Cisco ASA 5505 User Manual

1-3

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 1 Introduction to the Cisco ASA 5500 Series

New Features

Compression for DTLS and
TLS

To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect
3.0 or later. Each tunneling method configures compression separately, and the preferred
configuration is to have both SSL and DTLS compression as LZS. This feature enhances
migration from legacy VPN clients.

Note

Using data compression on high speed remote access connections passing highly
compressible data requires significant processing power on the ASA. With other
activity and traffic on the ASA, the number of sessions that can be supported on the
platform is reduced.

We introduced or modified the following commands: anyconnect dtls compression [lzs |
none] and anyconnect ssl compression [deflate | lzs | none].

Also available in Version 8.4(3).

Clientless SSL VPN Session
Timeout Alerts

Allows you to create custom messages to alert users that their VPN session is about to end
because of inactivity or a session timeout.

We introduced the following commands: vpn-session-timeout alert-interval,
vpn-idle-timeout alert-interval.

Also available in Version 8.4(3).

Multiple Context Mode Features

Automatic generation of a
MAC address prefix

In multiple context mode, the ASA now converts the automatic MAC address generation
configuration to use a default prefix. The ASA auto-generates the prefix based on the last two
bytes of the interface MAC address. This conversion happens automatically when you reload,
or if you reenable MAC address generation. The prefix method of generation provides many
benefits, including a better guarantee of unique MAC addresses on a segment. You can view
the auto-generated prefix by entering the show running-config mac-address command. If you
want to change the prefix, you can reconfigure the feature with a custom prefix. The legacy
method of MAC address generation is no longer available.

Note

To maintain hitless upgrade for failover pairs, the ASA does not convert the MAC
address method in an existing configuration upon a reload if failover is enabled.
However, we strongly recommend that you manually change to the prefix method of
generation. After upgrading, to use the prefix method of MAC address generation,
reenable MAC address generation to use the default prefix.

We modified the following command: mac-address auto.

AAA Features

Increased maximum LDAP
values per attribute

The maximum number of values that the ASA can receive for a single attribute was increased
from 1000 (the default) to 5000, with an allowed range of 500 to 5000. If a response message
is received that exceeds the configured limit, the ASA rejects the authentication. If the ASA
detects that a single attribute has more than 1000 values, then the ASA generates informational
syslog 109036. For more than 5000 attributes, the ASA generates error level syslog 109037.

We introduced the following command: ldap-max-value-range number (Enter this command
in aaa-server host configuration mode).

Also available in Version 8.4(3).

Table 1-1

New Features forASA Version 8.6(1) (continued)

Feature

Description