Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring the ASA to Integrate with Cisco TrustSec
The password (or encryption key) you enter to encrypt the PAC file is independent of the password that was configured on the ISE as part of the device credentials.

The ISE generates the PAC file. The ASA can import the PAC from flash or from a remote server via TFTP, FTP, HTTP, HTTPS, or SMB. (The PAC does not have to reside on the ASA flash before you can import it.)
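The import step described above, as an added example that is not from the Cisco guide. The hostname, file name, TFTP server address and password are placeholders; the password given on the command line must be the one used when the PAC was encrypted on the ISE, not the device credential configured there.

```cisco
! Added example (not from the Cisco guide). Hostname, file name,
! 192.0.2.10 and the password are placeholders chosen for illustration.
!
! Import directly from a remote server (TFTP shown; FTP, HTTP, HTTPS and
! SMB URLs work the same way). The password is the PAC encryption
! password, independent of the ISE device-credential password.
asa(config)# cts import-pac tftp://192.0.2.10/asa-trustsec.pac password PAC-ENCRYPTION-PASSWORD
!
! Equivalent import from a file already copied to flash.
asa(config)# cts import-pac flash:/asa-trustsec.pac password PAC-ENCRYPTION-PASSWORD
!
! Verify that the PAC was accepted and that environment data (including the
! server list, which the ASA ignores in favor of its configured list) was
! downloaded from the ISE.
asa# show cts pac
asa# show cts environment-data
```

If the import fails with a decryption error, the usual cause is supplying the ISE device-credential password instead of the PAC encryption password; regenerate the PAC on the ISE with a known password rather than retrying with guessed values.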
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.

Context Mode Guidelines
Supported in single and multiple context mode.

Firewall Mode Guidelines
Supported in routed and transparent firewall mode.

IPv6 Guidelines
Supports IPv6.

Clustering Guideline
Supported only on the master device in a clustering setting.

High Availability Guideline
Supports a list of servers via configuration. If the first server is unreachable, the ASA will try to contact the second server in the list, and so on. However, the server list downloaded as part of the Cisco TrustSec environment data is ignored.
Limitations
• The ASA can only be configured to interoperate in a single Cisco TrustSec domain.
• The ASA does not support static configuration of SGT-name mappings on the device.
• NAT is not supported in SXP messages.
• SXP conveys IP-SGT mappings to enforcement points in the network. If an access layer switch belongs to a different NAT domain than the enforcing point, the IP-SGT map it uploads is invalid and an IP-SGT mappings database lookup on the enforcement device will not yield valid results; therefore, the ASA cannot apply security group aware security policy on the enforcement device.
• You can configure a default password for the ASA to use for SXP connections, or you can choose not to use a password; however, connection-specific passwords are not supported for SXP peers. The configured default SXP password should be consistent across the deployment network. If you configure a connection-specific password, connections may fail and a warning message will appear. If you configure the connection with the default password, but the default password is not configured, the result is the same as when you have configured the connection with no password.
• SXP connection loops can form when a device has bidirectional connections to a peer, or is part of a unidirectionally connected chain of devices. (The ASA can learn IP-SGT mappings for resources from the access layer in the data center. The ASA might need to propagate these tags to downstream devices.) SXP connection loops can cause unexpected behavior of SXP message transport. In cases where the ASA is configured to be a Speaker and Listener, an SXP connection loop can occur, causing SXP data to be received by the peer that originally transmitted it.
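An SXP configuration that respects the last two limitations (one deployment-wide default password, and no bidirectional connection to a single peer), as an added example that is not from the Cisco guide. The hostname, addresses and password are placeholders.

```cisco
! Added example (not from the Cisco guide). asa, 192.0.2.x addresses and
! the password are placeholders chosen for illustration.
asa(config)# cts sxp enable
asa(config)# cts sxp default source-ip 192.0.2.1
!
! Set the default password BEFORE defining connections that reference it:
! a connection configured with "password default" while no default password
! exists behaves as if it had no password at all. Use the same value on
! every SXP peer in the deployment; per-connection passwords are not
! supported on the ASA.
asa(config)# cts sxp default password SXP-DEFAULT-PASSWORD
!
! Listener toward the access-layer switch from which the ASA learns
! IP-SGT mappings ("mode local" means the role keyword describes the ASA).
asa(config)# cts sxp connection peer 192.0.2.20 password default mode local listener
!
! Speaker toward a downstream enforcement device. The ASA is listener to
! 192.0.2.20 only and speaker to 192.0.2.30 only; it is never both speaker
! and listener to the same peer, so no bidirectional connection (and no
! SXP loop that would echo mappings back to their source) is created.
asa(config)# cts sxp connection peer 192.0.2.30 password default mode local speaker
!
! Confirm both connections reach the "On" state with the expected roles.
asa# show cts sxp connections
```

When several ASAs and switches form a chain, draw the speaker-to-listener direction of every connection before adding one; a chain that returns to an earlier device, even through a third hop, is the unidirectional loop the guide warns about.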