Cisco ASA 5500-X Series Next-Generation Firewalls

Release Notes for the Cisco ASA Series, 9.2(x)

  • Viewing Options

  • EPUB (78.7 KB)
  • MOBI (97.3 KB)
  • PDF (230.4 KB)
  • Feedback

Table of Contents

Release Notes for the Cisco ASA Series, Version 9.2(x)

Important Notes

System Requirements

New Features

New Features in Version 9.2(2.4)

New Features in Version 9.2(1)

Upgrading the Software

Open Caveats

Resolved Caveats

Resolved Caveats in Version 9.2(2.4)

Resolved Caveats in Version 9.2(1)

End-User License Agreement

Related Documentation

Obtaining Documentation and Submitting a Service Request

Release Notes for the Cisco ASA Series, Version 9.2(x)

Released: April 24, 2014

Revised: October 31, 2014

This document contains release information for Cisco ASA software Version 9.2(x). This document includes the following sections:

Important Notes

  • ASA 5505 with 256 MB DRAM—Starting in Version 8.3, the DRAM requirements for the ASA 5505 were increased to 512 MB. If you did not use the Unlimited Hosts license or the Security Plus license with failover enabled, then the ASA could continue to operate with 256 MB. As of Version 9.2 and later, all ASA 5505 licenses require 512 MB. If you only have 256 MB, the ASA image may not load into memory. See for memory requirements and upgrade information.
  • WinNT AAA server to be deprecated—In ASA Version 9.3, the WinNT AAA server will no longer be supported. If you use WinNT, you should start planning alternative server types.

System Requirements

For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility :

For VPN compatibility, see the Supported VPN Platforms, Cisco ASA 5500 Series :

New Features

Note New, changed, and deprecated syslog messages are listed in the syslog message guide.

New Features in Version 9.2(2.4)

Released: August 12, 2014

Table 1 lists the new features for ASA Version 9.2(2.4).

Note Version 9.2(2) was removed from due to build issues; please upgrade to Version 9.2(2.4) or later.


Table 1 New Features for ASA Version 9.2(2.4)

Platform Features

ASA 5585-X (all models) support for the matching ASA FirePOWER SSP hardware module.

ASA 5512-X through ASA 5555-X support for the ASA FirePOWER software module.

The ASA FirePOWER module supplies next-generation firewall services, including Next-Generation IPS (NGIPS), Application Visibility and Control (AVC), URL filtering, and Advanced Malware Protection (AMP).You can use the module in single or multiple context mode, and in routed or transparent mode.

We introduced or modified the following commands: capture interface asa_dataplane , debug sfr , hw-module module 1 reload , hw-module module 1 reset , hw-module module 1 shutdown , session do setup host ip, session do get-config, session do password-reset, session sfr, sfr, show asp table classify domain sfr , show capture , show conn , show module sfr , show service-policy, sw-module sfr .

Remote Access Features

Internet Explorer 11 browser support on Windows 8.1 and Windows 7 for clientless SSL VPN

We added support for Internet Explorer 11 with Windows 7 and Windows 8.1 for clientless SSL VPN..

We did not modify any commands.


New Features in Version 9.2(1)

Released: April 24, 2014

Table 2 lists the new features for ASA Version 9.2(1).

Note The ASA 5510, ASA 5520, ASA 5540, ASA 5550, and ASA 5580 are not supported in this release or later. ASA Version 9.1 was the final release for these models.


Table 2 New Features for ASA Version 9.2(1)

Platform Features

The Cisco Adaptive Security Virtual Appliance (ASAv) has been added as a new platform to the ASA series.

The ASAv brings full firewall functionality to virtualized environments to secure data center traffic and multi-tenant environments. The ASAv runs on VMware vSphere. You can manage and monitor the ASAv using ASDM or the CLI.

Routing Features

BGP Support

We now support the Border Gateway Protocol (BGP). BGP is an inter autonomous system routing protocol. BGP is used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISP).

We introduced the following commands : router bgp, bgp maxas-limit, bgp log-neighbor-changes, bgp transport path-mtu-discovery, bgp fast-external-fallover, bgp enforce-first-as, bgp asnotation dot, timers bgp, bgp default local-preference, bgp always-compare-med, bgp bestpath compare-routerid, bgp deterministic-med, bgp bestpath med missing-as-worst, policy-list, match as-path, match community, match metric, match tag, as-path access-list, community-list, address-family ipv4, bgp router-id, distance bgp, table-map, bgp suppress-inactive, bgp redistribute-internal, bgp scan-time, bgp nexthop, aggregate-address, neighbor, bgp inject-map, show bgp, show bgp cidr-only, show bgp all community, show bgp all neighbors, show bgp community, show bgp community-list, show bgp filter-list, show bgp injected-paths, show bgp ipv4 unicast, show bgp neighbors, show bgp paths, show bgp pending-prefixes, show bgp prefix-list, show bgp regexp, show bgp replication, show bgp rib-failure, show bgp route-map, show bgp summary, show bgp system-config, show bgp update-group, clear route network, maximum-path, network.

We modified the following commands: show route , show route summary , show running-config router , clear config router , clear route all , timers lsa arrival , timers pacing , timers throttle , redistribute bgp .

Static route for Null0 interface

Sending traffic to a Null0 interface results in dropping the packets destined to the specified network. This feature is useful in configuring Remotely Triggered Black Hole (RTBH) for BGP.

We modified the following command: route .

OSPF support for Fast Hellos

OSPF supports the Fast Hello Packets feature, resulting in a configuration that results in faster convergence in an OSPF network.

We modified the following command: ospf dead-interval

New OSPF Timers

New OSPF timers were added; old ones were deprecated.

We introduced the following commands: timers lsa arrival, timers pacing, t imers throttle.

We removed the following commands: timers spf, timers lsa-grouping-pacing

OSPF Route filtering using ACL

Route filtering using ACL is now supported.

We introduced the following command: distribute-list

OSPF Monitoring enhancements

Additional OSPF monitoring information was added.

We modified the following commands: show ospf events, show ospf rib, show ospf statistics, show ospf border-routers [detail], show ospf interface brief

OSPF redistribute BGP

OSPF redistribution feature was added.

We added the following command: redistribute bgp

EIGRP Auto- Summary

For EIGRP, the Auto-Summary field is now disabled by default.

High Availability Features

Support for cluster members at different geographical locations (inter-site) for transparent mode

You can now place cluster members at different geographical locations when using Spanned EtherChannel mode in transparent firewall mode. Inter-site clustering with spanned EtherChannels in routed firewall mode is not supported.

We did not modify any commands.

Static LACP port priority support for clustering

Some switches do not support dynamic port priority with LACP (active and standby links). You can now disable dynamic port priority to provide better compatibility with spanned EtherChannels. You should also follow these guidelines:

  • Network elements on the cluster control link path should not verify the L4 checksum. Redirected traffic over the cluster control link does not have a correct L4 checksum. Switches that verify the L4 checksum could cause traffic to be dropped.
  • Port-channel bundling downtime should not exceed the configured keepalive interval.

We introduced the following command: clacp static-port-priority .

Support for 32 active links in a spanned EtherChannel for clustering

ASA EtherChannels now support up to 16 active links. With spanned EtherChannels, that functionality is extended to support up to 32 active links across the cluster when used with two switches in a vPC and when you disable dynamic port priority. The switches must support EtherChannels with 16 active links, for example, the Cisco Nexus 7000 with with F2-Series 10 Gigabit Ethernet Module.

For switches in a VSS or vPC that support 8 active links, you can now configure 16 active links in the spanned EtherChannel (8 connected to each switch). Previously, the spanned EtherChannel only supported 8 active links and 8 standby links, even for use with a VSS/vPC.

Note If you want to use more than 8 active links in a spanned EtherChannel, you cannot also have standby links; the support for 9 to 32 active links requires you to disable cLACP dynamic port priority that allows the use of standby links.

We introduced the following command: clacp static-port-priority .

Support for 16 cluster members for the ASA 5585-X

The ASA 5585-X now supports 16-unit clusters.

We did not modify any commands.

Support for clustering with the Cisco Nexus 9300

The ASA supports clustering when connected to the Cisco Nexus 9300.

Remote Access Features

ISE Change of Authorization

The ISE Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is established. When a policy changes for a user or user group in AAA, CoA packets can be sent directly to the ASA from the ISE to reinitialize authentication and apply the new policy. An Inline Posture Enforcement Point (IPEP) is no longer required to apply access control lists (ACLs) for each VPN session established with the ASA.

When an end user requests a VPN connection the ASA authenticates the user to the ISE and receives a user ACL that provides limited access to the network. An accounting start message is sent to the ISE to register the session. Posture assessment occurs directly between the NAC agent and the ISE. This process is transparent to the ASA. The ISE sends a policy update to the ASA via a CoA “policy push.” This identifies a new user ACL that provides increased network access privileges. Additional policy evaluations may occur during the lifetime of the connection, transparent to the ASA, via subsequent CoA updates.

We introduced the following commands: dynamic-authorization, authorize-only , debug radius dynamic-authorization .

We modified the following commands: without-csd [ anyconnect ], interim-accounting-update [ periodic [ interval ]].

We removed the following commands: nac-policy , eou , nac-settings .

Improved clientless rewriter HTTP 1.1 compression handling

The rewriter has been changed so that if the client supports compressed content and the content will not be rewritten, then it will accept compressed content from the server. If the content must be rewritten and it is identified as being compressed, it will be decompressed, rewritten, and if the client supports it, recompressed.

We did not introduce or modify any commands.

OpenSSL upgrade

The version of OpenSSL on the ASA will be updated to version 1.0.1e.

Note We disabled the heartbeat option, so the ASA is not vulnerable to the Heartbleed Bug.

We did not introduce or modify any commands.

Interface Features

Support for 16 active links in an EtherChannel

You can now configure up to 16 active links in an EtherChannel. Previously, you could have 8 active links and 8 standby links. Be sure your switch can support 16 active links (for example the Cisco Nexus 7000 with with F2-Series 10 Gigabit Ethernet Module).

Note If you upgrade from an earlier ASA version, the maximum active interfaces is set to 8 for compatibility purposes (the lacp max-bundle command).

We modified the following commands: lacp max-bundle and port-channel min-bundle .

Monitoring Features

Embedded Event Manager (EEM)

The EEM feature enables you to debug problems and provides general purpose logging for troubleshooting. The EEM responds to events in the EEM system by performing actions. There are two components: events that the EEM triggers, and event manager applets that define actions. You may add multiple events to each event manager applet, which triggers it to invoke the actions that have been configured on it.

We introduced or modified the following commands: event manager applet , description , event syslog id , event none , event timer , event crashinfo , action cli command , output , show running-config event manager , event manager run , show event manager , show counters protocol eem , clear configure event manager , debug event manager , debug menu eem .

SNMP hosts, host groups, and user lists

You can now add up to 4000 hosts. The number of supported active polling destinations is 128. You can specify a network object to indicate the individual hosts that you want to add as a host group. You can associate more than one user with one host.

We introduced or modified the following commands: snmp-server host-group , snmp-server user-list , show running-config snmp-server , clear configure snmp-server .

SNMP message size

The limit on the message size that SNMP sends has been increased to 1472 bytes.


The ASA now supports the cpmCPUTotal5minRev OID.

The ASAv has been added as a new product to the SNMP sysObjectID OID and entPhysicalVendorType OID.

The CISCO-PRODUCTS-MIB and CISCO-ENTITY-VENDORTYPE-OID-MIB have been updated to support the new ASAv platform.

The CISCO-VPN-LIC-USAGE-MONITOR-MIB, a new SNMP MIB for monitoring VPN shared license usage, has been added. The OID has the following index: This new OID polls the number of active and max-session connections.

We did not introduce or modify any commands.

Administrative Features
Improved one-time password authentication

Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command.

We modified the following command: aaa authorization exec .

Auto Update Server certificate verification enabled by default

The Auto Update Server certificate verification is now enabled by default; for new configurations, you must explicitly disable certificate verification. If you are upgrading from an earlier release, and you did not enable certificate verification, then certificate verification is not enabled, and you see the following warning:

WARNING: The certificate provided by the auto-update servers will not be verified. In order to verify this certificate please use the verify-certificate option.

The configuration will be migrated to explicitly configure no verification:

auto-update server no-verification

We modified the following command: auto-update server [ verify-certificate | no-verification ].


Open Caveats

Table 3 contains open caveats in the latest maintenance release.

If you are running an older release, and you need to determine the open caveats for your release, then add the caveats in these sections to the resolved caveats from later releases. For example, if you are running Version 9.2(1), then you need to add the caveats in this section to the resolved caveats from 9.2(2.4) and higher to determine the complete list of open caveats.

If you are a registered user, view more information about each caveat using the Bug Search at the following website:


Table 3 Open Caveats in ASA Version 9.2



Arsenal:twice NAT with service type ftp not working.


Smart Tunnel support for IE11 with Enhanced Protection Mode on Win8.1


Jumbo-frame reservation not getting enabled due to insufficient memory


Traceback in DATAPATH-0-1275


Traceback in fover_health_monitoring_thread after CX crashes


ASA configured with BGP drop packets with reason unexpected packet


921 crashed while downgrade test from


athens/fcs_throttle:ASAv-1 AnyConnect TLS Throughput Degraded ~3 %


Show memory app-cache command shows incorrect bytes if more than 2^32


ASA: Increased processor temperature after upgrade


PPPoE with static IP address deny packets after reload ASA

Resolved Caveats

Resolved Caveats in Version 9.2(2.4)

Table 4 contains resolved caveats in ASA Version 9.2(2.4).

If you are a registered user, view more information about each caveat using Bug Search at the following website:


Table 4 Resolved Caveats in ASA Version 9.2(2.4)



Double auth not triggered if using secondary-aaa-server per interface


ASA: Crash when out of stack memory with call-home configured


Asa 5580-20: object-group-search access-control causes failover problem


ASA5500-x: "speed nonegotiate" command not available for fiber interface


DNS: Inspection drops non PTR queries


Need Syslog containing assigned IP address for AnyConnect IKEv2


ASA 9.1.2 DHCP - Wireless Apple devices are not getting an IP via DHCPD


ASA: Last packet in PCAP capture file not readable


ASA 8.4.6 MAC Address flapping with Port-Channels and IPv6


ASA 5505 SIP packets may have extra padding one egress of 5505


ASA Transparent mode doesn't pass DHCP discover message


WEBVPN IE 11: CIFS bookmarks showing with unicode


ASA - DHCP Discover Sent out during boot process


ASA5585-SSP60 Teardown process is delayed under heavy traffic condition


ASA Backup scansafe tower is never polled


ASA: Watchdog traceback in Unicorn Admin Handler with TopN host stats


Traceback in Thread: IPsec message handler with rip-tlog_event_allocate


SunRPC GETPORT Reply dropped when two active sessions use same xid


Sourcefire Defense Center not able to be rendered via Clientless SSL VPN


ASA Traceback in DATAPATH-1-1400 with error message shrlock_join_domain


ASA-IC-6GE-SFP-C SFP port doesn't come up


AnyConnect Password Management Fails with SMS Passcode


When long line is entered on cli, all chars > 510 silentl y discarded


ASA IPSec - DNS reply for RA client dropped when LZS compression enabled


Hash calculated for multiple ACEs on ASA are same


ASA: Traceback in thread Name: DATAPATH-1-2581


ASA Tears Down Connections With Reason of 'snp_drop_none'


ASA cut a part of credential data during cut-thru proxy authentication


Cisco ASA DHCPv6 Denial of Service Vulnerability


ASDM interface graph showing bogus values in S/W and H/W output queue


IDM/IME/File Transfer Slow For Certain Source and Destination IP Pairs


Posture assement failing after HS upgrade to 3.1.05152


Cisco ASA Information Disclosure Vulnerability


Packet-tracer showing incorrect result for certain NAT configurations


Nameif command not allowed on TFW multimode ASA with clustering


'ASA modifies Request Host Part under 'ACK' packet for SIP connection'


ASA 5505 u-turned/hairpinned conn counts toward license local-host limit


High CPU with IKE daemon Process


ASA drops packet due to nat-no-xlate-to-pat-pool after removing NAT rule


ASA 8.4.6: Traceback with fover_FSM_thread


Saleen copper module port speed/duplex changes ineffective


To the box traffic dropped due to vpn load-balancing (mis)configuration


SNMP: cpmCPUTotal5sec/1min/5min return "0"


VPN client firewall and split-tunneling mishandle "inactive" acl rules


Clientless scrollbar on right hand side of the screen doesn't render


ASA 9.1 DMA Memory exhaustion in 240 binsize


ASA traceback in webvpn datapath


VPN-filter ACL drops all traffic after upgrade for pre 8.3 to 9.x


IPsec transform sets mode changes from transport to tunnel after editing


CSCub92315 fix is incomplete


Interop: relax PrintableString encoding enforcement in PKI


ASA - Cut Through Proxy sends empty redirect w/ Virtual HTTP and Telnet


ASA SIP Inspect:'From: header' in the INVITE not NATed for outbound flow


ASA: Traceback in Thread Name: Dispatch Unit when enable debug ppp int


ASA SSLVPN OWA 2007: Unable to attach files >= 1 MB with KCD enabled


Traceback on DATAPATH-7-1524 Generating Botnet Filter Syslog


ASA WebVPN Rewriter: CSCOGet_location Improperly Pulls Full Web Address


Traceback with thread DATAPATH-2-1181


object nat config getting deleted after reloaded with vpdn config


Traceback DHCP 'IP Address Assign' while upgrading ASAs in Failover


ASA traceback (Page fault) during xlate replication in a failover setup


ASA does not relay BOOTP packets


ASA with SFP+4GE-SSM sends flow-control packets at line rate


Multicast - ASA doesn't populate mroutes after failover


CWS: Large downloads on HTTPS fail when server side seq number wraps


ASA: HTTP function failing over WebVPN


WebVPN capture causes conflict with other capture types


ASA IKEv2 "Duplicate entry in tunnel manager" (post 9.1.5)


ASA: Webvpn using incorrect password for auto-signon with Radius/OTP


ASA doesn't send invalid SPI notify for non-existent NAT-T IPSec SA


ASA 9.1.(3)4 Memory Leak in KCD


ASA Rewriter does not support encoded values for characters like " ' "


WebVPN: Javascript rewrite issue with Secret Server Application


ASA 9.x Management Port-Channel Cannot configure management-only in TFW


Firewall may crash while clearing the configuration


Traceback when using IDFW ACL's with VPN VPN Filters


5585-20 9.2.1 Traceback in Thread Name: DATAPATH-1-1567


CIFS drag & drop not working with remote file explorer over webvpn


ASA NAT: Some NAT removed after upgrade from to 9.x


Giaddr to be set to the address of interface facing the client.


ASA allows to empty an access-list referenced elsewhere


Windriver: Traceback during AnyConnect IPv6 TLS TPS Test


ASA AnyConnect failure or crash in SSL Client compression with low mem


Standby ASA traceback on Fover_Parse with Botnet Filter


show vpn load-balancing shows Public addr as Cluster IP addr for Master


Inconsistencies seen while sending warmstart trap on reload


Failover Standby unit has higher memory utilization




Snmp-server hosts entries are lost when upgrading from 9.1(4) to 9.1(5)


ASA WebVPN: Script error when using port-forwarding


9.0(4)5 - Unable to access internal site via clientless SSLVPN


ASA SSLVPN Java plugins fail through proxy with Connection Exception


ASA WebVPN Rewriter: Custom HTTP Headers Not Properly Rewritten


L2TP/IPsec fragmentation change causing ICMP-PMTU being sent


show webvpn kcd Error code 2 (ERROR_FILE_NOT_FOUND)


ASA: Webvpn Clientless - certificate authentication fails intermittently


ASA - Traceback in thread name: sch_prompt anonymous reporting


ASA traceback in Thread Name : Checkheaps when snmp config is cleared


IKEv2 DPD is sent at an interval not correlating to the specified value


Jumbo frame calculations are incorrect or hard coded


TCP intercept does not work after embryonic connection ends


ASA Panic: CP Processing - ERROR: shrlock_join_domain


ASA EIGRP does not reset hold time after receiving update


ASA doesn't apply vpn-filter if group policy is assigned by Cisco VSA 25


WebVPN Problem- icons missing, buttons not working


SNMP: Unable to verify presence of second power supply in ASA 5545


ASA Traceback in Thread name: ci/console while modifying an object-group


ASA: Page fault traceback in DATAPATH when DNS inspection is enabled


ASA - Wrong object-group migration during upgrade from 8.2


ASA - Permitting/blocking traffic based on wrong IPs in ACL


No syslogs for ASDM or clientless access with blank username/password


WebVPN: uploading customized portal.css breaks the portal login page


ASA rewrites incorrect content-length in SIP message

Resolved Caveats in Version 9.2(1)

Table 5 contains resolved caveats in ASA Version 9.2(1).

If you are a registered user, view more information about each caveat using Bug Search at the following website:


Table 5 Resolved Caveats in ASA Version 9.2(1)



ASA SSLVPN/DTLS: Copy inner packet TOS field to outer header


Local CA rollover: reloading ASA deletes original CA cert before expiry


wr mem all produces traceback on console


ASA:Difference in replication result of initial sync and boot sequence


SNMP: OID( inadvertently added


ASA doesn't RST conn for same sec-level int (resetoutbound/inbound only)


vpn load-balancing configuration exits sub-command menu unexpectedly


ASA Page Fault Traceback in 'vpnfol_thread_msg' Thread


ASA IGMP receiver-specific filter blocks all multicast receivers


ASA TCP Proxy can corrupt data, cause ACK storms and session hangs


URLF: Websense v4 message length calculation is incorrect by 2 bytes


ASA: Auth failures for SNMPv3 polling after unit rejoins cluster


Problem configuring QOS priority with user-statistic on same policy-map


ASA 9.1.x should accept RIP V1 updates


ASA 5585 cluster indicating SSM card down but no SSM module

End-User License Agreement

For information on the end-user license agreement, go to:

Related Documentation

For additional information on the ASA, see Navigating the Cisco ASA Series Documentation :

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: .

Subscribe to What’s New in Cisco Product Documentation , which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.