Cisco ASA Interim Release Notes

 

The software images listed below are Interim releases.  They contain bug fixes which address specific issues found since the last Feature or Maintenance release.  The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

 

Important:  These images were not fully regression tested.  Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality.  Keep this testing status in mind if you decide to run them in a production environment.  We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

 

 

Revision:  Version 9.8(2)45 – 11/13/2018

Files:  asa982-45-smp-k8.bin

Defects resolved since 9.8(2)38:

 

CSCve53415

ASA traceback in DATAPATH thread while running captures

CSCvd28906

ASA traceback at first boot in 5506 due to unable to allocate enough LCMB memory

CSCvf96773

Standby ASA has high CPU usage due to extremely large PAT pool range

CSCvg01119

IPV4: Implementing buffered reliability mechanism for routing updates

CSCvg76652

Default DLY value of port-channel sub interface mismatch

CSCvh01213

An ASA may Traceback and reload when processing traffic

CSCvh16252

ASA may traceback and reload in Thread Name: fover_rep during conn replication

CSCvh91399

upgrade of ASA5500 series firewalls results in boot loop (not able to get past ROMMON)

CSCvh98781

ASA/FTD Deployment ERROR 'Management interface is not allowed as Data is in use by this instance'

CSCvi03103

BGP ASN cause policy deployment failures.

CSCvi06120

vpn-idle-timeout is not triggered after switching to rebooted failover pair

CSCvi07974

FTD: Layer 2 packets (ex: BPDUs) are dropped during snort restarts (Inline/Passive Interfaces Only)

CSCvi34164

ASA does not send 104001 and 104002 messages to TCP/UDP syslog

CSCvi59968

Firepower 2100 Incorrect reply for SNMP get request  1.3.6.1.2.1.1.2.0

CSCvi96442

Slave unit drops UDP/500 and IPSec packets for S2S instead of redirecting to Master

CSCvi97729

To-the-box traffic being routed out a data interface when failover is transitioning on a New Active

CSCvj15572

Flow-offload rewrite rules not updated when MAC address of interface changes

CSCvj37924

CWE-20: Improper Input Validation

CSCvj42450

ASA traceback in Thread Name: DATAPATH-14-17303

CSCvj58342

Multicast dropped after deleting a security context

CSCvj72309

FTD does not send Marker for End-of-RIB after a BGP Graceful Restart

CSCvj75793

2100/4100/9300: stopping/pausing capture from Management Center doesn't lower the CPU usage

CSCvj89470

Cisco Adaptive Security Appliance Direct Memory Access Denial of Service Vulnerability

CSCvj91858

Cisco Adaptive Security Appliance Access Control List Bypass Vulnerability

CSCvk02250

show memory binsize and "show memory top-usage" do not show correct information (Complete fix)

CSCvk04592

Flows get stuck in lina conn table in half-closed state

CSCvk18330

Active FTP Data transfers fail with FTP inspection and NAT

CSCvk31035

KVM (FTD): Mapping web server through outside not working consistent with other platforms

CSCvk34648

Firepower 2100 tunnel flap at data rekey with high throughput Lan-to-Lan VPN traffic

CSCvk45443

ASA cluster: Traffic loop on CCL with NAT and high traffic

CSCvk57516

Low DMA memory leading to VPN failures due to incorrect crypto maps

CSCvk66771

The CPU profiler stops running without having hit the threshold and without collecting any samples.

CSCvk67239

FTD or ASA traceback and reload in "Thread Name: Logger Page fault: Address not mapped"

CSCvm23370

ASA: Memory leak due to PC cssls_get_crypto_ctxt

CSCvm43975

Cisco ASA and FTD Denial of Service or High CPU due to SIP inspection Vulnerability

CSCvm80874

ASAv/FP2100 Smart Licensing - Unable to register/renew license

 

 

Revision:  Version 9.8(2)38 – 06/14/2018

Files:  asa982-38-smp-k8.bin

Defects resolved since 9.8(2)35:

 

CSCvh55035

Firepower Threat Defense device unable to establish ERSPAN with Nexus 9000

CSCvh62705

KP 2110 ASA : Shared management across context unable to reach to GW

CSCvi95544

ASA not matching IPv6 traffic correctly in ACL with "any" keyword configured

CSCvj43591

Firepower 2110 with ASA DHCP does not work properly

 

 

Revision:  Version 9.8(2)35 – 05/29/2018

Files:  asa982-35-smp-k8.bin

Defects resolved since 9.8(2)33:

 

CSCvj56008

Scansafe feature doesn’t work at all for HTTPS traffic

 

 

Revision:  Version 9.8(2)33 – 05/09/2018

Files:  asa982-33-smp-k8.bin

Defects resolved since 9.8(2)28:

 

CSCuv68725

ASA unable to remove ACE with 'log disable' option

CSCvc82150

PSB Requirement SEC-HTP-HSTS.x4i : HTTP Strict-Transport-Security Header

CSCve79555

ASA/Threat Defense traceback when clearing capture-assertion "0" failed: mps_hash_table_debug.c file

CSCve94917

Stale VPN Context issue seen in 9.1 code despite fix for CSCvb29688

CSCvf18160

ASA traceback on failover sync with WebVPN and shared storage-url config

CSCvf39539

Netflow Returns Large Values for Bytes Sent/Received and IP address switch

CSCvf40179

ERROR: Unable to create crypto map '<name>' : limit reached, when adding entry

CSCvf82832

ASA : ICMPv6 syslog messages after upgrade to 962.

CSCvf92262

ASA Webvpn HTTP Strict-Transport-Security Header missing despite fix of CSCvc82150

CSCvg05368

Upon joining cluster slave unit generates ASA-3-202010: NAT/PAT pool exhausted for all PAT'd conns

CSCvg05442

ASA traceback due to deadlock between DATAPATH and webvpn processes

CSCvh14743

IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload.

CSCvh20742

Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability

CSCvh46202

Slow 2048 byte block leak due to fragmented traffic over VPN

CSCvh47057

ASA - ICMP flow drops with "no-adjacency" on interface configured in zone when inspection enabled

CSCvh53616

ASA on Firepower Threat Defense devices traceback due to SSL

CSCvh62164

9300 FTD standby stuck in Bulk-Sync state with high CPS traffics on active

CSCvh99159

RADIUS authentication/authorization fails for ASDM

CSCvi01312

webvpn: multiple rendering issues on Confluence and Jira applications

CSCvi08450

CWS redirection on ASA doesn't treat SSL Client Hello retransmission properly in specific condition

CSCvi19263

ASA 9.7.1.15 Traceback while releasing a vpn context spin lock

CSCvi22507

IKEv1 RRI : With Answer-only Reverse Route gets deleted during Phase 1 rekey

CSCvi37889

Packet Tracer fails with "ERROR: TRACER: NP failed tracing packet", even after removing captures

CSCvi45567

Not able to do snmpwalk when snmpv1&2c host group configured.

CSCvi55070

IKEv1 RRI : With Originate-only Reverse Route gets deleted during Phase 1 rekey

CSCvi58089

Memory leak on webvpn

CSCvi66905

PIM Auto-RP packets are dropped after cluster master switchover

CSCvi76577

ASA:netsnmp:Snmpwalk is failed on some group of IPs of a host-group.

CSCvi77352

Illegal update occurs when device removes itself from the cluster

CSCvi82779

ASA  generate traceback in DATAPATH thread

CSCvi86799

ASA traceback during output of "show service-policy" with a high number of interfaces and qos

CSCvd13182

AVT : Missing X-Content-Type-Options in ASA 9.5.2

 

 

Revision:  Version 9.8(2)28 – 04/18/2018

Files:  asa982-28-smp-k8.bin

Defects resolved since 9.8(2)26:

 

CSCvg65072

ASA, Threat Defense, and AnyConnect Secure Mobility Client SAML Auth Session Fixation Vulnerability

CSCvh25433

New CLI for Supporting Legacy method SAML Auth using external browser on endpoint

 

 

 

Revision:  Version 9.8(2)26 – 04/04/2018

Files:  asa982-26-smp-k8.bin

Defects resolved since 9.8(2)24:

 

CSCuu67159

ASA: traceback in DATAPATH-2-1157

CSCve20395

ASA Portal Java plug-ins fail with the latest Java updates

CSCvf81672

ASA Routes flushed after failover when etherchannel fails

CSCvg23028

REST-API residues on SSP

CSCvg43389

ASA traceback due to 1550 block exhaustion.

CSCvg56122

SSL handshake fails with large certificate chain size

CSCvg62916

ASA: Software traceback in Thread Name: Dynamic Filter updater

CSCvg85982

ERSPAN not working on FTD 6.2.2

CSCvh23776

Both ASA traceback in HA pair on 4140 chassis

CSCvh32673

Freed memory not released back to the system quick enough on Kenton platforms

CSCvh54940

ASA traceback with thread name "idfw_proc "

CSCvh55035

FTD unable to establish ERSPAN with Nexus 9000

CSCvh63896

ASA traceback in threadname CP Processing

CSCvh67981

ASA 9.8.2 Cluster Slave unit traceback when joining cluster and SNMPv3 sync

CSCvh69967

5506 traceback when SFR module and RestAPI both enabled

CSCvh73582

traceback related to SIP inspection processing

CSCvh75025

ASA traceback when failing over to standby unit

CSCvh77942

new Certificate configuration of primary unit does not sync to standby unit in an Active/Active setup

CSCvh83026

ASA tracebacks intermittently with Thread Name: CTM message handler

CSCvh83145

ASA interface IP and subnet mask changes to 0.0.0.0 0.0.0.0 causing outage of services on interface

CSCvh85514

ASA Traceback in Thread Name: Unicorn Proxy Thread

CSCvh90947

ASA traceback with Thread Name: fover_parse

CSCvh91053

ASA sending DHCP decline | not assigning address to AC clients via DHCP

CSCvh92381

ASA Traceback and goes to boot loop on 9.6.3.1

CSCvh95325

Standby ASA traceback during replication from mate 9.2(4)27

CSCvh97216

Mmapped bytes allocated incorrectly accounted in Free Memory of show memory detail

CSCvi01376

Upon reboot, non-default SSL commands are removed from the FP4100 device

CSCvi07636

ASA: Traceback in Thread Name UserFromCert

CSCvi09811

Traceback in DATAPATH, assertion "0" failed: file "./snp_cluster_transport.h", line 480

CSCvi33962

WebVPN rewriter: drop down menu doesn't work in BMC Remedy

CSCvi35805

ASA Cut-Through Proxy allowing user to access website, but displaying "authentication failed"

 

 

Revision:  Version 9.8(2)24 – 03/05/2018

Files:  asa982-24-smp-k8.bin

Defects resolved since 9.8(2)20:

 

CSCuy57310

FTD with low IPSec lifetime traceback with traffic

CSCva92997

9.7.1 traceback in snp_fp_qos

CSCve78652

ASA Traceback on  Kenton in Thread Name: CTM message handler

CSCve94349

SNMP::User is not added to a user-list or host, after reconfigure it.

CSCvf30738

ASA crashes on DATAPATH due to SIP traffic hitting dynamic NAT rule

CSCvf64643

ERROR on Firepower Threat Defense device: Captive-portal port not available. Try again

CSCvf81672

ASA Routes flushed after failover when etherchannel fails

CSCvf89504

ASA cluster intermittently drop IP fragments when NAT is involved

CSCvg00265

ASA fails to rejoin the failover HA Or a cluster with insufficient memory error, OGS enabled

CSCvg32530

ASA broadcasting packets sent to subnet address as destination IP

CSCvg39694

FP4120 / ASA 9.6(3)230 "established tcp" not working anymore after SW upgrade

CSCvg56493

ASA L2TP/IPSEC SMB upload of big files fails - tcp-buffer-timeout drops

CSCvg58385

ASA reports incorrectly double input packets traffic on PPPoe/VPDN interface

CSCvg61799

Sysopt permit-vpn behavior change to prevent unintended clear-text traffic

CSCvg62916

ASA: Software traceback in Thread Name: Dynamic Filter updater

CSCvg83623

FTD: IPv6 traffic is not being load-balanced as per 5-tuple algorithm

CSCvg85765

Kenton: ASA5506(FTD) traceback on policy deploy

CSCvg87148

REST-API Daemon Process Stack Too Small

CSCvg90403

Blocks of size 80 leak observed when IRB is used in conjunction with multicast traffic

CSCvg90820

SSPs with ASA in multiple context moves in active-active situation while failover is occurring

CSCvg97541

Firepower Threat Defense prefilter policy only fast-paths single direction of bidirectional flow

CSCvh03889

Failover Master Passphrase Crash via ASDM

CSCvh13415

ASA:OpenSSL Vulnerabilities CVE-2017-3737 and  CVE-2017-3738

CSCvh23085

Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities

CSCvh27703

ASA - Traceback in thread name SSH while applying BGP show commands

CSCvh28309

ASDM stops working with hostscan enabled. ASDM works with hostscan disabled.

CSCvh28763

ASA takes significant time to send ICMPv6 echo when pinging.

CSCvh32323

Memory leak in idfw component on ASA

CSCvh44149

ASAv5: Low free DMA memory on 9.8(2) and later

CSCvh48662

'no snmp-server host <interface> <ip-address>' does not work

CSCvh95456

Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities

 

 

Revision:  Version 9.8(2)20 – 02/03/2018

Files:  asa982-20-smp-k8.bin

Defects resolved since 9.8(2)17:

 

CSCvh79732

Cisco Adaptive Security Appliance Denial of Service Vulnerability

CSCvh81737

Memory leak in Agg-Auth SAML code

CSCvh81870

Memory leak in IKE for aggregate-auth

 

 

Revision:  Version 9.8(2)17 – 01/29/2018

Files:  asa982-17-smp-k8.bin

Defects resolved since 9.8(2)14:

 

CSCua53312

FQDN ACL entries might be incomplete if DNS response from server is large and truncated

CSCvd20408

Threat Defense: Interface capture on lina CLI causes all traffic to be dropped on data-plane

CSCvd86411

ASA 9.6.2.11 - Intermittent authentication with CTP uauth in cluster

CSCve77049

ASA Memory depletion due to scansafe inspection

CSCvf26463

ASA 9.8.1 BVI in routed mode is not doing route lookup for traffic generated from ASA

CSCvf43650

OSPF route not getting installed on peer devices when an ASA failover happens with NSF enabled

CSCvf49899

ENH: GOID allocation and sync cleanup

CSCvf72068

FXOS - ASA/FTD standby unit in transparent mode may still traffic for offloaded flows

CSCvf77377

Hostscan: Errors in cscan.log downloading Microsoft and Panda .dll files

CSCvf90278

ASA/FTD crashes when clearing the packet capture buffer

CSCvg08891

iPhone IKEv2 PKI leaks over Wi-Fi using local certificate authentication on ASA 5555 9.6.3

CSCvg21077

One node rejoined and traffic restarted will cause the unit 100% CPU due to snpi_untranslate

CSCvg25175

ASA getting stuck in hung state because of STATIC NAT configuration for SNMP ports

CSCvg25983

ASA Inter-Site Clustering - Extra ARP not generated when ASA receives unicast ARP request

CSCvg29442

When IPSec is enabled HA goes in Active-Failed state with 6.2.3 FMC and 6.2.1 KP

CSCvg29692

http-server component of ASA is not closing connections

CSCvg32530

ASA broadcasting packets sent to subnet address as destination IP

CSCvg39447

SNMP deployment failure causes policy rollback

CSCvg45952

ASA traceback: thread name scansafe

CSCvg51984

High CPU in IKE Daemon causing slow convergence of VPN tunnels in a scaled environment

CSCvg52995

Unable to save configuration in system context after enabling password encryption in ASA

CSCvg53981

dir /recursive cache:/stc and "dir cache:stc/2/" list AnyConnect.xsd differently on ASA9.8.2

CSCvg54185

ASA 5506 running on 9.8.2.8 version, memory block of size 80 is getting depleted

CSCvg57954

Modifying service object-groups (add and remove objects) removes ACE

CSCvg58941

Elevated CPU Using Flow-Offload & High Rate of Flow Table Collisions

CSCvg61829

SSH/Telnet Traffic, 3-WHS, ACK packets with data is getting dropped - reason (intercept-unexpected)

CSCvg66606

GTP echo response is dropped in ASA cluster

CSCvg67135

ASA backs out of connection when it receives Server Key exchange with named curve as x25519

CSCvg68914

segfault while processing TCP traffic (StreamQueue).

CSCvg81583

Split brain after recovery from interface failure when fover and then data ifc goes down in order.

CSCvg82932

Memory Leaking on ASA with vpnfol_memory_allocate and vpnfol_data_dyn_string_allocator

 

 

Revision:  Version 9.8(2)14 – 11/10/2017

Files:  asa982-14-smp-k8.bin

Defects resolved since 9.8(2)8:

 

CSCvb53233

ASA 9.1(7)9 Traceback with %ASA-1-199010 and %ASA-1-716528 syslog messages

CSCvd53381

ASA Traceback when saving/viewing the configuration due to time-range ACLs

CSCvd67907

ASA SSL client does not respond to renegotiation request

CSCve02467

ENH:  Lower timeout for igp stale-route should be reduced to a value lower than 10 seconds

CSCve18902

Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability

CSCve34335

Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability

CSCve38446

Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability

CSCve61540

Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities

CSCve72964

Traceback in DATAPATH-1-2084 ASA 9.(8)1

CSCve73025

All 1700 "4 byte blocks" were depleted after a weekend VPN load test.

CSCve85572

ASA should have a syslog message showing which side closed the connection

CSCve85996

Deployment timeouts after 30 minutes due to expand of ACE during deployment

CSCve94886

Traceback on ASA with Firepower Services during NAT rule changes and packet capture enabled

CSCve97874

ASA: Low free  DMA Memory on versions  9.6 and later

CSCvf25666

An ASA with low free memory fails to join existing cluster and could traceback and reload

CSCvf40650

Certificates not synced to Standby/All certificates cleared on Standby post deployment failure

CSCvf56917

ASA doesn't send LACP PDU during port flap in port-channel

CSCvf60220

Mgmt interface nameif "Diagnostic" getting removed after swapping mgmt interface from LD

CSCvf63718

Cisco Adaptive Security Appliance Flow Creation Denial of Service Vulnerability

CSCvf74218

ASAv image in AWS GovCloud not working in Hourly Billing Mode

CSCvf79262

OpenSSL CVE-2017-3735 "incorrect text display of the certificate"

CSCvf81222

Memory leak in 112 byte bin when packet hits PBR and connection is built

CSCvf85065

ASA: Traceback by Thread Name idfw_proc

CSCvf87899

ASA - rare scheduler corruption causes console lock

CSCvf94973

ASA on FP 2100 traceback when uploading AnyConnect image via ASDM

CSCvg01132

ASA : After upgrading from 9.2(4) to 9.2(4)18 serial connection hangs

CSCvg06695

FP2100 Threat Defense pair reporting failed status due to "Detect service module failure"

CSCvg09778

ASA-SSP HA reload in CP Processing due to DNS inspect

CSCvg20796

ASA local DNS resolution fails when DNS server is reachable over a site to site sec VPN tunnel

CSCvg25694

Assert Traceback, thread name : cli_xml_server

CSCvg35618

Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

CSCvg55617

ASA 9.8.1+ IKEv2 vpn load-balancing sends DELETE following IKE_AUTH

 

 

Revision:  Version 9.8(2)8 – 10/09/2017

Files:  asa982-8-smp-k8.bin

Defects resolved since 9.8(2):

 

CSCuj98977

ASA Traceback in thread SSH when ran "show service set conn detail"

CSCvb97470

asa Rest-api - component monitoring - empty value/blank value

CSCvf10327

ENH: Unique IPv6 link-local addresses assigned when sub-interface is being created

CSCvf17214

ASA Exports ECDSA as corrupted PKCS12

CSCvf22930

FP9300 9.7.1.10 FTD HA  traceback in Datapath

CSCvf28749

ASA not sending register stop when mroute is configured

CSCvf37947

ASA creates a BVi0 interface on a custom routed context

CSCvf54981

ASA - 80 Byte memory block depletion

CSCvf56506

ASA 9.6(2), 9.6(3) traceback in DataPath

CSCvf57908

Transparent Firewall: Ethertype ACLs installed with incorrect DSAP value

CSCvf61419

Traceback in thread DATAPATH due to NAT

CSCvf63108

ASA drops the IGMP Report packet which has Source IP address 0.0.0.0

CSCvf72930

FTD may traceback in Thread Name appAgent_monitor_nd_thread during device registration

CSCvf76281

IKEv2 RA cert auth. Unable to allocate new session. Max sessions reached

CSCvf81932

'Incomplete command' error with some inspects due to K7 license

CSCvf83537

Traceback with traffic in 3 node Intra Chassis Cluster

CSCvf83709

Slave kicked out due to CCL link failure and rejoins, but loses v3 user in multiple context mode

CSCvg01827

Permanent License Reservation license not installed on ASAv

CSCvg17478

traceback with Show OSPF Database Commands

CSCvg19809

Granular CPU hog can cause a crash