Release Notes for the Cisco ASA Device Package Software, Version 1.2(5.21) for ACI
Downloading the Software from Cisco.com
Resolved Caveats in the ASA Device Package Version 1.2(5.21)
Resolved Caveats in the ASA Device Package Version 1.2(5.5)
Obtaining Documentation and Submitting a Service Request
This document contains release information for the Cisco ASA Device Package software, Version 1.2(5.21) for ACI, and includes the following sections:
Cisco ASA Device Package Software supports only the version of APIC that it is shipped with.
Three caveats were resolved in release 1.2(5.21). For details, see the “Resolved Caveats in the ASA Device Package Version 1.2(5.21)” section.
This release includes support for Cisco TrustSec.
Cisco TrustSec enables you to avoid the extensive manual maintenance required for traditional network segmentation, which uses VLANs and access control lists (ACLs) that are based on IP addresses. Cisco TrustSec simplifies network segmentation by dynamically organizing machines into logical groups, called security groups, and enabling security policies to be written using security group tags.
Cisco TrustSec uses the Cisco Identity Services Engine as a centralized policy management platform to gather contextual data about who and what is accessing your network. You can then use this information to create security groups and to assign access rights based on role, function, location, and other criteria. For more information about Cisco TrustSec, see Cisco TrustSec “At-a-Glance”.
The following support for the Cisco TrustSec functionality is included in ASA Device Package 1.2(5):
– Server group used for environment data retrieval, specifically the Security Group table from ISE
– The source IP address of SXP connections and SXP peer IP address and their role
– The authentication password between SXP peers
– The retry interval for SXP connections
– The Cisco TrustSec SXP reconcile period
In the example below, only IP addresses that belong to the Security Group “Engineering” are allowed to access EPG App, while denying all other Security Groups.
Figure 1-1 Example Configuration
The PAC file from the ISE will need to be imported as part of pre-provisioning. Refreshing the environment data from the ISE will need to be done out-of-band.
For details about Configuring the ASA to Integrate with Cisco TrustSec, see: http://www.cisco.com/
c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/aaa_trustsec.pdf
Note Cisco Application Centric Infrastructure (ACI) does not have native support of the Security-group eXchange Protocol (SXP). Therefore, in order to use TrustSec in ASA for ACI, you must have an SXP-capable switch.
Cisco ACI is a distributed, scalable, multi-tenant infrastructure with external end-point connectivity controlled and grouped through application-centric policies. SXP is the protocol used to propagate the IP-to-SGT mapping database across network devices that do not have SGT-capable hardware support. The Cisco Application Policy Infrastructure Controller (APIC) is a unified point of automation, management, monitoring, and programmability for the Cisco ACI.
Tip To use TrustSec in ASA for ACI, changes to your network topology might be required. For details about the required topology and configuration examples, see the Cisco listing page shown below. This information will be available by March 14, 2016.
If you are running APIC 1.2(x) with ASA 9.3(1), which has a default SSL configuration, you will see the following error:
The workaround is to have ssl encryption aes128-sha1 configured on the ASA, or to upgrade the ASA to version 9.3(2) or later.
Symptom The Policy Manager crashes when the l3Out that is used for BGP peering for the service appliance has an incomplete configuration (CSCuw03425).
Conditions The l3Out used for BGP peering for the service appliance is missing l3extRsNodeL3OutAtt.
Workaround Make sure that the l3Out contains l3extRsNodeL3OutAtt. This problem will be fixed in a subsequent release.
The following shows the BGP XML example with l3extRsNodeL3OutAtt:
To upgrade, you do not need to remove the previous package if your APIC release has the fix for CSCuv4353. Otherwise, to upgrade from an older version to a newer, you need to remove the old version from APIC first, then install the new version.
To install the ASA Device Package software, see Cisco ASA Quick Start Guide for APIC Integration, 1.2 for instructions.
If you have a Cisco.com login, you can obtain the ASA Device Package image from the following website:
https://software.cisco.com/download/release.html?i=!y&mdfid=286119613&softwareid=286279676&release=1.2.4.1&os=
If you are a registered Cisco.com user, view more information about each caveat using Bug Search at the following website:
The following table contains the resolved caveats in ASA Device Package Version 1.2(5.21):
The following table contains the resolved caveats in ASA Device Package Version 1.2(5):
For additional information about the Cisco ASA, see Navigating the Cisco ASA Series Documentation.
For additional information about the Cisco APIC, see the APIC Documentation website and the Cisco Application Centric Infrastructure Security Solution website.
For additional information about Cisco TrustSec, see Cisco TrustSec “At-a-Glance”.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service