Usage Guidelines

Caching stores frequently reused objects in the system cache, which reduces the need to perform repeated rewriting and compressing of content. It reduces traffic between WebVPN and both the remote servers and end-user browsers, so that many applications run much more efficiently.

Note	Enabling the content cache may cause some systems to become less reliable. If you experience random crashes after enabling the content cache, disable it.

The following example shows how to enter cache mode:

ciscoasa
(config)#
 webvpn
ciscoasa
(config-webvpn)#
 cache 
hostname(config-webvpn-cache)#

Usage Guidelines

The basic constraints extension identifies whether the subject of the certificate is a Certificate Authority (CA), in which case the certificate can be used to sign other certificates. The CA flag is part of this extension. The presence of these items in a certificate indicates that the certificate’s public key can be used to validate certificate signatures.

Usage Guidelines

Configuring the security appliance to store all cache-able static content in the appliance cache increases the performance of back-end SSL VPN connections. Static content includes objects not rewritten by the security appliance, such as PDF files and images.

Usage Guidelines

Use the call-agent command to specify a group of call agents that can manage one or more gateways. The call agent group information is used to open connections for call agents in the group (other than the one to which a gateway sends a command) so that any of the call agents can send the response. Call agents with the same >group_id belong to the same group. A call agent may belong to more than one group.

Usage Guidelines

After you enter the call-home command, the prompt changes to hostname (cfg-call-home)#, and you have access to the following Call Home configuration commands:

• [no] alert-group {group name | all}—Enables or disables the Smart Call Home group. The default is enabled for all alert-groups.group name: Syslog, diagnostic, environment, inventory, configuration, snapshot, threat, telemetry, test.

• [no] contact-e-mail-addr e-mail-address—Specifies the customer contact e-mail address. This field is required.e-mail-address: A customer e-mail address of up to 127 characters.

• [no] contact-name contact name—Specifies the customer name.e-mail-address: A customer name of up to 127 characters.

• [no] contract-id contract-id-string—Specifies customer contract identification.contract-id-string: An identification number up to 128 characters. Spaces are allowed, but you must use quotes around the string if it includes spaces.

• copy profile src-profile-name dest-profile-name—Copies the content of an existing profile (src-profile-name ) to a new profile (dest-profile-name ).src-profile-name: An existing profile name of up to 23 characters.dest-profile-name: A new profile name of up to 23 characters.

• rename profile src-profile-name dest-profile-name—Changes the name of an existing profile.src-profile-name: An existing profile name of up to 23 characters.dest-profile-name: A new profile name of up to 23 characters.

• source-interface—Specifies the source interface.

• no configuration all—Clears the Smart Call-home configuration.[no] customer-id customer-id-string—Specifies the customer ID.customer-id-string: A customer ID of up to 64 characters. This field is required for XML format messages.

• [no] event-queue-size queue_size—Specifies the event queue size.queue-size: The number of events from 5-60. The default is 10.

• [no] mail-server ip-address | name priority 1-100 all—Specifies the SMTP mail server. Customers can specify up to five mail servers. At least one mail server is required for using e-mail transport for Smart Call Home messages. ip-address: The IPv4 or IPv6 address of the mail server.name: The hostname of the mail server.1-100: The priority of the mail server. The lower the number, the higher the priority.

• [no] phone-number phone-number-string—Specifies the customer phone number. This field is optional.phone-number-string: The phone number.

• [no] rate-limit msg-count—Specifies the number of messages that Smart Call Home can send per minute.msg-count: The number of messages per minute. The default is 10.

• [no] sender {from e-mail-address | reply-to e-mail-address} —Specifies the from/reply-to e-mail address of an e-mail message. This field is optional.e-mail-address: The from and reply-to e-mail address.

• [no] site-id site-id-string—Specifies the customer site ID. This field is optional.site-id-string: A site ID to identify the location of the customer.

• [no] street-address street-address—Specifies the customer address. This field is optional.street-address: A free-format string of up to 255 characters.

• [no] alert-group-config environment—Enters environment group configuration mode.[no] threshold {cpu | memory} low-high—Specifies the environmental resource threshold.low, high: Valid values are 0-100. The default is 85-90.

• [no] alert-group-config snapshot—Enters snapshot group configuration mode.system, user: To run the CLI in sysem or user context (available only in multimode).

• [no] add-command “cli command” [{system | user}] —Specifies CLI commands to capture in the snapshot group.cli command: The CLI command to be entered.system, user: To run the CLI in the system or in user context (available only in multiple mode). If both the system and user are not specified, the CLI will be run in both the system and user contexts. The default is the user context.

• All bullets below moved to profile command.

• [no] profile profile-name | no profile all—Creates, deletes, or edits a profile. Enters profile configuration mode and changes the prompt to hostname (cfg-call-home-profile)#. profile-name: A profile name of up to 20 characters.

• [no] active—Enables or disables a profile. The default is enabled.no destination address {e-mail | http} all | [no] destination {address {e-mail | http} e-mail-address | http-url [msg-format short-text | long-text | xml] | message-size-limit max-size | preferred-msg-format short-text | long-text | xml | transport-method e-mail | http}—Configures the destination, message size, message format, and transport method for the Smart Call Home message receiver. The default message format is XML, and the default enabled transport method is e-mail.e-mail-address: The e-mail address of the Smart Call Home receiver, which can be up to 100 characters.http-url: The HTTP or HTTPS URL.max-size: The maximum message size in bytes. 0 means no limit. The default is 5 MB.

• [no] subscribe-to-alert-group alert-group-name [severity {catastrophic | disaster | emergencies | alert | critical | errors | warning | notifications | informational | debugging}]—Subscribes to events of a group with a specified severity level.alert-group-name: Syslog, diagnostic, environment, or threat are valid values.

• [no] subscribe-to-alert-group syslog [{severity {catastrophic | disaster | emergencies | alert | critical | errors | warning | notifications | informational | debugging} | message start [-end]}]—Subscribes to syslogs with a severity level or message ID.start-[end]: One syslog message ID or a range of syslog message IDs.

  Note

  Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debugging only to troubleshoot specific problems or during troubleshooting sessions with Cisco technical support staff. Also, use it during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood of increasing the processing overhead that will affect system use.

• [no] subscribe-to-alert-group inventory [periodic {daily | monthly day_of_month | weekly day_of_week [hh:mm]]—Subscribes to inventory events.day_of_month: Day of the month, 1-31.day_of_week: Day of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday).hh, mm: Hours and minutes of a day, in 24-hour time.

• [no] subscribe-to-alert-group configuration [export full | minimum] [periodic {daily | monthly day_of_month | weekly day_of_week [hh:mm]]—Subscribes to configuration events.full: Configuration to export the running configuration, startup configuration, feature list, number of elements in an access list, and the context name in multimode.minimum: Configuration to export-only feature list, number of elements in an access list, and the context name in multimode.day_of_month: Day of the month, 1-31.day_of_week: Day of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday).hh, mm: Hours and minutes of a day, in 24-hour time.

• [no] subscribe-to-alert-group telemetry periodic {hourly | daily | monthly day_of_month | weekly day_of_week [hh:mm]—Subscribes to telemetry periodic events.day_of_month: Day of the month, 1-31.day_of_week: Day of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday).hh, mm: Hours and minutes of a day, in 24-hour time.

• [no] subscribe-to-alert-group snapshot periodic {interval minutes | hourly [mm] | daily | monthly day_of_month |weekly day_of_week [hh:mm]}—Subscribes to snapshot periodic events.minutes: The interval in minutes.day_of_month: Day of the month, 1-31.day_of_week: Day of the week (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday).hh, mm: Hours and minutes of a day, in 24-hour time.

Usage Guidelines

This command causes the specified CLI command to be executed on the system. The specified CLI command must be enclosed in quotes (“”), and can be any run or show command, including commands for all modules.

The command output is then sent by e-mail to the specified e-mail address. If no e-mail address is specified, the command output is sent to the Cisco TAC at attach@cisco.com. The e-mail is sent in long text format with the service number, if specified, in the subject line.

Usage Guidelines

If you do not specify the profile profile-name , the message is sent to all subscribed destination profiles.

Only the configuration, diagnostic, and inventory alert groups can be manually sent. The destination profile need not be subscribed to the alert group.

Usage Guidelines

This command sends a test message to the specified destination profile. If you enter test message text, you must enclose the text in quotes (“”) if it contains spaces. If you do not enter a message, a default message is sent.

Note	The call-home test command is applicable only for Smart Software Managers that manage the device licenses online, and not for Smart Software Manager On-Prem servers.

Usage Guidelines

You might want to disable NSF awareness by disabling the use of the LLS data block in originated OSPF packets. You might want to disable NSF awareness if the router has no applications using LLS.

If NSF is configured and you try to disable LLS, you will receive the error message, “OSPF Non-Stop Forwarding (NSF) must be disabled first.”

If LLS is disabled and you try to configure NSF, you will receive the error message, “OSPF Link-Local Signaling (LLS) capability must be enabled first.”

Usage Guidelines

The capability opaque command floods MPLS TE information (Types 1 and 4) through opaque LSAs of all scope (Types 9, 10, and 11).

Control opaque LSA support capability must be enabled for OSPF to support MPLS TE.

The MPLS TE topology information is flooded to the area through opaque LSAs by default.

Usage Guidelines

Captive portal works in conjunction with the identity policy defined on the ASA FirePOWER module.

For HTTP/HTTPS connections, you can define identity rules that collect user identification through active authentication. If you want to implement active authentication identity rules, you must configure captive portal on the ASA to act as the authentication proxy port. When a connection matches an identity rule that requests active authentication, the ASA FirePOWER module redirects the authentication request to the ASA interface IP address/captive portal. The default port is 885, which you can change.

If you do not enable captive portal for the authentication proxy, only passive authentication is available.

Usage Guidelines

Capturing packets is useful when troubleshooting connectivity problems or monitoring suspicious activity. You can create multiple captures. The capture command is not saved to the running configuration, and is not copied to the standby unit during failover.

The ASA is capable of tracking all IP traffic that flows across it and of capturing all the IP traffic that is destined to it, including all the management traffic (such as SSH and Telnet traffic).

The ASA architecture consists of three different sets of processors for packet processing; this architecture poses certain restrictions on the capability of the capture feature. Typically most of the packet forwarding functionality in the ASA is handled by the two front-end network processors, and packets are sent to the control-plane general-purpose processor only if they need application inspection. The packets are sent to the session management path network processor only if there is a session miss in the accelerated path processor.

Because all the packets that are forwarded or dropped by the ASA hits the two front-end network processors, the packet capture feature is implemented in these network processors. So all the packets that hit the ASA can be captured by these front end processors, if an appropriate capture is configured for those traffic interfaces. On the ingress side, the packets are captured the moment the packet hits the ASA interfaces, and on the egress side the packets are captured just before they are sent out on the wire.

Note	Enabling WebVPN capture affects the performance of the ASA. Be sure to disable the capture after you generate the capture files that you need for troubleshooting.

Save the Capture

The contents of any active capture on ASA are saved when the box crashes.

When you activate captures as part of the troubleshooting process, you must note the following points:

• The size of capture buffer to use and if there is enough space on flash/disk.

• The capture buffer should be marked as circular for all the use cases, so that captured packets are the most recent before crash.

The name of the file for saving contents of an active capture is in the format of:

[<context_name>.]<capture_name>.pcap

The context_name indicates the name of the user context in which capture is activated in the multi-context mode. For the single context mode, the context_name is not applicable.

The capture_name indicates the name of the capture that is activated.

The capture save happens before the console or crash dump. This increases the crash downtime by about 5 seconds for a 33 MB capture buffer. The risk of a nested crash is minimal because copying the captured contents to a file is a simple process.

View the Capture

• To view the packet capture at the CLI, use the show capture name command.

• To save the capture to a file, use the copy capture command.

• To see the packet capture information with a web browser, use the https://ASA-ip-address/admin/capture/capture_name[/pcap] command.

  You are prompted for a username and password. See the username command to add a username to the local database.

  If you specify the pcap keyword, then a libpcap-format file is downloaded to the web browser and can be saved using the web browser. (A libcap file can be viewed with TCPDUMP or Ethereal.)

If you copy the buffer contents to a TFTP server in ASCII format, you will see only the headers, not the details and hexadecimal dump of the packets. To see the details and hexadecimal dump, you need to transfer the buffer in PCAP format and read it with TCPDUMP or Ethereal.

Stop and Start the Capture

The packets can be stopped from being captured without removing them from the buffer. The stopped status of the capture is displayed. The captured packet is retained in the buffer.

Use the following command to manually stop packet capture:

capture name stop

Use the following command to start capturing packets:

no capture name stop

Delete the Capture

Entering no capture without any keywords deletes the capture. To preserve the capture, specify the access-list or interface keyword; the capture is detached from the specified ACL or interface and the capture is preserved.

Real Time Operations

You cannot perform any operations on a capture while the real-time display is in progress. Using the real-time keyword with a slow console connection may result in an excessive number of non-displayed packets because of performance considerations. The fixed limit of the buffer is 1000 packets. If the buffer fills up, a counter is maintained of the captured packets. If you open another session, you can disable the real-time display be entering the no capture real-time command.

Clustering

You can precede the capture command with cluster exec to issue the capture command on one unit and run the command in all the other units at the same time. After you have performed cluster-wide capture, to copy the same capture file from all units in the cluster at the same time to a TFTP server, enter the cluster exec copy command on the master unit.

ciscoasa# cluster exec capture 
capture_name arguments
ciscoasa# cluster exec copy
 /pcap capture
: cap_name
 tftp
://location
/path
/filename
.pcap

Multiple PCAP files, one from each unit, are copied to the TFTP server. The destination capture file name is automatically attached with the unit name, such as filename_A.pcap, filename_B.pcap, and so on. In this example, A and B are cluster unit names.

When you capture traces on cluster units, they are persistent on each cluster node until you manually clear them from the buffer. Decrypted IPsec packets are captured once they enter ASA. The captured packet includes both normal and decapsulated traffic.

Note	A different destination name is generated if you add the unit name at the end of the filename.

Limitations

The following are some of the limitations of the capture feature. Most of the limitations are caused by the distributed nature of the ASA architecture and by the hardware accelerators that are being used in the ASA.

• You can configure captures on the cluster control link within a context; only the packet that is associated with the context sent in the cluster control link is captured.

• For a shared VLAN, the following guidelines apply:

  • You can only configure one capture for the VLAN; if you configure a capture in multiple contexts on the shared VLAN, then only the last capture that was configured is used.

  • If you remove the last-configured (active) capture, no captures become active, even if you have previously configured a capture in another context; you must remove and readd the capture to make it active.

  • All traffic that enters the interface to which the capture is attached (and that matches the capture access list) is captured, including traffic to other contexts on the shared VLAN.

  • Therefore, if you enable a capture in Context A for a VLAN that is also used by Context B, both Context A and Context B ingress traffic are captured.

• For egress traffic, only the traffic of the context with the active capture is captured. The only exception is when you do not enable the ICMP inspection (therefore the ICMP traffic does not have a session in the accelerated path). In this case, both ingress and egress ICMP traffic for all contexts on the shared VLAN is captured.

• Configuring a capture typically involves configuring an access list that matches the traffic that needs to be captured. After an access list that matches the traffic pattern is configured, then you need to define a capture and associate this access list to the capture, along with the interface on which the capture needs to be configured. Note that a capture only works if an access list and an interface are associated with a capture for capturing IPv4 traffic. The access list is not required for IPv6 traffic.

• For the ASA CX module traffic, captured packets contain an additional AFBP header that your PCAP viewer might not understand; be sure to use the appropriate plugin to view these packets.

• For inline SGT tagged packets, captured packets contain an additional CMD header that your PCAP viewer might not understand.

• If there is no ingress interface and therefore no global interface, packets sent on the backplane are treated as control packets in the system context. These packets bypass the access list check and are always captured. This behavior applies in both single mode and multiple context mode.

• The show capture command shows the correct reason when capturing a specific asp-drop. However, the show capture command does not show the correct reason when capturing all asp-drops.

Usage Guidelines

The CDP is an extension that can be included in issued certificates to specify the location where a validating party can obtain revocation status for the certificate. Only one CDP can be configured at a time.

Note	If a CDP URL is specified, it is the responsibility of the administrator to maintain access to the current CRL from that location.

Usage Guidelines

When this command is issued, the ASA interprets the data included with it as the certificate in hexadecimal format. A quit string indicates the end of the certificate.

A CA is an authority in a network that issues and manages security credentials and public key for message encryption. As part of a public key infrastructure, a CA checks with a RA to verify information provided by the requester of a digital certificate. If the RA verifies the requester information, the CA can then issue a certificate.

Usage Guidelines

With the certificate-group-map command in effect, if a certificate received from a WebVPN client corresponds to a map entry, the resulting tunnel group is associated with the connection, overriding any tunnel group choice made by the user.

Multiple instances of the certificate-group-map command allow multiple mappings.

Usage Guidelines

You can apply this attribute to all IPsec tunnel group types.

Entering this command includes the root certificate and any subordinate CA certificates in the transmission.

Usage Guidelines

If users omit the passwords, the ASA prompts them for input. When users enter the change-password command, they are asked to save their running configuration. After a user has successfully changed the password, a message appears to remind the user to save configuration changes.

Usage Guidelines

If you log into the system execution space or the admin context, you can change between contexts and perform configuration and monitoring tasks within each context. The “running” configuration that you edit in configuration mode, or that is used in the copy or write commands, depends on which execution space you are in. When you are in the system execution space, the running configuration consists only of the system configuration; when you are in a context execution space, the running configuration consists only of that context. For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration appears.

Usage Guidelines

Each channel group can have eight active interfaces. Note that you can assign up to 16 interfaces to a channel group. While only eight interfaces can be active, the remaining interfaces can act as standby links in case of interface failure.

All interfaces in the channel group must be the same type and speed. The first interface added to the channel group determines the correct type and speed.

If the port-channel interface for this channel ID does not yet exist in the configuration, one will be added:

interface port-channel
 channel_id

The Link Aggregation Control Protocol (LACP) aggregates interfaces by exchanging the Link Aggregation Control Protocol Data Units (LACPDUs) between two network devices. LACP coordinates the automatic addition and deletion of links to the EtherChannel without user intervention. It also handles misconfigurations and checks that both ends of member interfaces are connected to the correct channel group. “On” mode cannot use standby interfaces in the channel group when an interface goes down, and the connectivity and configurations are not checked.

ASA Clustering

You can include multiple interfaces per ASA in a spanned EtherChannel. Multiple interfaces per ASA are especially useful for connecting to both switches in a VSS or vPC. If you are connecting the ASA to two switches in a VSS or vPC, then you should enable VSS load balancing by using the vss-load-balance keyword. This feature ensures that the physical link connections between the ASAs to the VSS (or vPC) pair are balanced. You must configure the vss-id keyword in the channel-group command for each member interface before enabling load balancing.

Usage Guidelines

Character encoding , also called “character coding” and “a character set,” is the pairing of raw data (such as 0s and 1s) and characters to represent the data. The language determines the character encoding method to use. Some languages use the same method, while others do not. Usually, the geographic region determines the default encoding method used by the browser, but the user can change this. The browser can also detect the encoding specified on the page, and render the document accordingly. The character-encoding attribute lets the user specify the value of the character-encoding method into the WebVPN portal page to ensure that the browser renders it correctly, regardless of the region in which the user is using the browser, or any changes made to the browser.

The character-encoding attribute is a global setting that, by default, all WebVPN portal pages inherit. However, the user can override the file-encoding attribute for Common Internet File System (CIFS) servers that use character encoding that differs from the value of the character-encoding attribute. Use different file-encoding values for CIFS servers that require different character encodings.

The WebVPN portal pages downloaded from the CIFS server to the WebVPN user encode the value of the WebVPN file-encoding attribute identifying the server, or if one does not, they inherit the value of the character-encoding attribute. The remote user browser maps this value to an entry in its character encoding set to determine the proper character set to use. The WebVPN portal pages do not specify a value if WebVPN configuration does not specify a file-encoding entry for the CIFS server and the character-encoding attribute is not set. The remote browser uses its own default encoding if the WebVPN portal page does not specify the character encoding or if it specifies a character encoding value that the browser does not support.

The mapping of CIFS servers to their appropriate character encoding, globally with the webvpn character-encoding attribute, and individually with file-encoding overrides, provides for the accurate handling and display of CIFS pages when the correct rendering of file names or directory paths, as well as pages, is an issue.

Note

The character-encoding and file-encoding values do not exclude the font family to be used by the browser. The user needs to complement the setting of one these values with the page style command in webvpn customization command mode to replace the font family if you are using Japanese Shift_JIS character encoding, as shown in the following example, or enter the no page style command in webvpn customization command mode to remove the font family.

The encoding type set on the remote browser determines the character set for WebVPN portal pages when this attribute does not have a value.

Usage Guidelines

Checkheaps is a periodic process that verifies the sanity of the heap memory buffers (dynamic memory is allocated from the system heap memory region) and the integrity of the code region.

Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. To prevent against TCP retransmission style attacks that arise from end-system interpretation of inconsistent retransmissions, use the check-retransmission command in tcp-map configuration mode.

The ASA will make efforts to verify if the data in retransmits are the same as the original. If the data does not match, then the connection is dropped by the ASA. When this feature is enabled, packets on the TCP connection are only allowed in order. For more details, see the queue-limit command.

Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the checksum-verification command in tcp-map configuration mode to enable TCP checksum verification. If the check fails, the packet is dropped.

Usage Guidelines

The tcp-map command is used along with the Modular Policy Framework infrastructure. Define the class of traffic using the class-map command and customize the TCP inspection with tcp-map commands. Apply the new TCP map using the policy-map command. Activate TCP inspection with service-policy commands.

Use the tcp-map command to enter tcp-map configuration mode. Use the checksum-verification command in tcp-map configuration mode to enable TCP checksum verification. If the check fails, the packet is dropped.

Usage Guidelines

Separating voice and data traffic by using VLANs is a security best practice to hide voice streams from security threats that attempt to penetrate the data VLAN. However, Cisco IP Communicator (CIPC) softphone applications must connect to their respective IP phones, which reside on the voice VLAN. This requirement makes segregating voice and data VLANs an issue because the SIP and SCCP protocols dynamically negotiate the RTP/RTCP ports on a wide range of ports. This dynamic negotiation requires that a range of ports be open between the two VLANs.

Note	Earlier versions of CIPC that do not support Authenticated mode are not supported with the Phone Proxy.

To allow CIPC softphones on the data VLAN to connect to their respective IP phones on the voice VLAN without requiring access between the VLANs on a wide range of ports, you can configure the Phone Proxy with the cipc security-mode authenticated command.

This command allows the Phone Proxy to look for CIPC configuration files and force CIPC softphones to be in authenticated mode rather than encrypted mode, because current versions of CIPC do not support encrypted mode.

When this command is enabled, the Phone Proxy parses the phones configuration file to determine if the phone is a CIPC softphone and changes the security mode to authenticated. Additionally, CIPC softphones support authenticated mode only while the Phone Proxy, by default, forces all phones to be in encrypted mode.

Usage Guidelines

Some switches do not support dynamic port priority, so this command improves switch compatibility. Moreover, it enables support of more than 8 active spanned EtherChannel members, up to 32 members. Without this command, only 8 active members and 8 standby members are supported.

ASA EtherChannels support up to 16 active links. With spanned EtherChannels, that functionality is extended to support up to 32 active links across the cluster when used with two switches in a vPC and when you disable dynamic port priority with the clacp static-port-priority command. The switches must support EtherChannels with 16 active links, for example, the Nexus 7000 with with F2-Series 10 Gigabit Ethernet Module.

For switches in a VSS or vPC that support 8 active links, you can configure 16 active links in the spanned EtherChannel (8 connected to each switch).

Note	If you want to use more than 8 active links in a spanned EtherChannel, you cannot also have standby links; the support for 9 to 32 active links requires you to disable cLACP dynamic port priority that allows the use of standby links.

Usage Guidelines

When using spanned EtherChannels, the ASA uses cLACP to negotiate the EtherChannel with the neighbor switch. ASAs in a cluster collaborate in cLACP negotiation so that they appear as a single (virtual) device to the switch. One parameter in cLACP negotiation is a system ID, which is in the format of a MAC address. All ASAs use the same system ID: auto-generated by the master unit (the default) and replicated to all slaves; or manually specified in this command. You might want to manually configure the MAC address for troubleshooting purposes, for example, so you can use an easily identified MAC address. Typically, you would use the auto-generated MAC address.

This command is not part of the bootstrap configuration, and is replicated from the master unit to the slave units. However, you cannot change this value after you enable clustering.

Usage Guidelines

By default, all security contexts have unlimited access to the resources of the ASA, except where maximum limits per context are enforced. However, if you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context.

The ASA manages resources by assigning contexts to resource classes. Each context uses the resource limits set by the class.

When you create a class, the ASA does not set aside a portion of the resources for each context assigned to the class; rather, the ASA sets the maximum limit for a context. If you oversubscribe resources, or allow some resources to be unlimited, a few contexts can “use up” those resources, potentially affecting service to other contexts. See the limit-resource command to set the resources for the class.

All contexts belong to the default class if they are not assigned to another class; you do not have to actively assign a context to the default class.

If a context belongs to a class other than the default class, those class settings always override the default class settings. However, if the other class has any settings that are not defined, then the member context uses the default class for those limits. For example, if you create a class with a 2 percent limit for all concurrent connections, but no other limits, then all other limits are inherited from the default class. Conversely, if you create a class with limits for all resources, the class uses no settings from the default class.

By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context:

• Telnet sessions—5 sessions.

• SSH sessions—5 sessions.

• MAC addresses—65,535 entries.

Usage Guidelines

To use the class command, use the Modular Policy Framework. To use a class in a Layer 3/4 policy map, enter the following commands:

1. class-map —Identify the traffic on which you want to perform actions.

2. policy-map —Identify the actions associated with each class map.

   1. class —Identify the class map on which you want to perform actions.

   2. commands for supported features —For a given class map, you can configure many actions for various features, including QoS, application inspection, CSC or AIP SSM, TCP and UDP connections limits and timeout, and TCP normalization. See the CLI configuration guide for more details about the commands available for each feature.

3. service-policy —Assigns the policy map to an interface or globally.

To use a class in an inspection policy map, enter the following commands:

1. class-map type inspect —Identify the traffic on which you want to perform actions.

2. policy-map type inspect —Identify the actions associated with each class map.

   1. class —Identify the inspection class map on which you want to perform actions.

   2. commands for application types —See the CLI configuration guide for commands available for each application type. Actions supported in class configuration mode of an inspection policy map include:

   3. Dropping a packet

   4. Dropping a connection

   5. Resetting a connection

   6. Logging

   7. Rate-limiting of messages

   8. Masking content

   9. parameters —Configure parameters that affect the inspection engine. The CLI enters parameters configuration mode. See the CLI configuration guide for available commands.

3. class-map —Identify the traffic on which you want to perform actions.

4. policy-map —Identify the actions associated with each class map.

   1. class —Identify the Layer 3/4 class map on which you want to perform actions.

   2. inspect application inspect_policy_map —Enables application inspection, and calls an inspection policy map to perform special actions.

5. service-policy —Assigns the policy map to an interface or globally.

The configuration always includes a class map called class-default that matches all traffic. At the end of every Layer 3/4 policy map, the configuration includes the class-default class map with no actions defined. You can optionally use this class map when you want to match all traffic, and do not want to bother creating another class map. In fact, some features are only configurable for the class-default class map, such as the shape command.

Including the class-default class map, up to 63 class and match commands can be configured in a policy map.

Usage Guidelines

This type of class map is for Layer 3/4 through traffic only. For management traffic destined to the ASA, see the class-map type management command.

A Layer 3/4 class map identifies Layer 3 and 4 traffic to which you want to apply actions. You can create multiple Layer 3/4 class maps for each Layer 3/4 policy map.

Default Class Maps

The configuration includes a default Layer 3/4 class map that the ASA uses in the default global policy. It is called inspection_default and matches the default inspection traffic:

class-map inspection_default
 match default-inspection-traffic

Another class map that exists in the default configuration is called class-default, and it matches all traffic:

class-map class-default
 match any

This class map appears at the end of all Layer 3/4 policy maps and essentially tells the ASA to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own match any class map. In fact, some features are only available for class-default, such as QoS traffic shaping.

Maximum Class Maps

The maximum number of class maps of all types is 255 in single mode or per context in multiple mode. Class maps include the following types:

• class-map

• class-map type management

• class-map type inspection

• class-map type regex

• match commands in policy-map type inspect configuration mode

This limit also includes default class maps of all types.

Configuration Overview

Configuring Modular Policy Framework consists of four tasks:

1. Identify the Layer 3 and 4 traffic to which you want to apply actions using the class-map or class-map type management command.

2. (Application inspection only) Define special actions for application inspection traffic using the policy-map type inspect command.

3. Apply actions to the Layer 3 and 4 traffic using the policy-map command.

4. Activate the actions on an interface using the service-policy command.

Use the class-map command to enter class-map configuration mode. From class-map configuration mode, you can define the traffic to include in the class using the match command. A Layer 3/4 class map contains, at most, one match command (with the exception of the match tunnel-group and match default-inspection-traffic commands) that identifies the traffic included in the class map.