|
Feature
|
Description SF-ASA-X-9.1-K8
|
|
Remote Access Features SF-ASA-X-9.1-K8
|
|
HTML5 WebSocket proxying
SF-ASA-X-9.1-K8
|
HTML5 WebSockets provide persistent connections between clients and servers. During the establishment of the clientless SSL VPN connection, the handshake appears to the server as an HTTP Upgrade request. The ASA will now proxy this request to the backend and provide a relay after the handshake is complete. Gateway mode is not currently supported.
We did not modify any commands.
We did not modify any ASDM screens.
|
|
Inner IPv6 for IKEv2
SF-ASA-X-9.1-K8
|
IPv6 traffic can now be tunneled through IPsec/IKEv2 tunnels. This makes the ASA to AnyConnect VPN connections fully IPv6 compliant. GRE is used when both IPv4 and IPv6 traffic are being tunneled, and when both the client and headend support GRE. For a single traffic type, or when GRE is not supported by the client or the headend, we use straight IPsec.
Note This feature requires AnyConnect Client Version 3.1.05 or later.
Output of the show ipsec sa and show vpn-sessiondb detail anyconnectcommands has been updated to reflect the assigned IPv6 address, and to indicate the GRE Transport Mode security association when doing IKEv2 dual traffic.
The vpn-filter command must now be used for both IPv4 and IPv6 ACLs. If the depracated ipv6-vpn-filter command is used to configure IPv6 ACLs the connection will be terminated.
We did not modify any ASDM screens.
|
|
Mobile Devices running Citrix Server Mobile have additional connection options
SF-ASA-X-9.1-K8
|
Support for mobile devices connecting to Citrix server through the ASA now includes selection of a tunnel-group, and RSA Securid for authorization. Allowing mobile users to select different tunnel-groups allows the administrator to use different authentication methods.
We introduced the application-type command to configure the default tunnel group for VDI connections when a Citrix Receiver user does not choose a tunnel-group. A none action was added to the vdi command to disable VDI configuration for a particular group policy or user.
We modified the following screen: Configuration > Remote Access VPN > Clientliess SSL VPN Access > VDI Access.
|
|
Split-tunneling supports exclude ACLs
SF-ASA-X-9.1-K8
|
Split-tunneling of VPN traffic has been enhanced to support both exclude and include ACLs. Exclude ACLs were previously ignored.
NoteThis feature requires AnyConnect Client Version 3.1.03103 or later.
We did not modify any commands.
We did not modify any ASDM screens.
|
|
High Availability and Scalability Features SF-ASA-X-9.1-K8
|
|
ASA 5500-X support for clustering
SF-ASA-X-9.1-K8
|
The ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X now support 2-unit clusters. Clustering for 2 units is enabled by default in the base license; for the ASA 5512-X, you need the Security Plus license.
We did not modify any commands.
We did not modify any ASDM screens.
|
|
Improved VSS and vPC support for health check monitoring
SF-ASA-X-9.1-K8
|
If you configure the cluster control link as an EtherChannel (recommended), and it is connected to a VSS or vPC pair, you can now increase stability with health check monitoring. For some switches, when one unit in the VSS/vPC is shutting down or booting up, EtherChannel member interfaces connected to that switch may appear to be Up to the ASA, but they are not passing traffic on the switch side. The ASA can be erroneously removed from the cluster if you set the ASA holdtime timeout to a low value (such as .8 seconds), and the ASA sends keepalive messages on one of these EtherChannel interfaces. When you enable the VSS/vPC health check feature, the ASA floods the keepalive messages on all EtherChannel interfaces in the cluster control link to ensure that at least one of the switches can receive them.
We modified the following command: health-check [vss-enabled]
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster
|
|
Support for cluster members at different geographical locations (inter-site); Individual Interface mode only
|
You can now place cluster members at different geographical locations when using individual interface mode. See the configuration guide for inter-site guidelines.
We did not modify any commands.
We did not modify any ASDM screens.
|
|
Basic Operation Features SF-ASA-X-9.1-K8
|
|
DHCP rebind function
SF-ASA-X-9.1-K8
|
During the DHCP rebind phase, the client now attempts to rebind to other DHCP servers in the tunnel group list. Prior to this release, the client did not rebind to an alternate server, when the DHCP lease fails to renew.
We introduced the following commands: show ip address dhcp lease proxy, show ip address dhcp lease summary, and show ip address dhcp lease server.
We introduced the following screen: Monitoring > Interfaces > DHCP> DHCP Lease Information.
|
|
Troubleshooting Features SF-ASA-X-9.1-K8
|
|
Crashinfo dumps include AK47 framework information
SF-ASA-X-9.1-K8
|
Application Kernel Layer 4 to 7 (AK47) framework-related information is now available in crashinfo dumps. A new option, ak47, has been added to the debug menu command to help in debugging AK47 framework issues. The framework-related information in the crashinfo dump includes the following:
•Creating an AK47 instance.
•Destroying an AK47 instance.
•Generating an crashinfo with a memory manager frame.
•Generating a crashinfo after fiber stack overflow.
•Generating a crashinfo after a local variable overflow.
•Generating a crashinfo after an exception has occurred.
|
