    Release Notes for Cisco ASDM, Version 7.5(x)

    First Published: August 31, 2015

    This document contains release information for Cisco ASDM Version 7.5(x) for the Cisco ASA series.

    Contents:
      Important Notes
      System Requirements
      New Features
      Upgrade the Software
      Open and Resolved Bugs
      End-User License Agreement
      Related Documentation
      Obtaining Documentation and Submitting a Service Request

    Important Notes

    E-mail proxy commands to be deprecated
    In ASA Version 9.5(2), the e-mail proxy commands (imap4s, pop3s, smtps) and subcommands will no longer be supported.

    Select AAA commands to be deprecated
    In ASA Version 9.5(2), these AAA commands and subcommands (override-account-disable, authentication crack) will no longer be supported.

    CSD commands to be deprecated or migrated
    In ASA Version 9.5(2), the CSD commands (csd image, show webvpn csd image, show webvpn csd, show webvpn csd hostscan, show webvpn csd hostscan image) will no longer be supported.

    The following CSD commands will migrate: csd enable migrates to hostscan enable; csd hostscan image migrates to hostscan image.

    System Requirements

      ASDM Client Operating System and Browser Requirements
      Java and Browser Compatibility
      Install an Identity Certificate for ASDM
      Increase the ASDM Configuration Memory
      ASA and ASDM Compatibility
      VPN Compatibility

    Cisco Systems, Inc. www.cisco.com


    ASDM Client Operating System and Browser Requirements
    The following table lists the supported and recommended client operating systems and Java for ASDM.

    Table 1 Operating System and Browser Requirements

    Operating System                              Internet Explorer   Firefox   Safari       Chrome                       Java SE Plug-in
    Microsoft Windows (English and Japanese):
      8, 7, Server 2008, Server 2012              Yes                 Yes       No support   Yes                          7.0 or later
    Apple OS X 10.4 and later                     No support          Yes       Yes          Yes (64-bit version only)    7.0 or later
    Red Hat Enterprise Linux 5 (GNOME or KDE):
      Desktop, Desktop with Workstation           N/A                 Yes       N/A          Yes                          7.0 or later

    Java and Browser Compatibility
    The following table lists compatibility caveats for Java, ASDM, and browser compatibility.


    Table 2 Java Caveats for ASDM Compatibility

    Java Version: 7 update 51
    Condition: ASDM Launcher requires trusted certificate
    Notes: To continue using the Launcher, do one of the following:
      • Upgrade to Java 8 or downgrade Java to 7 update 45 or earlier.
      • Install a trusted certificate on the ASA from a known CA.
      • Install a self-signed certificate and register it with Java. See Install an Identity Certificate for ASDM.
    Alternatively use Java Web Start.
    Note: ASDM 7.1(5) and earlier are not supported with Java 7 update 51. If you already upgraded Java, and can no longer launch ASDM in order to upgrade it to Version 7.2 or later, then you can either use the CLI to upgrade ASDM, or you can add a security exception in the Java Control Panel for each ASA you want to manage with ASDM. See the Workaround section at:
    http://java.com/en/download/help/java_blocked.xml
    After adding the security exception, launch the older ASDM and then upgrade to 7.2 or later.

    Condition: In rare cases, online help does not load when using Java Web Start
    Notes: In rare cases, when launching online help, the browser window loads, but the content fails to appear. The browser reports an error: Unable to connect.
    Workaround: Use the ASDM Launcher.
    Or: Clear the -Djava.net.preferIPv6Addresses=true parameter in Java Runtime Parameters:
      a. Launch the Java Control Panel.
      b. Click the Java tab.
      c. Click View.
      d. Clear this parameter: -Djava.net.preferIPv6Addresses=true
      e. Click OK, then Apply, then OK again.

    Java Version: 7 update 45
    Condition: ASDM shows a yellow warning about the missing Permissions attribute when using an untrusted certificate
    Notes: Due to a bug in Java, if you do not have a trusted certificate installed on the ASA, you see a yellow warning about a missing Permissions attribute in the JAR manifest. It is safe to ignore this warning; ASDM 7.2 and later includes the Permissions attribute. To prevent the warning from appearing, install a trusted certificate (from a known CA); or generate a self-signed certificate on the ASA by choosing Configuration > Device Management > Certificates > Identity Certificates. Launch ASDM, and when the certificate warning is shown, check the Always trust connections to websites check box.


    Java Version: 7
    Condition: Requires strong encryption license (3DES/AES) on ASA
    Notes: ASDM requires an SSL connection to the ASA. You can request a 3DES license from Cisco:

    1. Go to www.cisco.com/go/license.

    2. Click Continue to Product License Registration.

    3. In the Licensing Portal, click Get Other Licenses next to the text field.

    4. Choose IPS, Crypto, Other... from the drop-down list.

    5. Type ASA into the Search by Keyword field.

    6. Select Cisco ASA 3DES/AES License in the Product list, and click Next.

    7. Enter the serial number of the ASA, and follow the prompts to request a 3DES/AES license for the ASA.



    Java Version: All
    Condition: Self-signed certificate or an untrusted certificate; IPv6; Firefox and Safari
    Notes: When the ASA uses a self-signed certificate or an untrusted certificate, Firefox and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority.

    Java Version: All
    Condition: SSL encryption on the ASA must include both RC4-MD5 and RC4-SHA1, or disable SSL false start in Chrome; Chrome
    Notes: If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome SSL false start feature. We suggest re-enabling one of these algorithms (see the Configuration > Device Management > Advanced > SSL Settings pane); or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to Run Chromium with flags.

    Java Version: All
    Condition: IE9 for servers
    Notes: For Internet Explorer 9.0 for servers, the Do not save encrypted pages to disk option is enabled by default (see Tools > Internet Options > Advanced). This option causes the initial ASDM download to fail. Be sure to disable this option to allow ASDM to download.

    Java Version: All
    Condition: OS X
    Notes: On OS X, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.



    Java Version: All
    Condition: OS X 10.8 and later
    Notes: You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.

    1. To allow ASDM to run, right-click (or Ctrl-Click) the Cisco ASDM-IDM Launcher icon, and choose Open.

    2. You see a similar error screen; however, you can open ASDM from this screen. Click Open. The ASDM-IDM Launcher opens.



    Install an Identity Certificate for ASDM
    When using Java 7 update 51 and later, the ASDM Launcher requires a trusted certificate. An easy approach to fulfill the certificate requirements is to install a self-signed identity certificate. You can use Java Web Start to launch ASDM until you install a certificate.

    See Install an Identity Certificate for ASDM to install a self-signed identity certificate on the ASA for use with ASDM, and to register the certificate with Java.

    Increase the ASDM Configuration Memory
    ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience performance issues. For example, when you load the configuration, the status dialog box shows the percentage of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend that you consider increasing the ASDM system heap memory.

      Increase the ASDM Configuration Memory in Windows
      Increase the ASDM Configuration Memory in Mac OS

    Increase the ASDM Configuration Memory in Windows
    To increase the ASDM heap memory size, edit the run.bat file by performing the following procedure.

    Procedure

    1. Go to the ASDM installation directory, for example C:\Program Files (x86)\Cisco Systems\ASDM.

    2. Edit the run.bat file with any text editor.

    3. In the line that starts with start javaw.exe, change the argument prefixed with -Xmx to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.

    4. Save the run.bat file.

    Increase the ASDM Configuration Memory in Mac OS
    To increase the ASDM heap memory size, edit the Info.plist file by performing the following procedure.

    Procedure

    1. Right-click the Cisco ASDM-IDM icon, and choose Show Package Contents.

    2. In the Contents folder, double-click the Info.plist file. If you have Developer tools installed, it opens in the Property List Editor. Otherwise, it opens in TextEdit.

    3. Under Java > VMOptions, change the string prefixed with -Xmx to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.


    4. If this file is locked, you see an error such as the following:

    5. Click Unlock and save the file.

    If you do not see the Unlock dialog box, exit the editor, right-click the Cisco ASDM-IDM icon, choose Copy Cisco ASDM-IDM, and paste it to a location where you have write permissions, such as the Desktop. Then change the heap size from this copy.
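    Both heap procedures come down to rewriting the -Xmx argument, in the start javaw.exe line of run.bat on Windows and in the Java > VMOptions string of Info.plist on Mac OS. The following Python script is an added example, not Cisco's code and not part of ASDM: it performs that substitution on file contents, rejects sizes that do not look like the notes' 768M or 1G examples, and fails loudly when the file contains no -Xmx argument at all (the usual symptom of editing the wrong file). SAMPLE_RUN_BAT and SAMPLE_INFO_PLIST are constructed stand-ins for the lines being edited; the jar name and the -Xms value in them are assumptions, not taken from the real installer.

```python
"""Rewrite the ASDM Java heap ceiling (-Xmx) in run.bat or Info.plist.

Added example, not Cisco's code. SAMPLE_RUN_BAT and SAMPLE_INFO_PLIST are
constructed stand-ins for the lines the release notes tell you to edit;
the jar name and the -Xms value in them are assumptions, not taken from
the real ASDM installer.
"""
from __future__ import annotations

import re

# One -Xmx argument, e.g. -Xmx256M, -Xmx768M or -Xmx1G (unit letter, any case).
XMX_RE = re.compile(r"-Xmx\d+[KkMmGg]")
# What we accept as a replacement size: digits plus M or G, as in the notes' examples.
SIZE_RE = re.compile(r"\d+[MmGg]")


def heap_arguments(text: str) -> list[str]:
    """Return every -Xmx argument found in `text`, in order (empty if none)."""
    return XMX_RE.findall(text)


def set_heap(text: str, new_size: str) -> str:
    """Return `text` with each -Xmx argument replaced by -Xmx<new_size>.

    A malformed size is rejected up front so a typo cannot leave the launcher
    with a JVM option it will not start with, and a file without any -Xmx
    argument raises instead of being silently returned unchanged.
    """
    if not SIZE_RE.fullmatch(new_size):
        raise ValueError(f"heap size must look like 768M or 1G, got {new_size!r}")
    updated, count = XMX_RE.subn(f"-Xmx{new_size}", text)
    if count == 0:
        raise ValueError("no -Xmx argument found; is this the right file?")
    return updated


def edit_file_in_place(path: str, new_size: str) -> None:
    """Apply set_heap to a real run.bat or Info.plist, keeping a .bak copy first.

    newline="" preserves the file's own line endings (CRLF in run.bat).
    """
    with open(path, "r", encoding="utf-8", newline="") as fh:
        original = fh.read()
    with open(path + ".bak", "w", encoding="utf-8", newline="") as fh:
        fh.write(original)
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(set_heap(original, new_size))


# Constructed stand-in for the 'start javaw.exe' line of run.bat (Windows);
# the jar name and -Xms value are assumptions.
SAMPLE_RUN_BAT = (
    "@echo off\r\n"
    'start javaw.exe -Xms64M -Xmx256M -jar "%~dp0asdm-launcher.jar"\r\n'
)

# Constructed stand-in for the Java > VMOptions entry of Info.plist (Mac OS).
SAMPLE_INFO_PLIST = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Java</key>
  <dict>
    <key>VMOptions</key>
    <string>-Xms64M -Xmx256M</string>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    print(set_heap(SAMPLE_RUN_BAT, "768M"))    # run.bat with -Xmx768M
    print(set_heap(SAMPLE_INFO_PLIST, "1G"))   # Info.plist with -Xmx1G
```

    Run edit_file_in_place on the real run.bat or on Contents/Info.plist inside the copied application bundle; the .bak copy lets you revert if the launcher fails to start with the new size.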

    ASA and ASDM Compatibility
    For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.

    VPN Compatibility
    For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.

    New Features

      New Features in ASA 9.5(1.200)/ASDM 7.5(1)
      New Features in ASA 9.5(1)/ASDM 7.5(1)

    New Features in ASA 9.5(1.200)/ASDM 7.5(1)

    Released: August 31, 2015

    The following table lists the new features for ASA Version 9.5(1.200)/ASDM Version 7.5(1).

    Note: This release supports only the ASAv.


    Table 3 New Features for ASA Version 9.5(1.200)/ASDM Version 7.5(1)

    Feature Description

    Platform Features

    Microsoft Hyper-V supervisor support

    Extends the hypervisor portfolio for the ASAv.

    ASAv5 low memory support

    The ASAv5 now only requires 1 GB RAM to operate. Formerly, it required 2 GB. For already-deployed ASAv5s, you should reduce the allocated memory to 1 GB or you will see an error that you are using more memory than is licensed.

    New Features in ASA 9.5(1)/ASDM 7.5(1)

    Released: August 12, 2015

    Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.

    The following table lists the new features for ASA Version 9.5(1)/ASDM Version 7.5(1).

    Note: This version does not support the Firepower 9300 ASA security module.

    Table 4 New Features for ASA Version 9.5(1)/ASDM Version 7.5(1)

    Feature Description

    Feature Description

    Firewall Features

    GTPv2 inspection and improvements to GTPv0/1 inspection

    GTP inspection can now handle GTPv2. In addition, GTP inspection for all versions now supports IPv6 addresses.

    We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > GTP

    IP Options inspection improvements

    IP Options inspection now supports all possible IP options. You can tune the inspection to allow, clear, or drop any standard or experimental options, including those not yet defined. You can also set a default behavior for options not explicitly defined in an IP options inspection map.

    We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > IP Options

    Carrier Grade NAT enhancements

    For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888).

    We introduced the following screen: Configuration > Firewall > Advanced > PAT Port Block Allocation. We added Enable Block Allocation to the object NAT and twice NAT dialog boxes.

    High Availability Features

    Inter-site clustering support for Spanned EtherChannel in Routed firewall mode

    You can now use inter-site clustering for Spanned EtherChannels in routed mode. To avoid MAC address flapping, configure a site ID for each cluster member so that a site-specific MAC address for each interface can be shared among a site's units.

    We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration


    ASA cluster customization of the auto-rejoin behavior when an interface or the cluster control link fails

    You can now customize the auto-rejoin behavior when an interface or the cluster control link fails.

    We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Auto Rejoin

    The ASA cluster supports GTPv1 and GTPv2

    The ASA cluster now supports GTPv1 and GTPv2 inspection.

    We did not modify any screens.

    Cluster replication delay for TCP connections

    This feature helps eliminate the unnecessary work related to short-lived flows by delaying the director/backup flow creation.

    We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster Replication

    Also available for the Firepower 9300 ASA security module in Version 9.4(1.152).

    Disable health monitoring of a hardware module in ASA clustering

    By default when using clustering, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.

    We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring

    Enable use of the Management 1/1 interface as the failover link on the ASA 5506H

    On the ASA 5506H only, you can now configure the Management 1/1 interface as the failover link. This feature lets you use all other interfaces on the device as data interfaces. Note that if you use this feature, you cannot use the ASA Firepower module, which requires the Management 1/1 interface to remain as a regular management interface.

    We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup

    Routing Features

    Support for IPv6 in Policy Based Routing

    IPv6 addresses are now supported for Policy Based Routing.

    We modified the following screens:

    Configuration > Device Setup > Routing > Route Maps > Add Route Map > Policy Based Routing
    Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause

    VXLAN support for Policy Based Routing

    You can now enable Policy Based Routing on a VNI interface.

    We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Interface > General

    Policy Based Routing support for Identity Firewall and Cisco Trustsec

    You can configure Identity Firewall and Cisco TrustSec and then use Identity Firewall and Cisco TrustSec ACLs in Policy Based Routing route maps.

    We modified the following screen: Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause

    Separate routing table for management-only interfaces

    To segregate and isolate management traffic from data traffic, the ASA now supports a separate routing table for management-only interfaces.

    We did not modify any screens.



    Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) pass-through support

    The ASA now allows PIM-SSM packets to pass through when you enable multicast routing, unless the ASA is the Last-Hop Router. This feature allows greater flexibility in choosing a multicast group while also protecting against different attacks; hosts only receive traffic from explicitly-requested sources.

    We did not modify any screens.

    Remote Access Features

    IPv6 VLAN Mapping

    ASA VPN code has been enhanced to support full IPv6 capabilities. No configuration change is necessary for the administrator.

    Clientless SSL VPN SharePoint 2013 Support

    Added support and a predefined application template for this new SharePoint version.

    We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks > Add Bookmark List > Select Bookmark Type > Predefined application templates

    Dynamic Bookmarks for Clientless VPN

    Added CSCO_WEBVPN_DYNAMIC_URL and CSCO_WEBVPN_MACROLIST to the list of macros when using bookmarks. These macros allow the administrator to configure a single bookmark that can generate multiple bookmark links on the clientless user's portal and to statically configure bookmarks to take advantage of arbitrarily sized lists provided by LDAP attribute maps.

    We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks

    VPN Banner Length Increase

    The overall banner length, which is displayed during post-login on the VPN remote client portal, has increased from 500 to 4000.

    We modified the following screen: Configuration > Remote Access VPN > .... Add/Edit Internal Group Policy > General Parameters > Banner

    Cisco Easy VPN client on the ASA 5506-X, 5506W-X, 5506H-X, and 5508-X

    This release supports Cisco Easy VPN on the ASA 5506-X series and for the ASA 5508-X. The ASA acts as a VPN hardware client when connecting to the VPN headend. Any devices (computers, printers, and so on) behind the ASA on the Easy VPN port can communicate over the VPN; they do not have to run VPN clients individually. Note that only one ASA interface can act as the Easy VPN port; to connect multiple devices to that port, you need to place a Layer 2 switch on the port, and then connect your devices to the switch.

    We introduced the following screen: Configuration > VPN > Easy VPN Remote

    Monitoring Features

    Show invalid usernames in syslog messages

    You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the username in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.

    We modified the following screen: Configuration > Device Management > Logging > Syslog Setup

    This feature is also available in 9.2(4) and 9.3(3).



    Upgrade the Software

    See the following table for the upgrade path for your version. Some versions require an interim upgrade before you can upgrade to the latest version.

    Note: There are no special requirements for Zero Downtime Upgrades for failover and ASA clustering, with the following exception: when upgrading ASA clustering from 9.0(1) or 9.1(1), hitless upgrading is not supported due to CSCue72961.

    For detailed steps about upgrading, see the 9.5 upgrade guide.

    Current ASA Version      First Upgrade to:             Then Upgrade to:
    8.2(x)                   8.4(6)                        9.5(1) or later
    8.3(x)                   8.4(6)                        9.5(1) or later
    8.4(1) through 8.4(4)    8.4(6), 9.0(4), or 9.1(2)     9.5(1) or later
    8.4(5) and later         (none)                        9.5(1) or later
    8.5(1)                   9.0(4) or 9.1(2)              9.5(1) or later
    8.6(1)                   9.0(4) or 9.1(2)              9.5(1) or later
    9.0(1)                   9.0(4) or 9.1(2)              9.5(1) or later
    9.0(2) or later          (none)                        9.5(1) or later
    9.1(1)                   9.1(2)                        9.5(1) or later
    9.1(2) or later          (none)                        9.5(1) or later
    9.2(x)                   (none)                        9.5(1) or later
    9.3(x)                   (none)                        9.5(1) or later
    9.4(x)                   (none)                        9.5(1) or later

    Open and Resolved Bugs

    The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.

    Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account.

    For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

    Open Bugs
    All open bugs severity 3 and higher for each version are included in the following searches:

    7.5(1) open bug search.

    Resolved Bugs
    All resolved bugs for each version are included in the following searches:

    7.5(1) fixed bug search.
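    The upgrade path table above is a set of version ranges, each with an optional interim release before the 9.5(1) target. The following Python module is an added example, not Cisco's tooling: it transcribes those rows as inclusive version bounds, resolves the ordered path for a concrete running version (the interim text is kept verbatim, since the notes leave the choice between alternatives such as 9.0(4) or 9.1(2) to you), and reports the Zero Downtime Upgrade caveat for clustered 9.0(1) and 9.1(1) units that the notes attribute to CSCue72961. Versions the table does not list, for example 8.5(2), are reported as not covered rather than guessed.

```python
"""Resolve the ASA upgrade path to 9.5(1) from the table in these release notes.

Added example, not Cisco's tooling. UPGRADE_RULES transcribes the
"Current ASA Version / First Upgrade to / Then Upgrade to" rows as
inclusive version bounds; interim text is kept verbatim from the table.
"""
from __future__ import annotations

import re
from typing import List, Optional, Tuple

TARGET = "9.5(1) or later"
ANY = 10**6  # sentinel for the "(x)", "or later" and "and later" upper bounds

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn a concrete version string such as '9.1(2)' into (9, 1, 2)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\((\d+)\)\s*", text)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, interim = (int(g) for g in m.groups())
    return (major, minor, interim)


# (lowest version covered, highest version covered, interim release or None);
# every row then continues to TARGET.
UPGRADE_RULES: List[Tuple[Version, Version, Optional[str]]] = [
    ((8, 2, 0), (8, 2, ANY), "8.4(6)"),                     # 8.2(x)
    ((8, 3, 0), (8, 3, ANY), "8.4(6)"),                     # 8.3(x)
    ((8, 4, 1), (8, 4, 4),   "8.4(6), 9.0(4), or 9.1(2)"),  # 8.4(1) through 8.4(4)
    ((8, 4, 5), (8, 4, ANY), None),                         # 8.4(5) and later
    ((8, 5, 1), (8, 5, 1),   "9.0(4) or 9.1(2)"),           # 8.5(1)
    ((8, 6, 1), (8, 6, 1),   "9.0(4) or 9.1(2)"),           # 8.6(1)
    ((9, 0, 1), (9, 0, 1),   "9.0(4) or 9.1(2)"),           # 9.0(1)
    ((9, 0, 2), (9, 0, ANY), None),                         # 9.0(2) or later
    ((9, 1, 1), (9, 1, 1),   "9.1(2)"),                     # 9.1(1)
    ((9, 1, 2), (9, 1, ANY), None),                         # 9.1(2) or later
    ((9, 2, 0), (9, 4, ANY), None),                         # 9.2(x), 9.3(x), 9.4(x)
]


def upgrade_path(current: str) -> List[str]:
    """Ordered list of releases to install from `current`, ending at TARGET.

    Raises LookupError when no row covers `current` (for example 8.5(2)),
    rather than inventing a path the notes do not give.
    """
    v = parse_version(current)
    for low, high, interim in UPGRADE_RULES:
        if low <= v <= high:
            return ([interim] if interim else []) + [TARGET]
    raise LookupError(f"{current.strip()} is not covered by the 9.5 upgrade table")


def hitless_upgrade_supported(current: str, clustered: bool) -> bool:
    """Zero Downtime Upgrade caveat from the notes: an ASA cluster running
    9.0(1) or 9.1(1) cannot be upgraded hitlessly (CSCue72961); failover pairs
    and clusters on other versions have no special requirement."""
    return not (clustered and parse_version(current) in {(9, 0, 1), (9, 1, 1)})


if __name__ == "__main__":
    for ver in ("8.2(5)", "8.4(3)", "9.0(1)", "9.3(2)"):
        print(ver, "->", " -> ".join(upgrade_path(ver)),
              "| hitless cluster upgrade:", hitless_upgrade_supported(ver, clustered=True))
```

    Read the running version from show version before calling upgrade_path; a LookupError means the table has no row for that release and the upgrade guide, not this script, is the authority.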


    End-User License Agreement
    For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.

    Related Documentation
    For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.

    Obtaining Documentation and Submitting a Service Request

    For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.

    Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.

    Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

    © 2015 Cisco Systems, Inc. All rights reserved.
