Release Notes for the Cisco ASA 5500 Series, Version 8.2(x)
January 2010

This document contains release information for the following Cisco ASA 5500 Versions:
• 8.2(2)
• 8.2(1)

This document includes the following sections:
• Important Notes
• Limitations and Restrictions
• Upgrading the Software
• System Requirements
• New Features
• Open Caveats
• Resolved Caveats in Version 8.
Important Notes

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

Workaround: Configure a class-map, and then add the
Limitations and Restrictions

• Connection Profile/Tunnel Group terminology in CLI vs. ASDM—The adaptive security appliance tunnel groups define the initial connection parameters and attributes (such as AAA, client address assignment, and connection alias/group-url) for a remote access VPN session. In the CLI, they are referred to as tunnel groups, whereas in ASDM they are referred to as Connection Profiles.
Upgrading the Software

Upgrading the AIP SSC or SSM Software

When upgrading the AIP SSC or SSM, do not use the upgrade command within the IPS software; instead use the hw-module 1 recover configure command within the adaptive security appliance software.

Upgrading the Phone Proxy and MTA Instance

In Version 8.0(4), you configured a global media-termination address (MTA) on the adaptive security appliance. In Version 8.2, you can now configure MTAs for individual interfaces (with a minimum of two MTAs).
System Requirements

The sections that follow list the system requirements for operating an adaptive security appliance. This section includes the following topics:
• Memory Requirements
• ASDM, SSM, SSC, and VPN Compatibility

Memory Requirements

The adaptive security appliance includes DRAM and an internal CompactFlash card. You can optionally use an external CompactFlash card as well.
Memory Upgrade Kits

The ASA 5510 DRAM upgrade kit is available from Cisco with the following part number:
• ASA 5510 DRAM, 512 MB—ASA5510-MEM-512=

256 MB and 512 MB CompactFlash upgrades are available from Cisco with the following part numbers:
• ASA 5500 Series CompactFlash, 256 MB—ASA5500-CF-256MB=
• ASA 5500 Series CompactFlash, 512 MB—ASA5500-CF-512MB=

Viewing Flash Memory

You can check the size of internal flash and the amount of free flash memory on the adaptive security appl
ASDM, SSM, SSC, and VPN Compatibility

Table 2 lists information about ASDM, SSM, SSC, and VPN compatibility with the ASA 5500 series.

Table 2 ASDM, SSM, SSC, and VPN Compatibility

Application: ASDM
Description: ASA 5500 Version 8.2 requires ASDM Version 6.2 or later. For information about ASDM requirements for other releases, see Cisco ASA 5500 Series and PIX 500 Series Security Appliance Hardware and Software Compatibility: http://www.cisco.
New Features

Table 3 New Features for ASA Version 8.2(2) (continued)

Feature: Inspection for IP Options
Description: You can now control which IP packets with specific IP options should be allowed through the adaptive security appliance. You can also clear IP options from an IP packet, and then allow it through the adaptive security appliance. Previously, all IP options were denied by default, except for some special cases.
Note: This inspection is enabled by default.
Feature: Botnet Traffic Filter Enhancements
Description: The Botnet Traffic Filter now supports automatic blocking of blacklisted traffic based on the threat level. You can also view the category and threat level of malware sites in statistics and reports. Reporting was enhanced to show infected hosts. The 1 hour timeout for reports for top hosts was removed; there is now no timeout.
Monitoring Features

Feature: Smart Call Home
Description: Smart Call Home offers proactive diagnostics and real-time alerts on the adaptive security appliance and provides higher network availability and increased operational efficiency. Customers and TAC engineers get what they need to resolve problems quickly when an issue is detected.
Note: Smart Call Home server Version 3.
Table 4 New Features for ASA Version 8.2(1) (continued)

Feature: Pre-fill Username from Certificate
Description: The pre-fill username feature enables the use of a username extracted from a certificate for username/password authentication. With this feature enabled, the username is “pre-filled” on the login screen, with the user being prompted only for the password.
Feature: Shared license for SSL VPN sessions
Description: You can purchase a shared license with a large number of SSL VPN sessions and share the sessions as needed among a group of adaptive security appliances by configuring one of the adaptive security appliances as a shared license server, and the rest as clients. The following commands were introduced: license-server commands (various), show shared license.
Feature: Processing H.323 Endpoints When the Endpoints Do Not Send OLCAck
Description: H.323 application inspection has been enhanced to process common H.323 endpoints. The enhancement affects endpoints using the extendedVideoCapability OLC with the H.239 protocol identifier. Even when an H.
Feature: SNMP version 3 and encryption
Description: This release provides DES, 3DES, or AES encryption and support for SNMP Version 3, the most secure form of the supported security models. This version allows you to configure authentication characteristics by using the User-based Security Model (USM).
Open Caveats

This section contains open caveats in the latest maintenance release. If you are running an older release, and you need to determine the open caveats for your release, then add the caveats in this section to the resolved caveats from later releases. For example, if you are running Release 8.2(1), then you need to add the caveats in this section to the resolved caveats from 8.2(1) and above to determine the complete list of open caveats. If you are a registered Cisco.
Table 5 Open Caveats in Version 8.
Resolved Caveats in Version 8.2(2)

The caveats listed in Table 6 were resolved in software Version 8.2(2). If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website: https://www.cisco.com/authc/forms/CDClogin.fcc?

Table 6 Resolved Caveats in Version 8.
Caveat ID   Description
CSCsy86769  ASA5505 should not allow pkts to go thru prior to loading config
CSCsy86795  ASA - Log messages for all subinterfaces seen when adding just one vlan
CSCsy87867  ASA inspect pptp does not alter Call ID in inbound Set-Link-info packets
CSCsy88084  Smart Tunnel failing on MAC 10.5.
CSCsz70555  WebVPN: ST on Mac should popup the tunneled application when started
CSCsz70846  Strip Realm for WebVPN broken in 8.2, also implement strip-group
CSCsz70906  IPsec/TCP fails due to corrupt SYN+ACK from ASA when SYN has TCP options
CSCsz72175  CSD: flash:/sdesktop/data.
CSCta03382  SQLNET query via inspection cause communication errors
CSCta06294  ASA traceback in Thread Name: Unicorn Proxy Thread
CSCta06806  traceback: netfs_request+289 at netfs/netfs_api.
CSCta45256  WebVPN group-url with a trailing "/" treated differently
CSCta47556  WebVPN: Plugin parameter "csco_sso=1" doesn't work in browser favorites
CSCta47685  WebVPN: Plugin parameter "csco_sso=1" doesn't work with "=" in password
CSCta47769  WebVPN: XML parser and tags with dot.
CSCtb64913  WEBVPN: page fault in thread name dispath unit, eip udpmod_user_put
CSCtb65464  ASA (8.2.
CSCtc30413  Traceback with SIP pinhole replication Thread Name: Dispatch Unit
CSCtc32826  ASA 8.0.4 Smarttunnel Relay.dll crashes browser if proxy is configured
CSCtc34355  4GE interfaces with OSPF is broken starting from 100.5.0.
End-User License Agreement
Related Documentation

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.