Cisco
ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 8.3.2(42) – 10/08/2014
Files: asa832-42-k8.bin, asa832-42-smp-k8.bin
Defects resolved since 8.3.2(41):
- Cisco ASA HPM Denial of Service Vulnerability
- Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
- Cisco ASA SunRPC Inspection Denial of Service Vulnerability
- Cisco ASA SSL VPN Portal Customization Integrity Vulnerability
- Cisco ASA VPN Failover Commands Injection Vulnerability
- Cisco ASA SSL VPN Info Disclosure and DoS Vulnerability

Revision: Version 8.3.2(41) – 07/11/2014
Files: asa832-41-k8.bin, asa832-41-smp-k8.bin
Defects resolved since 8.3.2(40):
- Multiple Vulnerabilities in OpenSSL - June 2014

Revision: Version 8.3.2(40) – 04/09/2014
Files: asa832-40-k8.bin, asa832-40-smp-k8.bin
Defects resolved since 8.3.2(39):
- Cookie usage in SSL VPN
- Add text section to coredump
- ASA SSL VPN Privilege Escalation Vulnerability

Revision: Version 8.3.2(39) – 10/09/2013
Files: asa832-39-k8.bin, asa832-39-smp-k8.bin
Defects resolved since 8.3.2(37):
- ASA traceback in Unicorn Proxy Thread while processing lua
- ASA - SQL*Net Inspection Engine Denial of Service Vulnerability
- HTTP Deep Packet Inspection Denial of Service Vulnerability
- ASA DNS Inspection Denial of Service Vulnerability
- ASA OSPF LSA Injection Vulnerability
- ASA Remote Access VPN Authentication Bypass Vulnerability
- ASA Digital Certificate HTTP Authentication Bypass Vulnerability

Revision: Version 8.3.2(37) – 03/14/2013
Files: asa832-37-k8.bin, asa832-37-smp-k8.bin
Defects resolved since 8.3.2(34):
- ASA traceback in IKE Daemon while handling IKEv1 message
- ASA 5580 page fault in thread CERT API during pki validation
- ASA may traceback in thread emweb/https
- flash in ASA5505 got corrupted

Revision: Version 8.3.2(34) – 10/10/2012
Files: asa832-34-k8.bin, asa832-34-smp-k8.bin
Defects resolved since 8.3.2(33):
- DHCP Memory Allocation Denial of Service Vulnerability
- SSL VPN Authentication Denial of Service Vulnerability

Revision: Version 8.3.2(33) – 03/14/2012
Files: asa832-33-k8.bin, asa832-33-smp-k8.bin
Defects resolved since 8.3.2(25):
- Warning message for, "igmp static-group" - affective should be effective
- ASA 5580 reboots with traceback in threat detection
- PIX/ASA: When route changes connections over IPSEC tunnel not torn down
- DHCP ACK not sent by the firewall.
- Unable to edit the privilege level for cmd object & object-group in 8.3
- Traceback in t_match compile
- IPv6 : ASA Stops responding to IPv6 ND sollicitation
- IKEv2 traceback with 1 L2L and 1 RA tunnel
- ASA 8.3 upgrade traceback in thread pix_flash_config_thread
- WebVPN:flv file within the Flowplayer object is not played over webvpn
- L2 table entries for identity i/f not deleted when interface removed
- Syslog %ASA-7-108006 generated erroneously
- ASA Unexpectedly Reloads with a Traceback due to a Watchdog Failure
- EIGRP default-route is not displayed w/ "ip default-route" route removed
- ASA: dynamic-filter database update may trigger cpu-hogs
- ASA may traceback in Thread Name: DATAPATH-1-1235 (ipsecvpn-crypto)
- ASA WebVPN clientless not possible to access ipv6 services on the inside
- IPv6 traffic not updated after neighbor changes
- WebVPN:flv file within the Flowplayer object is not mangled correctly
- AC can not connect to the ASA if the no. of group aliases is >190
- ASA traceback in thread emweb/https
- asa 8.2(2) traceback with TN : Unicorn Proxy Thread
- ASA: IPSec outbound SA data lifetime rekey fails
- ASA: SSH sessions return extra characters when using CR+LF
- Oracle Jinitiator over WebVPN sends incorrect HTTP request
- High CPU and Orphaned SSH session for on ASA 8.3(2.8)
- Traceback in Thread Name: IP SLA Mon Event Processor
- ASA - LU allocate connection failed with conn-max policy
- Coverity 100595: FORWARD_NULL in ppp_auth_process_attributes()
- L2TP over IPSec session fails after IPSec P2 rekey
- Zimbra email suite not usable through WebVPN
- traceback in Crypto CA during multiple ocsp requests
- Standby ASA generates syslog 210005 while transmitting data on FTP
- ASA reloads with traceback in Thread Name : Dispatch Unit
- Memory leak on ASA 5585-increase of 1% everyday
- backslash in username for ftp over webvpn changed to semi-colon
- ASA: Traceback in telnet/ci thread when running 'show webvpn svc'
- ASA 8.4.2 http inspection might break certain flows intermittently
- ASA5580 traceback with Thread name telnet/ci
- LDAP authentication fails when no RootDSE info returned
- ASA Failover: 106017 Deny IP due to Land Attack on Normal(Waiting) ifc
- ASA: Local-host and all conns are torn down when client hits conn limit
- ASA doesn't classify MIME type correctly for .exe and .dmg in Firefox
- ASA: Packet classifier fails with 'any' in Object NAT rule
- Traceback in sch_dispatcher thread
- SSM-4GE doesn't handle unicast packets after "hw-module module 1 reset"
- Webvpn :Support for XFRAME: DENY option in portal
- ASA sends Server Identifier field in DHCP REQUESTS duirng renewal
- ASA may traceback in dns_process
- 100% CPU Object Group Search under low traffic due to spin_lock
- ASA: WCCP with authentication fails in 8.3 and 8.4
- ASA 5520 8.2.5 : traceback at thread name snmp
- ASA IKEv1 Traceback in vpnfol_thread_msg ike_fo_create_new_sa on Standby
- ASA 8.4(1) - mailto for xmpp protocol mail clients fails
- Incorrect time displayed on cut through proxy auth page
- NAT-T compatibility improvement with Windows 7
- NAC Framework - Status Query triggers full Posture Revalidation
- Message from ASA is not displayed about password complexity requirements
- ESMTP drops email with DKIM header
- 8.4.2.2: Thread Name: DATAPATH-0-1272 Page fault: Unknown
- Slow memory leak by skinny
- Memory leak in DP udp host logging resulting in 1550 byte blocks leak
- Unexpected packet denials during large ACL compilation
- Inspect PPTP does not change CALL-id for inbound Set-Link-Info Packet
- ASA: 8.3/8.4 no longer logs %ASA-3-713167 syslog for rejected user
- Traceback in Dispatch Unit on Standby with timeout floating-conn
- xlate objects with no associated conns and idle timer > timeout
- WebVPN: Multiple tracebacks seen in WebVPN in Unicorn Proxy thread
- DCERPC inspection does not properly fix up port and IP in Map Response
- ASA Radius User-Password attribute is not included in Access-Request
- ASA should not send data in the 3rd message of TCP 3WHS w/ LDAP over SSL
- webvpn - ES keyboard diacritics incorrectly managed by RDP plugin
- Traceback in Thread Name: IP Address Assign
- ASA is responding to IKE request when in vpnclient mode
- Traceback in Thread Name: tacplus_snd
- netflow: template only send once with default timeout-rate
- Nested Checkheaps traceback w/ domain-lookup & dynamic-filter blacklist
- ASA traceback cause by Global Policy
- ASA may traceback in a DATAPATH thread
- ASA 5520 8.2.5 memory leak in the inspect/gtp area
- Standby Firewall traceback citing nat_remove_policy_from_np+383
- Outbound IPsec traffic interruption after successful Phase2 rekey
- AAA Command Authorization Reactivates Failed Server on Every Attempt
- ASA and apple L2TP IPSec client disconnects
- ASA traceback in thread ci/console with names > 48 char in prefix-list
- wrong vpn-filter gets applied when peers have overlapping address space
- SNMPv3 Information Disclosure Vulnerability
- ASA - Dispatch unit traceback - snp_nat_xlate_timeout
- Some specific flash file doesn't work through WebVPN on ASA
- WebVPN: Oracle Java applets failing thru the rewriter
- vpnclient mac-exempt cmd inconsistent when adding more than 16 entries
- WebVPN:flv file within the Flowplayer object is not played over webvpn
- ASA traceback in thread sch_dispatcher when attempting to call home
- 'show shared license' after toggle license-server causes traceback
- Clientless VPN paging application failure
- Backup Shared license server remains ACTIVE even when the Master is up
- ASA 5580 traceback when CSM attempts deployment
- WebVPN URL Mangler does not handle encoded value of "/"
- 5580: assert failure in thread CP Processing
- ASA webvpn doesn't rewrite some redirect messages properly
- ASA: Traceback after removing 'ip address dhcp setroute' with DDNS
- DACL is not applied to AC when connection via the webportal
- Threat Detection Denial Of Service Vulnerability
- TCP sequence space check ignored in some cases
- WebVPN: CIFS: Incorrect MIME type for PDF files - iPad/iPhone
- Natted traffic not getting encrypted after reconfiguring the crypto ACL
- When ASA sends a username with a "\", WSA logs errors.
- SSLVPN Portal uses incorrect DNS Group after failover
- L2TP over IPSec connections fail with ldap authorization and mschapv2
- Page fault traceback with thread name "pix_flash_config_thread".
- Apple Lion OS L2TP Client behind NAT device does not connect
- Cut-through proxy - users unable to log in
- Page fault traceback in crypto_lib_keypair_show_mypubkey_all
- Outbound IPsec traffic interruption after successful Phase2 rekey
- ASA: May traceback in DATAPATH during capture
- Standby ASA traceback in DATAPATH-0-1400 or Dispatch Unit
- Traceback when memory low and memory profile enabled
- Webvpn : Javascript rewrite causing login button to be inactive
- ASA does not start DPD when phase 1 up but phase 2 down
- VPN session failure due to auth handle depletion
- Received unexpected event EV_REMOVE in state AM_WAIT_DELETE
- ActiveX RDP Plugin fails to connect from WIn7 PC after upgrade to 8.4(3)
- MSFT KB2585542 breaks cut-thru proxy and IUA
- RDP activex portforwarder is sometimes not loading

Revision: Version 8.3.2(25) – 08/31/2011
Files: asa832-25-k8.bin, asa832-25-smp-k8.bin
Defects resolved since 8.3.2(13):
- CS: undebug all command doesn't disable debug crypto ca server
- show memory in a context shows incorrect memory usage
- Traceback on ACL modify: assertion "status" at "stride_terminal_node.c"
- Linkdown, Coldstart SNMP Traps not sent with certain snmp-server config
- ASA NAT: LU allocate xlate failed error
- Low performance over shared vlans in multi-mode
- Multi-context ASA Resets a connection from Flooded packet
- ASA may leave connection in half-closed state
- DHCP ACK not sent by the firewall.
- Traceback in Thread Name: Checkheaps due to logging
- WebVPN: Any email can't be sent in OWA 2010 with S/MIME installed
- WebVPN: Bad performance on Internet Explorer 8 for OWA 2010 Premium
- ASA not sending all logging messages via TCP logging
- Clientless WebVPN Memory Leak Causes Blank Page after Authentication
- WebVPN: Preview mode for emails works improperly for DWA 8.5.1
- Write Mem on active ASA 8.3 produces log 742004 on standby
- ASA WebVPN doesnt rewrite URL Encoded Data in Location Response Header
- Assert Failure caused Traceback in Thread Name: Dispatch Unit
- PIM packet with own source address seen after failover on standby peer
- ASA 8.0.5.9 with a traceback in Thread Name:Checkheaps
- SNMP: ASA responds after two SNMP requests
- ASA fails to delete an existing object in object-group
- The file name is garbled as downloading through SSLVPN and CIFS.
- ASA 8.2.2.x traceback in Thread Name: Dispatch Unit
- EIGRP metrics will not update properly on ASA
- Connections stay open w/ 'sysopt connection timewait' & NetFlow
- WebVPN: Empty emails content for OWA 2010 through Firefox
- ASDM doesn't back up certificate files - indicates that it does
- Packet-tracer not working in Multi Routed mode
- DAP:Control access of AnyConnect Apple iOS Mobile without CSD
- WebVPN: Function "get_base_path" give an error for empty urls
- ASA: SYN may change close-wait conn to SYN state
- Problems with Intranet Page displaying when defined as Home Page w/ASA
- ASA - VPN outbound traffic stalling intermittently after phase 2 rekey
- ASA webvpn; certain ASP elements may fail to load/display properly
- ASA: multiple rules in Name Contraints certificate extension fails
- certificate name contraints parsing fails when encoding is IA5String
- Customers Application HQMS being broken by Webvpn Rewriter
- WebVPN:flv file within the Flowplayer object is not played over webvpn
- ASA - no names applied to the config when refreshing the config on ASDM
- Webvpn, SSO with Radius, CSCO_WEBVPN_PASSWORD rewritten with OTP, 8.3
- OWA login page strip "\" from "domain\username"
- SSH processes stuck in ssh_init state
- OpenSSL Ciphersuite Downgrade and J-PAKE Issues
- IKE proposal for L2TP over IPSec global IKE entry match is duplicated
- Change in Layered Object Group Does Not Update NAT Table
- ASA rewriter: radcontrols based AJAX/ASP website not working properly
- Error entering object group with similar name as network object
- NAT Xlate idle timer doesn't reset with Conn.
- "clear conn" behaviour is inconsistent with "show conn"
- ASA reload in thread name rtcli when removing a plugin
- ASA MSN Inspection Watchdog Crash
- SSL handshake - no certificate for uauth users after 8.2.3 upgrade
- ASA not posting correct link with Protegent Surveillance application
- UTC time not shown when clock set through user configuration
- DAP ACL in L2TP doesn't get applied after successful connection
- The javascript is truncated when accessing via WebVPN portan on ASA
- Cut-through Proxy - Inactive users unable to log out
- ASA may log negative values for Per-client conn limit exceeded messg
- ASA traceback when layer-2 adjacent TCP syslog server is unavailable
- ASA 8.3 with Static NAT - passes traffic with translated IP in the acl
- Redundant switchover occurs simultaneously on failover pair
- Default "username-from-certificate CN OU" doesn't work after reload
- ASA TCP sending window 700B causing CSM deployment over WAN slow
- ASA - Traceback in thread DATAPATH-6-1330
- Invalid internal Phone Proxy trustpoint names generated by imported CTL
- Traceback in DATAPATH-2-1361, eip snp_fp_punt_block_free_cleanup
- ASA WEBVPN: POST plugin - Can not find server .plugins. or DNS error
- VPN ports not removed from PAT pool
- 'show mem' reports erroneous usage in a virtual context
- ASA: Traceback in fover_parse thread after making NAT changes
- Timeout needs twice time of configured timeout for LDAP in aaa-server
- IPv6 ping fails when ping command includes interface name.
- ASA SAP purchasing app may display incorrectly over webvpn
- L2L IPv6 tunnel with failover not supported Syslog Broken
- ESMTP Inspection Incorrectly Detects End of Data
- ASA 8.2.4 402126: CRYPTO: The ASA created Crypto Archive File
- ASA 5520 traceback in thread emweb/https
- Traceback in SSH due to ACL
- URLs in Hidden Input Fields not Rewritten Across WebVPN
- the packet is discarded when the specific xlate is exist.
- FTP transfer fails on Standby ASA - uses wrong IP add. in PORT command
- ASA fails over under intensive single-flow traffic
- One-to-many NAT with "any" interface not working with PPTP and FTP
- Traceback in fover_FSM_thread with IPv6 failover on SSM-4GE-INC
- ASA: police command with exceed-action permit will not replicate to Stby
- Bookmark macro in post parameters is not replaced with correct user/pass
- ASA stops handling ikev2 sessions after some time
- ASA(8.3) adds a trailing space to the object name and the description
- egress ACL packet drops erroneously counted on ingress interface
- VPN ports not removed from PAT pool (UDP cases)
- correct error msg be displayed instead of "ERROR: % Invalid Hostname"
- ASA5580 traceback in DATAPATH-7-1353
- BTF DNS-Snooping TTL maxes out at 24 hours, less than actual TTL
- Search query timeout/errors in SAP purchasing portal via clientless
- ASA Traceback in Thread Name: snmp
- Traceback: Thread Name: DATAPATH-3-1276
- LDAP Authorization doesn't block AccountExpired VPN RA user session
- ASA: override-account-disable does not work without password-management
- AnyConnect DTLS Handshake failure during rekey causes packet loss
- ASA: Memory leak in PKI CRL
- WebVPN: Office WebApps don't work for SharePoint 2010 in IE
- "ip local pool" incorrectly rejected due to overlap with existing NAT
- Dynamic Filter DNS Snooping Database size too small
- WebVPN: Dropdown menu doesn't work in customized SharePoint 2010
- Easy VPN authentication may consume AAA resources over time
- DTLS handshake fails on ASA when client retransmits ClientHello
- asa traceback on 8.3.2.13 Thread Name: Dispatch Unit
- call-home config auto repopulates after reboot
- ASA 8.4.1 traceback in Thread UserFromCert
- ASA traceback in 8.4.1 with memory failure errors on IKE daemon
- ASA: Ldap attributes not returned for disabled account
- ASA may traceback when using trace feature in capture
- DAP terminate msg not showing for clientless, cert only authentication
- ASA uses a case-sensitive string compare with IBM LDAP server
- ASA: L2TP and NAT-T overhead not included in fragmentation calculation
- ASA: 8.3 upgrade to 8.4, Shared VPN Licensing config lost unable to conf
- multicast packets dropped in the first second after session creation
- CSCto40365: Crafted TACACS+ reply considered as successful auth by ASA
- ASA fails to process the OCSP response resulting in the check failure
- FWSM: DCERPC inspection of packet with multiple segments fails
- ASA reset TCP socket when RTP/RTCP arrives before SIP 200 OK using PAT
- can not access cifs folder with japanese character
- HA: Failover LU xmit/rcv statistics is different on Active and Standby
- SAP Portal - Event Tracking Script fails to display correclty
- Traceback with phone-proxy Thread Name: Dispatch Unit
- ASA 8.4.1 traceback in Thread Name: Unicorn Proxy Thread
- FO cluster lic doesnt work if primary reboots while secondary is down
- ASA AC failure due to slow memory leak: "Lua runtime: not enough memory"
- Traceback in Thread Name: gtp ha bulk sync with failover config
- ASA Sequence of ACL changes when changing host IP of object network
- ST not injected in mstsc.exe on 32-bit Win 7 when started through TSWeb
- ASA sends invalid XML when tunnel-group name contains &
- SunRPC inspection DUMP reply crash
- SunRPC inspection credential length crash
- VPN RA session DAP processing fails with memberOf from OpenLDAP
- SunRPC inspection arithmetic overflow in parse_transport_address
- SunRPC inspection arithmetic overflow in portmap code
- ASA: Traceback in ci/console on Standby unit
- Host listed in object group TD shun exception gest shunned
- Threat-detecton stats showing incorrect output
- WebVPN : bytes lost in ftp uploading using IE via smart tunnel
- VPN-Filter Not Applied When AC Initiated Through Weblaunch
- IPSec - Error message trying to reserve UDP port in Multicontext mod
- Java RDP plugin doesn't work with sslv3 on ASAs
- CSD scan happens for SSL VPN when connecting via group alias
- CPU Hog found when invoking 'svc image'
- ASA rebooted unit always become active on failover setup
- Using non-ASCII chars in interf desc makes the ASA reload with no config
- OWA 2007 via WebVPN Sessions fail to get notifications of new emails
- ASA Tracebacks in 'Thread Name: IPv6 ND'
- Cannot point IPv6 route to a link-local that matches other intf
- CSCtq57697: ILS inspection traceback on malformed ILS traffic
- Webvpn/mus memory leak observed in 8.4.1.63
- Interface "description" command allows for more than 200 characters.
- ASA may reload in threadname Dispatch unit
- ASA traceback due to dcerpc inspection.
- ASA wont take "ip audit info action alarm" under "crypto ca" subcommand
- ASA traceback in thread Dispatch Unit
- L2L - IPSEC Backup- Peer list is not rotated/cycled with dual failure
- lightview based Modal Elements do not work with webvpn
- DCERPC Inspection Denial Of Service Vulnerability
- DCERPC Inspection Buffer Overflow Vulnerability
- DCERPC Inspection Denial Of Service Vulnerability
- ASA: Certificate renewal from same CA breaks SSLVPN
- ASA threat detection does not show multicast sender IP in statistics
- Traceback in Dispatch Unit when replicating xlates to standby
- Java AJAX session does not work over SSLVPN
- ASA - panic traceback when issuing show route interface_name
- ASA - Reload in Thread Name: PIM IPv4
- ASA: asr-group in TFW A/A FO doesn't rewrite dst MAC for IP fragments
- connections are not replicated to standby unit
- Enabling AC Essentials should logoff webvpn sess automatically
- Active ASA traceback Thread: DATAPATH-3-1290, rip spin_lock_get_actual
- Java RDP plugin traceback when using empty user in URL to Win2008 server
- ASA may traceback when executing packet-tracer via console/ssh/telnet

Revision: Version 8.3.2(13) – 02/01/2011
Files: asa832-13-k8.bin, asa832-13-smp-k8.bin
Defects resolved since 8.3.2(4):
- ASA may traceback when executing packet-tracer via console/ssh/telnet
- Conns should update when using dynamic protocol and floating statics
- Clientless webvpn on ASA cannot save .html attached file with IE6 OWA
- Webvpn- rewrite : ASA inserts lang=VBScript incorrectly
- IXGBE: interface rx queue low count at 0
- sev1 syslog seen after three failed authentication attempts
- ASA: TFW sh fail output shows Normal(waiting) when Sec unit is act
- SSH to the ASA may fail - ASA may send Reset
- Cmd authorization fails for certain commands on fallback to LOCAL db
- ASA/PIX may generate an ACK packet using TTL received by sender
- Traceback in thread name Dispatch Unit
- EIGRP bandwidth value listed incorrectly for SFP gig link on SSM-4GE
- dynamic-filter database update triggers cpu-hog
- Error message appears on 5505 console when entering "clear isa sa"
- ASA 8.3 reboots after installing memory upgrade and copying file
- ASA Traceback in Thread Name: snmp / checkheaps
- WebVPN: "Invalid Canary" error for different options in OWA 2010
- ASA - VPN load balancing is disabled after failover
- Inspection triggers block depletion resulting in traffic failure
- WebVPN CIFS: 'Authentication error', when DFS host is not reachable
- WebVPN: Preview mode for emails works improperly for DWA 8.5.1
- NAT on 8.3 fails during RPF check
- SMTP DATA packet ending with <CRLF>. wrongly considered as end of DATA
- ASA tracebacks in Thread Name: Dispatch Unit
- WebVPN: DWA 8.0.2 will hung up for message forwarding process
- ASA pair (8.3.1) traceback in Thread Name: Dispatch Unit
- ASA (8.3.1.9) traceback in Thread Name: DATAPATH-5-1315
- AC reports 'certificate validation failed' with VPN LB intermittently
- Traceback in Thread Name: lu_rx - gtp_lu_process_pdpmcb_info
- Transparent fw w/ASR group sets dstMAC to other ctx for last ACK for 3WH
- NAT portlist with failover enabled triggers tmatch assert
- Control-plane feature not working for https traffic to-the-box
- TS Web AppSharing stops working across WebVPN in 8.3.2
- The file name is garbled as downloading through SSLVPN and CIFS.
- webvpn-other: assert traceback in Thread Name: Unicorn Proxy Thread
- Management connection fail after multiple tries with SNMP connections.
- interface command on vpn load-balancing should be shown
- ASA/ASDM history shows total SSL VPN sessions for clientless only
- IUA Authentication appears to be broken
- TFW mode regens cert every time 'no ip address' applied to mgmt int
- slow mem leak in ctm_sw_generate_dh_key_pair
- PKI session exhaustion
- ASA 8.2.3 may not accept management connections after failover
- Standby ASA may traceback in IKE Daemon while deleting a tunnel
- rtcli: traceback in rtcli async executor process, eip ci_set_mo
- ASA 5550 8.3.2 traceback in Thread Name: OSPF Router
- ACL hash incorrect for protocol object
- L2L traffic recovery fails following intermediary traffic disruption
- ASA Captures will not capture any traffic when match icmp6 is used
- ARP table not updated by failover when interface is down on standby
- ASA 5505 may traceback when booting with an AIP SSC card installed
- Deleting group-policy removes auto-signon config in other group-policies
- ASA automatically enables the 'service resetoutside' command
- Orphaned SSH sessions and High CPU
- Traceback in IKE Timekeeper
- Email Proxy leaking 80 block w/ each email sent
- page fault traceback in IKE Daemon
- Second L2TP session disconnects first one if NATed to the same public IP
- Host Scan with Blank OU field in personal cert causes DAP to fail
- Traceback with thread name netfs_thread_init
- ASA webvpn "csco_HTML" may be added to form
- SYSLOG message 106102 needs to show Username for DAP/vpn-filter
- ASA traceback when using a file management on ASDM
- CPU Hog in "NIC status poll" when failing over redundant intf members
- Quitting "show controller"command with 'q' degrades firewall performance
- ASR trans FW rewrites wrong dst. MAC when FO peers active on same ASA
- Cut-through proxy sends wrong accounting stop packets
- Traceback in mmp inspection when connecting using CUMA proxy feature.
- Last CSD data element is not being loaded into DAP
- Page fault traceback on standby in QOS metrics during idb_get_ifc_stats
- Failed to update IPSec failover runtime data on the standby unit
- WebVPN vmware view does not work after upgrade to ASA 8.2.3 and 8.3.2
- ldap-password-management fails if user password contained & (ampersand)
- Traceback in Thread Name: ldap_client_thread
- IPSec/TCP fails due to corrupt SYN ACK from ASA when SYN has TCP option
- WebVPN: ASA fails to save HTTP basic authentication credential
- Customers Application HQMS being broken by Webvpn Rewriter
- Primary stays in Failed state while all interfaces are up
- ASA as EasyVPN Client failure on WAN IP Change when using 'mac-exempt'
- "ci/console " traceback when writing large nat config with FO
- Standby unit sends ARP request with Active MAC during config sync
- Webvpn: Java-Trustpoint cmd error, doesn't accept MS code-signing cert
- Group enumeration possible on ASA
- H225 keepaplive ACK is dropped
- a space inserted behind video port number after SIP inspect with PAT on
- Watchdog timeout traceback following "show route"
- HA replication code stuck - "Unable to sync configuration from Active"
- timeout command for LDAP in aaa-server section doesn't work
- Memory leak in occam new arena
- ASA traceback in Thread Name:radius_rcv_auth
- IKE Session : Cumulative Tunnel count always shows Zero
- Webvpn memory pool may report negative values in "% of current" field.
- ASA locks up port with mus server command
- WebVPN incorrectly rewrite logout link of Epic app through Firefox
- MUS debugs are running with no mus configured
- homepage use-smart-tunnel not working with Firefox on OSX
- snmpwalk for crasLocalAddress reports: No Such Instance currently exists
- Failover interface monitoring only works with the first ten interfaces.
- Traceback in Dispatch Unit due to dcerpc inspection
- vpn-filter removed incorrectly from ASP table with EzVPN hw clients

Revision: Version 8.3.2(4) – 09/22/2010
Files: asa832-4-k8.bin, asa832-4-smp-k8.bin
Defects resolved since 8.3.2:
- DHCPD: show binding should display client-id instead of hw address
- ENH: Allow DCERPC inspect to open pin-holes for WMI queries. non epm map
- TFW ENH: Management interface should operate in routed mode
- 8.2.1.11 Webvpn not able to show dropdowns items written in javascripts
- Heap memory head magic verification failed on asdm access
- WebVPN Application Access page not displayed if AES chosen
- Citrix plugin error with HTTPBrowserAddress parameter
- ASA Traceback Thread Name: Dispatch Unit
- PP: MTA can be replaced with static/dynamic route
- ASA Fails to assign available addresses from local pool
- when doing DTLS rekey, AC may get disconnected with reason idle-timeout
- Wrong url message is generated when access to group-url ended with "/"
- Removing HTTP server caused page fault traceback
- debug webvpn response does not generate any output
- ASA local CA: not redirected to cert download page when user first login
- ASA:high memory usage seen on ASA version 8.0.x onwards
- Access List for L2L "show crypt ipsec sa" blank after FO and rekey
- CIFS SSO fails with non-ASCII characters in username or password
- ASA traceback in Thread Name: RIP Send
- WEBVPN: PDF form button doesn't work with secure link
- Cannot SSH to ASA after making changes to webvpn portal via ASDM
- Clientless WebVPN: DWA 8.0.2 fails to forward attachments
- show run all command causes SSH session hang
- RTSP is not translating the client-ports correctly
- ASA - webtype ACLs are not replicated to the standby
- CWA doesn't login with IE 7 and IE8 or render properly with FireFox 3.x
- ASA 8.3 cut-through-proxy behavior change when authenticating to ASA ip
- ASA sends invalid XML when group-alias contains &
- show nat command shows incorrect line numbers for NAT config lines
- ASA:UDP conns not properly reclassified when tunnel bounces
- Changing interface config to dhcp will add AAA cmd and break EasyVPN
- Timer error on console not useful: init with uninitialized master
- ASA:vpn-sessiondb logoff ipaddress <peer> does not clear tunnelled flows
- show conn port functionality change
- ASA WebVPN : Forms don't get saved in CRM due to no pop-up
- Transparent mode ASA does not pass IPv6 Router Advertisement packet
- ha :Watchdog fover_FSM_thread during failover IPv6 on SSM-4GE-INC
- Traceback in Unicorn Proxy Thread, address not mapped
- DAP_ERROR:...dap_add_csd_data_to_lua: Unable to load Host Scan data:
- "show service-policy inspect <engine>" may leak 16384 bytes per output
- ASA HTTP response splitting on /+CSCOE+/logon.html
- WebVPN - rewriter inteprets "application/pdf" as generic link
- ST not injected in mstsc.exe on 64-bit Win 7 when started through TSWeb
- Memory not released after EZVPN client with cert fails authentication
- ASA 8.3; vpn db; IP information not consistent with previous versions
- ASA traceback due to memory corruption
- After failover, CPU-hog and send out ND packet using Secondary MAC
- per-client-max and conn-max does not count half-closed connections
- MS-CHAP-Response generated by ASA has incorrect flags (0x11)
- Search using Dojo Toolkit fails across WebVPN with 404 Error
- ASA XSS on /+CSCOE+/portal.html webvpnLang variable
- ASA: Session Cookies not Marked Secure
- APCF code does not interpret HTTP 304 response code correctly
- vpn-access-hours does not work if client authenticated by certificate
- WEBVPN: Copying >2 GB files fails through CIFS
- Webvpn Customization, DfltCustomization form-order XML error
- "failover exec standby" TACACS+ authorization failure
- Traceback: watchdog in tmatch_release_actual with large tmatch tree
- NAT portlist with failover enabled triggers tmatch assert
- Changing configuration on FT INT not possible after disabling failover
- ISAKMP Phase 1 failure from Remote->ASA with default Phase 1 Values
- Traceback Thread Name: IKE Daemon Assert
- ASA - failover - packet loss when hw-mod reset of SSM mod in fail-open
- ASA SIP inspection does not rewrite with interface pat
- re-enter ipv6 enable does not bring back RRI routes
- invalid ipv6 RRI routes remains after crypto acl changes
- VPN-Filter rules not being cleared even after all vpn sessions gone.
- ASA Traceback in thread Dispatch Unit when executing command alias via https
- timed mode does not fallback to LOCAL if all aaa server are FAILED
- ASA traceback when assigning priv level to mode ldap command "map-value"
- ASA L2L VPN Negative packet encapsulation figures
- ASA traceback in Thread Name: emweb/https when DAP has IPv6 acl on it