Cisco ASA Interim Release Notes

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

Revision: Version 9.6(2)13 – 03/10/2017
Files: asa962-13-smp-k8.bin
Defects resolved since 9.6(2)11:

OCSP Responder certificate must contain OCSPSigning EKU
CRL must be signed by certificate containing cRLSign key usage

Revision: Version 9.6(2)11 – 02/22/2017
Files: asa962-11-smp-k8.bin
Defects resolved since 9.6(2)7:

ASA: Auth failures for SNMPv3 polling after unit rejoins cluster
ASA: Stuck uauth entry rejects AnyConnect user connections
CWS redirection on ASA may corrupt sequence numbers with https traffic
ASA: Protocol and Status showing UP without connecting the interface
Unicorn Proxy Thread causing CP contention
ASA: SIP Call Drops with PAT when same media port used in multiple calls
SCTP MH:pin hole removed and added freq on standby with dual nat
ICMP error packets in response to reply packets are dropped
ASA 5585-60 dropping out of cluster with traceback
SIP: Address from Route: header not translated correctly
ENH:Support to validate certificate verify signature that uses 512 hash
ASA Page fault traceback in Thread Name: DATAPATH
IPv6 DNS packets getting malformed when DNS inspection is enabled.
ASA not sending Authen Session End log if user logs out manually
ASA Traceback in Checkheaps Thread
ASA traceback observed on auto-update thread.
ASA traceback at Thread Name: rtcli
viewer_dart.js file not loading correctly
VPN tunnels are lost after failover due to OSPF route issue
Object-group-search redundant service group objects are incorrectly removed
ASA dropping traffic with TCP syslog configured in multicontext mode
EZVPN NEM client can't reconnect after "no vpnclient enable" is entered
4GE-SSM RJ45 interface may drop traffic due to interface "rate limit drops"
Failed to ssh management interface after failover and plug-in/out
ASA: Stuck uauth entry rejects AnyConnect connection despite fix for CSCuu48197
WebVPN: Internal page login button not working through rewriter
ASA drops DNS PTR Reply with reason Label length exceeded during rewrite
ASA SIP inspection may delay transmission of 200 OK when embedded with NOTIFY
ASA : memory leak due to ikev2
Interfaces show down and not associated on MIO
ASA cluster TCP/SSL ports are not displayed on LISTEN state
ASA unable to add multiple attribute entries in a certificate map
ASAv traceback randomly
9.6.2 - Traceback during AnyConnect IKEv2 Performance Test
ASA multicontext disallowing new conns with TCP syslog unreachable and logging permit-hostdown set
ASA-SM 9.5.2 inspect-sctp licensing breaks existing deployments
ASA traceback at Thread Name: sch_syslog
Cisco ASA Heap Overflow in Webvpn CIFS
MIB object cempMemPoolHCUsed disappeared
ASA: OspfV3 routes are not getting installed
Error synchronizing the SNMPv3 user after rebooting a cluster unit
ASA memory leak in CloneOctetString when using SNMP polling
Implement speed improvements for ACL and NAT table compilation
ASA traceback in Thread Name: ssh, rip igb_disable_rx_queues after no shutdown of interface
Firepower Threat Defense (FTD) IKEv2 NAT-T gets disabled after reboot
Anyconnect address assignment fails using external DHCP server when ASA is in Multi-context Mode
ASA clustering: mac-address cmd is ignored on spanned port-channel interface in 9.6.2
ASA not update access-list dynamically when forward-reference enable is configured
Webvpn portal not displayed correctly for connections landing on default webvpn group.
ASA inspection-MPF ACL changes are not getting ordered correctly in the ASP Table
ASA may traceback with Thread Name: Unicorn Admin Handler
Reloading Active unit in Active/Standby ASA failover pair is not triggering a failover.
ikev2 handles get leaked in a L2L setup
ASA L3 Cluster: DHCP relay drops DHCPOFFER in case of asymmetric routing
Tracking route is up while the reachability is down
Traceback in ASA Cluster Thread Name: qos_metric_daemon
Traceback observed on gtpv2_process_msg on cluster

Revision: Version 9.6(2)7 – 12/09/2016
Files: asa962-7-smp-k8.bin
Defects resolved since 9.6(2)3:

IPv6 ACLs can be bypassed with crafted packets
ASA classifies TCP packets as PAWS failure incorrectly
ASA Traceback on 9.1.5.19
After some time flash operations fail and configuration can not be saved
L2TP over IPSec can not be connected after disconnection from client.
AnyConnect DTLS on-demand DPDs are not sent intermittently
USGv6 Cert: Non-RH0 Packets Being Dropped w/Valid Policy-Map
ASA ASSERT traceback in DATAPATH due to sctp inspection
Cisco ASA Input Validation File Injection Vulnerability
ASA traceback in CLI thread while making MPF changes
IKEv2 RA cert auth. Unable to allocate new session. Max sessions reached
HTML5: Guacamole server requires page refresh
ASA Cluster DHCP Relay doesn't forward the server replies to the client
H.323 inspection causes Traceback in Thread Name: CP Processing
ASA : Botnet update fails with a lot of Errors
Sweet32 Vulnerability in ASA's SSH Implementation
ASA Traceback in thread name CP Processing due to DCERPC inspection
Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416
ASA traceback with Thread Name aaa_shim_thread
IKEv2: It is NOT cleaning the sessions after disconnected from the client.
Lina core during failover with sip traffic
ASA Traceback Thread Name: emweb/https
GARP flood done by ASAs in multi-site cluster using the site-ip address
9.6.2 TCP connection doesn't work through L2TP
AAA session handle leak with IKEv2 when denied due to time range
ASA-SM traceback with Thread : fover_parse during upgrade OS 9.1.6 to 9.4.3
ASA fairly infrequently rewrites the dest MAC address of multicast packet for client
SCP fails in 962
ASA9.(6)1 regression "internal error" instead of "admin disconnect"

Revision: Version 9.6(2)3 – 11/01/2016
Files: asa962-3-smp-k8.bin
Defects resolved since 9.6(2)2:

v1 handoff gtp stat count incremented for v2-v1 Handoff scenario.
GTPv2 Dropping instance 1 handoffs
Delete Bearer Req fails to delete second default bearer after v2 Handoff callflow.
v1 PDP may get deleted on parse IE failure

Revision: Version 9.6(2)2 – 10/24/2016
Files: asa962-2-smp-k8.bin
Defects resolved since 9.6(2)1:

http config missing in multicontext after reload of stdby 916.9 or later
ASAv ACKs FIN before all data is received during smart licensing exch
ASA 9.4.2.6 High CPU due to CTM message handler due to chip resets
Traceback on CP Process with H323 inspection, rip h323_service_early_msg
ASAv-Azure: waagent may reload when asav deployed with load balancer
Two Upstream Kernel Patches for ASAv in Azure
SmartLic: Inter-chassis master switchover license race condition
ASA negotiates TLS1.2 when server in tls-proxy
EIGRP does not populate routing table on FPR4K with ASA software
ASA memory leak for CTS SGT mappings
issuer-name falsely detecting duplicates in certificate map using attr
Enqueue failures on DP-CP queue may stall inspected TCP connection
FTD: 9k byte block depletion leads to dropped traffic
Remove ACL warning messages in show access-list when FQDN is unresolved
ASA 1550 block depletion with multi-context transparent firewall
AAA authentication/authorization fails if only accessible via mgmt vrf
ASA may generate DATAPATH Traceback with policy-based routing enabled
Traceback: ASA with Threadname: DATAPATH-0-1790
WebVPN:VNC plugin:Java:Connection reset by peer: socket write error
ASA traceback with passive-interface default on 9.6(2)
Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback
Lower NFS throughput rate on Cisco ASA platform

Revision: Version 9.6(2)1 – 09/22/2016
Files: asa962-1-smp-k8.bin
Defects resolved since 9.6(2):

L2 Clustering:OSPFv2, Eigrp and OSPFv3 RIB not replicated to slave node
ASA traceback on standby when SNMP polling
ASA memory leak related to Botnet
ASA Traceback Assert in Thread Name: ssh_init with component ssh
ASA does not respond to NS in Active/Active HA
Commands not installed on Standby due to parser switch
Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability
IPv6 neighbor discovery packet processing behavior
ASA with PAT fails to untranslate SIP Via field that doesn't contain port
ASA not rate limiting with DSCP bit set from the Server
show service-policy output reporting incorrect values
ASA: SLA Monitor not working with floating timeout configured to nonzero
On reloading the ASA, ASA mounts SSD as disk 0, instead of the flash.
IPv6 OSPF routes do not update when a lower metric route is advertised
TLS Proxy feature missing client trust-point command
ASA crash at Thread Name: rtcli async executor process
BGP Socket not open in ASA after reload
Cisco ASA Cross Site Scripting SSLVPN Vulnerability
Traceback in Thread Name: ssh when issuing show tls-proxy session detail
memory leak in ssh
SNMPv3 active engineID is not reset when ASA is replaced
ASA drops ICMP request packets when ICMP inspection is disabled
OSPF generates Type-5 LSA with incorrect mask, which gets stuck in LSDB
ASA stuck in boot loop due to FIPS Self-Test failure
ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon
ASAv show hostname generates smart licensing authorization request
ASA: CHILD_SA collision brings down IKEv2 SA
FTD - 6.1 - redistribute connected is redistributing Internal-Data (NLP)
OTP authentication is not working for clientless ssl vpn
ASA Traceback when issue 'show asp table classify domain permit'
ASA Traceback in CTM Message Handler
Unable to delete the SNMP config
ASA traceback in ipsecvpn-crypto
ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer
ASA as DHCP relay drops DHCP 150 Inform message
Buffer Overflow in ASA Leads to Remote Code Execution