Cisco Adaptive Security Virtual Appliance (ASAv) Quick Start Guide, First Published: 2017-01-18 Last Modified: 2019-03-15 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html.
Deploy the ASAv Using the OVF Tool and Day 0 Configuration Access the ASAv Console Use the VMware vSphere Console Configure a Network Serial Console Port Upgrade the vCPU or Throughput License Performance Tuning for the ASAv on VMware Cisco Adaptive Security Virtual Appliance (ASAv) Quick Start Guide, 9.7...
CHAPTER 5: Deploy the ASAv On the Microsoft Azure Cloud
About ASAv Deployment On the Microsoft Azure Cloud
Prerequisites and System Requirements for the ASAv and Azure
Start ASDM
Perform Initial Configuration Using ASDM
Run the Startup Wizard
(Optional) Allow Access to Public Servers Behind the ASAv
(Optional) Run VPN Wizards
(Optional) Run Other Wizards in ASDM
For hypervisor support, see Cisco ASA Compatibility. Licensing for the ASAv The ASAv uses Cisco Smart Software Licensing. For complete information, see Smart Software Licensing. Note You must install a smart license on the ASAv. Until you install a license, throughput is limited to 100 Kbps so you can perform preliminary connectivity tests.
Introduction to the ASAv: Licensing for the ASAv
Note: The ASAv uses Cisco Smart Software Licensing. A smart license is required for regular operation. Until you install a license, throughput is limited to 100 Kbps so you can perform preliminary connectivity tests.
• 1 vCPU
• 2 GB RAM
• 100,000 concurrent firewall connections
• Supports AWS on c3.large, c4.large, and m4.large instances
• Supports Azure on Standard D3 and Standard D3_v2 instances
ASAv console. Failover functionality may also be affected.
Unsupported ASA Features
The ASAv does not support the following ASA features:
• Clustering (for all entitlements, except KVM and VMware)
• Multiple context mode
• Beginning with 9.5(1.200), the memory requirement for the ASAv5 was reduced to 1 GB. Downgrading the available memory on an ASAv5 from 2 GB to 1 GB is not supported. To run with 1 GB of memory, the ASAv5 VM must be redeployed with version 9.5(1.200) or later. Similarly, if you try to downgrade to a version earlier than 9.5(1.200), you must increase the memory to 2 GB.
However, LRO can lead to TCP performance problems where network packet delivery may not flow consistently and could be "bursty" in congested networks.
7. Click OK to save your changes and exit the Configuration Parameters dialog box.
8. Click Save.
See the following VMware support articles for more information:
• VMware KB 1027511
• VMware KB 2055140
Introduction to the ASAv: Supported vNICs
Make sure to conform to the specifications below to ensure optimal performance. The ASAv has the following requirements:
• The host CPU must be a server class x86-based Intel or AMD CPU with virtualization extension. For example, ASAv performance test labs use as minimum the following: Cisco Unified Computing...
VMware for more information.
5. Enter the property values for UserPrivilege, OvfDeployment, and ControllerType. For example:
- <Property ovf:qualifiers="ValueMap{"ovf", "ignore", "installer"}" ovf:type="string" ovf:key="OvfDeployment">
+ <Property ovf:qualifiers="ValueMap{"ovf", "ignore", "installer"}" ovf:type="string"
In these cases, you can enable the ASAv5 to be deployed in a VM with 1.5 GB of memory. To change from 1 GB to 1.5 GB, power down your VM, modify the memory, and power the VM back on.
Graphs > CPU pane to view the resource allocation and any resources that are over- or under-provisioned. Transparent Mode on UCS B Series Hardware Guidelines MAC flaps have been observed in some ASAv configurations running in transparent mode on Cisco UCS B Series hardware. When MAC addresses appear from different locations you will get dropped packets.
... with VM heartbeats: Used for VM failures. Use ASAv failover for ASAv machine failures.
VMware vSphere Standalone Windows Client: Used to deploy VMs.
VMware vSphere Web Client: Used to deploy VMs.
The day0.iso file (either your custom day0.iso or the default day0.iso) must be available during first boot. Before you begin We are using Linux in this example, but there are similar utilities for Windows.
• To automatically license the ASAv during initial deployment, place the Smart Licensing Identity (ID) Token that you downloaded from the Cisco Smart Software Manager in a text file named ‘idtoken’ in the same directory as the Day 0 configuration file.
2G Step 4 (Optional) Download the Smart License identity token file issued by the Cisco Smart Software Manager to your PC. Step 5 (Optional) Copy the ID token from the download file and put it in a text file named ‘idtoken’ that only contains the ID token.
(OVF). You use the Deploy OVF Template wizard in the vSphere Web Client to deploy the Cisco package for the ASAv. The wizard parses the ASAv OVF file, creates the virtual machine on which you will run the ASAv, and installs the package.
Deploy the ASAv Using VMware Deploy the ASAv Using the VMware vSphere Web Client Step 1 Download the ASAv ZIP file from Cisco.com, and save it to your PC: http://www.cisco.com/go/asa-software Note A Cisco.com login and Cisco service contract are required.
After you complete the wizard, the vSphere Web Client processes the VM; you can see the “Initialize OVF deployment” status in the Global Information area Recent Tasks pane. When it is finished, you see the Deploy OVF Template completion status.
Deploy the ASAv Using VMware: Deploy the ASAv Using the VMware vSphere Web Client
The ASAv machine instance then appears under the specified data center in the Inventory.
• Enter the exact same IP address settings as for the primary unit. The bootstrap configurations on both units are identical except for the parameter identifying a unit as primary or secondary.
(asav-vi.ovf for a vCenter deployment or asav-esxi.ovf for a non-vCenter deployment). You use the Deploy OVF Template wizard in the vSphere Client to deploy the Cisco package for the ASAv. The wizard parses the ASAv OVF file, creates the virtual machine on which you will run the ASAv, and installs the package.
In some cases with ASDM, you may need to use the CLI for troubleshooting. By default, you can access the built-in VMware vSphere console. Alternatively, you can configure a network serial console, which has better capabilities, including copy and paste.
• Use the VMware vSphere Console
All nonconfiguration commands are available in privileged EXEC mode. You can also enter configuration mode from privileged EXEC mode. To exit privileged mode, enter the disable, exit, or quit command.
Step 5 Access global configuration mode:
ciscoasa# configure terminal
If you want to increase (or decrease) the number of vCPUs for your ASAv, you can request a new license, apply the new license, and change the VM properties in VMware to match the new values.
• ASDM: Choose Monitoring > Properties > Failover > Status, and click Make Standby.
• CLI: failover active
c. Repeat Steps 3 through 9 for the active unit.
What to do next
See Licensing for the ASAv, on page 1, for more information.
The following figure shows a server with two CPU sockets with each CPU having 18 cores. The 8-core ASAv requires that each socket on the host CPU have a minimum of 8 cores.
You need ASAv Version 9.13(1) or greater to use multiple RX queues. For an 8-core VM with an inside/outside pair of interfaces, each interface will have 4 RX queues, as shown in Figure 2: 8-Core ASAv RSS RX Queues, on page
SR-IOV
ixgbe (PCI Passthrough): The ixgbe driver (in PCI Passthrough mode) has 6 RX queues. Performance is on par with i40evf (SR-IOV).
vmxnet3 (Para-virtualized, 8 RX queues max): Not recommended for ASAv100.
-n <nic name>
Note General network adapter information can also be viewed from the VMware vSphere Client. The adapter and driver are found under Physical Adapters within the Configure tab.
A separate management network is also configured.
Figure 3: Sample ASAv Deployment Using KVM
Prerequisites for the ASAv and KVM
• Download the ASAv qcow2 file from Cisco.com and put it on your Linux host: http://www.cisco.com/go/asa-software
SSH server for public key authentication, but it can also contain a complete ASA configuration. The day0.iso file (either your custom day0.iso or the default day0.iso) must be available during first boot:
Step 3 (Optional) Download the Smart License identity token file issued by the Cisco Smart Software Manager to your computer, copy the ID token from the download file, and put it in a text file named ‘idtoken’ that only contains the ID token.
Use a virt-install based deployment script to launch the ASAv.
Step 1 Create a virt-install script called “virt_install_asav.sh.” The name of the ASAv machine must be unique across all other VMs on this KVM host.
(CPU) or a range of CPUs, so that the process or thread will execute only on the designated CPU or CPUs rather than any CPU.
I/O is referred to as a NUMA node. To efficiently read packets from memory, guest applications and associated peripherals (such as the NIC) should reside within the same node. For optimum ASAv performance:
For an 8-core VM with an inside/outside pair of interfaces, each interface will have 4 RX queues, as shown in Figure 5: 8-Core ASAv RSS RX Queues, on page
Figure 5: 8-Core ASAv RSS RX Queues
These are some additional considerations for optimizing VPN performance with the ASAv.
• IPSec has higher throughput than DTLS.
• Cipher - GCM has about 2x the throughput of CBC.
• Overhead: 45%
The overhead is used to perform hypervisor functions and to move packets between NICs and vNICs using the vSwitch.
KVM CPU Usage Reporting
virsh cpu-stats domain --total start count
CPU usage is 100%, the virtual machine is using one physical CPU completely. The virtual CPU usage calculation is Usage in MHz / number of virtual CPUs x core frequency
Deploy the ASAv Using KVM: ASA Virtual and KVM Graphs
• ASAv30 on c4.large (3.75) and m4.large: We do not recommend the ASAv30 on large instances due to resource underprovisioning.
• ASAv30 on c3.xlarge, c4.xlarge, and m4.xlarge: Only the ASAv30 is supported on xlarge instances.
• Deployment in the Virtual Private Cloud (VPC)
• Enhanced networking (SR-IOV) where available
• Deployment from Amazon Marketplace
• Maximum of four vCPUs per instance
• User deployment of L3 networks
(if you enabled ASDM access) to fix the configuration. The following is a sample original configuration for a username "admin":
username admin nopassword privilege 15
username admin attributes
ssh authentication publickey 55:06:47:eb:13:75:fc:5c:a8:c1:2c:bb:07:80:3a:fc:d9:08:a9:1f:34:76:31:ed:ab:bd:3a:9e:03:14:1e:1b hashed
The following figure shows the recommended topology for the ASAv in Routed Firewall Mode with four subnets configured in AWS for the ASAv (management, inside, outside, and DMZ).
Figure 6: Sample ASAv on AWS Deployment
The Management0/0 interface will be up and gets its IP address configured through DHCP. See IP Addressing in your for information about Amazon EC2 and Amazon VPC IP addressing.
• Sample Day 0 Configuration -
! ASA Version 9.x.1.200
Click My Account > AWS Management Console > EC2 > Launch an Instance > My AMIs.
Step 7 Make sure that the Source/Destination Check is disabled per interface for the ASAv.
IP address (IPv4). To enable the ASAv to act as a routed hop, you must disable the Source/Destination Check on each of the ASAv's traffic interfaces (inside, outside, and DMZ).
Deploy the ASAv On the AWS Cloud: Deploy the ASAv on AWS
Note The ASAv defaults to the ASAv30 entitlement when deployed on Azure. The use of the ASAv5, ASAv10, ASAv30, ASAv50, and ASAv100 entitlement is allowed. However, the throughput level must be explicitly configured to use the ASAv5, ASAv10, ASAv30, ASAv50, and ASAv100 entitlement.
30 seconds. But the standby ASAv does not receive hello packets with the right timestamp because the clock is synchronized every ~2 minutes. This causes a failover from the primary ASAv to the standby ASAv.
For more information about the Azure DDoS Protection feature, see Azure DDoS Protection Standard overview.
Resources Created During Deployment
When you deploy the ASAv in Azure the following resources are created:
• A Storage account (unless you chose an existing storage account)
Note When you delete a VM, you must delete each of these resources individually, except for any resources you want to keep.
The ASAv cannot use dynamic interior routing protocols like EIGRP and OSPF due to the nature of Azure cloud routing. The Effective Routing Table determines the next hop, regardless of whether a virtual client has any static/dynamic route configured.
IP addresses, and route tables. You can further manage these configurations after deployment. For example, you may want to change the Idle Timeout value from the default, which is a low timeout.
The Azure portal shows virtual elements associated with the current account and subscription regardless of data center location. Step 2 Search Marketplace for Cisco ASAv, and then click on the ASAv you would like to deploy. Step 3 Configure the basic settings.
Deploy the ASAv from Azure Resource Manager
What to do next
• Continue configuration using CLI commands available for input via SSH or use ASDM. See Start ASDM for instructions for accessing the ASDM.
Deploy the ASAv On the Microsoft Azure Cloud: Deploy the ASAv from Azure Resource Manager
SSH. The following figure shows the recommended topology for the ASAv in Routed Firewall Mode. There are three subnets set up in Hyper-V for the ASAv—management, inside, and outside.
The ASAv should run on most modern, 64-bit high-powered platforms used for virtualization today.
• File format: Supports the VHDX format for initial deployment of the ASAv on Hyper-V.
• Day 0 configuration
• Download the ASAv VHDX file from Cisco.com. http://www.cisco.com/go/asa-software
Note A Cisco.com login and Cisco service contract are required.
• Hyper-V switch configured with at least three subnets/VLANs.
• For Hyper-V system requirements, see Cisco ASA Compatibility.
LOCAL
Step 2 (Optional) Download the Smart License identity token file issued by the Cisco Smart Software Manager to your computer.
Step 3 (Optional) Copy the ID token from the download file and put it in a text file that only contains the ID token.
Deploy the ASAv:
Example:
new-vm -name $fullVMName -MemoryStartupBytes $memorysize -Generation 1 -vhdpath C:\Users\jsmith.CISCO\ASAvHyperV\$ImageName.vhdx -Verbose
Step 3 Depending on your ASAv model, change the CPU count from the default of 1.
Install the ASAv on Hyper-V Using the Hyper-V Manager
You can use the Hyper-V Manager to install the ASAv on Hyper-V.
Step 1 Go to Server Manager > Tools > Hyper-V Manager.
The Hyper-V Manager appears.
Figure 10: Hyper-V Manager
Step 3 From the list of hypervisors on the right, right-click the desired hypervisor and choose New > Virtual Machine.
Deploy the ASAv Using Hyper-V: Install the ASAv on Hyper-V Using the Hyper-V Manager
Figure 11: Launch New Virtual Machine
Step 4 The New Virtual Machine Wizard appears.
The only Generation supported for the ASAv is Generation 1.
• Amount of memory for your ASAv (1024 MB for ASAv5, 2048 MB for ASAv10, 8192 MB for ASAv30)
• Network adapter (connect to the virtual switch you have already set up)
•...
Processor pane. Change the Number of virtual processors to 4. The ASAv5 and ASAv10 have one vCPU, and the ASAv30 has four vCPUs. The default is 1. The 100Mbps and 1Gbps entitlements have one vCPU, and the 2Gbps entitlement has four vCPUs. The default is 1.
In the Virtual Machines menu, connect to your ASAv by right-clicking on the name of the ASAv in the list and clicking Connect. The console opens with the stopped ASAv.
Figure 15: Connect to the Virtual Machine
Step 9 In the Virtual Machine Connection console window, click the turquoise Start button to start the ASAv.
Figure 16: Start the Virtual Machine
Click Settings on the right side of the Hyper-V Manager. The Settings dialog box opens. Under the Hardware menu on the left, click Add Hardware, and then click Network Adapter. Note Do NOT use the Legacy Network Adapter.
Figure 18: Add Network Adapter
Step 2 After the network adapter has been added, you can modify the virtual switch and other features. You can also set the VLAN ID here if needed.
You cannot modify the name using the Hyper-V Manager. You must modify it using the Windows PowerShell commands.
Step 1 Open a Windows PowerShell.
Step 2 Modify the network adapters as needed.
Example:
You can use the Windows PowerShell command line to configure MAC spoofing on Hyper-V.
Step 1 Open a Windows PowerShell.
Step 2 Configure MAC address spoofing.
Example:
Set-VMNetworkAdapter -VMName $vm_name `
  -ComputerName $computer_name -MacAddressSpoofing On `
  -VMNetworkAdapterName $network_adapter
• ASA Virtual idle time
• %SYS overhead used for the ASA virtual machine
CPU Usage Example
The show cpu usage command can be used to display CPU utilization statistics.
Example
The following is an example in which the reported vCPU usage is substantially different:
• ASA Virtual reports: 40%
• DP: 35%
• External Processes: 5%
• ASA (as ASA Virtual reports): 40%
• ASA idle polling: 10%
• Overhead: 45%
Deploy the ASAv Using Hyper-V: CPU Usage Example
To use Java Web Start:
a) Click Run ASDM or Run Startup Wizard.
b) Save the shortcut to your computer when prompted. You can optionally open it instead of saving it.
c) Start Java Web Start from the shortcut.
d) Accept any certificates according to the dialog boxes that appear. The Cisco ASDM-IDM Launcher appears.
e) Leave the username and password blank (for a new installation), and then click OK. If you enabled HTTPS authentication, enter your username and associated password.
• Site-to-Site VPN Wizard—Creates an IPsec site-to-site tunnel between the ASAv and another VPN-capable device. • AnyConnect VPN Wizard—Configures SSL VPN remote access for the Cisco AnyConnect VPN client. AnyConnect Client provides secure SSL connections to the ASA for remote users with full VPN tunneling to corporate resources.