Cisco
ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 8.5.1(24) – 04/08/2015
Files: asa851-24-smp-k8.bin
Defects resolved since 8.5.1(22):
ASA SSL: Continues to accept SSLv3 during TLSv1 only mode
Multiple Vulnerabilities in OpenSSL - June 2014
1550 block leak occurs if DNS replies "refused" query response
Failover units should accept only traffic coming from the peer
ASA: evaluation of SSLv3 POODLE vulnerability
JANUARY 2015 OpenSSL Vulnerabilities
2048-byte block leak if DNS server replies with "No such name"
Revision: Version 8.5.1(22) – 10/08/2014
Files: asa851-22-smp-k8.bin
Defects resolved since 8.5.1(21):
Cisco ASA VPN Failover Commands Injection Vulnerability
Revision: Version 8.5.1(21) – 07/28/2014
Files: asa851-21-smp-k8.bin
Defects resolved since 8.5.1(19):
Simultaneous config-changes on multiple contexts can't be synchronized
ASA traceback in Thread Name: fover_parse during command replication
ASA: Tracebacks in thread dispatch unit due to SunRPC inspection
Revision: Version 8.5.1(19) – 04/09/2014
Files: asa851-19-smp-k8.bin
Defects resolved since 8.5.1(18):
Port Forwarder ActiveX control contains a Buffer Overflow vulnerability
Cookie usage in SSL VPN
Add text section to coredump
Page fault traceback in DATAPATH under DoS, rip qos_topn_hosts_db_reset
Revision: Version 8.5.1(18) – 10/09/2013
Files: asa851-18-smp-k8.bin
Defects resolved since 8.5.1(17):
ASA - SQL*Net Inspection Engine Denial of Service Vulnerability
ASA may traceback in thread emweb/https
HTTP Deep Packet Inspection Denial of Service Vulnerability
ASA may traceback due to watchdog timer while getting mapped address
ASA DNS Inspection Denial of Service Vulnerability
ASA OSPF LSA Injection Vulnerability
ASA Digital Certificate HTTP Authentication Bypass Vulnerability
Revision: Version 8.5.1(17) – 02/19/2013
Files: asa851-17-smp-k8.bin
Defects resolved since 8.5.1(14):
ASA may leave connection in half-closed state
ASA: DHCP-Relay should forward out interface based on internal gi-addr
Failover disabled due to license incompatible different Licensed cores
Traceback with Netflow configuration
SMP ASA traceback on periodic_handler for inspecting icmp or dns traffic
ASA: Page fault traceback when changing port-channel load balancing
Interface oversubscription on active causes standby to disable failover
Traceback in CP Processing when enabling H323 Debug
ASA: Page fault traceback when copying new image to flash
FIFO queue oversubscription drops packets to free RX Rings
Unexpected policy-map is added on standby ASA when new context is made
Standby ASA traceback while replicating flow from Active
ASA traceback under threadname Dispatch Unit due to multicast traffic
Traceback in Thread Name: accept/http
OSPF routes were missing on the Standby Firewall after the failover
TCP ts_val for an ACK packet sent by ASA for OOO packets is incorrect
Multi-Mode traceback on ci/console copying config tftp to running-config
HTTP inspection matches incorrect line when using header host regex
ASA 5580 page fault in thread CERT API during pki validation
Cat6000/15.1(1)SY- ASASM/8.5(1.14) PwrDwn due to SW Version Mismatch
ASA Logging command submits invalid characters as port zero
ASASM platform is not exempt from MAC move wait timer
ASASM forwards subnet directed bcast back onto that subnet
data-path: ASA-SM: 8.5.1 traceback in Thread Name: SSH
Revision: Version 8.5.1(14) – 10/02/2012
Files: asa851-14-smp-k8.bin
Defects resolved since 8.5.1(7):
Note: If your Supervisor card is running version 15.1(1)SY, you should not use 8.5(1)14 for the ASA-SM. Due to CSCuc78176 15.1(1)SY/8.5(1)14 - WS-SVC-ASA-SM1 "PwrDown" due to SUP_LINE_CARD_COMPATIBILITY-6-SW_VERSION_MISMATCH, the ASA-SM will be shut down by the supervisor card. We recommend that you use ASASM 8.5(1)15 (target post date is early November). 8.5.1.14 will work fine with supervisor release 15.1(1)SY1 when it becomes available.
ASA - crasActGrNumUsers does not update tunnel groups after upgrade
ASA 8.2(1)11 failed to return MIB data for SNMPV3 GetBulk request
ASA 8.3 upgrade traceback in thread pix_flash_config_thread
Change in Layered Object Group Does Not Update NAT Table
WebVPN & ASDM doesn't work on Chrome with AES & 3DES ciphers
SNMP: ifOutQLen gives free blocks instead of used blocks in ACMilan
assert traceback for ifc cfg removal with same-security intra-interface
ASA fails over under intensive single-flow traffic
ASA WebVPN clientless not possible to access ipv6 services on the inside
ASA calculates ACL hash incorrectly
Active SSH connection orphaned if 'clear config all' is run
traceback in Crypto CA during multiple ocsp requests
Traceback seen while running packet-tracer due to Page fault
ASA threat detection does not show multicast sender IP in statistics
IPV6 router advertisements dropped by multicontext firewall
Link outage in Etherchannel causes interface down and failover
ASA with VoIP memory leak 1% per day on binsize 56
ASA logs "INVALID_NICNUM" messages to console
DCERPC inspection for RCI message type broken
Traceback in "clear config all" when active telnet connection exists
ASA Multicontext: allocated interface may not be configurable in context
ASA may reload with traceback in Thread Name scmd reader thread
Inspect PPTP does not change CALL-id for inbound Set-Link-Info Packet
ASA: SSH process may exist after being orphaned from SSH session
'Route-Lookup' Option Should be Allowed if One Real Interface is Known
ASA: Manual NAT rules inserted above others may fail to match traffic
Allow Concurrency of 'Unidirectional' and 'No-Proxy-Arp' Keywords
npshim: Shared License Registration Fails w/ Empty TP applied to Int
ASA may traceback citing Thread Name: qos_metric_daemon as culprit
ASA 5580 traceback when CSM attempts deployment
Traceback in Thread Name: CP Processing
ASA: Traceback after removing 'ip address dhcp setroute' with DDNS
ASA: Traceback with Checkheaps related to GTP inspection
ASA NAT fails to do route lookup with any as destination interface
Incorrect MPF conn counts cause %ASA-3-201011 and DoS condition for user
TCP sequence space check ignored in some cases
Traceback: assert failure on thread radius_snd
Port Address Translation (PAT) causes higher CPU after upgrade
Page fault traceback with thread name "pix_flash_config_thread"
ASA 5585-X does not provide aggregate system CPU load value via SNMP
ASA may reload with traceback in Dispatch Unit related to WAAS inspect
ASA 8.4 Email Proxy causes corruption of some email attachments
Page fault traceback in crypto_lib_keypair_show_mypubkey_all
ASA: May traceback in DATAPATH during capture
Post request for OCSP using non default port is missing the port number
Nas-Port attribute different for authentication and accounting
ASA-SM requires ability to change default password in system context
Configuring a network object with an invalid range causes traceback
Standby ASA traceback while trying to replicate xlates
TCP Proxy TCP Window Size Update gets delayed
cut through proxy authentication vulnerability
Newly Added Failover Unit With Lesser License Rejects Configuration
Syslog 324001 Reason string is missing
ASA-SM may traceback in Thread Dispatch Unit
ASA: 8.4 Page fault traceback while displaying "sh run threat-detection"
ASA: Traceback in thread name EAPoUDP
Traceback when Converting ACL Remarks of 100 Characters
ASA: OSPF redist with prefix routemap advertises all static after reboot
tcp-proxy with skinny v17 inspection not allowing 7962 phone to register
ASA Multicontext with shared port-channel interface shutdown error
ASA traceback with Thread Name: dhcp_daemon
Standby ASA remains standby after active ASA fails
Migration of max_conn/em_limit to MPF is not working for dynamic NAT
ASA 5585: Traceback after Reload when TCP syslog server unavailable
ASA: Traceback in ldap_client_thread after changing aaa-server config
ASA fails to reserve some UDP ports for PAT w/ flow-export destination
ASA: Active/Active failover group stuck in Bulk Sync with SIP inspect
Failover Cluster License Must be Cleared When Failover is Unconfigured
NAT rules specifying an interface of any removed if an interface deleted
New Create PDP Ctx Req with TEID 0 should remove pre-existing active PDP
ENH: Add Command to Allow ARP Cache Entries from Non-Connected Subnets
authentication in esmtp inspection breaks
ASA - dhcp relay - option 252 is not passed down to the clients
Traceback in Thread Name accept/http
ASA 8.2.5.27 secondary traceback after the upgrade - Thread Name: snmp
Traceback: timer assert due to nf_block timer race condition
ASA sip inspect - duplicate pre-allocate secondary pinholes created
Incorrect MPF conn counts cause %ASA-3-201011 and DoS condition
ASDM Session Replication during Failover
ASA: CPU profile activate command prints incorrect instructions
1550 byte block depletion related to TCP
Traceback in Thread Name: Dispatch Unit
ASA: May log 305006 regular translation creation failed messages
ASA-SM: inspect ipsec-pass-thru command is not available
Standby ASA traceback while replicating flow from Active
Standby ASA allows L2 broadcast packets with asr-group command
ASA-SM does not allow slot number in prompt
Revision: Version 8.5.1(7) – 02/29/2012
Files: asa851-7-smp-k8.bin
Defects resolved since 8.5.1(6):
HA conn replications on smp platform need to be throttled
Revision: Version 8.5.1(6) – 01/27/2012
Files: asa851-6-smp-k8.bin
Defects resolved since 8.5.1:
ASA 5580 reboots with traceback in threat detection
ASA 8.2 may calculate memory usage incorrectly
EIGRP: static route redistribution with distribute-list not working
Low performance over shared vlans in multi-mode
Traceback in Thread Name: Checkheaps due to logging
ASA not sending all logging messages via TCP logging
Write Mem on active ASA 8.3 produces log 742004 on standby
Unable to edit the privilege level for cmd object & object-group in 8.3
Assert Failure caused Traceback in Thread Name: Dispatch Unit
IPv6: ASA Stops responding to IPv6 ND solicitation
ASA 8.0.5.9 Standby with a traceback in Thread Name: Checkheaps
ASA 8.2.2.x traceback in Thread Name: Dispatch Unit
EIGRP metrics will not update properly on ASA
OSPF default-info originate fails with route-map matching sub-net routes
Connections stay open w/ 'sysopt connection timewait' & NetFlow
ASA hitless upgrade from 8.2 to 8.3: upgraded unit reload upon conf sync
Syslog %ASA-7-108006 generated erroneously
Slow xlate expiration rate
NAT Xlate idle timer doesn't reset with Conn.
ASA may log negative values for Per-client conn limit exceeded message
ASA traceback when layer-2 adjacent TCP syslog server is unavailable
ASA - Traceback in thread DATAPATH-6-1330
ASA: Traceback in fover_parse thread after making NAT changes
ASA Unexpectedly Reloads with a Traceback due to a Watchdog Failure
ASA reuses tcp port too quickly
The packet is discarded when the specific xlate exists
"ERROR:doesn't match an existing object or object-group" with context
ASA 8.4.1 traceback on thread name ldap_client_thread with kerberos
ASA5580 traceback in DATAPATH-7-1353
BTF DNS-Snooping TTL maxes out at 24 hours, less than actual TTL
ASA Traceback in Thread Name: snmp
Tmatch: Traceback on Primary when adding User Group based ACL
LDAP Authorization doesn't block AccountExpired VPN RA user session
Traceback while replicating xlates on standby
ASA Broadview deny lines in NAT exemption ACL are migrated as permits
multicast packets dropped in the first second after session creation
Crafted TACACS+ reply considered as successful auth by ASA
ASA reset TCP socket when RTP/RTCP arrives before SIP 200 OK using PAT
Traceback with phone-proxy Thread Name: Dispatch Unit
OSPF Failover causes 5 second convergence delay
IPv6 traffic not updated after neighbor changes
Traceback in Thread Name: gtp ha bulk sync with failover config
ASA Sequence of ACL changes when changing host IP of object network
Access-list remarks are lost during migration to 8.3
ASA: Traceback in ci/console on Standby unit
Host listed in object group TD shun exception gets shunned
ASA 8.4, failover, OSPF routing cannot update correctly
HA: Monitored interfaces fail to move out of waiting state
ASA-SM: Failover Cold Standby "Unable to sync configuration from Active"
ASA rebooted unit always becomes active on failover setup
Degraded Xlate Teardown Performance
ASA may reload in threadname Dispatch unit
invalid command dhcp client xxx on ASA 8.4
ASA traceback due to dcerpc inspection
High CPU and Orphaned SSH session on ASA 8.3(2.8)
Traceback in Thread Name: IP SLA Mon Event Processor
ASA traceback in thread Dispatch Unit
Unable to get block detail about 2048 byte blocks
ASA - LU allocate connection failed with conn-max policy
Failure to migrate named interfaces in ctx to 8.4 bridge group syntax
Memory fragmentation issue with dscp
EIGRP 'no default-information in' does not work
Standby ASA generates syslog 210005 while transmitting data on FTP
ASA - panic traceback when issuing show route interface_name
ASA 5580 traceback with DATAPATH-2-1024 thread
Protocol-Independent Multicast Denial of Service Vulnerability
ASA: asr-group in TFW A/A FO doesn't rewrite dst MAC for IP fragments
conns are not fully replicated to standby if config has many ACLs
ASA reloads with traceback in Thread Name: Dispatch Unit
connections are not replicated to standby unit
Active ASA traceback Thread: DATAPATH-3-1290, rip spin_lock_get_actual
ASA 8.4.2 http inspection might break certain flows intermittently
LDAP authentication fails when no RootDSE info returned
ASA: Local-host and all conns are torn down when client hits conn limit
ASA EIGRP route not updated after failover
ASA: Packet classifier fails with 'any' in Object NAT rule
Traceback in sch_dispatcher thread
100% CPU Object Group Search under low traffic due to spin_lock
ASA: WCCP with authentication fails in 8.3 and 8.4
ASA 5520 8.2.5: traceback at thread name snmp
CPU spikes to 100% and causes traceback when Syslog interface is down
NAC Framework - Status Query triggers full Posture Revalidation
ESMTP drops email with DKIM header
8.4.2.2: Thread Name: DATAPATH-0-1272 Page fault: Unknown
Slow memory leak by skinny
Memory leak in DP udp host logging resulting in 1550 byte blocks leak
Unexpected packet denials during large ACL compilation
Mismatched Auto-Generated MACs on Etherchannel Interfaces in Failover
Traceback in Dispatch Unit on Standby with timeout floating-conn
L2 table entries for identity i/f not handled properly when add/del i/f
xlate objects with no associated conns and idle timer > timeout
ASA5585 Page fault traceback in Thread Name: DATAPATH-5-2312
DCERPC inspection does not properly fix up port and IP in Map Response
ASA: May traceback when adding ipv6 route before enabling ipv6
ASA Radius User-Password attribute is not included in Access-Request
Traceback in Thread Name: IP Address Assign
Traceback in Thread Name: tacplus_snd
ASA traceback caused by Global Policy
ASA may traceback in a DATAPATH thread
ASA 5520 8.2.5 memory leak in the inspect/gtp area
Standby Firewall traceback citing nat_remove_policy_from_np+383
AAA Command Authorization Reactivates Failed Server on Every Attempt
Specific closing sequence may cause ESMTP inspect to hog CPU for 1+ sec
ASASM traceback in DATAPATH-3-2265
ASA traceback in thread ci/console with names > 48 char in prefix-list
SNMPv3 Information Disclosure Vulnerability
ASA - Dispatch unit traceback - snp_nat_xlate_timeout
ASA may reload with traceback in Thread Name: kerberos_recv
'show shared license' after toggle license-server causes traceback
High CPU usage during bulk sync on spin_lock used by tmatch lookup
High CPU usage during bulk sync when allocating NAT xlate
5580: assert failure in thread CP Processing
Threat Detection Denial Of Service Vulnerability