Cisco ASA Interim Release Notes

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

Revision: Version 9.7(1)24 – 04/18/2018
Files: asa971-24-smp-k8.bin
Defects resolved since 9.7(1)21:
- Blade got stuck in slave bulk sync after changing the CCL
- Asymmetric path ICMP traffic fails through distributed clustering
- Threat Defense: Interface capture on ASA CLI causes all traffic to be dropped on data-plane
- Offloaded flows fail to update their idle timer, resulting in connections being incorrectly timed out
- 9300 pair NGFWs in inline IPS mode do not trigger SNAP packet updates with proper VLAN tags
- Default DLY value of port-channel sub-interface mismatch
- Blocks of size 80 leak observed when IRB is used in conjunction with multicast traffic
- Firepower Threat Defense prefilter policy only fast-paths single direction of bidirectional flow
- Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities
- Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities

Revision: Version 9.7(1)21 – 02/03/2018
Files: asa971-21-smp-k8.bin
Defects resolved since 9.7(1)16:
- Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities
- ERROR on Firepower Threat Defense device: Captive-portal port not available. Try again
- ASA/FTD traceback when enabling or clearing the packet capture buffer
- Unable to save configuration in system context after enabling password encryption in ASA
- Elevated CPU using Flow-Offload & high rate of flow table collisions
- Cisco Adaptive Security Appliance Denial of Service Vulnerability
- Memory leak in Agg-Auth SAML code
- Memory leak in IKE for aggregate-auth

Revision: Version 9.7(1)16 – 11/10/2017
Files: asa971-16-smp-k8.bin
Defects resolved since 9.7(1)15:
- Resolve any vulnerabilities in ASA/FTD lina Heimdal Kerberos code
- ASA Traceback in thread SSH when running "show service set conn detail"
- ASA 9.1(7)9 Traceback with %ASA-1-199010 and %ASA-1-716528 syslog messages
- ASA REST API - component monitoring - empty value/blank value
- VTI - Some sessions do not get cleared from vpn-sessiondb
- ASA Traceback when saving/viewing the configuration due to time-range ACLs
- ASA SSL client does not respond to renegotiation request
- Routes do not sync properly between different minor versions during hitless upgrade
- Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability
- Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability
- Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability
- Traceback in DATAPATH-1-2084 ASA 9.(8)1
- All 1700 "4 byte blocks" were depleted after a weekend VPN load test
- ASA should have a syslog message showing which side closed the connection
- Deployment timeouts after 30 minutes due to expansion of ACE during deployment
- ASA: Low free DMA Memory on versions 9.6 and later
- ASA Exports ECDSA as corrupted PKCS12
- An ASA with low free memory fails to join existing cluster and could traceback and reload
- ASA not sending register stop when mroute is configured
- ASA Connections stuck in idle state with DCD enabled
- Install 6.2.2-1290 sfr on an ASA with firepower - asa cores
- ASA creates a BVI0 interface on a custom routed context
- OSPF route not getting installed on peer devices when an ASA failover happens with NSF enabled
- ASA 9.x: DNS inspection appending "0" on PTR query
- TLS version 1.1 connection failed no shared signature algorithms@t1_lib.c:3106
- ASA - 80 Byte memory block depletion
- ASA 9.6(2), 9.6(3) traceback in DataPath
- ASA doesn't send LACP PDU during port flap in port-channel
- Transparent Firewall: Ethertype ACLs installed with incorrect DSAP value
- Traceback in thread DATAPATH due to NAT
- ASA drops the IGMP Report packet which has Source IP address 0.0.0.0
- Cisco Adaptive Security Appliance Flow Creation Denial of Service Vulnerability
- FTD may traceback in Thread Name appAgent_monitor_nd_thread during device registration
- ASAv image in AWS GovCloud not working in Hourly Billing Mode
- IKEv2 RA cert auth. Unable to allocate new session. Max sessions reached
- OpenSSL CVE-2017-3735 "incorrect text display of the certificate"
- Memory leak in 112 byte bin when packet hits PBR and connection is built
- 'Incomplete command' error with some inspects due to K7 license
- Slave kicked out due to CCL link failure and rejoins, but loses v3 user in multiple context mode
- ASA: Traceback by Thread Name idfw_proc
- ASA - rare scheduler corruption causes console lock
- ASA on FP 2100 traceback when uploading AnyConnect image via ASDM
- ASA : After upgrading from 9.2(4) to 9.2(4)18 serial connection hangs
- ASA-SSP HA reload in CP Processing due to DNS inspect
- Traceback with Show OSPF Database Commands
- Assert Traceback, thread name : cli_xml_server
- Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

Revision: Version 9.7(1)15 – 09/05/2017
Files: asa971-15-smp-k8.bin
Defects resolved since 9.7(1)8:
- ASA blocks new conns with "logging permit-hostdown" & TCP syslog is down
- ASA traceback in Thread Name: ci/console while running show ospf commands
- FTP data conn scaling fails with dynamic PAT
- ASA 'show memory' output may not properly report total available memory in 9.5(2) and later
- Evaluation of pix-asa for OpenSSL May 2016
- ASA dropping packets with "novalid adjacency" though valid ARP entry available
- OSPF multicast filter rules missing in cluster slave
- 9.7.1 traceback in snp_fp_qos
- Default inspect statements are missing on ASA 5500-X and 2100 device running Threat Defense
- ASA 5506-X Firepower Threat Defense Reset Button
- EZVPN NEM client can't reconnect after "no vpnclient enable" is entered
- ASA - Incorrect interface-based route-lookup if more specific route exists out different interface
- Print the thread name for non-crashing threads in crash info
- CEP records edit page takes minutes to load
- Traffic drops for reverse UDP/TCP IPv6 traffic over IPv4 tunnel
- ASA 1550 block gradual depletion
- gzip compression not working via WebVPN
- ASA does not respond to IPv6 MLD Query
- ASA: IKEv2 ipsec-proposal command removed if more than 9 proposals configured in single command
- ASA TCP SIP inspection translation not working when IP phone is behind VPN tunnel
- Unable to configure SSH public key auth for non-system contexts
- ASA erroneously triggers syslog ID 201011
- Traceback in thread name DATAPATH
- CRL must be signed by certificate containing cRLSign key usage
- Traceback when trying to save/view access-list with giant object groups (display_hole_og)
- ASA with 9.5.1 and above does not show SXP socket when management0/0 is used as src-ip
- ASA traceback in Thread name: idfw_proc on running "show access-list", while displaying remark
- RT#687120: Bookmark Issue with clientless VPN - SAML
- ASA in cluster results in incorrect user group mappings between the Master and Slave
- %ASA-3-216001: internal error in ci_cons_shell: thread data misuse
- ASA traceback in ARP thread, PBR configured
- Web folder filebrowser applet code signing certificate expired
- DCERPC inspection drops packets and breaks communication
- ASA backup in multicontext fails due to [Running Configurations] ERROR
- Error deploying ASAv on ESXi vCenter 6.5
- Traceback in Thread Name: Unicorn Admin Handler
- ASA: slow memory leak when using many DNS queries
- ASA policy-map configuration is not replicated to cluster slave
- ASA may generate an assert traceback while modifying access-group
- ASA local DNS resolution fails when DNS server is reachable through a site-to-site IPsec tunnel
- FTD OSPF with ECMP, packets are sent to peer in down state for existing connections
- FTD-VPN: VPN RRI not getting synced between Master and Slave units
- Cisco Adaptive Security Appliance Authenticated Cross-Site Scripting Vulnerability
- Increase memory allocated to rest-agent on ASAv5
- ASA traceback when trying to remove configured capture
- ASA traceback in Thread Name: fover_parse performing upgrade from 9.1.5 to 9.4.3
- ASA traceback observed in Datapath due to SIP inspection
- Unable to switch standby unit of the failover pair to active
- Allow ASAv5 to operate using > 1GB memory
- ASAv5: Reduce DMA packet memory to 64MB
- WebVPN forces IE to use IE8 mode
- ASA Traceback in Unicorn Proxy Thread
- Firepower Threat Defense: block depletion with continuous SSL traffic and decrypt resign enabled
- FTD traceback observed during failover synchronization
- The interactive icons on internal bookmark site not showing properly (+CSCO+0undefined)
- ASA may drop DNS reply containing only additional RR of type TXT
- ASA traceback when customer was authenticating to AnyConnect
- ASA issue with BGP route summarization (auto-summary) and route advertisement
- SFR Backplane is pulling the public address for policy match instead of ASA inside address
- Proxy ARP information for SSH NLP NAT is not updating on the FTD upon failover
- ASA with FirePOWER services module generates traceback and reload
- Slave should use CCL to forward traffic instead of blackholing when egress interface is down
- ASAv Azure: Allow 750 VPN sessions on ASAv30
- ASA reloaded while joining cluster and active as slave
- Show Crypto Accelerator shows status as booting for hardware devices
- CRL verification fails due to incorrect KU after CSCvd41423
- Dist-S2S: tunnels stay up even after passing vpn idle timeout in Multimode
- Memory leak with capture with trace and clear capture
- In multi-context ASA drops traffic sourced from certain ports when interface PAT is used
- ASA: Active FTP not working with extended keyword in NAT
- ASA clustering to support rollback feature with CSM
- Upgrading the ASA results in No Valid adjacency due to track configured on the route
- Standby ASA not learning routes via RIP
- ASA: Multicast packets getting dropped starting code 9.6.3
- ASA traceback observed in datapath
- Username is not fetched from certificate when certificate map is used in clientless portal
- Cisco Adaptive Security Appliance WebVPN Cross-Site Scripting Vulnerability
- FP4100 SSP 9.6.2 / cluster - Tx queue stuck causing traffic drop to occur
- ASA SNI connection fails after upgrade - no shared cipher
- activate-tunnel-group-scripts not available in 9.6.3.1
- hostscan data-limit service-internal command must be exposed and documented
- ICMP Unreachables (PMTU) dropped indicating "Routing failed to locate next hop"
- Auto-RP packet is dropped due to no-route - No route to host
- ASA may traceback on displaying access-list config or saving running config
- Smart Licensing ID cert renewal failure should not deregister product instance
- Traceback in Thread Name: IP RIB Update when routes are redistributed
- Calls not working with CUCI Lync version 11.6.3 on ASA
- ASA - Traceback in DATAPATH during PAT pool socket allocation
- ASA corrupts dst MAC address of return traffic from L2TP client
- network_udpmod_get not releasing shr_lock in rare error case
- ASA interfaces may stop passing traffic after ASA reload with FIPS mode enabled
- ASA does not install routes learned via OSPF over IPsec using UDP/4500
- NSF IETF/CISCO commands getting removed on reload
- ASA: IPv6 protocol X rule for passing through FW is dropping packets with Invalid IP length message
- AnyConnect new customization creation fails on ASDM for all ASA versions above 9.5(3)
- ASA sends the ICMP unreachable type 3 code 4 in the wrong direction when SFR redirection enabled
- FTD Diagnostic Interface does Proxy ARP for br1 management subnet
- OSPF Rogue LSA with maximum sequence number vulnerability
- Slave reports Master's interface status as "init" while it is up
- ASA Memory Leak - RSA toolkit
- SSH Connections to ASA fail with SLA monitoring & nonzero floating-conn timeout
- VPN VLAN mapping issue
- ASA - Traceback in 'Thread Name : Datapath' on crypto_SSL functions
- ASA 9.5.1 onwards, Traffic incorrectly routed instead of management interface
- ASA Cluster : Potential UDP loop on cluster link with PAT pool
- ASA Log message 414003 may be generated with bogus IP data when TCP Syslog Server down
- ASASM: Interface vlans going to admin down after reload
- FTD - Multicast and BPDU traffic dropped due to dst-l2_lookup-fail
- Memory leak at location "snp_fp_encrypt" when syslog server is reachable over the VPN tunnel
- IPsec SA fail to come up and flap with more than 1000 IPsec SA count in ASA5506/5508/5516
- ASA traceback on websns_rcv_tcp
- Traceback in Unicorn Proxy Thread due to WebVPN
- ASA/ 9.6.3 // WebVPN Smart tunnel works but floods Windows with event viewer
- Contexts are missing on ASA once Chassis reloads after becoming Master on 9.7 and later code
- Cisco Adaptive Security Appliance HREF Cross Site Scripting Vulnerability
- Traceback on ASA with Firepower Services during NAT rule changes and packet capture enabled
- Unable to scale the flash virtualisation feature up to 250 contexts
- CDA agent gets stuck in 'Probing' when domain-lookup is enabled
- Edit Second password on ASDM AC downloads but ignores the change ASA 9.8.1 higher
- Regex is not matching for HTTP argument field
- ASA - Crypto accelerator traceback in a loop
- Duplicate host entries in flow-export action cause traceback after policy deployment
- Multicast traffic sourced from AnyConnect pool dropped due to reverse path check
- ASA-5-720012: (VPN-Secondary) Failed to update IPSec failover runtime data in ASA cluster environment
- IKEv2 Remote Access client sessions stuck in Delete state
- ASAv: Upgrade issues to the 9.7.1.4 and 9.8.1 when installed on Hyper-V Windows Server 2012-R2
- FP9300 9.7.1.10 FTD HA traceback in Datapath
- ASA5585 traceback in DATAPATH - snp_vpn_process_natt_pkt
- EC Certificates that are imported to the ASA in PKCS12s cannot be used for SSL
- ASA traceback in fover_parse after version up
- Traceback in watchdog process
- iOS and OS X IKEv2 Native Clients unable to connect to ASA with EAP-TLS

Revision: Version 9.7(1)8 – 04/27/2017
Files: asa971-8-smp-k8.bin
Defects resolved since 9.7(1)4:
- ASA blocks new conns with "logging permit-hostdown" & TCP syslog is down
- Incorrect failover status for contexts via SNMP
- Unable to run show counters protocol ip
- ASA matches incorrect ACL with object-group-search enabled
- Implement detection and auto-fix capability for scheduler corruption problems
- Pre-fill feature extracts username from wrong cert (cert 1-machine) for double cert vs. (cert 2-user)
- Traceback on thread name IKE Daemon at mqc_enable_qos_for_tunnel
- FTD Cluster 9K block depletion with fragmented Traffic
- ASA: IPSec SA failed to come up
- CTP after failed attempt sends the domain along with the username
- RDP plugin activex Full Screen option is not available with ASA 9.6.2 version
- Logs lost when TCP is used as transport protocol for Syslogs
- ASA does not respond to IPv6 MLD Query
- Traceback with ASA 9.5(2)11 on active unit during DNS inspection
- ASA traceback and Reload on Config Sync Failure
- Unable to deploy policy on FTD devices due to wrong XML parsing
- Unable to delete Configured Auto NAT from FMC
- ASA (9.1.7.12): Connection entries created for multicast streams through standby ASA
- Deployment fails when management-only enabled on port-channel interface
- L2TP connects only sometimes when DHCP used
- ASAv Goes Unresponsive / VPN fails to function after restart
- SNMPv3 linkup/linkdown should be generated through admin context
- Slow Memory leak in ASA
- ASA traceback in DATAPATH-41-16976 thread
- Port Forwarding Session times out due to "vpn-idle-timeout" in group-policy while passing data
- ASA traceback in thread name DATAPATH
- 5585 does not unbundle its data intfs for 30 seconds after leaving cluster
- Cannot delete port-object once created under the Service object group in ASA 944
- ASA w/ RRI and OSPF : Fails to flush route from ASP routing table
- ASA may traceback when copying capture out using tftp
- ASA may traceback while loading a large context config during bootup
- ASA drops web traffic when IM inspection is enabled
- SNMP lists same Hostname for all FTD managed devices
- ASA: PBR Memory leak for ICMP traffic
- Mgmt route deletion removes data plane route too
- FTD traceback at "cli_xmlserver_thread" while deploying access-control policy
- Assertion in syslog.c due to uauth
- Cluster C-Hash table is updated with one more unit even though the new unit did not join the setup
- Scheduler Queue Corruption leads to connectivity failures or failover problems after 9.6(2)
- CRL must be signed by certificate containing cRLSign key usage
- Access-lists not being matched for a newly created object-group
- timeout conn-holddown shows incorrect syntax help
- ASA traceback while doing in-service upgrade
- Firepower (SFR) module data plane down after reload of module
- Traceback in Thread Name: dhcp_daemon
- Default "global_policy" service-policy removed after reboot
- Cisco Adaptive Security Appliance Authentication Denial of Service Vulnerability
- ASA traceback in Thread Name: accept/http when ASDM is displaying "Access Rules"
- ASA-FP9300 traceback in thread name IPSEC MESSAGE HANDLER
- ASA All contexts use the same EIGRP router-ID upon a reload
- EIGRP routes wrongly being advertised on mgmt routing table vrf after disabling and enabling EIGRP
- ASA may traceback when changing a NAT related object to fqdn
- ASA - Interface status change c

Revision: Version 9.7(1)4 – 04/04/2017
Files: asa971-4-smp-k8.bin
Defects resolved since 9.7(1)2:
- 9K block counters have issues which stop the traffic punted to Snort, stating snort busy
- ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded'

Revision: Version 9.7(1)2 – 02/28/2017
Files: asa971-2-smp-k8.bin
Defects resolved since 9.7(1):
- CWS redirection on ASA may corrupt sequence numbers with HTTPS traffic
- ASA: Protocol and Status showing UP without connecting the interface
- ASA : memory leak due to IKEv2
- Error synchronizing the SNMPv3 user after rebooting a cluster unit
- SSL connection hangs between ASA and backend server in clientless WebVPN
- ASA with FirePOWER module generates traceback and reloads
- ASA does not update access-list dynamically when forward-reference enable is configured
- WebVPN portal not displayed correctly for connections landing on default webvpn group
- ASA inspection-MPF ACL changes are not getting ordered correctly in the ASP Table
- Reloading Active unit in Active/Standby ASA failover pair is not triggering a failover
- ASA incorrectly processing negative numbers in wrappers, resulting in graphical WebVPN issue
- SIP: 200 OK messages with multiple segments not reassembled correctly
- ASA L3 Cluster: DHCP relay drops DHCPOFFER in case of asymmetric routing
- Tracking route is up while the reachability is down
- Traceback in ASA Cluster Thread Name: qos_metric_daemon
- Traceback observed on gtpv2_process_msg on cluster
- ASA may traceback in network_tcpmod_close_conn with AnyConnect IPv6 DTLS stress scenario
- ASA watchdog traceback during cluster config sync with rest-api enabled
- ASA NAT pool not getting updated correctly
- Unable to configure SSH public auth for script users
- ASA traceback in threadname Datapath
- 1550-byte block depletion seen due to Radius Accounting packets
- ASA - to-the-box traffic break due to int. missing in asp table routing
- ASA: Auth failures for SNMPv3 polling after unit rejoins cluster
- ASA traceback in thread name fover_health_monitoring_thread