Cisco ASA Interim Release Notes

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

Revision: Version 9.0.2(10) – 05/19/2013
Files: asa902-10-smp-k8.bin, asa902-10-k8.bin
Defects resolved since 9.0.2:
Elements in the network object group are not converted to network object
Failover disabled due to license incompatible different Licensed cores
Traceback @snp_ifc_purg_cb w/ clear conf all or write standby
Some legitimate traffic may get denied with ACL optimization
dynamic policy PAT fails with FTP data due to latter static NAT entry
RRI routes are not injected after reload if IP SLA is configured.
ASA: Builds conn for packets not destined to ASA's MAC in port-channel
Natted traffic not getting encrypted after reconfiguring the crypto ACL
ASA: Packet loss during phase 2 rekey
ASA sends user passwords in AV as part of config command authorization.
ASA 5585 with IPS inline -VPN tunnel dropping fragmented packets
ASA 5585- 10 gig interfaces may not come up after asa reload
misreported high CPU
ASA may traceback when multiple users make simultaneous change to ACL
SMP ASA traceback on periodic_handler for inspecting icmp or dns traffic
Port-Channel Flaps at low traffic rate with single flow traffic
5500X Software IPS console too busy for irq can cause data plane down.
Local command auth not working for certain commands on priv 1
ASA nat-pat: 8.4.4 assert traceback related to xlate timeout
8.4.3 system log messages should appear in Admin context only
Interface oversubscription on active causes standby to disable failover
Traceback in CP Processing when enabling H323 Debug
ASA: Watchdog traceback from tmatch_element_release_actual
ASA: Page fault traceback when copying new image to flash
ASA: Traceback in Dispatch Unit with HTTP inspect regex
ASA 210005 and 210007 LU allocate xlate/conn failed with simple 1-1 NAT
ASA5550 continuous reboot with tls-proxy maximum session 4500
FIFO queue oversubscription drops packets to free RX Rings
Standby ASA traceback while replicating flow from Active
ASA traceback due to nested protocol object-group used in ACL
Standby ASA allows L2 broadcast packets with asr-group command
ASA: Page fault traceback in Unicorn Proxy Thread with WebVPN
ASA: Assert traceback in PIX Garbage Collector with GTP inspection
ASA unexpectedly reloads with traceback in Thread Name: CP Processing
ASA TFW sends broadcast arp traffic to all interfaces in the context
ASA traceback in threadname Logger
ASA crashes in IKE Daemon after reassembling ikev1 pkt in a L2L conn
ASA standby produces traceback and reloads in IPsec message handler
High CPU HOG when connect/disconnect VPN with large ACL
WebVPN - mishandling of request from Java applet
Accounting STOP with caller ID 0.0.0.0 if admin session exits abnormally
Nas-Port attribute different for authentication/accounting Anyconnect
ASA: Webvpn cookie corruption with external cookie storage
OSPF routes were missing on the Standby Firewall after the failover
ASA - VPN connection remains up when DHCP rebind fails
TCP ts_val for an ACK packet sent by ASA for OOO packets is incorrect
ASA: May traceback in Thread Name: fover_health_monitoring_thread
ASA 8.4.4.6 and higher: no OSPF adj can be built with Portchannel port
ACL not getting migrated correctly (FWSM to ASA-SM with migration tool)
Multi-Mode traceback on ci/console copying config tftp to running-config
ASA may traceback while fetching personalized user information
ASA traceback: ASA reloaded when call home feature enabled
ASA never removes qos-per-class ASP rules when VPN disconnects
ASA webvpn - URLs are not rewritten through webvpn in 8.4(4)5
Error when connecting VPN: DTLS1_GET_RECORD Reason: wrong version number
Destination NAT with non single service (range, gt, lt) not working
Traceback in threadname CP Processing
Traceback in snpi_divert with timeout floating-conn configured
distribute-list does not show in the router config.
HTTP inspection matches incorrect line when using header host regex
ASA 5580 page fault in thread CERT API during pki validation
Crypto IPSec SA's are created by dynamic crypto map for static peers
Log indicating syslog connectivity not created when server goes up/down
Cat6000/15.1(1)SY- ASASM/8.5(1.14) PwrDwn due to SW Version Mismatch
5580 - Thread Name: CP Midpath Processing eip pkp_free_ssl_ctm
ASA Unexpectedly Reloads in 'DATAPATH' Thread
traceback in fover_health_monitoring_thread
XSS in SSLVPN
ASA SIP inspection - To: in INVITE not translated after 8.3/8.4 upgrade
Traceback while cleaning up portlist w/ clear conf all or write standby
dynamic policy PAT fails with FTP data due to latter static NAT entry
GTP inspect not working in Asymmetric Routing Environment with ASR group:
ASA: Packet loss during phase 2 rekey
Observing traceback @ ipigrp2_redist_metric_incompatible+88
SMP ASA traceback on periodic_handler for inspecting icmp or dns traffic
Failover Unit Stuck in Cold Standby After Boot Up
ASA traceback in Unicorn Proxy Thread while processing lua
Proxy ARP Generated for Identity NAT Configuration in Transparent Mode
Cisco ASA Clientless SSLVPN CIFS Vulnerability
With inline IPS and heavy load ASA could drop ICMP or DNS replies
ASA: Nested traceback in Thread Dispatch Unit - cause: SQLNet Inspection
SIP inspect NATs Call-ID in one direction only
error 'Drop-reason: (punt-no-mem) Punt no memory' need to be specific
Destination NAT with non single service (range, gt, lt) not working
ASA CIFS UNC Input Validation Issue
CP Processing hogs in SMP platform causing failover problems, overruns
EZVPN: User gets unexpected IUA prompt
Traceback: deadlock between syslog lock and host lock
ASA may not establish EIGRP adjacency with router due to version issues
access-group commands removed on upgrade to 9.0(1)
ASASM platform is not exempt from MAC move wait timer
ASA writes past end of file system then can't boot
ASA Allows duplicate xlate-persession config lines
Traceroute through the ASA does not work properly, always shows dest IP
BTF traceback in datapath when apply l4tm rule
IKEv2: ASA does not clear entry from asp table classify crypto
Deny rules in crypto acl blocks inbound traffic after tunnel formed
Traffic destined for L2L tunnels can prevent valid L2L from establishing
Smart Tunnel hangs when list contains more than 80 entries
Prioritize Failover Control Packets on ASA5585-X CPU Uplinks
ASA IKEv2 fails to accept incoming IKEV2 connections
DAP: debug dap trace not fully shown after +1000 lines
STI Flash write failure corrupts large files
VPNLB: Lost packet during IKEv1 not retransmitted
ASA 9.x dropping case sensitive DNS PTR requests
ASA5585: Traceback in Thread Name:DATAPATH when accessing webvpn urls
ASA hitless upgrade from 8.2 to 8.4 - ERROR: unable to download policy
traceback in ospf_get_authtype
OSPF routes were missing on the Active Firewall after the failover
ASA may generate Traceback while running packet-tracer
ASA LDAP Mapping should not map 0 to values with no match
Upgrade ASA causes traceback with assert during spinlock
TRACEBACK, DATAPATH-8-2268, Multicast
ASA 5580 running 8.2(5)13 traceback
Threat Detection Syslogs from System Context in Multi-context Mode
Netbios insp translating ip in answer field to mapped ip of WINS server
Anyconnect using Ikev2 is missing username in syslog messages
ASA traceback with Checkheaps thread
ASA: 256 byte blocks depleted when syslog server unreachable across VPN
Control-plane access-list doesn't filter Anyconnect traffic
Traceback: snp_syslog fails to recognise parent syslog flow
ASA-1-743002 message is seen without prior ASA-1-743001 message
ASA 9.1.1 - WCCPv2 return packets are dropped
Anyconnect mtu config at ASA not taking effect at client
TCP connection to multicast MAC - unicast MAC S/ACK builds new TCP conn
16k blocks near exhaustion - process emweb/https (webvpn)
Revert change in subnetting rules for splittunnel policy for smarttunnel
ASA 5505 not Forming EIGRP neighborship after failover
ASA:Traceback while deleting trustpoint
Some java applets won't connect via smart tunnel on windows with jre1.7
ASA: Assertion traceback in DATAPATH thread after upgrade
Webvpn: Javascript based applications not working
Secondary Flows Lookup Denial of Service Vulnerability
LU allocate xlate failed (for NAT with service port)
Mac version Smart Tunnel with Safari 6.0.1/6.0.2 issue
ASA in multicontext mode provides incorrect SNMP status of failover
Memory leak of 1024B blocks in webvpn failover code
RADIUS Memory Leak on ASA using AD-Agent
IKEv2 reply missing 4bytes of 0's after UDP header
ASA drops packets with IP Options received via a VPN tunnel
WebVPN: outside PC enabled webvpn to management-access inside interface
ESMTP drops due to MIME filename length >255
secondary-authentication-server-group cmd breaks Ikev1/IPsec RA VPN auth
ASA shared port-channel subinterfaces and multicontext traffic failure
mrib entries may not be seen upon failover initiated by auto-update
ASASM Traceback when issue 'show asp table interface' command
ASA SSHv2 Denial of Service Vulnerability
Crypto accelerator resets with error code 23
The ASA hardware accelerator encountered an error (Bad checksum)
Group enumeration still possible on ASA
Anyconnect DTLS idle-timeout is being reset by transmit traffic only
Character encoding not visible on webvpn portal pages.
ASA5585 8.4.2 Traceback in Thread Name aaa while accessing Uauth pointer
re-write fails for javascript generated URL with "\"
ASA Traceback in Thread Name : CERT API
move OSPF from the punt event queue to its own event queue
Smart Call Home sends Environmental message every 5 seconds for 5500-X
ASA traceback in Thread Name: UserFromCert
DTLS drops tunnel on a crypto reset
Webvpn: Cifs SSO fails first attempt after AD password reset
ASA: Pending DHCP relay requests not flushed from binding table
ASA traceback in Thread Name: ci/console after write erase command
ASA 8.3+ l2l tunnel-group name with a leading zero is changed to 0.0.0.0
snmp engineID abnormal for asa version 8.4.5 after secondary asa reload
IKEv2: VPN filter ACL lookup failure causing stale SAs and traceback
ASA traceback with Thread Name: DATAPATH-3-1041
ASA-SM traceback in Thread Name: accept/http
ASA changes user privilege by vpn tunnel configuration
ASA LDAPS authorization fails intermittently
Webvpn: OWA 2010 fails to load when navigating between portal and OWA
user-identity will not retain group names with spaces on reboot
ASA 8.4.4.1 Keeps rebooting when FIPS is enabled: FIPS Self-Test failure
ASA drops some CX/CSC inspected HTTP packets due to PAWS violation
cannot access Oracle BI via clientless SSL VPN
Anyconnect IKEv2:Truncated/incomplete debugs,missing 3 payloads
ASA traceback on thread Session Manager