Cisco
ASA Interim Release Notes
The software
images listed below are Interim releases.
They contain bug fixes which address specific
issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC
and will remain on the download site only until the next Maintenance release is
available. If you do not have a specific problem which
is resolved by an Interim release, we recommend that you use the Feature or
Maintenance release images.
Important: These images were not fully regression
tested. Each individual fix was unit
tested, and the image has had a limited amount of automated regression testing
to confirm a baseline of functionality.
Keep this testing status in mind if you decide to run them in a production
environment. We strongly encourage you
to upgrade to a fully tested Maintenance or Feature release when it becomes
available.
Revision: Version 9.4(3)12 – 11/03/2016
Files: asa943-12-smp-k8.bin
Defects resolved since 9.4(3)11:
After some time flash operations fail and configuration can not
be saved |
|
ASA Traceback Assert in Thread Name: ssh_init with component ssh |
|
http config missing in multicontext
after reload of stdby 916.9 or later |
|
AnyConnect DTLS on-demand DPDs are not sent intermittently |
|
ASA 9.4.2.6 High CPU due to CTM message handler due to chip
resets |
|
ASA traceback in CLI thread while
making MPF changes |
|
SNMPv3 active engineID is not reset
when ASA is replaced |
|
ASA stuck in boot loop due to FIPS Self-Test failure |
|
ASA negotiates TLS1.2 when server in tls-proxy |
|
ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in
Thread Name: IKEv2 Daemon |
|
ASA memory leak for CTS SGT mappings |
|
OTP authentication is not working for clientless ssl vpn |
|
issuer-name falsely detecting duplicates in certificate map using attr |
|
Enqueue failures on DP-CP queue may stall inspected TCP connection |
|
H.323 inspection causes Traceback in
Thread Name: CP Processing |
|
ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer |
|
ASA as DHCP relay drops DHCP 150 Inform message |
|
Remove ACL warning messages in show access-list when FQDN is
unresolved |
|
ASA Traceback in thread name CP
Processing due to DCERPC inspection |
|
ASA 1550 block depletion with multi-context transparent firewall |
|
Traceback
: ASA with Threadname: DATAPATH-0-1790 |
|
WebVPN:VNC plugin:Java:Connection reset by peer: socket write error |
|
Thread Name: snmp ASA5585-SSP-2
running 9.6.2 traceback |
|
Lower NFS throughput rate on Cisco ASA platform |
|
ASA traceback with Thread Name aaa_shim_thread |
|
IKEv2: It is NOT cleaning the sessions after disconnected from
the client. |
|
ASA Traceback Thread Name: emweb/https |
|
AAA session handle leak with IKEv2 when denied due to time range |
|
ASA fairly infrequently rewrites the dest
MAC address of multicast packet for client |
Revision: Version 9.4(3)11 – 09/27/2016
Files: asa943-11-smp-k8.bin
Defects resolved since 9.4(3)8:
ASA traceback on standby when SNMP
polling |
|
ASA memory leak related to Botnet |
|
ASA reloads with traceback in thread
name DATAPATH or CP Processing |
|
HA: Number of interfaces mismatch after SFR module reload on
both units |
|
ASA - Traceback in CP Processing
Thread During Private Key Decryption |
|
WebVPN: Webpage not fully rewritten when ASA has the same FQDN
as srv |
|
ASA does not respond to NS in Active/Active HA |
|
Incorrect modification of NAT divert table. |
|
ASA Stateful failover for DRP works
intermittently |
|
Commands not installed on Standby due to parser switch |
|
traceback during tls-proxy handshake |
|
IPv6 neighbor discovery packet processing behavior |
|
ASA with PAT fails to untranslate SIP
Via field that doesnt contain port |
|
IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck |
|
Traceback in CP Processing thread after upgrade |
|
Remove ACL warning messages in show access-list when FQDN is
resolved |
|
Unexpected end of file logon.html in WebVPN |
|
ASA not rate limiting with DSCP bit set from the Server |
|
ASA: SLA Monitor not working with floating timeout configured to
nonzero |
|
On reloading the ASA, ASA mounts SSD as disk 0, instead of the
flash. |
|
IPv6 OSPF routes do not update when a lower metric route is
advertised |
|
ASA treaceback at Thread Name: rtcli async executor process |
|
ASA DATAPATH traceback (Cluster) |
|
BGP Socket not open in ASA after reload |
|
Cisco ASA Cross Site Scripting SSLVPN Vulnerability |
|
Interfaces get deleted on SFR during cluster rejoining |
|
Crypto accelerator ring timeout causes packet drops |
|
Traceback in Thread Name: ssh when issuing show
tls-proxy session detail |
|
memory leak in ssh |
|
ASA drops ICMP request packets when ICMP inspection is disabled |
|
OSPF generates Type-5 LSA with incorrect mask, which gets stuck
in LSDB |
|
ASA: CHILD_SA collision brings down IKEv2 SA |
|
ASA Traceback when issue 'show asp
table classify domain permit' |
|
ASA Traceback in CTM Message Handler |
|
Unable to delete the SNMP config |
|
ASA traceback in ipsecvpn-crypto |
Revision: Version 9.4(3)8 – 08/26/2016
Files: asa943-8-smp-k8.bin
Defects resolved since 9.4(3)6:
IPv6 neighbor discovery packet processing behavior |
|
Cisco ASA SNMP Remote Code Execution Vulnerability |
Revision: Version 9.4(3)6 – 07/30/2016
Files: asa943-6-smp-k8.bin
Defects resolved since 9.4(3)4:
Packet captures cause CPU spike on Multi-Core platforms due to spin_lock |
|
L2 Clustering:OSPFv2, Eigrp and OSPFv3
RIB not replicated to slave node |
|
Password change page can be displayed without authentication |
|
Stale VPN Context entries cause ASA to stop encrypting traffic |
|
Traceback in Thread: IPsec message handler |
|
SIP call transfer fail due to differences b/w fixing CallId and Refer-To |
|
ASA AnyConnect IKEv2 scripts help customisations not served after reload |
|
Slow ASA OSPF interface transition from DOWN to WAITING after
failover |
|
ASA 9.1.6.4 traceback with Thread
Name: telnet/ci |
|
Kenton 9.5.1'boot system/boot config'
commands not retained after reload |
|
5585-10 traceback in Thread Name: idfw_proc |
|
ASA traceback in threadname
ssh |
|
ASA: Page Fault traceback in DATAPATH
on standby ASA after booting up |
|
WebVPN rewrite fails for MSCA Cert enrollment page / VBScript |
|
ASA memory leak due to vpnfo |
|
Interfaces get deleted on SFR during HA configuration sync |
|
ASA: Traceback on ASA in Datapath as we enable SFR traffic redirection |
|
ASA Access-list missing and losing elements Warning Message
enhancement |
|
ASA-2-321006 May be received invalidly when memory is not high |
|
Interface health-check failover causes OSPF not to advertise ASA
as ABR |
|
Observing Memory corruption, assert for debug ospf |
|
ASA Cut-through Proxy inactivity timeout not working |
|
ASA Cluster fragments reassembled before transmission with no
inspection |
|
ASA may Traceback with Thread Name:
cluster rx thread |
|
ASA may Traceback with Thread Name:
Unicorn Admin Handler |
|
ASA: SSH being denied on the ASA device as the maximum limit is
reached |
|
ASA cant delete ACL lines and remarks - Specified remark does
not exist |
|
2048/1550/9344 Byte block leak cause traffic disruption &
module failure |
|
ASA traceback with Thread Name:
Dispatch Unit |
|
show service-policy output reporting incorrect values |
|
TLS Proxy feature missing client trust-point command |
Revision: Version 9.4(3)4 – 06/22/2016
Files: asa943-4-smp-k8.bin
Defects resolved since 9.4(3)3:
An assertion was
seen on the stby ASA after config
sync |
Revision: Version 9.4(3)3 – 06/15/2016
Files: asa943-3-smp-k8.bin
Defects resolved since 9.4(3):
ASA traceback in Thread name DATAPATH
when handling multicast packet |
|
ASA - SNMPv3 Traps not Generated for PC Link State in
Multi-Context Mode |
|
Add Asynchronous support for DHCP proxy |
|
ASDM detects a config change when dACL is pushed for Anyconnect
user |
|
Evaluation of pix-asa for OpenSSL March 2016 |
|
Unable to configure a user for ssh
public auth only (tied w/ CSCuw90580) |
|
ASA 9.1(6) traceback in webvpn-datapath : thread name "DATAPATH-2-1524" |
|
ASA - Traceback in CP Processing
Thread During Private Key Decryption |
|
AAA: RSA/SDI unable to set new PIN |
|
Memory leak in 112 byte bin when packet hits PBR and WCCP rules |
|
Active and Standby ASA use same MAC addr
with only active MAC configured |
|
ASA traceback in SSH thread |
|
infinite loop in JS rewriter state machine when return followed by var |
|
Network command disappears from BGP after reload with name |
|
Traceback on editing a network object on exceeding the max snmp hosts |
|
ASA Tback when large ACL applied to
interface with object-group-search |
|
ASA capture type isakmp saving
malformed ISAKMP packets |
|
dynamic crypto map fails if named the same as static crypto map |
|
Evaluation of pix-asa for OpenSSL May 2016 |
|
ASA AnyConnect CSTP Copyright message
changed improperly |
|
ASA Address not mapped traceback -
configuring snmp-server host |