Cisco ASA 5505 User Manual


1-11

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 1 Introduction to the Cisco ASA 5500 Series

New Features

Compression for DTLS and TLS

To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect
3.0 or later. Each tunneling method configures compression separately, and the preferred
configuration is to have both SSL and DTLS compression as LZS. This feature enhances
migration from legacy VPN clients.

Note

Using data compression on high speed remote access connections passing highly
compressible data requires significant processing power on the ASA. With other
activity and traffic on the ASA, the number of sessions that can be supported on the
platform is reduced.

We introduced or modified the following commands: anyconnect dtls compression [lzs |
none] and anyconnect ssl compression [deflate | lzs | none].

VPN Session Timeout Alerts

Allows you to create custom messages to alert users that their VPN session is about to end
because of inactivity or a session timeout.

We introduced the following commands: vpn-session-timeout alert-interval,
vpn-idle-timeout alert-interval.

AAA Features

Increased maximum LDAP values per attribute

The maximum number of values that the ASA can receive for a single attribute was increased
from 1000 (the default) to 5000, with an allowed range of 500 to 5000. If a response message
is received that exceeds the configured limit, the ASA rejects the authentication. If the ASA
detects that a single attribute has more than 1000 values, then the ASA generates informational
syslog 109036. For more than 5000 attributes, the ASA generates error level syslog 109037.

We introduced the following command: ldap-max-value-range number (Enter this command
in aaa-server host configuration mode).
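The two syslog IDs above are the signal an operator has that an LDAP server is returning oversized attribute lists, and that the ASA has started rejecting logons because of it. The following is an added example, not code from the configuration guide: a small parser that picks 109036 (informational) and 109037 (error) messages out of ASA syslog output and reports which users were affected. Only the message IDs and their severity levels come from the guide; the message wording, the hostnames, the usernames and the sample lines themselves are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog output. The IDs 109036/109037 and their
# severities (6 = informational, 3 = error) are from the guide; the
# message text, server addresses and usernames are assumptions.
SAMPLE_LOG = """\
%ASA-6-109036: Exceeded 1000 attribute values for LDAP attribute memberOf from server 10.0.0.5 for user jdoe
%ASA-3-109037: Exceeded 5000 attribute values for LDAP attribute memberOf from server 10.0.0.5 for user jdoe
%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.9/443
%ASA-3-109037: Exceeded 5000 attribute values for LDAP attribute memberOf from server 10.0.0.6 for user asmith
"""

# Meaning of each ID, as described in the guide.
LDAP_VALUE_EVENTS = {
    "109036": ("informational", "single LDAP attribute returned more than 1000 values"),
    "109037": ("error", "LDAP response exceeded the configured value limit; authentication rejected"),
}

# Generic ASA syslog prefix: %ASA-<severity>-<six-digit id>: <message>
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)")
# Username extraction from the constructed message wording (assumption).
USER_RE = re.compile(r"for user (?P<user>\S+)")


@dataclass
class LdapValueEvent:
    msg_id: str
    severity: int
    level: str
    user: Optional[str]
    text: str


def parse_ldap_value_events(log_text: str) -> list:
    """Return the 109036/109037 events found in raw syslog text, in order."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if not m or m.group("id") not in LDAP_VALUE_EVENTS:
            continue  # not an LDAP attribute-value message
        level, _ = LDAP_VALUE_EVENTS[m.group("id")]
        u = USER_RE.search(m.group("msg"))
        events.append(
            LdapValueEvent(
                msg_id=m.group("id"),
                severity=int(m.group("sev")),
                level=level,
                user=u.group("user") if u else None,
                text=m.group("msg"),
            )
        )
    return events


def rejected_users(log_text: str) -> list:
    """Users whose authentication the ASA rejected for an oversized LDAP response (109037)."""
    return sorted(
        {e.user for e in parse_ldap_value_events(log_text) if e.msg_id == "109037" and e.user}
    )


def summarize(log_text: str) -> dict:
    """Count of each LDAP attribute-value message ID, useful for an alert threshold."""
    counts = {}
    for e in parse_ldap_value_events(log_text):
        counts[e.msg_id] = counts.get(e.msg_id, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("rejected:", rejected_users(SAMPLE_LOG))
```

A burst of 109036 messages is a hint that a group or user object is growing toward the limit; 109037 means logons are already failing, so the check on `rejected_users` is the one worth paging on, while the 109036 count is better suited to a trend dashboard that prompts raising `ldap-max-value-range` or trimming the attribute on the directory side.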

Support for sub-range of LDAP search results

When an LDAP search results in an attribute with a large number of values, depending on the
server configuration, it might return a sub-range of the values and expect the ASA to initiate
additional queries for the remaining value ranges. The ASA now makes multiple queries for
the remaining ranges, and combines the responses into a complete array of attribute values.

Key vendor-specific attributes (VSAs) sent in RADIUS access request and accounting request packets from the ASA

Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access
request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in
RADIUS accounting request packets from the ASA. All four attributes are sent for all
accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for
example, ACS and ISE) can then enforce authorization and policy attributes or use them for
accounting and billing purposes.

Troubleshooting Features

Regular expression matching for the show asp table classifier and show asp table filter commands

You can now enter the show asp table classifier and show asp table filter commands with a
regular expression to filter output.

We modified the following commands: show asp table classifier match regex, show asp table
filter match regex.

Table 1-4 New Features for ASA Version 8.4(3) (continued)

Columns: Feature, Description