Guest

Cisco PIX Firewall Software

Cisco PIX Security Appliance Release Notes Version 8.0(3)

  • Viewing Options

  • PDF (324.9 KB)
  • Feedback
Cisco PIX Security Appliance Release Notes Version 8.0(3)

Table Of Contents

Cisco PIX Security Appliance Release Notes Version 8.0(3)

Contents

Introduction

System Requirements

Memory Requirements

Software Requirements

Maximum Recommended Configuration File Size

Cisco VPN Software Interoperability

Cisco VPN Client Interoperability

Cisco Easy VPN Remote Interoperability

Determining the Software Version

Upgrading to a New Software Version

New Features

IP Address Reuse Delay

WAAS and PIX Interoperability

Caveats

Open Caveats - Version 8.0(3)

Resolved Caveats - Version 8.0(3)

Related Documentation

Obtaining Documentation and Submitting a Service Request


Cisco PIX Security Appliance Release Notes Version 8.0(3)


January 6, 2010, OL-11905-04

Contents

This document includes the following sections:

Introduction

System Requirements

New Features

Caveats

Related Documentation

Obtaining Documentation and Submitting a Service Request

Introduction


Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 8.0(3).


The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability.

For more information on all the new features, see New Features.

Additionally, the adaptive security appliance software supports Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the security appliance, ASDM accelerates adaptive security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the security appliance. Its secure, web-based design enables anytime, anywhere access to security appliances.

System Requirements

The sections that follow list the system requirements for operating a security appliance.


Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 8.0(3).


Memory Requirements

If you are using a PIX 515/515E running PIX Version 6.2/6.3, you must increase your memory before upgrading to PIX Version 8.0(3). This version requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. Table 1 lists the default value for the memory that ships with each security appliance and flash memory requirements for Version 8.0(3).

Table 1 Default Memory Shipped and Flash Memory Requirements 

PIX Security Appliance Model
Default Memory (MB)
Flash Memory Required (MB)

515/515E

64

16

525

128

535

512


For more information about minimum memory requirements, see the "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading in Cisco PIX Software Version 7.0.

Software Requirements

Version 8.0(3) requires the following:

The minimum software version required before upgrading to PIX Version 8.0(3) is PIX Version 7.2. If you are running a PIX version earlier than Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can upgrade to PIX Version 7.2.

To upgrade your PIX software image, go to the following website: http://www.cisco.com/public/sw-center/index.shtml

For information on specific licenses supported on each model of the security appliance, go to the following website: http://www.cisco.com/en/US/docs/security/asa/asa80/license/license80.html

If you are upgrading from a previous PIX version, save your configuration and record your activation key and serial number. For new installation requirements, go to the following website: http://www.cisco.com/public/sw-center/index.shtml

Maximum Recommended Configuration File Size

For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 8.0(3). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 8.0(3). If you are using ASDM, we recommend no more than a 500 KB configuration file, because larger configuration files can interfere with the performance of ASDM on your workstation.

While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:

While executing commands such as the write terminal and show running-config commands

Failover (the configuration synchronization time)

During a system reload

Cisco VPN Software Interoperability

Cisco VPN Series
Interoperability Comments

Cisco IOS routers

Version 8.0(3) requires Cisco IOS Release 12.3(T)T or later running on the router when using IKE Mode Configuration on the security appliance.

Cisco VPN 3000 concentrators

Version 8.0(3) requires Cisco VPN 3000 concentrator Version 4.1 or later for correct VPN interoperability.


Cisco VPN Client Interoperability

Cisco VPN Client
Interoperability Comments

Cisco VPN client v3.x/4x

(Unified VPN client framework)

Version 8.0(3) supports the Cisco VPN client Version 5.x or later that runs on all Microsoft Windows platforms. This version also supports the Cisco VPN client Version 3.6 or later that runs on Linux, Solaris, and Macintosh platforms.


Cisco Easy VPN Remote Interoperability

Cisco Easy VPN Remote
Interoperability Comments

Cisco PIX Security Appliance Easy VPN remote V6.3

Version 8.0(3) Cisco Easy VPN server requires the Cisco PIX security appliance Version 6.3 Easy VPN remote that runs on the PIX 501 and PIX 506 platforms.

VPN 3000 Easy VPN remote V3.x/4x

Version 8.0(3) Cisco Easy VPN server requires the Version 3.6 or later of the Easy VPN remote that runs on the VPN 3002 platform.

Cisco IOS Easy VPN remote Release 12.2(16.4)T

Version 8.0(3) Cisco Easy VPN server interoperates with Cisco IOS 806 Easy VPN remote Release (16.4)T.


Determining the Software Version

Use the show version command to verify the software version installed on your security appliance. Alternatively, you can view the software version on the Cisco ASDM home page.

Upgrading to a New Software Version

If you have a Cisco.com (CDC) login, you can obtain software from the following website:

http://www.cisco.com/public/sw-center/index.shtml

If you want to upgrade from Version 7.1.(x) to 7.2(x) or downgrade from Version 7.2(x) to Version 7.1(x), you must follow the subsequent procedure, because older versions of the security appliance images do not recognize new ASDM images, and new security appliance images does not recognize old ASDM images.

You can also use the CLI to download the image. For more information, see the "Downloading Software or Configuration Files to Flash Memory" section in the Cisco Security Appliance Command Line Configuration Guide.

To upgrade from Version 7.2.(x) to Version 8.0(3), perform the following steps:


Step 1 Load the new Version 8.0(3) image from the following website:

http://www.cisco.com/public/sw-center/index.shtml

Step 2 Reload the device to upgrade to the Version 8.0(3) image.

Step 3 Copy the new ASDM Version 6.0 image from the following website:

http://www.cisco.com/public/sw-center/index.shtml

Step 4 Enter the following command to tell the security appliance where to find the ASDM image:

hostname(config)# asdm image flash:/asdmfile


To downgrade from Version 8.0(3) to 7.2.(x), perform the following steps:


Step 1 Load the earlier Version 7.2(x) image from the following website:

http://www.cisco.com/public/sw-center/index.shtml

Step 2 Reload the device to downgrade to the Version 7.2(x) image.

Step 3 Copy the earlier ASDM Version 5.2(x) image from the following website:

http://www.cisco.com/public/sw-center/index.shtml

Step 4 Enter the following command to tell the security appliance where to find the ASDM image:

hostname(config)# asdm image flash:/asdmfile


New Features

This section lists the new feature for Version 8.0(3). All new features are supported in ASDM 6.0(2).

IP Address Reuse Delay

Delays the reuse of an IP address after it has been returned to the IP address pool. Increasing the delay prevents problems the security appliance may experience when an IP address is returned to the pool and reassigned quickly.

WAAS and PIX Interoperability

The [no] inspect waas command is added to enable WAAS inspection in the policy-map class configuration mode. This CLI is integrated into Modular Policy Framework for maximum flexibility in configuring the feature. The [no] inspect waas command can be configured under a default inspection class and under a custom class-map. This inspection service is not enabled by default.

The keyword option waas is added to the show service-policy inspect command to display WAAS statistics.

show service-policy inspect waas

A new system log message is generated when WAAS optimization is detected on a connection. All L7 inspection services including IPS are bypassed on WAAS optimized connections.

System Log Number and Format:

%ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, inspection services bypassed on this connection.

A new connection flag "W" is added in the WAAS connection. The show conn detail command is updated to reflect the new flag.

Caveats

This section lists the open and resolved caveats for Version 8.0(3).

For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.


Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


Open Caveats - Version 8.0(3)

Table 2 Open Caveats 

DDTS Number
Software Version 8.0(3)
 
 
Corrected
Caveat

CSCsf25418

No

Traceback in Thread Name: tmatch compile after assert

CSCsg71579

No

Programming assertion malloc.c:3822 on secondary after failover from pri

CSCsg99492

No

SASL GSSAPI-Kerberos authentication not happening with Sunone Server

CSCsh91747

No

SSL VPN stress cause SSL lib error. Function: DO_SSL3_WRITE

CSCsj08209

No

clear ospf process causes traceback

CSCsj25672

No

1550 block leak when running multiple tls codenomicon suites.

CSCsj28099

No

ASA can hang on certain tasks if disk is corrupt.

CSCsj32989

No

ASA traceback when running 100 user Avalanche webvpn goodput test

CSCsj83081

No

traceback after clear conf filter. eip 0x00beb377.

CSCsj84640

No

Memory leak on CRYPTO_malloc

CSCsk08454

No

ASA 8.0 fails to send TACACS request over L2L tunnel

CSCsk19065

No

Excessive High CPU and packets drops when applying ACL to an interface

CSCsk21548

No

2048 byte Block depletion related to Fragmented multicast traffic

CSCsk21641

No

Traceback in Dispatch unit related to fragmented multicast traffic

CSCsk36399

No

Traceback in PIX Garbage Collector (Old pc 0x008b619d ebp 0x0261ed60)

CSCsk36703

No

Traceback in thread name IP Thread

CSCsk36952

No

Traceback in Thread: accept/http when changing DHCP config via ASDM

CSCsk37533

No

SIP: Traceback in 7.0(7) with segmented SIP packets

CSCsk38848

No

ASA crashes in Active/Standby Routed Mode causing voice failures

CSCsk40743

No

system miss ticks when cpu-hog is present

CSCsk42958

No

Traceback in thread https_proxy

CSCsk45220

No

Regex used in CLI command filtering causes device reload

CSCsk48344

No

Inspect http is not matching server response fields

CSCsk48629

No

ASA crashes with Unicorn Proxy Thread

CSCsk55665

No

reload with panic: route_process inconsistent annotation

CSCsk60581

No

Device reload when the SIP PROTOS Suite is launched

CSCsk69537

No

Traceback in Dispatch Unit during ASDM access

CSCsk70941

No

Traceback in Thread Name: Dispatch Unit

CSCsk78634

No

ASA Traceback in thread MFIB

CSCsk84529

No

Reload with Thread Name: ssh

CSCsk88517

No

ASA stops servicing WebVPN login page

CSCsk89022

No

ASA dhcp server crashed while removing dhcpd configuration.

CSCsk89600

No

Reload in Dispatch Unit thread with ESMTP inspection enabled

CSCsk89639

No

Reload with Thread Name: Checkheaps

CSCsk90689

No

telnet to the box and vpn tunnels fail due to 0-byte block depletion

CSCsk95246

No

no router rip, followed by router rip & network cause vPifnum & tracebac

CSCsk96804

No

Traceback in Thread Name: Dispatch Unit with inspect h323

CSCsk97830

No

Traceback in thread name Dispatch Unit

CSCsl01792

No

ASA traceback in Thread Name: Dispatch Unit

CSCsl02630

No

WebVPN: Traceback in Thread Name: emweb/https

CSCsl04124

No

ASA 8.0.2 - SIP call from outside w/o sound : SIP::Error - fail to NAT

CSCsl04893

No

ASA: Traceback with threadname Dispatch Unit

CSCsl04953

No

Need to add additional support for DECNET multicast in Transparent mode

CSCsl05707

No

ASA: crash when removing h323 h225 inspection

CSCsl06247

No

ASA-0-716507: Fiber scheduler has reached unreachable code causes outage

CSCsl07386

No

WebVPN: Traceback in Thread Name: vpnfol_thread_sync at failover sync

CSCsl08970

No

Downgrade from 8.0.2 to 7.2.3.5 can cause traceback

CSCsl10562

No

DAP_TRACE: Username: fatemeh, Selected DAPs: <error>

CSCsl11435

No

telnet over VPN hangs when ASA failover occurs

CSCsl11572

No

Traceback - emweb/https - Watchdog Timeout in 0x00909c3d:_vpn_put_uauth

CSCsl12010

No

flash memory corruption issues

CSCsl17136

No

ASA-PIX: H323 Video breaks with inspection enabled.

CSCsl17381

No

ASA crashes with Thread Name: CTM message handler

CSCsl18071

No

Windows Media Player can not play media file with/without L-2-L Ipsec

CSCeh98117

No

Tunnel-group/ldap-login passwords in cleartext when viewed with more

CSCsf07135

No

ASDM connection may cause packet loss

CSCsh78681

No

In use memory count displayed incorrectly

CSCsh79097

No

Syslog message displaying reason why flow is closed by ESMTP inspection

CSCsi49983

No

Periodic HW crypto errors 402123 & 402125 see with L2TP/IPSEC

CSCsi79159

No

admin connections via management-access fail

CSCsi94163

No

PPPOE connection does not renegotiate immediatly after short disconnect

CSCsj02948

No

%ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error

CSCsj07428

No

Idle IPSEC connections not closing out

CSCsj61214

No

Lower cpu-hog syslog 711002 from Level 7 to Level 4

CSCsj71788

No

Slow response when entering commands via Telnet

CSCsk00089

No

ASA 7.2 : Firewall-MIB : no snmp object for failover lan int status

CSCsk10088

No

LDAPS / LDAP over SSL suddenly stops working

CSCsk14532

No

ASA - FTP Type Mount remains inaccessible if FTP server goes offline

CSCsk14695

No

WebVPN with SDI in new pin mode does not prompt user

CSCsk18083

No

nat exemption access-list not checked for protocol or port when applied

CSCsk18084

No

cikeTunnelTable does not populate for some of the ISAKMP SA's.

CSCsk19485

No

syslog TCP_CONN_END shows Reset-O for ASA generated TCP RST

CSCsk29306

No

ASA 8.0 - Error Contacting Host error when accessing CIFS Shares

CSCsk30698

No

PIX/ASA may stop generating syslogs all together

CSCsk33310

No

PIX SIP fixup does not correctly open RTP conns using NAT 0

CSCsk34404

No

Multicontext mode: static nat overlap check not valid when no classifier

CSCsk40210

No

Auth-Proxy DACLs may become stale and impossible to delete

CSCsk42595

No

ASA:: 2 Factor Authentication with Password-Management Fails for SSL VPN

CSCsk47949

No

ASDM hangs at 47% if packet losses on the network

CSCsk47999

No

TCP session stays half-open when FIN sequence problem.

CSCsk48355

No

ISAKMP SA stuck in AM_WAIT_DELETE after ASA upgrade

CSCsk48377

No

Clear Xlate doesn't clear for a host in a static entry

CSCsk49506

No

Local-host for u-turn traffic on lowest sec level used for license limit

CSCsk50537

No

ASA Javascript error with webvpn and mail server (SUN iPlanet)

CSCsk54728

No

Citrix applications do not close automatically when Logging off WebVPN

CSCsk64428

No

High CPU when polling VPN MIBs via SNMP

CSCsk65211

No

ASA5505 inside interface w/23bit or smaller subnet mask becomes unstable

CSCsk65788

No

FO: Webvpn customization import not replicated to Standby device

CSCsk65940

No

crashinfo file corrupted, extra text appended to bottom

CSCsk71006

No

ipv6 acl don't have acl options when using MPF

CSCsk71413

No

Traceback: chunk memory corruption with caller occam_arena__get_block.

CSCsk73047

No

Crash in Thread Name: IKE Receiver

CSCsk75944

No

ASA configuration of NTP - NTP process fails to initialise

CSCsk80789

No

RTSP inspection changes Media Player version to 0.0.0.0

CSCsk84107

No

Standby uses active sub-interface ip address after enabling monitoring

CSCsk88563

No

Answers to DHCPINFORM packets use wrong destination MAC address

CSCsk89474

No

URL filtering not performed for u-turn vpn traffic

CSCsk91598

No

Sip inspection on ASA fails to NAT record-route entries in invite packet

CSCsk93067

No

no management-access Inside still allows telnet over IPSec tunnel

CSCsk94835

No

UDP SIP not being inspected by default-inspection-class

CSCsk97671

No

VPN client with NULL Encryption L2TP-IPSec behind NAT drops on 71st sec

CSCsl02675

No

ASDM>Tools> ping fails when entering hostname in IP address field

CSCsl02821

No

VPN tunnel might not reestablish after failover

CSCsl03839

No

WebVPN does not modify URLs in Sharepoint .iqy files

CSCsl04448

No

Cannot remove url-server despite having removed url-block cmd in 7.2.3

CSCsl04900

No

SIP invite fixup'd with name rather than IP address

CSCsl05751

No

Citrix with Client Detection is not working

CSCsl05777

No

Citrix Apps hanging when opening multiple Apps

CSCsl08857

No

warning message with certificate based authentication

CSCsl10052

No

new L2TP sessions are denied after %ASA-4-403103 is seen in the logs

CSCsl11321

No

ASA doesn't send coldStart trap when speed/duplex is fixed as 100/full

CSCsl14914

No

webvpn rewriter causing webpage to fail with Cisco clientless webvpn

CSCsl15013

No

DHCPrelay broken with 2 DHCPrelay servers when second one out of service

CSCsl16873

No

CSD version 3.2 installed on ASA shows some unwanted garbage characters

CSCsl17191

No

PIX/ASA PMTUD: ICMP type 3 code 4 uses wrong source interface

CSCsl18668

No

last configured dhcprelay server shows up first in configuration


Resolved Caveats - Version 8.0(3)

Table 3 Resolved Caveats 

DDTS Number
Software Version 8.0(3)
 
 
Corrected
Caveat

CSCeg00330

Yes

DHCP relay: ACK in reply to INFORM may be dropped

CSCsb45561

Yes

standby instead of active keeps sending register to RP after failover

CSCsc98412

Yes

Pix console accounting doesn't appear in ACS Logged-In User report

CSCsd51407

Yes

Dual ISP fails after failover, routing table have stale routes

CSCsd65922

Yes

webvpn acls should allow wilcard * hostnames

CSCse31519

Yes

OCSP: CRL checking of externally signed responder cert fails

CSCse99033

Yes

tracked route removed from Standby firewall after failover

CSCsf30571

Yes

Traceback in ssh_init

CSCsg16149

Yes

data sent with Active MAC after switchover to standby

CSCsg25616

Yes

ASA put PATed src port in ICMP (type3, code4)

CSCsg43591

Yes

SCP connection to PIX fails

CSCsg52106

Yes

Embryonic value -1 under syslog and count to host = 42949672

CSCsg61719

Yes

SNMP: Coldstart Trap is not sent

CSCsg78524

Yes

NT Authentication (NTLM) is attempted three times with a bad password

CSCsg93050

Yes

Inspect DCERPC failure. Packet too small error

CSCsg96150

Yes

dependence between sysopt connection permit-vpn and management commands

CSCsg96247

Yes

ASA traceback - RSA keypair generation SSH function calls

CSCsg96351

Yes

http regex matching fails to match http:\/\/

CSCsg99807

Yes

ICMP (type3, code4) is not sent after learning PMTU

CSCsh21984

Yes

When out of available URL requests, future HTTP GETs dropped silently

CSCsh22262

Yes

FTP authen fails if trailing <cr> exists in banner & aaa proxy enabled

CSCsh23012

Yes

data received after static pat is removed causes traceback

CSCsh23318

Yes

When a pending URL request times out the Buffered traffic is lost

CSCsh23865

Yes

Nailed Static configuration doesnt appear in config

CSCsh26607

Yes

'inspect skinny' drops/corrupts packets with high network latency

CSCsh32241

Yes

Block size 256 depletion causing failover issues

CSCsh33290

Yes

Transparent FW passes arp requests from standby, causing arp problems

CSCsh35715

Yes

ESMTP inspection drops emails with special characters in the email addr

CSCsh36387

Yes

ASA 5510 7.2.2 / traceback in Thread Name: IKE Daemon

CSCsh40829

Yes

LDAP: multiple Cisco-AV-Pair need to be enforced on vpn-session

CSCsh41155

Yes

ASA h323 inspect corrupts q931 packet

CSCsh41496

Yes

ldap-login-dn requires full path name of admin user

CSCsh44467

Yes

Static ARP Entry Removed From the Configuration and ARP Table

CSCsh45414

Yes

ASA Radius state machine reuses state attribute from failed auth

CSCsh46436

Yes

Radius NAS-Port-Type not sent in SSH authentication request

CSCsh48962

Yes

Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI

CSCsh53246

Yes

Traceback when specifying ldap port.

CSCsh53603

Yes

Unable to resolve ARP entry for a directly connected host

CSCsh54016

Yes

PIX 7.2.2 memory degradation

CSCsh55107

Yes

DHCP relay fails when static translation for all hosts configured

CSCsh56084

Yes

ASA CIFS over WebVPN : file created on server but write operation fails

CSCsh56439

Yes

Multicast: Crash in Thread Name: MFIB

CSCsh58003

Yes

IPCP not coming up when using 'ip address pppoe'

CSCsh59098

Yes

Traceback at ThreadName:Unicorn Proxy Thread(pc 0x00c5a9a4 ebp 0x0dd71cc

CSCsh60896

Yes

ESMTP inspection hogging CPU

CSCsh62358

Yes

CTIQBE Fixup does not work with Call Manager 4.2.1

CSCsh65168

Yes

group policy name cannot contain spaces

CSCsh66209

Yes

Traceback at Thread Name: Dispatch Unit(Old pc 0x00218f77 ebp 0x018724a8

CSCsh66576

Yes

L2TP: Connectivity issues with 1500 established sessions

CSCsh66814

Yes

SIP pinhole for inbound INVITE timesout before expires in outbound REGIS

CSCsh67105

Yes

ASA 7.2(2): high cpu usage with DHCP assigned IP addresses

CSCsh68174

Yes

Print warning when logging ftp-bufferwrap CLI is configured

CSCsh74009

Yes

Show/Clear uauth command will not work for username with spaces.

CSCsh74885

Yes

Traceback in thread accept/ssh_131071

CSCsh80968

Yes

ASA traceback through memory corruption

CSCsh81111

Yes

Denial-of-Service in VPNs with password expiry

CSCsh82130

Yes

Command authorization for clear fails for priv level lower than 15

CSCsh83148

Yes

Tcp Timestamp unexpectedly set to 0 for flows reordered by the firewall

CSCsh83925

Yes

ASA traceback in Thread Name: EAPoUDP

CSCsh86334

Yes

Syslog 199002 not sent to external syslog server on bootup

CSCsh86444

Yes

VPN: TCP traffic allowed on any port with management-access enabled.

CSCsh86796

Yes

Process qos_metric_daemon hogging CPU

CSCsh89816

Yes

ASA in transparent mode: answer-only vpn, but can still intiate VPN

CSCsh90659

Yes

Traceback: Thread Name:vpnlb_thread in standby after taking active role

CSCsh91283

Yes

Inspect SunRPC drops segmented packets

CSCsh96817

Yes

L2TP: Can not connect more than one Vista client at the same time

CSCsh97584

Yes

video connection through ASA fails

CSCsh97976

Yes

show int ip brief shows incorrect line protocol status

CSCsh98679

Yes

ASA: WCCP packets redirected stops incrementing after 2-3 mins

CSCsh98791

Yes

OCSP with CA signed responder cert failing verification check

CSCsi01498

Yes

ESMTP inspect cannot handle content-type string in DKIM headers

CSCsi03576

Yes

Webvpn: OWA 2000 replies/forwards fail after upgrading to latest hotfix

CSCsi05471

Yes

webvpn crash with citrix

CSCsi05768

Yes

ASA: DPD thresholds over 300 are not accepted for remote access

CSCsi07349

Yes

SAA/tracking traceback under specific CLI sequence

CSCsi08103

Yes

command author does not mark aaa-server dead when TACACS unavailable

CSCsi08317

Yes

PIX using Authentication Proxy and Wildcard causes Certificates error

CSCsi08957

Yes

SNMPv2-SMI enterprises.3076.2.1.2.26.1.2.0 not showing actual connection

CSCsi10396

Yes

ASA crashes at Thread Name: emweb/https while file uploading >1MB

CSCsi10466

Yes

SIP inspect fails for INVITE where display name contains string 'tel'

CSCsi11941

Yes

When URL filtering is enabled Streaming Media loads slowly

CSCsi13865

Yes

SNMP in multi-mode creates message vPif_getVpif: bad vPifNum

CSCsi15805

Yes

SNMP interface counters incorrect on ASA-5505

CSCsi17946

Yes

Traceback in Thread Name: accept/http while doing 'wr mem' in ASDM

CSCsi18097

Yes

Deleted SNMP command reappear after failover

CSCsi18736

Yes

IPSec RA session not replicated to standby if addr pool in group policy

CSCsi20384

Yes

ASDM: 5.2 and 6.0 does not display historic graphs for Blocks

CSCsi21431

Yes

Traceback in Thread Name: IP Address Assign

CSCsi21595

Yes

Watch dog timeout crash due to large# of vlans cfgd on the 4GE port

CSCsi23369

Yes

VPNLB master may lose communication with cluster member

CSCsi23740

Yes

ESMTP inspect does not match content-type properly in mail headers

CSCsi24458

Yes

DHCP Client unable to obtain IP address because of Client-ID

CSCsi27609

Yes

ASA may drop subsequent requests on INVITE dialog

CSCsi27755

Yes

ASA 7.2.2.16 Traceback in Thread Name: emweb/https

CSCsi31386

Yes

ASA OSPF router-id swap between multiple process after reboot

CSCsi34289

Yes

Traceback in Thread Name: ddns_update_process with DDNS update

CSCsi35603

Yes

L2TP/IPSec sessions hanging when authenticating with EAP

CSCsi35943

Yes

FO: WebVPN Customization/webcontent fails when Failover is initiated

CSCsi35953

Yes

Asa 7.2 webvpn session with certif cannot establish when CN contains /

CSCsi36169

Yes

WebVPN: Aware server becomes unresponsive

CSCsi39924

Yes

standby unit reloads when 'show access-list' is issued

CSCsi40553

Yes

Asa 7.2.2 Failover : the secondary gets a modified config from the prima

CSCsi41717

Yes

PIX/ASA Cannot Parse Large URI in SIP message

CSCsi41976

Yes

Jitter for established connection when compiling ACE's

CSCsi42073

Yes

ASA boot time around 4 hours when ACE config is very long

CSCsi42140

Yes

WebVPN: JavaScript menu is not expandable

CSCsi42338

Yes

PIX/ASA aaa authentication does not work over VPN tunnel : NT,LDAP,SDI

CSCsi43722

Yes

ASA - MGCP inspection drops part of piggybacked MGCP messages

CSCsi43813

Yes

SVC clients are unable to connect to the standby after ASA failover

CSCsi46292

Yes

SNMP coldstart trap not sent in failover scenario

CSCsi46497

Yes

Verisign certificate lost after ASA is reloaded.

CSCsi46950

Yes

npdisk password recovery does not work with multicontext mode

CSCsi47110

Yes

vpn-simultaneous-logins 0 denies management access to the ASA

CSCsi48208

Yes

assertion hdr->dispatch_last < NELTS(hdr->dispatch)

CSCsi51600

Yes

Misleading prompt with radius/sdi authentication on 7.2.2

CSCsi52370

Yes

WCCP may result in 1550 block depletion & sends GRE packets >1500

CSCsi53577

Yes

OSPF goes DOWN after reload of VPN Peer

CSCsi54132

Yes

Not getting syslog 302010 message

CSCsi55798

Yes

assert in webvpn functionality as CRLF not detected where expected

CSCsi56605

Yes

TCP connection opened for WebVPN on non WebVPN enabled interfaces.

CSCsi57504

Yes

Traceback in Dispatch Unit when no route for nat traffic from SSM

CSCsi58109

Yes

ASA requests username/password until next available aaa server found

CSCsi59403

Yes

Standby: Traceback Thread Name: fover_parse with fover and ifc mac cfgd

CSCsi60580

Yes

WebVPN: Incorrect rewriting of VBScript's parent.window.location.hr

CSCsi62588

Yes

Traceback in Thread Name: aaa

CSCsi63099

Yes

ASA traceback w/ Thread Name: Unicorn Proxy Thread

CSCsi65122

Yes

Overlapping static with NAT exemption causes xlate errors on standby

CSCsi68911

Yes

ASA may traceback when pushing rules from SolSoft - corrupted conn_set_t

CSCsi72224

Yes

SSH connection allowed to be built from inside host to outside int

CSCsi73181

Yes

vpn-simultaneous-logins/access hrs controls the admin sessions SSH,ASDM

CSCsi74352

Yes

ESMTP blocking emails with nested MIME headers

CSCsi78808

Yes

Unable to convert dynamic ACL back to extended ACL

CSCsi81504

Yes

RDP plug-in Connection Failed due to host name sent to ASA instead of IP

CSCsi84498

Yes

Traceback in Thread Name: IKE Daemon

CSCsi85823

Yes

PIX/ASA 7.X should accept RIP V1 updates like 6.X

CSCsi85856

Yes

Syslog not sent when AAA server is marked as FAILED

CSCsi89345

Yes

Failover: Standby Restart - 1550 block memory depletion

CSCsi96469

Yes

asa 7.2.2 not using port specified in X509v3 CRL DP url

CSCsi98464

Yes

ASA injects another 'BrowserProtocol' keyword in ICA file

CSCsi98616

Yes

The TCP connections in SVC won't survive after consecutive failovers.

CSCsj01643

Yes

IPSec VPN first auth fails when SDI SoftID is in Cleared PIN Mode

CSCsj01692

Yes

PKI: error installing Intermediate CA cert with 76 char CN

CSCsj02842

Yes

AnyConnect failed to establish:syslog 716023 even with 0 vpn sessions

CSCsj03278

Yes

Traceback in Dispatch Unit thread (page fault)

CSCsj03437

Yes

WebVPN: RDP Icon fails after a redirect action to a Citrix Presentation

CSCsj03706

Yes

activex or java filter suppresses the syslog message 304001

CSCsj05830

Yes

Syslog 405001 reports incorrect IP when arp collision detected

CSCsj06868

Yes

ASA port of pix CSCsi95902 ppp freed memory access on session close

CSCsj10082

Yes

ASA - Traceback in tcp_send_pending

CSCsj10869

Yes

SNMP interface counters incorrect on PIX/ASA 7.2.2.22

CSCsj12843

Yes

SVC disconnects after idle-timeout even if traffic is passing

CSCsj19829

Yes

WebVPN: http-proxy interferes with port-forward

CSCsj20475

Yes

WebVPN: Group-URL fails without a /

CSCsj20942

Yes

ASA stops accetping IP from DHCP when DHCP Scope option is configured

CSCsj24810

Yes

vpn clients unable to connect due to DHCP Proxy processing

CSCsj24914

Yes

vpn-simultaneous-logins does not work when configuring PKI and no-xauth

CSCsj25910

Yes

http admin access broken for if access rule matches inside network

CSCsj28634

Yes

WebVPN: BAAN ERP application with SSA Webtop fails

CSCsj31537

Yes

Interface keyword in ACL not permitting traffic

CSCsj33267

Yes

traceback in SSH/console with show runn access-list <webtype-CL-name>

CSCsj34537

Yes

ASA 8.0 show vpn-sessiondb detail remote does not show client version

CSCsj36241

Yes

%ASA-1-111111: Invalid function called in NVGEN of 'port-forward'

CSCsj36700

Yes

Assert in ctm_utils after term mon in ssh vty session

CSCsj37564

Yes

Traceback in Thread Name: IP Thread

CSCsj37760

Yes

h323 inspection does not open RTP pinholes in certain scenarios

CSCsj38269

Yes

webvpn load balancing wrong certificate is send to browser

CSCsj38362

Yes

Traceback in Thread Name: fover_parse

CSCsj40295

Yes

Policy NAT not functioning properly after boot

CSCsj40648

Yes

Traceback in Thread Name: emweb/https

CSCsj41977

Yes

cert handling inconsistent between physical and LB interfaces

CSCsj42456

Yes

ASA 8.0: CSCOPF.CAB has expired Code Signing cert

CSCsj43076

Yes

Logging into standby ASA via SSH fails.

CSCsj43454

Yes

New l2tp over ipsec sessions blocked due to AAA session limit

CSCsj44098

Yes

traceback caused by gtp inspect handling bad packets

CSCsj44460

Yes

UDP/500 not removed from global PAT pool when crypto map is applied

CSCsj46062

Yes

Inconsistent state of failover pair may exist during config sync.

CSCsj46729

Yes

ASA: Active and Standby unit have the same MAC address after failover

CSCsj47652

Yes

clear config all command does not remove the aaa-server config

CSCsj49481

Yes

WebVPN: HTTPS Page not rendered correctly while HTTP works fine

CSCsj50691

Yes

traceback in Thread Name: Crypto CA (Old pc 0x009dcd56 ebp 0x041b7c18)

CSCsj50913

Yes

ASA : Copying file to OnStor Server via WebVPN fails.

CSCsj51849

Yes

cpu-hog observed in process nic status poll thread

CSCsj52557

Yes

WebVPN: Traceback in Thread Name: emweb/https

CSCsj52581

Yes

no crypto isakmp nat-traversal inconsistent configuration after reboot

CSCsj53102

Yes

SSH access through VPN tunnel to management interface not working

CSCsj53566

Yes

Traceback in Thread Name: Dispatch Unit continuously on upgrade to 8.0.2

CSCsj56051

Yes

AAA authorization commands LOCAL fallback broken

CSCsj56378

Yes

Traceback in Thread Name: Crypto CA with LDAP CRL query

CSCsj56692

Yes

WebVPN CIFS file dates are incorrect when using Firefox 2

CSCsj59397

Yes

memory leak with sysopt connection reclassify-vpn

CSCsj60659

Yes

emweb/https traceback when portscanned on tcp/443

CSCsj62895

Yes

traceback in Crypto CA - eip crypto_pki_poll_crl+149

CSCsj63345

Yes

DAP radius.25(Class) selection attribute doesn't trigger DAP selection

CSCsj64118

Yes

WebVPN:Mozilla returns undefined for mangled document.location.port

CSCsj64247

Yes

Traceback in Thread Name: Unicorn Admin Thread

CSCsj64523

Yes

WebVPN Webtop to be fixed in 8.0.2

CSCsj64760

Yes

WebVPN: Traceback in Thread Name: Unicorn Proxy Thread

CSCsj66077

Yes

Watchdog: traceback in Thread Name: ssh

CSCsj66185

Yes

ASA: Switching primary and secondary unit can cause duplicate MAC

CSCsj66667

Yes

group-url hostname should not be case-sensitive

CSCsj66819

Yes

ASA - Citrix Client not connecting through WebVPN - SSL Error 35

CSCsj72903

Yes

Additional sanitization needed for syslog message %ASA-5-111008

CSCsj77560

Yes

ASA crash while CRL checking CRL_CheckCertRevocation pki_verify_certific

CSCsj77765

Yes

ASA crash at emweb/https thread

CSCsj78551

Yes

WebVPN - smart-tunnel doesn't enforce ACLs

CSCsj78675

Yes

HTTP host header not included in PKI requests with terminal enrollment

CSCsj78831

Yes

WebFO: Disconnecting clientless deletes local ACL from standby

CSCsj80196

Yes

Clientless WebVPN traffic not sent when matching crypto dynamic map ACL

CSCsj80563

Yes

ASA dynamic VPN match address disconnects some peers as duplicate proxy

CSCsj82370

Yes

WebVPN: OWA left pane unresponsive when trying to access the folders

CSCsj83531

Yes

Dynamic VPN phase 2 neg with ID_IPV4_ADDR_RANGE accepted as 0.0.0.0/0

CSCsj87980

Yes

Traceback in Thread Name: Checkheaps when applying ips command

CSCsj89976

Yes

WEBVPN: Traceback in Thread Session Manager

CSCsj90479

Yes

IPS and fragments cause Traceback in Thread Name: Dispatch Unit

CSCsj92194

Yes

Implicit ACL 'Deny IP Any Any' Ignored on EasyVPN Client

CSCsj93677

Yes

ASA cache not overwritten when anyconnect profile is updated

CSCsj96065

Yes

TunnelGroup not showing in DAP attributes

CSCsj96831

Yes

half-closed tcp connection behaves as an absolute timer on ASA

CSCsj97241

Yes

80 byte block depletion with stateful failover enabled

CSCsj98072

Yes

Unable to configure http access to management interface for ASDM

CSCsj98458

Yes

LDAP CRL checking failure for Cert Chain

CSCsj98622

Yes

SIP: Not translate c= address if first m= has port 0 in SDP body.

CSCsj99242

Yes

Assert: Traceback in Thread Name: Dispatch Unit

CSCsj99660

Yes

ASA CONSOLE TIMEOUT does not timeout

CSCsk00547

Yes

Traceback in ci/console when modifying cmap inspection_default

CSCsk03033

Yes

ASA, Issues with Local CA Server/Certificate Backup/Restore Procedures

CSCsk03550

Yes

ASA: Route injected through RRI disappear after failover

CSCsk05252

Yes

WebVPN: RDP Plug-in Rendering Issues..screen partially-cutoff

CSCsk05432

Yes

PKI: Default attribute for an LDAP CRL query should include a binary CRL

CSCsk05689

Yes

RDP Layout Manager Incompatible with some JDK versions

CSCsk06996

Yes

Leak in vpnfol_fragdb:vpnfol_fragdb_rebuild on standby

CSCsk08556

Yes

Frames offset incorrect in automation

CSCsk10156

Yes

VPN traffic with static PAT to outside ip address denied by outside ACL

CSCsk12859

Yes

ASA 8.0.2 Traceback under heavy loads of traffic

CSCsk14556

Yes

Local CA - Invalid user cert generated when using FTP Mount DB Store

CSCsk17475

Yes

Smart Tunnel may cause applications to crash

CSCsk19882

Yes

Memory leak in ASA due to WEBVPN compression

CSCsk25164

Yes

IPSec VPN Client Update not working for mac-> headend issue

CSCsk26830

Yes

Certificate authorization broken when using all DN fields as username

CSCsk27085

Yes

ASA 5505 switch stops forwarding arp packets to ASA

CSCsk27950

Yes

WebVPN: JNLP files are not rewritten

CSCsk28847

Yes

ASA only sends six (6) Radius IETF class 25 attributes for accounting

CSCsk28972

Yes

Traceback:Thread Name: IKE Daemon when connecting w/ certain certificate

CSCsk30589

Yes

Memory leak in snp_mp_ssl_new_conn

CSCsk30787

Yes

Syslogs 605004 and 605005 list IPs as 0.0.0.0 for ASDM connections

CSCsk31007

Yes

SIP: traceback in Thread Name: Dispatch Unit

CSCsk31129

Yes

SIP inspection breaks SIP authentication

CSCsk31414

Yes

WebVPN-CIFS: wrong error message: ...blocked for security reasons!

CSCsk33293

Yes

Traceback in IKE daemon when vlan configured under group-policy

CSCsk33563

Yes

ASA webvpn- CIFS browsing fails when using French language

CSCsk33925

Yes

WebVPN: Regression with OWA as a result of CSCsj82370

CSCsk34125

Yes

debug webvpn javascript trace user does not show up in show debug

CSCsk36854

Yes

DAP: Lua runtime error for strings embedded with double quotes

CSCsk38046

Yes

WebVPN: customization within the tunnel group

CSCsk38962

Yes

memory leak in webvpn failover

CSCsk39154

Yes

PIX/ASA dynamic l2l vpn does not work in 8.0.2.16

CSCsk39286

Yes

ASA5505:Setting Duplex causes a 5 or 6 second outage on the interface.

CSCsk41405

Yes

Traceback in Private Build: Thread Name: Unicorn Proxy Thread

CSCsk41454

Yes

Traceback in thread name: ssh

CSCsk42468

Yes

Transparent firewall allows Telnet access via outside interface

CSCsk42683

Yes

FT: Crash while FTP'ing new ASA image

CSCsk43103

Yes

Traceback in Thread Name emweb/https

CSCsk43257

Yes

ASA - AAA Authorization hang at login when authentication server is down

CSCsk45117

Yes

Traceback in webvpn_url_mangle.c

CSCsk45943

Yes

PIX: proxy-arps on all interfaces for the vpn-pool

CSCsk46821

Yes

ASDM configuration window is blank on initial connect

CSCsk48199

Yes

Traceback in Dispatch Unit thread (page fault)

CSCsk48794

Yes

CSD: SecureDesktopSpace click on clientless link goes to logon page

CSCsk49149

Yes

mem leak with inspect esmtp

CSCsk50639

Yes

WebVPN Thread Name: netfs_thread_init when browsing with cifs

CSCsk55097

Yes

WebVPN: OWA new contact functionality not working

CSCsk59029

Yes

Webvpn: terminal service client6 failed with smart tunnel when name used

CSCsk59816

Yes

Traceback in the process Crypto CA when retrieving the CRL

CSCsk60110

Yes

ASA webvpn APCF command is accepted but not seen in the config

CSCsk61945

Yes

ASA incompatible with routers using EIGRP version 3

CSCsk63982

Yes

ASA with EzVPN client does not send DHCP renew packets, tunnel flaps

CSCsk64111

Yes

Memory Leak in WebVPN Subsystem (1782 & 1856 byte segments)

CSCsk65425

Yes

failing to verify OCSP for RemoteAccess VPN - EJBCA CA infrastructure

CSCsk65863

Yes

traceback in ppp_timer_thread

CSCsk67715

Yes

During Ipsec negotiation, peer ip address is seen reversed in the debugs

CSCsk68658

Yes

ICMP (type 3 code 4) messages generated against ESP flow dropped by ASA

CSCsk68895

Yes

Traceback in thread name Dispatch Unit with IDS packet recv

CSCsk70716

Yes

ASDM issuer address changes after failover

CSCsk71135

Yes

ASA 7.2.3 - Traceback in Unicorn Proxy Thread

CSCsk73724

Yes

ASA 5505 default route via dhcp setroute goes away after link flap

CSCsk76401

Yes

set connection decrement-ttl does not work for traceroute

CSCsk77197

Yes

RDP and citrix plugins fail with java error when ACL applied in DAP

CSCsk77613

Yes

webvpn: 3 MB/day mem leak with 76288 byte frag on lightly used device

CSCsk79263

Yes

On link flap, DHCP REQUEST sent only once

CSCsk79728

Yes

ASA5550 7.2.3 crash with Dispatch Unit (Old pc 0x00223a67 ebp 0x018b1318

CSCsk81616

Yes

PIX/ASA Crashes in 'dhcp_daemon'

CSCsk83113

Yes

emweb memory accounting is incorrect.

CSCsk84808

Yes

Unable to remove WebVPN capture CLI, ERROR:Unable to get real-time

CSCsk85428

Yes

Crash in Thread name: snmp

CSCsk85441

Yes

Traceback in thread https_proxy

CSCsk86002

Yes

Memory accounting for aaa chunks is incorrect.

CSCsk87093

Yes

L2TP /EAP-TLS sessions disconnect with 734 error the first time

CSCsk93628

Yes

Packet dropped when mss-exceed is configured to allow

CSCsk95133

Yes

Traceback in Thread Unicorn Proxy related to WebVPN page rewrite

CSCsk96050

Yes

ASA - traceback in Thread Name: ssh


Related Documentation

Use this document in conjunction with the PIX firewall and Cisco VPN client Version 3.x documentation at the following websites:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html

http://www.cisco.com/en/US/products/sw/secursw/ps2308/tsd_products_support_series_home.html

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.