Cisco ASA Interim Release Notes

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 9.8(2)45 – 11/13/2018
Files: asa982-45-smp-k8.bin
Defects resolved since 9.8(2)38:
ASA traceback in DATAPATH thread while running captures
ASA traceback at first boot in 5506 due to being unable to allocate enough LCMB memory
Standby ASA has high CPU usage due to extremely large PAT pool range
IPv4: Implementing buffered reliability mechanism for routing updates
Default DLY value of port-channel sub-interface mismatch
An ASA may traceback and reload when processing traffic
ASA may traceback and reload in Thread Name: fover_rep during conn replication
Upgrade of ASA5500 series firewalls results in boot loop (not able to get past ROMMON)
ASA/FTD Deployment ERROR 'Management interface is not allowed as Data is in use by this instance'
BGP ASN causes policy deployment failures
vpn-idle-timeout is not triggered after switching to rebooted failover pair
FTD: Layer 2 packets (ex: BPDUs) are dropped during snort restarts (Inline/Passive Interfaces Only)
ASA does not send 104001 and 104002 messages to TCP/UDP syslog
Firepower 2100 incorrect reply for SNMP get request 1.3.6.1.2.1.1.2.0
Slave unit drops UDP/500 and IPsec packets for S2S instead of redirecting to Master
To-the-box traffic being routed out a data interface when failover is transitioning on a new Active
Flow-offload rewrite rules not updated when MAC address of interface changes
CWE-20: Improper Input Validation
ASA traceback in Thread Name: DATAPATH-14-17303
Multicast dropped after deleting a security context
FTD does not send Marker for End-of-RIB after a BGP Graceful Restart
2100/4100/9300: stopping/pausing capture from Management Center doesn't lower the CPU usage
Cisco Adaptive Security Appliance Direct Memory Access Denial of Service Vulnerability
Cisco Adaptive Security Appliance Access Control List Bypass Vulnerability
"show memory binsize" and "show memory top-usage" do not show correct information (complete fix)
Flows get stuck in lina conn table in half-closed state
Active FTP data transfers fail with FTP inspection and NAT
KVM (FTD): Mapping web server through outside not working consistently with other platforms
Firepower 2100 tunnel flap at data rekey with high-throughput LAN-to-LAN VPN traffic
ASA cluster: Traffic loop on CCL with NAT and high traffic
Low DMA memory leading to VPN failures due to incorrect crypto maps
The CPU profiler stops running without having hit the threshold and without collecting any samples
FTD or ASA traceback and reload in "Thread Name: Logger Page fault: Address not mapped"
ASA: Memory leak due to PC cssls_get_crypto_ctxt
Cisco ASA and FTD Denial of Service or High CPU due to SIP Inspection Vulnerability
ASAv/FP2100 Smart Licensing - Unable to register/renew license
Revision: Version 9.8(2)38 – 06/14/2018
Files: asa982-38-smp-k8.bin
Defects resolved since 9.8(2)35:
Firepower Threat Defense device unable to establish ERSPAN with Nexus 9000
KP 2110 ASA: Shared management across contexts unable to reach the GW
ASA not matching IPv6 traffic correctly in ACL with "any" keyword configured
Firepower 2110 with ASA: DHCP does not work properly
Revision: Version 9.8(2)35 – 05/29/2018
Files: asa982-35-smp-k8.bin
Defects resolved since 9.8(2)33:
Scansafe feature doesn't work at all for HTTPS traffic
Revision: Version 9.8(2)33 – 05/09/2018
Files: asa982-33-smp-k8.bin
Defects resolved since 9.8(2)28:
ASA unable to remove ACE with 'log disable' option
PSB Requirement SEC-HTP-HSTS.x4i: HTTP Strict-Transport-Security Header
ASA/Threat Defense traceback when clearing capture - assertion "0" failed: mps_hash_table_debug.c file
Stale VPN context issue seen in 9.1 code despite fix for CSCvb29688
ASA traceback on failover sync with WebVPN and shared storage-url config
Netflow returns large values for bytes sent/received and IP address switch
ERROR: Unable to create crypto map '<name>': limit reached, when adding entry
ASA: ICMPv6 syslog messages after upgrade to 962
ASA WebVPN HTTP Strict-Transport-Security Header missing despite fix of CSCvc82150
Upon joining cluster, slave unit generates ASA-3-202010: NAT/PAT pool exhausted for all PAT'd conns
ASA traceback due to deadlock between DATAPATH and webvpn processes
IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload
Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability
Slow 2048 byte block leak due to fragmented traffic over VPN
ASA - ICMP flow drops with "no-adjacency" on interface configured in zone when inspection enabled
ASA on Firepower Threat Defense devices traceback due to SSL
9300 FTD standby stuck in Bulk-Sync state with high CPS traffic on active
RADIUS authentication/authorization fails for ASDM
webvpn: multiple rendering issues on Confluence and Jira applications
CWS redirection on ASA doesn't treat SSL Client Hello retransmission properly in specific condition
ASA 9.7.1.15 traceback while releasing a vpn context spin lock
IKEv1 RRI: With Answer-only, Reverse Route gets deleted during Phase 1 rekey
Packet Tracer fails with "ERROR: TRACER: NP failed tracing packet", even after removing captures
Not able to do snmpwalk when snmpv1&2c host group configured
IKEv1 RRI: With Originate-only, Reverse Route gets deleted during Phase 1 rekey
Memory leak on webvpn
PIM Auto-RP packets are dropped after cluster master switchover
ASA: netsnmp: snmpwalk fails on some group of IPs of a host-group
Illegal update occurs when device removes itself from the cluster
ASA generates traceback in DATAPATH thread
ASA traceback during output of "show service-policy" with a high number of interfaces and qos
AVT: Missing X-Content-Type-Options in ASA 9.5.2
Revision: Version 9.8(2)28 – 04/18/2018
Files: asa982-28-smp-k8.bin
Defects resolved since 9.8(2)26:
ASA, Threat Defense, and AnyConnect Secure Mobility Client SAML Auth Session Fixation Vulnerability
New CLI for supporting legacy method SAML Auth using external browser on endpoint
Revision: Version 9.8(2)26 – 04/04/2018
Files: asa982-26-smp-k8.bin
Defects resolved since 9.8(2)24:
ASA: traceback in DATAPATH-2-1157
ASA Portal Java plug-ins fail with the latest Java updates
ASA routes flushed after failover when etherchannel fails
REST-API residues on SSP
ASA traceback due to 1550 block exhaustion
SSL handshake fails with large certificate chain size
ASA: Software traceback in Thread Name: Dynamic Filter updater
ERSPAN not working on FTD 6.2.2
Both ASA traceback in HA pair on 4140 chassis
Freed memory not released back to the system quickly enough on Kenton platforms
ASA traceback with thread name "idfw_proc"
FTD unable to establish ERSPAN with Nexus 9000
ASA traceback in threadname CP Processing
ASA 9.8.2 cluster slave unit traceback when joining cluster and SNMPv3 sync
5506 traceback when SFR module and RestAPI both enabled
Traceback related to SIP inspection processing
ASA traceback when failing over to standby unit
New certificate configuration of primary unit does not sync to standby unit in an Active/Active setup
ASA tracebacks intermittently with Thread Name: CTM message handler
ASA interface IP and subnet mask change to 0.0.0.0 0.0.0.0, causing outage of services on interface
ASA traceback in Thread Name: Unicorn Proxy Thread
ASA traceback with Thread Name: fover_parse
ASA sending DHCP decline; not assigning address to AC clients via DHCP
ASA traceback and goes to boot loop on 9.6.3.1
Standby ASA traceback during replication from mate 9.2(4)27
Mmapped bytes allocated incorrectly accounted in Free Memory of show memory detail
Upon reboot, non-default SSL commands are removed from the FP4100 device
ASA: Traceback in Thread Name UserFromCert
Traceback in DATAPATH, assertion "0" failed: file "./snp_cluster_transport.h", line 480
WebVPN rewriter: drop down menu doesn't work in BMC Remedy
ASA Cut-Through Proxy allowing user to access website, but displaying "authentication failed"
Revision: Version 9.8(2)24 – 03/05/2018
Files: asa982-24-smp-k8.bin
Defects resolved since 9.8(2)20:
FTD with low IPsec lifetime traceback with traffic
9.7.1 traceback in snp_fp_qos
ASA traceback on Kenton in Thread Name: CTM message handler
SNMP: User is not added to a user-list or host after reconfiguring it
ASA crashes on DATAPATH due to SIP traffic hitting dynamic NAT rule
ERROR on Firepower Threat Defense device: Captive-portal port not available. Try again
ASA routes flushed after failover when etherchannel fails
ASA cluster intermittently drops IP fragments when NAT is involved
ASA fails to rejoin the failover HA or a cluster with insufficient memory error, OGS enabled
ASA broadcasting packets sent to subnet address as destination IP
FP4120 / ASA 9.6(3)230 "established tcp" not working anymore after SW upgrade
ASA L2TP/IPsec SMB upload of big files fails - tcp-buffer-timeout drops
ASA reports incorrectly doubled input packet traffic on PPPoE/VPDN interface
Sysopt permit-vpn behavior change to prevent unintended clear-text traffic
ASA: Software traceback in Thread Name: Dynamic Filter updater
FTD: IPv6 traffic is not being load-balanced as per 5-tuple algorithm
Kenton: ASA5506 (FTD) traceback on policy deploy
REST-API daemon process stack too small
Blocks of size 80 leak observed when IRB is used in conjunction with multicast traffic
SSPs with ASA in multiple context mode move in active-active situation while failover is occurring
Firepower Threat Defense prefilter policy only fast-paths single direction of bidirectional flow
Failover Master Passphrase crash via ASDM
ASA: OpenSSL Vulnerabilities CVE-2017-3737 and CVE-2017-3738
Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities
ASA - Traceback in thread name SSH while applying BGP show commands
ASDM stops working with hostscan enabled. ASDM works with hostscan disabled
ASA takes significant time to send ICMPv6 echo when pinging
Memory leak in idfw component on ASA
ASAv5: Low free DMA memory on 9.8(2) and later
'no snmp-server host <interface> <ip-address>' does not work
Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities
Revision: Version 9.8(2)20 – 02/03/2018
Files: asa982-20-smp-k8.bin
Defects resolved since 9.8(2)17:
Cisco Adaptive Security Appliance Denial of Service Vulnerability
Memory leak in Agg-Auth SAML code
Memory leak in IKE for aggregate-auth
Revision: Version 9.8(2)17 – 01/29/2018
Files: asa982-17-smp-k8.bin
Defects resolved since 9.8(2)14:
FQDN ACL entries might be incomplete if DNS response from server is large and truncated
Threat Defense: Interface capture on lina CLI causes all traffic to be dropped on data-plane
ASA 9.6.2.11 - Intermittent authentication with CTP uauth in cluster
ASA memory depletion due to scansafe inspection
ASA 9.8.1 BVI in routed mode is not doing route lookup for traffic generated from ASA
OSPF route not getting installed on peer devices when an ASA failover happens with NSF enabled
ENH: GOID allocation and sync cleanup
FXOS - ASA/FTD standby unit in transparent mode may still traffic for offloaded flows
Hostscan: Errors in cscan.log downloading Microsoft and Panda .dll files
ASA/FTD crashes when clearing the packet capture buffer
iPhone IKEv2 PKI leaks over Wi-Fi using local certificate authentication on ASA 5555 9.6.3
One node rejoined and traffic restarted will cause the unit 100% CPU due to snpi_untranslate
ASA getting stuck in hung state because of static NAT configuration for SNMP ports
ASA Inter-Site Clustering - Extra ARP not generated when ASA receives unicast ARP request
When IPsec is enabled, HA goes into Active-Failed state with 6.2.3 FMC and 6.2.1 KP
http-server component of ASA is not closing connections
ASA broadcasting packets sent to subnet address as destination IP
SNMP deployment failure causes policy rollback
ASA traceback: thread name scansafe
High CPU in IKE daemon causing slow convergence of VPN tunnels in a scaled environment
Unable to save configuration in system context after enabling password encryption in ASA
"dir /recursive cache:/stc" and "dir cache:stc/2/" list AnyConnect.xsd differently on ASA 9.8.2
ASA 5506 running on 9.8.2.8 version, memory block of size 80 is getting depleted
Modifying service object-groups (add and remove objects) removes ACE
Elevated CPU using Flow-Offload and high rate of flow table collisions
SSH/Telnet traffic, 3-WHS, ACK packets with data are getting dropped - reason (intercept-unexpected)
GTP echo response is dropped in ASA cluster
ASA backs out of connection when it receives Server Key Exchange with named curve x25519
segfault while processing TCP traffic (StreamQueue)
Split brain after recovery from interface failure when fover and then data ifc go down in order
Memory leaking on ASA with vpnfol_memory_allocate and vpnfol_data_dyn_string_allocator
Revision: Version 9.8(2)14 – 11/10/2017
Files: asa982-14-smp-k8.bin
Defects resolved since 9.8(2)8:
ASA 9.1(7)9 traceback with %ASA-1-199010 and %ASA-1-716528 syslog messages
ASA traceback when saving/viewing the configuration due to time-range ACLs
ASA SSL client does not respond to renegotiation request
ENH: Lower timeout for igp stale-route should be reduced to a value lower than 10 seconds
Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability
Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability
Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability
Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities
Traceback in DATAPATH-1-2084 ASA 9.8(1)
All 1700 "4 byte blocks" were depleted after a weekend VPN load test
ASA should have a syslog message showing which side closed the connection
Deployment timeouts after 30 minutes due to expansion of ACE during deployment
Traceback on ASA with Firepower Services during NAT rule changes and packet capture enabled
ASA: Low free DMA memory on versions 9.6 and later
An ASA with low free memory fails to join existing cluster and could traceback and reload
Certificates not synced to Standby / all certificates cleared on Standby post deployment failure
ASA doesn't send LACP PDU during port flap in port-channel
Mgmt interface nameif "Diagnostic" getting removed after swapping mgmt interface from LD
Cisco Adaptive Security Appliance Flow Creation Denial of Service Vulnerability
ASAv image in AWS GovCloud not working in Hourly Billing Mode
OpenSSL CVE-2017-3735 "incorrect text display of the certificate"
Memory leak in 112 byte bin when packet hits PBR and connection is built
ASA: Traceback by Thread Name idfw_proc
ASA - rare scheduler corruption causes console lock
ASA on FP 2100 traceback when uploading AnyConnect image via ASDM
ASA: After upgrading from 9.2(4) to 9.2(4)18 serial connection hangs
FP2100 Threat Defense pair reporting failed status due to "Detect service module failure"
ASA-SSP HA reload in CP Processing due to DNS inspect
ASA local DNS resolution fails when DNS server is reachable over a site-to-site IPsec VPN tunnel
Assert traceback, thread name: cli_xml_server
Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability
ASA 9.8.1+ IKEv2 vpn load-balancing sends DELETE following IKE_AUTH
Revision: Version 9.8(2)8 – 10/09/2017
Files: asa982-8-smp-k8.bin
Defects resolved since 9.8(2):
ASA traceback in thread SSH when running "show service set conn detail"
ASA REST API - component monitoring - empty value/blank value
ENH: Unique IPv6 link-local addresses assigned when sub-interface is being created
ASA exports ECDSA as corrupted PKCS12
FP9300 9.7.1.10 FTD HA traceback in Datapath
ASA not sending register stop when mroute is configured
ASA creates a BVI0 interface on a custom routed context
ASA - 80 byte memory block depletion
ASA 9.6(2), 9.6(3) traceback in DataPath
Transparent Firewall: Ethertype ACLs installed with incorrect DSAP value
Traceback in thread DATAPATH due to NAT
ASA drops the IGMP Report packet which has source IP address 0.0.0.0
FTD may traceback in Thread Name appAgent_monitor_nd_thread during device registration
IKEv2 RA cert auth: Unable to allocate new session. Max sessions reached
'Incomplete command' error with some inspects due to K7 license
Traceback with traffic in 3 node Intra Chassis Cluster
Slave kicked out due to CCL link failure and rejoins, but loses v3 user in multiple context mode
Permanent License Reservation license not installed on ASAv
Traceback with show OSPF database commands
Granular CPU hog can cause a crash