Cisco Adaptive Security Device Manager

Cisco ASDM Release Notes Version 5.2(3)

Table Of Contents

Cisco ASDM Release Notes Version 5.2(3)

Introduction

New Features

Client PC Operating System and Browser Requirements

Memory Errors in Firefox

Supported Platforms and Feature Licenses

ASDM and SSM Compatibility

Upgrading ASDM

Getting Started with ASDM

Before You Begin

Downloading the ASDM Launcher

Starting ASDM from the ASDM Launcher

Using ASDM in Demo Mode

Starting ASDM from a Web Browser

Using the Startup Wizard

Using the VPN Wizard

Configuring Stateful Failover

Reenabling Stateful Failover and Securing the Failover Key

Troubleshooting Java Problems

Printing from ASDM

ASDM Limitations

Unsupported Commands

One-Time Password Not Supported

Effects of Unsupported Commands

Ignored and View-Only Commands

Other CLI Limitations

Interactive User Commands Not Supported in ASDM CLI Tool

Caveats

Open Caveats - Version 5.2(3)

Resolved Caveats - Version 5.2(3)

Related Documentation

Obtaining Documentation and Submitting a Service Request


Cisco ASDM Release Notes Version 5.2(3)


August 2007

This document contains release information for Cisco ASDM Version 5.2(3) on Cisco PIX 500 series security appliance and Cisco ASA 5500 series adaptive security appliance Version 7.2(3). It includes the following sections:

Introduction

New Features

Client PC Operating System and Browser Requirements

Supported Platforms and Feature Licenses

ASDM and SSM Compatibility

Upgrading ASDM

Getting Started with ASDM

ASDM Limitations

Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request

Introduction

Cisco ASDM delivers security management and monitoring services for Cisco ASA 5500 series adaptive security appliances and Cisco PIX 500 series security appliances through an intuitive, web-based management interface. Bundled with supported security appliances, the device manager accelerates security appliance deployment with wizards, administration tools, and monitoring services that complement the security and networking features offered by Cisco PIX 500 series security appliance and Cisco ASA 5500 series adaptive security appliance software Version 7.2(3). Its secure, web-based design enables access to security appliances from any supported client on the network.

New Features

Released: August 15, 2007

Table 1 lists the new features for ASA and PIX Version 7.2(3)/ASDM Version 5.2(3).

Table 1 New Features for ASA and PIX Version 7.2(3)/ASDM Version 5.2(3) 

Feature
Description
Remote Access Features

WebVPN Load Balancing

The security appliance now supports FQDNs for WebVPN load balancing. To use FQDNs, enable FQDN redirection with the redirect-fqdn enable command, then add a DNS entry for the outside interface of each security appliance in the cluster to your DNS server if one is not already present. Each outside IP address needs an A record and a matching PTR record, because the redirect is built from a reverse lookup of the selected unit's outside address. Enable DNS lookups on the security appliance with the dns domain-lookup inside command (or whichever interface has a route to your DNS server), and define the IP address of your DNS server on the security appliance. The new CLI for this enhancement is redirect-fqdn {enable | disable}.

In ASDM, see Configuration > VPN > Load Balancing.

Also available in Version 8.0(3).
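The following configuration is an added example, not taken from the release notes, showing the pieces described above on one unit of a load-balancing cluster. The interface names inside and outside, the DNS server 10.1.1.53, the cluster virtual address 203.0.113.10, this unit's outside address 203.0.113.11, the zone example.com and the cluster key are all assumptions. The cluster key and cluster encryption lines are not part of this feature, but they keep the load-balancing traffic between units from being sent in the clear (cluster encryption requires ISAKMP to be enabled on the private interface). Lines beginning with ! are comments for the reader.

```text
! DNS resolution the FQDN redirect depends on
hostname(config)# dns domain-lookup inside
hostname(config)# dns server-group DefaultDNS
hostname(config-dns-server-group)# name-server 10.1.1.53
hostname(config-dns-server-group)# exit
! Load-balancing cluster membership for this unit
hostname(config)# vpn load-balancing
hostname(config-load-balancing)# interface lbpublic outside
hostname(config-load-balancing)# interface lbprivate inside
hostname(config-load-balancing)# cluster ip address 203.0.113.10
hostname(config-load-balancing)# cluster key LBclusterS3cret
hostname(config-load-balancing)# cluster encryption
hostname(config-load-balancing)# redirect-fqdn enable
hostname(config-load-balancing)# participate
hostname(config-load-balancing)# exit
! Records that must exist on the DNS server for this unit (BIND zone syntax,
! constructed for the example); repeat for every unit in the cluster
!   vpn1.example.com.            IN A    203.0.113.11
!   11.113.0.203.in-addr.arpa.   IN PTR  vpn1.example.com.
! Check cluster state and the redirect setting
hostname# show vpn load-balancing
hostname# show running-config vpn load-balancing
```

If the PTR record is missing, the master cannot turn the selected unit's address into a name and the client is sent an IP-based redirect, which defeats the purpose of enabling FQDNs (certificate names no longer match the address the client is sent to).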

Clientless SSL VPN Caching Static Content Enhancement

There are two changes to the clientless SSL VPN caching commands:

The cache-compressed command is deprecated.

The new cache-static-content command configures the adaptive security appliance to cache all static content, which means all cacheable Web objects that are not subject to SSL VPN rewriting. This includes content such as images and PDF files.

The syntax of the command is cache-static-content {enable | disable}. By default, static content caching is disabled.

Example:

hostname(config)# webvpn
hostname(config-webvpn)# cache
hostname(config-webvpn-cache)# cache-static-content enable
hostname(config-webvpn-cache)#

In ASDM, see Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Content Cache.

Also available in Version 8.0(3).

Smart Card Removal Disconnect

This feature lets the central-site administrator set a remote client policy that tears down active tunnels when a smart card is removed. The Cisco VPN remote access clients (both IPSec and SSL) tear down existing VPN tunnels by default when the user removes the smart card used for authentication. The CLI command that controls this behavior is smartcard-removal-disconnect {enable | disable}; it is enabled by default.

In ASDM, see Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add/Edit Internal/External Group Policies > More Options.

Also available in Version 8.0(3).

Platform Features

ASA 5510 Security Plus License Allows Gigabit Ethernet for Port 0 and 1

The ASA 5510 adaptive security appliance now has the security plus license to enable GE (Gigabit Ethernet) for port 0 and 1. If you upgrade the license from base to security plus, the capacity of the external port Ethernet0/0 and Ethernet0/1 increases from the original FE (Fast Ethernet) (100 Mbps) to GE (1000 Mbps). The interface names will remain Ethernet 0/0 and Ethernet 0/1. Use the speed command to change the speed on the interface and use the show interface command to see what speed is currently configured for each interface.

Also available in Version 8.0(3).

ASA 5505 Increased VLAN range

The ASA 5505 adaptive security appliance now supports VLAN IDs between 1 and 4090. Originally, only VLAN IDs between 1 and 1001 were supported.

Also available in Version 8.0(3).

Troubleshooting Features

capture Command Enhancement

The enhancement to the capture command lets you capture traffic and display it in real time. It also lets you specify command-line options to filter traffic without configuring a separate access list. This enhancement adds the real-time and five-tuple match options.

capture cap_name [real-time] [dump] [detail] [trace] [match prot {host ip | ip mask | any} [{eq | lt | gt} port] {host ip | ip mask | any} [{eq | lt | gt} port]]

Also available in Version 8.0(3).
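As an added example that is not part of the release notes, the following captures HTTP traffic to a web server on the inside interface using the five-tuple match option instead of an access list, first for a live look and then buffered for export. The server address 10.1.2.80, the interface name inside and the TFTP server 10.1.1.10 are assumptions. The interface keyword is required in practice to attach the capture to an interface even though the syntax excerpt above omits it.

```text
! Live view of matching packets; press Ctrl-C to stop the display
hostname# capture web_live interface inside real-time match tcp any host 10.1.2.80 eq 80
! Buffered capture with the same filter, kept for export and later analysis
hostname# capture web_srv interface inside match tcp any host 10.1.2.80 eq 80
hostname# show capture web_srv
hostname# copy /pcap capture:web_srv tftp://10.1.1.10/web_srv.pcap
! Remove both captures when done; a capture left in place keeps consuming
! memory and CPU on every matching packet
hostname# no capture web_srv
hostname# no capture web_live
```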

Application Inspection Features

Support for ESMTP over TLS

This enhancement adds the allow-tls [action log] parameter to the esmtp inspection policy map. It is disabled by default. When enabled, ESMTP inspection no longer masks the 250-STARTTLS capability in the server's EHLO reply or the STARTTLS command from the client. After the server answers STARTTLS with a 220 reply code, ESMTP inspection turns itself off for that session; because the rest of the session is encrypted, none of the ESMTP inspection controls apply to it. If allow-tls action log is configured, syslog message %ASA-6-108007 is generated when TLS is started on an ESMTP session, so enable the log action if you need a record of which sessions left inspection.

policy-map type inspect esmtp esmtp_map
 parameters
  allow-tls [action log]

A new line for displaying counters associated with the allow-tls parameter is added to the show service-policy inspect esmtp command. It is only present if allow-tls is configured in the policy map. By default, this parameter is not enabled.

show service-policy inspect esmtp
allow-tls, count 0, log 0

This enhancement adds a new system log message for the allow-tls parameter. It indicates that on an ESMTP session the server has responded with a 220 reply code to the client STARTTLS command, and that the ESMTP inspection engine will no longer inspect the traffic on this connection.

System log Number and Format:

%ASA-6-108007: TLS started on ESMTP session between client <client-side interface-name>:<client IP address>/<client port> and server <server-side interface-name>:<server IP address>/<server port>

In ASDM, see Configuration > Firewall > Objects > Inspect Map > ESMTP.

Also available in Version 8.0(3).
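The following is an added example, not taken from the release notes, showing how the parameter is applied through the Modular Policy Framework and what to check afterwards. The names esmtp_map, global_policy and inspection_default are the ones used above and in the default configuration; the addresses and ports in the sample syslog line are constructed for this example. Lines beginning with ! are comments for the reader.

```text
hostname(config)# policy-map type inspect esmtp esmtp_map
hostname(config-pmap)# parameters
hostname(config-pmap-p)# allow-tls action log
hostname(config-pmap-p)# exit
hostname(config-pmap)# exit
! Attach the inspect map to the default inspection class; the plain
! inspect esmtp entry from the default configuration is replaced
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# no inspect esmtp
hostname(config-pmap-c)# inspect esmtp esmtp_map
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# exit
! The allow-tls line shows the count and log counters described above
hostname# show service-policy inspect esmtp
! Message to expect once a client on inside negotiates TLS with a server
! on outside (addresses and ports constructed for this example):
! %ASA-6-108007: TLS started on ESMTP session between client inside:10.1.1.5/49152 and server outside:203.0.113.25/25
```

Keep the count and log counters in view: every session they count has left ESMTP inspection, so a sudden rise on a segment where mail servers are not expected to negotiate TLS is worth a look.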

DNS Guard Enhancement

Added an option to enable or disable DNS guard. When enabled, this feature allows only one DNS response back from a DNS request.

In ASDM, see Configuration > Firewall > Objects > Inspect Maps > DNS.

Also available in Version 8.0(3).

WAAS and ASA Interoperability

The inspect waas command is added to enable WAAS inspection in the policy-map class configuration mode. This CLI is integrated into Modular Policy Framework for maximum flexibility in configuring the feature. The [no] inspect waas command can be configured under a default inspection class and under a custom class-map. This inspection service is not enabled by default.

The keyword option waas is added to the show service-policy inspect command to display WAAS statistics.

show service-policy inspect waas

A new system log message is generated when WAAS optimization is detected on a connection. All Layer 7 inspection services, including IPS, are bypassed on WAAS-optimized connections, so apply inspect waas to a class that matches traffic between your WAAS devices rather than to all traffic.

System Log Number and Format:

%ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, inspection services bypassed on this connection.

A new connection flag "W" is added in the WAAS connection. The show conn detail command is updated to reflect the new flag.

In ASDM, see Configuration > Firewall > Service Policy Rules > Add/Edit Service Policy Rule > Rule Actions > Protocol Inspection.

Also available in Version 8.0(3).

DHCP Features

DHCP client ID enhancement

If you enable the DHCP client on an interface with the ip address dhcp command, some ISPs expect DHCP option 61 (client identifier) to contain the interface MAC address and do not assign an address if it is missing from the request. A new command lets you send the interface MAC address as option 61. If you do not configure it, the client ID is cisco-<MAC>-<interface>-<hostname>.

We modified the following screen: Configuration > Device Management > DHCP > DHCP Server; then click Advanced.

Also available in Version 8.0(3).

Module Features

Added Dataplane Keepalive Mechanism

You can now configure the adaptive security appliance so that a failover will not occur if the AIP SSM is upgraded. In previous releases when two adaptive security appliances with AIP SSMs are configured in failover and the AIP SSM software is updated, the adaptive security appliance triggers a failover, because the AIP SSM needs to reboot or restart for the software update to take effect.

Also available in Version 7.0(7) and 8.0(3).

ASDM Features

ASDM banner enhancement

The security appliance software supports an ASDM banner. If one is configured, the banner text appears in a dialog box when you start ASDM, with the option to continue or disconnect. Continue dismisses the banner and completes login as usual; Disconnect dismisses the banner and terminates the connection. This lets you require users to accept the terms of a written policy before they connect.

In ASDM, see Configuration > Properties > Device Administration > Banner.

Also available in Version 8.0(3).

Cisco Content Security and Control (CSC) Damage Cleanup Services (DCS) feature events and statistics

With the Cisco Content Security and Control (CSC) 6.2 software, ASDM provides events and statistics for the new Damage Cleanup Services (DCS) feature. DCS removes malware from clients and servers and repairs system registries and memory.

Client Software Location

Added support in Client Software Location list to allow client updates from Linux or Mac systems. In ASDM, see Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPSec > Upload Software > Client Software.

Also available in Version 8.0(3).


Client PC Operating System and Browser Requirements

Table 2 lists the supported and recommended PC operating systems and browsers for Version 5.2(3).

Table 2 Operating System and Browser Requirements 

Operating System: Windows

Version: Windows Vista, Windows XP, Windows 2000 (Service Pack 4 or higher), Windows 2003 Server (English or Japanese versions)

Browser: Internet Explorer 6.0 or 7.0, or Firefox 1.5 or 2.0, with Sun Java SE(1) 1.4.2, 5.0, or 6

Other Requirements:

HTTP 1.1—Settings for Internet Options > Advanced > HTTP 1.1 should use HTTP 1.1 for both proxy and non-proxy connections.

SSL Encryption Settings—All available encryption options are enabled for SSL in the browser preferences.

Operating System: Linux

Version: Red Hat Desktop, Red Hat Enterprise Linux WS version 4

Browser: Firefox 1.5 or 2.0

Other Requirements: Java SE 1.4.2, 5.0, or 6

1 Obtain Sun Java from java.sun.com.


Memory Errors in Firefox

Firefox may stop responding or give an out of memory error message in Linux and Windows if multiple instances of ASDM are running. You can use the following steps to increase the Java memory and work around the behavior.

This section describes how to increase the memory for Java on the following platforms:

Java for Windows

Java on Linux

Java for Windows

To change the memory settings of Java on Windows for Java versions 1.4.2, 5.0, and 6, perform the following steps:


Step 1 Close all instances of Internet Explorer or Netscape.

Step 2 Click Start > Settings > Control Panel.

Step 3 If you have Java 1.4.2 installed:

a. Click Java Plug-in. The Java Control Panel appears.

b. Click the Advanced tab.

c. Type -Xmx256m in the Java RunTime Parameters field.

d. Click Apply and exit the Java Control Panel.

Step 4 If you have Java 5.0 or Java 6 installed:

a. Click Java. The Java Control Panel appears.

b. Click the Java tab.

c. Click View under Java Applet Runtime Settings. The Java Runtime Settings pane appears.

d. Type -Xmx256m in the Java Runtime Parameters field and then click OK.

e. Click OK and exit the Java Control Panel.


Java on Linux

To change the settings of Java version 1.4.2 or 5.0 on Linux, perform the following steps:


Step 1 Close all instances of Firefox.

Step 2 Open the Java Control Panel by launching the ControlPanel executable file.


Note In the Java 2 SDK, this file is located in <SDK installation directory>/jre/bin/ControlPanel. For example, if the Java 2 SDK is installed in /usr/j2se, the full path is /usr/j2se/jre/bin/ControlPanel. In a Java 2 Runtime Environment installation, the file is located in <JRE installation directory>/bin/ControlPanel.


Step 3 If you have Java 1.4.2 installed:

a. Click the Advanced tab.

b. Type -Xmx256m in the Java RunTime Parameters field.

c. Click Apply and close the Java Control Panel.

Step 4 If you have Java 5.0 installed:

a. Click the Java tab.

b. Click View under Java Applet Runtime Settings.

c. Type -Xmx256m in the Java Runtime Parameters field and then click OK.

d. Click OK and exit the Java Control Panel.


Supported Platforms and Feature Licenses

For information on supported platforms and feature licenses, see:

Cisco ASA 5500 series adaptive security appliance

http://www.cisco.com/en/US/docs/security/asa/asa72/release/notes/asarn723.html

Cisco PIX 500 series security appliance

http://www.cisco.com/en/US/docs/security/pix/pix72/release/notes/pixrn723.html

ASDM and SSM Compatibility

For a table showing ASDM compatibility with SSMs, see:

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

Upgrading ASDM

This section describes how to upgrade ASDM to a new ASDM release. If you have a Cisco.com login, you can obtain ASDM from the following website:

http://www.cisco.com/cisco/software/navigator.html


Note If you are upgrading from PIX Version 6.3, first upgrade to Version 7.0 according to the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0. Then upgrade PDM to ASDM according to the ASDM 5.0 release notes.


If you have a previous release of ASDM on your adaptive security appliance and want to upgrade to the latest release, you can do so from within ASDM. We recommend that you upgrade the ASDM image before the platform image. You cannot use a previous version of ASDM with a new platform image.

To upgrade ASDM, perform the following steps:


Step 1 Download the new ASDM image to your PC.

Step 2 Launch ASDM.

Step 3 On the Tools menu:

a. In ASDM 5.0 and 5.1, click Upload Image from Local PC.

b. In ASDM 5.2, click Upgrade Software.

Step 4 With ASDM selected, click Browse Local to select the new ASDM image.

Step 5 To specify the location in flash memory where you want to install the new image, enter the directory path in the field or click Browse Flash.

If your adaptive security appliance does not have enough memory to hold two ASDM images, overwrite the old image with the new one by specifying the same destination filename. You can rename the image after it has been uploaded by using Tools > File Management.

If you have enough memory for both versions, you can specify a different name for the new version. If you need to revert to the old version, it is still in your flash memory.

Step 6 Click Upload Image.

When ASDM is finished uploading, the following message appears:

"ASDM Image is Uploaded to Flash Successfully."

Step 7 If the new ASDM image has a different name than the old image, then you must configure the adaptive security appliance to load the new image in the Configuration > Properties > Device Administration > Boot System/Configuration pane.

Step 8 Upgrade the ASA/PIX platform image in the same way: repeat Steps 1 and 3 through 7 for the platform image, selecting ASA/PIX instead of ASDM in Step 4. Then choose Tools > System Reload, make sure that Save the running configuration at time of reload is enabled, and click Schedule Reload.
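The same upgrade from the CLI, as an added example that is not part of the release notes. The TFTP server 10.1.1.10, the image filenames, the name of the previous platform image and the disk0: file system are assumptions (PIX platforms use flash: instead), and the verify command is assumed to be available on your image. The order follows the text above: ASDM image first, then the platform image, then one reload. Lines beginning with ! are comments for the reader.

```text
hostname# copy tftp://10.1.1.10/asdm-523.bin disk0:/asdm-523.bin
hostname# copy tftp://10.1.1.10/asa723-k8.bin disk0:/asa723-k8.bin
! Confirm the files arrived intact and compare the digests with the ones
! published on Cisco.com before pointing the boot settings at them
hostname# verify /md5 disk0:/asdm-523.bin
hostname# verify /md5 disk0:/asa723-k8.bin
hostname# configure terminal
hostname(config)# asdm image disk0:/asdm-523.bin
! The first boot system entry wins, so remove the previous image's entry
hostname(config)# no boot system disk0:/asa722-k8.bin
hostname(config)# boot system disk0:/asa723-k8.bin
hostname(config)# write memory
hostname(config)# exit
! Check what will be loaded before reloading
hostname# show asdm image
hostname# show bootvar
hostname# reload
```

Keeping the old ASDM image on flash only helps if the old platform image is kept too; as the text above notes, an older ASDM cannot be used with a newer platform image.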


Getting Started with ASDM

This section describes how to connect to ASDM and start your configuration. If you are using the adaptive security appliance for the first time, your adaptive security appliance might include a default configuration. You can connect to a default IP address with ASDM so that you can immediately start to configure the adaptive security appliance from ASDM. If your platform does not support a default configuration, you can log in to the CLI and run the setup command to establish connectivity. See Before You Begin for more detailed information about networking.

This section includes the following topics:

Before You Begin

Downloading the ASDM Launcher

Starting ASDM from the ASDM Launcher

Using ASDM in Demo Mode

Starting ASDM from a Web Browser

Using the Startup Wizard

Using the VPN Wizard

Configuring Stateful Failover

Printing from ASDM

Before You Begin

If your security appliance includes a factory default configuration, you can connect to the default management address of 192.168.1.1 with ASDM. On the ASA 5500 series adaptive security appliance, the interface to which you connect with ASDM is Management 0/0. For the Cisco PIX 500 series security appliance, the interface to which you connect with ASDM is Ethernet 1. To restore the default configuration, enter the configure factory-default command at the adaptive security appliance CLI.

Make sure the PC is on the same network as the adaptive security appliance. You can use DHCP on the client to obtain an IP address from the adaptive security appliance, or you can set the IP address to a 192.168.1.0/24 network address.

If your platform does not support the factory default configuration, or you want to add to an existing configuration to make it accessible for ASDM, access the adaptive security appliance CLI according to the Cisco Security Appliance Command Line Configuration Guide, and enter the setup command. The setup command prompts you for a minimal configuration to connect to the adaptive security appliance using ASDM.


Note You must have an inside interface already configured to use the setup command. The Cisco PIX 500 series security appliance default configuration includes an inside interface, but the Cisco ASA adaptive security appliance default configuration does not. Before using the setup command, enter the interface gigabitethernet slot/port command, and then the nameif inside command. The slot for interfaces that are built in to the chassis is 0. For example, enter interface gigabitethernet 0/1. On the Cisco PIX 500 series security appliance and the ASA 5510 adaptive security appliance, the built-in ports are Ethernet rather than Gigabit Ethernet interfaces, so use the interface ethernet form instead (for example, interface ethernet 0/1 on the ASA 5510).


Downloading the ASDM Launcher

The ASDM Launcher is for Windows only. Running ASDM from the Launcher is an improvement over running it as a Java applet: you avoid the double authentication and certificate dialog boxes, the application launches faster, and the Launcher caches previously entered IP addresses and usernames.

To download the ASDM Launcher, perform the following steps:


Step 1 From a supported web browser on the adaptive security appliance network, enter the following URL:

https://interface_ip_address

In transparent firewall mode, enter the management IP address.


Note Be sure to enter https, not http.


Step 2 Click OK or Yes to all prompts, including the name and password prompt. With the factory default configuration, leave the name and password blank (the default). If you have already set an enable password or configured AAA for HTTP access, enter those credentials instead.

A page displays with the following buttons:

Download ASDM Launcher and Start ASDM

Run ASDM as a Java Applet

Step 3 Click Download ASDM Launcher and Start ASDM.

The installer downloads the file to your PC.

Step 4 Run the installer to install the ASDM Launcher.


Starting ASDM from the ASDM Launcher

The ASDM Launcher is for Windows only.

To start ASDM from the ASDM Launcher, perform the following steps:


Step 1 Double-click the Cisco ASDM Launcher shortcut on your desktop, or launch it from the Start menu.

Step 2 Enter the adaptive security appliance IP address or hostname, your username, and your password, and then click OK.

If there is a new version of ASDM on the adaptive security appliance, the ASDM Launcher automatically downloads it before starting ASDM.


Using ASDM in Demo Mode

ASDM Demo Mode is available as a separately installed application that runs on Windows. This mode uses the ASDM Launcher and prepackaged configuration files to let you run ASDM without a live device. ASDM Demo Mode lets you do the following:

Perform configuration and selected monitoring tasks through ASDM as though you were interacting with an actual device.

Demonstrate ASDM or adaptive security appliance features using the ASDM interface.

Perform configuration and monitoring tasks with the Content Security and Control (CSC) SSM.

ASDM Demo Mode provides simulated monitoring data, including real-time system log messages. The data shown is randomly generated, but the experience is identical to what you would see when connecting to an actual device.

ASDM Demo Mode has the following limitations:

Changes made to the configuration will appear in the GUI, but are not applied to the configuration file. That is, when you click Refresh, the GUI will revert to the original configuration. The changes are never saved to the configuration file.

File and disk operations are not supported.

Monitoring and logging data are simulated. Historical monitoring data is not available.

You can only log in as an admin user; you cannot log in as a monitor-only or read-only user.

Demo Mode does not support the following features:

File menu:

Save Running Configuration to Flash

Save Running Configuration to TFTP Server

Save Running Configuration to Standby Unit

Save Internal Log Buffer to Flash

Clear Internal Log Buffer

Tools menu:

Command Line Interface

Ping

File Management

Update Image

File Transfer

Upload image from Local PC

System Reload

Toolbar/Status bar > Save

Configuration > Interface > Edit Interface > Renew DHCP Lease

Failover—Configuring a standby device

These operations cause a reread of the configuration and therefore will revert the configuration to the original settings.

Switching contexts

Making changes in the Interface pane

NAT pane changes

Clock pane changes

To run ASDM in Demo Mode, perform the following steps:


Step 1 If you have not yet installed the Demo Mode application, perform the following steps:

a. Download the ASDM Demo Mode installer, asdm-demo-version.msi, from the following website:

http://www.cisco.com/cisco/software/navigator.html

b. Double-click the asdm-demo-version.msi file to install the software.

Step 2 Double-click the Cisco ASDM Launcher shortcut on your desktop, or access it from the Start menu.

Step 3 Check Run in Demo Mode.

Step 4 To set the platform, context and firewall modes, and ASDM Version, click Demo and make your selections from the Demo Mode area.

Step 5 Click OK to launch ASDM in Demo Mode.

A Demo Mode label appears in the title bar of the window.


Starting ASDM from a Web Browser

To start ASDM from a web browser, perform the following steps:


Step 1 From a supported web browser on the adaptive security appliance network, enter the following URL:

https://interface_ip_address

In transparent firewall mode, enter the management IP address.


Note Be sure to enter https, not http.


Step 2 Click OK or Yes to all browser prompts.

A page displays with the following buttons:

Download ASDM Launcher and Start ASDM

Run ASDM as a Java Applet

Step 3 Click Run ASDM as a Java Applet.

Step 4 Click OK or Yes to all Java prompts, including the name and password prompt. By default, leave the name and password blank.


Using the Startup Wizard

The Startup Wizard helps you configure a single mode adaptive security appliance or a context in multiple context mode.

To use the Startup Wizard to configure the adaptive security appliance, perform the following steps:


Step 1 Launch the wizard according to the steps for the correct security context mode.

In single context mode, choose Wizards > Startup Wizard.

In multiple context mode, for each new context, perform the following steps:

a. Choose System > Configuration > Security Context.

b. Be sure to allocate interfaces to the context.

c. When you apply the changes, ASDM prompts you to use the Startup Wizard.

d. Click the System/Contexts icon on the toolbar, and choose the context name.

e. Choose Wizards > Startup Wizard.

Step 2 Click Next as you proceed through the Startup Wizard panes, completing the appropriate information in each one, such as the device name, domain name, passwords, interface names, IP addresses, basic server configuration, and access permissions.

Step 3 Click Finish in the last pane to send the configuration to the adaptive security appliance.

Step 4 If the IP address of the connection changes, reconnect to ASDM using the new IP address.

Step 5 Enter other configuration details in the Configuration panes.


Using the VPN Wizard

The VPN Wizard configures basic VPN access for LAN-to-LAN or remote client access. The VPN Wizard is available only for adaptive security appliances running in single context mode and routed (not transparent) firewall mode.

To use the VPN Wizard to configure VPN, perform the following steps:


Step 1 Click Wizards > VPN Wizard.

Step 2 Supply information in each wizard screen. Click Next to move through the VPN Wizard screens. You may use the default IPSec and IKE policies. Click Help for more information about each field.

Step 3 After you complete the VPN Wizard, click Finish in the last screen to send the configuration to the adaptive security appliance.


Configuring Stateful Failover

This section describes how to implement Stateful Failover on adaptive security appliances connected via a LAN.

If you are connecting two ASA 5500 series adaptive security appliances for failover, you must connect them via a LAN. If you are connecting two PIX 500 series security appliances, you can connect them using either a LAN or a serial cable.


Tip If your security appliances are located near each other, you might prefer to connect them with a serial cable instead of via the LAN. Although a serial connection is slower than a LAN connection, using a cable obviates the need for an interface or for the LAN and Stateful Failover to share an interface, which could affect performance. Also, using a cable enables the detection of power failure on the peer device.


As specified in the Cisco Security Appliance Command Line Configuration Guide, both devices must have appropriate licenses and have the same hardware configuration.

Before you begin, decide on active and standby IP addresses for the interfaces that ASDM connects through on the primary and secondary devices. These IP addresses must be assigned to device interfaces with HTTPS access.

To configure LAN Stateful Failover on your security appliance, perform the following steps:


Step 1 Configure the secondary device for HTTPS IP connectivity. See the section Before You Begin, and use a different IP address on the same network as the primary device.

Step 2 Connect the pair of devices together and to their networks in their Stateful Failover LAN cable configuration.

Step 3 Start ASDM from the primary device through a supported web browser. See the section Downloading the ASDM Launcher.

Step 4 Perform one of the following steps, depending on the context mode:

If your device is in multiple context mode, click Context. Choose admin from the Context drop-down menu, and then choose Configuration > Properties > Failover.

If your device is in single mode, choose Configuration > Properties > Failover, and then click the Interfaces tab.

Step 5 Perform one of the following steps, depending on your firewall mode:

If your device is in routed mode, configure standby addresses for all routed mode interfaces.

If your device is in transparent mode, configure a standby management IP address.


Note Interfaces used for failover connectivity should not have names (in single mode) or be allocated to security contexts (in multiple security context mode). In multiple context mode, other security contexts may also have standby IP addresses configured.


Step 6 Perform one of the following steps, depending on the security context mode:

a. If your device is in multiple security context mode, choose System > Configuration > Failover.

b. If your device is in single mode, choose Configuration > Properties > Failover.

Step 7 In the Setup tab of the Failover pane under LAN Failover, select the interface that is cabled for LAN Stateful Failover.

Step 8 Configure the remaining LAN Failover fields.

Step 9 (Optional) Provide information for other fields in all of the failover tabs. If you are configuring Active/Active failover, you must configure failover groups in multiple security context mode. If more than one failover pair of devices coexists on a LAN in Active/Active Stateful Failover, provide failover-group MAC addresses for any interfaces on shared LAN networks.

Step 10 In the Setup tab, check the Enable Failover check box. If you are using the PIX 500 series security appliance, check the Enable LAN rather than serial cable failover check box.

Step 11 Click Apply, read the warning dialog that appears, and click OK. A dialog box about configuring the peer appears.

Step 12 Enter the IP address of the secondary device, which you configured as the standby IP address of the ASDM interface. Wait about 60 seconds. The standby peer still could become temporarily inaccessible.

Step 13 Click OK. Wait for the configuration to be synchronized to the standby device over the failover LAN connection.

The secondary device should enter standby failover state using the standby IP addresses. Any further configuration of the active device or an active context is replicated to the standby device or the corresponding standby context.


Reenabling Stateful Failover and Securing the Failover Key

To prevent the failover key from being replicated to the peer unit in clear text for an existing failover configuration, perform the following steps:


Step 1 Disable failover in the active unit (or in the system execution space on the unit that has failover group 1 in the active state).

Step 2 Enter the failover key on both units.

Step 3 Reenable failover.

When Stateful Failover is reenabled, the failover communication is encrypted with the key.


To secure the failover key on the active device, perform the following steps:


Step 1 Perform one of the following steps, according to the security context mode:

a. If your device is in single mode, choose Configuration > Properties > Failover > Setup.

b. If your device is in multiple mode, choose System > Configuration > Failover > Setup.

Step 2 Turn off failover. The standby should switch to pseudo-standby mode.

a. Uncheck the Enable failover check box.

b. Click Apply. (Click OK if CLI preview is enabled.)

Step 3 Enter the failover key in the Shared Key field.

Step 4 Reenable failover.

a. Check the Enable failover check box.

b. Click Apply. (Click OK if CLI preview is enabled.) A dialog box about configuring the peer appears.

Step 5 Enter the IP address of the peer. Wait about 60 seconds. Although the standby peer does not have the shared failover key, it could still become inaccessible.

Step 6 Click OK. Wait for the configuration to be synchronized to the standby device over the encrypted failover LAN connection.


Troubleshooting Java Problems

If your Java console is set to display, you might notice one or more of the following errors. If ASDM is functioning correctly, you do not need to take any action. However, if these messages appear and ASDM crashes, install the most recent Java Plug-in (version 1.5.0 or above) from the following Cisco site:

http://www.cisco.com/cisco/software/navigator.html

or from the Sun Microsystems site:

http://www.oracle.com/technetwork/java/javase/downloads/index-jdk5-jsp-142662.html

Java console errors:

You might see errors in your Java console similar to the following. They are the result of a bug in Java. Sun Microsystems will provide information about when a Java plug-in will be available with a fix for this bug. The bug number is 5089429. See this link:

http://bugs.sun.com/

java.lang.NullPointerException
at sun.java2d.pipe.DrawImage.copyImage(DrawImage.java:50)
at sun.java2d.pipe.DrawImage.copyImage(DrawImage.java:736)
at sun.java2d.SunGraphics2D.drawImage(SunGraphics2D.java:2759)
at sun.java2d.SunGraphics2D.drawImage(SunGraphics2D.java:2749)

The Java bug can also cause a text file to appear on your Windows desktop. The file has a name like hs_err_pid12345.txt and contains text similar to the following:

Content of text file (hs_err_pid1384.txt):
Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x8077E4B Function=[Unknown.] Library=C:\PROGRA~1\Java\J2RE14~1.2_0\bin\client\jvm.dll
NOTE: We are unable to locate the function name symbol for the error just occurred. Please refer to release documentation for possible reason and solutions.
Current Java thread:
at sun.java2d.loops.FillRect.FillRect(Native Method)
at sun.java2d.pipe.LoopPipe.fillRect(Unknown Source)
at sun.java2d.SunGraphics2D.fillRect(Unknown Source)

Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x8077CCA
Function=[Unknown.] Library=C:\PROGRA~1\Java\J2RE14~2.2_0\bin\client\jvm.dll
NOTE: We are unable to locate the function name symbol for the error just occurred. Please refer to release documentation for possible reason and solutions.
Current Java thread:
at sun.java2d.loops.DrawLine.DrawLine(Native Method)
at sun.java2d.pipe.LoopPipe.drawLine(Unknown Source)
at sun.java2d.SunGraphics2D.drawLine(Unknown Source)

An unexpected exception has been detected in native code outside the VM. Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x6964182 Function=Java_sun_java2d_loops_MaskFill_MaskFill+0xFA42 Library=C:\Program Files\Java\j2re1.4.2_05\bin\awt.dll
Current Java thread:
at sun.java2d.loops.DrawGlyphList.DrawGlyphList(Native Method)
at sun.java2d.pipe.SolidTextRenderer.drawGlyphList(Unknown Source) - locked <0x161a8468> (a java.lang.Class)
at sun.java2d.pipe.GlyphListPipe.drawString(Unknown Source)
at sun.java2d.SunGraphics2D.drawString(Unknown Source)

Printing from ASDM


Note Printing is supported only for Microsoft Windows 2000 or XP in this release. There is a known caveat (CSCse15764) for printing from Windows XP that causes printing to be extremely slow.


ASDM supports printing for the following features:

The Configuration > Interfaces table

All Configuration > Security Policy tables

All Configuration > NAT tables

The Configuration > VPN > IPSec > IPSec Rules table

Monitoring > Connection Graphs and its related table

ASDM Limitations

This section describes ASDM limitations, and includes the following:

Unsupported Commands

One-Time Password Not Supported

Interactive User Commands Not Supported in ASDM CLI Tool

Unsupported Commands

ASDM does not support the complete command set of the CLI. In most cases, ASDM ignores unsupported commands, and they can remain in the configuration.

One-Time Password Not Supported

ASDM does not support the one-time password (OTP) authentication mechanism.

Effects of Unsupported Commands

If ASDM loads an existing running configuration and finds IPv6-related commands, ASDM displays a dialog box informing you that it does not support IPv6. You cannot configure any IPv6 commands in ASDM, but all other configuration is available.

If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected. To view the unsupported commands, choose Options > Show Commands Ignored by ASDM on Device.

If ASDM loads an existing running configuration and reads the alias command, it enters Monitor-only mode.

Monitor-only mode allows access to the following functions:

The Monitoring area

The CLI tool (choose Tools > Command Line Interface), which lets you use the CLI commands

To exit Monitor-only mode, use the CLI tool or access the adaptive security appliance console, and remove the alias command. You can use outside NAT instead of the alias command. For more information, see the Cisco Security Appliance Command Reference.


Note You might also be in Monitor-only mode because your user account privilege level, indicated in the status bar at the bottom of the main ASDM window, was set up as less than or equal to three by your system administrator, which allows Monitor-only mode. For more information, choose Configuration > Properties > Device Administration > User Accounts and Configuration > Properties > Device Administration > AAA Access.


Ignored and View-Only Commands

The following table lists commands that ASDM supports in the configuration when you add them through the CLI, but that you cannot add or edit in ASDM. If ASDM ignores the command, it does not appear in the ASDM GUI at all. If the command is view-only, then it appears in the GUI, but you cannot edit it.

Unsupported Commands | ASDM Behavior
access-list | Ignored if not used, except for use in VPN group policy screens
capture | Ignored
established | Ignored
failover timeout | Ignored
ipv6, any IPv6 addresses | Ignored
pager | Ignored
pim accept-register route-map | Ignored. You can only configure the list option using ASDM.
prefix-list | Ignored if not used in an OSPF area
route-map | Ignored
service-policy global | Ignored if it uses a match access-list class. For example:

    access-list myacl line 1 extended permit ip any any
    class-map mycm
     match access-list myacl
    policy-map mypm
     class mycm
      inspect ftp
    service-policy mypm global

sysopt nodnsalias | Ignored
sysopt uauth allow-http-cache | Ignored
terminal | Ignored


Other CLI Limitations

ASDM does not support discontinuous subnet masks such as 255.255.0.255. For example, you cannot use the following:

ip address inside 192.168.2.1 255.255.0.255
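Several of the constraints in these notes can be checked before a configuration is loaded into ASDM: the commands the table above says ASDM ignores, the alias command that forces Monitor-only mode, failover traffic being unencrypted until a failover key has been set (which is why the key is entered with failover disabled and only then reenabled), and the discontinuous subnet masks ASDM rejects. The following Python is an added example written for these notes, not Cisco's or ASDM's code; the command list is taken from the table above, the two configuration fragments are constructed samples, and the shared-key value is a placeholder.

```python
import ipaddress
import re

# Commands listed in the release notes' "Ignored and View-Only Commands" table
# as ignored by ASDM with no qualifying condition.
IGNORED_COMMANDS = (
    "capture", "established", "failover timeout", "ipv6", "pager",
    "route-map", "sysopt nodnsalias", "sysopt uauth allow-http-cache", "terminal",
)
# Reading an alias command puts ASDM into Monitor-only mode.
MONITOR_ONLY_COMMANDS = ("alias",)

# Matches "ip address <ifname> <addr> <mask>" (the form shown in the release
# notes) and "ip address <addr> <mask>" as used under an interface.
IP_ADDRESS_RE = re.compile(
    r"^ip address (?:(?P<ifname>[A-Za-z]\S*) )?"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}) (?P<mask>\d{1,3}(?:\.\d{1,3}){3})$"
)

def is_contiguous_mask(mask):
    """True when mask is a run of 1 bits followed only by 0 bits.
    The complement of such a mask is 2**k - 1, so inv & (inv + 1) == 0."""
    bits = int(ipaddress.IPv4Address(mask))
    inv = (~bits) & 0xFFFFFFFF
    return inv & (inv + 1) == 0

def prefix_length(mask):
    """Prefix length of a contiguous mask, or None for a discontinuous one."""
    if not is_contiguous_mask(mask):
        return None
    return bin(int(ipaddress.IPv4Address(mask))).count("1")

def _is_command(line, command):
    return line == command or line.startswith(command + " ")

def lint_config(config_text):
    """Return finding strings for an ASA/PIX-style configuration text."""
    findings = []
    failover_enabled = False
    failover_key_set = False
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue  # blank line or comment
        if line == "failover":
            failover_enabled = True
        elif line == "no failover":
            failover_enabled = False
        elif _is_command(line, "failover key"):
            failover_key_set = True
        m = IP_ADDRESS_RE.match(line)
        if m and not is_contiguous_mask(m.group("mask")):
            where = m.group("ifname") or m.group("addr")
            findings.append(f"line {lineno}: discontinuous mask {m.group('mask')} "
                            f"on {where} cannot be configured in ASDM")
        for cmd in MONITOR_ONLY_COMMANDS:
            if _is_command(line, cmd):
                findings.append(f"line {lineno}: {cmd} command forces ASDM into "
                                "Monitor-only mode")
        for cmd in IGNORED_COMMANDS:
            if _is_command(line, cmd):
                findings.append(f"line {lineno}: {cmd} command is ignored by ASDM "
                                "(Options > Show Commands Ignored by ASDM on Device)")
    # Without a key the failover link, and the configuration replicated over
    # it, is not encrypted; the notes therefore have you set the key with
    # failover disabled and only then reenable it.
    if failover_enabled and not failover_key_set:
        findings.append("failover is enabled without a failover key: "
                        "failover communication is sent in clear text")
    return findings

# Constructed sample fragments, not taken from any real device.
WEAK_CONFIG = """\
! constructed: discontinuous mask, alias, ignored capture, unkeyed failover
hostname asa-lab
ip address inside 192.168.2.1 255.255.0.255
alias (inside) 192.0.2.5 10.1.1.5 255.255.255.255
capture cap1 interface outside
failover
"""

HARDENED_CONFIG = """\
! constructed: contiguous mask, alias removed, key set before reenabling failover
hostname asa-lab
ip address inside 192.168.2.1 255.255.255.0
no failover
failover key CHANGE-ME-placeholder-shared-key
failover
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {lint_config(cfg)}")
```

Running the script reports four findings for the weak fragment (the 255.255.0.255 mask, the alias command, the ignored capture command, and failover enabled with no key) and none for the hardened one, where the key is entered between no failover and failover exactly as the procedure above prescribes. The mask test relies on the fact that the complement of a contiguous mask is one less than a power of two, so a single bit operation distinguishes 255.255.254.0 from 255.255.0.255.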

Interactive User Commands Not Supported in ASDM CLI Tool

The ASDM CLI tool, Tools > Command Line Interface, does not support interactive user commands. If you enter a CLI command that requires interactive confirmation, ASDM prompts you to enter "Yes" or "No," but does not recognize your input. ASDM then times out waiting for your response.

For example:

1. From the ASDM Tools menu, click Command Line Interface.

2. Enter the crypto key generate rsa command.

ASDM generates the default 1024-bit RSA key.

3. Reenter the crypto key generate rsa command.

Instead of regenerating the RSA keys by overwriting the previous one, ASDM displays the following error:

Do you really want to replace them? [yes/no]:WARNING: You already have RSA 
ke0000000000000$A key
Input line must be less than 16 characters in length.
%Please answer 'yes' or 'no'.
Do you really want to replace them [yes/no]:
%ERROR: Timed out waiting for a response.
ERROR: Failed to create new RSA keys names <Default-RSA-key>

Workaround:

You can configure most commands that require user interaction through ASDM.

For CLI commands that have a noconfirm option, use this option when entering the CLI command. For example:

crypto key generate rsa noconfirm

Caveats

The following sections describe caveats for Version 5.2(3).

For your convenience in locating caveats in the Cisco Bug Toolkit, the caveat titles listed in this section are taken directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences, because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling and typographical errors may be corrected.


Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://tools.cisco.com/Support/BugToolKit/

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


Open Caveats - Version 5.2(3)

Table 3 lists the open caveats for Version 5.2(3):

Table 3 Open Caveats 

ID Number   Caveat Title
CSCsd75599  Modifying a shared extended ACL should warn user of sharing implications
CSCse07045  Service policy classes not listed in same order as the CLI
CSCse23663  Status window and command preview window pop up at same time on Linux
CSCse43201  HTTP map advanced view inspection tab causes error
CSCse53604  ASDM is not detecting FTP inspection not enabled scenario
CSCse74616  HAS Wizard, Load Balancing: Wrong error order
CSCse74662  HAS Wizard: Cancelling multi-mode change cause ASDM to quit
CSCse81738  ASDM 5.2 performance very slow when ASDM syslog level is 6 or 7
CSCse93458  Existing network object group name for service group is allowed.
CSCsf05395  Error in configuring aaa authentication include
CSCsf18305  Wrong cli generation in dynamic crypto map, IPSec rules panel
CSCsf28179  Name string/URL list is not displayed correctly from ASDM after 'Apply'
CSCsg64625  5505 Startup Wizard PPPoE finish button enabled in error
CSCsg71825  Network Object Groups should be removed from browse real address
CSCsg82384  Global Policy ACL cannot be added to like interface policy acl
CSCsh16092  ASDM 5.2(2) not generating correct error for wrong CSC password
CSCsh24222  Multiple networks cannot be defined in the ASDM VPN wizard
CSCsh39808  PFS group 2 added in ASDM VPN Wizard - no option to remove
CSCsh84513  Add/Edit Regex Class Map - wrong topic ID
CSCsi65804  CSC SSM failed to login through ASDM
CSCsj61215  display incorrect Interface Status on active secondary unit
CSCsj61309  Routing/Static: Editing metric value - one failure case
CSCsj61586  Hit return in single line of Command Line Interface closes the window
CSCsj70866  Packet-tracer: change default value of icmp identifier to non-zero
CSCsj74335  ASDM: trustpoint fields become editable after clicking New
CSCsj81132  refresh function for "show wccp web hash" is not working
CSCsj85297  Cannot set sla mon timeout to greater than 60000
CSCsj90600  Obj-gp:Exception when delete obj-gp which associated with ACL w/o AG
CSCsj90833  PPPoE:When switch from Specify to Obtain address, asdm sends the addr
CSCsj96262  Startup Wiz:When switch from static IP to PPPoE, sends ip addr also


Resolved Caveats - Version 5.2(3)

Table 4 lists the resolved caveats for Version 5.2(3):

Table 4 Resolved Caveats 

ID Number   Caveat Title
CSCsb90798  Time Set is off on the main page graphs.
CSCse26266  RIP/Default Setup: Deletion of default-info originate has some issues
CSCse85179  ASDM:hide LDAP aaa-server Login DN Password
CSCsf10418  Inactivity/absolute time of aaa is not shown in Monitoring.
CSCsf16560  File Management: Cut and Paste flash file hangs the dialog
CSCsf18287  Post error message due to deprecated authentication-server-group none
CSCsf32361  MPF: Direction check box in Police shouldn't have input value
CSCsf32446  Wrong CLI Generation in MPF, while editing a service policy.
CSCsg16688  ASDM hangs at 56%: switching from context to no configuration context
CSCsg29740  ASDM should not allow non-ascii chars to be entered into desc
CSCsg40595  ASDM unable to show already configured rule actions/connection settings
CSCsg47138  ASDM Configuration of DHCP Option 2 Will not accept values > 0xFFFF
CSCsg47162  ASDM will not take a DHCP option 2 hex value greater than 0xFFFF
CSCsg48207  'Hardware' shows different in 'show version' between like devices.
CSCsg68119  Monitoring/Routing/RIP .... Type is set to blank for RIP/Conn/Static
CSCsg68633  HAS wizard confusing intro message on standby IP page
CSCsg69530  Help for Gateways and Call Agents panel is not present
CSCsg71388  HTTP server enable command incorrect in multiple mode
CSCsg76794  Last 30 day counter is not updating correctly
CSCsg76796  Interactive authentication sub-panel note needs to be reworded.
CSCsg78913  Clock: timezone modifications have caused regression
CSCsg80019  Unable to Add/modify/delete limits set to default class from ASDM
CSCsg80675  ASDM: Authorization-DN Email attribute incorrectly set as DNQ attribute
CSCsg80846  ASDM fails to remove certain DHCP options (2 and 15)
CSCsg81046  ASDM fails to show DHCP Options that were configured via the CLI
CSCsg87965  Enable password set incorrectly
CSCsg92142  The authorization tab for the vpn tunnel groups is blank
CSCsg97395  ASDM Err Management interface cannot be the lowest security interface
CSCsh18165  HAS wizard complains VPN-3DES-AES license incompatible incorrectly
CSCsh27751  Network Reputation Service (NRS) Messages Are Not Displayed in ASDM
CSCsh30718  ASDM: Add new user fails when modifying VPN Group Policy
CSCsh33301  Font used to display DHCP option Information is hard to read
CSCsh38434  'clear configure crypto map' cmd not sent if IPSec rule deleted in ASDM
CSCsh40144  SSM Password Recovery is missing under System > Tools in 5.2(2)
CSCsh40324  ASDM: second certificate prompt seen when using client cert authentication
CSCsh56326  Need ASDM support of redirect-fqdn cli
CSCsh58108  Unable to create custom time range in ASDM
CSCsh60259  ASDM 5.2.2 HAS wizard reports license mismatch
CSCsh62831  Default for WebVPN Cache on 7.1/7.2 should be 'disabled'
CSCsh66442  VPN wiz not creating static tunnel if last entry is dynamic vpn tunnel
CSCsh74700  ASDM not updating correctly DefaultRAgroup authentication ppp-attributes
CSCsh75120  HAS Wizard check compatibility may fail with -K8 string in PID
CSCsh85087  ASDM - Getting Events Connection Started events
CSCsh86539  Feature search for IPS is wrong
CSCsh97080  Unable to login to CSC module when using Java version 1.6.0
CSCsi10406  ASDM - a page to configure PPPoE info is missing on Startup Wizard
CSCsi26290  Unable to delete activex/java filter rules after adding duplicate entries
CSCsi43650  ASDM: add configuration check for WebVPN memory size config
CSCsi43660  ASDM error when adding SNMP server
CSCsi58878  Change the allowed VLAN range on an ASA 5505
CSCsi61378  ASDM: comma cannot be used in certificate parameters
CSCsi61555  VPN wizard to create RA makes incorrect ACLs and NATs for NAT exemption
CSCsi64723  ASDM: cannot select existing class-map in service-policy
CSCsi71458  JRE 6.0 shows ASDM signed jar certificate as expired
CSCsi82833  HAS wizard does not send vlan command when fail links are subinterfaces
CSCsi87860  ASDM is missing Linux and Mac support for client update
CSCsi88121  IPSec VPN Wizard: cannot add Site-to-Site if Remote Access is configured
CSCsj01003  New cache static content parameter added to webVPN cache
CSCsj22131  Support new dhcp-client options in ASA 7.2(3)
CSCsj36806  ASDM 5.0 does not allow spaces in group-policy names
CSCsj37968  DHCP server issues
CSCsj40666  ASDM: no control for configuring vpn load-balancing trustpoint
CSCsj41931  Implement ASDM banner
CSCsj45755  CSC ASDM not reporting Damage Cleanup Services events and statistics
CSCsj50266  ASDM stop at loading current configuration while there is regexp
CSCsj51135  Support ESMTP over TLS in ASDM
CSCsj51143  Add WAAS inspection support in ASDM
CSCsj56815  Startup Wizard Auto Update User and Device Identity problems
CSCsj57083  Authentication test fails when using ASDM and FQDN is configured.
CSCsj60413  Exception in VPN Wizard prevents config completion
CSCsj62045  Support DNS Guard function
CSCsj62776  Invalid vlan id for an added vlan interface
CSCsj62928  ASDM reads wrong 5505 vlan configuration
CSCsj66280  new CLI for smartcard-removal-disconnect not configurable in ASDM
CSCsj67420  ASDM Monitor mode displays failover interface in Interface Status
CSCsj69181  Config Modified dialog displayed/not displayed incorrectly
CSCsj74510  Menu separators have a white background
CSCsj75235  Enhancement: show PFS config in the VPN Wizard summary page
CSCsj77373  Help for File Transfer displays wrong content
CSCsj78672  ASDM Null Pointer exception when trying to delete a trustpoint
CSCsj83806  Add DNS Inspect:adding "no match criteria for domain name" fails on ASDM
CSCsj89744  ASDM listing object-group by IP selects wrong objects to be added


Related Documentation

For additional information on ASDM or its platforms, see the ASDM online Help or the following documentation found on Cisco.com:

Cisco ASA 5500 Series Hardware Installation Guide

Cisco ASA 5500 Series Getting Started Guide

Cisco ASA 5500 Series Release Notes

Migrating to ASA for VPN 3000 Series Concentrator Administrators

Cisco Security Appliance Command Line Configuration Guide

Cisco Security Appliance Command Reference

Cisco PIX Security Appliance Release Notes

Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0

Release Notes for Cisco Intrusion Prevention System 5.0

Installing and Using Cisco Intrusion Prevention System Device Manager 5.0

Release Notes for Cisco Intrusion Prevention System 5.1

Installing and Using Cisco Intrusion Prevention System Device Manager 5.1

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.