Cisco Catalyst 6500 Series 7600 Series ASA Services Module
Release Notes for Cisco ASDM, Version 7.1(x)
New Features
Table 4 lists the new features for ASA Version 9.1(4)/ASDM Version 7.1(5).
Table 4: New Features for ASA Version 9.1(4)/ASDM Version 7.1(5)
Feature
Description
Remote Access Features
HTML5 WebSocket proxying
HTML5 WebSockets provide persistent connections between clients and servers. During the
establishment of the clientless SSL VPN connection, the handshake appears to the server as an
HTTP Upgrade request. The ASA will now proxy this request to the backend and provide a
relay after the handshake is complete. Gateway mode is not currently supported.
We did not modify any ASDM screens.
Inner IPv6 for IKEv2
IPv6 traffic can now be tunneled through IPsec/IKEv2 tunnels. This makes the ASA to
AnyConnect VPN connections fully IPv6 compliant. GRE is used when both IPv4 and IPv6
traffic are being tunneled, and when both the client and headend support GRE. For a single
traffic type, or when GRE is not supported by the client or the headend, we use straight IPsec.
Note: This feature requires AnyConnect Client Version 3.1.05 or later.
We did not modify any ASDM screens.
Mobile Devices running Citrix Server Mobile have additional connection options
Support for mobile devices connecting to Citrix server through the ASA now includes selection
of a tunnel-group, and RSA SecurID for authorization. Allowing mobile users to select different
tunnel-groups allows the administrator to use different authentication methods.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL
VPN Access > VDI Access.
Split-tunneling supports exclude ACLs
Split-tunneling of VPN traffic has been enhanced to support both exclude and include ACLs.
Exclude ACLs were previously ignored.
Note: This feature requires AnyConnect Client Version 3.1.03103 or later.
We did not modify any ASDM screens.
High Availability and Scalability Features
ASA 5500-X support for clustering
The ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X now support
2-unit clusters. Clustering for 2 units is enabled by default in the base license; for the ASA
5512-X, you need the Security Plus license.
We did not modify any ASDM screens.
Improved VSS and vPC support for health check monitoring
If you configure the cluster control link as an EtherChannel (recommended), and it is
connected to a VSS or vPC pair, you can now increase stability with health check monitoring.
For some switches, such as the Nexus 5000, when one unit in the VSS/vPC is shutting down
or booting up, EtherChannel member interfaces connected to that switch may appear to be Up
to the ASA, but they are not passing traffic on the switch side. The ASA can be erroneously
removed from the cluster if you set the ASA holdtime timeout to a low value (such as .8
seconds), and the ASA sends keepalive messages on one of these EtherChannel interfaces.
When you enable the VSS/vPC health check feature, the ASA floods the keepalive messages
on all EtherChannel interfaces in the cluster control link to ensure that at least one of the
switches can receive them.
We modified the following screen: Configuration > Device Management > High Availability
and Scalability > ASA Cluster
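
Added example (not Cisco code and not a description of the ASA's internals): the HTML5 WebSocket proxying entry above says the handshake appears as an HTTP Upgrade request and that relaying starts once the handshake is complete. This Python sketch shows the RFC 6455 checks a generic relay or log reviewer can apply to decide both points; the function names and the sample exchange are constructed for illustration.

```python
import base64
import hashlib
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455

def parse_head(raw: bytes):
    """Return (start_line, headers) with header names lower-cased."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def has_token(value: str, token: str) -> bool:
    return token in [t.strip().lower() for t in value.split(",")]

def expected_accept(key: str) -> str:
    # SHA-1 is what the protocol specifies for this handshake echo.
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def is_ws_upgrade(raw_request: bytes) -> bool:
    start, h = parse_head(raw_request)
    if not (start.startswith("GET ") and start.endswith(" HTTP/1.1")):
        return False
    try:  # the key must decode to exactly 16 bytes
        key_ok = len(base64.b64decode(h.get("sec-websocket-key", ""), validate=True)) == 16
    except ValueError:
        key_ok = False
    return (key_ok and h.get("upgrade", "").lower() == "websocket"
            and has_token(h.get("connection", ""), "upgrade")
            and h.get("sec-websocket-version") == "13")

def handshake_complete(raw_request: bytes, raw_response: bytes) -> bool:
    """True only when the backend's 101 reply answers this client's key."""
    if not is_ws_upgrade(raw_request):
        return False
    key = parse_head(raw_request)[1]["sec-websocket-key"]
    status, r = parse_head(raw_response)
    return (status.split(" ")[1:2] == ["101"]
            and r.get("upgrade", "").lower() == "websocket"
            and has_token(r.get("connection", ""), "upgrade")
            and r.get("sec-websocket-accept") == expected_accept(key))

# Constructed sample exchange using the RFC 6455 example key (not captured traffic).
REQUEST = (b"GET /chat HTTP/1.1\r\nHost: backend.example\r\nUpgrade: websocket\r\n"
           b"Connection: keep-alive, Upgrade\r\nSec-WebSocket-Version: 13\r\n"
           b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n")
RESPONSE = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
            b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
```

A relay that switches to pass-through only after handshake_complete() returns True will not forward frames when the backend replied with an ordinary HTTP response or an accept value computed for a different key.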