Cisco
ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 8.4.4(9) – 09/25/2012
Files: asa844-9-k8.bin,
asa844-9-smp-k8.bin
Defects resolved since 8.4.4(5):
ASA (8.3.2) traceback in
Thread Name: DATAPATH-1-1295 |
|
ASA: Builds conn for
packets not destined to ASA's MAC in port-channel |
|
Newly Added Failover Unit With
Lesser License Rejects Configuration |
|
Reserve 256 byte block pool
for ARP processing |
|
ASA NAT: LU allocate xlate
failed (for NAT with service port) |
|
Traceback: timer assert due
to nf_block timer race condition |
|
ASA 5585 with IPS inline
-VPN tunnel dropping fragmented packets |
|
ASA:IKEv2 tunnel failure
due to IPsec rekey collision |
|
DAP:Continue/Quarantine
messages display French characters incorrectly |
|
Traceback in Thread Name:
CERT API |
|
8.4.3 system log messages
should appear in Admin context only |
|
ASA: May log 305006 regular
translation creation failed messages. |
|
ASA vulnerable to
CVE-2003-0001 |
|
ASA unexpected system
reboot with Thread Name: UserFromCert Thread |
|
ASA sip inspect -
Pre-allocate SIP NOTIFY TCP secondary channel |
|
ASA:write standby command
brings down port-channel interface on standby |
|
WebVPN:"My Mail"
option doesn't work for OWA2010 |
|
ASA: Page fault traceback
in DATAPATH thread with IPsec traffic |
|
Asa 5580-20:
object-group-search access-control causes failover problem |
|
ASA may traceback while
loading a large context config during bootup |
|
config factory-default does
not clear ssl commands |
|
ASA Content rewrite HTML
content was treated as ajax response |
|
ASA5550 continous reboot
when loading asa84x image |
|
FIFO queue oversubscription
drops packets to free RX Rings |
|
ASA does not check
aaa-server use before removing commands |
|
ASA Webvpn rewriter
compression not working |
|
Standby ASA has duplicate
ACEs for webtype ACLs after 'write standby' |
|
"idle-timeout =
0" is not able to configure with AnyConnect IKEv2 |
|
ASA ospf redistributing
failover interface network |
|
Standby ASA allows L2
broadcast packets with asr-group command |
|
ASA Webvpn form POST is not
rewritten 8.4.1.8 or later |
|
ASA: Manual NAT rules are
not processed in order |
|
ASA traceback under
threadname Dispatch Unit due to multicast traffic |
Revision: Version 8.4.4(5) – 07/24/2012
Files: asa844-5-k8.bin,
asa844-5-smp-k8.bin
Defects resolved since 8.4.4(1):
AUTOCOMPLETE attribute is
not disabled for SSL VPNs |
|
ASA CRYPTO: Hardware
Accelerator Archive File Created |
|
ASA 8.3.x not passing
multicast traffic when RP address is NAT-ed |
|
ASA: DHCP-Relay should
forward out interface based on internal gi-addr |
|
ASA 1550 byte block
depletion in ctm_frag_list |
|
ASA 5505 prints message
%ASA-1-111111 when adding a new vlan interface |
|
ASA admin context memory
usage is invalid |
|
Traceback on clear config
all when mem DFP enab or wr standby on active |
|
Traceback seen while
running packet-tracer due to Page fault |
|
IPV6 router advertisements
dropped by multicontext firewall |
|
vpn-filter removed
incorrectly from ASP table blocks L2L traffic |
|
ASA with VoIP memory leak
1% per day on binsize 56 |
|
Incorrect results returned
by SNMP object cipSecGlobalActiveTunnels |
|
ASA: Radius MS-CHAPV2 with
challenge fails |
|
ASA Multicontext: allocated
interface may not be configurable in context |
|
5585 producing 402123 logs
and denying AC users w/ aaa failing |
|
ASA 8.4(2.1) high memory
and traceback in aaa_shim_thread |
|
VPN: Bytes RCV and XMT
incorrect in session disconnect message |
|
1550 byte block leak in
socks_proxy_datarelay |
|
Webvpn : Javascript rewrite
causing login button to be inactive |
|
Standby ASA traceback while
trying to replicate xlates |
|
Traceback in Thread Name:
Dispatch Unit |
|
CSCtx52020 |
Traceback in Thread Name:
rtcli async executor process |
Packet fragmentation issue
on IPSec Over TCP |
|
Traceback in Thread Name:
Dispatch Unit due to Websense URL Filtering |
|
ASA 8.x AAA Authentication
Listener HTTP Redirect not working with IE9 |
|
Different PowerSupply
number between show inventory/environment |
|
ASA: Traceback in purgatory
in release of DSH (datastructure handle) |
|
ASA traceback with Thread
Name: dhcp_daemon |
|
IPV6 extension header
inspection On the ASA 8.4.2 does not work |
|
To-the-box traffic fails
from hosts over L2L vpn tunnel & AnyConnect VPN |
|
logging debug-trace has issues
with lines starting with numbers |
|
ASA 5585: Traceback after
Reload when TCP syslog server unavailable |
|
NAT Migration Fails with
Large Policy NAT ACLs |
|
ASA5580 traceback after
upgrade to 8.4.3.2 |
|
VPN Remote user address
assignment failed after RADIUS authentication |
|
Failover Cluster License
Must be Cleared When Failover is Unconfigured |
|
NAT rules specifying an
interface of any removed if an interface deleted |
|
CSC: Secondary goes to
pseudo standby state when failover is enabled |
|
Traceback with Netflow
configuration |
|
ASA5585-standby traceback
during hitless upgrade: 8.4.2.8-->8.4.3 |
|
ASA Traceback when applying
Regexes via script |
|
HTTP Inspection does not
understand verb without trailing LWSP |
|
Chassis serial number is
incorrect in call-home message on 5585 platform |
|
ASA IKEV2 :Unable to
establish site to site VPN for specific ident-pairs |
|
ASA generates traceback
message when connected with L2TP/IPsec |
|
ENH: Add Command to Allow
ARP Cache Entries from Non-Connected Subnets |
|
ASA-4-402116 - error
message displays outer instead of inner packet |
|
Active ASA5505 interface
remains in Waiting state |
|
IDFW: SYSLOG 746012 appears
twice |
|
authentication in esmtp
inspection breaks |
|
ASA Radius Acct-Delay-Time
does not work |
|
ASA - dhcp relay - option
252 is not passed down to the clients |
|
AJAX - Mis-rendered page
layout on IE over WebVPN |
|
ASA: Assert tracebacks with
GTP inspection |
|
ASA traceback in SiteMinder
SSO when users log into ssl vpn web portal |
|
ASA WebVPN URL Rewrite
Failing - Form action with special characters |
|
SNMP
ciscoRasTooManySessions trap is sent from Standby ASA |
|
Traceback in Thread Name
accept/http |
|
ASA: webvpn removes secure
tag from cookies sent by remote server |
|
multiple clients can
connect with "vpn-simultaneous-logins 1" |
|
RA VPN license client fails
to request more licenses from the server |
|
skinny-inspect
intermittently uses odd port for RTP stream |
|
ASA VPN IPSEC load
balancing causes 1550 block depletion |
|
ASA: webvpn secure content
should not be cached in local disks |
|
ASA SCH - Traceback in
thread name: sch_prompt anonymous reporting |
|
IPv6 traffic to standby
fails in transparent mode |
|
Java applet failing at
launch over Clientless WebVPN |
|
ASA assigned IP address
from DHCP to VPN clients randomly fails |
|
ASA sip inspect - duplicate
pre-allocate secondary pinholes created |
|
ASA: Downloading capture
via HTTP returns incorrect content-length |
|
(VPN-Secondary) Failed to
update IPSec failover runtime data on the stan |
|
ASA SSLVPN Java RDP Plugin
traceback with socket write error exception |
|
Incorrect MPF conn counts
cause %ASA-3-201011 and DoS condition |
|
ASDM Session Replication during
Failover |
|
Aggregate Auth does not
send "88" error code for radius-reject-message |
|
Syslog %ASA-4-402123
Printed incorrectly for webvpn traffic |
|
SNMP MIB: Equivalent of
"show xlate count" command |
|
Clientless SSL VPN causes
UAC on Win 7 to fail when CSD and ST are used |
|
IKEv2 tunnels fail in one
direction following rekey-on-data |
|
ASA may reload with
traceback in Thread Name: vpnfol_thread_msg |
|
Deny lines in NAT exemption
ACL causes ASA config migration to fail |
|
ASA Authorization fails
with LDAP for user with any expiration date set |
|
ASA accept IKEv2 AC
reconnect request once then tear it down |
|
ASA generates "The ASA
hardware accelerator encountered an error" |
|
Syslog 324001 Reason string
missing when pkt dropped because of Null TID |
|
ASA cut-though proxy stops
working if using FQDN ACL |
|
Block depletion, embedded
web client transmit queue |
|
Observed Traceback in SNMP
while querying GET BULK for 'xlate count' |
|
ASA VPN client connection
fails if 'name' is configured
the same as TG |
|
ASA nointeractive
trustpoint auth fails with Incorrect fingerprint |
|
WebVPN: OWA server sending error message due
to missing Canary Value |
|
Clientless: failed ntlm
authentication leads to iobuffer uninitialized |
|
debug ctl-provider causes
traceback |
|
ASA: High CPU with DTLS
sessions and 'crypto engine large-mod-accel' |
|
Webvpn: RDP ActiveX plugin
causes high cpu with IE |
|
1550 byte block depletion
related to TCP |
|
Traceback in CP Midpath
Processing - SSL DHE cipher |
|
ASA:IKEv2 tunnel failure
due to IPsec rekey collision |
|
ASA: WebVPN Rewrite issue -
drop down menu rendering is incorrect |
|
CPU-hog during
line-protocol-up event of 4GE-SSM ports |
|
ASA: traceback in Thread
Name: IPsec message handler,Syslog 602305. |
|
ASA sends too large TCP
payload when ASA MSS < Client MSS |
|
ASA RA tunnel fails when
vlan is set in grppol and XAUTH disabled |
|
DAP:Continue/Quarantine
messages display French characters incorrectly |
|
pki: import from terminal
fails when 'quit' embedded in certificate |
|
ASA: Page fault traceback
in lu_rx with failover and GTP inspection |
|
ASA pre-defined objects
have incorrect port values |
|
Websense URL Filtering
triggers syslog 216004 |
|
Clientless SSL VPN rewriter
fails with javascript |
|
logging debug-trace has
issues with radius debugs |
|
Anyconnect fails to connect
after ASA failover due to IP conflict |
|
Error returned while
removing pfs from dynamic crypto map |
|
Some AAA Server Group names
result in blank AAA config |
|
ASA (8.4.4) Traceback in
Thread Name: IKE Daemon, Syslog 402142 |
|
ASA: Some NAT configuration
removed on failover upgrade to 8.4(4) |
|
Some parts of the WebVPN
login susceptible to HTTP Response Splitting |
|
aaa-radius: ASA sending
duplicate Radius access request |
|
ipsecvpn-ikev2: assert
Traceback in Thread Name: IKEv2
Daemon |
|
Flowcontrol status is OFF
on ASA, after enabling it on ASA and switch. |
|
Cisco script injected in
html tags, JS conditional comments |
|
4096 byte block depletion
due to ak47_np_read |
|
On upgrade to 8.4(4)3 Twice
NAT statements may override routing table |
Revision: Version 8.4.4(1) – 06/18/2012
Files: asa844-1-k8.bin,
asa844-1-smp-k8.bin
Defects resolved since 8.4.4:
Traceback in Thread Name: Dispatch Unit |
|
ASA doesn't fail for Quack auth error with
SpykerI/O& Falcon card |