
What’s New in CSM 4.19 and ASDM 7.12.1 Releases

CSM 4.19

We recently announced the release of ASA 9.12.1, which contains a rich feature set aimed at helping our customers meet their higher throughput needs with support for the new SM-40 and SM-48 modules on the FPR9300 platform, along with support for the 4115, 4125 and 4145 models of the FPR4100 platform. The release also focused on our service provider customers by bridging the gap with features such as CGNAT interim logging for port block allocation and updated GTPv1 support (release 10, RLS10). This release also introduces the integration of ASA with Umbrella.

What’s New

This release includes the following new features and enhancements:

Support for ASA 9.12(1)

  • Support for CGNAT enhancements—The CGNAT interim logging feature allows you to configure a timer interval at which a syslog is generated for all the port blocks that are active at that point in time. You can configure it on the Policies > NAT > Global Options page. This feature is supported on cluster and failover topologies of ASA 9.12(1) and higher devices.
  • Support for Umbrella connector global enhancements—In Cisco Security Manager 4.18, the Umbrella Connector Global Configuration page was introduced under Device Administration. In Cisco Security Manager 4.19, further enhancements are made: configuring the Umbrella IPv4 resolver, the Umbrella IPv6 resolver, and the local domain bypass regex value.
  • OSPF key chain support—Beginning with version 4.19, Cisco Security Manager supports OSPF key chain authentication. This feature allows you to configure key chain authentication for OSPF virtual links and OSPF interfaces. In Cisco Security Manager, you add the key chain in the Policy Object Manager and configure it on the OSPF authentication page for ASA 9.12(1) or higher devices.
  • Support for security requirements over IPv6—Earlier, IPv6 support was not available for the NTP server. Beginning with Cisco Security Manager 4.19, IPv6 support is provided.
  • Deprecation of DH Group 1—Cisco Security Manager supports numerous DH group algorithms in various policies. DH groups determine the strength of the key used in the key exchange process. DH Group 1 is no longer considered secure against current threats. Hence, beginning with CSM 4.19, DH Group 1 support is removed for ASA 9.12(1) or higher devices.
  • Removal of trustpool import default bundle—To comply with the PSB requirement, the Trustpool Import Default Bundle option is removed from the trusted pool policy (under Remote Access VPN) for ASA 9.12(1) or higher devices.
  • Provision for management access sessions on ASA devices—Beginning with 4.19, Cisco Security Manager allows you to enforce a limit on the maximum number of admin sessions across all connection types and usernames. Quotas are also provisioned for the maximum number of concurrent sessions per username, as well as per-protocol limits, on ASA 9.12(1) or higher devices. The configured session concurrency limits are enforced before the incoming administrative session is authenticated.
  • Support to capture control packets on the cluster interface—Beginning with 4.19, Cisco Security Manager allows capture of control packets on the cluster interface of ASA devices. This new static interface option allows you to capture cluster control plane packets. This information is useful for troubleshooting issues on a cluster, especially in multi-context mode.

Resolved and Open Bugs

For information on fixes for various problems, see Resolved caveats—Release 4.19.

Related Documents

For additional information on CSM, see Release Notes.

ASDM 7.12.1

Cisco's Adaptive Security Device Manager (ASDM) is the GUI tool used to manage Cisco ASA security appliances. This section contains the new features, resolved and open bugs, and related documentation for the ASDM 7.12.1 release.

What’s New

This release includes the following new features and enhancements:

Feature

Description

Platform Features

Support for ASA and FTD on separate modules of the same Firepower 9300

You can now deploy ASA and FTD logical devices on the same Firepower 9300.

Requires FXOS 2.6.1.

No modified screens.

Firewall Features

GTPv1 release 10.12 support.

The system now supports GTPv1 release 10.12. Previously, the system supported release 6.1. The new support includes recognition of 25 additional GTPv1 messages and 66 information elements.

In addition, there is a behavior change. Now, any unknown message IDs are allowed. Previously, unknown messages were dropped and logged.

No modified screens.

Cisco Umbrella Enhancements.

You can now identify local domain names that should bypass Cisco Umbrella. DNS requests for these domains go directly to the DNS servers without Umbrella processing. You can also identify which Umbrella servers to use for resolving DNS requests. Finally, you can define the Umbrella inspection policy to fail open, so that DNS requests are not blocked if the Umbrella server is unavailable.

New/Modified screens: Configuration > Firewall > Objects > Umbrella, Configuration > Firewall > Objects > Inspect Maps> DNS.

The object group search threshold is now disabled by default.

If you enabled object group search, the feature was subject to a threshold to help prevent performance degradation. That threshold is now disabled by default. You can enable it by using the object-group-search threshold command.

We changed the following screen: Configuration > Access Rules > Advanced.

Interim logging for NAT port block allocation.

When you enable port block allocation for NAT, the system generates syslog messages during port block creation and deletion. If you enable interim logging, the system generates message 305017 at the interval you specify. The messages report all active port blocks allocated at that time, including the protocol (ICMP, TCP, UDP) and source and destination interface and IP address, and the port block.

New/Modified screen: Configuration > Firewall > Advanced > PAT Port Block Allocation.

VPN Features

New condition option for debug aaa.

The condition option was added to the debug aaa command. You can use this option to filter VPN debugging based on group name, user name, or peer IP address.

No modified screens.

Support for RSA SHA-1 in IKEv2

You can now generate a signature using the RSA SHA-1 hashing algorithm for IKEv2.

New/Modified screens:

View the default SSL configuration for both DES and 3DES encryption licenses as well as available ciphers

You can now view the default SSL configuration with and without the 3DES encryption license. In addition, you can view all the ciphers supported on the device.

New/Modified commands: show ssl information

No modified screens.

Add subdomains to webVPN HSTS

Allows domain owners to submit what domains should be included in the HSTS preload list for web browsers.

New/Modified screens:

Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Proxies > Enable HSTS Subdomains field

High Availability and Scalability Features

Per-site gratuitous ARP for clustering

The ASA now generates gratuitous ARP (GARP) packets to keep the switching infrastructure up to date: the highest priority member at each site periodically generates GARP traffic for the global MAC/IP addresses. When using per-site MAC and IP addresses, packets sourced from the cluster use a site-specific MAC address and IP address, while packets received by the cluster use a global MAC address and IP address. If traffic is not generated from the global MAC address periodically, you could experience a MAC address timeout on your switches for the global MAC address. After a timeout, traffic destined for the global MAC address will be flooded across the entire switching infrastructure, which can cause performance and security concerns. GARP is enabled by default when you set the site ID for each unit and the site MAC address for each Spanned EtherChannel.

New/Modified screens: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration > Site Periodic GARP field

Routing Features

OSPF Keychain support for authentication

OSPF authenticates neighbors and route updates using MD5 keys. In ASA, the keys used to generate the MD5 digest had no lifetime associated with them, so user intervention was required to change the keys periodically. To overcome this limitation, OSPFv2 now supports MD5 authentication with rotating keys.

Based on the accept and send lifetimes of the keys in the key chain, OSPF authenticates, accepts or rejects keys and forms adjacency.

New/Modified screens:

  • Configuration > Device Setup > Key Chain
  • Configuration > Device Setup > Routing > OSPF > Setup > Authentication
  • Configuration > Device Setup > Routing > OSPF > Setup > Virtual Link
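The accept/send lifetime behaviour described above, as an added example that is not ASA or ASDM code: a small model of a key chain in which the sender picks the key whose send lifetime covers the current time, and the receiver accepts a packet only if the received key ID is still inside its accept lifetime. The MD5 construction follows RFC 2328 Appendix D (key zero-padded to 16 bytes and appended to the packet); the chain, packet bytes and the lowest-key-ID tie-break are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class KeyChainKey:
    key_id: int
    secret: bytes
    accept_start: int  # accept lifetime [start, end), epoch seconds
    accept_end: int
    send_start: int    # send lifetime [start, end), epoch seconds
    send_end: int

def ospf_md5_digest(packet: bytes, secret: bytes) -> bytes:
    # RFC 2328 App. D: key zero-padded/truncated to 16 bytes, appended, then MD5.
    return hashlib.md5(packet + secret.ljust(16, b"\x00")[:16]).digest()

def select_send_key(chain, now):
    """Key for outgoing packets: send lifetime must cover now (lowest ID on overlap, an assumption)."""
    live = [k for k in chain if k.send_start <= now < k.send_end]
    return min(live, key=lambda k: k.key_id) if live else None

def sign(packet, chain, now):
    key = select_send_key(chain, now)
    if key is None:
        raise RuntimeError("no key has a valid send lifetime")
    return key.key_id, ospf_md5_digest(packet, key.secret)

def verify(packet, key_id, digest, chain, now):
    """Accept only a known key ID whose accept lifetime covers now and whose digest matches."""
    for key in chain:
        if key.key_id == key_id and key.accept_start <= now < key.accept_end:
            return hmac.compare_digest(ospf_md5_digest(packet, key.secret), digest)
    return False  # unknown or expired key: packet rejected, adjacency not formed

# Constructed rollover chain: key 1 stops being sent at t=100 but is still
# accepted until t=200, so a neighbour that rotates a little late keeps adjacency.
CHAIN = [
    KeyChainKey(1, b"old-secret", accept_start=0, accept_end=200, send_start=0, send_end=100),
    KeyChainKey(2, b"new-secret", accept_start=50, accept_end=10**9, send_start=100, send_end=10**9),
]
PACKET = b"constructed OSPF hello bytes"

def rollover_demo():
    """Returns (key ID used at t=10, key ID used at t=150, old key accepted at t=150, at t=250)."""
    old_id, old_digest = sign(PACKET, CHAIN, 10)
    new_id, _ = sign(PACKET, CHAIN, 150)
    return (old_id, new_id, verify(PACKET, old_id, old_digest, CHAIN, 150),
            verify(PACKET, old_id, old_digest, CHAIN, 250))
```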

Certificate Features

Local CA configurable FQDN for enrollment URL

To make the FQDN of the enrollment URL configurable instead of using the ASA's configured FQDN, a new CLI option is introduced. This new option is added to the smtp mode of crypto ca server.

New/Modified commands: fqdn

Administrative, Monitoring, and Troubleshooting Features

enable password change now required on a login

The default enable password is blank. When you try to access privileged EXEC mode on the ASA, you are now required to change the password to a value of 3 characters or longer. You cannot keep it blank. The no enable password command is no longer supported.

At the CLI, you can access privileged EXEC mode using the enable command, the login command (with a user at privilege level 2+), or an SSH or Telnet session when you enable aaa authorization exec auto-enable. All of these methods require you to set the enable password.

This password change requirement is not enforced for ASDM logins. In ASDM, by default, you can log in without a username and with the enable password.

No modified screens.

Configurable limitation of admin sessions

You can configure the maximum number of aggregate, per-user, and per-protocol administrative sessions. Formerly, you could configure only the aggregate number of sessions. This feature does not affect console sessions. Note that in multiple context mode, you cannot configure the number of HTTPS sessions, where the maximum is fixed at five sessions. The quota management-session command is also no longer accepted in the system configuration and is instead available in the context configuration. The maximum number of aggregate sessions is now 15; if you configured 0 (unlimited) or 16 or more, the value is changed to 15 when you upgrade.

New/Modified screens: Configuration > Device Management > Management Access > Management Session Quota
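The quota rules described above (and in the CSM 4.19 "management access sessions" bullet), as an added model that is not ASA code: an admission decision taken before authentication that applies the aggregate, per-user and per-protocol limits, exempts console sessions, pins HTTPS to five in multiple context mode, and normalises a pre-upgrade aggregate of 0 or 16+ to 15. Usernames, protocol names and limit values are constructed.

```python
from collections import Counter

MAX_AGGREGATE = 15  # ceiling in ASA 9.12(1) as described on the page

def upgraded_aggregate(configured: int) -> int:
    """A configured aggregate of 0 (unlimited) or 16+ becomes 15 on upgrade."""
    return MAX_AGGREGATE if configured == 0 or configured >= 16 else configured

class SessionQuota:
    def __init__(self, aggregate, per_user, per_protocol, multiple_context=False):
        self.aggregate = upgraded_aggregate(aggregate)
        self.per_user = per_user
        self.per_protocol = dict(per_protocol)
        if multiple_context:
            self.per_protocol["https"] = 5  # fixed, not configurable, per the page
        self.active = []  # (username, protocol) of admitted sessions

    def admit(self, user: str, protocol: str) -> bool:
        """Admission decision made before authentication; console sessions are not counted."""
        if protocol == "console":
            self.active.append((user, protocol))
            return True
        counted = [s for s in self.active if s[1] != "console"]
        if len(counted) >= self.aggregate:
            return False
        if Counter(u for u, _ in counted)[user] >= self.per_user:
            return False
        limit = self.per_protocol.get(protocol)
        if limit is not None and Counter(p for _, p in counted)[protocol] >= limit:
            return False
        self.active.append((user, protocol))
        return True

def demo():
    """Constructed scenario: aggregate 0 (normalised to 15), 2 per user, 3 SSH, multiple context mode."""
    q = SessionQuota(aggregate=0, per_user=2, per_protocol={"ssh": 3}, multiple_context=True)
    results = [q.admit("alice", "ssh"), q.admit("alice", "ssh"), q.admit("alice", "ssh"),
               q.admit("bob", "ssh"), q.admit("carol", "ssh"), q.admit("dave", "https"),
               q.admit("dave", "console")]
    return q.aggregate, q.per_protocol["https"], results
```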

Notifications for administrative privilege level changes

When you authenticate for enable access (aaa authentication enable console) or allow privileged EXEC access directly (aaa authorization exec auto-enable), the ASA now notifies users if their assigned access level has changed since their last login.

New/Modified screens:

Status bar > Login History icon

NTP support on IPv6

You can now specify an IPv6 address for the NTP server.

New/Modified screens: Configuration > Device Setup > System Time > NTP > Add button > Add NTP Server Configuration dialog box

SSH stronger security

See the following SSH security improvements:

  • SSH version 1 is no longer supported; only version 2 is supported.
  • Diffie-Hellman Group 14 SHA256 key exchange support. This setting is now the default. The former default was Group 1 SHA1.
  • HMAC-SHA256 integrity cipher support. The default is now the high security set of ciphers (hmac-sha1 and hmac-sha2-256). The former default was the medium set.

New/Modified screens:

  • Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH
  • Configuration > Device Management > Advanced > SSH Ciphers

Allow non-browser-based HTTPS clients to access the ASA

You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.

New/Modified screens:

Configuration > Device Management > Management Access > HTTP Non-Browser Client Support

Capture control plane packets only on the cluster control link

You can now capture control plane packets only on the cluster control link (and no data plane packets). This option is useful in the system in multiple context mode where you cannot match traffic using an ACL.

New/Modified screens:

Wizards > Packet Capture Wizard > Cluster Option

debug conn command

The debug conn command was added to provide two history mechanisms that record connection processing. The first history list is a per-thread list that records the operations of the thread. The second history list is a list that records the operations into the conn-group. When a connection is enabled, processing events such as a connection lock, unlock, and delete are recorded into the two history lists. When a problem occurs, these two lists can be used to look back at the processing to determine the incorrect logic.

New/Modified commands: debug conn

show tech-support includes additional output

The output of show tech-support is enhanced to include the output of the following commands:

  • show ipv6 interface
  • show aaa-server
  • show fragment

New/Modified commands: show tech-support

ASDM support to enable and disable the results for free memory and used memory statistics during SNMP walk operations

To avoid overutilization of CPU resources, you can enable and disable the query of free memory and used memory statistics collected through SNMP walk operations.

New or modified screen: Configuration > Device Management > Management Access > SNMP

Configurable graph update interval for the ASDM Home pane for the System in multiple-context mode

For the System in multiple context mode, you can now set the amount of time between updates for the graphs on the Home pane.

New/Modified screens:

Tools > Preferences > Graph User time interval in System Context

Resolved and Open Bugs

For information on fixes for various problems, see Resolved Bugs in Version 7.12(1).

Related Documents

For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.

- Authored by Kaushik Swaminathan

3 Comments
Beginner

Just found out the hard way today a couple of issues on ASDM version 7.12(1):

-  Site to site VPN tunnel quit working after changing the key using ASDM. Had to change the key via CLI.

-  Major issue which took entire sites down: When I tried to move the NAT rule using ASDM, whichever existing rule slot I moved it to (i.e. moving a NAT rule from position 70 to 72), it would overtake the position and remove the existing rule completely. I've tested with my colleague several times and it's true every single time. It's a very convenient way to move NAT rules around using ASDM (upper/lower arrow tabs), but this is just freaking scary. I am not sure if this also affects ACLs or not, but I'd rather not test that on our live system right now.

Cisco Employee

Hi fnguyen,

The NAT related issue has already been fixed as part of CSCvp67520 and is available as part of ASDM 7.12.2 release. For the VPN issue, could you please reach out to TAC for support?

Thanks

Kaushik Swaminathan

Beginner

ASDM 7.12.2 seems to have created a problem involving Access Control lists that I posted here

https://community.cisco.com/t5/firewalls/cisco-asa5516-x-9-12-2-asdm-7-12-2-access-list-mode-manual/td-p/3878554