Cisco
ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 8.0.5(31) – 03/14/2013
File: asa805-31-k8.bin
Defects resolved since 8.0.5(28):
ASA 5580 page fault in thread CERT API during pki validation
ASA may traceback in thread emweb/https
flash in ASA5505 got corrupted
Revision: Version 8.0.5(28) – 10/10/2012
File: asa805-28-k8.bin
Defects resolved since 8.0.5(27):
Configure fail state link without IP addr causes LAND attack syslogs
Standby Unit not getting session replicated, rerr TCP and UDP increasing
DHCP Memory Allocation Denial of Service Vulnerability
ASA may reload with traceback related to SSH, PING, DHCP, or IPSEC
skinny-inspect intermittently uses odd port for RTP stream
Revision: Version 8.0.5(27) – 02/29/2012
File: asa805-27-k8.bin
Defects resolved since 8.0.5(25):
Multi-context ASA Resets a connection from Flooded packet
EIGRP default-route is not displayed w/ "ip default-route" route removed
Protocol-Independent Multicast Denial of Service Vulnerability
ASA 8.4.2 http inspection might break certain flows intermittently
Slow memory leak by skinny
ASA 8.0(4)32 memory leak related to aaa process
wrong vpn-filter gets applied when peers have overlapping address space
Incorrect MPF conn counts cause %ASA-3-201011 and DoS condition for user
Standby ASA traceback in DATAPATH-0-1400 or Dispatch Unit
ActiveX RDP Plugin fails to connect from WIn7 PC after upgrade to 8.4(3)
Revision: Version 8.0.5(25) – 09/19/2011
File: asa805-25-k8.bin
Defects resolved since 8.0.5(23):
SNMP: ASA responds after two SNMP requests
SSH processes stuck in ssh_init state
OpenSSL Ciphersuite Downgrade and J-PAKE Issues
ASA reload in thread name rtcli when removing a plugin
ASA may log negative values for Per-client conn limit exceeded messg
ASA MSN Inspection Watchdog Crash
ESMTP Inspection Incorrectly Detects End of Data
CSCto40365: Crafted TACACS+ reply considered as successful auth by ASA
Traceback with phone-proxy Thread Name: Dispatch Unit
SunRPC inspection DUMP reply crash
SunRPC inspection credential length crash
SunRPC inspection arithmetic overflow in parse_transport_address
SunRPC inspection arithmetic overflow in portmap code
CSCtq57697: ILS inspection traceback on malformed ILS traffic
Revision: Version 8.0.5(23) – 02/06/2011
File: asa805-23-k8.bin
Defects resolved since 8.0.5(20):
clear crypto isakmp with high VPN load causes improper failover
TFW ENH: Management interface should operate in routed mode
ASA: TFW sh fail output shows Normal(waiting) when Sec unit is act
SSH to the ASA may fail - ASA may send Reset
Cmd authorization fails for certain commands on fallback to LOCAL db
show run all command causes SSH session hang
Inspection triggers block depletion resulting in traffic failure
SMTP DATA packet ending with <CRLF>. wrongly considered as end of DATA
per-client-max and conn-max does not count half-closed connections
Transparent fw w/ASR group sets dstMAC to other ctx for last ACK for 3WH
"failover exec standby" TACACS+ authorization failure
Flood of random IPv6 router advertisements causes high CPU and DoS
Traceback Thread Name: IKE Daemon Assert
ASA SIP inspection does not rewrite with interface pat
Management connection fail after multiple tries with SNMP connections.
TFW mode regens cert every time 'no ip address' applied to mgmt int
rtcli: traceback in rtcli async executor process, eip ci_set_mo
Orphaned SSH sessions and High CPU
Traceback in IKE Timekeeper
ASA traceback when using a file management on ASDM
ASR trans FW rewrites wrong dst. MAC when FO peers active on same ASA
Cut-through proxy sends wrong accounting stop packets
Standby unit sends ARP request with Active MAC during config sync
Group enumeration possible on ASA
H225 keepaplive ACK is dropped
Revision: Version 8.0.5(20) – 08/27/2010
File: asa805-20-k8.bin
Defects resolved since 8.0.5(13):
Configure fail state link without IP addr causes LAND attack syslogs
SIP builds many secondary conns with register msg but no registrar
Removed ACL permits inbound packets
child flows created via established cmd torn down when parent is removed
PP: Incorrect Entry Installed in ASP Table for proxy-server command
ASA 8.2.1.4 traceback when webvpn capture is configured
MU sunrpc test for dump.call with truncated body cause traceback on
1-hour threat-detection enabled by "clear threat-detection rate"
TCP proxy in SIP inspection causing 1550 block deplete temporarily
threshold checking for average rate not working in threat-detection
WebVPN Application Access page not displayed if AES chosen
FTP download for files larger than 2GB doesn't work properly
NAT with ACL statements causing long time to reboot.
ASA: Unable to pass traffic through an Airlink router w DTLS enabled
ASA 8.04 - certificate chain not being sent during rekey w/ IPSEC RA
Beta Box assertion: snp_tcp_timeout_cb+0 at np/soft-np/snp_tcp_norm.c:82
SSH process may exist after being orphaned from SSH session
Actions attached to class class-default don't apply to traffic
After failover, skinny message are decoded as SCCPv0 instead of SCCPv17
Slow memory leak in WebVPN related to CIFS cache
Thread Name: netfs_thread_init
ASA 8.0.5+ webvpn FTP bookmarks no longer will pass embedded user/pass
SNAP frames are sent from Management interface in Transparent mode ASA
Memory Leak In CIFS can casue memory depletion
ASA Fails to assign available addresses from local pool
Copy to disk0 without ":", prefills dest as disk0, cant delete/view file
Memory leak happens due to huge number of LDAP authentication failure
ASA 8.0.5 1550 block depletion with ASDM open
Option to change Pane Title missing from customization editor
ldap-dn password is in the clear within running config
ASA/w 4-GE-SSM shows module status unresponsive after power surge
DHCP learned route may not be removed at end of lease time
quiting "show controller" command with 'q' key triggers failover
RST sent over L2L is dropped by peer due to tcp-rstfin-ooo
OpenSSL Record of death
Removing HTTP server caused page fault traceback
Flows torndown over VPN tunnel log 302014 with Flow closed by inspection
RSA Crossrealm Authentication fails to authenticate for vpn users
ASA tracebacks in Thread Name: IPsec message handler
ASA: AAA Session limit [2048] reached when xauth is disabled for vpn
Traceback: CP Processing
ASA traceback in Thread Name: Dispatch Unit
ASA traceback in Thread Name: RIP Send
Clientless WebVPN: DWA 8.0.2 fails to forward attachments
Webvpn with Citrix - Xenapp upgrade from 11.2 to 12.0 breaks app access
PP: signaling sessions are not removed after phone disconnects
Traceback typing "import webvpn webcontent /+CSCOU+/logon.inc stdin"
Thread Name: lu_rx Page fault: Address not mapped
ASA WebVPN : Forms don't get saved in CRM due to no pop-up
Traceback in Unicorn Proxy Thread, address not mapped
ASA HTTP response splitting on /+CSCOE+/logon.html
Memory not released after EZVPN client with cert fails authentication
Revision: Version 8.0.5(13) – 03/30/2010
File: asa805-13-k8.bin
Defects resolved since 8.0.5:
FT: workaround for read-only flashes
Unable to Browse to Domain Based DFS Namespaces
ASA is dropping arp on SSM-4GE
dhcp-network-scope ip that matches interface can cause route deletion
Radius Challenge not presented to anyconnect users at login
ASA stops accepting IP from DHCP when DHCP Scope option is configured
WARNING: The vlan id entered is not currently configured under any int
ASA 8.0(4) traceback in Dispatch Unit due to stack corruption
ASA: AnyConnect is allowed to connect twice with same assigned IP
MAC OSX: Smarttunnel applications don't use name resolution
ASA: Memory leak when secure desktop is enabled
Traceback in unicorn thread (outway_buffer_i)
DH group 5 freezes IKE processing for about 80ms
Service resetinbound send RST unencrypted when triggered by vpn-filter
WebVPN group-url with a trailing "/" treated differently
Standby ASA reloading because unable to allocate ha msg buffer
Need better error message for VLAN Mapping for NEM Clients not supported
ASA unable to assign IP address for VPN client from DHCP intermittently
ASA memory leak one-time ntlm authentication
Inspection with Messenger causes a traceback
Secondary language characters displayed on Web Portal
enable_15 user can execute some commands on fallback to LOCAL db.
8.2 Auto Signon domain parameter does not work with CIFS
Removed ACL permits inbound packets
Deleting group-policy removes auto-signon config in other group-policies
ASA: SIP inspect not opening pinhole for contact header of SIP 183 msg
tcp-intercept doesn't start 3WH to inside
ASA traceback thread name dispatch unit, assertion calendar_queue.h
Duplicate ASP crypto table entry causes firewall to not encrypt traffic
LDAP CRL Download Fails due to empty attribute
Traceback in 'ci/console' when Failing Over with Phone Proxy Configured
ASA (8.2.1) traceback in dhcp_daemon
AAA session limit reached with cert-only authentication
Webvpn- rewrite : ASA inserts lang=VBScript incorrectly
RDP SSO doesn't send pass
On boot, TACACS server is marked FAILED if defined by DNS name
WebVPN: in DWA 8.5.1 404 occurs while email preview
Console hangs when trying to write mem or view config
Personalized Bookmarks do not account for authentication realms
memory leaks after anyconnect test with packet drops
ASA passes reset packets after a connection is closed
ASA traceback: Thread Name: IKE Daemon
Malformed IKE traffic causes rekey to fail
ASA: Traceback during NTLM authentication
Clientless WebVPN: Errors with DWA 8.5 (Domino Web Access / Notes)
SSM IPS sends TCP RST to wrong TCP seq number
When SAPI tcp-proxy buffer exceeding limit generates misleading syslog
WebVPN: Cisco Port Forwarder ActiveX does not get updated automatically
SSL lib error. Function: DO_SSL3_WRITE while making cert only SSLVPN
DHCP Proxy -2s delay between consecutive DHCP lease renew after failover
Radius authentication fails after SDI new-pin or next-code challenge
asa https authentication (with/without listener) doesn't prompt
Traceback: CTM message handler - L2TP and crypto reset - stack overflow
vpnlb_thread traceback under low mem condition due to huge vpn acl
emweb/https traceback under low memory condition
WebVPN: Firefox users have issues searching with google
Traceback in Thread Name: SiteMinder SSO Request
ASA watchdog when inspecting malformed SIP traffic
Personal Bookmark using plugins won't use parameters other than the 1st
IMPORTANT TLS/SSL SECURITY UPDATE
Oversize SNMP poll may cause slow memory leak
Launching ASDM triggers ASA software traceback
assertion "t->stack[0] == STKINIT" failed: file "thread.c", line 743
New active member should send SNAP frames for MAC address table update
ASA not displaying pictures on the portal page
ASA: Webvpn CIFs does not refresh updated files
Traceback when CSR is generated
LDAP CRL Download Fails due to empty attribute pki-cro
ASA traceback in Thread Name: Checkheaps
SNAP frame with MAC address learned on management-only interface is sent
ASA traceback at dispatch unit
Excessive memory allocation for large routing tables
IPsec: Outbound context may be deleted prematurely
Traceback on secondary with SIP connection replication
ASA - 1550 block leaking due to email proxy
re-adding class in policy-map causes undesired behavior-see CSCte80609
ASA: ip IPSec SA not brought up if similar icmp SA is up
ASA assert "new_flow->conn->conn_set == NULL" failed: file "snp_mcast.c"
ASA traceback when new DHCPD commands entered
TCP RSTs returned from inline IPS are dropped on multi-context ASA
Connection once entered into discard state and remains in discard state
traceback in checkheaps during backup of asa with smartcare appliance
ASA fails SSO authentication with Entrust GetAccess
ASA running 8.0.4.32 traceback in Thread Name: Dispatch Unit
Remove uninformative Peer Tbl remove messages
CTA does not respond for EAP from ASA 8.0.5 with NAC
Error event causes Syslog 199011 "Close on bad channel in process/fiber"
VPN session not replicate to Standby after Failover State Link failure
FTP download for files larger than 2GB doesn't work properly
CA ServiceDesk hidden frame not showing
Disable URL entry should only disable http/https
ASA 8.0.5 snmp-server re-configuration can cause socket used messages
Certificate authentication failing on ASA: incorrect key for validation
ASA may allow authentication of an invalid username for NT auth
ASA doesn't allow username length of <4 characters
msgid in Language Localization are not synchronized
SSL sockets stuck in CLOSE_WAIT status using webvpn
Encoded error message issue in /+CSCOE+/logon.html
Standby ASA tracebacks in Thread Name: vpnfol_thread_msg
ASA anyconnect DTLS CONN is torn down when tftp error MSG is rvd- CIPC
Cookie being set improperly due to webvpn misreading firefox flags
WebVPN Smart Tunnel failing for ProPalms Application
VPN user cannot ping to inside interface with management-access config
WebVPN user-storage does not work if user logon as DOMAIN\Username
ASA 8.0(5) - "LU allocate connection failed"
ASA HW client: deny rule for DHCP should account for remote subnets
ASA - Memory depleting 1% per day due to snmp-server ipsec configuration
Traceback in Dispatch Unit (Old pc 0x08180444 ebp 0xc793d980)