
Cisco ASA 5500 Series Release Notes Version 7.0(2)


July 2005

Contents

This document includes the following sections:

Introduction

System Requirements

New Features

Important Notes

Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request

Introduction

The Cisco ASA 5500 series security appliance delivers defense against network threats through deeper web inspection and flow-specific analysis, improved secure connectivity through endpoint security posture validation and voice and video over VPN support, and enhanced support for intelligent information networks through improved network integration, resiliency, and scalability. This release introduces significant enhancements to all major functional areas: firewalling and inspection services, VPN services, network integration, high availability services, and management and monitoring.

For more information on all the new features, see New Features.

Additionally, the Cisco ASA 5500 series security appliance software supports Adaptive Security Device Manager (ASDM). ASDM is a browser-based Java applet used to configure and monitor the software on the security appliances. ASDM is loaded from the security appliance, then used to configure, monitor, and manage the device.

System Requirements

The sections that follow list the system requirements for operating a Cisco ASA 5500 series security appliance. This section includes the following:

Memory Requirements

Determining the Software Version

Upgrading to a New Software Release

Memory Requirements

Table 1 lists the DRAM memory requirements for the Cisco ASA 5500 series security appliance.

Table 1 DRAM Memory Requirements

ASA Model    DRAM Memory
ASA 5510     256 MB
ASA 5520     512 MB
ASA 5540     1 GB


All Cisco ASA 5500 series security appliances require a minimum of 64 MB of internal CompactFlash.

Determining the Software Version

Use the show version command to verify the software version of your adaptive security appliance.
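As an added example (not part of the original release notes and not Cisco code), the following Python script parses saved show version output and checks it against the Table 1 DRAM minimums, the 64 MB CompactFlash minimum, and the 7.0(2) release this document describes. The sample output is constructed to resemble the ASA 7.0 CLI layout and was not captured from a device; the version-string format major.minor(maintenance)[interim] is the one used throughout these notes, for example 7.0(2) and 7.0(1)2. The function and constant names are the author's own.

```python
import re
from typing import Dict, List, Tuple

# Minimum DRAM per model from Table 1, and the CompactFlash minimum stated below it.
MIN_DRAM_MB = {"ASA5510": 256, "ASA5520": 512, "ASA5540": 1024}
MIN_FLASH_MB = 64
# The release these notes describe, as (major, minor, maintenance, interim).
TARGET_VERSION = (7, 0, 2, 0)

# Constructed sample of "show version" output. It is assumed to follow the
# ASA 7.0 CLI layout; it was not captured from a real appliance.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 7.0(2)
Device Manager Version 5.0(2)

Compiled on Tue 31-May-05 20:21 by root
System image file is "disk0:/asa702-k8.bin"

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 64MB
"""

Version = Tuple[int, int, int, int]

# Cisco version strings look like 7.0(2) or, with an interim build, 7.0(1)2.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d+)?")


def parse_version(text: str) -> Version:
    """Convert '7.0(2)' / '7.0(1)2' into a tuple that compares numerically."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Cisco version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def format_version(v: Version) -> str:
    return f"{v[0]}.{v[1]}({v[2]})" + (str(v[3]) if v[3] else "")


def parse_show_version(output: str) -> Dict[str, object]:
    """Pull the fields the requirements check needs out of show version text."""
    info: Dict[str, object] = {}
    m = re.search(r"Software Version (\S+)", output)
    if m:
        info["version"] = parse_version(m.group(1))
    m = re.search(r"Device Manager Version (\S+)", output)
    if m:
        info["asdm"] = parse_version(m.group(1))
    m = re.search(r"Hardware:\s+(ASA\d+),\s+(\d+)\s*MB RAM", output, re.IGNORECASE)
    if m:
        info["model"] = m.group(1).upper()
        info["dram_mb"] = int(m.group(2))
    m = re.search(r"Compact Flash,\s*(\d+)\s*MB", output, re.IGNORECASE)
    if m:
        info["flash_mb"] = int(m.group(1))
    return info


def check_requirements(info: Dict[str, object], target: Version = TARGET_VERSION) -> List[str]:
    """Return a list of problems; an empty list means the device meets the
    documented requirements and already runs the target release or newer."""
    findings: List[str] = []
    version = info.get("version")
    if version is None:
        findings.append("software version not found in output")
    elif version < target:
        findings.append(f"running {format_version(version)}, older than {format_version(target)}")
    model = info.get("model")
    if model not in MIN_DRAM_MB:
        findings.append(f"model {model!r} is not listed in Table 1")
    else:
        dram = info.get("dram_mb", 0)
        if dram < MIN_DRAM_MB[model]:
            findings.append(f"{model} has {dram} MB DRAM, Table 1 requires {MIN_DRAM_MB[model]} MB")
    flash = info.get("flash_mb", 0)
    if flash < MIN_FLASH_MB:
        findings.append(f"{flash} MB CompactFlash is below the {MIN_FLASH_MB} MB minimum")
    return findings


if __name__ == "__main__":
    report = check_requirements(parse_show_version(SAMPLE_SHOW_VERSION))
    print("OK" if not report else "\n".join(report))
```

Run it against saved show version output from each appliance before an upgrade: a device reporting less DRAM than Table 1 requires, or less than 64 MB of CompactFlash, does not meet the stated requirements for this release, and a version older than 7.0(2) is still exposed to the resolved caveats listed in Table 3.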

Upgrading to a New Software Release

If you have a Cisco.com (CDC) login, you can obtain software from the following website:

http://www.cisco.com/cisco/software/navigator.html

New Features

There were no new features in ASA 7.0(2)/ASDM 5.0(2).

Important Notes

Important Notes in Release 7.0

This section lists important notes related to release 7.0(1).

Hostname and Domain Name Limitation

When using ASDM, the hostname and domain name combined must not be more than 63 characters long. If the hostname and domain name combined are more than 63 characters, you will get an error message.

WebVPN ACLs and DNS Hostname

When a deny webtype URL ACL is defined by DNS name but the DNS-based URL is not reachable, a 'DNS Error' popup is displayed on the browser. The ACL hit counter is not incremented in this case, so the counter cannot be used to confirm that the deny entry is matching requests for a name that does not resolve.

If the URL ACL is defined by an IP address instead of a DNS name, the traffic flow hitting the ACL is recorded in the hit counter and a 'Connection Error' is displayed on the browser.

Proxy Server and ASA

If WebVPN is configured to use an HTTP(S) proxy server to service all requests for browsing HTTP and/or HTTPS sites, the client browser sees the following behavior:

1. If the ASA cannot communicate with the HTTP or HTTPS proxy server, a "connection error" is displayed on the client browser.

2. If the HTTP(S) proxy cannot resolve or reach the requested URL, it should send an appropriate error to the ASA, which in turn displays it to the client browser.

The ASA can only report an inaccessible URL to the client browser when the HTTP(S) proxy server notifies the ASA of it.

PFS Mismatch

The PFS (perfect forward secrecy) setting on the VPN client and the security appliance must match. Because PFS is negotiated as part of the IPsec Phase 2 (quick mode) exchange, a mismatch shows up as a Phase 2 failure after IKE Phase 1 has completed, not as a Phase 1 problem.

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

The adaptive security appliance Outbound/Conduit Conversion tool assists in converting configurations that use outbound or conduit commands to equivalent configurations that use access control lists (ACLs). ACL-based configurations are uniform and give access to the full ACL feature set, in particular the following benefit:

Access control element (ACE) insertion capability - System configuration and management are greatly simplified by the ability to add, delete, or modify individual ACEs.
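As an added example, and not the Cisco conversion tool or its code: a Python function that rewrites PIX conduit commands as ASA 7.0 extended ACL entries. It relies only on the conduit operand order (the protected global address and its port come first, the foreign address and its port second) and the extended ACL operand order (source first, destination second). The ACL name outside_access_in, the interface name outside, and the sample conduit lines are constructed for illustration; the example assumes the conduits protect hosts behind a single lower-security interface called outside and does not cover the outbound/apply list half of the conversion.

```python
from typing import List, Tuple

# Port operators accepted after an address in a conduit or ACE, with the
# number of port arguments each takes.
PORT_OPERATORS = {"eq": 1, "lt": 1, "gt": 1, "neq": 1, "range": 2}

# Constructed sample of conduit lines from a PIX 6.x configuration (not taken
# from a real device).
SAMPLE_PIX_CONDUITS = [
    "conduit permit tcp host 209.165.201.5 eq www any",
    "conduit permit udp host 209.165.201.6 eq 53 209.165.200.224 255.255.255.224",
    "conduit permit icmp any any echo-reply",
    "conduit deny tcp any eq 23 any",
]


def _take_address(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec (any | host A | A MASK) starting at tokens[i]."""
    if i >= len(tokens):
        raise ValueError("address expected")
    tok = tokens[i].lower()
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_ports(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume an optional port operator (eq 80, range 1024 65535, ...)."""
    if i < len(tokens) and tokens[i].lower() in PORT_OPERATORS:
        n = PORT_OPERATORS[tokens[i].lower()]
        return " " + " ".join(tokens[i:i + 1 + n]), i + 1 + n
    return "", i


def conduit_to_ace(line: str, acl_name: str) -> str:
    """Rewrite one conduit command as an equivalent extended ACE.

    conduit {permit|deny} proto GLOBAL [op port] FOREIGN [op port] [icmp-type]
    becomes
    access-list NAME extended {permit|deny} proto FOREIGN [op port] GLOBAL [op port] [icmp-type]

    The operand order is inverted because a conduit names the protected
    (global) address first, while an extended ACL names the source first.
    """
    tokens = line.split()
    if len(tokens) < 5 or tokens[0].lower() != "conduit":
        raise ValueError(f"not a conduit command: {line!r}")
    action, proto = tokens[1].lower(), tokens[2].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    has_ports = proto in ("tcp", "udp")
    i = 3
    global_addr, i = _take_address(tokens, i)
    global_ports, i = _take_ports(tokens, i) if has_ports else ("", i)
    foreign_addr, i = _take_address(tokens, i)
    foreign_ports, i = _take_ports(tokens, i) if has_ports else ("", i)
    icmp_type = ""
    if proto == "icmp" and i < len(tokens):
        icmp_type, i = " " + tokens[i], i + 1
    if i != len(tokens):
        raise ValueError(f"unexpected trailing tokens in {line!r}")
    return (f"access-list {acl_name} extended {action} {proto} "
            f"{foreign_addr}{foreign_ports} {global_addr}{global_ports}{icmp_type}")


def convert_conduits(config_lines: List[str], acl_name: str = "outside_access_in",
                     interface: str = "outside") -> List[str]:
    """Convert every conduit line, keeping their order (an ACL is evaluated
    first match), and bind the resulting ACL inbound on the lower-security interface."""
    aces = [conduit_to_ace(line, acl_name)
            for line in config_lines if line.strip().lower().startswith("conduit ")]
    if not aces:
        return []
    return aces + [f"access-group {acl_name} in interface {interface}"]


if __name__ == "__main__":
    print("\n".join(convert_conduits(SAMPLE_PIX_CONDUITS)))
```

The converted list relies on the implicit deny at the end of the ACL, so only the traffic the conduits explicitly permitted reaches the protected hosts. Once the entries exist as ACEs, the insertion capability the page describes is available: in 7.0, access-list outside_access_in line N extended ... places a new entry at position N without rewriting the list.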

User Upgrade Guide

For a list of deprecated features, and user upgrade information, go to the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa70/vpn3000_upgrade/upgrade/guide/migr_vpn.html

Features not Supported in Version 7.0

The following features are not supported in Version 7.0(1):

PPPoE

L2TP over IPSec

PPTP

MIB Supported

For information on MIB Support, go to:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Downgrade to Previous Version

To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

Caveats

The following sections describe the open and resolved caveats for the 7.0(2) release.

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.


Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://tools.cisco.com/Support/BugToolKit/

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


Open Caveats - Release 7.0(2)

Table 2 Open Caveats

ID Number     Corrected in 7.0(2)   Caveat Title
CSCeh60845    No                    Logging queue incorrectly registers 8192 256-byte blocks
CSCeh81062    No                    wrong ip addr on outgoing packets when PAT and static port are used
CSCeh90617    No                    Recompiling ACLs can cause packet drops on low-end platforms
CSCeh98117    No                    Tunnel-group passwords in cleartext when viewed with more
CSCei00497    No                    PIX/ASA 7.0 doesn't encrypt packets if next hop is PIX interface.
CSCei20466    No                    Increase in CPU utilization when OSPF is enabled
CSCei20809    No                    sh access-l counters not updated when acl used in nat/nat-exempt
CSCei21362    No                    PIX traceback after issuing show isakmp sa detail command.
CSCei23290    No                    DHCP Relay fails when static specified
CSCei24062    No                    Some hosts in the network connected to inside intf cannot be reached
CSCei38640    No                    AAA: radius /w expiry does not work when using funk radius server
CSCei38651    No                    NT auth for VPN clients do not work with domain\user or user@domain
CSCei38667    No                    Can't differentiate between root CA certs that have been re-keyed
CSCei41326    No                    AAA: fallback to LOCAL authentication does not work for SSH
CSCei50190    No                    PIX/ASA not accepting 2 ISAKMP policies with different AES types
CSCei51867    No                    Usability - crypto config should be grouped together in CLI output
CSCei52413    No                    PIX/ASA fails to import cert if CA issuer has 4096 bits cert
CSCsb31740    No                    VPN IP local pool - detection of invalid IP OK - but fails to assign IP
CSCsb33629    No                    address-pool subcommand doesn't error when list is full
CSCsb36188    No                    PIX/ASA 7.0.1 - sending multiple authentication requests to ACS Server
CSCsb37531    No                    Traceback after failover if TCP Intercept is triggered.
CSCsb40331    No                    PIX 7.0(1)2 Assertion Violation w/Multiple Context & VOIP Configuration

Several of these open caveats affect security or administrative access directly and are worth checking against your deployment before upgrading: CSCeh98117 (tunnel-group passwords displayed in cleartext by more), CSCei41326 (fallback to LOCAL authentication does not work for SSH), and CSCei00497 (packets not encrypted when the next hop is a PIX interface).


Resolved Caveats - Release 7.0(2)

Table 3 Resolved Caveats

ID Number     Corrected in 7.0(2)   Caveat Title
CSCeg85121    Yes                   Not able to specify url-server timeout to 5 seconds
CSCeh27584    Yes                   rem-access-mon.mib fails GetNext&Bulk ops
CSCeh39197    Yes                   Inspect proxy should not queue dropped packet
CSCeh50620    Yes                   Traceback on standby when failing over dynamic L2L tunnel
CSCeh57035    Yes                   Named networks not working in ospf network statements
CSCeh57562    Yes                   Memory leak in ssh code
CSCeh59635    Yes                   GTP: When the PDP CTX reaches 30000 contexts the system tracebacks
CSCeh60361    Yes                   isakmp key no-config-mode - will not be converted on upgrade to 7.0
CSCeh60367    Yes                   Default tunnel-groups do not appear in the output of show run all
CSCeh60673    Yes                   PIX crashes on pinhole preparation and connection limit exceeded
CSCeh60887    Yes                   PIX crashes due to memory corruption 7.0.1
CSCeh64177    Yes                   Not able to configure infinite isakmp lifetime in pix/asa 7.0
CSCeh69389    Yes                   Split-tunnel ACLs not converted to Standard ACLs on upgrade to 7.0
CSCeh71023    Yes                   Broadcasts leak from High Level Sec. Intf to Low Level Sec. Intf.
CSCeh71492    Yes                   xauth enabled by default on Remote Access VPN tunnels on upgrade
CSCeh72706    Yes                   traceback: IKE_daemon: Unexpected cleanup of tunnel table entry
CSCeh75725    Yes                   7.0 does not support Extended ACLs (object groups) for split tunnel
CSCeh79645    Yes                   ASDM handler stream for blocks data is missing for 2048 size
CSCeh81233    Yes                   DHCP client: ip address dhcp setroute missing: no default route
CSCeh81774    Yes                   un-NATed ACK packets sent on outside interface
CSCeh89562    Yes                   PIX crashes when shuns are cleared while sh shun is running
CSCeh90902    Yes                   Support for multiple crypto maps to the same peer missing
CSCeh94725    Yes                   Embedded RTP IP not NATed in H.245 OLC Ack
CSCeh96708    Yes                   Syslog reports erroneous transfer size in TCP Teardown 302014 syslog
CSCeh96865    Yes                   H323: Media stream disconnect in the middle of H323 call
CSCeh97110    Yes                   PIX should not respond to reset packet outside window
CSCeh97407    Yes                   RA Tunnels fail to connect after re-xauth during re-key
CSCei00227    Yes                   isakmp key hostname converted to invalid tunnel-group
CSCei02443    Yes                   PKI: F1 crash during CRL retrieval at Crypto CA, eip _free_pslct_108
CSCei03165    Yes                   PIX reboots continuously with overlapping/redundant statics
CSCei04829    Yes                   PIX 7.0 crash in IPsec message handler
CSCei08652    Yes                   np70.bin reboots PIX without asking to erase the password
CSCei09266    Yes                   Traceback when shuns are cleared
CSCei09829    Yes                   AppsFW: HTTP-Strict when no reason string in response
CSCei12178    Yes                   PIX crashes with memory corruption
CSCei12460    Yes                   PIX-ASA crashes with TCP packet where dst IP is a multicast addr
CSCei12915    Yes                   PIX-ASA sends Syslogs with source port other than 514
CSCei15053    Yes                   IKE test suite causes multiple reboots in 7.0(1)
CSCei15215    Yes                   Firewall drops IP Options packets needed for igmp and rsvp traffic
CSCei16294    Yes                   ISAKMP: Port selectors are in host-order on the wire
CSCei16403    Yes                   TCP keepalives on H.225 (1720) blocked with inspect h323 h225
CSCei16904    Yes                   Syslog adds extra space
CSCei18370    Yes                   sqlnet version 1 inspection crashes the box
CSCei19528    Yes                   FTP Failed if client supports EPRT but server does not
CSCei20197    Yes                   Can't get acl for pim rp-address cmd
CSCei21386    Yes                   SIP: CSeq No parsed incorrectly if CSeq no length is 10
CSCei21387    Yes                   SIP: SIP URI Parse error happens when receiving SIP Response
CSCei24376    Yes                   Interface mtu minimum value changed from 64 to 300 bytes
CSCei25213    Yes                   PIX crashes with thread name SSH
CSCei27053    Yes                   One byte TCP keepalives not processed correctly by normalizer
CSCei27070    Yes                   Pass-through pptp with PAT stops working after a while
CSCei28815    Yes                   FIN-ACK Dropped Despite Fact that Sequence Number within TCP Window
CSCei29901    Yes                   Inconsistent behavior on scanning
CSCei30474    Yes                   Issuing clear con command would hit page fault traceback
CSCei33574    Yes                   GTP: box reloads on 2ndary PDP create when 1st fails
CSCei34524    Yes                   Deny rule in nat exempt fails xlate replication to standby
CSCei50549    Yes                   License mismatch when a pix has 4-tuple key and another has 5-tuple


Related Documentation

For additional information on the adaptive security appliance, refer to the following documentation found on Cisco.com:

Cisco ASA 5500 Series Hardware Installation Guide

Cisco ASA 5500 Series Quick Start Guide

Cisco Security Appliance Command Line Configuration Guide

Cisco Security Appliance Command Reference

Migrating to ASA for VPN 3000 Series Concentrator Administrators

Software Configuration Tips on the Cisco TAC Home Page

The Cisco Technical Assistance Center has many helpful pages. If you have a CDC account you can visit the following websites for assistance:

TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.