Cisco ASA 5555-X Adaptive Security Appliance Release Notes

Release Notes for the Cisco ASA 5500 Series, Version 8.3(x)
OL-18971-01
  New Features
Table 6 lists the new features for ASA Version 8.3(2).

Table 6. New Features for ASA Version 8.3(2)
Feature
Description
Monitoring Features
Enhanced logging and connection blocking
When you configure a syslog server to use TCP, and the syslog server is unavailable, the 
adaptive security appliance blocks new connections that generate syslog messages until the 
server becomes available again (for example, VPN, firewall, and cut-through-proxy 
connections). This feature has been enhanced to also block new connections when the logging 
queue on the adaptive security appliance is full; connections resume when the logging queue 
is cleared.
This feature was added for compliance with Common Criteria EAL4+. Unless required, we 
recommend allowing new connections when syslog messages cannot be sent. To allow new 
connections, configure the syslog server to use UDP or use the logging permit-hostdown 
command.
The following commands were modified: show logging.
The following syslog messages were introduced: 414005, 414006, 414007, and 414008.
Remote Access Features
2048-bit RSA certificate and Diffie-Hellman Group 5 (DH5) performance improvement
(ASA 5510, ASA 5520, ASA 5540, and ASA 5550 only) We strongly recommend that you 
enable hardware processing instead of software for large modulus operations such as 2048-bit 
certificates and DH5 keys. If you continue to use software processing for large keys, you 
could experience significant performance degradation due to slow session establishment for 
IPsec and SSL VPN connections. We recommend that you initially enable hardware 
processing during a low-use or maintenance period to minimize a temporary packet loss that 
can occur during the transition of processing from software to hardware.
Note
For the ASA 5540 and ASA 5550 using SSL VPN, in specific load conditions, you may 
want to continue to use software processing for large keys. If VPN sessions are added 
very slowly and the ASA runs at capacity, then the negative impact to data throughput 
is larger than the positive impact for session establishment.
The following commands were introduced or modified: crypto engine large-mod-accel, clear
configure crypto engine, show running-config crypto engine, and show running-config crypto.
Also available in Version 8.2(3).
Microsoft Internet Explorer proxy lockdown control
Enabling this feature hides the Connections tab in Microsoft Internet Explorer for the duration 
of an AnyConnect VPN session. Disabling the feature leaves the display of the Connections 
tab unchanged; the default setting for the tab can be shown or hidden, depending on the user 
registry settings.
The following command was introduced: msie-proxy lockdown.
Also available in Version 8.2(3).
Secondary password enhancement
You can now configure SSL VPN support for a common secondary password for all 
authentications or use the primary password as the secondary password.
The following command was modified: secondary-pre-fill-username
[use-primary-password | use-common-password].
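
The three syslog transport choices described under "Enhanced logging and connection blocking" above, shown as an added configuration example that is not part of the Cisco release notes. The interface name inside, the server address 192.0.2.10, the ports, and the trap severity are placeholder values chosen for illustration.

```cisco
! Constructed example. Interface "inside", server 192.0.2.10, the ports
! and the severity level are placeholders; apply only ONE of the options.
!
! Option A: TCP syslog, fail closed (the Common Criteria EAL4+ behavior).
! New connections that generate syslog messages are blocked while the
! server is unavailable or the logging queue is full.
logging enable
logging trap informational
logging host inside 192.0.2.10 tcp/1470
!
! Option B: TCP syslog, fail open.
! Same transport, but new connections are allowed when syslog messages
! cannot be sent. Traffic passed during the outage is not logged remotely.
logging enable
logging trap informational
logging host inside 192.0.2.10 tcp/1470
logging permit-hostdown
!
! Option C: UDP syslog.
! The other way the release notes give to allow new connections when
! syslog messages cannot be sent.
logging enable
logging trap informational
logging host inside 192.0.2.10 udp/514
!
! Check the resulting logging state after any change
! (show logging is the command modified for this feature).
show logging
```

With Option A, an unreachable syslog server or a full logging queue becomes an availability event for VPN, firewall, and cut-through-proxy connections, so monitor for syslog messages 414005 through 414008 and for the health of the syslog server itself.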