Onboard ASA Device to CDO
Use this procedure to onboard a single live ASA device, not an ASA model, to CDO. If you want to onboard multiple ASAs at once, see Onboard ASAs in Bulk.
Before you begin
-
Device must be running at least version 8.4+.
Note
TLS 1.2 was not available for the ASA management-plane until version 9.3(2). With version 9.3(2), a local SDC is required to onboard to CDO.
-
The running configuration file of your ASA must be less than 4.5 MB. To confirm the size of your running configuration file, see Confirming ASA Running Configuration Size.
-
IP addressing: Each ASA, ASAv, or ASA security context must have a unique IP address and the SDC must connect to it on the interface configured to receive management traffic.
If your ASA device does not have a compatible certificate, onboarding the device may fail. Ensure the following requirements are met:
-
The device uses a TLS version equal to or greater than 1.0.
-
The certificate presented by the device is not expired, and its issuance date is in the past (i.e. it is already valid, not scheduled to become valid at a later date).
-
The certificate must be a SHA-256 certificate. SHA1 certificates are not accepted.
-
One of these conditions is true:
-
The device uses a self-signed certificate, and it is the same as the most recent one trusted by an authorized user.
-
The device uses a certificate signed by a trusted Certificate Authority (CA), and provides a certificate chain linking the presented leaf certificate to the relevant CA.
-
If you experience certificate errors during the onboarding process, see Cannot onboard ASA due to certificate errorfor more information.
If the device does not have a compatible SSL cipher suite, the device cannot successfully communicate to the Secure Device Connector (SDC). Use any of the following cipher suites:
-
ECDHE-RSA-AES128-GCM-SHA256
-
ECDHE-ECDSA-AES128-GCM-SHA256
-
ECDHE-RSA-AES256-GCM-SHA384
-
ECDHE-ECDSA-AES256-GCM-SHA384
-
DHE-RSA-AES128-GCM-SHA256
-
ECDHE-RSA-AES128-SHA256
-
DHE-RSA-AES128-SHA256
-
ECDHE-RSA-AES256-SHA384
-
DHE-RSA-AES256-SHA384
-
ECDHE-RSA-AES256-SHA256
-
DHE-RSA-AES256-SHA256
If the cipher suite you use on your ASA is not in this list, the SDC does not support it and you will need to update the cipher suite on your ASA.
Procedure
Step 1 |
In the navigation bar, click Inventory. |
||
Step 2 |
Click the blue plus button to onboard an ASA. |
||
Step 3 |
Click the ASA tile. |
||
Step 4 |
In the Locate Device step, perform the following:
|
||
Step 5 |
In the Credentials step, enter the username and password of the ASA administrator, or similar highest-privilege ASA user, that CDO will use to connect to the device and click Next. |
||
Step 6 |
(Optional) In the Done step, enter a label for the device. You will be able to filter your list of devices by this label. See Labels and Label Groups for more information. |
||
Step 7 |
After labeling your device or service, you can view it in the Inventory list.
|