Cisco ASA Series Cli Configuration Manual page 913

Chapter 1 Configuring the ASA to Integrate with Cisco TrustSec
The ISE generates the PAC file. The ASA can import the PAC from flash or from a remote server via
TFTP, FTP, HTTP, HTTPS, or SMB. (The PAC does not have to reside on the ASA flash before you can
import it.)
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
IPv6 Guidelines
Supports IPv6
Clustering Guideline
Supported only on the master device in a clustering setting.
High Availability Guideline
Supports a list of servers via configuration. If the first server is unreachable, the ASA will try to contact
the second server in the list, and so on. However, the server list downloaded as part of the Cisco TrustSec
environment data is ignored.
Limitations
•
•
•
•
•
•
The password (or encryption key) you enter to encrypt the PAC file is independent of the password
that was configured on the ISE as part of the device credentials.
The ASA can only be configured to interoperate in a single Cisco TrustSec domain.
The ASA does not support static configuration of SGT-name mappings on the device.
NAT is not supported in SXP messages.
SXP conveys IP-SGT mappings to enforcement points in the network. If an access layer switch
belongs to a different NAT domain than the enforcing point, the IP-SGT map it uploads is invalid
and an IP-SGT mappings database lookup on the enforcement device will not yield valid results;
therefore, the ASA cannot apply security group aware security policy on the enforcement device.
You can configure a default password for the ASA to use for SXP connections, or you can choose
not to use a password; however, connection-specific passwords are not supported for SXP peers. The
configured default SXP password should be consistent across the deployment network. If you
configure a connection-specific password, connections may fail and a warning message will appear.
If you configure the connection with the default password, but the default password is not
configured, the result is the same as when you have configured the connection with no password.
SXP connection loops can form when a device has bidirectional connections to a peer, or is part of
a unidirectionally connected chain of devices. (The ASA can learn IP-DGT mappings for resources
from the access layer in the data center. The ASA might need to propagate these tags to downstream
devices.) SXP connection loops can cause unexpected behavior of SXP message transport. In cases
where the ASA is configured to be a Speaker and Listener, an SXP connection loop can occur
causing SXP data to be received by the peer that originally transmitted it.
Guidelines and Limitations
Cisco ASA Series CLI Configuration Guide
1-9