Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 9.6(3)20 – 11/28/2017
Files: asa963-20-smp-k8.bin
Defects resolved since 9.6(3)17:
ASA traceback when trying to remove configured capture
ASA should have a syslog message showing which side closed the connection
An ASA with low free memory fails to join existing cluster and could traceback and reload
ASA 9.x: DNS inspection appending "0" on PTR query
Hostscan: Errors in cscan.log downloading Microsoft and Panda .dll files
ASA cluster intermittently drop IP fragments when NAT is involved
ASA/FTD traceback when clearing capture - assertion "0" failed: file "mps_hash_table_debug.c"
ASA on FP 2100 traceback when uploading AnyConnect image via ASDM
ASA : After upgrading from 9.2(4) to 9.2(4)18 serial connection hangs
ASA-SSP HA reload in CP Processing due to DNS inspect
traceback with Show OSPF Database Commands
ASA local DNS resolution fails when DNS server is reachable over a site to site sec VPN tunnel
Assert Traceback, thread name : cli_xml_server
Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability
ASA traceback: thread name scansafe
High CPU in IKE Daemon causing slow convergence of VPN tunnels in a scaled environment
Unable to save configuration in system context after enabling password encryption in ASA
Revision: Version 9.6(3)17 – 10/20/2017
Files: asa963-17-smp-k8.bin
Defects resolved since 9.6(3)14:
Resolve any vulnerabilities in ASA/FTD lina Heimdal Kerberos code
ASA 9.1(7)9 Traceback with %ASA-1-199010 and %ASA-1-716528 syslog messages
asa Rest-api - component monitoring - empty value/blank value
VTI - Some sessions do not get cleared from vpn-sessiondb
ASA Traceback when saving/viewing the configuration due to time-range ACLs
Cisco Firepower Detection Engine SSL Decryption Memory Consumption Denial of Service Vulnerability
Routes do not sync properly between different minor versions during hitless upgrade
Traceback in DATAPATH-1-2084 ASA 9.(8)1
All 1700 "4 byte blocks" were depleted after a weekend VPN load test.
Traceback on ASA with Firepower Services during NAT rule changes and packet capture enabled
ASA: Low free DMA Memory on versions 9.6 and later
ENH: Unique IPv6 link-local addresses assigned when sub-interface is being created
ASA Exports ECDSA as corrupted PKCS12
ASA not sending register stop when mroute is configured
Install 6.2.2-1290 sfr on a ASA with firepower - asa cores
OSPF route not getting installed on peer devices when an ASA failover happens with NSF enabled
ASA - 80 Byte memory block depletion
ASA doesn't send LACP PDU during port flap in port-channel
Transparent Firewall: Ethertype ACLs installed with incorrect DSAP value
Traceback in thread DATAPATH due to NAT
ASA drops the IGMP Report packet which has Source IP address 0.0.0.0
ASAv image in AWS GovCloud not working in Hourly Billing Mode
Memory leak in 112 byte bin when packet hits PBR and connection is built
'Incomplete command' error with some inspects due to K7 license
crypto ikev1 enable command not installed on FTD CLI
Slave kicked out due to CCL link failure and rejoins, but loses v3 user in multiple context mode
ASA: Traceback by Thread Name idfw_proc
ASA - rare scheduler corruption causes console lock
Revision: Version 9.6(3)14 – 09/01/2017
Files: asa963-14-smp-k8.bin
Defects resolved since 9.6(3)12:
ASA Traceback in thread SSH when ran "show service set conn detail"
ASA traceback in Thread Name:ci/console while running show ospf commands
print the thread name for non-crashing threads in crash info
ASA Issue with bgp route summarization(auto-summary)and route advertisement
SSH Connections to ASA fail with SLA monitoring & nonzero floating-conn timeout
Traceback in Unicorn Proxy Thread due to Webvpn
ASA - Crypto accelerator traceback in a loop
Traceback: Duplicate host entries in flow-export action cause crash after policy deployment
multicast traffic sourced from anyconnect pool dropped due to reverse path checked.
ASA-5-720012:(VPN-Secondary)Failed to update IPSec failover runtime data in ASA cluster environment
ASA5585 traceback in DATAPATH - snp_vpn_process_natt_pkt
ASA Connections stuck in idle state with DCD enabled
ASA crash in fover_parse after version up
traceback in watchdog process
Contexts are missing on ASA once Chassis reloads after becoming Master on 9.6 code
TLS version 1.1 connection failed no shared signature algorithms@t1_lib.c:3106
ASA 9.6(2), 9.6(3) traceback in DataPath
IKEv2 RA cert auth. Unable to allocate new session. Max sessions reached
Revision: Version 9.6(3)12 – 08/11/2017
Files: asa963-12-smp-k8.bin
Defects resolved since 9.6(3)11:
Traceback on ASA with Firepower Services during NAT rule changes and packet capture enabled
iOS and OS X IKEv2 Native Clients unable to connect to ASA with EAP-TLS
Revision: Version 9.6(3)11 – 08/08/2017
Files: asa963-11-smp-k8.bin
Defects resolved since 9.6(3)9:
FTP data conn scaling fails with dynamic PAT
ASA dropping packets with "novalid adjacency" though valid ARP entry avail
OSPF Rogue LSA with maximum sequence number vulnerability
ASA 5506-X Firepower Threat Defense Reset Button
ASA - Incorrect interface-based route-lookup if more specific route exist out different interface
FSCK Files created and stored in flash with incorrect timestamp of Jan 01 1980 03:00:00
ASA does not respond to IPv6 MLD Query.
ASA: IKEv2 ipsec-proposal command removed if more than 9 proposals configured in single command
ASA TCP SIP inspection translation not working when IP phone is behind VPN tunnel
ASA Traceback in Unicorn Proxy Thread
Show Crypto Acclerator shows status as booting for hardware devices
Memory leak with capture with trace and clear capture
ASA: Active FTP not working with extended keyword in NAT.
Standby ASA not learning routes via RIP
ASA traceback observed in datapath
Smart Licensing ID cert renewal failure should not deregister product instance
Calls not working with CUCI Lync version 11.6.3 on ASA
ASA does not install routes learned via OSPF over IPSec using UDP/4500
NSF IETF/CISCO commands getting removed on reload
ASA sends the ICMP unreachable type 3 code 4 in the wrong direction when SFR redirection enabled
FTD Diagnostic Interface does Proxy ARP for br1 management subnet
OSPF Rogue LSA with maximum sequence number vulnerability
vpn vlan mapping issue
CPU hog in CP Processing thread due to huge number of sunrpc sessions
ASA 9.5.1 onwards, Traffic incorrectly routed instead of management interface
ASA Cluster : Potential UDP loop on cluster link with PAT pool
ASA Log message 414003 may be generated with bogus IP data when TCP Syslog Server down
ASASM: Interface vlans going to admin down after reload.
Memory leak at location "snp_fp_encrypt" when syslog server is reachable over the VPN tunnel
IPsec SA fail to come up and flap with more than 1000 IPsec SA count in ASA5506/5508/5516
ASA traceback on websns_rcv_tcp
ASA/ 9.6.3 // WebVPN Smart tunnel works but floods windows with event viewer
Cisco Adaptive Security Appliance HREF Cross Site Scripting Vulnerability
Unable to scale the flash virtualisation feature up to 250 contexts
CDA agent stucks in 'Probing' when domain-lookup is enable
Evaluation for the vulnerabilities CVE-2017-1000364 and CVE-2017-1000366
Regex is not matching for HTTP argument field
Ikev2 Remote Access client sessions stuck in Delete state
EC Certificates that are imported to the ASA in PKCS12s cannot be used for SSL
Revision: Version 9.6(3)9 – 07/19/2017
Files: asa963-9-smp-k8.bin
Defects resolved since 9.6(3)8:
ASA: Multicast packets getting dropped starting code 9.6.3
ASA SNI connection fails after upgrade - no shared cipher
ICMP Unreachables (PMTU) dropped indicating "Routing failed to locate next hop"
ASA - Traceback in DATAPATH during PAT pool socket allocation
ASA: IPv6 protocol X rule for passing through FW is dropping packets with Invalid IP length message
Revision: Version 9.6(3)8 – 06/22/2017
Files: asa963-8-smp-k8.bin
Defects resolved since 9.6(3)3:
ASA 'show memory' output may not properly report total available memory in 9.5(2) and later
Evaluation of pix-asa for OpenSSL May 2016
ASA dropping packets with novalid adjacency though valid ARP entry avail
STS:BS - Cluster is disabled because chassis-blade out-of-sync detected
9.7.1 traceback in snp_fp_qos
EZVPN NEM client can't reconnect after no vpnclient enable is entered
TCP connections might fail through a FTD cluster with inline mode interfaces
CEP records edit page take minutes to load
Traffic drops for reverse UDP/TCP IPv6 traffic over IPv4 tunnel
ASA 1550 block gradual depletion
gzip compression not working via Webvpn
Traceback in Thread Name: IPsec message handler on EZVPN client
ASA erroneously triggers syslog ID 201011
Traceback in thread name DATAPATH
ASA traceback in Thread name: idfw_proc on running show access-list, while displaying remark
ASA in cluster results in incorrect user group mappings between the Master and Slave
%ASA-3-216001: internal error in ci_cons_shell: thread data misuse
ASA traceback in ARP thread, PBR configured
Web folder filebrowser applet code signing certificate expired
Traceback in Thread Name: Unicorn Admin Handler
ASA: slow memory leak when using many DNS queries
ASA local dns resolution fails when dns server is reachable through a site to site ipsec tunnel
FTD OSPF with ECMP, packets are sent to peer in down state for existing connections
FTD-VPN: VPN RRI not getting synced between Master and Slave units
Increase memory allocated to rest-agent on ASAv5
ASA traceback in Thread Name: fover_parse performing upgrade from 9.1.5 to 9.4.3
ASA traceback observed in Datapath due to SIP inspection
Unable to switch standby unit of the failover pair to active
WebVPN forces IE to use IE8 mode
FTD traceback observed during failover synchronization.
The interactive icons on internal bookmark site not showing properly (+CSCO+0undefined)
ASA may drop DNS reply containing only additional RR of type TXT
SFR Backplane is pulling the public address for policy match instead of ASA inside address
Proxy ARP information for SSH NLP NAT is not updating on the FTD upon failover
ASA with FirePOWER services module generates traceback and reload
Slave should have use CCL to forward traffic instead of blackholing when egress interface is down
ASA reloaded while joining cluster and active as slave
CRL verification fails due to incorrect KU after CSCvd41423
Dist-S2S: tunnels stay up even after passing vpn idle timeout in Multimode
In multi-context ASA drops traffic sourced from certain ports when interface PAT is used
ASA clustering to support rollback feature with CSM
Upgrading the ASA results in No Valid adjacency due to track configure on the route
Username is not fetched from certificate when certificate map is used in clientless portal
FP4100 SSP 9.6.2 / cluster - Tx queue stuck causing traffic drop to occur
activate-tunnel-group-scripts not available in 9.6.3.1
Auto-RP packet is dropped due to no-route - No route to host
ASA may traceback on displaying access-list config or saving running config
Traceback in Thread Name: IP RIB Update when routes are redistributed
ASA corrupt dst mac address of return traffic from l2tp client
network_udpmod_get not releasing shr_lock in rare error case
ASA interfaces may stop passing traffic after ASA reload with FIPS mode enabled
AnyConnect new customization creation fails on ASDM for all ASA versions above 9.5(3)
Slave reports Master's interface status as init while it is up
ASA Memory Leak - RSA toolkit
ASA- Traceback in 'Thread Name : Datapath' on crypto_SSL functions
Revision: Version 9.6(3)3 – 04/27/2017
Files: asa963-3-smp-k8.bin
Defects resolved since 9.6(3)1:
ASA block new conns with "logging permit-hostdown" & TCP syslog is down
OSPF multicast filter rules missing in cluster slave
Unable to run show counters protocol ip
Implement detection and auto-fix capability for scheduler corruption problems
Traceback on thread name IKE Daemon at mqc_enable_qos_for_tunnel
Unable to deploy policy on FTD devices due to wrong XML parsing
Slow Memory leak in ASA
ASA traceback in DATAPATH-41-16976 thread
Port Forwarding Session times out due to "vpn-idle-timeout" in group-policy while passing data
ASA drops web traffic when IM inspection is enabled.
SNMP lists same Hostname for all FTD managed devices
Mgmt route deletion removes data plane route too.
FTD crash at "cli_xmlserver_thread" while deploying access-control policy
Assertion in syslog.c due to uauth
FXOS may allocate a CPU core to both control and dataplane which may cause system instability
Access-lists not being matched for a newly created object-group
timeout conn-holddown shows incorrect syntax help
Traceback when trying to save/view access-list with giant object groups (display_hole_og)
ASA with 9.5.1 and above does not show SXP socket when managment0/0 is used as src-ip
RT#687120: Bookmark Issue with clientless VPN - SAML
DCERPC inspection drops packets and breaks communication
ASA backup in multicontext fails due to [Running Configurations] ERROR
ASA traceback in Thread Name: accept/http when ASDM is displaying "Access Rules"
ASA All contexts use the same EIGRP router-ID upon a reload
EIGRP routes wrongly being advertising on mgmt routing table vrf after disabling and enabling EIGRP
ASA May crash when changing a NAT related object to fqdn
Error deploying ASAv on ESXi vCenter 6.5
ASA - Interface status change causes VPN traffic disconnect while using ipsec inner-routing-lookup
Cluster director connection gets timed out with reason idle timeout
ASA policy-map configuration is not replicated to cluster slave
ASA may generate an assert traceback while modifying access-group
Revision: Version 9.6(3)1 – 04/03/2017
Files: asa963-1-smp-k8.bin
Defects resolved since 9.6(3):
ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded'