Adaptive Security Appliance Hot Issues from Cisco TAC

ActiveX RDP Plugin fails to connect from WIn7 PC after upgrade to 8.4(3), Open CSCtx58556

Symptom: After an upgrade to 8.4(3), Windows 7 users are unable to connect to an RDP resource using the RDP ActiveX plugin via the WebVPN portal page.
Conditions: Customer must be using ASA 8.4(3) and Internet Explorer with the RDP ActiveX plugin.
Workaround: - Use the Java Plugin. This can be accomplished by adding '?ForceJava=yes' to the end of the RDP bookmark. For instance 'rdp://myterminalserver/?ForceJava=true'. - You can also use Firefox/Chrome to force the use of Java RDP plugin. - Downgrade to 8.4(2)x and remove the ActiveX plugin from Internet Explorer. You will also need to remove references to the ActiveX plugin from your Windows Registry. You can reference bug ID CSCtx57453 for further information. After removing the ActiveX plugin and cleaning up the registry, reconnect to the ASA 8.4(2)x to re-download the ActiveX plugin.

Standby ASA traceback in DATAPATH-0-1400 or Dispatch Unit, Fixed CSCtx03464

Symptom: Under certain conditions, The STANDBY ASA in a failover pair may generate a traceback and reload in the DATAPATH-0-1400 or Dispatch Unit thread.
Conditions: The ASA must be part of a failover pair. Only the Standby unit is affected. This was first seen on ASA code 8.2(5.20) on both single and multi-core platforms.
Workaround: Downgrading to 8.2(5) seems to stabilize the pair.

DOC: ASA RDP w/ ActiveX fails after downgrade from 8.4.3 to 8.4.2, Open CSCtx57453

Symptom: This is a documentation bug only to document issues when you downgrade from 8.4.3 or later with RDP activex plugin to a older version like 8.4.2. After downgrading from ASA 8.4.3 to 8.4.2 (or lower), RDP (ActiveX-based) via WebVPN portal fails to work for some users. OR If a set of users attempted ActiveX-based RDP via WebVPN portal on an ASA 8.4.3, then those users will not be able to RDP via WebVPN portals hosted by ASAs running 8.4.2 or lower. Downgrading from 8.4.3 to 8.4.2 or other versions is not possible due to compatability issues with the activex port forwarder plugins. Use workaround below if there is a real need to downgrade. The documentation bug is to document the exact procedure to downgrade to 8.4.2 or earlier version to able to use a older activex portforwarder.
Conditions: 1. Only users who have attempted RDP via SSL portal on ASA 8.4.3 will be affected. 2. The issue is seen only if ActiveX is used to launch the RDP link on the SSL portal i.e. the issue will only be seen on IE (8.x, 9.x).
Workaround: 1. Use the Java option on IE to relaunch the RDP link. 2. Use Firefox. 3. Remove all registry instances of "b8e73359-3422-4384-8d27-4ea1b4c01232? (old activex CLSID) using regedit Note: this should be only done after a backup of the registry. Should be done at your own risk and consult Microsoft support for further information.

Standby ASA traceback while trying to replicate xlates, Open CSCtx33347

Symptom: The standby ASA would crash while it is trying to replicate the translation entries
Conditions: ASA 5585 running 8.4.3
Workaround: none

ASA's ARP table will populate with non connected subnets, Fixed CSCto63702

Symptom: Currently the Adaptive Security Appliance (ASA) will install broadcast Address Resolution Protocol(ARP) replies into it's ARP table for any Internet Protocol (IP) address. Normally only values that are in the same subnet as the interface that receives the ARP would be installed into the ARP table. Conditions: Any Cisco ASA with default configuration. Any Pix running 7.x or later Workaround: Limit ARP traffic allowed to reach the ASA. PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.3/3.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:A/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:U/RC:C No CVE ID has been assigned to this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

ASA: Decrypted VPN packets dropped due to bad-tcp-cksum when using NAT-T, Fixed CSCtt98991

Symptom: When using NAT-T (UDP/4500), remote access VPN decrypted TCP traffic on ASA 5585-SSPX is dropped by the ASA. The following syslog may be generated: %ASA-6-302014: Teardown TCP connection 339698 for outside:a.a.a.a/b to outside:c.c.c.c/d duration 0:00:00 bytes 0 TCP invalid SYN () The output of 'show asp drop' will show the packets dropped with a reason of "bad-tcp-cksum". This issue affects both through-the-box traffic that is scanned by an IPS-SSP, as well as to-the-box management traffic.
Conditions: This issue only affects traffic sent over a remote access VPN using NAT-T. For through-the-box traffic, the traffic flow must also be sent to the IPS-SSP for scanning. UDP and ICMP traffic is not affected.
Workaround: Disable NAT-T in the VPN client's profile (if possible). For through-the-box traffic, the following workarounds are also available: 1. Exclude traffic from IPS processing or 2. Configure TCP state bypass on the ASA

EIGRP metrics will not update properly on ASA, Fixed CSCti54545

Symptom: EIGRP metrics on the ASA's EIGRP topology table will populate incorrectly. The numbers will be higher than they should be. EIGRP topology from a router advertising a default route to the ASA: Router#show ip eigrp topology 0.0.0.0 IP-EIGRP (AS 65000): Topology entry for 0.0.0.0/0 State is Passive, Query origin flag is 1, 1 Successor(s), FD is 26112 Routing Descriptor Blocks: ... Total delay is 20 microseconds <-- Total delay on router is 20, so router will advertise 20 delay in EIGRP update to ASA ... Hop count is 1 <-- Total hopcount is 1, so router will advertise 1 hopcount in EIGRP to ASA ... ASA# show eigrp topology 0.0.0.0 EIGRP-IPv4 (AS 65000): Topology Default-IP-Routing-Table(0) entry for 0.0.0.0 0.0.0.0 State is Passive, Query origin flag is 1, 1 Successor(s), FD is 26624 ... Total delay is 40 microseconds <-- Total delay on ASA is now 40. Which should actually be 30 since interface delay is only 10 (ie. 20+10 = 30 !=40) ... Hop count is 3 <-- Total hop count on ASA is no 3. Which should actually be 2 since there are no other devices between ... Show interface of ASA shows interface delay of only 10usec: ASA# show int gi0/1 Interface GigabitEthernet0/1 "outside", is up, line protocol is up Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps) ...
Conditions: This issue was hit after a default route was redistributed from BGP into EIGRP, then advertised to the ASA through an intermediate hop. BGP Router | | Core Router | | ASA
Workaround: Use the EIGRP metrics on the ASA to route the traffic as you desire. Also, a static route would supersede the incorrectly populated EIGRP route.

WebVPN & ASDM doesn't work on Chrome with AES & 3DES ciphers, Fixed CSCtk97719

Symptom:Using Chrome browser to establish Clientless SSL VPN (a.k.a WebVPN) or ASDM to an ASA 55xx appliance, the session fails to establish if "ssl encryption" setting has aes-128-sha, aes256-sha and/or 3des-sha cipher as a priority cipher . The result is that the Login screen fails to display. If "ssl encryption" is set to rc4-md5 and or rc4-sha1 as the priority cipher, the WebVPN and ASDM session can be established and becomes operational. Syslogs 725001-725014 show all SSL exchanges. The significant syslog error when it fails is below: <167>Dec 14 2010 03:48:22: %ASA-7-725014: SSL lib error. Function: SSL3_GET_RECORD Reason: decryption failed or bad record mac ************************************************************************************** Note: Currently IE 7.x/8.x, Safari 3.x and above, and FireFox 3.x browsers are AES and 3DES capable :
Conditions:
Workaround:Configure "ssl encryption" command to have an rc4 cipher as a priority cipher. ASA(config)# show run all ssl ssl server-version any ssl client-version any ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Traceback in Thread Name: Dispatch Unit, Open CSCtx42698

Symptom: ASA reloads with Traceback in Thread Name Dispatch Unit
Conditions: Webvpn in use
Workaround: None

Syslog 199011 "Close on bad channel in process/fiber", Open CSCtx43083

Symptom: This is a rare case in which customer is getting following syslogs very frequently %ASA-3-199011: Close on bad channel in process/fiber (Unicorn Proxy Thread)/(unicorn-proxy), channel ID 0xe800000112840fc0, channel state 1
Conditions: Cisco ASA running release 8.4.2.8.
Workaround: none

ASA: Traceback in Unicorn Admin Handler when making DAP changes via ASDM, Fixed CSCtw75613

Symptom: In rare circumstances, the ASA may generate a traceback and reload after making changes to the DAP configuration via ASDM. The traceback will be in the Unicorn Admin Handler thread.
Conditions: The ASA must be running an affected software version and an administrator must be making changes to the DAP configuration via ASDM at the time of the reload.
Workaround: There is no known workaround at this time.

Outbound IPsec traffic interruption after successful Phase2 rekey, Fixed CSCtt29654

Symptom: An interruption in outgoing ESP traffic can be seen after a Phase2 rekey is completed. This interruption can last 30 seconds.
Conditions: ASA running 8.4(2) software configured with an IKEv1/IPsec Lan-to-Lan tunnel
Workaround:

Clientless WebVPN Memory Leak Causes Blank Page after Authentication, Fixed CSCth34278

Symptom: ASA memory used increments slowly over weeks leading up to the problem - at time of problem typical memory usage is 50MB+ more then after reload.
Conditions: Webvpn must be enabled and in use.
Workaround: Fail over to standby ASA.

CPU hog due to snmp polling of ASA memory statistics, Open CSCtx43501

Symptom: The ASA's CPU may be held by the SNMP process for too long before yielding the CPU to other processes. If the data rate is high enough on the ASA, packets might be dropped. If an ASA is experiencing this problem, it could generate syslogs that look like this: %ASA-4-711004: Task ran for 374 msec, Process = snmp, PC = 12229dc, Call stack = 0x00000000012229dc 0x000000000122175c 0x000000000121e45a 0x0000000001221247 0x00000000011fba3a 0x00000000011fa1ca 0x00000000004245a5 Also, the output of 'show process cpu-hog' will show entries for SNMP: Process: snmp, PROC_PC_TOTAL: 9443, MAXHOG: 13, LASTHOG: 12 LASTHOG At: 12:47:00 CST Jan 23 2012 PC: 8c45b98 (suspend) Process: snmp, NUMHOG: 9443, MAXHOG: 13, LASTHOG: 12 LASTHOG At: 12:47:00 CST Jan 23 2012 PC: 8c45b98 (suspend) Call stack: 8b6aac3 8b4ae5d 8b49bbc 8063b33
Conditions: To encounter this problem, the ASA must be configured for SNMP and be queried by SNMP monitoring stations. The specific OIDs that can trigger this problem are listed below. 1.3.6.1.4.1.9.9.48.1.1.1.5.7 - ciscoMemoryPoolUsed 1.3.6.1.4.1.9.9.48.1.1.1.6.7 - ciscoMemoryPoolFree 1.3.6.1.4.1.9.9.48.1.1.1.7.7 - ciscoMemoryPoolLargestFree
Workaround: Configure the SNMP monitoring station to not query the OIDs that trigger the problem Reduce the frequency of the queries Disable SNMP monitoring of the ASA entirely.

traceback: , Terminated CSCtb19716

Symptom: Traceback occurs during TFTP
Conditions: A traceback occurs whiled attempting to TFTP off a large file after a previous traceback
Workaround: None
Further Problem Description:

ipsecvpn-datapath: mgmt access through VPN fails, bad tcp checksum, Open CSCtx76889

Symptom: The ACK from TCP 3-Way Handshake is dropped by the ASA's ASP with reason "(bad-tcp-cksum) Bad TCP checksum".
Conditions: The traffic is passing through an IPSec RA VPN, from a client with destination to a internal ASA's interface. This affects SSH/Telnet management access.
Workaround: None.

'show route' command was issued via an SSH console and crashed the ASA, CSCsv75787

Symptom: ASA system crashes / failsover following the entry of "show route" command.
Conditions: Not defined. does not always happen.
Workaround: Not fully identified.

8.4.2.11 Traceback Thread Name: Init Thread, Open CSCtx51787

Symptom: Traceback for unknow reason
Conditions: The message is triggered by typing the "no failover active" on the primary. The customer reported that no crash occurred since the last one, but he faces the following error message: <177> Jan 11 2012 16:31:27: %ASA-1-199010: Signal 11 caught in process/fiber (Unicorn Proxy Thread)/(unicorn-proxy) at address 0x00000000, corrective action at 0x0a54ff40
Workaround: N/A

Traceback in DATAPATH-2-1361, eip snp_fp_punt_block_free_cleanup, Fixed CSCtl66339

Symptom: ASA 5580-40 may experience page fault crash. Crashinfo file contains: Thread Name: DATAPATH-2-1361 Page fault: Address not mapped
Conditions: This may happen under moderate load when ASA processes data traffic.
Workaround: None.

ASA 8.4.2.8 fill_cpu_hog_entry, Open CSCtx43526

Symptom: The ASA's CPU may hog showing the following traceback: %ASA-4-711004: Task ran for 170 msec, Process = DATAPATH-1-1843, PC = 0, Call stack = 0x0000000000416686 0x0000000000416870 0x00000000005cea05 0x00000000010bc587 0x00000000010c6195 0x00000000010cb593 0x00007ffffeab2f3a
Conditions: NA
Workaround: NA

Nested traceback in Checkheaps with dump_chunk_and_neighbours at slib/.., Open CSCtx60807

Symptom: ASA nested traceback in Checkheaps
Conditions: Not Known
Workaround: None at the moment

Traceback when Converting ACL Remarks of 100 Characters, Fixed CSCtx69498

Symptom: Adaptive Security Appliance running 8.4(2.18) and later software may continuously reload during the pre-8.3 software configuration conversion process if maximum length (100 characters) Access Control List (ACL) remarks are present.
Conditions: Performing an upgrade with pre-8.3 configuration to 8.4(2.18) or later software with long ACL remarks.
Workaround: Remove ACL remarks completely or reduce the length to less than 100 characters.

ASASM traceback in DATAPATH thread causes traceback, Open CSCtx59946

Symptom: ASASM may experience operational failure and write a crashinfo to flash. Thread Name: DATAPATH-XX-XXXX Abort: Unknown
Conditions: Unknown
Workaround: None

cut through proxy authentication vulnerability, Fixed CSCtx42746

Symptom: When a user tries to connect to a resource behind the firewall, the firewall intercepts the connection and prompts him to enter his credential on a https page. Than the URL of this page contains a session ID.
Conditions: Seen on all versions.
Workaround: None known at this point. PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.1: https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C CVE ID CVE-2012-0335 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

WebVPN: "Add new..." button doesn't work properly for SharePoint 2010, Open CSCth26429

Symptom: Any content items can't be added through default 'Add new ...' controls to SharePoint 2010 portal through ASA
Conditions: 1. Internet Explorer 8 or Firefox 3.6.3. 2. SharePoint 2010 server.
Workaround: disable compression on the sharepoint server

ASA: 8.4 Page fault traceback while displaying "sh run threat-detection", Fixed CSCtx65353

Symptom: ASA may traceback in Thread Name ssh when ''sh run threat-detection'' command is run.
Conditions: This was observed in 8.4(2) release. The trigger is not known yet.
Workaround: None PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

ASA traceback in Unicorn Admin Handler Thread, Fixed CSCsm90239

Symptom: The ASA stops passing traffic and then the unit crashes.
Conditions: The ASA is being used to terminate IPSEC VPN traffic while using Reverse Route Injection and EIGRP. Tacacs authorization was being used for all VPN clients.
Workaround: None at this time. -->

Traceback in Thread Name: Dispatch Unit, Open CSCtx60431

Symptom: Under rare situations, The ASA may crash with The thread "Dispatch Unit". The crash is observed with URL Filtering configuration enabled.
Conditions: ASA running version 8.4.3 Web-sense URL filtering configuration
Workaround: Unknown/None

ASA5580 traceback in DATAPATH-7-1353, Fixed CSCtn74485

Symptom: ASA5580 crash at DATAPATH-7-1353
Conditions: None
Workaround: None

ASA reduces TCP window size to zero in the absence of standalone ACK, Fixed CSCtk75548

Symptom: After ASA upgrade calls are failing. Supplementary service failures, transfer and hold, are the majority of call failures seen. Also see SCCP devices unregistering after a period of time. Packet captures indicate the TCP socket getting torn down. The cause of the unregister event in CUCM traces is a keepalive timeout. Packet captures taken indicate the TCP window size decreasing after every keepalive exchange. It eventually goes down to zero and causes the endpoint to not send SCCP keepalives.
Conditions: ASA version 8.2(4.1)
Workaround: None

IKEv2: ASA does not re-establish more than one SA after disconnect, Fixed CSCtw84087

Symptom: after disconnect, the ASA only re-established one of the matching ACEs in the crypto acl used for an ikev2 l2l tunnel
Conditions: 1. define an ACL with multiple ACEs(either with object groups or inline) 2. 8.4.x code 3. doesn't happen for ikev1 only on ikev2
Workaround: If possible summarise as many routes as possible into one ACE, otherwise you have to shut off ISAKMP completely and then turn it on again.

ASA 5580 traceback when CSM attempts deployment, Fixed CSCtu30581

Symptom: ASA 5580 crashes when CSM attempt deployment SSLVPN/CSD is not enabled on the ASA firewall, however, when CSM (Cisco Security Manager) attempts to make a cofiguration deployment for the ASA (which contains configuration for the Default Group-Policy), the ASA5580 crashes! CSM version is 4.1 and ASA is 5580 on 8.4.2(11). Attached is the traceback information I could collect from the console of the firewall during the crash.
Conditions: Seen only when there is a functional interaction between CSM and the ASA 5580 firewall.
Workaround: None.