
Release Notes for Cisco ASDM, Version 7.5(x)
First Published: August 31, 2015
This document contains release information for Cisco ASDM Version 7.5(x) for the Cisco ASA series.

Important Notes

System Requirements

New Features

Upgrade the Software

Open and Resolved Bugs

End-User License Agreement

Related Documentation

Obtaining Documentation and Submitting a Service Request

Important Notes

E-mail proxy commands to be deprecated: In ASA Version 9.5(2), the e-mail proxy commands (imap4s, pop3s, smtps) and subcommands will no longer be supported.

Select AAA commands to be deprecated: In ASA Version 9.5(2), these AAA commands and subcommands (override-account-disable, authentication crack) will no longer be supported.

CSD commands to be deprecated or migrated: In ASA Version 9.5(2), the CSD commands (csd image, show webvpn csd image, show webvpn csd, show webvpn csd hostscan, show webvpn csd hostscan image) will no longer be supported.
The following CSD commands will migrate: csd enable migrates to hostscan enable; csd hostscan image migrates to hostscan image.

System Requirements

ASDM Client Operating System and Browser Requirements

Java and Browser Compatibility

Install an Identity Certificate for ASDM

Increase the ASDM Configuration Memory

ASA and ASDM Compatibility

VPN Compatibility

Cisco Systems, Inc.

www.cisco.com

ASDM Client Operating System and Browser Requirements


The following table lists the supported and recommended client operating systems and Java for ASDM.
Table 1. Operating System and Browser Requirements

| Operating System | Internet Explorer | Firefox | Safari | Chrome | Java SE Plug-in |
| --- | --- | --- | --- | --- | --- |
| Microsoft Windows (English and Japanese): 8, 7, Server 2008, Server 2012 | Yes | Yes | No support | Yes | 7.0 or later |
| Apple OS X 10.4 and later | No support | Yes | Yes | Yes (64-bit version only) | 7.0 or later |
| Red Hat Enterprise Linux 5 (GNOME or KDE): Desktop, Desktop with Workstation | N/A | Yes | N/A | Yes | 7.0 or later |

Java and Browser Compatibility


The following table lists compatibility caveats for Java, ASDM, and browser compatibility.

Table 2. Java Caveats for ASDM Compatibility

Java Version: 7 update 51

Conditions: ASDM Launcher requires trusted certificate
Notes: To continue using the Launcher, do one of the following:
- Upgrade to Java 8 or downgrade Java to 7 update 45 or earlier.
- Install a trusted certificate on the ASA from a known CA.
- Install a self-signed certificate and register it with Java. See Install an Identity Certificate for ASDM.
- Alternatively use Java Web Start.
Note: ASDM 7.1(5) and earlier are not supported with Java 7 update 51. If you already upgraded Java, and can no longer launch ASDM in order to upgrade it to Version 7.2 or later, then you can either use the CLI to upgrade ASDM, or you can add a security exception in the Java Control Panel for each ASA you want to manage with ASDM. See the Workaround section at:
http://java.com/en/download/help/java_blocked.xml
After adding the security exception, launch the older ASDM and then upgrade to 7.2 or later.

Conditions: In rare cases, online help does not load when using Java Web Start
Notes: In rare cases, when launching online help, the browser window loads, but the content fails to appear. The browser reports an error: Unable to connect.
Workaround:
- Use the ASDM Launcher
Or:
- Clear the -Djava.net.preferIPv6Addresses=true parameter in Java Runtime Parameters:
  a. Launch the Java Control Panel.
  b. Click the Java tab.
  c. Click View.
  d. Clear this parameter: -Djava.net.preferIPv6Addresses=true
  e. Click OK, then Apply, then OK again.

Java Version: 7 update 45

Conditions: ASDM shows a yellow warning about the missing Permissions attribute when using an untrusted certificate
Notes: Due to a bug in Java, if you do not have a trusted certificate installed on the ASA, you see a yellow warning about a missing Permissions attribute in the JAR manifest. It is safe to ignore this warning; ASDM 7.2 and later includes the Permissions attribute. To prevent the warning from appearing, install a trusted certificate (from a known CA); or generate a self-signed certificate on the ASA by choosing Configuration > Device Management > Certificates > Identity Certificates. Launch ASDM, and when the certificate warning is shown, check the Always trust connections to websites check box.

Conditions: Requires strong encryption license (3DES/AES) on ASA
Notes: ASDM requires an SSL connection to the ASA. You can request a 3DES license from Cisco:
1. Go to www.cisco.com/go/license.
2. Click Continue to Product License Registration.
3. In the Licensing Portal, click Get Other Licenses next to the text field.
4. Choose IPS, Crypto, Other... from the drop-down list.
5. Type ASA into the Search by Keyword field.
6. Select Cisco ASA 3DES/AES License in the Product list, and click Next.
7. Enter the serial number of the ASA, and follow the prompts to request a 3DES/AES license for the ASA.

Java Version: All

Conditions: Self-signed certificate or an untrusted certificate; IPv6; Firefox and Safari
Notes: When the ASA uses a self-signed certificate or an untrusted certificate, Firefox and Safari are unable to add security exceptions when browsing using HTTPS over IPv6. See https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority.

Conditions: SSL encryption on the ASA must include both RC4-MD5 and RC4-SHA1 or disable SSL false start in Chrome; Chrome
Notes: If you change the SSL encryption on the ASA to exclude both RC4-MD5 and RC4-SHA1 algorithms (these algorithms are enabled by default), then Chrome cannot launch ASDM due to the Chrome SSL false start feature. We suggest re-enabling one of these algorithms (see the Configuration > Device Management > Advanced > SSL Settings pane); or you can disable SSL false start in Chrome using the --disable-ssl-false-start flag according to Run Chromium with flags.

Conditions: IE9 for servers
Notes: For Internet Explorer 9.0 for servers, the Do not save encrypted pages to disk option is enabled by default (See Tools > Internet Options > Advanced). This option causes the initial ASDM download to fail. Be sure to disable this option to allow ASDM to download.

Conditions: OS X
Notes: On OS X, you may be prompted to install Java the first time you run ASDM; follow the prompts as necessary. ASDM will launch after the installation completes.

Java Version: All

Conditions: OS X 10.8 and later
Notes: You need to allow ASDM to run because it is not signed with an Apple Developer ID. If you do not change your security preferences, you see an error screen.
1. To allow ASDM to run, right-click (or Ctrl-Click) the Cisco ASDM-IDM Launcher icon, and choose Open.
2. You see a similar error screen; however, you can open ASDM from this screen. Click Open. The ASDM-IDM Launcher opens.


Install an Identity Certificate for ASDM


When using Java 7 update 51 and later, the ASDM Launcher requires a trusted certificate. An easy approach to
fulfill the certificate requirements is to install a self-signed identity certificate. You can use Java Web Start to launch
ASDM until you install a certificate.
See Install an Identity Certificate for ASDM to install a self-signed identity certificate on the ASA for use with
ASDM, and to register the certificate with Java.

Increase the ASDM Configuration Memory


ASDM supports a maximum configuration size of 512 KB. If you exceed this amount you may experience
performance issues. For example, when you load the configuration, the status dialog box shows the percentage
of the configuration that is complete, yet with large configurations it stops incrementing and appears to suspend
operation, even though ASDM might still be processing the configuration. If this situation occurs, we recommend
that you consider increasing the ASDM system heap memory.

Increase the ASDM Configuration Memory in Windows

Increase the ASDM Configuration Memory in Mac OS

Increase the ASDM Configuration Memory in Windows


To increase the ASDM heap memory size, edit the run.bat file by performing the following procedure.
Procedure
1. Go to the ASDM installation directory, for example C:\Program Files (x86)\Cisco Systems\ASDM.
2. Edit the run.bat file with any text editor.
3. In the line that starts with start javaw.exe, change the argument prefixed with -Xmx to specify your desired
heap size. For example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.
4. Save the run.bat file.

Increase the ASDM Configuration Memory in Mac OS


To increase the ASDM heap memory size, edit the Info.plist file by performing the following procedure.
Procedure
1. Right-click the Cisco ASDM-IDM icon, and choose Show Package Contents.
2. In the Contents folder, double-click the Info.plist file. If you have Developer tools installed, it opens in the
Property List Editor. Otherwise, it opens in TextEdit.
3. Under Java > VMOptions, change the string prefixed with -Xmx to specify your desired heap size. For
example, change it to -Xmx768M for 768 MB or -Xmx1G for 1 GB.

4. If this file is locked, you see an error such as the following:

5. Click Unlock and save the file.


If you do not see the Unlock dialog box, exit the editor, right-click the Cisco ASDM-IDM icon, choose Copy
Cisco ASDM-IDM, and paste it to a location where you have write permissions, such as the Desktop. Then
change the heap size from this copy.

ASA and ASDM Compatibility


For information about ASA/ASDM software and hardware requirements and compatibility, including module
compatibility, see Cisco ASA Compatibility.

VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.

New Features

New Features in ASA 9.5(1.200)/ASDM 7.5(1)

New Features in ASA 9.5(1)/ASDM 7.5(1)

New Features in ASA 9.5(1.200)/ASDM 7.5(1)


Released: August 31, 2015
The following table lists the new features for ASA Version 9.5(1.200)/ASDM Version 7.5(1).
Note: This release supports only the ASAv.

Table 3. New Features for ASA Version 9.5(1.200)/ASDM Version 7.5(1)

Platform Features

Feature: Microsoft Hyper-V supervisor support
Description: Extends the hypervisor portfolio for the ASAv.

Feature: ASAv5 low memory support
Description: The ASAv5 now only requires 1 GB RAM to operate. Formerly, it required 2 GB. For already-deployed ASAv5s, you should reduce the allocated memory to 1 GB or you will see an error that you are using more memory than is licensed.

New Features in ASA 9.5(1)/ASDM 7.5(1)


Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.
Released: August 12, 2015
The following table lists the new features for ASA Version 9.5(1)/ASDM Version 7.5(1).
Note: This version does not support the Firepower 9300 ASA security module.
Table 4. New Features for ASA Version 9.5(1)/ASDM Version 7.5(1)

Firewall Features

Feature: GTPv2 inspection and improvements to GTPv0/1 inspection
Description: GTP inspection can now handle GTPv2. In addition, GTP inspection for all versions now supports IPv6 addresses.
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > GTP

Feature: IP Options inspection improvements
Description: IP Options inspection now supports all possible IP options. You can tune the inspection to allow, clear, or drop any standard or experimental options, including those not yet defined. You can also set a default behavior for options not explicitly defined in an IP options inspection map.
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > IP Options

Feature: Carrier Grade NAT enhancements
Description: For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888).
We introduced the following screen: Configuration > Firewall > Advanced > PAT Port Block Allocation. We added Enable Block Allocation to the object NAT and twice NAT dialog boxes.

High Availability Features

Feature: Inter-site clustering support for Spanned EtherChannel in Routed firewall mode
Description: You can now use inter-site clustering for Spanned EtherChannels in routed mode. To avoid MAC address flapping, configure a site ID for each cluster member so that a site-specific MAC address for each interface can be shared among a site's units.
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration

Feature: ASA cluster customization of the auto-rejoin behavior when an interface or the cluster control link fails
Description: You can now customize the auto-rejoin behavior when an interface or the cluster control link fails.
We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Auto Rejoin

Feature: The ASA cluster supports GTPv1 and GTPv2
Description: The ASA cluster now supports GTPv1 and GTPv2 inspection.
We did not modify any screens.

Feature: Cluster replication delay for TCP connections
Description: This feature helps eliminate the unnecessary work related to short-lived flows by delaying the director/backup flow creation.
We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster Replication
Also available for the Firepower 9300 ASA security module in Version 9.4(1.152).

Feature: Disable health monitoring of a hardware module in ASA clustering
Description: By default when using clustering, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring

Feature: Enable use of the Management 1/1 interface as the failover link on the ASA 5506H
Description: On the ASA 5506H only, you can now configure the Management 1/1 interface as the failover link. This feature lets you use all other interfaces on the device as data interfaces. Note that if you use this feature, you cannot use the ASA Firepower module, which requires the Management 1/1 interface to remain as a regular management interface.
We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup

Routing Features

Feature: Support for IPv6 in Policy Based Routing
Description: IPv6 addresses are now supported for Policy Based Routing.
We modified the following screens:
Configuration > Device Setup > Routing > Route Maps > Add Route Map > Policy Based Routing
Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause

Feature: VXLAN support for Policy Based Routing
Description: You can now enable Policy Based Routing on a VNI interface.
We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Interface > General

Feature: Policy Based Routing support for Identity Firewall and Cisco TrustSec
Description: You can configure Identity Firewall and Cisco TrustSec and then use Identity Firewall and Cisco TrustSec ACLs in Policy Based Routing route maps.
We modified the following screen: Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause

Feature: Separate routing table for management-only interfaces
Description: To segregate and isolate management traffic from data traffic, the ASA now supports a separate routing table for management-only interfaces.
We did not modify any screens.

Feature: Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) pass-through support
Description: The ASA now allows PIM-SSM packets to pass through when you enable multicast routing, unless the ASA is the Last-Hop Router. This feature allows greater flexibility in choosing a multicast group while also protecting against different attacks; hosts only receive traffic from explicitly-requested sources.
We did not modify any screens.

Remote Access Features

Feature: IPv6 VLAN Mapping
Description: ASA VPN code has been enhanced to support full IPv6 capabilities. No configuration change is necessary for the administrator.

Feature: Clientless SSL VPN SharePoint 2013 Support
Description: Added support and a predefined application template for this new SharePoint version.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks > Add Bookmark List > Select Bookmark Type > Predefined application templates

Feature: Dynamic Bookmarks for Clientless VPN
Description: Added CSCO_WEBVPN_DYNAMIC_URL and CSCO_WEBVPN_MACROLIST to the list of macros when using bookmarks. These macros allow the administrator to configure a single bookmark that can generate multiple bookmark links on the clientless user's portal and to statically configure bookmarks to take advantage of arbitrarily sized lists provided by LDAP attribute maps.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks

Feature: VPN Banner Length Increase
Description: The overall banner length, which is displayed during post-login on the VPN remote client portal, has increased from 500 to 4000.
We modified the following screen: Configuration > Remote Access VPN > .... Add/Edit Internal Group Policy > General Parameters > Banner

Feature: Cisco Easy VPN client on the ASA 5506-X, 5506W-X, 5506H-X, and 5508-X
Description: This release supports Cisco Easy VPN on the ASA 5506-X series and for the ASA 5508-X. The ASA acts as a VPN hardware client when connecting to the VPN headend. Any devices (computers, printers, and so on) behind the ASA on the Easy VPN port can communicate over the VPN; they do not have to run VPN clients individually. Note that only one ASA interface can act as the Easy VPN port; to connect multiple devices to that port, you need to place a Layer 2 switch on the port, and then connect your devices to the switch.
We introduced the following screen: Configuration > VPN > Easy VPN Remote
Monitoring Features

Feature: Show invalid usernames in syslog messages
Description: You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the username in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.
We modified the following screen: Configuration > Device Management > Logging > Syslog Setup
This feature is also available in 9.2(4) and 9.3(3).

Upgrade the Software


See the following table for the upgrade path for your version. Some versions require an interim upgrade before
you can upgrade to the latest version.
Note: There are no special requirements for Zero Downtime Upgrades for failover and ASA clustering with the
following exception. Upgrading ASA clustering from 9.0(1) or 9.1(1): due to CSCue72961, hitless upgrading is not
supported.
| Current ASA Version | First Upgrade to: | Then Upgrade to: |
| --- | --- | --- |
| 8.2(x) | 8.4(6) | 9.5(1) or later |
| 8.3(x) | 8.4(6) | 9.5(1) or later |
| 8.4(1) through 8.4(4) | 8.4(6), 9.0(4), or 9.1(2) | 9.5(1) or later |
| 8.4(5) and later | - | 9.5(1) or later |
| 8.5(1) | 9.0(4) or 9.1(2) | 9.5(1) or later |
| 8.6(1) | 9.0(4) or 9.1(2) | 9.5(1) or later |
| 9.0(1) | 9.0(4) or 9.1(2) | 9.5(1) or later |
| 9.0(2) or later | - | 9.5(1) or later |
| 9.1(1) | 9.1(2) | 9.5(1) or later |
| 9.1(2) or later | - | 9.5(1) or later |
| 9.2(x) | - | 9.5(1) or later |
| 9.3(x) | - | 9.5(1) or later |
| 9.4(x) | - | 9.5(1) or later |

For detailed steps about upgrading, see the 9.5 upgrade guide.
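
The upgrade table and the clustering note above can be applied to a device inventory as a version-range check. The following is an added example, not Cisco code: the function names, the sample inventory, and the reading of "and later" / "or later" rows as staying within their own release train are assumptions.

```python
import re
from math import inf

TARGET = "9.5(1) or later"

# Rows transcribed from the upgrade table above:
# (lowest version, highest version, interim choices), bounds inclusive.
# Assumption: "and later" / "or later" rows stay within their own release
# train, because the following trains have rows of their own.
RULES = [
    ((8, 2, 0), (8, 2, inf), ["8.4(6)"]),
    ((8, 3, 0), (8, 3, inf), ["8.4(6)"]),
    ((8, 4, 1), (8, 4, 4), ["8.4(6)", "9.0(4)", "9.1(2)"]),
    ((8, 4, 5), (8, 4, inf), []),
    ((8, 5, 1), (8, 5, 1), ["9.0(4)", "9.1(2)"]),
    ((8, 6, 1), (8, 6, 1), ["9.0(4)", "9.1(2)"]),
    ((9, 0, 1), (9, 0, 1), ["9.0(4)", "9.1(2)"]),
    ((9, 0, 2), (9, 0, inf), []),
    ((9, 1, 1), (9, 1, 1), ["9.1(2)"]),
    ((9, 1, 2), (9, 1, inf), []),
    ((9, 2, 0), (9, 2, inf), []),
    ((9, 3, 0), (9, 3, inf), []),
    ((9, 4, 0), (9, 4, inf), []),
]

# Clustering upgrades from these versions are not hitless (CSCue72961 note).
NOT_HITLESS_CLUSTER = {(9, 0, 1), (9, 1, 1)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)(?:\.\d+)?\)")


def parse_version(text):
    """Turn '8.4(3)' or '9.5(1.200)' into (major, minor, maintenance)."""
    match = VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not an ASA version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def plan_upgrade(current, clustered=False):
    """Return the ordered hops and whether the clustering exception applies.

    Each hop is a list of acceptable versions for that step.
    """
    version = parse_version(current)
    for low, high, interim in RULES:
        if low <= version <= high:
            steps = ([interim] if interim else []) + [[TARGET]]
            exception = clustered and version in NOT_HITLESS_CLUSTER
            return {"steps": steps, "hitless_exception": exception}
    raise LookupError(f"{current} has no row in the upgrade table")


if __name__ == "__main__":
    # Constructed inventory: (hostname, running version, cluster member?)
    inventory = [("fw-edge-1", "8.4(3)", False), ("fw-dc-1", "9.1(1)", True),
                 ("fw-lab-1", "9.4(1)", False), ("fw-old-1", "8.0(4)", False)]
    for host, running, clustered in inventory:
        try:
            plan = plan_upgrade(running, clustered)
        except LookupError as err:
            print(f"{host}: {err}")
            continue
        hops = " -> ".join(" or ".join(step) for step in plan["steps"])
        note = " (cluster upgrade is not hitless)" if plan["hitless_exception"] else ""
        print(f"{host}: {running} -> {hops}{note}")
```

Versions without a row in the table raise LookupError rather than being guessed at, so unlisted releases surface for manual review.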

Open and Resolved Bugs


The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based
tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and
vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one,
you can register for an account.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs
All open bugs severity 3 and higher for each version are included in the following searches:

7.5(1) open bug search.

Resolved Bugs
All resolved bugs for each version are included in the following searches:

7.5(1) fixed bug search.

End-User License Agreement


For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.

Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.

Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation at:
http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To
view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property
of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other
company. (1110R)

© 2015 Cisco Systems, Inc. All rights reserved.
