Cisco ASA 5500 Series Release Notes Version 8.0(3)

January 2008

Contents

This document includes the following sections:

Introduction

System Requirements

New Features

Important Notes

Caveats

End-User License Agreement

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines

Introduction

This version supports the following products:

Cisco ASA 5500 series adaptive security appliance, Version 8.0(3)

ASDM, Version 6.0(3)

Cisco AnyConnect VPN client, Version 2.1

Cisco Secure Desktop, Version 3.2(1)

Cisco Intrusion Prevention System, Version 6.0

Cisco ASA 5500 Series Adaptive Security Appliance

The Cisco ASA 5500 series adaptive security appliances are purpose-built solutions that combine the most effective security and VPN services with the innovative Cisco Adaptive Identification and Mitigation (AIM) architecture.

Designed as a key component of the Cisco Self-Defending Network, the adaptive security appliance provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. The result is a powerful multifunction network adaptive security appliance family that provides the security breadth and depth for protecting small and medium-sized business and enterprise networks while reducing the overall deployment and operations costs and complexities associated with providing this new level of security.

For more information on all of the new features, see New Features.

Additionally, the adaptive security appliance software supports Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the adaptive security appliance, ASDM accelerates adaptive security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the adaptive security appliance. Its secure, web-based design enables anytime, anywhere access to adaptive security appliances. For more information on ASDM, see the Cisco ASDM Release Notes Version 6.0(3).

Cisco AnyConnect VPN Client

The Cisco AnyConnect VPN client is also supported in this version. It works with the adaptive security appliance to connect remote users running Microsoft Windows Vista, Windows XP, Windows 2000, Linux, or Macintosh OS X with the benefits of a Cisco SSL VPN client, and supports applications and functions unavailable to a clientless, browser-based SSL VPN connection. For more information, see the Release Notes for Cisco AnyConnect VPN Client, Version 2.0.

Cisco Intrusion Prevention System

IPS is also supported in this version. For more information, go to the following URL:

www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html

System Requirements

The sections that follow list the system requirements for operating an adaptive security appliance. This section includes the following topics:

Memory Requirements

Operating System and Browser Requirements

Determining the Software Version

Upgrading to a New Software Version

Memory Requirements

Table 1 lists the DRAM memory requirements for the adaptive security appliance. The memory listed in this table is the default value that ships with each adaptive security appliance.

Table 1 DRAM Memory Requirements

ASA Model    Default DRAM Memory (MB)
5505         256
5510         256
5520         512
5540         1024
5550         4096


All adaptive security appliances require a minimum of 64 MB of internal CompactFlash, and they all ship with a minimum of 128 MB of internal CompactFlash.

If your adaptive security appliance has only 64 MB of internal CompactFlash, you should not store multiple system images, or multiple images of the new AnyConnect VPN client components, client/server plugins, or Cisco Secure Desktop.

We recommend that you purchase a 256 MB or 512 MB CompactFlash upgrade from Cisco, choosing from the following part numbers:

ASA5500-CF-256 MB = ASA 5500 Series CompactFlash, 256 MB

ASA5500-CF-512 MB = ASA 5500 Series CompactFlash, 512 MB

You can check the size of internal flash and the amount of free flash memory on the adaptive security appliance by doing the following:

ASDM—Click Tools > File Management. The amounts of total and available flash memory appear on the bottom left in the pane.

CLI—In Privileged EXEC mode, enter the dir command. The amounts of total and available flash memory appear on the bottom of the output.

For example:

hostname # dir
Directory of disk0:/

2      drwx  4096        11:22:00 Dec 01 2006  csco_config
43     -rwx  14358528    08:46:02 Feb 19 2007  cdisk.bin
44     -rwx  4634        14:32:48 Sep 17 2004  first-backup
45     -rwx  4096        09:55:02 Sep 21 2004  fsck-2451
46     -rwx  4096        09:55:02 Sep 21 2004  fsck-2505
47     -rwx  774         10:48:04 Nov 21 2006  profile.tmpl
48     -rwx  406963      12:45:34 Feb 06 2007  svc
3      drwx  8192        03:35:24 Feb 02 2007  log
49     drwx  4096        07:10:54 Aug 09 2006  1
50     -rwx  21601       14:20:40 Dec 17 2004  tftp
51     -rwx  17489       06:36:40 Dec 06 2006  custom.xml
136    -rwx  12456368    10:25:08 Feb 20 2007  asdmfile
53     -rwx  20498       13:04:54 Feb 12 2007  tomm_english
54     drwx  4096        14:18:56 Jan 14 2007  sdesktop
56     -rwx  14358528    08:32:30 Feb 19 2007  asa800-215-k8.bin
57     -rwx  10971       09:38:54 Apr 20 2006  cli.lua
58     -rwx  6342320     08:44:54 Feb 19 2007  asdm-600110.bin
59     -rwx  0           04:38:52 Feb 12 2007  LOCAL-CA-SERVER.udb
60     -rwx  322         15:47:42 Nov 29 2006  tmpAsdmCustomization1848612400
8      -rwx  65111       10:27:48 Feb 20 2007  tomm_backup.cfg
61     -rwx  416354      11:50:58 Feb 07 2007  sslclient-win-1.1.3.173.pkg
62     -rwx  23689       08:48:04 Jan 30 2007  asa1_backup.cfg
63     -rwx  45106       07:19:18 Feb 12 2007  securedesktop_asa_3_2_0_54.pkg
64     -rwx  224         01:22:44 Oct 02 2006  LOCAL-CA-SERVER.crl
65     drwx  4096        12:37:24 Feb 20 2007  LOCAL-CA-SERVER
66     -rwx  425         11:45:52 Dec 05 2006  anyconnect
67     -rwx  1555        10:18:04 Sep 29 2006  LOCAL-CA-SERVER_00001.p12
68     -rwx  0           12:33:54 Oct 01 2006  LOCAL-CA-SERVER.cdb
69     -rwx  3384309     07:21:46 Feb 12 2007  securedesktop_asa_3_2_0_57.pkg
70     -rwx  774         05:57:48 Nov 22 2006  cvcprofile.xml
71     -rwx  338         15:48:40 Nov 29 2006  tmpAsdmCustomization430406526
72     -rwx  32          09:35:40 Dec 08 2006  LOCAL-CA-SERVER.ser
73     -rwx  2205678     07:19:22 Jan 05 2007  vpn-win32-Release-2.0.0156-k9.pkg
74     -rwx  3380111     11:39:36 Feb 12 2007  securedesktop_asa_3_2_0_56.pkg

62881792 bytes total (3854336 bytes free)

hostname #
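The free-space check described above can be automated before an upgrade. The following Python is an added example, not part of the Cisco release notes: it parses "dir" output, reports whether a new image fits in free flash, and lists the multiple images that the 64 MB guidance warns about. The listing is a constructed excerpt in the layout shown above, and the name patterns used to classify files are assumptions based on the file names in that listing.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the "dir" listing shown above:
# index, permissions, size in bytes, time, date, name, then the summary line.
SAMPLE_DIR_OUTPUT = """\
Directory of disk0:/

43     -rwx  14358528    08:46:02 Feb 19 2007  cdisk.bin
136    -rwx  12456368    10:25:08 Feb 20 2007  asdmfile
54     drwx  4096        14:18:56 Jan 14 2007  sdesktop
56     -rwx  14358528    08:32:30 Feb 19 2007  asa800-215-k8.bin
58     -rwx  6342320     08:44:54 Feb 19 2007  asdm-600110.bin
63     -rwx  45106       07:19:18 Feb 12 2007  securedesktop_asa_3_2_0_54.pkg
69     -rwx  3384309     07:21:46 Feb 12 2007  securedesktop_asa_3_2_0_57.pkg
74     -rwx  3380111     11:39:36 Feb 12 2007  securedesktop_asa_3_2_0_56.pkg

62881792 bytes total (3854336 bytes free)
"""

ENTRY_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<perm>[d-][rwx-]{3})\s+(?P<size>\d+)\s+"
    r"\d{2}:\d{2}:\d{2}\s+\w{3}\s+\d{2}\s+\d{4}\s+(?P<name>\S+)\s*$"
)
SUMMARY_RE = re.compile(
    r"^\s*(?P<total>\d+) bytes total \((?P<free>\d+) bytes free\)"
)

# Assumption: file kinds are guessed from the naming seen in the listing.
KIND_PATTERNS = {
    "ASA system image": re.compile(r"^asa\d.*\.bin$"),
    "ASDM image": re.compile(r"^asdm-.*\.bin$"),
    "Cisco Secure Desktop package": re.compile(r"^securedesktop_.*\.pkg$"),
}


def parse_dir(text):
    """Return regular files (name, size) plus total and free flash in bytes."""
    files, total, free = [], None, None
    for line in text.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            if not entry.group("perm").startswith("d"):  # skip directories
                files.append((entry.group("name"), int(entry.group("size"))))
            continue
        summary = SUMMARY_RE.match(line)
        if summary:
            total = int(summary.group("total"))
            free = int(summary.group("free"))
    if total is None:
        raise ValueError("no 'bytes total (... bytes free)' summary line found")
    return {"files": files, "total": total, "free": free}


def upgrade_check(listing, new_image_bytes, min_dup_bytes=1_000_000):
    """Check that a new image fits and list candidates for cleanup."""
    by_kind = defaultdict(list)
    by_size = defaultdict(list)
    for name, size in listing["files"]:
        for kind, pattern in KIND_PATTERNS.items():
            if pattern.match(name):
                by_kind[kind].append(name)
        # Large files of identical size are likely copies of one image.
        if size >= min_dup_bytes:
            by_size[size].append(name)
    shortfall = max(0, new_image_bytes - listing["free"])
    return {
        "fits": shortfall == 0,
        "shortfall_bytes": shortfall,
        "multiple_of_kind": {k: v for k, v in by_kind.items() if len(v) > 1},
        "same_size_files": [v for v in by_size.values() if len(v) > 1],
    }


if __name__ == "__main__":
    listing = parse_dir(SAMPLE_DIR_OUTPUT)
    # 14358528 is the size of the system image in the constructed listing.
    report = upgrade_check(listing, new_image_bytes=14358528)
    print(f"{listing['free']} of {listing['total']} bytes free")
    for key, value in report.items():
        print(f"{key}: {value}")
```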

In a failover configuration, the two units must have the same hardware configuration, must be the same model, must have the same number and types of interfaces, and must have the same amount of RAM. For more information, see the "Configuring Failover" chapter in the Cisco Security Appliance Command Line Configuration Guide.


Note: If you use two units with different flash memory sizes, make sure that the unit with the smaller flash memory has enough space for the software images and configuration files.


Operating System and Browser Requirements

For the latest OS and browser test results, see the Cisco ASA 5500 Series VPN Compatibility Reference.

Determining the Software Version

Use the show version command to verify the software version of your adaptive security appliance. Alternatively, the software version appears on the Cisco ASDM home page.

Upgrading to a New Software Version

ASA Version 8.0(3) delivers major enhancements to SSL VPN Remote Access services providing advanced capabilities that simplify the management and deployment of SSL VPNs while enhancing end-user services and ease-of-use. Highlights of Version 8.0(3) for Remote Access include:

Secure access anywhere, even unmanaged endpoints, through customizable, localizable clientless access

Flexible access policies on a per-user, per-session, per-machine basis, enabling appropriate access for employees and partners based on their identity and the posture of their endpoints

Always up-to-date full-tunnel access through the new AnyConnect client, including Dynamic Transport Layer Security support for latency-sensitive applications like VoIP

Microsoft Windows Vista (32- and 64-bit) and MacOS X support

SSL VPN customers are encouraged to upgrade to Version 8.0(3).

ASA Version 8.0(3) also provides new functionality for firewall customers, as listed below. However, given this release is primarily targeted towards our SSL VPN customers, customers who remain satisfied with the firewall feature content of the ASA Version 7.x series are encouraged to remain on 7.x until such time as they have a business requirement for Version 8.0(3). To support customers choosing to remain on 7.x versions, release updates across all 7.x have been made available.

If you have a Cisco.com login, you can obtain software from the following website:

http://www.cisco.com/public/sw-center/

When you upgrade from Version 7.2(x) to Version 8.0(3), or downgrade from Version 8.0(3) to Version 7.2(x), you must also load the matching ASDM image, because older versions of the ASA images do not recognize new ASDM images, and new ASA images do not recognize old ASDM images.

You can also use the CLI to download the image. For more information, see the "Downloading Software or Configuration Files to Flash Memory" section in the Cisco Security Appliance Command Line Configuration Guide.

To upgrade from Version 7.2(x) to Version 8.0(3), perform the following steps:


Step 1 Make a backup copy of your current configuration file.

Step 2 To retain and use an existing portal customization or URL list, make sure that clientless SSL VPN is enabled on the adaptive security appliance by doing the following:

ASDM—Choose Configuration > Remote Access VPN > Clientless SSL VPN to enable clientless SSL VPN connections on the appropriate interface.

CLI—Enter the webvpn enable command in global configuration mode to enable clientless SSL VPN connections on the appropriate interface.

Step 3 Load the new Version 8.0(3) image from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 4 Restart the device to load the Version 8.0(3) image.

Step 5 Load the new ASDM 6.0 image from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 6 Enter the following command to tell the adaptive security appliance where to find the ASDM image:

hostname(config)# asdm image disk0:/asdmfilename

Do not enter spaces after the / character or within the filename itself.


Upgrading to Version 8.0 for Portal Customization and URL Lists

Version 8.0 extends the functionality for configuring customization and URL lists, and the new process is incompatible with previous versions. During the software upgrade to 8.0, the adaptive security appliance preserves your current configuration by using old settings to generate new customization objects and URL lists. This process occurs only once, and is more than a simple transformation from the old format to the new one, because the old values are only a partial subset of the new ones.


Note: Version 7.2 portal customizations and URL lists work only if clientless SSL VPN (WebVPN) configuration is enabled on the appropriate interface in the Version 7.2(x) configuration file before you upgrade to Version 8.0(3).


To make any changes to existing URL lists or customizations, after you upgrade to Version 8.0(3), you must use the new export/import webvpn url-list commands that replace the 7.2 url-list commands in webvpn mode.

Similarly, to make changes to the portal customization, use the new export/import webvpn customization commands. For a complete description of the command syntax, see the Cisco Security Appliance Command Reference.

The group policy, username, and tunnel group still enforce the url-list and customization objects.

Downgrading to Version 7.2(x) Software

To downgrade from Version 8.0(3) to 7.2(x), perform the following steps:


Step 1 Load the 7.2(x) image from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 2 Restart the device to load the 7.2(x) image.

Step 3 Load the ASDM 5.2(x) image from the following website:

http://www.cisco.com/pcgi-bin/tablebuild.pl/asa

Step 4 Enter the following command to tell the adaptive security appliance where to find the ASDM image:

hostname(config)# asdm image disk0:/asdmfilename

Do not enter spaces after the / character or within the filename itself.


Installing or Upgrading Cisco Secure Desktop

Cisco Secure Desktop Release 3.2 requires ASA Version 8.0(3). You do not need to restart the adaptive security appliance after you install or upgrade Cisco Secure Desktop.


Note: Archive and delete the Secure Desktop desktop/data.xml configuration file before upgrading to Cisco Secure Desktop 3.2. To create a clean configuration file, uninstall Cisco Secure Desktop before reinstalling it.


The expanded flexibility provided by a prelogin assessment sequence editor, and replacement of the Cisco Secure Desktop feature policies with a dynamic access policy (DAP) configured on the adaptive security appliance, are incompatible with Cisco Secure Desktop 3.1.1 configurations. Cisco Secure Desktop automatically inserts a new, default configuration file when it detects that one is not present.

For consistency with the previous release notes, these instructions provide the CLI commands needed to install Secure Desktop. You may, however, prefer to use ASDM. To do so, choose Configuration > Remote Access VPN > Secure Desktop Manager > Setup and click Help.

To install or upgrade the Cisco Secure Desktop software, perform the following steps:


Step 1 Retrieve the securedesktop_asa_3_2_0_build.pkg file from the following website and install it on the flash memory card of the adaptive security appliance:

http://www.cisco.com/pcgi-bin/tablebuild.pl/securedesktop

Step 2 Enter the following commands to access webvpn configuration mode:

hostname# config terminal

hostname(config)# webvpn

hostname(config-webvpn)#

Step 3 To validate the Cisco Secure Desktop distribution package and add it to the running configuration, enter the following command in webvpn configuration mode:

hostname(config-webvpn)# csd image disk0:/securedesktop_asa_3_2_0_build.pkg

hostname(config-webvpn)#

Step 4 To enable Cisco Secure Desktop for management and remote user access, use the csd enable command in webvpn configuration mode. To disable Cisco Secure Desktop, use the no form of this command.

hostname(config-webvpn)# csd enable

hostname(config-webvpn)#


New Features

This section lists the new features for Version 8.0(3). All new features are supported in ASDM Version 6.0(3).

AnyConnect RSA SoftID API Integration

Provides support for AnyConnect VPN clients to communicate directly with RSA SoftID for obtaining user token codes. It also provides the ability to specify SoftID message support for a connection profile (tunnel group), and the ability to configure SDI messages on the security appliance that match SDI messages received through a RADIUS proxy. This feature ensures the prompts displayed to the remote client user are appropriate for the action required during authentication and the AnyConnect client responds successfully to authentication challenges.

IP Address Reuse Delay

Delays the reuse of an IP address after it has been returned to the IP address pool. Increasing the delay prevents problems the security appliance may experience when an IP address is returned to the pool and reassigned quickly.

WAAS and ASA Interoperability

The [no] inspect waas command is added to enable WAAS inspection in the policy-map class configuration mode. This CLI is integrated into Modular Policy Framework for maximum flexibility in configuring the feature. The [no] inspect waas command can be configured under a default inspection class and under a custom class-map. This inspection service is not enabled by default.

The keyword option waas is added to the show service-policy inspect command to display WAAS statistics.

show service-policy inspect waas

A new system log message is generated when WAAS optimization is detected on a connection. All L7 inspection services including IPS are bypassed on WAAS optimized connections.

System Log Number and Format:

%ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, inspection services bypassed on this connection.

A new connection flag, "W", marks WAAS connections. The show conn detail command is updated to reflect the new flag.
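Because L7 inspection and IPS are bypassed on WAAS-optimized connections, the 428001 message is the record of which flows went uninspected. The following Python is an added example, not part of the Cisco release notes: it parses the message format given above, counts bypassed flows, and lists those whose endpoints fall outside the networks where WAAS optimization is expected. The sample log lines, the syslog header in front of each message, and the EXPECTED_WAAS_NETS list are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Message body as given in the release note:
# %ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to
# out_interface:dest_ip_addr/dest_port, inspection services bypassed on
# this connection.
WAAS_RE = re.compile(
    r"%ASA-6-428001: WAAS confirmed from "
    r"(?P<in_if>[^:\s]+):(?P<src_ip>[^/\s]+)/(?P<src_port>\d+) to "
    r"(?P<out_if>[^:\s]+):(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+), "
    r"inspection services bypassed on this connection"
)

# Constructed sample lines; the timestamp and host prefix are an assumption.
SAMPLE_LOG = [
    "Jan 15 2008 10:01:02 asa1 : %ASA-6-428001: WAAS confirmed from "
    "inside:10.1.1.20/51512 to outside:10.2.0.5/445, "
    "inspection services bypassed on this connection.",
    "Jan 15 2008 10:01:04 asa1 : %ASA-6-302013: Built outbound TCP connection "
    "1234 for outside:10.2.0.5/445 (10.2.0.5/445) to "
    "inside:10.1.1.20/51600 (10.1.1.20/51600)",
    "Jan 15 2008 10:01:05 asa1 : %ASA-6-428001: WAAS confirmed from "
    "inside:10.1.1.20/51600 to outside:10.2.0.5/445, "
    "inspection services bypassed on this connection.",
    "Jan 15 2008 10:07:31 asa1 : %ASA-6-428001: WAAS confirmed from "
    "inside:10.1.1.77/40222 to outside:203.0.113.9/8080, "
    "inspection services bypassed on this connection.",
]

# Assumption: the sites between which WAAS optimization is deployed.
EXPECTED_WAAS_NETS = [
    ipaddress.ip_network("10.1.0.0/16"),
    ipaddress.ip_network("10.2.0.0/16"),
]


def parse_waas_events(lines):
    """Extract one dict per 428001 message; other messages are ignored."""
    events = []
    for line in lines:
        match = WAAS_RE.search(line)
        if not match:
            continue
        event = match.groupdict()
        event["src_port"] = int(event["src_port"])
        event["dst_port"] = int(event["dst_port"])
        events.append(event)
    return events


def _in_expected_nets(address, networks):
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not an IP literal: treat as unexpected
    return any(ip in net for net in networks)


def unexpected_bypass(events, networks):
    """Events where either endpoint is outside the expected WAAS networks."""
    return [
        e for e in events
        if not (_in_expected_nets(e["src_ip"], networks)
                and _in_expected_nets(e["dst_ip"], networks))
    ]


def bypass_summary(events):
    """Count uninspected flows per (source, destination, destination port)."""
    return Counter((e["src_ip"], e["dst_ip"], e["dst_port"]) for e in events)


if __name__ == "__main__":
    events = parse_waas_events(SAMPLE_LOG)
    for flow, count in bypass_summary(events).most_common():
        print(f"{count:3d} uninspected connection(s): {flow}")
    for e in unexpected_bypass(events, EXPECTED_WAAS_NETS):
        print(f"REVIEW: {e['in_if']}:{e['src_ip']} -> "
              f"{e['out_if']}:{e['dst_ip']}/{e['dst_port']}")
```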

Important Notes

ASA Compatible with EIGRP Version 3

EIGRP support was added in Version 8.0(2). However, due to a packet format change, Version 8.0(3) and later are not compatible with Version 8.0(2). Therefore, if you upgrade an adaptive security appliance to Version 8.0(3) or later, and it is peering with another adaptive security appliance running Version 8.0(2), then the peer must also be upgraded, or EIGRP will not operate correctly.

Caveats

The following sections describe the caveats for Version 8.0(3).

For your convenience in locating caveats in the Cisco Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:

Commands are in boldface type.

Product names and acronyms may be standardized.

Spelling errors and typos may be corrected.


Note: If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/support/bugtools

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


Open Caveats - Version 8.0(3)

Table 2 Open Caveats

DDTS Number  Corrected in 8.0(3)  Caveat
CSCsf25418   No                   Traceback in Thread Name: tmatch compile after assert
CSCsg71579   No                   Programming assertion malloc.c:3822 on secondary after failover from pri
CSCsg99492   No                   SASL GSSAPI-Kerberos authentication not happening with Sunone Server
CSCsh91747   No                   SSL VPN stress cause SSL lib error. Function: DO_SSL3_WRITE
CSCsj08209   No                   clear ospf process causes traceback
CSCsj25672   No                   1550 block leak when running multiple tls codenomicon suites.
CSCsj28099   No                   ASA can hang on certain tasks if disk is corrupt.
CSCsj32989   No                   ASA traceback when running 100 user Avalanche webvpn goodput test
CSCsj83081   No                   traceback after clear conf filter. eip 0x00beb377.
CSCsj84640   No                   Memory leak on CRYPTO_malloc
CSCsk08454   No                   ASA 8.0 fails to send TACACS request over L2L tunnel
CSCsk19065   No                   Excessive High CPU and packets drops when applying ACL to an interface
CSCsk21548   No                   2048 byte Block depletion related to Fragmented multicast traffic
CSCsk21641   No                   Traceback in Dispatch unit related to fragmented multicast traffic
CSCsk36399   No                   Traceback in PIX Garbage Collector (Old pc 0x008b619d ebp 0x0261ed60)
CSCsk36703   No                   Traceback in thread name IP Thread
CSCsk36952   No                   Traceback in Thread: accept/http when changing DHCP config via ASDM
CSCsk37533   No                   SIP: Traceback in 7.0(7) with segmented SIP packets
CSCsk38848   No                   ASA crashes in Active/Standby Routed Mode causing voice failures
CSCsk40743   No                   system miss ticks when cpu-hog is present
CSCsk42958   No                   Traceback in thread https_proxy
CSCsk45220   No                   Regex used in CLI command filtering causes device reload
CSCsk48344   No                   Inspect http is not matching server response fields
CSCsk48629   No                   ASA crashes with Unicorn Proxy Thread
CSCsk55665   No                   reload with panic: route_process inconsistent annotation
CSCsk60581   No                   Device reload when the SIP PROTOS Suite is launched
CSCsk69537   No                   Traceback in Dispatch Unit during ASDM access
CSCsk70941   No                   Traceback in Thread Name: Dispatch Unit
CSCsk78634   No                   ASA Traceback in thread MFIB
CSCsk84529   No                   Reload with Thread Name: ssh
CSCsk88517   No                   ASA stops servicing WebVPN login page
CSCsk89022   No                   ASA dhcp server crashed while removing dhcpd configuration.
CSCsk89600   No                   Reload in Dispatch Unit thread with ESMTP inspection enabled
CSCsk89639   No                   Reload with Thread Name: Checkheaps
CSCsk90689   No                   telnet to the box and vpn tunnels fail due to 0-byte block depletion
CSCsk95246   No                   no router rip, followed by router rip & network cause vPifnum & tracebac
CSCsk96804   No                   Traceback in Thread Name: Dispatch Unit with inspect h323
CSCsk97830   No                   Traceback in thread name Dispatch Unit
CSCsl01792   No                   ASA traceback in Thread Name: Dispatch Unit
CSCsl02630   No                   WebVPN: Traceback in Thread Name: emweb/https
CSCsl04124   No                   ASA 8.0.2 - SIP call from outside w/o sound : SIP::Error - fail to NAT
CSCsl04893   No                   ASA: Traceback with threadname Dispatch Unit
CSCsl04953   No                   Need to add additional support for DECNET multicast in Transparent mode
CSCsl05707   No                   ASA: crash when removing h323 h225 inspection
CSCsl06247   No                   ASA-0-716507: Fiber scheduler has reached unreachable code causes outage
CSCsl07386   No                   WebVPN: Traceback in Thread Name: vpnfol_thread_sync at failover sync
CSCsl08970   No                   Downgrade from 8.0.2 to 7.2.3.5 can cause traceback
CSCsl10562   No                   DAP_TRACE: Username: fatemeh, Selected DAPs: <error>
CSCsl11435   No                   telnet over VPN hangs when ASA failover occurs
CSCsl11572   No                   Traceback - emweb/https - Watchdog Timeout in 0x00909c3d:_vpn_put_uauth
CSCsl12010   No                   flash memory corruption issues
CSCsl17136   No                   ASA-PIX: H323 Video breaks with inspection enabled.
CSCsl17381   No                   ASA crashes with Thread Name: CTM message handler
CSCsl18071   No                   Windows Media Player can not play media file with/without L-2-L Ipsec
CSCeh98117   No                   Tunnel-group/ldap-login passwords in cleartext when viewed with more
CSCsf07135   No                   ASDM connection may cause packet loss
CSCsh78681   No                   In use memory count displayed incorrectly
CSCsh79097   No                   Syslog message displaying reason why flow is closed by ESMTP inspection
CSCsi49983   No                   Periodic HW crypto errors 402123 & 402125 see with L2TP/IPSEC
CSCsi79159   No                   admin connections via management-access fail
CSCsi94163   No                   PPPOE connection does not renegotiate immediatly after short disconnect
CSCsj02948   No                   %ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error
CSCsj07428   No                   Idle IPSEC connections not closing out
CSCsj61214   No                   Lower cpu-hog syslog 711002 from Level 7 to Level 4
CSCsj71788   No                   Slow response when entering commands via Telnet
CSCsk00089   No                   ASA 7.2 : Firewall-MIB : no snmp object for failover lan int status
CSCsk10088   No                   LDAPS / LDAP over SSL suddenly stops working
CSCsk14532   No                   ASA - FTP Type Mount remains inaccessible if FTP server goes offline
CSCsk14695   No                   WebVPN with SDI in new pin mode does not prompt user
CSCsk18083   No                   nat exemption access-list not checked for protocol or port when applied
CSCsk18084   No                   cikeTunnelTable does not populate for some of the ISAKMP SA's.
CSCsk19485   No                   syslog TCP_CONN_END shows Reset-O for ASA generated TCP RST
CSCsk29306   No                   ASA 8.0 - Error Contacting Host error when accessing CIFS Shares
CSCsk30698   No                   PIX/ASA may stop generating syslogs all together
CSCsk33310   No                   PIX SIP fixup does not correctly open RTP conns using NAT 0
CSCsk34404   No                   Multicontext mode: static nat overlap check not valid when no classifier
CSCsk40210   No                   Auth-Proxy DACLs may become stale and impossible to delete
CSCsk42595   No                   ASA:: 2 Factor Authentication with Password-Management Fails for SSL VPN
CSCsk47949   No                   ASDM hangs at 47% if packet losses on the network
CSCsk47999   No                   TCP session stays half-open when FIN sequence problem.
CSCsk48355   No                   ISAKMP SA stuck in AM_WAIT_DELETE after ASA upgrade
CSCsk48377   No                   Clear Xlate doesn't clear for a host in a static entry
CSCsk49506   No                   Local-host for u-turn traffic on lowest sec level used for license limit
CSCsk50537   No                   ASA Javascript error with webvpn and mail server (SUN iPlanet)
CSCsk54728   No                   Citrix applications do not close automatically when Logging off WebVPN
CSCsk64428   No                   High CPU when polling VPN MIBs via SNMP
CSCsk65211   No                   ASA5505 inside interface w/23bit or smaller subnet mask becomes unstable
CSCsk65788   No                   FO: Webvpn customization import not replicated to Standby device
CSCsk65940   No                   crashinfo file corrupted, extra text appended to bottom
CSCsk71006   No                   ipv6 acl don't have acl options when using MPF
CSCsk71413   No                   Traceback: chunk memory corruption with caller occam_arena__get_block.
CSCsk73047   No                   Crash in Thread Name: IKE Receiver
CSCsk75944   No                   ASA configuration of NTP - NTP process fails to initialise
CSCsk80789   No                   RTSP inspection changes Media Player version to 0.0.0.0
CSCsk84107   No                   Standby uses active sub-interface ip address after enabling monitoring
CSCsk88563   No                   Answers to DHCPINFORM packets use wrong destination MAC address
CSCsk89474   No                   URL filtering not performed for u-turn vpn traffic
CSCsk91598   No                   Sip inspection on ASA fails to NAT record-route entries in invite packet
CSCsk93067   No                   no management-access Inside still allows telnet over IPSec tunnel
CSCsk94835   No                   UDP SIP not being inspected by default-inspection-class
CSCsk97671   No                   VPN client with NULL Encryption L2TP-IPSec behind NAT drops on 71st sec
CSCsl02675   No                   ASDM>Tools> ping fails when entering hostname in IP address field
CSCsl02821   No                   VPN tunnel might not reestablish after failover
CSCsl03839   No                   WebVPN does not modify URLs in Sharepoint .iqy files
CSCsl04448   No                   Cannot remove url-server despite having removed url-block cmd in 7.2.3
CSCsl04900   No                   SIP invite fixup'd with name rather than IP address
CSCsl05751   No                   Citrix with Client Detection is not working
CSCsl05777   No                   Citrix Apps hanging when opening multiple Apps
CSCsl08857   No                   warning message with certificate based authentication
CSCsl10052   No                   new L2TP sessions are denied after %ASA-4-403103 is seen in the logs
CSCsl11321   No                   ASA doesn't send coldStart trap when speed/duplex is fixed as 100/full
CSCsl14914   No                   webvpn rewriter causing webpage to fail with Cisco clientless webvpn
CSCsl15013   No                   DHCPrelay broken with 2 DHCPrelay servers when second one out of service
CSCsl16873   No                   CSD version 3.2 installed on ASA shows some unwanted garbage characters
CSCsl17191   No                   PIX/ASA PMTUD: ICMP type 3 code 4 uses wrong source interface
CSCsl18668   No                   last configured dhcprelay server shows up first in configuration


Resolved Caveats - Version 8.0(3)

Table 3 Resolved Caveats

DDTS Number  Corrected in 8.0(3)  Caveat
CSCeg00330   Yes                  DHCP relay: ACK in reply to INFORM may be dropped
CSCsb45561   Yes                  standby instead of active keeps sending register to RP after failover
CSCsc98412   Yes                  Pix console accounting doesn't appear in ACS Logged-In User report
CSCsd51407   Yes                  Dual ISP fails after failover, routing table have stale routes
CSCsd65922   Yes                  webvpn acls should allow wilcard * hostnames
CSCse31519   Yes                  OCSP: CRL checking of externally signed responder cert fails
CSCse99033   Yes                  tracked route removed from Standby firewall after failover
CSCsf30571   Yes                  Traceback in ssh_init
CSCsg16149   Yes                  data sent with Active MAC after switchover to standby
CSCsg25616   Yes                  ASA put PATed src port in ICMP (type3, code4)
CSCsg43591   Yes                  SCP connection to PIX fails
CSCsg52106   Yes                  Embryonic value -1 under syslog and count to host = 42949672
CSCsg61719   Yes                  SNMP: Coldstart Trap is not sent
CSCsg78524   Yes                  NT Authentication (NTLM) is attempted three times with a bad password
CSCsg93050   Yes                  Inspect DCERPC failure. Packet too small error
CSCsg96150   Yes                  dependence between sysopt connection permit-vpn and management commands
CSCsg96247   Yes                  ASA traceback - RSA keypair generation SSH function calls
CSCsg96351   Yes                  http regex matching fails to match http:\/\/
CSCsg99807   Yes                  ICMP (type3, code4) is not sent after learning PMTU
CSCsh21984   Yes                  When out of available URL requests, future HTTP GETs dropped silently
CSCsh22262   Yes                  FTP authen fails if trailing <cr> exists in banner & aaa proxy enabled
CSCsh23012   Yes                  data received after static pat is removed causes traceback
CSCsh23318   Yes                  When a pending URL request times out the Buffered traffic is lost
CSCsh23865   Yes                  Nailed Static configuration doesnt appear in config
CSCsh26607   Yes                  'inspect skinny' drops/corrupts packets with high network latency
CSCsh32241   Yes                  Block size 256 depletion causing failover issues
CSCsh33290   Yes                  Transparent FW passes arp requests from standby, causing arp problems
CSCsh35715   Yes                  ESMTP inspection drops emails with special characters in the email addr
CSCsh36387   Yes                  ASA 5510 7.2.2 / traceback in Thread Name: IKE Daemon
CSCsh40829   Yes                  LDAP: multiple Cisco-AV-Pair need to be enforced on vpn-session
CSCsh41155   Yes                  ASA h323 inspect corrupts q931 packet
CSCsh41496   Yes                  ldap-login-dn requires full path name of admin user
CSCsh44467   Yes                  Static ARP Entry Removed From the Configuration and ARP Table
CSCsh45414   Yes                  ASA Radius state machine reuses state attribute from failed auth
CSCsh46436   Yes                  Radius NAS-Port-Type not sent in SSH authentication request
CSCsh48962   Yes                  Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI
CSCsh53246   Yes                  Traceback when specifying ldap port.
CSCsh53603   Yes                  Unable to resolve ARP entry for a directly connected host
CSCsh54016   Yes                  PIX 7.2.2 memory degradation
CSCsh55107   Yes                  DHCP relay fails when static translation for all hosts configured
CSCsh56084   Yes                  ASA CIFS over WebVPN : file created on server but write operation fails
CSCsh56439   Yes                  Multicast: Crash in Thread Name: MFIB
CSCsh58003   Yes                  IPCP not coming up when using 'ip address pppoe'
CSCsh59098   Yes                  Traceback at ThreadName:Unicorn Proxy Thread(pc 0x00c5a9a4 ebp 0x0dd71cc
CSCsh60896   Yes                  ESMTP inspection hogging CPU
CSCsh62358   Yes                  CTIQBE Fixup does not work with Call Manager 4.2.1
CSCsh65168   Yes                  group policy name cannot contain spaces
CSCsh66209   Yes                  Traceback at Thread Name: Dispatch Unit(Old pc 0x00218f77 ebp 0x018724a8
CSCsh66576   Yes                  L2TP: Connectivity issues with 1500 established sessions
CSCsh66814   Yes                  SIP pinhole for inbound INVITE timesout before expires in outbound REGIS
CSCsh67105   Yes                  ASA 7.2(2): high cpu usage with DHCP assigned IP addresses
CSCsh68174   Yes                  Print warning when logging ftp-bufferwrap CLI is configured
CSCsh74009   Yes                  Show/Clear uauth command will not work for username with spaces.
CSCsh74885   Yes                  Traceback in thread accept/ssh_131071
CSCsh80968   Yes                  ASA traceback through memory corruption
CSCsh81111   Yes                  Denial-of-Service in VPNs with password expiry
CSCsh82130   Yes                  Command authorization for clear fails for priv level lower than 15
CSCsh83148   Yes                  Tcp Timestamp unexpectedly set to 0 for flows reordered by the firewall
CSCsh83925   Yes                  ASA traceback in Thread Name: EAPoUDP
CSCsh86334   Yes                  Syslog 199002 not sent to external syslog server on bootup
CSCsh86444   Yes                  VPN: TCP traffic allowed on any port with management-access enabled.
CSCsh86796   Yes                  Process qos_metric_daemon hogging CPU
CSCsh89816   Yes                  ASA in transparent mode: answer-only vpn, but can still intiate VPN
CSCsh90659   Yes                  Traceback: Thread Name:vpnlb_thread in standby after taking active role
CSCsh91283   Yes                  Inspect SunRPC drops segmented packets
CSCsh96817   Yes                  L2TP: Can not connect more than one Vista client at the same time
CSCsh97584   Yes                  video connection through ASA fails
CSCsh97976   Yes                  show int ip brief shows incorrect line protocol status
CSCsh98679   Yes                  ASA: WCCP packets redirected stops incrementing after 2-3 mins
CSCsh98791   Yes                  OCSP with CA signed responder cert failing verification check
CSCsi01498   Yes                  ESMTP inspect cannot handle content-type string in DKIM headers
CSCsi03576   Yes                  Webvpn: OWA 2000 replies/forwards fail after upgrading to latest hotfix
CSCsi05471   Yes                  webvpn crash with citrix
CSCsi05768   Yes                  ASA: DPD thresholds over 300 are not accepted for remote access
CSCsi07349   Yes                  SAA/tracking traceback under specific CLI sequence
CSCsi08103   Yes                  command author does not mark aaa-server dead when TACACS unavailable
CSCsi08317   Yes                  PIX using Authentication Proxy and Wildcard causes Certificates error
CSCsi08957   Yes                  SNMPv2-SMI enterprises.3076.2.1.2.26.1.2.0 not showing actual connection
CSCsi10396   Yes                  ASA crashes at Thread Name: emweb/https while file uploading >1MB
CSCsi10466   Yes                  SIP inspect fails for INVITE where display name contains string 'tel'
CSCsi11941   Yes                  When URL filtering is enabled Streaming Media loads slowly
CSCsi13865   Yes                  SNMP in multi-mode creates message vPif_getVpif: bad vPifNum
CSCsi15805   Yes                  SNMP interface counters incorrect on ASA-5505
CSCsi17946   Yes