I got this working without using an Airespace ACL. Mine looks like this:
Access Type = ACCESS_ACCEPT
cisco-av-pair = url-redirect=https://10.40.2.111:port/blacklistportal/gateway?portal=0eed9e80-6d90-11e5-978e-005056bf2f0a
cisco-av-pair = url-redirect-acl=BLACKHOLE
Compatibility with ASA Features
The ASA includes many advanced application inspection features, including HTTP inspection. However, the ASA FirePOWER module provides more advanced HTTP inspection than the ASA provides, as well as additional features for other applications, including monitoring and controlling application usage.
You must follow these configuration restrictions on the ASA:
Do not configure ASA inspection on HTTP traffic that you send to the ASA FirePOWER module.
Do not configure Cloud Web Security (ScanSafe) inspection on traffic that you send to the ASA FirePOWER module. If traffic matches both your Cloud Web Security and ASA FirePOWER service policies, the traffic is forwarded to the ASA FirePOWER module only. If you want to implement both services, ensure there is no overlap between the traffic matching criteria for each service.
Do not enable the Mobile User Security (MUS) server; it is not compatible with the ASA FirePOWER module.
Other application inspections on the ASA are compatible with the ASA FirePOWER module, including the default inspections.
We recently deployed an ASAv in AWS and just applied the smart licensing. While the licensing was successful, we are showing Out of compliance. I'm trying to figure out exactly why we are out of compliance, but I don't see anything that gives me that info.
ciscoasa# show license features
Serial Number: 9ARQQNLTL2W
Export Compliant: YES

License mode: Smart Licensing
ASAv Platform License State: Licensed
Active entitlement: ASAv-STD-1G, enforce mode: Out of compliance
Licensed for maximum of 2 vCPUs

Licensed features for this platform:
Maximum Physical Interfaces : 10
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Active/Standby
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 0
Carrier : Enabled
AnyConnect Premium Peers : 250
AnyConnect Essentials : Disabled
Other VPN Peers : 250
Total VPN Peers : 250
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Enabled
Advanced Endpoint Assessment : Enabled
Shared License : Disabled
Total UC Proxy Sessions : 500
Botnet Traffic Filter : Enabled
Cluster : Disabled
Of the reasons listed below, I believe this must be related to the ASAv using unavailable licenses. Just can't figure out which one.
The ASAv can become out of compliance in the following situations:
Over-utilization—When the ASAv uses unavailable licenses.
License expiration—When a time-based license expires.
Lack of communication—When the ASAv cannot reach the Licensing Authority for re-authorization.
After 90 days of reauthorization attempts, the ASAv will be severely rate-limited until you are able to successfully reauthorize.