ASA 5500 Tips for OnPlus


Read this section for important information about limitations and caveats that apply to the Cisco OnPlus Portal service for ASA 5500.


The ASA5500 Series routers do not support CDP, Bonjour, UPnP, or any other portal-supported discovery protocols. An ASA's MAC and IP addresses will be discovered, but the device will show up in the Topology as an Unknown Device.

To interface properly with the device, you must assign a device driver (Device Information > Credentials tab, Device Driver), at which point discovery can proceed.

The command interface to the ASA 5505 uses the HTTP interface, which must be enabled on the VLAN that the OnPlus Agent is attached to. The discovery process uses the ARP table on the VLAN that the OnPlus Agent is attached to in order to discover attached devices. Devices that are attached to other VLANs are not discovered. The ASA has no defined WAN port; the canonical configuration creates a VLAN that is used for WAN access and attaches it to one or more switch ports. The remaining ports will normally be attached to another VLAN defined for the LAN side. Using the standard configuration, these VLANs are named 'inside' and 'outside'.

The OnPlus Agent must be connected to the LAN VLAN.

Device Testing

The ASA5505 and 5510 have been tested with OnPlus.

Firmware Upgrade

ASA 5500 Series routers have two significant firmware packages resident on their drive: a system software load and a device manager load.

The OnPlus Portal Firmware Upgrade feature supports both of those, with the following constraints:

•    The only files that will be accepted for upgrade are files that match the two wildcard names: asa*.bin and asdm*.bin.

•    If a firmware file matches asa*.bin, it is assumed to be a system software load.

•    If a firmware file matches asdm*.bin, it is assumed to be a device manager load.

•    System software will not be upgraded if a 'boot image' command is present in the startup-config, since it is likely that the administrator of the router would not want this overridden.

•    Device manager software will not be upgraded if an 'asdm image' command is present in the startup-config.

•    Neither package will be upgraded if there is insufficient room on the boot drive to store the upgraded file during the upgrade.

•    An update of either type of firmware causes a device reboot.

•    When either type of firmware is updated, the file it replaces will be deleted.

Remote Access

The ASA 5500 device manager cannot be run over a tunnel created by the Cisco OnPlus Agent device. Remote ASA management can be performed if SSH access is enabled and a generic tunnel connection for SSH is created by the Cisco OnPlus Agent for command line administration.
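The two access requirements described above (the HTTP interface on the VLAN the OnPlus Agent is attached to, and SSH for command-line administration) can be met without opening either service to the whole LAN. The following ASA configuration is an added example, not taken from the OnPlus documentation; the Agent address 192.168.1.50, the username and the password are placeholders, and it assumes the standard 'inside' interface name and that tunnelled sessions reach the ASA from the Agent's LAN address.

```cisco
! Added example. 192.168.1.50 (OnPlus Agent), the username and the
! password are placeholders; 'inside' is the standard LAN VLAN name.

! Local account used for both management interfaces.
username onplus-admin password <REPLACE-WITH-STRONG-PASSWORD> privilege 15
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL

! HTTP command interface used by OnPlus. The ASA serves it over TLS.
! Permit only the Agent's address on the inside interface.
! Broader than needed:  http 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.50 255.255.255.255 inside

! SSH for command-line administration through the Agent's generic tunnel.
! Assumption: tunnelled sessions arrive from the Agent's LAN address.
! A host key must exist before SSH will accept connections.
crypto key generate rsa modulus 2048
ssh 192.168.1.50 255.255.255.255 inside
ssh version 2
ssh timeout 10

! Neither service is permitted on the 'outside' interface: there is no
! 'http ... outside' or 'ssh ... outside' line.

! Confirm what is actually permitted:
!   show running-config http
!   show running-config ssh
```

If administrators also manage the ASA directly from the LAN, add one `http` or `ssh` line per management host rather than widening the mask to the whole subnet.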

Note: Cisco OnPlus Service was tested with the ASA5505 model, with feature support expected to apply to all other models in the series.


I know that under Remote Access it states "The ASA 5500 device manager can not be run over a tunnel created by the Cisco OnPlus Agent device"; however, please see my response on the thread below for a workaround that does allow you to leverage ASDM-IDM over a tunnel created by the Cisco OnPlus Agent device.