Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 9.16(2)14 – 2/23/2022
Files: asa9-16-2-14-smp-k8.bin, cisco-asa-fp1k.9.16.2.14.SPA, cisco-asa-fp2k.9.16.2.14.SPA, cisco-asa.9.16.2.14.SPA.csp
Defects resolved since 9.16(2)13:
Unable to configure ipv6 address/prefix to same interface and network in different context
Management Sessions fail to connect after several weeks
FTDv throughput degradation due to frequent PDTS read/write
ASA/FTD Memory block location not updating for fragmented packets in data-path
ASA55XX: Expansion module interfaces not coming up after a software upgrade
Snort down after deploying the policy
SSL decryption not working due to single connection on multiple in-line pairs
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS DoS
FP1120 9.14.3: temporary split brain happened after active device reboot
FTD Blocks Traffic with SSL Flow Error CORRUPT_MESSAGE
FTD moving UI management from FDM to FMC causes traffic to fail
Error:NAT unable to reserve ports when using a range of ports in an object service
Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability
ASA: Loss of NTP sync following a reload after upgrade
ASA NAT66 with big range as a pool don't works with IPv6
ASA: IP Header check validation failure when GTP Header have SEQ and EXT field
Lina Traceback and Reload Due to invalid memory access while accessing Hash Table
New access-list are not taking effect after removing non-existent ACL with objects.
ASA/FTD Change in OGS compilation behavior causing boot loop
ASA traceback and reload in Unicorn Admin Handler when change interface configuration via ASDM
Offloaded GRE tunnels may be silently un-offloaded and punted back to CPU
Traceback and reload after enabling debug webvpn cifs 255
SNMP is responding to snmpgetbulk with unexpected order of results
SNMP get command in FPR does not show interface index.
Revision: Version 9.16(2)13 – 1/25/2022
Files: asa9-16-2-13-smp-k8.bin, cisco-asa-fp1k.9.16.2.13.SPA, cisco-asa-fp2k.9.16.2.13.SPA, cisco-asa.9.16.2.13.SPA.csp
Defects resolved since 9.16(2)11:
FDM failover pair - new configured sVTI IPSEC SA is not synced to standby. FDM shows HA not in sync
L2L VPN session bringup fails when using NULL encryption in ipsec configuration
FTD may traceback and reload in Thread Name 'lina'
Cluster unit in MASTER_POST_CONFIG state should transition to Disabled state after an interva
CPU hogs in update_mem_reference
While implementing management tunnel a user can use open connect to bypass anyconnect.
NTP will not change to *(synced) status after upgrade to asa-9.15.1/9.16.1.28 from asa-9.14.3
Primary ASA should send GARP as soon as split-brain is detected and peer becomes cold standby
ASDM session/quota count mismatch in ASA when multiple context switchover is done from ASDM
OSPFv2 flow missing cluster centralized "c" flag
Low available DMA memory on ASA 9.14 at boot reduces AnyConnect sessions supported
Statelink hello messages dropped on Standby unit due to interface ring drops on high rate traffic
ASA Privilege Escalation with valid user in AD
ASA show tech execution causing spike on CPU and impacting to IKEv2 sessions
Clear and show conn for inline-set is not working
SNMP Stopped Responding After Upgrading to Version- 9.14(2)15
ASA Failover Split Brain caused by delay on state transition after "failover active" command run
Cisco Firepower Threat Defense Software Denial of Service Vulnerability
ASA/FTD traceback and reload on IKE Daemon Thread
ASA/FTD: remove unwanted process call from LUA
ASA drops non DNS traffic with reason "label length 164 bytes exceeds protocol limit of 63 bytes"
Clock drift observed between Lina and FXOS on multi-instance
Flow Offload - Compare state values remains in error state for longer periods
Traffic dropped by ASA configured with BVI interfaces due to asp drop type "no-adjacency"
ASA on FPR4100 traceback and reload when running captures using ASDM
Random FTD traceback during deployment from FMC
Traceback: Secondary firewall reloading in Threadname: fover_parse
ASA/FTD traceback and reload due to pix_startup_thread
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DAP DoS
Different CG-NAT port-block allocated for same source IP causing per-host PAT port block exhaustion
FTD Service Module Failure: False alarm of "ND may have gone down"
Revision: Version 9.16(2)11 – 11/30/2021
Files: asa9-16-2-11-smp-k8.bin, cisco-asa-fp1k.9.16.2.11.SPA, cisco-asa-fp2k.9.16.2.11.SPA, cisco-asa.9.16.2.11.SPA.csp
Defects resolved since 9.16(2)7:
FTD/ASA: Adding new ACE entries to ACP causes removal and re-add of ACE elements in LINA
Crypto archive generated with SE ring timeout on 7.0
PKI "OCSP revocation check" failing due to sha256 request instead of sha1
FTDv - Lina Traceback and reload
[IMS 7.1.0] Nat hitcount not updated in FQDN_NAT
ASA traffic dropped by Implicit ACL despite the fact of explicit rules present on Access-list
FPR2100: Unable to form L2L VPN tunnels when using ESP-Null encryption
FTD Traceback and Reload on process LINA
Traceback on MI FTD at boot time
ASA traceback and reload in SSH process when executing the command "show access-list"
FTD - Traceback in Thread Name: DATAPATH
FTD traceback and reload when using DTLS1.2 on RA tunnels
FTD 100G interfaces down after upgrade of FXOS and FTD to 2.10.1.159 and 6.6.4
SSL VPN performance degraded and significant stability issues after upgrade
NTP sync on IPV6 will fail if the IPV4 address is not configured
FTD Deployment failure post upgrade due to major version change on device
Loss of NTP sync following an upgrade
BGP routes shows unresolved and dropping packet with asp-drop reason "No route to host"
IPv6 PIM packets are dropped in ASP with invalid-ip-length drop reason
Cisco ASA Software and FTD Software Remote Access SSL VPN Denial of Service
AnyConnect users with mapped group-policies take attributes from default GP under the tunnel-group
ASA/FTD: remove unwanted process call from LUA
Revision: Version 9.16(2)7 – 10/27/2021
Files: asa9-16-2-7-smp-k8.bin, cisco-asa-fp1k.9.16.2.7.SPA, cisco-asa-fp2k.9.16.2.7.SPA, cisco-asa.9.16.2.7.SPA.csp
Defects resolved since 9.16(2)3:
Traceback on ASA by Smart Call Home process
Traceback of master and one slave when a particular lock is contended for long
Unit may traceback and reload citing datapath as crashing thread
High CPU and massive "no buffer" drops during HA bulk sync and during normal conn sync
FTD traceback and reload during anyconnect package verification
VTI tunnel interface stays down post reload on KP/WM platform in HA
ASA Traceback and reload in Thread Name: SNMP ContextThread
PAT pool exhaustion with stickiness traffic could lead to new connection drop.
FP21xx -traceback "Panic:DATAPATH-10-xxxx -remove_mem_from_head: Error - found a bad header"
FTD tracebacks and reloads on Thread name Lina
FTDv - Lina Traceback and reload
ASDM session is not served for new user after doing multiple context switches in existing user
FTD/ASA - Stuck in boot loop after upgrade from 9.14.2.15 to 9.14.3
ASAv traceback in snmp_master_callback_thread and reload
ASA/AnyConnect - Stale RADIUS sessions
Internal ldap attribute mappings fail after HA failover
ASAv observed traceback while upgrading hostscan
Traceback and reload in Thread Name: DATAPATH-15-18621
TLS server discovery uses incorrect source IP address for probes in AnyConnect deployment
ASA does not use the interface specified in the name-server command to reach IPv6 DNS servers
FTD/ASA Traceback and reload due to SSL null checks under low memory conditions
TCP connections are cleared after configured idle-timeout even though traffic is present
conf t is converted to disk0:/t under context-config mode
ASA traceback due to SCTP traffic.
ASA traceback on DATAPATH when handling ICMP error message
Cisco ASA and FTD Software Dynamic Access Policies Denial of Service Vulnerability
Unexpected traceback on the ASA Primary Unit running on 9.8.4.39
ASDM session count and quota management's count mismatch. 'Lost connection firewall' msg in ASDM
ASA log shows wrong value of the transferred data after the anyconnect session terminated.
LINA may generate traceback and reload
Traceback observed on ASA while handling SAML handler
ASA/FTD Standby unit fails to join HA
Inconsistent logging timestamp with RFC5424 enabled
OSPFv3: FTD Wrong "Forwarding address" added in ospfv3 database
ASA/FTD traceback and reload caused by "timer services" function
Revision: Version 9.16(2)3 – 09/08/2021
Files: asa9-16-2-3-smp-k8.bin, cisco-asa-fp1k.9.16.2.3.SPA, cisco-asa-fp2k.9.16.2.3.SPA, cisco-asa.9.16.2.3.SPA.csp
Defects resolved since 9.16(2):
FMC generates Connection Events from a SYN flood attack
Crypto engine errors when GRE header protocol field doesn't match protocol field in inner ip header
Snmpwalk showing traffic counter as 0 for failover interface
VPN conn fails from same user if Radius server sends a dACL and vpn-simultaneous-logins is set to 1
High CPU and massive "no buffer" drops during HA bulk sync and during normal conn sync
ASA in PLR mode,"license smart reservation" is failing.
Active tries to send CoA update to Standby in case of "No Switchover"
After upgrading ASA to 9.15(1)10, ASDM 7.15(1)150 One Time Password (OTP) field does not appear
UN-NAT created on FTD once a prior dynamic xlate is created
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-15-14815'
RSA keys & Certs get removed post reload on WS-SVC-ASA-SM1-K7 with ASA code 9.12.x
SNMP MIB value for crasLocalAddress is not showing the IP address
ASAv on Azure loses connectivity to Metadata server once default outside route is used
Revert 'fix' introduced by CSCvr33428 and CSCvy39659
FTD lina traceback and reload in thread Name Checkheaps
FTD reload with Lina traceback during xlate replication in Cluster
ASA: Orphaned SSH session not allowing us to delete a policy-map from CLI
ASA traceback and reload thread name: Datapath
ASA/FTD may traceback and reload in loop processing Anyconnect profile
Twice nat's un-nat not happening if nat matches a pbr acl that matches a port number instead of IP
SNMP agent restarts when show commands are issued
ASA: ARP entries from custom context not removed when an interface flap occurs on system context
FTD/Lina may traceback when "show capture" command is executed
If ASA fails to download DACL it will never stop trying
BGP packets dropped for non directly connected neighbors