Release Notes for Cisco ASDM, Version 7.3(x)
Released: July 24, 2014
Updated: February 18, 2015
This document contains release information for Cisco ASDM Version 7.3(x) for the Cisco ASA series.
• Important Notes
• System Requirements
• New Features
• Upgrading the Software
• Open Bugs
• Resolved Bugs
• End-User License Agreement
• Related Documentation
• Obtaining Documentation and Submitting a Service Request
Important Notes
• Windows NT AAA server was deprecated—In ASA Version 9.3, the Windows NT AAA server is no longer supported.
• IPS Module management—For the IPS module, ASDM 7.1(6) and later are not compatible with IPS 7.3(2) and earlier. To manage an IPS module on an ASA, you must connect to the IPS IP address directly through your browser.
• Default color scheme for ASDM in Windows—In 7.3(2) and later, ASDM by default does not use the Office look and feel. To change the color scheme back, choose View > Office Look and Feel.
System Requirements
• ASDM Client Operating System and Browser Requirements
• Java and Browser Compatibility
• Install an Identity Certificate for ASDM
• Increase the ASDM Configuration Memory
• ASA and ASDM Compatibility
• VPN Compatibility
ASDM Client Operating System and Browser Requirements
The following table lists the supported and recommended client operating systems and Java for ASDM.
Table 1 Operating System and Browser Requirements

Operating System | Internet Explorer | Firefox | Safari | Chrome | Java SE Plug-in
Microsoft Windows (English and Japanese): 8, 7, Server 2008, Server 2012 | Yes | Yes | No support | Yes | 7.0 or later
Apple OS X 10.4 and later | No support | Yes | Yes | Yes (64-bit version only) | 7.0 or later
Red Hat Enterprise Linux 5 (GNOME or KDE): Desktop, Desktop with Workstation | N/A | Yes | N/A | Yes | 7.0 or later
Java and Browser Compatibility
The following table lists compatibility caveats for Java, ASDM, and browsers.
Table 2 Java Caveats for ASDM Compatibility

Java Version: 7 update 51

Conditions: ASDM Launcher requires trusted certificate
Notes: To continue using the Launcher, do one of the following:
• Upgrade to Java 8 or downgrade Java to 7 update 45 or earlier.
• Install a trusted certificate on the ASA from a known CA.
• Install a self-signed certificate and register it with Java. See Install an Identity Certificate for ASDM.
• Alternatively use Java Web Start.
Note ASDM 7.1(5) and earlier are not supported with Java 7 update 51. If you already upgraded Java, and can no longer launch ASDM in order to upgrade it to Version 7.2 or later, then you can either use the CLI to upgrade ASDM, or you can add a security exception in the Java Control Panel for each ASA you want to manage with ASDM. See the “Workaround” section at:
http://java.com/en/download/help/java_blocked.xml
After adding the security exception, launch the older ASDM and then upgrade to 7.2 or later.

Conditions: In rare cases, online help does not load when using Java Web Start
Notes: In rare cases, when launching online help, the browser window loads, but the content fails to appear. The browser reports an error: “Unable to connect”.
Workaround:
• Use the ASDM Launcher
Or:
• Clear the -Djava.net.preferIPv6Addresses=true parameter in Java Runtime Parameters:
a. Launch the Java Control Panel.
b. Click the Java tab.
c. Click View.
d. Clear this parameter: -Djava.net.preferIPv6Addresses=true
e. Click OK, then Apply, then OK again.

Java Version: 7 update 45

Conditions: ASDM shows a yellow warning about the missing Permissions attribute when using an untrusted certificate
Notes: Due to a bug in Java, if you do not have a trusted certificate installed on the ASA, you see a yellow warning about a missing Permissions attribute in the JAR manifest. It is safe to ignore this warning; ASDM 7.2 and later includes the Permissions attribute. To prevent the warning from appearing, install a trusted certificate (from a known CA); or generate a self-signed certificate on the ASA by choosing Configuration > Device Management > Certificates > Identity Certificates. Launch ASDM, and when the certificate warning is shown, check the Always trust connections to websites check box.

Java Version: 7

Conditions: Requires strong encryption license (3DES/AES) on ASA
Notes: ASDM requires an SSL connection to the ASA. You can request a 3DES license from Cisco:
1. Go to www.cisco.com/go/license.
2. Click Continue to Product License Registration.
3. In the Licensing Portal, click Get Other Licenses next to the text field.
4. Choose IPS, Crypto, Other... from the drop-down list.
5. Type ASA in to the Search by Keyword field.
6. Select Cisco ASA 3DES/AES License in the Product list, and click Next.
7. Enter the serial number of the ASA, and follow the prompts to request a 3DES/AES license for the ASA.

Java Version: All

Conditions:
• Self-signed certificate or an untrusted certificate
• IPv6
• Firefox and Safari
Notes: When the ASA uses a self-signed certificate or an untrusted certificate, Firefox and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority.

Conditions:
• SSL encryption on the ASA must include both RC4-MD5 and RC4-SHA1 or disable SSL false start in Chrome.
• Chrome
Notes: If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome “SSL false start” feature. We suggest re-enabling one of these algorithms (see the Configuration > Device Management > Advanced > SSL Settings pane); or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to Run Chromium with flags.

Conditions: IE9 for servers
Notes: For Internet Explorer 9.0 for servers, the “Do not save encrypted pages to disk” option is enabled by default (See Tools > Internet Options > Advanced). This option causes the initial ASDM download to fail. Be sure to disable this option to allow ASDM to download.

Conditions: OS X
Notes: On OS X, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.

Conditions: OS X 10.8 and later
Notes: You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.
1. To allow ASDM to run, right-click (or Ctrl-Click) the Cisco ASDM-IDM Launcher icon, and choose Open.
2. You see a similar error screen; however, you can open ASDM from this screen. Click Open. The ASDM-IDM Launcher opens.
Install an Identity Certificate for ASDM
When using Java 7 update 51 and later, the ASDM Launcher requires a trusted certificate. An easy
approach to fulfill the certificate requirements is to install a self-signed identity certificate. You can use
Java Web Start to launch ASDM until you install a certificate.
See the following document to install a self-signed identity certificate on the ASA for use with ASDM,
and to register the certificate with Java.
http://www.cisco.com/go/asdm-certificate
Increase the ASDM Configuration Memory
ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may
experience performance issues. For example, when you load the configuration, the status dialog box
shows the percentage of the configuration that is complete, yet with large configurations it stops
incrementing and appears to suspend operation, even though ASDM might still be processing the
configuration. If this situation occurs, we recommend that you consider increasing the ASDM system
heap memory.
• Increase the ASDM Configuration Memory in Windows (ASDM 7.3(2) and Later)
• Increase the ASDM Configuration Memory in Windows (ASDM 7.3(1))
• Increase the ASDM Configuration Memory in Mac OS (ASDM 7.3(3) and Later)
Increase the ASDM Configuration Memory in Windows (ASDM 7.3(2) and Later)
To increase the ASDM heap memory size, edit the run.bat file by performing the following procedure.
Procedure
Step 1 Go to the ASDM installation directory, for example C:\Program Files (x86)\Cisco Systems\ASDM.
Step 2 Edit the run.bat file with any text editor.
Step 3 In the line that starts with “start javaw.exe”, change the argument prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.
Step 4 Save the run.bat file.
Increase the ASDM Configuration Memory in Windows (ASDM 7.3(1))
To increase the ASDM heap memory size, modify the launcher shortcut by performing the following
procedure.
Procedure
Step 1 Right-click the shortcut for the ASDM-IDM Launcher, and choose Properties.
Step 2 Click the Shortcut tab.
Step 3 In the Target field, change the argument prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.
Increase the ASDM Configuration Memory in Mac OS (ASDM 7.3(3) and Later)
To increase the ASDM heap memory size, edit the Info.plist file by performing the following procedure.
Procedure
Step 1 Right-click the Cisco ASDM-IDM icon, and choose Show Package Contents.
Step 2 In the Contents folder, double-click the Info.plist file. If you have Developer tools installed, it opens in the Property List Editor. Otherwise, it opens in TextEdit.
Step 3 Under Java > VMOptions, change the string prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.
Step 4 If this file is locked, you see an error such as the following:
Step 5 Click Unlock and save the file.
If you do not see the Unlock dialog box, exit the editor, right-click the Cisco ASDM-IDM icon, choose
Copy Cisco ASDM-IDM, and paste it to a location where you have write permissions, such as the
Desktop. Then change the heap size from this copy.
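The run.bat and Info.plist edits in the procedures above can be scripted when several administrator workstations need the same heap size. The following Python is an added example, not part of the Cisco release notes or ASDM; the function names and the sample file contents are constructed, and it assumes Java > VMOptions holds either one string or a list of strings.

```python
import plistlib
import re

# Matches a JVM maximum-heap argument such as -Xmx512m or -Xmx1G.
XMX_RE = re.compile(r"-Xmx\d+[kKmMgG]?")
# Heap sizes accepted here, in the form the procedure uses (768M, 1G).
SIZE_RE = re.compile(r"\d+[MG]")


def _check_size(size):
    if not SIZE_RE.fullmatch(size):
        raise ValueError(f"unsupported heap size: {size!r}")


def set_heap_in_run_bat(text, size):
    """Return run.bat text with -Xmx changed on the 'start javaw.exe' line only."""
    _check_size(size)
    out, changed = [], 0
    # keepends=True preserves the file's CRLF line endings.
    for line in text.splitlines(keepends=True):
        if line.lstrip().lower().startswith("start javaw.exe"):
            line, n = XMX_RE.subn(f"-Xmx{size}", line)
            changed += n
        out.append(line)
    # Refuse to write a file where the expected argument was not found once.
    if changed != 1:
        raise ValueError(f"expected exactly one -Xmx argument, found {changed}")
    return "".join(out)


def set_heap_in_info_plist(data, size):
    """Return Info.plist bytes with -Xmx changed under Java > VMOptions."""
    _check_size(size)
    plist = plistlib.loads(data)
    opts = plist["Java"]["VMOptions"]
    # Assumption: VMOptions is one string or a list of strings.
    items = [opts] if isinstance(opts, str) else list(opts)
    changed = 0
    for i, opt in enumerate(items):
        items[i], n = XMX_RE.subn(f"-Xmx{size}", opt)
        changed += n
    if changed != 1:
        raise ValueError(f"expected exactly one -Xmx argument, found {changed}")
    plist["Java"]["VMOptions"] = items[0] if isinstance(opts, str) else items
    return plistlib.dumps(plist)


def read_vmoptions(data):
    """Return the Java > VMOptions value from Info.plist bytes."""
    return plistlib.loads(data)["Java"]["VMOptions"]


# Constructed sample inputs, not copied from a real ASDM installation.
SAMPLE_RUN_BAT = "@echo off\r\nstart javaw.exe -Xms64m -Xmx512m -jar example.jar\r\n"
SAMPLE_PLIST = plistlib.dumps({"Java": {"VMOptions": "-Xms64m -Xmx512m"}})
SAMPLE_PLIST_LIST = plistlib.dumps({"Java": {"VMOptions": ["-Xms64m", "-Xmx512m"]}})

if __name__ == "__main__":
    print(set_heap_in_run_bat(SAMPLE_RUN_BAT, "1G"))
    print(read_vmoptions(set_heap_in_info_plist(SAMPLE_PLIST, "768M")))
```

Keep a copy of the original file before writing the result back; both functions raise ValueError instead of returning a file in which the -Xmx argument was missing or ambiguous.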
ASA and ASDM Compatibility
For information about ASA/ASDM requirements and compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
• New Features in ASA 9.3(2)/ASDM 7.3(2.102)
• New Features in ASA 9.3(2.200)/ASDM 7.3(2)
• New Features in ASA 9.3(2)/ASDM 7.3(2)
• New Features in ASA 9.2(3)/ASDM 7.3(1.101)
• New Features in ASA 9.3(1)/ASDM 7.3(1)
New Features in ASA 9.3(2)/ASDM 7.3(3)
Released: February 2, 2015
The following table lists the new features for ASDM Version 7.3(3).
Table 3 New Features for ASDM Version 7.3(3)
Feature
Description
Platform Features
ASA FirePOWER software
module for the ASA 5506-X
You can configure ASA FirePOWER on the ASA 5506-X using ASDM; a
separate FireSIGHT Management Center is not required, although you can use
one instead of ASDM.
We introduced the following screens:
Home > ASA FirePOWER Dashboard
Home > ASA FirePOWER Reporting
Configuration > ASA FirePOWER Configuration
Monitoring > ASA FirePOWER Monitoring
New Features in ASA 9.3(2)/ASDM 7.3(2.102)
Released: January 21, 2015
There were no new features in this release.
New Features in ASA 9.3(2.200)/ASDM 7.3(2)
Released: December 18, 2014
The following table lists the new features for ASA Version 9.3(2.200)/ASDM Version 7.3(2).
Note This release supports only the ASAv.
Table 4 New Features for ASA Version 9.3(2.200)/ASDM Version 7.3(2)
Feature
Description
Platform Features
ASAv with KVM and Virtio
You can deploy the ASAv using the Kernel-based Virtual Machine (KVM) and
the Virtio virtual interface driver.
New Features in ASA 9.3(2)/ASDM 7.3(2)
Released: December 18, 2014
The following table lists the new features for ASA Version 9.3(2)/ASDM Version 7.3(2).
Table 5 New Features for ASA Version 9.3(2)/ASDM Version 7.3(2)
Feature
Description
Platform Features
ASA 5506-X
We introduced the ASA 5506-X.
ASA FirePOWER passive monitor-only mode using traffic redirection interfaces
You can now configure a traffic forwarding interface to send traffic to the module instead of using a service policy. In this mode, neither the module nor the ASA affects the traffic.
We fully supported the following command: traffic-forward sfr monitor-only. You can configure this in CLI only.
Mixed level SSPs in the ASA
5585-X
You can now use the following mixed level SSPs in the ASA 5585-X:
• ASA SSP-10/ASA FirePOWER SSP-40
• ASA SSP-20/ASA FirePOWER SSP-60
Requirements: ASA SSP in slot 0, ASA FirePOWER SSP in slot 1
ASA REST API 1.0.1
A REST API was added to support configuring and managing major functions
of the ASA.
Support for ASA image signing and verification
ASA images are now signed using a digital signature. The digital signature is verified after the ASA is booted.
This feature is not supported in ASDM.
Accelerated security path load
balancing
The accelerated security path (ASP) load balancing mechanism reduces packet
drop and improves throughput by allowing multiple cores of the CPU to
receive packets from an interface receive ring and work on them independently.
We introduced the following screen: Configuration > Device Management >
Advanced > ASP Load Balancing
Firewall Features
Configuration session for
editing ACLs and objects.
Forward referencing of objects
and ACLs in access rules.
You can now edit ACLs and objects in an isolated configuration session. You
can also forward reference objects and ACLs, that is, configure rules and
access groups for objects or ACLs that do not yet exist.
This feature is not supported in ASDM.
SIP support for Trust
Verification Services, NAT66,
CUCM 10.5, and model 8831
phones.
You can now configure Trust Verification Services servers in SIP inspection.
You can also use NAT66. SIP inspection has been tested with CUCM 10.5.
Unified Communications
support for CUCM 10.5
SIP and SCCP inspections were tested and verified with Cisco Unified
Communications Manager 10.5.
We introduced the following screen: Configuration > Firewall > Objects >
Inspection Maps > SIP > Add/Edit SIP Inspect Map > Details > TVS
Server
Remote Access Features
Browser support for Citrix VDI
We now support an HTML 5-based browser solution for accessing the Citrix VDI, without requiring the Citrix Receiver client on the desktop.
Clientless SSL VPN for Mac
OSX 10.9
We now support Clientless SSL VPN features such as the rewriter, smart
tunnels, and plugins on all browsers that are supported on Mac OSX 10.9.
Interoperability with
standards-based, third-party,
IKEv2 remote access clients
We now support VPN connectivity via standards-based, third-party, IKEv2
remote-access clients (in addition to AnyConnect). Authentication support
includes preshared keys, certificates, and user authentication via the Extensible
Authentication Protocol (EAP).
We introduced or modified the following screens:
Wizards > IPsec IKEv2 Remote Access Wizard.
Configuration > Remote Access VPN > Network (Client) Access > IPsec
(IKEv2) Connection Profiles
Configuration > Remote Access VPN > Network (Client) Access > IPsec
(IKEv2) Connection Profiles > Add/Edit > Advanced > IPsec
Monitoring > VPN > VPN Statistics > Sessions
Transport Layer Security (TLS) version 1.2 support
We now support TLS version 1.2 for secure message transmission for ASDM, Clientless SSL VPN, and AnyConnect VPN.
We modified the following screens:
Configuration > Device Management > Advanced > SSL Settings
Configuration > Remote Access VPN > Advanced > SSL Settings
AnyConnect 4.0 support for
TLS version 1.2
AnyConnect 4.0 now supports TLS version 1.2 with the following four
additional cipher suites: DHE-RSA-AES256-SHA256,
DHE-RSA-AES128-SHA256, AES256-SHA256, and AES128-SHA256.
Licensing Features
Cisco Smart Software
Licensing for the ASAv
Smart Software Licensing lets you purchase and manage a pool of licenses.
Unlike PAK licenses, smart licenses are not tied to a specific serial number.
You can easily deploy or retire ASAvs without having to manage each unit’s
license key. Smart Software Licensing also lets you see your license usage and
needs at a glance.
We introduced or modified the following screens:
Configuration > Device Management > Licensing > Smart License
Configuration > Device Management > Smart Call-Home
Monitoring > Properties > Smart License
High Availability Features
Lock configuration changes on
the standby unit or standby
context in a failover pair
You can now lock configuration changes on the standby unit (Active/Standby
failover) or the standby context (Active/Active failover) so you cannot make
changes on the standby unit outside normal configuration syncing.
We modified the following screen: Configuration > Device Management >
High Availability and Scalability > Failover > Setup
ASA clustering inter-site
deployment in transparent
mode with the ASA cluster
firewalling between inside
networks
You can now deploy a cluster in transparent mode between inside networks and
the gateway router at each site (AKA East-West insertion), and extend the
inside VLANs between sites. We recommend using Overlay Transport
Virtualization (OTV), but you can use any method that ensures that the
overlapping MAC Addresses and IP addresses of the gateway router do not
leak between sites. Use a First Hop Redundancy Protocol (FHRP) such as
HSRP to provide the same virtual MAC and IP addresses to the gateway
routers.
Interface Features
Traffic Zones
You can group interfaces together into a traffic zone to accomplish traffic load
balancing (using Equal Cost Multi-Path (ECMP) routing), route redundancy,
and asymmetric routing across multiple interfaces.
Note
You cannot apply a security policy to a named zone; the security policy
is interface-based. When interfaces in a zone are configured with the
same access rule, NAT, and service policy, then load-balancing and
asymmetric routing operate correctly.
We introduced or modified the following screens:
Configuration > Device Setup > Interface Parameters > Zones
Configuration > Device Setup > Interface Parameters > Interfaces
Routing Features
BGP support for IPv6
We added support for IPv6.
We introduced the following screen: Configuration > Device Setup >
Routing > BGP > IPv6 Family
Monitoring Features
SNMP MIBs and traps
The CISCO-PRODUCTS-MIB and
CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support the
new ASA 5506-X.
The ASA 5506-X has been added as a new product to the SNMP sysObjectID OID and entPhysicalVendorType OID.
The ASA now supports the CISCO-CONFIG-MAN-MIB, which enables you
to do the following:
• Know which commands have been entered for a specific configuration.
• Notify the NMS when a change has occurred in the running configuration.
• Track the time stamps associated with the last time that the running configuration was changed or saved.
• Track other changes to commands, such as terminal details and command sources.
We modified the following screen: Configuration > Device Management >
Management Access > SNMP > Configure Traps > SNMP Trap
Configuration
Showing route summary information for troubleshooting
The show route-summary command output has been added to the show tech-support detail command.
Management Features
System backup and restore
We now support complete system backup and restoration using the CLI.
We did not modify any screens. This functionality is already available in
ASDM.
New Features in ASA 9.2(3)/ASDM 7.3(1.101)
Released: December 15, 2014
Table 6 lists the new features for ASA Version 9.2(3)/ASDM Version 7.3(1.101).
Table 6 New Features for ASA Version 9.2(3)/ASDM Version 7.3(1.101)
Feature
Description
Remote Access Features
Clientless SSL VPN session cookie access restriction
You can now prevent a Clientless SSL VPN session cookie from being accessed by a third party through a client-side script such as JavaScript.
Note Use this feature only if Cisco TAC advises you to do so. Enabling this command presents a security risk because the following Clientless SSL VPN features will not work without any warning.
• Java plug-ins
• Java rewriter
• Port forwarding
• File browser
• Sharepoint features that require desktop applications (for example, MS Office applications)
• AnyConnect Web launch
• Citrix Receiver, XenDesktop, and Xenon
• Other non-browser-based and browser plugin-based applications
We introduced the following screen: Configuration > Remote Access VPN >
Clientless SSL VPN Access > Advanced > HTTP Cookie
New Features in ASA 9.3(1)/ASDM 7.3(1)
Released: July 24, 2014
The following table lists the new features for ASA Version 9.3(1)/ASDM Version 7.3(1).
Note The ASA 5505 is not supported in this release or later. ASA Version 9.2 was the final release for the ASA 5505.
Table 7 New Features for ASA Version 9.3(1)/ASDM Version 7.3(1)
Feature
Description
Firewall Features
SIP, SCCP, and TLS Proxy support for IPv6
You can now inspect IPv6 traffic when using SIP, SCCP, and TLS Proxy (using SIP or SCCP).
We did not modify any ASDM screens.
Support for Cisco Unified Communications
Manager 8.6
The ASA now interoperates with Cisco Unified Communications Manager
Version 8.6 (including SCCPv21 support).
We did not modify any ASDM screens.
Transactional Commit Model on rule engine for access groups and NAT
When enabled, a rule update is applied after the rule compilation is completed, without affecting the rule matching performance.
We introduced the following screen: Configuration > Device Management >
Advanced > Rule Engine
Remote Access Features
XenDesktop 7 Support for clientless SSL
VPN
We added support for XenDesktop 7 to clientless SSL VPN. When creating a
bookmark with auto sign-on, you can now specify a landing page URL or a
Control ID.
We modified the following screen: Configuration > Remote Access VPN >
Clientless SSL VPN Access > Portal > Bookmarks
AnyConnect Custom Attribute
Enhancements
Custom attributes define and configure AnyConnect features that have not
been incorporated into the ASA, such as Deferred Upgrade. Custom attribute
configuration has been enhanced to allow multiple values and longer values,
and now requires a specification of their type, name and value. They can now
be added to Dynamic Access Policies as well as Group Policies. Previously
defined custom attributes will be updated to this enhanced configuration
format upon upgrade to 9.3.x.
We introduced or modified the following screens:
Configuration > Remote Access VPN > Network (Client) Access >
Advanced > AnyConnect Custom Attributes
Configuration > Remote Access VPN > Network (Client) Access >
Advanced > AnyConnect Custom Attribute Names
Configuration > Remote Access VPN > Network (Client) Access > Group
Policies > Add/Edit > Advanced > AnyConnect Client > Custom Attributes
Configuration > Remote Access VPN > Network (Client) Access >
Dynamic Access Policies > Add/Edit > AnyConnect Custom Attributes
AnyConnect Identity Extensions (ACIDex)
for Desktop Platforms
ACIDex, also known as AnyConnect Endpoint Attributes or Mobile Posture, is the method used by the AnyConnect VPN client to communicate posture information to the ASA. Dynamic Access Policies use these endpoint attributes to authorize users.
The AnyConnect VPN client now provides Platform identification for the
desktop operating systems (Windows, Mac OS X, and Linux) and a pool of
MAC Addresses which can be used by DAPs.
We modified the following screen: Configuration > Remote Access VPN >
Dynamic Access Policies > Add/Edit > Add/Edit (endpoint attribute),
select AnyConnect for the Endpoint Attribute Type. Additional operating
systems are in the Platform drop-down list and MAC Address has changed to
Mac Address Pool.
TrustSec SGT Assignment for VPN
TrustSec Security Group Tags (SGT) can now be added to the SGT-IP table on
the ASA when a remote user connects.
We introduced or modified the following screens:
Configuration > Remote Access VPN > AAA/Local Users > Local Users >
Edit User > VPN Policy
Configuration > Remote Access VPN > Network (Client) Access > Group
Policies > Add a Policy
High Availability Features
Improved support for monitoring module
health in clustering
We added improved support for monitoring module health in clustering.
Disable health monitoring of a hardware
module
By default, the ASA monitors the health of an installed hardware module such
as the ASA FirePOWER module. If you do not want a hardware module failure
to trigger failover, you can disable module monitoring.
We did not modify any ASDM screens.
We modified the following screen: Configuration > Device Management >
High Availability and Scalability > Failover > Interfaces
Platform Features
ASP Load Balancing
The new auto option in the asp load-balance per-packet command enables
the ASA to adaptively switch ASP load balancing per-packet on and off on
each interface receive ring. This automatic mechanism detects whether or not
asymmetric traffic has been introduced and helps avoid the following issues:
• Overruns caused by sporadic traffic spikes on flows
• Overruns caused by bulk flows oversubscribing specific interface receive rings
• Overruns caused by relatively heavily overloaded interface receive rings, in which a single core cannot sustain the load
We did not modify any ASDM screens.
SNMP MIBs
The CISCO-REMOTE-ACCESS-MONITOR-MIB now supports the ASASM.
Interface Features
Transparent mode bridge group maximum
increased to 250
The bridge group maximum was increased from 8 to 250 bridge groups. You
can configure up to 250 bridge groups in single mode or per context in multiple
mode, with 4 interfaces maximum per bridge group.
We modified the following screens:
Configuration > Device Setup > Interfaces
Configuration > Device Setup > Interfaces > Add/Edit Bridge Group
Interface
Configuration > Device Setup > Interfaces > Add/Edit Interface
Routing Features
BGP support for ASA clustering
We added support for BGP with ASA clustering.
We modified the following screen: Configuration > Device Setup > Routing
> BGP > IPv4 Family > General
BGP support for nonstop forwarding
We added support for BGP Nonstop Forwarding.
We modified the following screens:
Configuration > Device Setup > Routing > BGP > General
Configuration > Device Setup > Routing > BGP > IPv4 Family > Neighbor
Monitoring > Routing > BGP Neighbors
BGP support for advertised maps
We added support for BGPv4 advertised map.
We modified the following screen: Configuration > Device Setup > Routing
> BGP > IPv4 Family > Neighbor > Add BGP Neighbor > Routes
OSPF Support for Non-Stop Forwarding
(NSF)
OSPFv2 and OSPFv3 support for NSF was added.
We added the following screens:
Configuration > Device Setup > Routing > OSPF > Setup > NSF Properties
Configuration > Device Setup > Routing > OSPFv3 > Setup > NSF Properties
AAA Features
Layer 2 Security Group Tag Imposition
You can now use security group tagging combined with Ethernet tagging to
enforce policies. SGT plus Ethernet Tagging, also called Layer 2 SGT
Imposition, enables the ASA to send and receive security group tags on
Gigabit Ethernet interfaces using Cisco proprietary Ethernet framing (Ether
Type 0x8909), which allows the insertion of source security group tags into
plain-text Ethernet frames.
We modified the following screens:
Configuration > Device Setup > Interfaces > Add Interface > Advanced
Configuration > Device Setup > Interfaces > Add Redundant Interface >
Advanced
Configuration > Device Setup > Add Ethernet Interface > Advanced
Wizards > Packet Capture Wizard
Tools > Packet Tracer
Removal of AAA Windows NT domain
authentication
We removed NTLM support for remote access VPN users.
We modified the following screen: Configuration > Remote Access VPN >
AAA/Local Users > AAA Server Groups > Add AAA Server Group
ASDM Identity Certificate Wizard
When using the current Java version, the ASDM Launcher requires a trusted
certificate. An easy approach to fulfill the certificate requirements is to install
a self-signed identity certificate. The ASDM Identity Certificate Wizard makes
creating a self-signed identity certificate easy. When you first launch ASDM
and do not have a trusted certificate, you are prompted to launch ASDM with
Java Web Start; this new wizard starts automatically. After creating the identity
certificate, you need to register it with the Java Control Panel. See
https://www.cisco.com/go/asdm-certificate for instructions.
We added the following screen: Wizards > ASDM Identity Certificate
Wizard
Monitoring Features
Monitoring Aggregated Traffic for Physical
Interfaces
The show traffic command output has been updated to include aggregated
traffic for physical interfaces information. To enable this feature, you must first
enter the sysopt traffic detailed-statistics command.
ASDM can save Botnet Traffic Filter reports as HTML instead of PDF
ASDM can no longer save Botnet Traffic Filter reports as PDF files; it can instead save them as HTML.
The following screen was modified: Monitoring > Botnet Traffic Filter
Upgrading the Software
See the following table for the upgrade path for your version. Some versions require an interim upgrade
before you can upgrade to the latest version.
Note
There are no special requirements for Zero Downtime Upgrades for failover and ASA clustering with
the following exception. Upgrading ASA clustering from 9.0(1) or 9.1(1): due to CSCue72961, hitless
upgrading is not supported.
Current ASA Version | First Upgrade to: | Then Upgrade to:
8.2(x) and earlier | 8.4(6) | 9.3(1) or later
8.3(x) | 8.4(6) | 9.3(1) or later
8.4(1) through 8.4(4) | 8.4(6), 9.0(4), or 9.1(2) | 9.3(1) or later
8.4(5) and later | — | 9.3(1) or later
8.5(1) | 9.0(4) or 9.1(2) | 9.3(1) or later
8.6(1) | 9.0(4) or 9.1(2) | 9.3(1) or later
9.0(1) | 9.0(4) or 9.1(2) | 9.3(1) or later
9.0(2) or later | — | 9.3(1) or later
9.1(1) | 9.1(2) | 9.3(1) or later
9.1(2) or later | — | 9.3(1) or later
9.2(x) | — | 9.3(1) or later
For detailed steps about upgrading, see the 9.3 upgrade guide.
Open Bugs
• Open Bugs in 7.3(3)
• Open Bugs in 7.3(2.102)
• Open Bugs in 7.3(2)
• Open Bugs in 7.3(1.101)
• Open Bugs in 7.3(1)
Open Bugs in 7.3(3)
The following table contains open bugs in ASDM software Version 7.3(3).
Table 8: Open Bugs in ASDM Version 7.3(2.102)
Bug | Description
--- | ---
CSCus51974 | ASDM: CSDM Section to be redesigned to remove deprecated features
CSCus56092 | Add max TLS session values for 5506, 5508 and 5516
CSCus70758 | ASDM should not allow changing speed/duplex on gi1/9 on 5506
CSCus79187 | ASDM may stall @ 72% refreshing large number of VPN Sessions
CSCus79614 | Can't configure TLS proxy max sessions on 5506
Open Bugs in 7.3(2.102)
The following table contains open bugs in ASDM software Version 7.3(2.102).
Table 9: Open Bugs in ASDM Version 7.3(2.102)
Bug | Description
--- | ---
CSCur29821 | ASDM becomes unresponsive after some time
CSCur60489 | ASDM Identity Certificate Wizard error due to usage-keys
CSCus05440 | ASDM: Unable to display correct NAT Rules using specific object name
Open Bugs in 7.3(2)
The following table contains open bugs in ASDM software Version 7.3(2).
Table 10: Open Bugs in ASDM Version 7.3(2)
Bug | Description
--- | ---
CSCur29821 | ASDM becomes unresponsive after some time
CSCur60489 | ASDM Identity Certificate Wizard error due to usage-keys
CSCus05440 | ASDM: Unable to display correct NAT Rules using specific object name
Open Bugs in 7.3(1.101)
The following table contains open bugs in ASDM software Version 7.3(1.101).
Registered Cisco.com users can view more information about each bug by using Bug Search.
Table 11: Open Bugs in ASDM Version 7.3(1.101)
Bug | Description
--- | ---
CSCup69456 | Command to negate ACL remarks not sent from ASDM
CSCup82758 | ASDM sorting VPNs freezes up at 97%
Open Bugs in 7.3(1)
The following table contains open bugs in ASDM software Version 7.3(1).
Registered Cisco.com users can view more information about each bug by using Bug Search.
Table 12: Open Bugs in ASDM Version 7.3(1)
Bug | Description
--- | ---
CSCup69456 | Command to negate ACL remarks not sent from ASDM
CSCup82758 | ASDM sorting VPNs freezes up at 97%
Resolved Bugs
• Resolved Bugs in 7.3(3)
• Resolved Bugs in 7.3(2.102)
• Resolved Bugs in 7.3(2)
• Resolved Bugs in 7.3(1.101)
• Resolved Bugs in 7.3(1)
Resolved Bugs in 7.3(3)
There were no resolved bugs in this release.
Resolved Bugs in 7.3(2.102)
The following table contains the resolved bugs in ASDM software Version 7.3(2.102).
Table 13: Resolved Bugs in ASDM Version 7.3(2.102)
Bug | Description
--- | ---
CSCur23947 | ASDM 7.3.2 doesn't display the "Endpoint Attribute Type: Policy" in DAP
CSCus11684 | ASDM goes unresponsive with HPM enabled
CSCus30737 | ASDM 7.3.2 becomes slow when hpm topN is enabled
CSCus46034 | Collapse All button is missing in Advanced/ACL Manager
CSCus52758 | Top 200 Hosts bar chart doesn't work
Resolved Bugs in 7.3(2)
The following table contains the resolved bugs in ASDM software Version 7.3(2).
Table 14: Resolved Bugs in ASDM Version 7.3(2)
Bug | Description
--- | ---
CSCuo97033 | ASDM nat- ASDM changes interface to object if obj. with such name exists
CSCup33692 | Unable to add PUBLIC SERVER through ASDM
CSCup37140 | ASDM 7.2(1) hangs up at 90%: "Populating GUI modules"
CSCup82758 | ASDM sorting VPNs freezes up at 97%
CSCuq10801 | ASA - User with privilege level less than 15 cannot login to ASDM
CSCuq24052 | EIGRP neighbors not showing in ASDM after upgrade to 7.1.6
CSCuq40844 | Packet tracer doesn't work for ASDM version 7.3(1)
CSCuq41877 | ASDM should check for dependencies when deleting host from Public Server
CSCuq53503 | ASDM 7.3.1 loading process gets stuck at 15% or 17%
CSCuq54818 | ASDM 7.3.1 goes unresponsive after 2 minutes with Poller exception
CSCuq87483 | ASDM 7.3(1): Unable to configure a Web type ACL with URL containing '/'
CSCur27774 | Unable to create User Identity domain from ASDM
CSCur33996 | ASDM Launcher doesn't work after upgrading to Java 8
CSCur41682 | ASDM real time logs freezes after removing filter by "show all" button
CSCur49880 | ASDM: TLS - SSLv3 keywords deprecated
Resolved Bugs in 7.3(1.101)
The following table contains the resolved bugs in ASDM software Version 7.3(1.101).
Registered Cisco.com users can view more information about each bug by using Bug Search.
Table 15: Resolved Bugs in ASDM Version 7.3(1.101)
Bug | Description
--- | ---
CSCuq40844 | Packet tracer doesn't work for ASDM version 7.3(1)
CSCuq54818 | ASDM 7.3.1 goes unresponsive after 2 minutes with Poller exception
Resolved Bugs in 7.3(1)
The following table contains the resolved bugs in ASDM software Version 7.3(1).
Registered Cisco.com users can view more information about each bug by using Bug Search.
Table 16: Resolved Bugs in ASDM Version 7.3(1)
Bug | Description
--- | ---
CSCul79308 | Enh: ASDM knob to export user-identity inactive/active/all user file
CSCum23202 | Webvpn customisation editor should error out when it fails
CSCum24568 | ASDM not responding properly if "anyconnect profile none" is configured
CSCum57517 | ASDM launcher is not working with Java 7u51
CSCun78199 | ASDM unable to add subinterfaces
CSCuo10523 | ASDM 7.1 - Trustsec support is not enabled for ASA-SM in ASDM
CSCuo55691 | ASDM 7.1.6 RSA key generation fail (command syntax error)
CSCuo62386 | ASDM 7.1.6: No DNS Configuration warnings on managing GP through CP
CSCuo64879 | ASDM apply button does not work when adding anyconnect xml profile
CSCuo71581 | ASDM re-enables ikev1 if you switch from basic to the advanced config.
CSCuo80011 | "Enable auto-generation of MAC addresses..." checkbox missing in ASDM
CSCuo89106 | ASDM does not show empty object group in object-group section
CSCup26608 | ASDM logs out vpn sessions when trying to cancel operation
End-User License Agreement
For information on the end-user license agreement, see Product Warranties.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a
service request, and gathering additional information, see What’s New in Cisco Product Documentation.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical
documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The
RSS feeds are a free service.
This document is to be used in conjunction with the documents listed in the “Related Documentation” section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The
use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and
figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and
coincidental.
©2015 Cisco Systems, Inc. All rights reserved.