Release Notes for the Cisco ASA Series, 9.12(x)

This document contains release information for Cisco ASA software Version 9.12(x).

Important Notes

  • Upgrade ROMMON for ASA 5506-X, 5508-X, and 5516-X to Version 1.1.15—There is a new ROMMON version for these ASA models (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.


    Caution

    The ROMMON upgrade for 1.1.15 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.


  • SSH security improvements and new defaults in 9.12(1)—See the following SSH security improvements:

    • SSH version 1 is no longer supported; only version 2 is supported. The ssh version 1 command will be migrated to ssh version 2.

    • Diffie-Hellman Group 14 SHA256 key exchange support. This setting is now the default (ssh key-exchange group dh-group14-sha256). The former default was Group 1 SHA1. Make sure that your SSH client supports Diffie-Hellman Group 14 SHA256. If it does not, you may see an error such as "Couldn't agree on a key exchange algorithm." For example, OpenSSH supports Diffie-Hellman Group 14 SHA256.

    • HMAC-SHA256 integrity cipher support. The default is now the high security set of ciphers (hmac-sha1 and hmac-sha2-256 as defined by the ssh cipher integrity high command). The former default was the medium set.

  • No support in 9.10(1) and later for the ASA FirePOWER module on the ASA 5506-X series and the ASA 5512-X—The ASA 5506-X series and 5512-X no longer support the ASA FirePOWER module in 9.10(1) and later due to memory constraints. You must remain on 9.9(x) or lower to continue using this module. Other module types are still supported. If you upgrade to 9.10(1) or later, the ASA configuration to send traffic to the FirePOWER module will be erased; make sure to back up your configuration before you upgrade. The FirePOWER image and its configuration remain intact on the SSD. If you want to downgrade, you can copy the ASA configuration from the backup to restore functionality.

  • The NULL-SHA TLSv1 cipher is deprecated and removed in 9.12(1)—Because NULL-SHA doesn't offer encryption and is no longer considered secure against modern threats, it will be removed from the list of supported TLSv1 ciphers in the output of tls-proxy mode commands/options and show ssl ciphers all. The ssl cipher tlsv1 all and ssl cipher tlsv1 custom NULL-SHA commands will also be deprecated and removed.

  • Local CA server is deprecated in 9.12(1), and will be removed in a later release—When the ASA is configured as a local CA server, it can issue digital certificates, publish Certificate Revocation Lists (CRLs), and securely revoke issued certificates. This feature has become obsolete and hence the crypto ca server command is deprecated.

  • The default trustpool is removed in 9.12(1)—To comply with PSB requirement SEC-AUT-DEFROOT, the "default" trusted CA bundle is removed from the ASA image. As a result, the crypto ca trustpool import default and crypto ca trustpool import clean default commands are also removed along with other related logic. However, in existing deployments, certificates that were previously imported using these commands will remain in place.

  • The ssl encryption command is removed in 9.12(1)—The command was deprecated in 9.3(2) and replaced by ssl cipher. In 9.12(1), ssl encryption is removed and no longer supported.

System Requirements

This section lists the system requirements to run this release.

ASA and ASDM Compatibility

For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.

New Features

This section lists new features for each release.


Note

New, changed, and deprecated syslog messages are listed in the syslog message guide.


New Features in ASA 9.12(2)

Released: May 30, 2019

Feature

Description

Firepower 9300 SM-56 support

We introduced the following security modules: SM-56.

Requires FXOS 2.6.1.157

No modified commands.

New Features in ASA 9.12(1)

Released: March 13, 2019

Feature

Description

Platform Features

ASA for the Firepower 4115, 4125, and 4145

We introduced the Firepower 4115, 4125, and 4145.

Requires FXOS 2.6.1.

No modified commands.

Support for ASA and FTD on separate modules of the same Firepower 9300

You can now deploy ASA and FTD logical devices on the same Firepower 9300.

Requires FXOS 2.6.1.

No modified commands.

Firepower 9300 SM-40 and SM-48 support

We introduced the following two security modules: SM-40 and SM-48.

Requires FXOS 2.6.1.

No modified commands.

Firewall Features

GTPv1 release 10.12 support.

The system now supports GTPv1 release 10.12. Previously, the system supported release 6.1. The new support includes recognition of 25 additional GTPv1 messages and 66 information elements.

In addition, there is a behavior change. Now, any unknown message IDs are allowed. Previously, unknown messages were dropped and logged.

No modified commands.

Cisco Umbrella Enhancements.

You can now identify local domain names that should bypass Cisco Umbrella. DNS requests for these domains go directly to the DNS servers without Umbrella processing. You can also identify which Umbrella servers to use for resolving DNS requests. Finally, you can define the Umbrella inspection policy to fail open, so that DNS requests are not blocked if the Umbrella server is unavailable.

New/Modified commands: local-domain-bypass, resolver, umbrella fail-open.

The object group search threshold is now disabled by default.

If you enabled object group search, the feature was subject to a threshold to help prevent performance degradation. That threshold is now disabled by default. You can enable it by using the object-group-search threshold command.

New/Modified command: object-group-search threshold.

Interim logging for NAT port block allocation.

When you enable port block allocation for NAT, the system generates syslog messages during port block creation and deletion. If you enable interim logging, the system generates message 305017 at the interval you specify. The messages report all active port blocks allocated at that time, including the protocol (ICMP, TCP, UDP) and source and destination interface and IP address, and the port block.

New/Modified command: xlate block-allocation pba-interim-logging seconds.

VPN Features

New condition option for debug aaa.

The condition option was added to the debug aaa command. You can use this option to filter VPN debugging based on group name, user name, or peer IP address.

New/Modified commands: debug aaa condition

Support for RSA SHA-1 in IKEv2

You can now generate a signature using the RSA SHA-1 hashing algorithm for IKEv2.

New/Modified commands: rsa-sig-sha1

View the default SSL configuration for both DES and 3DES encryption licenses as well as available ciphers

You can now view the default SSL configuration with and without the 3DES encryption license. In addition, you can view all the ciphers supported on the device.

New/Modified commands: show ssl information

Add subdomains to webVPN HSTS

Allows domain owners to submit what domains should be included in the HSTS preload list for web browsers.

New/Modified commands: hostname(config-webvpn) includesubdomains

High Availability and Scalability Features

Per-site gratuitous ARP for clustering

The ASA now generates gratuitous ARP (GARP) packets to keep the switching infrastructure up to date: the highest priority member at each site periodically generates GARP traffic for the global MAC/IP addresses. When using per-site MAC and IP addresses, packets sourced from the cluster use a site-specific MAC address and IP address, while packets received by the cluster use a global MAC address and IP address. If traffic is not generated from the global MAC address periodically, you could experience a MAC address timeout on your switches for the global MAC address. After a timeout, traffic destined for the global MAC address will be flooded across the entire switching infrastructure, which can cause performance and security concerns. GARP is enabled by default when you set the site ID for each unit and the site MAC address for each Spanned EtherChannel.

New/Modified commands: site-periodic-garp interval

Routing Features

OSPF Keychain support for authentication

OSPF authenticates the neighbor and route updates using MD5 keys. On the ASA, the keys used to generate the MD5 digest had no lifetime associated with them, so user intervention was required to change the keys periodically. To overcome this limitation, OSPFv2 supports MD5 authentication with rotating keys.

OSPF authenticates neighbors, accepts or rejects keys, and forms adjacencies based on the accept and send lifetimes of the keys in the key chain.

New/Modified commands: accept-lifetime, area virtual-link authentication, cryptographic-algorithm, key, key chain, key-string, ospf authentication, send-lifetime

Certificate Features

Local CA configurable FQDN for enrollment URL

To make the FQDN of the enrollment URL configurable instead of using the ASA's configured FQDN, a new CLI option is introduced. This new option is added to the smpt mode of crypto ca server.

New/Modified commands: fqdn

Administrative, Monitoring, and Troubleshooting Features

enable password change now required on a login

The default enable password is blank. When you try to access privileged EXEC mode on the ASA, you are now required to change the password to a value of 3 characters or longer. You cannot keep it blank. The no enable password command is no longer supported.

At the CLI, you can access privileged EXEC mode using the enable command, the login command (with a user at privilege level 2+), or an SSH or Telnet session when you enable aaa authorization exec auto-enable. All of these methods require you to set the enable password.

This password change requirement is not enforced for ASDM logins. In ASDM, by default you can log in without a username and with the enable password.

New/Modified commands: enable password

Configurable limitation of admin sessions

You can configure the maximum number of aggregate, per-user, and per-protocol administrative sessions. Formerly, you could configure only the aggregate number of sessions. This feature does not affect console sessions. Note that in multiple context mode, you cannot configure the number of HTTPS sessions, where the maximum is fixed at 5 sessions. The quota management-session command is also no longer accepted in the system configuration, and is instead available in the context configuration. The maximum number of aggregate sessions is now 15; if you configured 0 (unlimited) or 16+, then when you upgrade, the value is changed to 15.

New/Modified commands: quota management-session, show quota management-session

Notifications for administrative privilege level changes

When you authenticate for enable access (aaa authentication enable console) or allow privileged EXEC access directly (aaa authorization exec auto-enable), the ASA now notifies users if their assigned access level has changed since their last login.

New/Modified commands: show aaa login-history

NTP support on IPv6

You can now specify an IPv6 address for the NTP server.

New/Modified commands: ntp server

SSH stronger security

See the following SSH security improvements:

  • SSH version 1 is no longer supported; only version 2 is supported.

  • Diffie-Hellman Group 14 SHA256 key exchange support. This setting is now the default. The former default was Group 1 SHA1.

  • HMAC-SHA256 integrity cipher support. The default is now the high security set of ciphers (hmac-sha1 and hmac-sha2-256). The former default was the medium set.

New/Modified commands: ssh cipher integrity, ssh key-exchange group dh-group14-sha256, ssh version

Allow non-browser-based HTTPS clients to access the ASA

You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed.

New/Modified commands: http server basic-auth-client

Capture control plane packets only on the cluster control link

You can now capture control plane packets only on the cluster control link (and no data plane packets). This option is useful in the system in multiple context mode where you cannot match traffic using an ACL.

New/Modified commands: capture interface cluster cp-cluster

debug conn command

The debug conn command was added to provide two history mechanisms that record connection processing. The first history list is a per-thread list that records the operations of the thread. The second history list is a list that records the operations into the conn-group. When a connection is enabled, processing events such as a connection lock, unlock, and delete are recorded into the two history lists. When a problem occurs, these two lists can be used to look back at the processing to determine the incorrect logic.

New/Modified commands: debug conn

show tech-support includes additional output

The output of show tech-support is enhanced to include the output of the following commands:

  • show ipv6 interface

  • show aaa-server

  • show fragment

New/Modified commands: show tech-support
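
The following pre-upgrade check is an added example, not Cisco code: it scans a saved running configuration for the commands that the Important Notes and the 9.12(1) feature list above describe as removed, deprecated, or changed on upgrade. The rule names, the audit function, and the sample configuration are constructed for illustration; the "sfr fail-open"/"sfr fail-close" redirect line and the "ssh <address> ..." access-line patterns are assumptions about configuration syntax that these release notes do not show.

```python
"""Pre-upgrade audit of an ASA configuration against the 9.12(x) release notes."""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    line_no: int  # 1-based line number in the supplied configuration text
    rule: str     # rule id (names invented for this example)
    line: str     # configuration line that triggered the rule
    note: str     # what the release notes say about it


# Per-line rules: (rule id, regex applied to the stripped line, note).
LINE_RULES = [
    ("ssh-v1", r"^ssh version 1\b",
     "SSH version 1 is no longer supported; the command is migrated to 'ssh version 2'."),
    ("ssh-integrity", r"^ssh cipher integrity (?!high\b)\S+",
     "Integrity set is not 'high' (hmac-sha1, hmac-sha2-256), the default in 9.12(1)."),
    ("ssl-encryption", r"^ssl encryption\b",
     "'ssl encryption' is removed in 9.12(1); it was replaced by 'ssl cipher'."),
    ("tls1-all", r"^ssl cipher tlsv1 all\b",
     "'ssl cipher tlsv1 all' is deprecated and removed along with NULL-SHA."),
    ("tls1-null-sha", r"^ssl cipher tlsv1 custom\b.*(?<![\w-])NULL-SHA(?![\w-])",
     "NULL-SHA offers no encryption and is removed for TLSv1 in 9.12(1)."),
    ("local-ca", r"^crypto ca server\b",
     "Local CA server is deprecated in 9.12(1) and will be removed in a later release."),
]

# Assumed syntax: "ssh <ipv4> <mask> <if>" or "ssh <ipv6>/<len> <if>" permits SSH access.
SSH_ACCESS_RE = re.compile(r"^ssh (?:\d+\.\d+\.\d+\.\d+ |[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/\d+ )")
KEX_OK_RE = re.compile(r"^ssh key-exchange group dh-group14-sha256\b")
QUOTA_RE = re.compile(r"^quota management-session (\d+)$")
# Assumed syntax for the FirePOWER redirect inside a policy-map class.
SFR_RE = re.compile(r"^sfr fail-(?:open|close)\b")


def audit(config_text: str, model: Optional[str] = None) -> List[Finding]:
    """Return the lines of config_text that are affected by an upgrade to 9.12(x).

    model is the hardware model string supplied by the caller (for example
    "ASA5506"); it is only used for the FirePOWER module check.
    """
    findings: List[Finding] = []
    first_ssh_access = None
    kex_pinned = False
    no_firepower = bool(model) and re.search(r"5506|5512", model) is not None

    for no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "!:":  # skip blanks and comment lines
            continue
        for rule, pattern, note in LINE_RULES:
            if re.search(pattern, line):
                findings.append(Finding(no, rule, line, note))
        quota = QUOTA_RE.match(line)
        if quota and (int(quota.group(1)) == 0 or int(quota.group(1)) >= 16):
            findings.append(Finding(no, "mgmt-quota", line,
                "Aggregate limit of 0 (unlimited) or 16+ is changed to 15 on upgrade."))
        if no_firepower and SFR_RE.match(line):
            findings.append(Finding(no, "firepower-redirect", line,
                "ASA 5506-X series and 5512-X: configuration that sends traffic to the "
                "FirePOWER module is erased in 9.10(1) and later; back up first."))
        if first_ssh_access is None and SSH_ACCESS_RE.match(line):
            first_ssh_access = (no, line)
        kex_pinned = kex_pinned or bool(KEX_OK_RE.match(line))

    # Whole-configuration rule: SSH is reachable but the new default is not set explicitly.
    if first_ssh_access and not kex_pinned:
        findings.append(Finding(first_ssh_access[0], "ssh-kex", first_ssh_access[1],
            "Default key exchange becomes dh-group14-sha256 (former default Group 1 SHA1); "
            "confirm that SSH clients support it."))
    return findings


# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
: Saved
ASA Version 9.8(2)
hostname edge-fw-example
enable password EXAMPLEHASH encrypted
ssl encryption aes256-sha1 aes128-sha1
ssl cipher tlsv1 custom "AES256-SHA:NULL-SHA"
crypto ca server
 shutdown
quota management-session 0
ssh version 1
ssh 192.0.2.0 255.255.255.0 management
ssh timeout 5
policy-map global_policy
 class sfr_class
  sfr fail-open
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, model="ASA5506"):
        print(f"line {f.line_no:>3} [{f.rule}] {f.line}\n         {f.note}")
```

Run it against a saved copy of the configuration before the upgrade; lines it reports are the ones to review against the notes above, and an empty result does not replace reading them.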

Upgrade the Software

This section provides the upgrade path information and a link to complete your upgrade.

ASA Upgrade Path

To view your current version and model, use one of the following methods:

  • CLI—Use the show version command.

  • ASDM—Choose Home > Device Dashboard > Device Information.

See the following table for the upgrade path for your version. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.

Current Version

Interim Upgrade Version

Target Version

9.10(x)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

9.7(x)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

9.6(x)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

9.5(x)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

9.4(x)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

9.3(x)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

9.2(x)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

9.1(1)

→ 9.1(2)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

9.0(2), 9.0(3), or 9.0(4)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

9.0(1)

→ 9.0(2), 9.0(3), or 9.0(4)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

8.6(1)

→ 9.0(2), 9.0(3), or 9.0(4)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

8.5(1)

→ 9.0(2), 9.0(3), or 9.0(4)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

8.4(5+)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

8.4(1) through 8.4(4)

Any of the following:

→ 9.0(2), 9.0(3), or 9.0(4)

→ 8.4(6)

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

8.3(x)

→ 8.4(6)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

8.2(x) and earlier

→ 8.4(6)

Any of the following:

9.12(x)

9.10(x)

9.9(x)

9.8(x)

→ 9.7(x)

→ 9.6(x)

→ 9.5(x)

→ 9.4(x)

→ 9.3(x)

→ 9.2(x)

→ 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4)

Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note

You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.


For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs in Version 9.12(x)

There are no open bugs at the time of this Release Note publication.

Resolved Bugs

This section lists resolved bugs per release.

Resolved Bugs in Version 9.12(2)

The following table lists select resolved bugs at the time of this Release Note publication.

Caveat ID Number

Description

CSCvj00363

ASA may traceback and reload with combination of packet-tracer and captures

CSCvj06993

ASA HA with NSF: NSF is not triggered properly when there is an Interface failure in ASA HA

CSCvj82652

Deployment changes are not pushed to the device due to disk0 mounted on read-only

CSCvk29263

SSH session stuck after committing changes within a Configure Session.

CSCvm00066

ASA is stuck on "reading from flash" for several hours

CSCvm50421

ASA traceback on slave/standby during sync config due to OSPF/EIGRP and IPv6 used together in ACE

CSCvn13880

Unit traceback at Thread PIM IPv4 or IGMP IPv4 due to timer events when multicast routing is enabled

CSCvn17347

Traceback and reload when displaying CPU profiling results

CSCvn22833

ADI process fails to start on ASA on Firepower 4100

CSCvn25949

Digitial Signature Verification Failed during upload of Rest-Api image to ASA

CSCvn31347

ACL Unable to configure an ACL after access-group configuration error

CSCvn38453

ASA: Not able to load Quovadis Root Certificate as trustpoint when FIPS is enabled

CSCvn40592

'No certificate ' command under certificate chain removes wrong certificate

CSCvn46358

overloading of the lina msglyr infra due to the sending of VPN status messages

CSCvn55007

DTLS fails after rekey

CSCvn67137

ASA5506 may slowly leak memory when using NetFlow

CSCvn68527

KP:AnyConnect used IP from pool shows as available

CSCvn69213

ASA traceback and reload due to multiple threads waiting for the same lock - watchdog

CSCvn72650

FTD Address not mapped traceback on 6.3.0.x release

CSCvn75368

FPR platform IPsec VPN goes down intermittently

CSCvn78674

Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability

CSCvn80394

ASA SNMP CPU Hogs

CSCvn94100

"Process Name: lina" | ASA traceback caused by Netflow

CSCvn95711

Traceback on Thread Name: Unicorn Admin Handler after adding protocol to IKEV2 ipsec-proposal

CSCvn96898

Memory Leak in DMA_Pool in binsize 1024 with SCP download

CSCvn97591

Packet Tracer fails with "ERROR: TRACER: NP failed tracing packet", with circular asp drop captures

CSCvn97733

Syslog ID 111005 generated incorrectly

CSCvo02097

Upgrading ASA cluster to 9.10.1.7 cause traceback

CSCvo03808

Deploy from FMC fails due to OOM with no indication of why

CSCvo04444

Ikev2 tunnel creation fails

CSCvo06216

Support more than 255 chars for Split DNS-commit issue in hanover for CSCuz22961

CSCvo09046

Upgrading ASA cluster to 9.10.1.7 cause low memory

CSCvo11077

Memory leak found in IPsec when we establish and terminate a new IKEv1 tunnel.

CSCvo11406

Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability

CSCvo12057

DHCPRelay does not consume DHCP Offer packet with Unicast flag

CSCvo13497

Unable to remove access-list with 'log default' keyword

CSCvo15497

Tunnel Group: 'no ikev2 local-authentication pre-shared-key' removes local cert authen

CSCvo19247

Traceback while processing an outbound SSL packet

CSCvo20847

Active FTP fails through Cluster due to xlate allocation corruption upon sync

CSCvo21210

PDTS has incorrect numa node info resulting in incorrect load balancing

CSCvo23222

AnyConnect session rejected due to resource issue in multi context deployments

CSCvo27109

Standby may enter reboot loop upon upgrading to 9.6(4)20 from 9.6(4)6

CSCvo38051

segfault in ctm_ipsec_pfkey_parse_msg at ctm_ipsec_pfkey.c:602

CSCvo39356

Traceback at Thread Name: IP Address Assign

CSCvo42174

ASA IPSec VPN EAP Fails to Load Valid Certificate in PKI

CSCvo43679

FTD Lina traceback, due to packet looping in the system by normaliser

CSCvo45230

ASA5506 - IBR - not able to ping with hostname if the interface is in BVI in IBR mode

CSCvo55151

crypto ipsec inner-routing-lookup should not be allowed to be configured with VTI present

CSCvo56675

ASA or FTD traceback and reload due to failover state change or xlates cleared

CSCvo62077

SFR VPN Event Memory Leak

CSCvo63240

Smart Tunnel bookmarks don't work after upgrade giving certificate error

CSCvo93872

Memory leak while inspecting GTP traffic

CSCvp16482

ASA on FXOS platforms reloads when establishing simultaneous ASDM sessions

CSCvp36425

ASA 5506/5508/5516 traceback in Thread Name octnic_hm_thread

Resolved Bugs in Version 9.12(1)

The following table lists select resolved bugs at the time of this Release Note publication.

Caveat ID Number

Description

CSCux69220

WebVPN 'enable intf' with DHCP , CLI missing when ASA boot

CSCuz70352

Unable to SSH over remote access VPN (telnet, asdm working)

CSCvb21927

IKEv2 certificate authentication PRF SHA2 interoperability 3rd party

CSCvc62565

Failover crypto IPsec IKEv2 config does not match when sync with standby

CSCvd13180

AVT : Missing Content-Security-Policy Header in ASA 9.5.2

CSCvd21406

Multiple PAT rules with "any" and named interface cause 305006 "portmap translation creation failed"

CSCvd28906

ASA traceback at first boot in 5506 due to unable to allocate enough LCMB memory

CSCvd76939

ASA policy-map configuration is not replicated to cluster slave

CSCve53415

ASA traceback in DATAPATH thread while running captures

CSCve95403

ASA boot loop caused by logs sent after FIPS boot test

CSCvf85831

asdm displays error uploading image

CSCvg00565

ASA crashes in glib/g_slice when do "debug menu" self testing

CSCvg40735

GTP inspection may spike cpu usage

CSCvg65072

Cisco ASA sw, FTD sw, and AnyConnect Secure Mobility Client SAML Auth Session Fixation Vulnerability

CSCvg76652

Default DLY value of port-channel sub interface mismatch

CSCvg78582

ENH: ASA 9.8.2 Missing HTTP Secure Header X-XSS-Protection

CSCvh14743

IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload.

CSCvh55035

Firepower Threat Defense device unable to stablish ERSPAN with Nexus 9000

CSCvh55340

ASA Running config through REST-API Full Backup does not contain the specified context configuration

CSCvh77456

Cisco Firepower Threat Defense Software FTP Inspection Denial of Service Vulnerability

CSCvh79732

Cisco Adaptive Security Appliance Denial of Service Vulnerability

CSCvh81737

Cisco Adaptive Security Appliance Denial of Service Vulnerability

CSCvh81870

Cisco Adaptive Security Appliance Denial of Service Vulnerability

CSCvh83849

DHCP Relay With Dual ISP and Backup IPSEC Tunnels Causes Flapping

CSCvh86252

Change the blacklist flow timeout inline with snort timeout

CSCvh95302

ASDM/Webvpn stops working after reload if IPv6 address configured on the interface

CSCvh98781

ASA/FTD Deployment ERROR 'Management interface is not allowed as Data is in use by this instance'

CSCvi01312

webvpn: multiple rendering issues on Confluence and Jira applications

CSCvi03103

BGP ASN cause policy deployment failures.

CSCvi19125

Multicast ip-proto-50 (ESP) dropped by ASP citing 'np-sp-invalid-spi'

CSCvi19220

ASA fails to encrypt after performing IPv6 to IPv4 NAT translation

CSCvi34164

ASA does not send 104001 and 104002 messages to TCP/UDP syslog

CSCvi37644

PKI:- ASA fails to process CRL's with error "Add CA req to pool failed. Pool full."

CSCvi38151

ASA pair: IPv6 static/connected routes are not sync/replicated between Active/Standby pairs.

CSCvi42008

Stuck uauth entry rejects AnyConnect user connections

CSCvi46759

Allow ASA to process packet with hop limit of 0 (Follow RFC 8200)

CSCvi51515

REST-API:500 Internal Server Error

CSCvi53708

ASA NAT position discrepancy between CLI and REST-API causing REST to delete wrong config

CSCvi54162

"ha-replace" action not working when peer not present

CSCvi55464

ASA5585 device power supply Serial Number not in the snmp response

CSCvi65512

FTD: AAB might force a snort restart with relatively low load on the system

CSCvi71622

Traceback in DATAPATH on standby FTD

CSCvi77643

Hanging downloads and slow downloads on a FPR4120 due to http inspect

CSCvi79691

LDAP over SSL crypto engine error

CSCvi79999

256 Byte block leak observed due to ARP traffic when using VTI

CSCvi85382

ASA5515 Low DMA memory when ASA-IC-6GE-SFP-A module is installed

CSCvi87214

Neighbour Solicitation messages are observed for IPv6 traffic

CSCvi90633

Edit GUI language on ASDM AC downloads but ignores the change FPR-21XX

CSCvi96442

Slave unit drops UDP/500 and IPSec packets for S2S instead of redirecting to Master

CSCvi97729

To-the-box traffic being routing out a data interface when failover is transitioning on a New Active

CSCvi99743

Standby traceback in Thread "Logger" after executing "failover active" with telnet access

CSCvj01704

ASA is getting traceback with reboot only on Spyker aftr shutdown SFR module

CSCvj18111

FTD: Flow-preserve N1 flag shouldn't apply for IPS interfaces

CSCvj22491

Cluster: Enhance ifc monitor debounce-time for interface down->up scenario

CSCvj37924

CWE-20: Improper Input Validation

CSCvj39858

Traceback: Thread Name: IPsec message handler

CSCvj42269

ASA 9.8.2 Receiving syslog 321006 reporting System Memory as 101%

CSCvj42450

ASA traceback in Thread Name: DATAPATH-14-17303

CSCvj43591

Firepower 2110 with ASA DHCP does not work properly

CSCvj47119

"clear capture /all" might crash Firepower 9300 MI Firepower Threat Defense

CSCvj47256

ASA SIP and Skinny sessions drop, when two subsequent failovers take place

CSCvj48340

ASA memory Leak - snp_svc_insert_dtls_session

CSCvj49883

ASA traceback on Firepower Threat Defense 2130-ASA-K9

CSCvj50008

WebVPN HSTS header is missing includeSubDomains response per RFC 6797

CSCvj50024

ASA portchannel lacp max-bundle 1 hot-sby port not coming up after link failure

CSCvj54840

create/delete context stress test causes traceback in nameif_install_arp_punt_service

CSCvj56909

ASA does not unrandomize the SLE and SRE values for SACK packet generated by ASA module

CSCvj58342

Multicast dropped after deleting a security context

CSCvj59347

Remove/Increase the maximum 255 characters error limit in result of a cli command!

CSCvj65581

Excessive logging from ftdrpcd process on 2100 series appliances

CSCvj67258

Change 2-tuple and 4-tuple hash table to lockless

CSCvj67740

Static IPv6 route prefix will be removed from the ASA configuration

CSCvj67776

clear crypto ipsec ikev2 commands not replicated to standby

CSCvj72309

FTD does not send Marker for End-of-RIB after a BGP Graceful Restart

CSCvj73581

Traceback in cli_xml_server Thread

CSCvj74210

Traceback at "ssh" when executing 'show service-policy inspect gtp pdp-context detail'

CSCvj75220

Usage of 'virtual http' or 'virtual telnet' incorrectly needs 'same-security permit intra-interface'

CSCvj75793

2100/4100/9300: stopping/pausing capture from Management Center doesn't lower the CPU usage

CSCvj79765

Netflow configuration on Active ASA is replicated in upside down order on Standby unit

CSCvj85516

Packet capture fails for interface named "management" on Firepower Threat Defense

CSCvj88461

Withdrawal advertisements for specific prefixes are flooded before flooding aggregate prefix

CSCvj88514

IP Local pools configured with the same name.

CSCvj89470

Cisco Adaptive Security Appliance Direct Memory Access Denial of Service Vulnerability

CSCvj91449

ASA traceback when logging host command is enable for IPv6 after each reboot

CSCvj91619

1550 Block Depletion Causes ASA to reload 6.2.3.3.

CSCvj91815

Invalid Http response (IO error during SSL communication) when trying to copy a file from CSM to ASA

CSCvj91858

Cisco Adaptive Security Appliance Access Control List Bypass Vulnerability

CSCvj92444

ASA keeps Type 7 NSSA after losing neighbor

CSCvj95451

webvpn-l7-rewriter: Bookmark logout fails on IE

CSCvj97159

ASA IKEv2 capture type isakmp setting incorrect "Initiator Request" flag on decrypted IKE_AUTH_Reply

CSCvj97213

ASA IKEv2 capture type isakmp is saving corrupted packets or is missing packets

CSCvj97514

ASA Smart Licensing messaging fails with 'nonce failed to match'

CSCvj98964

ASA may traceback due to SCTP traffic

CSCvk00985

ASA: 9.6.4, 9.8.2 - Failover logging message appears in user context

CSCvk02250

"show memory binsize" and "show memory top-usage" do not show correct information (Complete fix)

CSCvk04592

Flows get stuck in lina conn table in half-closed state

CSCvk07522

webvpn: Bookmark fails to render on Firefox and Chrome. IE fine.

CSCvk08377

ASA 5525 running 9.8.2.20 memory exhaustion.

CSCvk08535

ASA generates warning messages regarding IKEv1 L2L tunnel-groups

CSCvk11898

GTP soft traceback seen while processing v2 handoff

CSCvk13703

ASA5585 doesn't use priority RX ring when FlowControl is enabled

CSCvk14258

Crash output reports hardware ASP-## for ASA5585-SSP-##. Should correctly report full model name.

CSCvk14537

SSH/Telnet Management sessions may get stuck in pc ftpc_suspend

CSCvk18330

Active FTP Data transfers fail with FTP inspection and NAT

CSCvk18378

ASA Traceback and reload when executing show process (rip: inet_ntop6)

CSCvk18578

Enabling compression necessary to load ASA SSLVPN login page customization

CSCvk19435

Unwanted IE present error when parsing GTP APN Restriction

CSCvk24297

IKEv2 RA with EAP fails due to Windows 10 version 1803 IKEv2 fragmentation feature enabled.

CSCvk25729

Large ACL taking long time to compile on boot causing outage

CSCvk26887

Certificate import from Local CA fails due to invalid Content-Encoding

CSCvk27686

ASA may traceback and reload when acessing qos metrics via ASDM/Telnet/SSH

CSCvk28023

WebVPN: Grammar Based Parser fails to handle META tags

CSCvk29263

SSH session stuck after committing changes within a Configure Session.

CSCvk30228

ASAv and FTDv deployment fails in Microsoft Azure and/or slow console response

CSCvk30665

ASA "snmp-server enable traps memory-threshold" hogs CPU resulting in "no buffer" drops

CSCvk30739

ASA CP core pinning leads to exhaustion of core-local blocks

CSCvk30775

ENH: Addition of 'show fragment' to 'show tech' output

CSCvk30779

ENH: Addition of 'show ipv6 interface' to 'show tech' output

CSCvk30783

ENH: Addition of 'show aaa-server' to 'show tech' output

CSCvk31035

KVM (FTD): Mapping web server through outside not working consistent with other platforms

CSCvk34648

Firepower 2100 tunnel flap at data rekey with high throughput Lan-to-Lan VPN traffic

CSCvk36087

When logging into the ASA via ASDM, syslog 611101 shows IP as 0.0.0.0 as remote IP

CSCvk36733

mac address is flapping on huasan switch when asa etherchannel is configured with active mode

CSCvk37890

Firepower 2110, Webvpn conditional debugging causes Threat Defense to traceback

CSCvk38176

Traceback and reload due to GTP inspection and Failover

CSCvk43865

Traceback: ASA 9.8.2.28 while doing mutex lock

CSCvk45443

ASA cluster: Traffic loop on CCL with NAT and high traffic

CSCvk46038

ERROR: The entitlement is already acquired while the configuration is cached.

CSCvk47583

ASA WebVPN - incorrect rewriting for SAP Netweaver

CSCvk48437

ASA - VTI tunnel interface nameif not available for SNMP in "snmp-server host" command

CSCvk50732

AnyConnect 4.6 Web-deploy fails on MAC using Safari 11.1.x browsers

CSCvk50815

GTP inspection should not process TCP packets

CSCvk51181

FTD IPV6 traffic outage after interface edit and deployment part 1/2

CSCvk54779

Async queue issues with fragmented packets leading to block depletion 9344

CSCvk57516

Low DMA memory leading to VPN failures due to incorrect crypto maps

CSCvk62896

ASA IKEv2 traceback while deleting SAs

CSCvk66529

FTD on FPR 9300 corrupts TCP headers with pre-filter enabled

CSCvk66771

The CPU profiler stops running without having hit the threshold and without collecting any samples.

CSCvk67239

FTD or ASA traceback and reload in "Thread Name: Logger Page fault: Address not mapped"

CSCvk67569

ASA unable to handle Chunked Transfer-encoding returned in HTTP response pages in Clientless WebVPN

CSCvk70676

Clientless webvpn fails when ASA sends HTTP as a message-body

CSCvk72192

"Free memory" in "show memory" output is wrong as it includes memory utilisation due to overhead

CSCvk72958

Qos applied on interfaces doesn't work.

CSCvm01053

ASA 9.8(2)24 traceback on FPR9K-SM-44

CSCvm06114

RDP bookmark plugin won't launch

CSCvm07458

Using EEM to track VPN connection events may cause traceback and reload

CSCvm08769

Standby unit sending BFD packets with active unit IP, causing BGP neighborship to fail.

CSCvm15880

FPR 9k ASA cluster multicon mode/vpn-mode distribute causes a reboot-loop if transparent mode conf

CSCvm17985

Initiating write net command with management access for BVI interfaces does not succeed

CSCvm19791

"capture stop" command doesn't work for asp-drop type capture

CSCvm23370

ASA: Memory leak due to PC cssls_get_crypto_ctxt

CSCvm24706

GTP delete bearer request is being dropped

CSCvm25972

ASA Traceback: Thread Name NIC Status Poll.

CSCvm36138

With v1 host configured, a v2c walk from that host succeeds

CSCvm43975

Cisco ASA and FTD Denial of Service or High CPU due to SIP inspection Vulnerability

CSCvm49283

Make Object Group Search Threshold disabled by default, and configurable. Causes outages.

CSCvm53531

Cisco Adaptive Security Appliance Software Privilege Escalation Vulnerability

CSCvm54827

Firepower 2100 ASA Smart Licensing Hostname Change Not Reflected in Smart Account

CSCvm55091

HA failed primary unit shows active while "No Switchover" status on FP platforms

CSCvm56019

Cisco Adaptive Security Appliance WebVPN - VPN not connecting through Browser

CSCvm56371

ASA wrongly removes dACL for all Anyconnect clients which has the same dACL attached

CSCvm56719

Traceback high availability standby unit Thread Name: vpnfol_thread_msg

CSCvm65725

ASA kerberos auth fails switch to TCP if server has response too big (ERR_RESPONSE_TOO_BIG)

CSCvm67273

ASA: Memory leak due to PC alloc_fo_ipsec_info_buffer_ver_1+136

CSCvm67316

ASA: Add additional IKEv2/IPSec debugging for CSCvm70848

CSCvm72378

ASA: CLI: User should not be allowed to create network object "ANY"

CSCvm78449

Unable to modify access control license entry with log default command

CSCvm80779

ASA not inspecting H323 H225

CSCvm80874

ASAv/FP2100 Smart Licensing - Unable to register/renew license

CSCvm82930

FTD: SSH to ASA Data interface fails if overlapping NAT statement is configured

CSCvm86443

Only first line of traceroute is captured in event manager output

CSCvm87970

Webvpn Clientless- password management issue

CSCvm88004

SSH Service on ASA echoes back each typed/pasted character in its own packet

CSCvm91014

NTP synchronization doesn't work when setting BVI IF as NTP source interface

CSCvm92359

Blocks exhaustion snapshot was not captured on ASA

CSCvm95669

ASA 5506 %Error copying http://x.x.x.x/asasfr-5500x-boot-6.2.3-4.img(No space left on device)

CSCvn03966

FTD - When "object-group-search" is pushed through flexconfig, all ACLs get deleted causing outage.

CSCvn04688

ASA AAA Authentication using TACACs does not work when the Server Host Key is set to 128 characters

CSCvn09322

FTD device rebooted after taking Active State for less than 5 minutes

CSCvn09367

Prevent administrators from installing CXSC module on ASA 5500-X

CSCvn09612

ASA/FTD Connection Idle Timers Not Increasing For Inactive Offloaded Sessions

CSCvn09640

FTD: Need ability to trust ethertype ACLs from the parser. Need to allow BPDU to pass through

CSCvn13556

port-channel IF's Interface number is displayed un-assigned when running at transparent mode

CSCvn15757

ASA may traceback due to SCTP traffic inspection without NULL check

CSCvn19823

ASA : Failed SSL connection not getting deleted and depleting DMA memory

CSCvn22833

ADI process fails to start on ASA on Firepower 4100

CSCvn23254

SNMPv2 pulls empty ifHCInOctets value if Nameif is configured on the interface

CSCvn29446

Keepout configuration on the active ASA can not be synchronized to the standby ASA

CSCvn30108

The 'show memory' CLI output is incorrect on ASAv

CSCvn30393

ASA Traceback in emweb/https during Anyconnect Auth/DAP assessment

CSCvn32657

ASA traceback when removing interface configuration used in call-home

CSCvn33943

Standby node traceback in wccp_int_statechange() with HA configuration sync

CSCvn35014

ASA routes change during OS upgrade

CSCvn44201

ASA discards OSPF hello packets with LLS TLVs sent from a neighbor running on IOS XE 16.5.1 or later

CSCvn44748

Specified virtual mac address could not display when executing "show interface"

CSCvn46425

AnyConnect Cert Auth w/ periodic cert auth fails if failover enabled but other device unreachable

CSCvn47599

RA VPN + SAML authentication causes 2 authorization requests against the RADIUS server

CSCvn47800

ASA stops authenticating new AnyConnect connections due to fiber exhaustion

CSCvn49180

ASA/FTD:MAC address not refreshing after changing member-interface of CCL link

CSCvn56095

selective acking not happening with SSL crypto hardware offload

CSCvn61662

ASA 5500-X may reload without crashinfo written due to CXSC module continuously reloading

CSCvn62470

anyconnect client dns request dropped by ASA with umbrella enabled

CSCvn62787

To support multiple retry on devcmd failure to CRUZ during flow table configuration update.

CSCvn64418

ISA300 interop issue with Nokia 7705 router

CSCvn66248

Configuring "boot config" has no effect if file was modified off-box and copied back on

CSCvn67222

DPD doesn't work following a failover, which can (in rare cases) cause an outage if things fail back

CSCvn69213

ASA traceback and reload due to multiple threads waiting for the same lock - watchdog

CSCvn73962

ASA 5585 9.8.3.14 traceback in Datapath with ipsec

CSCvn76829

ASA as an SSL Client Memory Leak in Handshake Error path

CSCvn77636

ASA/webvpn: FF and Chrome: Bookmark is not rendered with Grammar Based Parser

CSCvn94100

"Process Name: lina" | ASA traceback caused by Netflow

CSCvn97517

WebVPN: URL-Entry disabled / "Go to" address within embedded toolbar is not taking effect

CSCvo06216

Support more than 255 chars for Split DNS-commit issue in hanover for CSCuz22961

CSCvo09046

Upgrading ASA cluster to 9.10.1.7 cause low memory