Cisco Catalyst 6500 Series / 7600 Series ASA Services Module Release Notes

Release Notes for the Cisco ASA Series, Version 9.0(x)
 
  Limitations and Restrictions
You can still install the Strong Encryption (3DES/AES) license for use with management 
connections and encrypted route messages for OSPFv3. For example, you can use ASDM 
HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the 
Botnet Traffic Filter (which uses SSL) and redirect traffic to Cloud Web Security.
The ASA uses two caches for processing server certificate verification information. The global 
cache timeout is 30 seconds and the session cache timeout is 30 minutes; these cache timeout 
values are not configurable.
Limitations and Restrictions
Clientless SSL VPN with a self-signed certificate on the ASA—When the ASA uses a self-signed 
certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security 
exceptions when browsing using an IPv6 address HTTPS URL (FQDN URL is OK): the “Confirm 
Security Exception” button is disabled. See 
This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including 
clientless SSL VPN connections and ASDM connections). To avoid this caveat, configure a proper 
certificate for the ASA that is issued by a trusted certificate authority. For Internet Explorer 9 and 
later, use compatibility mode.
Citrix Mobile Receiver and accessing Virtual Desktop Infrastructure (VDI):
- CSD is not supported.
- HTTP redirect is not supported.
- Using Citrix Receiver mobile clients to access the web interface of Citrix servers is not supported.
- Certificate or smart card authentication is not supported as a means of auto sign-on.
- You must install the XML service and configure it on XenApp and XenDesktop servers.
- Make sure that ports 443, 1494, 2598, and 80 are open on any intermediate firewalls between 
  the ASA and the XenApp/XenDesktop server.
- The password-expire-in-days notification on a tunnel group that is used by VDI is not 
  supported.
When configuring for IKEv2, for security reasons, you should use groups 21, 20, 19, 24, 14, and 5. 
We do not recommend Diffie-Hellman Group 1 or Group 2. For example, use:
crypto ikev2 policy 10
 group 21 20 19 24 14 5
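
As an added example (not part of Cisco's release notes), the following Python script audits a saved configuration for IKEv2 policies that still offer Diffie-Hellman group 1 or 2, while ignoring `group` lines that belong to other blocks such as IKEv1 policies. The function name, verdict labels and sample configuration are constructed for illustration.

```python
import re

# Groups the release note recommends for IKEv2, and the two it advises against.
RECOMMENDED = {21, 20, 19, 24, 14, 5}
DISCOURAGED = {1, 2}

POLICY_RE = re.compile(r"^crypto ikev2 policy (\d+)\s*$")
GROUP_RE = re.compile(r"^\s+group((?:\s+\d+)+)\s*$")

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 encryption aes-256
 group 2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 21 20 19 24 14 5
crypto ikev2 policy 20
 encryption aes
 group 5 2
crypto ikev2 policy 30
 encryption 3des
 group 1
"""

def audit_ikev2_groups(config_text):
    """Return (policy_priority, group, verdict) for each non-recommended group."""
    findings = []
    policy = None  # priority of the IKEv2 policy block being read, if any
    for line in config_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = int(m.group(1))
            continue
        if not line.startswith(" "):
            policy = None  # any other top-level command ends the block
            continue
        g = GROUP_RE.match(line) if policy is not None else None
        if not g:
            continue
        for grp in map(int, g.group(1).split()):
            if grp in DISCOURAGED:
                findings.append((policy, grp, "discouraged"))
            elif grp not in RECOMMENDED:
                findings.append((policy, grp, "unlisted"))  # not named in the note
    return findings

if __name__ == "__main__":
    for prio, grp, verdict in audit_ikev2_groups(SAMPLE_CONFIG):
        print(f"crypto ikev2 policy {prio}: group {grp} is {verdict}")
```
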
With a heavy load of users (around 150 or more) using a WebVPN plug-in, you may experience large 
delays because of the processing overload. Using the Citrix web interface reduces the ASA rewrite 
overhead. To track the progress of the enhancement request to allow WebVPN plug-in files to be cached 
on the ASA, refer to CSCud11756.
Inter-context OSPF adjacency is not supported. To work around this, use the point-to-point 
non-broadcast options under the interface configuration and the neighbor command under the 
router ospf section. See the following example for reference:
interface Redundant1.189
 description to core
 nameif core
 security-level 0
 ip address 172.18.0.2 255.255.255.0
 ospf network point-to-point non-broadcast
router ospf 1