Table Of Contents
Cisco PIX Security Appliance Release Notes Version 7.2(4)
Contents
Introduction
System Requirements
Memory Requirements
Software Requirements
Maximum Recommended Configuration File Size
Cisco VPN Software Interoperability
Cisco VPN Client Interoperability
Cisco Easy VPN Remote Interoperability
Determining the Software Version
Upgrading to a New Software Version
Supported Platforms and Feature Licenses
New Features
capture command Enhancement
clear conn Command
IPv6 Multicast Listener Discovery Protocol v2 Support
clear ipv6 mld traffic Command
show ipv6 mld Command
debug ipv6 Command Enhancement
show debug ipv6 mld Command Enhancement
MIB Enhancement
QoS Traffic Shaping
show asp drop Command Enhancement
show asp table classify hits Command Enhancement
TCP Normalization Enhancements
TCP Urgent Flag Syslog
Timeout for SIP Provisional Media
Important Notes
User Upgrade Guide
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
Features not Supported
Downgrade to Previous Version
Caveats
Open Caveats - Version 7.2(4)
Resolved Caveats - Version 7.2(4)
Related Documentation
Obtaining Documentation and Submitting a Service Request
Cisco PIX Security Appliance Release Notes Version 7.2(4)
April 2008
Contents
This document includes the following sections:
•
Introduction
•System Requirements
•Supported Platforms and Feature Licenses
•New Features
•Important Notes
•Caveats
•Related Documentation
•Obtaining Documentation and Submitting a Service Request
Introduction
Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.2(4).
The Cisco PIX 500 series security appliance delivers unprecedented levels of defense against threats to the network with deeper web inspection and flow-specific analysis, improved secure connectivity through end-point security posture validation and voice and video over VPN support. It also provides enhanced support for intelligent information networks through improved network integration, resiliency, and scalability.
For more information on all of the new features, see New Features.
Additionally, the security appliance software supports Cisco Adaptive Security Device Manager (ASDM). ASDM delivers world-class security management and monitoring through an intuitive, easy-to-use web-based management interface. Bundled with the security appliance, ASDM accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of the security appliance. Its secure, web-based design enables anytime, anywhere access to security appliances.
System Requirements
The sections that follow list the system requirements for operating a security appliance.
Note The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.2(4).
Memory Requirements
If you are using a PIX 515/515E running PIX Version 6.2/6.3, you need to upgrade your memory before performing an upgrade to PIX Version 7.0. PIX Version 7.0 requires at least 64 MB of RAM for Restricted (R) licenses and 128 MB of RAM for Unrestricted (UR) and Failover (FO) licenses. The following security appliance platforms require at least 64 MB of RAM. Table 1 lists flash memory requirements for Version 7.2(4).
Table 1 Flash Memory Requirements
Security Appliance Model
|
Flash Memory Required in Version 7.2(4)
|
PIX 515/515E
|
16 MB
|
PIX 525
|
16 MB
|
PIX 535
|
16 MB
|
For more information on minimum memory requirements, see the "Minimum Memory Requirements" section in the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading to Cisco PIX Software Version 7.0.
Software Requirements
Version 7.2(4) requires the following:
1. The minimum software version required before performing an upgrade to PIX Version 7.2(4) is PIX Version 7.0. If you are running a PIX version prior to PIX Version 6.2, you must first upgrade to PIX Version 6.2 or PIX Version 6.3 before you can begin the upgrade to PIX Version 7.0.
To upgrade your PIX software image, go to the following website:
http://www.cisco.com/public/sw-center/index.shtml
2. For information on specific licenses supported on each model of the security appliance, go to the following website: http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html
3. If you are upgrading from a previous PIX version, save your configuration and write down your activation key and serial number. See "Upgrading to a New Software Version" for new installation requirements.
Maximum Recommended Configuration File Size
For the PIX 525 and PIX 535, the maximum supported configuration file size is 2 MB for Version 7.2(4). For the PIX 515/515E, the maximum supported configuration file size is 1 MB for Version 7.2(4). If you are using ASDM, we recommend no more than a 500 KB configuration file because larger configuration files can interfere with the performance of ASDM on your workstation.
While configuration files up to 2 MB are supported on the PIX 525 and PIX 535, be aware that such large configuration files can reduce system performance. For example, a large configuration file is likely to noticeably slow execution times in the following situations:
•While executing commands such as the write terminal and show running-config commands
•Failover (the configuration synchronization time)
•During a system reload
Cisco VPN Software Interoperability
Cisco VPN Series
|
Interoperability Comments
|
Cisco IOS routers
|
Version 7.2(4) requires Cisco IOS Release 12.3(T)T or later running on the router when using IKE Mode Configuration on the security appliance.
|
Cisco VPN 3000 concentrators
|
Version 7.2(4) requires Cisco VPN 3000 concentrator Version 3.6 or later for correct VPN interoperability.
|
Cisco VPN Client Interoperability
Cisco VPN Client
|
Interoperability Comments
|
Cisco VPN client v3.x/4x
(Unified VPN client framework)
|
Version 7.2(4) supports the Cisco VPN client Version 3.6 or later that runs on all Microsoft Windows platforms. It also supports the Cisco VPN client Version 3.6 or later that runs on Linux, Solaris, and Macintosh platforms.
|
Cisco Easy VPN Remote Interoperability
Cisco Easy VPN Remote
|
Interoperability Comments
|
Cisco PIX Security Appliance Easy VPN remote v6.3
|
Version 7.2(4) Cisco Easy VPN server requires the Cisco PIX security appliance Version 6.3 Easy VPN remote that runs on the PIX 501 and PIX 506 platforms.
|
VPN 3000 Easy VPN remote v3.x/4x
|
Version 7.2(4) Cisco Easy VPN server requires the Version 3.6 or later of the Easy VPN remote that runs on the VPN 3002 platform.
|
Cisco IOS Easy VPN remote Release 12.2(16.4)T
|
Version 7.2(4) Cisco Easy VPN server interoperates with Cisco IOS 806 Easy VPN remote Release (16.4)T.
|
Determining the Software Version
Use the show version command to verify the software version installed on your security appliance. Alternatively, you can see the software version, on the Cisco ASDM home page.
Upgrading to a New Software Version
If you have a Cisco.com (CDC) login, you can obtain software from the following website:
http://www.cisco.com/public/sw-center/index.shtml
Note PIX and ASDM images must be compatible for example PIX Version 7.2(4) is compatible to ASDM Version 5.2(4). ASDM will not work with an incompatible platform version. You will get an error message and ASDM will close.
You can also use the command-line interface to download the image, see the "Downloading Software or Configuration Files to Flash Memory" section in the Cisco Security Appliance Command Line Configuration Guide.
To upgrade from Version 7.1.(x) to 7.2(4), you must perform the following steps:
Step 1 Load the new Version 7.2(4) image from the following website:
http://www.cisco.com/public/sw-center/index.shtml
Step 2 Reload the device so that it will start using the Version 7.2(4) image.
Step 3 Copy new ASDM Version 5.2(x) image from the following website:
http://www.cisco.com/public/sw-center/index.shtml
Step 4 Enter the following command; this will tell the security appliance where to find the ASDM image:
hostname(config)# asdm image flash:/ asdm file
To downgrade from Version 7.2(4) to 7.1.(x), you must perform the following steps:
Step 1 Load the earlier Version 7.1(x) image from the following website:
http://www.cisco.com/public/sw-center/index.shtml
Step 2 Reload the device so that it will be use the Version 7.1(x) image.
Step 3 Copy the ASDM Version 5.1(x) image from the following website:
http://www.cisco.com/public/sw-center/index.shtml
Step 4 Enter the following command; this will tell the security appliance where to find the ASDM image:
hostname(config)# asdm image flash:/ asdm file
Supported Platforms and Feature Licenses
This software version supports the following platforms; see the associated tables for the feature support for each model:
•PIX 515/515E, Table 2
•PIX 525, Table 3
•PIX 535, Table 4
Note Items that are in italics are separate, optional licenses that you can replace the base license. You can mix and match licenses, for example, the 10 security context license plus the Strong Encryption license; or the 500 WebVPN license plus the GTP/GPRS license; or all four licenses together.
Table 2 PIX 515/515E Security Appliance License Features
PIX 515/515E
|
R (Restricted)
|
UR (Unrestricted)
|
|
FO-AA (Failover Active/Active) 1
|
Users, concurrent
|
Unlimited
|
Unlimited
|
Unlimited
|
Unlimited
|
Security Contexts
|
No support
|
2
|
Optional license: 5
|
2
|
Optional license: 5
|
2
|
Optional license: 5
|
IPSec Sessions
|
2000
|
2000
|
2000
|
2000
|
WebVPN Sessions
|
No support
|
No support
|
No support
|
No support
|
VPN Load Balancing
|
No support
|
No support
|
No support
|
No support
|
TLS Proxy for SIP and Skinny Inspection
|
No support
|
No support
|
No support
|
No support
|
Failover
|
No support
|
Active/Standby
Active/Active
|
Active/Standby
|
Active/Standby
Active/Active
|
GTP/GPRS
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
Max. VLANs
|
10
|
25
|
25
|
25
|
Concurrent Firewall Conns2
|
48 K
|
130 K
|
130 K
|
130 K
|
Max. Physical Interfaces
|
3
|
6
|
6
|
6
|
Encryption
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Min. RAM
|
64 MB
|
128 MB
|
128 MB
|
128 MB
|
Table 3 PIX 525 Security Appliance License Features
PIX 525
|
R (Restricted)
|
UR (Unrestricted)
|
|
FO-AA (Failover Active/Active) 1
|
Users, concurrent
|
Unlimited
|
Unlimited
|
Unlimited
|
Unlimited
|
Security Contexts
|
No support
|
2
|
Optional licenses:
|
2
|
Optional licenses:
|
2
|
Optional licenses:
|
5
|
10
|
20
|
50
|
5
|
10
|
20
|
50
|
5
|
10
|
20
|
50
|
IPSec Sessions
|
2000
|
2000
|
2000
|
2000
|
WebVPN Sessions
|
No support
|
No support
|
No support
|
No support
|
VPN Load Balancing
|
No support
|
No support
|
No support
|
No support
|
TLS Proxy for SIP and Skinny Inspection
|
No support
|
No support
|
No support
|
No support
|
Failover
|
No support
|
Active/Standby
Active/Active
|
Active/Standby
|
Active/Standby
Active/Active
|
GTP/GPRS
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
Max. VLANs
|
25
|
100
|
100
|
100
|
Concurrent Firewall Conns2
|
140 K
|
280 K
|
280 K
|
280 K
|
Max. Physical Interfaces
|
6
|
10
|
10
|
10
|
Encryption
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Min. RAM
|
128 MB
|
256 MB
|
256 MB
|
256 MB
|
Table 4 PIX 535 Security Appliance License Features
PIX 535
|
R (Restricted)
|
UR (Unrestricted)
|
|
FO-AA (Failover Active/Active) 1
|
Users, concurrent
|
Unlimited
|
Unlimited
|
Unlimited
|
Unlimited
|
Security Contexts
|
No support
|
2
|
Optional licenses:
|
2
|
Optional licenses:
|
2
|
Optional licenses:
|
5
|
10
|
20
|
50
|
5
|
10
|
20
|
50
|
5
|
10
|
20
|
50
|
IPSec Sessions
|
2000
|
2000
|
2000
|
2000
|
WebVPN Sessions
|
No support
|
No support
|
No support
|
No support
|
VPN Load Balancing
|
No support
|
No support
|
No support
|
No support
|
TLS Proxy for SIP and Skinny Inspection
|
No support
|
No support
|
No support
|
No support
|
Failover
|
No support
|
Active/Standby
Active/Active
|
Active/Standby
|
Active/Standby
Active/Active
|
GTP/GPRS
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
None
|
Optional license:
Enabled
|
Max. VLANs
|
50
|
150
|
150
|
150
|
Concurrent Firewall Conns2
|
250 K
|
500 K
|
500 K
|
500 K
|
Max. Physical Interfaces
|
8
|
14
|
14
|
14
|
Encryption
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
None
|
Optional licenses:
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Base (DES)
|
Strong (3DES/
AES)
|
Min. RAM
|
512 MB
|
1024 MB
|
1024 MB
|
1024 MB
|
New Features
This section lists the new features for Version 7.2(4). All new features are supported in ASDM 5.2(4).
capture command Enhancement
The capture asp type asp-drop all command captures all packets that the security appliance drops, including those dropped due to security checks.
clear conn Command
The clear conn command was added to remove connections.
IPv6 Multicast Listener Discovery Protocol v2 Support
The PIX security appliance now supports the Multicast Listener Discovery Protocol (MLD) Version 2, to discover the presence of multicast address listeners on their directly attached links, and to discover specifically which multicast addresses are of interest to those neighboring nodes. PIX becomes a multicast address listener, or a host, but not a a multicast router, and responds to Multicast Listener Queries and sends Multicast Listener Reports only.
The following commands support this feature:
•show ipv6 mld Command
•debug ipv6 Command Enhancement
•show debug ipv6 mld Command Enhancement
clear ipv6 mld traffic Command
The clear ipv6 mld traffic command allows you to reset all the Multicast Listener Discovery traffic counters. the syntax is as follows:
show ipv6 mld Command
The show ipv6 mld command allows you to display all the Multicast Listener Discovery traffic counters. the syntax is as follows:
debug ipv6 Command Enhancement
The enhancement to the debug ipv6 command allows the user to display the debug messages for MLD, to see whether the MLD protocol activities are working properly. This enhancement adds the mld option.
debug ipv6 {icmp | interface | mld | nd | packet | routing}
show debug ipv6 mld Command Enhancement
The enhancement to the show debug ipv6 command allows the user to display whether debug ipv6 mld is enabled or disabled.
show debug ipv6 mld
MIB Enhancement
The CISCO-REMOTE-ACCESS-MONITOR-MIB is implemented more completely.
QoS Traffic Shaping
If you have a device that transmits packets at a high speed, such as a security appliance with Fast Ethernet, and it is connected to a low speed device such as a cable modem, then the cable modem is a bottleneck at which packets are frequently dropped. To manage networks with differing line speeds, you can configure the security appliance to transmit packets at a fixed slower rate. See the crypto ipsec security-association replay command, which lets you configure the IPSec anti-replay window size. One side-effect of priority queueing is packet re-ordering. For IPSec packets, out-of-order packets that are not within the anti-replay window generate warning syslog messages. These warnings become false alarms in the case of priority queueing. This new command avoids possible false alarms.
show asp drop Command Enhancement
The show asp drop command now displays the capture asp-drop type keywords. This enhancement displays the particular capture type as part of the output of the show asp drop command.
A timestamp was also added indicating when the last time the asp drop counters were cleared.
show asp table classify hits Command Enhancement
The hits option was added to the show asp table classify command, showing the timestamp indicating the last time the asp table counters were cleared. It also shows rules with hits values not equal to zero. This permits users to quickly see what rules are being hit, especially since a simple configuration may end up with hundreds of entries in the show asp table classify command.
TCP Normalization Enhancements
You can now configure TCP normalization actions for certain packet types. Previously, the default actions for these kinds of packets was to drop the packet. Now you can set the TCP normalizer to allow the packets.
•TCP invalid ACK check (the invalid-ack command)
•TCP packet sequence past window check (the seq-past-window command)
•TCP SYN-ACK with data check (the synack-data command)
You can also set the TCP out-of-order packet buffer timeout (the queue command timeout keyword). Previously, the timeout was 4 seconds. You can now set the timeout to another value.
The default action for packets that exceed MSS has changed from drop to allow (the exceed-mss command).
The following non-configurable actions have changed from drop to clear for these packet types:
•Bad option length in TCP
•TCP Window scale on non-SYN
•Bad TCP window scale value
•Bad TCP SACK ALLOW option
TCP Urgent Flag Syslog
When the TCP urgent flag of a TCP packet is cleared and debugging is enabled, a syslog is generated.
Timeout for SIP Provisional Media
You can now configure the timeout for SIP provisional media using the timeout sip-provisional-media command.
Important Notes
This section lists important notes related to Version 7.2(4).
User Upgrade Guide
Before upgrading to Version 7.2(4), read the Guide for Cisco PIX 6.2 and 6.3 Users Upgrading in Cisco PIX Software Version 7.0. This guide includes information about deprecated features and other changes in the Cisco PIX software Version 7.0. For a list of deprecated features and user upgrade information, go to the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa70/pix_upgrade/upgrade/guide/pixupgrd.html
Caution If you share the Stateful Failover update link with a link for regular traffic such as your inside interface, you must change your configuration before upgrading. Do not upgrade until you have corrected your configuration, as this is not a supported configuration and Version 7.2(4) treats the LAN failover and Stateful Failover update interfaces as special interfaces. If you upgrade to Version 7.2(4) with a configuration that shares an interface for both regular traffic and the Stateful Failover updates, configuration related to the regular traffic interface will be lost after the upgrade. The lost configuration may prevent you from connecting to the security appliance over the network.
Readme Document for the Conduits and Outbound List Conversion Tool 1.2
The security appliance Outbound and Conduit Conversion tool assists in converting configurations with outbound or conduit commands to similar configurations using ACLs. ACL-based configurations provide uniformity and optimize the ACL feature set. ACL-based configurations provide the following benefits:
•ACE insertion capability—Provides simplified system configuration and management, which allows you to add, delete or modify individual ACEs.
•Outbound ACLs and time-based ACLs—Provides administrators with improved flexibility for defining access control policies by adding support for outbound ACLs and time-based ACLs.
•Enabling and Disabling of ACL entries—Provides a convenient troubleshooting tool that allows administrators to test and fine-tune ACLs without the need to remove and replace ACL entries.
Features not Supported
The PPTP feature is not supported.
Downgrade to Previous Version
To downgrade to a previous version of the operating system software (software image), use the downgrade command in privileged EXEC mode. Use the downgrade command only if you want to downgrade to a version other than 7.x.
For more information and a complete description of the command syntax, see the Cisco Security Appliance Command Reference.
Caution Do not load a previous version of software if your PIX security appliance is currently running PIX Version 7.0 or later. If you load a software image from monitor mode onto a PIX security appliance that has a PIX Version 7.0 file system, unpredictable behavior may occur and is not supported. We strongly recommend that you use the
downgrade command from a running PIX Version 7.0 image that facilitates the downgrade process.
Caveats
The following sections describe the caveats for the Version 7.2(4).
For your convenience in locating caveats in Cisco's Bug Toolkit, the caveat titles listed in this section are drawn directly from the Bug Toolkit database. These caveat titles are not intended to be read as complete sentences because the title field length is limited. In the caveat titles, some truncation of wording or punctuation may be necessary to provide the most complete and concise description. The only modifications made to these titles are as follows:
•Commands are in boldface type.
•Product names and acronyms may be standardized.
•Spelling errors and typos may be corrected.
Note If you are a registered cisco.com user, view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/pcgi-bin/Support/Bugtool/launch_bugtool.pl
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Version 7.2(4)
Table 5 lists open caveats for Version 7.2(4).
Table 5 Open Caveats
DDTS Number
|
Software Version 7.2(4)
|
| |
| |
Corrected
|
Caveat
|
CSCsg44891
|
No
|
Traceback in tmatch compile thread
|
CSCsg71579
|
No
|
Programming assertion malloc.c:3822 on secondary after failover from pri
|
CSCsg99492
|
No
|
SASL GSSAPI-Kerberos authentication not happening with Sunone Server
|
CSCsh91747
|
No
|
SSL VPN stress cause SSL lib error. Function: DO_SSL3_WRITE
|
CSCsk19485
|
No
|
syslog TCP_CONN_END shows Reset-O for ASA generated TCP RST
|
CSCsk30698
|
No
|
PIX/ASA may stop generating syslogs all together
|
CSCsk45220
|
No
|
Regex used in CLI command filtering causes device reload
|
CSCsk48344
|
No
|
Inspect http is not matching server response fields
|
CSCsk89474
|
No
|
URL filtering not performed for u-turn vpn traffic
|
CSCsk95246
|
No
|
no router rip, followed by router rip & network cause vPifnum & tracebac
|
CSCsk96804
|
No
|
Traceback in Thread Name: Dispatch Unit with inspect h323
|
CSCsl04448
|
No
|
Cannot remove url-server despite having removed url-block cmd in 7.2.3
|
CSCsl10052
|
No
|
new L2TP sessions are denied after %ASA-4-403103 is seen in the logs
|
CSCsl18071
|
No
|
Windows Media Player can not play media file with/without L-2-L Ipsec
|
CSCsl22480
|
No
|
CIFS share not working for Clientless SSL VPN
|
CSCsl41515
|
No
|
ASA traceback in Dispatch Unit (Old pc 0x00223a67 ebp 0x018b12f8)
|
CSCsl52895
|
No
|
ASA 7.2.3 number of IPSec SA not replicated in failover unit
|
CSCsl82200
|
No
|
IPSec not encrypting after failover
|
CSCsl90215
|
No
|
Traceback may occur when access-list changes pushed from SolSoft
|
CSCsl95928
|
No
|
High CPU utilization due to OSPF
|
CSCsm16160
|
No
|
Traceback may occur in pix_flash_config_thread w/ dynamic DNS cfg'ed
|
CSCsm55447
|
No
|
ASA/WebVPN Citrix sessions randomly dropped
|
CSCsm55491
|
No
|
ASA Disconnects voice call when # key is entered
|
CSCsm55947
|
No
|
Failover interface missing from ifTable
|
CSCsm57291
|
No
|
ASA/PIX traceback due to memory corruption during IPSec SA deletion
|
CSCsm57303
|
No
|
Communication failure between ASA and AIP-SSM
|
CSCsm65019
|
No
|
Websense encryption is not supported error on ASA
|
CSCsm68957
|
No
|
SIP inspection not fixing-up addr in Refer-To replaces section
|
CSCsm69219
|
No
|
GTP: Drop GTP message creating PDP context when no filter
|
CSCsm69271
|
No
|
GTP: Drop GTP message based on message ID when permitted
|
CSCsm73923
|
No
|
SIP:session timeout when forwarding a call is improperly set
|
CSCsm77854
|
No
|
%ASA-4-402124: CRYPTO: The ASA hardware accelerator encountered an error
|
CSCsm79787
|
No
|
drop for inspect skinny is not counted in show service-policy
|
CSCsm85872
|
No
|
snmp trap for PHYSICAL interface is not sent when a port goes down
|
CSCsm87233
|
No
|
Traffic flow stops on a wireless hand-off or a reconnect
|
CSCsm87892
|
No
|
ASA 5505 Interface Hangs
|
CSCsm92275
|
No
|
SQL inspection rewrites IP addresses embeded in SQL data
|
CSCsm92613
|
No
|
ASP drop capture missing type for vpn-handle-error
|
CSCso01003
|
No
|
Crypto accelerator errors seen in syslog
|
CSCso01629
|
No
|
RTSP inspection doesn't drop non-RTSP traffic with TCP/554
|
CSCso01702
|
No
|
SIP: RTP/RTCP pinholes are allocated unexpectedly between same interface
|
CSCso03582
|
No
|
Overrun counter increments when REINVITE is recevied
|
CSCso38699
|
No
|
CPU Hog when replicating config to standby unit
|
CSCso39525
|
No
|
failed to open ASA webvpn homepage
|
CSCso43026
|
No
|
Traceback in Thread Name: Dispatch Unit (Old pc 0x00223a67 ebp 0x018b)
|
CSCso43383
|
No
|
SIP:media xlate idle timer is not refreshed when receiving 200ok
|
CSCso45557
|
No
|
Traceback in tmatch compile thread (user assertion)
|
Resolved Caveats - Version 7.2(4)
Table 6 lists resolved caveats for Version 7.2(4).
Table 6 Resolved Caveats
DDTS Number
|
Software Version 7.2(4)
|
| |
| |
Corrected
|
Caveat
|
CSCsc98412
|
Yes
|
Pix console accounting doesn't appear in ACS Logged-In User report
|
CSCsd65922
|
Yes
|
webvpn acls should allow wilcard * hostnames
|
CSCsg48442
|
Yes
|
Ping through ASA fails when using interface PAT on PPPoE interface
|
CSCsh55107
|
Yes
|
DHCP relay fails when static translation for all hosts configured
|
CSCsh91283
|
Yes
|
Inspect SunRPC drops segmented packets
|
CSCsi14147
|
Yes
|
SSH conn drops while writing a file to ASA5505 file system
|
CSCsi35603
|
Yes
|
L2TP/IPSec sessions hanging when authenticating with EAP
|
CSCsi41346
|
Yes
|
user session and idle timeout values not honored by cut-thru-pxy
|
CSCsi49983
|
Yes
|
Periodic HW crypto errors 402123 & 402125 see with L2TP/IPSEC
|
CSCsi53577
|
Yes
|
OSPF goes DOWN after reload of VPN Peer
|
CSCsi55386
|
Yes
|
PKI: ocsp malformed request error - OpenCA/OCSPD responder
|
CSCsi60244
|
Yes
|
webvpn_session struct is not correctly validated in failover code
|
CSCsi65122
|
Yes
|
Overlapping static with NAT exemption causes xlate errors on standby
|
CSCsi68911
|
Yes
|
ASA may traceback when pushing rules from SolSoft - corrupted conn_set_t
|
CSCsi84143
|
Yes
|
Mem del-free-poisoner fails to svc alloc requests from the poisoned pool
|
CSCsi94163
|
Yes
|
PPPOE connection does not renegotiate immediatly after short disconnect
|
CSCsi98616
|
Yes
|
The TCP connections in SVC won't survive after consecutive failovers
|
CSCsj01643
|
Yes
|
IPSec VPN first auth fails when SDI SoftID is in Cleared PIN Mode
|
CSCsj12938
|
Yes
|
PIX/ASA - show ip audit count - signatures 6050 - 6053 are Informational
|
CSCsj40648
|
Yes
|
Traceback in Thread Name: emweb/https
|
CSCsj41977
|
Yes
|
cert handling inconsistent between physical and LB interfaces
|
CSCsj43076
|
Yes
|
Logging into standby ASA via SSH fails
|
CSCsj49481
|
Yes
|
WebVPN: HTTPS Page not rendered correctly while HTTP works fine
|
CSCsj51849
|
Yes
|
cpu-hog observed in process nic status poll thread
|
CSCsj62231
|
Yes
|
traceback pix_flash_config_thread while booting with a 4K key ID cert
|
CSCsj66185
|
Yes
|
ASA: Switching primary and secondary unit can cause duplicate MAC
|
CSCsj66667
|
Yes
|
group-url hostname should not be case-sensitive
|
CSCsj78675
|
Yes
|
HTTP host header not included in PKI requests with terminal enrollment
|
CSCsj80196
|
Yes
|
Clientless WebVPN traffic not sent when matching crypto dynamic map ACL
|
CSCsj80563
|
Yes
|
ASA dynamic VPN match address disconnects some peers as duplicate proxy
|
CSCsj82105
|
Yes
|
ASA vulnerable to HTTP Splitting
|
CSCsj82370
|
Yes
|
WebVPN: OWA left pane unresponsive when trying to access the folders
|
CSCsj82413
|
Yes
|
QoS: class-map : match tunnel-group <tgrp-name> errors on reboot
|
CSCsj83531
|
Yes
|
Dynamic VPN phase 2 neg with ID_IPV4_ADDR_RANGE accepted as 0.0.0.0/0
|
CSCsj84405
|
Yes
|
Poison route causes default route in ASP routing table to be deleted
|
CSCsj86636
|
Yes
|
Frames offset and toolbar missing in mangled site
|
CSCsj90274
|
Yes
|
Citrix sessions randomly disconnect
|
CSCsj90479
|
Yes
|
IPS and fragments cause Traceback in Thread Name: Dispatch Unit
|
CSCsj91809
|
Yes
|
Clientless email proxy POP3S with Outlook 2007 not working
|
CSCsj92194
|
Yes
|
Implicit ACL 'Deny IP Any Any' Ignored on EasyVPN Client
|
CSCsj96831
|
Yes
|
half-closed tcp connection behaves as an absolute timer on ASA
|
CSCsj97241
|
Yes
|
80 byte block depletion with stateful failover enabled
|
CSCsj98458
|
Yes
|
LDAP CRL checking failure for Cert Chain
|
CSCsj98622
|
Yes
|
SIP: Not translate c= address if first m= has port 0 in SDP body
|
CSCsj99242
|
Yes
|
Assert: Traceback in Thread Name: Dispatch Unit
|
CSCsj99660
|
Yes
|
ASA CONSOLE TIMEOUT does not timeout
|
CSCsk00089
|
Yes
|
ASA 7.2 : Firewall-MIB : no snmp object for failover lan int status
|
CSCsk00547
|
Yes
|
Traceback in ci/console when modifying cmap inspection_default
|
CSCsk01426
|
Yes
|
URL filtering broken if multiple inspection enabled on same traffic
|
CSCsk03550
|
Yes
|
ASA: Route injected through RRI disappear after failover
|
CSCsk05432
|
Yes
|
PKI: Default attribute for an LDAP CRL query should include a binary CRL
|
CSCsk06989
|
Yes
|
WebVPN: Traceback in Unicorn while rewriting Java applets
|
CSCsk06996
|
Yes
|
Leak in vpnfol_fragdb:vpnfol_fragdb_rebuild on standby
|
CSCsk10156
|
Yes
|
VPN traffic with static PAT to outside ip address denied by outside ACL
|
CSCsk12859
|
Yes
|
ASA 8.0.2 Traceback under heavy loads of traffic
|
CSCsk13421
|
Yes
|
Firewall may traceback while capturing WebVPN Data
|
CSCsk18083
|
Yes
|
nat exemption access-list not checked for protocol or port when applied
|
CSCsk18084
|
Yes
|
cikeTunnelTable does not populate for some of the ISAKMP SA's
|
CSCsk19065
|
Yes
|
Excessive High CPU and packets drops when applying ACL to an interface
|
CSCsk19882
|
Yes
|
Memory leak in ASA due to WEBVPN compression
|
CSCsk25164
|
Yes
|
IPSec VPN Client Update not working for mac-> headend issue
|
CSCsk26830
|
Yes
|
Certificate authorization broken when using all DN fields as username
|
CSCsk27085
|
Yes
|
ASA 5505 switch stops forwarding arp packets to ASA
|
CSCsk28847
|
Yes
|
ASA only sends six (6) Radius IETF class 25 attributes for accounting
|
CSCsk28972
|
Yes
|
Traceback:Thread Name: IKE Daemon when connecting w/ certain certificate
|
CSCsk31007
|
Yes
|
IP: traceback in Thread Name: Dispatch Unit
|
CSCsk31129
|
Yes
|
SIP inspection breaks SIP authentication
|
CSCsk33925
|
Yes
|
WebVPN: Regression with OWA as a result of CSCsj82370
|
CSCsk36399
|
Yes
|
Traceback in PIX Garbage Collector (Old pc 0x008b619d ebp 0x0261ed60)
|
CSCsk37130
|
Yes
|
Clear button goes away too much from Login button
|
CSCsk38962
|
Yes
|
memory leak in webvpn failover
|
CSCsk39154
|
Yes
|
PIX/ASA dynamic l2l vpn does not work in 8.0.2.16
|
CSCsk39286
|
Yes
|
ASA5505:Setting Duplex causes a 5 or 6 second outage on the interface
|
CSCsk41454
|
Yes
|
Traceback in thread name: ssh
|
CSCsk43103
|
Yes
|
Traceback in Thread Name emweb/https
|
CSCsk43232
|
Yes
|
traceback with http traffic when url filtering and http inspect enabled
|
CSCsk44832
|
Yes
|
Primary does not become active when pri & sec are booted together
|
CSCsk45117
|
Yes
|
Traceback in webvpn_url_mangle.c
|
CSCsk45867
|
Yes
|
clear conf sec causes trace back on EIGRP thread
|
CSCsk45943
|
Yes
|
PIX: proxy-arps on all interfaces for the vpn-pool
|
CSCsk47949
|
Yes
|
ASDM hangs at 47% if packet losses on the network
|
CSCsk48199
|
Yes
|
Traceback in thread: Dispatch Unit (Old pc 0x0021eae7 ebp 0x01887690)
|
CSCsk48629
|
Yes
|
Traceback in Unicorn Proxy Thread (Old pc 0x00c82197 ebp 0x1782f93c)
|
CSCsk49149
|
Yes
|
mem leak with inspect esmtp
|
CSCsk49506
|
Yes
|
Local-host for u-turn traffic on lowest sec level used for license limit
|
CSCsk50378
|
Yes
|
SSH to device produces traceback
|
CSCsk50879
|
Yes
|
L2TP with EAP authenticatio In use List count session leaking
|
CSCsk53985
|
Yes
|
locked up at Error reading tftp unspecified error
|
CSCsk54686
|
Yes
|
HT: WCCP with bypass configured at CE causes traceback
|
CSCsk55097
|
Yes
|
WebVPN: OWA new contact functionality not working
|
CSCsk58034
|
Yes
|
L2L tunnels come down sometimes in failover setup after failover
|
CSCsk58346
|
Yes
|
Memory leak when adding/removing nameif (sp_actions)
|
CSCsk59083
|
Yes
|
ASA 5505 failover: rebooted unit becomes active after reload
|
CSCsk59816
|
Yes
|
Traceback in the process Crypto CA when retrieving the CRL
|
CSCsk62411
|
Yes
|
Traceback with memory tracking enabled
|
CSCsk63982
|
Yes
|
ASA with EzVPN client does not send DHCP renew packets, tunnel flaps
|
CSCsk64117
|
Yes
|
CPU Hog seen generating RSA keys during SSH session establishment
|
CSCsk64428
|
Yes
|
High CPU when polling VPN MIBs via SNMP
|
CSCsk65211
|
Yes
|
ASA5505 inside interface w/23bit or smaller subnet mask becomes unstable
|
CSCsk65425
|
Yes
|
failing to verify OCSP for RemoteAccess VPN - EJBCA CA infrastructure
|
CSCsk65863
|
Yes
|
traceback in ppp_timer_thread
|
CSCsk65940
|
Yes
|
crashinfo file corrupted, extra text appended to bottom
|
CSCsk66924
|
Yes
|
ASDM: Monitoring Used memory records different stats history
|
CSCsk67715
|
Yes
|
During Ipsec negotiation, peer ip address is seen reversed in the debugs
|
CSCsk68658
|
Yes
|
ICMP (type 3 code 4) messages generated against ESP flow dropped by ASA
|
CSCsk68895
|
Yes
|
Traceback in thread name Dispatch Unit with IDS packet recv
|
CSCsk69878
|
Yes
|
ASA running 8.0.2 rejects DHCP leases less than 32 seconds
|
CSCsk70101
|
Yes
|
Adding/Removing subinterface causes memory leak
|
CSCsk70941
|
Yes
|
Traceback in Thread Dispatch Unit: snp_tcp_timeout_cb
|
CSCsk71006
|
Yes
|
ipv6 acl don't have acl options when using MPF
|
CSCsk71135
|
Yes
|
ASA 7.2.3 - Traceback in Unicorn Proxy Thread
|
CSCsk73724
|
Yes
|
ASA 5505 default route via dhcp setroute goes away after link flap
|
CSCsk76401
|
Yes
|
set connection decrement-ttl does not work for traceroute
|
CSCsk76770
|
Yes
|
vpn-filter may prevent renegotiation of the tunnel
|
CSCsk79263
|
Yes
|
On link flap, DHCP REQUEST sent only once
|
CSCsk79728
|
Yes
|
ASA5550 7.2.3 traceback with Dispatch Unit
|
CSCsk80789
|
Yes
|
RTSP inspection changes Media Player version to 0.0.0.0
|
CSCsk81616
|
Yes
|
PIX/ASA Traceback in 'dhcp_daemon'
|
CSCsk83113
|
Yes
|
emweb memory accounting is incorrect
|
CSCsk83425
|
Yes
|
OSPF with Message digest fails, no adjacencies, shows allocation error
|
CSCsk84801
|
Yes
|
WCCP GRE packets decapsulated when passing through pix
|
CSCsk84808
|
Yes
|
Unable to remove WebVPN capture CLI, ERROR:Unable to get real-time
|
CSCsk85428
|
Yes
|
Traceback in scheduler
|
CSCsk85441
|
Yes
|
Traceback in thread https_proxy
|
CSCsk86002
|
Yes
|
Memory accounting for aaa chunks is incorrect
|
CSCsk87093
|
Yes
|
L2TP /EAP-TLS sessions disconnect with 734 error the first time
|
CSCsk88562
|
Yes
|
CSC-SSM: 1550-byte block depletion
|
CSCsk89639
|
Yes
|
Traceback with Thread Name: Checkheaps
|
CSCsk90689
|
Yes
|
telnet to the box and vpn tunnels fail due to 0-byte block depletion
|
CSCsk93067
|
Yes
|
no management-access Inside still allows telnet over IPSec tunnel
|
CSCsk95133
|
Yes
|
Traceback in Thread Unicorn Proxy related to WebVPN page rewrite
|
CSCsk97671
|
Yes
|
VPN client with NULL Encryption L2TP-IPSec behind NAT drops on 71st sec
|
CSCsk97830
|
Yes
|
Traceback in thread name Dispatch Unit
|
CSCsl01053
|
Yes
|
ASA doesn't handle the multiple CPS entries in the Issuing CA cert
|
CSCsl03985
|
Yes
|
ASA DHCP client unable to renew the IP address if DHCP ACK is lost
|
CSCsl11321
|
Yes
|
ASA doesn't send coldStart trap when speed/duplex is fixed as 100/full
|
CSCsl12010
|
Yes
|
flash memory corruption issues
|
CSCsl12239
|
Yes
|
WebVPN: OWA 2K -> shortcuts pane does not load
|
CSCsl12449
|
Yes
|
DHCP Client - remove minimum lease time restriction
|
CSCsl12472
|
Yes
|
Traceback in emweb/https observed on ASA
|
CSCsl15013
|
Yes
|
DHCPrelay broken with 2 DHCPrelay servers when second one out of service
|
CSCsl17136
|
Yes
|
H323: Video breaks with inspection enabled
|
CSCsl19419
|
Yes
|
enabling acl-netmask-convert wildcard does not accept acl with host
|
CSCsl21500
|
Yes
|
Traceback with 'no capture <name>' for ISAKMP type capture
|
CSCsl23542
|
Yes
|
User Certificate mappings against the whole field failing
|
CSCsl26135
|
Yes
|
Memory leak when FTP filter is enabled
|
CSCsl26200
|
Yes
|
ASA SSL VPN ACL bypass
|
CSCsl26604
|
Yes
|
Traceback in Dispatch Unit with VPN (not ported to 7.2)
|
CSCsl28306
|
Yes
|
PIX/ASA default route redistributed into EIGRP when explicitly disabled
|
CSCsl29315
|
Yes
|
ASA-3-713902 appears on standby unit when disconnecting VPN connection
|
CSCsl29851
|
Yes
|
ASA sends 0.0.0.0 as caller-id for command authorization
|
CSCsl30307
|
Yes
|
PIX/ASA fails to install cert with an empty subject/issuer alt name ext
|
CSCsl31908
|
Yes
|
ASA: SIP inspection drops SIP message 200 OK from 3rd party CosmoCall
|
CSCsl32225
|
Yes
|
Traceback in Thread Name: Checkheaps when Simultaneous login set to 1
|
CSCsl32785
|
Yes
|
Traceback in Thread Name: pix_flash_config_thread
|
CSCsl33600
|
Yes
|
Traceback when show service after removing global policy with police
|
CSCsl33833
|
Yes
|
ASA shouldn't install default route learned from PPPoE into running-conf
|
CSCsl34791
|
Yes
|
WebVPN: Traceback in Thread Name: Dispatch Unit
|
CSCsl35591
|
Yes
|
Bulk skinny registration creates 2048 block leak
|
CSCsl35603
|
Yes
|
Memory corruption with csc and nat testing
|
CSCsl37767
|
Yes
|
Traceback when timeout with L2TP and delay-free-poisoner enabled
|
CSCsl38314
|
Yes
|
HA: SNMP trap authentication replicated to standby improperly
|
CSCsl40225
|
Yes
|
CPU usage eventually hits 90% and that causes call failures
|
CSCsl40367
|
Yes
|
DDNS updates append duplicate domain name
|
CSCsl41666
|
Yes
|
Crypto debug command should not dump keys as part of the SA
|
CSCsl43246
|
Yes
|
L2TP with EAP authentication In use List count session slowly leaking
|
CSCsl45763
|
Yes
|
Syslog message during config-replication: invalid function
|
CSCsl49999
|
Yes
|
! used in downloadable ACL yields error unable to apply access list
|
CSCsl51292
|
Yes
|
IPSEC VPN tunnel on ASA 8.0.3 fails every couple days
|
CSCsl51797
|
Yes
|
ASA traceback in AAA thread
|
CSCsl53995
|
Yes
|
5510 interface can be set to1000Mbps with base license
|
CSCsl55623
|
Yes
|
SNMP link trap varbind list missing values
|
CSCsl56635
|
Yes
|
Input errors remains 0 even when CRC counts up
|
CSCsl57533
|
Yes
|
setting privilege for capture does not affect "no capture"
|
CSCsl59108
|
Yes
|
Auto-signon servers not inherited from DfltGrpPolicy
|
CSCsl59247
|
Yes
|
Unable to request CRL for trustpoint with only ID certificate
|
CSCsl59266
|
Yes
|
PKI: export/import of pkcs12 containing only ID cert fails
|
CSCsl63265
|
Yes
|
Error message: Customization <> is in use, unable to remove
|
CSCsl64946
|
Yes
|
5510 Ethernet interface fail speed auto negotiation when boot up
|
CSCsl66538
|
Yes
|
ASA "hardware accelerator encountered an error (Invalid PKCS Type)"
|
CSCsl66758
|
Yes
|
TCP intercept comes before ACL checks. All TCP ports appear open
|
CSCsl67229
|
Yes
|
ASA: timeout sip_media is not working properly
|
CSCsl68785
|
Yes
|
Confusing Error message when Interfaces have overlapping networks
|
CSCsl68914
|
Yes
|
traceback when upgrading license
|
CSCsl70685
|
Yes
|
Traceback in Thread Name: accept/http
|
CSCsl71113
|
Yes
|
DDNS: conf mem w/ DDNS config causes traceback
|
CSCsl73850
|
Yes
|
Traceback occurs when SIP session is active and switchover occurs twice
|
CSCsl73906
|
Yes
|
Traceback on network command under rip config mode under load
|
CSCsl74327
|
Yes
|
Traceback in fover_parse when editing ACL config
|
CSCsl74571
|
Yes
|
l2tp over ipsec accounting and 4-113019 do not reports Rx / Tx bytes
|
CSCsl75006
|
Yes
|
Traceback on entering command vpnclient nem-st-autoconnect
|
CSCsl78110
|
Yes
|
Downloadable ACL does not get removed from memory in some scenarios
|
CSCsl78638
|
Yes
|
stateful subinterface would not become Up, remains Failed
|
CSCsl79211
|
Yes
|
Traceback: AAA task overflow when object-group acls and virtual telnet
|
CSCsl82984
|
Yes
|
HT: Traceback proxy_block_cpy+829 at inspect/tcp_proxy_utils.c:108
|
CSCsl83313
|
Yes
|
access-group sometimes take more than 10 min to execute
|
CSCsl84122
|
Yes
|
Xlate timers for RTP/RTCP on ASA are always 30 seconds
|
CSCsl84179
|
Yes
|
Traceback at ssh thread when working with 'capture'
|
CSCsl84204
|
Yes
|
Xlate timers for RTP/RTCP on standby ASA aren't synchronized with active
|
CSCsl85169
|
Yes
|
Inspect WAAS causing the memory leak
|
CSCsl87918
|
Yes
|
IPSec: RESPONDER-LIFETIME not properly created
|
CSCsl89105
|
Yes
|
Traceback when enabling blocks queue history w/ high load/low memory
|
CSCsl89162
|
Yes
|
show cheakheaps displays negative number for total memory in use
|
CSCsl89537
|
Yes
|
SIP: ASA improperly adds some value in From-tag when sending BYE
|
CSCsl89653
|
Yes
|
SIP connection entry not be cleared after sip_disconnect timeout
|
CSCsl91005
|
Yes
|
Traceback in Thread Name: CP Processing under TCP/UDP load
|
CSCsl91061
|
Yes
|
Traceback while adding regex with Synsend and Udpsend SIP traffic load
|
CSCsl93003
|
Yes
|
TACACS+ allow enable command but ASA output Command authorization fail
|
CSCsl93495
|
Yes
|
SIP: ASA shows 4xx response message as 500 on debug sip
|
CSCsl95043
|
Yes
|
PIX/ASA: L2TP/IPsec needs both ipsec and l2tp-ipsec in group-policy
|
CSCsl95244
|
Yes
|
Traceback in Dispatch Unit caused by rapid connection successions
|
CSCsl95856
|
Yes
|
DHCP learned default route not in route table if other DHCP interfaces
|
CSCsl96219
|
Yes
|
SIP:ASA fails to associate re-invites to the original SIP session
|
CSCsl96502
|
Yes
|
SIP: sess is not kept around for ACK in response to non2xx final RESP
|
CSCsl97161
|
Yes
|
RTSP connections failing when RTSP inspection enabled
|
CSCsl99322
|
Yes
|
Traceback at ids_put in Thread Name: Dispatch Unit
|
CSCsm00894
|
Yes
|
ASA LDAP MAP fails on IETF-Radius-Framed-IP-Address
|
CSCsm02280
|
Yes
|
ASA keeps registering but does not send Register packets
|
CSCsm02939
|
Yes
|
Memory leak while processing SSL transactions
|
CSCsm03751
|
Yes
|
SNMP Coldstart Trap is Only Sent to the Last Configured NMS
|
CSCsm05055
|
Yes
|
PIX traceback occurs when 'established udp 0 0' is enabled
|
CSCsm05181
|
Yes
|
traceback in Thread: vpnfol_thread_msg
|
CSCsm07888
|
Yes
|
Authenticator value on retransmitted RADIUS request pkt changed
|
CSCsm09584
|
Yes
|
EAP l2tp authentication fails if mschapv2 is configured on the same TG
|
CSCsm10187
|
Yes
|
Both Pri/Sec ASA don't send coldstart trap when both units are available
|
CSCsm14283
|
Yes
|
ICMP (type 3, code 4) packet not returned from PPPoE interface
|
CSCsm17247
|
Yes
|
H323/NAT-Setup msg with SupportedFeatures extensions malformed after NAT
|
CSCsm18372
|
Yes
|
show input hardware queue max counters incorrect
|
CSCsm18437
|
Yes
|
clear interface doesn't clear max queue counter
|
CSCsm22002
|
Yes
|
Traceback in qos/qos_rate_limiter while processing pakt with TCP flow
|
CSCsm22781
|
Yes
|
PIX/ASA: RPF(reverse path forwarding)chk fails when PMTUD packet is sent
|
CSCsm23689
|
Yes
|
SSL session cache size is too large for some platforms
|
CSCsm25189
|
Yes
|
ASA demonstrates inconsistent behavior for different kind of SIP packets
|
CSCsm26011
|
Yes
|
Active ASA traceback occurs when replicating large number of WebVPN sessions
|
CSCsm28270
|
Yes
|
ASA5550 only: all interfaces fail to pass data with 7.2.3.16-17-18
|
CSCsi62588
|
Yes
|
Dest unicast address to multicast address NAT not working in 7.x
|
CSCsm31973
|
Yes
|
ASA snmpwalk on cefcMIBEnableStatusNotification : value returned : 2
|
CSCsm32507
|
Yes
|
External group policy authentication failure with password-management
|
CSCsm32972
|
Yes
|
SNMP Counters Get Stuck on Repeated Polls
|
CSCsm36660
|
Yes
|
DHCP Server: ASA must send dhcp decline if dhcp proposes in-use address
|
CSCsm37151
|
Yes
|
skinny inspection blocking pinhole w/ high skinny load on rsvp agent
|
CSCsm39684
|
Yes
|
Boston AT: IPSEC rekey does not occur
|
CSCsm39781
|
Yes
|
ASA High CPU under certain configuration conditions
|
CSCsm40251
|
Yes
|
ASDM falsely shows interface status as down/down
|
CSCsm41986
|
Yes
|
Need to handle fragmented IP packets with 8-byte first frag
|
CSCsm44660
|
Yes
|
5505 in EzVPN mode cannot establish a VPN tunnel to the head end ASA
|
CSCsm45722
|
Yes
|
SIP:Caller's RTP/RTCP timeout should set to sip_invite
|
CSCsm46182
|
Yes
|
DHCP Client: ASA as dhcp client does not renew when lease expires
|
CSCsm47185
|
Yes
|
Traceback when an interface configured for IPV6 changes to link up state
|
CSCsm48386
|
Yes
|
ASA with local command authorization not able to download conf from AUS
|
CSCsm48412
|
Yes
|
SSL rec paramater list continues to grow without boundaries
|
CSCsm50494
|
Yes
|
ASA is not able to process CRL with extension CRL number > 65535
|
CSCsm51093
|
Yes
|
Cannot establish WebVPN session to ASA-5550 - memory allocation error
|
CSCsm51459
|
Yes
|
GTP: IMSI prefixing doesn't work with 2 digit MNC
|
CSCsm56957
|
Yes
|
Traceback occurs in Dispatch Unit with 8.0.3
|
CSCsm59304
|
Yes
|
SIP: INVITE not passing after failover
|
CSCsm61494
|
Yes
|
ASA may open unknown port "50195"
|
CSCsm61775
|
Yes
|
ASA creates unnecessary xlate after a voice device hands over
|
CSCsm62831
|
Yes
|
SIP:Half-open xlate entry is generated by ASAs
|
CSCsm63108
|
Yes
|
Block 2048 depleted with url-filtering enabled ASA Websense
|
CSCsm64838
|
Yes
|
Traceback occurs in Dispatch Unit with 7.2.3.15 and L2TP/PPP
|
CSCsm66982
|
Yes
|
PIX/ASA: L2TP session should not establish when authorization fails
|
CSCsm68097
|
Yes
|
ASA 8.0.x - SSH resource exhausted preventing further sessions
|
CSCsm70077
|
Yes
|
SIP:Local/Local connection entry is created
|
CSCsm70101
|
Yes
|
Unable to apply priority command in policy map while configuring QOS-ASA
|
CSCsm70246
|
Yes
|
SIP:ASA duplicates "mi" connection when receiving REINVITE
|
CSCsm70860
|
Yes
|
Difference of total vpn session via OID SNMP and vpn-sessiondb summary
|
CSCsm73565
|
Yes
|
Traceback in Thread Name Dispatch Unit during network scan
|
CSCsm73654
|
Yes
|
%ASA-1-111111 appears when both active/standby units reload at once
|
CSCsm75212
|
Yes
|
ASA Traceback Thread Name: IKE Daemon (Old pc 0x0050a493 ebp 0x0346e)
|
CSCsm77958
|
Yes
|
Traceback in "IP Thread" when clientless webvpn is started
|
CSCsm82753
|
Yes
|
Phase 2 fails if PFS is required. - ASA -IOS l2tp IPSEC
|
CSCsm82887
|
Yes
|
FO: IPSec RA session not replicated if addr pool defined in group policy
|
CSCsm83098
|
Yes
|
SIP:Fails to create m connection when ACK to 407 is lost
|
CSCsm83636
|
Yes
|
CPU hog during config sync
|
CSCsm85736
|
Yes
|
shutdown interface e0/6 triggers interface e0/0 shutdown on ASA5505
|
CSCsm88116
|
Yes
|
SIP:Fails to update to-tag when recevied no-2xx response
|
CSCsm91261
|
Yes
|
Traceback in 'ssh' thread aossipov
|
CSCsm92266
|
Yes
|
Traceback may occur when AAA command authorization is enabled
|
CSCsm93071
|
Yes
|
5505: 'no buffer' and 'input error' not correct on InternalData0/0
|
CSCsm93115
|
Yes
|
Memory leak in DMA free crypto memory 8.0.3.6
|
CSCso00670
|
Yes
|
Move ssl debug commands from menu to real CLI
|
CSCso01090
|
Yes
|
ASA5505:copy config from disk0:/ to running-config makes int e0/0 down
|
CSCso03100
|
Yes
|
SSL cache entries timing out prematurely
|
CSCso05327
|
Yes
|
Cert from 3k imported into ASA causes Hardware error on use
|
CSCso10078
|
Yes
|
Traceback occurs when wr mem command is entered
|
CSCso15583
|
Yes
|
Traceback when many remote peers try to establish ipsec L2L tunnels
|
CSCso17578
|
Yes
|
VPNLB: WebVPN client cannot connect to VPN load-balancing cluster
|
CSCso17920
|
Yes
|
SIP media connection cannot be created more than 13 when PBX is used
|
CSCso20009
|
Yes
|
ASA DHCP proxy not working for L2TP connections
|
CSCso24103
|
Yes
|
Delivering shape average command through https failed
|
CSCso33873
|
Yes
|
L2TP/IPsec connection cannot pass data
|
CSCso40520
|
Yes
|
re-INVITE is dropped when it's exceeded 119ch after establishing 400ch
|
CSCso41232
|
Yes
|
traceback while executing 'show skinny'
|
CSCso42643
|
Yes
|
WebFO: WebVPN sessions not replicated until after FO forced
|
Related Documentation
Use this document in conjunction with the Cisco PIX security appliance and Cisco VPN client Version 3.x documentation at the following websites:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/tsd_products_support_series_home.html
http://www.cisco.com/en/US/products/sw/secursw/ps2308/tsd_products_support_series_home.html
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0705R)
© 2008 Cisco Systems, Inc.
All rights reserved.
