
Release Notes for the Cisco ASA 5500 Series, 8.4(x)


Table of Contents

Release Notes for the Cisco ASA 5500 Series, Version 8.4(x)

Important Notes

Limitations and Restrictions

System Requirements

New Features

New Features in Version 8.4(7)

New Features in Version 8.4(6)

New Features in Version 8.4(5)

New Features in Version 8.4(4.5)

New Features in Version 8.4(4.1)

New Features in Version 8.4(3)

New Features in Version 8.4(2.8)

New Features in Version 8.4(2)

New Features in Version 8.4(1.11)

New Features in Version 8.4(1)

Open Caveats

Resolved Caveats

Resolved Caveats in Version 8.4(7)

Resolved Caveats in Version 8.4(6)

Resolved Caveats in Version 8.4(5)

Resolved Caveats in Version 8.4(4.1)

Resolved Caveats in Version 8.4(3)

Resolved Caveats in Version 8.4(2)

Resolved Caveats in Version 8.4(1)

End-User License Agreement

Related Documentation

Obtaining Documentation and Submitting a Service Request

Release Notes for the Cisco ASA 5500 Series, Version 8.4(x)

Released: January 31, 2011

Updated: February 18, 2014

This document contains release information for Cisco ASA 5500 software Version 8.4(1) through 8.4(7).

This document includes the following sections:

Important Notes

  • Increased SSH security; the SSH default username is no longer supported—Starting in 8.4(2), you can no longer connect to the ASA using SSH with the pix or asa username and the login password. To use SSH, you must configure AAA authentication using the aaa authentication ssh console LOCAL command (CLI) or Configuration > Device Management > Users/AAA > AAA Access > Authentication (ASDM); then define a local user by entering the username command (CLI) or choosing Configuration > Device Management > Users/AAA > User Accounts (ASDM). If you want to use a AAA server for authentication instead of the local database, we recommend also configuring local authentication as a backup method.
  • Configuration Migration for Transparent Mode—In 8.4, all transparent mode interfaces now belong to a bridge group. When you upgrade to 8.4, the existing two interfaces are placed in bridge group 1, and the management IP address is assigned to the Bridge Group Virtual Interface (BVI). The functionality remains the same when using one bridge group. You can now take advantage of the bridge group feature to configure up to four interfaces per bridge group and to create up to eight bridge groups in single mode or per context.

Note In 8.3 and earlier, as an unsupported configuration, you could configure a management interface without an IP address, and you could access the interface using the device management address. In 8.4, the device management address is assigned to the BVI, and the management interface is no longer accessible using that IP address; the management interface requires its own IP address.


  • You can upgrade from any previous release directly to 8.4. If you are upgrading from a pre-8.3 release, see the Cisco ASA 5500 Migration Guide for Version 8.3 and Later for important information about migrating your configuration to Version 8.3 and later.

    Upgrading from some releases may have consequences for downgrading; be sure to back up your configuration file in case you want to downgrade. For example, if you are upgrading from a pre-8.2 release, see the 8.2 release notes for downgrade issues after you upgrade the Phone Proxy and MTA instance, or for downgrade issues if you upgrade the activation key with new 8.2 features.
  • When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is removed.
  • The Advanced Inspection and Prevention Security Services Card (AIP SSC) can take up to 20 minutes to initialize the first time it boots after a new image is applied. This initialization process must complete before configuration changes can be made to the sensor. Attempts to modify and save configuration changes before the initialization completes will result in an error.
  • Connection Profile/Tunnel Group terminology in CLI vs. ASDM—The ASA tunnel groups define the initial connection parameters and attributes (such as AAA, client address assignment, and connection alias/group-url) for a remote access VPN session. In the CLI they are referred to as tunnel groups, whereas in ASDM they are referred to as Connection Profiles. A VPN policy is an aggregation of Connection Profile, Group Policy, and Dynamic Access Policy authorization attributes.

  • Cosmetic startup message issue on the ASA 5585-X—Cisco manufacturing recently discovered a process error that resulted in loading a test build of BIOS firmware on many early shipments of the ASA 5585-X. On the affected units, more text than usual displays on the console during startup before reaching the “rommon>” prompt. Included in the extra output is the following message banner:

CISCO SYSTEMS Spyker Build, TEST build not for Customer Release
Embedded BIOS Version 2.0(7)2 19:59:57 01/04/11
 

While you may see this additional text, there is no functional impact to the ASA operation; you can ignore the additional text. The test build provides additional information that can be used by engineers to pinpoint hardware problems during the manufacturing process. Unfortunately, there is no field-upgradeable resolution to eliminate this message that does not require replacing the hardware.

Hardware with a serial number that falls within the following ranges could be impacted by this cosmetic issue. Note that not all serial numbers within these ranges are impacted.

JMX1449xxxx – JMX1520xxxx

JAF1450xxxx – JAF1516xxxx (for ASA-SSP-20-K8= only)

Hardware with the following Product IDs for the preceding serial numbers could be impacted by this cosmetic issue:

ASA5585-S20-K8

ASA5585-S20-K9

ASA5585-S20P20-K8

ASA5585-S20P20-K9

ASA5585-S20P20XK9

ASA5585-S20X-K9

ASA-SSP-20-K8=

Limitations and Restrictions

  • No SNMP Traps during insertion/removal of power supply (CSCul90037)—The power supplies in the ASA 5585-X are hot swappable field replaceable units. In the event of a power supply failure, an SNMP trap is sent from the ASA to the configured trap receiver. However, when you restore power, the ASA does not send an additional SNMP trap.

Workaround: When using Cisco Prime Network to monitor ASA 5585s, the network operator must manually clear a power supply fault condition within the EMS.

  • Currently in 8.4(2) and later, the PAT pool feature is not available as a fallback method for dynamic NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT. For example, if you enter the following twice NAT command that configures a PAT pool (object2) for fallback when the addresses in object1 are used up, you see the following error message:

hostname(config)# nat (inside,outside) source dynamic any object1 pat-pool object2 interface round-robin
ERROR: Same mapped parameter cannot be used to do both NAT and PAT.
ERROR: NAT pool allocation failed.

You can alter this command to make it PAT-pool only by removing object1; the PAT pool is used as the primary method, instead of as a fallback method:

hostname(config)# nat (inside,outside) source dynamic any pat-pool object2 interface round-robin

(CSCtq20634)

  • Clientless SSL VPN .NET limitation—Clientless SSL sessions might not properly support .NET framework applications. In some cases, you need to enable the application for use with Smart Tunnels; however, there is a chance it could still fail. For example, it might fail when an executable binary (.exe) is created using the .NET framework (CSCsv29942).
  • With a heavy load of users (around 150 or more) using a WebVPN plugin, you may experience large delays because of the processing overload. Using Citrix web interface reduces the ASA rewrite overhead. To track the progress of the enhancement request to allow WebVPN plug files to be cached on the ASA, refer to CSCud11756.
  • (ASA 5510, ASA 5520, ASA 5540, and ASA 5550 only) We strongly recommend that you enable hardware processing using the crypto engine large-mod-accel command instead of software for large modulus operations such as 2048-bit certificates and DH5 keys. If you continue to use software processing for large keys, you could experience significant performance degradation due to slow session establishment for IPsec and SSL VPN connections. We recommend that you initially enable hardware processing during a low-use or maintenance period to minimize a temporary packet loss that can occur during the transition of processing from software to hardware.

Note For the ASA 5540 and ASA 5550 using SSL VPN, in specific load conditions, you may want to continue to use software processing for large keys. If VPN sessions are added very slowly and the ASA runs at capacity, then the negative impact to data throughput is larger than the positive impact for session establishment.

The ASA 5580/5585-X platforms already integrate this capability; therefore, crypto engine commands are not applicable on these platforms.


System Requirements

Table 1 lists information about ASDM, module, and VPN compatibility with the ASA 5500 series.

 

Table 1 ASDM, SSM, SSC, and VPN Compatibility

Application: ASDM
Description: For information about ASDM requirements, see Cisco ASA Compatibility:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

Application: VPN
Description: For the latest OS and browser test results, see Supported VPN Platforms, Cisco ASA 5500 Series:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html

Application: Module applications
Description: For information about module application requirements, see Cisco ASA Compatibility:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html

New Features

This section includes the following topics:


Note New, changed, and deprecated syslog messages are listed in the syslog message guide.



Note Version 8.4(4) and 8.4(4.3) were removed from Cisco.com due to build issues; please upgrade to a later version.


New Features in Version 8.4(7)

Released: September 3, 2013

There are no new features in Version 8.4(7).

New Features in Version 8.4(6)

Released: April 29, 2013

Table 2 lists the new features for ASA Version 8.4(6).

 

Table 2 New Features for ASA Version 8.4(6)

Feature
Description
Monitoring Features

Ability to view top 10 memory users

You can now view the top bin sizes allocated and the top 10 PCs for each allocated bin size. Previously, you had to enter multiple commands to see this information (the show memory detail command and the show memory binsize command); the new command provides for quicker analysis of memory issues.

We introduced the following command: show memory top-usage.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).

CPU profile enhancements

The cpu profile activate command now supports the following:

  • Delayed start of the profiler until triggered (global or specific thread CPU %)
  • Sampling of a single thread

We modified the following command: cpu profile activate [n-samples] [sample-process process-name] [trigger cpu-usage cpu% [process-name]].

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).

Remote Access Features

user-storage value command password is now encrypted in show commands

The password in the user-storage value command is now encrypted when you enter show running-config.

We modified the following command: user-storage value.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).

New Features in Version 8.4(5)

Released: October 31, 2012

Table 3 lists the new features for ASA Version 8.4(5).

 

Table 3 New Features for ASA Version 8.4(5)

Feature
Description
Firewall Features

EtherType ACL support for IS-IS traffic (transparent firewall mode)

In transparent firewall mode, the ASA can now pass IS-IS traffic using an EtherType ACL.

We modified the following command: access-list ethertype {permit | deny} is-is.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).

ARP cache additions for non-connected subnets

The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate a denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.

You may want to use this feature if you use:

  • Secondary subnets.
  • Proxy ARP on adjacent routes for traffic forwarding.

We introduced the following command: arp permit-nonconnected.

This feature is not available in 8.5(1), 8.6(1), or 8.7(1).

Increased maximum connection limits for service policy rules

The maximum number of connections for service policy rules was increased from 65535 to 2000000.

We modified the following commands: set connection conn-max, set connection embryonic-conn-max, set connection per-client-embryonic-max, set connection per-client-max.

This feature is not available in 8.5(1), 8.6(1), or 8.7(1).

Remote Access Features

Improved Host Scan and ASA Interoperability

Host Scan and the ASA use an improved process to transfer posture attributes from the client to the ASA. This gives the ASA more time to establish a VPN connection with the client and apply a dynamic access policy.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).

Monitoring Features

NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for Xlate count.

Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP.

This data is equivalent to the show xlate count command.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).

NSEL

Flow-update events have been introduced to provide periodic byte counters for flow traffic. You can change the time interval at which flow-update events are sent to the NetFlow collector. You can filter to which collectors flow-update records will be sent.

We introduced the following command: flow-export active refresh-interval.

We modified the following command: flow-export event-type.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).

Hardware Features

ASA 5585-X DC power supply support

Support was added for the ASA 5585-X DC power supply.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).

New Features in Version 8.4(4.5)

Released: August 13, 2012

Table 4 lists the new features for ASA interim Version 8.4(4.5).


Note Version 8.4(4.3) was removed from Cisco.com due to build issues; please upgrade to Version 8.4(4.5) or later.



Note We recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available. We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each interim release, see the interim release notes available on the Cisco.com software download site.


 

Table 4 New Features for ASA Version 8.4(4.5)

Feature
Description
Firewall Features

ARP cache additions for non-connected subnets

The ASA ARP cache only contains entries from directly-connected subnets by default. You can now enable the ARP cache to also include non-directly-connected subnets. We do not recommend enabling this feature unless you know the security risks. This feature could facilitate a denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.

You may want to use this feature if you use:

  • Secondary subnets.
  • Proxy ARP on adjacent routes for traffic forwarding.

We introduced the following command: arp permit-nonconnected.

This feature is not available in 8.5(1), 8.6(1), or 8.7(1).

Monitoring Features

NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to allow polling for Xlate count.

Support was added for the NAT-MIB cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs to support xlate_count and max_xlate_count for SNMP.

This data is equivalent to the show xlate count command.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), or 9.1(1).

New Features in Version 8.4(4.1)

Released: June 18, 2012

Table 5 lists the new features for ASA Version 8.4(4.1).


Note Version 8.4(4) was removed from Cisco.com due to build issues; please upgrade to Version 8.4(4.1) or later.


 

Table 5 New Features for ASA Version 8.4(4.1)

Feature
Description
Certification Features

FIPS and Common Criteria certifications

The FIPS 140-2 Non-Proprietary Security Policy was updated as part of the Level 2 FIPS 140-2 validation for the Cisco ASA 5500 series, which includes the Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5580, and ASA 5585-X.

The Common Criteria Evaluation Assurance Level 4 (EAL4) was updated, which provides the basis for a specific Target of Evaluation (TOE) of the Cisco ASA and VPN platform solutions.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).

Support for administrator password policy when using the local database

When you configure authentication for CLI or ASDM access using the local database, you can configure a password policy that requires a user to change their password after a specified amount of time and also requires password standards such as a minimum length and the minimum number of changed characters.

We introduced or modified the following commands: change-password, password-policy lifetime, password-policy minimum-changes, password-policy minimum-length, password-policy minimum-lowercase, password-policy minimum-uppercase, password-policy minimum-numeric, password-policy minimum-special, password-policy authenticate enable, clear configure password-policy, show running-config password-policy.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).

Support for SSH public key authentication

You can now enable public key authentication for SSH connections to the ASA on a per-user basis, using a Base64-encoded key of up to 2048 bits.

We introduced the following command: ssh authentication.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).

Support for Diffie-Hellman Group 14 for the SSH Key Exchange

Support for Diffie-Hellman Group 14 for SSH Key Exchange was added. Formerly, only Group 1 was supported.

We introduced the following command: ssh key-exchange.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).

Support for a maximum number of management sessions

You can set the maximum number of simultaneous ASDM, SSH, and Telnet sessions.

We introduced the following commands: quota management-session, show running-config quota management-session, show quota management-session.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).

Additional ephemeral Diffie-Hellman ciphers for SSL encryption

The ASA now supports the following ephemeral Diffie-Hellman (DHE) SSL cipher suites:

  • DHE-AES128-SHA1
  • DHE-AES256-SHA1

These cipher suites are specified in RFC 3268, Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS).

When supported by the client, DHE is the preferred cipher because it provides Perfect Forward Secrecy. See the following limitations:

  • DHE is not supported on SSL 3.0 connections, so make sure to also enable TLS 1.0 for the SSL server.

!! set server version
hostname(config)# ssl server-version tlsv1 sslv3
!! set client version
hostname(config)# ssl client-version any

  • Some popular applications do not support DHE, so include at least one other SSL encryption method to ensure that a cipher suite common to both the SSL client and server can be used.
  • Some clients may not support DHE, including AnyConnect 2.5 and 3.0, Cisco Secure Desktop, and Internet Explorer 9.0.

We modified the following command: ssl encryption.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).

Image verification

Support for SHA-512 image integrity checking was added.

We modified the following command: verify.

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).
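The management-plane items in this 8.4(4.1) table (local password policy, per-user SSH public keys, DH group 14 key exchange, the management-session quota, the DHE SSL cipher suites, and SHA-512 image verification) combine with the 8.4(2) SSH requirement from the Important Notes into one hardening fragment. The following session is an added example written for these notes, not configuration taken from the release notes or from Cisco. The host name, the netadmin user, the 10.0.0.0/24 admin subnet, the key text, the numeric limits and the image file name are placeholders; the exact keyword forms of ssh authentication and of the SHA-512 option on verify are assumed from the feature descriptions and should be confirmed against the 8.4 command reference.

```cisco
! Added example (not from the release notes): management-plane hardening
! on ASA 8.4(4.1)+. All names, addresses, limits and the key are placeholders.

! 8.4(2)+: the pix/asa default SSH user no longer works; authenticate SSH
! against the local database (keep LOCAL as a backup if a AAA server is added).
hostname(config)# aaa authentication ssh console LOCAL
hostname(config)# aaa authentication http console LOCAL
hostname(config)# aaa authentication enable console LOCAL

! Local administrator; the running-config stores the password hashed, not clear.
hostname(config)# username netadmin password REPLACE-WITH-STRONG-PASSWORD privilege 15

! 8.4(4.1)+: per-user SSH public key (Base64 key, up to 2048 bits).
! Keyword form assumed; placeholder key text.
hostname(config)# username netadmin attributes
hostname(config-username)# ssh authentication publickey AAAAB3NzaC1yc2EAAAADAQABAAABAQC...PLACEHOLDER-KEY...
hostname(config-username)# exit

! 8.4(4.1)+: password policy enforced on local-database administrators.
hostname(config)# password-policy lifetime 90
hostname(config)# password-policy minimum-length 12
hostname(config)# password-policy minimum-changes 4
hostname(config)# password-policy minimum-lowercase 1
hostname(config)# password-policy minimum-uppercase 1
hostname(config)# password-policy minimum-numeric 1
hostname(config)# password-policy minimum-special 1
hostname(config)# password-policy authenticate enable

! 8.4(4.1)+: DH group 14 for the SSH key exchange instead of group 1.
hostname(config)# ssh key-exchange group dh-group14-sha1

! Limit where SSH is accepted from, the idle time, and the total number of
! concurrent ASDM/SSH/Telnet sessions (8.4(4.1)+ quota).
hostname(config)# ssh 10.0.0.0 255.255.255.0 management
hostname(config)# ssh timeout 10
hostname(config)# quota management-session 3

! 8.4(4.1)+: prefer the DHE suites (forward secrecy) but keep a non-DHE suite
! so clients without DHE (AnyConnect 2.5/3.0, IE9) can still connect.
! DHE needs TLS 1.0 on the server side, so the server is not pinned to SSL 3.0.
hostname(config)# ssl server-version tlsv1
hostname(config)# ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1

! 8.4(4.1)+: SHA-512 integrity check of a staged image before "boot system"
! points at it; compare the printed digest with the one Cisco publishes.
! The "/sha-512" option form is assumed from the release note.
hostname(config)# exit
hostname# verify /sha-512 disk0:/asa-image-PLACEHOLDER.bin
```

The order matters in one place: enable aaa authentication ssh console LOCAL only after the local user exists and has been tested from a second session, otherwise the SSH path can lock out the only administrator. The quota of 3 is a starting point; set it to the number of concurrent operators you actually expect so that a stuck session does not block access.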

Improved pseudo-random number generation

Hardware-based noise for additional entropy was added to the software-based random number generation process. This change makes pseudo-random number generation (PRNG) more random and more difficult for attackers to get a repeatable pattern or guess the next random number to be used for encryption and decryption operations. Two changes were made to improve PRNG:

  • Use the current hardware-based RNG for random data to use as one of the parameters for software-based RNG.
  • If the hardware-based RNG is not available, use additional hardware noise sources for software-based RNG. Depending on your model, the following hardware sensors are used:

ASA 5505—Voltage sensors.

ASA 5510 and 5550—Fan speed sensors.

ASA 5520, 5540, and 5580—Temperature sensors.

ASA 5585-X—Fan speed sensors.

We introduced the following command: show debug menu cts [128 | 129].

This feature is not available in 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.0(2), or 9.1(1).

Remote Access Features

Clientless SSL VPN:
Enhanced quality for rewriter engines

The clientless SSL VPN rewriter engines were significantly improved to provide better quality and efficacy. As a result, you can expect a better end-user experience for clientless SSL VPN users.

We did not add or modify any commands for this feature.

This feature is not available in 8.5(1), 8.6(1), or 8.7(1).

Failover Features

Configure the connection replication rate during a bulk sync

You can now configure the rate at which the ASA replicates connections to the standby unit when using Stateful Failover. By default, connections are replicated to the standby unit during a 15 second period. However, when a bulk sync occurs (for example, when you first enable failover), 15 seconds may not be long enough to sync large numbers of connections due to a limit on the maximum connections per second. For example, the maximum connections on the ASA is 8 million; replicating 8 million connections in 15 seconds means creating 533 K connections per second. However, the maximum connections allowed per second is 300 K. You can now specify the rate of replication to be less than or equal to the maximum connections per second, and the sync period will be adjusted until all the connections are synced.

We introduced the following command: failover replication rate rate.

This feature is not available in 8.6(1) or 8.7(1). This feature is also in 8.5(1.7).

Application Inspection Features

SunRPC change from dynamic ACL to pin-hole mechanism

Previously, Sun RPC inspection did not support outbound access lists because the inspection engine used dynamic access lists instead of secondary connections.

In this release, dynamic access lists on the ASA are supported in the ingress direction only, and the ASA drops egress traffic destined to dynamic ports. Sun RPC inspection therefore implements a pinhole mechanism to support egress traffic, and uses that same pinhole mechanism to support outbound dynamic access lists.

This feature is not available in 8.5(1), 8.6(1), or 8.7(1).

Inspection reset action change

Previously, when the ASA dropped a packet due to an inspection engine rule, the ASA sent only one RST to the source device of the dropped packet. This behavior could cause resource issues.

In this release, when you configure an inspection engine to use a reset action and a packet triggers a reset, the ASA sends a TCP reset under the following conditions:

  • The ASA sends a TCP reset to the inside host when the service resetoutbound command is enabled. (The service resetoutbound command is disabled by default.)
  • The ASA sends a TCP reset to the outside host when the service resetinbound command is enabled. (The service resetinbound command is disabled by default.)

For more information, see the service command in the Cisco ASA 5500 Series Command Reference.

This behavior ensures that a reset action will reset the connections on the ASA and on inside servers; therefore countering denial of service attacks. For outside hosts, the ASA does not send a reset by default and information is not revealed through a TCP reset.

This feature is not available in 8.5(1), 8.6(1), or 8.7(1).

Module Features

ASA 5585-X support for the ASA CX SSP-10 and -20

The ASA CX module lets you enforce security based on the complete context of a situation. This context includes the identity of the user (who), the application or website that the user is trying to access (what), the origin of the access attempt (where), the time of the attempted access (when), and the properties of the device used for the access (how). With the ASA CX module, you can extract the full context of a flow and enforce granular policies such as permitting access to Facebook but denying access to games on Facebook or permitting finance employees access to a sensitive enterprise database but denying the same to other employees.

We introduced or modified the following commands: capture, cxsc, cxsc auth-proxy, debug cxsc, hw-module module password-reset, hw-module module reload, hw-module module reset, hw-module module shutdown, session do setup host ip, session do get-config, session do password-reset, show asp table classify domain cxsc, show asp table classify domain cxsc-auth-proxy, show capture, show conn, show module, show service-policy.

ASA 5585-X support for network modules

The ASA 5585-X now supports additional interfaces on network modules in slot 1. You can install one or two of the following optional network modules:

  • ASA 4-port 10G Network Module
  • ASA 8-port 10G Network Module
  • ASA 20-port 1G Network Module

This feature is not available in 9.0(1), 9.0(2), or 9.1(1).

New Features in Version 8.4(3)

Released: January 9, 2012

Table 6 lists the new features for ASA Version 8.4(3).

 

Table 6 New Features for ASA Version 8.4(3)

Feature
Description
NAT Features

Round robin PAT pool allocation uses the same IP address for existing hosts

When using a PAT pool with round robin allocation, if a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available.

We did not modify any commands.

This feature is not available in 8.5(1).

Flat range of PAT ports for a PAT pool

If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool.

If you have a lot of traffic that uses the lower port ranges, when using a PAT pool, you can now specify a flat range of ports to be used instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535.

We modified the following commands: nat dynamic [pat-pool mapped_object [flat [include-reserve]]] (object network configuration mode) and nat source dynamic [pat-pool mapped_object [flat [include-reserve]]] (global configuration mode).

This feature is not available in 8.5(1).

Extended PAT for a PAT pool

Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough translations, you can now enable extended PAT for a PAT pool. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information.

We modified the following commands: nat dynamic [pat-pool mapped_object [extended]] (object network configuration mode) and nat source dynamic [pat-pool mapped_object [extended]] (global configuration mode).

This feature is not available in 8.5(1).

Configurable timeout for PAT xlate

When a PAT xlate times out (by default after 30 seconds), and the ASA reuses the port for a new translation, some upstream routers might reject the new connection because the previous connection might still be open on the upstream device. The PAT xlate timeout is now configurable, to a value between 30 seconds and 5 minutes.

We introduced the following command: timeout pat-xlate.

This feature is not available in 8.5(1).
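The four PAT pool entries above (round-robin stickiness, flat port range, extended PAT, configurable PAT xlate timeout) and the 8.4(2) limitation in Limitations and Restrictions (the pool must be the primary method, not a fallback; CSCtq20634) are easiest to see together in one rule. The following is an added example written for these notes, not configuration from the release notes or from Cisco. The object names, the 10.1.0.0/16 inside range and the 203.0.113.10-13 pool are constructed, and the combined keyword order after pat-pool is assumed from the separate syntax entries above, so check it against the 8.4(3) command reference before use.

```cisco
! Added example (not from the release notes): a PAT pool as the primary
! dynamic PAT method with the 8.4(3) pool options. Names/addresses constructed.

! Real (inside) hosts and the mapped pool of four public addresses.
hostname(config)# object network INSIDE-HOSTS
hostname(config-network-object)# subnet 10.1.0.0 255.255.0.0
hostname(config-network-object)# exit
hostname(config)# object network PAT-POOL
hostname(config-network-object)# range 203.0.113.10 203.0.113.13
hostname(config-network-object)# exit

! The pool is the PRIMARY mapped object: 8.4(2)+ rejects it as a fallback
! behind a dynamic NAT object ("Same mapped parameter cannot be used to do
! both NAT and PAT", CSCtq20634).
!   round-robin           spread hosts across the pool addresses; since 8.4(3)
!                         a host with an existing xlate keeps its PAT address
!                         while ports remain
!   extended              65535 ports per destination service, not per IP
!   flat include-reserve  one 1-65535 range instead of the 0-511 / 512-1023 /
!                         1024-65535 tiers, so low-port sources are not starved
!   interface             use the outside interface address once the pool
!                         itself is exhausted (allowed; the reverse is not)
! Keyword order after pat-pool is assumed; confirm in the command reference.
hostname(config)# nat (inside,outside) source dynamic INSIDE-HOSTS pat-pool PAT-POOL round-robin extended flat include-reserve interface

! 8.4(3): keep a released PAT port out of reuse for 2 minutes (default 30 s,
! range 30 s to 5 min) so an upstream device that still tracks the old flow
! does not reject the new connection.
hostname(config)# timeout pat-xlate 0:02:00

! Verify the rule and watch pool consumption; the xlate count is the same
! figure the 8.4(5) NAT-MIB cnatAddrBindNumberOfEntries OID exposes over SNMP.
hostname(config)# show nat detail
hostname(config)# show xlate count
```

The flat range trades the old tier behaviour for capacity: a source port below 1024 no longer competes for one of only 512 or 1024 mapped ports, but it may be mapped to a high port, which matters only if something downstream keys on the original low port.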

Automatic NAT rules to translate a VPN peer’s local IP address back to the peer’s real IP address

In rare situations, you might want to use a VPN peer’s real IP address on the inside network instead of an assigned local IP address. Normally with VPN, the peer is given an assigned local IP address to access the inside network. However, you might want to translate the local IP address back to the peer’s real public IP address if, for example, your inside servers and network security is based on the peer’s real IP address.

You can enable this feature on one interface per tunnel group. Object NAT rules are dynamically added and deleted when the VPN session is established or disconnected. You can view the rules using the show nat command.

Note Because of routing issues, we do not recommend using this feature unless you know you need this feature; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations:

  • Only supports Cisco IPsec and AnyConnect Client.
  • Return traffic to the public IP addresses must be routed back to the ASA so the NAT policy and VPN policy can be applied.
  • Does not support load-balancing (because of routing issues).
  • Does not support roaming (public IP changing).

We introduced the following command: nat-assigned-to-public-ip interface (tunnel-group general-attributes configuration mode).

Remote Access Features

Clientless SSL VPN browser support

The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4.

Compression for DTLS and TLS

To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 3.0 or later. Each tunneling method configures compression separately, and the preferred configuration is to have both SSL and DTLS compression as LZS. This feature enhances migration from legacy VPN clients.

Note Using data compression on high speed remote access connections passing highly compressible data requires significant processing power on the ASA. With other activity and traffic on the ASA, the number of sessions that can be supported on the platform is reduced.

We introduced or modified the following commands: anyconnect dtls compression [lzs | none] and anyconnect ssl compression [deflate | lzs | none].

Clientless SSL VPN Session Timeout Alerts

Allows you to create custom messages to alert users that their VPN session is about to end because of inactivity or a session timeout.

We introduced the following commands: vpn-session-timeout alert-interval, vpn-idle-timeout alert-interval.

AAA Features

Increased maximum LDAP values per attribute

The maximum number of values that the ASA can receive for a single attribute was increased from 1000 (the default) to 5000, with an allowed range of 500 to 5000. If a response message is received that exceeds the configured limit, the ASA rejects the authentication. If the ASA detects that a single attribute has more than 1000 values, then the ASA generates informational syslog 109036. For more than 5000 attributes, the ASA generates error level syslog 109037.

We introduced the following command: ldap-max-value-range number (Enter this command in aaa-server host configuration mode).

Support for sub-range of LDAP search results

When an LDAP search results in an attribute with a large number of values, depending on the server configuration, it might return a sub-range of the values and expect the ASA to initiate additional queries for the remaining value ranges. The ASA now makes multiple queries for the remaining ranges, and combines the responses into a complete array of attribute values.

Key vendor-specific attributes (VSAs) sent in RADIUS access request and accounting request packets from the ASA

Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in RADIUS accounting request packets from the ASA. All four attributes are sent for all accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for example, ACS or ISE) can then enforce authorization and policy attributes or use them for accounting and billing purposes.

Troubleshooting Features

Regular expression matching for the show asp table classifier and show asp table filter commands

You can now enter the show asp table classifier and show asp table filter commands with a regular expression to filter output.

We modified the following commands: show asp table classifier match regex , show asp table filter match regex .

New Features in Version 8.4(2.8)

Released: August 31, 2011

Table 7 lists the new features for ASA interim Version 8.4(2.8).


Note We recommend that you upgrade to a Cisco.com-posted ASA interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will usually remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available.

We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each ASA interim release, see the interim release notes available on the Cisco.com software download site.


 

Table 7 New Features for ASA Interim Version 8.4(2.8)

Remote Access Features

Clientless SSL VPN browser support

The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4.

Also available in Version 8.2(5.13) and 8.3.2(25).

Compression for DTLS and TLS

To improve throughput, Cisco now supports compression for DTLS and TLS on AnyConnect 3.0 or later. Each tunneling method configures compression separately, and the preferred configuration is to have both SSL and DTLS compression as LZS. This feature enhances migration from legacy VPN clients.

Note Using data compression on high speed remote access connections passing highly compressible data requires significant processing power on the ASA. With other activity and traffic on the ASA, the number of sessions that can be supported on the platform is reduced.

We introduced or modified the following commands: anyconnect dtls compression [ lzs | none ] and anyconnect ssl compression [ deflate | lzs | none ].

Also available in Version 8.2(5.13) and 8.3.2(25).

Clientless SSL VPN Session Timeout Alerts

Allows you to create custom messages to alert users that their VPN session is about to end because of inactivity or a session timeout.

We introduced the following commands: vpn-session-timeout alert-interval , vpn-idle-timeout alert-interval .

AAA Features

Increased maximum LDAP values per attribute

The maximum number of values that the ASA can receive for a single attribute was increased from 1000 (the default) to 5000, with an allowed range of 500 to 5000. If a response message is received that exceeds the configured limit, the ASA rejects the authentication. If the ASA detects that a single attribute has more than 1000 values, then the ASA generates informational syslog 109036. For more than 5000 attributes, the ASA generates error level syslog 109037.

We introduced the following command: ldap-max-value-range number (Enter this command in aaa-server host configuration mode).

Support for sub-range of LDAP search results

When an LDAP search results in an attribute with a large number of values, depending on the server configuration, it might return a sub-range of the values and expect the ASA to initiate additional queries for the remaining value ranges. The ASA now makes multiple queries for the remaining ranges, and combines the responses into a complete array of attribute values.
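The two LDAP features above (which also appear in the 8.4(3) table) describe ranged retrieval and a per-attribute value cap. The following is an added illustration, not ASA code: a simulated directory server hands back one slice at a time using the `attr;range=low-high` naming that Active Directory uses (`*` marks the last slice), and a client stitches the slices together while enforcing a configured maximum modelled on `ldap-max-value-range`. The slice size, the group, and its members are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed directory: a group whose "member" attribute holds more values
# than the server will return in one response (hypothetical 1500-value slices).
SLICE = 1500
DIRECTORY = {
    "cn=vpn-users,dc=example,dc=com": {
        "member": [f"cn=user{i},dc=example,dc=com" for i in range(3200)],
        "description": ["VPN users"],
    }
}

# Range descriptor carried on the attribute name, e.g. member;range=0-1499,
# with member;range=3000-* on the final slice.
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")


def server_search(dn: str, attr: str, lo: int = 0) -> Dict[str, List[str]]:
    """Simulated LDAP server: return the values of `attr` for `dn`, either in
    full (small attribute) or as one sub-range starting at index `lo`."""
    values = DIRECTORY[dn][attr]
    if len(values) <= SLICE:
        return {attr: list(values)}
    hi = min(lo + SLICE, len(values))
    label = "*" if hi == len(values) else str(hi - 1)
    return {f"{attr};range={lo}-{label}": values[lo:hi]}


class ValueLimitExceeded(Exception):
    """Raised when an attribute carries more values than the configured limit."""


def fetch_attribute(dn: str, attr: str, max_values: int = 1000) -> Tuple[List[str], List[str]]:
    """Client side of ranged retrieval: follow the range descriptors until the
    server marks the last slice with '*', combining the slices in order.
    Returns (values, events). `max_values` models ldap-max-value-range, whose
    allowed range is 500..5000 with a default of 1000; exceeding it rejects the
    lookup, and more than 1000 values records the informational event the page
    describes as syslog 109036."""
    if not 500 <= max_values <= 5000:
        raise ValueError("max_values must be within 500..5000")
    combined: List[str] = []
    events: List[str] = []
    lo = 0
    while True:
        response = server_search(dn, attr, lo)
        (name, chunk), = response.items()
        combined.extend(chunk)
        if len(combined) > max_values:
            raise ValueLimitExceeded(f"{attr}: {len(combined)} values > limit {max_values}")
        m = RANGE_RE.match(name)
        if m is None or m.group("hi") == "*":
            break                      # plain attribute, or the final slice
        lo = int(m.group("hi")) + 1    # next query starts right after this slice
    if len(combined) > 1000:
        events.append("109036 informational: attribute has more than 1000 values")
    return combined, events


def lookup_is_rejected(dn: str, attr: str, max_values: int = 1000) -> bool:
    """True when the configured limit causes the attribute lookup to be rejected."""
    try:
        fetch_attribute(dn, attr, max_values)
    except ValueLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    members, notes = fetch_attribute("cn=vpn-users,dc=example,dc=com", "member", max_values=5000)
    print(len(members), "values combined;", notes)
    print("rejected at default limit:", lookup_is_rejected("cn=vpn-users,dc=example,dc=com", "member"))
```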

Troubleshooting Features

Regular expression matching for the show asp table classifier and show asp table filter commands

You can now enter the show asp table classifier and show asp table filter commands with a regular expression to filter output.

We modified the following commands: show asp table classifier match regex , show asp table filter match regex .

Also available in Version 8.2(5.13) and 8.3.2(25).

New Features in Version 8.4(2)

Released: June 20, 2011

Table 8 lists the new features for ASA Version 8.4(2).

 

Table 8 New Features for ASA Version 8.4(2)

Firewall Features

Identity Firewall

Typically, a firewall is not aware of the user identities and, therefore, cannot apply security policies based on identity.

The Identity Firewall in the ASA provides more granular access control based on users’ identities. You can configure access rules and security policies based on usernames and user group names rather than on source IP addresses. The ASA applies the security policies based on an association of IP addresses to Windows Active Directory login information and reports events based on the mapped usernames instead of network IP addresses.

The Identity Firewall integrates with Windows Active Directory in conjunction with an external Active Directory (AD) Agent that provides the actual identity mapping. The ASA uses Windows Active Directory as the source to retrieve the current user identity information for specific IP addresses.

In an enterprise, some users log onto the network by using other authentication mechanisms, such as authenticating with a web portal (cut-through proxy) or by using a VPN. You can configure the Identity Firewall to allow these types of authentication in connection with identity-based access policies.

We introduced or modified the following commands: user-identity enable , user-identity default-domain , user-identity domain , user-identity logout-probe , user-identity inactive-user-timer , user-identity poll-import-user-group-timer , user-identity action netbios-response-fail , user-identity user-not-found , user-identity action ad-agent-down , user-identity action mac-address-mismatch , user-identity action domain-controller-down , user-identity ad-agent active-user-database , user-identity ad-agent hello-timer , user-identity ad-agent aaa-server , user-identity update import-user , user-identity static user , ad-agent-mode , dns domain-lookup , dns poll-timer , dns expire-entry-timer , object-group user, show user-identity, show dns , clear configure user-identity , clear dns, debug user-identity, test aaa-server ad-agent .

Identity NAT configurable proxy ARP and route lookup

In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.

For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command) to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup . The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is removed.

We modified the following commands: nat static [ no-proxy-arp ] [ route-lookup ] (object network) and nat source static [ no-proxy-arp ] [ route-lookup ] (global).

PAT pool and round robin address assignment

You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and make configuration of large numbers of PAT addresses easy.

Note Currently in 8.4(2), the PAT pool feature is not available as a fallback method for dynamic NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT (CSCtq20634).

We modified the following commands: nat dynamic [ pat-pool mapped_object [ round-robin ]] (object network) and nat source dynamic [ pat-pool mapped_object [ round-robin ]] (global).

IPv6 Inspection

You can configure IPv6 inspection by configuring a service policy to selectively block IPv6 traffic based on the extension header. IPv6 packets are subjected to an early security check. The ASA always passes hop-by-hop and destination options extension headers while blocking the routing header and the no-next-header type.

You can enable default IPv6 inspection or customize IPv6 inspection. By defining a policy map for IPv6 inspection, you can configure the ASA to selectively drop IPv6 packets based on the following types of extension headers found anywhere in the IPv6 packet:

  • Hop-by-Hop Options
  • Routing (Type 0)
  • Fragment
  • Destination Options
  • Authentication
  • Encapsulating Security Payload

We modified the following commands: policy-map type inspect ipv6, verify-header, match header, match header routing-type , match header routing-address count gt, match header count gt .
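To make the inspection described above concrete, here is an added example (not Cisco's code) that walks the extension-header chain of a raw IPv6 packet and applies a policy with the same match criteria the commands above name: drop by header type, by routing type, by routing-address count, and by total header count. The `Ipv6Policy` class, the helper builders, and the sample packets are constructed for this example; the header layouts follow the IPv6 base specification.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IPv6 next-header numbers for the extension headers the page lists, plus
# "no next header" (59) and TCP (6) as the upper-layer protocol in the samples.
HOP_BY_HOP, TCP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DST_OPTS = 0, 6, 43, 44, 50, 51, 59, 60
EXT_NAMES = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
             ESP: "esp", AH: "ah", DST_OPTS: "destination-options"}


@dataclass
class ExtHeader:
    kind: int
    routing_type: Optional[int] = None
    routing_addresses: int = 0      # only populated for a type 0 routing header


@dataclass(frozen=True)
class Ipv6Policy:
    """Hypothetical policy mirroring the page's match criteria. The default
    mirrors the stated behaviour: routing header blocked, hop-by-hop and
    destination options allowed; no-next-header is always dropped."""
    drop_headers: frozenset = frozenset({ROUTING})
    drop_routing_types: frozenset = frozenset()   # "match header routing-type"
    max_routing_addresses: Optional[int] = None   # "routing-address count gt"
    max_headers: Optional[int] = None             # "header count gt"


def parse_extension_chain(pkt: bytes) -> Tuple[List[ExtHeader], int]:
    """Walk the extension-header chain. Returns the headers seen and the final
    next-header value (upper-layer protocol, or 59 for no next header). Stops
    at ESP, whose encrypted contents cannot be walked further."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, off, chain = pkt[6], 40, []
    while next_hdr in EXT_NAMES:
        if next_hdr == ESP:
            chain.append(ExtHeader(ESP))
            break
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        hdr = ExtHeader(next_hdr)
        if next_hdr == FRAGMENT:
            length = 8                          # fragment header is fixed size
        elif next_hdr == AH:
            length = (pkt[off + 1] + 2) * 4     # AH length field is in 4-octet units
        else:
            length = (pkt[off + 1] + 1) * 8     # options/routing: 8-octet units
            if next_hdr == ROUTING:
                hdr.routing_type = pkt[off + 2]
                if hdr.routing_type == 0:       # type 0: two 8-octet units per address
                    hdr.routing_addresses = pkt[off + 1] // 2
        if off + length > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(hdr)
        next_hdr, off = pkt[off], off + length  # next-header byte is read before advancing
    return chain, next_hdr


def inspect_ipv6(pkt: bytes, policy: Ipv6Policy = Ipv6Policy()) -> Tuple[str, str]:
    """Apply the policy to one packet; returns ("pass" | "drop", reason)."""
    chain, upper = parse_extension_chain(pkt)
    if upper == NO_NEXT:
        return "drop", "no next header"
    if policy.max_headers is not None and len(chain) > policy.max_headers:
        return "drop", f"header count {len(chain)} gt {policy.max_headers}"
    for h in chain:
        if h.kind in policy.drop_headers:
            return "drop", f"{EXT_NAMES[h.kind]} header present"
        if h.kind == ROUTING:
            if h.routing_type in policy.drop_routing_types:
                return "drop", f"routing-type {h.routing_type}"
            if policy.max_routing_addresses is not None and \
                    h.routing_addresses > policy.max_routing_addresses:
                return "drop", f"routing-address count {h.routing_addresses} gt {policy.max_routing_addresses}"
    return "pass", "ok"


# --- constructed sample packets (documentation prefix 2001:db8::/32) ---
_SRC = bytes.fromhex("20010db8" + "0" * 22 + "01")
_DST = bytes.fromhex("20010db8" + "0" * 22 + "02")
_TCP = bytes(20)   # placeholder upper-layer header; its contents are not inspected


def _ipv6(next_hdr: int, payload: bytes) -> bytes:
    # version 6, traffic class/flow label 0, payload length, next header, hop limit 64
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + _SRC + _DST + payload


def _options(next_hdr: int) -> bytes:
    # minimal 8-byte hop-by-hop/destination options header filled with one PadN option
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])


def _routing0(next_hdr: int, addresses: List[bytes]) -> bytes:
    # type 0 routing header: hdr-ext-len counts two 8-octet units per address
    return struct.pack("!BBBBI", next_hdr, 2 * len(addresses), 0, len(addresses), 0) + b"".join(addresses)


def _fragment(next_hdr: int) -> bytes:
    return struct.pack("!BBHI", next_hdr, 0, 0, 0x1234)


PKT_PLAIN = _ipv6(TCP, _TCP)
PKT_RH0 = _ipv6(ROUTING, _routing0(TCP, [_DST] * 3) + _TCP)
PKT_HBH_FRAG = _ipv6(HOP_BY_HOP, _options(FRAGMENT) + _fragment(TCP) + _TCP)
PKT_NO_NEXT = _ipv6(DST_OPTS, _options(NO_NEXT))
```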

Remote Access Features

Portal Access Rules

This enhancement allows customers to configure a global clientless SSL VPN access policy to permit or deny clientless SSL VPN sessions based on the data present in the HTTP header. If denied, an error code is returned to the clients. This denial is performed before user authentication and thus minimizes the use of processing resources.

We modified the following command: webvpn portal-access-rule .

Also available in Version 8.2(5).

Clientless support for Microsoft Outlook Web App 2010

The ASA 8.4(2) clientless SSL VPN core rewriter now supports Microsoft Outlook Web App 2010.

Secure Hash Algorithm SHA-2 Support for IPsec IKEv2 Integrity and PRF

This release supports the Secure Hash Algorithm SHA-2 for increased cryptographic hashing security for IPsec/IKEv2 AnyConnect Secure Mobility Client connections to the ASA. SHA-2 includes hash functions with digests of 256, 384, or 512 bits, to meet U.S. government requirements.

We modified the following commands: integrity , prf, show crypto ikev2 sa detail , show vpn-sessiondb detail remote .

Secure Hash Algorithm SHA-2 Support for Digital Signature over IPsec IKEv2

This release supports the use of SHA-2 compliant signature algorithms to authenticate IPsec IKEv2 VPN connections that use digital certificates, with the hash sizes SHA-256, SHA-384, and SHA-512.

SHA-2 digital signature for IPsec IKEv2 connections is supported with the AnyConnect Secure Mobility Client, Version 3.0.1 or later.

Split Tunnel DNS policy for AnyConnect

This release includes a new policy pushed down to the AnyConnect Secure Mobility Client for resolving DNS addresses over split tunnels. This policy applies to VPN connections using the SSL or IPsec/IKEv2 protocol and instructs the AnyConnect client to resolve all DNS addresses through the VPN tunnel. If DNS resolution fails, the address remains unresolved and the AnyConnect client does not try to resolve the address through public DNS servers.

By default, this feature is disabled. The client sends DNS queries over the tunnel according to the split tunnel policy: tunnel all networks, tunnel networks specified in a network list, or exclude networks specified in a network list.

We introduced the following command: split-tunnel-all-dns.

Also available in Version 8.2(5).

Mobile Posture

(formerly referred to as AnyConnect Identification Extensions for Mobile Device Detection)

You can now configure the ASA to permit or deny VPN connections to mobile devices, enable or disable mobile device access on a per group basis, and gather information about connected mobile devices based on a mobile device’s posture data. The following mobile platforms support this capability: AnyConnect for iPhone/iPad/iPod Versions 2.5.x and AnyConnect for Android Version 2.4.x.

Licensing Requirements

Enforcing remote access controls and gathering posture data from mobile devices requires an AnyConnect Mobile license and either an AnyConnect Essentials or AnyConnect Premium license to be installed on the ASA. You receive the following functionality based on the license you install:

  • AnyConnect Premium License Functionality

Enterprises that install the AnyConnect Premium license will be able to enforce DAP policies, on supported mobile devices, based on these DAP attributes and any other existing endpoint attributes. This includes allowing or denying remote access from a mobile device.

  • AnyConnect Essentials License Functionality

Enterprises that install the AnyConnect Essentials license will be able to do the following:

Enable or disable mobile device access on a per group basis and configure that feature using ASDM.

Display information about connected mobile devices via CLI or ASDM without having the ability to enforce DAP policies or deny or allow remote access to those mobile devices.

Also available in Version 8.2(5).

SSL SHA-2 digital signature

You can now use SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5(1) or later (2.5(2) or later recommended). This release does not support SHA-2 for other uses or products.

Caution: To support failover of SHA-2 connections, the standby ASA must be running the same image.

We modified the following command: show crypto ca certificate (the Signature Algorithm field identifies the digest algorithm used when generating the signature).

Also available in Version 8.2(5).

SHA2 certificate signature support for Microsoft Windows 7 and Android-native VPN clients

The ASA supports SHA2 certificate signatures for Microsoft Windows 7 and Android-native VPN clients when using the L2TP/IPsec protocol.

We did not modify any commands.

Also available in Version 8.2(5).

Enable/disable certificate mapping to override the group-url attribute

This feature changes the preference of a connection profile during the connection profile selection process. By default, if the ASA matches a certificate field value specified in a connection profile to the field value of the certificate used by the endpoint, the ASA assigns that profile to the VPN connection. This optional feature changes the preference to a connection profile that specifies the group URL requested by the endpoint. The new option lets administrators rely on the group URL preference used by many older ASA software releases.

We introduced the following command: tunnel-group-preference .

Also available in Version 8.2(5).

ASA 5585-X Features

Support for Dual SSPs for SSP-40 and SSP-60

For SSP-40 and SSP-60, you can use two SSPs of the same level in the same chassis. Mixed-level SSPs are not supported (for example, an SSP-40 with an SSP-60 is not supported). Each SSP acts as an independent device, with separate configurations and management. You can use the two SSPs as a failover pair if desired.

Note When using two SSPs in the chassis, VPN is not supported; note, however, that VPN has not been disabled.

We modified the following commands: show module , show inventory , show environment .

Support for the IPS SSP-10, -20, -40, and -60

We introduced support for the IPS SSP-10, -20, -40, and -60 for the ASA 5585-X. You can only install the IPS SSP with a matching-level SSP; for example, SSP-10 and IPS SSP-10.

Also available in Version 8.2(5).

CSC SSM Features

CSC SSM Support

For the CSC SSM, support for the following features has been added:

  • HTTPS traffic redirection: URL filtering and WRS queries for incoming HTTPS connections.
  • Configuring global approved whitelists for incoming and outgoing SMTP and POP3 e-mail.
  • E-mail notification for product license renewals.

We did not modify any commands.

Monitoring Features

Smart Call-Home Anonymous Reporting

Customers can now help to improve the ASA platform by enabling Anonymous Reporting, which allows Cisco to securely receive minimal error and health information from the device.

We introduced the following commands: call-home reporting anonymous, call-home test reporting anonymous .

Also available in Version 8.2(5).

IF-MIB ifAlias OID support

The ASA now supports the ifAlias OID. When you browse the IF-MIB, the ifAlias OID will be set to the value that has been set for the interface description.

Also available in Version 8.2(5).

Interface Features

Support for Pause Frames for Flow Control on 1-Gigabit Ethernet Interface

You can now enable pause (XOFF) frames for flow control on 1-Gigabit Ethernet interfaces; support was previously added for 10-Gigabit Ethernet interfaces in 8.2(2).

We modified the following command: flowcontrol .

Also available in Version 8.2(5).

Management Features

Increased SSH security; the SSH default username is no longer supported

Starting in 8.4(2), you can no longer connect to the ASA using SSH with the pix or asa username and the login password. To use SSH, you must configure AAA authentication using the aaa authentication ssh console LOCAL command (CLI) or Configuration > Device Management > Users/AAA > AAA Access > Authentication (ASDM); then define a local user by entering the username command (CLI) or choosing Configuration > Device Management > Users/AAA > User Accounts (ASDM). If you want to use a AAA server for authentication instead of the local database, we recommend also configuring local authentication as a backup method.

Unified Communications Features

ASA-Tandberg Interoperability with H.323 Inspection

H.323 Inspection now supports uni-directional signaling for two-way video sessions. This enhancement allows H.323 Inspection of one-way video conferences supported by Tandberg video phones. Supporting uni-directional signaling allows Tandberg phones to switch video modes (close their side of an H.263 video session and reopen the session using H.264, the compression standard for high-definition video).

We did not modify any commands.

Also available in Version 8.2(5).

Routing Features

Timeout for connections using a backup static route

When multiple static routes exist to a network with different metrics, the ASA uses the one with the best metric at the time of connection creation. If a better route becomes available, then this timeout lets connections be closed so a connection can be reestablished to use the better route. The default is 0 (the connection never times out). To take advantage of this feature, change the timeout to a new value.

We modified the following command: timeout floating-conn .

Also available in Version 8.2(5).

 

New Features in Version 8.4(1.11)

Released: May 20, 2011

Table 9 lists the new features for ASA interim Version 8.4(1.11).


Note We recommend that you upgrade to a Cisco.com-posted interim release only if you have a specific problem that it resolves. If you decide to run an interim release in a production environment, keep in mind that only targeted testing is performed on interim releases. Interim releases are fully supported by Cisco TAC and will remain on the download site only until the next maintenance release is available. If you choose to run an interim release, we strongly encourage you to upgrade to a fully-tested maintenance or feature release when it becomes available. We will document interim release features at the time of the next maintenance or feature release. For a list of resolved caveats for each interim release, see the interim release notes available on the Cisco.com software download site.


 

Table 9 New Features for ASA Version 8.4(1.11)

Firewall Features

PAT pool and round robin address assignment

You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and make configuration of large numbers of PAT addresses easy.

Note Currently in 8.4(1.11), the PAT pool feature is not available as a fallback method for dynamic NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT (CSCtq20634).

We modified the following commands: nat dynamic [ pat-pool mapped_object [ round-robin ]] (object network) and nat source dynamic [ pat-pool mapped_object [ round-robin ]] (global).
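The PAT pool feature above (listed again under 8.4(2)) changes how mapped ports are handed out. The following is an added simulation, not ASA code, that contrasts the two allocation orders the text describes: exhausting every port on one address before moving to the next, versus rotating addresses per new connection with round-robin. The `PatPool` class, the pool addresses (documentation range 203.0.113.0/24), and the small port range are constructed for the example.

```python
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple


class PatPool:
    """Hands out (mapped address, mapped port) pairs from a pool of PAT addresses.
    Sequential mode exhausts every port on one address before touching the next;
    round-robin mode moves to the next address for every new connection."""

    def __init__(self, addresses: List[str], round_robin: bool = False,
                 ports: range = range(1024, 65536)) -> None:
        if not addresses:
            raise ValueError("PAT pool needs at least one address")
        self.addresses = list(addresses)
        self.round_robin = round_robin
        self.total_ports = len(ports)
        # free ports per mapped address, handed out lowest-first
        self.free: Dict[str, Deque[int]] = {a: deque(ports) for a in self.addresses}
        self._next = 0   # round-robin cursor: index of the address to try first

    def allocate(self) -> Optional[Tuple[str, int]]:
        """Reserve a mapped port for a new connection, or None if the pool is full."""
        n = len(self.addresses)
        start = self._next if self.round_robin else 0
        for i in range(n):
            idx = (start + i) % n
            addr = self.addresses[idx]
            if self.free[addr]:
                port = self.free[addr].popleft()
                if self.round_robin:
                    self._next = (idx + 1) % n   # next connection tries the next address
                return addr, port
        return None   # every port on every address is taken: translation fails

    def release(self, addr: str, port: int) -> None:
        """Return a mapped port to the pool when the connection closes."""
        self.free[addr].append(port)

    def in_use(self) -> Dict[str, int]:
        """Number of mapped ports currently allocated per address."""
        return {a: self.total_ports - len(q) for a, q in self.free.items()}


POOL_ADDRESSES = ("203.0.113.10", "203.0.113.11", "203.0.113.12")   # constructed


def simulate(connections: int, round_robin: bool,
             addresses: Tuple[str, ...] = POOL_ADDRESSES,
             ports: range = range(1024, 1034)) -> Dict[str, int]:
    """Open `connections` translations and report how many land on each address."""
    pool = PatPool(list(addresses), round_robin=round_robin, ports=ports)
    for _ in range(connections):
        if pool.allocate() is None:
            break
    return pool.in_use()


if __name__ == "__main__":
    print("sequential :", simulate(12, round_robin=False))
    print("round-robin:", simulate(12, round_robin=True))
```

With ten ports per address, twelve connections in sequential mode pile ten onto the first address, while round-robin spreads them four per address.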

New Features in Version 8.4(1)

Released: January 31, 2011

Table 10 lists the new features for ASA Version 8.4(1).

 

Table 10 New Features for ASA Version 8.4(1)

Hardware Features

Support for the ASA 5585-X

We introduced support for the ASA 5585-X with Security Services Processor (SSP)-10, -20, -40, and -60.

Note Support was previously added in 8.2(3) and 8.2(4); the ASA 5585-X is not supported in 8.3(x).

No Payload Encryption hardware for export

You can purchase the ASA 5585-X with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. The ASA software senses a No Payload Encryption model, and disables the following features:

  • Unified Communications
  • VPN

You can still install the Strong Encryption (3DES/AES) license for use with management connections. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filter (which uses SSL).

Remote Access Features

L2TP/IPsec Support on Android Platforms

We now support VPN connections between Android mobile devices and ASA 5500 series devices, when using the L2TP/IPsec protocol and the native Android VPN client. Mobile devices must be using the Android 2.1, or later, operating system.

Also available in Version 8.2(5).

UTF-8 Character Support for AnyConnect Passwords

AnyConnect 3.0, used with ASA 8.4(1), supports UTF-8 characters in passwords sent using RADIUS/MSCHAP and LDAP protocols.

IPsec VPN Connections with IKEv2

Internet Key Exchange Version 2 (IKEv2) is the latest key exchange protocol used to establish and control Internet Protocol Security (IPsec) tunnels. The ASA now supports IPsec with IKEv2 for the AnyConnect Secure Mobility Client, Version 3.0(1), for all client operating systems.

On the ASA, you enable IPsec connections for users in the group policy. For the AnyConnect client, you specify the primary protocol (IPsec or SSL) for each ASA in the server list of the client profile.

IPsec remote access VPN using IKEv2 was added to the AnyConnect Essentials and AnyConnect Premium licenses.

Site-to-site sessions were added to the Other VPN license (formerly IPsec VPN). The Other VPN license is included in the Base license.

We modified the following commands: vpn-tunnel-protocol , crypto ikev2 policy , crypto ikev2 enable , crypto ipsec ikev2 , crypto dynamic-map , crypto map .

SSL SHA-2 digital signature

This release supports the use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5.1 or later (2.5.2 or later recommended). This release does not support SHA-2 for other uses or products. This feature does not involve configuration changes.

Caution: To support failover of SHA-2 connections, the standby ASA must be running the same image. To support this feature, we added the Signature Algorithm field to the show crypto ca certificate command to identify the digest algorithm used when generating the signature.

SCEP Proxy

SCEP Proxy provides the AnyConnect Secure Mobility Client with support for automated third-party certificate enrollment. Use this feature to support AnyConnect with zero-touch, secure deployment of device certificates to authorize endpoint connections, enforce policies that prevent access by non-corporate assets, and track corporate assets. This feature requires an AnyConnect Premium license and will not work with an Essentials license.

We introduced or modified the following commands: crypto ikev2 enable , scep-enrollment enable , scep-forwarding-url , debug crypto ca scep-proxy , secondary-username-from-certificate , secondary-pre-fill-username .

Host Scan Package Support

This feature provides the necessary support for the ASA to install or upgrade a Host Scan package and enable or disable Host Scan. This package may either be a standalone Host Scan package or one that ASA extracts from an AnyConnect Next Generation package.

In previous releases of AnyConnect, an endpoint’s posture was determined by Cisco Secure Desktop (CSD). Host Scan was one of many features bundled in CSD. Unbundling Host Scan from CSD gives AnyConnect administrators greater freedom to update and install Host Scan separately from the other features of CSD.

We introduced the following command: csd hostscan image path .

Kerberos Constrained Delegation (KCD)

This release implements the KCD protocol transition and constrained delegation extensions on the ASA. KCD provides Clientless SSL VPN (also known as WebVPN) users with SSO access to any web services protected by Kerberos. Examples of such services or applications include Outlook Web Access (OWA), Sharepoint, and Internet Information Server (IIS).

Implementing protocol transition allows the ASA to obtain Kerberos service tickets on behalf of remote access users without requiring them to authenticate to the KDC (through Kerberos). Instead, a user authenticates to the ASA using any of the supported authentication mechanisms, including digital certificates and Smartcards, for Clientless SSL VPN (also known as WebVPN). When user authentication is complete, the ASA requests and obtains an impersonate ticket, which is a service ticket for the ASA on behalf of the user. The ASA may then use the impersonate ticket to obtain other service tickets for the remote access user.

Constrained delegation provides a way for domain administrators to limit the network resources that a service trusted for delegation (for example, the ASA) can access. This task is accomplished by configuring the account under which the service is running to be trusted for delegation to a specific instance of a service running on a specific computer.

We modified the following commands: kcd-server , clear aaa , show aaa , test aaa-server authentication .

Clientless SSL VPN browser support

The ASA now supports clientless SSL VPN with Apple Safari 5.

Clientless VPN Auto Sign-on Enhancement

Smart tunnel now supports HTTP-based auto sign-on on Firefox as well as Internet Explorer. Similar to when Internet Explorer is used, the administrator decides to which hosts a Firefox browser will automatically send credentials. For some authentication methods, it may be necessary for the administrator to specify a realm string on the ASA to match that on the web application (in the Add Smart Tunnel Auto Sign-on Server window). You can now use bookmarks with macro substitutions for auto sign-on with Smart tunnel as well.

The POST plug-in is now obsolete. The former POST plug-in was created so that administrators could specify a bookmark with sign-on macros and receive a kick-off page to load prior to sending the POST request. The POST plug-in approach allowed requests that required cookies and other header items, fetched ahead of time, to go through. The administrator can now specify pre-load pages when creating bookmarks to achieve the same functionality. As with the POST plug-in, the administrator specifies the pre-load page URL and the URL to send the POST request to.

You can now replace the default preconfigured SSL VPN portal with your own portal. Administrators do this by specifying a URL as an External Portal. Unlike the group-policy home page, the External Portal supports POST requests with macro substitution (for auto sign-on) as well as pre-load pages.

We introduced or modified the following command: smart-tunnel auto-signon .

Expanded Smart Tunnel application support

Smart Tunnel adds support for the following applications:

  • Microsoft Outlook Exchange Server 2010 (native support).

Users can now use Smart Tunnel to connect Microsoft Office Outlook to a Microsoft Exchange Server.

  • Microsoft Sharepoint/Office 2010.

Users can now perform remote file editing using Microsoft Office 2010 Applications and Microsoft Sharepoint by using Smart Tunnel.

Interface Features

EtherChannel support (ASA 5510 and higher)

You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.

Note You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.

We introduced the following commands: channel-group , lacp port-priority , interface port-channel , lacp max-bundle , port-channel min-bundle , port-channel load-balance , lacp system-priority , clear lacp counters , show lacp , show port-channel .

Bridge groups for transparent mode

If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for each network. Bridge group traffic is isolated from other bridge groups. You can configure up to 8 bridge groups in single mode or per context in multiple mode, with 4 interfaces maximum per bridge group.

Note Although you can configure multiple bridge groups on the ASA 5505, the restriction of 2 data interfaces in transparent mode on the ASA 5505 means you can only effectively use 1 bridge group.

We introduced the following commands: interface bvi , bridge-group , show bridge-group .

Scalability Features

Increased contexts for the ASA 5550, 5580, and 5585-X

For the ASA 5550 and ASA 5585-X with SSP-10, the maximum number of contexts was increased from 50 to 100. For the ASA 5580 and 5585-X with SSP-20 and higher, the maximum was increased from 50 to 250.

Increased VLANs for the ASA 5580 and 5585-X

For the ASA 5580 and 5585-X, the maximum number of VLANs was increased from 250 to 1024.

Additional platform support

Google Chrome has been added as a supported platform for ASA Version 8.4. Both 32-bit and 64-bit platforms are supported on Windows XP, Vista, and 7, and on Mac OS X Version 6.0.

Increased connections for the ASA 5580 and 5585-X

We increased the firewall connection limits:

  • ASA 5580-20: 1,000,000 to 2,000,000.
  • ASA 5580-40: 2,000,000 to 4,000,000.
  • ASA 5585-X with SSP-10: 750,000 to 1,000,000.
  • ASA 5585-X with SSP-20: 1,000,000 to 2,000,000.
  • ASA 5585-X with SSP-40: 2,000,000 to 4,000,000.
  • ASA 5585-X with SSP-60: 2,000,000 to 10,000,000.

Increased AnyConnect VPN sessions for the ASA 5580

The AnyConnect VPN session limit was increased from 5,000 to 10,000.

Increased Other VPN sessions for the ASA 5580

The other VPN session limit was increased from 5,000 to 10,000.

High Availability Features

Stateful Failover with Dynamic Routing Protocols

Routes that are learned through dynamic routing protocols (such as OSPF and EIGRP) on the active unit are now maintained in a Routing Information Base (RIB) table on the standby unit. Upon a failover event, traffic on the secondary active unit now passes with minimal disruption because routes are known. Routes are synchronized only for link-up or link-down events on an active unit. If the link goes up or down on the standby unit, dynamic routes sent from the active unit may be lost. This is normal, expected behavior.

We modified the following commands: show failover, show route, show route failover.

Unified Communication Features

UC Protocol Inspection Enhancements

SIP Inspection and SCCP Inspection are enhanced to support new features in the Unified Communications Solutions, such as SCCP v2.0 support, support for GETPORT messages in SCCP Inspection, SDP field support in INVITE messages with SIP Inspection, and QSIG tunneling over SIP. Additionally, the Cisco Intercompany Media Engine supports Cisco RT Lite phones and third-party video endpoints (such as Tandberg).

We did not modify any commands.

Inspection Features

DCERPC Enhancement

DCERPC Inspection was enhanced to support inspection of RemoteCreateInstance RPC messages.

We did not modify any commands.

Troubleshooting and Monitoring Features

SNMP traps and MIBs

Supports the following additional keywords: connection-limit-reached, entity cpu-temperature, cpu threshold rising, entity fan-failure, entity power-supply, ikev2 stop | start, interface-threshold, memory-threshold, nat packet-discard, warmstart.

The entPhysicalTable reports entries for sensors, fans, power supplies, and related components.

Supports the following additional MIBs: ENTITY-SENSOR-MIB, CISCO-ENTITY-SENSOR-EXT-MIB, CISCO-ENTITY-FRU-CONTROL-MIB, CISCO-PROCESS-MIB, CISCO-ENHANCED-MEMPOOL-MIB, CISCO-L4L7MODULE-RESOURCE-LIMIT-MIB, NAT-MIB, EVENT-MIB, EXPRESSION-MIB.

Supports the following additional traps: warmstart, cpmCPURisingThreshold, mteTriggerFired, cirResourceLimitReached, natPacketDiscard, ciscoEntSensorExtThresholdNotification.

We introduced or modified the following commands: snmp cpu threshold rising, snmp interface threshold, snmp-server enable traps.

TCP Ping Enhancement

TCP ping allows users whose ICMP echo requests are blocked to check connectivity over TCP. With the TCP ping enhancement, you can specify a source IP address, a port, and a source interface, and send pings to a hostname or an IPv4 address.

We modified the following command: ping tcp.

Show Top CPU Processes

You can now monitor the processes that run on the CPU to obtain information related to the percentage of the CPU used by any given process. You can also see information about the load on the CPU, broken down per process, at 5 minutes, 1 minute, and 5 seconds prior to the log time. Information is updated automatically every 5 seconds to provide real-time statistics, and a refresh button in the pane allows a manual data refresh at any time.

We introduced the following command: show process cpu-usage sorted.

General Features

Password Encryption Visibility

You can show password encryption in a security context.

We modified the following command: show password encryption.

Upgrading the Software

Note You can upgrade from any previous release (if available for your model) directly to the latest release. If you are upgrading from a pre-8.3 release to a post-8.3 release, see the Cisco ASA 5500 Migration Guide to Version 8.3 and Later for important information about migrating your configuration to Version 8.3 or later.

Upgrading from some releases may have consequences for downgrading; be sure to back up your configuration file in case you want to downgrade.

This section describes how to upgrade to the latest version and includes the following topics:

Note For ASDM procedures, see the ASDM release notes.

Viewing Your Current Version

Use the show version command to verify the software version of your ASA.

Upgrading the Operating System and ASDM Images

This section describes how to install the ASDM and operating system (OS) images using TFTP. For FTP or HTTP, see the “Managing Software and Configurations” chapter in the CLI configuration guide.

We recommend that you upgrade the ASDM image before the OS image. ASDM is backward compatible, so you can upgrade the OS using the new ASDM; however, you cannot use an old ASDM image with a new OS.

For information about upgrading software in a failover pair, see the “Performing Zero Downtime Upgrades for Failover Pairs” chapter in the CLI configuration guide.

Detailed Steps

Step 1 If you have a Cisco.com login, you can obtain the OS and ASDM images from the following website:

http://www.cisco.com/go/asa-software

Step 2 Back up your configuration file. To print the configuration to the terminal, enter the following command:

hostname# show running-config

Copy the output from this command, then paste the configuration into a text file.


Note If you are upgrading from a pre-8.3 version, then the running configuration is backed up automatically.


For other methods of backing up, see the “Managing Software and Configurations” chapter in the CLI configuration guide.

Step 3 Install the new images using TFTP. Enter this command separately for the OS image and the ASDM image:

hostname# copy tftp://server[/path]/filename {disk0:/ | disk1:/}[path/]filename
 

For example:

hostname# copy tftp://10.1.1.1/asa840-4-k8.bin disk0:/asa841-k8.bin
...
hostname# copy tftp://10.1.1.1/asdm-64099.bin disk0:/asdm-641.bin
 

If your ASA does not have enough memory to hold two images, overwrite the old image with the new one by specifying the same destination filename as the existing image.

Step 4 To change the OS boot image to the new image name, enter the following commands:

hostname(config)# clear configure boot
hostname(config)# boot system {disk0:/ | disk1:/}[path/]new_filename

For example:

hostname(config)# clear configure boot
hostname(config)# boot system disk0:/asa841-k8.bin

Step 5 To configure the ASDM image to the new image name, enter the following command:

hostname(config)# asdm image {disk0:/ | disk1:/}[path/]new_filename

Step 6 To save the configuration and reload, enter the following commands:

hostname(config)# write memory
hostname(config)# reload

Open Caveats

Table 11 contains open caveats in the latest maintenance release.

If you are running an older release, and you need to determine the open caveats for your release, then add the caveats in these sections to the resolved caveats from later releases. For example, if you are running Version 8.4(1), then you need to add the caveats in this section to the resolved caveats from 8.4(2) and later to determine the complete list of open caveats.

If you are a registered Cisco.com user, view more information about each caveat using the Bug Search at the following website:

https://tools.cisco.com/bugsearch
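The rule above (open caveats in your release = caveats open in the latest maintenance release, plus caveats resolved in every release after yours) is tedious to apply by hand across several maintenance and interim releases, and several of the listed caveats are security-relevant. The following Python script is an added example and is not part of Cisco's release notes: it parses caveat tables in the flattened "Caveat / Description" layout used on this page and computes the set for a given release. The caveat entries embedded in it are a constructed subset of this page's tables, included only as sample input; the version parser is an assumption that Cisco's 8.4(x) and 8.4(x.y) numbering orders as tuples.

```python
"""Derive the open-caveat list for an older ASA 8.4(x) release.

The release notes publish only the caveats still open in the latest
maintenance release; for an older release you add the caveats resolved
in every release that came after yours.  This script parses the page's
flattened "Caveat / Description" tables and applies that rule.
"""
import re
from typing import Dict, Tuple

# Caveat IDs on the page look like CSCtk60416: "CSC", two letters, five digits.
CAVEAT_ID = re.compile(r"^CSC[a-z]{2}\d{5}$")


def parse_caveat_table(text: str) -> Dict[str, str]:
    """Parse a flattened table: each ID line is followed by its description line.

    Header lines ("Caveat", "Description") and blank lines are ignored.
    """
    caveats: Dict[str, str] = {}
    pending_id = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if CAVEAT_ID.match(line):
            pending_id = line
        elif pending_id is not None:
            caveats[pending_id] = line
            pending_id = None
    return caveats


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.4(4.5)' into (8, 4, 4, 5) so releases compare as tuples.

    Assumption: interim releases sort as 8.4(4.1) < 8.4(4.5) < 8.4(5).
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def open_caveats_for(version: str,
                     open_in_latest: Dict[str, str],
                     resolved_by_version: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Caveats open in `version`: open in the latest release plus resolved later."""
    target = parse_version(version)
    result = dict(open_in_latest)
    for release, caveats in resolved_by_version.items():
        if parse_version(release) > target:
            result.update(caveats)
    return result


# Constructed subset of the page's tables, in the page's own flattened layout.
OPEN_IN_LATEST = parse_caveat_table("""
Caveat
Description

CSCtk60416

Config load time of 500k ACLs in Routed is 3 times faster than Transp

CSCua68278

SYSRET 64-bit operating system privilege escalation
""")

RESOLVED_BY_VERSION = {
    "8.4(7)": parse_caveat_table("""
CSCug83080

Cross-site scripting vulnerability
"""),
    "8.4(6)": parse_caveat_table("""
CSCub58996

Cisco ASA Clientless SSLVPN CIFS Vulnerability

CSCue63881

ASA SSHv2 Denial of Service Vulnerability
"""),
}


def report(version: str) -> str:
    """Human-readable list of caveats open in `version`, sorted by ID."""
    caveats = open_caveats_for(version, OPEN_IN_LATEST, RESOLVED_BY_VERSION)
    lines = [f"Open caveats for ASA {version}: {len(caveats)}"]
    lines += [f"  {cid}  {desc}" for cid, desc in sorted(caveats.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("8.4(5)"))
```

To use it against the real data, paste the full text of Table 11 into the open set and each later "Resolved Caveats" table into the per-release map; the parser ignores the table title and header lines. Running it for 8.4(5) with the sample data above yields the two open caveats plus the three resolved in 8.4(6) and 8.4(7), which is exactly the set an operator of 8.4(5) would still be exposed to.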

 

Table 11 Open Caveats in ASA Version 8.4

Caveat      Description
CSCtk60416  Config load time of 500k ACLs in Routed is 3 times faster than Transp
CSCtl44287  Routing:Traceback observed on standby unit when exec clear conf all
CSCtq94990  Stale context present on active unit after vpn system test against 5585
CSCtr67875  HW accelerator error PKCS1 v1.5 RSA - cert auth fails with certain certs
CSCtu30620  Missing input validation for specific code functions
CSCtw31001  Unexpected overrun during connection high load test
CSCtw82904  ESP packet drop due to failed anti-replay checking after HA failovered
CSCtx43526  ASA 8.4.2.8 fill_cpu_hog_entry
CSCty22380  USG-IPv6 / ReadyLogo P2 Conformance Bug NA changes Running Config
CSCty79405  If 1st rule is dynamic source and dest any,no correct for exit inetrface
CSCty80078  ASASM shows duplicate link local address on failover
CSCua36964  ASA active unit crash, Thread Name: vpnfol_sync/Bulk Sync - Import Data
CSCua68278  SYSRET 64-bit operating system privilege escalation
CSCua92694  Traceback on Configuration Manipulation over Telnet/SSH Sessions
CSCub43580  Traceback when changing ipsec lifetime when IKEv2 tunnel is passing traf
CSCuc51614  Weblaunch of AC IKEv2 connection should re-DAP if NAC is not configured
CSCud16208  ASA 8.4.4.5 - Traceback in Thread Name: Dispatch Unit
CSCue51351  ASA: Huge NAT config causes traceback due to unbalanced p3 tree
CSCug48732  Crash when loading configuration from TFTP multiple contexts
CSCug66471  ASA: Form on sharepoint 2010 does not open when accessing through webvpn
CSCug89590  Hostscan 3.1.03104 does not detect Kaspersky AV 6.0
CSCuh03193  ASA - Not all GRE connections are replicated to the standby unit
CSCuh09400  ASA OSPF route stuck in database and routing table
CSCuh12279  ASA: Data packets with urgent pointer dropped with IPS as bad-tcp-cksum
CSCuh17787  ASA traceback in Thread Name : DATAPATH-6-1849
CSCuh40465  Observed slow phone registration traffic with tftp inspect
CSCuh49686  slow memory leak due to webvpn cache
CSCuh59097  ASA doesn't open a pinhole for the embedded address
CSCuh66630  ASA 8.4(5) - Traceback and reload on standby unit
CSCuh73530  ASA 8.4.6 ARP reply not sent on 10Gig Portchannel subinterface
CSCuh90740  WebVPN configs not synchronized when configured in certain order 2
CSCuh99686  ASA5585 - Multiple context -: block depletion - 256 and 1550 byte
CSCui00048  ASA crashes with 'debug menu webvpn 160' command
CSCui01258  limitation of session-threshold-exceeded value is incorrect
CSCui06895  Scaled SIP Traffic failure due to SIP Inspect on FCS image
CSCui24669  ASA PAT rules are not applied to outbound SIP traffic version 8.4.5/6
CSCui37980  ASA traceback in thread name hostscan_token_cleaner
CSCui40122  ASA traceback in thread name DATAPATH-1-1043
CSCui41794  ASA A/A fover automatic MAC address change causes i/f monitoring to fail
CSCui46469  ASA: Multicast traffic silently dropped on port-channel interfaces
CSCui53708  Some custom applications dosent work with Java 1.7 via smart tunnels
CSCui53710  ACL Migration to 8.3+ Software Unnecessarily Expands Object Groups
CSCui54667  ASA can't recognize BER encoding of digital certificate
CSCui55510  ASA traceback in Thread Name: DATAPATH-2-1140
CSCui55978  ASA 8.2.5 snmpEngineTime displays incorrect values
CSCui57181  ASA: Do not allow two IPsec tunnels with identical proxy IDs
CSCui63322  ASA Traceback When Debug Crypto Archives with Negative Pointers
CSCui66542  Traceback in tmatch compile thread
CSCui66657  Safari crashes when use scroll in safari on MAC 10.8 with smart-tunnel
CSCui70448  ASA 5580 ver 8.4.4.1 traceback with thread name CP HA Processing
CSCui70562  AnyConnect Copyright Panel and Logon Form message removed after upgrade
CSCui76170  Traceback in Thread Name: Dispatch Unit
CSCui79984  ASA DCERPC Pinhole Timeout Should be Idle not Absolute
CSCui80835  ASA drops packet as PAWS failure after incorrect TSecr is seen
CSCui82337  ASA SNMPv2-MIB ColdStart trap not sent on reload on data interfaces
CSCui83088  After upgrade ASA on 8.2 to 8.4.5 OID crasWebvpnNumSessions ret 0 count
CSCui85750  ASA SCH Inventory message incorrectly set at Severity 10
CSCui91247  ASA does not pass calling-station-id when doing cert base authentication
CSCul90037  No SNMP Traps during insertion/removal of power supply

Resolved Caveats

This section includes the following topics:

Note For a list of resolved caveats for each ASA interim release, see the interim release notes available on the Cisco.com software download site.

Resolved Caveats in Version 8.4(7)

Table 12 contains resolved caveats in ASA software Version 8.4(7).

If you are a registered Cisco.com user, view more information about each caveat using the Bug Search at the following website:

https://tools.cisco.com/bugsearch

 

Table 12 Resolved Caveats in ASA Version 8.4(7)

Caveat      Description
CSCsv41155  reload due to block depletion needs post-event detection mechanism
CSCsy66494  4GE-SSM: interface counter is not incremented after media-type changed
CSCtw57080  Protocol Violation does not detect violation from client without a space
CSCua69937  Traceback in DATAPATH-1-1143 thread: abort with unknown reason
CSCua98219  Traceback in ci/console during context creation - ssl configuration
CSCub50435  Proxy ARP Generated for Identity NAT Configuration in Transparent Mode
CSCub52207  Nested Traceback from Watchdog in tmatch_release_recursive_locks()
CSCuc66362  CP Processing hogs in SMP platform causing failover problems, overruns
CSCud05798  FIPS Self-Test failure,fips_continuous_rng_test [-1:8:0:4:4]
CSCud21312  ASA verify /md5 shows incorrect sum for files
CSCud34973  ASA stops decrypting traffic after phase2 rekey under certain conditions
CSCud50997  ASA IKEv2 fails to accept incoming IKEV2 connections
CSCud76481  ASA 8.6/9.x : Fails to parse symbols in LDAP attribute name
CSCud80242  UDP port 10000 reserved without any crypto configured
CSCud98455  ASA: 256 byte blocks depleted when syslog server unreachable across VPN
CSCue27223  Standby sends proxy neighbor advertisements after failover
CSCue30158  Traceback while editing objects attached to NAT
CSCue34342  ASA may crash due to watchdog timer while getting mapped address
CSCue46275  Connections not timing out when the route changes on the ASA
CSCue51796  OSPF routes missing for 10 secs when we failover one of ospf neighbour
CSCue62422  Multicast,Broadcast traffic is corrupted on a shared interface on 5585
CSCue78836  ASA removes TCP connection prematurely when RPC inspect is active
CSCue88423  ASA traceback in datapath thread with netflow enabled
CSCue98716  move OSPF from the punt event queue to its own event queue
CSCuf27008  Webvpn: Cifs SSO fails first attempt after AD password reset
CSCuf31253  Floating route takes priority over the OSPF routes after failover
CSCuf46296  Unable to add static NAT/PAT after upgrade to 8.4.5
CSCuf67469  ASA sip inspection memory leak in binsize 136
CSCuf68858  ASA: Page fault traceback in dbgtrace when running debug in SSH session
CSCuf71119  Incorrect NAT rules picked up due to divert entries
CSCuf79091  Cisco ASA time-range object may have no effect
CSCuf85295  ASA changes user privilege by vpn tunnel configuration
CSCuf85524  Traceback when NULL pointer was passed to the l2p function
CSCuf90410  ASA LDAPS authorization fails intermittently
CSCuf93071  ASA 8.4.4.1 traceback in threadname Datapath
CSCuf93843  No value or incorrect value for SNMP OIDs needed to identify VPN clients
CSCug03975  ASA 9.1(1) Reboot while applying regex dns
CSCug08285  Webvpn: OWA 2010 fails to load when navigating between portal and OWA
CSCug10123  ASA sends ICMP Unreach. thro wrong intf. under certain condn.
CSCug14707  ASA 8.4.4.1 Keeps rebooting when FIPS is enabled: FIPS Self-Test failure
CSCug23031  Clientless plugins are not working
CSCug23311  cannot access Oracle BI via clentless SSL VPN
CSCug24584  ASA console hangs with duplicate nat statements of sh nat
CSCug25761  ASA has inefficient memory use when cumulative AnyConnect session grows
CSCug29809  Anyconnect IKEv2:Truncated/incomplete debugs,missing 3 payloads
CSCug30086  ASA traceback on thread Session Manager
CSCug31704  ASA - "Show Memory" Output From Admin Context is Invalid
CSCug45645  Standby ASA continues to forward Multicast Traffic after Failover
CSCug51148  Responder uses pre-changed IP address of initiator in IKE negotiation
CSCug53708  Thread Name: Unicorn Proxy Thread
CSCug55969  ASA uses different mapped ports for SDP media port and RTP stream
CSCug56940  ASA Config Locked by another session prevents error responses.
CSCug59177  Page fault on ssh thread
CSCug71714  DHCPD appends trailing dot to option 12 [hostname] in DHCP ACK
CSCug74860  Multiple concurrent write commands on ASA may cause failure
CSCug75709  ASA terminates SIP connections prematurely generating syslog FIN timeout
CSCug76763  Cannot login webvpn portal when Passwd mgmt is enabled for Radius server
CSCug77782  ASA5585 - 9.1.1 - Traceback on IKEv2Daemon Thread
CSCug78561  ASA Priority traffic not subject to shaping in Hierarchical QoS
CSCug82031  ASA traceback in Thread Name: DATAPATH-4-2318
CSCug83036  L2TP/IPSec traffic fails because UDP 1701 is not removed from PAT
CSCug83080  Cross-site scripting vulnerability
CSCug86386  Inconsistent behavior with dACL has syntax error
CSCug87482  webvpn redirection fails when redirection FQDN is same as ASA FQDN
CSCug90225  ASA: EIGRP Route Is Not Updated When Manually Adding Delay on Neighbor
CSCug94308  ASA: "clear config all" does not clear the enable password
CSCug95287  ASA IDFW: idle users not marked as 'inactive' after default idle timeout
CSCug97772  Watchdog due to access-list change during uauth
CSCug98852  Traceback when using VPN Load balancing feature
CSCug98894  Traceback in Thread Name: OSPF Router during interface removal
CSCuh01167  Unable to display webpage via WebVPN portal, ASA 9.0(2)9
CSCuh01983  ASA tearsdown TCP SIP phone registration conn due to SIP inspection
CSCuh05021  "show inventory" displays no Power Supply if PS0 module pulled out
CSCuh05791  Single Sign On with BASIC authentication does not work
CSCuh10827  Cisco ASA config rollback via CSM doesnt work in multi context mode
CSCuh12375  ASA multicontext transparent mode incorrectly handles multicast IPv6
CSCuh13899  ASA protcol inspection connection table fill up DOS Vulnerability
CSCuh14302  quota management-session not working with ASDM
CSCuh19234  Traceback after upgrade from 8.2.5 to 8.4.6
CSCuh20716  Re-transmitted FIN not allowed through with sysopt connection timewait
CSCuh22344  ASA: WebVPN rewriter fails to match opening and closing parentheses
CSCuh23347  ASA:Traffic denied 'licensed host limit of 0 exceeded
CSCuh27912  ASA does not obfuscate aaa-server key when timeout is configured.
CSCuh34147  ASA memory leaks 3K bytes each time executing the show tech-support.
CSCuh40372  ASA Round-Robin PAT doesn't work under load
CSCuh45559  ASA: Page fault traceback when changing ASP drop capture buffer size
CSCuh48005  ASA doesn't send NS to stale IPv6 neighbor after failback
CSCuh48577  Slow memory leak on ASA due to SNMP
CSCuh52326  ASA: Service object-group not expanded in show access-list for IDFW ACLs
CSCuh58576  Different SNMPv3 Engine Time and Engine Boots in ASA active / standby
CSCuh66892  ASA: Unable to apply "http redirect <interface_name> 80" for webvpn
CSCuh73195  Tunneled default route is being preferred for Botnet updates from ASA
CSCuh74597  ASA-SM multicast boundary command disappears after write standby
CSCuh80522  nat config is missing after csm rollback operation.
CSCuh90799  ASA 5505 Ezvpn Client fails to connect to Load Balance VIP on ASA server
CSCuh99164  Multiple syslogs generated on port channel subinterfaces
CSCui10904  Macro substitution fails on External portal page customization
CSCui25277  ASA TFW doesn't rewrite VLAN in BPDU packets containing Ethernet trailer
CSCui38495  ASA Assert in Checkheaps chunk create internal
CSCui42956  ASA registers incorrect username for SSHv2 Public Key Authenticated user
CSCui48221  ASA removes RRI-injected route when object-group is used in crypto ACL

Resolved Caveats in Version 8.4(6)

Table 13 contains resolved caveats in ASA software Version 8.4(6).

If you are a registered Cisco.com user, view more information about each caveat using the Bug Search at the following website:

https://tools.cisco.com/bugsearch

 

Table 13 Resolved Caveats in ASA Version 8.4(6)

Caveat
Description

CSCsk06824

Syslog 103005 should include reason for failure

CSCsr58601

SCCP does not handle new msg StartMediaTransmissionACK

CSCte46553

ENH: show memory detail top-usage

CSCti07431

1/5 minute input rate and output rate are always 0 with user context.

CSCti14272

Time-based License Expires Pre-maturely

CSCti38856

Elements in the network object group are not converted to network object

CSCtj87870

Failover disabled due to license incompatible different Licensed cores

CSCtn15254

Message: 'Link is down as 10Gbps support is not licensed' always shown

CSCto50963

ASA SIP inspection - To: in INVITE not translated after 8.3/8.4 upgrade

CSCto87674

ST not injected in mstsc.exe on 32-bit Win 7 when started through TSWeb

CSCtq12090

ACL remark line is missing when range object is configured in ACL

CSCtr04553

Traceback while cleaning up portlist w/ clear conf all or write standby

CSCtr17899

Some legitimate traffic may get denied with ACL optimization

CSCtr92976

ESMTP inspection corrupts data

CSCts15825

RRI routes are not injected after reload if IP SLA is configured.

CSCtx32727

GTP inspect not working in Asymmetric Routing Envirement with ASR group:

CSCtx55513

ASA: Packet loss during phase 2 rekey

CSCty59567

Observing traceback @ ipigrp2_redist_metric_incompatible+88

CSCty85328

PPPOE manual address allocation changes subnet into /32

CSCtz00381

RADIUS client too busy - try later

CSCtz56155

misreported high CPU

CSCtz64218

ASA may traceback when multiple users make simultaneous change to ACL

CSCtz70573

SMP ASA traceback on periodic_handler for inspecting icmp or dns trafic

CSCtz79578

Port-Channel Flaps at low traffic rate with single flow traffic

CSCtz83605

Clientless SSL VPN causes UAC on Win 7 to fail when CSD and ST are used

CSCua13405

Failover Unit Stuck in Cold Standby After Boot Up

CSCua22709

ASA traceback in Unicorn Proxy Thread while processing lua

CSCua44723

ASA nat-pat: 8.4.4 assert traceback related to xlate timeout

CSCua50058

PP : TFTP ACK to last block dropped

CSCua51319

simultaneous config-changes on multiple contexts can't be synchronized

CSCua93764

ASA: Watchdog traceback from tmatch_element_release_actual

CSCub04470

ASA: Traceback in Dispatch Unit with HTTP inspect regex

CSCub08224

ASA 210005 and 210007 LU allocate xlate/conn failed with simple 1-1 NAT

CSCub15394

unexpected policy-map is added on standby ASA when new context is made

CSCub16427

Standby ASA traceback while replicating flow from Active

CSCub16573

ASA: Memory leak due to SNP RT Inspect

CSCub58996

Cisco ASA Clientless SSLVPN CIFS Vulnerability

CSCub61578

ASA: Assert traceback in PIX Garbage Collector with GTP inspection

CSCub62584

ASA unexpectedly reloads with traceback in Thread Name: CP Processing

CSCub63148

With inline IPS and heavy load ASA could drop ICMP or DNS replies

CSCub72990

ASA is max-aging OSPF LSAs after 50 minutes

CSCub84164

ASA traceback in threadname Logger

CSCub86331

HA ASA Zero downtime upgrade on HA pair is not working

CSCub89078

ASA standby produces traceback and reloads in IPsec message handler

CSCub98434

ASA: Nested Crash in Thread Dispatch Unit - cause: SQLNet Inspection

CSCub99578

High CPU HOG when connnect/disconnect VPN with large ACL

CSCuc12119

ASA: Webvpn cookie corruption with external cookie storage

CSCuc12967

OSPF routes were missing on the Standby Firewall after the failover

CSCuc14644

SIP inspect NATs Call-ID in one direction only

CSCuc16455

ASA packet transmission failure due to depletion of 1550 byte block

CSCuc16513

'clear config crypto ipsec ikev1' removes ikev2 proposals as well

CSCuc16670

ASA - VPN connection remains up when DHCP rebind fails

CSCuc17257

ASA Traceback - MD5_Update

CSCuc19882

Flash filesystem does not recognize filenames > 63 characters

CSCuc20974

ASA: MTU value does not change for PPPoE interface

CSCuc23984

ASA: Port-channel config not loaded correctly when speed/duplex are set

CSCuc24007

Show NAT pool reference object that is not used in translation

CSCuc24547

TCP ts_val for an ACK packet sent by ASA for OOO packets is incorrect

CSCuc24919

ASA: May traceback in Thread Name: fover_health_monitoring_thread

CSCuc25787

Per tunnel webvpn customizations ignored after ASA 8.2 upgraded to 8.4

CSCuc28903

ASA 8.4.4.6 and higher: no OSPF adj can be build with Portchannel port

CSCuc34345

Multi-Mode treceback on ci/console copying config tftp to running-config

CSCuc36831

Traceback when removing group-policy

CSCuc40005

PRTG app Javascript as a stream (not content) fails through the rewriter

CSCuc40450

error 'Drop-reason: (punt-no-mem) Punt no memory' need to be specific

CSCuc44179

Static routes not getting redistributed into EIGRP table via prefixlist

CSCuc45011

ASA may traceback while fetching personalized user information

CSCuc46026

ASA traceback: ASA reloaded when call home feature enabled

CSCuc46270

ASA never removes qos-per-class ASP rules when VPN disconnects

CSCuc46561

OWA doesn't work after the ASA upgrade

CSCuc48355

ASA webvpn - URLs are not rewritten through webvpn in 8.4(4)5

CSCuc50544

Error when connecting VPN: DTLS1_GET_RECORD Reason: wrong version number

CSCuc56078

Traceback in threadname CP Processing

CSCuc60478

Management access fails via L2TP VPN client on SMP platform

CSCuc60566

ASA IPSEC error: Internal Error, ike_lock trying to unlock bit

CSCuc60950

Traceback in snpi_divert with timeout floating-conn configured

CSCuc63592

HTTP inspection matches incorrect line when using header host regex

CSCuc64108

ASA:DAP User Messages is truncated when action is terminate

CSCuc65775

ASA CIFS UNC Input Validation Issue

CSCuc72408

Denial of Service During Validation of Crafted Certificates.

CSCuc74333

EZVPN: User gets unexpected IUA prompt

CSCuc74488

ASA upgrade fails with large number of static policy-nat commands

CSCuc74758

Traceback: deadlock between syslog lock and host lock

CSCuc75090

Crypto IPSec SA's are created by dynamic crypto map for static peers

CSCuc75093

Log indicating syslog connectivity not created when server goes up/down

CSCuc79825

5580 - Thread Name: CP Midpath Processing eip pkp_free_ssl_ctm

CSCuc83059

traceback in fover_health_monitoring_thread

CSCuc83170

ipsecvpn-ike:IKEv1 rekey fails when IPCOMP proposal is sent

CSCuc83323

XSS in SSLVPN

CSCuc83828

ASA Logging command submits invalid characters as port zero

CSCuc84079

ASA: Multiple context mode does not allow configuration of 'mount'

CSCuc86512

Encrypt ftp/smb creds in config and asdm

CSCuc89163

Race condition can result in stuck VPN context following a rekey

CSCuc92292

ASA may not establish EIGRP adjacency with router due to version issues

CSCuc96911

ASASM platform is not exempt from MAC move wait timer

CSCuc97552

Deny rules in crypto acl blocks inbound traffic after tunnel formed

CSCuc98398

ASA writes past end of file system then can't boot

CSCud02647

traffic is resetting uauth timer

CSCud04867

Incorrect and duplicate logs about status change of port-channel intfs

CSCud07436

APCF Flag no-toolbar fails after upgrade to 8.4.4.9

CSCud07930

ASA webvpn plugin files Expires header incorrectly set

CSCud08203

Smart-tunnel failing to forward tcp connections for certain application

CSCud08385

Smart Tunnel failed for Safari 6.0.1/6.0.2 on OSX10.7 and 10.8

CSCud12924

CA certificates expiring after 2038 display wrong end date on 5500-X

CSCud16105

Called-Station-Id in RADIUS acct stop after failover is standby address.

CSCud16590

ASA may traceback in thread emweb/https

CSCud17993

ASA-Traceback in Dispatch unit due to dcerpc inspection

CSCud21714

BTF traceback in datapth when apply l4tm rule

CSCud28106

IKEv2: ASA does not clear entry from asp table classify crypto

CSCud29007

License server becomes unreachable due to "signature invalid" error

CSCud32111

Deny rules in crypto acl blocks inbound traffic after tunnel formed

CSCud33260

ASDM 7.0(2) reports ERROR when sending 'exit' command to ASA

CSCud36686

Deny ACL lines in crypto-map add RRI routes

CSCud37333

Increase stack size in VPN Load Balancing feature

CSCud40898

TLS-Proxy does not Send issuer name in the certificate

CSCud41507

Traffic destined for L2L tunnels can prevent valid L2L from establishing

CSCud41670

ASA nested traceback with url-filtering policy during failover

CSCud42001

Smart Tunnel hangs when list contains more than 80 entries

CSCud43999

Prioritize Failover Control Packets on ASA5585-X CPU Uplinks

CSCud46746

DNS resolution for "from-the-box" traffic not working with "names"

CSCud47900

ASA: adding nested object group fails with "IP version mismatch"

CSCud51281

"Failed to update IPSec failover runtime data" msg on the standby unit

CSCud56558

Standby ASA reloads unexpectedly after config sync with netflow enabled

CSCud57759

DAP: debug dap trace not fully shown after +1000 lines

CSCud62661

STI Flash write failure corrupts large files

CSCud64725

VPNLB: Lost packet during IKEv1 not retransmitted

CSCud65506

ASA5585: Traceback in Thread Name:DATAPATH when accessing webvpn urls

CSCud67392

ASA hitless upgrade from 8.2 to 8.4 - ERROR: unable to download policy

CSCud69251

traceback in ospf_get_authtype

CSCud69535

OSPF routes were missing on the Active Firewall after the failover

CSCud70273

ASA may generate Traceback while running packet-tracer

CSCud72383

IKEV2-L2L: DH handle leak when PFS enabled only on one peer

CSCud72855

ASA5585-X zeroes out dest MAC address after IPS processing

CSCud74941

ASA LDAP Mapping should not map 0 to values with no match

CSCud81304

TRACEBACK, DATAPATH-8-2268, Multicast

CSCud84454

ASA in HA lose shared license post upgrade to 9.x

CSCud84827

ASA 5580 running 8.2(5)13 traceback

CSCud85831

Netbios insp translating ip in answer field to mapped ip of WINS server

CSCud86142

Anyconnect using Ikev2 is missing username in syslog messages

CSCud89380

ASA: Username with ampersand disconnects ASDM Firewall Dashboards

CSCud89974

flash in ASA5505 got corrupted

CSCue00850

Traceback: snp_syslog fails to recognise parent syslog flow

CSCue04309

TCP connection to multicast MAC - unicast MAC S/ACK builds new TCP conn

CSCue05458

16k blocks near exhaustion - process emweb/https (webvpn)

CSCue06072

quota-level shows negative value cutting off remote access SSH/ASDM

CSCue09762

Revert change in subnetting rules for splittunnel policy for smarttunnel

CSCue11669

ASA 5505 not Forming EIGRP neighborship after failover

CSCue11738

ACL migration issues with NAT

CSCue15533

ASA:Crash while deleting trustpoint

CSCue17876

Some java applets won't connect via smart tunnel on windows with jre1.7

CSCue23700

ASA not in ha becomes pseudo standby after "no fail active"

CSCue25524

Webvpn: Javascript based applications not working

CSCue31622

Secondary Flows Lookup Denial of Service Vulnerability

CSCue32221

LU allocate xlate failed (for NAT with service port)

CSCue33354

Mac version Smart Tunnel with Safari 6.0.1/6.0.2 issue

CSCue35150

ASA in multicontext mode provides incorrect SNMP status of failover

CSCue35343

Memory leak of 1024B blocks in webvpn failover code

CSCue36084

RADIUS Memory Leak on ASA using AD-Agent

CSCue41939

IKEv2 reply missing 4bytes of 0's after UDP header

CSCue45615

Portchannel keeps sending packets through down/down interface

CSCue46757

Make default behavior for LZS compression the same for DTLS and TLS

CSCue47775

after-auto NAT rule (section 3) is not evaluated after double add/remove

CSCue48276

ASA drops packets with IP Options received via a VPN tunnel

CSCue55461

ESMTP drops due to MIME filename length >255

CSCue56047

IPv6 ACL can't be modified after used as vpn-filter

CSCue56901

secondary-authentication-server-group cmd breaks Ikev1/IPsec RA VPN auth

CSCue59676

ASA shared port-channel subinterfaces and multicontext traffic failure

CSCue60069

ENH: Reload ASA when free memory is low

CSCue61123

config changes are not reflecting to standby ASA

CSCue62470

mrib entries may not be seen upon failover initiated by auto-update

CSCue63881

ASA SSHv2 Denial of Service Vulnerability

CSCue68555

Hostscan data greater than 100K will cause an Invalid Token from ASA

CSCue71411

Objects-groups missing from config after upgrading from 8.4.2 to 8.4.5.5

CSCue73708

Group enumeration still possible on ASA

CSCue74372

Anyconnect DTLS idle-timeout is being reset by transmit traffic only

CSCue74649

When specifying two same OID in GETBULK, reply has no duplicate OID

CSCue77969

Character encoding not visible on webvpn portal pages.

CSCue82544

ASA5585 8.4.2 Traceback in Thread Name aaa while accessing Uauth pointer

CSCue84586

re-write fails for javascript generated URL with "\"

CSCue88560

ASA Traceback in Thread Name : CERT API

CSCuf02988

ASA: Page fault traceback in aaa_shim_thread

CSCuf06633

ASA crash in Thread Name: UserFromCert

CSCuf07810

DTLS drops tunnel on a crypto reset

CSCuf16850

split-dns cli warning msg incorrect after client increasing the limit

CSCuf27811

ASA: Pending DHCP relay requests not flushed from binding table

CSCuf34123

ASA 8.3+ l2l tunnel-group name with a leading zero is changed to 0.0.0.0

CSCuf34754

Framed-IP-Address not sent with AC IKEv2 and INTERIM-ACCOUNTING-UPDATE

CSCuf58624

snmp engineID abnormal for asa version 8.4.5 after secondary asa reload

CSCuf65912

IKEv2: VPN filter ACL lookup failure causing stale SAs and crash

CSCuf77294

ASA traceback with Thread Name: DATAPATH-3-1041

CSCuf89220

ASA IDFW : Unable to handle contacts in DC user groups

CSCug22787

Change of behavior in Prefill username from certificate SER extraction

Resolved Caveats in Version 8.4(5)

Table 14 contains resolved caveats in ASA software Version 8.4(5).

If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolkit/

 

Table 14 Resolved Caveats in ASA Version 8.4(5)

Caveat
Description

CSCee19547

show failover does not show interface shutdown status

CSCsk06824

Syslog 103005 should include reason for failure

CSCsr58601

SCCP does not handle new msg StartMediaTransmissionACK

CSCsy84937

AUTOCOMPLETE attribute is not disabled for SSL VPNs

CSCte92599

ACL Hitcount incorrect for network objects containing range

CSCtf59088

Active LED stays green without active failover group

CSCtg58074

ASA CRYPTO: Hardware Accelerator Archive File Created

CSCth40745

ENH: Support IS-IS routing protocol passthrough in transparent mode

CSCtj12159

ASA (8.3.2) traceback in Thread Name: DATAPATH-1-1295

CSCtj18386

Cannot redirect all ports traffic to some server/port with Twice NAT

CSCtj39083

ASA 8.3.x not passing multicast traffic when RP address is NAT-ed

CSCtj68732

ASA: DHCP-Relay should forward out interface based on internal gi-addr

CSCtl96793

ASA5550 allows configuration of Jumbo MTU although unsupported

CSCtn69856

Memory Block Leak Denial of Service Vulnerability

CSCto32012

Routing: page fault traceback in Thread Name: EIGRP-IPv4: PDM

CSCto92860

During failover interface testing ASA might test old ARP entries

CSCtq47028

ASA: Manual NAT rules are not processed in order

CSCtq78296

ASA 5505 prints message %ASA-1-111111 when adding a new vlan interface

CSCtq84922

ASA admin context memory usage is invalid

CSCtr24705

Traceback seen while running packet-tracer due to Page fault

CSCtr35503

IPV6 router advertisements dropped by multicontext firewall

CSCtr65014

vpn-filter removed incorrectly from ASP table blocks L2L traffic

CSCtr65927

dynamic policy PAT fails with FTP data due to latter static NAT entry

CSCtr79885

ASA with VoIP memory leak 1% per day on binsize 56

CSCtr83416

Incorrect results returned by SNMP object cipSecGlobalActiveTunnels

CSCtr85499

ASA: Radius MS-CHAPV2 with challenge fails

CSCts15825

RRI routes are not injected after reload if IP SLA is configured.

CSCts16081

ASA Multicontext: allocated interface may not be configurable in context

CSCts50723

ASA: Builds conn for packets not destined to ASA's MAC in port-channel

CSCts72188

ASA: SSH process may exist after being orphaned from SSH session

CSCtt02427

5585 producing 402123 logs and denying AC users w/ aaa failing

CSCtu32847

ASA 8.4(2.1) high memory and traceback in aaa_shim_thread

CSCtw95262

ASA sends unidirectional RST when a packet is dropped via MPF

CSCtw99054

VPN: Bytes RCV and XMT incorrect in session disconnect message

CSCtx03901

1550 byte block leak in socks_proxy_datarelay

CSCtx10196

Webvpn : Javascript rewrite causing login button to be inactive

CSCtx29666

Smart Call Home error on transmission of message - Duplicate Message ID

CSCtx33347

Standby ASA traceback while trying to replicate xlates

CSCtx42698

Traceback in Thread Name: Dispatch Unit

CSCtx43083

Syslog 199011 "Close on bad channel in process/fiber"

CSCtx49751

nat command allows the interface keyword to be chosen as a pat-pool

CSCtx52020

Traceback in Thread Name: rtcli async executor process

CSCtx55176

Packet fragmentation issue on IPSec Over TCP

CSCtx55814

Newly Added Failover Unit With Lesser License Rejects Configuration

CSCtx60431

Traceback in Thread Name: Dispatch Unit due to Websense URL Filtering

CSCtx61991

Show proc memory columns too small producing unreadable output.

CSCtx71103

Allow route next-hop as 127.0.0.1 in lieu of Null0

CSCtx82335

Reserve 256 byte block pool for ARP processing

CSCtx83820

ASA 8.x AAA Authentication Listener HTTP Redirect not working with IE9

CSCtx84986

Different PowerSupply number between show inventory/environment

CSCtx86924

ASA: Traceback in purgatory in release of DSH (datastructure handle)

CSCtx98905

ASA traceback with Thread Name: dhcp_daemon

CSCty00372

IPV6 extension header inspection On the ASA 8.4.2 does not work

CSCty03086

To-the-box traffic fails from hosts over L2L vpn tunnel & AnyConnect VPN

CSCty04934

logging debug-trace has issues with lines starting with numbers

CSCty12813

ASA 5585: Traceback after Reload when TCP syslog server unavailable

CSCty18976

ASA sends user passwords in AV as part of config command authorization.

CSCty27179

NAT Migration Fails with Large Policy NAT ACLs

CSCty28215

ASA : error message during upgrade from 8.0.5 to 8.2.4 or 8.2.2

CSCty32412

ASA: Anyconnect u-turn to ipsec tunnel fails

CSCty33946

ASA5580 traceback after upgrade to 8.4.3.2

CSCty38807

VPN Remote user address assignment failed after RADIUS authentication

CSCty41149

Failover Cluster License Must be Cleared When Failover is Unconfigured

CSCty45900

NAT rules specifying an interface of any removed if an interface deleted

CSCty47007

CSC: Secondary goes to pseudo standby state when failover is enabled

CSCty62368

Traceback with Netflow configuration

CSCty62526

Password management not working with external group-policy

CSCty63269

Traceback in Thread Name: IKEv2 Daemon

CSCty63897

ASA5585-standby traceback during hitless upgrade: 8.4.2.8-->8.4.3

CSCty67141

ASA Traceback when applying Regexes via script

CSCty70661

HTTP Inspection does not understand verb without trailing LWSP

CSCty74915

Chassis serial number is incorrect in call-home message on 5585 platform

CSCty75087

dACLs not removed from ASA after AC IKEv2 clients log out

CSCty75967

Xlate not replicated to standby when pat used

CSCty80349

ASA IKEV2 :Unable to establish site to site VPN for specific ident-pairs

CSCty81963

ASA sends User-Password RADIUS attribute wrongly with EAP authentication

CSCty93931

ASA generates traceback message when connected with L2TP/IPsec

CSCty95468

ENH: Add Command to Allow ARP Cache Entries from Non-Connected Subnets

CSCty95742

ASA-4-402116 - error message displays outer instead of inner packet

CSCty99200

ASA stops sending PADI for PPPoE when config applied via AUS

CSCtz00381

RADIUS client too busy - try later

CSCtz00753

Active ASA5505 interface remains in Waiting state

CSCtz01680

IDFW: SYSLOG 746012 appears twice

CSCtz04768

Emails from Smart Call Home are not RFC 2822 Section 2.3 compliant

CSCtz05457

authentication in esmtp inspection breaks

CSCtz06058

ASA NAT: LU allocate xlate failed (for NAT with service port)

CSCtz11129

ASA Radius Acct-Delay-Time does not work

CSCtz12435

ASA - dhcp relay - option 252 is not passed down to the clients

CSCtz14107

AJAX - Mis-rendered page layout on IE over WebVPN

CSCtz14749

Traceback in Thread Name: CP Midpath Processing

CSCtz15503

ASA: Assert tracebacks with GTP inspection

CSCtz16780

Traceback observed at og_check_subgrp+158

CSCtz26123

ASA traceback in SiteMinder SSO when users log into ssl vpn web portal

CSCtz27402

ASA WebVPN URL Rewrite Failing - Form action with special characters

CSCtz31686

SNMP ciscoRasTooManySessions trap is sent from Standby ASA

CSCtz32065

Traceback in Thread Name accept/http

CSCtz33266

Http Not found when logging off a RDP session with RDP ActiveX Plugin

CSCtz34603

ASA: webvpn removes secure tag from cookies sent by remote server

CSCtz39418

multiple clients can connect with "vpn-simultaneous-logins 1"

CSCtz40094

ASA 8.2.5.27 secondary traceback after the upgrade - Thread Name: snmp

CSCtz41926

RA VPN license client fails to request more licenses from the server

CSCtz41928

Traceback: timer assert due to nf_block timer race condition

CSCtz43942

skinny-inspect intermittently uses odd port for RTP stream

CSCtz44586

ASA VPN IPSEC load balancing causes 1550 block depletion

CSCtz46845

ASA 5585 with IPS inline -VPN tunnel dropping fragmented packets

CSCtz47034

ASA 5585- 10 gig interfaces may not come up after asa reload

CSCtz47144

ASA: webvpn secure content should not be cached in local disks

CSCtz56155

misreported high CPU

CSCtz56971

ASA SCH - Traceback in thread name: sch_prompt anonymous reporting

CSCtz57006

IPv6 traffic to standby fails in transparent mode

CSCtz58744

Java applet failing at launch over Clientless WebVPN

CSCtz59915

ASA assigned IP address from DHCP to VPN clients randomly fails

CSCtz63143

ASA sip inspect - duplicate pre-allocate secondary pinholes created

CSCtz64589

ASA: Downloading capture via HTTP returns incorrect content-length

CSCtz71022

(VPN-Secondary) Failed to update IPSec failover runtime data on the standby

CSCtz78693

ASA SSLVPN Java RDP Plugin traceback with socket write error exception

CSCtz78718

ASA: access-list with name "ext" is changed to "extended" on boot

CSCtz79983

Incorrect MPF conn counts cause %ASA-3-201011 and DoS condition

CSCtz80888

ASDM Session Replication during Failover

CSCtz81677

Aggregate Auth does not send "88" error code for radius-reject-message

CSCtz82438

Syslog %ASA-4-402123 Printed incorrectly for webvpn traffic

CSCtz82865

SNMP MIB: Equivalent of "show xlate count" command

CSCtz83605

Clientless SSL VPN causes UAC on Win 7 to fail when CSD and ST are used

CSCtz85987

IKEv2 tunnels fail in one direction following rekey-on-data

CSCtz86333

ASA may reload with traceback in Thread Name: vpnfol_thread_msg

CSCtz87164

Deny lines in NAT exemption ACL causes ASA config migration to fail

CSCtz92315

ASA Authorization fails with LDAP for user with any expiration date set

CSCtz92779

ASA accept IKEv2 AC reconnect request once then tear it down

CSCtz92900

ASA generates "The ASA hardware accelerator encountered an error"

CSCtz94135

Syslog 324001 Reason string missing when pkt dropped because of Null TID

CSCtz94191

ASA cut-through proxy stops working when using FQDN ACL

CSCtz94894

ASA: CPU profile activate command prints incorrect instructions

CSCtz97792

Block depletion, embedded web client transmit queue

CSCtz98516

Observed Traceback in SNMP while querying GET BULK for 'xlate count'

CSCtz99950

ASA VPN client connection fails if 'name' is configured the same as TG

CSCua02570

ASA nointeractive trustpoint auth fails with Incorrect fingerprint

CSCua05034

WebVPN: OWA server sending error message due to missing Canary Value

CSCua12570

Clientless: failed ntlm authentication leads to iobuffer uninitialized

CSCua12688

debug ctl-provider causes traceback

CSCua12795

ASA: High CPU with DTLS sessions and 'crypto engine large-mod-accel'

CSCua16597

Webvpn: RDP ActiveX plugin causes high cpu with IE

CSCua21363

1550 byte block depletion related to TCP

CSCua22779

ASA 5585-Able to ping shut shared port channel/gig shared sub interface

CSCua24960

Traceback in CP Midpath Processing - SSL DHE cipher

CSCua27134

Traceback in Thread Name: Dispatch Unit

CSCua28838

ASA:IKEv2 tunnel failure due to IPsec rekey collision

CSCua29269

ASA: WebVPN Rewrite issue - drop down menu rendering is incorrect

CSCua30564

CPU-hog during line-protocol-up event of 4GE-SSM ports

CSCua35337

Local command auth not working for certain commands on priv 1

CSCua35666

ASA: traceback in Thread Name: IPsec message handler, Syslog 602305

CSCua44445

ASA sends too large TCP payload when ASA MSS < Client MSS

CSCua44530

ASA RA tunnel fails when vlan is set in grppol and XAUTH disabled

CSCua45564

Add a CLI to configure SSL FCADB timeout

CSCua45611

pki: import from terminal fails when 'quit' embedded in certificate

CSCua50160

ASA: Page fault traceback in lu_rx with failover and GTP inspection

CSCua51319

simultaneous config-changes on multiple contexts can't be synchronized

CSCua58478

Traceback in Thread Name: CERT API

CSCua58718

ASA pre-defined objects have incorrect port values

CSCua60417

8.4.3 system log messages should appear in Admin context only

CSCua61119

ASA: Page fault traceback when changing port-channel load balancing

CSCua61386

Websense URL Filtering triggers syslog 216004

CSCua62162

Clientless SSL VPN rewriter fails with javascript

CSCua64808

logging debug-trace has issues with radius debugs

CSCua67463

Anyconnect fails to connect after ASA failover due to IP conflict

CSCua71378

ERROR: IKE cannot reserve the IPSec UDP port 10000

CSCua72585

Error returned while removing pfs from dynamic crypto map

CSCua74427

Some AAA Server Group names result in blank AAA config

CSCua75061

ASA (8.4.4) Traceback in Thread Name: IKE Daemon, Syslog 402142

CSCua76973

ASA: Some NAT configuration removed on failover upgrade to 8.4(4)

CSCua83032

Some parts of the WebVPN login susceptible to HTTP Response Splitting

CSCua86676

aaa-radius: ASA sending duplicate Radius access request

CSCua87170

Interface oversubscription on active causes standby to disable failover

CSCua88376

ASA vulnerable to CVE-2003-0001

CSCua89506

ipsecvpn-ikev2: assert Traceback in Thread Name: IKEv2 Daemon

CSCua91108

ASA unexpected system reboot with Thread Name: UserFromCert Thread

CSCua91189

Traceback in CP Processing when enabling H323 Debug

CSCua92333

Flowcontrol status is OFF on ASA, after enabling it on ASA and switch.

CSCua92556

ASA sip inspect - Pre-allocate SIP NOTIFY TCP secondary channel

CSCua93764

ASA: Watchdog traceback from tmatch_element_release_actual

CSCua95621

ASA:write standby command brings down port-channel interface on standby

CSCua98019

Cisco script injected in html tags, JS conditional comments

CSCua99003

WebVPN:"My Mail" option doesn't work for OWA2010

CSCua99091

ASA: Page fault traceback when copying new image to flash

CSCub02268

Maximum TCP intercept config values too low for larger FWs

CSCub05888

ASA 5580-20: object-group-search access-control causes failover problem

CSCub06626

ASA may traceback while loading a large context config during bootup

CSCub07976

config factory-default does not clear ssl commands

CSCub09280

ASA Content rewrite HTML content was treated as ajax response

CSCub10537

4096 byte block depletion due to ak47_np_read

CSCub11582

ASA5550 continuous reboot with tls-proxy maximum session 4500

CSCub13022

ASA updates arp entry with an invalid GARP

CSCub14196

FIFO queue oversubscription drops packets to free RX Rings

CSCub15394

unexpected policy-map is added on standby ASA when new context is made

CSCub17664

ASA 5585 8.4.4.1 duplicated log when tengiga interface up/down

CSCub23840

ASA crashes due to nested protocol object-group used in ACL

CSCub24113

ASA does not check aaa-server use before removing commands

CSCub28198

ASA Webvpn rewriter compression not working

CSCub28721

Standby ASA has duplicate ACEs for webtype ACLs after 'write standby'

CSCub31151

"idle-timeout = 0" is not able to configure with AnyConnect IKEv2

CSCub37344

ASA ospf redistributing failover interface network

CSCub37882

Standby ASA allows L2 broadcast packets with asr-group command

CSCub39677

ASA Webvpn form POST is not rewritten 8.4.1.8 or later

CSCub52102

ASA 8.3.2 'name' command is not mapped to 'show crypto ipsec sa' output

CSCub56239

ASA Auth-Proxy should reject aaa listener if port already in use

CSCub59136

ASA: Manual NAT rules are not processed in order

CSCub59536

NAT Config Rejected on Upgrade when Objects Overlap with Failover IP

CSCub68349

Port-channel interface uses incorrect delay value

CSCub70946

ASA traceback under threadname Dispatch Unit due to multicast traffic

CSCub72545

syslog 113019 reports invalid address when VPN client disconnects.

CSCub75522

ASA TFW sends broadcast arp traffic to all interfaces in the context

CSCub83472

VPNFO should return failure to HA FSM when control channel is down

CSCub84711

OID used for authentication by EKU is truncated

CSCub88739

ASA5585: May crash in Thread Name: DATAPATH-1-1141

CSCub94635

Deleting ip local pool cause disconnect of VPN session using other pools

CSCub97263

WebVPN PortForward code signing issue

CSCub99704

WebVPN - mishandling of request from Java applet

CSCuc04636

Traceback in Thread Name: accept/http

CSCuc06857

Accounting STOP with caller ID 0.0.0.0 if admin session exits abnormally

CSCuc09055

Nas-Port attribute different for authentication/accounting Anyconnect

CSCuc14191

ASA: Webvpn rewriter not rewriting eval function call properly

CSCuc14255

Enhance RTCLI implementation of password type (BNF)

CSCuc15034

The "clear crypto ca crls <trustpoint>" command does not work

CSCuc16455

ASA packet transmission failure due to depletion of 1550 byte block

CSCuc17257

ASA Traceback - MD5_Update

CSCuc23984

ASA: Port-channel config not loaded correctly when speed/duplex are set

CSCuc25787

Per tunnel webvpn customizations ignored after ASA 8.2 upgraded to 8.4

CSCuc45011

ASA may traceback while fetching personalized user information

CSCuc48355

ASA webvpn - URLs are not rewritten through webvpn in 8.4(4)5

Resolved Caveats in Version 8.4(4.1)

Table 15 contains resolved caveats in ASA software Version 8.4(4.1).

If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolkit/


Note: Version 8.4(4) was removed from Cisco.com due to build issues; upgrade to Version 8.4(4.1) or later.


 

Table 15 Resolved Caveats in ASA Version 8.4(4.1)

Caveat
Description

CSCsv94848

Warning message for "igmp static-group": "affective" should be "effective"

CSCsz04730

PIX/ASA: When route changes connections over IPSEC tunnel not torn down

CSCta06013

Fuzzing testbed, traceback in the javascript parser

CSCte76002

Low performance over shared vlans in multi-mode

CSCtf44231

Shun: inconsistent behavior for to the box and through the box conn

CSCtf79704

ASA: crasActGrNumUsers does not update tunnel groups after upgrade

CSCtg01763

ENH - call-home email Subject should be configurable

CSCtg71572

vpn-simultaneous-logins does not work for cert-only AnyConnect

CSCth37641

Write Mem on active ASA 8.3 produces log 742004 on standby

CSCth48476

ASA WebVPN doesn't rewrite URL Encoded Data in Location Response Header

CSCth58048

Assert Failure caused Traceback in Thread Name: Dispatch Unit

CSCth77370

IPv6: ASA stops responding to IPv6 ND solicitation

CSCti16586

ASA 8.2(1)11 failed to return MIB data for SNMPV3 GetBulk request

CSCti54387

ASA 8.2.2.x traceback in Thread Name: Dispatch Unit

CSCtj45148

ASA 8.3 upgrade traceback in thread pix_flash_config_thread

CSCtj45688

ASA: SYN may change close-wait conn to SYN state

CSCtj79795

WebVPN:flv file within the Flowplayer object is not played over webvpn

CSCtk97719

WebVPN and ASDM don't work on Chrome with AES and 3DES ciphers

CSCtl06156

NAT Xlate idle timer doesn't reset with Conn.

CSCtl54580

Telnet connection is permitted inappropriately in some situation

CSCtl93641

ASA: Traceback in fover_parse thread after making NAT changes

CSCtn00318

ASA Unexpectedly Reloads with a Traceback due to a Watchdog Failure

CSCtn14091

ASA reuses tcp port too quickly

CSCtn40707

assert traceback for ifc cfg removal with same-security intra-interface

CSCtn48877

Traceback in fover_FSM_thread with IPv6 failover on SSM-4GE-INC

CSCtn56517

"Failed to update IPSec failover runtime data" msg on the standby unit

CSCtn66992

egress ACL packet drops erroneously counted on ingress interface

CSCtn99416

WebVPN: Dropdown menu doesn't work in customized SharePoint 2010

CSCto05449

WebVPN:Ability to configure and show session timer countdown on portal

CSCto09313

Traceback with high HTTP traffic on active multi-routed unit

CSCto09465

FTP transfers fail with NAT configured on multi-core ASAs (5580/5585)

CSCto23039

Add LZS compression support to AnyConnect DTLS and TLS

CSCto31425

ASA: L2TP and NAT-T overhead not included in fragmentation calculation

CSCto32012

Routing: page fault traceback in Thread Name: EIGRP-IPv4: PDM

CSCto34765

ASA may traceback in Thread Name: DATAPATH-1-1235 (ipsecvpn-crypto)

CSCto49472

ASA running 8.4.1 does not detect external flash, needs a reload

CSCto88412

Radius Proxy to SDI - AnyConnect prompts for next PASSCODE but shouldn't

CSCtq13070

DAP VPN-Filter Not Applied When AC Initiated Through Weblaunch

CSCtq15197

WebVPN:flv file within the Flowplayer object is not mangled correctly

CSCtq55088

Code refactoring for shared interface listening macs

CSCtq75817

Oracle JInitiator over WebVPN sends incorrect HTTP request

CSCtq88111

object group not cleared when used for pat pool

CSCtq94775

Unable to get block detail about 2048 byte blocks

CSCtr00165

Port Forwarder ActiveX control contains a Buffer Overflow vulnerability

CSCtr00526

L2TP over IPSec session fails after IPSec P2 rekey

CSCtr15722

Memory fragmentation issue with dscp

CSCtr20809

ICMP inspection permits echo-reply packets with code set to non-zero

CSCtr31788

Standby ASA generates syslog 210005 while transmitting data on FTP

CSCtr38739

Link outage in Etherchannel causes interface down and failover

CSCtr44913

ASA 5580 traceback with DATAPATH-2-1024 thread

CSCtr44930

Nested obj does not work if contained in src and dst of ACL

CSCtr66582

Memory leak on ASA 5585-increase of 1% everyday

CSCtr94429

ASA: Local-host and all conns are torn down when client hits conn limit

CSCts10661

SSM-4GE doesn't handle unicast packets after "hw-module module 1 reset"

CSCts18480

ASA IKEv1 Traceback in vpnfol_thread_msg ike_fo_create_new_sa on Standby

CSCts33551

NAT-T compatibility improvement with Windows 7

CSCts35498

ICMP and TCP Ping command should honor a timeout of zero seconds

CSCts42362

Message from ASA is not displayed about password complexity requirements

CSCts50584

ASA may reload with traceback in Thread Name scmd reader thread

CSCts52885

Unexpected packet denials during large ACL compilation

CSCts54522

Inspect PPTP does not change CALL-id for inbound Set-Link-Info Packet

CSCts69531

Traceback in Dispatch Unit on Standby with timeout floating-conn

CSCts72188

ASA: SSH process may exist after being orphaned from SSH session

CSCts73200

'show interface detail' on ASA5580-40 still shows topology information that applies to 5585

CSCts76258

xlate objects with no associated conns and idle timer > timeout

CSCts89642

'show mroute' has null Outgoing Interface List for (*,G) entry w/ bidir

CSCts89806

'Route-Lookup' Option Should be Allowed if One Real Interface is Known

CSCts98806

Standby ASA 5585 Reporting Service Card Failure on Signature Update

CSCtt03492

ASA should not send data in the 3rd message of TCP 3WHS w/ LDAP over SSL

CSCtt11890

ASA: Manual NAT rules inserted above others may fail to match traffic

CSCtt13455

netflow: template only send once with default timeout-rate

CSCtt18185

ASA traceback caused by Global Policy

CSCtt19760

ASA may traceback in a DATAPATH thread

CSCtt34959

ASA and apple L2TP IPSec client disconnects

CSCtt36737

After upgrade, AnyConnect causes 1550 or 2048 block depletion

CSCtt45090

ASA5505: Primary active unit crash due to mismatched host-limit license

CSCtt47502

show vpn-sessiondb does not show LZS compression stats for Anyconnect

CSCtt74695

wrong vpn-filter gets applied when peers have overlapping address space

CSCtt96526

SharePoint2010:Cannot create new document

CSCtt96550

ASA - Dispatch unit traceback - snp_nat_xlate_timeout

CSCtt98033

Allow Concurrency of 'Unidirectional' and 'No-Proxy-Arp' Keywords

CSCtt98991

ASA: Decrypted VPN packets dropped due to bad-tcp-cksum when using NAT-T

CSCtu00961

Some specific flash file doesn't work through WebVPN on ASA

CSCtu02353

Unable to access ASDM when webvpn is enabled on ASA

CSCtu03117

npshim: Shared License Registration Fails w/ Empty TP applied to Int

CSCtu04723

vpnclient mac-exempt cmd inconsistent when adding more than 16 entries

CSCtu04754

ASA may traceback citing Thread Name: qos_metric_daemon as culprit

CSCtu10620

WebVPN:flv file within the Flowplayer object is not played over webvpn

CSCtu14396

ASA has stale ASP classification entries for Anyconnect tunnels

CSCtu21128

cannot pass "=" sign within the value of a parameter for the SSH plugin

CSCtu26615

Clientless VPN paging application failure

CSCtu27846

Backup Shared license server remains ACTIVE even when the Master is up

CSCtu30581

ASA 5580 traceback when CSM attempts deployment

CSCtu33068

WebVPN URL Mangler does not handle encoded value of "&#47"

CSCtu34220

High CPU usage during bulk sync when allocating NAT xlate

CSCtu34793

ASA 5580 Multicontext ERROR: unable to create listener on interface

CSCtu34878

HA conn replications on smp platform needs to be throttled

CSCtu39200

ASA traceback in emweb/https while bringing up many webvpn sessions

CSCtu40752

5580: assert failure in thread CP Processing

CSCtu42772

ASA webvpn doesn't rewrite some redirect messages properly

CSCtu42856

ASA: May fail FIPS Self-Test

CSCtu43137

ASA traceback in Thread Name: IKE Daemon

CSCtu51799

Traceback in Thread Name: CP Processing

CSCtu57453

ASA: Traceback after removing 'ip address dhcp setroute' with DDNS

CSCtv00813

ASA NAT fails due to route lookup with 'any' as destination interface

CSCtv19046

DACL is not applied to AnyConnect when connecting via the web portal

CSCtv19854

Incorrect MPF conn counts cause %ASA-3-201011 and DoS condition for user

CSCtw35765

Threat Detection Denial Of Service Vulnerability

CSCtw45576

TCP sequence space check ignored in some cases

CSCtw45723

WebVPN: CIFS: Incorrect MIME type for PDF files - iPad/iPhone

CSCtw50362

ASA - Failover message may be lost during transition to active state

CSCtw52591

Environmental SNMP Traps Are Not Available on ASA5585 SSP-40

CSCtw52716

ASA5585 show inventory not updated

CSCtw55462

Traceback: assert failure on thread radius_snd

CSCtw56707

%ASA-3-201011: Connection limit exceeded when not hitting value

CSCtw56859

Natted traffic not getting encrypted after reconfiguring the crypto ACL

CSCtw58640

When ASA sends a username with a "\", WSA logs errors.

CSCtw58682

SSLVPN Portal uses incorrect DNS Group after failover

CSCtw58945

L2TP over IPSec connections fail with ldap authorization and mschapv2

CSCtw59136

ASA: 8.3+ NAT overlap with failover IP causes both units to go active

CSCtw59562

ACL Hashes calculated during config migration are wrong

CSCtw60220

Port Address Translation (PAT) causes higher CPU after upgrade

CSCtw62745

Inspection configurations do not appear after disk format and reload

CSCtw63996

Page fault traceback with thread name "pix_flash_config_thread".

CSCtw71420

ASA 5585-X does not provide aggregate system CPU load value via SNMP

CSCtw72728

AdvCrypt: AnyConnect can connect but can't pass data

CSCtw75613

ASA: Traceback in Unicorn Admin Handler when making DAP changes via ASDM

CSCtw78059

print warning if interface in logging host cmd conflicts with routes

CSCtw78415

ASA may reload with traceback in Dispatch Unit related to WAAS inspect

CSCtw81408

Apple Lion OS L2TP Client behind NAT device does not connect

CSCtw82147

ASA lets static NAT mapped IP to be same as standby address on interface

CSCtw82573

Failover monitor may unexpectedly become Unknown (Waiting) status.

CSCtw84007

ASA does not recognize IPv6 VPN filter access-list for AnyConnect client

CSCtw84087

IKEv2: ASA does not re-establish more than one SA after disconnect

CSCtw84249

ASA 8.4 Email Proxy causes corruption of some email attachments

CSCtw89522

Cut-through proxy - users unable to log in

CSCtw90179

ASA:In a rare corner case ASA may crash while modifying FQDN object/acl

CSCtw93059

Page fault traceback in crypto_lib_keypair_show_mypubkey_all

CSCtw93804

CPU-HOG is detected after configuring speed 10/100, duplex full on MGMT

CSCtw95262

ASA sends unidirectional RST when a packet is dropped via MPF

CSCtw95487

ASA mem leak w/EZVPN when Subject DN has Multiple C,O,OU,CN fields.

CSCtx01251

ASA: May traceback in DATAPATH during capture

CSCtx02122

Post request for OCSP using non default port is missing the port number

CSCtx03464

Standby ASA traceback in DATAPATH-0-1400 or Dispatch Unit

CSCtx08182

Nas-Port attribute different for authentication and accounting

CSCtx08346

tunnel-group-preference not respected for AnyConnect 3.0 aggregate_auth

CSCtx08354

Traceback when memory low and memory profile enabled

CSCtx11578

ASA does not start DPD when phase 1 up but phase 2 down

CSCtx16166

ASA may not log syslogs 611101, 605005 for asdm sessions to certain int

CSCtx20108

TCP conns between ASA and Websense server disappear over lossy link

CSCtx22242

HTTP TRACE method allowed when EASY-VPN enabled

CSCtx25170

Configuring a network object with an invalid range causes traceback

CSCtx25910

class-map doesn't work after replacing ACL

CSCtx28628

Clientless: VLAN assignment under group-policy breaks tunneled default route

CSCtx32455

SunRpc: Change from dynamic ACL to pin-hole mechanism

CSCtx33347

Standby ASA traceback while trying to replicate xlates

CSCtx33853

TCP Proxy TCP Window Size Update gets delayed

CSCtx36026

VPN session failure due to auth handle depletion

CSCtx38644

Webvpn: Can't copy & paste in web portal with IE8 and IE9

CSCtx40951

NAT warning message needs additional information

CSCtx41025

Failed to replicate xlate debug messages not clear

CSCtx42632

Match option on ISAKMP captures not working

CSCtx42643

Received unexpected event EV_REMOVE in state AM_WAIT_DELETE

CSCtx42746

cut through proxy authentication vulnerability

CSCtx43083

Syslog 199011 "Close on bad channel in process/fiber"

CSCtx47019

ASA reloads and produces Coredump but no crashinfo.

CSCtx57966

ASA5585 8.4.2 Traceback DATAPATH-8-2321 rate_limiter_t from console

CSCtx58556

ActiveX RDP Plugin fails to connect from IE6-9 after upgrade to 8.4(3)

CSCtx59893

Mem leak in occam/unicorn when webvpn smb user-storage connection fails.

CSCtx61116

NAT unreasonably drops all traffic for random source ports with 305006

CSCtx62037

"X-CSTP-Tunnel-All-DNS" not properly set in SMP images for split-dns

CSCtx65353

ASA: 8.4 Page fault traceback while displaying "sh run threat-detection"

CSCtx66538

ASA: Traceback in thread name EAPoUDP

CSCtx68075

ASA WebVPN breaking when Windows Patch KB2585542 is applied

CSCtx69008

ASA: Page Fault traceback in ssh thread when changing IKEv2 config

CSCtx69018

MSFT KB2585542 breaks cut-thru proxy and IUA

CSCtx69059

Traceback in Unicorn Proxy Thread under heavy WebVPN load

CSCtx69498

Traceback when Converting ACL Remarks of 100 Characters

CSCtx70122

ASA traceback in thread fover_parse while upgrading from 8.4.2 to 8.4.3

CSCtx73124

WEBVPN - upload of files larger than 2 GB fails through CIFS

CSCtx81792

ASA: OSPF redist with prefix routemap advertises all static after reboot

CSCtx82292

numerous PAT statements cause long boot time

CSCtx82637

tcp-proxy with skinny v17 inspection not allowing 7962 phone to register

CSCtx92801

ASA: Failover due to data channel failure when making IPS config changes

CSCtx98402

ASA Multicontext with shared port-channel interface shutdown error

CSCty01573

Blank page returns when move away from portal using group-url and return

CSCty02513

Standby ASA remains standby after active ASA fails

CSCty05763

ASA5585X PS0 does not send "entity power-supply" trap

CSCty06491

Certificate-map prevents access to group-url with AAA

CSCty07416

Migration of max_conn/em_limit to MPF is not working for dynamic NAT

CSCty11414

ASA Crashes or Simply Reloads With Signal 11 in Unicorn Proxy Thread

CSCty13871

AJAX XML file fails to be processed causing script failure

CSCty13927

ASA: Traceback in ldap_client_thread after changing aaa-server config

CSCty16661

ASA fails to reserve some UDP ports for PAT w/ flow-export destination

CSCty16864

5505 HW vpnclient in NEM + mac-bypass fails negotiating the NEM tunnel

CSCty32412

ASA: Anyconnect u-turn to ipsec tunnel fails

CSCty32558

SNMP power supply sensor values on ASA 5585 oscillate

CSCty32899

PDP context idle timer is reset when using the TID option in show cmd

CSCty33480

Clientless vpn: Accessing Citrix bookmark reveals DAP configuration

CSCty36034

ASA: Active/Active failover group stuck in Bulk Sync with SIP inspect

CSCty36675

Smarttunneled RDP client on MAC doesn't throw error after incorrect auth

CSCty37057

ASA5585 reloads after adding IPS card due to stale SunRPC action access

CSCty43366

Local CA can be enabled via CLI with Failover enabled

CSCty47140

New Create PDP Ctx Req with TEID 0 should remove pre-existing active PDP

CSCty54051

Bogus IPv6 link-local address is shown on show failover

CSCty54520

Flowplayer URL reference fails

CSCty62526

Password management not working with external group-policy

CSCty63269

Traceback in Thread Name: IKEv2 Daemon

CSCty65474

DAP test Feature broken for Multiple LDAP attributes

CSCty71842

ASA :Traceback while copying via TFTP/ASDM with no Thread Name

CSCty74915

Chassis serial number is incorrect in call-home message on 5585 platform

CSCty75087

dACLs not removed from ASA after AC IKEv2 clients log out

CSCty77132

ASA 5585: Context Failover Slow due to ipv6 Configuration

CSCty81963

ASA sends User-Password RADIUS attribute wrongly with EAP authentication

CSCty84843

ASA not able to install intermediate certificate when using pkcs12

CSCty99200

ASA stops sending PADI for PPPoE when config applied via AUS

CSCtz03292

ASA may reload with traceback related to SSH, PING, DHCP, or IPSEC

CSCtz40094

ASA 8.2.5.27 secondary traceback after the upgrade - Thread Name: snmp

Resolved Caveats in Version 8.4(3)

Table 16 contains resolved caveats in ASA software Version 8.4(3).

If you are a registered Cisco.com user, you can view more information about each caveat using the Bug Toolkit at http://tools.cisco.com/Support/BugToolkit/

Table 16 Resolved Caveats in ASA Version 8.4(3)

Caveat
Description

CSCsi29725

SIP: options/update_handler do not open pinhole for response

CSCsy68961

ASA 5580 reboots with traceback in threat detection

CSCta94935

show failover shows incorrect interface status when Standby powered off

CSCtc79873

ASA 8.2 may calculate memory usage incorrectly

CSCtc95264

ASA Increase LDAP & DAP max instances per attribute > 999

CSCtd73605

ASA RIP: "no redistribute static" breaks "default-information originate"

CSCtd73901

Linkdown, Coldstart SNMP Traps not sent with certain snmp-server config

CSCte01475

EIGRP : static route redistribution with distribute-list not working

CSCte08816

ASA NAT: LU allocate xlate failed error with Twice NAT

CSCtf09840

ENH: Enable Flow Control (Sending Pause Frames) on 1GE Interfaces

CSCtf51346

ASA may leave connection in half-closed state

CSCtg06320

DHCP ACK not sent by the firewall.

CSCtg76404

Traceback in Thread Name: Checkheaps due to logging

CSCth14248

ASA not sending all logging messages via TCP logging

CSCth34278

Clientless WebVPN Memory Leak Causes Blank Page after Authentication

CSCth37641

Write Mem on active ASA 8.3 produces log 742004 on standby

CSCth40316

Unable to edit the privilege level for cmd object & object-group in 8.3

CSCth48476

ASA WebVPN doesn't rewrite URL Encoded Data in Location Response Header

CSCth58048

Assert Failure caused Traceback in Thread Name: Dispatch Unit

CSCth77370

IPv6 : ASA Stops responding to IPv6 ND solicitation

CSCth96829

IPv6 ACL Allowing IPv4 Addresses

CSCti10186

ASA 8.0.5.9 Standby with a traceback in Thread Name:Checkheaps

CSCti11757

SNMP: ASA responds after two SNMP requests

CSCti16604

ASA fails to delete an existing object in object-group

CSCti29274

Cannot switchover member with two 10G interfaces redundant interface

CSCti54387

ASA 8.2.2.x traceback in Thread Name: Dispatch Unit

CSCti54545

EIGRP metrics will not update properly on ASA

CSCti62667

Connections stay open w/ 'sysopt connection timewait' & NetFlow

CSCtj20724

ASA hitless upgrade from 8.2 to 8.3: upgraded unit reload upon conf sync

CSCtj32735

DAP: Change error message when adding non supported IPv6 or standard ACL

CSCtj76066

L2TPOverIPsecOverNatT public IP displayed in reverse octet order

CSCtj80580

ASA route-map doesn't have correct set metric statement for EIGRP

CSCtk07521

ASA slow response to autocomplete word host in cmd "network-object host"

CSCtk09626

traceback in AAA eip AAA_BindServer+118 during AC connection

CSCtk19285

ASA H323 allow unidirectional OpenLogicalChannel media through

CSCtk84288

Syslog %ASA-7-108006 generated erroneously

CSCtk93754

Change in Layered Object Group Does Not Update NAT Table

CSCtk98431

Slow xlate expiration rate

CSCtl06156

NAT Xlate idle timer doesn't reset with Conn.

CSCtl21765

Cut-through Proxy - Inactive users unable to log out

CSCtl22195

ASA CLI split dns should warn that AnyConnect supports ten (10) entries

CSCtl23397

ASA may log negative values for Per-client conn limit exceeded messg

CSCtl41335

ASA traceback when layer-2 adjacent TCP syslog server is unavailable

CSCtl54580

Telnet connection is permitted inappropriately in some situation

CSCtl86184

ASA 8.2 flow control might not work for redundant interfaces

CSCtl93641

ASA: Traceback in fover_parse thread after making NAT changes

CSCtl93907

TCP state bypass flags shown as "b" and "-b"

CSCtn00318

ASA Unexpectedly Reloads with a Traceback due to a Watchdog Failure

CSCtn09117

ASA 8.2.4 402126: CRYPTO: The ASA created Crypto Archive File

CSCtn14091

ASA reuses tcp port too quickly

CSCtn38474

Interface warning on ASA - install the interface in a PCI-e x"nn" slot

CSCtn38584

The packet is discarded when the specific xlate exists.

CSCtn41118

ASA fails over under intensive single-flow traffic

CSCtn48877

Traceback in fover_FSM_thread with IPv6 failover on SSM-4GE-INC

CSCtn56501

ASA 8.2 Crypto Engine Tracebacks Multiple Times

CSCtn60457

ASA 8.4.1 traceback on thread name ldap_client_thread with kerberos

CSCtn66992

egress ACL packet drops erroneously counted on ingress interface

CSCtn74485

ASA5580 traceback in DATAPATH-7-1353

CSCtn74652

Search query timeout/errors in SAP purchasing portal via clientless

CSCtn77962

Tmatch: Traceback on Primary when adding User Group based ACL

CSCtn93345

ASA Broadview deny lines in NAT exemption ACL are migrated as permits

CSCtn96679

IPv6 HA: Standby uses same Link-Local as ACTIVE if standby IP not cfg'd

CSCtn99124

Dynamic Filter DNS Snooping Database size too small

CSCtn99416

WebVPN: Dropdown menu doesn't work in customized SharePoint 2010

CSCto05449

WebVPN:Ability to configure and show session timer countdown on portal

CSCto06207

ASA 8.4.1 traceback in Thread UserFromCert

CSCto08497

ASA: dynamic-filter database update may trigger cpu-hogs

CSCto08752

ASA traceback in 8.4.1 with memory failure errors on IKE daemon

CSCto11365

ASA: Ldap attributes not returned for disabled account

CSCto16917

DAP terminate msg not showing for clientless, cert only authentication

CSCto23149

Standby ASA sends out IPv6 RA when IPv6 address is configured.

CSCto31425

ASA: L2TP and NAT-T overhead not included in fragmentation calculation

CSCto34150

ASA SMR - multicast packets no longer forwarded upon interface failure

CSCto34573

ASA: 8.3 upgrade to 8.4, Shared VPN Licensing config lost unable to conf

CSCto34823

multicast packets dropped in the first second after session creation

CSCto42990

ASA fails to process the OCSP response resulting in the check failure

CSCto43075

'help clock' output needs to reflect usage of command better

CSCto49160

can not access cifs folder with japanese character

CSCto49472

ASA running 8.4.1 does not detect external flash, needs a reload

CSCto50936

SAP Portal - Event Tracking Script fails to display correctly

CSCto53199

Traceback with phone-proxy Thread Name: Dispatch Unit

CSCto62660

ASA 8.4.1 traceback in Thread Name: Unicorn Proxy Thread

CSCto63702

ASA's ARP table will populate with non connected subnets

CSCto67979

ASA with SSM - specifying "sensor vs0" breaks ASA<->IPS configuration

CSCto73569

ASA WebVPN clientless not possible to access ipv6 services on the inside

CSCto76621

FO cluster lic doesn't work if primary reboots while secondary is down

CSCto76775

ASA AC failure due to slow memory leak: "Lua runtime: not enough memory"

CSCto80254

ASA does not send Anyconnect profile when Radius pushes profile

CSCto81636

IPv6 traffic not updated after neighbor changes

CSCto82315

Traceback in Thread Name: gtp ha bulk sync with failover config

CSCto83156

ASA Sequence of ACL changes when changing host IP of object network

CSCto87589

Access-list remarks are lost during migration to 8.3

CSCto87674

ST not injected in mstsc.exe on 32-bit Win 7 when started through TSWeb

CSCto89607

ASA sends invalid XML when tunnel-group name contains &

CSCto96832

Unable to login to SAP application via WebVPN portal

CSCto99389

External Portal Page Macro substitution fails

CSCtq00144

VPN RA session DAP processing fails with memberOf from OpenLDAP

CSCtq07658

ASA: Traceback in ci/console on Standby unit

CSCtq08208

ISAKMP dropped after boot if ASA doesn't have IP address while booting

CSCtq10528

Host listed in object group TD shun exception gets shunned

CSCtq10654

Threat-detection stats showing incorrect output

CSCtq12037

WebVPN : bytes lost in ftp uploading using IE via smart tunnel

CSCtq13070

DAP VPN-Filter Not Applied When AC Initiated Through Weblaunch

CSCtq15197

WebVPN:flv file within the Flowplayer object is not mangled correctly

CSCtq19611

IPSec - Error message trying to reserve UDP port in Multicontext mod

CSCtq21535

ASA traceback when connecting with Android L2TP/IPsec client

CSCtq27530

Java RDP plugin doesn't work with sslv3 on ASAs

CSCtq27873

AC can not connect to the ASA if the no. of group aliases is >190

CSCtq28561

ASA 8.4 failover, OSPF routing can not update correctly.

CSCtq30051

ASA5580: Mate ASA5580 card in slot 0 is different from mine ASA5580

CSCtq30094

CSD scan happens for SSL VPN when connecting via group alias

CSCtq33081

Traceback during certificate operation in IKEv2 EAP processing

CSCtq34233

ASA traceback in thread emweb/https

CSCtq35045

HA: Monitored interfaces fail to move out of waiting state

CSCtq37772

asa 8.2(2) traceback with TN : Unicorn Proxy Thread

CSCtq40553

Unable to remove trustpoint - ERROR: The trustpoint appears to be in use

CSCtq42954

ASA calculates ACL hash incorrectly

CSCtq45177

1550 or 2048 byte block leak due to originate-only keyword in crypto map

CSCtq46808

ASA rebooted unit always become active on failover setup

CSCtq50523

Using non-ASCII chars in interf desc makes the ASA reload with no config

CSCtq52342

OWA 2007 via WebVPN Sessions fail to get notifications of new emails

CSCtq57642

Cannot point IPv6 route to a link-local that matches other intf

CSCtq57752

ASA: IPSec outbound SA data lifetime rekey fails

CSCtq58884

AC 3.0x - LDAP Secondary Auth successfully connects with blank password

CSCtq60450

Degraded Xlate Teardown Performance

CSCtq62572

Webvpn/mus memory leak observed in 8.4.1.63

CSCtq65262

ASA: SSH sessions return extra characters when using CR+LF

CSCtq65479

IKEv2 - ASA does not send intermediate certs for server cert

CSCtq67230

IKEv2 DPD is sent at an interval not correlating to the specified value

CSCtq70326

Interface "description" command allows for more than 200 characters.

CSCtq72776

ASA may reload in threadname Dispatch unit

CSCtq73340

After the interface IP is changed, ASA does not allow UDP 500 to new IP

CSCtq75817

Oracle Jinitiator over WebVPN sends incorrect HTTP request

CSCtq78280

invalid command dhcp client xxx on ASA 8.4

CSCtq79834

ASA traceback due to dcerpc inspection.

CSCtq84364

High CPU and Orphaned SSH session on ASA 8.3(2.8)

CSCtq84759

ASA wont take "ip audit info action alarm" under "crypto ca" subcommand

CSCtq86859

Traceback in Thread Name: IP SLA Mon Event Processor

CSCtq90084

ASA traceback in thread Dispatch Unit

CSCtq94775

Unable to get block detail about 2048 byte blocks

CSCtq96332

ASA 5505 logs "INVALID_NICNUM" messages to console

CSCtq96616

ASA - LU allocate connection failed with conn-max policy

CSCtq97430

Coverity 100595: FORWARD_NULL in ppp_auth_process_attributes()

CSCtr00315

Active SSH connection orphaned if 'clear config all' is run

CSCtr00526

L2TP over IPSec session fails after IPSec P2 rekey

CSCtr03453

Zimbra email suite not usable through WebVPN

CSCtr03856

Failure to migrate named interfaces in ctx to 8.4 bridge group syntax

CSCtr12176

L2L - IPSEC Backup- Peer list is not rotated/cycled with dual failure

CSCtr12333

Webvpn portal contents disappear once bookmark user-storage is enabled

CSCtr14920

lightview based Modal Elements do not work with webvpn

CSCtr15722

Memory fragmentation issue with dscp

CSCtr16184

To-the-box traffic fails from hosts over vpn after upgrade to 8.4.2

CSCtr20809

ICMP inspection permits echo-reply packets with code set to non-zero

CSCtr23854

traceback in Crypto CA during multiple ocsp requests

CSCtr23914

ASA: Certificate renewal from same CA breaks SSLVPN

CSCtr26724

ASA threat detection does not show multicast sender IP in statistics

CSCtr27000

ASA fails to send Radius attribute 8 framed IP address for IKEv2

CSCtr27161

EIGRP 'no default-information in' does not work

CSCtr33228

Traceback in Dispatch Unit when replicating xlates to standby

CSCtr36022

Java AJAX session does not work over SSLVPN

CSCtr39013

ASA - panic traceback when issuing show route interface_name

CSCtr44913

ASA 5580 traceback with DATAPATH-2-1024 thread

CSCtr47517

Protocol-Independent Multicast Denial of Service Vulnerability

CSCtr50413

Clientless webvpn remove forward slash in POST Request-URI

CSCtr55374

ASA: asr-group in TFW A/A FO doesn't rewrite dst MAC for IP fragments

CSCtr63071

5585 735XXX syslogs reporting wrong id

CSCtr63101

5585 show environment power output unclear

CSCtr63728

ASA reloads with traceback in Thread Name : Dispatch Unit

CSCtr65785

Enabling AC Essentials should logoff webvpn sess automatically

CSCtr66582

Memory leak on ASA 5585-increase of 1% everyday

CSCtr69771

backslash in username for ftp over webvpn changed to semi-colon

CSCtr72514

ASA: Traceback in telnet/ci thread when running 'show webvpn svc'

CSCtr74940

Active ASA traceback Thread: DATAPATH-3-1290, rip spin_lock_get_actual

CSCtr74983

ASA LDAP support for searching with value range retrieval

CSCtr78703

ASA 8.4.2 http inspection might break certain flows intermittently

CSCtr80605

ASA5580 traceback with Thread name telnet/ci

CSCtr83349

ASA logs "INVALID_NICNUM" messages to console

CSCtr91981

LDAP authentication fails when no RootDSE info returned

CSCtr93086

ASA Failover: 106017 Deny IP due to Land Attack on Normal(Waiting) ifc

CSCtr93621

Show resource usage displays wrong Conns Limit for ASA5580-20

CSCtr94429

ASA: Local-host and all conns are torn down when client hits conn limit

CSCtr96686

Java RDP plugin traceback when using empty user in URL to Win2008 server

CSCtr99598

ASA doesn't classify MIME type correctly for .exe and .dmg in Firefox

CSCts00158

ASA EIGRP route not updated after failover

CSCts07069

ASA: Packet classifier fails with 'any' in Object NAT rule

CSCts07650

Traceback in "clear config all" when active telnet connection exists

CSCts09257

Traceback in sch_dispatcher thread

CSCts10797

Webvpn :Support for XFRAME: DENY option in portal

CSCts10887

ASA sends Server Identifier field in DHCP REQUESTS during renewal

CSCts13848

ASA may crash in dns_process

CSCts14130

100% CPU Object Group Search under low traffic due to spin_lock

CSCts15920

ASA: WCCP with authentication fails in 8.3 and 8.4

CSCts18026

ASA 5520 8.2.5 : traceback at thread name snmp

CSCts24804

ASA 5580 DAP Network ACL Errors:user, user-group or FQDN objects

CSCts26909

CPU spikes to 100% and causes traceback when Syslog interface is down

CSCts30839

ASA5510, 8.4(2) - page fault traceback accessing a bookmarked DFS share

CSCts32313

ASA 8.4(1) - mailto for xmpp protocol mail clients fails

CSCts32474

Incorrect time displayed on cut through proxy auth page

CSCts33551

NAT-T compatibility improvement with Windows 7

CSCts35339

Close non-persistent CSD conns

CSCts36777

Manual Redundant Failover Link Switchover Causes a Flap

CSCts41215

NAC Framework - Status Query triggers full Posture Revalidation

CSCts43136

ESMTP drops email with DKIM header

CSCts45638

8.4.2.2: Thread Name: DATAPATH-0-1272 Page fault: Unknown

CSCts46366

Slow memory leak by skinny

CSCts48937

Memory leak in DP udp host logging resulting in 1550 byte blocks leak

CSCts52885

Unexpected packet denials during large ACL compilation

CSCts54522

Inspect PPTP does not change CALL-id for inbound Set-Link-Info Packet

CSCts61811

idfw_nb_process traceback because thread stack appears corrupt

CSCts64849

ASA: 8.3/8.4 no longer logs %ASA-3-713167 syslog for rejected user

CSCts68268

PIX-ASA: Route command should validate next hop IP before accepting

CSCts69531

Traceback in Dispatch Unit on Standby with timeout floating-conn

CSCts72339

L2 table entries for identity i/f not handled properly when adding/deleting i/f

CSCts76258

xlate objects with no associated conns and idle timer > timeout

CSCts80367

AnyConnect 3.0 for Mac gets "Certificate Validation Failure" w/ ASA 8.4

CSCtt00286

ASA5585 Page fault traceback in Thread Name: DATAPATH-5-2312

CSCtt02123

WebVPN: Multiple tracebacks seen in WebVPN in Unicorn Proxy thread

CSCtt02413

DCERPC inspection does not properly fix up port and IP in Map Response

CSCtt02423

ASA: May traceback when adding ipv6 route before enabling ipv6

CSCtt03480

ASA Radius User-Password attribute is not included in Access-Request

CSCtt04614

webvpn - ES keyboard diacritics incorrectly managed by RDP plugin

CSCtt04665

Traceback in Thread Name: IP Address Assign

CSCtt07749

ASA is responding to IKE request when in vpnclient mode

CSCtt11835

Traceback in Thread Name: tacplus_snd

CSCtt14922

ASA5585: Redundant interface doesn't switchover on IPS module shutdown

CSCtt18185

ASA traceback caused by Global Policy

CSCtt19760

ASA may traceback in a DATAPATH thread

CSCtt22540

Secondary Auth successfully connects with blank password

CSCtt25173

ASA 5520 8.2.5 memory leak in the inspect/gtp area

CSCtt27599

Standby Firewall traceback citing nat_remove_policy_from_np+383

CSCtt29654

Outbound IPsec traffic interruption after successful Phase2 rekey

CSCtt29810

AAA Command Authorization Reactivates Failed Server on Every Attempt

CSCtt32565

Specific closing sequence may cause ESMTP inspect to hog CPU for 1+ sec

CSCtt34959

ASA and apple L2TP IPSec client disconnects

CSCtt36737

After upgrade, AnyConnect causes 1550 or 2048 block depletion

CSCtt41809

ASASM traceback in DATAPATH-3-2265

CSCtt42405

AnyConnect fails authentication for some passwords with brackets

CSCtt45496

ASA traceback in thread ci/console with names > 48 char in prefix-list

CSCtt96550

ASA - Dispatch unit traceback - snp_nat_xlate_timeout

CSCtu02060

Changing IPv4 FQDN network object to IPv6 FQDN causes traceback

CSCtu07278

Corrupted route-map output for 'config' URL used by ASDM

CSCtu10620

WebVPN:flv file within the Flowplayer object is not played over webvpn

CSCtu19300

ASA may reload with traceback in Thread Name: kerberos_recv

CSCtu25253

'show shared license' after toggle license-server crashed ASA

CSCtu33068

WebVPN URL Mangler does not handle encoded value of "&#47"

CSCtu34217

High CPU usage during bulk sync on spin_lock used by tmatch lookup

CSCtu34220

High CPU usage during bulk sync when allocating NAT xlate

CSCtu40752

5580: assert failure in thread CP Processing

CSCtu43137

ASA traceback in Thread Name: IKE Daemon

CSCtw35765

Threat Detection Denial Of Service Vulnerability

CSCtw81408

Apple Lion OS L2TP Client behind NAT device does not connect

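The resolved-caveat tables on this page are organised per release, and the same caveat can appear in more than one table (for example CSCtd73901, CSCte08816 and CSCth77370 are listed under both 8.4(2) and 8.4(3)), so the practical question when auditing a deployed firewall is whether the running build is at or past the earliest release that lists the fix. The helper below is an added example, not part of the Cisco release note: it parses text in the layout of these tables, normalises ASA version strings (the note writes interim builds as 8.4(2.8) while the ASA's own `show version` output prints the same build as 8.4(2)8), and answers that question for a given caveat. The excerpt and the `show version` line it works on are constructed for the example; the caveat IDs and titles in the excerpt are copied from the tables above. It assumes, as these cumulative tables imply, that a later release in the 8.4 train carries the fixes listed for earlier ones; confirm any individual caveat in the Bug Toolkit before relying on it.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, interim)

# Constructed excerpt mirroring the layout of the "Resolved Caveats in Version 8.4(x)"
# tables in this release note: a version heading followed by caveat-ID / description pairs.
RELEASE_NOTE_EXCERPT = """
Resolved Caveats in Version 8.4(3)

CSCtw35765

Threat Detection Denial Of Service Vulnerability

CSCtd73901

Linkdown, Coldstart SNMP Traps not sent with certain snmp-server config

Resolved Caveats in Version 8.4(2)

CSCtd73901

Linkdown, Coldstart SNMP Traps not sent with certain snmp-server config

CSCtj96108

Group enumeration possible on ASA
"""

# Constructed 'show version' line in the form the ASA prints for an interim build.
SHOW_VERSION_SAMPLE = "Cisco Adaptive Security Appliance Software Version 8.4(2)8"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?$")
_HEADING_RE = re.compile(r"^Resolved Caveats in Version (\S+)$")
_CAVEAT_RE = re.compile(r"^CSC[a-z]{2}\d{5}$")


def parse_version(text: str) -> Version:
    """Parse '8.4(3)', '8.4(2.8)' or the 'show version' form '8.4(2)8' into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim_dotted, interim_suffix = m.groups()
    interim = interim_dotted or interim_suffix or "0"
    return (int(major), int(minor), int(maint), int(interim))


def version_from_show_version(output: str) -> Version:
    """Extract the software version from 'show version' output."""
    m = re.search(r"Software Version (\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return parse_version(m.group(1))


def parse_resolved_tables(text: str) -> Dict[str, Dict[Version, str]]:
    """Map each caveat ID to {release: description} across every table in the text."""
    index: Dict[str, Dict[Version, str]] = {}
    current: Optional[Version] = None   # release whose table we are inside
    pending: Optional[str] = None       # caveat ID waiting for its description line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        heading = _HEADING_RE.match(line)
        if heading:
            current = parse_version(heading.group(1))
            pending = None
            continue
        if _CAVEAT_RE.match(line):
            pending = line
            continue
        if pending is not None and current is not None:
            index.setdefault(pending, {})[current] = line
            pending = None
    return index


def earliest_fix(index: Dict[str, Dict[Version, str]], caveat: str) -> Optional[Version]:
    """Lowest release whose table lists the caveat, or None if it is not listed at all."""
    releases = index.get(caveat)
    return min(releases) if releases else None


def is_resolved(index: Dict[str, Dict[Version, str]], caveat: str, running: str) -> Optional[bool]:
    """True/False once the fix release is known; None when the caveat is not in any table."""
    fixed = earliest_fix(index, caveat)
    if fixed is None:
        return None
    return parse_version(running) >= fixed


def format_version(v: Version) -> str:
    """Render a tuple back in the release-note style, e.g. (8, 4, 2, 8) -> '8.4(2.8)'."""
    major, minor, maint, interim = v
    return f"{major}.{minor}({maint}.{interim})" if interim else f"{major}.{minor}({maint})"


if __name__ == "__main__":
    idx = parse_resolved_tables(RELEASE_NOTE_EXCERPT)
    running = format_version(version_from_show_version(SHOW_VERSION_SAMPLE))
    for cid in ("CSCtw35765", "CSCtj96108", "CSCtd73901", "CSCzz00000"):
        fix = earliest_fix(idx, cid)
        print(cid, format_version(fix) if fix else "not listed", is_resolved(idx, cid, running))
```

Run against the full page text rather than the excerpt and the same functions give a per-caveat verdict for any 8.4(x) build; a `None` result means the caveat is not in any resolved table on the page, not that it is unfixed.
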
Resolved Caveats in Version 8.4(2)

Table 17 contains resolved caveats in ASA software Version 8.4(2).

If you are a registered Cisco.com user, you can view more information about each caveat using the Bug Toolkit at http://tools.cisco.com/Support/BugToolkit/

Table 17 Resolved Caveats in ASA Version 8.4(2)

Caveat
Description

CSCsg26647

CS: undebug all command doesn't disable debug crypto ca server

CSCsy19222

Conns should update when using dynamic protocol and floating statics

CSCsy93944

Traceback on ACL modify: assertion "status" at "stride_terminal_node.c"

CSCtb63515

Clientless webvpn on ASA cannot save .html attached file with IE6 OWA

CSCtd73901

Linkdown, Coldstart SNMP Traps not sent with certain snmp-server config

CSCte08816

ASA NAT: LU allocate xlate failed error

CSCte76002

Low performance over shared vlans in multi-mode

CSCtf96635

Removing HTTP server caused page fault traceback

CSCtg41691

dynamic-filter database update triggers cpu-hog

CSCtg50770

Mngt-access (ASDM,SSH) to inside intf of 5580 fails over RA VPN session

CSCtg99798

ASA Traceback in Thread Name: snmp / checkheaps

CSCth08903

WebVPN: "Invalid Canary" error for different options in OWA 2010

CSCth08965

WebVPN: Bad performance on Internet Explorer 8 for OWA 2010 Premium

CSCth12612

ASA - VPN load balancing is disabled after failover

CSCth35722

WebVPN CIFS: 'Authentication error', when DFS host is not reachable

CSCth35961

WebVPN: Preview mode for emails works improperly for DWA 8.5.1

CSCth77370

IPv6 : ASA Stops responding to IPv6 ND solicitation

CSCth81601

ASA tracebacks in Thread Name: Dispatch Unit

CSCth84519

PIM packet with own source address seen after failover on standby peer

CSCti07859

AC reports 'certificate validation failed' with VPN LB intermittently

CSCti11757

SNMP: ASA responds after two SNMP requests

CSCti13482

BG: Same MAC-address not allowed in two different bridge groups

CSCti16604

ASA fails to delete an existing object in object-group

CSCti26874

Control-plane feature not working for https traffic to-the-box

CSCti34213

The file name is garbled as downloading through SSLVPN and CIFS.

CSCti54545

EIGRP metrics will not update properly on ASA

CSCti88463

WebVPN: Empty emails content for OWA 2010 through Firefox

CSCti89628

ARP table not updated by failover when interface is down on standby

CSCtj14005

Traceback with thread name netfs_thread_init

CSCtj16627

DAP:Control access of AnyConnect Apple iOS Mobile without CSD

CSCtj20691

ASA traceback when using a file management on ASDM

CSCtj25717

CPU Hog in "NIC status poll" when failing over redundant intf members

CSCtj29076

ASR trans FW rewrites wrong dst. MAC when FO peers active on same ASA

CSCtj37404

Traceback in mmp inspection when connecting using CUMA proxy feature.

CSCtj45688

ASA: SYN may change close-wait conn to SYN state

CSCtj47335

Problems with Intranet Page displaying when defined as Home Page w/ASA

CSCtj48788

Page fault traceback on standby in QOS metrics during idb_get_ifc_stats

CSCtj50580

ASA - VPN outbound traffic stalling intermittently after phase 2 rekey

CSCtj55822

ASA webvpn; certain ASP elements may fail to load/display properly

CSCtj58420

Failed to update IPSec failover runtime data on the standby unit

CSCtj62266

ldap-password-management fails if user password contained & (ampersand)

CSCtj73930

IPSec/TCP fails due to corrupt SYN ACK from ASA when SYN has TCP option

CSCtj77222

WebVPN: ASA fails to save HTTP basic authentication credential

CSCtj77909

ASA: multiple rules in Name Constraints certificate extension fail

CSCtj78200

certificate name constraints parsing fails when encoding is IA5String

CSCtj78425

Customers Application HQMS being broken by Webvpn Rewriter

CSCtj79795

WebVPN:flv file within the Flowplayer object is not played over webvpn

CSCtj83995

ASA - no names applied to the config when refreshing the config on ASDM

CSCtj84665

Primary stays in Failed state while all interfaces are up

CSCtj85005

ASA as EasyVPN Client failure on WAN IP Change when using 'mac-exempt'

CSCtj90315

Traceback in transparent mode due to tcp reset

CSCtj93922

Standby unit sends ARP request with Active MAC during config sync

CSCtj95695

Webvpn: Java-Trustpoint cmd error, doesn't accept MS code-signing cert

CSCtj96108

Group enumeration possible on ASA

CSCtj97800

a space inserted behind video port number after SIP inspect with PAT on

CSCtk00068

Watchdog timeout traceback following "show route"

CSCtk04293

Webvpn, SSO with Radius, CSCO_WEBVPN_PASSWORD rewritten with OTP, 8.3

CSCtk10185

OWA login page strip "\" from "domain\username"

CSCtk10911

HA replication code stuck - "Unable to sync configuration from Active"

CSCtk12556

timeout command for LDAP in aaa-server section doesn't work

CSCtk12864

Memory leak in occam new arena

CSCtk15258

ASA traceback in Thread Name:radius_rcv_auth

CSCtk15538

IKE Session : Cumulative Tunnel count always shows Zero

CSCtk34526

SSH processes stuck in ssh_init state

CSCtk54282

Webvpn memory pool may report negative values in "% of current" field.

CSCtk61257

ASA locks up port with mus server command

CSCtk62536

WebVPN incorrectly rewrites logout link of Epic app through Firefox

CSCtk63515

MUS debugs are running with no mus configured

CSCtk84716

IKE proposal for L2TP over IPSec global IKE entry match is duplicated

CSCtk95435

ASA rewriter: radcontrols based AJAX/ASP website not working properly

CSCtk96848

snmpwalk for crasLocalAddress reports: No Such Instance currently exists

CSCtl05205

Error entering object group with similar name as network object

CSCtl06889

Failover interface monitoring only works with the first ten interfaces.

CSCtl09314

"clear conn" behaviour is inconsistent with "show conn"

CSCtl10398

Traceback in Dispatch Unit due to dcerpc inspection

CSCtl10877

ASA reload in thread name rtcli when removing a plugin

CSCtl17877

SSL handshake - no certificate for uauth users after 8.2.3 upgrade

CSCtl18462

ASA not posting correct link with Protegent Surveillance application

CSCtl20963

DAP ACL in L2TP doesn't get applied after successful connection

CSCtl20966

The javascript is truncated when accessing via WebVPN portal on ASA

CSCtl21314

vpn-filter removed incorrectly from ASP table with EzVPN hw clients

CSCtl21765

Cut-through Proxy - Inactive users unable to log out

CSCtl51919

ASA 8.3 with Static NAT - passes traffic with translated IP in the acl

CSCtl54976

Redundant switchover occurs simultaneously on failover pair

CSCtl56719

Default "username-from-certificate CN OU" doesn't work after reload

CSCtl57784

ASA TCP sending window 700B causing CSM deployment over WAN slow

CSCtl58069

ASA - Traceback in thread DATAPATH-6-1330

CSCtl66155

Invalid internal Phone Proxy trustpoint names generated by imported CTL

CSCtl66339

Traceback in DATAPATH-2-1361, eip snp_fp_punt_block_free_cleanup

CSCtl72355

ASA WEBVPN: POST plugin - Can not find server .plugins. or DNS error

CSCtl74435

VPN ports not removed from PAT pool

CSCtl86372

IKE fails to initialize when minimal data is sent to pub int.

CSCtl87114

'show mem' reports erroneous usage in a virtual context

CSCtl95958

Timeout needs twice time of configured timeout for LDAP in aaa-server

CSCtn01794

IPv6 ping fails when ping command includes interface name.

CSCtn02684

ASA SAP purchasing app may display incorrectly over webvpn

CSCtn07431

L2L IPv6 tunnel with failover not supported Syslog Broken

CSCtn08326

ESMTP Inspection Incorrectly Detects End of Data

CSCtn09117

ASA 8.2.4 402126: CRYPTO: The ASA created Crypto Archive File

CSCtn11061

ASA 5520 traceback in thread emweb/https

CSCtn20148

EIGRP default-route is not displayed w/ "ip default-route" route removed

CSCtn25702

URLs in Hidden Input Fields not Rewritten Across WebVPN

CSCtn27365

ASDM causes traceback during context creation

CSCtn40210

FTP transfer fails on Standby ASA - uses wrong IP add. in PORT command

CSCtn41118

ASA fails over under intensive single-flow traffic

CSCtn42704

One-to-many NAT with "any" interface not working with PPTP and FTP

CSCtn53896

ASA: police command with exceed-action permit will not replicate to Stby

CSCtn57080

Bookmark macro in post parameters is not replaced with correct user/pass

CSCtn60457

ASA 8.4.1 traceback on thread name ldap_client_thread with kerberos

CSCtn61148

ASA stops handling ikev2 sessions after some time

CSCtn65995

ASA(8.3) adds a trailing space to the object name and the description

CSCtn69941

VPN ports not removed from PAT pool (UDP cases)

CSCtn74649

BTF DNS-Snooping TTL maxes out at 24 hours, less than actual TTL

CSCtn74652

Search query timeout/errors in SAP purchasing portal via clientless

CSCtn75476

ASA Traceback in Thread Name: snmp

CSCtn79449

Traceback: Thread Name: DATAPATH-3-1276

CSCtn80637

"Clear conf all" reboots ASA with EIGRP authentication key configuration

CSCtn80920

LDAP Authorization doesn't block AccountExpired VPN RA user session

CSCtn84047

ASA: override-account-disable does not work without password-management

CSCtn84312

AnyConnect DTLS Handshake failure during rekey causes packet loss

CSCtn89300

ASA: Memory leak in PKI CRL

CSCtn90643

Traceback while replicating xlates on standby

CSCtn93052

WebVPN: Office WebApps don't work for SharePoint 2010 in IE

CSCtn93345

ASA Broadview deny lines in NAT exemption ACL are migrated as permits

CSCtn96841

"ip local pool" incorrectly rejected due to overlap with existing NAT

CSCtn99847

Easy VPN authentication may consume AAA resources over time

CSCto05036

DTLS handshake fails on ASA when client retransmits ClientHello

CSCto05478

asa traceback on 8.3.2.13 Thread Name: Dispatch Unit

CSCto05640

call-home config auto repopulates after reboot

CSCto08752

ASA traceback in 8.4.1 with memory failure errors on IKE daemon

CSCto09465

FTP transfers fail with NAT configured on multi-core ASAs (5580/5585)

CSCto11365

ASA: Ldap attributes not returned for disabled account

CSCto14043

ASA may traceback when using trace feature in capture

CSCto15003

ASA 8.4.1 traceback in Thread Name: ssh with Page fault

CSCto16917

DAP terminate msg not showing for clientless, cert only authentication

CSCto23713

ASA uses a case-sensitive string compare with IBM LDAP server

CSCto34573

ASA: 8.3 upgrade to 8.4, Shared VPN Licensing config lost unable to conf

CSCto48254

ASA reset TCP socket when RTP/RTCP arrives before SIP 200 OK using PAT

CSCto49499

HA: Failover LU xmit/rcv statistics is different on Active and Standby

CSCto62499

OSPF Failover causes 5 second convergence delay

CSCto62660

ASA 8.4.1 crashed in Thread Name: Unicorn Proxy Thread

CSCto80254

ASA does not send Anyconnect profile when Radius pushes profile

CSCto82315

Traceback in Thread Name: gtp ha bulk sync with failover config

CSCto83156

ASA Sequence of ACL changes when changing host IP of object network

CSCto87674

ST not injected in mstsc.exe on 32-bit Win 7 when started through TSWeb

CSCto96832

Unable to login to SAP application via WebVPN portal

CSCto99389

External Portal Page Macro substitution fails

CSCtq00144

VPN RA session DAP processing fails with memberOf from OpenLDAP

CSCtq10528

Host listed in object group TD shun exception gest shunned

Resolved Caveats in Version 8.4(1)

Table 18 contains resolved caveats in ASA software Version 8.4(1).

If you are a registered Cisco.com user, view more information about each caveat using the Bug Toolkit at the following website:

http://tools.cisco.com/Support/BugToolkit/


Table 18 Resolved Caveats in ASA Version 8.4(1)

Caveat      Description
CSCeg69627  DHCPD: show binding should display client-id instead of hw address
CSCsk97762  ENH: Allow DCERPC inspect to open pin-holes for WMI queries. non epm map
CSCsw15355  ASA may crash when executing packet-tracer via console/ssh/telnet
CSCtc12240  Webvpn- rewrite : ASA inserts lang=VBScript incorrectly
CSCtc32872  TFW ENH: Management interface should operate in routed mode
CSCtc40183  8.2.1.11 Webvpn not able to show dropdowns items written in javascripts
CSCtd02193  Heap memory head magic verification failed on asdm access
CSCtd71913  WebVPN Application Access page not displayed if AES chosen
CSCte55834  sev1 syslog seen after three failed authentication attempts
CSCte79575  ASA: TFW sh fail output shows Normal(waiting) when Sec unit is act
CSCtf01287  SSH to the ASA may fail - ASA may send Reset
CSCtf06303  Citrix plugin error with HTTPBrowserAddress parameter
CSCtf13774  ASA Traceback Thread Name: Dispatch Unit
CSCtf23147  ASA/PIX may generate an ACK packet using TTL received by sender
CSCtf25270  PP: MTA can be replaced with static/dynamic route
CSCtf28466  ASA Fails to assign available addresses from local pool
CSCtf50185  when doing DTLS rekey, AC may get disconnected with reason idle-timeout
CSCtf52903  Wrong url message is generated when access to group-url ended with "/"
CSCtf99449  Traceback in thread name Dispatch Unit
CSCtg09840  debug webvpn response does not generate any output
CSCtg22656  ASA local CA: not redirected to cert download page when user first login
CSCtg31015  EIGRP bandwidth value listed incorrectly for SFP gig link on SSM-4GE
CSCtg41163  ASA:high memory usage seen on ASA version 8.0.x onwards
CSCtg45489  Access List for L2L "show crypt ipsec sa" blank after FO and rekey
CSCtg65421  CIFS SSO fails with non-ASCII characters in username or password
CSCtg66583  RIP denial of service vulnerability
CSCtg74608  WEBVPN: PDF form button doesn't work with secure link
CSCtg78505  Cannot SSH to ASA after making changes to webvpn portal via ASDM
CSCtg80816  Clientless WebVPN: DWA 8.0.2 fails to forward attachments
CSCtg86810  show run all command causes SSH session hang
CSCtg89586  RTSP is not translating the client-ports correctly
CSCtg90646  ASA - webtype ACLs are not replicated to the standby
CSCtg94369  ASA 8.3 reboots after installing memory upgrade and copying file
CSCth06056  CWA doesn't login with IE 7 and IE8 or render properly with FireFox 3.x
CSCth09546  ASA 8.3 cut-through-proxy behavior change when authenticating to ASA ip
CSCth11779  ASA sends invalid XML when group-alias contains &
CSCth24465  show nat command shows incorrect line numbers for NAT config lines
CSCth26474  Inspection triggers block depletion resulting in traffic failure
CSCth28251  ASA:UDP conns not properly reclassified when tunnel bounces
CSCth31814  Changing interface config to dhcp will add AAA cmd and break EasyVPN
CSCth38721  Timer error on console not useful: init with uninitialized master
CSCth42526  ASA:vpn-sessiondb logoff ipaddress <peer> does not clear tunnelled flows
CSCth42839  show conn port functionality change
CSCth43128  ASA WebVPN : Forms don't get saved in CRM due to no pop-up
CSCth48178  ha :Watchdog fover_FSM_thread during failover IPv6 on SSM-4GE-INC
CSCth49826  Traceback in Unicorn Proxy Thread, address not mapped
CSCth56065  DAP_ERROR:...dap_add_csd_data_to_lua: Unable to load Host Scan data:
CSCth60460  "show service-policy inspect <engine>" may leak 16384 bytes per output
CSCth63101  ASA HTTP response splitting on /+CSCOE+/logon.html
CSCth67419  WebVPN - rewriter interprets "application/pdf" as generic link
CSCth67506  ST not injected in mstsc.exe on 64-bit Win 7 when started through TSWeb
CSCth68948  Memory not released after EZVPN client with cert fails authentication
CSCth72642  NAT on 8.3 fails during RPF check
CSCth75120  ASA 8.3; vpn db; IP information not consistent with previous versions
CSCth79877  ASA traceback due to memory corruption
CSCth85185  WebVPN: DWA 8.0.2 will hang during message forwarding process
CSCth89217  After failover, CPU-hog and send out ND packet using Secondary MAC
CSCth91572  per-client-max and conn-max does not count half-closed connections
CSCth97330  MS-CHAP-Response generated by ASA has incorrect flags (0x11)
CSCti00289  ASA (8.3.1.9) traceback in Thread Name: DATAPATH-5-1315
CSCti03135  Search using Dojo Toolkit fails across WebVPN with 404 Error
CSCti06385  ASA XSS on /+CSCOE+/portal.html webvpnLang variable
CSCti06749  ASA: Session Cookies not Marked Secure
CSCti09288  crashed Thread Name: lu_rx - gtp_lu_process_pdpmcb_info
CSCti09672  vpn-access-hours does not work if client authenticated by certificate
CSCti16527  WEBVPN: Copying >2 GB files fails through CIFS
CSCti20506  Transparent fw w/ASR group sets dstMAC to other ctx for last ACK for 3WH
CSCti21427  Webvpn Customization, DfltCustomization form-order XML error
CSCti22636  "failover exec standby" TACACS+ authorization failure
CSCti24526  Flood of random IPv6 router advertisements causes high CPU and DoS
CSCti24787  Traceback: watchdog in tmatch_release_actual with large tmatch tree
CSCti26495  NAT portlist with failover enabled triggers tmatch assert
CSCti30663  TS Web AppSharing stops working across WebVPN in 8.3.2
CSCti34942  Changing configuration on FT INT not possible after disabling failover
CSCti35310  ISAKMP Phase 1 failure from Remote->ASA with default Phase 1 Values
CSCti35966  Traceback Thread Name: IKE Daemon Assert
CSCti37845  ASA - failover - packet loss when hw-mod reset of SSM mod in fail-open
CSCti38496  ASA SIP inspection does not rewrite with interface pat
CSCti39571  re-enter ipv6 enable does not bring back RRI routes
CSCti39588  invalid ipv6 RRI routes remains after crypto acl changes
CSCti41422  VPN-Filter rules not being cleared even after all vpn sessions gone.
CSCti42879  ASA Crash in thread Dispatch Unit when executing command alias via https
CSCti43193  webvpn-other: assert crash Thread Name: Unicorn Proxy Thread
CSCti43763  Management connection fail after multiple tries with SNMP connections.
CSCti47991  timed mode does not fallback to LOCAL if all aaa server are FAILED
CSCti49212  interface command on vpn load-balancing should be shown
CSCti56362  ASA/ASDM history shows total SSL VPN sessions for clientless only
CSCti57516  ASA traceback when assigning priv level to mode ldap command "map-value"
CSCti57626  IUA Authentication appears to be broken
CSCti57825  ASA L2L VPN Negative packet encapsulation figures
CSCti62191  ASA traceback in Thread Name: emweb/https when DAP has IPv6 acl on it
CSCti62358  TFW mode regens cert every time 'no ip address' applied to mgmt int
CSCti65237  slow mem leak in ctm_sw_generate_dh_key_pair
CSCti70936  PKI session exhaustion
CSCti72411  ASA 8.2.3 may not accept management connections after failover
CSCti74419  Standby ASA may traceback in IKE Daemon while deleting a tunnel
CSCti76899  rtcli: traceback in rtcli async executor process, eip ci_set_mo
CSCti77545  ASA 5550 8.3.2 crashed in Thread Name: OSPF Router
CSCti87144  L2L traffic recovery fails following intermediary traffic disruption
CSCti88676  ASA Captures will not capture any traffic when match icmp6 is used
CSCti90767  ASA 5505 may traceback when booting with an AIP SSC card installed
CSCti92851  Deleting group-policy removes auto-signon config in other group-policies
CSCti93910  ASA automatically enables the 'service resetoutside' command
CSCti94480  Orphaned SSH sessions and High CPU
CSCti98855  Traceback in IKE Timekeeper
CSCti99476  Email Proxy leaking 80 block w/ each email sent
CSCtj01814  page fault traceback in IKE Daemon
CSCtj03800  Second L2TP session disconnects first one if NATed to the same public IP
CSCtj09945  Host Scan with Blank OU field in personal cert causes DAP to fail
CSCtj15898  ASA webvpn "csco_HTML" may be added to form
CSCtj19221  SYSLOG message 106102 needs to show Username for DAP/vpn-filter
CSCtj28057  Quitting "show controller" command with 'q' degrades firewall performance
CSCtj36804  Cut-through proxy sends wrong accounting stop packets
CSCtj43084  Tmatch insert and remove from datapath via NAT portlist causes crash
CSCtj46900  Last CSD data element is not being loaded into DAP
CSCtj60839  WebVPN vmware view does not work after upgrade to ASA 8.2.3 and 8.3.2
CSCtj62266  ldap-password-management fails if user password contained & (ampersand)
CSCtj68188  Traceback in Thread Name: ldap_client_thread
CSCtj96230  H225 keepalive ACK is dropped

End-User License Agreement

For information on the end-user license agreement, go to:

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

Related Documentation

For additional information on the ASA, see Navigating the Cisco ASA Series Documentation:

http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What’s New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.