Cisco ASA 5555-X Adaptive Security Appliance Release Notes

Release Notes for the Cisco ASA 5500 Series, Version 8.3(x)
OL-18971-01
  Limitations and Restrictions
- The Advanced Inspection and Prevention Security Services Card (AIP SSC) can take up to 20 minutes to initialize the first time it boots after a new image is applied. This initialization process must complete before configuration changes can be made to the sensor. Attempts to modify and save configuration changes before the initialization completes will result in an error.
- If you are upgrading from a pre-8.2 release, see the 8.2 release notes for downgrade issues after you upgrade the Phone Proxy and MTA instance, or for downgrade issues if you upgrade the activation key with new 8.2 features.
- When using Clientless SSL VPN Post-SSO parameters for the Citrix Web interface bookmark, single sign-on (SSO) works, but the Citrix portal is missing the Reconnect and Disconnect buttons. Only the Log Off button shows. When not using SSO over Clientless, all three buttons show up correctly.
  Workaround: Use the Cisco HTTP-POST plugin to provide single sign-on and correct Citrix portal behavior.
- Connection Profile/Tunnel Group terminology in CLI vs. ASDM—The adaptive security appliance tunnel groups define the initial connection parameters and attributes (such as AAA, client address assignment, and connection alias/group-url) for a remote access VPN session. In CLI they are referred to as tunnel groups, whereas in ASDM they are referred to as Connection Profiles. A VPN policy is an aggregation of Connection Profile, Group Policy, and Dynamic Access Policy authorization attributes.
- The SSL SHA-2 digital signature capability for authentication of AnyConnect SSL VPN sessions (Versions 2.5.1 and above) is not currently supported on ASA Version 8.3.x. The feature was introduced in ASA interim Version 8.2.3.9.
- Stateful Failover with Phone Proxy—When using Stateful Failover with phone proxy, information is not passed to the standby unit; when the active unit goes down, the call fails, media stops flowing, and the call must be re-established.
- Clientless SSL VPN .NET limitation—Clientless SSL sessions might not properly support .NET framework applications. In some cases you need to enable the application for use with Smart Tunnels; however, there is a chance it could still fail. For example, it might fail when an executable binary (.exe) is created using the .NET framework (CSCsv29942).
- The adaptive security appliance does not support phone proxy with CIPC for remote access.
- The AIP SSC-5 does not support virtualization, unretiring default retired signatures, creating custom signatures, adding signatures, cloning signatures, or anomaly detection.
- An IPv6 Site-to-Site tunnel between an adaptive security appliance and an IOS router will fail during phase 2 negotiation. (CSCtd38078)
- The ASA cannot fully support domain-based DFS. To support this, the ASA would need to join the Active Directory and query the Active Directory server for DFS referral. Instead, the ASA sends the DFS referral to the DNS servers configured for the users. Since the AD server is the DNS server in most cases, the majority of customer configurations are covered.