- Diffie-Hellman groups: 2 and 24
- Encryption algorithms: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256, NULL, ESP-3DES, ESP-DES, ESP-MD5-HMAC
- Hash algorithms: MD5
Low-security SSH and SSL ciphers have not yet been removed.
Before you upgrade from an earlier version of ASA to Version 9.15(1), you must update your VPN configuration to use the ciphers supported in 9.15(1), or else the old configuration will be rejected. When the configuration is rejected, one of the following actions will occur, depending on the command:
- The command will use the default cipher.
- The command will be removed.
Fixing your configuration before upgrading is especially important for clustering or failover deployments. For example, if the secondary unit is upgraded to 9.15(1), and the removed ciphers are synced to this unit from the primary, then the secondary unit will reject the configuration. This rejection might cause unexpected behavior, like failure to join the cluster.
IKEv1: The following subcommands are removed:
IKEv2: The following subcommands are removed:
IPsec: The following subcommands are removed:
- crypto ipsec ikev1 transform-set name esp-3des esp-des esp-md5-hmac
- crypto ipsec ikev2 ipsec-proposal name
- protocol esp integrity md5
- protocol esp encryption 3des aes-gmac aes-gmac- 192 aes-gmac -256 des
- set pfs group2 group24
Crypto Map: The following subcommands are removed:
- crypto map name sequence set pfs group2
- crypto map name sequence set pfs group24
- crypto map name sequence set ikev1 phase1-mode aggressive group2
- revocation-check crl none
- revocation-check ocsp none
- revocation-check crl ocsp none
- revocation-check ocsp crl none
System Requirements
This section lists the system requirements to run this release.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
VPN Compatibility
New Features
This section lists new features for each release.
New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in ASA 9.15(1)
Released: November 2, 2020
Platform Features
ASAv for the Public Cloud
We introduced the ASAv for the following Public Cloud offerings:
- Oracle Cloud Infrastrucure (OCI)
- Google Cloud Platform (GCP)
No modified commands.
ASAv support for Autoscale
The ASAv now supports Autoscale for the following Public Could offerings:
- Amazon Web Services (AWS)
- Miscrosoft Azure
Autoscaling increases or decreases the number of ASAv application instances based on capacity requirements.
No modified commands.
ASAv for Microsoft Azure support for Accelerated Networking (SR-IOV).
The ASAv on the Microsoft Azure Public Cloud now supports Azure's Accelerated Networking (AN), which enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance.
No modified commands.
Firewall Features
Changes to PAT address allocation in clustering. The PAT pool flat option is now enabled by default and it is not configurable.
The way PAT addresses are distributed to the members of a cluster is changed. Previously, addresses were distributed to the members of the cluster, so your PAT pool would need a minimum of one address per cluster member. Now, the master instead divides each PAT pool address into equal-sized port blocks and distributes them across cluster members. Each member has port blocks for the same PAT addresses. Thus, you can reduce the size of the PAT pool, even to as few as one IP address, depending on the amount of connections you typically need to PAT. Port blocks are allocated in 512-port blocks from the 1024-65535 range. You can optionally included the reserved ports, 1-1023, in this block allocation when you configure PAT pool rules. For example, in a 4-node cluster, each node gets 32 blocks with which it will be able to handle 16384 connections per PAT pool IP address compared to a single node handling all 65535 connections per PAT pool IP address.
As part of this change, PAT pools for all systems, whether standalone or operating in a cluster, now use a flat port range of 1023 - 65535. Previously, you could optionally use a flat range by including the flat keyword in a PAT pool rule. The flat keyword is no longer supported: the PAT pool is now always flat. The include-reserve keyword, which was previously a sub-keyword to flat , is now an independent keyword within the PAT pool configuration. With this option, you can include the 1 - 1023 port range within the PAT pool.
Note that if you configure port block allocation (the block-allocation PAT pool option), your block allocation size is used rather than the default 512-port block. In addition, you cannot configure extended PAT for a PAT pool for systems in a cluster.
New/Modified commands: nat , show nat pool
XDMCP inspection disabled by default in new installations.
Previously, XDMCP inspection was enabled by default for all traffic. Now, on new installations, which includes new systems and reimaged systems, XDMCP is off by default. If you need this inspection, please enable it. Note that on upgrades, your current settings for XDMCP inspection are retained, even if you simply had it enabled by way of the default inspection settings.
High Availability and Scalability Features
Disable failover delay
When you use bridge groups or IPv6 DAD, when a failover occurs the new active unit waits up to 3000 ms for the standby unit to finish networking tasks and transition to the standby state. Then the active unit can start passing traffic. To avoid this delay, you can disable the waiting time, and the active unit will start passing traffic before the standby unit transitions.
New/Modified commands: failover wait-disable
Routing Features
Multicast IGMP interface state limit raised from 500 to 5000
The multicast IGMP state limit per interface was raised from 500 to 5000.
New/Modified commands: igmp limit
Interface Features
DDNS support for the web update method
You can now configure an interface to use DDNS with the web update method.
New/Modified commands: show ddns update interface , show ddns update method , web update-url , web update-type
Certificate Features
Modifications to Match Certificate commands to support static CRL Distribution Point URL
The static CDP URL configuration commands allowed CDPs to be mapped uniquely to each certificate in a chain that is being validated. However, only one such mapping was supported for each certificate. This modification allows statically configured CDPs to be mapped to a chain of certificates for authentication.
New/Modified commands: match certificate override cdp ,
Administrative and Troubleshooting Features
Manual import of node secret file from the RSA Authentication Manager for SDI AAA server groups.
You can import the node secret file that you export from the RSA Authentication Manager for use with SDI AAA server groups.
We added the following commands: aaa sdi import-node-secret , clear aaa sdi node-secret , show aaa sdi node-secrets .
show fragment command output enhanced
The output for show fragment command was enhanced to include IP fragment related drops and error counters.
No modified commands.
show tech-support command output enhanced
The output for show tech-support command was enhanced to include the bias that is configured for the crypto accelerator. The bias value can be ssl, ipsec, or balanced.
No modified commands.
Monitoring Features
Support to configure cplane keepalive holdtime values
Due to communication delays caused by high CPU usage, the response to the keepalive event fails to reach ASA, resulting in trigerring failover due to card failure. You can now configure the keepalive timeout period and the maximum keepalive counter value to ensure sufficient time and retries are given.
New/Modified commands: service-module
VPN Features
You can now configure the maximum in-negotiation SAs as an absolute value up to 15000 or a maximum value derived from the maximum device capacity; formerly, only a percentage was allowed.
New/Modified commands: crypto ikev2 limit max-in-negotiation-sa value
ASA provides protection against CSRF attacks for WebVPN handlers. If a CSRF attack is detected, a user is notified by warning messages. This feature is enabled by default.
Kerberos server validation for Kerberos Constrained Delegation (KCD).
When configured for KCD, the ASA initiates an AD domain join with the configured server in order to acquire Kerberos keys. These keys are required for the ASA to request service tickets on behalf of clientless SSL VPN users. You can optionally configure the ASA to validate the identity of the server during domain join.
We modified the kcd-server command to add the validate-server-certificate keyword.
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
- ASDM: Choose Home > Device Dashboard > Device Information .
- CLI: Use the show version command.
This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage.
For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.
ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X.
ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.
ASA 9.2(x) was the final version for the ASA 5505.
ASA 9.1(x) was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.
Current Version
Interim Upgrade Version
Target Version
