Downloads |
Table Of Contents
Cisco ASDM Release Notes Version 5.0
Client PC Operating System and Browser Requirements
Upgrading to a New Software Release
ASA Interface Supports Either WebVPN or ASDM Admin Session
ASDM CLI Does Not Support Intertactive User Commands
Effects of Unsupported Commands
Ignored and View-Only Commands
Obtaining Documentation and Submitting a Service Request
Cisco ASDM Release Notes Version 5.0
May 2005
Contents
This document contains release information for Cisco ASDM Version 5.0 on Cisco PIX 500 series and Cisco ASA 5500 series security appliances 7.0(1). It includes the following sections:
•
Obtaining Documentation and Submitting a Service Request
Introduction
Cisco Adaptive Security Device Manager (ASDM) delivers world-class security management and monitoring services for Cisco PIX 500 and ASA 5500 series security appliances through an intuitive, easy-to-use, web-based management interface. Bundled with supported security appliances, the device manager accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced security and networking features offered by Cisco PIX 500 and ASA 5500 series security appliance software Version 7.0(1). Its secure, web-based design enables anytime, anywhere access to security appliances.
New Platform Features
The PIX 500 and ASA 5500 series security appliances 7.0(1) introduce significant enhancements to firewall and inspection capabilities, VPN services, network integration, high availability, and management/monitoring features. ASDM supports these new platform features.
This document contains release information about ASDM only. For detailed information on new platform features, see Cisco ASA 5500 Series Release Notes or Cisco PIX Security Appliance Release Notes.
New Device Manager Features
The following table highlights the new device manager features in this release.
Dynamic Dashboard (ASDM Home Page)
•
•
Real-time Log Viewer
•
•
Improved Java Web-Based Architecture
•
•
Downloadable ASDM Launcher (on Microsoft Windows 2000 or XP operating systems only)
•
•
•
Comprehensive Cisco PIX and ASA Security Appliances Software Version 7.0(1) Feature Support
Provides support for more than 50 new features introduced in Cisco PIX 500 and ASA 5500 series security appliance software Version 7.0(1), such as transparent firewall, PIM sparse mode, QoS, and Active/Active failover, in addition to existing features such as OSPF and VLAN.
Advanced Application and Protocol Inspection Configuration
Delivers robust management and monitoring capabilities for 30 specialized inspection engines that provide rich application control security services for numerous protocols, including HTTP, FTP, Extended Simple Mail Transfer Protocol (ESMTP), Domain Name System (DNS), Simple Network Management Protocol (SNMP), ICMP, SQL*Net, Network File System (NFS), H.323 Versions 1-4, SIP, Cisco Skinny Client Control Protocol (SCCP), Real-Time Streaming Protocol (RTSP), GTP, Internet Locator Service (ILS), and SunRPC.
World-class Management of Virtualized Security Services
•
•
•
Robust Security Features
•
•
Multiple Language Operating System Support
Supports both the English and Japanese versions of the Microsoft Windows operating systems listed under System Requirements.
System Requirements
This section includes the following topics:
•
Hardware Requirements
ASDM software runs on the following platforms:
•
•
•
•
•
•
•
•
Note
For more information on minimum hardware requirements, see:
http://www.cisco.com/en/US/docs/security/asa/asa70/asdm50/webhelp/sysreq.html
Certain features, such as load balancing and QoS, require particular hardware platforms. Other features require licensing. For more information on feature support for each platform license, see:
http://www.cisco.com/en/US/docs/security/asa/asa70/asdm50/webhelp/gen_info_licenses.html
Client PC Operating System and Browser Requirements
Table 1 lists the supported and recommended PC operating systems and browsers for Version 5.0.
Table 1 Operating System and Browser Requirements
Windows1
Windows 2000 (Service Pack 4) or Windows XP operating systems
Internet Explorer 6.0 with Sun Java2 Plug-in 1.4.2 or 1.5.0
Note
Netscape 7.1/7.2 with Sun Java Plug-in 1.4.2 or 1.5.0
SSL Encryption Settings—All available encryption options are enabled for SSL in the browser preferences.
Sun Solaris
Sun Solaris 8 or 9 running CDE window manager
Mozilla 1.7.3 with Sun Java Plug-in 1.4.2 or 1.5.0
Linux
Red Hat Linux 9.0 or Red Hat Linux WS, Version 3 running GNOME or KDE
Mozilla 1.7.3 with Sun Java Plug-in 1.4.2
1 ASDM is not supported on Windows 3.1, 95, 98, ME or Windows NT4.
2 Get Sun Java from java.sun.com
Usage Notes
This section includes the following topics:
•
•
Upgrading to a New Software Release
If you have a Cisco Connection Online (CCO) login, you can obtain software from the following website:
http://www.cisco.com/cisco/web/download/index.html
Refer to the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0 for more information.
Note
To upgrade from PIX Device Manager to ASDM, perform the following steps:
Step 1
Step 2
Step 3
Step 4
delete flash:/pdmStep 5
•
•
Note
Step 6
asdm image flash:/asdm501.binStep 7
http server enableStep 8
http 10.1.1.1 255.255.255.255 insidewhere IP address 10.1.1.1 is a host that can access ASDM and which is connected via the inside interface. Refer to Cisco Security Appliance Command Reference for more information on the options to the http command.
Step 9
https://10.1.1.254/admin/where 10.1.1.254 is the IP address of the inside interface of the device in Step 8.
Note
Deleting Your Old Cache
In early beta releases of ASDM and in previous releases of PDM (Versions 4.1 and earlier), the device manager stored its cache in: <userdir>\pdmcache. For example, D:\Documents and Settings\jones\pdmcache.
Now, the cache directory for ASDM is in: <user dir>\.asdm\cache.
The File > Clear ASDM Cache option in ASDM clears this new cache directory. It does not clear the old one. To free up space on your system, if you are no longer using your older versions of PDM or ASDM, delete your pdmcache directory manually.
Getting Started with ASDM
If you are using ASDM for the first time on a new security appliance, follow the instructions in this section to get started using ASDM. If you are upgrading an existing device, see Upgrading to a New Software Release.
Because ASDM uses a GUI interface, it requires that you access it from a PC using a supported web browser. For the supported browsers, see the "Client PC Operating System and Browser Requirements" section.
Before You Begin
Before using ASDM for the first time, do the following:
Step 1
Step 2
Step 3
–
–
•
Starting ASDM
To start ASDM for the first time, perform the following steps:
Step 1
https://192.168.1.1/admin/where 192.168.1.1 is the IP address of the security appliance.
Note
Step 2
If ASDM does not start, check the device configuration. Your security appliance should be configured to accept ASDM configuration on its inside interface. (A new security appliance is configured this way by default.) If you need to modify the configuration to reestablish this default setting, use the CLI. Include configuration information similar to the following.
Note
interface Ethernet1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 http server enable http 0.0.0.0 0.0.0.0 insidewhere the IP address 192.168.1.1 is on the same subnet as your security appliance and inside is the default name of the interface. (You might give your interface a different name, such as "management.")
The http server enable command with the inside argument enables the HTTP(S) server on the security appliance interface named inside. The http command with the 0.0.0.0 0.0.0.0 arguments allows HTTP traffic from any and all IP addresses and subnet masks to the HTTP server through the interface named inside. For more information, see the http and http server enable commands in the Cisco Security Appliance Command Reference.
Note
Using the Startup Wizard
The Startup Wizard helps you easily configure a single mode device or a context of a multiple mode device.
Use the Startup Wizard to configure the basic set-up of your security appliance:
Step 1
a.
b.
c.
d.
e.
f.
If your security appliance is in single mode:
a.
b.
Step 2
Step 3
(Optional.) You can now enter other configuration details on the Configuration > Features panels.
VPN Wizard
The VPN Wizard configures basic VPN access for site-to-site or remote-client access. The VPN Wizard is available only for security appliances running in single context mode with routed (not transparent) firewall mode.
Step 1
Step 2
Step 3
Step 4
You can now test the configuration.
Bootstrapping LAN Failover
This section describes how to implement failover on security appliances connected via a LAN.
If you are connecting two ASA security appliances for failover, you must connect them via a LAN. If you are connecting two PIX security appliances, you can connect them using either a LAN or a serial cable.
Tip
As specified in the Cisco Security Appliance Command Line Configuration Guide, both devices must have appropriate licenses and have the same hardware configuration.
Before you begin, decide on active and standby IP addresses for the interfaces ASDM connects through on the primary and secondary devices. These IP addresses must be assigned to device interfaces with HTTPS access.
To configure LAN failover on your security applicance, perform the following steps:
Step 1
Step 2
interface Ethernet1nameif insidesecurity-level 100 ip address 192.168.1.2 255.255.255.0http server enablehttp 0.0.0.0 0.0.0.0 insidewhere in this example IP address 192.168.1.2 is the standby IP address of the ASDM interface on the secondary device.
Step 3
Step 4
Step 5
Step 6
a.
b.
Step 7
a.
b.
Note
Step 8
a.
b.
Step 9
Step 10
Step 11
Step 12
Step 13
Step 14
Step 15
The secondary device should now enter standby failover state using the standby IP addresses. Any further configuration of the active device or an active context is replicated to the standby device or the corresponding standby context.
ASA Interface Supports Either WebVPN or ASDM Admin Session
The security appliance supports either WebVPN or an ASDM administrative session on an interface, but not both simultaneously. To use ASDM and WebVPN at the same time, configure them on different interfaces.
Unsupported Characters
ASDM does not support any non-English characters or any other special characters. If you enter non-English characters in any text entry field, they become unrecognizable when you submit the entry, and you cannot delete or edit them.
If you are using a non-English keyboard or usually type in language other than English, be careful not to enter non-English characters accidentally.
Workaround:
For workarounds, see CSCeh39437 under Caveats.
ASDM CLI Does Not Support Intertactive User Commands
ASDM provides a CLI tool (click Tools > Command Line Interface...) that allows you to enter certain CLI commands from ASDM. For a list of specific commands that are not support, see Unsupported Commands.
The ASDM CLI feature also does not support interactive user commands. If you enter a CLI command that requires interactive confirmation, ASDM prompts you to enter "[yes/no]" but does not recognize your input. ASDM then times out waiting for your response.
For example:
1.
2.
ASDM generates the default 1024-bit RSA key.
3.
Instead of regenerating the RSA keys by overwriting the previous one, ASDM displays the following error:
Do you really want to replace them? [yes/no]:WARNING: You already have RSA ke0000000000000$A keyInput line must be less than 16 characters in length.%Please answer 'yes' or 'no'.Do you really want to replace them [yes/no]:%ERROR: Timed out waiting for a response.ERROR: Failed to create new RSA keys names <Default-RSA-key>Workaround:
•
•
crypto key generate rsa noconfirmPrinting from ASDM
Note
If you want to print from within ASDM, start ASDM in application mode. Printing is not supported in applet mode in this release.ASDM supports printing for the following features:
•
•
•
•
•
Unsupported Commands
ASDM does not support the complete command set of the CLI. In most cases, ASDM ignores unsupported commands, and they can remain in your configuration. In the case of the alias command, ASDM enters into Monitor-only mode until you remove the command from your configuration.
Effects of Unsupported Commands
•
•
•
Monitor-only mode allows access to the following functions:
–
–
To exit Monitor-only mode, use the CLI tool or access the security appliance console, and remove the alias command. You can use outside NAT instead of the alias command. See the Cisco Security Appliance Command Reference for more information.
Note
Ignored and View-Only Commands
The following table lists commands that ASDM supports in the configuration when added by the CLI, but that cannot be added or edited in ASDM. If ASDM ignores the command, it does not appear in the ASDM GUI at all. If it is view-only, then the command appears in the GUI, but you cannot edit it.
ASDM Limitations
ASDM does not support the one-time password (OTP) authentication mechanism.
Other CLI Limitations
•
ip address inside 192.168.2.1 255.255.0.255Securing the Failover Key
To prevent the failover key from being replicated to the peer unit in clear text for an existing failover configuration, disable failover on the active unit (or in the system execution space on the unit that has failover group 1 in the active state), enter the failover key on both units, and then reenable failover. When failover is reenabled, the failover communication is encrypted with the key.
Follow this procedure on the active device:
Step 1
a.
b.
Step 2
a.
b.
Step 3
Step 4
a.
b.
Step 5
Step 6
Caveats
The following sections describe caveats for the 5.0 release.
Note
http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 5.0
•
A newly-created Access Rule might be lost if you cancel when adding a subsequent rule.
This sequence of steps causes the error:
1.
2.
3.
4.
5.
6.
7.
8.
The "No changes were made" dialog erroneously appears.
Workaround:
–
–
–
•
On Mozilla 1.7.3 on Linux with Java 1.5.0, if you convert the failover type from serial failover to LAN-based failover then click Apply, the ASDM panel locks up and becomes unresponsive.
This sequence of steps produces the error:
1.
2.
3.
–
LAN failover interface gigabit0Logical name:foveractive IP:10.7.7.1standby IP:10.7.7.2subnet mask: 255.255.255.0State failover interface gigabt0–
The whole panel locks up.
This problem also occurs when you click the Refresh button on the Failover panel.
Workaround:
–
–
•
If you are using Mozilla 1.7.3 on SunOS 2.8/2.9 with Java 1.5.0_01, when you launch ASDM, it might not accept any keyboard input.
Workaround:
Remove and re-create the link to the java library twice. (The first time it may not work. The second time it usually works.)
•
On a Linux client with Mozilla 1.7.3 and JRE 1.5.0, when AAA authorization is enabled for commands, it is not possible to start ASDM. This problem also occurs if the device is using any form of authentication, including AAA Authentication or even enable password.
When you enter a user name and password with privilege level 3, 5 or 15, ASDM does not launch. No errors display and no log is created.
If you do not use login userid/password to log in, this error does not occur.
Note
(See: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6226589 for details of the Sun bug.)Workaround:
The problem does not occur if you use JRE 1.4.2. Java 1.5.0 is not supported at this time on Linux.
•
When you invoke ASDM as an applet, the Print feature is unavailable.
Workaround:
Invoke ASDM using the ASDM Launcher. Printing is supported when ASDM is invoked from the Launcher.
•
On the Configuration > Features > Security Policy > Service Policy Rules panel:
1.
2.
3.
Workaround:
Use a different traffic classification for the rule. (For example: RTP port range, any/any ACL, DSCP, IP Precedence.)
•
If interfaces are available, then a user should not be able to proceed beyond step 4, "Other Interfaces Configuration," until at least one interface has been named. Setting up address translation (NAT/PAT) or administrative access without named interfaces is subsequent step in futile.
In multiple context mode, if no interfaces have been allocated to a context, the user should be warned that they cannot proceed beyond naming the context (Basic Configuration step 2) until interfaces are allocated to the context in system mode.
If no interfaces are available currently, evoking the Startup Wizard produces an exception, java.lang.NullPointerException:
at com.cisco.pdm.gui.startupwiz.StartupWizModel.getOutsideIf(StartupWizModel.java:426)at com.cisco.pdm.gui.startupwiz.StartupWizModel.<init>(StartupWizModel.java:72)at com.cisco.pdm.gui.startupwiz.StartupWizModel.<init>(StartupWizModel.java:64)at com.cisco.pdm.gui.startupwiz.StartupWizController.<init>(StartupWizController.java:40)at com.cisco.pdm.gui.startupwiz.StartupWizard.<init>(StartupWizard.java:49)at com.cisco.pdm.gui.startupwiz.StartupWizDialog.<init>(StartupWizDialog.java:36)at com.cisco.pdm.gui.startupwiz.StartupWizDialog.<init>(StartupWizDialog.java:25)at com.cisco.pdm.gui.Startup.menuItem_ActionPerformed(Startup.java:1853)at com.cisco.pdm.gui.Startup.actionPerformed(Startup.java:1518)at java.awt.MenuItem.processActionEvent(Unknown Source)at java.awt.MenuItem.processEvent(Unknown Source)at java.awt.MenuComponent.dispatchEventImpl(Unknown Source)at java.awt.MenuComponent.dispatchEvent(Unknown Source)at java.awt.EventQueue.dispatchEvent(Unknown Source)at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)at java.awt.EventDispatchThread.pumpEvents(Unknown Source)at java.awt.EventDispatchThread.pumpEvents(Unknown Source)at java.awt.EventDispatchThread.run(Unknown Source)After the java.lang.NullPointerException, the Startup Wizard may no longer be evoked from the Wizards menu nor any other menu items.
If no interface is named, a nat () 0 0.0.0.0 0.0.0.0 command will be generated on clicking finish, which has erroneous syntax.
Workaround:
Do not attempt to finish the Startup Wizard until at least one interface has been named.
•
If you are using the CLI and you shut down and then bring up the interface through which ASDM is connected, ASDM live logging does not reconnect. It does not show a disconnection message.
Workaround:
Close ASDM, then restart it.
•
ASDM sometimes allows more than two traffic match criteria for a service policy rule. The CLI does not allow more than two match criteria for a service policy rule and may result an error when this configuration is delivered to the security appliance.
As an example, the following CLIs may be generated by ASDM:
class-map dmz-classmatch port udp eq 5060match precedence 0 1 2 3match tunnel-group DefaultL2LGroupBut when the commands are sent to the device, the following error is received:
[OK] class-map dmz-classclass-map dmz-class[OK] match port udp eq 5060[ERR]match precedence 0 1 2 3ERROR: multiple match commands are not supported except for the 'match tunnel-group or default-inspect-traffic' command.The following steps cause the error to occur:
1.
2.
3.
4.
For example, in this case the following three criteria were allowed after couple of attempts:
–
–
–
Workaround:
Only select the traffic match criteria that is required for the service policy rule.
•
ASDM port values for WebType ACLs do not match the CLI implementation.
The following CLI help shows the ranges supported for the TCP ports when using the greater than or less than operators:
hostname(config)# access-list 1234 webtype permit tcp any gt ?configure mode commands/options:<0-65534> Enter port number (0 - 65534)hostname(config)# access-list 1234 webtype permit tcp any lt ?configure mode commands/options:<2-65536> Enter port number (2 - 65536)ASDM, however, supports 1-65535, regardless of whether the greater than or less than operator has been specified.
ASDM does not support:
access-list 1234 webtype permit tcp any gt 0access-list 1234 webtype permit tcp any lt 65536ASDM does not reject the following, which are not accepted by the CLI:
access-list 1234 webtype permit tcp any gt 65535access-list 1234 webtype permit tcp any lt 1When specifying the > or < operator for the WebTCP ACL port values, ASDM does not follow the platform implementation.
Workaround:
To effect this:
access-list 1234 webtype permit tcp any gt 0Use ASDM to configure this:
access-list 1234 webtype permit tcp any eq 1access-list 1234 webtype permit tcp any gt 1To effect this:
access-list 1234 webtype permit tcp any lt 65536Use ASDM to configure this:
access-list 1234 webtype permit tcp any eq 65535access-list 1234 webtype permit tcp any lt 65535Do not use ASDM to configure:
access-list 1234 webtype permit tcp any lt 1access-list 1234 webtype permit tcp any gt 65535•
ASDM, and PIX and ASA 7.0 (1) only support English characters. Many fields in ASDM incorrectly allow you to enter non-English characters. If you enter non-English characters in any text entry field, they become unrecognizable once you submit the entry, and you cannot delete or edit them.
The unrecognizable characters also appear in the show running-config output.
Note that the CLI prompt does not accept non-English characters.
Note
Workaround:
If you accidentally enter a non-English character in your running configuration, use one of these workarounds:
–
–
–
For example, to remove the network object group with a non-English character group name, enter:
clear conf object-group networkUnfortunately, this command also removes all network object groups, so you need to reconfigure them to restore the original configuration.
•
ASDM allows the user to attempt to create the same static NAT for different addresses.
[OK]static (inside,outside) 21.1.1.0 1.1.1.0 netmask 255.255.255.0 tcp 0 0 udp 0[ERR]static (inside,outside) 21.1.1.0 2.2.2.0 netmask 255.255.255.0 tcp 0 0 udp 0ERROR: mapped-address conflict with existing static inside:1.1.1.0 to outside:21.1.1.0 netmask 255.255.255.0Workaround:
Only create a translation once. No specific workaround is required. The security appliance does not accept the conflicting translation, and ASDM re-reads the configuration after the error.
•
Starting with a PIX 500 series security appliance configured for serial-cable failover, either Active/Active or Active/Standby in single mode, an attempt to switch to LAN failover with ASDM results in both devices becoming active. Thus neither device is reliably accessible via its interfaces.
Similarly, switching from LAN to serial-based failover may leave the standby unable to communicate.
One possible scenario starts with serial-based failover configured and operating, but no LAN failover configuration in place. ASDM enables LAN failover, supplies required LAN failover parameters, and processes the Apply button. After the commands are submitted to the primary device, which turns failover off and then back on again, a dialog requesting to configure the failover peer appears. Unfortunately, both devices are in active state since the secondary, which had failover enabled over the serial cable, does not find its active peer and switches to active itself. Previously, the "failover lan enable" command was replicated, which allowed the devices to use compatible configurations.
With LAN failover enabled and operating properly on both devices, a similar scenario results in somewhat different behavior. ASDM disables LAN failover, removes LAN failover parameters if requested, and processes the Apply button. After the commands are submitted to the primary device, which turns failover off and then back on again, a dialog requesting to configure the failover peer appears. The secondary sometimes attempts to synchronize configuration unsuccessfully at this point, eventually recognizing failure, and restarting synchronization, repeating this in a loop without the ability to disable failover because of the synchronization. Only reloading both devices recovers from the loop: the secondary reenters the loop if it alone is reloaded.
Workaround:
To switch from an operating serial-cable failover to LAN failover, ensure that failover is operating with a show failover command and that the primary is the active device.
1.
failover lan interface <IfName> <PortName>failover lan interface ip <IfName> <IP_prime> <IP_mask> standby <IP_second>2.
3.
(ASDM can submit steps 1, 2, and 3 with a single Apply selection.)
4.
a.
https://<Second_IP>/exec/changeto%20system/failover%20lan%20unit%20secondary/failo ver%20lan%20enableThe browser probably should request authorization.
b.
https://<Second_IP>/exec/failover%20lan%20unit%20secondary/failover%20lan%20enableThe browser probably should request authorization.
c.
- changeto system (if in multiple context mode)
- configure terminal
- failover lan unit secondary
- failover lan enable
5.
To switch from LAN failover operation to serial-cable failover, ensure that failover is operating with a show failover command and that the primary is the active device.
1.
2.
a.
- changeto system (if in multiple context mode)
- configure terminal
- no failover lan enable
- no failover lan unit secondary
b.
https://<Second_IP>/exec/no%20failover%20lan%20unit%20secondary/failover%20lan%20e nableThe browser probably should request authorization.
c.
https://<Second_IP>/exec/no%20failover%20lan%20enable/no%20failover%20lan%20unit%2 0secondaryThe browser probably should request authorization.
3.
•
On the Add Priority Queue screen, the upper range limit value is too high.
Workaround:
The upper range limit for the priority queue should be 2048 and the transmission ring limit should be 128.
•
When running on Linux with the Java 1.5 plug-in, the user is unable to select an IP Audit policy for an interface using the mouse.
Workaround:
Click the Choice list with the mouse to drop down the list. Then, use the keyboard arrow keys to move the cursor up and down to select the desired IP Audit policy.
•
When turning on NSSA default-information originate with metric and metric-type, the metric and metric-type are ignored. This is found in Configuration > Features > Routing > OSPF > Setup under Process Instances > Advanced. The section heading is "Default Information Originate."
Workaround:
Do one of the following. Either:
–
–
•
ASDM Live Logging and Log Buffer may fail to yield any output. While in this state, within your Java console you see errors such as:
Exception in thread "AWT-EventQueue-2" java.lang.OutOfMemoryError: Java heap space
After excessive toggling between the logging levels and viewing each log level in the Log Viewer, you may encounter an out-of-memory error.
For example, repeating this sequence of steps produces the error.
1.
2.
3.
4.
5.
Workaround:
Do not toggle excessively between the views and logging levels.
•
After editing the key value of an NTP server that was previously configured with a key value, attempting to apply the change results in a dialog saying: "No changes were made."
Workaround:
Delete the NTP server and add it again with the new key value.
•
On the Monitoring > Features > VPN > VPN Connection Graphs > IPSec Tunnels panel, IPSec/IKE Active Tunnels are not being reported correctly sometimes.
A system with VPN sessions may, over time, show incorrect numbers of IKE and/or IPSec tunnels.
Workaround:
Ignore the information from the graphs and use the Monitoring > Features > VPN > VPN
Statistics > Sessions panel to see the correct number of active tunnels.
•
On the Configuration -> Routing -> OSPF -> Setup -> Route Summarization panel, when there are two OSPF processes defined, you cannot edit the route summarization of the second OSPF process. After you try to edit it, clicking the OK button does nothing. An exception occurs in the Java console.
Workaround:
Delete the route summarization entry and create a new route summarization entry.
•
On the Configuration > Features > Properties > Logging > Syslog Servers panel, when you select the check box for Allow user traffic to pass when TCP syslog server is down, the Apply button is not enabled and the CLI cannot be generated.
Workaround:
Make another change in the same panel and cancel that change, then the Apply button is enabled. Click Apply and ASDM generates the proper CLI.
•
The wrong commands are sent to the security appliance when a network-object for which a static NAT exists is added to a network object-group for which policy NAT already exists.
For example, network object-group "A" exists and has a policy NAT present. Network "B" exists for which static NAT is configured. Network "B" is added to object-group "A". ASDM generates an invalid command.
Workaround:
Avoid adding network/hosts which have static NAT to an object-group which is using policy-NAT.
Related Documentation
For additional information on ASDM or its platforms, refer to the ASDM online Help or the following documentation found on Cisco.com:
•
•
•
•
•
•
•
•
•
•
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
