<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"> 
  <channel>
  <title>Adaptive Security Appliance Hot Issues from Cisco TAC</title>
  <link>http://www.cisco.com/en/US/customer/products/sw/voicesw/ps556/products_tech_note09186a0080937324.shtml</link>
  <description>Hot Issues from Cisco TAC.  Please click the link for complete details.</description>
  <language>en-us</language>

  <managingEditor>wsisk@cisco.com (Wes Sisk)</managingEditor>
  <webMaster>news-at-cisco-rss@cisco.com (Cisco Newsroom)</webMaster>
  <pubDate>Mon, 17 Jun 2013 10:43:37 EDT</pubDate>
  <lastBuildDate>Mon, 17 Jun 2013 10:43:37 EDT</lastBuildDate>
  <generator>PERL</generator>

  <docs>http://www.cisco.com/en/US/customer/products/sw/voicesw/ps556/products_tech_note09186a0080937324.shtml</docs>
  <ttl>10080</ttl>

<item>
<title>Clientless plugins are not working, Fixed CSCug23031</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCug23031</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
Clientless plugins (telnet/ssh, RDP, etc.) no longer work in ASA 8.4(6). When you access them through the clientless portal, only a blank page is displayed.
&lt;br&gt;&lt;B&gt;Conditions:&lt;/B&gt;
Launching the plugin after login to the portal.  Seen using ASA 8.4(6) and any Internet browser (Internet Explorer, Firefox, Chrome, etc.).
&lt;br&gt;&lt;B&gt;Workaround:&lt;/B&gt;
Upgrade to ASA version 9.x or downgrade to 8.4(5).
</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCug23031</guid>
</item>
<item>
<title>ASA: Traffic denied &#39;licensed host limit of 0 exceeded&#39;, Open CSCuh23347</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh23347</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
ASA 5505 drops traffic with syslog message &quot;%ASA-4-450001: Deny traffic for protocol 1 src inside:10.11.12.3/512 dst outside:4.2.2.2/0, licensed host limit of 0 exceeded&quot; with Base License.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
ASA 5505 running 8.4.6 with Base license.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Upgrade to 9.0.2 or 9.1.2, or downgrade to 8.2.5. Also works on 8.4.5.6.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh23347</guid>
</item>
<item>
<title>ASA 8.4(6) - WebVPN Plugins No Longer Function, CSCuh15069</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh15069</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
Web plugins (telnet/ssh, RDP, etc.) no longer work in ASA 8.4(6). When you access them through the clientless portal, only a blank page is displayed.
&lt;br&gt;&lt;B&gt;Conditions:&lt;/B&gt;
Seen using ASA 8.4(6) and any Internet browser (Internet Explorer, Firefox, Chrome, etc.).
&lt;br&gt;&lt;B&gt;Workaround:&lt;/B&gt;
Upgrade to ASA version 9.x or downgrade to 8.4(5).
</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh15069</guid>
</item>
<item>
<title>webvpn-l7-rewrite: add full-fledged VBScript rewriter, Open CSCuh40325</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh40325</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
Applications using VBScript fail over clientless WebVPN.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
Use any application that uses VBScript over webvpn without ST enabled.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Enable ST to bypass the rewriter; if that doesn&#39;t work, create an APCF.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh40325</guid>
</item>
<item>
<title>AIP-SSM-40 not recognized as genuine Cisco product, Terminated CSCtz29732</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtz29732</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

ASA and AIP-SSM module may report an error related to &quot;Failed Identification Test in slot 1&quot;.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

Observed on a 5520 and 5540 with AIP-SSM-40 running 8.4.3 and 7.0(6)E4
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

Reload/reseat the module

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtz29732</guid>
</item>
<item>
<title>Connection not removed even after reaching idle timeout, Open CSCuh13899</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh13899</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
Some connections may not be removed even after reaching the idle timeout.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
The specific conditions under which these connections are not removed have yet to be identified.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Clear the connection manually, but this is very difficult in a customer environment. This will not be an acceptable or workable workaround.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh13899</guid>
</item>
<item>
<title>Standby ASA reloads unexpectedly after config sync with netflow enabled, Fixed CSCud56558</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCud56558</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

An ASA running 8.4.5 with a NetFlow configuration may reload while replicating the config.
This is seen in two conditions:

- disabling failover and re-enabling failover on the standby unit
- issuing write standby on the active unit
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

NetFlow is enabled by applying it to the policy-map.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

Disable NetFlow or avoid doing a write standby.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCud56558</guid>
</item>
<item>
<title>ASA drops some CX/CSC inspected HTTP packets due to PAWS violation, Fixed CSCug19491</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCug19491</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
Certain HTTP connections might experience slowdowns or fail to complete if the packets are inspected by the CX module.

HTTP packets might be dropped by the ASA for the ASP drop reason &quot;TCP packet failed PAWS test (tcp-paws-fail)&quot;
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
All of the following conditions must be met to encounter this problem:
1) The traffic flow must be subjected to inspection by the ASA CX module
2) The connection must be HTTP over TCP
3) The HTTP GET message must be large enough to be segmented into multiple TCP packets. This might occur if the cookie values in the GET are very long
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Using the ASA&#39;s modular policy framework, disable TCP timestamps for the connections:

!
access-list http-traffic extended permit tcp any any eq www
!
class-map http-class
 match access-list http-traffic
!
tcp-map TCP-map-timestamps
  tcp-options timestamp clear
!
policy-map global_policy
...
 class http-class
  set connection advanced-options TCP-map-timestamps
!

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCug19491</guid>
</item>
<item>
<title>ASA UDP 500 port not removed from PAT pool, Terminated CSCuf56976</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuf56976</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
New VPN connections will fail if the VPN port is allocated from PAT pool on the same interface.  We should not allow the VPN port to be used in the PAT pool.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
Problem observed on 9.1.1.
PAT configured for same interface that terminates the VPN.
Problem is intermittent. Source IP address is random. VPN will work fine until this xlate using the UDP port is created.
Clearing this xlate will restore VPN connectivity.

Example:
nat (any,outside) after-auto source dynamic any interface dns
crypto map outside_map interface outside

sh xlate:
UDP PAT from any:&lt;inside-ip&gt;/123 to outside:&lt;outside-ip&gt;/500 flags riD idle 0:00:51 timeout 0:00:30
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Issue &quot;clear xlate&quot; to clear the translation that is using the VPN port
Adjust PAT configuration to use an IP address that differs from the VPN interface IP

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuf56976</guid>
</item>
<item>
<title>ASA writes past end of file system then can&#39;t boot, Fixed CSCuc98398</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuc98398</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
After upgrading the ASA OS the device does not boot successfully, and will continually loop the unsuccessful boot sequence.

The following will be seen on the console of the ASA (The ASA and image file will vary):

-----------------------------------------------------------------------------------
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Boot configuration file contains 1 entry.


Loading disk0:/asa844-9-k8.bin... Booting... 
Platform ASA5505

Loading...
IO memory blocks requested from bigphys 32bit: 9672

## APPLIANCE REBOOTS AUTOMATICALLY HERE ##
-----------------------------------------------------------------------------------
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
Cisco ASA where the disk (Compact Flash) is already close to full or is fragmented from frequent use and a new 
version of the OS is saved on the disk (without removing any files) and the new file is made the boot file 
in the configuration.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Delete the bad file from flash, as well as any other images that are no longer in use, to free up more space on the flash. Then re-download the new file to flash.

- or -

1) Copy all the files off of the ASA&#39;s disk
2) Format the disk:
3) Copy the files back onto the disk, starting with the OS image you wish the ASA to boot. 

The second procedure (involving the re-format) is the preferred workaround, as it places the ASA image towards the beginning of the filesystem, making this problem much less likely.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuc98398</guid>
</item>
<item>
<title>Osiris: Crash when NULL pointer was passed to the l2p function, Fixed CSCuf85524</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuf85524</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
A crash occurs and the console at the time of the crash should say:

&quot; Panic: DATAPATH-0-2764 - _mempool_dma_l2p: Invalid laddr 0x21a0 passed in. DMA pool 0 starts 0x___________ ends 0x_________ DMA pool 1 starts 0x__________ ends 0x__________ &quot;
&lt;br&gt;&lt;B&gt;Conditions:&lt;/B&gt;
Establishing AnyConnect DTLS connections. Crash occurs after ~1000. 
&lt;br&gt;&lt;B&gt;Workaround:&lt;/B&gt;
There are no workarounds. 
</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuf85524</guid>
</item>
<item>
<title>ASA does not obfuscate aaa-server key when timeout is configured., Open CSCuh27912</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh27912</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
The ASA does not obfuscate passwords when a timeout is configured before the aaa-server key command.

&lt;B&gt;Conditions:&lt;/B&gt;
Timeout configured in the aaa-server host command.

&lt;B&gt;Workaround:&lt;/B&gt;
None.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh27912</guid>
</item>
<item>
<title>ASA may reload with traceback in thread name: Reload Control Thread, Terminated CSCtn03617</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtn03617</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;


ASA may reload with traceback in Thread name: Reload Control Thread. 
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

ASA 8.x
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

None at this time.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtn03617</guid>
</item>
<item>
<title>Traceback after upgrade from 8.2.5 to 8.4.6, Fixed CSCuh19234</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh19234</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
A crash happens during upgrade migration from 8.2.5 -&gt; 8.4.6, causing a boot loop.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
ASA with version 8.2.5
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Manual migration of the config

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh19234</guid>
</item>
<item>
<title>ASA 9.1.2 - Memory corruptions in ctm hardware crypto code., Open CSCuh19462</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh19462</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
ASA crashes in CERT API thread
&lt;br&gt;&lt;B&gt;Conditions:&lt;/B&gt;
ASA running version 9.1.2 on an SMP platform
&lt;br&gt;&lt;B&gt;Workaround:&lt;/B&gt;
Not known
</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh19462</guid>
</item>
<item>
<title>Upgrade ASA causes traceback with assert during spinlock, Fixed CSCud77352</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCud77352</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
ASA may generate a traceback in DATAPATH-0-1238 with assert+48 at slib/../finesse/snap_api.h:161
&lt;br&gt;&lt;B&gt;Conditions:&lt;/B&gt;
Upgrading ASA from 8.6.1.5 to 9.1.1
&lt;br&gt;&lt;B&gt;Workaround:&lt;/B&gt;
NA

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCud77352</guid>
</item>
<item>
<title>ASA exhausting DHCP pool when acting as a proxy for VPN clients, Terminated CSCts45189</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCts45189</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
1. When the client disconnects, it doesn&#39;t seem to request a release of the IP address.
2. The same client seems to use up more than one IP address from the DHCP pool, exhausting the pool and thus preventing new users from connecting after a while.
3. When a client tries to renew its lease, the ASA seems to renew the lease for the wrong client IP address.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
1. Configure the ASA to use the DHCP server to assign an IP address.
2. Use an IPsec VPN client.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
1. Shift the DHCP pools around quite frequently on the dhcp server
or 
2. Reload the ASA

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCts45189</guid>
</item>
<item>
<title>AnyConnect sessions do not connect due to uauth failure, Open CSCuh08432</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh08432</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
AnyConnect sessions are randomly rejected, both from the standalone client and from the portal.
&lt;br&gt;&lt;B&gt;Conditions:&lt;/B&gt;
This is seen randomly after upgrading to 9.0.2. debug webvpn reports:  vpn_put_uauth failed!
&lt;br&gt;&lt;B&gt;Workaround:&lt;/B&gt;
Issue is not seen on 8.4
</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh08432</guid>
</item>
<item>
<title>ASA assert traceback during xlate replication in a failover setup, Fixed CSCuf07393</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuf07393</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
An ASA firewall running in STANDBY as part of an Active/Standby or Active/Active high availability configuration may crash citing an assert in thread name DATAPATH-x-xxxx.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
The crash is seen in rare circumstances on a standby firewall or a firewall in an Active/Active high availability configuration where some contexts are STANDBY on that firewall.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
None at this time. To reduce the impact of crashes in an Active/Active failover configuration, you might want to move both ACTIVE Failover Groups to one ASA.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuf07393</guid>
</item>
<item>
<title>Traceback in Thread Name: OSPF Router during interface removal, Fixed CSCug98894</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCug98894</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
Traceback in OSPF process
&lt;br&gt;&lt;B&gt;Conditions:&lt;/B&gt;
Removing an interface with OSPF configured on it
&lt;br&gt;&lt;B&gt;Workaround:&lt;/B&gt;

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCug98894</guid>
</item>
<item>
<title>Re-transmitted FIN not allowed through with sysopt connection timewait, Fixed CSCuh20716</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh20716</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
An ASA firewall, by design, will remove a connection from the connection table upon seeing all the packets required to close the connection. In situations where the ASA sees all the required packets, but perhaps some of the packets are lost in transit to their destinations, host endpoints may try to re-transmit packets needed to close the connection gracefully. Since the connection was closed and removed from the ASA&#39;s connection table, those packets would fail to pass through the firewall. 

By enabling &#39;sysopt connection timewait&#39; on the ASA Firewall, these connections will be left in the connection table for an additional 15 seconds in an effort to allow for packet loss during the closing of a connection (the firewall should allow the retransmitted FINs through/etc.). Currently, however, re-transmitted TCP FIN packets that are part of the normal TCP closing sequence, are denied and dropped by the firewall despite the presence of &#39;sysopt connection timewait&#39;.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
This is seen on all current builds of ASA firewall code and is only relevant when the firewall has the following command in its configuration:

  sysopt connection timewait

Please consult the bug details in order to determine a fixed version of code.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Currently the only workaround that has been identified is to utilize TCP state bypass on the ASA Firewall in question. Not only will this allow the re-transmitted FIN-ACK packets through the firewall, but it does so by disabling TCP checking along with a host of other security-related features. As a result, care should be used when evaluating TCP State Bypass as a workaround for this situation.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh20716</guid>
</item>
<item>
<title>ASA 9.0.1 &amp; 9.1.1 - 256 Byte Blocks depletion, Fixed CSCue90343</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCue90343</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
Entry seen in logs:
--------------------------
ASA-3-321007  System is low on free memory blocks of size 256 (0 CNT out of 3636 MAX)


Output from &quot;show blocks&quot;:
---------------------------------------
SIZE    MAX    LOW    CNT  INUSE   HIGH
     0   2200   2198   2200      0      1
     4    100     99     99      0      0
    80   1000    998   1000      0      2
   256   2100      0      0      0      2
  1550   6274   6232   6271      1     40
  2048    100    100    100      0      0
  2560    164    164    164      0      0
  4096    100    100    100      0      0
  8192    100    100    100      0      0
  9344    100    100    100      0      0
 16384    100    100    100      0      0


Possible problems with:
--------------------------------
--Stateful failover, 
--Syslog messages,
--TCP Module
--connecting to ASA with SSH, telnet is working fine - issue present till power cycle, reload from CLI might not work
&lt;br&gt;&lt;B&gt;Conditions:&lt;/B&gt;
ASA 9.0.1 and 9.1.1

EtherChannel configured with Active mode of LACP (Link Aggregation Control Protocol)
&lt;br&gt;&lt;B&gt;Workaround:&lt;/B&gt;
Not known at this moment
</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCue90343</guid>
</item>
<item>
<title>Traceback in Thread Name: Dispatch Unit, Open CSCug60235</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCug60235</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
ASA may generate a traceback and reload in the dispatch unit thread
&lt;br&gt;&lt;B&gt;Conditions:&lt;/B&gt;
This issue has been seen on ASA 8.4(5); other versions may also be affected.
&lt;br&gt;&lt;B&gt;Workaround:&lt;/B&gt;
No known workaround at this time

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCug60235</guid>
</item>
<item>
<title>ASA 8.4.4.1 traceback in threadname Datapath, Open CSCuf93071</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuf93071</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

ASA5585-SSP-60 running 8.4.4.1 crashed in threadname &#39;datapath&#39;
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
&lt;br&gt;


&lt;B&gt;Workaround:&lt;/B&gt;

Disable IPS.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuf93071</guid>
</item>
<item>
<title>Connections not timing out when the route changes on the ASA, Open CSCue46275</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCue46275</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

Connections on the ASA are not timing out after a route change
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

timeout floating-conn was set to 30 seconds
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

clear out the connections manually

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCue46275</guid>
</item>
<item>
<title>Page fault traceback in crypto_lib_keypair_show_mypubkey_all, Fixed CSCtw93059</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtw93059</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

ASA may traceback in Thread Name ssh when &quot;show crypto key mypubkey rsa&quot; command 
is run.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

This was observed in 8.4(2) release. The trigger is not known yet.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

Do not use the &quot;show crypto key mypubkey rsa&quot; command



</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtw93059</guid>
</item>
<item>
<title>ASA traceback in datapath thread with netflow enabled, Fixed CSCue88423</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCue88423</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
ASA may reload with traceback in a datapath thread (such as DATAPATH-1-1241) with 
abort type Assert failure. A line like the one below will be seen in the crashinfo 
output:

Panic: DATAPATH-1-1241 - Message #93 : spin_lock_fair_mode_enqueue: Lock 
(snp_nf_block_t) is held for a long time, owner: DATAPATH-2-1242, requestor: 
DATAPATH-1-1241
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
Netflow is configured and enabled on the ASA.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
1. Disable Netflow or...
2. Disable the flow-teardown filtering

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCue88423</guid>
</item>
<item>
<title>Cisco ASA config rollback via CSM doesn&#39;t work in multi context mode, Fixed CSCuh10827</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh10827</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
The rollback for Cisco ASA configs via CSM doesn&#39;t work with &quot;aaa authorization comm LOCAL&quot;.

CSM shows the rollback as completed; however, the configs are still there on the ASA.

Device HW &amp; SW Details:

HW - Cisco ASA 5585
SW - 8.4.5
CSM - 4.3 (running on VM)
Cisco ACS server - 5.3
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
Cisco ASA in multi-context mode configured with RADIUS authentication with Cisco ACS 5.x and local authorization via &quot;aaa authorization comm LOCAL&quot; and integrated to CSM 4.3.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
None

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh10827</guid>
</item>
<item>
<title>dbgtrace: Adjustable logging buffer Required, Open CSCuh36489</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh36489</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
DAP debug output hits a limit when the output is more than around 1470 lines. Hence we should have an adjustable logging buffer command to adjust the amount of buffer available for such debugs.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
ASA Software Version 9.1(2)
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
None



</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCuh36489</guid>
</item>
<item>
<title>mrib entries may not be seen upon failover initiated by auto-update, Fixed CSCue62470</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCue62470</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
In rare conditions, upon failover triggered by the auto-update server (CSM), the ASA may not show any mrib, mfib or mroute entries until multicast-routing is toggled.
&quot;show asp drop&quot; may show a huge spike in the &quot;No route to host (no-route)&quot; counter.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
This was first identified on an ASA5520 failover pair running 8.4.3.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Toggle multicast routing.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCue62470</guid>
</item>
<item>
<title>ASA runs out of CTM memory when under heavy SSL Load, Terminated CSCtn26868</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtn26868</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;

The inability to access the ASA via ASDM and webvpn/AnyConnect.
show asp drop indicates: SSL malloc error (ssl-malloc-error)
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;

High load ~200 or more users on AnyConnect/webvpn
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;

1. Disable and re-enable webvpn.
2. Reboot

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtn26868</guid>
</item>
<item>
<title>ASA 8.3.1: Traceback with snp_fp_punt_block_free_cleanup, Fixed CSCth80945</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCth80945</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
ASA 5580-20 reloads after normal operation for a number of days.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
ASA 5580 running 8.3.1-release code.
IPsec remote access configured.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
None - Use a stateful failover pair to avoid downtime.



</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCth80945</guid>
</item>
<item>
<title>IKEv2: ASA does not clear entry from asp table classify crypto, Fixed CSCud28106</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCud28106</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
Intermittently, IKEv2 AnyConnect clients are no longer able to access internal resources even though the tunnel gets built just fine.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
1. IKEv2 AnyConnect clients
2. ASA 8.4.x
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
1. Increase the time period before the IP address is reused from the VPN pool.
2. Disconnect the user from the ASA.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCud28106</guid>
</item>
<item>
<title>ASA shared port-channel subinterfaces and multicontext traffic failure, Fixed CSCue59676</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCue59676</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
An ASA configured in multi context mode, with port-channels divided into subinterfaces, may experience an issue where traffic to certain contexts will fail if the port-channel has more than one active TenGigabitEthernet member.
&lt;br&gt;
&lt;B&gt;Conditions:&lt;/B&gt;
This was first observed in an environment using 250 contexts with more than 300 subinterfaces.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
Reduce the number of contexts or subinterfaces.

Deleting the context experiencing the problem and reconfiguring it sometimes resolves the issue for that context, but the problem may then move to another context.

</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCue59676</guid>
</item>
<item>
<title>ASA 5580 traceback when CSM attempts deployment, Fixed CSCtu30581</title>
<link>http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtu30581</link>
<description>&lt;B&gt;Symptom:&lt;/B&gt;
ASA 5580 crashes when CSM attempts deployment

SSLVPN/CSD is not enabled on the ASA firewall, however, when CSM (Cisco Security Manager) attempts to make a configuration deployment for the ASA (which contains configuration for the Default Group-Policy), the ASA5580 crashes!

CSM version is 4.1 and ASA is 5580 on 8.4.2(11).
Attached is the traceback information I could collect from the console of the firewall during the crash.
&lt;br&gt;&lt;B&gt;Conditions:&lt;/B&gt;
Seen only when there is a functional interaction between CSM and the ASA 5580 firewall.
&lt;br&gt;
&lt;B&gt;Workaround:&lt;/B&gt;
None.


</description>
<guid isPermaLink="true">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtu30581</guid>
</item>
   
</channel>
</rss>
