Cisco ASA 9.4.3 Interim Build Release Notes

Cisco ASA Interim Release Notes

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

Revision: Version 9.4(3)12 – 11/03/2016

Files: asa943-12-smp-k8.bin

Defects resolved since 9.4(3)11:

CSCuw95262	After some time flash operations fail and configuration can not be saved
CSCux92157	ASA Traceback Assert in Thread Name: ssh_init with component ssh
CSCuy47545	http config missing in multicontext after reload of stdby 916.9 or later
CSCuy89288	AnyConnect DTLS on-demand DPDs are not sent intermittently
CSCva00190	ASA 9.4.2.6 High CPU due to CTM message handler due to chip resets
CSCva39094	ASA traceback in CLI thread while making MPF changes
CSCva68364	SNMPv3 active engineID is not reset when ASA is replaced
CSCva69799	ASA stuck in boot loop due to FIPS Self-Test failure
CSCva70095	ASA negotiates TLS1.2 when server in tls-proxy
CSCva77852	ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon
CSCva85382	ASA memory leak for CTS SGT mappings
CSCva87160	OTP authentication is not working for clientless ssl vpn
CSCva90419	issuer-name falsely detecting duplicates in certificate map using attr
CSCva94702	Enqueue failures on DP-CP queue may stall inspected TCP connection
CSCvb05667	H.323 inspection causes Traceback in Thread Name: CP Processing
CSCvb14997	ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer
CSCvb19251	ASA as DHCP relay drops DHCP 150 Inform message
CSCvb21922	Remove ACL warning messages in show access-list when FQDN is unresolved
CSCvb22435	ASA Traceback in thread name CP Processing due to DCERPC inspection
CSCvb27868	ASA 1550 block depletion with multi-context transparent firewall
CSCvb31833	Traceback : ASA with Threadname: DATAPATH-0-1790
CSCvb32297	WebVPN:VNC plugin:Java:Connection reset by peer: socket write error
CSCvb36199	Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback
CSCvb39147	Lower NFS throughput rate on Cisco ASA platform
CSCvb45039	ASA traceback with Thread Name aaa_shim_thread
CSCvb49445	IKEv2: It is NOT cleaning the sessions after disconnected from the client.
CSCvb52988	ASA Traceback Thread Name: emweb/https
CSCvb63503	AAA session handle leak with IKEv2 when denied due to time range
CSCvb64161	ASA fairly infrequently rewrites the dest MAC address of multicast packet for client

Revision: Version 9.4(3)11 – 09/27/2016

Files: asa943-11-smp-k8.bin

Defects resolved since 9.4(3)8:

CSCum74032	ASA traceback on standby when SNMP polling
CSCux17527	ASA memory leak related to Botnet
CSCux98029	ASA reloads with traceback in thread name DATAPATH or CP Processing
CSCuy10665	HA: Number of interfaces mismatch after SFR module reload on both units
CSCuy87597	ASA - Traceback in CP Processing Thread During Private Key Decryption
CSCuz06499	WebVPN: Webpage not fully rewritten when ASA has the same FQDN as srv
CSCuz09255	ASA does not respond to NS in Active/Active HA
CSCuz16398	Incorrect modification of NAT divert table.
CSCuz42390	ASA Stateful failover for DRP works intermittently
CSCuz44968	Commands not installed on Standby due to parser switch
CSCuz72352	traceback during tls-proxy handshake
CSCuz80281	IPv6 neighbor discovery packet processing behavior
CSCuz92074	ASA with PAT fails to untranslate SIP Via field that doesnt contain port
CSCuz94862	IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck
CSCuz98704	Traceback in CP Processing thread after upgrade
CSCva00939	Remove ACL warning messages in show access-list when FQDN is resolved
CSCva01570	Unexpected end of file logon.html in WebVPN
CSCva02817	ASA not rate limiting with DSCP bit set from the Server
CSCva05513	ASA: SLA Monitor not working with floating timeout configured to nonzero
CSCva15911	On reloading the ASA, ASA mounts SSD as disk 0, instead of the flash.
CSCva16471	IPv6 OSPF routes do not update when a lower metric route is advertised
CSCva31378	ASA treaceback at Thread Name: rtcli async executor process
CSCva35439	ASA DATAPATH traceback (Cluster)
CSCva36202	BGP Socket not open in ASA after reload
CSCva36884	Cisco ASA Cross Site Scripting SSLVPN Vulnerability
CSCva39804	Interfaces get deleted on SFR during cluster rejoining
CSCva40844	Crypto accelerator ring timeout causes packet drops
CSCva46920	Traceback in Thread Name: ssh when issuing show tls-proxy session detail
CSCva49256	memory leak in ssh
CSCva68987	ASA drops ICMP request packets when ICMP inspection is disabled
CSCva69584	OSPF generates Type-5 LSA with incorrect mask, which gets stuck in LSDB
CSCva84635	ASA: CHILD_SA collision brings down IKEv2 SA
CSCva90806	ASA Traceback when issue 'show asp table classify domain permit'
CSCva91420	ASA Traceback in CTM Message Handler
CSCvb04685	Unable to delete the SNMP config
CSCvb14664	ASA traceback in ipsecvpn-crypto

Revision: Version 9.4(3)8 – 08/26/2016

Files: asa943-8-smp-k8.bin

Defects resolved since 9.4(3)6:

CSCuz80281	IPv6 neighbor discovery packet processing behavior
CSCva92151	Cisco ASA SNMP Remote Code Execution Vulnerability

Revision: Version 9.4(3)6 – 07/30/2016

Files: asa943-6-smp-k8.bin

Defects resolved since 9.4(3)4:

CSCtw90511	Packet captures cause CPU spike on Multi-Core platforms due to spin_lock
CSCub34054	L2 Clustering:OSPFv2, Eigrp and OSPFv3 RIB not replicated to slave node
CSCuh99564	Password change page can be displayed without authentication
CSCup37416	Stale VPN Context entries cause ASA to stop encrypting traffic
CSCuy00296	Traceback in Thread: IPsec message handler
CSCuy67333	SIP call transfer fail due to differences b/w fixing CallId and Refer-To
CSCuy74593	ASA AnyConnect IKEv2 scripts help customisations not served after reload
CSCuy98769	Slow ASA OSPF interface transition from DOWN to WAITING after failover
CSCuz00077	ASA 9.1.6.4 traceback with Thread Name: telnet/ci
CSCuz14600	Kenton 9.5.1'boot system/boot config' commands not retained after reload
CSCuz14808	5585-10 traceback in Thread Name: idfw_proc
CSCuz21178	ASA traceback in threadname ssh
CSCuz38180	ASA: Page Fault traceback in DATAPATH on standby ASA after booting up
CSCuz38888	WebVPN rewrite fails for MSCA Cert enrollment page / VBScript
CSCuz40081	ASA memory leak due to vpnfo
CSCuz40793	Interfaces get deleted on SFR during HA configuration sync
CSCuz54193	ASA: Traceback on ASA in Datapath as we enable SFR traffic redirection
CSCuz58142	ASA Access-list missing and losing elements Warning Message enhancement
CSCuz60555	ASA-2-321006 May be received invalidly when memory is not high
CSCuz61092	Interface health-check failover causes OSPF not to advertise ASA as ABR
CSCuz63531	Observing Memory corruption, assert for debug ospf
CSCuz66661	ASA Cut-through Proxy inactivity timeout not working
CSCuz67349	ASA Cluster fragments reassembled before transmission with no inspection
CSCuz67590	ASA may Traceback with Thread Name: cluster rx thread
CSCuz67596	ASA may Traceback with Thread Name: Unicorn Admin Handler
CSCuz70330	ASA: SSH being denied on the ASA device as the maximum limit is reached
CSCuz79800	ASA cant delete ACL lines and remarks - Specified remark does not exist
CSCuz90648	2048/1550/9344 Byte block leak cause traffic disruption & module failure
CSCuz98220	ASA traceback with Thread Name: Dispatch Unit
CSCva03607	show service-policy output reporting incorrect values
CSCva24799	TLS Proxy feature missing client trust-point command

Revision: Version 9.4(3)4 – 06/22/2016

Files: asa943-4-smp-k8.bin

Defects resolved since 9.4(3)3:

CSCuw58948

An assertion was seen on the stby ASA after config sync

Revision: Version 9.4(3)3 – 06/15/2016

Files: asa943-3-smp-k8.bin

Defects resolved since 9.4(3):

CSCus37458	ASA traceback in Thread name DATAPATH when handling multicast packet
CSCuu22517	ASA - SNMPv3 Traps not Generated for PC Link State in Multi-Context Mode
CSCux70812	Add Asynchronous support for DHCP proxy
CSCuy48004	ASDM detects a config change when dACL is pushed for Anyconnect user
CSCuy54567	Evaluation of pix-asa for OpenSSL March 2016
CSCuy58084	Unable to configure a user for ssh public auth only (tied w/ CSCuw90580)
CSCuy63642	ASA 9.1(6) traceback in webvpn-datapath : thread name "DATAPATH-2-1524"
CSCuy87597	ASA - Traceback in CP Processing Thread During Private Key Decryption
CSCuy89425	AAA: RSA/SDI unable to set new PIN
CSCuz04534	Memory leak in 112 byte bin when packet hits PBR and WCCP rules
CSCuz06125	Active and Standby ASA use same MAC addr with only active MAC configured
CSCuz08625	ASA traceback in SSH thread
CSCuz09394	infinite loop in JS rewriter state machine when return followed by var
CSCuz30425	Network command disappears from BGP after reload with name
CSCuz36938	Traceback on editing a network object on exceeding the max snmp hosts
CSCuz38115	ASA Tback when large ACL applied to interface with object-group-search
CSCuz38703	ASA capture type isakmp saving malformed ISAKMP packets
CSCuz41033	dynamic crypto map fails if named the same as static crypto map
CSCuz52474	Evaluation of pix-asa for OpenSSL May 2016
CSCuz53186	ASA AnyConnect CSTP Copyright message changed improperly
CSCuz54545	ASA Address not mapped traceback - configuring snmp-server host