Release Notes for the Cisco ASA Series, 9.14(x)

This document contains release information for Cisco ASA software Version 9.14(x).

Important Notes

  • ASDM signed-image support in 9.14(4.14)/7.18(1.152) and later—The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. ASDM release 7.18(1.152) and later are backwards compatible with all ASA versions, even those without this fix. (CSCwb05291, CSCwb05264)

  • For Failover pairs in 9.14(1)+, the ASA no longer shares SNMP client engine data with its peer.

  • No support in ASA 9.14(1)+ for cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OIDs (CSCvy22526).

  • No support in ASA 9.13(1) and later for the ASA 5512-X, ASA 5515-X, ASA 5585-X, and the ASASM—ASA 9.12(x) is the last supported version. For the ASA 5515-X and ASA 5585-X FirePOWER module, the last supported version is 6.4.

    Note: ASDM 7.13(1) and ASDM 7.14(1) also did not support these models; you must upgrade to ASDM 7.13(1.101) or 7.14(1.48) to restore ASDM support.

  • ASAv requires 2GB memory in 9.13(1) and later—Beginning with 9.13(1), the minimum memory requirement for the ASAv is 2GB. If your current ASAv runs with less than 2GB of memory, you cannot upgrade to 9.13(1) from an earlier version. You must adjust the memory size before upgrading. See the ASAv Getting Started Guide for information about the resource allocations (vCPU and memory) supported in version 9.13(1).

  • Downgrade issue for the Firepower 2100 in Platform mode from 9.13/9.14 to 9.12 or earlier—For a Firepower 2100 with a fresh installation of 9.13 or 9.14 that you converted to Platform mode: If you downgrade to 9.12 or earlier, you will not be able to configure new interfaces or edit existing interfaces in FXOS (note that 9.12 and earlier only supports Platform mode). You either need to restore your version to 9.13 or later, or you need to clear your configuration using the FXOS erase configuration command. This problem does not occur if you originally upgraded to 9.13 or 9.14 from an earlier release; only fresh installations are affected, such as a new device or a re-imaged device. (CSCvr19755)

  • Cluster control link MTU change in 9.13(1)—Starting in 9.13(1), many cluster control packets are larger than they were in previous releases. The recommended MTU for the cluster control link has always been 1600 or greater, and this value is appropriate. However, if you set the MTU to 1600 but then failed to match the MTU on connecting switches (for example, you left the MTU as 1500 on the switch), then you will start seeing the effects of this mismatch with dropped cluster control packets. Be sure to set all devices on the cluster control link to the same MTU, specifically 1600 or higher.

  • Upgrade ROMMON for ASA 5506-X, 5508-X, and 5516-X to Version 1.1.15 or later—There is a new ROMMON version for these ASA models (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.

    Caution: The ROMMON upgrade for 1.1.15 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.

  • Upgrade ROMMON for the ISA 3000 to Version 1.0.5 or later——There is a new ROMMON version for the ISA 3000 (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.

    Caution: The ROMMON upgrade for 1.0.5 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.

  • The tls-proxy keyword, and support for SCCP/Skinny encrypted inspection, was removed from the inspect skinny command.

  • Windows DNS Client Optimization Limitation—Because of a limitation in Windows 8 and above, we have observed that certain name resolutions, such as nslookup, fail for FQDNs by not matching any split-DNS domains. The workaround is to disable Windows DNS client optimization with the following changes:

    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters Value:DisableParallelAandAAA Data: 1
    Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient Value: DisableSmartNameResolution Data: 1
    

System Requirements

This section lists the system requirements to run this release.

ASA and ASDM Compatibility

For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.

New Features

This section lists new features for each release.


Note

New, changed, and deprecated syslog messages are listed in the syslog message guide.


New Features in ASA 9.14(4)

Released: February 2, 2022

There are no new features in this release.

New Features in ASA 9.14(3)

Released: June 15, 2021

There are no new features in this release.

New Features in ASA 9.14(2)

Released: November 9, 2020

Feature

Description

SNMP Features

SNMP polling over site-to-site VPN

For secure SNMP polling over a site-to-site VPN, include the IP address of the outside interface in the crypto map access-list as part of the VPN configuration.

New Features in ASA 9.14(1.30)

Released: September 23, 2020

Feature

Description

Licensing Features

ASAv100 permanent license reservation

The ASAv100 now supports permanent license reservation using product ID L-ASAV100SR-K9=. Note: Not all accounts are approved for permanent license reservation.

New Features in ASAv 9.14(1.6)

Released: April 30, 2020


Note

This release is only supported on the ASAv.


Feature

Description

Platform Features

ASAv100 platform

The ASAv virtual platform has added the ASAv100, a high-end performance model that provides 20 Gbps Firewall throughput levels. The ASAv100 is a subscription-based license, available in terms of 1 year, 3 years, or 5 years.

The ASAv100 is supported on VMware ESXi and KVM only.

New Features in ASA 9.14(1)

Released: April 6, 2020

Feature

Description

Platform Features

ASA for the Firepower 4112

We introduced the ASA for the Firepower 4112.

No modified commands.

Note 

Requires FXOS 2.8(1).

Firewall Features

Ability to see port numbers in show access-list output.

The show access-list command now has the numeric keyword. You can use this to view port numbers in the access control entries rather than names, for example, 80 instead of www.

The object-group icmp-type command is deprecated.

Although the command remains supported in this release, the object-group icmp-type command is deprecated and might be removed in a future release. Please change all ICMP-type objects to service object groups (object-group service ) and specify service icmp within the object.

Kerberos Key Distribution Center (KDC) authentication.

You can import a keytab file from a Kerberos Key Distribution Center (KDC), and the system can authenticate that the Kerberos server is not being spoofed before using it to authenticate users. To accomplish KDC authentication, you must set up a host/ASA_hostname service principal name (SPN) on the Kerberos KDC, then export a keytab for that SPN. You then must upload the keytab to the ASA, and configure the Kerberos AAA server group to validate the KDC.

New/Modified commands: aaa kerberos import-keytab , clear aaa kerberos keytab , show aaa kerberos keytab , validate-kdc .

High Availability and Scalability Features

Configuration sync to data units in parallel

The control unit now syncs configuration changes with data units in parallel by default. Formerly, synching occurred sequentially.

New/Modified commands: config-replicate-parallel

Messages for cluster join failure or eviction added to show cluster history

New messages were added to the show cluster history command for when a cluster unit either fails to join the cluster or leaves the cluster.

New/Modified commands: show cluster history

Interface Features

Speed auto-negotation can be disabled on 1GB fiber interfaces on the Firepower 1000 and 2100

You can now configure a Firepower 1100 or 2100 SFP interface to disable auto-negotiation. For 10GB interfaces, you can configure the speed down to 1GB without auto-negotiation; you cannot disable auto-negotiation for an interface with the speed set to 10GB.

New/Modified commands: speed nonegotiate

Administrative and Troubleshooting Features

New connection-data-rate command

The connection-data-rate command was introduced to provide an overview on data rate of individual connections on the ASA. When this command is enabled, per-flow data rate along with the existing connection information are provided. This information helps to identify and block unwanted connections with high data rates, thereby, ensuring an optimized CPU utilization.

New/Modified commands: conn data-rate ,show conn data-rate , show conn detail , clear conn data-rate

HTTPS idle timeout setting

You can now set the idle timeout for all HTTPS connections to the ASA, including ASDM, WebVPN, and other clients. Formerly, using the http server idle-timeout command, you could only set the ASDM idle timeout. If you set both timeouts, the new command takes precendence.

New/Modified commands: http connection idle-timeout

NTPv4 support

The ASA now supports NTPv4.

No modified commands.

New clear logging counter command

The show logging command provides statistics of messages logged for each logging category configured on the ASA. The clear logging counter command was introduced to clear the logged counters and statistics.

New/Modified commands: clear logging counter

Debug command changes for FXOS on the Firepower 1000 and 2100 in Appliance mode

The debug fxos_parser command has been simplified to provide commonly-used troubleshooting messages about FXOS. Other FXOS debug commands have been moved under the debug menu fxos_parser command.

New/Modified commands: debug fxos_parser , debug menu fxos_parser

show tech-support command enhanced

The show ssl objects and show ssl errors command was added to the output of the show tech-support command.

New/Modified commands: show tech-support

Also in 9.12(4).

Monitoring Features

Net-SNMP version 5.8 Support

The ASA is using Net-SNMP, a suite of applications used to implement SNMP v1, SNMP v2c, and SNMP v3 using both IPv4 and IPv6.

No modified commands.

SNMP OIDs and MIBs

The ASA enhances support for the CISCO-REMOTE-ACCESS-MONITOR-MIB to track rejected/failed authentications from RADIUS over SNMP. This feature implements three SNMP OIDs:

  • crasNumTotalFailures (total failures)

  • crasNumSetupFailInsufResources (AAA and other internal failures)

  • crasNumAbortedSessions (aborted sessions) objects

The ASA provides support for the Advanced Encryption Standard (AES) Cipher Algorithm. This feature implements the following SNMP OIDs:

  • usmAesCfb128Protocol

  • usmNoPrivProtocol

SNMPv3 Authentication

You can now use SHA-256 HMAC for user authentication.

New/Modified commands: snmp-server user

debug telemetry command.

You can use the debug telemetry command, debug messages related to telemetry are displayed. The debugs help to identify the cause for errors when generating the telemetry report.

New/Modified commands: debug telemetry , show debug telemetry

VPN Features

DHCP Relay Server Support on VTI

You can now configure DHCP relay server to forward DHCP messages through VTI tunnel interface.

New/Modified commands: dhcprelay server

IKEv2 Support for Multiple Peer Crypto Map

You can now configure IKEv2 with multi-peer crypto map—when a peer in a tunnel goes down, IKEv2 attempts to establish the SA with the next peer in the list.

No modified commands.

Username Options for Multiple Certificate Authentication

In multiple certificate authentication, you can now specify from which certificate, first (machine certificate) or second (user certificate), you want the attributes to be used for aaa authentication.

New/Modified commands: username-from-certificate-choice, secondary-username-from-certificate-choice

Upgrade the Software

This section provides the upgrade path information and a link to complete your upgrade.

ASA Upgrade Path

To view your current version and model, use one of the following methods:

  • ASDM: Choose Home > Device Dashboard > Device Information.

  • CLI: Use the show version command.

This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.


Note

Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage.



Note

For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.



Note

ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.

ASA 9.2(x) was the final version for the ASA 5505.

ASA 9.1(x) was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.


Current Version

Interim Upgrade Version

Target Version

9.13(x)

Any of the following:

→ 9.14(x)

9.12(x)

Any of the following:

→ 9.14(x)

9.10(x)

Any of the following:

→ 9.14(x)

→ 9.12(x)

9.9(x)

Any of the following:

→ 9.14(x)

→ 9.12(x)

9.8(x)

Any of the following:

→ 9.14(x)

→ 9.12(x)

9.7(x)

Any of the following:

→ 9.14(x)

→ 9.12(x)

→ 9.8(x)

9.6(x)

Any of the following:

→ 9.14(x)

→ 9.12(x)

→ 9.8(x)

9.5(x)

Any of the following:

→ 9.14(x)

→ 9.12(x)

→ 9.8(x)

9.4(x)

Any of the following:

→ 9.14(x)

→ 9.12(x)

→ 9.8(x)

9.3(x)

Any of the following:

→ 9.14(x)

→ 9.12(x)

→ 9.8(x)

9.2(x)

Any of the following:

→ 9.14(x)

→ 9.12(x)

→ 9.8(x)

9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4)

Any of the following:

→ 9.14(x)

9.12(x)

→ 9.8(x)

→ 9.1(7.4)

9.1(1)

→ 9.1(2)

Any of the following:

→ 9.14(x)

9.12(x)

→ 9.8(x)

→ 9.1(7.4)

9.0(2), 9.0(3), or 9.0(4)

Any of the following:

→ 9.14(x)

9.12(x)

→ 9.8(x)

→ 9.6(x)

→ 9.1(7.4)

9.0(1)

→ 9.0(4)

Any of the following:

→ 9.14(x)

9.12(x)

→ 9.8(x)

→ 9.1(7.4)

8.6(1)

→ 9.0(4)

Any of the following:

→ 9.14(x)

9.12(x)

→ 9.8(x)

→ 9.1(7.4)

8.5(1)

→ 9.0(4)

Any of the following:

9.12(x)

→ 9.8(x)

→ 9.1(7.4)

8.4(5+)

Any of the following:

9.12(x)

→ 9.8(x)

→ 9.1(7.4)

→ 9.0(4)

8.4(1) through 8.4(4)

→ 9.0(4)

9.12(x)

→ 9.8(x)

→ 9.1(7.4)

8.3(x)

→ 9.0(4)

Any of the following:

9.12(x)

→ 9.8(x)

→ 9.1(7.4)

8.2(x) and earlier

→ 9.0(4)

Any of the following:

9.12(x)

→ 9.8(x)

→ 9.1(7.4)

Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note

You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.


For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs in Version 9.14(x)

The following table lists select open bugs at the time of this Release Note publication.

Caveat ID Number

Description

CSCvw76421

ASA traceback and reload on Thread Name CP Processing

CSCvx24207

FQDN Object Containing IPv4 and IPv6 Addresses Only Install IPv6 Entries

CSCvz52917

ICMP Echo replies can be dropped with a high load of echo requests

CSCvz68713

PLR license reservation for ASAv5 is requesting ASAv10

CSCvz70958

High Control Plane CPU on StandBy due to dhcpp_add_ipl_stby

CSCvz78816

ASA disconnects the ssh, https session using of Active IP address and Standby MAC address after FO

CSCwa03341

Standby's sub interface mac doesn't revert to old mac with no mac-address command

CSCwa26535

IPv6 PMTU discovery does not work for RA VPN Cllient with tunneled route

CSCwa35200

Some syslogs for AnyConnect SSL are generated in admin context instead of user context

CSCwa37844

ASA/FTD traceback and reload on octnic_hm_thread thread

CSCwa42596

ASA with SNMPv3 configuration observes unexpected reloads with snmpd cores

CSCwa44112

FTDv Loss of network reachability across all data interfaces

CSCwa56854

AnyConnect SSL traffic not passing due to stale SVC NP rules

CSCwa57029

ASA/FTD Lina Traceback and reload

CSCwa58725

ASA/FTD - Traceback in Thread Name:DATAPATH

CSCwa59907

LINA observed traceback on thread name "snmp_client_callback_thread"

CSCwa61218

Polling OID "1.3.6.1.4.1.9.9.171.1.3.2.1.2" gives negative index value of the associated tunnel

CSCwa61361

ASAv traceback when SD_WAN ACL enabled, then disabled (or vice-versa) in PBR

CSCwa67884

Conditional flow-offload debugging produces no output

CSCwa72530

FTD: Time gap/mismatch seen when new node joins a Cluster Control node under history

CSCwa73472

ASA/FTD - Traceback in Thread Name:DATAPATH

Resolved Bugs

This section lists resolved bugs per release.

Resolved Bugs in Version 9.14(4)

The following table lists select resolved bugs at the time of this Release Note publication.

Caveat ID Number

Description

CSCum03297

MAXHOG timestamp is not shown in 'show processes cpu-hog' output

CSCvg66052

2 CPU Cores continuously spike on firepower appliances

CSCvi58484

Cluster: ping sourced from FTD/ASA to external IPs may if reply lands on different cluster unit

CSCvr11958

AWS FTD: Deployment failure with ERROR: failed to set interface to promiscuous mode

CSCvs27336

Traceback on ASA by Smart Call Home process

CSCvt15348

ASA show processes cpu-usage output is misleading on multi-core platforms

CSCvt67167

Data Unit traceback and reload without traffic at Thread Name :"logger"

CSCvv27218

Node traceback and reload when trying to add into the cluster using "enable" command

CSCvv40406

FTD/ASA creates coredump file with "!" character in filename (lina changes).

CSCvv43190

Crypto engine errors when GRE header protocol field doesn't match protocol field in inner ip header

CSCvv48942

Snmpwalk showing traffic counter as 0 for failover interface

CSCvv71097

traceback: ASA reloaded snp_fdb_destroy_fh_callback+104

CSCvw62526

ASA traceback and reload on engineering ASA build - 9.12.3.237

CSCvw71405

FPR1120 running ASA traceback and reload in crypto process.

CSCvx20872

ASA/FTD Traceback and reload due to netflow refresh timer

CSCvx23833

IKEv2 rekey - Invalid SPI for ESP packet using new SPI received right after Create_Child_SA response

CSCvx26308

ASA traceback and reload due to strcpy_s: source string too long for dest

CSCvx38124

Core-local block alloc failure on cores where CP is pinned leading to drops

CSCvx47895

Cisco ASA Software and FTD Software Identity-Based Rule Bypass Vulnerability

CSCvx48490

SSL Decrypted https flow EOF events showing 'Initiator/Responder' Packets as 0

CSCvx50980

ASA CP CPU wrong calculation leads to high percentage (100% CP CPU)

CSCvx65178

SNMP bulkget not working for specific OIDs in firewall mib and device performance degradation

CSCvx77768

Traceback and reload due to Umbrella

CSCvx78968

ASA/FTD Traceback and reload on Thread Name: IKEv2 Daemon with VTIs configured

CSCvx79526

Cisco ASA and FTD Software Resource Exhaustion Denial of Service Vulnerability

CSCvx79793

Slow file transfer or file upload with SSL policy is applied with Decrypt resign action

CSCvx80830

VPN conn fails from same user if Radius server sends a dACL and vpn-simultaneous-logins is set to 1

CSCvx85534

SNMP traps being sent out sourced with unexpected IP from the data interface

CSCvx85922

ASA/FTD may traceback and reload when saving/writitng the configuration to memory

CSCvx87709

FPR 2100 running ASA in HA. Traceback and reload on watchdog during failover

CSCvx90486

In some cases snmpwalk for ifXTable may not return data interfaces

CSCvx94398

Secondary ASA could not get the startup configuration

CSCvx95884

High CPU and massive "no buffer" drops during HA bulk sync and during normal conn sync

CSCvx97053

Unable to configure ipv6 address/prefix to same interface and network in different context

CSCvx97632

ASA traceback and reload when copying files with long destination filenames using cluster command

CSCvy01752

Traceback on FPR 4115 in Thread - Lic HA Cluster

CSCvy04343

ASA in PLR mode,"license smart reservation" is failing.

CSCvy04869

AnyConnect certificate authentication fails if user certificate has 8192 bits key size

CSCvy07491

ASA traceback when re-configuring access-list

CSCvy09217

HA goes to active-active state due to cipher mismatch

CSCvy09436

DHCP reservation fails to apply reserved address for some devices

CSCvy10583

ASA Traceback and Reload in Thread Name: DATAPATH

CSCvy12782

FTD/ASA: PATed traffic impacted when configured on ixgbe-vf SRIOV interfaces in HA

CSCvy16179

ASA cluster Traceback with Thread Name: Unicorn Admin Handler even when running fix for CSCuz67596

CSCvy17078

Traceback: ASA on FPR 2110 traceback and reload on process Lina

CSCvy17365

REST API Login Page Issue

CSCvy17470

ASA Traceback and reload on the A/S failover pair at IKEv2

CSCvy18138

PIM Register Sent counter does not increase when encapsulated packets with register flag sent to RP

CSCvy18366

LINA Crash from pdts_pd_segment.c:1941 on FPR1k & ISA3k

CSCvy21334

Active tries to send CoA update to Standby in case of "No Switchover"

CSCvy23349

FTD unnecessarily ACKing TCP flows on inline-pair deployment

CSCvy27283

ASA/FTD SNMPv3 polling may fail using privacy algorithms AES192/AES256

CSCvy31229

No space left disk space is full on /ngfw

CSCvy33105

Ambiguous command error is shown for 'show route bgp' or 'show route isis' if DNS lookup is enabled

CSCvy33676

UN-NAT created on FTD once a prior dynamic xlate is created

CSCvy35737

FTD traceback and reload during anyconnect package verification

CSCvy36910

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS

CSCvy39621

ASA/FTD sends continuous Radius Access Requests Even After Max Retry Count is Reached

CSCvy39659

ASA/FTD may traceback and reload in Thread Name 'DATAPATH-15-14815'

CSCvy40401

L2L VPN session bringup fails when using NULL encryption in ipsec configuration

CSCvy43187

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS

CSCvy43447

FTD traceback and reload on Lic TMR Thread on Multi Instance FTD

CSCvy47108

Remote Access IKEv2 VPN session cannot be established because of stuck Uauth entry

CSCvy48159

ASA Traceback & reload on process name lina due to memory header validation

CSCvy48730

ASA/FTD may traceback and reload in Thread Name 'Unicorn Proxy Thread'

CSCvy49732

ASA/FTD may traceback and reload in Thread Name 'ssh'

CSCvy50011

ASA traceback in IKE Daemon process and reload

CSCvy51659

Long OCSP timeout may cause AnyConnect authentication failure

CSCvy51814

Firepower flow-offload stops offloading all existing and new flows

CSCvy52074

ASA/FTD may traceback and reload in Thread Name 'webvpn_task'

CSCvy52924

FTD loses OSPF network statements config for all VRF instances upon reboot

CSCvy53461

RSA keys & Certs get removed post reload on WS-SVC-ASA-SM1-K7 with ASA code 9.12.x

CSCvy55054

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS

CSCvy56395

ASA traceback and reload due to snmp encrypted community string when key config is present

CSCvy57905

VTI tunnel interface stays down post reload on KP/WM platform in HA

CSCvy58268

Block 80 and 256 exhaustion snapshots are not created

CSCvy58278

Denial of Service vulnerability handling the config-request request

CSCvy60100

SNMP v3 configuration lost after reboot for HA

CSCvy60831

ASA/FTD Memory block location not updating for fragmented packets in data-path

CSCvy61008

Time out of sync between Lina and FXOS

CSCvy64492

ASAv adding non-identity L2 entries for own addresses on MAC table and dropping HA hellos

CSCvy64911

Debugs for: SNMP MIB value for crasLocalAddress is not showing the IP address

CSCvy69189

FTD HA stuck in bulk state due to stuck vpnfol_sync/Bulk-sync keytab

CSCvy69453

WM Standby device do not send out coldstart trap after reboot.

CSCvy72846

ASA accounting reports incorrect Acct-Session-Time

CSCvy73554

ASA: "deny ip any any" entry in crypto ACL prevents IKEv2 remote AnyConnect access connections

CSCvy74781

The standby device is sending the keep alive messages for ssl traffic after the failover

CSCvy74984

ASAv on Azure loses connectivity to Metadata server once default outside route is used

CSCvy78525

FTD doesn't TCP ping when VRF's are configured

CSCvy79952

ASA/FTD traceback and reload after downgrade

CSCvy82668

SSH session not being released

CSCvy82794

ASA/FTD traceback and reload when negating snmp commands

CSCvy90836

ASA Traceback and reload in Thread Name: SNMP ContextThread

CSCvy91668

PAT pool exhaustion with stickiness traffic could lead to new connection drop.

CSCvy92990

FTD traceback and reload related to SSL after upgrade to 7.0

CSCvy93480

Cisco ASA and FTD Software IKEv2 Site-to-Site VPN Denial of Service Vulnerability

CSCvy96325

FTD/ASA: Adding new ACE entries to ACP causes removal and re-add of ACE elements in LINA

CSCvy96625

Revert 'fix' introduced by CSCvr33428 and CSCvy39659

CSCvy96803

FTD traceback and reload in Process Name lina related to SNMP functions

CSCvy96895

ASA disconnects the VTY session using of Active IP address and Standby MAC address after failed over

CSCvy98458

FP21xx -traceback "Panic:DATAPATH-10-xxxx -remove_mem_from_head: Error - found a bad header"

CSCvz00383

FTD lina traceback and reload in thread Name Checkheaps

CSCvz00699

Traceback in webvpn and reload experienced periodically after ASA upgrade

CSCvz02398

Crypto archive generated with SE ring timeout on 7.0

CSCvz03524

PKI "OCSP revocation check" failing due to sha256 request instead of sha1

CSCvz05189

FTD reload with Lina traceback during xlate replication in Cluster

CSCvz05541

ASA55XX: Expansion module interfaces not coming up after a software upgrade

CSCvz07614

ASA: Orphaned SSH session not allowing us to delete a policy-map from CLI

CSCvz08387

ASP drop capture output may display incorrect drop reason

CSCvz09109

Cluster CCL interface capture shows full packets although headers-only is configured

CSCvz15529

ASA traceback and reload thread name: Datapath

CSCvz20544

ASA/FTD may traceback and reload in loop processing Anyconnect profile

CSCvz20679

FTDv - Lina Traceback and reload

CSCvz21886

Twice nat's un-nat not happening if nat matches a pbr acl that matches a port number instead of IP

CSCvz23157

SNMP agent restarts when show commands are issued

CSCvz24765

device rebooted with snmpd core

CSCvz25454

ASA: Drop reason is missing from 129 lines of asp-drop capture

CSCvz29233

ASA: ARP entries from custom context not removed when an interface flap occurs on system context

CSCvz30333

FTD/Lina may traceback when "show capture" command is executed

CSCvz30933

ASA tracebacks and reload when clear configure snmp-server command is issued

CSCvz33468

Nat hitcount not updated in FQDN_NAT

CSCvz34831

If ASA fails to download DACL it will never stop trying

CSCvz37306

ASDM session is not served for new user after doing multiple context switches in existing user

CSCvz38332

FTD/ASA - Stuck in boot loop after upgrade from 9.14.2.15 to 9.14.3

CSCvz38361

BGP packets dropped for non directly connected neighbors

CSCvz38692

ASAv traceback in snmp_master_callback_thread and reload

CSCvz39565

ASA/FTD Traceback and Reload during bulk VPN session connect

CSCvz39646

ASA/AnyConnect - Stale RADIUS sessions

CSCvz40352

ASA traffic dropped by Implicit ACL despite the fact of explicit rules present on Access-list

CSCvz43414

Internal ldap attribute mappings fail after HA failover

CSCvz43455

ASAv observed traceback while upgrading hostscan

CSCvz44645

FTD may traceback and reload in Thread Name 'lina'

CSCvz48407

Traceback and reload in Thread Name: DATAPATH-15-18621

CSCvz50922

FPR2100: Unable to form L2L VPN tunnels when using ESP-Null encryption

CSCvz51258

show tech-support output can be confusing when there crashinfo, need to clean up/make more intuitive

CSCvz53142

ASA does not use the interface specified in the name-server command to reach IPv6 DNS servers

CSCvz55849

FTD Traceback and Reload on process LINA

CSCvz57710

conf t is converted to disk0:/t under context-config mode

CSCvz58710

ASA traceback due to SCTP traffic.

CSCvz60970

ASA Traceback in Thread Name: DATAPATH-4-23199 in enic_put / FREEB when sending LU to statelink

CSCvz61160

ASA traceback on DATAPATH when handling ICMP error message

CSCvz64470

ASA/FTD Traceback and reload due to memory corruption when generating ICMP unreachable message

CSCvz66795

ASA traceback and reload in SSH process when executing the command "show access-list"

CSCvz67003

ASDM session count and quota management's count mismatch. 'Lost connection firewall' msg in ASDM

CSCvz67816

IPV6 DNS PTR query getting modified on FTD

CSCvz68336

SSL decryption not working due to single connection on multiple in-line pairs

CSCvz69571

ASA log shows wrong value of the transferred data after the anyconnect session terminated.

CSCvz70595

Traceback observed on ASA while handling SAML handler

CSCvz71064

Deleting The Context From ASA taking Almost 2 Minutes with ikev2 tunnel

CSCvz73146

FTD - Traceback in Thread Name: DATAPATH

CSCvz73709

ASA/FTD Standby unit fails to join HA

CSCvz75988

Inconsistent logging timestamp with RFC5424 enabled

CSCvz76966

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS DoS

CSCvz77744

OSPFv3: FTD Wrong "Forwarding address" added in ospfv3 database

CSCvz84850

ASA/FTD traceback and reload caused by "timer services" function

CSCvz85437

FTD 100G interfaces down after upgrade of FXOS and FTD to 2.10.1.159 and 6.6.4

CSCvz86256

Primary ASA should send GARP as soon as split-brain is detected and peer becomes cold standby

CSCvz89126

ASDM session/quota count mismatch in ASA when multiple context switchover is done from ASDM

CSCvz89327

OSPFv2 flow missing cluster centralized "c" flag

CSCvz89545

SSL VPN performance degraded and significant stability issues after upgrade

CSCvz90375

Low available DMA memory on ASA 9.14 at boot considerably reduces AnyConnect sessions supported

CSCvz90722

With object-group in crypto ACL sum of hitcnt mismatches with the individual elements

CSCvz91218

Statelink hello messages dropped on Standby unit due to interface ring drops on high rate traffic

CSCvz92016

ASA Privilege Escalation with valid user in AD

CSCvz92932

ASA show tech execution causing spike on CPU and impacting to IKEv2 sessions

CSCvz94153

NTP sync on IPV6 will fail if the IPV4 address is not configured

CSCvz95108

FTD Deployment failure post upgrade due to major version change on device

CSCvz96462

IP Address 'in use' though no VPN sessions

CSCwa03275

BGP routes shows unresolved and dropping packet with asp-drop reason "No route to host"

CSCwa03347

IPv6 PIM packets are dropped in ASP with invalid-ip-length drop reason

CSCwa04461

Cisco ASA Software and FTD Software Remote Access SSL VPN Denial of Service

CSCwa08262

AnyConnect users with mapped group-policies take attributes from default GP under the tunnel-group

CSCwa11052

SNMP Stopped Responding After Upgrading to Version- 9.14(2)15

CSCwa13873

ASA Failover Split Brain caused by delay on state transition after "failover active" command run

CSCwa14485

Cisco Firepower Threat Defense Software Denial of Service Vulnerability

CSCwa14725

ASA/FTD traceback and reload on IKE Daemon Thread

CSCwa15185

ASA/FTD: remove unwanted process call from LUA

CSCwa18858

ASA drops non DNS traffic with reason "label length 164 bytes exceeds protocol limit of 63 bytes"

CSCwa19443

Flow Offload - Compare state values remains in error state for longer periods

CSCwa19713

Traffic dropped by ASA configured with BVI interfaces due to asp drop type "no-adjacency"

CSCwa28822

FTD moving UI management from FDM to FMC causes traffic to fail

CSCwa3011

"Error:NAT unable to reserve ports" when using a range of ports in an object service

CSCwa33898

Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability

CSCwa36672

ASA on FPR4100 traceback and reload when running captures using ASDM

CSCwa36678

Random FTD traceback during deployment from FMC

CSCwa40719

Traceback: Secondary firewall reloading in Threadname: fover_parse

CSCwa41834

ASA/FTD traceback and reload due to pix_startup_thread

CSCwa55878

FTD Service Module Failure: False alarm of "ND may have gone down"

CSCwa58686

ASA/FTD Change in OGS compilation behavior causing boot loop

Resolved Bugs in Version 9.14(3)

The following table lists select resolved bugs at the time of this Release Note publication.

Caveat ID Number

Description

CSCvg69380

ASA - rare cp processing corruption causes console lock

CSCvh19737

HTTPS access on FTD data interface (off-box management) is failing

CSCvm82290

ASA core blocks depleted when host unreachable in IRB/TFW configuration

CSCvo34210

ASA running 9.6.4.20 Traceback in threadname Unicorn Proxy Thread

CSCvp28713

Input/Output interfaces in packet tracer RESULT are shown as "UNKNOWN"

CSCvp69936

ASA : Traceback on tcp_intercept Thread name : Threat detection

CSCvq98396

ASA: crypto session handles leak on the standby unit

CSCvr77005

Traffic does not fallback to primary interface from crypto map when interface becomes available

CSCvr85295

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote

CSCvs13204

ASAv failover traffic on SR-IOV interfaces might be dropped due to interface-down

CSCvs72450

FXOS - Recover hwclock of service module from corruption due to simultaneous write collision

CSCvs82926

Critical RPM alert on FRP 1000 and FPR2100 Series with ASA 'Chassis 0 Cooling Fan OK' SCH message

CSCvs84542

ASA traceback with thread: idfw_proc

CSCvt10944

ctm crashed while sending emix traffic over VTI tunnel

CSCvt48260

Standby unit traceback at fover_parse and boot loop when detecting Active unit

CSCvt71529

ASA traceback and reload during SSL handshake

CSCvt75760

Traceback/Page-fault in Clientless WebVPN due to HTTP cleanup

CSCvt92077

Ping Failure on ASAv - 9.13 after CAT9k reboot

CSCvt97205

SNMPPOLL/SNMPTRAP to remote end (site-to-site vpn) ASA interface fails on ASA 9.14.1

CSCvu33992

traceback: ASA reloaded lina_sigcrash+1394

CSCvu89110

ASA: Block new conns even when the "logging permit-hostdown" is set & TCP syslog is down

CSCvu98222

FTD Lina engine may traceback in datapath after enabling SSL decryption policy

CSCvv00719

Access Control Policy with time range object is not getting hit

CSCvv02925

OSPF neighbourship is not establising

CSCvv07917

ASA learning a new route removes asp route table created by floating static

CSCvv10778

Traceback in threadname DATAPATH (5585) or Lina (2100) after upgrade to 9.12.4

CSCvv15572

ASA traceback observed when "config-url" is entered while creating new context

CSCvv17585

Netflow template not sent under certain circumstances

CSCvv19230

ASAv Anyconnect users unexpectedly disconnect with reason: Idle Timeout

CSCvv25394

After upgrade ASA swapped names for disks, disk0 became disk1 and vice versa.

CSCvv30172

Intermittently after reboot, ADI can't join KCD

CSCvv31755

Interface status may be mismatched between application and chassis due to missed update

CSCvv32333

ASA still doesn't allow to poll internal-data0/0 counters via SNMP in multiple mode

CSCvv37629

Malformed SIP packets leads to 4k block hold-up till SIP conn timeout causing probable traffic issue

CSCvv41453

Removing static ipv6 route from management-only route table affects data traffic

CSCvv49698

ASA Anyconnect url-redirect not working for ipv6

CSCvv49800

ASA/FTD: HA switchover doesn't happen with graceful reboot of firepower chassis

CSCvv50338

Traceback Cluster unit on snpi_nat_xlate_destroy+2508

CSCvv52591

DMA memory leak in ctm_hw_malloc_from_pool causing management and VPN connections to fail

CSCvv53696

ASA/FTD traceback and reload during AAA or CoA task of Anyconnect user

CSCvv55291

Snmp user fails on standby device after rejoing ha, after ha break.

CSCvv56644

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS

CSCvv58332

ASA/FTD is reading BGP MP_REACH_NLRI attribute's next-hop bytes in reverse order

CSCvv62305

ASA traceback and reload in fover_parse when attempting to join the failover pair.

CSCvv63412

ASA dropping all traffic with reason "No route to host" when tmatch compilation is ongoing

CSCvv64068

After modify network/service object name. mis-match will occur on hash value of ACL in syslog.

CSCvv65184

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS

CSCvv66005

ASA traceback and reload on inspect esmtp

CSCvv66920

Inner flow: U-turn GRE flows trigger incorrect connection flow creation

CSCvv67196

FTD does not try all the crl urls for getting crl file

CSCvv67398

Inspect-snmp drops thru-the-box snmp paks if snmp is disabled

CSCvv67500

ASA 9.12 random traceback and reload in DATAPATH

CSCvv68669

Traffic to virtual IP address dropped on system context of Master ASA due to failed classification

CSCvv69991

FTD stuck in Maintenance Mode after upgrade to 6.6.1

CSCvv70984

ASA traceback while modifying the bookmark SSL Ciphers configuration

CSCvv71097

traceback: ASA reloaded snp_fdb_destroy_fh_callback+104

CSCvv72466

OSPF network commands go missing in the startup-config after upgrading the ASA

CSCvv73017

Traceback due to fover and ssh thread

CSCvv80782

Traceback leads to the purg_process

CSCvv85029

ASA5555 traceback and reload on Thread Name: ace_work

CSCvv86861

Traceback during SNMP traffic testing

CSCvv86926

Unexpected traceback and reload on FTD creating a Core file

CSCvv87232

ASA: High number of CPU hog in igb_saleen_io_sfp_mod_poll_thread process

CSCvv87496

ASA cluster members 2048 block depletion due to "VPN packet redirect on peer"

CSCvv88017

ASA: EasyVPN HW Client triggers duplicate phase 2 rekey causing disconnections across the tunnel

CSCvv89355

DHCP-Proxy renewal timer is not started after failover

CSCvv89400

ASA SNMPv3 Poll fails when using AES 256

CSCvv89708

ASA/FTD may traceback in thread name fover_FSM_thread and reload

CSCvv90181

No deployment failure reason in transcript if 'show running-config' is running during deployment

CSCvv90720

ASA/FTD: Mac address-table flap seen on connected switch after a HA switchover

CSCvv94165

FTD 6.6 : High CPU spikes on snmpd process

CSCvv94701

ASA keeps reloading with "octnic_hm_thread". After the reload, it takes very long time to recover.

CSCvv96193

ASA/FTD debugs do not print clear failure reason when no proposal is chosen

CSCvv97877

Secondary unit not able to join the cluster

CSCvw00161

ASA traceback and reload due to VPN thread on firepower 2140

CSCvw03628

ASA will not import CA certificate with name constraint of RFC822Name set as empty

CSCvw06195

ASA traceback cp_midpath_process_thread

CSCvw06298

ASA duplicate MAC addresses in Shared Interfaces of different Contexts causing traffic impact

CSCvw07000

Snort busy drops with PDTS Tx queue stuck

CSCvw12008

ASA traceback and reload while executing "show tech-support" command

CSCvw12040

Heapcache Memory depleting rapidly due to certificate chain failed validation

CSCvw12100

ASA stale VPN Context seen for site to site and AnyConnect sessions

CSCvw16619

Offloaded traffic not failed over to secondary route in ECMP setup

CSCvw18614

ASA traceback in the LINA process

CSCvw19227

Unable to remove non-used prefix-list object

CSCvw21844

FTD traceback and reload on DATAPATH thread when processing encapsulated flows

CSCvw22881

radius_rcv_auth can shoot up control plane CPU to 100%.

CSCvw22986

Secondary unit stuck in Bulk sync infinitely due to interface of Primary stuck in init state

CSCvw23199

ASA/FTD Traceback and reload in Thread Name: Logger

CSCvw24556

TCP File transfer (Big File) not properly closed when Flow offload is enabled

CSCvw26171

ASA syslog traceback while strncpy NULL string passed from SSL library

CSCvw26331

ASA traceback and reload on Thread Name: ci/console

CSCvw26544

Cisco ASA and FTD Software SIP Denial of Service Vulnerability

CSCvw27301

IKEv2 with EAP, MOBIKE status fails to be processed.

CSCvw28814

SNMP process crashed, resulting in Lina traceback

CSCvw30252

ASA/FTD may traceback and reload due to memory corruption in SNMP

CSCvw31569

Director/Backup flows are left behind and traffic related to this flow is blackholed

CSCvw32518

ASASM traceback and reload after upgrade up to 9.12(4)4 and higher

CSCvw36662

TACACS+ ASCII password change request not handled properly

CSCvw37259

VPN syslogs are generated at a rate of 600/s until device goes into a hang state

CSCvw37807

Ipsec Send Error Increasing When NTP Authenticate is Enabled

CSCvw42999

9.10.1.11 ASA on FPR2110 traceback and reloads randomly

CSCvw43486

ASA/FTD Traceback and reload during PBR configuration change

CSCvw44122

ASA: "class-default" class-map redirecting non-DNS traffic to DNS inspection engine

CSCvw45863

ASAv snmp traceback on reload

CSCvw46630

FTD: NLP path dropping return ICMP destination unreachable messages

CSCvw47321

IPSec transport mode traffic corruption for inbound traffic for some FPR platforms

CSCvw48517

DAP stopped working after upgrading the ASA to 9.13(1)13

CSCvw50679

ASA/FTD may traceback and reload during upgrade

CSCvw51307

ASA/FTD traceback and reload in process name "Lina"

CSCvw51462

IPv4 Default Tunneled Route Rejected

CSCvw51745

RIP database not populated with SLA monitored static route that was re added in the routing table.

CSCvw51950

FPR 4K: SSL trust-point removed from new active ASA after manual Failover

CSCvw51985

ASA: AnyConnect sessions cannot be resumed due to ipv6 DACL failure

CSCvw52609

Cisco ASA and FTD Software Web Services Buffer Overflow Denial of Service Vulnerability

CSCvw53255

FTD/ASA HA: Standby Unit FXOS is still able to forward traffic even after failover due to traceback

CSCvw53427

ASA Fails to process HTTP POST with SAML assertion containing multiple query parameters

CSCvw53796

Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerability

CSCvw54640

FPR-4150 - ASA traceback and reload with thread name DATAPATH

CSCvw56703

IPv6 static routes not getting installed, upon changing ifc type management-only

CSCvw58414

Name of anyconnect custom attribute of type dynamic-split-exclude-domains is changed after reload

CSCvw59035

Connection issues to directly connected IP from FTD BVI address

CSCvw60177

Standby/Secondary cluster unit might crash in Thread Name: fover_parse and "cluster config sync"

CSCvw62526

ASA traceback and reload on engineering ASA build - 9.12.3.237

CSCvw62528

ASA failing to sync with IPv6 NTP server

CSCvw63862

ASA: Random L2TP users cannot access resources due to stale ACL filter entries

CSCvw64623

Standby ASA linkdown SNMPtrap sent from standby interface with active IP address

CSCvw71766

ASA traceback and reload in Thread: Ikev2 Daemon

CSCvw74940

ASA traceback in IKE Daemon and reload

CSCvw77930

ASA fails to process SAML assertion when tunnel-group name contains "."

CSCvw81897

ASA: OpenSSL Vulnerability CVE-2020-1971

CSCvw82629

ASA Tracebacks when making "configuration session" changes regarding an ACL.

CSCvw83572

BVI HTTP/SSH access is not working in versions 9.14.1.30 or above

CSCvw83780

FTD Firewall may traceback and reload when modifying ACLs

CSCvw84339

Managed device backup fails, for FTD, if hostname exceeds 30 characters

CSCvw84786

ASA traceback and reload on Thread name snmp_alarm_thread

CSCvw87788

ASA traceback and reload webvpn thread

CSCvw89365

ASA/FTD may traceback and reload during certificate changes.

CSCvw90151

PPPOE - ASA sends CONFACK for non-configured protocol

CSCvw94988

S2S traffic fails due to missing V routes after Primary cluster unit gets disabled

CSCvw95301

ASA traceback and reload with Thread name: ssh when capture was removed

CSCvw96488

Traceback in inspect_h323_ras+1810

CSCvw97821

ASA: VPN traffic does not pass if no dACL is provided in CoA

CSCvw98840

ASA: dACL with no IPv6 entries is not applied to v6 traffic after CoA

CSCvw99916

ASAv: SNMP result for used memory value incorrect after upgrade to 9.14

CSCvx02869

Traceback in Thread Name: Lic TMR

CSCvx03764

Offload rewrite data needs to be fixed for identity nat traffic and clustering environment

CSCvx04057

When SGT name is unresolved and used in ACE, line is not being ignored/inactive

CSCvx04643

ASA reload is removing 'content-security-policy' config

CSCvx05385

ASA may generate a traceback in Logger thread during configuration sync in HA

CSCvx06385

Fail-to-wire ports in FPR 2100 flapping after upgrade to 6.6.1

CSCvx08734

ASA: default IPv6/IPv4 route tunneled does not work

CSCvx09248

SNMP walk for v2 and v3 fails with No Such Object available on this agent at this OID is seen

CSCvx09535

ASA Traceback: CRL check for an Anyconnect client with a revoked certificate triggers reload

CSCvx10110

Last transaction timestamp status "unknown" for active LDAP AAA server

CSCvx10841

Not able to Advertise/Redistribute VXLAN/VNI interface subnet using EIGRP

CSCvx11295

ASA may traceback and reload on thread Crypto CA

CSCvx11460

Firepower 2110 silently dropping traffic with TFC enabled on the remote end

CSCvx13694

ASA/FTD traceback in Thread Name: PTHREAD-4432

CSCvx15040

DHCP Proxy Offer is getting drop on the ASA/FTD

CSCvx16592

FTD doesn't redirect packets to the WCCP web-cache engine when VRF's are configured

CSCvx17664

ASA may traceback and reload in Thread Name 'webvpn_task'

CSCvx17780

FPR-2100-ASA : SNMP Walk for ifType is showing "other" for ASA interfaces in the latest versions

CSCvx17842

Prevent lina from traceback due to object loop sent by FMC. Fail the deployment instead.

CSCvx19934

Deployment gets failed for snmp settings while deleting snmpv1 and adding snmpv3 at a time in 6.6.3

CSCvx20303

ASA/FTD may traceback in after changing snmp host-group object

CSCvx20872

ASA/FTD Traceback and reload due to netflow refresh timer

CSCvx22695

ASA traceback and reload during OCSP response data cleanup

CSCvx23833

IKEv2 rekey - Invalid SPI for ESP packet using new SPI received right after Create_Child_SA response

CSCvx25406

LINA silently drops packet if the MTU of the packet is of size > the MTU of egress interface

CSCvx25719

X-Frame-Options header is not set in webvpn response pages

CSCvx25836

ASA traceback & reload due to "show crashinfo" adding a new output log

CSCvx26221

Traceback into snmp at handle_agentx_packet / snmp takes long time to come up on FP1k and 5508

CSCvx26308

ASA traceback and reload due to strcpy_s: source string too long for dest

CSCvx26808

FTD traceback and reload on process lina on FPR2100 series

CSCvx27430

ASA: Unable to import PAC file if FIPS is enabled.

CSCvx29771

Firewall CPU can increase after a bulk routing update with flow offload

CSCvx29814

IP address in DHCP GIADDR field is reversed after sending DHCP DECLINE to DHCP server

CSCvx30314

ASA 9.15.1.7 traceback and reload in ssl midpath

CSCvx34237

ASA reload with FIPS failure

CSCvx38124

Core-local block alloc failure on cores where CP is pinned leading to drops

CSCvx41171

Concurrent modification of ACL configuration breaks output of "show running-config" completely

CSCvx42081

FPR4150 ASA Standby Ready unit Loops to failed and remove config to install it again

CSCvx42197

ASA EIGRP route stuck after neighbour disconnected

CSCvx44401

FTD/ASA traceback in Thread Name : Unicorn Proxy Thread

CSCvx45976

ASA/FTD Watchdog forced traceback and reload in Threadname: vnet-proxy (rip: socks_proxy_datarelay)

CSCvx47230

X-Frame-Options header support for older versions of IE and windows platforms

CSCvx48490

SSL Decrypted https flow EOF events showing 'Initiator/Responder' Packets as 0

CSCvx50366

Traceback in Thread Name: fover_health_monitoring_thread

CSCvx52122

ASA traceback and reload in SNMP Notify Thread while deleting transparent context

CSCvx54235

ASP capture dispatch-queue-limit shows no packets

CSCvx54396

Deployment failures on FTD when multicast is enabled.

CSCvx54606

FTD 6.6.1/6.7.0 is sending SNMP Ifspeed OID (1.3.6.1.2.1.2.2.1.5) response value = 0

CSCvx57417

Smart Tunnel Code signing certifcate renewal

CSCvx59120

COA Received before data tunnel comes up results in tear down of parent session

CSCvx62239

Need comprehensive details in logs on what is stopping VPN load-balancing cluster formation

CSCvx63647

ASA traceback and reload on Thread Name: CTM Daemon

CSCvx65745

FPR2100: enable kernel panic on octeon for UE events to trigger crash

CSCvx68128

ASA internal deadlock leads to loss of feature functionality (syslogs, reload, ASDM, anyconnect)

CSCvx68355

ASA - unable to import CA certificate when countryName is encoded as UTF8

CSCvx68951

ASA responds with "00 00 00 00 00 00" when polling interface physical address using snmp

CSCvx69405

ASA Traceback and reload in Thread Name: SNMP ContextThread

CSCvx71434

ASA/FTD Traceback and reload in Thread Name: pix_startup_thread due to asa_run_ttyS0 script

CSCvx71571

ASA: "ERROR: Unable to delete entries from Hash Table" with CSM

CSCvx72904

Optimise ifmib polls

CSCvx73164

Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021

CSCvx75503

Re-transmitted SYN are not inspected by inspection engine

CSCvx75963

ASA traceback while taking captures

CSCvx77768

Traceback and reload due to Umbrella

CSCvx85534

SNMP traps being sent out sourced with unexpected IP from the data interface

CSCvx85922

ASA/FTD may traceback and reload when saving/writitng the configuration to memory

CSCvx87679

Failover license count not synced to standby firewall.

CSCvx87709

FPR 2100 running ASA in HA. Traceback and reload on watchdog during failover

CSCvx88683

ASA not replicating BGP password correctly to standby unit

CSCvx94326

VPN Load Balancing may get stuck and disconnect from the group

CSCvx94398

Secondary ASA could not get the startup configuration

CSCvx95255

Supportive change in ASA to differentiate, new ASDM connections from existing ASDM context switch

CSCvx97632

ASA crashes when copying files with long destination filenames using cluster command

CSCvy01752

Traceback on FPR 4115 in Thread - Lic HA Cluster

CSCvy02703

ASA/FTD tracebacks due to CTM message handler

CSCvy03006

improve debugging capability for uauth

CSCvy04869

AnyConnect certificate authentication fails if user certificate has 8192 bits key size

CSCvy07491

ASA traceback when re-configuring access-list

CSCvy08908

Port-forwarding application blocked by Java

CSCvy17365

REST API Login Page Issue

CSCvy39659

ASA/FTD may traceback and reload in Thread Name 'DATAPATH-15-14815'

Resolved Bugs in Version 9.14(2)

The following table lists select resolved bugs at the time of this Release Note publication.

Caveat ID Number

Description

CSCuw51499

TCM doesn't work for ACE addition/removal, ACL object/object-group edits

CSCvh19161

ASA/FTD traceback and reload in Thread Name: SXP CORE

CSCvk51778

"show inventory" (or) "show environment" on ASA 5515/5525/5545/5555 shows up Driver/ioctl error logs

CSCvn64647

ASA traceback and reload due to tcp_retrans_timeout internal thread handling

CSCvn82441

[SXP] Issue with establishing SXP connection between ASA on FPR-2110 and switches

CSCvn95731

ASA traceback and reload on Thread Name SSH

CSCvp47536

AAA requests on FTD not following V-routes learned from RRI

CSCvq47743

AnyConnect and Management Sessions fail to connect after several weeks

CSCvr15503

ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA

CSCvr35872

ASA traceback Thread Name: DATAPATH-0-1388 PBR 9.10(1)22

CSCvr58411

RRI on static HUB/SPOKE config is not working on HUB when a new static SPOKE is added or deleted

CSCvr60195

ASA/FTD may traceback and reload in Thread Name 'HTTP Cli Exec'

CSCvr99642

ASA traceback and reload multiple times with trace "webvpn_periodic_signal"

CSCvs01422

Lina traceback when changing device mode of FTD

CSCvs09533

FP2100: Traceback and reload when processing traffic through more than two inline sets

CSCvs33852

After upgrade to version 9.6.4.34 is not possible to add an access-group

CSCvs38785

Inconsistent timestamp format in syslog

CSCvs50274

ASA5506 to the box icmp request packets intermittently dropped

CSCvs52108

ASA Traceback Due to Umbrella Inspection

CSCvs55603

ICMP Reply Dropped when matched by ACL

CSCvs59056

ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled

CSCvs72378

ASDM session being abruptly terminated when switching between different contexts

CSCvs72393

FPR1010 temperature thresholds should be changed

CSCvs73754

ASA/FTD: Block 256 size depletion caused by ARP of BVI not assigned to any physical interface

CSCvs78252

ASA/Lina Offloaded TCP flows interrupted if TCP sequence number randomizer is enabled and SACK used

CSCvs79023

ASA/FTD Traceback in Thread Name: DATAPATH due to DNS inspection

CSCvs79606

"dns server-group DefaultDNS" cli not getting negated

CSCvs81763

vFTD not able to pass vlan tagged traffic (trunk mode)

CSCvs82829

Calls fail once anyconnect configuration is added to the site to site VPN tunnel

CSCvs85196

ASA SIP connections drop after several consecutive failovers: pinhole timeout/closed by inspection

CSCvs88413

Port-channel bundling is failing after upgrade to 9.8 version

CSCvs90100

ASA/FTD may traceback and reload in Thread Name 'License Thread'

CSCvs91389

FTD Traceback Lina process

CSCvs97863

Reduce number of fsync calls during close in flash file system

CSCvt00113

ASA/FTD traceback and reload due to memory leak in SNMP community string

CSCvt01397

Deployment is marked as success although LINA config was not pushed

CSCvt02409

Cisco Firepower Threat Defense Software Inline Pair/Passive Mode DoS Vulnerability

CSCvt03598

Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability

CSCvt04560

SCTP heartbeats failing across the firewall in Cluster deploymnet.

CSCvt05862

IPv6 DNS server resolution fails when the server is reachable over the management interface.

CSCvt06606

Flow offload not working with combination of FTD 6.2(3.10) and FXOS 2.6(1.169)

CSCvt06841

Incorrect access-list hitcount seen when configuring it with a capture on ASA

CSCvt11661

DOC - Clarify the meaning of mp-svc-flow-control under show asp drop

CSCvt11742

ASA/FTD may traceback and reload in Thread Name 'ssh'

CSCvt12463

ASA: Traceback in thread Unicorn Admin Handler

CSCvt13822

ASA: VTI rejecting IPSec tunnel due to no matching crypto map entry

CSCvt15163

Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability

CSCvt18199

IPv6 Nat rejected with error "overlaps with inside standby interface address" for Standalone ASA

CSCvt21041

FTD Traceback in thread 'ctm_ipsec_display_msg'

CSCvt22356

Health-check monitor-interface debounce-time in ASA Cluster resets to 9000ms after ASA reboot

CSCvt23643

VPN failover recovery is taking approx. 30 seconds for data to resume

CSCvt24328

FTD: Traceback and reload related to lina_host_file_open_raw function

CSCvt26031

ASAv Unable to register smart licensing with IPv6

CSCvt26067

Active FTP fails when secondary interface is used on FTD

CSCvt27585

Observed traceback on 2100 while performing Failover Switch from Standby.

CSCvt28182

sctp-state-bypass is not getting invoked for inline FTD

CSCvt29049

FPR2100 - ASA in Appliance Mode - SNMP Delay

CSCvt33785

IPSec SAs are not being created for random VPN peers

CSCvt35945

Encryption-3DES-AES should not be required when enabling ssh version 2 on 9.8 train

CSCvt36542

Multi-context ASA/LINA on FPR not sending DHCP release message

CSCvt38279

Erase disk0 on ISA3000 causes file system not supported

CSCvt40306

ASA:BVI interface of standby unit stops responding after reload

CSCvt41333

Dynamic RRI route is not destroyed when IKEv2 tunnel goes down

CSCvt43967

Pad packets received from RA tunnel which are less than or equal 46 bytes in length with zeros

CSCvt45863

Crypto ring stalls when the length in the ip header doesn't match the packet length

CSCvt46289

ASA LDAPS connection fails on Firepower 1000 Series

CSCvt46830

FPR2100 'show crypto accelerator statistics' counters do not track symmetric crypto

CSCvt50528

Warning Message for default settings with Installation of Certificates in ASA/FTD - CLI

CSCvt50946

Stuck uauth entry rejects AnyConnect user connections despite fix of CSCvi42008

CSCvt51346

PKI-CRL: Memory Leak on Download and Clear Large CRL

CSCvt51348

PKI-CRL: Memory Leak on Download Large CRL in loop without clearing it

CSCvt51349

Fragmented packets forwarded to fragment owner are not visible on data interface captures

CSCvt51987

Traffic outage due to 80 size block exhaustion on the ASA FPR9300 SM56

CSCvt52782

ASA traceback Thread name - webvpn_task

CSCvt53640

ASA5585 traceback and reload after upgrading SFR from 6.4.0 to 6.4.0.9-34

CSCvt54182

LINA cores are generated when FTD is configured to do SSL decryption.

CSCvt56923

FTD manual certificate enrollment fails with "&" (ampersand) in Organisation subject field

CSCvt61196

ASA on multicontext mode, deleting a context does not delete the SSH keys.

CSCvt63484

ASA High CPU with igb_saleen_io_sfp_mod_poll_thre process

CSCvt64035

remote acess mib - SNMP 64 bit only reporting 4Gb before wrapping around

CSCvt64270

ASA is sending failover interface check control packets with a wrong destination mac address

CSCvt64822

Cisco Adaptive Security Appliance Software SSL/TLS Denial of Service Vulnerability

CSCvt64952

"Show crypto accelerator load-balance detail" has missing and undefined output

CSCvt65982

Route Fallback doesn't happen on Slave unit, upon RRI route removal.

CSCvt66351

NetFlow reporting impossibly large flow bytes

CSCvt68131

FTD traceback and reload on thread "IKEv2 Mgd Timer Thread"

CSCvt68294

Adjust Firepower 4120 Maximum VPN Session Limit to 20,000

CSCvt70664

ASA: acct-session-time accounting attribute missing from Radius Acct-Requests for AnyConnect

CSCvt70879

"clear configure access-list" on ACL used for vpn-filter breaks access to resources

CSCvt73407

TACACS Fallback authorization fails for Username enable_15 on ASA device.

CSCvt73806

FTD traceback and reload on FP2120 LINA Active Box. VPN

CSCvt75241

Redistribution of VPN advertised static routes fail after reloading the FTD on FPR2100

CSCvt76688

The syslog message 201008 should include reason of drop when TCP server is down

CSCvt80126

ASA traceback and reload for the CLI "show asp table socket 18421590 det"

CSCvt80134

WebVPN rewriter fails to parse data from SAP Netweaver.

CSCvt83133

Unable to access anyconnect webvpn portal from google chrome using group-url

CSCvt86188

SNMP traps can't be generated via diagnostic interface

CSCvt90330

ASA traceback and reload with thread name coa_task

CSCvt92647

Connectivity over the state link configured with IPv6 addresses is lost after upgrading the ASA

CSCvt93142

ASA should allow null sequence encoding in certificates for client authentication.

CSCvt95517

Certificate mapping for AnyConnect on FTD stops working.

CSCvt97205

SNMPPOLL/SNMPTRAP to remote end (site-to-site vpn) ASA interface fails on ASA 9.14.1

CSCvt97917

ASAv on AWS 9.13.1.7 BYOL image cannot be enabled for PLR

CSCvt98599

IKEv2 Call Admission Statistics "Active SAs" counter out of sync with the real number of sessions

CSCvu00112

tsd0 not reset when ssh quota limit is hit in ci_cons_shell

CSCvu01039

Traceback: Modifying FTD inline-set tap-mode configuration with active traffic

CSCvu03107

AnyConnect statistics is doubled in both %ASA-4-113019 and RADIUS accounting

CSCvu03562

Device loses ssh connectivity when username and password is entered

CSCvu03675

FPR2100: ASA console may hang & become unresponsive in low memory conditions

CSCvu04279

ASAv/AWS: Unable to upgrade or downgrade C5 ASAv code on AWS

CSCvu05180

aaa-server configuration missing on the FTD after a Remote Access VPN policy deployment

CSCvu05216

cert map to specify CRL CDP Override does not allow backup entries

CSCvu05336

ASAv - Traceback and reload on SNMP process

CSCvu05821

Timestamp format will be shown always in UTC

CSCvu06767

Lina cores on multi-instance causing a boot loop on both logical-devices

CSCvu07602

FPR-41x5: 'clear crypto accelerator load-balance' will cause a traceback and reload

CSCvu07880

ASA on QP platforms display wrong coredump filesystem space (50 GB)

CSCvu08013

DTLS v1.2 and AES-GCM cipher when used drops a particular size packet frequently.

CSCvu08339

FTD Inline-set bridge group ID set to 0 with tap-mode off

CSCvu10053

ASA traceback and reload on function snmp_master_callback_thread

CSCvu12039

Slave unit might fail to synchronize SCTP configuration from the cluster master after bootup

CSCvu12248

ASA-FPWR 1010 traceback and reload when users connect using AnyConnect VPN

CSCvu12684

HKT - Failover time increases with upgrade to 9.8.4.15

CSCvu16423

ASA 9.12(2) - Multiple tracebacks due to Unicorn Proxy Thread

CSCvu17852

Current connection count is negative on 'show service policy' when connection limit is set in MPF

CSCvu17924

FTD failover units traceback and reload on DATAPATH

CSCvu17965

ASA generated a traceback and reloaded when changing the port value of a manual nat rule

CSCvu20007

Config_XML_Response from LINA is not in the correct format,Lina reporting as No memory available.

CSCvu25030

FTD 6.4.0.8 traceback & reload on thread name : CP processing

CSCvu26296

ASA interface ACL dropping snmp control-plane traffic from ASA

CSCvu26561

WebVPN SSO Gives Unexpected Results when Integrated with Kerberos

CSCvu27287

Scheduled Backup failing over SCP via EEM

CSCvu27868

ASA: Lack of specific syslog messages to external IPv6 logging server after ASA upgrade

CSCvu29395

Traceback observed while performing master role change with active IGMP joins

CSCvu32698

ASA Crashes in SNMP while joining the cluster when key config-key password-encryption" is present

CSCvu34413

SSH keys lost in ASA after reload

CSCvu36302

%ASA-3-737403 is used incorrectly when vpn-addr-assign local reuse-delay is configured

CSCvu37547

Memory leak: due to resource-limit MIB handler, eventually causing reload

CSCvu38795

FTD firewall unit cannot join the cluster after a traceback due to invalid interface GOID entry

CSCvu40213

ASA traceback in Thread Name kerberos_recv

CSCvu40324

ASA traceback and reload with Flow lookup calling traceback

CSCvu40398

ASAv reload due to FIPS SELF-TEST FAILURE after enabling FIPS

CSCvu42434

ASA: High CPU due to stuck running SSH sessions / Unable to SSH to ASA

CSCvu43355

FTD Lina traceback in datapath due to double free

CSCvu43827

ASA & FTD Cluster unit traceback in thread Name "cluster config sync" or "fover_FSM_thread"

CSCvu43924

GIADDR of DHCP Discover packet is changed to the ip address of dhcp-network-scope

CSCvu45748

ASA traceback in threadname 'ppp_timer_thread'

CSCvu45822

ASA experienced a traceback and reloaded

CSCvu48285

ASA configured with TACACS REST API: /cli api fail with "Command authorization failed" message

CSCvu49625

[PKI] Standard Based IKEv2 Certificate Auth session does second userfromcert lookup unnecessarily

CSCvu53258

FMC pushes certificate map incorrectly to lina

CSCvu55469

FTD - Connection idle timeout doesn't reset

CSCvu55843

ASA traceback after TACACS authorized user made configuration changes

CSCvu58153

Display RADIUS port representation as little-endian instead of big-endian

CSCvu60011

FTD: Snort policy changes deployed to a HA on failed state are not fully synced

CSCvu61704

ASA high CPU with intel_82576_check_link_thread impacting on overall unit performance

CSCvu63458

FPR2100: Show crash output on show tech does not display outputs from most recent tracebacks

CSCvu65688

IKEv2 CAC "Active SAs" counter out of sync with the real number of sessions despite CSCvt98599

CSCvu68529

Embryonic connections limit does not work consistently

CSCvu70622

CTS SGT propagation gets enabled after reload

CSCvu70931

Cluster / aaa-server key missing after "no key config-key" is entered

CSCvu71324

ASA: Automatic DENY rule applied in multiple contexts due to the use of the dhcp-network-scope

CSCvu72094

ASA traceback and reload on thread name DATAPATH

CSCvu72658

AnyConnect Connected Client IPs Not Advertised into OSPF Intermittently

CSCvu73207

DSCP values not preserved in DTLS packets towards AnyConnect users

CSCvu75594

FTD: Traceback and reload when changing capture buffer options on a already applied capture

CSCvu77095

ASA unable to delete ACEs with remarks and display error "Specified remark does not exist"

CSCvu78721

Cannot change (modify) interface speed after upgrade

CSCvu80143

Snmp stops responding. CLI returns: Unable to honour this request now.

CSCvu82738

The drop rate in show interface for inline sets is incorrect

CSCvu83178

Dynamic routing protocols summary route not being replicated to standby

CSCvu83389

ASA drops GTPV1 Forward relocation Request message with Null TEID

CSCvu83599

ASA may traceback and unexpectedly reload on Thread snmp_alarm_thread

CSCvu90727

Native VPN client with EAP-TLS authentication fails to connect to ASA

CSCvu97764

FTD in TAP mode won't capture on egress interfaces

CSCvu98505

ASA licensed via PLR does not have 'export-controlled functionality enabled' flag set correctly

CSCvv02245

ASA 'session sfr' command disconnects from FirePOWER module for initial setup

CSCvv04584

Multicast traffic is being dropped with the resson no-mcast-intrf

CSCvv07864

Multicast EIGRP traffic not seen on internal FTD interface

CSCvv07917

ASA learning a new route removes asp route table created by floating static

CSCvv08684

Cluster site-specific MAC addresses not rewritten by flow-offload

CSCvv09396

Stale VPN routes for L2TP, after the session was terminated

CSCvv09944

Lina Traceback during FTD deployment when WCCP config is being pushed

CSCvv12273

SNMP get-response using snmpget with multiple OIDs on hardwareStatus MIB returns noSuchObject

CSCvv12857

ASA gets frozen after crypto engine failure

CSCvv17585

Netflow template not sent under certain circumstances

CSCvv20405

WEBVPN: ERROR: Invalid tunnel group name on Multi-Context ASA

CSCvv23370

Observed traceback in FPR2130 while running webVPN, SNMP related traffic.

CSCvv26786

ASA traceback and reload unexpectedly on "Process Name: lina"

CSCvv26845

ASA: Watchdog Traceback and reload on SNMP functions with syslog traps

CSCvv28997

ASA Traceback and reload on thread name Crypto CA

CSCvv29687

Rate-limit syslogs 780001/780002 by default on ASA

CSCvv30371

SNMP: Memory leak in VPN polling

CSCvv31334

Lina traceback and reload seen on trying to switch peer on KP HA with 6.6.1-63

CSCvv31629

Intermittently embedded ping reply over GRE drops on FTD cluster if traffic passes asymmetrically.

CSCvv32425

ASA traceback when running show asp table classify domain permit

CSCvv34003

snmpwalk for OID 1.3.6.1.2.1.47.1.1.1.1.5 on ISA 3000 returning value of 0 for .16 and .17

CSCvv34140

ASA IKEv2 VTI - Failed to request SPI from CTM as responder

CSCvv36518

ASA: Extended downtime after reload after CSCuw51499 fix

CSCvv36725

ASA logging rate-limit 1 5 message ... limits to 1 message in 10 seconds instead of 5

CSCvv37108

ASA silently dropping OSPF LS Update messages from neighbors

CSCvv43484

ASA stops processing RIP packets after system upgrade

CSCvv43885

'show sctp' command is unavailable when carrier license is out of compliance

CSCvv44051

Cluster unit traceback on snp_cluster_forward_and_free_packet due to GRE/IPiniP passenger flows

CSCvv44270

ASAv5 reloads without traceback.

CSCvv48594

Memory leak: due to snp_tcp_intercept_stat_top_n_integrate() in threat detection

CSCvv54831

ASA traceback and reload when running Packet Tracer commands

CSCvv57590

ASA: ACL compilation takes more time on standby

CSCvv57842

WebSSL clientless user accounts being locked out on 1st bad password

CSCvv58605

ASA traceback and reload in thread:Crypto CA,mem corruption by unvirtualized pki global table in MTX

CSCvv69991

FTD stuck in Maintenance Mode after upgrade to 6.6.1

CSCvw30252

ASA/FTD may traceback and reload due to memory corruption in SNMP

CSCvv53696

ASA/FTD traceback and reload during AAA or CoA task of Anyconnect user

Resolved Bugs in Version 9.14(1.30)

The following table lists select resolved bugs at the time of this Release Note publication.

Caveat ID Number

Description

CSCvh19161

ASA/FTD traceback and reload in Thread Name: SXP CORE

CSCvi42008

Stuck uauth entry rejects AnyConnect user connections

CSCvk51778

"show inventory" (or) "show environment" on ASA 5515/5525/5545/5555 shows up Driver/ioctl error logs

CSCvn64647

ASA traceback and reload due to tcp_retrans_timeout internal thread handling

CSCvn82441

[SXP] Issue with establishing SXP connection between ASA on FPR-2110 and switches

CSCvn95731

ASA traceback and reload on Thread Name SSH

CSCvq47743

AnyConnect and Management Sessions fail to connect after several weeks

CSCvq51284

FPR 2100, low block 9472 causes packet loss through the device.

CSCvr15503

ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA

CSCvr35872

ASA traceback Thread Name: DATAPATH-0-1388 PBR 9.10(1)22

CSCvr58411

RRI on static HUB/SPOKE config is not working on HUB when a new static SPOKE is added or deleted

CSCvr60195

ASA/FTD may traceback and reload in Thread Name 'HTTP Cli Exec'

CSCvr99642

ASA traceback and reload multiple times with trace "webvpn_periodic_signal"

CSCvs01422

Lina traceback when changing device mode of FTD

CSCvs09533

FP2100: Traceback and reload when processing traffic through more than two inline sets

CSCvs33852

After upgrade to version 9.6.4.34 is not possible to add an access-group

CSCvs38785

Inconsistent timestamp format in syslog

CSCvs52108

ASA Traceback Due to Umbrella Inspection

CSCvs55603

ICMP Reply Dropped when matched by ACL

CSCvs59056

ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled

CSCvs72393

FPR1010 temperature thresholds should be changed

CSCvs73754

ASA/FTD: Block 256 size depletion caused by ARP of BVI not assigned to any physical interface

CSCvs79023

ASA/FTD Traceback in Thread Name: DATAPATH due to DNS inspection

CSCvs82829

Calls fail once anyconnect configuration is added to the site to site VPN tunnel

CSCvs88413

Port-channel bundling is failing after upgrade to 9.8 version

CSCvs90100

ASA/FTD may traceback and reload in Thread Name 'License Thread'

CSCvs97863

Reduce number of fsync calls during close in flash file system

CSCvt00113

ASA/FTD traceback and reload due to memory leak in SNMP community string

CSCvt01397

Deployment is marked as success although LINA config was not pushed

CSCvt02409

9.12.2.151 snp_cluster_ingress traceback on FPR9300 3-node cluster nested VLAN traffic

CSCvt03598

Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability

CSCvt05862

IPv6 DNS server resolution fails when the server is reachable over the management interface.

CSCvt06606

Flow offload not working with combination of FTD 6.2(3.10) and FXOS 2.6(1.169)

CSCvt06841

Incorrect access-list hitcount seen when configuring it with a capture on ASA

CSCvt11661

DOC - Clarify the meaning of mp-svc-flow-control under show asp drop

CSCvt11742

ASA/FTD may traceback and reload in Thread Name 'ssh'

CSCvt12463

ASA: Traceback in thread Unicorn Admin Handler

CSCvt21041

FTD Traceback in thread 'ctm_ipsec_display_msg'

CSCvt23643

VPN failover recovery is taking approx. 30 seconds for data to resume

CSCvt24328

FTD: Traceback and reload related to lina_host_file_open_raw function

CSCvt26031

ASAv Unable to register smart licensing with IPv6

CSCvt26067

Active FTP fails when secondary interface is used on FTD

CSCvt28182

sctp-state-bypass is not getting invoked for inline FTD

CSCvt29049

FPR2100 - ASA in Appliance Mode - SNMP Delay

CSCvt35945

Encryption-3DES-AES should not be required when enabling ssh version 2 on 9.8 train

CSCvt36542

Multi-context ASA/LINA on FPR not sending DHCP release message

CSCvt38279

Erase disk0 on ISA3000 causes file system not supported

CSCvt41333

Dynamic RRI route is not destroyed when IKEv2 tunnel goes down

CSCvt43967

Pad packets received from RA tunnel which are less than or equal 46 bytes in length with zeros

CSCvt45863

Crypto ring stalls when the length in the ip header doesn't match the packet length

CSCvt46289

ASA LDAPS connection fails on Firepower 1000 Series

CSCvt46830

FPR2100 'show crypto accelerator statistics' counters do not track symmetric crypto

CSCvt50528

Warning Message for default settings with Installation of Certificates in ASA/FTD - CLI

CSCvt50946

Stuck uauth entry rejects AnyConnect user connections despite fix of CSCvi42008

CSCvt51349

Fragmented packets forwarded to fragment owner are not visible on data interface captures

CSCvt51987

Traffic outage due to 80 size block exhaustion on the ASA FPR9300 SM56

CSCvt52782

ASA traceback Thread name - webvpn_task

CSCvt53640

ASA5585 traceback and reload after upgrading SFR from 6.4.0 to 6.4.0.9-34

CSCvt54182

LINA cores are generated when FTD is configured to do SSL decryption.

CSCvt63484

ASA High CPU with igb_saleen_io_sfp_mod_poll_thre process

CSCvt64035

remote acess mib - SNMP 64 bit only reporting 4Gb before wrapping around

CSCvt64270

ASA is sending failover interface check control packets with a wrong destination mac address

CSCvt64822

ASA may traceback and unexpectedly reload after SSL handshake

CSCvt65982

Route Fallback doesn't happen on Slave unit, upon RRI route removal.

CSCvt66351

NetFlow reporting impossibly large flow bytes

CSCvt68131

FTD traceback and reload on thread "IKEv2 Mgd Timer Thread"

CSCvt68294

Adjust Firepower 4120 Maximum VPN Session Limit to 20,000

CSCvt73806

FTD traceback and reload on FP2120 LINA Active Box. VPN

CSCvt75241

Redistribution of VPN advertised static routes fail after reloading the FTD on FPR2100

CSCvt80126

ASA traceback and reload for the CLI "show asp table socket 18421590 det"

CSCvt83133

Unable to access anyconnect webvpn portal from google chrome using group-url

CSCvt86188

SNMP traps can't be generated via diagnostic interface

CSCvt90330

ASA traceback and reload with thread name coa_task

CSCvt92647

Connectivity over the state link configured with IPv6 addresses is lost after upgrading the ASA

CSCvt93142

ASA should allow null sequence encoding in certificates for client authentication.

CSCvt95517

Certificate mapping for AnyConnect on FTD stops working.

CSCvt97917

ASAv on AWS 9.13.1.7 BYOL image cannot be enabled for PLR

CSCvt98599

IKEv2 Call Admission Statistics "Active SAs" counter out of sync with the real number of sessions

CSCvu00112

tsd0 not reset when ssh quota limit is hit in ci_cons_shell

CSCvu01039

Traceback: Modifying FTD inline-set tap-mode configuration with active traffic

CSCvu03107

AnyConnect statistics is doubled in both %ASA-4-113019 and RADIUS accounting

CSCvu03562

Device loses ssh connectivity when username and password is entered

CSCvu03675

FPR2100: ASA console may hang & become unresponsive in low memory conditions

CSCvu04279

ASAv/AWS: Unable to upgrade or downgrade C5 ASAv code on AWS

CSCvu05180

aaa-server configuration missing on the FTD after a Remote Access VPN policy deployment

CSCvu05216

cert map to specify CRL CDP Override does not allow backup entries

CSCvu05336

ASAv - Traceback and reload on SNMP process

CSCvu05821

Timestamp format will be shown always in UTC

CSCvu06767

Lina cores on multi-instance causing a boot loop on both logical-devices

CSCvu07602

FPR-41x5: 'clear crypto accelerator load-balance' will cause a traceback and reload

CSCvu07880

ASA on QP platforms display wrong coredump filesystem space (50 GB)

CSCvu08013

DTLS v1.2 and AES-GCM cipher when used drops a particular size packet frequently.

CSCvu10053

ASA traceback and reload on function snmp_master_callback_thread

CSCvu12039

Slave unit might fail to synchronize SCTP configuration from the cluster master after bootup

CSCvu12248

ASA-FPWR 1010 traceback and reload when users connect using AnyConnect VPN

CSCvu12684

HKT - Failover time increases with upgrade to 9.8.4.15

CSCvu16423

ASA 9.12(2) - Multiple tracebacks due to Unicorn Proxy Thread

CSCvu17924

FTD failover units traceback and reload on DATAPATH

CSCvu17965

ASA generated a traceback and reloaded when changing the port value of a manual nat rule

CSCvu20007

Config_XML_Response from LINA is not in the correct format,Lina reporting as No memory available.

CSCvu25030

FTD 6.4.0.8 traceback & reload on thread name : CP processing

CSCvu26296

ASA interface ACL dropping snmp control-plane traffic from ASA

CSCvu26561

WebVPN SSO Gives Unexpected Results when Integrated with Kerberos

CSCvu27868

ASA: Lack of specific syslog messages to external IPv6 logging server after ASA upgrade

CSCvu29395

Traceback observed while performing master role change with active IGMP joins

CSCvu32698

ASA Crashes in SNMP while joining the cluster when key config-key password-encryption" is present

CSCvu34413

SSH keys lost in ASA after reload

CSCvu36362

ASA inconsistent behavior with DNS doctoring

CSCvu37547

Memory leak: due to resource-limit MIB handler, eventually causing reload

CSCvu38795

FTD firewall unit cannot join the cluster after a traceback due to invalid interface GOID entry

CSCvu40213

ASA traceback in Thread Name kerberos_recv

CSCvu40324

ASA traceback and reload with Flow lookup calling traceback

CSCvu40398

ASAv reload due to FIPS SELF-TEST FAILURE after enabling FIPS

CSCvu42434

ASA: High CPU due to stuck running SSH sessions / Unable to SSH to ASA

CSCvu43355

FTD Lina traceback in datapath due to double free

CSCvu43827

ASA & FTD Cluster unit traceback in thread Name "cluster config sync" or "fover_FSM_thread"

CSCvu43924

GIADDR of DHCP Discover packet is changed to the ip address of dhcp-network-scope

CSCvu45748

ASA traceback in threadname 'ppp_timer_thread'

CSCvu45822

ASA experienced a traceback and reloaded

CSCvu48285

ASA configured with TACACS REST API: /cli api fail with "Command authorization failed" message

CSCvu49625

[PKI] Standard Based IKEv2 Certificate Auth session does second userfromcert lookup unnecessarily

CSCvu53258

FMC pushes certificate map incorrectly to lina

CSCvu55843

ASA traceback after TACACS authorized user made configuration changes

CSCvu60011

FTD: Snort policy changes deployed to a HA on failed state are not fully synced

CSCvu61704

ASA high CPU with intel_82576_check_link_thread impacting on overall unit performance

CSCvu63458

FPR2100: Show crash output on show tech does not display outputs from most recent tracebacks

CSCvu65688

IKEv2 CAC "Active SAs" counter out of sync with the real number of sessions despite CSCvt98599

CSCvu68529

Embryonic connections limit does not work consistently

CSCvu70931

Cluster / aaa-server key missing after "no key config-key" is entered

CSCvu71051

Deployment failure after configure sub-interfaces on POE enabled interfaces

CSCvu72094

ASA traceback and reload on thread name DATAPATH

CSCvu72658

AnyConnect Connected Client IPs Not Advertised into OSPF Intermittently

CSCvu73207

DSCP values not preserved in DTLS packets towards AnyConnect users

CSCvu75594

FTD: Traceback and reload when changing capture buffer options on a already applied capture

CSCvu77095

ASA unable to delete ACEs with remarks and display error "Specified remark does not exist"

CSCvu78721

Cannot change (modify) interface speed after upgrade

CSCvu83178

EIGRP summary route not being replicated to standby and causing outage after switchover

CSCvu83599

ASA may traceback and unexpectedly reload on Thread snmp_alarm_thread

CSCvu90727

Native VPN client with EAP-TLS authentication fails to connect to ASA

CSCvu98505

ASA licensed via PLR does not have 'export-controlled functionality enabled' flag set correctly

CSCvv02245

ASA 'session sfr' command disconnects from FirePOWER module for initial setup

CSCvv04584

Multicast traffic is being dropped with the resson no-mcast-intrf

CSCvv07864

Multicast EIGRP traffic not seen on internal FTD interface

CSCvv08684

Cluster site-specific MAC addresses not rewritten by flow-offload

CSCvv09396

Stale VPN routes for L2TP, after the session was terminated

CSCvv09944

Lina Traceback during FTD deployment when WCCP config is being pushed

CSCvv12273

SNMP get-response using snmpget with multiple OIDs on hardwareStatus MIB returns noSuchObject

CSCvv12857

ASA gets frozen after crypto engine failure

CSCvv17585

Netflow template not sent under certain circumstances

CSCvv23370

Observed traceback in FPR2130 while running webVPN, SNMP related traffic.

CSCvv26786

ASA traceback and reload unexpectedly on "Process Name: lina"

CSCvv26845

ASA: Watchdog Traceback and reload on SNMP functions

CSCvv28997

ASA Traceback and reload on thread name Crypto CA

CSCvv29687

Rate-limit syslogs 780001/780002 by default on ASA

CSCvv30371

SNMP: Memory leak in VPN polling

CSCvv31334

Lina traceback and reload seen on trying to switch peer on KP HA with 6.6.1-63

CSCvv31629

Intermittently embedded ping reply over GRE drops on FTD cluster if traffic passes asymmetrically.