
Cisco Adaptive Security Device Manager

Release Notes for Cisco ASDM, 6.3(x)

Table Of Contents

Release Notes for Cisco ASDM, Version 6.3(x)

Important Notes

ASDM Client Operating System and Browser Requirements

Supported Platforms

New Features

Upgrading the Software

Viewing Your Current Version

Upgrading the Operating System and ASDM Images

Upgrading Using ASDM 6.2 or Below

Upgrading Using ASDM 6.3 or Above

Unsupported Commands

Ignored and View-Only Commands

Effects of Unsupported Commands

Discontinuous Subnet Masks Not Supported

Interactive User Commands Not Supported by the ASDM CLI Tool

Open Caveats for Software Version 6.3

Resolved Caveats for Software Version 6.3(1)

End-User License Agreement

Related Documentation

Obtaining Documentation and Submitting a Service Request


Release Notes for Cisco ASDM, Version 6.3(x)


March 2010

This document contains release information for the release of Cisco ASDM Version 6.3(1) on Cisco ASA 5500 series security appliances.

This document includes the following sections:

Important Notes

ASDM Client Operating System and Browser Requirements

Supported Platforms

New Features

Upgrading the Software

Unsupported Commands

Open Caveats for Software Version 6.3

Resolved Caveats for Software Version 6.3(1)

End-User License Agreement

Related Documentation

Obtaining Documentation and Submitting a Service Request


Note Before you upgrade to ASA Version 8.3, be sure to see the Cisco ASA 5500 Migration Guide for Version 8.3. The following major changes require configuration migration:

NAT redesign.

Real IP addresses in access rules instead of mapped addresses.

Named network objects and service objects.


Important Notes

Maximum configuration size—ASDM supports a maximum configuration size of 512 KB. If you exceed this amount, you may experience performance issues.

Memory requirements—To run Version 8.3 in a production environment, you need to upgrade the memory on the Cisco ASA 5505, 5510, 5520, or 5540. See the ASA release notes for more information. If you do not install a memory upgrade, you receive the following message upon logging in:

.

ASDM Launcher Upgrade Failure—Upgrading from a previous version of ASDM, such as ASDM 6.1.5.51, which includes ASDM Launcher 1.5.30, sometimes fails in the following two ways on Windows XP or Vista:

CSCsy75722: When using the ASDM Launcher to upgrade, a Launcher installer wizard appears. After clicking the Install button on the Ready to Install the Program dialog, the status bar does not progress and a Cisco ASDM-IDM Launcher Installer Information dialog appears with the following: "The system cannot open the device or file specified". Pressing Retry does not help.

CSCsz35267: When using a web browser, clicking the "Install ASDM Launcher and Run ASDM" button downloads the dm-launcher.msi installer.
Running dm-launcher.msi may produce an error 1307 or 1316 dialog giving the full pathname of the file that either cannot be found or for which a network error occurred.

Workaround: To recover from such events, use the Add or Remove Programs control panel to remove the Cisco ASDM Launcher or Cisco ASDM-IDM Launcher. (The ASDM on IP address programs do not need to be removed.) Afterwards, open a web browser, access ASDM with a URL such as https://ip_address/admin, and install the new ASDM-IDM Launcher with the "Install ASDM Launcher and Run ASDM" button.

ASDM Client Operating System and Browser Requirements

Table 1 lists the supported and recommended client operating systems and Java for ASDM.

Table 1 Operating System and Browser Requirements 

| Operating System | Browser: Internet Explorer | Browser: Firefox | Browser: Safari | Sun Java SE Plug-in [1] |
| --- | --- | --- | --- | --- |
| Microsoft Windows (English and Japanese): 7, Vista, 2003 Server, XP | 6.0 or above | 1.5 or above | No support. | 5.0 (1.5.0), 6.0 |
| Apple Macintosh OS X: 10.6, 10.5, 10.4 | No support. | 1.5 or above | 2.0 or above | 5.0 (1.5.0), 6.0 |
| Red Hat Enterprise Linux 5 (GNOME or KDE): Desktop, WS | N/A | 1.5 or above | N/A | 5.0 (1.5.0), 6.0 |

[1] Obtain Sun Java from java.sun.com.


Supported Platforms

See Cisco ASA 5500 Series and PIX 500 Series Security Appliance Hardware and Software Compatibility for the minimum supported version of ASDM for each ASA and SSM version.


Note ASDM 6.3(1) and above is not supported on the PIX platforms. The last ASDM version supported on the PIX is 6.1(5).

Although ASDM 6.3 supports many ASA versions, the ASDM 6.3 documentation and online help only include features for ASA 8.3. For older ASA versions, you might find that using the ASDM 6.3 documentation is inaccurate for your older feature set. Instead, refer to the ASDM guide in which support for your platform version was added (to see when support was added, see Cisco ASA 5500 Series and PIX 500 Series Security Appliance Hardware and Software Compatibility for the minimum supported version of ASDM for each ASA version; this version is the one where support was added). Although the specific information about the ASDM GUI might be inaccurate in that guide, the platform feature set is documented correctly.


New Features


Table 2 lists the new features for ASDM Version 6.3(1). All features apply only to ASA Version 8.3(1), unless otherwise noted.

Table 2 New Features for ASDM Version 6.3(1)/ASA Version 8.3(1) (Unless Otherwise Noted) 

Feature
Description
Remote Access Features

Smart Tunnel Enhancements

Logoff enhancement—Smart tunnel can now be logged off when all browser windows have been closed (parent affinity), or you can right click the notification icon in the system tray and confirm log out.

Tunnel Policy—An administrator can dictate which connections go through the VPN gateway and which do not. An end user can browse the Internet directly while accessing company internal resources with smart tunnel if the administrator chooses.

Simplified configuration of which applications to tunnel—When a smart tunnel is required, a user no longer needs to configure a list of processes that can access smart tunnel and in turn access certain web pages. An "enable smart tunnel" check box for either a bookmark or standalone application allows for an easier configuration process.

Group policy home page—Using a check box in ASDM, administrators can now specify their home page in group policy in order to connect via smart tunnel.

The following screen was modified: Configuration > Remote Access VPN > AAA/Local Users > Local Users > Edit > VPN Policy > Clientless SSL VPN.

Newly Supported Platforms for Browser-based VPN

Release 8.3(1) provides browser-based (clientless) VPN access from the following newly supported platforms:

Windows 7 x86 (32-bit) and x64 (64-bit) via Internet Explorer 8.x and Firefox 3.x

Windows Vista x64 via Internet Explorer 7.x/8.x, or Firefox 3.x.

Windows XP x64 via Internet Explorer 6.x/7.x/8.x and Firefox 3.x

Mac OS 10.6 32- and 64-bit via Safari 4.x and Firefox 3.x.

Firefox 2.x is likely to work, although we no longer test it.

Release 8.3(1) introduces browser-based support for 64-bit applications on Mac OS 10.5.

Release 8.3(1) now supports smart tunnel access on all 32-bit and 64-bit Windows and Mac OSs supported for browser-based VPN access. Port forwarding on 64-bit OSs is not supported.

Browser-based VPN access does not support Windows Shares (CIFS) Web Folders on Windows 7, Vista, and Internet Explorer 8. An ActiveX version of the RDP plug-in is unavailable for 64-bit browsers.

Note Windows 2000 and Mac OS X 10.4 are no longer supported for browser-based access.

IPv6 support for IKEv1 LAN-to-LAN VPN connections

For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).

Specifically, the following topologies are supported when both peers are Cisco ASA 5500 series adaptive security appliances:

The adaptive security appliances have IPv4 inside networks and the outside network is IPv6 (IPv4 addresses on the inside interfaces and IPv6 addresses on the outside interfaces).

The adaptive security appliances have IPv6 inside networks and the outside network is IPv4 (IPv6 addresses on the inside interface and IPv4 addresses on the outside interfaces).

The adaptive security appliances have IPv6 inside networks and the outside network is IPv6 (IPv6 addresses on the inside and outside interfaces).


Note The defect CSCtd38078 currently prevents the Cisco ASA 5500 series from connecting to a Cisco IOS device as the peer device of a LAN-to-LAN connection.


The following screens were modified or introduced:

Wizards > IPsec VPN Wizard, Configuration > Site-to-Site VPN > Connection Profiles
Configuration > Site-to-Site VPN > Connection Profiles > Basic > Add IPsec Site-to-Site Connection Profile
Configuration > Site-to-Site VPN > Group Policies
Configuration > Site-to-Site VPN > Group Policies > Edit Internal Group Policy
Configuration > Site-to-Site VPN > Advanced > Crypto Maps
Configuration > Site-to-Site VPN > Advanced > Crypto Maps > Add > Create IPsec Rule
Configuration > Site-to-Site VPN > Advanced > ACL Manager

Plug-in for AnyConnect Profile Editor

The AnyConnect Profile Editor is a convenient GUI-based configuration tool you can use to configure the AnyConnect 2.5 or above client profile, an XML file containing settings that control client features. Previously, you could only change profile settings manually by editing the XML tags in the profile file. The AnyConnect Profile Editor is a plug-in binary file named anyconnectprof.sgz packaged with the ASDM image and installed in the root directory of disk0:/ in the flash memory on the security appliance. This design allows you to update the editor to be compatible with new AnyConnect features available in new client releases.

SSL VPN Portal Customization Editor

You can rebrand and customize the screens presented to clientless SSL VPN users using the new Edit Customization Object window in ASDM. You can customize the logon, portal and logout screens, including corporate logos, text messages, and the general layout. Previously, the customization feature was embedded in the security appliance software image. Moving it to ASDM provides greater usability for this feature and future enhancements.

The following screen was modified: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Customization.

Usability Improvements for Remote Access VPN

ASDM provides a step-by-step guide to configuring Clientless SSL VPN, AnyConnect SSL VPN Remote Access, or IPsec Remote Access using the ASDM Assistant. The ASDM Assistant is more comprehensive than the VPN wizards, which are designed only to get you up and running.

The following screen was modified: Configuration > Remote Access VPN > Introduction > ASDM Assistant.

Firewall Features

Interface-Independent Access Policies

You can now configure access rules that are applied globally, as well as access rules that are applied to an interface. If the configuration specifies both a global access policy and interface-specific access policies, the interface-specific policies are evaluated before the global policy.

The following screen was modified: Configuration > Firewall > Access Rules.

Network and Service Objects

You can now create named network objects that you can use in place of a host, a subnet, or a range of IP addresses in your configuration and named service objects that you can use in place of a protocol and port in your configuration. You can then change the object definition in one place, without having to change any other part of your configuration. This release introduces support for network and service objects in the following features:

NAT

Access rules

Network object groups

Note ASDM used network objects internally in previous releases; this feature introduces platform support for network objects.

The following screens were modified or introduced:

Configuration > Firewall > Objects > Network Objects/Groups, Configuration > Firewall > Objects > Service Objects/Groups
Configuration > Firewall > NAT Rules, Configuration > Firewall > Access Rules

Object-group Expansion Rule Reduction

Significantly reduces the network object-group expansion while maintaining a satisfactory level of packet classification performance.

The following screen was modified: Configuration > Firewall > Access Rules > Advanced.

NAT Simplification

The NAT configuration was completely redesigned to allow greater flexibility and ease of use. You can now configure NAT using auto NAT, where you configure NAT as part of the attributes of a network object, and manual NAT, where you can configure more advanced NAT options.

The following screens were modified or introduced:

Configuration > Firewall > Objects > Network Objects/Group
Configuration > Firewall > NAT Rules

Use of Real IP addresses in access lists instead of translated addresses

When using NAT, mapped addresses are no longer required in an access list for many features. You should always use the real, untranslated addresses when configuring these features. Using the real address means that if the NAT configuration changes, you do not need to change the access lists.

The following features that use access lists now use real IP addresses. These features are automatically migrated to use real IP addresses when you upgrade to 8.3, unless otherwise noted.

Access rules

Service policy rules

Botnet Traffic Filter

AAA rules

WCCP redirect.

Note WCCP is not automatically migrated when you upgrade to 8.3.

Threat Detection Enhancements

You can now customize the number of rate intervals for which advanced statistics are collected. The default number of rates was changed from 3 to 1. For basic statistics, advanced statistics, and scanning threat detection, the memory usage was improved.

The following screen was modified: Configuration > Firewall > Threat Detection.

Unified Communication Features

SCCP v19 support

The IP phone support in the Cisco Phone Proxy feature was enhanced to include support for version 19 of the SCCP protocol on the list of supported IP phones.

Cisco Intercompany Media Engine Proxy

Cisco Intercompany Media Engine (UC-IME) enables companies to interconnect on-demand, over the Internet with advanced features made available by VoIP technologies. Cisco Intercompany Media Engine allows for business-to-business federation between Cisco Unified Communications Manager clusters in different enterprises by utilizing peer-to-peer, security, and SIP protocols to create dynamic SIP trunks between businesses. A collection of enterprises work together to end up looking like one large business with inter-cluster trunks between them.

The following screens were modified or introduced:

Wizards > Unified Communications Wizard > Cisco Intercompany Media Engine Proxy
Configuration > Firewall > Unified Communications, and then click UC-IME Proxy
Configuration > Firewall > Service Policy Rules > Add/Edit Service Policy Rule > Rule Actions > Select SIP Inspection Map

SIP Inspection Support for IME

SIP inspection has been enhanced to support the new Cisco Intercompany Media Engine (UC-IME) Proxy.

The following screen was modified: Configuration > Firewall > Service Policy Rules > Add/Edit Service Policy Rule > Rule Actions > Select SIP Inspection Map.

Unified Communication Wizard

The Unified Communications Wizard guides you through the complete configuration and automatically configures required aspects for the following proxies: Cisco Mobility Advantage Proxy, Cisco Presence Federation Proxy, Cisco Intercompany Media Engine proxy. Additionally, the Unified Communications wizard automatically configures other required aspects of the proxies.

The following screens were modified:

Wizards > Unified Communications Wizard
Configuration > Firewall > Unified Communications

Enhanced Navigation for Unified Communication Features

The Unified Communications proxy features, such as the Phone Proxy, TLS Proxy, CTL File, and CTL Provider pages, are moved from under the Objects category in the left Navigation panel to the new Unified Communications category. In addition, this new category contains pages for the new Unified Communications wizard and the UC-IME Proxy page.

Note This feature applies to ASA Version 8.0 and above.

 

The following screen was modified: Configuration > Device Setup > Interfaces > Add/Edit Interface > General.

Routing Features

Route map support

ASDM has added enhanced support for static and dynamic routes.

The following screen was modified: Configuration > Device Setup > Routing > Route Maps.

Note This feature applies to ASA Version 8.0 and above.

Monitoring Features

Time Stamps for Access List Hit Counts

Displays the timestamp, along with the hash value and hit count, for a specified access list.

The following screen was modified: Configuration > Firewall > Access Rules. (The timestamp appears when you hover the mouse over a cell in the Hits column.)

High Performance Monitoring for ASDM

You can now enable high performance monitoring for ASDM to show the top 200 hosts connected through the adaptive security appliance. Each entry of a host contains the IP address of the host and the number of connections initiated by the host, and is updated every 120 seconds.

The following screen was introduced: Home > Firewall Dashboard > Top 200 Hosts.

Licensing Features

Non-identical failover licenses

Failover licenses no longer need to be identical on each unit. The license used for both units is the combined license from the primary and secondary units.

Note For the ASA 5505 and 5510 adaptive security appliances, both units require the Security Plus license; the Base license does not support failover, so you cannot enable failover on a standby unit that only has the Base license.

The following screen was modified: Configuration > Device Management > Licensing > Activation Key.

Stackable time-based licenses

Time-based licenses are now stackable. In many cases, you might need to renew your time-based license and have a seamless transition from the old license to the new one. For features that are only available with a time-based license, it is especially important that the license not expire before you can apply the new license. The adaptive security appliance allows you to stack time-based licenses so you do not have to worry about the license expiring or about losing time on your licenses because you installed the new one early. For licenses with numerical tiers, stacking is only supported for licenses with the same capacity, for example, two 1000-session SSL VPN licenses. You can view the state of the licenses at Configuration > Device Management > Licensing > Activation Key.

Intercompany Media Engine License

The IME license was introduced.

Multiple time-based licenses active at the same time

You can now install multiple time-based licenses, and have one license per feature active at a time.

The following screen was modified: Configuration > Device Management > Licensing > Activation Key.

Discrete activation and deactivation of time-based licenses.

You can now activate or deactivate time-based licenses using a command.

The following command was modified: activation-key [activate | deactivate].

The following screen was modified: Configuration > Device Management > Licensing > Activation Key.

General Features

Master Passphrase

The master passphrase feature allows you to securely store plain text passwords in encrypted format. It provides a master key that is used to universally encrypt or mask all passwords, without changing any functionality. The Backup/Restore feature supports the master passphrase.

The following screens were introduced:

Configuration > Device Management > Advanced > Master Passphrase
Configuration > Device Management > Device Administration > Master Passphrase

ASDM Features

Upgrade Software from Cisco.com Wizard

The Upgrade Software from Cisco.com wizard has changed to allow you to automatically upgrade ASDM and the adaptive security appliance to more current versions. Note that this feature is only available in single mode and, in multiple context mode, in the System execution space. It is not available in a context.

The following screen was modified: Tools > Check for ASA/ASDM Updates.

Note This feature applies to ASA Version 8.0 and above.

Backup/Restore Enhancements

The Backup Configurations pane was re-ordered and re-grouped so you can more easily choose the files you want to back up. A Backup Progress pane was added so that you can visually track the progress of the backup. You will also see a significant performance improvement when using backup or restore.

The following screen was modified: Tools > Backup Configurations or Tools > Restore Configurations.

Note This feature applies to ASA Version 8.0 and above.


Upgrading the Software


Note Before you upgrade, be sure to see the Cisco ASA 5500 Migration Guide for Version 8.3. The following major changes require configuration migration:

NAT redesign.

Real IP addresses in access rules instead of mapped addresses.

Named network objects and service objects.

The Cisco ASA 5500 Migration Guide for Version 8.3 also describes how to downgrade.


This section describes how to upgrade to the latest version, and includes the following topics:

Viewing Your Current Version

Upgrading the Operating System and ASDM Images


Note For CLI procedures, see the ASA release notes.


Viewing Your Current Version

The software version appears on the ASDM home page; view the home page to verify the software version of your adaptive security appliance.

Upgrading the Operating System and ASDM Images

This section describes how to install the ASDM and operating system (OS) images.

We recommend that you upgrade the ASDM image before the OS image. ASDM is backward compatible, so you can upgrade the OS using the new ASDM; however, you cannot use an old ASDM image with a new OS.


Note If the adaptive security appliance is running version 8.0 or later, then you can upgrade to the latest version of ASDM (and disconnect and reconnect to start running it) before upgrading the OS.

If the adaptive security appliance is running a version earlier than 8.0, then use the already installed version of ASDM to upgrade both the OS and ASDM to the latest versions, and then reload.


This section includes the following topics:

Upgrading Using ASDM 6.2 or Below

Upgrading Using ASDM 6.3 or Above

Upgrading Using ASDM 6.2 or Below

Detailed Steps


Step 1 From the Tools menu, choose Tools > Upgrade Software from Cisco.com.

In multiple context mode, access this menu from the System.

The Upgrade Software from Cisco.com Wizard appears.


Note If you are running ASDM Version 5.2 or lower, then the Upgrade Software from Cisco.com Wizard is not available. You can download the software from the following URL:

http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=268438162

Then use Tools > Upgrade Software.


Step 2 Click Next.

The Authentication screen appears.

Step 3 Enter your Cisco.com username and password, and click Next.

The Image Selection screen appears.

Step 4 Check the Upgrade the ASA version check box and the Upgrade the ASDM version check box to specify the most current images to which you want to upgrade, and click Next.

The Selected Images screen appears.

Step 5 Verify that the image file you have selected is the correct one, and then click Next to start the upgrade.

The wizard indicates that the upgrade will take a few minutes. You can then view the status of the upgrade as it progresses.

The Results screen appears. This screen provides additional details, such as whether the upgrade failed or whether you want to save the configuration and reload the ASA.

If you upgraded the ASA version and the upgrade succeeded, an option to save the configuration and reload the ASA appears.

Step 6 Click Yes.

For the upgrade versions to take effect, you must save the configuration, reload the ASA, and restart ASDM.

Step 7 Click Finish to exit the wizard when the upgrade is finished.


Upgrading Using ASDM 6.3 or Above

Detailed Steps


Step 1 Choose Tools > Check for ASA/ASDM Updates.

In multiple context mode, access this menu from the System.

The Cisco.com Authentication dialog box appears.

Step 2 Enter your assigned Cisco.com username and the Cisco.com password, and then click Login.

The Cisco.com Upgrade Wizard appears.

Step 3 Complete the upgrade wizard.

Step 4 For the upgrade versions to take effect, check the Save configuration and reload device now check box to restart the adaptive security appliance and restart ASDM.

Step 5 Click Finish to exit the wizard and save the configuration changes that you made.


Unsupported Commands

ASDM supports almost all commands available for the adaptive security appliance, but ASDM ignores some commands in an existing configuration. Most of these commands can remain in your configuration; see Tools > Show Commands Ignored by ASDM on Device for more information.

This section includes the following topics:

Ignored and View-Only Commands

Effects of Unsupported Commands

Discontinuous Subnet Masks Not Supported

Interactive User Commands Not Supported by the ASDM CLI Tool

Ignored and View-Only Commands

Table 3 lists commands that ASDM supports in the configuration when added through the CLI, but that cannot be added or edited in ASDM. If ASDM ignores the command, it does not appear in the ASDM GUI at all. If the command is view-only, then it appears in the GUI, but you cannot edit it.

Table 3 List of Unsupported Commands 

| Unsupported Commands | ASDM Behavior |
| --- | --- |
| capture | Ignored. |
| coredump | Ignored. This can be configured only using the CLI. |
| dhcp-server (tunnel-group name general-attributes) | ASDM only allows one setting for all DHCP servers. |
| eject | Unsupported. |
| established | Ignored. |
| failover timeout | Ignored. |
| ipv6 nd prefix | Unsupported. |
| pager | Ignored. |
| pim accept-register route-map | Ignored. You can configure only the list option using ASDM. |
| prefix-list | Ignored if not used in an OSPF area. |
| service-policy global | Ignored if it uses a match access-list class. For an example, see the configuration that follows this table. |
| set metric | Ignored. |
| sysopt nodnsalias | Ignored. |
| sysopt uauth allow-http-cache | Ignored. |
| terminal | Ignored. |

Example of a service-policy global configuration that ASDM ignores:

access-list myacl line 1 extended permit ip any any
class-map mycm
 match access-list myacl
policy-map mypm
 class mycm
  inspect ftp
service-policy mypm global


Effects of Unsupported Commands

If ASDM loads an existing running configuration and finds other unsupported commands, ASDM operation is unaffected. To view the unsupported commands, choose Tools > Show Commands Ignored by ASDM on Device.

Discontinuous Subnet Masks Not Supported

ASDM does not support discontinuous subnet masks such as 255.255.0.255. For example, you cannot use the following:

ip address inside 192.168.2.1 255.255.0.255
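
The following pre-flight check is an added example, not Cisco code: it scans a saved configuration for the unconditional Table 3 entries, for a service-policy global whose policy map references a class map that uses match access-list, and for discontinuous subnet masks on ip address lines. The names audit, is_contiguous_mask and SAMPLE_CONFIG are assumptions, the sample configuration is constructed, and the conditional Table 3 entries (dhcp-server, prefix-list) are not checked.

```python
import re

# Table 3 entries that apply unconditionally, matched as command prefixes.
TABLE3 = {
    "capture": "ignored", "coredump": "ignored", "eject": "unsupported",
    "established": "ignored", "failover timeout": "ignored",
    "ipv6 nd prefix": "unsupported", "pager": "ignored",
    "pim accept-register route-map": "ignored", "set metric": "ignored",
    "sysopt nodnsalias": "ignored",
    "sysopt uauth allow-http-cache": "ignored", "terminal": "ignored",
}
DOTTED_QUAD = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def is_contiguous_mask(octets):
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    value = 0
    for octet in octets:
        if octet > 255:
            return False
        value = (value << 8) | octet
    inverted = ~value & 0xFFFFFFFF
    # A contiguous mask inverts to 2**n - 1, so adding 1 clears every set bit.
    return inverted & (inverted + 1) == 0


def audit(config_text):
    """Return sorted (line_number, command, reason) tuples for flagged lines."""
    findings = []
    acl_class_maps = set()   # class maps that contain "match access-list"
    policy_classes = {}      # policy-map name -> class names it references
    global_policies = []     # (line_number, line, policy-map name)
    context = (None, None)   # (block kind, block name) currently being read

    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()

        for prefix, status in TABLE3.items():
            if line == prefix or line.startswith(prefix + " "):
                findings.append((number, line, f"Table 3: {status}"))

        if line.startswith("ip address "):
            quads = [tuple(map(int, m.groups()))
                     for m in DOTTED_QUAD.finditer(line)]
            # The second dotted quad on an "ip address" line is the mask.
            if len(quads) >= 2 and not is_contiguous_mask(quads[1]):
                findings.append((number, line, "discontinuous subnet mask"))

        # Track class-map / policy-map blocks; the block name is the last word.
        if words[0] in ("class-map", "policy-map"):
            context = (words[0], words[-1])
            if words[0] == "policy-map":
                policy_classes.setdefault(words[-1], set())
        elif words[:2] == ["match", "access-list"] and context[0] == "class-map":
            acl_class_maps.add(context[1])
        elif words[0] == "class" and context[0] == "policy-map":
            policy_classes[context[1]].add(words[-1])
        elif words[0] == "service-policy" and words[-1] == "global":
            global_policies.append((number, line, words[1]))
            context = (None, None)

    # Resolve global policies last, once every class map has been seen.
    for number, line, policy in global_policies:
        hits = sorted(policy_classes.get(policy, set()) & acl_class_maps)
        if hits:
            findings.append((number, line, "Table 3: ignored, class "
                             + ", ".join(hits) + " uses match access-list"))
    return sorted(findings)


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
pager lines 24
interface Ethernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
ip address inside 192.168.2.1 255.255.0.255
access-list myacl line 1 extended permit ip any any
class-map mycm
 match access-list myacl
policy-map mypm
 class mycm
  inspect ftp
service-policy mypm global
"""

if __name__ == "__main__":
    for number, command, reason in audit(SAMPLE_CONFIG):
        print(f"line {number}: {command}  [{reason}]")
```
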

Interactive User Commands Not Supported by the ASDM CLI Tool

The ASDM CLI tool does not support interactive user commands. If you enter a CLI command that requires interactive confirmation, ASDM prompts you to enter "[yes/no]" but does not recognize your input. ASDM then times out waiting for your response.

For example:

1. From the ASDM Tools menu, click Command Line Interface.

2. Enter the crypto key generate rsa command.

ASDM generates the default 1024-bit RSA key.

3. Enter the crypto key generate rsa command again.

Instead of regenerating the RSA keys by overwriting the previous one, ASDM displays the following error:

Do you really want to replace them? [yes/no]:WARNING: You already have RSA 
ke0000000000000$A key
Input line must be less than 16 characters in length.

%Please answer 'yes' or 'no'.
Do you really want to replace them [yes/no]:

%ERROR: Timed out waiting for a response.
ERROR: Failed to create new RSA keys names <Default-RSA-key>

Workaround:

You can configure most commands that require user interaction by means of the ASDM panes.

For CLI commands that have a noconfirm option, use this option when entering the CLI command. For example:

crypto key generate rsa noconfirm

Open Caveats for Software Version 6.3

Table 4 lists the open caveats for Version 6.3. If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://www.cisco.com/support/bugtools

Table 4 Open Caveats in Version 6.3 

| Caveat ID | Description |
| --- | --- |
| CSCtb07337 | Preview window shows wild characters under logon page/language |
| CSCtb19950 | Route-map deletion: Requires a pop-up window when route-map is attached |
| CSCtb89469 | ASDM Upgrade From CCO allows same version |
| CSCtc12577 | Extra cmd related to shared redundant intf sent at every deployment |
| CSCtd05274 | Standby unit console will show all the object XML file when editing obj |
| CSCte51943 | Cannot expand some dialog boxes in Linux |
| CSCte58118 | For policy NAT mapped address, options are incorrect |
| CSCte67748 | Warning needed when direction is unidirectional for certain services |
| CSCte72290 | ASDM: Navigation Panel being removed causes confusion |
| CSCte75929 | ASDM: Upgrade from CCO wizard experiences ghosting on a Macintosh |
| CSCte83924 | ASDM: Include the filename extension in the script name (i.e .bat) |
| CSCte91390 | Public Server should support "--Any--" for Public Interface |
| CSCte95392 | NAT: ASDM should generate error message on EDIT object used in NAT |
| CSCte95652 | ASDM OLH: Smart Tunnels is a broken link |
| CSCtf01246 | IM classmap cannot be deleted when policy map is deleted first |
| CSCtf03431 | ASDM: TopN report showing as disabled after manual ASDM refresh. |
| CSCtf03898 | Unable to add network object through NAT config window |
| CSCtf07747 | Syslog-msgs.xml file inconsistent with the CCO user guide for ASA. |
| CSCtf07819 | ASDM:NAT:Egress traffic, address not correctly captured in diagram |
| CSCtf07846 | ASDM:Help section for Edit Static Nat rule is not appropriate |
| CSCtf08847 | Timeout issues when using IPS Setup Wizard |
| CSCtf11495 | ASDM AC Profile Editor: Indefinite XML validation when adding a profile |
| CSCtf11521 | ASDM AC Profile Editor: Group Policy drop down arrow missing |
| CSCtf11752 | ASDM AC Profile Editor: Inconsistent import profile behavior |
| CSCtf11811 | ASDM AC Profile Editor: Incorrect device path can be displayed in export |
| CSCtf11944 | ASDM AC Profile Editor: Unable to remove group policy |
| CSCtf12814 | Nothing happens when no protocol specified with protocol type specified |
| CSCtf13860 | Need a confirmation dialog when downgrading |
| CSCtf15050 | The PREVIEW Window doesn't show preview customized GUI |
| CSCtf15065 | Object NAT: Order of CLI send to ASA is not correct for object-group |
| CSCtf17658 | Promoted implicit object not displayed correctly for object groups |
| CSCtf17774 | ASDM: Rename Smart Tunnels "Parent Affinity" |
| CSCtf19237 | Object NAT: Edit NAT rule is not enabling service in Advance tab |
| CSCtf19789 | ASDM: AnyConnect Client Profile - Can't view all group policies |
| CSCtf19793 | Custom Panes Help incorrectly redirects to Device Management |
| CSCtf20578 | ASDM 6.3: Invalid values accepted for RTP min-max port with global MTA |
| CSCtf20616 | ASDM 6.3: UCM address details not applied to ASA after uc-ime is enabled |
| CSCtf22030 | DOC: ASDM does not support bookmark functionality |
| CSCtf22576 | Unable to delete nested object groups (nested to the maximum level ) |
| CSCtf23225 | HAS Wizard stops after changing peer to multi mode for A/A failover |
| CSCtf23277 | WebVPN http-proxy PAC configuration does not display |
| CSCtf25281 | exporting ID cert as PEM sends wrong CLI and shouldn't require password |
| CSCtf26239 | Custom Panes Help button pop up wrong online help information |
| CSCtf26413 | ASDM sends useless cmds with master passphrase if empty red intf exists |
| CSCtf26441 | ASDM: AC Profile Editor - Infinite refresh duration when in prof. editor |
| CSCtf26476 | Route Map -> Edit -> help leads to page not found |
| CSCtf29954 | Warning window pops up when we try to backup configuration |
| CSCtf31966 | Unable to specify empty string for the value field in Bookmarks UI |
| CSCtf32083 | Object NAT: Displaying blank if static translated addr as interface. |
| CSCtf32119 | NAT not tunable to a NAT rule if obj grp name starts with a number |
| CSCtf33370 | ASDM control for cert export are inaccurate + need info popup |
| CSCtf33394 | ASDM backup does not save ldap-login-password to startup-config |
| CSCtf35115 | Public Server: ASA Rejects CLI on "Edit Public Server" |
| CSCtf35237 | Help for current screen not working for few screens such as rules table |
| CSCtf36957 | Unable to add a redundant interface |


Resolved Caveats for Software Version 6.3(1)

Table 5 lists the resolved caveats for Version 6.3(1). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://www.cisco.com/support/bugtools

Table 5 Resolved Caveats in Version 6.3(1) 

Caveat ID
Description

CSCsu90066

Capability to Backup/Restore config/start-up configs

CSCsy47949

ASDM backup config - does not properly back up pre-shared key for TG

CSCsy60117

Unable to configure shun hosts in scanning threat detection

CSCsz34305

ASDM backup does not save ldap-login-password when exporting config

CSCta60218

ASDM: rewrite panel doesn't update screen after adding a rule

CSCta83701

VPN Peers licensing information is not shown on the Home page

CSCta83741

Tunnel Group authent CLI for Hide username from end user rejected by ASA

CSCtb11934

security scroll bar in DCERPC inspect maps not function properly

CSCtb12190

options in FTP Match Criterion does not match CLI

CSCtb53472

system resource usage: memory status bar chart does not work correctly

CSCtb70513

ASDM doesn't send cert chain Connection Profile change for IPv6 profile

CSCtb70615

VPN ASDM Assistant needs rework--better order flow and description

CSCtb89486

Smart tunnel list edit gives wrong CLI when inherit is select

CSCtb89646

DAP: Remove the error for 128 characters with combined URL lists

CSCtb98266

Site-to-site VPN: Cannot Add local/remote network to conn profile.

CSCtc01651

Class-map type inspect rtsp command is recognized by ASDM

CSCtc03470

DAP: Port-Forward Unchanged setting needs to gray out Add button

CSCtc13448

Redundant intf not deleted properly

CSCtc20263

Site-to-Site Wizard: entering invalid IP address creates bad tunn group.

CSCtc20331

Edit conn profile for L2L: Switch between v4 and v6 should clear nets

CSCtc20462

ASDM should not allow configuring no authorization + author required

CSCtc20820

L2L conn profile: the wrong ACL command sent when switch btw v4/v6.

CSCtc25081

Monitoring > VPN Sessions > Detail: Missing IPv6 ACL Tab.

CSCtc25382

IPsec Wizard - step 5: Local/remote nets do not correlate with net type.

CSCtc28937

IPsec Rules: bidirectional conn types should allow IPv4/IPv6 mixed peers

CSCtc53143

Erroneous warning when adding interface in System mode

CSCtc55353

Clicking cancel on Intrusion Prevention tab causes exception

CSCtc68210

Java exception when editing an originate only/ans only crypto map.

CSCtd01568

Site-to-site conn profile: Toggling network types only works once.

CSCtd35353

Failover status panel on homepage not working properly for A/A failover

CSCtd47400

ASDM: ACL Priority not saved in DAP

CSCtd64345

Unable to add more than one network object in an object group at a time.

CSCtd79439

Editing smart tunnel application failed

CSCtd82905

Long pre-shared key is truncated in the summary page of IPsec Wizard

CSCtd88278

Mac users unable to edit or view some fields in local CA Server options

CSCtd90392

IPv6 access rule will not allow ICMP6 service

CSCtd92261

Switching to another device throws an exception

CSCte04433

ASDM: Needs to gray out use LOCAL auth if Cert auth is being used

CSCte17617

Apply button causes exception when changing signature's configuration

CSCte36135

ASDM: SSHv2 plugin should be removed as an option

CSCte55748

ASDM: Incorrectly shows SVC compression as being enabled

CSCte58123

SVC Image Order modification not refreshed in ASDM

CSCte62006

ASDM ignores crypto maps with ipv6-local-address

CSCte70327

Failed to assign clientless sslvpn bookmark list with smart tunnel

CSCte83654

ASDM: AnyConnect Customization scripts facility

CSCte83873

ASDM: OnDisconnect script import fails for AnyConnect

CSCtf20814

ASDM HAS wizard waiting time is too short for A/A failover configuration

CSCtf21045

With Java 6, Update 18, IDM does not load due to heap size check


End-User License Agreement

For information on the end-user license agreement, go to: http://www.cisco.com/univercd/cc/td/doc/es_inpck/eu1jen__.pdf

Related Documentation

For additional information on ASDM or its platforms, see Navigating the Cisco ASA 5500 Series Documentation:

http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.