Cisco ASA Series Configuration Manual page 68

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Guidelines for the Identity Firewall
When a client is determined to be inactive by the active ASA, the information is propagated to the
standby ASA. User statistics are not propagated to the standby ASA.
When you have failover configured, you must configure the AD Agent to communicate with both
the active and standby ASAs. See the Installation and Setup Guide for the Active Directory Agent
for the steps to configure the ASA on the AD Agent server.
IPv6
The AD Agent supports endpoints with IPv6 addresses. It can receive IPv6 addresses in log events,
maintain them in its cache, and send them through RADIUS messages. The AAA server must use
an IPv4 address.
NetBIOS over IPv6 is not supported.
Additional Guidelines
A full URL as a destination address is not supported.
For NetBIOS probing to function, the network between the ASA, AD Agent, and clients must
support UDP-encapsulated NetBIOS traffic.
MAC address checking by the Identity Firewall does not work when intervening routers are present.
Users logged into clients that are behind the same router have the same MAC addresses. With this
implementation, all the packets from the same router are able to pass the check, because the ASA is
unable to ascertain the actual MAC addresses behind the router.
The following ASA features do not support using the identity-based object and FQDN in an
extended ACL:
Route maps
Crypto maps
WCCP
NAT
Group policy (except for VPN filters)
DAP
You can use the user-identity update active-user-database command to actively initiate a user-IP
address download from the AD agent.
By design, if a previous download session has not yet finished, the ASA does not allow you to issue
this command again.
As a result, if the user-IP database is very large, the previous download session is not finished yet,
and you issue another user-identity update active-user-database command, the following error
message appears:
"ERROR: one update active-user-database is already in progress."
You need to wait until the previous session is completely finished before you can issue another
user-identity update active-user-database command.
Another instance of this behavior is caused by packet loss from the AD Agent to the ASA.
When you issue a user-identity update active-user-database command, the ASA requests the total
number of user-IP mapped entries to be downloaded. Then the AD Agent initiates a UDP connection
to the ASA and sends the change of authorization request packet.
Cisco ASA Series Firewall CLI Configuration Guide, Chapter 5: Identity Firewall, page 5-8
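The wait-and-retry handling that the "already in progress" error above calls for, as an added example that is not from the Cisco guide: a Python helper that sends the user-identity update active-user-database command through a caller-supplied CLI callable, treats the documented error as "a download is still running, try again later" rather than as a failure, and gives up after a bounded number of attempts. The run_cli interface, the FakeAsaSession stand-in (in practice this would be an SSH session) and the empty response on acceptance are assumptions.

```python
import re
import time
from typing import Callable

# Command and error text exactly as documented for the Identity Firewall.
UPDATE_CMD = "user-identity update active-user-database"
IN_PROGRESS_RE = re.compile(
    r"ERROR: one update active-user-database is already in progress", re.I)


def request_user_db_download(run_cli: Callable[[str], str],
                             max_attempts: int = 5,
                             wait_seconds: float = 30.0,
                             sleep: Callable[[float], None] = time.sleep) -> int:
    """Issue the download command, retrying while the ASA reports that a
    previous download is still in progress.

    run_cli (assumed interface): sends one CLI line to the ASA, e.g. over
    an SSH session, and returns the device's text response.
    Returns the attempt number on which the ASA accepted the command;
    raises RuntimeError if it is still busy after max_attempts.
    """
    for attempt in range(1, max_attempts + 1):
        output = run_cli(UPDATE_CMD)
        if not IN_PROGRESS_RE.search(output):
            return attempt  # accepted: a fresh download was initiated
        if attempt < max_attempts:
            sleep(wait_seconds)  # the ASA will not queue a second download
    raise RuntimeError(f"ASA still busy after {max_attempts} attempts")


class FakeAsaSession:
    """Constructed stand-in for an ASA CLI session: answers with the
    documented error for the first `busy_for` commands, then accepts."""

    def __init__(self, busy_for: int):
        self.busy_for = busy_for
        self.calls = 0

    def __call__(self, line: str) -> str:
        if line != UPDATE_CMD:
            raise ValueError(f"unexpected command: {line}")
        self.calls += 1
        if self.calls <= self.busy_for:
            return "ERROR: one update active-user-database is already in progress."
        return ""  # assumption: no output when the ASA accepts the command


if __name__ == "__main__":
    session = FakeAsaSession(busy_for=2)
    print(request_user_db_download(session, sleep=lambda _: None))  # 3
```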
