Guest

Cisco PIX Firewall Software

Cisco PIX Security Appliance Release Notes Version 7.2(3)

  • Viewing Options

  • PDF (640.6 KB)
  • Feedback
Cisco PIX Security Appliance Release Notes Version 7.2(3)

Table Of Contents

Cisco PIX Security Appliance Release Notes Version 7.2(3)

Contents

Introduction

System Requirements

Memory Requirements

Software Requirements

Maximum Recommended Configuration File Size

Cisco VPN Software Interoperability

Cisco VPN Client Interoperability

Cisco Easy VPN Remote Interoperability

Determining the Software Version

Upgrading to a New Software Version

Supported Platforms and Feature Licenses

New Features

capture Command Enhancement

Support for ESMTP over TLS

DHCP Client

WAAS and PIX Interoperability

ASDM Banner Enhancement

Important Notes

User Upgrade Guide

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

Features not Supported

Downgrade to Previous Version

Caveats

Open Caveats - Version 7.2(3)

Resolved Caveats - Version 7.2(3)

Related Documentation

Obtaining Documentation and Submitting a Service Request


Cisco PIX Security Appliance Release Notes Version 7.2(3)


August 2007

Contents

This document includes the following sections:

Introduction

System Requirements

Supported Platforms and Feature Licenses

New Features

Important Notes

Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request

Introduction


Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.2(3).


The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability.

For more information on all of the new features, see New Features.

Additionally, the security appliance software supports Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the security appliance, ASDM accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the security appliance. Its secure, web-based design enables anytime, anywhere access to security appliances.

System Requirements

The sections that follow list the system requirements for operating a security appliance.


Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.2(3).


Memory Requirements

If you are using a PIX 515/515E running PIX Version 6.2/6.3, you need to upgrade your memory before performing an upgrade to PIX Version 7.0. PIX Version 7.0 requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. The following security appliance platforms require at least 64 MB of RAM. Table 1 lists flash memory requirements for Version 7.2(3).

Table 1 Flash Memory Requirements 

Security Appliance Model
Flash Memory Required in Version 7.2(3)

PIX 515/515E

16 MB

PIX 525

16 MB

PIX 535

16 MB


For more information on minimum memory requirements, see the "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.

Software Requirements

Version 7.2(3) requires the following:

1. The minimum software version required before performing an upgrade to PIX Version 7.2(3) is PIX Version 7.0. If you are running a PIX version prior to PIX Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can begin the upgrade to PIX Version 7.0.

To upgrade your PIX software image, go to the following website:

http://www.cisco.com/public/sw-center/index.shtml

2. For information on specific licenses supported on each model of the security appliance, go to the following website: http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html

3. If you are upgrading from a previous PIX version, save your configuration and write down your activation key and serial number. See "http://www.cisco.com/public/sw-center/index.shtml" for new installation requirements.

Maximum Recommended Configuration File Size

For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 7.2(3). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 7.2(3). If you are using ASDM, we recommend no more than a 500 KB configuration file because larger configuration files can interfere with the performance of ASDM on your workstation.

While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:

While executing commands such as the write terminal and show running-config commands

Failover (the configuration synchronization time)

During a system reload

Cisco VPN Software Interoperability

Cisco VPN Series
Interoperability Comments

Cisco IOS routers

Version 7.2(3) requires Cisco IOS Release 12.3(T)T or later running on the router when using IKE Mode Configuration on the security appliance.

Cisco VPN 3000 concentrators

Version 7.2(3) requires Cisco VPN 3000 concentrator Version 3.6 or later for correct VPN interoperability.


Cisco VPN Client Interoperability

Cisco VPN Client
Interoperability Comments

Cisco VPN client v3.x/4x

(Unified VPN client framework)

Version 7.2(3) supports the Cisco VPN client Version 3.6 or later that runs on all Microsoft Windows platforms. It also supports the Cisco VPN client Version 3.6 or later that runs on Linux, Solaris, and Macintosh platforms.


Cisco Easy VPN Remote Interoperability

Cisco Easy VPN Remote
Interoperability Comments

Cisco PIX Security Appliance Easy VPN remote v6.3

Version 7.2(3) Cisco Easy VPN server requires the Cisco PIX security appliance Version 6.3 Easy VPN remote that runs on the PIX 501 and PIX 506 platforms.

VPN 3000 Easy VPN remote v3.x/4x

Version 7.2(3) Cisco Easy VPN server requires the Version 3.6 or later of the Easy VPN remote that runs on the VPN 3002 platform.

Cisco IOS Easy VPN remote Release 12.2(16.4)T

Version 7.2(3) Cisco Easy VPN server interoperates with Cisco IOS 806 Easy VPN remote Release (16.4)T.


Determining the Software Version

Use the show version command to verify the software version installed on your security appliance. Alternatively, you can see the software version, on the Cisco ASDM home page.

Upgrading to a New Software Version

If you have a Cisco.com (CDC) login, you can obtain software from the following website:

http://www.cisco.com/public/sw-center/index.shtml


Note PIX and ASDM images must be compatible for example PIX Version 7.2(3) is compatible to ASDM Version 5.2(3). ASDM will not work with an incompatible platform version. You will get an error message and ASDM will close.


You can also use the command-line interface to download the image, see the "Downloading Software or Configuration Files to Flash Memory" section in the Cisco Security Appliance Command Line Configuration Guide.

To upgrade from Version 7.1.(x) to 7.2(3), you must perform the following steps:


Step 1 Load the new Version 7.2(3) image from the following website:

http://www.cisco.com/public/sw-center/index.shtml

Step 2 Reload the device so that it will start using the Version 7.2(3) image.

Step 3 Copy new ASDM Version 5.2(x) image from the following website:

http://www.cisco.com/public/sw-center/index.shtml

Step 4 Enter the following command; this will tell the security appliance where to find the ASDM image:

hostname(config)# asdm image flash:/ asdm file


To downgrade from Version 7.2(3) to 7.1.(x), you must perform the following steps:


Step 1 Load the earlier Version 7.1(x) image from the following website:

http://www.cisco.com/public/sw-center/index.shtml

Step 2 Reload the device so that it will be use the Version 7.1(x) image.

Step 3 Copy the ASDM Version 5.1(x) image from the following website:

http://www.cisco.com/public/sw-center/index.shtml

Step 4 Enter the following command; this will tell the security appliance where to find the ASDM image:

hostname(config)# asdm image flash:/ asdm file


Supported Platforms and Feature Licenses

This software version supports the following platforms; see the associated tables for the feature support for each model:

PIX 515/515E, Table 2

PIX 525, Table 3

PIX 535, Table 4


Note Items that are in italics are separate, optional licenses that you can replace the base license. You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the 500 WebVPN license plus the GTP/GPRS license; or all four licenses together.


Table 2 PIX 515/515E Security Appliance License Features 

PIX 515/515E
R (Restricted)
UR (Unrestricted)
FO (Failover) 1
FO-AA (Failover Active/Active) 1

Users, concurrent

Unlimited

Unlimited

Unlimited

Unlimited

Security Contexts

No support

2

Optional license: 5

2

Optional license: 5

2

Optional license: 5

IPSec Sessions

2000

2000

2000

2000

WebVPN Sessions

No support

No support

No support

No support

VPN Load Balancing

No support

No support

No support

No support

TLS Proxy for SIP and Skinny Inspection

No support

No support

No support

No support

Failover

No support

Active/Standby
Active/Active

Active/Standby

Active/Standby
Active/Active

GTP/GPRS

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

Max. VLANs

10

25

25

25

Concurrent Firewall Conns2

48 K

130 K

130 K

130 K

Max. Physical Interfaces

3

6

6

6

Encryption

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Min. RAM

64 MB

128 MB

128 MB

128 MB

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table 3 PIX 525 Security Appliance License Features 

PIX 525
R (Restricted)
UR (Unrestricted)
FO (Failover) 1
FO-AA (Failover Active/Active) 1

Users, concurrent

Unlimited

Unlimited

Unlimited

Unlimited

Security Contexts

No support

2

Optional licenses:

2

Optional licenses:

2

Optional licenses:

5

10

20

50

5

10

20

50

5

10

20

50

IPSec Sessions

2000

2000

2000

2000

WebVPN Sessions

No support

No support

No support

No support

VPN Load Balancing

No support

No support

No support

No support

TLS Proxy for SIP and Skinny Inspection

No support

No support

No support

No support

Failover

No support

Active/Standby
Active/Active

Active/Standby

Active/Standby
Active/Active

GTP/GPRS

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

Max. VLANs

25

100

100

100

Concurrent Firewall Conns2

140 K

280 K

280 K

280 K

Max. Physical Interfaces

6

10

10

10

Encryption

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Min. RAM

128 MB

256 MB

256 MB

256 MB

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


Table 4 PIX 535 Security Appliance License Features 

PIX 535
R (Restricted)
UR (Unrestricted)
FO (Failover) 1
FO-AA (Failover Active/Active) 1

Users, concurrent

Unlimited

Unlimited

Unlimited

Unlimited

Security Contexts

No support

2

Optional licenses:

2

Optional licenses:

2

Optional licenses:

5

10

20

50

5

10

20

50

5

10

20

50

IPSec Sessions

2000

2000

2000

2000

WebVPN Sessions

No support

No support

No support

No support

VPN Load Balancing

No support

No support

No support

No support

TLS Proxy for SIP and Skinny Inspection

No support

No support

No support

No support

Failover

No support

Active/Standby
Active/Active

Active/Standby

Active/Standby
Active/Active

GTP/GPRS

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

None

Optional license:
Enabled

Max. VLANs

50

150

150

150

Concurrent Firewall Conns2

250 K

500 K

500 K

500 K

Max. Physical Interfaces

8

14

14

14

Encryption

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

None

Optional licenses:

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Base (DES)

Strong (3DES/
AES)

Min. RAM

512 MB

1024 MB

1024 MB

1024 MB

1 This license can only be used in a failover pair with another unit with a UR license. Both units must be the same model.

2 The concurrent firewall connections are based on a traffic mix of 80% TCP and 20% UDP, with 1 host and 1 dynamic translation for every 4 connections.


New Features

This section lists the new features for Version 7.2(3). All new features are supported in ASDM 5.2(3).

capture Command Enhancement

The enhancement to the capture command allows the user to capture traffic and display it in real time. It also allows the user to specify command line options to filter traffic without having to configure a separate access list. This enhancement adds the [real-time] and a five-tupple [match] options.

capture <cap_name> [[real-time] [dump] [detail [trace]] [match <prot> {host <ip> | <ip> 
<mask> | any} [eq | lt | gt <port>]  {host <ip> | <ip> <mask> | any} [eq | lt | gt 
<port>]]

Support for ESMTP over TLS

This enhancement adds the configuration parameter allow-tls [action log] in the esmtp policymap. By default, this parameter is not enabled. When it is enabled, ESMTP inspection would not mask the 250-STARTTLS echo reply from the server nor the STARTTLS command from the client. After the server replies with the 220 reply code, the ESMTP inspection turns off by itself— the ESMTP traffic on that session is no longer inspected. If the allow-tls action log parameter is configured, the system log message ASA-6-108007 is generated when TLS is started on an ESMTP session.

policy-map type inspect esmtp esmtp_map 
parameters 
allow-tls [action log]

A new line for displaying counters associated with the allow-tls parameter is added to the show

service-policy inspect esmtp command. It is only present if allow-tls is configured in policy map. By default, this parameter is not enabled.

show service-policy inspect esmtp
allow-tls, count 0, log 0

This enhancement adds a new system log message for the allow-tls parameter. It indicates on an esmtp session the server has responded with a 220 reply code to the client STARTTLS command. The ESMTP inspection engine will no longer inspect the traffic on this connection.

System log Number and Format:

%ASA-6-108007: TLS started on ESMTP session between client <client-side interface-name>:<client IP address>/<client port> and server <server-side interface-name>:<server IP address>/<server port>

DHCP Client

The dhcp-client client-id interface <interface name> command forces a MAC address to be stored inside a DHCP request packet instead of the default internally generated unique string. This CLI allows the security appliance to obtain a DHCP address from the ISP with this special requirement

WAAS and PIX Interoperability

The [no] inspect waas command is added to enable WAAS inspection in the policy-map class configuration mode. This CLI is integrated into Modular Policy Framework for maximum flexibility in configuring the feature. The [no] inspect waas command can be configured under default inspection class and under a custom class-map. This inspection service is not enabled by default.

The keyword option waas is added to the show service-policy inspect command to display WAAS statistics.

show service-policy inspect waas

A new system log message is generated when WAAS optimization is detected on a connection. All L7 inspection services including IPS are bypassed on WAAS optimized connections.

System Log Number and Format:

%ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, inspection services bypassed on this connection.

A new connection flag "W" is added int he WAAS connection. The show conn detail command is updated to reflect the new flag.

ASDM Banner Enhancement

The security appliance Version 7.2(3) software supports an ASDM banner. If configured, when you start ASDM, this banner text will appear in a dialog box with the option to continue or disconnect. The Continue option dismisses the banner and completes login as usual whereas, the Disconnect option dismisses the banner and terminates the connection. This enhancement requires the customer to accept the terms of a written policy before connecting. Following is the new CLI associated with this enhancement:

banner {exec | login | motd | asdm} <text>
no banner {exec | login | motd | asdm} [<text>]
show banner [{exec | login | motd | asdm}]

clear banner

Important Notes

This section lists important notes related to Version 7.2(3).

User Upgrade Guide

Before upgrading to Version 7.2(3), read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading in Cisco PIX Software Version 7.0. This guide includes information about deprecated features and other changes in the Cisco PIX software Version 7.0. For a list of deprecated features and user upgrade information, go to the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html


Caution If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.2(3) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.2(3) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.

Readme Document for the Conduits and Outbound List Conversion Tool 1.2

The security appliance Outbound and Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and optimize the ACL feature set. ACL-based configurations provide the following benefits:

ACE insertion capability—Provides simplified system configuration and management, which allows you to add, delete or modify individual ACEs.

Outbound ACLs and time-based ACLs—Provides administrators with improved flexibility for defining access control policies by adding support for outbound ACLs and time-based ACLs.

Enabling and Disabling of ACL entries—Provides a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs without the need to remove and replace ACL entries.

Features not Supported

The PPTP feature is not supported.

Downgrade to Previous Version

To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. Use the downgrade command only if you want to downgrade to a version other than 7.x.

For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.


Caution Do not load a previous version of software if your PIX security appliance is currently running PIX Version 7.0 or later. If you load a software image from monitor mode onto a PIX security appliance that has a PIX Version 7.0 file system, unpredictable behavior may occur and is not supported. We strongly recommend that you use the downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.

Caveats

The following sections describe the caveats for the Version 7.2(3).

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.


Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


Open Caveats - Version 7.2(3)

Table 5 lists open caveats for Version 7.2(3).

Table 5 Open Caveats 

DDTS Number
Software Version 7.2(3)
 
 
Corrected
Caveat

CSCeh98117

No

Tunnel-group/ldap-login passwords in cleartext when viewed with more

CSCej04099

No

static xlate breaks management-access inside

CSCsc98412

No

PIX console accounting doesn't appear in ACS Logged-In User report

CSCse29407

No

pim accept-register list documentation issue

CSCse93941

No

add acl logging capability to vpn-filter

CSCsf25418

No

Traceback in Thread Name: tmatch compile after assert

CSCsg47023

No

L2TP Connections with Certificates to ASA Fail to Connect

CSCsg63145

No

Traceback with Thread Name: PIX Garbage Collector

CSCsg65434

No

Multiple ipsec peers : PIX/ASA stops processing the IPSEC peers list

CSCsg71579

No

Programming assertion malloc.c:3822 on secondary after failover from pri

CSCsg99492

No

SASL GSSAPI-Kerberos authentication not happening with Sunone Server

CSCsh48208

No

Directly connected network missing in route table

CSCsh78681

No

In use memory count displayed incorrectly

CSCsh91283

No

ASA/PIX: SunRPC inspect dropping packets on 7.0.6

CSCsi00074

No

Incorrect values returned by SSL VPN OIDs

CSCsi04673

No

FW may drop packets when VPN address pool overlaps with interface subnet

CSCsi32502

No

packet/byte counters are not populated for the session table of CRAS MIB

CSCsi35603

No

L2TP/IPSec sessions hanging when authenticating with EAP

CSCsi40796

No

ASA fails rekey with Checkpoint

CSCsi45911

No

ASA cpu approaches 100%, 80 byte blocks are leaked and mem>0 w/ssl str

CSCsi52176

No

TCP Normalizer Traceback in Thread Name: Dispatch Unit

CSCsi53577

No

OSPF goes DOWN after reload of VPN Peer

CSCsi68911

No

ASA may traceback when pushing rules from SolSoft - corrupted conn_set_t

CSCsi80155

No

memory leak found during batch test of malformed HTTP messages

CSCsi94163

No

PPPOE connection does not renegotiate immediatly after short disconnect

CSCsi98617

No

VPNFO: Standby stale sessions not removed

CSCsj01620

No

Type 0 Client-ID for RA clients not supported by some DHCP servers

CSCsj01643

No

IPSec VPN first auth fails when SDI SoftID is in Cleared PIN Mode

CSCsj02948

No

%ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error

CSCsj03437

No

WebVPN: RDP Icon fails after a redirect action to a Citrix Presentation

CSCsj07428

No

Idle IPSEC connections not closing out

CSCsj10151

No

Traceback in Dispatch Unit (possible double-free)

CSCsj12938

No

PIX/ASA - show ip audit count - signatures 6050 - 6053 are Informational

CSCsj18055

No

Traceroute fails through ASA if outside interface is pppoe and doing PAT

CSCsj19607

No

Traceback in Checkheaps - mem corruption PC on stride_list_node

CSCsj19904

No

Traceback in Thread Name: OSPF Router

CSCsj29444

No

VPN Client authentication fails with Novell Radius and Active Card

CSCsj32989

No

ASA traceback when running 100 user Avalanche webvpn goodput test

CSCsj42343

No

PIX 525 - bad vpif msgs are from the vpnfo module

CSCsj43076

No

Logging into standby ASA via SSH fails.

CSCsj43703

No

ASA mem leak on CRYPTO_malloc

CSCsj49481

No

WebVPN: HTTPS Page not rendered correctly while HTTP works fine

CSCsj56287

No

Traceback in Thread Name: ssh/timer

CSCsj61214

No

Lower cpu-hog syslog 711002 from Level 7 to Level 4

CSCsj66655

No

Duplicate ASP crypto table entry forwards VPN traffic using invalid SPI

CSCsj68874

No

Inspect HTTP invokes multiple times with interface service-policy

CSCsj74539

No

Traceback on Standby in Thread Name: fover_FSM_thread

CSCsj77641

No

Viewing QoS policing statistics may create traceback

CSCsj80196

No

Clientless WebVPN traffic not sent when matching crypto dynamic map ACL

CSCsj80563

No

ASA dynamic VPN match address disconnects some peers as duplicate proxy

CSCsj82413

No

QoS: class-map : match tunnel-group <tgrp-name> errors on reboot

CSCsj84640

No

Memory leak on CRYPTO_malloc

CSCsj87886

No

Failover conn replication fails while doing bidirectional NAT

CSCsj90274

No

Citrix sessions randomly disconnect

CSCsj90479

No

Traceback in Thread Name: Dispatch Unit

CSCsj92194

No

Implicit ACL 'Deny IP Any Any' Ignored on EasyVPN Client

CSCsj96159

No

Traceback when freeing a packet from TCP_MOD function

CSCsj96831

No

half-closed tcp connection behaves as an absolute timer on ASA

CSCsj97241

No

80 byte block depletion with stateful failover enabled

CSCsj98622

No

SIP: Not translate c= address if first m= has port 0 in SDP body.

CSCsj99182

No

Traceback on Standby box in Thread IPsec message handler

CSCsj99242

No

Assert: Traceback in Thread Name: Dispatch Unit

CSCsj99660

No

ASA CONSOLE TIMEOUT does not timeout

CSCsk00072

No

ASA 7.2 Firewall-MIB : no snmp object for failover lan int status

CSCsk00089

No

ASA 7.2 : Firewall-MIB : no snmp object for failover lan int status

CSCsk00589

No

Traceback in Thread Name: Dispatch Unit

CSCsk03550

No

ASA: Route injected through RRI disappear after failover

CSCsk04594

No

traceback: watchdog crash in uauth thread

CSCsk05453

No

Programming assertion while configuring http inspection policy

CSCsk06996

No

Leak in vpnfol_fragdb:vpnfol_fragdb_rebuild on standby


Resolved Caveats - Version 7.2(3)

Table 6 lists resolved caveats for Version 7.2(3).

Table 6 Resolved Caveats 

DDTS Number
Software Version 7.2(3)
 
 
Corrected
Caveat

CSCeg00330

Yes

DHCP relay: ACK in reply to INFORM may be dropped

CSCsb45561

Yes

standby instead of active keeps sending register to RP after failover

CSCsd43563

Yes

Crypto accelerator errors seen - connections failing

CSCsd51407

Yes

Dual ISP fails after failover, routing table have stale routes

CSCse14419

Yes

ASA 7.0(4) : not randomizing TCP SACK sequence numbers

CSCse21181

Yes

Decouple Passwd-Mngt checks from LDAP Authentication-Search

CSCse49440

Yes

SNMP: incorrect cpu usage sent for CISCO-PROCESS-MIB

CSCse88291

Yes

Traceback with WEBVPN user login when memory is running low.

CSCsf30571

Yes

Traceback in ssh_init

CSCsg08640

Yes

access-list damaged and frozen, clear config acl has no effect

CSCsg09071

Yes

L2TP over IPSEC disconnections syslog are always-'User requested'

CSCsg16149

Yes

data sent with Active MAC after switchover to standby

CSCsg39936

Yes

Pix/ASA: Disabling pim on subinterface causes other interface mcast fail

CSCsg43591

Yes

SCP connection to PIX fails

CSCsg52106

Yes

Embryonic value -1 under syslog and count to host = 42949672

CSCsg53120

Yes

ASA WebVPN Time-out on Database Requests

CSCsg56876

Yes

WebVPN: traceback after applying http or IM deep inspection

CSCsg60095

Yes

VPN traffic permitted by vpn-filter is denied

CSCsg61719

Yes

SNMP: Coldstart Trap is not sent

CSCsg68181

Yes

WebVpnPortForward Java applet Certificate Expired

CSCsg68186

Yes

Malformed Regex causes traceback on ASA/PIX

CSCsg69149

Yes

Policy NAT with large ACL and HA may traceback in tmatch compile thread.

CSCsg69408

Yes

Need warning when using time based ACLs with policy NAT/PAT

CSCsg70698

Yes

Session timer is not reset during WebVPN ActiveX and Java tunneling

CSCsg76777

Yes

7.2 transparent / change of behavior : ASA does not retain the src mac

CSCsg77099

Yes

WebVPN Java archives with uncompressed entries fail through rewriter

CSCsg78524

Yes

NT Authentication (NTLM) is attempted three times with a bad password

CSCsg80370

Yes

memory leak in ftp inspection causes high cpu

CSCsg81621

Yes

Cannot authenticate user on first attempt with Unite application.

CSCsg83130

Yes

Device reload with no crashinfo file

CSCsg86020

Yes

web terminal services through webvpn on ASA might not work.

CSCsg86507

Yes

Standby traceback in dispatch unit when enabling 'per-client-max' MPF

CSCsg86538

Yes

Dynamic L2L tunnel fails if the remote peer ip is changed

CSCsg86583

Yes

JavaScript rewriting of typeof followed by src

CSCsg87808

Yes

'wr mem' fails due to snmp config; Error: (Configuration line too long)

CSCsg87815

Yes

sync config with long snmp configuration causes traceback on active unit

CSCsg87891

Yes

WebVPN: Homepage is not accessible when url-entry is disabled.

CSCsg88048

Yes

WebVPN Terminal Server ActiveX control not installed when using WebVPN

CSCsg89271

Yes

PIX 7.2.1 corrupting SDP media attributes in RTSP

CSCsg90455

Yes

VPN:Traceback in Thread Name: Dispatch Unit with fragmented cTCP packets

CSCsg92979

Yes

copy ftp from firewall fails when default passive mode is used

CSCsg93050

Yes

Inspect DCERPC failure. Packet too small error

CSCsg94165

Yes

Device reload when quit (hit q) from <more> console paged display

CSCsg94167

Yes

Kerberos SASL uses the wrong name-type for TGS request

CSCsg94762

Yes

URL caching leads to invalid filter server status on PIX/ASA

CSCsg96150

Yes

dependence between sysopt connection permit-vpn and management commands

CSCsg96247

Yes

ASA traceback - RSA keypair generation SSH function calls

CSCsg96351

Yes

http regex matching fails to match http:\/\/

CSCsg96701

Yes

traceback at Thread PIM IPv4

CSCsg96891

Yes

ASA 7.2.2.1 Traceback: Unicorn Proxy Thread

CSCsg97348

Yes

FW replying to port application requests that are not active using VPN.

CSCsg99807

Yes

ICMP (type3, code4) is not sent after learning PMTU

CSCsh01646

Yes

pptp inspect does not alter Call ID in some packets

CSCsh05517

Yes

EAP state engine triggers retransmission. Clients reply terminates LCP

CSCsh05888

Yes

Standby traceback in vpnfol_thread_msg

CSCsh06232

Yes

PIX does not open RTP connections for H323 calls

CSCsh12413

Yes

FO: Syslog 111111: Memory requested from Null Chunk seen every min.

CSCsh12711

Yes

Traceback in TCP Normalizer

CSCsh14023

Yes

TACACS+ CMD Accounting packets have a Caller-ID field of 0.0.0.0

CSCsh15587

Yes

Garbage characters printed on console at end of long show cmd

CSCsh16767

Yes

WebVPN: DWA problem with sending attachments

CSCsh17164

Yes

ping command within CONTEXT causes SSH session to hang.

CSCsh18659

Yes

ASA-WebVPN: Java Applet for Cisco Unix ACS management doesn't load

CSCsh19536

Yes

VPN-FO: Sessions not cleaned up correctly on Standby

CSCsh20618

Yes

80-byte block memory leak with asn1 decoding

CSCsh21446

Yes

Req Method HEAD is dropped when proto-violation is on at inspect HTTP

CSCsh21984

Yes

When out of available URL requests, future HTTP GETs dropped silently

CSCsh22262

Yes

FTP authen fails if trailing <cr> exists in banner & aaa proxy enabled

CSCsh22531

Yes

ASA: Qos Policing only works when in input direction

CSCsh23012

Yes

data received after static pat is removed causes traceback

CSCsh23318

Yes

When a pending URL request times out the Buffered traffic is lost

CSCsh23865

Yes

Nailed Static configuration doesnt appear in config

CSCsh23910

Yes

ASDM Shows no IP & Line Down for all interfaces

CSCsh25317

Yes

TCP Norm: simultaneous close specific FIN sequence problem

CSCsh25337

Yes

LSA Flush Update from IBM mainframe running OSPF are being ignored

CSCsh26607

Yes

'inspect skinny' drops/corrupts packets with high network latency

CSCsh27267

Yes

Traceback in Thread Name: dns_process

CSCsh29038

Yes

syslog 302020 missing {in | out}bound

CSCsh29233

Yes

Device reload with no saved traceback - no crashinfo file present

CSCsh29621

Yes

new url-server requests are inserted into queue in wrong order

CSCsh30022

Yes

Traceback at IKE Receiver while applying initial config with ASDM

CSCsh32241

Yes

Block size 256 depletion causing failover issues

CSCsh33287

Yes

Users with priv 0 can get to level 15 when authen. ena. LOCAL configured

CSCsh33290

Yes

Transparent FW passes arp requests from standby, causing arp problems

CSCsh33982

Yes

(E)SMTP Multiple Content-Type headers check is wrong

CSCsh35400

Yes

Not able to login to a server through webvpn

CSCsh35548

Yes

Catalyst EEPROM in ASA5505 failed mfg testing.

CSCsh35715

Yes

ESMTP inspection drops emails with special characters in the email addr

CSCsh36387

Yes

ASA 5510 7.2.2 / traceback in Thread Name: IKE Daemon

CSCsh36559

Yes

SVC session not replicated to stdby when addr pool defined in grp policy

CSCsh37533

Yes

VPN Filter not applied to IOS EZVPN client with secondary inside address

CSCsh37755

Yes

Certificate installation fails if 2 CA certs have same issuer name

CSCsh37889

Yes

Cannot use certain Verisign certificates as from 7.1(2.5)

CSCsh38298

Yes

crashinfo file only captures 4KB of console history, lose important info

CSCsh38415

Yes

ASA5500 GE NIC flatlining on bootup when connected to Cat3750

CSCsh40829

Yes

LDAP: multiple Cisco-AV-Pair need to be enforced on vpn-session

CSCsh41155

Yes

ASA h323 inspect corrupts q931 packet

CSCsh41496

Yes

ldap-login-dn requires full path name of admin user

CSCsh42793

Yes

LDAP Authentication bypass Vulnerability

CSCsh43698

Yes

Audio and Video doesnot flow thru SIP Trunk after MOH and Resume

CSCsh44239

Yes

Tunnel might not establish with AO and OO connection types configured

CSCsh44467

Yes

Static ARP Entry Removed From the Configuration and ARP Table

CSCsh45169

Yes

ASA uses tunneled route to contact LDAP server instead of default GW

CSCsh45414

Yes

ASA Radius state machine reuses state attribute from failed auth

CSCsh46436

Yes

Radius NAS-Port-Type not sent in SSH authentication request

CSCsh47255

Yes

PIX 7.2.2 vpnfol_thread_timer traceback

CSCsh48962

Yes

Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI

CSCsh49714

Yes

Traceback inThread Name: emweb/cifs at Failover

CSCsh50277

Yes

Multiple DHCP ACKs to an INFORM message may cause 1550 block leak

CSCsh50399

Yes

Inspect FTP hold 254 MB memory after 12+ hr real world FTP test load

CSCsh50673

Yes

OSPF: redistributed default route not installed after route flap

CSCsh53246

Yes

Traceback when specifying ldap port.

CSCsh53299

Yes

routes inherited from RRI not redistributed into OSPF after failover

CSCsh53409

Yes

ASDM sessions authenticated using RADIUS have incorrect privilege level

CSCsh53603

Yes

Unable to resolve ARP entry for a directly connected host

CSCsh53681

Yes

ASA OCSP RESP CERT verification fails if response has no responder CERT

CSCsh54016

Yes

PIX 7.2.2 memory degradation

CSCsh56084

Yes

ASA CIFS over WebVPN : file created on server but write operation fails

CSCsh56439

Yes

Multicast: Crash in Thread Name: MFIB

CSCsh57791

Yes

Webvpn shows aspx file as blank pop-up page

CSCsh58003

Yes

IPCP not coming up when using 'ip address pppoe'

CSCsh58930

Yes

TFW: Static needs route for traffic

CSCsh59098

Yes

Traceback at ThreadName:Unicorn Proxy Thread(pc 0x00c5a9a4 ebp 0x0dd71cc

CSCsh60180

Yes

Traceback in snp flow bulk sync thread

CSCsh60848

Yes

Traceback in regex_nvclr() from fover_parse thread

CSCsh60896

Yes

ESMTP inspection hogging CPU

CSCsh61351

Yes

ASA DNS load balancing http redirect sends wrong ip if reverse DNS fails

CSCsh61431

Yes

VPNLB: http redirect does not work when using non-default webvpn port

CSCsh62358

Yes

CTIQBE Fixup does not work with Call Manager 4.2.1

CSCsh62362

Yes

Default for WebVPN Cache on 7.1/7.2 should be 'disabled'

CSCsh63333

Yes

Memory leak with CIFS share access via WebVPN

CSCsh65168

Yes

group policy name cannot contain spaces

CSCsh66209

Yes

Traceback at Thread Name: Dispatch Unit(Old pc 0x00218f77 ebp 0x018724a8

CSCsh66223

Yes

enhanced debug and behavior change for 'LU allocate xlate failed' syslog

CSCsh66576

Yes

L2TP: Connectivity issues with 1500 established sessions

CSCsh66814

Yes

SIP pinhole for inbound INVITE timesout before expires in outbound REGIS

CSCsh67105

Yes

ASA 7.2(2): high cpu usage with DHCP assigned IP addresses

CSCsh68174

Yes

Print warning when logging ftp-bufferwrap CLI is configured

CSCsh71039

Yes

PIX 7.2.2: L2TP client receives ip 255.255.255.255 from RADIUS server

CSCsh72961

Yes

connections matching nailed xlate never time out

CSCsh74009

Yes

Show/Clear uauth command will not work for username with spaces.

CSCsh74885

Yes

Traceback in thread accept/ssh_131071

CSCsh75977

Yes

Automatically added AAA commands break Easy VPN client after reboot

CSCsh78219

Yes

7.1.2.5 or later sw Will Not work in Fover with 7.1.1-7.1.2.4 on ASA/SSM

CSCsh78335

Yes

Webvpn - Non-standard JAR manifest digests

CSCsh80069

Yes

Traceback in Thread name: vpnfol_thread_sync

CSCsh80740

Yes

ifAdminStatus stays down when no shutdown is configured

CSCsh80889

Yes

LU allocate connection failed msg due to failed VPN flow replication

CSCsh80968

Yes

ASA traceback through memory corruption

CSCsh81111

Yes

Denial-of-Service in VPNs with password expiry

CSCsh82130

Yes

Command authorization for clear fails for priv level lower than 15

CSCsh82286

Yes

tcp transfers through firewall fail with inspect im enabled

CSCsh83148

Yes

Tcp Timestamp unexpectedly set to 0 for flows reordered by the firewall

CSCsh83925

Yes

ASA traceback in Thread Name: EAPoUDP

CSCsh84380

Yes

Traceback in Thread Name: fover_parse when reloading primary w/syst

CSCsh86334

Yes

Syslog 199002 not sent to external syslog server on bootup

CSCsh86444

Yes

VPN: TCP traffic allowed on any port with management-access enabled.

CSCsh86796

Yes

Process qos_metric_daemon hogging CPU

CSCsh89784

Yes

PIX/ASA Packet capture w/ ACL does not work for locally generated packet

CSCsh89816

Yes

ASA in transparent mode: answer-only vpn, but can still intiate VPN

CSCsh90659

Yes

Traceback: Thread Name:vpnlb_thread in standby after taking active role

CSCsh92960

Yes

broadcast flag set on dhcp request but not discover

CSCsh96805

Yes

ASA traceback in Dispatch Unit

CSCsh96817

Yes

L2TP: Can not connect more than one Vista client at the same time

CSCsh97584

Yes

video connection through ASA fails

CSCsh97976

Yes

show int ip brief shows incorrect line protocol status

CSCsh98679

Yes

ASA: WCCP packets redirected stops incrementing after 2-3 mins

CSCsh98826

Yes

WebVPN: Check CLSID in CSCO_is_java_obj

CSCsi00177

Yes

HTTP inspection does not properly support chunked transfer encoding

CSCsi01498

Yes

ESMTP inspect cannot handle content-type string in DKIM headers

CSCsi03576

Yes

Webvpn: OWA 2000 replies/forwards fail after upgrading to latest hotfix

CSCsi05471

Yes

webvpn crash with citrix

CSCsi05768

Yes

ASA: DPD thresholds over 300 are not accepted for remote access

CSCsi06469

Yes

Inactiviting then reactivating nat 0 multiple access-lists breaks nat 0

CSCsi08103

Yes

command author does not mark aaa-server dead when TACACS unavailable

CSCsi08957

Yes

SNMPv2-SMI enterprises.3076.2.1.2.26.1.2.0 not showing actual connection

CSCsi10396

Yes

ASA crashes at Thread Name: emweb/https while file uploading >1MB

CSCsi10874

Yes

Change priority of shun command

CSCsi11941

Yes

When URL filtering is enabled Streaming Media loads slowly

CSCsi12437

Yes

Traceback in Thread Name: IPsec message handler when under heavy load

CSCsi13865

Yes

SNMP in multi-mode creates message vPif_getVpif: bad vPifNum

CSCsi15805

Yes

SNMP interface counters incorrect on ASA-5505

CSCsi15853

Yes

SiteMinder SSO not sending cookie after authentication

CSCsi16248

Yes

Denial of Service in SSL VPNs

CSCsi17946

Yes

Traceback in Thread Name: accept/http while doing 'wr mem' in ASDM

CSCsi18097

Yes

Deleted SNMP command reappear after failover

CSCsi18736

Yes

IPSec RA session not replicated to standby if addr pool in group policy

CSCsi20384

Yes

ASDM: 5.2 and 6.0 does not display historic graphs for Blocks

CSCsi21160

Yes

ASA NAC revalidation timer triggers frequently under some conditions

CSCsi21431

Yes

Traceback in Thread Name: IP Address Assign

CSCsi21488

Yes

WebVPN: Traceback in Thread Name: vpnfol_thread_msg on Standby

CSCsi21595

Yes

Watch dog timeout crash due to large# of vlans cfgd on the 4GE port

CSCsi23369

Yes

VPNLB master may lose communication with cluster member

CSCsi23740

Yes

ESMTP inspect does not match content-type properly in mail headers

CSCsi24458

Yes

DHCP Client unable to obtain IP address because of Client-ID

CSCsi25877

Yes

Syslog 111008 not generated on Active when no failover active cmd issued

CSCsi27609

Yes

ASA may drop subsequent requests on INVITE dialog

CSCsi27755

Yes

ASA 7.2.2.16 Traceback in Thread Name: emweb/https

CSCsi31386

Yes

ASA OSPF router-id swap between multiple process after reboot

CSCsi34289

Yes

Traceback in Thread Name: ddns_update_process with DDNS update

CSCsi34789

Yes

ASA: Cut-Through Proxy fails over L2L tunnel with http error

CSCsi35953

Yes

Asa 7.2 webvpn session with certif cannot establish when CN contains /

CSCsi39655

Yes

SIP: Pinhole timeout for INVITE different from REGISTER expires value

CSCsi39669

Yes

Traceback in Thread Name: Dispatch Unit with app-fw

CSCsi39924

Yes

standby unit reloads when 'show access-list' is issued

CSCsi40553

Yes

Asa 7.2.2 Failover : the secondary gets a modified config from the prima

CSCsi41717

Yes

PIX/ASA Cannot Parse Large URI in SIP message

CSCsi41976

Yes

Jitter for established connection when compiling ACE's

CSCsi42073

Yes

ASA boot time around 4 hours when ACE config is very long

CSCsi42140

Yes

WebVPN: JavaScript menu is not expandable

CSCsi42338

Yes

PIX/ASA aaa authentication does not work over VPN tunnel : NT,LDAP,SDI

CSCsi43521

Yes

ASA does not include http host header in CRL request

CSCsi43722

Yes

ASA - MGCP inspection drops part of piggybacked MGCP messages

CSCsi43813

Yes

SVC clients are unable to connect to the standby after ASA failover

CSCsi44506

Yes

Traceback in Dispatch thread - softnp sending garbage to sal layer

CSCsi46292

Yes

SNMP coldstart trap not sent in failover scenario

CSCsi46497

Yes

Verisign certificate lost after ASA is reloaded.

CSCsi46950

Yes

npdisk password recovery does not work with multicontext mode

CSCsi47110

Yes

vpn-simultaneous-logins 0 denies management access to the ASA

CSCsi47957

Yes

WebVPN: Traceback in Thread Name: Unicorn Proxy Thread

CSCsi48208

Yes

assertion hdr->dispatch_last < NELTS(hdr->dispatch)

CSCsi48812

Yes

multicast: assert new_flow->conn->conn_set == NULL file snp_mcast.c

CSCsi50632

Yes

NAT: Exempt causing 5505 to crash in <nat_rule_to_cli+293 at pix/cmd/c_n

CSCsi51423

Yes

global cmd may fail using names with '-' and w/ name string overlap

CSCsi51600

Yes

Misleading prompt with radius/sdi authentication on 7.2.2

CSCsi52370

Yes

WCCP may result in 1550 block depletion & sends GRE packets >1500

CSCsi52538

Yes

wildcard mask accepted for ip local pool

CSCsi54132

Yes

Not getting syslog 302010 message

CSCsi54517

Yes

Traceroute not working using l2tp/ipsec client to the outside network

CSCsi55798

Yes

assert in webvpn functionality as CRLF not detected where expected

CSCsi56605

Yes

TCP connection opened for WebVPN on non WebVPN enabled interfaces.

CSCsi57504

Yes

Traceback in Dispatch Unit when no route for nat traffic from SSM

CSCsi58109

Yes

ASA requests username/password until next available aaa server found

CSCsi59403

Yes

Standby: Traceback Thread Name: fover_parse with fover and ifc mac cfgd

CSCsi60580

Yes

WebVPN: Incorrect rewriting of VBScript's parent.window.location.hr

CSCsi62588

Yes

Traceback in Thread Name: aaa

CSCsi63099

Yes

ASA traceback w/ Thread Name: Unicorn Proxy Thread

CSCsi67016

Yes

Traceback in Thread Name: Dispatch Unit

CSCsi68946

Yes

Inbound traffic is being dropped due to NAT-EXEMPT rpf-check

CSCsi70522

Yes

Traceback in Thread Name: Crypto CA

CSCsi72224

Yes

SSH connection allowed to be built from inside host to outside int

CSCsi73181

Yes

vpn-simultaneous-logins/access hrs controls the admin sessions SSH,ASDM

CSCsi73804

Yes

IPSec over UDP port could be 4500 as auth server pushed down attr

CSCsi74352

Yes

ESMTP blocking emails with nested MIME headers

CSCsi74710

Yes

WEBVPN: port-forwarding converts names to IP addresses

CSCsi75355

Yes

5505 WebVPN: hw accelerator errors with >1024 bit cert

CSCsi78808

Yes

Unable to convert dynamic ACL back to extended ACL

CSCsi79393

Yes

Standby ASA reloads in thread vpnfol_thread_msg

CSCsi83144

Yes

Need to mask password in debug aaa common output

CSCsi83395

Yes

show interface input hardware queue counters incorrect

CSCsi84498

Yes

Traceback in Thread Name: IKE Daemon

CSCsi85790

Yes

Traceback in Thread Name: IP Thread when configuring PPPoE

CSCsi85823

Yes

PIX/ASA 7.X should accept RIP V1 updates like 6.X

CSCsi85856

Yes

Syslog not sent when AAA server is marked as FAILED

CSCsi88508

Yes

WebVPN shows Blank Page

CSCsi89345

Yes

Failover: Standby Restart - 1550 block memory depletion

CSCsi89890

Yes

nat-exempt failed on non-outside interface

CSCsi91487

Yes

HTTP inspection evasion using Unicode encoding for HTTP-based attacks

CSCsi96469

Yes

asa 7.2.2 not using port specified in X509v3 CRL DP url

CSCsi98464

Yes

ASA injects another 'BrowserProtocol' keyword in ICA file

CSCsi99518

Yes

show asdm history does not show interface statistics

CSCsj01692

Yes

PKI: error installing Intermediate CA cert with 76 char CN

CSCsj03278

Yes

Traceback in Dispatch Unit thread (page fault)

CSCsj03706

Yes

activex or java filter suppresses the syslog message 304001

CSCsj05188

Yes

WEBVPN TSWeb fails: connect button is grayed out

CSCsj05830

Yes

Syslog 405001 reports incorrect IP when arp collision detected

CSCsj06153

Yes

TCP sessions to the box deny issue

CSCsj06868

Yes

ASA port of pix CSCsi95902 ppp freed memory access on session close

CSCsj10082

Yes

ASA - Traceback in tcp_send_pending

CSCsj10869

Yes

SNMP interface counters incorrect on PIX/ASA 7.2.2.22

CSCsj12843

Yes

SVC disconnects after idle-timeout even if traffic is passing

CSCsj16732

Yes

default-originate w/ route-map w/ acl permit host 0.0.0.0 doesn't work

CSCsj18218

Yes

ASA hangs when processing Citrix data

CSCsj19829

Yes

WebVPN: http-proxy interferes with port-forward

CSCsj20254

Yes

syslog 716046 on standby causing traceback

CSCsj20403

Yes

WebVPN: port-forward command shows up twice in the config

CSCsj20438

Yes

SSL VPN's logged off are not removed from standby sessiondb

CSCsj20942

Yes

ASA stops accetping IP from DHCP when DHCP Scope option is configured

CSCsj24810

Yes

vpn clients unable to connect due to DHCP Proxy processing

CSCsj24914

Yes

vpn-simultaneous-logins does not work when configuring PKI and no-xauth

CSCsj28634

Yes

WebVPN: BAAN ERP application with SSA Webtop fails

CSCsj31537

Yes

Interface keyword in ACL not permitting traffic

CSCsj36241

Yes

%ASA-1-111111: Invalid function called in NVGEN of 'port-forward'

CSCsj36655

Yes

ASA 5505 and 5550 continuous crash on bootup

CSCsj37564

Yes

Traceback in Thread Name: IP Thread

CSCsj38362

Yes

Traceback in Thread Name: fover_parse

CSCsj40248

Yes

ASA cifs: no error indication when file upload fails due to emweb server

CSCsj40295

Yes

Policy NAT not functioning properly after boot

CSCsj40648

Yes

Traceback in Thread Name: emweb/https

CSCsj42456

Yes

ASA 8.0: CSCOPF.CAB has expired Code Signing cert

CSCsj43454

Yes

New l2tp over ipsec sessions blocked due to AAA session limit

CSCsj44098

Yes

traceback caused by gtp inspect handling bad packets

CSCsj46729

Yes

ASA: Active and Standby unit have the same MAC address after failover

CSCsj47652

Yes

clear config all command does not remove the aaa-server config

CSCsj50691

Yes

traceback in Thread Name: Crypto CA (Old pc 0x009dcd56 ebp 0x041b7c18)

CSCsj50913

Yes

ASA : Copying file to OnStor Server via WebVPN fails.

CSCsj53102

Yes

SSH access through VPN tunnel to management interface not working

CSCsj53566

Yes

Traceback in Thread Name: Dispatch Unit continuously on upgrade to 8.0.2

CSCsj56051

Yes

AAA authorization commands LOCAL fallback broken

CSCsj56378

Yes

Traceback in Thread Name: Crypto CA with LDAP CRL query

CSCsj77560

Yes

ASA crash while CRL checking CRL_CheckCertRevocation pki_verify_certific

CSCsj77765

Yes

ASA crash at emweb/https thread

CSCsj78831

Yes

WebFO: Disconnecting clientless deletes local ACL from standby


Related Documentation

Use this document in conjunction with the Cisco PIX security appliance and Cisco VPN client Version 3.x documentation at the following websites:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html

http://www.cisco.com/en/US/products/sw/secursw/ps2308/tsd_products_support_series_home.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.


All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0705R)

© 2007 Cisco Systems, Inc.

All rights reserved.© 2006 Cisco Systems, Inc.

All rights reserved.