Table Of Contents
Cisco PIX Security Appliance Release Notes Version 7.2(3)
Contents
Introduction
System Requirements
Memory Requirements
Software Requirements
Maximum Recommended Configuration File Size
Cisco VPN Software Interoperability
Cisco VPN Client Interoperability
Cisco Easy VPN Remote Interoperability
Determining the Software Version
Upgrading to a New Software Version
Supported Platforms and Feature Licenses
New Features
capture Command Enhancement
Support for ESMTP over TLS
DHCP Client
WAAS and PIX Interoperability
ASDM Banner Enhancement
Important Notes
User Upgrade Guide
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
Features not Supported
Downgrade to Previous Version
Caveats
Open Caveats - Version 7.2(3)
Resolved Caveats - Version 7.2(3)
Related Documentation
Obtaining Documentation and Submitting a Service Request
Cisco PIX Security Appliance Release Notes Version 7.2(3)
August 2007
Contents
This document includes the following sections:
•
Introduction
•System Requirements
•Supported Platforms and Feature Licenses
•New Features
•Important Notes
•Caveats
•Related Documentation
•Obtaining Documentation and Submitting a Service Request
Introduction
Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.2(3).
The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability.
For more information on all of the new features, see New Features.
Additionally, the security appliance software supports Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the security appliance, ASDM accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the security appliance. Its secure, web-based design enables anytime, anywhere access to security appliances.
System Requirements
The sections that follow list the system requirements for operating a security appliance.
Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.2(3).
Memory Requirements
If you are using a PIX 515/515E running PIX Version 6.2/6.3, you need to upgrade your memory before performing an upgrade to PIX Version 7.0. PIX Version 7.0 requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. The following security appliance platforms require at least 64 MB of RAM. Table 1 lists flash memory requirements for Version 7.2(3).
Table 1 Flash Memory Requirements
Security Appliance Model
|
Flash Memory Required in Version 7.2(3)
|
PIX 515/515E
|
16 MB
|
PIX 525
|
16 MB
|
PIX 535
|
16 MB
|
For more information on minimum memory requirements, see the "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.
Software Requirements
Version 7.2(3) requires the following:
1. The minimum software version required before performing an upgrade to PIX Version 7.2(3) is PIX Version 7.0. If you are running a PIX version prior to PIX Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can begin the upgrade to PIX Version 7.0.
To upgrade your PIX software image, go to the following website:
http://www.cisco.com/public/sw-center/index.shtml
2. For information on specific licenses supported on each model of the security appliance, go to the following website: http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html
3. If you are upgrading from a previous PIX version, save your configuration and write down your activation key and serial number. See "http://www.cisco.com/public/sw-center/index.shtml" for new installation requirements.
Maximum Recommended Configuration File Size
For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 7.2(3). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 7.2(3). If you are using ASDM, we recommend no more than a 500 KB configuration file because larger configuration files can interfere with the performance of ASDM on your workstation.
While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:
•While executing commands such as the write terminal and show running-config commands
•Failover (the configuration synchronization time)
•During a system reload
Cisco VPN Software Interoperability
Cisco VPN Series
|
Interoperability Comments
|
Cisco IOS routers
|
Version 7.2(3) requires Cisco IOS Release 12.3(T)T or later running on the router when using IKE Mode Configuration on the security appliance.
|
Cisco VPN 3000 concentrators
|
Version 7.2(3) requires Cisco VPN 3000 concentrator Version 3.6 or later for correct VPN interoperability.
|
Cisco VPN Client Interoperability
Cisco VPN Client
|
Interoperability Comments
|
Cisco VPN client v3.x/4x
(Unified VPN client framework)
|
Version 7.2(3) supports the Cisco VPN client Version 3.6 or later that runs on all Microsoft Windows platforms. It also supports the Cisco VPN client Version 3.6 or later that runs on Linux, Solaris, and Macintosh platforms.
|
Cisco Easy VPN Remote Interoperability
Cisco Easy VPN Remote
|
Interoperability Comments
|
Cisco PIX Security Appliance Easy VPN remote v6.3
|
Version 7.2(3) Cisco Easy VPN server requires the Cisco PIX security appliance Version 6.3 Easy VPN remote that runs on the PIX 501 and PIX 506 platforms.
|
VPN 3000 Easy VPN remote v3.x/4x
|
Version 7.2(3) Cisco Easy VPN server requires the Version 3.6 or later of the Easy VPN remote that runs on the VPN 3002 platform.
|
Cisco IOS Easy VPN remote Release 12.2(16.4)T
|
Version 7.2(3) Cisco Easy VPN server interoperates with Cisco IOS 806 Easy VPN remote Release (16.4)T.
|
Determining the Software Version
Use the show version command to verify the software version installed on your security appliance. Alternatively, you can see the software version, on the Cisco ASDM home page.
Upgrading to a New Software Version
If you have a Cisco.com (CDC) login, you can obtain software from the following website:
http://www.cisco.com/public/sw-center/index.shtml
Note PIX and ASDM images must be compatible for example PIX Version 7.2(3) is compatible to ASDM Version 5.2(3). ASDM will not work with an incompatible platform version. You will get an error message and ASDM will close.
You can also use the command-line interface to download the image, see the "Downloading Software or Configuration Files to Flash Memory" section in the Cisco Security Appliance Command Line Configuration Guide.
To upgrade from Version 7.1.(x) to 7.2(3), you must perform the following steps:
Step 1 Load the new Version 7.2(3) image from the following website:
http://www.cisco.com/public/sw-center/index.shtml
Step 2 Reload the device so that it will start using the Version 7.2(3) image.
Step 3 Copy new ASDM Version 5.2(x) image from the following website:
http://www.cisco.com/public/sw-center/index.shtml
Step 4 Enter the following command; this will tell the security appliance where to find the ASDM image:
hostname(config)# asdm image flash:/ asdm file
To downgrade from Version 7.2(3) to 7.1.(x), you must perform the following steps:
Step 1 Load the earlier Version 7.1(x) image from the following website:
http://www.cisco.com/public/sw-center/index.shtml
Step 2 Reload the device so that it will be use the Version 7.1(x) image.
Step 3 Copy the ASDM Version 5.1(x) image from the following website:
http://www.cisco.com/public/sw-center/index.shtml
Step 4 Enter the following command; this will tell the security appliance where to find the ASDM image:
hostname(config)# asdm image flash:/ asdm file
Supported Platforms and Feature Licenses
This software version supports the following platforms; see the associated tables for the feature support for each model:
•PIX 515/515E, Table 2
•PIX 525, Table 3
•PIX 535, Table 4
Note Items that are in italics are separate, optional licenses that you can replace the base license. You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the 500 WebVPN license plus the GTP/GPRS license; or all four licenses together.
Table 2 PIX 515/515E Security Appliance License Features
PIX 515/515E
|
R (Restricted)
|
UR (Unrestricted)
|
|
FO-AA (Failover Active/Active) 1
|
Users, concurrent
|
Unlimited
|
Unlimited
|
Unlimited
|
Unlimited
|
Security Contexts
|
No support
|
2
|
Optional license: 5
|
2
|
Optional license: 5
|
2
|
Optional license: 5
|
IPSec Sessions
|
2000
|
2000
|
2000
|
2000
|
WebVPN Sessions
|
No support
|
No support
|
No support
|
No support
|
VPN Load Balancing
|
No support
|
No support
|
No support
|
No support
|
TLS Proxy for SIP and Skinny Inspection
|
No support
|
No support
|
No support
|
No support
|
Failover
|
No support
|
Active/Standby
Active/Active
|
Active/Standby
|
Active/Standby
Active/Active
|
GTP/GPRS
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
Max. VLANs
|
10
|
25
|
25
|
25
|
Concurrent Firewall Conns2
|
48 K
|
130 K
|
130 K
|
130 K
|
Max. Physical Interfaces
|
3
|
6
|
6
|
6
|
Encryption
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Min. RAM
|
64 MB
|
128 MB
|
128 MB
|
128 MB
|
Table 3 PIX 525 Security Appliance License Features
PIX 525
|
R (Restricted)
|
UR (Unrestricted)
|
|
FO-AA (Failover Active/Active) 1
|
Users, concurrent
|
Unlimited
|
Unlimited
|
Unlimited
|
Unlimited
|
Security Contexts
|
No support
|
2
|
Optional licenses:
|
2
|
Optional licenses:
|
2
|
Optional licenses:
|
5
|
10
|
20
|
50
|
5
|
10
|
20
|
50
|
5
|
10
|
20
|
50
|
IPSec Sessions
|
2000
|
2000
|
2000
|
2000
|
WebVPN Sessions
|
No support
|
No support
|
No support
|
No support
|
VPN Load Balancing
|
No support
|
No support
|
No support
|
No support
|
TLS Proxy for SIP and Skinny Inspection
|
No support
|
No support
|
No support
|
No support
|
Failover
|
No support
|
Active/Standby
Active/Active
|
Active/Standby
|
Active/Standby
Active/Active
|
GTP/GPRS
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
Max. VLANs
|
25
|
100
|
100
|
100
|
Concurrent Firewall Conns2
|
140 K
|
280 K
|
280 K
|
280 K
|
Max. Physical Interfaces
|
6
|
10
|
10
|
10
|
Encryption
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Min. RAM
|
128 MB
|
256 MB
|
256 MB
|
256 MB
|
Table 4 PIX 535 Security Appliance License Features
PIX 535
|
R (Restricted)
|
UR (Unrestricted)
|
|
FO-AA (Failover Active/Active) 1
|
Users, concurrent
|
Unlimited
|
Unlimited
|
Unlimited
|
Unlimited
|
Security Contexts
|
No support
|
2
|
Optional licenses:
|
2
|
Optional licenses:
|
2
|
Optional licenses:
|
5
|
10
|
20
|
50
|
5
|
10
|
20
|
50
|
5
|
10
|
20
|
50
|
IPSec Sessions
|
2000
|
2000
|
2000
|
2000
|
WebVPN Sessions
|
No support
|
No support
|
No support
|
No support
|
VPN Load Balancing
|
No support
|
No support
|
No support
|
No support
|
TLS Proxy for SIP and Skinny Inspection
|
No support
|
No support
|
No support
|
No support
|
Failover
|
No support
|
Active/Standby
Active/Active
|
Active/Standby
|
Active/Standby
Active/Active
|
GTP/GPRS
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
Max. VLANs
|
50
|
150
|
150
|
150
|
Concurrent Firewall Conns2
|
250 K
|
500 K
|
500 K
|
500 K
|
Max. Physical Interfaces
|
8
|
14
|
14
|
14
|
Encryption
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Min. RAM
|
512 MB
|
1024 MB
|
1024 MB
|
1024 MB
|
New Features
This section lists the new features for Version 7.2(3). All new features are supported in ASDM 5.2(3).
capture Command Enhancement
The enhancement to the capture command allows the user to capture traffic and display it in real time. It also allows the user to specify command line options to filter traffic without having to configure a separate access list. This enhancement adds the [real-time] and a five-tupple [match] options.
capture <cap_name> [[real-time] [dump] [detail [trace]] [match <prot> {host <ip> | <ip>
<mask> | any} [eq | lt | gt <port>] {host <ip> | <ip> <mask> | any} [eq | lt | gt
<port>]]
Support for ESMTP over TLS
This enhancement adds the configuration parameter allow-tls [action log] in the esmtp policymap. By default, this parameter is not enabled. When it is enabled, ESMTP inspection would not mask the 250-STARTTLS echo reply from the server nor the STARTTLS command from the client. After the server replies with the 220 reply code, the ESMTP inspection turns off by itself— the ESMTP traffic on that session is no longer inspected. If the allow-tls action log parameter is configured, the system log message ASA-6-108007 is generated when TLS is started on an ESMTP session.
policy-map type inspect esmtp esmtp_map
parameters
allow-tls [action log]
A new line for displaying counters associated with the allow-tls parameter is added to the show
service-policy inspect esmtp command. It is only present if allow-tls is configured in policy map. By default, this parameter is not enabled.
show service-policy inspect esmtp
allow-tls, count 0, log 0
This enhancement adds a new system log message for the allow-tls parameter. It indicates on an esmtp session the server has responded with a 220 reply code to the client STARTTLS command. The ESMTP inspection engine will no longer inspect the traffic on this connection.
System log Number and Format:
%ASA-6-108007: TLS started on ESMTP session between client <client-side interface-name>:<client IP address>/<client port> and server <server-side interface-name>:<server IP address>/<server port>
DHCP Client
The dhcp-client client-id interface <interface name> command forces a MAC address to be stored inside a DHCP request packet instead of the default internally generated unique string. This CLI allows the security appliance to obtain a DHCP address from the ISP with this special requirement
WAAS and PIX Interoperability
The [no] inspect waas command is added to enable WAAS inspection in the policy-map class configuration mode. This CLI is integrated into Modular Policy Framework for maximum flexibility in configuring the feature. The [no] inspect waas command can be configured under default inspection class and under a custom class-map. This inspection service is not enabled by default.
The keyword option waas is added to the show service-policy inspect command to display WAAS statistics.
show service-policy inspect waas
A new system log message is generated when WAAS optimization is detected on a connection. All L7 inspection services including IPS are bypassed on WAAS optimized connections.
System Log Number and Format:
%ASA-6-428001: WAAS confirmed from in_interface:src_ip_addr/src_port to out_interface:dest_ip_addr/dest_port, inspection services bypassed on this connection.
A new connection flag "W" is added int he WAAS connection. The show conn detail command is updated to reflect the new flag.
ASDM Banner Enhancement
The security appliance Version 7.2(3) software supports an ASDM banner. If configured, when you start ASDM, this banner text will appear in a dialog box with the option to continue or disconnect. The Continue option dismisses the banner and completes login as usual whereas, the Disconnect option dismisses the banner and terminates the connection. This enhancement requires the customer to accept the terms of a written policy before connecting. Following is the new CLI associated with this enhancement:
banner {exec | login | motd | asdm} <text>
no banner {exec | login | motd | asdm} [<text>]
show banner [{exec | login | motd | asdm}]
clear banner
Important Notes
This section lists important notes related to Version 7.2(3).
User Upgrade Guide
Before upgrading to Version 7.2(3), read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading in Cisco PIX Software Version 7.0. This guide includes information about deprecated features and other changes in the Cisco PIX software Version 7.0. For a list of deprecated features and user upgrade information, go to the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html
Caution If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.2(3) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.2(3) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
The security appliance Outbound and Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and optimize the ACL feature set. ACL-based configurations provide the following benefits:
•ACE insertion capability—Provides simplified system configuration and management, which allows you to add, delete or modify individual ACEs.
•Outbound ACLs and time-based ACLs—Provides administrators with improved flexibility for defining access control policies by adding support for outbound ACLs and time-based ACLs.
•Enabling and Disabling of ACL entries—Provides a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs without the need to remove and replace ACL entries.
Features not Supported
The PPTP feature is not supported.
Downgrade to Previous Version
To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. Use the downgrade command only if you want to downgrade to a version other than 7.x.
For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
Caution Do not load a previous version of software if your PIX security appliance is currently running PIX Version 7.0 or later. If you load a software image from monitor mode onto a PIX security appliance that has a PIX Version 7.0 file system, unpredictable behavior may occur and is not supported. We strongly recommend that you use the
downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.
Caveats
The following sections describe the caveats for the Version 7.2(3).
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Version 7.2(3)
Table 5 lists open caveats for Version 7.2(3).
Table 5 Open Caveats
DDTS Number
|
Software Version 7.2(3)
|
| |
| |
Corrected
|
Caveat
|
CSCeh98117
|
No
|
Tunnel-group/ldap-login passwords in cleartext when viewed with more
|
CSCej04099
|
No
|
static xlate breaks management-access inside
|
CSCsc98412
|
No
|
PIX console accounting doesn't appear in ACS Logged-In User report
|
CSCse29407
|
No
|
pim accept-register list documentation issue
|
CSCse93941
|
No
|
add acl logging capability to vpn-filter
|
CSCsf25418
|
No
|
Traceback in Thread Name: tmatch compile after assert
|
CSCsg47023
|
No
|
L2TP Connections with Certificates to ASA Fail to Connect
|
CSCsg63145
|
No
|
Traceback with Thread Name: PIX Garbage Collector
|
CSCsg65434
|
No
|
Multiple ipsec peers : PIX/ASA stops processing the IPSEC peers list
|
CSCsg71579
|
No
|
Programming assertion malloc.c:3822 on secondary after failover from pri
|
CSCsg99492
|
No
|
SASL GSSAPI-Kerberos authentication not happening with Sunone Server
|
CSCsh48208
|
No
|
Directly connected network missing in route table
|
CSCsh78681
|
No
|
In use memory count displayed incorrectly
|
CSCsh91283
|
No
|
ASA/PIX: SunRPC inspect dropping packets on 7.0.6
|
CSCsi00074
|
No
|
Incorrect values returned by SSL VPN OIDs
|
CSCsi04673
|
No
|
FW may drop packets when VPN address pool overlaps with interface subnet
|
CSCsi32502
|
No
|
packet/byte counters are not populated for the session table of CRAS MIB
|
CSCsi35603
|
No
|
L2TP/IPSec sessions hanging when authenticating with EAP
|
CSCsi40796
|
No
|
ASA fails rekey with Checkpoint
|
CSCsi45911
|
No
|
ASA cpu approaches 100%, 80 byte blocks are leaked and mem>0 w/ssl str
|
CSCsi52176
|
No
|
TCP Normalizer Traceback in Thread Name: Dispatch Unit
|
CSCsi53577
|
No
|
OSPF goes DOWN after reload of VPN Peer
|
CSCsi68911
|
No
|
ASA may traceback when pushing rules from SolSoft - corrupted conn_set_t
|
CSCsi80155
|
No
|
memory leak found during batch test of malformed HTTP messages
|
CSCsi94163
|
No
|
PPPOE connection does not renegotiate immediatly after short disconnect
|
CSCsi98617
|
No
|
VPNFO: Standby stale sessions not removed
|
CSCsj01620
|
No
|
Type 0 Client-ID for RA clients not supported by some DHCP servers
|
CSCsj01643
|
No
|
IPSec VPN first auth fails when SDI SoftID is in Cleared PIN Mode
|
CSCsj02948
|
No
|
%ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error
|
CSCsj03437
|
No
|
WebVPN: RDP Icon fails after a redirect action to a Citrix Presentation
|
CSCsj07428
|
No
|
Idle IPSEC connections not closing out
|
CSCsj10151
|
No
|
Traceback in Dispatch Unit (possible double-free)
|
CSCsj12938
|
No
|
PIX/ASA - show ip audit count - signatures 6050 - 6053 are Informational
|
CSCsj18055
|
No
|
Traceroute fails through ASA if outside interface is pppoe and doing PAT
|
CSCsj19607
|
No
|
Traceback in Checkheaps - mem corruption PC on stride_list_node
|
CSCsj19904
|
No
|
Traceback in Thread Name: OSPF Router
|
CSCsj29444
|
No
|
VPN Client authentication fails with Novell Radius and Active Card
|
CSCsj32989
|
No
|
ASA traceback when running 100 user Avalanche webvpn goodput test
|
CSCsj42343
|
No
|
PIX 525 - bad vpif msgs are from the vpnfo module
|
CSCsj43076
|
No
|
Logging into standby ASA via SSH fails.
|
CSCsj43703
|
No
|
ASA mem leak on CRYPTO_malloc
|
CSCsj49481
|
No
|
WebVPN: HTTPS Page not rendered correctly while HTTP works fine
|
CSCsj56287
|
No
|
Traceback in Thread Name: ssh/timer
|
CSCsj61214
|
No
|
Lower cpu-hog syslog 711002 from Level 7 to Level 4
|
CSCsj66655
|
No
|
Duplicate ASP crypto table entry forwards VPN traffic using invalid SPI
|
CSCsj68874
|
No
|
Inspect HTTP invokes multiple times with interface service-policy
|
CSCsj74539
|
No
|
Traceback on Standby in Thread Name: fover_FSM_thread
|
CSCsj77641
|
No
|
Viewing QoS policing statistics may create traceback
|
CSCsj80196
|
No
|
Clientless WebVPN traffic not sent when matching crypto dynamic map ACL
|
CSCsj80563
|
No
|
ASA dynamic VPN match address disconnects some peers as duplicate proxy
|
CSCsj82413
|
No
|
QoS: class-map : match tunnel-group <tgrp-name> errors on reboot
|
CSCsj84640
|
No
|
Memory leak on CRYPTO_malloc
|
CSCsj87886
|
No
|
Failover conn replication fails while doing bidirectional NAT
|
CSCsj90274
|
No
|
Citrix sessions randomly disconnect
|
CSCsj90479
|
No
|
Traceback in Thread Name: Dispatch Unit
|
CSCsj92194
|
No
|
Implicit ACL 'Deny IP Any Any' Ignored on EasyVPN Client
|
CSCsj96159
|
No
|
Traceback when freeing a packet from TCP_MOD function
|
CSCsj96831
|
No
|
half-closed tcp connection behaves as an absolute timer on ASA
|
CSCsj97241
|
No
|
80 byte block depletion with stateful failover enabled
|
CSCsj98622
|
No
|
SIP: Not translate c= address if first m= has port 0 in SDP body.
|
CSCsj99182
|
No
|
Traceback on Standby box in Thread IPsec message handler
|
CSCsj99242
|
No
|
Assert: Traceback in Thread Name: Dispatch Unit
|
CSCsj99660
|
No
|
ASA CONSOLE TIMEOUT does not timeout
|
CSCsk00072
|
No
|
ASA 7.2 Firewall-MIB : no snmp object for failover lan int status
|
CSCsk00089
|
No
|
ASA 7.2 : Firewall-MIB : no snmp object for failover lan int status
|
CSCsk00589
|
No
|
Traceback in Thread Name: Dispatch Unit
|
CSCsk03550
|
No
|
ASA: Route injected through RRI disappear after failover
|
CSCsk04594
|
No
|
traceback: watchdog crash in uauth thread
|
CSCsk05453
|
No
|
Programming assertion while configuring http inspection policy
|
CSCsk06996
|
No
|
Leak in vpnfol_fragdb:vpnfol_fragdb_rebuild on standby
|
Resolved Caveats - Version 7.2(3)
Table 6 lists resolved caveats for Version 7.2(3).
Table 6 Resolved Caveats
DDTS Number
|
Software Version 7.2(3)
|
| |
| |
Corrected
|
Caveat
|
CSCeg00330
|
Yes
|
DHCP relay: ACK in reply to INFORM may be dropped
|
CSCsb45561
|
Yes
|
standby instead of active keeps sending register to RP after failover
|
CSCsd43563
|
Yes
|
Crypto accelerator errors seen - connections failing
|
CSCsd51407
|
Yes
|
Dual ISP fails after failover, routing table have stale routes
|
CSCse14419
|
Yes
|
ASA 7.0(4) : not randomizing TCP SACK sequence numbers
|
CSCse21181
|
Yes
|
Decouple Passwd-Mngt checks from LDAP Authentication-Search
|
CSCse49440
|
Yes
|
SNMP: incorrect cpu usage sent for CISCO-PROCESS-MIB
|
CSCse88291
|
Yes
|
Traceback with WEBVPN user login when memory is running low.
|
CSCsf30571
|
Yes
|
Traceback in ssh_init
|
CSCsg08640
|
Yes
|
access-list damaged and frozen, clear config acl has no effect
|
CSCsg09071
|
Yes
|
L2TP over IPSEC disconnections syslog are always-'User requested'
|
CSCsg16149
|
Yes
|
data sent with Active MAC after switchover to standby
|
CSCsg39936
|
Yes
|
Pix/ASA: Disabling pim on subinterface causes other interface mcast fail
|
CSCsg43591
|
Yes
|
SCP connection to PIX fails
|
CSCsg52106
|
Yes
|
Embryonic value -1 under syslog and count to host = 42949672
|
CSCsg53120
|
Yes
|
ASA WebVPN Time-out on Database Requests
|
CSCsg56876
|
Yes
|
WebVPN: traceback after applying http or IM deep inspection
|
CSCsg60095
|
Yes
|
VPN traffic permitted by vpn-filter is denied
|
CSCsg61719
|
Yes
|
SNMP: Coldstart Trap is not sent
|
CSCsg68181
|
Yes
|
WebVpnPortForward Java applet Certificate Expired
|
CSCsg68186
|
Yes
|
Malformed Regex causes traceback on ASA/PIX
|
CSCsg69149
|
Yes
|
Policy NAT with large ACL and HA may traceback in tmatch compile thread.
|
CSCsg69408
|
Yes
|
Need warning when using time based ACLs with policy NAT/PAT
|
CSCsg70698
|
Yes
|
Session timer is not reset during WebVPN ActiveX and Java tunneling
|
CSCsg76777
|
Yes
|
7.2 transparent / change of behavior : ASA does not retain the src mac
|
CSCsg77099
|
Yes
|
WebVPN Java archives with uncompressed entries fail through rewriter
|
CSCsg78524
|
Yes
|
NT Authentication (NTLM) is attempted three times with a bad password
|
CSCsg80370
|
Yes
|
memory leak in ftp inspection causes high cpu
|
CSCsg81621
|
Yes
|
Cannot authenticate user on first attempt with Unite application.
|
CSCsg83130
|
Yes
|
Device reload with no crashinfo file
|
CSCsg86020
|
Yes
|
web terminal services through webvpn on ASA might not work.
|
CSCsg86507
|
Yes
|
Standby traceback in dispatch unit when enabling 'per-client-max' MPF
|
CSCsg86538
|
Yes
|
Dynamic L2L tunnel fails if the remote peer ip is changed
|
CSCsg86583
|
Yes
|
JavaScript rewriting of typeof followed by src
|
CSCsg87808
|
Yes
|
'wr mem' fails due to snmp config; Error: (Configuration line too long)
|
CSCsg87815
|
Yes
|
sync config with long snmp configuration causes traceback on active unit
|
CSCsg87891
|
Yes
|
WebVPN: Homepage is not accessible when url-entry is disabled.
|
CSCsg88048
|
Yes
|
WebVPN Terminal Server ActiveX control not installed when using WebVPN
|
CSCsg89271
|
Yes
|
PIX 7.2.1 corrupting SDP media attributes in RTSP
|
CSCsg90455
|
Yes
|
VPN:Traceback in Thread Name: Dispatch Unit with fragmented cTCP packets
|
CSCsg92979
|
Yes
|
copy ftp from firewall fails when default passive mode is used
|
CSCsg93050
|
Yes
|
Inspect DCERPC failure. Packet too small error
|
CSCsg94165
|
Yes
|
Device reload when quit (hit q) from <more> console paged display
|
CSCsg94167
|
Yes
|
Kerberos SASL uses the wrong name-type for TGS request
|
CSCsg94762
|
Yes
|
URL caching leads to invalid filter server status on PIX/ASA
|
CSCsg96150
|
Yes
|
dependence between sysopt connection permit-vpn and management commands
|
CSCsg96247
|
Yes
|
ASA traceback - RSA keypair generation SSH function calls
|
CSCsg96351
|
Yes
|
http regex matching fails to match http:\/\/
|
CSCsg96701
|
Yes
|
traceback at Thread PIM IPv4
|
CSCsg96891
|
Yes
|
ASA 7.2.2.1 Traceback: Unicorn Proxy Thread
|
CSCsg97348
|
Yes
|
FW replying to port application requests that are not active using VPN.
|
CSCsg99807
|
Yes
|
ICMP (type3, code4) is not sent after learning PMTU
|
CSCsh01646
|
Yes
|
pptp inspect does not alter Call ID in some packets
|
CSCsh05517
|
Yes
|
EAP state engine triggers retransmission. Clients reply terminates LCP
|
CSCsh05888
|
Yes
|
Standby traceback in vpnfol_thread_msg
|
CSCsh06232
|
Yes
|
PIX does not open RTP connections for H323 calls
|
CSCsh12413
|
Yes
|
FO: Syslog 111111: Memory requested from Null Chunk seen every min.
|
CSCsh12711
|
Yes
|
Traceback in TCP Normalizer
|
CSCsh14023
|
Yes
|
TACACS+ CMD Accounting packets have a Caller-ID field of 0.0.0.0
|
CSCsh15587
|
Yes
|
Garbage characters printed on console at end of long show cmd
|
CSCsh16767
|
Yes
|
WebVPN: DWA problem with sending attachments
|
CSCsh17164
|
Yes
|
ping command within CONTEXT causes SSH session to hang.
|
CSCsh18659
|
Yes
|
ASA-WebVPN: Java Applet for Cisco Unix ACS management doesn't load
|
CSCsh19536
|
Yes
|
VPN-FO: Sessions not cleaned up correctly on Standby
|
CSCsh20618
|
Yes
|
80-byte block memory leak with asn1 decoding
|
CSCsh21446
|
Yes
|
Req Method HEAD is dropped when proto-violation is on at inspect HTTP
|
CSCsh21984
|
Yes
|
When out of available URL requests, future HTTP GETs dropped silently
|
CSCsh22262
|
Yes
|
FTP authen fails if trailing <cr> exists in banner & aaa proxy enabled
|
CSCsh22531
|
Yes
|
ASA: Qos Policing only works when in input direction
|
CSCsh23012
|
Yes
|
data received after static pat is removed causes traceback
|
CSCsh23318
|
Yes
|
When a pending URL request times out the Buffered traffic is lost
|
CSCsh23865
|
Yes
|
Nailed Static configuration doesnt appear in config
|
CSCsh23910
|
Yes
|
ASDM Shows no IP & Line Down for all interfaces
|
CSCsh25317
|
Yes
|
TCP Norm: simultaneous close specific FIN sequence problem
|
CSCsh25337
|
Yes
|
LSA Flush Update from IBM mainframe running OSPF are being ignored
|
CSCsh26607
|
Yes
|
'inspect skinny' drops/corrupts packets with high network latency
|
CSCsh27267
|
Yes
|
Traceback in Thread Name: dns_process
|
CSCsh29038
|
Yes
|
syslog 302020 missing {in | out}bound
|
CSCsh29233
|
Yes
|
Device reload with no saved traceback - no crashinfo file present
|
CSCsh29621
|
Yes
|
new url-server requests are inserted into queue in wrong order
|
CSCsh30022
|
Yes
|
Traceback at IKE Receiver while applying initial config with ASDM
|
CSCsh32241
|
Yes
|
Block size 256 depletion causing failover issues
|
CSCsh33287
|
Yes
|
Users with priv 0 can get to level 15 when authen. ena. LOCAL configured
|
CSCsh33290
|
Yes
|
Transparent FW passes arp requests from standby, causing arp problems
|
CSCsh33982
|
Yes
|
(E)SMTP Multiple Content-Type headers check is wrong
|
CSCsh35400
|
Yes
|
Not able to login to a server through webvpn
|
CSCsh35548
|
Yes
|
Catalyst EEPROM in ASA5505 failed mfg testing.
|
CSCsh35715
|
Yes
|
ESMTP inspection drops emails with special characters in the email addr
|
CSCsh36387
|
Yes
|
ASA 5510 7.2.2 / traceback in Thread Name: IKE Daemon
|
CSCsh36559
|
Yes
|
SVC session not replicated to stdby when addr pool defined in grp policy
|
CSCsh37533
|
Yes
|
VPN Filter not applied to IOS EZVPN client with secondary inside address
|
CSCsh37755
|
Yes
|
Certificate installation fails if 2 CA certs have same issuer name
|
CSCsh37889
|
Yes
|
Cannot use certain Verisign certificates as from 7.1(2.5)
|
CSCsh38298
|
Yes
|
crashinfo file only captures 4KB of console history, lose important info
|
CSCsh38415
|
Yes
|
ASA5500 GE NIC flatlining on bootup when connected to Cat3750
|
CSCsh40829
|
Yes
|
LDAP: multiple Cisco-AV-Pair need to be enforced on vpn-session
|
CSCsh41155
|
Yes
|
ASA h323 inspect corrupts q931 packet
|
CSCsh41496
|
Yes
|
ldap-login-dn requires full path name of admin user
|
CSCsh42793
|
Yes
|
LDAP Authentication bypass Vulnerability
|
CSCsh43698
|
Yes
|
Audio and Video doesnot flow thru SIP Trunk after MOH and Resume
|
CSCsh44239
|
Yes
|
Tunnel might not establish with AO and OO connection types configured
|
CSCsh44467
|
Yes
|
Static ARP Entry Removed From the Configuration and ARP Table
|
CSCsh45169
|
Yes
|
ASA uses tunneled route to contact LDAP server instead of default GW
|
CSCsh45414
|
Yes
|
ASA Radius state machine reuses state attribute from failed auth
|
CSCsh46436
|
Yes
|
Radius NAS-Port-Type not sent in SSH authentication request
|
CSCsh47255
|
Yes
|
PIX 7.2.2 vpnfol_thread_timer traceback
|
CSCsh48962
|
Yes
|
Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI
|
CSCsh49714
|
Yes
|
Traceback inThread Name: emweb/cifs at Failover
|
CSCsh50277
|
Yes
|
Multiple DHCP ACKs to an INFORM message may cause 1550 block leak
|
CSCsh50399
|
Yes
|
Inspect FTP hold 254 MB memory after 12+ hr real world FTP test load
|
CSCsh50673
|
Yes
|
OSPF: redistributed default route not installed after route flap
|
CSCsh53246
|
Yes
|
Traceback when specifying ldap port.
|
CSCsh53299
|
Yes
|
routes inherited from RRI not redistributed into OSPF after failover
|
CSCsh53409
|
Yes
|
ASDM sessions authenticated using RADIUS have incorrect privilege level
|
CSCsh53603
|
Yes
|
Unable to resolve ARP entry for a directly connected host
|
CSCsh53681
|
Yes
|
ASA OCSP RESP CERT verification fails if response has no responder CERT
|
CSCsh54016
|
Yes
|
PIX 7.2.2 memory degradation
|
CSCsh56084
|
Yes
|
ASA CIFS over WebVPN : file created on server but write operation fails
|
CSCsh56439
|
Yes
|
Multicast: Crash in Thread Name: MFIB
|
CSCsh57791
|
Yes
|
Webvpn shows aspx file as blank pop-up page
|
CSCsh58003
|
Yes
|
IPCP not coming up when using 'ip address pppoe'
|
CSCsh58930
|
Yes
|
TFW: Static needs route for traffic
|
CSCsh59098
|
Yes
|
Traceback at ThreadName:Unicorn Proxy Thread(pc 0x00c5a9a4 ebp 0x0dd71cc
|
CSCsh60180
|
Yes
|
Traceback in snp flow bulk sync thread
|
CSCsh60848
|
Yes
|
Traceback in regex_nvclr() from fover_parse thread
|
CSCsh60896
|
Yes
|
ESMTP inspection hogging CPU
|
CSCsh61351
|
Yes
|
ASA DNS load balancing http redirect sends wrong ip if reverse DNS fails
|
CSCsh61431
|
Yes
|
VPNLB: http redirect does not work when using non-default webvpn port
|
CSCsh62358
|
Yes
|
CTIQBE Fixup does not work with Call Manager 4.2.1
|
CSCsh62362
|
Yes
|
Default for WebVPN Cache on 7.1/7.2 should be 'disabled'
|
CSCsh63333
|
Yes
|
Memory leak with CIFS share access via WebVPN
|
CSCsh65168
|
Yes
|
group policy name cannot contain spaces
|
CSCsh66209
|
Yes
|
Traceback at Thread Name: Dispatch Unit(Old pc 0x00218f77 ebp 0x018724a8
|
CSCsh66223
|
Yes
|
enhanced debug and behavior change for 'LU allocate xlate failed' syslog
|
CSCsh66576
|
Yes
|
L2TP: Connectivity issues with 1500 established sessions
|
CSCsh66814
|
Yes
|
SIP pinhole for inbound INVITE timesout before expires in outbound REGIS
|
CSCsh67105
|
Yes
|
ASA 7.2(2): high cpu usage with DHCP assigned IP addresses
|
CSCsh68174
|
Yes
|
Print warning when logging ftp-bufferwrap CLI is configured
|
CSCsh71039
|
Yes
|
PIX 7.2.2: L2TP client receives ip 255.255.255.255 from RADIUS server
|
CSCsh72961
|
Yes
|
connections matching nailed xlate never time out
|
CSCsh74009
|
Yes
|
Show/Clear uauth command will not work for username with spaces.
|
CSCsh74885
|
Yes
|
Traceback in thread accept/ssh_131071
|
CSCsh75977
|
Yes
|
Automatically added AAA commands break Easy VPN client after reboot
|
CSCsh78219
|
Yes
|
7.1.2.5 or later sw Will Not work in Fover with 7.1.1-7.1.2.4 on ASA/SSM
|
CSCsh78335
|
Yes
|
Webvpn - Non-standard JAR manifest digests
|
CSCsh80069
|
Yes
|
Traceback in Thread name: vpnfol_thread_sync
|
CSCsh80740
|
Yes
|
ifAdminStatus stays down when no shutdown is configured
|
CSCsh80889
|
Yes
|
LU allocate connection failed msg due to failed VPN flow replication
|
CSCsh80968
|
Yes
|
ASA traceback through memory corruption
|
CSCsh81111
|
Yes
|
Denial-of-Service in VPNs with password expiry
|
CSCsh82130
|
Yes
|
Command authorization for clear fails for priv level lower than 15
|
CSCsh82286
|
Yes
|
tcp transfers through firewall fail with inspect im enabled
|
CSCsh83148
|
Yes
|
Tcp Timestamp unexpectedly set to 0 for flows reordered by the firewall
|
CSCsh83925
|
Yes
|
ASA traceback in Thread Name: EAPoUDP
|
CSCsh84380
|
Yes
|
Traceback in Thread Name: fover_parse when reloading primary w/syst
|
CSCsh86334
|
Yes
|
Syslog 199002 not sent to external syslog server on bootup
|
CSCsh86444
|
Yes
|
VPN: TCP traffic allowed on any port with management-access enabled.
|
CSCsh86796
|
Yes
|
Process qos_metric_daemon hogging CPU
|
CSCsh89784
|
Yes
|
PIX/ASA Packet capture w/ ACL does not work for locally generated packet
|
CSCsh89816
|
Yes
|
ASA in transparent mode: answer-only vpn, but can still intiate VPN
|
CSCsh90659
|
Yes
|
Traceback: Thread Name:vpnlb_thread in standby after taking active role
|
CSCsh92960
|
Yes
|
broadcast flag set on dhcp request but not discover
|
CSCsh96805
|
Yes
|
ASA traceback in Dispatch Unit
|
CSCsh96817
|
Yes
|
L2TP: Can not connect more than one Vista client at the same time
|
CSCsh97584
|
Yes
|
video connection through ASA fails
|
CSCsh97976
|
Yes
|
show int ip brief shows incorrect line protocol status
|
CSCsh98679
|
Yes
|
ASA: WCCP packets redirected stops incrementing after 2-3 mins
|
CSCsh98826
|
Yes
|
WebVPN: Check CLSID in CSCO_is_java_obj
|
CSCsi00177
|
Yes
|
HTTP inspection does not properly support chunked transfer encoding
|
CSCsi01498
|
Yes
|
ESMTP inspect cannot handle content-type string in DKIM headers
|
CSCsi03576
|
Yes
|
Webvpn: OWA 2000 replies/forwards fail after upgrading to latest hotfix
|
CSCsi05471
|
Yes
|
webvpn crash with citrix
|
CSCsi05768
|
Yes
|
ASA: DPD thresholds over 300 are not accepted for remote access
|
CSCsi06469
|
Yes
|
Inactiviting then reactivating nat 0 multiple access-lists breaks nat 0
|
CSCsi08103
|
Yes
|
command author does not mark aaa-server dead when TACACS unavailable
|
CSCsi08957
|
Yes
|
SNMPv2-SMI enterprises.3076.2.1.2.26.1.2.0 not showing actual connection
|
CSCsi10396
|
Yes
|
ASA crashes at Thread Name: emweb/https while file uploading >1MB
|
CSCsi10874
|
Yes
|
Change priority of shun command
|
CSCsi11941
|
Yes
|
When URL filtering is enabled Streaming Media loads slowly
|
CSCsi12437
|
Yes
|
Traceback in Thread Name: IPsec message handler when under heavy load
|
CSCsi13865
|
Yes
|
SNMP in multi-mode creates message vPif_getVpif: bad vPifNum
|
CSCsi15805
|
Yes
|
SNMP interface counters incorrect on ASA-5505
|
CSCsi15853
|
Yes
|
SiteMinder SSO not sending cookie after authentication
|
CSCsi16248
|
Yes
|
Denial of Service in SSL VPNs
|
CSCsi17946
|
Yes
|
Traceback in Thread Name: accept/http while doing 'wr mem' in ASDM
|
CSCsi18097
|
Yes
|
Deleted SNMP command reappear after failover
|
CSCsi18736
|
Yes
|
IPSec RA session not replicated to standby if addr pool in group policy
|
CSCsi20384
|
Yes
|
ASDM: 5.2 and 6.0 does not display historic graphs for Blocks
|
CSCsi21160
|
Yes
|
ASA NAC revalidation timer triggers frequently under some conditions
|
CSCsi21431
|
Yes
|
Traceback in Thread Name: IP Address Assign
|
CSCsi21488
|
Yes
|
WebVPN: Traceback in Thread Name: vpnfol_thread_msg on Standby
|
CSCsi21595
|
Yes
|
Watch dog timeout crash due to large# of vlans cfgd on the 4GE port
|
CSCsi23369
|
Yes
|
VPNLB master may lose communication with cluster member
|
CSCsi23740
|
Yes
|
ESMTP inspect does not match content-type properly in mail headers
|
CSCsi24458
|
Yes
|
DHCP Client unable to obtain IP address because of Client-ID
|
CSCsi25877
|
Yes
|
Syslog 111008 not generated on Active when no failover active cmd issued
|
CSCsi27609
|
Yes
|
ASA may drop subsequent requests on INVITE dialog
|
CSCsi27755
|
Yes
|
ASA 7.2.2.16 Traceback in Thread Name: emweb/https
|
CSCsi31386
|
Yes
|
ASA OSPF router-id swap between multiple process after reboot
|
CSCsi34289
|
Yes
|
Traceback in Thread Name: ddns_update_process with DDNS update
|
CSCsi34789
|
Yes
|
ASA: Cut-Through Proxy fails over L2L tunnel with http error
|
CSCsi35953
|
Yes
|
Asa 7.2 webvpn session with certif cannot establish when CN contains /
|
CSCsi39655
|
Yes
|
SIP: Pinhole timeout for INVITE different from REGISTER expires value
|
CSCsi39669
|
Yes
|
Traceback in Thread Name: Dispatch Unit with app-fw
|
CSCsi39924
|
Yes
|
standby unit reloads when 'show access-list' is issued
|
CSCsi40553
|
Yes
|
Asa 7.2.2 Failover : the secondary gets a modified config from the prima
|
CSCsi41717
|
Yes
|
PIX/ASA Cannot Parse Large URI in SIP message
|
CSCsi41976
|
Yes
|
Jitter for established connection when compiling ACE's
|
CSCsi42073
|
Yes
|
ASA boot time around 4 hours when ACE config is very long
|
CSCsi42140
|
Yes
|
WebVPN: JavaScript menu is not expandable
|
CSCsi42338
|
Yes
|
PIX/ASA aaa authentication does not work over VPN tunnel : NT,LDAP,SDI
|
CSCsi43521
|
Yes
|
ASA does not include http host header in CRL request
|
CSCsi43722
|
Yes
|
ASA - MGCP inspection drops part of piggybacked MGCP messages
|
CSCsi43813
|
Yes
|
SVC clients are unable to connect to the standby after ASA failover
|
CSCsi44506
|
Yes
|
Traceback in Dispatch thread - softnp sending garbage to sal layer
|
CSCsi46292
|
Yes
|
SNMP coldstart trap not sent in failover scenario
|
CSCsi46497
|
Yes
|
Verisign certificate lost after ASA is reloaded.
|
CSCsi46950
|
Yes
|
npdisk password recovery does not work with multicontext mode
|
CSCsi47110
|
Yes
|
vpn-simultaneous-logins 0 denies management access to the ASA
|
CSCsi47957
|
Yes
|
WebVPN: Traceback in Thread Name: Unicorn Proxy Thread
|
CSCsi48208
|
Yes
|
assertion hdr->dispatch_last < NELTS(hdr->dispatch)
|
CSCsi48812
|
Yes
|
multicast: assert new_flow->conn->conn_set == NULL file snp_mcast.c
|
CSCsi50632
|
Yes
|
NAT: Exempt causing 5505 to crash in <nat_rule_to_cli+293 at pix/cmd/c_n
|
CSCsi51423
|
Yes
|
global cmd may fail using names with '-' and w/ name string overlap
|
CSCsi51600
|
Yes
|
Misleading prompt with radius/sdi authentication on 7.2.2
|
CSCsi52370
|
Yes
|
WCCP may result in 1550 block depletion & sends GRE packets >1500
|
CSCsi52538
|
Yes
|
wildcard mask accepted for ip local pool
|
CSCsi54132
|
Yes
|
Not getting syslog 302010 message
|
CSCsi54517
|
Yes
|
Traceroute not working using l2tp/ipsec client to the outside network
|
CSCsi55798
|
Yes
|
assert in webvpn functionality as CRLF not detected where expected
|
CSCsi56605
|
Yes
|
TCP connection opened for WebVPN on non WebVPN enabled interfaces.
|
CSCsi57504
|
Yes
|
Traceback in Dispatch Unit when no route for nat traffic from SSM
|
CSCsi58109
|
Yes
|
ASA requests username/password until next available aaa server found
|
CSCsi59403
|
Yes
|
Standby: Traceback Thread Name: fover_parse with fover and ifc mac cfgd
|
CSCsi60580
|
Yes
|
WebVPN: Incorrect rewriting of VBScript's parent.window.location.hr
|
CSCsi62588
|
Yes
|
Traceback in Thread Name: aaa
|
CSCsi63099
|
Yes
|
ASA traceback w/ Thread Name: Unicorn Proxy Thread
|
CSCsi67016
|
Yes
|
Traceback in Thread Name: Dispatch Unit
|
CSCsi68946
|
Yes
|
Inbound traffic is being dropped due to NAT-EXEMPT rpf-check
|
CSCsi70522
|
Yes
|
Traceback in Thread Name: Crypto CA
|
CSCsi72224
|
Yes
|
SSH connection allowed to be built from inside host to outside int
|
CSCsi73181
|
Yes
|
vpn-simultaneous-logins/access hrs controls the admin sessions SSH,ASDM
|
CSCsi73804
|
Yes
|
IPSec over UDP port could be 4500 as auth server pushed down attr
|
CSCsi74352
|
Yes
|
ESMTP blocking emails with nested MIME headers
|
CSCsi74710
|
Yes
|
WEBVPN: port-forwarding converts names to IP addresses
|
CSCsi75355
|
Yes
|
5505 WebVPN: hw accelerator errors with >1024 bit cert
|
CSCsi78808
|
Yes
|
Unable to convert dynamic ACL back to extended ACL
|
CSCsi79393
|
Yes
|
Standby ASA reloads in thread vpnfol_thread_msg
|
CSCsi83144
|
Yes
|
Need to mask password in debug aaa common output
|
CSCsi83395
|
Yes
|
show interface input hardware queue counters incorrect
|
CSCsi84498
|
Yes
|
Traceback in Thread Name: IKE Daemon
|
CSCsi85790
|
Yes
|
Traceback in Thread Name: IP Thread when configuring PPPoE
|
CSCsi85823
|
Yes
|
PIX/ASA 7.X should accept RIP V1 updates like 6.X
|
CSCsi85856
|
Yes
|
Syslog not sent when AAA server is marked as FAILED
|
CSCsi88508
|
Yes
|
WebVPN shows Blank Page
|
CSCsi89345
|
Yes
|
Failover: Standby Restart - 1550 block memory depletion
|
CSCsi89890
|
Yes
|
nat-exempt failed on non-outside interface
|
CSCsi91487
|
Yes
|
HTTP inspection evasion using Unicode encoding for HTTP-based attacks
|
CSCsi96469
|
Yes
|
asa 7.2.2 not using port specified in X509v3 CRL DP url
|
CSCsi98464
|
Yes
|
ASA injects another 'BrowserProtocol' keyword in ICA file
|
CSCsi99518
|
Yes
|
show asdm history does not show interface statistics
|
CSCsj01692
|
Yes
|
PKI: error installing Intermediate CA cert with 76 char CN
|
CSCsj03278
|
Yes
|
Traceback in Dispatch Unit thread (page fault)
|
CSCsj03706
|
Yes
|
activex or java filter suppresses the syslog message 304001
|
CSCsj05188
|
Yes
|
WEBVPN TSWeb fails: connect button is grayed out
|
CSCsj05830
|
Yes
|
Syslog 405001 reports incorrect IP when arp collision detected
|
CSCsj06153
|
Yes
|
TCP sessions to the box deny issue
|
CSCsj06868
|
Yes
|
ASA port of pix CSCsi95902 ppp freed memory access on session close
|
CSCsj10082
|
Yes
|
ASA - Traceback in tcp_send_pending
|
CSCsj10869
|
Yes
|
SNMP interface counters incorrect on PIX/ASA 7.2.2.22
|
CSCsj12843
|
Yes
|
SVC disconnects after idle-timeout even if traffic is passing
|
CSCsj16732
|
Yes
|
default-originate w/ route-map w/ acl permit host 0.0.0.0 doesn't work
|
CSCsj18218
|
Yes
|
ASA hangs when processing Citrix data
|
CSCsj19829
|
Yes
|
WebVPN: http-proxy interferes with port-forward
|
CSCsj20254
|
Yes
|
syslog 716046 on standby causing traceback
|
CSCsj20403
|
Yes
|
WebVPN: port-forward command shows up twice in the config
|
CSCsj20438
|
Yes
|
SSL VPN's logged off are not removed from standby sessiondb
|
CSCsj20942
|
Yes
|
ASA stops accetping IP from DHCP when DHCP Scope option is configured
|
CSCsj24810
|
Yes
|
vpn clients unable to connect due to DHCP Proxy processing
|
CSCsj24914
|
Yes
|
vpn-simultaneous-logins does not work when configuring PKI and no-xauth
|
CSCsj28634
|
Yes
|
WebVPN: BAAN ERP application with SSA Webtop fails
|
CSCsj31537
|
Yes
|
Interface keyword in ACL not permitting traffic
|
CSCsj36241
|
Yes
|
%ASA-1-111111: Invalid function called in NVGEN of 'port-forward'
|
CSCsj36655
|
Yes
|
ASA 5505 and 5550 continuous crash on bootup
|
CSCsj37564
|
Yes
|
Traceback in Thread Name: IP Thread
|
CSCsj38362
|
Yes
|
Traceback in Thread Name: fover_parse
|
CSCsj40248
|
Yes
|
ASA cifs: no error indication when file upload fails due to emweb server
|
CSCsj40295
|
Yes
|
Policy NAT not functioning properly after boot
|
CSCsj40648
|
Yes
|
Traceback in Thread Name: emweb/https
|
CSCsj42456
|
Yes
|
ASA 8.0: CSCOPF.CAB has expired Code Signing cert
|
CSCsj43454
|
Yes
|
New l2tp over ipsec sessions blocked due to AAA session limit
|
CSCsj44098
|
Yes
|
traceback caused by gtp inspect handling bad packets
|
CSCsj46729
|
Yes
|
ASA: Active and Standby unit have the same MAC address after failover
|
CSCsj47652
|
Yes
|
clear config all command does not remove the aaa-server config
|
CSCsj50691
|
Yes
|
traceback in Thread Name: Crypto CA (Old pc 0x009dcd56 ebp 0x041b7c18)
|
CSCsj50913
|
Yes
|
ASA : Copying file to OnStor Server via WebVPN fails.
|
CSCsj53102
|
Yes
|
SSH access through VPN tunnel to management interface not working
|
CSCsj53566
|
Yes
|
Traceback in Thread Name: Dispatch Unit continuously on upgrade to 8.0.2
|
CSCsj56051
|
Yes
|
AAA authorization commands LOCAL fallback broken
|
CSCsj56378
|
Yes
|
Traceback in Thread Name: Crypto CA with LDAP CRL query
|
CSCsj77560
|
Yes
|
ASA crash while CRL checking CRL_CheckCertRevocation pki_verify_certific
|
CSCsj77765
|
Yes
|
ASA crash at emweb/https thread
|
CSCsj78831
|
Yes
|
WebFO: Disconnecting clientless deletes local ACL from standby
|
Related Documentation
Use this document in conjunction with the Cisco PIX security appliance and Cisco VPN client Version 3.x documentation at the following websites:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html
http://www.cisco.com/en/US/products/sw/secursw/ps2308/tsd_products_support_series_home.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0705R)
© 2007 Cisco Systems, Inc.
All rights reserved.© 2006 Cisco Systems, Inc.
All rights reserved.
Feedback
