Cisco ASA 5505 User Manual

Page 77


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 1 Introduction to the Cisco ASA 5500 Series

New Features

Support for maximum number of management sessions allowed and Diffie-Hellman Key Exchange Group 14 support for SSH

The maximum number of simultaneous ASDM, SSH, and Telnet sessions allowed was added.
Support for Diffie-Hellman Key Exchange Group 14 for SSH was added.

We introduced or modified the following commands: quota management-session, show running-config quota management-session, show quota management-session, ssh.

This feature is not available in 8.5(1) or 8.6(1).

Additional ephemeral Diffie-Hellman ciphers for SSL encryption

The ASA now supports the following ephemeral Diffie-Hellman (DHE) SSL cipher suites:

DHE-AES128-SHA1

DHE-AES256-SHA1

These cipher suites are specified in RFC 3268, Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS).

When supported by the client, DHE is the preferred cipher because it provides Perfect Forward
Secrecy. See the following limitations:

DHE is not supported on SSL 3.0 connections, so make sure to also enable TLS 1.0 for the
SSL server.

!! set server version
hostname(config)# ssl server-version tlsv1 sslv3
!! set client version
hostname(config)# ssl client-version any

Some popular applications do not support DHE, so include at least one other SSL
encryption method to ensure that a cipher suite common to both the SSL client and server
can be used.

Some clients may not support DHE, including AnyConnect 2.5 and 3.0, Cisco Secure
Desktop, and Internet Explorer 9.0.

We modified the following command: ssl encryption.

This feature is not available in 8.5(1) or 8.6(1).
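The two DHE limitations above (TLS 1.0 must be enabled alongside SSL 3.0, and at least one non-DHE suite must remain for clients that cannot negotiate DHE) can be checked against a saved running-config. The following script is an added example, not part of the Cisco guide; the configuration text is constructed, and the lowercase cipher keywords are assumed to match the DHE-AES128-SHA1 and DHE-AES256-SHA1 suites named above.

```python
# Constructed ASA running-config excerpt with both DHE pitfalls present (not from a real device).
SAMPLE_CONFIG = """\
ssl server-version sslv3
ssl client-version any
ssl encryption dhe-aes128-sha1 dhe-aes256-sha1
"""

# Constructed corrected excerpt: TLS 1.0 enabled for the server and a non-DHE fallback suite added.
FIXED_CONFIG = """\
ssl server-version tlsv1 sslv3
ssl client-version any
ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1
"""

# Assumed CLI spellings of the two DHE suites the guide lists.
DHE_CIPHERS = {"dhe-aes128-sha1", "dhe-aes256-sha1"}


def parse_ssl_settings(config_text):
    """Return the ssl server-version keywords and ssl encryption cipher list found in a config."""
    settings = {"server_versions": set(), "ciphers": []}
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("ssl server-version "):
            settings["server_versions"] = set(line.split()[2:])
        elif line.startswith("ssl encryption "):
            settings["ciphers"] = line.split()[2:]
    return settings


def check_dhe_config(config_text):
    """Return a list of findings for the DHE limitations described in the guide."""
    s = parse_ssl_settings(config_text)
    findings = []
    dhe = [c for c in s["ciphers"] if c in DHE_CIPHERS]
    if not dhe:
        return findings  # no DHE suites configured, nothing to check
    # DHE is not supported on SSL 3.0 connections: if sslv3 is enabled, tlsv1 must be too.
    if "sslv3" in s["server_versions"] and "tlsv1" not in s["server_versions"]:
        findings.append("DHE suites configured but ssl server-version lacks tlsv1")
    # Clients without DHE support need at least one non-DHE suite in common with the server.
    if len(dhe) == len(s["ciphers"]):
        findings.append("only DHE suites configured; add a non-DHE suite for clients without DHE support")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_dhe_config(cfg) or "OK")
```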

File System Features

Image verification

Support for SHA-512 image integrity checking was added.

We modified the following command: verify.

This feature is not available in 8.5(1) or 8.6(1).

Failover Features

Configure the connection replication rate during a bulk sync

You can now configure the rate at which the ASA replicates connections to the standby unit
when using Stateful Failover. By default, connections are replicated to the standby unit during
a 15-second period. However, when a bulk sync occurs (for example, when you first enable
failover), 15 seconds may not be long enough to sync large numbers of connections due to a
limit on the maximum connections per second. For example, the maximum connections on the
ASA is 8 million; replicating 8 million connections in 15 seconds means creating 533 K
connections per second. However, the maximum connections allowed per second is 300 K. You
can now specify the rate of replication to be less than or equal to the maximum connections per
second, and the sync period will be adjusted until all the connections are synced.

We introduced the following command: failover replication rate rate (the trailing rate argument is the number of connections replicated per second).

This feature is not available in 8.6(1). This feature is also in 8.5(1.7).

Table 1-3 New Features for ASA Version 8.4(4.1) (continued). Columns: Feature, Description.
