Table Of Contents
Cisco ASA 5500 Series Release Notes Version 7.0(6)
Contents
Introduction
System Requirements
Memory Requirements
Determining the Software Version
Upgrading to a New Software Release
New Features
Important Notes
Important Notes in Release 7.0
Common Criteria EAL4+
FIPS 140-2
Hostname and Domain Name Limitation
WebVPN ACLS and DNS Hostname
Proxy Server and ASA
Mismatch PFS
ACS Radius Authorization Server
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
User Upgrade Guide
Features not Supported in Version 7.0
MIB Supported
Downgrade to Previous Version
Caveats
Open Caveats - Release 7.0(6)
Resolved Caveats - Release 7.0(6)
Related Documentation
Software Configuration Tips on the Cisco TAC Home Page
Obtaining Documentation and Submitting a Service Request
Cisco ASA 5500 Series Release Notes Version 7.0(6)
August 2006
Contents
This document includes the following sections:
•
Introduction
•System Requirements
•New Features
•Important Notes
•Caveats
•Related Documentation
•Obtaining Documentation and Submitting a Service Request
Introduction
The Cisco ASA 5500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability. This release introduces significant enhancements to all major functional areas, including: firewalling and inspection services, VPN services, network integration, high-availability services, and management/monitoring.
For more information on all the new features, see New Features.
Additionally, the Cisco ASA 5500 series security appliance software supports Adaptive Security Device Manager. ASDM is a browser-based, Java applet used to configure and monitor the software on the security appliances. ASDM is loaded from the security appliance, then used to configure, monitor, and manage the device.
System Requirements
The sections that follow list the system requirements for operating a Cisco ASA 5500 series security appliance. This section includes the following topics:
•Memory Requirements
•Determining the Software Version
•Upgrading to a New Software Release
Memory Requirements
Table 1 lists the DRAM memory requirements for the Cisco ASA 5500 series security appliance.
Table 1 DRAM Memory Requirements
ASA Model
|
DRAM Memory
|
ASA 5510
|
256 MB
|
ASA 5520
|
512 MB
|
ASA 5540
|
1 GB
|
All Cisco ASA 5500 series security appliances require a minimum of 64 MB of internal CompactFlash.
Determining the Software Version
Use the show version command to verify the software version of your Cisco ASA 5500 series security appliance.
Upgrading to a New Software Release
If you have a Cisco.com (CDC) login, you can obtain software from the following website:
http://www.cisco.com/cisco/software/navigator.html
New Features
There are no new features in this release.
Important Notes
Important Notes in Release 7.0
This section lists important notes related to release 7.0(6).
Common Criteria EAL4+
For information on common criteria EAL4+, see the Installation and Configuration for Common Criteria EAL4 Evaluated Cisco Adaptive Security Appliance, Version 7.0(6) document.
FIPS 140-2
The Cisco ASA 5500 series security appliance is on the FIPS 140-2 Pre-Validation List.
Hostname and Domain Name Limitation
When using ASDM, the hostname and domain names combined should not be more than 63 characters long. If the hostname and domain names combined is more than 63 characters, you will get an error message.
WebVPN ACLS and DNS Hostname
When a deny webtype URL ACL (DNS-based) is defined, but the DNS-based URL is not reachable, a "DNS Error" popup is displayed on the browser. The ACL hitcounter is also not incremented.
If the URL ACL is defined by an IP instead of DNS name, then the traffic flow hitting the ACL will be recorded in the hitcounter and a "Connection Error" is displayed on the browser.
Proxy Server and ASA
If WebVPN is configured to use an HTTP(S)-proxy server to service all requests for browsing HTTP and/or HTTPS sites, the client/browser may expect the following behavior:
1. If the ASA cannot communicate with the HTTPS or HTTPS proxy server, a "connection error" is displayed on the client browser.
2. If the HTTP(S) proxy cannot resolve or reach the requested URL, it should send an appropriate error to the ASA, which in turn will display it to the client browser.
Only when the HTTP(S) proxy server notifies the ASA of the inaccessible URL, can the ASA notify the error to the client browser.
Mismatch PFS
The PFS setting on the VPN client and the security appliance must match.
ACS Radius Authorization Server
When certificate authentication is used in conjuction with Radius authorization, the ACS server sends a bogus Group=CISCOACS:0003b9c6/5a940131/username and is displayed in the vpn-session database.
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
The Cisco ASA 5500 series security appliance Outbound/Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and leverage the powerful ACL feature set. ACL based configurations provide the following benefit:
•ACE Insertion capability - System configuration and management is greatly simplified by the ACE insertion capability that allows users to add, delete or modify individual ACEs.
User Upgrade Guide
•For a list of deprecated features, and user upgrade information, go to the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa70/vpn3000_upgrade/upgrade/guide/migr_vpn.html
Features not Supported in Version 7.0
The following features are not supported in Version 7.0(6):
•PPPoE
•L2TP over IPSec
•PPTP
MIB Supported
For information on MIB Support, go to:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Downgrade to Previous Version
To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
Caveats
The following sections describe the caveats for the 7.0(6) release.
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://tools.cisco.com/Support/BugToolKit/l
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 7.0(6)
Table 2 Open Caveats
ID Number
|
Software Release 7.0(6)
|
Corrected
|
Caveat Title
|
CSCeh98117
|
No
|
Tunnel-group passwords in cleartext when viewed with more
|
CSCsc36891
|
No
|
Higher CPU utilization for url filtering in recent releases.
|
CSCsc98412
|
No
|
PIX console accounting doesn't appear in ACS Logged-In User report
|
CSCsd69625
|
No
|
EZVPN:IOS C876 Client can't connect to ASA using digi certs and noXauth
|
CSCsd99279
|
No
|
IKE: interop with Macintosh vpn client problem with transparent tunnel
|
CSCse06951
|
No
|
SNMP process stops working on PIX when the utilization is high
|
CSCse40999
|
No
|
SSH conns limited to 4 instead of 5
|
CSCse48144
|
No
|
cut-through proxy authentication misbehavior
|
CSCse67035
|
No
|
VPN filter deny outbound traffic if return is not permitted.
|
CSCse73922
|
No
|
Cmds excuted in SSH / Telnet sessions continue after session disconnects
|
CSCse74721
|
No
|
complete IPSEC SA deleted upon receiving delete for old SPI's
|
CSCse86968
|
No
|
Standby unit sends accounting records for replicated DACL commands
|
CSCse88062
|
No
|
Standby pix crashes following replication
|
CSCse98719
|
No
|
Connection fails with the CA cert of 4096 bits fails with Error #72eh
|
CSCsf05931
|
No
|
AAA: group-lock does not handle tunnel-group names with spaces
|
CSCsf06947
|
No
|
Large FTP transfer over L2L tunnel between PIX and Netscreen breaking
|
Resolved Caveats - Release 7.0(6)
Table 3 Resolved Caveats
ID Number
|
Software Release 7.0(6)
|
Corrected
|
Caveat Title
|
CSCee00612
|
Yes
|
F1 floods network if Syslog is not available
|
CSCei47678
|
Yes
|
SNMP packet size standards in RFC3417 not fully supported.
|
CSCek40279
|
Yes
|
Increase in CPU utilization when OSPF is enabled
|
CSCsd03664
|
Yes
|
Reload w/ Thread Name:Session Manager w/ high volume of L2L VPN traffic
|
CSCsd47976
|
Yes
|
Traceback on nameif command on unused intf with 8000 static commands
|
CSCsd59936
|
Yes
|
Registering to the RP for PIM fails if fragmented in more then 12 packs
|
CSCsd82355
|
Yes
|
Malformed syslog packets may be generated.
|
CSCsd85345
|
Yes
|
Traceback may occur in fover_parse on 7.0.4
|
CSCsd89983
|
Yes
|
Access-list entered at line 1 is ineffective until access-group is rede
|
CSCsd90505
|
Yes
|
traceback with assertion in file "vf_api.c", line 264
|
CSCsd92296
|
Yes
|
DHCP relay failed after failover
|
CSCsd93207
|
Yes
|
Show failover indicates different uptimes on devices in failover pair
|
CSCsd93380
|
Yes
|
Packets for VPN-l2l peer get dropped instead of encrypted
|
CSCsd94835
|
Yes
|
Proxy may queue too many packets when url filtering client is down
|
CSCsd94875
|
Yes
|
Traceback in VPN/IPSec CLI code when clear crypto ipsec sa counter
|
CSCsd95170
|
Yes
|
PIX 7.0(4)10 : reporting incorrect context CPU usage
|
CSCsd97077
|
Yes
|
ASA/PIX - crash from SiVus SIP tester inside to outside w/ inspect/fixup
|
CSCsd97134
|
Yes
|
PIX/ASA ignores OSPF DBDs during adajency building
|
CSCsd98071
|
Yes
|
conns fail after two successful authentications to virtual telnet IP
|
CSCsd98435
|
Yes
|
DHCPD pool does not allow to set ip add on interface once it is removed
|
CSCsd99200
|
Yes
|
Traceback in 7.1.2 caused by strict http inspection
|
CSCsd99709
|
Yes
|
PIX gets high cpu when type q to interrupt output of show conf
|
CSCse00173
|
Yes
|
PIX 515 fails to synch via serial based failover with VPN config
|
CSCse00303
|
Yes
|
Traceback during active/active config replication with 4 syslog servers
|
CSCse00756
|
Yes
|
URL filtering using Websense locks up downloads.
|
CSCse00996
|
Yes
|
tcp normalizer drop to-the-box traffic not conforming to RFC793 (MSS)
|
CSCse01293
|
Yes
|
Traceback in the arp_forward_thread
|
CSCse02354
|
Yes
|
PIX crash by dispatch unit
|
CSCse02703
|
Yes
|
Passwords in startup config may be changed without user intervention
|
CSCse02722
|
Yes
|
SSL Handshake failure with self signed cert
|
CSCse03299
|
Yes
|
VPN clients behind same PAT device using IPSEC/TCP & NAT-T fails IKE neg
|
CSCse04610
|
Yes
|
EzVPN: assert Thread Name: IKE Daemon (Old pc 0x00501f6d ebp 0x03401418)
|
CSCse06536
|
Yes
|
ASA 7.1 : ASR not forwarding fragmented IP packets between contexts
|
CSCse07242
|
Yes
|
Crash in pix_flash_config_thread
|
CSCse08300
|
Yes
|
Show block shows inuse and current values greater than max
|
CSCse08731
|
Yes
|
FIPS reload on failed ACL Checksum after clear config all
|
CSCse09591
|
Yes
|
ASA5540 crashes in IPsec message handler
|
CSCse10714
|
Yes
|
Shun behavior change in 7.x
|
CSCse11010
|
Yes
|
VPN:tback IKE Daemon (Old pc 0x001a9ee5 ebp 0x023d8dd8) 515 w/VAC +
|
CSCse11384
|
Yes
|
ASA crash in dhcp_daemon
|
CSCse14214
|
Yes
|
Malformed ICMPv6 NA packet causes PIX to crash and reload
|
CSCse14296
|
Yes
|
Trustpoint not found if ASA not enrolled with the trustpoint
|
CSCse14402
|
Yes
|
EzVPN:5505 Phase 2 SAs fail to establish causing tunnel to drop
|
CSCse15977
|
Yes
|
ASA/PIX reboot if 2 admin sessions are working on the same capture
|
CSCse19020
|
Yes
|
PPTP Pass-through not working due to inspection
|
CSCse20501
|
Yes
|
Passive FTP to Multinet server fails
|
CSCse22150
|
Yes
|
Traceback during config synch and console at More
|
CSCse22853
|
Yes
|
Active unit crash in accept/http when disabling DHCP relay
|
CSCse23164
|
Yes
|
PIX crash
|
CSCse23554
|
Yes
|
Memory leak within event_smtpmgr:es_SmtpSndMSG function
|
CSCse23751
|
Yes
|
Nested crash dump doesn't stop
|
CSCse27184
|
Yes
|
basic attribute is not checked in all mode config attributes...
|
CSCse29840
|
Yes
|
AdmissionConfirm received without an AdmissionRequest, ACF dropped
|
CSCse30049
|
Yes
|
SSH conns to the box not removed after a Failover
|
CSCse30061
|
Yes
|
PIX/ASA VPN decompress error when decrypting packet with IP compression
|
CSCse32309
|
Yes
|
PIX/ASA: Timeout of secondary flow causes crash in thread Checkheaps
|
CSCse33143
|
Yes
|
Dynamic ACL created under with command access-list <name> d ...
|
CSCse34179
|
Yes
|
MFW-R: traceback in 'clear cfg all' during a performance test.
|
CSCse35566
|
Yes
|
ASA 7.0.5 Traceback in Dispatch unit on clear xlate
|
CSCse37787
|
Yes
|
ASA: Standby crashed after becoming Active with VPN connections
|
CSCse38039
|
Yes
|
ASA drops small ICMP length packets with IPsec/UDP
|
CSCse40332
|
Yes
|
ASA multiple mode rollback of config failed for admin and other VC
|
CSCse40583
|
Yes
|
PIX 7 should not reply to the IP network address
|
CSCse40671
|
Yes
|
RTSP w/PAT, PIX set client_ports to NULL
|
CSCse45308
|
Yes
|
Static nailed rule does not match conn destined for that address
|
CSCse45450
|
Yes
|
PIX/ASA Crash in aaa thread
|
CSCse45694
|
Yes
|
Standby: Traceback in Thread Name: IKE Daemon with dACL
|
CSCse46292
|
Yes
|
Traceback in obj-f1/bld_pkt:_AddOctetString+17 in snmp thread
|
CSCse48193
|
Yes
|
ASA vulnerable to cross-site scripting when using WebVPN
|
CSCse50716
|
Yes
|
PIX 7.0.5.1 URL Filtering Traceback Thread Name: Dispatch Unit
|
CSCse50804
|
Yes
|
OSPF stuck in EXCHANGE in certain assymetric routing scenarios
|
CSCse53294
|
Yes
|
ASA Crash- when an SSH connection is made and "conf t" is issued
|
CSCse53344
|
Yes
|
IKE: vpn-tunnel-protocol attribute is not checked if the value is 0
|
CSCse54749
|
Yes
|
210007 LU allocate xlate failed syslog generated by overlapping nat cfg
|
CSCse58985
|
Yes
|
sh uauth shows 32 in-progress and prevents SSH to ASA using LOCAL db
|
CSCse61315
|
Yes
|
SSMIO-4GE SFP interfaces G1/1 - G1/3 don't operate
|
CSCse62914
|
Yes
|
Standby device Traceback in Thread Name: tcp_thread
|
CSCse66235
|
Yes
|
Memory exhausts with logging flash-bufferwrap and high syslog level
|
CSCse70993
|
Yes
|
Traceback observed in Thread Name: ci/console
|
CSCse75523
|
Yes
|
Received ARP request collision when issuing write standby
|
CSCse76115
|
Yes
|
Cascade delimiter not inserted with correct priority for dynamic crypto.
|
CSCse77122
|
Yes
|
FTP-data connection not replicated back to primary after failover
|
CSCse77680
|
Yes
|
P2 in progress test broken - could cause unexpected rekey.
|
CSCse77855
|
Yes
|
buffer leak upon IPSEC spoofing.
|
CSCse78065
|
Yes
|
# sign in config not replicated to Standby unit
|
CSCse78299
|
Yes
|
Primary/Secondary units become Active state when failover link failed
|
CSCse80001
|
Yes
|
Traceback in IKE daemon while trying to post event (syslog)
|
CSCse81384
|
Yes
|
traffic delay when dynamic arp entry times out
|
CSCse81633
|
Yes
|
ASA 4GE-SSM Gig ports silently drop IGMP joins
|
CSCse83905
|
Yes
|
dhcprelay stops working if FW interface ip address is modified
|
CSCse88873
|
Yes
|
IPV6: TCP SYN-ACK with layer 2 padding dropped
|
CSCse94241
|
Yes
|
Reload with Thread Name:vpnlb_thread when taking over as failover active
|
CSCse96289
|
Yes
|
Traceback with Thread Name: Dispatch Unit
|
CSCsf00368
|
Yes
|
Crashinfo file may incorrectly show 0% free memory
|
Related Documentation
For additional information on the Cisco ASA 5500 series security appliance, refer to the following URL on Cisco.com:
http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html
Software Configuration Tips on the Cisco TAC Home Page
The Cisco Technical Assistance Center has many helpful pages. If you have a CDC account you can visit the following websites for assistance:
TAC Troubleshooting, Sample Configurations, Hardware Info, Software Installations and more:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006 Cisco Systems, Inc. All rights reserved.
Printed in the USA on recycled paper containing 10% postconsumer waste.
Feedback
