Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 1 Introduction to the Cisco ASA 5500 Series
New Features
New Features in Version 8.4(2)/6.4(5)
Released: June 20, 2011
VPN Session Timeout Alerts
Allows you to create custom messages to alert users that their VPN session is about to end because of inactivity or a session timeout.
We introduced the following screens:
Remote Access VPN > Configuration > Clientless SSL VPN Access > Portal > Customizations > Add/Edit > Timeout Alerts
Remote Access VPN > Configuration > Clientless SSL VPN Access > Group Policies > Add/Edit General
AAA Features
Increased maximum LDAP values per attribute
The maximum number of values that the ASA can receive for a single attribute was increased from 1000 (the default) to 5000, with an allowed range of 500 to 5000. If a response message is received that exceeds the configured limit, the ASA rejects the authentication. If the ASA detects that a single attribute has more than 1000 values, then the ASA generates informational syslog 109036. For more than 5000 attributes, the ASA generates error level syslog 109037.
We introduced the following command: ldap-max-value-range number (enter this command in aaa-server host configuration mode).
ASDM does not support this command; enter the command using the Command Line Tool.
Support for sub-range of LDAP search results
When an LDAP search results in an attribute with a large number of values, depending on the server configuration, it might return a sub-range of the values and expect the ASA to initiate additional queries for the remaining value ranges. The ASA now makes multiple queries for the remaining ranges, and combines the responses into a complete array of attribute values.
Key vendor-specific attributes (VSAs) sent in RADIUS access request and accounting request packets from the ASA
Four new VSAs: Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in RADIUS accounting request packets from the ASA. All four attributes are sent for all accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for example, ACS and ISE) can then enforce authorization and policy attributes or use them for accounting and billing purposes.
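As an added illustration (not Cisco code and not part of the original guide), the parser below shows how a RADIUS server or log pipeline could extract the four VSAs named above from a request packet before applying policy. The vendor ID 3076, the string and integer encodings, and every sample value are assumptions that do not appear in this guide.

```python
import struct

VENDOR_SPECIFIC = 26                  # RFC 2865 Vendor-Specific attribute type
ASA_VENDOR = struct.pack("!I", 3076)  # assumption: vendor ID is not given in the text
# VSA numbers come from the text above; the value encodings are assumptions.
ASA_VSAS = {146: ("Tunnel-Group-Name", str), 150: ("Client-Type", int),
            151: ("Session-Type", int), 152: ("Session-Subtype", int)}

def parse_asa_vsas(packet: bytes) -> dict:
    """Return the ASA VSAs carried in one RADIUS packet, keyed by name."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("RADIUS length field does not match the data")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value, pos = packet[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC or value[:4] != ASA_VENDOR:
            continue  # not a VSA from the assumed vendor
        sub = value[4:]
        while sub:  # vendor payload: one or more (type, length, data) triples
            if len(sub) < 2 or not 2 <= sub[1] <= len(sub):
                raise ValueError("bad vendor sub-attribute length")
            vtype, data, sub = sub[0], sub[2:sub[1]], sub[sub[1]:]
            if vtype not in ASA_VSAS:
                continue
            name, kind = ASA_VSAS[vtype]
            if kind is int:
                if len(data) != 4:
                    raise ValueError(f"{name} is not a 4-byte integer")
                found[name] = struct.unpack("!I", data)[0]
            else:
                found[name] = data.decode("utf-8", "replace")
    return found

def build_vsa(vtype: int, data: bytes) -> bytes:
    """Encode one VSA; used here only to construct sample packets."""
    sub = bytes([vtype, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + ASA_VENDOR + sub

# Constructed Access-Request: code 1, id 42, zeroed authenticator, User-Name + two VSAs.
attrs = bytes([1, 7]) + b"alice" + build_vsa(146, b"Contractors") + build_vsa(150, struct.pack("!I", 2))
SAMPLE_ACCESS_REQUEST = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs
```

Malformed lengths raise ValueError rather than being skipped, so a policy decision is never made on a partially parsed packet.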
Troubleshooting Features
Regular expression matching for the show asp table classifier and show asp table filter commands
You can now enter the show asp table classifier and show asp table filter commands with a regular expression to filter output.
We modified the following commands: show asp table classifier match regex, show asp table filter match regex.
ASDM does not support this command; enter the command using the Command Line Tool.
Table 1-4 New Features for ASA Version 8.4(3)/ASDM Version 6.4(7) (continued)
Feature Description