Usage Guidelines

For the ASA virtual, when you request the feature tier for the first time, you must exit license smart configuration mode for your changes to take effect. If you change the feature tier after you are authorized with the Cisco License Authority, you must reload the ASA virtual for your changes to take effect.

Usage Guidelines

Set the FEC on the physical interface only. You need to set the FEC to EtherChannel member interfaces before you add them to the EtherChannel.

The setting chosen when you use auto depends on the transceiver type and whether the interface is fixed (built-in) or on a network module.

Usage Guidelines

The style option is expressed as any valid CSS parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the W3C website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

• You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

• RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma-separated entry indicates the level of intensity of each color to combine with the others.

• HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.

Note	To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.

Usage Guidelines

The following usage notes apply to file browsing:

• File browsing does not support internationalization.

• Browsing requires NBNS (Master Browser or WINS). If that fails or is not configured, use DNS.

The ASA can apply attribute values from a variety of sources. It applies them according to the following hierarchy:

1. DAP record

2. Username

3. Group policy

4. Group policy for the tunnel group

5. Default group policy

It follows that DAP values for an attribute have a higher priority than those configured for a user, group policy, or tunnel group.

When you enable or disable an attribute for a DAP record, the ASA applies that value and enforces it. For example, when you disable file browsing in dap webvpn configuration mode, the ASA looks no further for a value. When you instead set no value for the file-browsing command, the attribute is not present in the DAP record, so the ASA moves down to the AAA attribute in the username, and if necessary, the group policy to find a value to apply.

Usage Guidelines

Enter file encoding entries for all CIFS servers that require character encoding entries that differ from the value of the webvpn character encoding attribute.

The WebVPN portal pages downloaded from the CIFS server to the WebVPN user encode the value of the WebVPN file encoding attribute identifying the server, or if one does not, they inherit the value of the character encoding attribute. The remote user’s browser maps this value to an entry in its character encoding set to determine the correct character set to use. The WebVPN portal pages do not specify a value if WebVPN configuration does not specify a file encoding entry for the CIFS server and the character encoding attribute is not set. The remote browser uses its own default encoding if the WebVPN portal page does not specify the character encoding, or if it specifies a character encoding value that the browser does not support.

The mapping of CIFS servers to their appropriate character encoding, globally with the WebVPN character encoding attribute, and individually with file encoding overrides, provides for the accurate handling and display of CIFS pages when the correct rendering of file names or directory paths, as well as pages, are an issue.

Note

The character encoding and file encoding values do not exclude the font family to be used by the browser. You need to complement the setting of one of these values with the page style command in webvpn customization command mode to replace the font family if you are using Japanese Shift_JIS character encoding, as shown in the following example, or enter the no page style command in webvpn customization command mode to remove the font family.

Usage Guidelines

The ASA can apply attribute values from a variety of sources according to the following hierarchy:

1. DAP record

2. Username

3. Group policy

4. Group policy for the Connection Profile (tunnel group)

5. Default group policy

It follows that DAP values for an attribute have a higher priority than those configured for a user, group policy, or Connection Profile.

When you enable or disable an attribute for a DAP record, the ASA applies that value and enforces it. For example, when you disable file entry in dap webvpn configuration mode, the ASA looks no further for a value. When you instead set no value for the file-entry command, the attribute is not present in the DAP record, so the ASA moves down to the AAA attribute in the username, and if necessary, the group policy to find a value to apply.

Usage Guidelines

The no option allows inheritance of a value from another group policy. To prevent inheriting filter values, use the filter value none command.

You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the filter command to apply those ACLs for WebVPN traffic.

WebVPN does not use ACLs defined in the vpn-filter command.

Usage Guidelines

ActiveX objects may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can disable ActiveX objects with the filter activex command.

ActiveX controls, formerly known as OLE or OCX controls, are components that you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. As a technology, ActiveX creates many potential problems for network clients including causing workstations to fail, introducing network security problems, or being used to attack servers.

The filter activex command blocks the HTML object commands by commenting them out within the HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the <applet> and </applet> and <object classid> and </object> tags with comments. Filtering of nested tags is supported by converting top-level tags to comments.

Caution

The <object> tag is also used for Java applets, image files, and multimedia objects, which will also be blocked by this command.

If the <object> or </object> HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU, the ASA cannot block the tag.

ActiveX blocking does not occur when users access an IP address referenced by the alias command or for WebVPN traffic.

Usage Guidelines

The filter ftp command lets you identify the FTP traffic to be filtered by a Websense or N2H2 server.

After enabling this feature, when a user issues an FTP GET request to a server, the ASA sends the request to the FTP server and to the Websense or N2H2 server at the same time. If the Websense or N2H2 server permits the connection, the ASA allows the successful FTP return code to reach the user unchanged. For example, a successful return code is “250: CWD command successful.”

If the Websense or N2H2 server denies the connection, the ASA alters the FTP return code to show that the connection was denied. For example, the ASA would change code 250 to “550 Requested file is prohibited by URL filtering policy.” Websense only filters FTP GET commands and not PUT commands.

Use the interactive-block option to prevent interactive FTP sessions that do not provide the entire directory path. An interactive FTP client allows the user to change directories without typing the entire path. For example, the user might enter cd ./files instead of cd /public/files. You must identify and enable the URL filtering server before using these commands.

Usage Guidelines

The ASA supports filtering of HTTPS and FTP sites using an external Websense or N2H2 filtering server.

HTTPS filtering works by preventing the completion of SSL connection negotiation if the site is not allowed. The browser displays an error message such as “The Page or the content cannot be displayed.”

Because HTTPS content is encrypted, the ASA sends the URL lookup without directory and filename information.

Usage Guidelines

Java applets may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can remove Java applets with the filter java command.

The filter java command filters out Java applets that return to the ASA from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute. The filter java command does not filter WebVPN traffic.

If the <applet> or </applet> HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU, the ASA cannot block the tag. If Java applets are known to be in <object> tags, use the filter activex command to remove them.

Usage Guidelines

The filter url command lets you prevent outbound users from accessing World Wide Web URLs that you designate using the N2H2 or Websense filtering application.

Note	The url-server command must be configured before issuing the filter url command.

The allow option of the filter url command determines how the ASA behaves if the N2H2 or Websense server goes off line. If you use the allow option with the filter url command and the N2H2 or Websense server goes offline, port 80 traffic passes through the ASA without filtering. If used without the allow option and with the server offline, the ASA stops outbound port 80 (Web) traffic until the server is back online, or if another URL server is available, passes control to the next URL server.

Note	With the allow option set, the ASA passes control to an alternate server if the N2H2 or Websense server goes offline.

The N2H2 or Websense server works with the ASA to deny users from access to websites based on the company security policy.

Using the Filtering Server

Websense protocol Version 4 enables group and username authentication between a host and an ASA. The ASA performs a username lookup, and then Websense server handles URL filtering and username logging.

The N2H2 server must be a Windows workstation (2000, NT, or XP), running an IFP Server, with a recommended minimum of 512 MB of RAM. Also, the long URL support for the N2H2 service is capped at 3 KB, less than the cap for Websense.

Websense protocol Version 4 contains the following enhancements:

• URL filtering allows the ASA to check outgoing URL requests with the policy defined on the Websense server.

• Username logging tracks username, group, and domain name on the Websense server.

• Username lookup enables the ASA to use the user authentication table to map the host's IP address to the username.

Information on Websense is available at the following website:

http://www.websense.com/

Configuration Procedure

Follow these steps to filter URLs:

1. Designate an N2H2 or Websense server with the appropriate vendor-specific form of the url-server command.

2. Enable filtering with the filter command.

3. If needed, improve throughput with the url-cache command. However, this command does not update Websense logs, which may affect Websense accounting reports. Accumulate Websense run logs before using the url-cache command.

4. Use the show url-cache statistics and the show perfmon commands to view run information.

Working with Long URLs

Filtering URLs up to 4 KB is supported for the Websense filtering server, and up to 3 KB for the N2H2 filtering server.

Use the longurl-truncate and cgi-truncate options to allow handling of URL requests longer than the maximum permitted size.

If a URL is longer than the maximum, and you do not enable the longurl-truncate or longurl-deny options, the ASA drops the packet.

The longurl-truncate option causes the ASA to send only the hostname or IP address portion of the URL for evaluation to the filtering server when the URL is longer than the maximum length permitted. Use the longurl-deny option to deny outbound URL traffic if the URL is longer than the maximum permitted.

Use the cgi-truncate option to truncate CGI URLs to include only the CGI script location and the script name without any parameters. Many long HTTP requests are CGI requests. If the parameters list is very long, waiting and sending the complete CGI request including the parameter list can use up memory resources and affect ASA performance.

Buffering HTTP Responses

By default, when a user issues a request to connect to a specific website, the ASA sends the request to the web server and to the filtering server at the same time. If the filtering server does not respond before the web content server, the response from the web server is dropped. This delays the web server response from the point of view of the web client.

By enabling the HTTP response buffer, replies from web content servers are buffered and the responses will be forwarded to the requesting user if the filtering server allows the connection. This prevents the delay that may otherwise occur.

To enable the HTTP response buffer, enter the following command:

ciscoasa(config)# url-block block
 block-buffer-limit

Replace the block-buffer-limit argument with the maximum number of blocks that will be buffered. The permitted values are from 1 to 128, which specifies the number of 1550-byte blocks that can be buffered at one time.

Usage Guidelines

To run in a FIPS-compliant mode of operation, you must apply both the fips enable command and the correct configuration specified in the security policy. The internal API allows the device to migrate toward enforcing correct configuration at run time.

When the FIPS-compliant mode is present in the startup configuration, FIPS POST will run and print the following console message:

Copyright (c) 1996-2005 by Cisco Systems, Inc.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.
 
                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706
 
....
Cryptochecksum (unchanged): 6c6d2f77 ef13898e 682c9f94 9c2d5ba9
 
INFO: FIPS Power-On Self-Test in process.  Estimated completion in 90 seconds.
......................................................
INFO: FIPS Power-On Self-Test complete.
Type help or '?' for a list of available commands.
sw8-5520>

Note	FIPS mode is not supported in clustering mode.

Note	If all interfaces are configured as members of port-channels, then the FIPS self-test will fail during boot. At least one interface must be enabled and not be configured as a member of a port-channel for the FIPS self-test to succeed during boot.

Usage Guidelines

Entering this command causes the device to run all self-tests required for FIPS 140-2 compliance. Tests include the cryptographic algorithm test, software integrity test, and critical functions test.

Usage Guidelines

A transparent firewall is a Layer 2 firewall that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.

You can set this command per context in multiple context mode.

When you change modes, the ASA clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration.

If you download a text configuration to the ASA that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the ASA changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the ASA clears all the preceding lines in the configuration.

Usage Guidelines

If you have already configured the flow-export delay flow-create command, and you then configure the flow-export active refresh-interval command with an interval value that is not at least 5 seconds more than the delay value, the following warning message appears at the console:

WARNING: The current delay flow-create value configuration may cause flow-update events to appear before flow-creation events.

If you have already configured the flow-export active refresh-interval command, and you then configure the flow-export delay flow-create command with a delay value that is not at least 5 seconds less than the interval value, the following warning message appears at the console:

WARNING: The current delay flow-create value configuration may cause flow-update events to appear before flow-creation events.

Usage Guidelines

If the flow-export delay flow-create command is not configured, the flow-create event is exported without a delay.

If the flow is torn down before the configured delay, the flow-create event is not sent; an extended flow teardown event is sent instead.

Usage Guidelines

You can use the flow-export destination command to configure the ASA to export NetFlow data to a NetFlow collector.

Note

You can enter a maximum of five export destinations (collectors) per security context. When you enter a new destination, the template records are sent to the newly added collector. If you try to add more than five destinations, the following error message appears:“ERROR: A maximum of 5 flow-export destinations can be configured.”

If the ASA is configured to export NetFlow data, to improve performance, we recommend that you disable redundant syslog messages (those also captured by NetFlow) by entering the logging flow-export-syslogs disable command.

Usage Guidelines

NetFlow events are configured through Modular Policy Framework. If Modular Policy Framework is not configured for NetFlow, no events are logged. Traffic is matched based on the order in which classes are configured. After a match is detected, no other classes are checked. For NetFlow events, the configuration requirements are as follows:

• A flow-export destination (that is, a NetFlow collector) is uniquely identified by its IP address.

• Supported event types are flow-create, flow-teardown, flow-denied, flow-update, and all, which include the four previously listed event types.

• Flow-export actions are not supported in interface policies.

• Flow-export actions are only supported in the class-default command and in classes with the match any or match access-list command.

• If no NetFlow collector has been defined, no configuration actions occur.

• NetFlow Secure Event Logging filtering is order-independent.

Note

To create a valid NetFlow configuration, you must have both the flow-export destination configuration and the flow-export event-type configuration. The flow-export destination configuration alone does nothing. You must also configure a class map for the flow-export event-type configuration. This can either be the default class map or one that you create.

Usage Guidelines

You should configure the timeout rate based on the collector being used and at what rate the collectors expect the templates to be refreshed.

If the security appliance is configured to export NetFlow data, to improve performance, we recommend that you disable redundant syslog messages (those also captured by NetFlow) by entering the logging flow-export-syslogs disable command.

Usage Guidelines

If you deploy a appliance with an ASA security module in a data center, you can identify select traffic to be off-loaded to a super fast path, where the flows are switched in the NIC itself. Off-loading can help you improve performance for data-intensive applications such as large file transfers.

Before being off-loaded, the ASA first applies normal security processing, such as access rules and inspection, during connection establishment. The ASA also does session tear-down. But once a connection is established, if it is eligible to be off-loaded, further processing happens in the NIC rather than the ASA.

While offloaded, the flow does not receive security policy checking or other services, so that it can move through the system as fast as possible. For off-loaded flows, there is no inspection, TCP normalization (except for checksum verification, if you configure it), QoS, or sequence number checking.

To identify flows that can be off-loaded, you create a service policy rule that applies the flow off-loading service. A matching flow is then off-loaded if it meets the following conditions:

• IPv4 addresses only.

• TCP, UDP, GRE only.

• Standard or 802.1q tagged Ethernet frames only.

• (Transparent mode only.) Multicast flows for bridge groups that contain two and only two interfaces.

• It is not receiving services that cannot be applied to off-loaded flows, such as inspection, decryption, IPSec and VPN flows, or flows directed to a service module.

Reverse flows for off-loaded flows are also off-loaded.

In multiple-context mode, enabling or disabling flow offload enables or disables it for all contexts. You cannot have different settings per context.

Prior to 9.15(1), you must reload the system whenever you enable or disable flow off-load. Starting with version 9.15(1), reload is no longer required, and the following special considerations do not apply.

For versions previous to 9.15(1), there are special considerations for changing the mode for clusters or failover pairs if you want a hitless change:

• Clustering—First enter the command on the master unit, but do not reboot the master unit immediately. Instead, reboot each member of the cluster first, then return to the master and reboot it. You can then configure the offloading service policy on the master unit.

• Failover—First enter the command on the active unit, but do not reboot it immediately. Instead, reboot the standby unit, then reboot the active unit. You can then configure the offloading service policy on the active unit.

Note	For more specific information on device support, see http://www.cisco.com/c/en/us/td/docs/security/firepower/9300/compatibility/fxos-compatibility.html .

Usage Guidelines

The Cisco Secure Firewall 4200 and 3100 series devices, with the help of the FPGA and the Nitrox V crypto accelerator, support DTLS cryptographic acceleration. This feature improves the throughput of the DTLS encrypted and decrypted traffic. Both IPv4 and IPv6 traffic is supported. This feature works only for DTLS 1.2.

Supported Devices

• Cisco Secure Firewall 4200 Series: 4215, 4225, 4245

• Cisco Secure Firewall 3100 Series: 3105, 3110, 3120, 3130, 3140

Supported Network Processing Unit FPGA Firmware Versions

• Cisco Secure Firewall 4200 Series: 1024.11.00

• Cisco Secure Firewall 3100 Series:

  • 3100 Low SKU: 1792.4.00

  • 3100 High SKU: 1792.3.00

If you upgrade your devices to Version 9.22(1) and later, the firmware is automatically upgraded.

To view the Network Processing Unit (NPU) FPGA firmware of the device, use the show version detail | inc Fpga command:

device# show version detail | inc Fpga
Fpga-Vers: 0.21.00
Fpga-Golden-Vers: 0.21.00
NpuFpga-Vers: 1792.4.00
TamFpga-Vers: 2.6.d
Epm-Fpga-Version: UNKNOWN

Usage Guidelines

The Cisco Secure Firewall 4200 and 3100 series devices, with the help of the FPGA and the Nitrox V crypto accelerator, support DTLS cryptographic acceleration. This feature improves the throughput of the DTLS encrypted and decrypted traffic. Both IPv4 and IPv6 traffic is supported. This feature works only for DTLS 1.2.

Supported Devices

• Cisco Secure Firewall 4200 Series: 4215, 4225, 4245

• Cisco Secure Firewall 3100 Series: 3105, 3110, 3120, 3130, 3140

Supported Network Processing Unit FPGA Firmware Versions

• Cisco Secure Firewall 4200 Series: 1024.11.00

• Cisco Secure Firewall 3100 Series:

  • 3100 Low SKU: 1792.4.00

  • 3100 High SKU: 1792.3.00

If you upgrade your devices to Version 9.22(1) and later, the firmware is automatically upgraded.

To view the Network Processing Unit (NPU) FPGA firmware of the device, use the show version detail | inc Fpga command:

device# show version detail | inc Fpga
Fpga-Vers: 0.21.00
Fpga-Golden-Vers: 0.21.00
NpuFpga-Vers: 1792.4.00
TamFpga-Vers: 2.6.d
Epm-Fpga-Version: UNKNOWN

Usage Guidelines

This feature works only for DTLS 1.2. The hardware performs optimization of the egress encrypted packets to improve latency. The data path is optimized to enhance performance for single tunnel flows. Both IPv4 and IPv6 traffic is supported.

Supported Devices

• Cisco Secure Firewall 4200 Series: 4215, 4225, 4245

• Cisco Secure Firewall 3100 Series: 3105, 3110, 3120, 3130, 3140

Supported Network Processing Unit FPGA Firmware Versions

• Cisco Secure Firewall 4200 Series: 1024.11.00

• Cisco Secure Firewall 3100 Series:

  • 3100 Low SKU: 1792.4.00

  • 3100 High SKU: 1792.3.00

If you upgrade your devices to Version 9.22(1) and later, the firmware is automatically upgraded.

To view the Network Processing Unit (NPU) FPGA firmware of the device, use the show version detail | inc Fpga command:

device# show version detail | inc Fpga
Fpga-Vers: 0.21.00
Fpga-Golden-Vers: 0.21.00
NpuFpga-Vers: 1792.4.00
TamFpga-Vers: 2.6.d
Epm-Fpga-Version: UNKNOWN

Usage Guidelines

You can configure supporting device models to use IPsec flow offload. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance.

Offloaded operations specifically relate to the pre-decryption and decryption processing on ingress, and the pre-encryption and encryption processing on egress. The system software handles the inner flow to apply your security policies.

IPsec flow offload is enabled by default, and applies to the following device types:

• Secure Firewall 3100

The following IPsec flows are not offloaded:

• IKEv1 tunnels. Only IKEv2 tunnels will be offloaded. IKEv2 supports stronger ciphers.

• Flows that have volume-based rekeying configured.

• Flows that have compression configured.

• Transport mode flows. Only tunnel mode flows will be offloaded.

• AH format. Only ESP/NAT-T format will be supported.

• Flows that have post-fragmentation configured.

• Flows that have anti-replay window size other than 64bit and anti-replay is not disabled.

• Flows that have firewall filter enabled.

Usage Guidelines

This command is supported on 1-GigabitEthernet and higher interfaces. This command does not support management interfaces.

Enter this command for a physical interface.

Note	Only flow control frames defined in 802.3x are supported. Priority-based flow control is not supported.

Secure Firewall 3100

Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. If the ASA port experiences congestion (exhaustion of queuing resources on the internal switch) and cannot receive any more traffic, it notifies the other port by sending a pause frame to stop sending until the condition clears. Upon receipt of a pause frame, the sending device stops sending any data packets, which prevents any loss of data packets during the congestion period.

Note	The ASA supports transmitting pause frames so that the remote peer can rate-control the traffic. However, receiving of pause frames is not supported.

The internal switch has a global pool of 8000 buffers of 250 bytes each, and the switch allocates buffers dynamically to each port. A pause frame is sent out every interface with flowcontrol enabled when the buffer usage exceeds the global high-water mark (2 MB (8000 buffers)); and a pause frame is sent out of a particular interface when its buffer exceeds the port high-water mark (.3125 MB (1250 buffers)). After a pause is sent, an XON frame can be sent when the buffer usage is reduced below the low-water mark (1.25 MB globally (5000 buffers); .25 MB per port (1000 buffers)). The link partner can resume traffic after receiving an XON frame.

ASA Hardware

If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue.

When you enable this command, pause (XOFF) and XON frames are generated automatically by the NIC hardware based on the FIFO buffer usage:

1. The NIC sends a pause frame when the buffer usage exceeds the high watermark.

2. After a pause is sent, the NIC sends an XON frame when the buffer usage is reduced below the low watermark.

3. The link partner can resume traffic after receiving an XON, or after the XOFF expires, as controlled by the timer value in the pause frame.

4. If the buffer usage is consistently above the high watermark, the NIC sends pause frames repeatedly, controlled by the pause refresh threshold value.

When you use this command on ASA models, the following warning message appears:

Changing flow-control parameters will reset the interface. Packets may be lost during the reset.
Proceed with flow-control changes?

To change the parameters without being prompted, use the noconfirm keyword.

Usage Guidelines

This on/off toggle lets you easily enable or disable flow mobility for a particular class of traffic or applications.

About LISP Inspection for Cluster Flow Mobility

The ASA inspects LISP traffic for location changes and then uses this information for seamless clustering operation. With LISP integration, the ASA cluster members can inspect LISP traffic passing between the first hop router and the ETR or ITR, and can then change the flow owner to be at the new site.

Cluster flow mobility includes several inter-related configurations:

1. (Optional) Limit inspected EIDs based on the host or server IP address—The first hop router might send EID-notify messages for hosts or networks the ASA cluster is not involved with, so you can limit the EIDs to only those servers or networks relevant to your cluster. For example, if the cluster is only involved with 2 sites, but LISP is running on 3 sites, you should only include EIDs for the 2 sites involved with the cluster. See the policy-map type inspect lisp , allowed-eid, and validate-key commands.

2. LISP traffic inspection—The ASA inspects LISP traffic for the EID-notify message sent between the first hop router and the ITR or ETR. The ASA maintains an EID table that correlates the EID and the site ID. For example, you should inspect LISP traffic with a source IP address of the first hop router and a destination address of the ITR or ETR. See the inspect lisp command.

3. Service Policy to enable flow mobility on specified traffic—You should enable flow mobility on business-critical traffic. For example, you can limit flow mobility to only HTTPS traffic, and/or to traffic to specific servers. See the cluster flow-mobility lisp command.

4. Site IDs—The ASA uses the site ID for each cluster unit to determine the new owner. See the site-id command.

5. Cluster-level configuration to enable flow mobility—You must also enable flow mobility at the cluster level. This on/off toggle lets you easily enable or disable flow mobility for a particular class of traffic or applications. See the flow-mobility lisp command.

Usage Guidelines

ASA must have the SAML configuration. This command is necessary when you require direct re-authentication with the IdP.

Usage Guidelines

The format command erases all data on the specified file system and then rewrites the FAT information to the device.

Caution

Use the format command with extreme caution, only when necessary, to clean up corrupted flash memory.

To delete all visible files (excluding hidden system files), enter the delete /recursive command, instead of the format command.

Note

On the ASA 5500 series, the erase command destroys all user data on the disk with the 0xFF pattern. In contrast, the format command only resets the file system control structures. If you used a raw disk read tool, you could still see the information. To repair a corrupt file system, try entering the fsck command before entering the format command.

Usage Guidelines

You might need to restrict one VLAN depending on how many VLANs your license supports.

In routed mode, you can configure up to three active VLANs with the ASA 5505 Base license, and up to five active VLANs with the Security Plus license. An active VLAN is a VLAN with a nameif command configured. You can configure up to five inactive VLANs on the ASA 5505 for either license, but if you make them active, be sure to follow the guidelines for your license.

With the Base license, the third VLAN must be configured with the no forward interface command to restrict this VLAN from initiating contact to one other VLAN.

For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside work network, and a third VLAN assigned to your home network. The home network does not need to access the work network, so you can use the no forward interface command on the home VLAN; the work network can access the home network, but the home network cannot access the work network.

If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameif command on the third interface; the ASA does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505.

Usage Guidelines

This command is most useful when used in conjunction with the configure session command, which creates isolated sessions for editing ACLs and their objects. For example, within a session, you could delete an ACL that is currently referenced by an access-group command, and create a new ACL with the same name. After committing the session, the new version of the ACL is compiled, and after compilation, becomes the active version of the access group.

Similarly, you can delete and recreate objects that are used by active access rules.

Forward referencing is designed for access rule ACL usage. You cannot delete an object currently used by other features, such as NAT or VPN.

Enable forward referencing with caution. The default behavior ensures that you do not make simple typos when configuring objects, access lists, and access groups. With forward referencing, the ASA cannot tell the difference between a typo and an intentional reference to something you intend to create in the future.

Any rule, access group, or object that points to a non-existent object or ACL is ignored during operation. It does not become operational until you create the missing item.

Usage Guidelines

If you are configuring the ASA to support authentication of a Nokia VPN Client using certificates, use the none keyword. See the crypto isakmp identity or isakmp identity command for more information about supporting certificate authentication of the Nokia VPN Client.

Usage Guidelines

If you configure an existing network object with a different value, the new configuration will replace the existing configuration.

Usage Guidelines

By default, the ASA accepts up to 24 fragments to reconstruct a full IP packet. Based on your network security policy, you should consider configuring the ASA to prevent fragmented packets from traversing the ASA by entering the fragment chain 1 interface command on each interface. Setting the limit to 1 means that all packets must be whole; that is, unfragmented.

If a large percentage of the network traffic through the ASA is NFS, additional tuning might be necessary to avoid database overflow.

In an environment where the MTU size is small between the NFS server and client, such as a WAN interface, the chain keyword might require additional tuning. In this case, we recommend using NFS over TCP to improve efficiency.

Setting the size limit to a large value can make the ASA more vulnerable to a DoS attack by fragment flooding. Do not set the size limit equal to or greater than the total number of blocks in the 1550 or 16384 pool.

The default values will limit DoS attacks caused by fragment flooding.

The following processes are performed regardless of the reassembly option setting:

• IP fragments are collected until a fragment set is formed or until a timeout interval has elapsed (see the timeout option).

• If a fragment set is formed, integrity checks are performed on the set. These checks include no overlapping, no tail overflow, and no chain overflow (see the chain option).

If the fragment reassembly virtual command is configured, the fragment set is forwarded to the transport layer for further processing.

If the fragment reassembly full command is configured, the fragment set is first coalesced into a single IP packet. The single IP packet is then forwarded to the transport layer for further processing.

Usage Guidelines

An SLA operation repeats at a given frequency for the lifetime of the operation. For example:

• An ipIcmpEcho operation with a frequency of 60 seconds repeats by sending the echo request packets once every 60 seconds for the lifetime of the operation.

• The default number of packets in an echo operation is 1. This packet is sent when the operation is started and is then sent again 60 seconds later.

If an individual SLA operation takes longer to execute than the specified frequency value, a statistics counter called “busy” is increased rather than immediately repeating the operation.

The value specified for the frequency command cannot be less than the value specified for the timeout command.

Usage Guidelines

The fsck command checks and tries to repair corrupt file systems. Use this command before trying more permanent procedures.

If the FSCK utility fixes an instance of disk corruption (due to a power failure or abnormal shutdown, for example), it creates recovery files named FSCKxxx .REC. These files can contain a fraction of a file or a whole file that was recovered while FSCK was running. In rare circumstances, you might need to inspect these files to recover data; generally, these files are not needed, and can be safely deleted.

Note	The FSCK utility runs automatically at startup, so you may see these recovery files even if you did not manually enter the fsck command.