Showing results for 
Search instead for 
Did you mean: 

ASA v9.0.1 and ASDM v7.0.1 released

Looks like v9 is now out...

Regards Simon       

Regards Simon

Thanks for spreading out the good news Simon.

People interested in these two releases can find them here:

ASA 9.0.1 and ASDM 7.0.1

Important points to consider before an upgrade to 9.0:

ASA and ASDM Compatibility



ASA Model:

ASA 5505

ASA 5510, 5520, 5540

ASA 5550

ASA 5580

ASA 5512-X, 5515-X,   5525-X, 5545-X, 5555-X

ASA 5585-X


ASA 1000V

ASA 9.0(1)

ASDM 7.0(1).









Limitations and Restrictions

•Clientless SSL VPN with a self-signed certificate on the ASA—When the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using an IPv6 address HTTPS URL (FQDN URL is OK): the "Confirm Security Exception" button is disabled. See: This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including clientless SSL VPN connections, and ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority. For Internet Explorer 9 and later, use compatibility mode.

•Citrix Mobile Receiver and accessing Virtual Desktop Infrastructure (VDI):

–CSD is not supported.

–HTTP redirect is not supported.

–Using Citrix Receiver mobile clients to access web interface of Citrix servers is not supported.

–Certificate or smart card authentication is not supported as a means of auto sign-on.

–You must install XML service and configure on XenApp and XenDesktop servers.

–Make sure the ports 443, 1494, 2598, and 80 are open on any intermediate firewalls between the ASA and the XenApp/XenDesktop server.

–The password-expire-in-days notification on tunnel group that is used by VDI is not supported.

•When configuring for IKEv2, for security reasons you should use groups 21, 20, 19, 24, 14, and 5. We do not recommend Diffie Hellman Group1 or Group2. For example, use

crypto ikev2 policy 10

group 21 20 19 24 14 5

As always make sure you are familiar with the upgrade procedure Upgrading the Software.

Important Notes

•Downgrading issues—Upgrading to Version 9.0 includes ACL migration (see the "ACL Migration in Version 9.0" section). Therefore, you cannot downgrade from 9.0 with a migrated configuration. Be sure to make a backup copy of your configuration before you upgrade so you can downgrade using the old configuration if required.

•Per-session PAT disabled when upgrading— Starting in Version 9.0, by default, all TCP PAT traffic and all UDP DNS traffic use per-session PAT (see the xlate per-session command in the command reference). If you upgrade to Version 9.0 from an earlier release, to maintain the existing functionality of multi-session PAT, the per-session PAT feature is disabled during configuration migration. The ASA adds the following deny rules:

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

To enable per-session PAT after you upgrade, enter:

clear configure xlate

The above deny rules are cleared so that only the default permit rules are still in place, thus enabling per-session PAT.

•No Payload Encryption for export—You can purchase some models with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. The ASA software senses a No Payload Encryption model, and disables the following features:

–Unified Communications


You can still install the Strong Encryption (3DES/AES) license for use with management connections and encrypted route messages for OSPFv3. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filer (which uses SSL) and redirect traffic to Cloud Web Security.

More information at:

Release Notes for the Cisco ASA Series, 9.0(x)



Please rate any helpful posts

Nicely put Portu. I logged in this evening to see if anyone had posted about 9.0 and I see it's already a thread.

I'll try to get our lab ASA up on 9.0 to see how it goes....

Hello Marvin,

5 stars back at you

Let us know your findings!



Hi all,

I stuck on the chapter 'Configuring the ASA for Cisco Cloud Web Security'. There is a link '' to generate a Key. But the link is not working.

Also I downloaded 'asdm-demo-701.msi' but all demo configurations are running ASA 8.4.x .

Any suggestions! :-)

Brgds Markus

The URL to ScanSafe should have been:

However, you would need to get in touch with your Cisco Account Rep to get the ScanSafe license before you can redirect your web traffic on the ASA towards ScanSafe.


Curious if using multiple mode you can still have a client VPN

You can have remote access VPN with multiple contexts. You cannot in an active-active setup.


Multi-context site-site VPN has a requirement to setup some resource-class parameters as described here.


Looking through the release notes an upgrade from a post 8.3 seems pretty straight forward. We will be moving from 8.4(4)1 to 9.0(x) and am wondering if anyone had any issues doing the same?


Content for Community-Ad