Cisco ASA Interim Release Notes

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 8.7.1(18) – 02/10/2016
Files: asa871-18-smp-k8.bin
Defects resolved since 8.7.1(17):
- ASA IKEv1 and IKEv2 Vulnerability
- IKEv2 Fragments may get dropped with a specific sequence of fragments
Revision: Version 8.7.1(17) – 10/21/2015
Files: asa871-17-smp-k8.bin
Defects resolved since 8.7.1(16):
- ISAKMP SERVER traffic from Codenomicon crashes ASA
- ASA traceback in ThreadName: ci/console while pinging DNS server name
- March 2015 OpenSSL Vulnerabilities
- Traceback: mem_get_owner+104 at slib/../finesse/snap_api.h:163
- Evaluation of OpenSSL June 2015
Revision: Version 8.7.1(16) – 04/08/2015
Files: asa871-16-smp-k8.bin
Defects resolved since 8.7.1(14):
- ASA SSL: Continues to accept SSLv3 during TLSv1 only mode
- Failover units should accept only traffic coming from the peer
- ASA: evaluation of SSLv3 POODLE vulnerability
- January 2015 OpenSSL Vulnerabilities
- 2048-byte block leak if DNS server replies with "No such name"
Revision: Version 8.7.1(14) – 10/08/2014
Files: asa871-14-smp-k8.bin
Defects resolved since 8.7.1(12):
- Remove flash storage from library load path
- Cisco ASA Privilege Escalation
- ASA: Entering Query String on /+CSCOE+/logon.html discloses information
- ASA1000v unauthorized access to underlying Linux shell
- 1550 block leak occurs if DNS replies "refused" query response
Revision: Version 8.7.1(12) – 07/28/2014
Files: asa871-12-smp-k8.bin
Defects resolved since 8.7.1(11):
- ASA traceback on cp processing due to sqlnet inspection
- ASA traceback with inspection GTP
- Cisco ASA SCH Certificate Authentication Bypass Vulnerability
- ASA: Tracebacks in thread dispatch unit due to SunRPC inspection
- Multiple Vulnerabilities in OpenSSL - June 2014
- ASA WebVPN portal modification vulnerability
Revision: Version 8.7.1(11) – 04/09/2014
Files: asa871-11-smp-k8.bin
Defects resolved since 8.7.1(8):
- Cookie usage in SSL VPN
- Add text section to coredump
- Privilege level 0 users getting full access
- ASA SSL VPN Privilege Escalation Vulnerability
- Page fault traceback in DATAPATH under DoS, rip qos_topn_hosts_db_reset
Revision: Version 8.7.1(8) – 10/22/2013
Files: asa871-8-smp-k8.bin
Defects resolved since 8.7.1(7):
- ASA protocol inspection connection table fill up DOS Vulnerability
- ASA traceback with thread name "Thread 0 in thread group"
Revision: Version 8.7.1(7) – 10/09/2013
Files: asa871-7-smp-k8.bin
Defects resolved since 8.7.1(4):
- 1/5 minute input rate and output rate are always 0 with user context
- ASA SIP inspection - To: in INVITE not translated after 8.3/8.4 upgrade
- ST not injected in mstsc.exe on 32-bit Win 7 when started through TSWeb
- ACL remark line is missing when range object is configured in ACL
- dynamic policy PAT fails with FTP data due to latter static NAT entry
- Clientless SSL VPN causes UAC on Win 7 to fail when CSD and ST are used
- ASA traceback in Unicorn Proxy Thread while processing lua
- Cisco ASA Clientless SSLVPN CIFS Vulnerability
- With inline IPS and heavy load ASA could drop ICMP or DNS replies
- ASA - SQL*Net Inspection Engine Denial of Service Vulnerability
- SIP inspect NATs Call-ID in one direction only
- error 'Drop-reason: (punt-no-mem) Punt no memory' needs to be specific
- ASA CIFS UNC Input Validation Issue
- ASA upgrade fails with large number of static policy-nat commands
- ASA may not establish EIGRP adjacency with router due to version issues
- ASA writes past end of file system then can't boot
- Smart-tunnel failing to forward tcp connections for certain application
- IKEv2: ASA does not clear entry from asp table classify crypto
- HTTP Deep Packet Inspection Denial of Service Vulnerability
- TLS-Proxy does not send issuer name in the certificate
- Smart Tunnel hangs when list contains more than 80 entries
- VPNLB: Lost packet during IKEv1 not retransmitted
- ASA hitless upgrade from 8.2 to 8.4 - ERROR: unable to download policy
- OSPF routes were missing on the Active Firewall after the failover
- TRACEBACK, DATAPATH-8-2268, Multicast
- ASA in HA loses shared license post upgrade to 9.x
- Netbios insp translating ip in answer field to mapped ip of WINS server
- Anyconnect using IKEv2 is missing username in syslog messages
- Traceback: snp_syslog fails to recognise parent syslog flow
- TCP connection to multicast MAC - unicast MAC S/ACK builds new TCP conn
- 16k blocks near exhaustion - process emweb/https (webvpn)
- Revert change in subnetting rules for splittunnel policy for smarttunnel
- ASA 5505 not forming EIGRP neighborship after failover
- ASA: Traceback while deleting trustpoint
- Some java applets won't connect via smart tunnel on windows with jre1.7
- Secondary Flows Lookup Denial of Service Vulnerability
- LU allocate xlate failed (for NAT with service port)
- Mac version Smart Tunnel with Safari 6.0.1/6.0.2 issue
- Memory leak of 1024B blocks in webvpn failover code
- RADIUS Memory Leak on ASA using AD-Agent
- IKEv2 reply missing 4 bytes of 0's after UDP header
- Portchannel keeps sending packets through down/down interface
- ASA drops packets with IP Options received via a VPN tunnel
- IPv6 ACL can't be modified after used as vpn-filter
- secondary-authentication-server-group cmd breaks IKEv1/IPsec RA VPN auth
- ASA shared port-channel subinterfaces and multicontext traffic failure
- mrib entries may not be seen upon failover initiated by auto-update
- ASA SSHv2 Denial of Service Vulnerability
- Group enumeration still possible on ASA
- Anyconnect DTLS idle-timeout is being reset by transmit traffic only
- When specifying two same OID in GETBULK, reply has no duplicate OID
- Character encoding not visible on webvpn portal pages
- ASA5585 8.4.2 Traceback in Thread Name aaa while accessing Uauth pointer
- re-write fails for javascript generated URL with "\"
- Prefill username from certificate does not extract serial number
- ASA Traceback in Thread Name: CERT API
- ASA traceback in Thread Name: UserFromCert
- split-dns cli warning msg incorrect after client increasing the limit
- ASA 8.3+ l2l tunnel-group name with a leading zero is changed to 0.0.0.0
- Framed-IP-Address not sent with AC IKEv2 and INTERIM-ACCOUNTING-UPDATE
- ASA DNS Inspection Denial of Service Vulnerability
- Change of behavior in Prefill username from certificate SER extraction
- ASA OSPF LSA Injection Vulnerability
- ASA Remote Access VPN Authentication Bypass Vulnerability
- ASA Digital Certificate HTTP Authentication Bypass Vulnerability
Revision: Version 8.7.1(4) – 02/20/2013
Files: asa871-4-smp-k8.bin
Defects resolved since 8.7.1(3):
- Elements in the network object group are not converted to network object
- Failover disabled due to license incompatible different Licensed cores
- Traceback @snp_ifc_purg_cb w/ clear conf all or write standby
- Some legitimate traffic may get denied with ACL optimization
- ESMTP inspection corrupts data
- GTP inspect not working in Asymmetric Routing Environment with ASR group
- ASA: Packet loss during phase 2 rekey
- Observing traceback @ ipigrp2_redist_metric_incompatible+88
- ASA may traceback when multiple users make simultaneous change to ACL
- SMP ASA traceback on periodic_handler for inspecting icmp or dns traffic
- ASA5505 stuck in Cold Standby after boot up
- ASA nat-pat: 8.4.4 assert traceback related to xlate timeout
- ASA: Watchdog traceback from tmatch_element_release_actual
- ASA 210005 and 210007 LU allocate xlate/conn failed with simple 1-1 NAT
- ASA: Memory leak due to SNP RT Inspect
- ASA: Assert traceback in PIX Garbage Collector with GTP inspection
- ASA unexpectedly reloads with traceback in Thread Name: CP Processing
- ASA is max-aging OSPF LSAs after 50 minutes
- ASA traceback in threadname Logger
- ASA traceback in IKE Daemon while handling IKEv1 message
- ASA: Webvpn cookie corruption with external cookie storage
- OSPF routes were missing on the Standby Firewall after the failover
- 'clear config crypto ipsec ikev1' removes ikev2 proposals as well
- Flash filesystem does not recognize filenames > 63 characters
- TCP ts_val for an ACK packet sent by ASA for OOO packets is incorrect
- ASA: May traceback in Thread Name: fover_health_monitoring_thread
- PRTG app Javascript as a stream (not content) fails through the rewriter
- ASA traceback: ASA reloaded when call home feature enabled
- ASA never removes qos-per-class ASP rules when VPN disconnects
- OWA doesn't work after the ASA upgrade
- Traceback in threadname CP Processing
- Management access fails via L2TP VPN client on SMP platform
- ASA IPSEC error: Internal Error, ike_lock trying to unlock bit
- ASA traceback in Dispatch Unit
- ASA 5580 page fault in thread CERT API during pki validation
- EZVPN: User gets unexpected IUA prompt
- Traceback: deadlock between syslog lock and host lock
- Crypto IPSec SA's are created by dynamic crypto map for static peers
- Log indicating syslog connectivity not created when server goes up/down
- 5580 - Thread Name: CP Midpath Processing eip pkp_free_ssl_ctm
- traceback in fover_health_monitoring_thread
- ipsecvpn-ike: IKEv1 rekey fails when IPCOMP proposal is sent
- XSS in SSLVPN
- ASA Logging command submits invalid characters as port zero
- ASA: Multiple context mode does not allow configuration of 'mount'
- Race condition can result in stuck VPN context following a rekey
- ASASM platform is not exempt from MAC move wait timer
- Deny rules in crypto acl blocks inbound traffic after tunnel formed
- Incorrect and duplicate logs about status change of port-channel intfs
- APCF Flag no-toolbar fails after upgrade to 8.4.4.9
- ASA webvpn plugin files Expires header incorrectly set
- Smart-tunnel failing to forward tcp connections for certain application
- Smart Tunnel failed for Safari 6.0.1/6.0.2 on OSX10.7 and 10.8
- CA certificates expiring after 2038 display wrong end date on 5500-X
- ASA may traceback in thread emweb/https
- Called-Station-Id in RADIUS acct stop after failover is standby address
- ASA Traceback in Dispatch unit due to dcerpc inspection
- BTF traceback in datapath when apply l4tm rule
- License server becomes unreachable due to "signature invalid" error
- Deny rules in crypto acl blocks inbound traffic after tunnel formed
- Deny ACL lines in crypto-map add RRI routes
- Increase stack size in VPN Load Balancing feature
- SMP ASA traceback in periodic_handler in proxyi_rx
- Traffic destined for L2L tunnels can prevent valid L2L from establishing
- ASA nested traceback with url-filtering policy during failover
- Smart Tunnel hangs when list contains more than 80 entries
- DNS resolution for "from-the-box" traffic not working with "names"
- ASA: adding nested object group fails with "IP version mismatch"
- "Failed to update IPSec failover runtime data" msg on the standby unit
- DAP: debug dap trace not fully shown after +1000 lines
- traceback in ospf_get_authtype
- IKEV2-L2L: DH handle leak when PFS enabled only on one peer
- ASA LDAP Mapping should not map 0 to values with no match
- ASA 5580 running 8.2(5)13 traceback
- ASA: Username with ampersand disconnects ASDM Firewall Dashboards
- flash in ASA5505 got corrupted
- Webvpn: Javascript based applications not working
Revision: Version 8.7.1(3) – 11/15/2012
Files: asa871-3-smp-k8.bin
Defects resolved since 8.7.1(1):
- SCCP does not handle new msg StartMediaTransmissionACK
- Time-based License Expires Prematurely
- ASA (8.3.2) traceback in Thread Name: DATAPATH-1-1295
- RRI routes are not injected after reload if IP SLA is configured
- ASA: Builds conn for packets not destined to ASA's MAC in port-channel
- Traceback in Thread Name: Dispatch Unit
- Newly Added Failover Unit With Lesser License Rejects Configuration
- Reserve 256 byte block pool for ARP processing
- ASA sends user passwords in AV as part of config command authorization
- RADIUS client too busy - try later
- Emails from Smart Call Home are not RFC 2822 Section 2.3 compliant
- Traceback: timer assert due to nf_block timer race condition
- ASA 5585 with IPS inline - VPN tunnel dropping fragmented packets
- ASA 5585 - 10 gig interfaces may not come up after asa reload
- misreported high CPU
- (VPN-Secondary) Failed to update IPSec failover runtime data on the stan
- ASA: access-list with name "ext" is changed to "extended" on boot
- Clientless SSL VPN causes UAC on Win 7 to fail when CSD and ST are used
- Deny lines in NAT exemption ACL cause ASA config migration to fail
- ASA accepts IKEv2 AC reconnect request once then tears it down
- ASA generates "The ASA hardware accelerator encountered an error"
- WebVPN: OWA server sending error message due to missing Canary Value
- ASA: High CPU with DTLS sessions and 'crypto engine large-mod-accel'
- CPU-hog during line-protocol-up event of 4GE-SSM ports
- Local command auth not working for certain commands on priv 1
- PP: TFTP ACK to last block dropped
- Traceback in Thread Name: CERT API
- 8.4.3 system log messages should appear in Admin context only
- ASA: Page fault traceback when changing port-channel load balancing
- Websense URL Filtering triggers syslog 216004
- Clientless SSL VPN rewriter fails with javascript
- Anyconnect fails to connect after ASA failover due to IP conflict
- ASA: May log 305006 regular translation creation failed messages
- Some parts of the WebVPN login susceptible to HTTP Response Splitting
- aaa-radius: ASA sending duplicate Radius access request
- Interface oversubscription on active causes standby to disable failover
- ASA vulnerable to CVE-2003-0001
- ASA unexpected system reboot with Thread Name: UserFromCert Thread
- Traceback in CP Processing when enabling H323 Debug
- Flowcontrol status is OFF on ASA, after enabling it on ASA and switch
- ASA sip inspect - Pre-allocate SIP NOTIFY TCP secondary channel
- ASA: Watchdog traceback from tmatch_element_release_actual
- ASA: write standby command brings down port-channel interface on standby
- Cisco script injected in html tags, JS conditional comments
- WebVPN: "My Mail" option doesn't work for OWA2010
- ASA: Page fault traceback when copying new image to flash
- ASA: Traceback in Dispatch Unit with HTTP inspect regex
- ASA: Page fault traceback in DATAPATH thread with IPsec traffic
- ASA 5580-20: object-group-search access-control causes failover problem
- ASA may traceback while loading a large context config during bootup
- ASA Content rewrite HTML content was treated as ajax response
- 4096 byte block depletion due to ak47_np_read
- ASA5550 continuous reboot with tls-proxy maximum session 4500
- FIFO queue oversubscription drops packets to free RX Rings
- unexpected policy-map is added on standby ASA when new context is made
- Standby ASA traceback while replicating flow from Active
- ASA crashes due to nested protocol object-group used in ACL
- ASA does not check aaa-server use before removing commands
- ASA Webvpn rewriter compression not working
- Standby ASA has duplicate ACEs for webtype ACLs after 'write standby'
- "idle-timeout = 0" is not able to configure with AnyConnect IKEv2
- ASA ospf redistributing failover interface network
- Standby ASA allows L2 broadcast packets with asr-group command
- ASA Webvpn form POST is not rewritten 8.4.1.8 or later
- ASA: Manual NAT rules are not processed in order
- NAT Config Rejected on Upgrade when Objects Overlap with Failover IP
- ASA traceback under threadname Dispatch Unit due to multicast traffic
- syslog 113019 reports invalid address when VPN client disconnects
- ASA TFW sends broadcast arp traffic to all interfaces in the context
- VPNFO should return failure to HA FSM when control channel is down
- OID used for authentication by EKU is truncated
- ASA standby produces traceback and reloads in IPsec message handler
- Deleting ip local pool causes disconnect of VPN session using other pools
- WebVpn PortForward code signing issue
- High CPU HOG when connect/disconnect VPN with large ACL
- WebVPN - mishandling of request from Java applet
- Traceback in Thread Name: accept/http
- Accounting STOP with caller ID 0.0.0.0 if admin session exits abnormally
- Nas-Port attribute different for authentication/accounting Anyconnect
- ASA: Webvpn rewriter not rewriting eval function call properly
- Enhance RTCLI implementation of password type (BNF)
- The "clear crypto ca crls <trustpoint>" command does not work
- ASA packet transmission failure due to depletion of 1550 byte block
- ASA - VPN connection remains up when DHCP rebind fails
- ASA Traceback - MD5_Update
- ASA: Port-channel config not loaded correctly when speed/duplex are set
- Per tunnel webvpn customizations ignored after ASA 8.2 upgraded to 8.4
- ASA 8.4.4.6 and higher: no OSPF adj can be built with Portchannel port
- Multi-Mode traceback on ci/console copying config tftp to running-config
- Crash when removing group-policy
- ASA may traceback while fetching personalized user information
- ASA webvpn - URLs are not rewritten through webvpn in 8.4(4)5
- Error when connecting VPN: DTLS1_GET_RECORD Reason: wrong version number
- HTTP inspection matches incorrect line when using header host regex