Released: January 31, 2011
Updated: March 24, 2011
This document contains release information for Cisco ASA 5500 software Version 8.4(1).
This document includes the following sections:
Important Notes
Limitations and Restrictions
System Requirements
New Features in Version 8.4(1)
Upgrading the Software
Open Caveats
Resolved Caveats
End-User License Agreement
Related Documentation
Obtaining Documentation and Submitting a Service Request
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2011 Cisco Systems, Inc. All rights reserved.
Configuration Migration for Transparent Mode—In 8.4, all transparent mode interfaces now belong
to a bridge group. When you upgrade to 8.4, the existing two interfaces are placed in bridge group 1,
and the management IP address is assigned to the Bridge Group Virtual Interface (BVI). The
functionality remains the same when using one bridge group. You can now take advantage of the
bridge group feature to configure up to four interfaces per bridge group and to create up to eight
bridge groups in single mode or per context.
In 8.3 and earlier, as an unsupported configuration, you could configure a management interface
without an IP address, and you could access the interface using the device management address.
In 8.4, the device management address is assigned to the BVI, and the management interface is
no longer accessible using that IP address; the management interface requires its own IP address.
You can upgrade from any previous release directly to 8.4. If you are upgrading from a pre-8.3
release, see the Cisco ASA 5500 Migration Guide for Version 8.3 for important information about migrating your configuration to release 8.3 and later.
Upgrading from some releases may have consequences for downgrading; be sure to back up your
configuration file in case you want to downgrade. For example, if you are upgrading from a pre-8.2
release, see the 8.2 release notes for downgrade issues after you upgrade the Phone Proxy and MTA
instance, or for downgrade issues if you upgrade the activation key with new 8.2 features.
(For upgrading from Version 8.2 and earlier to Version 8.3(2) and later) NAT exemption (the nat 0
access-list command) is migrated to a twice NAT rule with the unidirectional keyword. The
unidirectional keyword only allows traffic on the source network to initiate connections. This
migration change was made to fix CSCtf89372. Upgrading to Version 8.3(1) does not add the
Because NAT exemption is normally bidirectional, you might need to remove the
unidirectional keyword to restore the original function. Specifically, this change adversely
affects many VPN configurations that include NAT exemption rules (see CSCti36048 for
this new issue). To avoid manual intervention, we recommend upgrading to 8.3(1) first, and
then upgrading to a later release.
If you are impacted by this issue, you will see a syslog message like the following:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows;
Connection for icmp src Outside:192.168.1.5 dst inside:10.10.5.20 (type 8, code
0) denied due to NAT reverse path failure
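A post-upgrade check for the issue described above, added here as an example (not Cisco's code): it counts the denied flows reported by syslog message 305013 and lists the twice NAT rules in a saved configuration that carry the unidirectional keyword. The sample log and configuration are constructed, the object names are hypothetical, and the "/port" suffix for TCP/UDP flows is an assumption because the page shows only an ICMP message.

```python
import re
from collections import Counter

# Message text as shown above; the optional "/port" suffix for TCP/UDP flows
# is an assumption (the page shows only an ICMP example).
MSG_305013 = re.compile(
    r"%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)(?:/\d+)?"
    r"(?: \(type \d+, code \d+\))? denied due to NAT reverse path failure"
)

def denied_flows(log_text):
    """Count reverse-path denials per (proto, src_if, src, dst_if, dst)."""
    flat = " ".join(log_text.split())  # undo hard line wrapping in the export
    return Counter(m.group("proto", "src_if", "src", "dst_if", "dst")
                   for m in MSG_305013.finditer(flat))

def unidirectional_rules(config_text):
    """Return the nat lines that carry the unidirectional keyword."""
    return [line.strip() for line in config_text.splitlines()
            if line.lstrip().startswith("nat (") and "unidirectional" in line.split()]

# Constructed sample log: the page's ICMP message (wrapped as printed), a
# constructed TCP denial, and an unrelated message that must be ignored.
SAMPLE_LOG = """\
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows;
Connection for icmp src Outside:192.168.1.5 dst inside:10.10.5.20 (type 8, code
0) denied due to NAT reverse path failure
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src Outside:192.168.1.7/51515 dst inside:10.10.5.20/443 denied due to NAT reverse path failure
%ASA-6-302013: Built outbound TCP connection 101 for Outside:192.168.1.9/443 (192.168.1.9/443) to inside:10.10.5.20/51000 (10.10.5.20/51000)
"""

# Constructed sample config; object names are hypothetical.
SAMPLE_CONFIG = """\
nat (inside,any) source static obj-10.10.5.0 obj-10.10.5.0 destination static obj-192.168.1.0 obj-192.168.1.0 unidirectional
nat (inside,Outside) source dynamic any interface
"""

if __name__ == "__main__":
    for flow, count in denied_flows(SAMPLE_LOG).items():
        print(count, *flow)
    for rule in unidirectional_rules(SAMPLE_CONFIG):
        print("review:", rule)
```

Each flow it reports points at traffic that a migrated NAT exemption rule no longer allows to be initiated from the far side; the listed rules are the candidates for removing the unidirectional keyword.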
To run Version 8.3 and later in a production environment, you might need to upgrade the memory
on the Cisco ASA 5505, 5510, 5520, or 5540. (For more information about upgrading, see the
“Memory Information” section on page 4.) If you do not have enough memory, you receive the
following message upon logging in:
*** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***