Release Notes for the Cisco ASA Series, 9.14(x)

This document contains release information for Cisco ASA software Version 9.14(x).

Important Notes

  • For Failover pairs in 9.14(1)+, the ASA no longer shares SNMP client engine data with its peer.

  • No support in ASA 9.14(1)+ for cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs (CSCvy22526).

  • No support in ASA 9.13(1) and later for the ASA 5512-X, ASA 5515-X, ASA 5585-X, and the ASASM—ASA 9.12(x) is the last supported version. For the ASA 5515-X and ASA 5585-X FirePOWER module, the last supported version is 6.4.

    Note: ASDM 7.13(1) and ASDM 7.14(1) also did not support these models; you must upgrade to ASDM 7.13(1.101) or 7.14(1.48) to restore ASDM support.

  • ASAv requires 2GB memory in 9.13(1) and later—Beginning with 9.13(1), the minimum memory requirement for the ASAv is 2GB. If your current ASAv runs with less than 2GB of memory, you cannot upgrade to 9.13(1) from an earlier version. You must adjust the memory size before upgrading. See the ASAv Getting Started Guide for information about the resource allocations (vCPU and memory) supported in version 9.13(1).

  • Downgrade issue for the Firepower 2100 in Platform mode from 9.13/9.14 to 9.12 or earlier—For a Firepower 2100 with a fresh installation of 9.13 or 9.14 that you converted to Platform mode: If you downgrade to 9.12 or earlier, you will not be able to configure new interfaces or edit existing interfaces in FXOS (note that 9.12 and earlier only supports Platform mode). You either need to restore your version to 9.13 or later, or you need to clear your configuration using the FXOS erase configuration command. This problem does not occur if you originally upgraded to 9.13 or 9.14 from an earlier release; only fresh installations are affected, such as a new device or a re-imaged device. (CSCvr19755)

  • Cluster control link MTU change in 9.13(1)—Starting in 9.13(1), many cluster control packets are larger than they were in previous releases. The recommended MTU for the cluster control link has always been 1600 or greater, and this value is appropriate. However, if you set the MTU to 1600 but then failed to match the MTU on connecting switches (for example, you left the MTU as 1500 on the switch), then you will start seeing the effects of this mismatch with dropped cluster control packets. Be sure to set all devices on the cluster control link to the same MTU, specifically 1600 or higher.

  • Upgrade ROMMON for ASA 5506-X, 5508-X, and 5516-X to Version 1.1.15 or later—There is a new ROMMON version for these ASA models (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.

    Caution: The ROMMON upgrade for 1.1.15 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.

  • Upgrade ROMMON for the ISA 3000 to Version 1.0.5 or later—There is a new ROMMON version for the ISA 3000 (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.

    Caution: The ROMMON upgrade for 1.0.5 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.

  • The tls-proxy keyword, and support for SCCP/Skinny encrypted inspection, was removed from the inspect skinny command.

  • Windows DNS Client Optimization Limitation—Because of a limitation in Windows 8 and above, we have observed that certain name resolutions, such as nslookup, fail for FQDNs by not matching any split-DNS domains. The workaround is to disable Windows DNS client optimization with the following changes:

    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    Value: DisableParallelAandAAA
    Data: 1

    Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
    Value: DisableSmartNameResolution
    Data: 1

System Requirements

This section lists the system requirements to run this release.

ASA and ASDM Compatibility

For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.

New Features

This section lists new features for each release.


Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.


New Features in ASA 9.14(3)

Released: June 15, 2021

There are no new features in this release.

New Features in ASA 9.14(2)

Released: November 9, 2020

| Feature | Description |
|---|---|
| SNMP Features | |
| SNMP polling over site-to-site VPN | For secure SNMP polling over a site-to-site VPN, include the IP address of the outside interface in the crypto map access-list as part of the VPN configuration. |

New Features in ASA 9.14(1.30)

Released: September 23, 2020

| Feature | Description |
|---|---|
| Licensing Features | |
| ASAv100 permanent license reservation | The ASAv100 now supports permanent license reservation using product ID L-ASAV100SR-K9=. Note: Not all accounts are approved for permanent license reservation. |

New Features in ASAv 9.14(1.6)

Released: April 30, 2020


Note: This release is only supported on the ASAv.


| Feature | Description |
|---|---|
| Platform Features | |
| ASAv100 platform | The ASAv virtual platform has added the ASAv100, a high-end performance model that provides 20 Gbps Firewall throughput levels. The ASAv100 is a subscription-based license, available in terms of 1 year, 3 years, or 5 years. The ASAv100 is supported on VMware ESXi and KVM only. |


Upgrade the Software

This section provides the upgrade path information and a link to complete your upgrade.

ASA Upgrade Path

To view your current version and model, use one of the following methods:

  • ASDM: Choose Home > Device Dashboard > Device Information.

  • CLI: Use the show version command.

This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.


Note: For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.



Note: ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2(x) was the final version for the ASA 5505. ASA 9.1(x) was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.


| Current Version | Interim Upgrade Version | Target Version |
|---|---|---|
| 9.13(x) | — | Any of the following: 9.14(x) |
| 9.12(x) | — | Any of the following: 9.14(x), 9.13(x) |
| 9.10(x) | — | Any of the following: 9.14(x), 9.13(x), 9.12(x) |
| 9.9(x) | — | Any of the following: 9.14(x), 9.13(x), 9.12(x), 9.10(x) |
| 9.8(x) | — | Any of the following: 9.14(x), 9.13(x), 9.12(x), 9.10(x), 9.9(x) |
| 9.7(x) | — | Any of the following: 9.14(x), 9.13(x), 9.12(x), 9.10(x), 9.9(x), 9.8(x) |
| 9.6(x) | — | Any of the following: 9.14(x), 9.13(x), 9.12(x), 9.10(x), 9.9(x), 9.8(x) |
| 9.5(x) | — | Any of the following: 9.14(x), 9.13(x), 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x) |
| 9.4(x) | — | Any of the following: 9.14(x), 9.13(x), 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x) |
| 9.3(x) | — | Any of the following: 9.14(x), 9.13(x), 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x) |
| 9.2(x) | — | Any of the following: 9.14(x), 9.13(x), 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x) |
| 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) | — | Any of the following: 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x), 9.1(7.4) |
| 9.1(1) | 9.1(2) | Any of the following: 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x), 9.1(7.4) |
| 9.0(2), 9.0(3), or 9.0(4) | — | Any of the following: 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x), 9.1(7.4) |
| 9.0(1) | 9.0(4) | Any of the following: 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x), 9.1(7.4) |
| 8.6(1) | 9.0(4) | Any of the following: 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x), 9.1(7.4) |
| 8.5(1) | 9.0(4) | Any of the following: 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x), 9.1(7.4) |
| 8.4(5+) | — | Any of the following: 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x), 9.1(7.4), 9.0(4) |
| 8.4(1) through 8.4(4) | 9.0(4) | 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x), 9.1(7.4) |
| 8.3(x) | 9.0(4) | Any of the following: 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x), 9.1(7.4) |
| 8.2(x) and earlier | 9.0(4) | Any of the following: 9.12(x), 9.10(x), 9.9(x), 9.8(x), 9.6(x), 9.1(7.4) |

Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.


For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs in Version 9.14(x)

The following table lists select open bugs at the time of this Release Note publication.

| Caveat ID Number | Description |
|---|---|
| CSCvq29993 | FPR2100 ONLY - add pkt counters to track blocks entering/exiting octeon IOQ HW path |
| CSCvu96436 | Traceback of master and one slave when a particular lock is contended for long |
| CSCvw71405 | FPR1120 running ASA traceback and reload in crypto process. |
| CSCvw89467 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-0-1652' |
| CSCvx11917 | FTD active unit might drop interface failover messages with host-move-pkt drop reason |
| CSCvx24207 | FQDN Object Containing IPv4 and IPv6 Addresses Only Install IPv6 Entries |
| CSCvx26308 | ASA traceback and reload due to strcpy_s: source string too long for dest |
| CSCvx26324 | Firepower 1010 HA goes active/active or New hosts not discoverable, even if back to back connected |
| CSCvx47992 | ASA on FPR4140 traceback and reload on thread name datapath |
| CSCvx56021 | FTD 6.6 CTS SGT propagation gets enabled after reload |
| CSCvx81208 | ASA/FTD may traceback and reload citing one of the datapath threads as culprit |
| CSCvx81443 | FTD-CLUSTER (tcp-3way-handshake): ACK message getting dropped for unknown reason |
| CSCvx87709 | FPR 2100 running ASA in HA. Traceback and reload on watchdog during failover |
| CSCvx87969 | ASA device in appliance mode traceback and reload |
| CSCvx91225 | FTD Fails to send IKE_AUTH IKEv2 S2S |
| CSCvy03174 | Failover works "mac-address auto" is configured |
| CSCvy09217 | HA goes to active-active state due to cipher mismatch |
| CSCvy09926 | The SNMP server receives many cseHaRestartNotify trap from FXOS(FPR2140-ASA-K9) |
| CSCvy10583 | ASA Traceback and Reload in Thread Name: DATAPATH |
| CSCvy11821 | FPR4k-ASA wr memory gives error opening nvram:/startup-config (Resource temporarily unavailable) |
| CSCvy12782 | FTD/ASA: PATed traffic impacted when configured on ixgbe-vf SRIOV interfaces in HA |
| CSCvy21334 | Active tries to send CoA update to Standby in case of "No Switchover" |
| CSCvy23349 | FTD unnecessarily ACKing TCP flows on inline-pair deployment |
| CSCvy24859 | Multicast packets may be dropped due to punt-rate-limit ASP drop reason |
| CSCvy26673 | There is not support for SCTP protocol in ASA REST API |
| CSCvy27549 | Intermittent ZMQ cores causing FTD 5545 to reboot |
| CSCvy31413 | Traceback: All Data Path processes produced traceback and reloaded |
| CSCvy33204 | ASA not handling the TLS extension padding correctly |
| CSCvy33676 | UN-NAT created on FTD once a prior dynamic xlate is created |
| CSCvy33755 | After upgrade from 9.6.4 to 9.14.2 on ASAv PLR license is not longer applied |
| CSCvy35737 | FTD traceback and reload during anyconnect package verification |
| CSCvy36275 | Traceback: ASA App on FP1140 traceback and reload on Thread: fover_fail_check rip vPif_get_extension |

Resolved Bugs

This section lists resolved bugs per release.

Resolved Bugs in Version 9.14(3)

The following table lists select resolved bugs at the time of this Release Note publication.

| Caveat ID Number | Description |
|---|---|
| CSCvg69380 | ASA - rare cp processing corruption causes console lock |
| CSCvh19737 | HTTPS access on FTD data interface (off-box management) is failing |
| CSCvm82290 | ASA core blocks depleted when host unreachable in IRB/TFW configuration |
| CSCvo34210 | ASA running 9.6.4.20 Traceback in threadname Unicorn Proxy Thread |
| CSCvp28713 | Input/Output interfaces in packet tracer RESULT are shown as "UNKNOWN" |
| CSCvp69936 | ASA : Traceback on tcp_intercept Thread name : Threat detection |
| CSCvq98396 | ASA: crypto session handles leak on the standby unit |
| CSCvr77005 | Traffic does not fallback to primary interface from crypto map when interface becomes available |
| CSCvr85295 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote |
| CSCvs13204 | ASAv failover traffic on SR-IOV interfaces might be dropped due to interface-down |
| CSCvs72450 | FXOS - Recover hwclock of service module from corruption due to simultaneous write collision |
| CSCvs82926 | Critical RPM alert on FRP 1000 and FPR2100 Series with ASA 'Chassis 0 Cooling Fan OK' SCH message |
| CSCvs84542 | ASA traceback with thread: idfw_proc |
| CSCvt10944 | ctm crashed while sending emix traffic over VTI tunnel |
| CSCvt48260 | Standby unit traceback at fover_parse and boot loop when detecting Active unit |
| CSCvt71529 | ASA traceback and reload during SSL handshake |
| CSCvt75760 | Traceback/Page-fault in Clientless WebVPN due to HTTP cleanup |
| CSCvt92077 | Ping Failure on ASAv - 9.13 after CAT9k reboot |
| CSCvt97205 | SNMPPOLL/SNMPTRAP to remote end (site-to-site vpn) ASA interface fails on ASA 9.14.1 |
| CSCvu33992 | traceback: ASA reloaded lina_sigcrash+1394 |
| CSCvu89110 | ASA: Block new conns even when the "logging permit-hostdown" is set & TCP syslog is down |
| CSCvu98222 | FTD Lina engine may traceback in datapath after enabling SSL decryption policy |
| CSCvv00719 | Access Control Policy with time range object is not getting hit |
| CSCvv02925 | OSPF neighbourship is not establising |
| CSCvv07917 | ASA learning a new route removes asp route table created by floating static |
| CSCvv10778 | Traceback in threadname DATAPATH (5585) or Lina (2100) after upgrade to 9.12.4 |
| CSCvv15572 | ASA traceback observed when "config-url" is entered while creating new context |
| CSCvv17585 | Netflow template not sent under certain circumstances |
| CSCvv19230 | ASAv Anyconnect users unexpectedly disconnect with reason: Idle Timeout |
| CSCvv25394 | After upgrade ASA swapped names for disks, disk0 became disk1 and vice versa. |
| CSCvv30172 | Intermittently after reboot, ADI can't join KCD |
| CSCvv31755 | Interface status may be mismatched between application and chassis due to missed update |
| CSCvv32333 | ASA still doesn't allow to poll internal-data0/0 counters via SNMP in multiple mode |
| CSCvv37629 | Malformed SIP packets leads to 4k block hold-up till SIP conn timeout causing probable traffic issue |
| CSCvv41453 | Removing static ipv6 route from management-only route table affects data traffic |
| CSCvv49698 | ASA Anyconnect url-redirect not working for ipv6 |
| CSCvv49800 | ASA/FTD: HA switchover doesn't happen with graceful reboot of firepower chassis |
| CSCvv50338 | Traceback Cluster unit on snpi_nat_xlate_destroy+2508 |
| CSCvv52591 | DMA memory leak in ctm_hw_malloc_from_pool causing management and VPN connections to fail |
| CSCvv53696 | ASA/FTD traceback and reload during AAA or CoA task of Anyconnect user |
| CSCvv55291 | Snmp user fails on standby device after rejoing ha, after ha break. |
| CSCvv56644 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS |
| CSCvv58332 | ASA/FTD is reading BGP MP_REACH_NLRI attribute's next-hop bytes in reverse order |
| CSCvv62305 | ASA traceback and reload in fover_parse when attempting to join the failover pair. |
| CSCvv63412 | ASA dropping all traffic with reason "No route to host" when tmatch compilation is ongoing |
| CSCvv64068 | After modify network/service object name. mis-match will occur on hash value of ACL in syslog. |
| CSCvv65184 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS |
| CSCvv66005 | ASA traceback and reload on inspect esmtp |
| CSCvv66920 | Inner flow: U-turn GRE flows trigger incorrect connection flow creation |
| CSCvv67196 | FTD does not try all the crl urls for getting crl file |
| CSCvv67398 | Inspect-snmp drops thru-the-box snmp paks if snmp is disabled |
| CSCvv67500 | ASA 9.12 random traceback and reload in DATAPATH |
| CSCvv68669 | Traffic to virtual IP address dropped on system context of Master ASA due to failed classification |
| CSCvv69991 | FTD stuck in Maintenance Mode after upgrade to 6.6.1 |
| CSCvv70984 | ASA traceback while modifying the bookmark SSL Ciphers configuration |
| CSCvv71097 | traceback: ASA reloaded snp_fdb_destroy_fh_callback+104 |
| CSCvv72466 | OSPF network commands go missing in the startup-config after upgrading the ASA |
| CSCvv73017 | Traceback due to fover and ssh thread |
| CSCvv80782 | Traceback leads to the purg_process |
| CSCvv85029 | ASA5555 traceback and reload on Thread Name: ace_work |
| CSCvv86861 | Traceback during SNMP traffic testing |
| CSCvv86926 | Unexpected traceback and reload on FTD creating a Core file |
| CSCvv87232 | ASA: High number of CPU hog in igb_saleen_io_sfp_mod_poll_thread process |
| CSCvv87496 | ASA cluster members 2048 block depletion due to "VPN packet redirect on peer" |
| CSCvv88017 | ASA: EasyVPN HW Client triggers duplicate phase 2 rekey causing disconnections across the tunnel |
| CSCvv89355 | DHCP-Proxy renewal timer is not started after failover |
| CSCvv89400 | ASA SNMPv3 Poll fails when using AES 256 |
| CSCvv89708 | ASA/FTD may traceback in thread name fover_FSM_thread and reload |
| CSCvv90181 | No deployment failure reason in transcript if 'show running-config' is running during deployment |
| CSCvv90720 | ASA/FTD: Mac address-table flap seen on connected switch after a HA switchover |
| CSCvv94165 | FTD 6.6 : High CPU spikes on snmpd process |
| CSCvv94701 | ASA keeps reloading with "octnic_hm_thread". After the reload, it takes very long time to recover. |
| CSCvv96193 | ASA/FTD debugs do not print clear failure reason when no proposal is chosen |
| CSCvv97877 | Secondary unit not able to join the cluster |
| CSCvw00161 | ASA traceback and reload due to VPN thread on firepower 2140 |
| CSCvw03628 | ASA will not import CA certificate with name constraint of RFC822Name set as empty |
| CSCvw06195 | ASA traceback cp_midpath_process_thread |
| CSCvw06298 | ASA duplicate MAC addresses in Shared Interfaces of different Contexts causing traffic impact |
| CSCvw07000 | Snort busy drops with PDTS Tx queue stuck |
| CSCvw12008 | ASA traceback and reload while executing "show tech-support" command |
| CSCvw12040 | Heapcache Memory depleting rapidly due to certificate chain failed validation |
| CSCvw12100 | ASA stale VPN Context seen for site to site and AnyConnect sessions |
| CSCvw16619 | Offloaded traffic not failed over to secondary route in ECMP setup |
| CSCvw18614 | ASA traceback in the LINA process |
| CSCvw19227 | Unable to remove non-used prefix-list object |
| CSCvw21844 | FTD traceback and reload on DATAPATH thread when processing encapsulated flows |
| CSCvw22881 | radius_rcv_auth can shoot up control plane CPU to 100%. |
| CSCvw22986 | Secondary unit stuck in Bulk sync infinitely due to interface of Primary stuck in init state |
| CSCvw23199 | ASA/FTD Traceback and reload in Thread Name: Logger |
| CSCvw24556 | TCP File transfer (Big File) not properly closed when Flow offload is enabled |
| CSCvw26171 | ASA syslog traceback while strncpy NULL string passed from SSL library |
| CSCvw26331 | ASA traceback and reload on Thread Name: ci/console |
| CSCvw26544 | Cisco ASA and FTD Software SIP Denial of Service Vulnerability |
| CSCvw27301 | IKEv2 with EAP, MOBIKE status fails to be processed. |
| CSCvw28814 | SNMP process crashed, resulting in Lina traceback |
| CSCvw30252 | ASA/FTD may traceback and reload due to memory corruption in SNMP |
| CSCvw31569 | Director/Backup flows are left behind and traffic related to this flow is blackholed |
| CSCvw32518 | ASASM traceback and reload after upgrade up to 9.12(4)4 and higher |
| CSCvw36662 | TACACS+ ASCII password change request not handled properly |
| CSCvw37259 | VPN syslogs are generated at a rate of 600/s until device goes into a hang state |
| CSCvw37807 | Ipsec Send Error Increasing When NTP Authenticate is Enabled |
| CSCvw42999 | 9.10.1.11 ASA on FPR2110 traceback and reloads randomly |
| CSCvw43486 | ASA/FTD Traceback and reload during PBR configuration change |
| CSCvw44122 | ASA: "class-default" class-map redirecting non-DNS traffic to DNS inspection engine |
| CSCvw45863 | ASAv snmp traceback on reload |
| CSCvw46630 | FTD: NLP path dropping return ICMP destination unreachable messages |
| CSCvw47321 | IPSec transport mode traffic corruption for inbound traffic for some FPR platforms |
| CSCvw48517 | DAP stopped working after upgrading the ASA to 9.13(1)13 |
| CSCvw50679 | ASA/FTD may traceback and reload during upgrade |
| CSCvw51307 | ASA/FTD traceback and reload in process name "Lina" |
| CSCvw51462 | IPv4 Default Tunneled Route Rejected |
| CSCvw51745 | RIP database not populated with SLA monitored static route that was re added in the routing table. |
| CSCvw51950 | FPR 4K: SSL trust-point removed from new active ASA after manual Failover |
| CSCvw51985 | ASA: AnyConnect sessions cannot be resumed due to ipv6 DACL failure |
| CSCvw52609 | Cisco ASA and FTD Software Web Services Buffer Overflow Denial of Service Vulnerability |
| CSCvw53255 | FTD/ASA HA: Standby Unit FXOS is still able to forward traffic even after failover due to traceback |
| CSCvw53427 | ASA Fails to process HTTP POST with SAML assertion containing multiple query parameters |
| CSCvw53796 | Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerability |
| CSCvw54640 | FPR-4150 - ASA traceback and reload with thread name DATAPATH |
| CSCvw56703 | IPv6 static routes not getting installed, upon changing ifc type management-only |
| CSCvw58414 | Name of anyconnect custom attribute of type dynamic-split-exclude-domains is changed after reload |
| CSCvw59035 | Connection issues to directly connected IP from FTD BVI address |
| CSCvw60177 | Standby/Secondary cluster unit might crash in Thread Name: fover_parse and "cluster config sync" |
| CSCvw62526 | ASA traceback and reload on engineering ASA build - 9.12.3.237 |
| CSCvw62528 | ASA failing to sync with IPv6 NTP server |
| CSCvw63862 | ASA: Random L2TP users cannot access resources due to stale ACL filter entries |
| CSCvw64623 | Standby ASA linkdown SNMPtrap sent from standby interface with active IP address |
| CSCvw71766 | ASA traceback and reload in Thread: Ikev2 Daemon |
| CSCvw74940 | ASA traceback in IKE Daemon and reload |
| CSCvw77930 | ASA fails to process SAML assertion when tunnel-group name contains "." |
| CSCvw81897 | ASA: OpenSSL Vulnerability CVE-2020-1971 |
| CSCvw82629 | ASA Tracebacks when making "configuration session" changes regarding an ACL. |
| CSCvw83572 | BVI HTTP/SSH access is not working in versions 9.14.1.30 or above |
| CSCvw83780 | FTD Firewall may traceback and reload when modifying ACLs |
| CSCvw84339 | Managed device backup fails, for FTD, if hostname exceeds 30 characters |
| CSCvw84786 | ASA traceback and reload on Thread name snmp_alarm_thread |
| CSCvw87788 | ASA traceback and reload webvpn thread |
| CSCvw89365 | ASA/FTD may traceback and reload during certificate changes. |
| CSCvw90151 | PPPOE - ASA sends CONFACK for non-configured protocol |
| CSCvw94988 | S2S traffic fails due to missing V routes after Primary cluster unit gets disabled |
| CSCvw95301 | ASA traceback and reload with Thread name: ssh when capture was removed |
| CSCvw96488 | Traceback in inspect_h323_ras+1810 |
| CSCvw97821 | ASA: VPN traffic does not pass if no dACL is provided in CoA |
| CSCvw98840 | ASA: dACL with no IPv6 entries is not applied to v6 traffic after CoA |
| CSCvw99916 | ASAv: SNMP result for used memory value incorrect after upgrade to 9.14 |
| CSCvx02869 | Traceback in Thread Name: Lic TMR |
| CSCvx03764 | Offload rewrite data needs to be fixed for identity nat traffic and clustering environment |
| CSCvx04057 | When SGT name is unresolved and used in ACE, line is not being ignored/inactive |
| CSCvx04643 | ASA reload is removing 'content-security-policy' config |
| CSCvx05385 | ASA may generate a traceback in Logger thread during configuration sync in HA |
| CSCvx06385 | Fail-to-wire ports in FPR 2100 flapping after upgrade to 6.6.1 |
| CSCvx08734 | ASA: default IPv6/IPv4 route tunneled does not work |
| CSCvx09248 | SNMP walk for v2 and v3 fails with No Such Object available on this agent at this OID is seen |
| CSCvx09535 | ASA Traceback: CRL check for an Anyconnect client with a revoked certificate triggers reload |
| CSCvx10110 | Last transaction timestamp status "unknown" for active LDAP AAA server |
| CSCvx10841 | Not able to Advertise/Redistribute VXLAN/VNI interface subnet using EIGRP |
| CSCvx11295 | ASA may traceback and reload on thread Crypto CA |
| CSCvx11460 | Firepower 2110 silently dropping traffic with TFC enabled on the remote end |
| CSCvx13694 | ASA/FTD traceback in Thread Name: PTHREAD-4432 |
| CSCvx15040 | DHCP Proxy Offer is getting drop on the ASA/FTD |
| CSCvx16592 | FTD doesn't redirect packets to the WCCP web-cache engine when VRF's are configured |
| CSCvx17664 | ASA may traceback and reload in Thread Name 'webvpn_task' |
| CSCvx17780 | FPR-2100-ASA : SNMP Walk for ifType is showing "other" for ASA interfaces in the latest versions |
| CSCvx17842 | Prevent lina from traceback due to object loop sent by FMC. Fail the deployment instead. |
| CSCvx19934 | Deployment gets failed for snmp settings while deleting snmpv1 and adding snmpv3 at a time in 6.6.3 |
| CSCvx20303 | ASA/FTD may traceback in after changing snmp host-group object |
| CSCvx20872 | ASA/FTD Traceback and reload due to netflow refresh timer |
| CSCvx22695 | ASA traceback and reload during OCSP response data cleanup |
| CSCvx23833 | IKEv2 rekey - Invalid SPI for ESP packet using new SPI received right after Create_Child_SA response |
| CSCvx25406 | LINA silently drops packet if the MTU of the packet is of size > the MTU of egress interface |
| CSCvx25719 | X-Frame-Options header is not set in webvpn response pages |
| CSCvx25836 | ASA traceback & reload due to "show crashinfo" adding a new output log |
| CSCvx26221 | Traceback into snmp at handle_agentx_packet / snmp takes long time to come up on FP1k and 5508 |
| CSCvx26308 | ASA traceback and reload due to strcpy_s: source string too long for dest |
| CSCvx26808 | FTD traceback and reload on process lina on FPR2100 series |
| CSCvx27430 | ASA: Unable to import PAC file if FIPS is enabled. |
| CSCvx29771 | Firewall CPU can increase after a bulk routing update with flow offload |
| CSCvx29814 | IP address in DHCP GIADDR field is reversed after sending DHCP DECLINE to DHCP server |
| CSCvx30314 | ASA 9.15.1.7 traceback and reload in ssl midpath |
| CSCvx34237 | ASA reload with FIPS failure |
| CSCvx38124 | Core-local block alloc failure on cores where CP is pinned leading to drops |
| CSCvx41171 | Concurrent modification of ACL configuration breaks output of "show running-config" completely |
| CSCvx42081 | FPR4150 ASA Standby Ready unit Loops to failed and remove config to install it again |
| CSCvx42197 | ASA EIGRP route stuck after neighbour disconnected |
| CSCvx44401 | FTD/ASA traceback in Thread Name : Unicorn Proxy Thread |
| CSCvx45976 | ASA/FTD Watchdog forced traceback and reload in Threadname: vnet-proxy (rip: socks_proxy_datarelay) |
| CSCvx47230 | X-Frame-Options header support for older versions of IE and windows platforms |
| CSCvx48490 | SSL Decrypted https flow EOF events showing 'Initiator/Responder' Packets as 0 |
| CSCvx50366 | Traceback in Thread Name: fover_health_monitoring_thread |
| CSCvx52122 | ASA traceback and reload in SNMP Notify Thread while deleting transparent context |
| CSCvx54235 | ASP capture dispatch-queue-limit shows no packets |
| CSCvx54396 | Deployment failures on FTD when multicast is enabled. |
| CSCvx54606 | FTD 6.6.1/6.7.0 is sending SNMP Ifspeed OID (1.3.6.1.2.1.2.2.1.5) response value = 0 |
| CSCvx57417 | Smart Tunnel Code signing certifcate renewal |
| CSCvx59120 | COA Received before data tunnel comes up results in tear down of parent session |
| CSCvx62239 | Need comprehensive details in logs on what is stopping VPN load-balancing cluster formation |
| CSCvx63647 | ASA traceback and reload on Thread Name: CTM Daemon |
| CSCvx65745 | FPR2100: enable kernel panic on octeon for UE events to trigger crash |
| CSCvx68128 | ASA internal deadlock leads to loss of feature functionality (syslogs, reload, ASDM, anyconnect) |
| CSCvx68355 | ASA - unable to import CA certificate when countryName is encoded as UTF8 |
| CSCvx68951 | ASA responds with "00 00 00 00 00 00" when polling interface physical address using snmp |
| CSCvx69405 | ASA Traceback and reload in Thread Name: SNMP ContextThread |
| CSCvx71434 | ASA/FTD Traceback and reload in Thread Name: pix_startup_thread due to asa_run_ttyS0 script |
| CSCvx71571 | ASA: "ERROR: Unable to delete entries from Hash Table" with CSM |
| CSCvx72904 | Optimise ifmib polls |
| CSCvx73164 | Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021 |
| CSCvx75503 | Re-transmitted SYN are not inspected by inspection engine |
| CSCvx75963 | ASA traceback while taking captures |
| CSCvx77768 | Traceback and reload due to Umbrella |
| CSCvx85534 | SNMP traps being sent out sourced with unexpected IP from the data interface |
| CSCvx85922 | ASA/FTD may traceback and reload when saving/writitng the configuration to memory |
| CSCvx87679 | Failover license count not synced to standby firewall. |
| CSCvx87709 | FPR 2100 running ASA in HA. Traceback and reload on watchdog during failover |
| CSCvx88683 | ASA not replicating BGP password correctly to standby unit |
| CSCvx94326 | VPN Load Balancing may get stuck and disconnect from the group |
| CSCvx94398 | Secondary ASA could not get the startup configuration |
| CSCvx95255 | Supportive change in ASA to differentiate, new ASDM connections from existing ASDM context switch |
| CSCvx97632 | ASA crashes when copying files with long destination filenames using cluster command |
| CSCvy01752 | Traceback on FPR 4115 in Thread - Lic HA Cluster |
| CSCvy02703 | ASA/FTD tracebacks due to CTM message handler |
| CSCvy03006 | improve debugging capability for uauth |
| CSCvy04869 | AnyConnect certificate authentication fails if user certificate has 8192 bits key size |
| CSCvy07491 | ASA traceback when re-configuring access-list |
| CSCvy08908 | Port-forwarding application blocked by Java |
| CSCvy17365 | REST API Login Page Issue |
| CSCvy39659 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-15-14815' |

Resolved Bugs in Version 9.14(2)

The following table lists select resolved bugs at the time of this Release Note publication.

Caveat ID Number

Description

CSCuw51499

TCM doesn't work for ACE addition/removal, ACL object/object-group edits

CSCvh19161

ASA/FTD traceback and reload in Thread Name: SXP CORE

CSCvk51778

"show inventory" (or) "show environment" on ASA 5515/5525/5545/5555 shows up Driver/ioctl error logs

CSCvn64647

ASA traceback and reload due to tcp_retrans_timeout internal thread handling

CSCvn82441

[SXP] Issue with establishing SXP connection between ASA on FPR-2110 and switches

CSCvn95731

ASA traceback and reload on Thread Name SSH

CSCvp47536

AAA requests on FTD not following V-routes learned from RRI

CSCvq47743

AnyConnect and Management Sessions fail to connect after several weeks

CSCvr15503

ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA

CSCvr35872

ASA traceback Thread Name: DATAPATH-0-1388 PBR 9.10(1)22

CSCvr58411

RRI on static HUB/SPOKE config is not working on HUB when a new static SPOKE is added or deleted

CSCvr60195

ASA/FTD may traceback and reload in Thread Name 'HTTP Cli Exec'

CSCvr99642

ASA traceback and reload multiple times with trace "webvpn_periodic_signal"

CSCvs01422

Lina traceback when changing device mode of FTD

CSCvs09533

FP2100: Traceback and reload when processing traffic through more than two inline sets

CSCvs33852

After upgrade to version 9.6.4.34 is not possible to add an access-group

CSCvs38785

Inconsistent timestamp format in syslog

CSCvs50274

ASA5506 to the box icmp request packets intermittently dropped

CSCvs52108

ASA Traceback Due to Umbrella Inspection

CSCvs55603

ICMP Reply Dropped when matched by ACL

CSCvs59056

ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled

CSCvs72378

ASDM session being abruptly terminated when switching between different contexts

CSCvs72393

FPR1010 temperature thresholds should be changed

CSCvs73754

ASA/FTD: Block 256 size depletion caused by ARP of BVI not assigned to any physical interface

CSCvs78252

ASA/Lina Offloaded TCP flows interrupted if TCP sequence number randomizer is enabled and SACK used

CSCvs79023

ASA/FTD Traceback in Thread Name: DATAPATH due to DNS inspection

CSCvs79606

"dns server-group DefaultDNS" cli not getting negated

CSCvs81763

vFTD not able to pass vlan tagged traffic (trunk mode)

CSCvs82829

Calls fail once anyconnect configuration is added to the site to site VPN tunnel

CSCvs85196

ASA SIP connections drop after several consecutive failovers: pinhole timeout/closed by inspection

CSCvs88413

Port-channel bundling is failing after upgrade to 9.8 version

CSCvs90100

ASA/FTD may traceback and reload in Thread Name 'License Thread'

CSCvs91389

FTD Traceback Lina process

CSCvs97863

Reduce number of fsync calls during close in flash file system

CSCvt00113

ASA/FTD traceback and reload due to memory leak in SNMP community string

CSCvt01397

Deployment is marked as success although LINA config was not pushed

CSCvt02409

Cisco Firepower Threat Defense Software Inline Pair/Passive Mode DoS Vulnerability

CSCvt03598

Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability

CSCvt04560

SCTP heartbeats failing across the firewall in Cluster deployment.

CSCvt05862

IPv6 DNS server resolution fails when the server is reachable over the management interface.

CSCvt06606

Flow offload not working with combination of FTD 6.2(3.10) and FXOS 2.6(1.169)

CSCvt06841

Incorrect access-list hitcount seen when configuring it with a capture on ASA

CSCvt11661

DOC - Clarify the meaning of mp-svc-flow-control under show asp drop

CSCvt11742

ASA/FTD may traceback and reload in Thread Name 'ssh'

CSCvt12463

ASA: Traceback in thread Unicorn Admin Handler

CSCvt13822

ASA: VTI rejecting IPSec tunnel due to no matching crypto map entry

CSCvt15163

Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability

CSCvt18199

IPv6 Nat rejected with error "overlaps with inside standby interface address" for Standalone ASA

CSCvt21041

FTD Traceback in thread 'ctm_ipsec_display_msg'

CSCvt22356

Health-check monitor-interface debounce-time in ASA Cluster resets to 9000ms after ASA reboot

CSCvt23643

VPN failover recovery is taking approx. 30 seconds for data to resume

CSCvt24328

FTD: Traceback and reload related to lina_host_file_open_raw function

CSCvt26031

ASAv Unable to register smart licensing with IPv6

CSCvt26067

Active FTP fails when secondary interface is used on FTD

CSCvt27585

Observed traceback on 2100 while performing Failover Switch from Standby.

CSCvt28182

sctp-state-bypass is not getting invoked for inline FTD

CSCvt29049

FPR2100 - ASA in Appliance Mode - SNMP Delay

CSCvt33785

IPSec SAs are not being created for random VPN peers

CSCvt35945

Encryption-3DES-AES should not be required when enabling ssh version 2 on 9.8 train

CSCvt36542

Multi-context ASA/LINA on FPR not sending DHCP release message

CSCvt38279

Erase disk0 on ISA3000 causes file system not supported

CSCvt40306

ASA:BVI interface of standby unit stops responding after reload

CSCvt41333

Dynamic RRI route is not destroyed when IKEv2 tunnel goes down

CSCvt43967

Pad packets received from RA tunnel which are less than or equal 46 bytes in length with zeros

CSCvt45863

Crypto ring stalls when the length in the ip header doesn't match the packet length

CSCvt46289

ASA LDAPS connection fails on Firepower 1000 Series

CSCvt46830

FPR2100 'show crypto accelerator statistics' counters do not track symmetric crypto

CSCvt50528

Warning Message for default settings with Installation of Certificates in ASA/FTD - CLI

CSCvt50946

Stuck uauth entry rejects AnyConnect user connections despite fix of CSCvi42008

CSCvt51346

PKI-CRL: Memory Leak on Download and Clear Large CRL

CSCvt51348

PKI-CRL: Memory Leak on Download Large CRL in loop without clearing it

CSCvt51349

Fragmented packets forwarded to fragment owner are not visible on data interface captures

CSCvt51987

Traffic outage due to 80 size block exhaustion on the ASA FPR9300 SM56

CSCvt52782

ASA traceback Thread name - webvpn_task

CSCvt53640

ASA5585 traceback and reload after upgrading SFR from 6.4.0 to 6.4.0.9-34

CSCvt54182

LINA cores are generated when FTD is configured to do SSL decryption.

CSCvt56923

FTD manual certificate enrollment fails with "&" (ampersand) in Organisation subject field

CSCvt61196

ASA on multicontext mode, deleting a context does not delete the SSH keys.

CSCvt63484

ASA High CPU with igb_saleen_io_sfp_mod_poll_thre process

CSCvt64035

remote access mib - SNMP 64 bit only reporting 4Gb before wrapping around

CSCvt64270

ASA is sending failover interface check control packets with a wrong destination mac address

CSCvt64822

Cisco Adaptive Security Appliance Software SSL/TLS Denial of Service Vulnerability

CSCvt64952

"Show crypto accelerator load-balance detail" has missing and undefined output

CSCvt65982

Route Fallback doesn't happen on Slave unit, upon RRI route removal.

CSCvt66351

NetFlow reporting impossibly large flow bytes

CSCvt68131

FTD traceback and reload on thread "IKEv2 Mgd Timer Thread"

CSCvt68294

Adjust Firepower 4120 Maximum VPN Session Limit to 20,000

CSCvt70664

ASA: acct-session-time accounting attribute missing from Radius Acct-Requests for AnyConnect

CSCvt70879

"clear configure access-list" on ACL used for vpn-filter breaks access to resources

CSCvt73407

TACACS Fallback authorization fails for Username enable_15 on ASA device.

CSCvt73806

FTD traceback and reload on FP2120 LINA Active Box. VPN

CSCvt75241

Redistribution of VPN advertised static routes fail after reloading the FTD on FPR2100

CSCvt76688

The syslog message 201008 should include reason of drop when TCP server is down

CSCvt80126

ASA traceback and reload for the CLI "show asp table socket 18421590 det"

CSCvt80134

WebVPN rewriter fails to parse data from SAP Netweaver.

CSCvt83133

Unable to access anyconnect webvpn portal from google chrome using group-url

CSCvt86188

SNMP traps can't be generated via diagnostic interface

CSCvt90330

ASA traceback and reload with thread name coa_task

CSCvt92647

Connectivity over the state link configured with IPv6 addresses is lost after upgrading the ASA

CSCvt93142

ASA should allow null sequence encoding in certificates for client authentication.

CSCvt95517

Certificate mapping for AnyConnect on FTD stops working.

CSCvt97205

SNMPPOLL/SNMPTRAP to remote end (site-to-site vpn) ASA interface fails on ASA 9.14.1

CSCvt97917

ASAv on AWS 9.13.1.7 BYOL image cannot be enabled for PLR

CSCvt98599

IKEv2 Call Admission Statistics "Active SAs" counter out of sync with the real number of sessions

CSCvu00112

tsd0 not reset when ssh quota limit is hit in ci_cons_shell

CSCvu01039

Traceback: Modifying FTD inline-set tap-mode configuration with active traffic

CSCvu03107

AnyConnect statistics is doubled in both %ASA-4-113019 and RADIUS accounting

CSCvu03562

Device loses ssh connectivity when username and password is entered

CSCvu03675

FPR2100: ASA console may hang & become unresponsive in low memory conditions

CSCvu04279

ASAv/AWS: Unable to upgrade or downgrade C5 ASAv code on AWS

CSCvu05180

aaa-server configuration missing on the FTD after a Remote Access VPN policy deployment

CSCvu05216

cert map to specify CRL CDP Override does not allow backup entries

CSCvu05336

ASAv - Traceback and reload on SNMP process

CSCvu05821

Timestamp format will be shown always in UTC

CSCvu06767

Lina cores on multi-instance causing a boot loop on both logical-devices

CSCvu07602

FPR-41x5: 'clear crypto accelerator load-balance' will cause a traceback and reload

CSCvu07880

ASA on QP platforms display wrong coredump filesystem space (50 GB)

CSCvu08013

DTLS v1.2 and AES-GCM cipher when used drops a particular size packet frequently.

CSCvu08339

FTD Inline-set bridge group ID set to 0 with tap-mode off

CSCvu10053

ASA traceback and reload on function snmp_master_callback_thread

CSCvu12039

Slave unit might fail to synchronize SCTP configuration from the cluster master after bootup

CSCvu12248

ASA-FPWR 1010 traceback and reload when users connect using AnyConnect VPN

CSCvu12684

HKT - Failover time increases with upgrade to 9.8.4.15

CSCvu16423

ASA 9.12(2) - Multiple tracebacks due to Unicorn Proxy Thread

CSCvu17852

Current connection count is negative on 'show service policy' when connection limit is set in MPF

CSCvu17924

FTD failover units traceback and reload on DATAPATH

CSCvu17965

ASA generated a traceback and reloaded when changing the port value of a manual nat rule

CSCvu20007

Config_XML_Response from LINA is not in the correct format,Lina reporting as No memory available.

CSCvu25030

FTD 6.4.0.8 traceback & reload on thread name : CP processing

CSCvu26296

ASA interface ACL dropping snmp control-plane traffic from ASA

CSCvu26561

WebVPN SSO Gives Unexpected Results when Integrated with Kerberos

CSCvu27287

Scheduled Backup failing over SCP via EEM

CSCvu27868

ASA: Lack of specific syslog messages to external IPv6 logging server after ASA upgrade

CSCvu29395

Traceback observed while performing master role change with active IGMP joins

CSCvu32698

ASA Crashes in SNMP while joining the cluster when "key config-key password-encryption" is present

CSCvu34413

SSH keys lost in ASA after reload

CSCvu36302

%ASA-3-737403 is used incorrectly when vpn-addr-assign local reuse-delay is configured

CSCvu37547

Memory leak: due to resource-limit MIB handler, eventually causing reload

CSCvu38795

FTD firewall unit cannot join the cluster after a traceback due to invalid interface GOID entry

CSCvu40213

ASA traceback in Thread Name kerberos_recv

CSCvu40324

ASA traceback and reload with Flow lookup calling traceback

CSCvu40398

ASAv reload due to FIPS SELF-TEST FAILURE after enabling FIPS

CSCvu42434

ASA: High CPU due to stuck running SSH sessions / Unable to SSH to ASA

CSCvu43355

FTD Lina traceback in datapath due to double free

CSCvu43827

ASA & FTD Cluster unit traceback in thread Name "cluster config sync" or "fover_FSM_thread"

CSCvu43924

GIADDR of DHCP Discover packet is changed to the ip address of dhcp-network-scope

CSCvu45748

ASA traceback in threadname 'ppp_timer_thread'

CSCvu45822

ASA experienced a traceback and reloaded

CSCvu48285

ASA configured with TACACS REST API: /cli api fail with "Command authorization failed" message

CSCvu49625

[PKI] Standard Based IKEv2 Certificate Auth session does second userfromcert lookup unnecessarily

CSCvu53258

FMC pushes certificate map incorrectly to lina

CSCvu55469

FTD - Connection idle timeout doesn't reset

CSCvu55843

ASA traceback after TACACS authorized user made configuration changes

CSCvu58153

Display RADIUS port representation as little-endian instead of big-endian

CSCvu60011

FTD: Snort policy changes deployed to a HA on failed state are not fully synced

CSCvu61704

ASA high CPU with intel_82576_check_link_thread impacting on overall unit performance

CSCvu63458

FPR2100: Show crash output on show tech does not display outputs from most recent tracebacks

CSCvu65688

IKEv2 CAC "Active SAs" counter out of sync with the real number of sessions despite CSCvt98599

CSCvu68529

Embryonic connections limit does not work consistently

CSCvu70622

CTS SGT propagation gets enabled after reload

CSCvu70931

Cluster / aaa-server key missing after "no key config-key" is entered

CSCvu71324

ASA: Automatic DENY rule applied in multiple contexts due to the use of the dhcp-network-scope

CSCvu72094

ASA traceback and reload on thread name DATAPATH

CSCvu72658

AnyConnect Connected Client IPs Not Advertised into OSPF Intermittently

CSCvu73207

DSCP values not preserved in DTLS packets towards AnyConnect users

CSCvu75594

FTD: Traceback and reload when changing capture buffer options on a already applied capture

CSCvu77095

ASA unable to delete ACEs with remarks and display error "Specified remark does not exist"

CSCvu78721

Cannot change (modify) interface speed after upgrade

CSCvu80143

Snmp stops responding. CLI returns: Unable to honour this request now.

CSCvu82738

The drop rate in show interface for inline sets is incorrect

CSCvu83178

Dynamic routing protocols summary route not being replicated to standby

CSCvu83389

ASA drops GTPV1 Forward relocation Request message with Null TEID

CSCvu83599

ASA may traceback and unexpectedly reload on Thread snmp_alarm_thread

CSCvu90727

Native VPN client with EAP-TLS authentication fails to connect to ASA

CSCvu97764

FTD in TAP mode won't capture on egress interfaces

CSCvu98505

ASA licensed via PLR does not have 'export-controlled functionality enabled' flag set correctly

CSCvv02245

ASA 'session sfr' command disconnects from FirePOWER module for initial setup

CSCvv04584

Multicast traffic is being dropped with the reason no-mcast-intrf

CSCvv07864

Multicast EIGRP traffic not seen on internal FTD interface

CSCvv07917

ASA learning a new route removes asp route table created by floating static

CSCvv08684

Cluster site-specific MAC addresses not rewritten by flow-offload

CSCvv09396

Stale VPN routes for L2TP, after the session was terminated

CSCvv09944

Lina Traceback during FTD deployment when WCCP config is being pushed

CSCvv12273

SNMP get-response using snmpget with multiple OIDs on hardwareStatus MIB returns noSuchObject

CSCvv12857

ASA gets frozen after crypto engine failure

CSCvv17585

Netflow template not sent under certain circumstances

CSCvv20405

WEBVPN: ERROR: Invalid tunnel group name on Multi-Context ASA

CSCvv23370

Observed traceback in FPR2130 while running webVPN, SNMP related traffic.

CSCvv26786

ASA traceback and reload unexpectedly on "Process Name: lina"

CSCvv26845

ASA: Watchdog Traceback and reload on SNMP functions with syslog traps

CSCvv28997

ASA Traceback and reload on thread name Crypto CA

CSCvv29687

Rate-limit syslogs 780001/780002 by default on ASA

CSCvv30371

SNMP: Memory leak in VPN polling

CSCvv31334

Lina traceback and reload seen on trying to switch peer on KP HA with 6.6.1-63

CSCvv31629

Intermittently embedded ping reply over GRE drops on FTD cluster if traffic passes asymmetrically.

CSCvv32425

ASA traceback when running show asp table classify domain permit

CSCvv34003

snmpwalk for OID 1.3.6.1.2.1.47.1.1.1.1.5 on ISA 3000 returning value of 0 for .16 and .17

CSCvv34140

ASA IKEv2 VTI - Failed to request SPI from CTM as responder

CSCvv36518

ASA: Extended downtime after reload after CSCuw51499 fix

CSCvv36725

ASA logging rate-limit 1 5 message ... limits to 1 message in 10 seconds instead of 5

CSCvv37108

ASA silently dropping OSPF LS Update messages from neighbors

CSCvv43484

ASA stops processing RIP packets after system upgrade

CSCvv43885

'show sctp' command is unavailable when carrier license is out of compliance

CSCvv44051

Cluster unit traceback on snp_cluster_forward_and_free_packet due to GRE/IPiniP passenger flows

CSCvv44270

ASAv5 reloads without traceback.

CSCvv48594

Memory leak: due to snp_tcp_intercept_stat_top_n_integrate() in threat detection

CSCvv54831

ASA traceback and reload when running Packet Tracer commands

CSCvv57590

ASA: ACL compilation takes more time on standby

CSCvv57842

WebSSL clientless user accounts being locked out on 1st bad password

CSCvv58605

ASA traceback and reload in thread:Crypto CA,mem corruption by unvirtualized pki global table in MTX

CSCvv69991

FTD stuck in Maintenance Mode after upgrade to 6.6.1

CSCvw30252

ASA/FTD may traceback and reload due to memory corruption in SNMP

CSCvv53696

ASA/FTD traceback and reload during AAA or CoA task of Anyconnect user

Resolved Bugs in Version 9.14(1.30)

The following table lists select resolved bugs at the time of this Release Note publication.

Caveat ID Number

Description

CSCvh19161

ASA/FTD traceback and reload in Thread Name: SXP CORE

CSCvi42008

Stuck uauth entry rejects AnyConnect user connections

CSCvk51778

"show inventory" (or) "show environment" on ASA 5515/5525/5545/5555 shows up Driver/ioctl error logs

CSCvn64647

ASA traceback and reload due to tcp_retrans_timeout internal thread handling

CSCvn82441

[SXP] Issue with establishing SXP connection between ASA on FPR-2110 and switches

CSCvn95731

ASA traceback and reload on Thread Name SSH

CSCvq47743

AnyConnect and Management Sessions fail to connect after several weeks

CSCvq51284

FPR 2100, low block 9472 causes packet loss through the device.

CSCvr15503

ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA

CSCvr35872

ASA traceback Thread Name: DATAPATH-0-1388 PBR 9.10(1)22

CSCvr58411

RRI on static HUB/SPOKE config is not working on HUB when a new static SPOKE is added or deleted

CSCvr60195

ASA/FTD may traceback and reload in Thread Name 'HTTP Cli Exec'

CSCvr99642

ASA traceback and reload multiple times with trace "webvpn_periodic_signal"

CSCvs01422

Lina traceback when changing device mode of FTD

CSCvs09533

FP2100: Traceback and reload when processing traffic through more than two inline sets

CSCvs33852

After upgrade to version 9.6.4.34 is not possible to add an access-group

CSCvs38785

Inconsistent timestamp format in syslog

CSCvs52108

ASA Traceback Due to Umbrella Inspection

CSCvs55603

ICMP Reply Dropped when matched by ACL

CSCvs59056

ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled

CSCvs72393

FPR1010 temperature thresholds should be changed

CSCvs73754

ASA/FTD: Block 256 size depletion caused by ARP of BVI not assigned to any physical interface

CSCvs79023

ASA/FTD Traceback in Thread Name: DATAPATH due to DNS inspection

CSCvs82829

Calls fail once anyconnect configuration is added to the site to site VPN tunnel

CSCvs88413

Port-channel bundling is failing after upgrade to 9.8 version

CSCvs90100

ASA/FTD may traceback and reload in Thread Name 'License Thread'

CSCvs97863

Reduce number of fsync calls during close in flash file system

CSCvt00113

ASA/FTD traceback and reload due to memory leak in SNMP community string

CSCvt01397

Deployment is marked as success although LINA config was not pushed

CSCvt02409

9.12.2.151 snp_cluster_ingress traceback on FPR9300 3-node cluster nested VLAN traffic

CSCvt03598

Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability

CSCvt05862

IPv6 DNS server resolution fails when the server is reachable over the management interface.

CSCvt06606

Flow offload not working with combination of FTD 6.2(3.10) and FXOS 2.6(1.169)

CSCvt06841

Incorrect access-list hitcount seen when configuring it with a capture on ASA

CSCvt11661

DOC - Clarify the meaning of mp-svc-flow-control under show asp drop

CSCvt11742

ASA/FTD may traceback and reload in Thread Name 'ssh'

CSCvt12463

ASA: Traceback in thread Unicorn Admin Handler

CSCvt21041

FTD Traceback in thread 'ctm_ipsec_display_msg'

CSCvt23643

VPN failover recovery is taking approx. 30 seconds for data to resume

CSCvt24328

FTD: Traceback and reload related to lina_host_file_open_raw function

CSCvt26031

ASAv Unable to register smart licensing with IPv6

CSCvt26067

Active FTP fails when secondary interface is used on FTD

CSCvt28182

sctp-state-bypass is not getting invoked for inline FTD

CSCvt29049

FPR2100 - ASA in Appliance Mode - SNMP Delay

CSCvt35945

Encryption-3DES-AES should not be required when enabling ssh version 2 on 9.8 train

CSCvt36542

Multi-context ASA/LINA on FPR not sending DHCP release message

CSCvt38279

Erase disk0 on ISA3000 causes file system not supported

CSCvt41333

Dynamic RRI route is not destroyed when IKEv2 tunnel goes down

CSCvt43967

Pad packets received from RA tunnel which are less than or equal 46 bytes in length with zeros

CSCvt45863

Crypto ring stalls when the length in the ip header doesn't match the packet length

CSCvt46289

ASA LDAPS connection fails on Firepower 1000 Series

CSCvt46830

FPR2100 'show crypto accelerator statistics' counters do not track symmetric crypto

CSCvt50528

Warning Message for default settings with Installation of Certificates in ASA/FTD - CLI

CSCvt50946

Stuck uauth entry rejects AnyConnect user connections despite fix of CSCvi42008

CSCvt51349

Fragmented packets forwarded to fragment owner are not visible on data interface captures

CSCvt51987

Traffic outage due to 80 size block exhaustion on the ASA FPR9300 SM56

CSCvt52782

ASA traceback Thread name - webvpn_task

CSCvt53640

ASA5585 traceback and reload after upgrading SFR from 6.4.0 to 6.4.0.9-34

CSCvt54182

LINA cores are generated when FTD is configured to do SSL decryption.

CSCvt63484

ASA High CPU with igb_saleen_io_sfp_mod_poll_thre process

CSCvt64035

remote access mib - SNMP 64 bit only reporting 4Gb before wrapping around

CSCvt64270

ASA is sending failover interface check control packets with a wrong destination mac address

CSCvt64822

ASA may traceback and unexpectedly reload after SSL handshake

CSCvt65982

Route Fallback doesn't happen on Slave unit, upon RRI route removal.

CSCvt66351

NetFlow reporting impossibly large flow bytes

CSCvt68131

FTD traceback and reload on thread "IKEv2 Mgd Timer Thread"

CSCvt68294

Adjust Firepower 4120 Maximum VPN Session Limit to 20,000

CSCvt73806

FTD traceback and reload on FP2120 LINA Active Box. VPN

CSCvt75241

Redistribution of VPN advertised static routes fail after reloading the FTD on FPR2100

CSCvt80126

ASA traceback and reload for the CLI "show asp table socket 18421590 det"

CSCvt83133

Unable to access anyconnect webvpn portal from google chrome using group-url

CSCvt86188

SNMP traps can't be generated via diagnostic interface

CSCvt90330

ASA traceback and reload with thread name coa_task

CSCvt92647

Connectivity over the state link configured with IPv6 addresses is lost after upgrading the ASA

CSCvt93142

ASA should allow null sequence encoding in certificates for client authentication.

CSCvt95517

Certificate mapping for AnyConnect on FTD stops working.

CSCvt97917

ASAv on AWS 9.13.1.7 BYOL image cannot be enabled for PLR

CSCvt98599

IKEv2 Call Admission Statistics "Active SAs" counter out of sync with the real number of sessions

CSCvu00112

tsd0 not reset when ssh quota limit is hit in ci_cons_shell

CSCvu01039

Traceback: Modifying FTD inline-set tap-mode configuration with active traffic

CSCvu03107

AnyConnect statistics is doubled in both %ASA-4-113019 and RADIUS accounting

CSCvu03562

Device loses ssh connectivity when username and password is entered

CSCvu03675

FPR2100: ASA console may hang & become unresponsive in low memory conditions

CSCvu04279

ASAv/AWS: Unable to upgrade or downgrade C5 ASAv code on AWS

CSCvu05180

aaa-server configuration missing on the FTD after a Remote Access VPN policy deployment

CSCvu05216

cert map to specify CRL CDP Override does not allow backup entries

CSCvu05336

ASAv - Traceback and reload on SNMP process

CSCvu05821

Timestamp format will be shown always in UTC

CSCvu06767

Lina cores on multi-instance causing a boot loop on both logical-devices

CSCvu07602

FPR-41x5: 'clear crypto accelerator load-balance' will cause a traceback and reload

CSCvu07880

ASA on QP platforms display wrong coredump filesystem space (50 GB)

CSCvu08013

DTLS v1.2 and AES-GCM cipher when used drops a particular size packet frequently.

CSCvu10053

ASA traceback and reload on function snmp_master_callback_thread

CSCvu12039

Slave unit might fail to synchronize SCTP configuration from the cluster master after bootup

CSCvu12248

ASA-FPWR 1010 traceback and reload when users connect using AnyConnect VPN

CSCvu12684

HKT - Failover time increases with upgrade to 9.8.4.15

CSCvu16423

ASA 9.12(2) - Multiple tracebacks due to Unicorn Proxy Thread

CSCvu17924

FTD failover units traceback and reload on DATAPATH

CSCvu17965

ASA generated a traceback and reloaded when changing the port value of a manual nat rule

CSCvu20007

Config_XML_Response from LINA is not in the correct format,Lina reporting as No memory available.

CSCvu25030

FTD 6.4.0.8 traceback & reload on thread name : CP processing

CSCvu26296

ASA interface ACL dropping snmp control-plane traffic from ASA

CSCvu26561

WebVPN SSO Gives Unexpected Results when Integrated with Kerberos

CSCvu27868

ASA: Lack of specific syslog messages to external IPv6 logging server after ASA upgrade

CSCvu29395

Traceback observed while performing master role change with active IGMP joins

CSCvu32698

ASA Crashes in SNMP while joining the cluster when "key config-key password-encryption" is present

CSCvu34413

SSH keys lost in ASA after reload

CSCvu36362

ASA inconsistent behavior with DNS doctoring

CSCvu37547

Memory leak: due to resource-limit MIB handler, eventually causing reload

CSCvu38795

FTD firewall unit cannot join the cluster after a traceback due to invalid interface GOID entry

CSCvu40213

ASA traceback in Thread Name kerberos_recv

CSCvu40324

ASA traceback and reload with Flow lookup calling traceback

CSCvu40398

ASAv reload due to FIPS SELF-TEST FAILURE after enabling FIPS

CSCvu42434

ASA: High CPU due to stuck running SSH sessions / Unable to SSH to ASA

CSCvu43355

FTD Lina traceback in datapath due to double free

CSCvu43827

ASA & FTD Cluster unit traceback in thread Name "cluster config sync" or "fover_FSM_thread"

CSCvu43924

GIADDR of DHCP Discover packet is changed to the ip address of dhcp-network-scope

CSCvu45748

ASA traceback in threadname 'ppp_timer_thread'

CSCvu45822

ASA experienced a traceback and reloaded

CSCvu48285

ASA configured with TACACS REST API: /cli api fail with "Command authorization failed" message

CSCvu49625

[PKI] Standard Based IKEv2 Certificate Auth session does second userfromcert lookup unnecessarily

CSCvu53258

FMC pushes certificate map incorrectly to lina

CSCvu55843

ASA traceback after TACACS authorized user made configuration changes

CSCvu60011

FTD: Snort policy changes deployed to a HA on failed state are not fully synced

CSCvu61704

ASA high CPU with intel_82576_check_link_thread impacting on overall unit performance

CSCvu63458

FPR2100: Show crash output on show tech does not display outputs from most recent tracebacks

CSCvu65688

IKEv2 CAC "Active SAs" counter out of sync with the real number of sessions despite CSCvt98599

CSCvu68529

Embryonic connections limit does not work consistently

CSCvu70931

Cluster / aaa-server key missing after "no key config-key" is entered

CSCvu71051

Deployment failure after configure sub-interfaces on POE enabled interfaces

CSCvu72094

ASA traceback and reload on thread name DATAPATH

CSCvu72658

AnyConnect Connected Client IPs Not Advertised into OSPF Intermittently

CSCvu73207

DSCP values not preserved in DTLS packets towards AnyConnect users

CSCvu75594

FTD: Traceback and reload when changing capture buffer options on a already applied capture

CSCvu77095

ASA unable to delete ACEs with remarks and display error "Specified remark does not exist"

CSCvu78721

Cannot change (modify) interface speed after upgrade

CSCvu83178

EIGRP summary route not being replicated to standby and causing outage after switchover

CSCvu83599

ASA may traceback and unexpectedly reload on Thread snmp_alarm_thread

CSCvu90727

Native VPN client with EAP-TLS authentication fails to connect to ASA

CSCvu98505

ASA licensed via PLR does not have 'export-controlled functionality enabled' flag set correctly

CSCvv02245

ASA 'session sfr' command disconnects from FirePOWER module for initial setup

CSCvv04584

Multicast traffic is being dropped with the reason no-mcast-intrf

CSCvv07864

Multicast EIGRP traffic not seen on internal FTD interface

CSCvv08684

Cluster site-specific MAC addresses not rewritten by flow-offload

CSCvv09396

Stale VPN routes for L2TP, after the session was terminated

CSCvv09944

Lina Traceback during FTD deployment when WCCP config is being pushed

CSCvv12273

SNMP get-response using snmpget with multiple OIDs on hardwareStatus MIB returns noSuchObject

CSCvv12857

ASA gets frozen after crypto engine failure

CSCvv17585

Netflow template not sent under certain circumstances

CSCvv23370

Observed traceback in FPR2130 while running webVPN, SNMP related traffic.

CSCvv26786

ASA traceback and reload unexpectedly on "Process Name: lina"

CSCvv26845

ASA: Watchdog Traceback and reload on SNMP functions

CSCvv28997

ASA Traceback and reload on thread name Crypto CA

CSCvv29687

Rate-limit syslogs 780001/780002 by default on ASA

CSCvv30371

SNMP: Memory leak in VPN polling

CSCvv31334

Lina traceback and reload seen on trying to switch peer on KP HA with 6.6.1-63

CSCvv31629

Intermittently embedded ping reply over GRE drops on FTD cluster if traffic passes asymmetrically.

CSCvv32425

ASA traceback when running show asp table classify domain permit

CSCvv34003

snmpwalk for OID 1.3.6.1.2.1.47.1.1.1.1.5 on ISA 3000 returning value of 0 for .16 and .17

CSCvv34140

ASA IKEv2 VTI - Failed to request SPI from CTM as responder

CSCvv43484

ASA stops processing RIP packets after system upgrade

CSCvv44051

Cluster unit traceback on snp_cluster_forward_and_free_packet due to GRE/IPiniP passenger flows

CSCvv44270

ASAv5 reloads without traceback.

CSCvv48594

Memory leak: due to snp_tcp_intercept_stat_top_n_integrate() in threat detection

CSCvv54831

ASA traceback and reload when running Packet Tracer commands

CSCvv57842

WebSSL clientless user accounts being locked out on 1st bad password

CSCvv58605

ASA traceback and reload in thread:Crypto CA,mem corruption by unvirtualized pki global table in MTX

CSCvv69991

FTD stuck in Maintenance Mode after upgrade to 6.6.1

Resolved Bugs in Version 9.14(1.6)


Note: This release only supports the ASAv.


There are no resolved bugs in this release.

Resolved Bugs in Version 9.14(1)

The following table lists select resolved bugs at the time of this Release Note publication.

Caveat ID Number

Description

CSCva36446

ASA Stops Accepting Anyconnect Sessions/Terminates Connections Right After Successful SSL handshake

CSCvg59385

ASA scansafe connector takes too long to failover to secondary CWS Tower

CSCvj93609

ASA traceback on spin_lock_release_actual

CSCvm77115

Lina Traceback due to invalid TSC values

CSCvm85823

Not able to ssh, ssh_exec: open(pager) error on console

CSCvo76866

Traceback on 2100 - watchdog

CSCvo88762

FTD inline/transparent sends packets back through the ingress interface

CSCvp04134

Traceback in HTTP Cli Exec when upgrading to 9.12.1

CSCvp29554

Watchdog traceback due to lina_host_file_stat calls

CSCvp69229

OpenSSL 0-byte Record Padding Oracle Information Disclosure Vulnerabil

CSCvp70833

ASA/FTD: Twice nat Rule with same service displaying error "ERROR: NAT unable to reserve ports"

CSCvp81083

ASA/Lina Traceback related to TLS/VPN

CSCvq34340

FTD traffic outage due to 9344 block size depletion caused by the egress-optimization feature

CSCvq37913

VPN-sessiondb does not replicate to standby ASA

CSCvq46587

After failover, Active unit tcp sessions are not removed when timeout reached

CSCvq50587

ASA/FTD may traceback and reload in Thread Name 'BGP Router'

CSCvq50944

OSPFv3 neighborship is flapping every ~30 minutes

CSCvq51284

FPR 2100, low block 9472 causes packet loss through the device.

CSCvq55426

Adding an ipv6 default route causes CLI to hang for 50 seconds

CSCvq61601

OpenSSL vulnerability CVE-2019-1559 on FTD

CSCvq63024

Dual stacked ASAv manual failover issues

CSCvq65864

Traceback in HTTP Cli Exec with rest-api agent enabled

CSCvq70775

FPR2100 FTD Standby unit leaking 9K blocks

CSCvq76198

Traffic interruptions for FreeBSD systems

CSCvq78126

V route is missing even after setting the reverse route in Crypto map config in HA-IKEv2

CSCvq87797

Multiple context 5585 ASA, transparent context losing management interface configuration.

CSCvq88644

Traceback in tcp-proxy

CSCvq92126

ASA traceback in Thread IPsec Message Handler

CSCvq95058

IPSEC SA is deleted by failover which is caused by link down

CSCvq95826

DCD Causes Standby to send probes

CSCvq99107

Hot swap of SFP is not taking effect on the ASA

CSCvr10777

ASA Traceback in Ikev2 Daemon

CSCvr12018

ASA: VPN traffic fails to take the tunnel route when the default route is learnt over BGP.

CSCvr13278

PPPoE session not coming up after reload.

CSCvr20449

Policy deployment is reported as successful on the FMC but it is actually failed

CSCvr20757

Block leak on ASA while running Cisco Umbrella DNS inspection

CSCvr20876

low memory causes kernel to invoke - oom and reload device - modified rlimit for KP

CSCvr21803

Mac address flap on switch with wrong packet injected on ingress FTD interface

CSCvr23580

Can't delete 2 or more than two IP address-pool

CSCvr25768

ASA may traceback on display_hole_og

CSCvr25954

FTD/LINA Standby may traceback and reload during logging command replication from Active

CSCvr27445

App-sync failure if unit tries to join HA during policy deployment

CSCvr29638

HA FTD on FPR2110 traceback after deploy ACP from FMC

CSCvr35956

Block double-free when combining ServerKeyExchange and ClientKeyExchange fails causes lina traceback

CSCvr42344

Traceback on snp_policy_based_route_lookup when deleting a rule from access-list configured for PBR

CSCvr50266

Dual stack ASAv failover triggered by reload issue

CSCvr50630

ASA Traceback: SCTP bulk sync and HA synchronization

CSCvr51998

ASA Static route disappearing from asp table after learning default route via BGP

CSCvr54054

Mac Rewrite Occurring for Identity Nat Traffic

CSCvr55400

FTD/LINA traceback and reload observed in thread name: cli_xml_server

CSCvr55518

Missing clean up on rule creation failure.

CSCvr56031

FTD/LINA Traceback and reload observed in thread name: cli_xml_server

CSCvr57605

ASA after reload had license context count greater than platform limits

CSCvr60111

configurations getting wiped off from standby, while deployment fails on active

CSCvr66768

Lina Traceback during FTD deployment when PBR config is being pushed

CSCvr79974

Configuration might not be replicated if there is packet loss on the failover Link

CSCvr81457

FTD traceback when TLS tracker (tls_trk_sniff_for_tls) attempted to free a block.

CSCvr86077

ASA Traceback/pagefault in Datapath due to re_multi_match_ascii

CSCvr89663

Traceback: with thread name: pix_flash_config_thread WM1010 went into reboot loop

CSCvr90965

FTDv Deployment in Azure causes unrecoverable traceback state due to "no dns domain-lookup any"

CSCvr92327

ASA/FTD may traceback and reload in Thread Name 'PTHREAD-1533'

CSCvr93978

ASA traceback and reload on Thread DATAPATH-0-2064

CSCvs01422

Lina traceback when changing device mode of FTD

CSCvs02954

ASA OSPF: Prefix removed from the RIB when topology changes, then added back when another SPF is run

CSCvs03023

Clustering module needs to skip the hardware clock update to avoid the timeout error and clock jump

CSCvs04179

ASA - 9.8.4.12 traceback and reload in ssh or fover_rx Thread

CSCvs05262

Decrement TTL display wrong result

CSCvs07668

FTD traceback and reload on thread DATAPATH-1-15076 when SIP inspection is enabled

CSCvs07982

ASA TRACEBACK: sctpProcessNextSegment - SCTP_INIIT_CHUNK

CSCvs15276

ERROR: entry for ::/0 exists when configuring ipv6 icmp

CSCvs15972

Network Performance Degradation when SSL policy is enabled

CSCvs16073

snmp poll failure with host and host-group configured

CSCvs26402

NAT policy configuration range limit to be imposed for non service cmds as well

CSCvs27264

mroute entries on ASA not getting refreshed.

CSCvs28213

ASA Traceback in Thread Name SSH with assertion slib_malloc.c

CSCvs28580

Traceback when processing SSL traffic under heavy load

CSCvs29779

ASA may traceback and reload while waiting for "DATAPATH-12-1899" process to finish.

CSCvs31470

OSPF Hello causing 9K block depletion, control point CPU 100% and cluster unstable.

CSCvs32023

Turn off egress-optimization processing

CSCvs39589

ASA doesn't honor SSH Timeout When Data Channel is not Negotiated

CSCvs40230

ICMP not working and failed with inspect-icmp-seq-num-not-matched

CSCvs40531

AnyConnect 4.8 is not working on the FPR1000 series

CSCvs43154

Secondary ASA is unable to join the failover due to aggressive warning messages.

CSCvs45548

reactivation-mode timed causing untimely reactivation of failed server

CSCvs53705

Anyconnect sessions limited incorrectly

CSCvs59966

false reported value for OID "cipSecGlobalActiveTunnels" - same as ASDM

CSCvs73663

ASA Traceback on IPsec message handler Thread

CSCvs77818

Traceback: spin_lock_fair_mode_enqueue: Lock (np_conn_shrlock_t) is held for a long time

CSCvs80157

ASA Traceback Thread Name: IKE Daemon

CSCvs82726

Placeholder to address CSCvs31470 in Multi-Context Mode

CSCvs91869

IKEv1 on FTD stuck in either "MM_START" or "MM_FREE" state