Potential Traffic Outage (9.1(7.9) through 9.1(7.15))-Due to bug CSCvd78303, the ASA may stop passing traffic after 213 days of uptime. The effect on each network will be different, but it could range from an issue of limited connectivity to something more extensive like an outage. You must upgrade to a new version without this bug, when available. In the meantime, you can reload the ASA to gain another 213 days of uptime. See Field Notice FN-64291 for affected versions and more information.

Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability-Multiple vulnerabilities have been fixed for clientless SSL VPN in ASA software, so you should upgrade your software to a fixed version. See for details about the vulnerability and a list of fixed ASA versions. Also, if you ever ran an earlier ASA version that had a vulnerable configuration, then regardless of the version you are currently running, you should verify that the portal customization was not compromised. If an attacker compromised a customization object in the past, then the compromised object stays persistent after you upgrade the ASA to a fixed version. Upgrading the ASA prevents this vulnerability from being exploited further, but it will not modify any customization objects that were already compromised and are still present on the system.

EtherChannel configuration on the 4GE SSM disallowed-Interfaces on the 4GE SSM, including the built-in module on the ASA 5550 (GigabitEthernet 1/x), are not supported as members of EtherChannels. However, although not supported, configuration was not disallowed until 9.0(1). If you configured any 4GE SSM interfaces as EtherChannel members, then upgrading to 9.0(1) or later will remove the channel-group membership configuration from those interfaces. You must alter your interface configuration to comply with supported interface types.

ASA 9.1(3) features for the ASA CX require ASA CX Version 9.2(1).

Upgrading ASA Clustering from 9.0(1) or 9.1(1)-Due to many bug fixes, we recommend the 9.0(2) or 9.1(2) release or later for ASA clustering. If you are running 9.0(1) or 9.1(1), you should upgrade to 9.0(2) or 9.1(2) or later. Note that due to CSCue72961, hitless upgrading is not supported.

Upgrading to 9.1(2.8) or 9.1(3) or later-See Upgrading the Software.

ASA CX software module SSD-An SSD is required to install the ASA CX software module on the ASA 5500-X series.

With a heavy load of users (around 150 or more) using a WebVPN plugin, you may experience large delays because of the processing overload. Using Citrix web interface reduces the ASA rewrite overhead. To track the progress of the enhancement request to allow WebVPN plug files to be cached on the ASA, refer to CSCud11756.

(ASA 5510, ASA 5520, ASA 5540, and ASA 5550 only) We strongly recommend that you enable hardware processing using the crypto engine large-mod-accel command instead of software for large modulus operations such as 2048-bit certificates and DH5 keys. If you continue to use software processing for large keys, you could experience significant performance degradation due to slow session establishment for IPsec and SSL VPN connections. We recommend that you initially enable hardware processing during a low-use or maintenance period to minimize a temporary packet loss that can occur during the transition of processing from software to hardware. Note: For the ASA 5540 and ASA 5550 using SSL VPN, in specific load conditions, you may want to continue to use software processing for large keys. If VPN sessions are added very slowly and the ASA runs at capacity, then the negative impact to data throughput is larger than the positive impact for session establishment. The ASA 5580/5585-X platforms already integrate this capability; therefore, crypto engine commands are not applicable on these platforms.

Clientless SSL VPN session cookie access restriction-You can now prevent a Clientless SSL VPN session cookie from being accessed by a third party through a client-side script such as Javascript. Note: Use this feature only if Cisco TAC advises you to do so. Enabling this command presents a security risk because the following Clientless SSL VPN features will not work without any warning: Sharepoint features that require desktop applications (for example, MS Office applications), and other non-browser-based and browser plugin-based applications. We introduced the following command: http-only-cookie.
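The version range, 213-day uptime limit and the two commands named in these notes can be checked mechanically before a maintenance window. The following is an added audit script, not Cisco code and not from the original notes; the version notation follows the notes (9.1(7.15)), the running-config sample is constructed, and the platform strings are assumed labels supplied by the operator.

```python
import re

# Values as stated in the release notes for bug CSCvd78303.
OUTAGE_FIRST, OUTAGE_LAST = "9.1(7.9)", "9.1(7.15)"
UPTIME_LIMIT_DAYS = 213
# Platforms on which the notes recommend 'crypto engine large-mod-accel'
# (assumed label format, e.g. the model string an operator records).
LARGE_MOD_PLATFORMS = {"ASA5510", "ASA5520", "ASA5540", "ASA5550"}

def parse_asa_version(text):
    """'9.1(7.15)' -> (9, 1, 7, 15); '9.1(3)' -> (9, 1, 3, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)", text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def outage_risk(version, uptime_days):
    """Return (affected, days until the 213-day traffic stop) for the running version."""
    v = parse_asa_version(version)
    affected = parse_asa_version(OUTAGE_FIRST) <= v <= parse_asa_version(OUTAGE_LAST)
    days_left = max(0, UPTIME_LIMIT_DAYS - uptime_days) if affected else None
    return affected, days_left

def audit_config(config_text, platform):
    """Report the two settings the notes discuss, from 'show running-config' text."""
    # Strip indentation so 'http-only-cookie' nested under 'webvpn' is matched too.
    cmds = {line.strip() for line in config_text.splitlines()}
    report = {}
    if platform in LARGE_MOD_PLATFORMS:
        report["large_mod_accel"] = ("enabled" if "crypto engine large-mod-accel" in cmds
                                     else "missing: enable during a low-use period")
    else:
        report["large_mod_accel"] = "not applicable on this platform"
    # http-only-cookie is TAC-advised only; when set, plugin-based features fail silently.
    report["http_only_cookie"] = ("set: expect plugin-based Clientless SSL VPN features to fail"
                                  if "http-only-cookie" in cmds else "not set")
    return report

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
hostname asa-edge
crypto engine large-mod-accel
webvpn
 enable outside
 http-only-cookie
"""

if __name__ == "__main__":
    print(outage_risk("9.1(7.12)", 200))          # (True, 13)
    print(audit_config(SAMPLE_CONFIG, "ASA5520"))
```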