Cisco Cisco Catalyst 6500 Series 7600 Series ASA Services Module
Release Notes for Cisco ASDM, 7.4(x)
First Published: 2015-03-23
Last Modified: 2016-06-21
Release Notes for Cisco ASDM, 7.4(x)
This document contains release information for Cisco ASDM Version 7.4(x) for the Cisco ASA series.
Important Notes
• For the ASA 5506H-X, when you upgrade to ASA Version 9.5(2), the correct licensing level is applied.
Earlier ASA versions apply the same licensing as the ASA 5506-X base license. For earlier versions,
you can contact Cisco to receive the ASA 5506-X Security Plus license, which is equivalent to the correct
ASA 5506H-X base license; or simply upgrade to 9.5(2).
you can contact Cisco to receive the ASA 5506-X Security Plus license, which is equivalent to the correct
ASA 5506H-X base license; or simply upgrade to 9.5(2).
• Unified Communications Phone Proxy and Intercompany Media Engine Proxy are deprecated—In ASA
Version 9.4, the Phone Proxy and IME Proxy are no longer supported.
• Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to
the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client
with an elliptic curve certificate, even when the corresponding interface has been configured with an
RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator
needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an
interface configured with an RSA trustpoint, the administrator can execute the following command so
that only RSA based ciphers are negotiated:
with an elliptic curve certificate, even when the corresponding interface has been configured with an
RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator
needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an
interface configured with an RSA trustpoint, the administrator can execute the following command so
that only RSA based ciphers are negotiated:
ssl cipher tlsv1.2 custom
"AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:
DES-CBC-SHA:RC4-SHA:RC4-MD5"
"AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:
DES-CBC-SHA:RC4-SHA:RC4-MD5"
• The RSA toolkit version used in ASA 9.x is different from what was used in ASA 8.4, which causes
differences in PKI behavior between these two versions.
For example, ASAs running 9.x software allow you to import certificates with an Organizational Name
Value (OU) field length of 73 characters. ASAs running 8.4 software allow you to import certificates
with an OU field name of 60 characters. Because of this difference, certificates that can be imported in
ASA 9.x will fail to be imported to ASA 8.4. If you try to import an ASA 9.x certificate to an ASA
running version 8.4, you will likely receive the error, "ERROR: Import PKCS12 operation failed.
Value (OU) field length of 73 characters. ASAs running 8.4 software allow you to import certificates
with an OU field name of 60 characters. Because of this difference, certificates that can be imported in
ASA 9.x will fail to be imported to ASA 8.4. If you try to import an ASA 9.x certificate to an ASA
running version 8.4, you will likely receive the error, "ERROR: Import PKCS12 operation failed.
System Requirements
This section lists the system requirements to run this release.
Release Notes for Cisco ASDM, 7.4(x)
1