Important Notes. ASDM login issue in 9.1(3) and later—You can no longer log into ASDM with no username and the enable password.
You must configure ASDM AAA authentication (Configuration Device Management Users/AAA AAA Access Authentication and associated username configuration) and/or ASDM certificate authentication (Configuration Device Management Management Access ASDM/HTTPS/Telnet/SSH). Before you upgrade to 9.1(3), be sure to configure one of these authentication methods. (CSCuj50862). ASA 9.1(3) features for the ASA CX require ASA CX Version 9.2(1). Upgrading to 9.1(2.8) or 9.1(3) or later—See the. Notes 7 update 51. ASDM Launcher requires trusted certificate.
![Launcher Launcher](http://blog.dnt.md/wp-content/uploads/uncategorized/2016-04-20/How-To-setup-ASDM-demo-mode-launcher-for-demo-mode.png)
Cisco ASDM, Free Download by Cisco Systems, Inc. Secure Bytes has recently released a new program to decrypt user passwords.
Java Web Start requires newer ASDM version or workaround To continue using the Launcher, do one of the following:. Install a trusted certificate on the ASA from a known CA.
Install a self-signed certificate and register it with Java. See the ASDM certificate procedure in this document. Downgrade Java to 7 update 45 or earlier. Alternatively use Java Web Start. To use Java Web Start, do one of the following:.
Upgrade ASDM to Version 7.1(5.100) or later. This ASDM version includes the Permissions attribute in the JAR manifest, which is required as of Java 7 Update 51. To use ASDM 7.1(5) or earlier, add a security exception in the Java Control Panel for each ASA you want to manage with ASDM. See the “Workaround” section at: If you already upgraded Java, and can no longer launch ASDM in order to upgrade it to Version 7.1(5.100) or later, then you can either use the CLI to upgrade ASDM, or you can use the above security exception workaround to launch the older ASDM, after which you can upgrade to a newer version. 7 update 45 ASDM shows a yellow warning about the missing Permissions attribute Java 7 update 45 shows a warning when an application does not have the Permissions attribute in the JAR manifest.
It is safe to ignore this warning. To prevent this warning from appearing, upgrade to ASDM 7.1(5.100) or later; this ASDM version includes the Permissions attribute, which will be required as of Java 7 Update 51. Note Due to a bug in Java, even if you upgrade to ASDM 7.1(5.100) or later, if you also do not have a trusted certificate installed on the ASA, you continue to see the yellow warning about the missing Permissions attribute. To prevent the warning from appearing, install a trusted certificate (from a known CA); or generate a self-signed certificate on the ASA by choosing Configuration Device Management Certificates Identity Certificates. Launch ASDM, and when the certificate warning is shown, check the Always trust connections to websites checkbox.
7 Requires strong encryption license (3DES/AES) on ASA ASDM requires an SSL connection to the ASA. If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you cannot launch ASDM. You must uninstall Java 7, and install Java 6 ( ).
Note that a workaround is required for weak encryption and Java 6 (see below, in this table). ASDM 7.1(3) and earlier. MacOS You may see the following error message when opening the ASDM Launcher. In this case, Java 7 is the currently-preferred Java version.
Either upgrade ASDM to 7.1(4) or later, or you need to set Java 6 as the preferred Java version: Open the Java Preferences application (under Applications Utilities), select the preferred Java version, and drag it up to be the first line in the table. 6 No usernames longer than 50 characters Due to a Java bug, ASDM does not support usernames longer than 50 characters when using Java 6. Longer usernames work correctly for Java 7. Requires strong encryption license (3DES/AES) on ASA or workaround When you initially connect a browser to the ASA to load the ASDM splash screen, the browser attempts to make an SSL connection to the ASA. If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you may not be able to access the ASDM splash screen; most current browsers do not support weak encryption ciphers.
Therefore, without the strong encryption license (3DES/AES), use one of the following workarounds:. If available, use an already downloaded ASDM launcher or Java Web Start shortcut. The Launcher and Web Start shortcut work with Java 6 and weak encryption, even if the browsers do not.
For Windows Internet Explorer, you can enable DES as a workaround. See for details. For Firefox on any operating system, you can enable the security.ssl3.dhedssdessha setting as a workaround. See to learn how to change hidden configuration preferences. All. Self-signed certificate or an untrusted certificate.
IPv6. Firefox and Safari When the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority. SSL encryption on the ASA must include both RC4-MD5 and RC4-SHA1 or disable SSL false start in Chrome.
Chrome If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome “SSL false start” feature. We suggest re-enabling one of these algorithms (see the Configuration Device Management Advanced SSL Settings pane); or you can disable SSL false start in Chrome using the -disable-ssl-false-start flag according to. IE9 for servers For Internet Explorer 9.0 for servers, the “Do not save encrypted pages to disk” option is enabled by default (See Tools Internet Options Advanced). This option causes the initial ASDM download to fail. Be sure to disable this option to allow ASDM to download. MacOS On MacOS, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.
All MacOS 10.8 and later You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.
Maximum Configuration Size in ASDM. ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience performance issues.
For example, when you load the configuration, the status dialog shows the percentage of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend that you consider increasing the ASDM system heap memory. To increase the ASDM heap memory size, download the ASDM-IDM Launcher, and then modify the ASDM-IDM Launcher shortcut by performing the following steps. Right-click the shortcut for the Cisco ASDM-IDM Launcher, and choose Properties.
Click the Shortcut tab. In the Target field, change the argument prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB. Administrative Features Secure Copy client The ASA now supports the Secure Copy (SCP) client to transfer files to and from a SCP server. We modified the following screens: Tools File Management File Transfer Between Remote Server and Flash Configuration Device Management Management Access File Access Secure Copy (SCP) Server Improved one-time password authentication Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command. We modified the following screen: Configuration Device Management Users/AAA AAA Access Authorization.
Remote Access Features AnyConnect DTLS Single session Performance Improvement UDP traffic, such as streaming media, was being affected by a high number of dropped packets when sent over an AnyConnect DTLS connection. For example, this could result in streaming video playing poorly or cease streaming completely.
The reason for this was the relatively small size of the flow control queue. We increased the DTLS flow-control queue size and offset this by reducing the admin crypto queue size. For TLS sessions, the priority of the crypto command was increased to high to compensated for this change. For both DTLS and TLS sessions, the session will now persist even if packets are dropped. This will prevent media streams from closing and ensure that the number of dropped packets is comparable with other connection methods. We did not modify any ASDM screens. Webtype ACL enhancements We introduced URL normalization.
URL normalization is an additional security feature that includes path normalization, case normalization and scheme normalization. URLs specified in an ACE and portal address bar are normalized before comparison; for making decisions on webvpn traffic filtering. We did not modify any ASDM screens. Remote Access Features HTML5 WebSocket proxying HTML5 WebSockets provide persistent connections between clients and servers. During the establishment of the clientless SSL VPN connection, the handshake appears to the server as an HTTP Upgrade request. The ASA will now proxy this request to the backend and provide a relay after the handshake is complete.
Gateway mode is not currently supported. We did not modify any ASDM screens. Inner IPv6 for IKEv2 IPv6 traffic can now be tunneled through IPsec/IKEv2 tunnels. This makes the ASA to AnyConnect VPN connections fully IPv6 compliant.
GRE is used when both IPv4 and IPv6 traffic are being tunneled, and when both the client and headend support GRE. For a single traffic type, or when GRE is not supported by the client or the headend, we use straight IPsec. Note This feature requires AnyConnect Client Version 3.1.05 or later. We did not modify any ASDM screens. Mobile Devices running Citrix Server Mobile have additional connection options Support for mobile devices connecting to Citrix server through the ASA now includes selection of a tunnel-group, and RSA Securid for authorization.
Allowing mobile users to select different tunnel-groups allows the administrator to use different authentication methods. We modified the following screen: Configuration Remote Access VPN Clientliess SSL VPN Access VDI Access. Split-tunneling supports exclude ACLs Split-tunneling of VPN traffic has been enhanced to support both exclude and include ACLs. Exclude ACLs were previously ignored.
Note This feature requires AnyConnect Client Version 3.1.03103 or later. We did not modify any ASDM screens. High Availability and Scalability Features ASA 5500-X support for clustering The ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X now support 2-unit clusters.
Clustering for 2 units is enabled by default in the base license; for the ASA 5512-X, you need the Security Plus license. We did not modify any ASDM screens. Improved VSS and vPC support for health check monitoring If you configure the cluster control link as an EtherChannel (recommended), and it is connected to a VSS or vPC pair, you can now increase stability with health check monitoring. For some switches, such as the Nexus 5000, when one unit in the VSS/vPC is shutting down or booting up, EtherChannel member interfaces connected to that switch may appear to be Up to the ASA, but they are not passing traffic on the switch side. The ASA can be erroneously removed from the cluster if you set the ASA holdtime timeout to a low value (such as.8 seconds), and the ASA sends keepalive messages on one of these EtherChannel interfaces.
When you enable the VSS/vPC health check feature, the ASA floods the keepalive messages on all EtherChannel interfaces in the cluster control link to ensure that at least one of the switches can receive them. We modified the following screen: Configuration Device Management High Availability and Scalability ASA Cluster Support for cluster members at different geographical locations (inter-site); Individual Interface mode only You can now place cluster members at different geographical locations when using individual interface mode. See the configuration guide for inter-site guidelines. We did not modify any ASDM screens.
Support for clustering with the Cisco Nexus 5000 and Cisco Catalyst 3750-X The ASA supports clustering when connected to the Cisco Nexus 5000 and Cisco Catalyst 3750-X. We modified the following screen: Configuration Device Management High Availability and Scalability ASA Cluster. Troubleshooting Features Crashinfo dumps include AK47 framework information Application Kernel Layer 4 to 7 (AK47) framework-related information is now available in crashinfo dumps. A new option, ak47, has been added to the debug menu command to help in debugging AK47 framework issues.
The framework-related information in the crashinfo dump includes the following:. Creating an AK47 instance. Destroying an AK47 instance. Generating an crashinfo with a memory manager frame. Generating a crashinfo after fiber stack overflow.
Generating a crashinfo after a local variable overflow. Generating a crashinfo after an exception has occurred.
Module Features Support for the ASA CX module in multiple context mode You can now configure ASA CX service policies per context on the ASA. Note Although you can configure per context ASA service policies, the ASA CX module itself (configured in PRSM) is a single context mode device; the context-specific traffic coming from the ASA is checked against the common ASA CX policy.
Requires ASA CX 9.2(1) or later. We did not modify any ASDM screens.
ASA 5585-X with SSP-40 and -60 support for the ASA CX SSP-40 and -60 ASA CX SSP-40 and -60 modules can be used with the matching level ASA 5585-X with SSP-40 and -60. Requires ASA CX 9.2(1) or later. We did not modify any screens. Filtering packets captured on the ASA CX backplane You can now filter packets that have been captured on the ASA CX backplane using the match or access-list keyword with the capture interface asadataplane command.
Control traffic specific to the ASA CX module is not affected by the access-list or match filtering; the ASA captures all control traffic. In multiple context mode, configure the packet capture per context. Note that all control traffic in multiple context mode goes only to the system execution space. Because only control traffic cannot be filtered using an access list or match, these options are not available in the system execution space. Requires ASA CX 9.2(1) or later.
A new option, Use backplane channel, was added to the Ingress Traffic Selector screen and the Egress Selector screen, in the Packet Capture Wizard to enable filtering of packets that have been captured on the ASA CX backplane. Monitoring Features Smart Call Home We added a new type of Smart Call Home message to support ASA clustering.
A Smart Call Home clustering message is sent for only the following three events:. When a unit joins the cluster. When a unit leaves the cluster. When a cluster unit becomes the cluster master Each message that is sent includes the following information:. The active cluster member count. The output of the show cluster info command and the show cluster history command on the cluster master We did not modify any ASDM screens.
Also available in 9.0(3). Monitoring Features Smart Call Home We added a new type of Smart Call Home message to support ASA clustering. A Smart Call Home clustering message is sent for only the following three events:. When a unit joins the cluster. When a unit leaves the cluster.
When a cluster unit becomes the cluster master Each message that is sent includes the following information:. The active cluster member count. The output of the show cluster info command and the show cluster history command on the cluster master. Certification Features FIPS and Common Criteria certifications The FIPS 140-2 Non-Proprietary Security Policy was updated as part of the Level 2 FIPS 140-2 validation for the Cisco ASA series, which includes the Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X, and the ASA Services Module. The Common Criteria Evaluation Assurance Level 4 (EAL4) was updated, which provides the basis for a specific Target of Evaluation (TOE) of the Cisco ASA and VPN platform solutions. Encryption Features Support for IPsec LAN-to-LAN tunnels to encrypt failover and state link communications Instead of using the proprietary encryption for the failover key, you can now use an IPsec LAN-to-LAN tunnel for failover and state link encryption.
Note Failover LAN-to-LAN tunnels do not count against the IPsec (Other VPN) license. We modified the following screen: Configuration Device Management High Availability Failover Setup. Additional ephemeral Diffie-Hellman ciphers for SSL encryption The ASA now supports the following ephemeral Diffie-Hellman (DHE) SSL cipher suites:. DHE-AES128-SHA1. DHE-AES256-SHA1 These cipher suites are specified in RFC 3268, Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS). When supported by the client, DHE is the preferred cipher because it provides Perfect Forward Secrecy.
See the following limitations:. DHE is not supported on SSL 3.0 connections, so make sure to also enable TLS 1.0 for the SSL server. Some popular applications do not support DHE, so include at least one other SSL encryption method to ensure that a cipher suite common to both the SSL client and server can be used. Some clients may not support DHE, including AnyConnect 2.5 and 3.0, Cisco Secure Desktop, and Internet Explorer 9.0.
We modified the following screen: Configuration Device Management Advanced SSL Settings. Also available in 8.4(4.1). Management Features Support for administrator password policy when using the local database When you configure authentication for CLI or ASDM access using the local database, you can configure a password policy that requires a user to change their password after a specified amount of time and also requires password standards such as a minimum length and the minimum number of changed characters. We introduced the following screen: Configuration Device Management Users/AAA Password Policy. Also available in 8.4(4.1). Support for SSH public key authentication You can now enable public key authentication for SSH connections to the ASA on a per-user basis. You can specify a public key file (PKF) formatted key or a Base64 key.
The PKF key can be up to 4096 bits. Use PKF format for keys that are too large to for the ASA support of the Base64 format (up to 2048 bits). We introduced the following screens: Configuration Device Management Users/AAA User Accounts Edit User Account Public Key Authentication Configuration Device Management Users/AAA User Accounts Edit User Account Public Key Using PKF Also available in 8.4(4.1); PKF key format support is only in 9.1(2). AES-CTR encryption for SSH The SSH server implementation in the ASA now supports AES-CTR mode encryption. Improved SSH rekey interval An SSH connection is rekeyed after 60 minutes of connection time or 1 GB of data traffic. Support for Diffie-Hellman Group 14 for the SSH Key Exchange Support for Diffie-Hellman Group 14 for SSH Key Exchange was added.
Formerly, only Group 1 was supported. We modified the following screen: Configuration Device Management Management Access ASDM/HTTPS/Telnet/SSH. Also available in 8.4(4.1). Support for a maximum number of management sessions You can set the maximum number of simultaneous ASDM, SSH, and Telnet sessions. We introduced the following screen: Configuration Device Management Management Access Management Session Quota. Also available in 8.4(4.1). Support for a pre-login banner in ASDM Administrator can define a message that appears before a user logs into ASDM for management access.
This customizable content is called a pre-login banner, and can notify users of special requirements or important information. The default Telnet password was removed To improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet.
Note: The login password is only used for Telnet if you do not configure Telnet user authentication. Formerly, when you cleared the password, the ASA restored the default of “cisco.” Now when you clear the password, the password is removed. The login password is also used for Telnet sessions from the switch to the ASA SM (see the session command). For initial ASA SM access, you must use the service-module session command, until you set a login password. We did not modify any ASDM screens.
Also available in 9.0(2). Platform Features Support for Power-On Self-Test (POST) The ASA runs its power-on self-test at boot time even if it is not running in FIPS 140-2-compliant mode. Additional tests have been added to the POST to address the changes in the AES-GCM/GMAC algorithms, ECDSA algorithms, PRNG, and Deterministic Random Bit Generator Validation System (DRBGVS). Improved pseudo-random number generation (PRNG) The X9.31 implementation has been upgraded to use AES-256 encryption instead of 3DES encryption to comply with the Network Device Protection Profile (NDPP) in single-core ASAs. Support for image verification Support for SHA-512 image integrity checking was added. We did not modify any ASDM screens. Also available in 8.4(4.1).
Support for private VLANs on the ASA Services Module You can use private VLANs with the ASA SM. Assign the primary VLAN to the ASA SM; the ASA SM automatically handles secondary VLAN traffic. There is no configuration required on the ASA SM for this feature; see the switch configuration guide for more information.
CPU profile enhancements The cpu profile activate command now supports the following:. Delayed start of the profiler until triggered (global or specific thread CPU%). Sampling of a single thread We did not modify any ASDM screens.
Also available in 8.4(6). DHCP Features DHCP relay servers per interface (IPv4 only) You can now configure DHCP relay servers per-interface, so requests that enter a given interface are relayed only to servers specified for that interface. IPv6 is not supported for per-interface DHCP relay. We modified the following screen: Configuration Device Management DHCP DHCP Relay.
DHCP trusted interfaces You can now configure interfaces as trusted interfaces to preserve DHCP Option 82. DHCP Option 82 is used by downstream switches and routers for DHCP snooping and IP Source Guard. Normally, if the ASA DHCP relay agent receives a DHCP packet with Option 82 already set, but the giaddr field (which specifies the DHCP relay agent address that is set by the relay agent before it forwards the packet to the server) is set to 0, then the ASA will drop that packet by default. You can now preserve Option 82 and forward the packet by identifying an interface as a trusted interface. We modified the following screen: Configuration Device Management DHCP DHCP Relay. Module Features ASA 5585-X support for network modules The ASA 5585-X now supports additional interfaces on network modules in slot 1. You can install one or two of the following optional network modules:.
ASA 4-port 10G Network Module. ASA 8-port 10G Network Module. ASA 20-port 1G Network Module Also available in 8.4(4.1). ASA 5585-X DC power supply support Support was added for the ASA 5585-X DC power supply. Also available in 8.4(5).
Support for ASA CX monitor-only mode for demonstration purposes For demonstration purposes only, you can enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX module, while the original traffic remains unaffected. Another option for demonstration purposes is to configure a traffic-forwarding interface instead of a service policy in monitor-only mode.
The traffic-forwarding interface sends all traffic directly to the ASA CX module, bypassing the ASA. We modified the following screen: Configuration Firewall Service Policy Rules Add Service Policy Rule Rule Actions ASA CX Inspection. The traffic-forwarding feature is supported by CLI only. Support for the ASA CX module and NAT 64 You can now use NAT 64 in conjunction with the ASA CX module. We did not modify any ASDM screens. NetFlow Features Support for NetFlow flow-update events and an expanded set of NetFlow templates In addition to adding the flow-update events, there are now NetFlow templates that allow you to track flows that experience a change to their IP version with NAT, as well as IPv6 flows that remain IPv6 after NAT. Two new fields were added for IPv6 translation support.
Several NetFlow field IDs were changed to their IPFIX equivalents. For more information, see the Cisco ASA Implementation Note for NetFlow Collectors. Firewall Features EtherType ACL support for IS-IS traffic (transparent firewall mode) In transparent firewall mode, the ASA can now pass IS-IS traffic using an EtherType ACL. We modified the following screen: Configuration Device Management Management Access EtherType Rules.
Also available in 8.4(5). Decreased the half-closed timeout minimum value to 30 seconds The half-closed timeout minimum value for both the global timeout and connection timeout was lowered from 5 minutes to 30 seconds to provide better DoS protection. We modified the following screens: Configuration Firewall Service Policy Rules Connection Settings Configuration Firewall Advanced Global Timeouts.
Remote Access Features IKE security and performance improvements The number of IPsec-IKE security associations (SAs) can be limited for IKE v1 now, as well as IKE v2. We modified the following screen: Configuration Site-to-Site VPN Advanced IKE Parameters. The IKE v2 Nonce size has been increased to 64 bytes. There are no ASDM screen or CLI changes. For IKE v2 on Site-to-Site, a new algorithm ensures that the encryption algorithm used by child IPsec SAs is not higher strength than the parent IKE. Higher strength algorithms will be downgraded to the IKE level. This new algorithm is enabled by default.
We recommend that you do not disable this feature. We did not modify any ASDM screens. For Site-to-Site, IPsec data-based rekeying can be disabled. We modified the following screen: Configuration Site-to-Site IKE Parameters.
Improved Host Scan and ASA Interoperability Host Scan and the ASA use an improved process to transfer posture attributes from the client to the ASA. This gives the ASA more time to establish a VPN connection with the client and apply a dynamic access policy. Also available in 8.4(5). Clientless SSL VPN: Windows 8 Support This release adds support for Windows 8 x86 (32-bit) and Windows 8 x64 (64-bit) operating systems. We support the following browsers on Windows 8:.
Internet Explorer 10 (desktop only). Firefox (all supported Windows 8 versions). Chrome (all supported Windows 8 versions) See the following limitations:. Internet Explorer 10: – The Modern (AKA Metro) browser is not supported. – If you enable Enhanced Protected Mode, we recommend that you add the ASA to the trusted zone. – If you enable Enhanced Protected Mode, Smart Tunnel and Port Forwarder are not supported. A Java Remote Desktop Protocol (RDP) plugin connection to a Windows 8 PC is not supported.
Also available in 9.0(2). Cisco Secure Desktop: Windows 8 Support CSD 3.6.6215 was updated to enable selection of Windows 8 in the Prelogin Policy operating system check.
See the following limitations:. Secure Desktop (Vault) is not supported with Windows 8.
Also available in 9.0(2). Dynamic Access Policies: Windows 8 Support ASDM was updated to enable selection of Windows 8 in the DAP Operating System attribute. Also available in 9.0(2).
Monitoring Features Ability to view top 10 memory users You can now view the top bin sizes allocated and the top 10 PCs for each allocated bin size. Previously, you had to enter multiple commands to see this information (the show memory detail command and the show memory binsize command); the new command provides for quicker analysis of memory issues. No ASDM changes were made. This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1). CPU profile enhancements The cpu profile activate command now supports the following:.
Delayed start of the profiler until triggered (global or specific thread CPU%). Sampling of a single thread No ASDM changes were made. This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).
Remote Access Features Clientless SSL VPN: Windows 8 Support This release adds support for Windows 8 x86 (32-bit) and Windows 8 x64 (64-bit) operating systems. We support the following browsers on Windows 8:. Internet Explorer 10 (desktop only). Firefox (all supported Windows 8 versions).
Chrome (all supported Windows 8 versions) See the following limitations:. Internet Explorer 10: – The Modern (AKA Metro) browser is not supported.
– If you enable Enhanced Protected Mode, we recommend that you add the ASA to the trusted zone. – If you enable Enhanced Protected Mode, Smart Tunnel and Port Forwarder are not supported. A Java Remote Desktop Protocol (RDP) plugin connection to a Windows 8 PC is not supported. Management Features The default Telnet password was removed To improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet.
Note: The login password is only used for Telnet if you do not configure Telnet user authentication. Formerly, when you cleared the password, the ASA restored the default of “cisco.” Now when you clear the password, the password is removed.
The login password is also used for Telnet sessions from the switch to the ASA SM (see the session command). For initial ASA SM access, you must use the service-module session command, until you set a login password. We did not modify any ASDM screens. Description CSCuj75028 SSL VPN bookmark's form parameter has unclear value CSCuj95685 Can't add EC with mode set to On (cluster control link requirement) CSCuj98126 In spanned EC mode (Cluster), can't set any EC member interface params CSCul11018 Cluster wizard fails ungracefully with CCL issues CSCul38916 ASDM:Not able to configure 'Shun Duration' for threat-detection CSCum08151 ASDM: Clicking whitespace after chkbox text should not change its state. CSCum09750 ASDM Top 10 Protected Servers graph shows large Others value for cluster CSCum39889 ASDM does not show upgrade options for few OS versions: CSCum57517 ASDM launcher is not working with Java 7u51 CSCum62475 ASDM sending wrong encrypted password CSCum67073 ASDM: No warning while activating AC essentials license CSCum98114 ASDM not responding properly when group url doesn't contain http/https CSCun64783 ASDM 'not used' treats object with auto-NAT as not in use. Description CSCuj75028 SSL VPN bookmark's form parameter has unclear value CSCuj95685 Can't add EC with mode set to On (cluster control link requirement) CSCuj98126 In spanned EC mode (Cluster), can't set any EC member interface params CSCul11018 Cluster wizard fails ungracefully with CCL issues CSCul38916 ASDM:Not able to configure 'Shun Duration' for threat-detection CSCum08151 ASDM: Clicking whitespace after chkbox text should not change its state. CSCum09750 ASDM Top 10 Protected Servers graph shows large Others value for cluster CSCum39889 ASDM does not show upgrade options for few OS versions: CSCum57517 ASDM launcher is not working with Java 7u51 CSCum62475 ASDM sending wrong encrypted password CSCum67073 ASDM: No warning while activating AC essentials license CSCum98114 ASDM not responding properly when group url doesn't contain http/https CSCun64783 ASDM 'not used' treats object with auto-NAT as not in use.
Description CSCuh28694 ASDM on Mac: System font issues (font too large) CSCui24893 ASDM Launcher is not working with java7u25 CSCui39567 ASDM 7.x certificate maps mapped to IPsec and SSL only show under IPSec CSCui85113 ASDM 7.1 Unable to delete object nat when object conflicts with name CSCui91127 ASDM Error: Number of IP address in the pool exceeds the limit 65536. CSCui97678 VDI Server proxy applied to DfltGrpPolicy instead of Tunnel GroupPoliy CSCuj02930 No Change dialog pop up after VDI Server proxy was changed CSCuj06653 ASDM:Credentials displayed in clear text when using Cisco.com wizard. Description CSCud40686 Entering Incorrect Credentials Makes the ASDM Hang CSCud68382 Java Web Start may not work on MacOS CSCud75192 client profile not properly bound to group policy CSCud80033 ASDM: Cannot specify 'anyconnect profiles none' in webvpn group-policy CSCud96465 HTTP authen: username greater than 50 characters failed CSCue17774 ASDM Loses Connectivity after 24 hrs when Monitoring some Traffic's. CSCue31262 ASDM: cannot configure BIOS check in DAP CSCue48827 ASA Local CA server add user-db in ASDM fails if blank line Subject (DN).
Description CSCui39567 ASDM 7.x certificate maps mapped to IPsec and SSL only show under IPSec CSCui91127 ASDM Error: Number of IP address in the pool exceeds the limit 65536. CSCuj06653 ASDM:Credentials displayed in clear text when using Cisco.com wizard CSCuj21794 ASDM: ID FW Monitor user-group defined with 'Space' char. Not reflected CSCuj29282 ASDM session does not timeout after idle-timeout expires CSCuj37962 Group Policies are not bound to AnyConnect Profiles CSCuj40436 ASDM Local CA Server Certificate Expiration Reminder update issue CSCuj67380 Cluster wizard asking for MTU to join cluster but no place to enter CSCuj67511 Cluster wizard: cannot edit an interface CSCuj70997 ASDM is sending wrong cli when copy,paste group policy which has + sign. CSCuj72318 Enable IPv6 checkbox is unchecked when editing interface CSCuj72362 ASDM: Does not allow to configure EIGRP key using Special Characters CSCuj75131 WebVPN configs not synced with standby - ASDM symptom. Description CSCub14386 Upgrade image to whole cluster: sometime fail to copy images CSCud07583 ASDM 7.0 ASA 9.0 multi context L2L needs more explicit warning/error.