Table Of Contents
Release Notes for the Cisco ASA 1000V, Version 8.7(x)
Important Notes
Limitations and Restrictions
System Requirements
Minimum Component Requirements for the ASA 1000V
Memory Information
Memory Requirements and Allocation
Viewing Flash Memory
DRAM, Flash Memory, and Failover
ASA 1000V and ASDM Compatibility
New Features
VMware Feature Support for the ASA 1000V
Upgrading the ASA and ASDM Software
Viewing Your Current Version
Upgrading the ASA and ASDM Images
Open Caveats
Licensing for the ASA 1000V
Release Notes for the Cisco Virtual Network Management Center, Version 2.0
Release Notes for the Cisco Nexus 1000V, Version 4.2(1)SV1(5.2)
Related Documentation
Obtaining Documentation and Submitting a Service Request
Release Notes for the Cisco ASA 1000V, Version 8.7(x)
Updated: October 16, 2012
Released: August 20, 2012
This document contains release information for the Cisco ASA 1000V, Version 8.7(1.1) and includes the following sections:
•
Important Notes
•Limitations and Restrictions
•System Requirements
•New Features
•VMware Feature Support for the ASA 1000V
•Upgrading the ASA and ASDM Software, page 7
•Open Caveats
•Licensing for the ASA 1000V
•Release Notes for the Cisco Virtual Network Management Center, Version 2.0
•Release Notes for the Cisco Nexus 1000V, Version 4.2(1)SV1(5.2)
•Related Documentation
•Obtaining Documentation and Submitting a Service Request
Important Notes
Complete Solution Installation
•Neither the ASA 1000V nor VSG supports non-ASCII characters. To support localization, all components (that is, Cisco VNMC, Cisco VSG, and ASA 1000V) must meet this requirement.
•The ASA 1000V and Cisco VNMC require that the VMware vCenter installation, including keyboard and password or shared key settings, be set to American English.
ASA 1000V Installation
•You can use only one management mode (either VNMC or ASDM) on the ASA 1000V. They are mutually exclusive, and you need to decide on the mode before installation. If you want to switch management modes, you must reinstall the ASA 1000V.
•ASDM is used to monitor traffic on the ASA 1000V in both VNMC and ASDM modes.
•Routes through the management interface can only be configured using the CLI in VNMC mode.
•The VMs that are on the inside of the ASA 1000V need to be directly connected to a Nexus 1000V switch and in the same VLAN as the one you have configured on the inside of the ASA 1000V. Inside VMs must be layer 2 adjacent to the inside of the ASA 1000V. You cannot have a layer 3 hop, as with a physical router, on the inside of the ASA 1000V.
Limitations and Restrictions
The ASA 1000V does not support all features that are supported on ASA appliances. Table 1 lists the unsupported features on the ASA 1000V.
Note The commands that are associated with an unsupported feature are not available at the ASA 1000V CLI. Not all commands that are supported on ASA appliances are available on the ASA 1000V platform.
Table 1 Unsupported Features on the ASA 1000V
Feature
|
Description
|
AAA for network access
|
Not supported.
|
Active/Active failover and subsecond failover
|
Not supported.
|
Authentication using certificates
|
Not supported.
|
Shun
|
Not supported.
|
Botnet traffic filter
|
Not supported.
|
Dynamic DNS
|
Not supported.
|
Dynamic routing
|
Not supported.
|
GTP/GTPRS (Mobile Service Providers)
|
Not supported.
|
HTTP inspection maps for deep-packet inspection
|
Not supported.
|
Identity firewall
|
Not supported.
|
Inbound PAT
|
Not supported.
|
IPS and CSC modules
|
Not supported.
|
IPv6
|
Not supported
|
Multiple contexts
|
Not supported.
|
NetFlow
|
Not supported.
|
PPPoE/VPDN
|
Not supported.
|
QoS
|
Not supported.
|
Redundant interfaces, EtherChannel interfaces, and subinterfaces
|
Not supported.
|
Threat detection
|
Not supported.
|
Transparent mode
|
Not supported.
|
Unified communications
|
Not supported. (Includes TLS Proxy, Phone Proxy, Proxy Limit, and IME.)
|
URL filtering
|
Not supported.
|
VPN remote access
|
Not supported. (Includes Remote Access, Clientless (SSL) Access, Multi-site (SSL) Access, Easy VPN on the ASA 5505, VPN Phones, AnyConnect Essentials, and AnyConnect Mobile.)
|
WCCP
|
Not supported.
|
System Requirements
This section describes the system requirements for using the ASA 1000V and includes the following topics:
•Minimum Component Requirements for the ASA 1000V
•Memory Information
•ASA 1000V and ASDM Compatibility
Minimum Component Requirements for the ASA 1000V
Before you install the ASA 1000V, the following components must already be installed and configured:
•An x86 Intel server with a 64-bit processor, listed in the VMware Hardware Compatibility List, which runs VMware vSphere Hypervisor software 4.1 or 5.0 with a minimum of two processors of at least 1.5 GHz each, 8 GB of physical RAM, and 30 GB of disk space, with an Enterprise Plus license
•VMware vCenter 4.1 or 5.0 to manage the VMware vSphere Hypervisor, with an Enterprise Plus license
•Cisco Nexus 1000V Distributed Virtual Switch (DVS), version 4.2(1)SV1(5.2), created in VMware vCenter
•Cisco Nexus 1000V Virtual Ethernet Module (VEM) installed and running in the VMware vSphere Hypervisor host
•A VMware vSphere Hypervisor host added in the Cisco Nexus 1000V Distributed Virtual Switch (DVS)
•Four VLANs in the Cisco Nexus 1000V Virtual Supervisor Module (VSM): an inside VLAN for the ASA 1000V inside interface and an outside VLAN for the outside interface
•Internet Explorer 9.0 or Mozilla Firefox 10.0 with Adobe Flash Player 11.1
•Virtual Network Management Center (VNMC) Version 2.0
•(Optional) Virtual Security Gateway (VSG) Release 1.4
Memory Information
This section includes the following topics:
•Memory Requirements and Allocation
•Viewing Flash Memory
•DRAM, Flash Memory, and Failover
Memory Requirements and Allocation
VM resources are preset in the OVA file that is used to deploy the ASA 1000V. We recommend that you not change these settings.
The ASA 1000V allocates 1.5 GB of RAM per allocated CPU. One vCPU is allocated and a maximum of 5000 MHz is assigned to the ASA 1000V VM. Two virtual disks are created—one with 2 GB and one with 128 MB. If you have allocated less than this amount of memory, a warning message about insufficient memory appears on the console each time that you log in.
The following applies:
•If you allocate more than 100 percent of the allowable CPU limit (or of the allowable memory allocation), the ASA 1000V reboots after 24 hours.
•If you allocate more than 125 percent of the CPU limit, the ASA 1000V reboots after one hour.
•If you increase the vCPU limit, the ASA 1000V reboots immediately.
•If you decrease the amount of allocated memory, a warning message appears about insufficient memory and the ASA 1000V may not start.
•If you decrease both the amount of allocated memory and the CPU limit, performance will be degraded.
•Each ASA 1000V allocates 2.1 GB of hard disk space from the data store.
See the show memory and show cpu commands in the Cisco ASA 5500 Series Command Reference for more information.
Viewing Flash Memory
You can check the size of internal flash memory and the amount of free flash memory on the ASA 1000V by doing the following:
•ASDM—Choose Tools > File Management. The amounts of total and available flash memory appear on the bottom left in the pane.
•CLI—In privileged EXEC mode, enter the dir command. The amounts of total and available flash memory appear at the bottom of the output.
DRAM, Flash Memory, and Failover
In a failover configuration, the two ASA 1000V instances must have the same amount of assigned DRAM.
ASA 1000V and ASDM Compatibility
Table 2 lists information about the ASA 1000V and ASDM compatibility.
New Features
Note New, changed, and deprecated syslog messages are listed in the syslog messages guide.
Released: October 16, 2012
Table 3 lists the new features for ASA Version 8.7(1.1).
Note Version 8.7(1) was removed from Cisco.com due to build issues; please upgrade to Version 8.7(1.1) or later.
Table 3 New Features for ASA Version 8.7(1.1)
Feature
|
Description
|
Platform Features
|
Support for the ASA 1000V
|
We introduced support for the ASA 1000V for the Nexus 1000V switch.
|
Cloning the ASA 1000V
|
You can add one or multiple instances of the ASA 1000V to your deployment using the method of cloning VMs.
|
Management Features
|
ASDM mode
|
You can configure, manage, and monitor the ASA 1000V using the Adaptive Security Device Manager (ASDM), which is the single GUI-based device manager for the ASA.
|
VNMC mode
|
You can configure and manage the ASA 1000V using the Cisco Virtual Network Management Center (VNMC), which is a GUI-based multi-device manager for multiple tenants.
|
XML APIs
|
You can configure and manage the ASA 1000V using XML APIs, which are application programmatic interfaces provided through the Cisco VNMC. This feature is only available in VNMC mode.
|
Firewall Features
|
Cisco VNMC access and configuration
|
Cisco VNMC access and configuration are required to create security profiles. You can configure access to the Cisco VNMC through the Configuration > Device Setup > Interfaces pane in ASDM. Enter the login username and password, hostname, and shared secret to access the Cisco VNMC. Then you can configure security profiles and security profile interfaces. In VNMC mode, use the CLI to configure security profiles.
|
Security profiles and security profile interfaces
|
Security profiles are interfaces that correspond to an edge security profile that has been configured in the Cisco VNMC and assigned in the Cisco Nexus 1000V VSM. Policies for through-traffic are assigned to these interfaces and the outside interface. You can add security profiles through the Configuration > Device Setup > Interfaces pane. You create the security profile by adding its name and selecting the service interface. ASDM then generates the security profile through the Cisco VNMC, assigns the security profile ID, and automatically generates a unique interface name. The interface name is used in the security policy configuration.
We introduced or modified the following commands: interface security-profile, security-profile, mtu, vpath path-mtu, clear interface security-profile, clear configure interface security-profile, show interface security-profile, show running-config interface security-profile, show interface ip brief, show running-config mtu, show vsn ip binding, show vsn security-profile.
|
Service interface
|
The service interface is the Ethernet interface associated with security profile interfaces. You can only configure one service interface, which must be the inside interface.
We introduced the following command: service-interface security-profile all.
|
VNMC policy agent
|
The VNMC policy agent enables policy configuration through both the ASDM and VNMC modes. It includes a web server that receives XML-based requests from Cisco VNMC over HTTPS and converts it to the ASA 1000V configuration.
We introduced the following commands: vnmc policy-agent, login, shared-secret, registration host, vnmc org, show vnmc policy-agent, show running-config vnmc policy-agent, clear configure vnmc policy-agent.
|
VMware Feature Support for the ASA 1000V
Table 4 lists the VMware feature support for the ASA 1000V.
Table 4 VMware Feature Support for the ASA 1000V
Feature
|
Description
|
Support (Yes/No)
|
Comment
|
Cold clone
|
The VM is powered off before cloning.
|
Yes
|
—
|
DRS
|
Used for dynamic resource scheduling and distributed power management.
|
Yes
|
—
|
Hot clone
|
The VM is running during cloning.
|
No
|
—
|
Snapshot
|
Freezes the VM for a few seconds. You may loose traffic. Failover may occur.
|
See comment.
|
Use with care.
|
VM migration
|
Used for VM migration.
|
Yes
|
—
|
vMotion
|
Used for live migration of VMs.
|
Yes
|
—
|
VMware FT
|
Used for HA for VMs.
|
No
|
Use ASA failover for ASA VM failures.
|
VMware HA
|
Used for ESX and server failures.
|
Yes
|
Use ASA failover for ASA VM failures.
|
VMware HA with VM heartbeats
|
Used for VM failures.
|
No
|
Use ASA failover for ASA VM failures.
|
Upgrading the ASA and ASDM Software
This section describes how to upgrade to the latest version and includes the following topics:
•Viewing Your Current Version
•Upgrading the ASA and ASDM Images
For ASDM procedures, see the ASDM release notes.
Viewing Your Current Version
Use the show version command to verify the software version of your ASA.
Upgrading the ASA and ASDM Images
This section describes how to install the ASDM and ASA images using TFTP. For FTP or HTTP, see the "Managing Software and Configurations" chapter in the Cisco ASA 1000V CLI Configuration Guide for ASDM Mode.
We recommend that you upgrade the ASDM image before the ASA image. You must upgrade the ASA by copying files through the ASA CLI. You must use the 6.7(1) version of the ASDM image; you cannot use another older version of the ASDM image with the ASA.
Note The VNMC does not support ASA image upgrade.
For information about upgrading software in a failover pair, see the "Performing Zero Downtime Upgrades for Failover Pairs" chapter in the Cisco ASA 1000V CLI Configuration Guide for ASDM Mode.
Detailed Steps
Step 1 If you have a Cisco.com login, you can obtain the ASA and ASDM images from the following website:
http://www.cisco.com/cisco/software/navigator.html?mdfid=279513386&i=rm
Step 2 Back up your configuration file. To print the configuration to the terminal, enter the following command:
hostname# show running-config
Copy the output from this command, and then paste the configuration into a text file.
For other backup methods, see the "Managing Software and Configurations" chapter in the Cisco ASA 1000V CLI Configuration Guide for ASDM Mode.
Step 3 Install the new images using TFTP. Enter the following command separately for the ASA image and the ASDM image:
hostname# copy tftp://server[/path]/filename {disk0:/ | disk1:/}[path/]filename
For example:
hostname# copy tftp://10.1.1.1/asa870-4-k8.bin disk0:/asa871-k8.bin
hostname# copy tftp://10.1.1.1/asdm-67099.bin disk0:/asdm-671.bin
If the ASA does not have enough memory to hold two images, overwrite the old image with the new one by specifying the same destination filename as the existing image.
Step 4 Restart the ASA by entering the following command.
Step 5 You can choose the new boot image manually if it is not the default image. Change the ASA boot image to the new image name by entering the following commands:
hostname(config)# clear configure boot
hostname(config)# boot system {disk0:/ | disk1:/}[path/]new_filename
For example:
hostname(config)# clear configure boot
hostname(config)# boot system disk0:/asa871-k8.bin
hostname(config)# show boot
Boot variable = (hd1,0)/cdisk.smp
Current BOOT variable = disk0:/cdisk.smp
Current CONFIG_FILE variable =
Step 6 Configure the ASDM image to the new image name by entering the following command:
hostname(config)# asdm image {disk0:/ | disk1:/}[path/]new_filename
Step 7 Save the configuration and reload by entering the following commands:
hostname(config)# write memory
Open Caveats
Table 5 lists open caveats in the ASA 1000V 8.7(1.1) release.
If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:
http://tools.cisco.com/Support/BugToolKit/
.
Table 5 Open Caveats in ASA 1000V Version 8.7(1.1)
Caveat
|
Description
|
CSCty75440
|
Traceback after vMotion ASA1000V in a failover setup.
|
CSCua59019
|
ACL with vZone is accepted wtihout error.
|
CSCua73963
|
Security profile interface configuration is allowed from console in VNMC mode.
|
CSCua79561
|
Edge profile configuration may fail under rare conditions.
|
CSCua86888
|
SPID to edge profile mapping mismatch between Cisco VNMC and ASA 1000V.
|
CSCua86898
|
Setup command adds route for Cisco VNMC IP in same subnet.
|
CSCua89185
|
Ping to inside fails when static dest NAT applied on outside.
|
CSCub02459
|
TCP connection not reset after timeout.
|
CSCub24747
|
Failed to process certificate error in failover setup.
|
CSCub27241
|
Incorrect behavior when applying erroneous policies in Cisco VNMC.
|
CSCub29529
|
Smart call home does not work for ASA 1000V.
|
CSCub35003
|
Policy map not created before being used in VNMC mode.
|
CSCub41235
|
Unsupported VPN configuration allowed in the CLI.
|
CSCub49338
|
FDD msg not clear when configuring ACL IPv4 protocol and port number.
|
CSCub52140
|
Editing DHCP relay server IP does not push the config to ASA 1000V.
|
CSCub54235
|
Unsupported SNMP command fru-insert/fru-remove in CLI.
|
CSCub56227
|
Unable to export capture with /add-spid to TFTP/FTP from CLI.
|
CSCub62281
|
Incorrect error message if ACL contains vZones with no protocol.
|
CSCub66617
|
IP binding not displayed after no org and reconfigure org on VSM
|
Licensing for the ASA 1000V
The ASA 1000V is licensed per each CPU socket that it is protecting. The Cisco Nexus 1000V switch provisions and enforces licenses for the ASA 1000V. Licenses are installed on the Virtual Supervisor Module (VSM) in the Cisco Nexus 1000V switch.
For more information, see the Cisco Nexus 1000V License Configuration Guidelines document at: http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_5_2/license/configuration/guide/n1000v_license.html
Release Notes for the Cisco Virtual Network Management Center, Version 2.0
For information about the Cisco VNMC 2.0 release that supports the ASA 1000V, see the Release Notes for the Cisco Virtual Network Management Center, Version 2.0 at:
http://www.cisco.com/en/US/docs/unified_computing/vnmc/sw/2.0/release/notes/vnmc_rn.html
Release Notes for the Cisco Nexus 1000V, Version 4.2(1)SV1(5.2)
For information about the Cisco Nexus 1000V, Version 4.2(1)SV1(5.2) that supports the ASA 1000V, see the Cisco Nexus 1000V Release Notes, Release 4.2(1)SV1(5.2) at:
http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_5_2/release/notes/n1000v_rn.html
Related Documentation
For more information about the individual components that comprise the ASA 1000V, see the following documentation:
•Cisco Nexus 1000V
http://www.cisco.com/en/US/products/ps9902/tsd_products_support_series_home.html
•Cisco VNMC and Cisco VSG
http://www.cisco.com/en/US/products/ps11213/tsd_products_support_series_home.html
•VMware
http://www.vmware.com/support/pubs/
•ASA 1000V
http://www.cisco.com/en/US/products/ps12233/tsd_products_support_series_home.html
•ASDM
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
©2012 Cisco Systems, Inc. All rights reserved.
Feedback
