Cisco Asdm

Important Notes. ASDM login issue in 9.1(3) and later—You can no longer log into ASDM with no username and the enable password. You must configure ASDM AAA authentication (Configuration Device Management Users/AAA AAA Access Authentication and associated username configuration) and/or ASDM certificate authentication (Configuration Device Management Management Access ASDM/HTTPS/Telnet/SSH). Before you upgrade to 9.1(3), be sure to configure one of these authentication methods.

1. Cisco Asdm Launcher

(CSCuj50862). ASA 9.1(3) features for the ASA CX require ASA CX Version 9.2(1). Upgrading to 9.1(2.8) or 9.1(3) or later—See the.

Notes7 update 51. ASDM Launcher requires trusted certificate. Java Web Start requires newer ASDM version or workaroundTo continue using the Launcher, do one of the following:.

Install a trusted certificate on the ASA from a known CA. Install a self-signed certificate and register it with Java. See the ASDM certificate procedure in this document. Downgrade Java to 7 update 45 or earlier.

Alternatively use Java Web Start.To use Java Web Start, do one of the following:. Upgrade ASDM to Version 7.1(5.100) or later. This ASDM version includes the Permissions attribute in the JAR manifest, which is required as of Java 7 Update 51. To use ASDM 7.1(5) or earlier, add a security exception in the Java Control Panel for each ASA you want to manage with ASDM.

See the “Workaround” section at:If you already upgraded Java, and can no longer launch ASDM in order to upgrade it to Version 7.1(5.100) or later, then you can either use the CLI to upgrade ASDM, or you can use the above security exception workaround to launch the older ASDM, after which you can upgrade to a newer version.7 update 45ASDM shows a yellow warning about the missing Permissions attributeJava 7 update 45 shows a warning when an application does not have the Permissions attribute in the JAR manifest. It is safe to ignore this warning. To prevent this warning from appearing, upgrade to ASDM 7.1(5.100) or later; this ASDM version includes the Permissions attribute, which will be required as of Java 7 Update 51.Note Due to a bug in Java, even if you upgrade to ASDM 7.1(5.100) or later, if you also do not have a trusted certificate installed on the ASA, you continue to see the yellow warning about the missing Permissions attribute.

To prevent the warning from appearing, install a trusted certificate (from a known CA); or generate a self-signed certificate on the ASA by choosing Configuration Device Management Certificates Identity Certificates. Launch ASDM, and when the certificate warning is shown, check the Always trust connections to websites checkbox.7Requires strong encryption license (3DES/AES) on ASAASDM requires an SSL connection to the ASA. If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you cannot launch ASDM. You must uninstall Java 7, and install Java 6 ( ).

Note that a workaround is required for weak encryption and Java 6 (see below, in this table). ASDM 7.1(3) and earlier. MacOSYou may see the following error message when opening the ASDM Launcher. In this case, Java 7 is the currently-preferred Java version. Either upgrade ASDM to 7.1(4) or later, or you need to set Java 6 as the preferred Java version: Open the Java Preferences application (under Applications Utilities), select the preferred Java version, and drag it up to be the first line in the table.6No usernames longer than 50 charactersDue to a Java bug, ASDM does not support usernames longer than 50 characters when using Java 6. Longer usernames work correctly for Java 7.Requires strong encryption license (3DES/AES) on ASA or workaroundWhen you initially connect a browser to the ASA to load the ASDM splash screen, the browser attempts to make an SSL connection to the ASA.

If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you may not be able to access the ASDM splash screen; most current browsers do not support weak encryption ciphers. Therefore, without the strong encryption license (3DES/AES), use one of the following workarounds:. If available, use an already downloaded ASDM launcher or Java Web Start shortcut. The Launcher and Web Start shortcut work with Java 6 and weak encryption, even if the browsers do not.

For Windows Internet Explorer, you can enable DES as a workaround. See for details.

For Firefox on any operating system, you can enable the security.ssl3.dhedssdessha setting as a workaround. See to learn how to change hidden configuration preferences.All.

Self-signed certificate or an untrusted certificate. IPv6. Firefox and SafariWhen the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections).

To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority. SSL encryption on the ASA must include both RC4-MD5 and RC4-SHA1 or disable SSL false start in Chrome. ChromeIf you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome “SSL false start” feature. We suggest re-enabling one of these algorithms (see the Configuration Device Management Advanced SSL Settings pane); or you can disable SSL false start in Chrome using the -disable-ssl-false-start flag according to.IE9 for serversFor Internet Explorer 9.0 for servers, the “Do not save encrypted pages to disk” option is enabled by default (See Tools Internet Options Advanced). This option causes the initial ASDM download to fail.

Be sure to disable this option to allow ASDM to download.MacOSOn MacOS, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.AllMacOS 10.8 and laterYou need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen. Maximum Configuration Size in ASDM.

ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience performance issues. For example, when you load the configuration, the status dialog shows the percentage of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration.

If this situation occurs, we recommend that you consider increasing the ASDM system heap memory.To increase the ASDM heap memory size, download the ASDM-IDM Launcher, and then modify the ASDM-IDM Launcher shortcut by performing the following steps.Windows:a. Right-click the shortcut for the Cisco ASDM-IDM Launcher, and choose Properties.b. Click the Shortcut tab.c.

In the Target field, change the argument prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB. Administrative FeaturesSecure Copy clientThe ASA now supports the Secure Copy (SCP) client to transfer files to and from a SCP server.We modified the following screens:Tools File Management File Transfer Between Remote Server and FlashConfiguration Device Management Management Access File Access Secure Copy (SCP) ServerImproved one-time password authenticationAdministrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once.

The auto-enable option was added to the aaa authorization exec command.We modified the following screen: Configuration Device Management Users/AAA AAA Access Authorization. Remote Access FeaturesAnyConnect DTLS Single session Performance ImprovementUDP traffic, such as streaming media, was being affected by a high number of dropped packets when sent over an AnyConnect DTLS connection. For example, this could result in streaming video playing poorly or cease streaming completely. The reason for this was the relatively small size of the flow control queue.We increased the DTLS flow-control queue size and offset this by reducing the admin crypto queue size. For TLS sessions, the priority of the crypto command was increased to high to compensated for this change. For both DTLS and TLS sessions, the session will now persist even if packets are dropped.

This will prevent media streams from closing and ensure that the number of dropped packets is comparable with other connection methods.We did not modify any ASDM screens.Webtype ACL enhancementsWe introduced URL normalization. URL normalization is an additional security feature that includes path normalization, case normalization and scheme normalization. URLs specified in an ACE and portal address bar are normalized before comparison; for making decisions on webvpn traffic filtering.We did not modify any ASDM screens. Remote Access FeaturesHTML5 WebSocket proxyingHTML5 WebSockets provide persistent connections between clients and servers.

During the establishment of the clientless SSL VPN connection, the handshake appears to the server as an HTTP Upgrade request. The ASA will now proxy this request to the backend and provide a relay after the handshake is complete.

Cisco Asdm Launcher

Gateway mode is not currently supported.We did not modify any ASDM screens.Inner IPv6 for IKEv2IPv6 traffic can now be tunneled through IPsec/IKEv2 tunnels. This makes the ASA to AnyConnect VPN connections fully IPv6 compliant. GRE is used when both IPv4 and IPv6 traffic are being tunneled, and when both the client and headend support GRE. For a single traffic type, or when GRE is not supported by the client or the headend, we use straight IPsec.Note This feature requires AnyConnect Client Version 3.1.05 or later.We did not modify any ASDM screens.Mobile Devices running Citrix Server Mobile have additional connection optionsSupport for mobile devices connecting to Citrix server through the ASA now includes selection of a tunnel-group, and RSA Securid for authorization. Allowing mobile users to select different tunnel-groups allows the administrator to use different authentication methods.We modified the following screen: Configuration Remote Access VPN Clientliess SSL VPN Access VDI Access.Split-tunneling supports exclude ACLsSplit-tunneling of VPN traffic has been enhanced to support both exclude and include ACLs.

Exclude ACLs were previously ignored.Note This feature requires AnyConnect Client Version 3.1.03103 or later.We did not modify any ASDM screens. High Availability and Scalability FeaturesASA 5500-X support for clusteringThe ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X now support 2-unit clusters.

Clustering for 2 units is enabled by default in the base license; for the ASA 5512-X, you need the Security Plus license.We did not modify any ASDM screens.Improved VSS and vPC support for health check monitoringIf you configure the cluster control link as an EtherChannel (recommended), and it is connected to a VSS or vPC pair, you can now increase stability with health check monitoring. For some switches, such as the Nexus 5000, when one unit in the VSS/vPC is shutting down or booting up, EtherChannel member interfaces connected to that switch may appear to be Up to the ASA, but they are not passing traffic on the switch side. The ASA can be erroneously removed from the cluster if you set the ASA holdtime timeout to a low value (such as.8 seconds), and the ASA sends keepalive messages on one of these EtherChannel interfaces. When you enable the VSS/vPC health check feature, the ASA floods the keepalive messages on all EtherChannel interfaces in the cluster control link to ensure that at least one of the switches can receive them.We modified the following screen: Configuration Device Management High Availability and Scalability ASA ClusterSupport for cluster members at different geographical locations (inter-site); Individual Interface mode onlyYou can now place cluster members at different geographical locations when using individual interface mode. See the configuration guide for inter-site guidelines.We did not modify any ASDM screens.Support for clustering with the Cisco Nexus 5000 and Cisco Catalyst 3750-XThe ASA supports clustering when connected to the Cisco Nexus 5000 and Cisco Catalyst 3750-X.We modified the following screen: Configuration Device Management High Availability and Scalability ASA Cluster. Troubleshooting FeaturesCrashinfo dumps include AK47 framework informationApplication Kernel Layer 4 to 7 (AK47) framework-related information is now available in crashinfo dumps.

A new option, ak47, has been added to the debug menu command to help in debugging AK47 framework issues. The framework-related information in the crashinfo dump includes the following:. Creating an AK47 instance. Destroying an AK47 instance. Generating an crashinfo with a memory manager frame.

Generating a crashinfo after fiber stack overflow. Generating a crashinfo after a local variable overflow. Generating a crashinfo after an exception has occurred. Monitoring FeaturesSmart Call HomeWe added a new type of Smart Call Home message to support ASA clustering.A Smart Call Home clustering message is sent for only the following three events:. When a unit joins the cluster.

When a unit leaves the cluster. When a cluster unit becomes the cluster masterEach message that is sent includes the following information:.

The active cluster member count. The output of the show cluster info command and the show cluster history command on the cluster masterWe did not modify any ASDM screens.Also available in 9.0(3).

Monitoring FeaturesSmart Call HomeWe added a new type of Smart Call Home message to support ASA clustering.A Smart Call Home clustering message is sent for only the following three events:. When a unit joins the cluster. When a unit leaves the cluster. When a cluster unit becomes the cluster masterEach message that is sent includes the following information:. The active cluster member count.

The output of the show cluster info command and the show cluster history command on the cluster master. Certification FeaturesFIPS and Common Criteria certificationsThe FIPS 140-2 Non-Proprietary Security Policy was updated as part of the Level 2 FIPS 140-2 validation for the Cisco ASA series, which includes the Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X, and the ASA Services Module.The Common Criteria Evaluation Assurance Level 4 (EAL4) was updated, which provides the basis for a specific Target of Evaluation (TOE) of the Cisco ASA and VPN platform solutions. DHCP FeaturesDHCP relay servers per interface (IPv4 only)You can now configure DHCP relay servers per-interface, so requests that enter a given interface are relayed only to servers specified for that interface. IPv6 is not supported for per-interface DHCP relay.We modified the following screen: Configuration Device Management DHCP DHCP Relay.DHCP trusted interfacesYou can now configure interfaces as trusted interfaces to preserve DHCP Option 82.

DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the ASA DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent address that is set by the relay agent before it forwards the packet to the server) is set to 0, then the ASA will drop that packet by default.

You can now preserve Option 82 and forward the packet by identifying an interface as a trusted interface.We modified the following screen: Configuration Device Management DHCP DHCP Relay. Module FeaturesASA 5585-X support for network modulesThe ASA 5585-X now supports additional interfaces on network modules in slot 1. NetFlow FeaturesSupport for NetFlow flow-update events and an expanded set of NetFlow templatesIn addition to adding the flow-update events, there are now NetFlow templates that allow you to track flows that experience a change to their IP version with NAT, as well as IPv6 flows that remain IPv6 after NAT.Two new fields were added for IPv6 translation support.Several NetFlow field IDs were changed to their IPFIX equivalents.For more information, see the Cisco ASA Implementation Note for NetFlow Collectors. Remote Access FeaturesIKE security and performance improvementsThe number of IPsec-IKE security associations (SAs) can be limited for IKE v1 now, as well as IKE v2.We modified the following screen: Configuration Site-to-Site VPN Advanced IKE Parameters.The IKE v2 Nonce size has been increased to 64 bytes.There are no ASDM screen or CLI changes.For IKE v2 on Site-to-Site, a new algorithm ensures that the encryption algorithm used by child IPsec SAs is not higher strength than the parent IKE. Higher strength algorithms will be downgraded to the IKE level.This new algorithm is enabled by default. We recommend that you do not disable this feature.We did not modify any ASDM screens.For Site-to-Site, IPsec data-based rekeying can be disabled.We modified the following screen: Configuration Site-to-Site IKE Parameters.Improved Host Scan and ASA InteroperabilityHost Scan and the ASA use an improved process to transfer posture attributes from the client to the ASA. Monitoring FeaturesAbility to view top 10 memory usersYou can now view the top bin sizes allocated and the top 10 PCs for each allocated bin size.

Previously, you had to enter multiple commands to see this information (the show memory detail command and the show memory binsize command); the new command provides for quicker analysis of memory issues.No ASDM changes were made.This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).CPU profile enhancementsThe cpu profile activate command now supports the following:. Delayed start of the profiler until triggered (global or specific thread CPU%). Sampling of a single threadNo ASDM changes were made.This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1). Management FeaturesThe default Telnet password was removedTo improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet. Note: The login password is only used for Telnet if you do not configure Telnet user authentication.Formerly, when you cleared the password, the ASA restored the default of “cisco.” Now when you clear the password, the password is removed.The login password is also used for Telnet sessions from the switch to the ASA SM (see the session command). For initial ASA SM access, you must use the service-module session command, until you set a login password.We did not modify any ASDM screens.

DescriptionCSCuh28694ASDM on Mac: System font issues (font too large)CSCui24893ASDM Launcher is not working with java7u25CSCui39567ASDM 7.x certificate maps mapped to IPsec and SSL only show under IPSecCSCui85113ASDM 7.1 Unable to delete object nat when object conflicts with nameCSCui91127ASDM Error: Number of IP address in the pool exceeds the limit 65536.CSCui97678VDI Server proxy applied to DfltGrpPolicy instead of Tunnel GroupPoliyCSCuj02930No Change dialog pop up after VDI Server proxy was changedCSCuj06653ASDM:Credentials displayed in clear text when using Cisco.com wizard. DescriptionCSCud40686Entering Incorrect Credentials Makes the ASDM HangCSCud68382Java Web Start may not work on MacOSCSCud75192client profile not properly bound to group policyCSCud80033ASDM: Cannot specify 'anyconnect profiles none' in webvpn group-policyCSCud96465HTTP authen: username greater than 50 characters failedCSCue17774ASDM Loses Connectivity after 24 hrs when Monitoring some Traffic's.CSCue31262ASDM: cannot configure BIOS check in DAPCSCue48827ASA Local CA server add user-db in ASDM fails if blank line Subject (DN). DescriptionCSCui39567ASDM 7.x certificate maps mapped to IPsec and SSL only show under IPSecCSCui91127ASDM Error: Number of IP address in the pool exceeds the limit 65536.CSCuj06653ASDM:Credentials displayed in clear text when using Cisco.com wizardCSCuj21794ASDM: ID FW Monitor user-group defined with 'Space' char.