Release Notes for Cisco ASDM, Version 7.2(x)
ASDM Client Operating System and Browser Requirements
Java and Browser Compatibility
Installing an Identity Certificate for ASDM
Maximum Configuration Size in ASDM
New Features in Version 7.2(2)
New Features in Version 7.2(1)
Open Caveats in Version 7.2(2)
Open Caveats in Version 7.2(1)
Obtaining Documentation and Submitting a Service Request
This document contains release information for Cisco ASDM Version 7.2(x) for the Cisco ASA series. This document includes the following sections:
a. Choose Configuration > Device Management > Users/AAA > AAA Access > Authorization, and click Configure Command Privileges.
b. Select more, and click Edit.
Table 1 lists the supported and recommended client operating systems and Java for ASDM.
Table 2 lists compatibility caveats for Java, ASDM, and browsers.
To continue using the Launcher, do one of the following:
Note ASDM 7.1(5) and earlier are not supported with Java 7 update 51. If you already upgraded Java, and can no longer launch ASDM in order to upgrade it to Version 7.2, then you can either use the CLI to upgrade ASDM, or you can add a security exception in the Java Control Panel for each ASA you want to manage with ASDM. See the “Workaround” section at http://java.com/en/download/help/java_blocked.xml. After adding the security exception, launch the older ASDM and then upgrade to 7.2.
In rare cases, online help does not load when using Java Web Start
In rare cases, when launching online help, the browser window loads, but the content fails to appear. The browser reports an error: “Unable to connect”.
a. Launch the Java Control Panel.
d. Clear this parameter: -Djava.net.preferIPv6Addresses=true
ASDM shows a yellow warning about the missing Permissions attribute when using an untrusted certificate
Due to a bug in Java, if you do not have a trusted certificate installed on the ASA, you see a yellow warning about a missing Permissions attribute in the JAR manifest. It is safe to ignore this warning; ASDM 7.2 includes the Permissions attribute. To prevent the warning from appearing, install a trusted certificate (from a known CA); or generate a self-signed certificate on the ASA by choosing Configuration > Device Management > Certificates > Identity Certificates. Launch ASDM, and when the certificate warning is shown, check the Always trust connections to websites check box.
ASDM requires an SSL connection to the ASA. If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you cannot launch ASDM. You must uninstall Java 7, and install Java 6 (http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase6-419409.html). Note that a workaround is required for weak encryption and Java 6 (see below, in this table).
Due to a Java bug, ASDM does not support usernames longer than 50 characters when using Java 6. Longer usernames work correctly for Java 7.
Requires strong encryption license (3DES/AES) on ASA or workaround
When you initially connect a browser to the ASA to load the ASDM splash screen, the browser attempts to make an SSL connection to the ASA. If the ASA has only the base encryption license (DES), and therefore has weak encryption ciphers for the SSL connection, you may not be able to access the ASDM splash screen; most current browsers do not support weak encryption ciphers. Therefore, without the strong encryption license (3DES/AES), use one of the following workarounds:
When the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority.
If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome “SSL false start” feature. We suggest re-enabling one of these algorithms (see the Configuration > Device Management > Advanced > SSL Settings pane); or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to http://www.chromium.org/developers/how-tos/run-chromium-with-flags.
For Internet Explorer 9.0 for servers, the “Do not save encrypted pages to disk” option is enabled by default (see Tools > Internet Options > Advanced). This option causes the initial ASDM download to fail. Be sure to disable this option to allow ASDM to download.
On OS X, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.
You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.
1. To allow ASDM to run, right-click (or Ctrl-Click) the Cisco ASDM-IDM Launcher icon, and choose Open.
2. You see a similar error screen; however, you can open ASDM from this screen. Click Open. The ASDM-IDM Launcher opens.
When using the current Java version, the ASDM Launcher requires a trusted certificate. An easy approach to fulfill the certificate requirements is to generate a self-signed identity certificate and to configure the ASA to use it when establishing an SSL connection. After you generate the identity certificate and configure the ASA, you need to register it with the Java Control Panel on your computer. You can use Java Web Start to launch ASDM until you install a certificate.
See the following document to install a self-signed identity certificate on the ASA for use with ASDM, and to register the certificate with Java.
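The ASA side of the approach described above, as an added example that is not taken from the Cisco document referenced here. It assumes you are in global configuration mode on the ASA CLI; the key-pair label ASDM_KEY, the trustpoint name ASDM_TP, the host name asa.example.com and the interface name management are placeholders.

```cisco
! Added example; ASDM_KEY, ASDM_TP, asa.example.com and "management" are placeholders.

! 1. Generate a dedicated RSA key pair for the identity certificate.
crypto key generate rsa label ASDM_KEY modulus 2048

! 2. Define a self-enrolled (self-signed) trustpoint bound to that key pair.
!    The CN should match the name or address you type into the ASDM Launcher.
crypto ca trustpoint ASDM_TP
 enrollment self
 fqdn asa.example.com
 subject-name CN=asa.example.com
 keypair ASDM_KEY
 exit

! 3. Issue the self-signed identity certificate.
crypto ca enroll ASDM_TP noconfirm

! 4. Present this certificate on the interface ASDM connects to.
ssl trust-point ASDM_TP management

! 5. Confirm the certificate exists and that the SSL binding took effect.
show crypto ca certificates ASDM_TP
show running-config ssl

! 6. Print the identity certificate in PEM form for import on the client.
crypto ca export ASDM_TP identity-certificate
```

Save the PEM text printed by the last command to a file on the management computer; that file is the certificate you register with the Java Control Panel.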
For information about ASA/ASDM requirements and compatibility, see Cisco ASA Compatibility:
http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html
For VPN compatibility, see the Supported VPN Platforms, Cisco ASA 5500 Series:
http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html
To increase the ASDM heap memory size, download the ASDM-IDM Launcher, and then modify the ASDM-IDM Launcher shortcut by performing the following steps.
a. Right-click the shortcut for the Cisco ASDM-IDM Launcher, and choose Properties.
c. In the Target field, change the argument prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.
a. Right-click the Cisco ASDM-IDM icon, and choose Show Package Contents.
b. In the Contents folder, double-click the Info.plist file. If you have Developer tools installed, it opens in the Property List Editor. Otherwise, it opens in TextEdit.
c. Under Java > VMOptions, change the string prefixed with “-Xmx” to specify your desired heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.
d. If this file is locked, you see an error such as the following:
e. Click Unlock and save the file.
If you do not see the Unlock dialog box, exit the editor, right-click the Cisco ASDM-IDM icon, choose Copy Cisco ASDM-IDM, and paste it to a location where you have write permissions, such as the Desktop. Then change the heap size from this copy.
Table 3 lists the new features for ASA Version 9.2(2.4)/ASDM Version 7.2(2).
Note Version 9.2(2) was removed from Cisco.com due to build issues; please upgrade to Version 9.2(2.4) or later.
Table 4 lists the new features for ASA Version 9.2(1)/ASDM Version 7.2(1).
Note The ASA 5510, ASA 5520, ASA 5540, ASA 5550, and ASA 5580 are not supported in this release or later. ASA Version 9.1 was the final release for these models.
See http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/upgrade/upgrade92.html.
Table 5 contains open caveats in ASDM software Version 7.2(2).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
https://tools.cisco.com/bugsearch
Table 6 contains open caveats in ASDM software Version 7.2(1).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
Table 7 contains the resolved caveats in ASDM software Version 7.2(1).
Registered Cisco.com users can view more information about each caveat by using Bug Search at the following website:
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation:
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.
To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What’s New in Cisco Product Documentation RSS feed. The RSS feeds are a free service.