Guest

Cisco Services Modules

Release Notes for the Cisco Catalyst 6500 Series ASA Services Module, 8.5(x)

Hierarchical Navigation

Downloads

Table Of Contents

Release Notes for the Cisco ASA Services Module, Version 8.5(x)

Limitations and Restrictions

System Requirements

New Features

New Features in Version 8.5(1.7)

New Features in Version 8.5(1.6)

New Features in Version 8.5(1)

Upgrading the Software

Upgrading the ASA Image

Viewing Your Current Version

Upgrading the Operating System and ASDM Images

Upgrading the FPD Image

Open Caveats

End-User License Agreement

Related Documentation

Obtaining Documentation and Submitting a Service Request


Release Notes for the Cisco ASA Services Module, Version 8.5(x)

Released: July 7, 2011

Updated: March 5, 2012

This document contains release information for the Cisco ASA Services Module (ASASM) Version 8.5(x).

This document includes the following sections:

Limitations and Restrictions

System Requirements

New Features

Upgrading the Software

Open Caveats

End-User License Agreement

Related Documentation

Obtaining Documentation and Submitting a Service Request, page 11

Limitations and Restrictions

(8.5(1.7) and later) To use the Catalyst 6500E Supervisor 2T, you may need to upgrade the FPD image on the ASASM. See the "Upgrading the FPD Image" section for more information.

The ASASM is only available as a No Payload Encryption model for this release. The ASA software senses a No Payload Encryption model and disables the following features:

Unified Communications

VPN

You can still install the Strong Encryption (3DES/AES) license for use with management connections. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filer (which uses SSL).

When you view the license, VPN and Unified Communications licenses will not be listed.

System Requirements

For information about ASDM and Catalyst 6500 compatibility, see Cisco ASA Compatibility:

http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

New Features

New Features in Version 8.5(1.7)

New Features in Version 8.5(1.6)

New Features in Version 8.5(1)

New Features in Version 8.5(1.7)

Released: March 1, 2012

Table 1 lists the new features for ASA interim Version 8.5(1.7).

Note We recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will usually remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available.

We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each ASA interim release, see the interim release notes available on the Cisco.com software download site.

Table 1 New Features for ASA Interim Version 8.5(1.7) 

Feature
Description
Hardware Features

Support for the Catalyst 6500 Supervisor 2T

The ASA now interoperates with the Catalyst 6500 Supervisor 2T. For hardware and software compatibility, see: http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html.

Note You may have to upgrade the FPD image on the ASA. See the Upgrading procedure the in the release notes.

Multiple Context Features
Failover Features

Configure the connection replication rate during a bulk sync

You can now configure the rate at which the ASA replicates connections to the standby unit when using stateful failover. By default, connections are replicated to the standby unit during a 15 second period. However, when a bulk sync occurs (for example, when you first enable failover), 15 seconds may not be long enough to sync large numbers of connections due to a limit on the maximum connections per second. For example, the maximum connections on the ASA is 8 million; replicating 8 million connections in 15 seconds means creating 533K connections per second. However, the maximum connections allowed per second is 300K. You can now specify the rate of replication to be less than or equal to the maximum connections per second, and the sync period will be adjusted until all the connections are synced.

We introduced the following command: failover replication rate rate.

 


New Features in Version 8.5(1.6)

Released: January 27, 2012

Table 1 lists the new features for ASA interim Version 8.5(1.6).

Note We recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will usually remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available.

We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each ASA interim release, see the interim release notes available on the Cisco.com software download site.

Table 2 New Features for ASA Interim Version 8.5(1.6) 

Feature
Description
Multiple Context Features

Automatic generation of a MAC address prefix

In multiple context mode, the ASA now converts the automatic MAC address generation configuration to use a default prefix. The ASA auto-generates the prefix based on the last two bytes of the backplane MAC address. This conversion happens automatically when you reload, or if you reenable MAC address generation. The prefix method of generation provides many benefits, including a better guarantee of unique MAC addresses on a segment. You can view the auto-generated prefix by entering the show running-config mac-address command. If you want to change the prefix, you can reconfigure the feature with a custom prefix. The legacy method of MAC address generation is no longer available.

Note To maintain hitless upgrade for failover pairs, the ASA does not convert the MAC address method in an existing configuration upon a reload if failover is enabled. However, we strongly recommend that you manually change to the prefix method of generation when using failover. Without the prefix method, ASASMs installed in different slot numbers experience a MAC address change upon failover, and can experience traffic interruption. After upgrading, to use the prefix method of MAC address generation, reenable MAC address generation to use the default prefix.

We modified the following command: mac-address auto.

 


New Features in Version 8.5(1)

Released: July 8, 2011

Table 3 lists the new features for ASA Version 8.5(1). This ASA software version is only supported on the ASASM.

Note Version 8.5(1) includes all features in 8.4(1), plus the features listed in this table. The following features, however, are not supported in No Payload Encryption software, and this release is only available as a No Payload Encryption release:

VPN

Unified Communications

Features added in 8.4(2) are not included in 8.5(1) unless they are explicitly listed in this table.

Table 3 New Features forASA Version 8.5(1) 

Feature
Description
Hardware Features

Support for the ASA Services Module

We introduced support for the ASASM for the Cisco Catalyst 6500 E switch.

Firewall Features

Mixed firewall mode support in multiple context mode

You can set the firewall mode independently for each security context in multiple context mode, so some can run in transparent mode while others run in routed mode.

We modified the following command: firewall transparent.

 

Interface Features

Automatic MAC address generation is now enabled by default in multiple context mode

Automatic generation of MAC addresses is now enabled by default in multiple context mode.

We modified the following command: mac address auto.

 

NAT Features

Identity NAT configurable proxy ARP and route lookup

In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.

For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command) to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is removed.

We modified the following commands: nat static [no-proxy-arp] [route-lookup] (object network) and nat source static [no-proxy-arp] [route-lookup] (global).

Also available in Version 8.4(2).

PAT pool and round robin address assignment

You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and makes configuration of large numbers of PAT addresses easy.

Note Currently in 8.5(1), the PAT pool feature is not available as a fallback method for dynamic NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT (CSCtq20634).

We modifed the following commands: nat dynamic [pat-pool mapped_object [round-robin]] (object network) and nat source dynamic [pat-pool mapped_object [round-robin]] (global).

Also available in Version 8.4(2).

Switch Integration Features

Autostate

The switch supervisor engine can send autostate messages to the ASASM about the status of physical interfaces associated with ASA VLANs. For example, when all physical interfaces associated with a VLAN go down, the autostate message tells the ASA that the VLAN is down. This information lets the ASA declare the VLAN as down, bypassing the interface monitoring tests normally required for determining which side suffered a link failure. Autostate messaging provides a dramatic improvement in the time the ASA takes to detect a link failure (a few milliseconds as compared to up to 45 seconds without autostate support).

Note The switch supports autostate messaging only if you install a single ASA in the chassis.

See the following Cisco IOS command: firewall autostate.

Virtual Switching System

The ASASM supports VSS when configured on the switches. No ASA configuration is required.


Upgrading the Software

Note For users migrating from the FWSM, see Migrating to the Cisco ASA Services Module from the FWSM.

This section describes how to upgrade to the latest version of the ASA image or the Field-Programmable Device (FPD) image and includes the following topics:

Upgrading the ASA Image

Upgrading the FPD Image

Note For ASDM procedures, see the ASDM release notes.

Upgrading the ASA Image

Viewing Your Current Version

Upgrading the Operating System and ASDM Images

Viewing Your Current Version

Use the show version command to verify the software version of your ASA.

Upgrading the Operating System and ASDM Images

This section describes how to install the ASDM and operating system (OS) images using TFTP. For FTP or HTTP, see the "Managing Software and Configurations" chapter in the configuration guide.

We recommend that you upgrade the ASDM image before the OS image. ASDM is backward compatible, so you can upgrade the OS using the new ASDM; however you cannot use an old ASDM image with a new OS.

For information about upgrading software in a failover pair, see the "Performing Zero Downtime Upgrades for Failover Pairs" chapter in the configuration guide.

Detailed Steps

Step 1 If you have a Cisco.com login, you can obtain the OS and ASDM images from the following website:

http://www.cisco.com/cisco/pub/software/portal/select.html?&i=!m&mdfid=283783691

Step 2 Back up your configuration file. To print the configuration to the terminal, enter the following command: 

hostname# show running-config

Copy the output from this command, then paste the configuration in to a text file.

For other methods of backing up, see the "Managing Software and Configurations" chapter in the configuration guide.

Step 3 Install the new images using TFTP. Enter this command separately for the OS image and the ASDM image: 

hostname# copy tftp://server[/path]/filename disk0:/[path/]filename

For example: 

hostname# copy tftp://10.1.1.1/asa851-k8.bin disk0:/asa851-k8.bin

...

hostname# copy tftp://10.1.1.1/asdm-651.bin disk0:/asdm-651.bin

If your ASA does not have enough memory to hold two images, overwrite the old image with the new one by specifying the same destination filename as the existing image.

Step 4 To change the OS boot image to the new image name, enter the following commands: 

hostname(config)# clear configure boot

hostname(config)# boot system disk0:/[path/]new_filename

For example: 

hostname(config)# clear configure boot

hostname(config)# boot system disk0:/asa851-k8.bin

Step 5 To configure the ASDM image to the new image name, enter the following command: 

hostname(config)# asdm image disk0:/[path/]new_filename

For example: 

hostname(config)# asdm image disk0:/asdm-651.bin

Step 6 To save the configuration and reload, enter the following commands: 

hostname(config)# write memory

hostname(config)# reload

Upgrading the FPD Image

The ASA includes a separate FPD image that you can update using Cisco IOS software on the switch.

Detailed Steps

Step 1 Determine if an FPD upgrade is required using the show hw-module all fpd IOS command on the switch.

If the ASA has the minimum required version, no further action is necessary. If an FPD image package needs an upgrade, proceed to the next step.

The following sample output indicates that the ASA does not meet the minimum version requirements. 

Router# show hw-module all fpd

==== ====================== ====== =============================================

                             H/W   Field Programmable   Current   Min. Required

Slot Card Type               Ver.  Device: "ID-Name"    Version      Version

==== ====================== ====== ================== =========== ==============

   1 WS-SVC-ASA-SM1          1.0   1-TRISUL FPGA          1.8        1.10

==== ====================== ====== =============================================

Step 2 If you have a Cisco.com login, you can obtain the FPD image from the following website:

http://www.cisco.com/cisco/pub/software/portal/select.html?&i=!m&mdfid=283783691

Step 3 Download the FPD image package to the switch flash memory.

See the switch documentation for more information about downloading files to flash memory.

Step 4 Verify the contents of the FPD image package using the show upgrade fpd file file-url command.

The file-url argument is the location and name of the FPD image package file. For example, the following command successfully verifies the image (see the TRIFECTA card type for the ASASM): 

Router# show upgrade fpd file disk0:c6500-fpd-pkg.1.10.pkg

Cisco Field Programmable Device Image Package for IOS

C6500 Family FPD Image Package (c6500-fpd-pkg.1.10.pkg), Version 15.0(0)SY99.41

Copyright (c) 2004-2012 by cisco Systems, Inc.

Built Thu 12-Jan-2012 14:46 by integ

=============================== ================================================

                                        Bundled FPD Image Version Matrix

                                ================================================

                                                                       Min. Req.

Supported Card Types            ID  Image Name                Version  H/W Ver.

=============================== == ========================= ========= =========

2-port T3/E3 Serial SPA          1 T3E3 SPA ROMMON              2.12      0.0

                                 2 T3E3 SPA I/O FPGA            0.24      0.0

                                 3 T3E3 SPA E3 FPGA             1.4       0.0

                                 4 T3E3 SPA T3 FPGA             1.4       0.0

------------------------------- -- ------------------------- --------- ---------

4-port T3/E3 Serial SPA          1 T3E3 SPA ROMMON              2.12      0.0

                                 2 T3E3 SPA I/O FPGA            0.24      0.0

                                 3 T3E3 SPA E3 FPGA             1.4       0.0

                                 4 T3E3 SPA T3 FPGA             1.4       0.0

...

------------------------------- -- ------------------------- --------- ---------

TRIFECTA                         1 Trifecta  DPFPGA             1.10      0.0

=============================== ================================================

Step 5 Upgrade the FPD using the upgrade hw-module slot slot-number fpd file file-url command.

The slot-number argument indicates the chassis slot location of the ASA. The file-url argument is the location and name of the FPD image package file. For example, to upgrade the ASA in slot 2, enter the following command: 

Router# upgrade hw-module slot 2 fpd file disk0:c6500-fpd-pkg.1.10.pkg

% The following FPD will be upgraded for WS-SVC-ASA-SM1 (H/W ver = 1.0) in slot 2:

 ================== =========== =========== ============ 

 Field Programmable   Current     Upgrade   Estimated 

 Device: "ID-Name"    Version     Version   Upgrade Time 

 ================== =========== =========== ============ 

 1-TRISUL FPGA          1.8         1.10      00:06:30

 ================== =========== =========== ============ 

% NOTES:

  - Use 'show upgrade fpd progress' command to view the progress of the FPD

    upgrade.

   - Since the target card is currently in disabled state, it will be 

     automatically reloaded after the upgrade operation for the changes to 

     take effect.

WARNING: The target card will be reloaded in order to start FPD image 

         upgrade. This action will interrupt normal operation of the card.

         If necessary, ensure that appropriate actions have been taken to 

         redirect card traffic before starting the upgrade operation.

% Are you sure that you want to perform this operation? [no]: yes

% Reloading the target card for FPD image upgrade ... Done!

% Upgrade operation will start in the background once the target card gets 

  initialized after the reload operation. Please wait ...

  (Use "show upgrade fpd progress" command to see upgrade progress)

Step 6 Verify that the FPD upgrade is complete using the show upgrade fpd progress command.

The following example shows that the FPD upgrade is updating: 

Router# show upgrade fpd progress

FPD Image Upgrade Progress Table:

 ==== =================== ====================================================

                                               Approx.

                          Field Programmable    Time     Elapsed

 Slot Card Type           Device : "ID-Name"   Needed      Time    State

 ==== =================== ================== ========== ========== ===========

    2 WS-SVC-ASA-SM1      1-TRISUL FPGA       00:06:30   00:00:24  Updating...

 ==== =================== ====================================================

The following example shows that the FPD upgrade is complete, because the upgrade is no longer in progress: 

Router# show upgrade fpd progress

% There is no FPD image upgrade in progress.

Step 7 Verify that the FPD upgrade was successful using the show hw-module all fpd command.

Open Caveats

Table 4 contains open caveats in the latest maintenance release.

If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolKit/

.

Table 4 Open Caveats in ASA Version 8.5

Caveat
Description

CSCtq41035

incorrect interface MAC address after failover


End-User License Agreement

For information on the end-user license agreement, go to the following URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/eu1jen__.pdf

Related Documentation

For additional information about ASDM or its platforms, see Navigating the Cisco ASA Documentation:

http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.

This document is to be used in conjunction with the documents listed in the "Related Documentation" section.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

©2011-2012 Cisco Systems, Inc. All rights reserved