Release Notes for the Secure Firewall ASA Series, 9.18(x)
This document contains release information for ASA software Version 9.18.
Important Notes
-
ASDM signed-image support in 9.18(2)/7.18(1.152) and later—The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. ASDM release 7.18(1.152) and later are backwards compatible with all ASA versions, even those without this fix. (CSCwb05291, CSCwb05264)
-
Downgrade issue from 9.18 or later—There is a behavior change in 9.18 where the access-group command will be listed before its access-list commands. If you downgrade, the access-group command will be rejected because it has not yet loaded the access-list commands. This outcome occurs even if you had previously enabled the forward-reference enable command, because that command is now removed. Before you downgrade, be sure to copy all access-group commands manually, and then after downgrading, re-enter them.
-
9.18(1) upgrade issue if you enabled HTTPS/ASDM (with HTTPS authentication) and SSL on the same interface with the same port—If you enable both SSL (webvpn > enable interface) and HTTPS/ASDM (http ) access on the same interface, you can access AnyConnect from https://ip_address and ASDM from https://ip_address/admin, both on port 443. However, if you also enable HTTPS authentication (aaa authentication http console), then you must specify a different port for ASDM access starting in 9.18(1). Make sure you change the port before you upgrade using the http command. (CSCvz92016)
-
Behavior change for Secure Firewall 3100 in 9.18(2.7)—When you set the FEC to Auto using the fec command on the Secure Firewall 3100 fixed ports, the default type is now set to cl108-rs instead of cl74-fc for 25 GB SR, CSR, and LR transceivers. (CSCwc75082)
System Requirements
ASDM requires a computer with a CPU with at least 4 cores. Fewer cores can result in high memory usage.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco Secure Firewall ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
 Note |
New, changed, and deprecated syslog messages are listed in the syslog message guide. |
New Features in ASA 9.18(4)
Released: October 3, 2023
|
Feature |
Description |
|---|---|
|
High Availability and Scalability Features |
|
|
Reduced false failovers for ASA high availability |
We now introduced an additional heartbeat module in the data plane of the ASA high availability. This heartbeat module helps to avoid false failovers or split-brain scenarios that can happen due to traffic congestion in the control plain or CPU overload. Also in 9.20(1). |
|
show failover statistics includes client statistics |
The failover client packet statistics are now enhanced to improve debuggability. The show failover statistics command is enhanced to display np-clients (data-path clients) and cp-clients (control-plane clients) information. Modified commands: show failover statistics cp-clients , show failover statistics dp-clients Also in 9.20(2). |
|
show failover statistics events includes new events |
The show failover statistics events command is now enhanced to identify the local failures notified by the App agent: failover link uptime, supervisor heartbeat failures, and disk full issues. Modified commands: show failover statistics events Also in 9.20(2). |
|
Interface Features |
|
| FXOS local-mgtm show command improvements |
See the following additions for interface show commands in FXOS local-mgmt:
New/Modified FXOS commands: show portmanager switch tail-drop-allocated buffers all , show portmanager switch status , show portmanager switch default-rule-drop-counter |
|
Administrative, Monitoring, and Troubleshooting Features |
|
|
show tech support improvements |
Added output to show tech support for:
New/Modified commands: show tech support |
New Features in ASA 9.18(3)
Released: February 16, 2023
|
Feature |
Description |
|---|---|
|
Platform Features |
|
|
Firepower 1010E |
We introduced the Firepower 1010E. This model is the same as the Firepower 1010 except it doesn't have Power Over Ethernet ports. ASDM support in 7.19(1.90) or 7.18(2.1). ASDM 7.19(1) does not support this model. Also in 9.18(2.218). This model is not supported in 9.19(1). |
|
Interface Features |
|
|
Default Forward Error Correction (FEC) on Secure Firewall 3100 fixed ports changed to cl108-rs from cl74-fc for 25 GB+ SR, CSR, and LR transceivers |
When you set the FEC to Auto on the Secure Firewall 3100 fixed ports, the default type is now set to cl108-rs instead of cl74-fc for 25 GB SR, CSR, and LR transceivers. New/Modified commands: fec Also in 9.19(1) and 9.18(2.7). |
|
VPN Features |
|
|
AnyConnect connection authentication using SAML |
In a DNS load balancing cluster, when SAML authentication is configured on ASAs, you can specify a local base URL that uniquely
resolves to the device on which the configuration is applied.
New/Modified commands: local-base-urlurl |
New Features in ASA 9.18(2)
Released: August 10, 2022
|
Feature |
Description |
|---|---|
|
Interface Features |
|
|
Loopback interface support for BGP and management traffic |
You can now add a loopback interface and use it for the following features:
New/Modified commands: interface loopback , logging host , neighbor update-source , snmp-server host , ssh , telnet |
|
ping command changes |
To support pinging a loopback interface, the ping command now has changed behavior. If you specify the interface in the command, the source IP address matches the specified interface IP address, but the actual egress interface is determined by a route lookup using the data routing table. New/Modified commands: ping |
New Features in ASA 9.18(1)
Released: June 6, 2022
|
Feature |
Description |
||
|---|---|---|---|
|
Platform Features |
|||
| ASAv-AWS Security center integration for AWS GuardDuty | You can now integrate Amazon GuardDuty service with ASAv. The integration solution helps you to capture and process the threat analysis data or results (malicious IP addresses) reported by Amazon GuardDuty. You can configure and feed these malicious IP addresses in the ASAv to protect the underlying networks and applications. | ||
|
Firewall Features |
|||
|
Forward referencing of ACLs and objects is always enabled. In addition, object group search for access control is now enabled by default. |
You can refer to ACLs or network objects that do not yet exist when configuring access groups or access rules. In addition, object group search is now enabled by default for access control for new deployments. Upgrading devices will continue to have this command disabled. If you want to enable it (recommended), you must do so manually.
We removed the forward-reference enable command and changed the default for new deployments for object-group-search access-control to enabled. |
||
|
Routing Features |
|||
|
Path monitoring metrics in PBR. |
PBR uses the metrics to determine the best path (egress interface) for forwarding the traffic. Path monitoring periodically notifies PBR with the monitored interface whose metric got changed. PBR retrieves the latest metric values for the monitored interfaces from the path monitoring database and updates the data path. New/Modified commands: clear path-monitoring , policy-route , show path-monitoring |
||
|
Interface Features |
|||
|
Pause Frames for Flow Control for the Secure Firewall 3100 |
If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue. New/Modified commands: flowcontrol send on |
||
|
Breakout ports for the Secure Firewall 3130 and 3140 |
You can now configure four 10GB breakout ports for each 40GB interface on the Secure Firewall 3130 and 3140. New/Modified commands: breakout |
||
|
License Features |
|||
|
Secure Firewall 3100 support for the Carrier license |
The Carrier license enables Diameter, GTP/GPRS, SCTP inspection. New/Modified commands: feature carrier |
||
|
Certificate Features |
|||
|
Mutual LDAPS authentication. |
You can configure a client certificate for the ASA to present to the LDAP server when it requests a certificate to authenticate. This feature applies when using LDAP over SSL. If an LDAP server is configured to require a peer certificate, the secure LDAP session will not complete and authentication/authorization requests will fail. New/Modified commands: ssl-client-certificate . |
||
|
Authentication: Validate certificate name or SAN |
When a feature specific reference-identity is configured, the peer certificate identity is validated with the matching criteria specified under crypto ca reference-identity <name> submode commands. If there is no match found in the peer certificate Subject Name/SAN or if the FQDN specified with reference-identity submode command fail to resolve, the connection is terminated The reference-identity CLI is configured as a submode command for aaa-server host configuration and ddns configuration. New/Modified commands: ldap-over-ssl , ddns update method , and show update method . |
||
|
Administrative, Monitoring, and Troubleshooting Features |
|||
|
Multiple DNS server groups |
You can now use multiple DNS server groups: one group is the default, while other groups can be associated with specific domains. A DNS request that matches a domain associated with a DNS server group will use that group. For example, if you want traffic destined to inside eng.cisco.com servers to use an inside DNS server, you can map eng.cisco.com to an inside DNS group. All DNS requests that do not match a domain mapping will use the default DNS server group, which has no associated domains. For example, the DefaultDNS group can include a public DNS server available on the outside interface. New/Modified commands: dns-group-map , dns-to-domain |
||
|
Dynamic Logging Rate-limit |
A new option to limit logging rate when block usage exceeds a specified threshold value was added. It dynamically limits the logging rate as the rate limiting is disabled when the block usage returns to normal value. New/Modified commands: logging rate-limit |
||
|
Packet Capture for Secure Firewall 3100 devices |
The provision to capture switch packets was added. This option can be enabled only for Secure Firewall 3100 devices. New/Modified commands: capture real-time |
||
|
VPN Features |
|||
|
IPsec flow offload. |
On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance. New/Modified commands: clear flow-offload-ipsec , flow-offload-ipsec , show flow-offload-ipsec |
||
|
Certificate and SAML for Authentication |
You can configure remote access VPN connection profiles for certificate and SAML authentication. Users can configure VPN settings to authenticate a machine certificate or user certificate before a SAML authentication/authorization is initiated. This can be done using DAP certificate attributes along with user specific SAML DAP attributes. New/Modified commands: authentication saml certificate , authentication certificate saml , authentication multiple-certificate saml |
||
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
-
ASDM: Choose .
-
CLI: Use the show version command.
This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
Note |
Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage. |
Note |
For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories. |
Note |
ASA 9.16 was the final version for the ASA 5506-X, 5508-X, and 5516-X. ASA 9.14 was the final version for the ASA 5525-X, 5545-X, and 5555-X. ASA 9.12 was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2 was the final version for the ASA 5505. ASA 9.1 was the final version for the ASA 5510, 5520, 5540, 5550, and 5580. |
|
Current Version |
Interim Upgrade Version |
Target Version |
|---|---|---|
|
9.17 |
— |
Any of the following: → 9.18 |
|
9.16 |
— |
Any of the following: → 9.18 → 9.17 |
|
9.15 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 |
|
9.14 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 |
|
9.13 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 |
|
9.12 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 |
|
9.10 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.9 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.8 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.7 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.6 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.5 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.4 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.3 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.2 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) |
— |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
9.1(1) |
→ 9.1(2) |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
9.0(2), 9.0(3), or 9.0(4) |
— |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.6 → 9.1(7.4) |
|
9.0(1) |
→ 9.0(4) |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
8.6(1) |
→ 9.0(4) |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
8.5(1) |
→ 9.0(4) |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
|
8.4(5+) |
— |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) → 9.0(4) |
|
8.4(1) through 8.4(4) |
→ 9.0(4) |
→ 9.12 → 9.8 → 9.1(7.4) |
|
8.3 |
→ 9.0(4) |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
|
8.2 and earlier |
→ 9.0(4) |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.18(x)
The following table lists select open bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
FXOS should provide an option to tag and display counters for selected flows/packets |
|
|
ACP deploy failed on KP-HA |
|
|
Snort3 crash in KP driver code in 7.2.4-114 |
|
|
ASAv VMware traceback and reload with Thread Name: PTHREAD-1549 |
|
|
Umbrella registration succeeds after cert validation failure |
|
|
Current connection count is negative on 'show service policy' - conn limit exceeded |
|
|
FTD traceback with Thread Name: PIM IPv4 |
|
|
Strong Encryption license is not getting applied to ASA firewalls in HA. |
|
|
ASA/FTD may traceback and reload in Thread Name 'dns_cache_timer' |
|
|
FP4110 crashing on asa code 9.18(3)53 with no direct cause |
|
|
ASA does not sent 'warmstart' snmp trap |
|
|
WM: Lina crash at dispatch_lb_poll_worker with invalid opcode(sig 4) |
|
|
LINA show tech-support fails to generate as part of sf_troubleshoot.pl (Troubleshoot file) |
|
|
ASDM can not see log timestamp after enable logging timestamp on cli |
|
|
ASA/FTD: Traceback in Process Name: lina |
|
|
FTD FP2100: LDAP External authentication may fail for username containing backslash "\" |
|
|
ASA: Traceback and reload when restore configuration using CLI |
|
|
Cruz Adapter down in one of the modules |
|
|
ASA in transparent mode doesn't send equal IPv6 Router Advertisement packets to all nodes |
|
|
FXOS : Duplication of NTP entry results in Error message : Unreachable Or Invalid Ntp Server |
|
|
ASA|FTD: Traceback & reload in thread Name: update_mem_reference |
|
|
ASA/FTD: Traceback due to wrong calc leading to negative transfer bytes passed to memcpy function |
|
|
ASA/FTD drops multicast traffic when there is no mroute entry when using Bidir PIM. |
|
|
ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Interface connected with PPPoE may go down unexpectedly |
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 9.18(4)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
FTD traceback in Thread Name cli_xml_server when deploying QoS policy |
|
|
FTD - Flow-Offload should be able to coexist with Rate-limiting Feature (QoS) |
|
|
Lack of throttling of ARP miss indications to CP leads to oversubscription |
|
|
FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices |
|
|
Clean up session index handling in IKEv2/SNMP/Session-mgr for MIB usage |
|
|
Primary node disconnected from VPN-Cluster when performed HA failover on Primary with DNS lookup |
|
|
ASA/FTD may traceback and reload in process Lina |
|
|
duplicate log entry for /mnt/disk0/log/asa_snmp.log |
|
|
ASA/FTD Traceback and reload in Process Name: lina |
|
|
ASAv - 9344 Block not created automatically after enabling JumboFrames, breaks OSPF MD5 |
|
|
MFIB RPF failed counter instead of Other drops increments when outgoing interface list is Null |
|
|
ASA: The timestamp for all logs generated by Admin context are the same |
|
|
Statsclient hap reset and boot loop after enabling SNMP unification in 92.13 |
|
|
FTPS getting ssl3_get_record:bad record type during connection for KK and DR rules |
|
|
vti hub with NAT-T enabled pinholes connections are looping and causing snort busy drops |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASAv "Unable to retrieve license info. Please try again later" |
|
|
FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters |
|
|
logging/syslog is impacted by SNMP traps and logging history |
|
|
ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT |
|
|
ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off |
|
|
AnyConnect SAML using external browser and round robin DNS intermittently fails |
|
|
Failover trigger due to Inspection engine in other unit has failed due to disk failure |
|
|
critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on 2100/3100 devices |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' following policy deployment |
|
|
EIGRPv6 - Crashed with "mem_lock: Assertion mem_refcount' failed" on LINA. |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
User with no vpn-filter may get additional access when per-user-override is set |
|
|
DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA |
|
|
FP1000 - During boot process in LINA mode, broadcasts leaked between interfaces resulting in storm |
|
|
ASA/FTD traceback and reload on thread name fover_fail_check |
|
|
ASA/FTD: Command "no snmp-server enable oid mempool" enabled by default or enforced during upgrades |
|
|
Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log |
|
|
fxos log rotate failing to cycle files, resulting in large file sizes |
|
|
ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread |
|
|
AWS: SSL decryption failing with Geneve tunnel interface |
|
|
FTD Lina traceback and reload in Thread Name 'IP Init Thread' |
|
|
Inline-pair's state could not able to auto recover from hardware-bypass to standby mode. |
|
|
Memory depletion while running EMIX traffic profile on QP HA active node |
|
|
ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade |
|
|
ASA Connections stuck in idle state when DCD is enabled |
|
|
AC clients fail to match DAP rules due to attribute value too large |
|
|
Lina changes to support - Snort3 traceback in daq-pdts while handling FQDN based traffic |
|
|
FPR1150 : Exec format error seen and the device hung until reload when erase secure all is executed |
|
|
ASA|FTD: Implement different TLS diffie-hellman prime based on RFC recommendation |
|
|
ASA MIO-blade heartbeat failure due to kernel crash, leads to MEZZ core |
|
|
QEMU KVM console got stuck in "Booting the kernel" page |
|
|
Port-channel interfaces of secondary unit are in waiting status after reload |
|
|
ASA/FTD may traceback and reload in idfw fqdn hash lookup |
|
|
FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
|
30+ seconds data loss when unit re-join cluster |
|
|
ASA configured with HA may traceback and reload with multiple input/output error messages |
|
|
MI FTD running 7.0.4 is on High disk utilization |
|
|
High CPU Utilization on FXOS for processes smConlogger |
|
|
FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q |
|
|
LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage |
|
|
Microsoft SCEP enrollment fails to get ASA identity cert - Unable to verify PKCS7 |
|
|
ASA/FTD may traceback and reload in Thread Name 'telnet/ci' |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Observing some devcmd failures and checkheaps traceback when flow offload is not used. |
|
|
Traceback and reload when webvpn users match DAP access-list with 36k elements |
|
|
ASA/FTD: Traceback and Reload on Netflow timer infra |
|
|
Cut-Through Proxy does not work with HTTPS traffic |
|
|
Enhance logging mechanism for syslogs |
|
|
ASA/FTD NAT Pool Cluster allocation and reservation discrepancy between units |
|
|
Stratix5950 and ISA3000 LACP channel member SFP port suspended after reload |
|
|
ASA/FTD failure due to heartbeat loss between chassis and blade |
|
|
ASA/FTD may traceback and reload in logging_cfg processing |
|
|
FAN LED flashing amber on FPR2100 |
|
|
Clientless VPN users are unable to download large files through the WebVPN portal |
|
|
Anyconnect users unable to connect when ASA using different authentication and authorization server |
|
|
Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob |
|
|
Primary ASA traceback upon rebooting the secondary |
|
|
ASA/FTD traceback and reload, Thread Name: rtcli async executor process |
|
|
Link Up seen for a few seconds on FPR1010 during bootup |
|
|
FTD: Unable to configure WebVPN Keepout or Certificate Map on FPR3100 |
|
|
ASA is unexpected reload when doing backup |
|
|
41xx: Blade does not capture or log a reboot signal |
|
|
ASA/FTD: External IDP SAML authentication fails with Bad Request message |
|
|
License Commands go missing in Cluster data unit if the Cluster join fails. |
|
|
FTD traceback and reload while deploying PAT POOL |
|
|
Need to provide rate-limit on "logging history <mode>" |
|
|
FTD/ASA traceback and reload during to tmatch compilation process |
|
|
FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity |
|
|
FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces |
|
|
Cluster data unit drops non-VPN traffic with ASP reason "VPN reclassify failure |
|
|
FPR1120:connections are getting teardown after switchover in HA |
|
|
None option under trustpoint doesn't work when CRL check is failing |
|
|
FTD traceback and reload during policy deployment adding/removing/editing of NAT statements. |
|
|
FTD is dropping GRE traffic from WSA |
|
|
ASA binding with LDAP as authorization method with missing configuration |
|
|
ASA: Traceback and reload while processing SNMP packets |
|
|
High Lina memory use due to leaked SSL handles |
|
|
multimode-tmatch_df_hijack_walk traceback observed during shut/unshut on FO connected switch interfa |
|
|
FTD - 'show memory top-usage' providing improper value for memory allocation |
|
|
FTD: IPSLA Pre-emption not working even when destination becomes reachable |
|
|
ASA/FTD Traceback and reload of Standby Unit while removing capture configurations |
|
|
[FTD Multi-Instance][SNMP] - CPU OIDs return incomplete list of associated CPUs |
|
|
ASA/FTD may traceback and reload in Thread Name: CTM Daemon |
|
|
256-byte memory block gets depleted on start if jumbo frame is enabled with FTD on ASA5516 |
|
|
Traffic drop when primary device is active |
|
|
Open AC VPN Agent" can connect to a Multi-Cert Auth TG using a single cert & username/password |
|
|
ASA/FTD may drop multicast packets due to no-mcast-intrf ASP drop reason until UDP timeout expires |
|
|
Multicast connection built or teardown syslog messages may not always be generated |
|
|
Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated |
|
|
NTP polling frequency changed from 5 minutes to 1 second causes large useless log files |
|
|
Multiple instances of nvram.out log rotated files under /opt/cisco/platform/logs/ |
|
|
ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured |
|
|
ASA Traceback & reload citing thread name: asacli/0 |
|
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
|
ASA/FTD may traceback and reload after executing 'clear counters all' when VPN tunnels are created |
|
|
LINA traceback with icmp_thread |
|
|
The command "app-agent heartbeat" is getting removed when deleting any created context |
|
|
CLUSTER: ICMP reply arrives at director earlier than CLU add flow request from flow owner. |
|
|
FTD MI does not adjust PVID on vlans attached to BVI |
|
|
ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo |
|
|
ASA/FTD Show chunkstat top command implementation |
|
|
ASA/FTD might traceback in funtion "snp_fp_l2_capture_internal" due to cf_reinject_hide flag |
|
|
Workaround to set hwclock from ntp logs on low end platforms |
|
|
ASA/FTD: High failover delay with large number of (sub)interfaces and http server enabled |
|
|
Gateway is not reachable from standby unit in admin and user context with shared mgmt intf |
|
|
Multiple traceback seen on standby unit. |
|
|
2100: Power switch toggle leads to ungraceful shutdowns and "PowerCycleRequest" reset |
|
|
Stale IKEv2 SA formed during simultaneous IKE SA handling when missing delete from the peer |
|
|
FDM WM-HA ssh is not working after upgrading 7.2.3 beta with data interface as management |
|
|
ASA: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
|
Deleting a BVI in FTD interfaces is causing packet drops in other BVIs |
|
|
FP2100:Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames |
|
|
Syslog ASA-6-611101 is generated twice for a single ssh connection |
|
|
User with no vpn-filter may get additional access when per-user-override is set (IKEv2 RAVPN) |
|
|
FTD upgrade from 7.0 to 7.2.x and beyond crashes due to management-access enabled |
|
|
ASA/FTD drops traffic to BVI if floating conn is not default value due to no valid adjacency |
|
|
Management interface link status not getting synced between FXOS and ASA |
|
|
SNMP on SFR module goes down and won't come back up |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASA Evaluation of OpenSSL vulnerability CVE-2022-4450 |
|
|
SSL decrypted conns fails when tx chksum-offload is enabled with the egress interface a pppoe. |
|
|
FTD on FPR2140 - Lina traceback and reload by TCP normalization |
|
|
Memory leak observed on ASA/FTD when logging history is enabled |
|
|
ASA/FTD: Revision of cluster event message "Health check detected that control left cluster" |
|
|
FTD: "timeout floating-conn" not operating as expected for connections dependent on VRF routing |
|
|
ASA/FTD reboots due to traceback pointing to watchdog timeout on p3_tree_lookup |
|
|
FTD Traceback and reload on Thread Name "NetSnmp Event mib process" |
|
|
PIM register packets are not sent to RP after a reload if FTD uses a default gateway to reach the RP |
|
|
ASA Multicontext 'management-only' interface attribute not synced during creation |
|
|
ASA reboots due to heartbeat loss and "Communication with NPU lost" |
|
|
New context subcommands are not replicated on HA standby when multiple sessions are opened. |
|
|
Policy Deploy Failing when trying to remove Umbrella DNS Connector Configuration |
|
|
ASA/FTD traceback in snp_tracer_format_route |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to due to tcp intercept stat |
|
|
ASA/FTD: Ensure flow-offload states within cluster are the same |
|
|
Need fault/error for invalid firmware MF-111-234949 |
|
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
|
ASA/FTD may traceback and reload |
|
|
ASA: Prevent SFR module configuration on unsuported platforms |
|
|
The command "neighbor x.x.x.x ha-mode graceful-restart" removed when deleting any created context |
|
|
FP2100 series devices might use excessive memory if there is a very high SNMP polling rate |
|
|
KP Generating invalid core files which cannot be decoded 7.2.4-64 |
|
|
ASA - Standby device may traceback and reload during synchronization of ACL DAP |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Last fragment from SIP IPv6 packets has MF equal to 1, flagging that more packets are expected |
|
|
ASA / FTD Traceback and reload when removing isakmp capture |
|
|
Failover fover_trace.log file is flooding and gets overwritten quickly |
|
|
Multiple times the failover may be disabled by wrongly seeing a different "Mate operational mode". |
|
|
Connections not replicated to Standby FTD |
|
|
FTD 3100 Crash in Thead Name: CP Processing |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-3-21853 |
|
|
Unable to login to FTD using external authentication |
|
|
Cross-interface-access: ICMP Ping to management access ifc over VPN is broken |
|
|
logrotate is not compressing files on 9.16 ASA or 7.0 FTD |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-1-1656 |
|
|
AnyConnect - mobile devices are not able to connect when hostscan is enabled |
|
|
Interface remains DOWN in an Inline-set with propagate link state |
|
|
ASA/FTD: From-the-box ping fails when using a custom VRF |
|
|
ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers |
|
|
ASA/FTD may traceback and reload in Thread Name 'pix_flash_config_thread' |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Default DLY value of port-channel sub interface mismatch with parent Portchannel |
|
|
ASA: Standby failure on parsing of "management-only" not reported to parser/failover subsystem |
|
|
PortChannel sub-interfaces configured as data/data-sharing, in multi-instance HA go into "waiting" |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASA/FTD traceback and reload on thread DATAPATH-14-11344 when SIP inspection is enabled |
|
|
ASA/FTD traceback and reload due citing thread name: cli_xml_server in tm_job_add |
|
|
Lina core created during high traffic testing |
|
|
ASA traceback and reload with process name: cli_xml_request_process |
|
|
Serial number attribute from the subject DN of certificate should be taken as the username |
|
|
Notification Daemon false alarm of Service Down |
|
|
Username-from-certificate feature cannot extract the email attribute |
|
|
ASA: Standby failure on parsing of "management-only" for dynamic configuraiton changes |
|
|
ASA Traceback and reload in parse thread due ha_msg corruption |
|
|
ngfwManager process continuously restarting leading to ZMQ Out of Memory traceback |
|
|
FXOS REST API: Unable to create a keyring with type "ecdsa" |
|
|
Threat-detection does not recognize exception objects with a prefix in IPv6 |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina'. |
|
|
Threat-detection does not allow to clear individual IPv6 entries |
|
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
|
FTD DHCP Relay drops NACK if multiple DHCP Servers are configured |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASa/FTD: SNMP related traceback and reload immediately after upgrade from 6.6.5 to 7.0.1 |
|
|
ASA: Configurable CLU for Large amount of under/overruns on CLU RX/TX queues |
|
|
Observed ASA traceback and reload when performing hitless upgrade while VPN traffic running |
|
|
7.2.4 - Block depletion using single crafted UDP SIP register request |
|
|
traceback and reload thread datapath on process tcpmod_proxy_continue_bp |
|
|
Add knob to pause/resume file specific logging in asa log infra. |
|
|
FTD/ASA Hub and spoke (U-turn) VPN fails when one spoke is IPSec flow offloaded and the other isn't |
|
|
TCP ping is completely broken starting in 9.18.2 |
|
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
|
ASA: "Ping <ifc_name> x.x.x.x" is not working as expected starting 9.18.x |
|
|
FTD running on FP1000 series might drop packets on TLS flows after the "Client Hello" message. |
|
|
Setting heartbeat timeout to 6sec for BS and QP |
|
|
ASA running out of SNMP PDU and SNMP VAR chunks |
|
|
Lina traceback and reload due to fragmented packets |
|
|
FPR3100: ASA/FTD High traffic impact on all data interfaces with high counter of "demux drops" |
|
|
FTD : Traceback in ZMQ running 7.3.0 |
|
|
ASA sends OCSP request without user-agent and host |
|
|
ASA: After upgrade to 9.16.4 all type-8 passwords are lost on first reboot |
|
|
FTDv: Traffic failure in VMware Deployments due to dpdk pool exhuastion and rx_buff_alloc_failure |
|
|
ASA Traceback and reload citing process name 'lina' |
|
|
traceback and reload in Process Name: lina related to Nat/Pat |
|
|
TCP normalizer needs stats that show actions like packet drops |
|
|
LDAP authentication over SSL not working for users that send large authorisation profiles |
|
|
Very specific "vpn-idle-timeout" values cause continuous SSL session disconnects and reconnects |
|
|
ASAv in Hyper-V drops packets on management interface |
|
|
ASDM replaces custom policy-map with default map on class inspect options at backup restore. |
|
|
ASA/FTD may traceback and reload in Thread Name '19', free block checksum failure |
|
|
ASA may traceback and reload in Thread Name 'DHCPv6 Relay' |
|
|
ASA/FTD: Traceback on thread name: snmp_master_callback_thread during SNMP and interface changes |
|
|
ASA Packet-tracer displays the first ACL rule always, though matches the right ACL |
|
|
SSH to Chassis allows a 3-way handshake for IPs that are not allowed by the config |
|
|
Unable to establish BGP when using MD5 authentication over GRE TUNNEL and FTD as passthrough device |
|
|
FP2130- Unable to disassociate member from port channel, deployment fails, member is lost on FTD/FMC |
|
|
ASA/FTD: Connection information in SIP-SDP header remains untranslated with destination static Any |
|
|
FTD may fail to create a NAT rule with error: "IPv4 dst real obj address range is huge" |
|
|
Inconsistent log messages seen when emblem is configured and buffer logging is set to debug |
|
|
ASA in multi context shows standby device in failed stated even after MIO HB recovery. |
|
|
ASA integration with umbrella does not work without validation-usage ssl-server. |
|
|
Add CIMC reset as auto-recovery for CIMC IPMI hung issues |
|
|
ASA traceback and reload with the Thread name: **CP Crypto Result Processing** |
|
|
Firewall may drop packets when routing between global or user VRFs |
|
|
ASA access-list entries have the same hash after upgrade |
|
|
[IMS_7_4_0] - Virtual FDM Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby |
|
|
FTD: GRE traffic is load balanced between CPU cores |
|
|
ASA: Traceback and reload while updating ACLs on ASA |
|
|
FXOS/SSP: System should provide better visibility of DIMM Correctable error events |
|
|
Traffic may be impacted if TLS Server Identity probe timeout is too long |
|
|
AnyConnect Ikev2 Login Failed With certificate-group-map Configured |
|
|
ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk |
|
|
ASA/FTD may traceback and reload citing process name "lina" |
|
|
Traceback in Thread Name: ssh/client in a clustered setup |
|
|
Lina crash in thread name: cli_xml_request_process during FTD cluster upgrade |
|
|
99.20.1.16 lina crash on nat_remove_policy_from_np |
|
|
Priority-queue command causes silent egress packet drops on all port-channel interfaces |
|
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
|
VPN load-balancing cluster encryption using deprecated ciphers |
|
|
ASA/FTD: Traceback and reload when issuing 'show memory webvpn all objects' |
|
|
DNS cache entry exhaustion leads to traceback |
|
|
FTD username with dot fails AAA-RADIUS external authentication login after upgrade |
|
|
ASA SNMP polling not working and showing "Unable to honour this request now" on show commands |
|
|
Reduce time taken to clear stale IKEv2 SAs formed after Duplicate Detection |
|
|
ASA traceback and reload on Thread Name: DHCPRA Monitor |
|
|
ASA Traceback & reload on process name lina due to memory header validation |
|
|
KP2140-HA, reloaded primary unit not able to detect the peer unit |
|
|
FTD/Lina - ZMQ issue OUT OF MEMORY. due to less Msglyr pool memory in low end platforms |
|
|
ASA generating traceback with thread-name: DATAPATH-53-18309 after upgrade to 9.16.4.19 |
|
|
"show route all summary" executed on transparent mode FTD is causing CLISH to become Sluggish. |
|
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum. |
|
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
|
Cisco ASA and FTD ACLs Not Installed upon Reload |
|
|
FTD Lina engine may traceback, due to assertion, in datapath |
|
|
Add meaningful logs when the maximums system limit rules are hit |
|
|
Avoid both the devices in HA sends events to FMC |
|
|
FTD is dropping GRE traffic from WSA due to NAT failure |
|
|
Dumping of last 20 rmu request response packets failed |
|
|
ASA removes the IKEv2 Remote PSK if the Key String ends with a backslash "\" after reload |
|
|
ASA appliance mode - 'connect fxos [admin]' will get ERROR: failed to open connection. |
|
|
ASA: Checkheaps traceback and reload due to Clientless WebVPN |
|
|
FTD: Firepower 3100 Dynamic Flow Offload showing as Enabled |
|
|
Policy deployment fails when a route same prefix/metric is configured in a separate VRF. |
|
|
Cisco ASA Software and FTD Software SAML Assertion Hijack Vulnerability |
|
|
WM RM - SFP port status of 9 follows port of state of SFP 10|11|12 |
|
|
switch ports in Trunk mode do not pass vlan traffic after power loss |
|
|
ASA/FTD: Traceback and reload due to NAT L7 inspection rewrite |
|
|
ASA: Traceback and reload on Tread name "fover_FSM_thread" and ha_ntfy_prog_process_timer |
|
|
ECDSA Self-signed certificate using SHA384 for EC521 |
|
|
"failover standby config-lock" config is lost after both HA units are reloaded simultaneously |
|
|
OSPFv3 Traffic is Centralized in Transparent Mode |
|
|
FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment |
|
|
Traceback @<capture_file_show+605 at ../infrastructure/capture/capture_file_finesse.c:282> |
|
|
Radius authentication stopped working after ASAv on AWS upgrade to any higher version than 9.18.2 |
|
|
ASA Traceback & reload on process name lina due to memory header validation - webvpn side fix |
|
|
ASDM application randomly exits/terminates with an alert message on multi-context setup |
|
|
ASA/FTD HA checkheaps crash where memory buffers are corrupted |
|
|
Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2 |
|
|
ASA traceback on Lina process with FREEB and VPN functions |
|
|
FTDv/AWS - NTP clock offset between Lina and FTD cluster |
|
|
ASA/FTD may traceback and reload in Thread Name "RAND_DRBG_bytes" and CTM function on n5 platforms |
|
|
PSEQ (Power-Sequencer) firmware - remove device-id check |
|
|
ASA/FTD may traceback and reload in when changing capture buffer size |
|
|
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
|
|
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
|
|
PAC Key file missing on standby on reload |
|
|
Connections are not cleared after idle timeout when the interfaces are in inline mode. |
|
|
Specific OID 1.3.6.1.2.1.25 should not be responding |
|
|
ASA/FTD may traceback and reload in Thread Name 'ssh' when adding SNMPV3 config |
|
|
FTD - Traceback and reload due to nat rule removed by CPU core |
|
|
FTD responding to UDP500 packet with a Mac Address of 0000.000.000 |
|
|
ASA/FTD: NAT64 error "overlaps with inside standby interface address" for Standalone ASA |
|
|
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
|
|
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
|
|
ASA/FTD may traceback and reload while running show inventory all |
Resolved Bugs in Version 9.18(3)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
In some cases transition to lightweight proxy doesn't work for Do Not Decrypt flows |
|
|
ASA traceback and reload while allocating a new block for cluster keepalive packet |
|
|
FP2100: ASA/FTD with threat-detection statistics may traceback and reload in Thread Name 'lina' |
|
|
"Number of interfaces on Active and Standby are not consistent" should trigger warning syslog |
|
|
Cisco ASA Software SSL VPN Client-Side Request Smuggling Vulnerability via "/"URI |
|
|
Standby unit failed to join failover due to large config size. |
|
|
LINA observed traceback on thread name "snmp_client_callback_thread" |
|
|
SNMPv3 polling may fail using privacy algorithms AES192/AES256 |
|
|
Disable NLP rules installation workaround after mgmt-access into NLP is enabled |
|
|
ASA Failover does not detect context mismatch before declaring joining node as "Standby ready" |
|
|
ISA3000 in boot loop after powercycle |
|
|
ENH: Reduce latency in log_handler_file to reduce watchdog under scale or stress |
|
|
ASA/FTD datapath threads may run into deadlock and generate traceback |
|
|
ASA/FTD: DF bit is being set on packets routed into VTI |
|
|
Cisco ASDM and ASA Software Client-side Arbitrary Code Execution Vulnerability |
|
|
When inbound packet contains SGT header, FPR2100 cannot distribute properly per 5 tuple |
|
|
ASA/FTD Traceback and reload in Process Name: lina |
|
|
ASA Traceback & reload in thread name: Datapath |
|
|
ASA/FTD may traceback and reload in Thread Name 'None' |
|
|
Interface internal data0/0 is up/up from cli but up/down from SNMP polling |
|
|
FTD on FP2100 can take over as HA active unit during reboot process |
|
|
No-buffer drops on Internal Data interfaces despite little evidence of CPU hog |
|
|
Standby ASA goes to booting loop during configuration replication after upgrade to 9.16(3). |
|
|
User without password prompted to change password when logged in from SSH Client |
|
|
FTDv Cluster unit not re-joining cluster with error msg "Failed to open NLP SSL listening socket" |
|
|
Temporary HA split-brain following upgrade or device reboot |
|
|
ASA/FTD - Traceback in Thread Name: appAgent_subscribe_nd_thread |
|
|
FTD: SNMP failures after upgrade to 7.0.2 |
|
|
ASA tracebacks after SFR was upgraded to 6.7.0.3 |
|
|
FTD/ASA traceback and reload at at ../inspect/proxy.h:439 |
|
|
ASA/FTD Voltage information is missing in the command "show environment" |
|
|
ASAv high CPU and stack memory allocation errors despite over 30% free memory |
|
|
ASA/FTD traceback and reload on Thread id: 1637 |
|
|
ASA/FTD Traceback and Reload in Thread name Lina or Datatath |
|
|
Traceback and Reload while HA sync after upgrading and reloading. |
|
|
Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
|
|
9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
|
ASA Traceback and Reload on process name Lina |
|
|
ASA: SLA debugs not showing up on VTY sessions |
|
|
ASA process with cleartext token when not able to encrypt it |
|
|
NAT64 translates all IPv6 Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used |
|
|
ASA traceback and reload due to "Heap memory corrupted at slib_malloc.c |
|
|
SSL AnyConnect access blocked after upgrade |
|
|
ASA/FTD may traceback and reload while executing SCH code |
|
|
Lina Netflow sending permited events to Stealthwatch but they are block by snort afterwards |
|
|
ASA : HTTPS traffic authentication issue with Cut-through Proxy enabled |
|
|
FTD - Traceback and reload when performing IPv4 <> IPv6 NAT translations |
|
|
ASA/FTD: GTP inspection causing 9344 sized blocks leak |
|
|
ASA HA - Restore in primary not remove new interface configuration done after backup |
|
|
ASA/FTD traceback and reload when ssh using username with nopassword keyword |
|
|
ASA: 'no monitor-interface service-module' command gone after reload. |
|
|
Inbound IPSEC SA stuck inactive - many inbound SPIs for one outbound SPI in "show crypto ipsec sa" |
|
|
ASA/FTD 2100 platform traceback and reload when fragments are coalesced and sent to PDTS |
|
|
FTD - Traceback and reload on NAT IPv4<>IPv6 for UDP flow redirected over CCL link |
|
|
MPLS tagging removed by FTD |
|
|
FXOS-based Firepower platform showing 'no buffer' drops despite high values for RX ring watermarks |
|
|
ASA/FTD Cluster Split Brain due to NAT with "any" and Global IP/range matching broadcast IP |
|
|
ASA parser accepts incomplete network statement under OSPF process and is present in show run |
|
|
syslog related to failover is not outputted in FPR2140 |
|
|
IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response |
|
|
ASA fails to rekey with IPSEC ERROR: Failed to allocate an outbound hardware context |
|
|
ASA/FTD OSPFv3 does not generate messages Type 8 LSA for IPv6 |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' ip routing ndbshr |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASA HA failover triggers HTTP server restart failure and ASDM outage |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina_inotify_file_monitor_thread' |
|
|
FTD/ASA "Write Standby" enables ECDSA ciphers causing AC SSLv3 handshake failure |
|
|
ASA/FTD Traceback and reload on function "snp_cluster_trans_allocb" |
|
|
TACACS Accounting includes an incorrect IPv6 address of the client |
|
|
Call home configuration on standby device is lost after reload |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-11-32591' |
|
|
FTD - Traceback in Thread Name: DATAPATH |
|
|
FPR1120-ASA:Primary takes active role after reloading |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-0-4948' |
|
|
CGroups errors in ASA syslog after startup |
|
|
During the deployment time, device got stuck processing the config request. |
|
|
"inspect snmp" config difference between active and standby |
|
|
ASA/FTD traceback and reload caused by SNMP process failure |
|
|
Traffic on data unit gets dropped with "LU allocate xlate failed" on GCP cluster with interface NAT |
|
|
Unable to configure 'match ip address' under route-map when using object-group in access list |
|
|
ASA NAT rules are not working as expected after an upgrade to 9.18.2 |
|
|
FTD Traceback and reload when applying long capture commands from FMC UI |
|
|
ASA/FTD Traceback and reload in Threadname: IKE Daemon |
|
|
ASA traceback and reload due to null pointer in Umbrella after modifying DNS inspection policy |
|
|
FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters |
|
|
ASA 9.12(4)47 with user-statistics, will affects the "policy-server xxxx global" visibility. |
|
|
Using write standby in a user context leaves secondary firewall license status in an invalid state |
|
|
ASA using WebVPN tracebacks in Unicorn thread during memory tracking |
|
|
Unable to establish DTLSv1.2 with FIPS enabled after upgrade from 6.6.5. |
|
|
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability |
|
|
ASA/FTD tracebacks due to ctm_n5 resets |
|
|
Lina Traceback and reload when issuing 'debug menu fxos_parser 4' |
|
|
ESP rule missing in vpn-context may cause IPSec traffic drop |
|
|
traceback and reload due to tcp intercept stat in thread unicorn |
|
|
ISA3000 LACP channel member SFP port suspended after reload |
|
|
ASA/FTD may traceback and reload when clearing the configration due to "snp_clear_acl_log_flow_all" |
|
|
ifAdminStatus output is abnormal via snmp polling |
|
|
Changing the buffer size impacting logging to buffer |
|
|
FTD Traceback and reload |
|
|
ASA Custom login page is not working through webvpn after an upgrade |
|
|
ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT |
|
|
FTD traceback on Lina due to syslog component. |
|
|
ASA/FTD Cluster Traceback and Reload during node leave |
|
|
AnyConnect SAML using external browser and round robin DNS intermittently fails |
|
|
ASA might generate traceback in ikev2 process and reload |
|
|
ASA/FTD may traceback and reload in Thread Name 'ikev2_fo_event' |
|
|
ASA/FTD Traceback and Reload in Thread Name: pix_flash_config_thread |
|
|
GTP inspection drops packets for optional IE Header Length being too short |
|
|
GTP drops not always logged on buffer and syslog |
|
|
ASA/FTD traceback due to block data corruption |
|
|
ASA goes for traceback/reload with message - snmp_ma_kill_restart: vf is NULL |
|
|
FTD | Failure to join HA due to "Other unit has different set of hwidb index" |
|
|
ASA/FTD may traceback with large number of network objects deployment using distribute-list |
|
|
ASA/FTD: NAT configuration deployment failure |
|
|
ASA: Unable to connect AnyConnect Cert based Auth with "periodic-authentication certificate" enabled |
|
|
ASA/FTD High CPU in SNMP Notify Thread |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
FTD in HA traceback multiple times after adding a BGP neighbour with prefix list. |
|
|
ASA/FTD SNMP traps enqueued when no SNMP trap server configured |
|
|
With TCM enabled new ACL's are not working on ASA if non access-group command disabled twice |
|
|
Device should not move to Active state once Reboot is triggered |
|
|
standby unit using both active and standby IPs causing duplicate IP issues due to nat "any" |
|
|
Lina traceback and reload - VPN parent channel (SAL) has an invalid underlying channel |
|
|
Management access over VPN not working when custom NAT is configured |
|
|
ASA/FTD traceback and reload on thread name fover_fail_check |
|
|
Syslog 106016 is not rate-limited by default |
|
|
LINA Traceback and reload at Thread Name: ci/console |
|
|
Serviceability Enhancement - Unable to parse payload are silently drop by ASA/FTD |
|
|
ASA traceback and reload due to DNS inspection |
|
|
Deploying objects with escaped values in the description might cause all future deployments to fail |
|
|
ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread |
|
|
ASA - traceback and reload when Webvpn Portal is used |
|
|
ASA restore is not applying vlan configuration |
|
|
Unable to get polling results using snmp GET for connection rate OID’s |
|
|
ASA/FTD: Object Group Search Syslog for flows exceeding threshold |
|
|
FTD PDTS LINA RX queue can become stuck when snort send messages with 4085-4096 bytes size |
|
|
AWS: SSL decryption failing with Geneve tunnel interface |
|
|
"show tech-support" generation does not include "show inventory" when run on FTD |
|
|
FTD Lina traceback and reload in Thread Name 'IP Init Thread' |
|
|
Misleading drop reason in "show asp drop" |
|
|
Clientless Accessing Web Contents using application/octet-stream vs text/plain |
|
|
Recursive panic under lina_duart_write |
|
|
ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade |
|
|
ASA: Standby may get stuck in "Sync Config" status upon reboot when there is EEM is configured |
|
|
ASA Connections stuck in idle state when DCD is enabled |
|
|
Cisco ASA and FTD AnyConnect SSL/TLS VPN Denial of Service Vulnerability |
|
|
FPR2100: Increase in failover convergence time with ASA in Appliance mode |
|
|
AC clients fail to match DAP rules due to attribute value too large |
|
|
Packets through cascading contexts in ASA are dropped in gateway context after software upgrade |
|
|
Lina changes to support CSCwb04975 - Snort3 traceback in daq-pdts while handling FQDN based traffic |
|
|
ASA/FTD may traceback and reload in idfw fqdn hash lookup |
|
|
S2S Tunnels do not come up due to DH computation failure caused by DSID Leak |
|
|
System Crash on ICMPv6 Option Processing |
|
|
LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage |
|
|
ASA/FTD may traceback and reload in Thread Name 'telnet/ci' |
|
|
Observing some devcmd failures and checkheaps traceback when flow offload is not used. |
|
|
AWS ASAv PAYG Licensing not working in GovCloud regions. |
|
|
ASA/FTD may traceback and reload in logging_cfg processing |
|
|
Clientless VPN users are unable to download large files through the WebVPN portal |
|
|
Anyconnect users unable to connect when ASA using different authentication and authorization server |
|
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
|
ASA/FTD traceback and reload, Thread Name: rtcli async executor process |
|
|
ASA/FTD: External IDP SAML authentication fails with Bad Request message |
Resolved Bugs in Version 9.18(2)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
ASA/FTD 9344 blocks depleted due to high volume of fragmented traffic |
|
|
BGP table not removing connected route when interface goes down |
|
|
ASA traceback and reload while allocating a new block for cluster keepalive packet |
|
|
Unstable client processes may cause LINA zmqio traceback on FTD |
|
|
LINA observed traceback on thread name "snmp_client_callback_thread" |
|
|
ASA: Reload and Traceback in Thread Name: Unicorn Proxy Thread with Page fault: Address not mapped |
|
|
ISA3000 in boot loop after powercycle |
|
|
Cisco ASDM and ASA Software Client-side Arbitrary Code Execution Vulnerability |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-9-11543' |
|
|
Unable to identify dynamic rate liming mechanism & not following msg limit per/sec at syslog server. |
|
|
SNMP queries for crasLocalAddress are not returning the assigned IPs for SSL/DTLS tunnels. |
|
|
Cisco Firepower Threat Defense Software Privilege Escalation Vulnerability |
|
|
FTD: IKEv2 tunnels flaps every 24 hours and crypto archives are generated |
|
|
ASA/FTD Traceback and reload caused by Smart Call Home process sch_dispatch_to_url |
|
|
ASA DHCP server fails to bind reserved address to Linux devices |
|
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS |
|
|
FP4112|4115 Traceback & reload on Thread Name: netfs_thread_init |
|
|
ASA traceback in Thread Name: SXP CORE |
|
|
ASA unable to configure aes128-gcm@openssh.com when FIPS enabled |
|
|
ASA traceback in Thread Name: fover_parse and triggered by snmp related functions |
|
|
FW traceback in timer infra / netflow timer |
|
|
PBR not working on ASA routed mode with zone-members |
|
|
RIP is advertising all connected Anyconnect users and not matching route-map for redistribution |
|
|
FTD offloads SGT tagged packets although it should not |
|
|
ASA/FTD proxy arps any traffic when using the built-in 'any' object in translated destination |
|
|
ASA/FTD firewall may traceback and reload when tearing down IKE tunnels |
|
|
ASA HA Active/standby tracebacks seen approximately every two months. |
|
|
ASA/FTD traceback and reload due to the initiated capture from FMC |
|
|
Snmpwalk output of memory does not match show memory/show memory detail |
|
|
Lina traceback and reload during EIGRP route update processing. |
|
|
ASA: Multiple Context Mixed Mode SFR Redirection Validation |
|
|
ASA/FTD traceback and reload on NAT related function nat_policy_find_location |
|
|
We can't monitor the interface via "snmpwalk" once interface is removed from context. |
|
|
ASA/FTD traceback and reload with timer services assertion |
|
|
ASA graceful shut down when applying ACL's with forward reference feature and FIPS enabled. |
|
|
Unable to apply SSH settings to ASA version 9.16 or later |
|
|
ASA/FTD may traceback and reload in Thread Name 'ssh' |
|
|
ASA/FTD may traceback and reload in Thread Name 'None' |
|
|
Interface internal data0/0 is up/up from cli but up/down from SNMP polling |
|
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
|
ASA/FTD - Traceback in Thread Name: appAgent_subscribe_nd_thread |
|
|
ASA/FTD IPSEC debugs missing reason for change of peer address and timer delete |
|
|
ASA tracebacks after SFR was upgraded to 6.7.0.3 |
|
|
ASA traceback and reload when modifying DNS inspection policy via CSM or CLI |
|
|
FTD/ASA traceback and reload at at ../inspect/proxy.h:439 |
|
|
ASA - Restore not remove the new configuration for an interface setup after backup |
|
|
"show nat pool cluster" commands run within EEM scripts lead to traceback and reload |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-20-7695' |
|
|
ASA/FTD can not parse UPN from SAN field of user's certificate |
|
|
AC SSLVPN with Certificate Authentication and DAP failure if client's machine cert has empty subject |
|
|
ASA/FTD traceback and reload on Thread id: 1637 |
|
|
9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
|
ASA: SLA debugs not showing up on VTY sessions |
|
|
NAT64 translates all IPv6 Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used |
Resolved Bugs in Version 9.18(1)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
ASA displays cosmetic NAT warning message when making the interface config changes |
|
|
ASA: 256 byte block depletion when syslog rate is high |
|
|
Unable to configure ipv6 address/prefix to same interface and network in different context |
|
|
Management Sessions fail to connect after several weeks |
|
|
L2L VPN session bringup fails when using NULL encryption in ipsec configuration |
|
|
PKI "OCSP revocation check" failing due to sha256 request instead of sha1 |
|
|
ASA55XX: Expansion module interfaces not coming up after a software upgrade |
|
|
FTD may traceback and reload in Thread Name 'lina' |
|
|
Cluster unit in MASTER_POST_CONFIG state should transition to Disabled state after an interva |
|
|
SSL decryption not working due to single connection on multiple in-line pairs |
|
|
Unstable client processes may cause LINA zmqio traceback on FTD |
|
|
default-information originate is configured first then Stub command is not allowed for config |
|
|
High Control Plane CPU on StandBy due to dhcpp_add_ipl_stby |
|
|
ASA/FTD may traceback and reload. "c_assert_cond_terminate" in stack trace |
|
|
While implementing management tunnel a user can use open connect to bypass anyconnect. |
|
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS DoS |
|
|
NTP will not change to *(synced) status after upgrade to asa-9.15.1/9.16.1.28 from asa-9.14.3 |
|
|
Primary ASA should send GARP as soon as split-brain is detected and peer becomes cold standby |
|
|
Lina traceback and reload during block free causing FTD boot loop |
|
|
ASDM session/quota count mismatch in ASA when multiple context switchover is done from ASDM |
|
|
OSPFv2 flow missing cluster centralized "c" flag |
|
|
Low available DMA memory on ASA 9.14 at boot reduces AnyConnect sessions supported |
|
|
Statelink hello messages dropped on Standby unit due to interface ring drops on high rate traffic |
|
|
Cisco ASA and FTD Software Web Services Interface Privilege Escalation Vulnerability |
|
|
ASA show tech execution causing spike on CPU and impacting to IKEv2 sessions |
|
|
NTP sync on IPV6 will fail if the IPV4 address is not configured |
|
|
FTD Deployment failure post upgrade due to major version change on device |
|
|
FP1120 9.14.3 : temporary split brain happened after active device reboot |
|
|
Clear and show conn for inline-set is not working |
|
|
FTD Blocks Traffic with SSL Flow Error CORRUPT_MESSAGE |
|
|
Standby's sub interface mac doesn't revert to old mac with no mac-address command |
|
|
AnyConnect users with mapped group-policies take attributes from default GP under the tunnel-group |
|
|
SNMP Stopped Responding After Upgrading to Version- 9.14(2)15 |
|
|
ASA Failover Split Brain caused by delay on state transition after "failover active" command run |
|
|
Cisco Firepower Threat Defense Software Denial of Service Vulnerability |
|
|
ASA/FTD traceback and reload on IKE Daemon Thread |
|
|
ASA/FTD: remove unwanted process call from LUA |
|
|
ASA drops non DNS traffic with reason "label length 164 bytes exceeds protocol limit of 63 bytes" |
|
|
Clock drift observed between Lina and FXOS on multi-instance |
|
|
Flow Offload - Compare state values remains in error state for longer periods |
|
|
Traffic dropped by ASA configured with BVI interfaces due to asp drop type "no-adjacency" |
|
|
FTD moving UI management from FDM to FMC causes traffic to fail |
|
|
FTD SSL Decryption Traffic Latency | SSL Proxy to allow configurable/dynamic maximum TCP window size |
|
|
"Error:NAT unable to reserve ports" when using a range of ports in an object service |
|
|
Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability |
|
|
ASA: Loss of NTP sync following a reload after upgrade |
|
|
Some syslogs for AnyConnect SSL are generated in admin context instead of user context |
|
|
ASA on FPR4100 traceback and reload when running captures using ASDM |
|
|
Random FTD reloads with the traceback during deployment from FMC |
|
|
ASA NAT66 with big range as a pool don't works with IPv6 |
|
|
Traceback: Secondary firewall reloading in Threadname: fover_parse |
|
|
ASA/FTD traceback and reload due to pix_startup_thread |
|
|
Cisco FTD Bleichenbacher Attack Vulnerability |
|
|
ASA: IP Header check validation failure when GTP Header have SEQ and EXT field |
|
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DAP DoS |
|
|
SNMP OID , stop working after around one hour and a half - FTD |
|
|
Lina Traceback and Reload Due to invalid memory access while accessing Hash Table |
|
|
Memory leaks in SAML native browser processing |
|
|
Different CG-NAT port-block allocated for same source IP causing per-host PAT port block exhaustion |
|
|
FTD Service Module Failure: False alarm of "ND may have gone down" |
|
|
ASA traceback in HTTP cli EXEC code |
|
|
DHCP Offer not seen on control plane |
|
|
New access-list are not taking effect after removing non-existance ACL with objects. |
|
|
ASA/FTD Change in OGS compilation behavior causing boot loop |
|
|
Polling OID "1.3.6.1.4.1.9.9.171.1.3.2.1.2" gives negative index value of the associated tunnel |
|
|
ASA traceback and reload in Unicorn Admin Handler when change interface configuration via ASDM |
|
|
Offloaded GRE tunnels may be silently un-offloaded and punted back to CPU |
|
|
FTP inspection stops working properly after upgrading the ASA to 9.12.4.x |
|
|
ASA reload and traceback in Thread Name: PIX Garbage Collector |
|
|
Traceback and reload after enabling debug webvpn cifs 255 |
|
|
ASA: Reload and Traceback in Thread Name: Unicorn Proxy Thread with Page fault: Address not mapped |
|
|
SNMP is responding to snmpgetbulk with unexpected order of results |
|
|
Traffic keep failing on Hub when IPSec tunnel from Spoke flaps |
|
|
SNMP get command in FPR does not show interface index. |
|
|
Cisco ASA and FTD Software VPN Authorization Bypass Vulnerability |
|
|
Traceback: ASA/FTD may traceback and reload in Thread Name 'Logger' |
|
|
Multiple issues with transactional commit diagnostics |
|
|
ASA/FTD may traceback and reload in Thread Name 'IP Address Assign' |
|
|
SNMP no longer responds to polls after upgrade to 9.15.1.17 |
|
|
SSL handshake logging showing unknown session during AnyConnect TLSv1.2 Session establishment |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-4-9608' |
|
|
Lina may traceback and reload on tcpmod_proxy_handle_mixed_mode |
|
|
ASA: Jumbo sized packets are not fragmented over the L2TP tunnel |
|
|
Console has an excessive rate of warnings during policy deployment |
|
|
Mempool_DMA allocation issue / memory leakage |
|
|
ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA |
|
|
FP2140 ASA 9.16.2 HA units traceback and reload at lua_getinfo (getfuncname) |
|
|
Crash at IKEv2 from Scaled S2S+AC-DTLS+SNMP long duration test |
|
|
ASA/FTD MAC modification is seen in handling fragmented packets with INSPECT on |
|
|
CPU profile cannot be reactivated even if previously active memory tracking is disabled |
|
|
FTD/ASA: Traceback on BFD function causing unexpected reboot |
|
|
Single Pass - Traceback due to stale ifc |
|
|
ASA DHCP server fails to bind reserved address to Linux devices |
|
|
Cisco Firepower Threat Defense Software Generic Routing Encapsulation DoS Vulnerability |
|
|
ASA unable to configure aes128-gcm@openssh.com when FIPS enabled |
|
|
ASA/FTD proxy arps any traffic when using the built-in 'any' object in translated destination |
|
|
Snmpwalk output of memory does not match show memory/show memory detail |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco Secure Firewall ASA Series Documentation.
Feedback