID and remote
engineID.
An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve
localized snmp-server user authentication and privacy options. If a user does not specify the
native engineID, the show running config output will show two engineIDs per user.
We did not add or modify any screens.
Also available in 9.4(3).
show tech support enhancements
The show tech support command now:
• Includes dir all-filesystems output—This output can be helpful in the following cases:
◦ SSL VPN configuration: check if the required resources are on the ASA
◦ Crash: check for the date timestamp and presence of a crash file
• Removes the show kernel cgroup-controller detail output—This command output
will remain in the output of show tech-support detail.
We did not add or modify any screens.
Also available in 9.1(7) and 9.4(3).
logging debug-trace persistence
Formerly, when you enabled logging debug-trace to redirect debugs to a syslog server, if the
SSH connection were disconnected (due to network connectivity or timeout), then the debugs
were removed. Now, debugs persist for as long as the logging command is in effect.
We did not modify any screens.
New Features in ASA 9.5(1.5)/ASDM 7.5(1.112)
Released: November 11, 2015
Feature
Description
Platform Features
Support for ASA FirePOWER 6.0
The 6.0 software version for the ASA FirePOWER module is supported on all previously
supported device models.
Support for managing the ASA FirePOWER module through ASDM for the 5512-X through 5585-X.
You can manage the ASA FirePOWER module using ASDM instead of using Firepower
Management Center (formerly FireSIGHT Management Center) when running version 6.0
on the module. You can still use ASDM to manage the module on the 5506-X, 5506H-X,
5506W-X, 5508-X, and 5516-X when running 6.0.
No new screens or commands were added.
New Features in ASDM 7.5(1.90)
Released: October 14, 2015
Feature
Description
Remote Access Features
AnyConnect Version 4.2 support
ASDM supports AnyConnect 4.2 and the Network Visibility Module (NVM). NVM enhances
the enterprise administrator’s ability to do capacity and service planning, auditing, compliance,
and security analytics. The NVM collects the endpoint telemetry and logs both the flow data
and the file reputation in the syslog and also exports the flow records to a collector (a third-party
vendor), which performs the file analysis and provides a UI interface.
We modified the following screen: Configuration > Remote Access VPN > Network (Client)
Access > AnyConnect Client Profile (a new profile called Network Visibility Service
Profile)
New Features in ASAv 9.5(1.200)/ASDM 7.5(1)
Released: August 31, 2015
Note
This release supports only the ASAv.
Feature
Description
Platform Features
Microsoft Hyper-V supervisor
support
Extends the hypervisor portfolio for the ASAv.
ASAv5 low memory support
The ASAv5 now only requires 1 GB RAM to operate. Formerly, it required 2 GB. For
already-deployed ASAv5s, you should reduce the allocated memory to 1 GB or you will see
an error that you are using more memory than is licensed.
New Features in ASA 9.5(1)/ASDM 7.5(1)
Released: August 12, 2015
Note
This version does not support the Firepower 9300 ASA security module or the ISA 3000.
Feature
Description
Firewall Features
GTPv2 inspection and improvements to GTPv0/1 inspection
GTP inspection can now handle GTPv2. In addition, GTP inspection for all versions now
supports IPv6 addresses.
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps >
GTP
IP Options inspection improvements
IP Options inspection now supports all possible IP options. You can tune the inspection to
allow, clear, or drop any standard or experimental options, including those not yet defined.
You can also set a default behavior for options not explicitly defined in an IP options inspection
map.
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps >
IP Options
Carrier Grade NAT enhancements
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather
than have NAT allocate one port translation at a time (see RFC 6888).
We introduced the following screen: Configuration > Firewall > Advanced > PAT Port
Block Allocation. We added Enable Block Allocation to the object NAT and twice NAT dialog
boxes.
High Availability Features
Inter-site clustering support for
Spanned EtherChannel in Routed
firewall mode
You can now use inter-site clustering for Spanned EtherChannels in routed mode. To avoid
MAC address flapping, configure a site ID for each cluster member so that a site-specific
MAC address for each interface can be shared among a site’s units.
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > ASA Cluster > Cluster Configuration
ASA cluster customization of the
auto-rejoin behavior when an
interface or the cluster control link
fails
You can now customize the auto-rejoin behavior when an interface or the cluster control link
fails.
We introduced the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster > Auto Rejoin
The ASA cluster supports GTPv1
and GTPv2
The ASA cluster now supports GTPv1 and GTPv2 inspection.
We did not modify any screens.
Cluster replication delay for TCP
connections
This feature helps eliminate the “unnecessary work” related to short-lived flows by delaying
the director/backup flow creation.
We introduced the following screen: Configuration > Device Management > High
Availability and Scalability > ASA Cluster Replication
Also available for the Firepower 9300 ASA security module in Version 9.4(1.152).
Disable health monitoring of a hardware module in ASA clustering
By default when using clustering, the ASA monitors the health of an installed hardware module
such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger
failover, you can disable module monitoring.
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > ASA Cluster > Cluster Interface Health Monitoring
Enable use of the Management 1/1
interface as the failover link on the
ASA 5506H
On the ASA 5506H only, you can now configure the Management 1/1 interface as the failover
link. This feature lets you use all other interfaces on the device as data interfaces. Note that
if you use this feature, you cannot use the ASA Firepower module, which requires the
Management 1/1 interface to remain as a regular management interface.
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > Failover > Setup
Routing Features
Support for IPv6 in Policy Based
Routing
IPv6 addresses are now supported for Policy Based Routing.
We modified the following screens:
Configuration > Device Setup > Routing > Route Maps > Add Route Map > Policy Based
Routing
Configuration > Device Setup > Routing > Route Maps > Add Route Maps >
Match Clause
VXLAN support for Policy Based
Routing
You can now enable Policy Based Routing on a VNI interface.
We modified the following screen: Configuration > Device Setup > Interface Settings >
Interfaces > Add/Edit Interface > General
Policy Based Routing support for Identity Firewall and Cisco Trustsec
You can configure Identity Firewall and Cisco TrustSec and then use Identity Firewall and
Cisco TrustSec ACLs in Policy Based Routing route maps.
We modified the following screen: Configuration > Device Setup > Routing > Route Maps
> Add Route Maps > Match Clause
Separate routing table for
management-only interfaces
To segregate and isolate management traffic from data traffic, the ASA now supports a separate
routing table for management-only interfaces.
We did not modify any screens.
Protocol Independent Multicast
Source-Specific Multicast
(PIM-SSM) pass-through support
The ASA now allows PIM-SSM packets to pass through when you enable multicast routing,
unless the ASA is the Last-Hop Router. This feature allows greater flexibility in choosing a
multicast group while also protecting against different attacks; hosts only receive traffic from
explicitly-requested sources.
We did not modify any screens.
Remote Access Features
IPv6 VLAN Mapping
ASA VPN code has been enhanced to support full IPv6 capabilities. No configuration change
is necessary for the administrator.
Clientless SSL VPN SharePoint
2013 Support
Added support and a predefined application template for this new SharePoint version.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL
VPN Access > Portal > Bookmarks > Add Bookmark List > Select Bookmark Type >
Predefined application templates
Dynamic Bookmarks for Clientless VPN
Added CSCO_WEBVPN_DYNAMIC_URL and CSCO_WEBVPN_MACROLIST to the
list of macros when using bookmarks. These macros allow the administrator to configure a
single bookmark that can generate multiple bookmark links on the clientless user’s portal and
to statically configure bookmarks to take advantage of arbitrarily sized lists provided by LDAP
attribute maps.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL
VPN Access > Portal > Bookmarks
VPN Banner Length Increase
The overall banner length, which is displayed during post-login on the VPN remote client
portal, has increased from 500 to 4000.
We modified the following screen: Configuration > Remote Access VPN > .... Add/Edit
Internal Group Policy > General Parameters > Banner
Cisco Easy VPN client on the ASA 5506-X, 5506W-X, 5506H-X, and 5508-X
This release supports Cisco Easy VPN on the ASA 5506-X series and for the ASA 5508-X.
The ASA acts as a VPN hardware client when connecting to the VPN headend. Any devices
(computers, printers, and so on) behind the ASA on the Easy VPN port can communicate
over the VPN; they do not have to run VPN clients individually. Note that only one ASA
interface can act as the Easy VPN port; to connect multiple devices to that port, you need to
place a Layer 2 switch on the port, and then connect your devices to the switch.
We introduced the following screen: Configuration > VPN > Easy VPN Remote
Monitoring Features
Show invalid usernames in syslog
messages
You can now show invalid usernames in syslog messages for unsuccessful login attempts.
The default setting is to hide usernames when the username is invalid or if the validity is
unknown. If a user accidentally types a password instead of a username, for example, then it
is more secure to hide the “username” in the resultant syslog message. You might want to
show invalid usernames to help with troubleshooting login issues.
We introduced the following command: no logging hide username
We modified the following screen: Configuration > Device Management > Logging >
Syslog Setup
This feature is also available in 9.2(4) and 9.3(3).
REST API Features
REST API Version 1.2.1
We added support for the REST API Version 1.2.1.
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
Upgrade Path
See the following table for the upgrade path for your version. Some versions require an interim upgrade before
you can upgrade to the latest version.
Current ASA Version     First Upgrade to:    Then Upgrade to:
8.2(x) and earlier      8.4(5)               9.1(3) and later
8.3(x)                  8.4(5)               9.1(3) and later
8.4(1) through 8.4(4)   8.4(5) or 9.0(4)     9.1(3) and later
8.4(5) and later        —                    9.1(3) and later
8.5(1)                  9.0(4)               9.1(3) and later
8.6(1)                  9.0(4)               9.1(3) and later
9.0(1)                  9.0(4)               9.1(3) and later
9.0(2) or later         —                    9.1(3) and later
9.1(1)                  9.1(2)               9.1(3) and later
9.1(2) or later         —                    9.1(3) and later
9.2(x)                  —                    9.2(2) and later
9.3(x)                  —                    9.3(2) and later
9.4(x)                  —                    9.4(2) and later
9.5(x)                  —                    9.5(2) and later
Upgrade Link
To complete your upgrade, see Upgrade to ASA 9.4 and ASDM 7.4.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based
tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and
vulnerabilities in this product and other Cisco hardware and software products.
Note
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have
one, you can register for an account. If you do not have a Cisco support contract, you can only look up
bugs by ID; you cannot run searches.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs
This section lists open bugs in each version.
Open Bugs in Version 7.5(2.153)
If you have a Cisco support contract, use the following dynamic search for all open bugs severity 3 and higher
for Version 7.5(2.153):
• 7.5(2.153) open bug search.
The following table lists the open bugs at the time of this Release Note publication.
Identifier    Description
CSCux13150    ASDM: Backup/Restore does not work with policy-map global_policy
CSCux26490    ASDM Removes an Entire DAP Bookmark List If It Exceeds 245 Characters
CSCux59614    ASDM duplicates remarks when moving ACEs from order
CSCux63266    DAP policy - dap.xml should get updated for HS3.x to HS4.x upgrade
CSCux69363    ASDM 7.5(2) password-storage is shown disabled
Open Bugs in Version 7.5(2)
If you have a Cisco support contract, use the following dynamic search for all open bugs severity 3 and higher
for Version 7.5(2):
• 7.5(2) open bug search.
The following table lists the open bugs at the time of this Release Note publication.
Identifier    Description
CSCux11651    ASDM Cannot delete ACL description (remark) lines
CSCux13150    ASDM: Backup/Restore does not work with policy-map global_policy
CSCux26490    ASDM Removes an Entire DAP Bookmark List If It Exceeds 245 Characters
CSCux33151    ASDM duplicates remarks in ACL instead of replacing
CSCux35016    ASDM discrepencies in crypto map
CSCux37581    ASDM 7.5.2 Not displaying active anyconnect clients
CSCux59614    ASDM duplicates remarks when moving ACEs from order
CSCux63266    DAP policy - dap.xml should get updated for HS3.x to HS4.x upgrade
CSCux69363    ASDM 7.5(2) password-storage is shown disabled
Open Bugs in Version 7.5(1.112)
If you have a Cisco support contract, use the following dynamic search for all open bugs severity 3 and higher
for Version 7.5(1.112):
• 7.5(1.112) open bug search.
The following table lists the open bugs at the time of this Release Note publication.
Identifier    Description
CSCuv76021    ASDM Gtp syslog mismatch
Open Bugs in Version 7.5(1.90)
If you have a Cisco support contract, use the following dynamic search for all open bugs severity 3 and higher
for Version 7.5(1.90):
• 7.5(1.90) open bug search.
The following table lists the open bugs at the time of this Release Note publication.
Identifier    Description
CSCuv76021    ASDM Gtp syslog mismatch
Open Bugs in Version 7.5(1)
If you have a Cisco support contract, use the following dynamic search for all open bugs severity 3 and higher
for Version 7.5(1):
• 7.5(1) open bug search.
The following table lists the open bugs at the time of this Release Note publication.
Identifier    Description
CSCuv76021    ASDM Gtp syslog mismatch
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 7.5(2.153)
If you have a Cisco support contract, use the following search for all resolved bugs:
• 7.5(2.153) fixed bug search.
The following table lists resolved bugs at the time of this Release Note publication.
Identifier    Description
CSCux11651    ASDM Cannot delete ACL description (remark) lines
CSCux33151    ASDM duplicates remarks in ACL instead of replacing
CSCux35016    ASDM discrepencies in crypto map
CSCux37581    ASDM 7.5.2 Not displaying active anyconnect clients
Resolved Bugs in Version 7.5(1.112)
If you have a Cisco support contract, use the following search for all resolved bugs:
• 7.5(1.112) fixed bug search.
The following table lists resolved bugs at the time of this Release Note publication.
Identifier    Description
CSCuv20248    ASDM 7.4.x could not open device
Resolved Bugs in Version 7.5(1.90)
If you have a Cisco support contract, use the following search for all resolved bugs:
• 7.5(1.90) fixed bug search.
The following table lists resolved bugs at the time of this Release Note publication.
Identifier    Description
CSCut04399    ASDM hangs on MAC after upgrade to Java 8
CSCuv00153    ASDM NullPointerException when accessing SNMP configuration section
CSCuv20248    ASDM 7.4.x could not open device
CSCuw09242    Not able to configure more than 2 interface of ASA using ASDM 7.5.1
Resolved Bugs in Version 7.5(1)
If you have a Cisco support contract, use the following search for all resolved bugs:
• 7.5(1) fixed bug search.
The following table lists resolved bugs at the time of this Release Note publication.
Identifier    Description
CSCuo60919    ASDM connection profiles show 1 interface for multiinterface crypto map
CSCuq59528    DOC:ASDM Doc. needs update for Removing PDF feature for botnet reports
CSCur25021    ASDM command exec order - old object should always be removed first
CSCus47864    ASDM: PBR should accept multiple next-hops for verify-availability
CSCus59519    ENH: ASDM should have an option to clear dhcpd bindings
CSCus60471    Top 200 Hosts bar chart not plotted correctly
CSCut14280    ASDM doesn't allow change Authentication Key "trusted" to FALSE
CSCut35940    ASDM Check Updates finds 9.3.2.200 as Valid Build for Hardware Platforms
CSCut48058    ASDM 7.3(3) not reading some of the ACL's from ASA
CSCut49785    ASDM 7.4.X gets stuck in "software update completed"
CSCut50204    ASDM: NPE when parsing ssl command
CSCut55416    ASDM: ACL with object user name is not populated in route-map
CSCut57751    ASDM 7.4.1 hangs at 87% while validating running configuration
CSCut63568    Can't configure DHCP server on interface with no IP
CSCut92725    ASDM 7.4.1 - Packet capture wizard does not work for ASA cluster
CSCut95424    ASDM Group Policy misbehave
CSCuu00966    ASDM does not read dap.xml file - ASA-SM only
CSCuu04312    ASDM Route Map menu is not listing extended ACLs
CSCuu09489    ASDM: DAP warning about CSD not enabled should mention HS instead of CSD
CSCuu10877    ASDM NAT Properties not Displayed
CSCuu13807    output split-tunnel-all-dns command selecting Group Policies by ASDM
CSCuu35093    ASDM: Ikev2 policy - Can't add multiple PRF Hash
CSCuu41337    ASDM sends incorrect cli for configuring PSK for IKEv2
CSCuu59497    ASDM sending commands in incorrect order to ASA
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco
trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective
owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
© 2015 Cisco Systems, Inc. All rights reserved.