Release Notes for the Cisco ASA Series, 9.14(x)

This document contains release information for Cisco ASA software Version 9.14(x).

Important Notes

  • No support in ASA 9.13(1) and later for the ASA 5512-X, ASA 5515-X, ASA 5585-X, and the ASASM—ASA 9.12(x) is the last supported version. For the ASA 5515-X and ASA 5585-X FirePOWER module, the last supported version is 6.4.

    Note: ASDM 7.13(1) and ASDM 7.14(1) also did not support these models; you must upgrade to ASDM 7.13(1.101) or 7.14(1.48) to restore ASDM support.

  • ASAv requires 2GB memory in 9.13(1) and later—Beginning with 9.13(1), the minimum memory requirement for the ASAv is 2GB. If your current ASAv runs with less than 2GB of memory, you cannot upgrade to 9.13(1) from an earlier version. You must adjust the memory size before upgrading. See the ASAv Getting Started Guide for information about the resource allocations (vCPU and memory) supported in version 9.13(1).

  • Downgrade issue for the Firepower 2100 in Platform mode from 9.13/9.14 to 9.12 or earlier—For a Firepower 2100 with a fresh installation of 9.13 or 9.14 that you converted to Platform mode: If you downgrade to 9.12 or earlier, you will not be able to configure new interfaces or edit existing interfaces in FXOS (note that 9.12 and earlier only supports Platform mode). You either need to restore your version to 9.13 or later, or you need to clear your configuration using the FXOS erase configuration command. This problem does not occur if you originally upgraded to 9.13 or 9.14 from an earlier release; only fresh installations are affected, such as a new device or a re-imaged device. (CSCvr19755)

  • Cluster control link MTU change in 9.13(1)—Starting in 9.13(1), many cluster control packets are larger than they were in previous releases. The recommended MTU for the cluster control link has always been 1600 or greater, and this value is appropriate. However, if you set the MTU to 1600 but then failed to match the MTU on connecting switches (for example, you left the MTU as 1500 on the switch), then you will start seeing the effects of this mismatch with dropped cluster control packets. Be sure to set all devices on the cluster control link to the same MTU, specifically 1600 or higher.

  • Upgrade ROMMON for ASA 5506-X, 5508-X, and 5516-X to Version 1.1.15—There is a new ROMMON version for these ASA models (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.

    Caution: The ROMMON upgrade for 1.1.15 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.

  • Upgrade ROMMON for the ISA 3000 to Version 1.0.5—There is a new ROMMON version for the ISA 3000 (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.

    Caution: The ROMMON upgrade for 1.0.5 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.

  • The tls-proxy keyword, and support for SCCP/Skinny encrypted inspection, was removed from the inspect skinny command.

  • Windows DNS Client Optimization Limitation—Because of a limitation in Windows 8 and later, certain name resolutions, such as nslookup, fail for FQDNs because they do not match any split-DNS domain. The workaround is to disable Windows DNS client optimization with the following registry changes:

    Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    Value: DisableParallelAandAAAA
    Data: 1

    Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
    Value: DisableSmartNameResolution
    Data: 1

System Requirements

This section lists the system requirements to run this release.

ASA and ASDM Compatibility

For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.

New Features

This section lists new features for each release.


Note

New, changed, and deprecated syslog messages are listed in the syslog message guide.


New Features in ASAv 9.14(1.6)

Released: April 30, 2020


Note

This release is only supported on the ASAv.


Feature

Description

Platform Features

ASAv100 platform

The ASAv virtual platform has added the ASAv100, a high-end performance model that provides 20 Gbps Firewall throughput levels. The ASAv100 is a subscription-based license, available in terms of 1 year, 3 years, or 5 years.

The ASAv100 is supported on VMware ESXi and KVM only.

New Features in ASA 9.14(1)

Released: April 6, 2020

Feature

Description

Platform Features

ASA for the Firepower 4112

We introduced the ASA for the Firepower 4112.

No modified commands.

Note 

Requires FXOS 2.8(1).

Firewall Features

Ability to see port numbers in show access-list output.

The show access-list command now has the numeric keyword. You can use this to view port numbers in the access control entries rather than names, for example, 80 instead of www.

The object-group icmp-type command is deprecated.

Although the command remains supported in this release, the object-group icmp-type command is deprecated and might be removed in a future release. Change all ICMP-type objects to service object groups (object-group service) and specify service icmp within the object.

Kerberos Key Distribution Center (KDC) authentication.

You can import a keytab file from a Kerberos Key Distribution Center (KDC), and the system can authenticate that the Kerberos server is not being spoofed before using it to authenticate users. To accomplish KDC authentication, you must set up a host/ASA_hostname service principal name (SPN) on the Kerberos KDC, then export a keytab for that SPN. You then must upload the keytab to the ASA, and configure the Kerberos AAA server group to validate the KDC.

New/Modified commands: aaa kerberos import-keytab, clear aaa kerberos keytab, show aaa kerberos keytab, validate-kdc
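The following ASA configuration is an added example, not taken from the release notes or the configuration guide. It shows the KDC validation procedure described above end to end: the hostname the ASA presents, the keytab import, and a Kerberos AAA server group with validate-kdc enabled. The hostname asa1, realm EXAMPLE.COM, KDC address 10.1.1.5, FTP server 10.1.1.20, group name KRB-AD, tunnel group RA-VPN and the SPN host/asa1@EXAMPLE.COM are assumed values. On a Windows KDC the keytab for that SPN is normally produced with ktpass (an assumed invocation would be ktpass /princ host/asa1@EXAMPLE.COM /mapuser asa1-svc /pass * /ptype KRB5_NT_PRINCIPAL /out asa1.keytab); adjust it to your own KDC.

```text
! Added example, not part of the 9.14 release notes. Names, addresses and
! the FTP location are assumed values.
!
! 1. The ASA hostname must match the SPN exported from the KDC
!    (host/asa1@EXAMPLE.COM in this example).
hostname asa1
domain-name example.com

! 2. Import the keytab exported for that SPN. The ASA keeps it and uses it
!    to prove that the server answering as the KDC really holds the
!    ASA's service key. The FTP credentials are used once for the transfer
!    and are not stored in the configuration.
aaa kerberos import-keytab ftp://ftpuser:ftppass@10.1.1.20/asa1.keytab

! 3. Kerberos server group with KDC validation turned on.
aaa-server KRB-AD protocol kerberos
 validate-kdc
aaa-server KRB-AD (inside) host 10.1.1.5
 kerberos-realm EXAMPLE.COM

! 4. Use the group wherever users are authenticated, for example for SSH
!    management access (with LOCAL as fallback) or a remote-access VPN
!    tunnel group.
aaa authentication ssh console KRB-AD LOCAL
tunnel-group RA-VPN general-attributes
 authentication-server-group KRB-AD

! Verification (privileged EXEC):
!   show aaa kerberos keytab
!   test aaa-server authentication KRB-AD host 10.1.1.5 username jdoe password <pw>
```

Enable validate-kdc only after show aaa kerberos keytab confirms the keytab is present: with validation on, a missing keytab or a KDC that cannot prove possession of the ASA's service key makes authentication through that group fail, which is the intended fail-closed behaviour against a spoofed KDC but also locks out users if the keytab is wrong. Keep LOCAL as a fallback for management access while you verify.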

High Availability and Scalability Features

Configuration sync to data units in parallel

The control unit now syncs configuration changes with data units in parallel by default. Formerly, syncing occurred sequentially.

New/Modified commands: config-replicate-parallel

Messages for cluster join failure or eviction added to show cluster history

New messages were added to the show cluster history command for when a cluster unit either fails to join the cluster or leaves the cluster.

New/Modified commands: show cluster history

Interface Features

Speed auto-negotiation can be disabled on 1-Gigabit fiber interfaces on the Firepower 1000 and 2100

You can now disable speed auto-negotiation on 1-Gigabit fiber interfaces on the Firepower 1000 and 2100.

New/Modified commands: speed nonegotiate

Administrative and Troubleshooting Features

New connection-data-rate command

The connection-data-rate command was introduced to provide an overview of the data rate of individual connections on the ASA. When this command is enabled, the per-flow data rate is shown along with the existing connection information. This information helps you identify and block unwanted connections with high data rates, which keeps CPU utilization under control.

New/Modified commands: conn data-rate, show conn data-rate, show conn detail, clear conn data-rate

HTTPS idle timeout setting

You can now set the idle timeout for all HTTPS connections to the ASA, including ASDM, WebVPN, and other clients. Formerly, using the http server idle-timeout command, you could only set the ASDM idle timeout. If you set both timeouts, the new command takes precedence.

New/Modified commands: http connection idle-timeout
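As an added example (not from the release notes), the following fragment places the pre-9.14 setting, which only covers ASDM, beside the 9.14 setting that covers every HTTPS client of the ASA. The management subnet 10.1.1.0/24 and the timeout values are assumed; both commands take the timeout in minutes, so check the command reference for the permitted range on your release.

```text
! Added example, not part of the 9.14 release notes. Subnet and values are
! assumed.
!
! Restrict who may open an HTTPS (ASDM/REST) session at all.
http server enable
http 10.1.1.0 255.255.255.0 inside

! Before 9.14: only the ASDM session is affected. A WebVPN or other HTTPS
! client session is not covered by this timer.
http server idle-timeout 20

! 9.14 and later: one idle timeout for all HTTPS connections to the ASA.
! When both commands are configured, this one takes precedence.
http connection idle-timeout 10
```

Keep the http access list as tight as the idle timer: an idle timeout limits how long an abandoned session stays usable, but the http network statements decide who can open one in the first place.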

New clear logging counter command

The show logging command provides statistics of messages logged for each logging category configured on the ASA. The clear logging counter command was introduced to clear the logged counters and statistics.

New/Modified commands: clear logging counter

Debug command changes for FXOS on the Firepower 1000 and 2100 in Appliance mode

The debug fxos_parser command has been simplified to provide commonly used troubleshooting messages about FXOS. Other FXOS debug commands have been moved under the debug menu fxos_parser command.

New/Modified commands: debug fxos_parser, debug menu fxos_parser

Monitoring Features

Net-SNMP version 5.7.2 Support

The ASA now uses Net-SNMP version 5.7.2, a suite of applications used to implement SNMP v1, SNMP v2c, and SNMP v3 over both IPv4 and IPv6.

No modified commands.

SNMP OIDs and MIBs

The ASA enhances support for the CISCO-REMOTE-ACCESS-MONITOR-MIB to track rejected and failed RADIUS authentications over SNMP. This feature implements three SNMP objects:

  • crasNumTotalFailures (total failures)

  • crasNumSetupFailInsufResources (AAA and other internal failures)

  • crasNumAbortedSessions (aborted sessions)

The ASA supports the Advanced Encryption Standard (AES) cipher for SNMPv3 privacy. This feature implements the following SNMP OIDs:

  • usmAesCfb128Protocol

  • usmNoPrivProtocol

SNMPv3 Authentication

You can now use SHA-256 HMAC for user authentication.

New/Modified commands: snmp-server user
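As an added example (not from the release notes), the following fragment shows a community-string configuration beside an SNMPv3 configuration that uses the SHA-256 HMAC authentication introduced here together with AES privacy. The group name SECOPS-RO, user secops-poller, NMS address 10.1.1.50 and both passphrases are placeholders.

```text
! Added example, not part of the 9.14 release notes. Names, addresses and
! passphrases are placeholders.
!
! Weak: SNMPv2c with a shared community string. Anyone who can read the
! management segment learns the string and can poll the device.
! snmp-server community public
! snmp-server host inside 10.1.1.50 community public version 2c

! Corrected (9.14 and later): SNMPv3 authPriv. The group is created first,
! then the user is bound to it with SHA-256 HMAC authentication and AES-256
! privacy, and only the named user from the named NMS may poll.
snmp-server group SECOPS-RO v3 priv
snmp-server user secops-poller SECOPS-RO v3 auth sha-256 Auth-Passphrase-2020 priv aes 256 Priv-Passphrase-2020
snmp-server host inside 10.1.1.50 version 3 secops-poller
snmp-server location DC1-rack7
snmp-server contact secops@example.com
snmp-server enable

! Verification (privileged EXEC): the user should list SHA-256 as its
! authentication protocol and AES as its privacy protocol.
!   show snmp-server user secops-poller
!   show snmp-server group
```

SNMPv3 user keys are localized to the ASA's engine ID, so copying this configuration to another ASA (or changing the engine ID) does not carry the users over; recreate the snmp-server user entries on each device. The passphrases appear in clear text only at entry time and are stored in encrypted form in the running configuration.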

debug telemetry command

When you enable the debug telemetry command, debug messages related to telemetry are displayed. These debugs help identify the cause of errors when the telemetry report is generated.

New/Modified commands: debug telemetry , show debug telemetry

VPN Features

DHCP Relay Server Support on VTI

You can now configure a DHCP relay server to forward DHCP messages through a VTI tunnel interface.

New/Modified commands: dhcprelay server

IKEv2 Support for Multiple Peer Crypto Map

You can now configure IKEv2 with multi-peer crypto map—when a peer in a tunnel goes down, IKEv2 attempts to establish the SA with the next peer in the list.

No modified commands.

Username Options for Multiple Certificate Authentication

In multiple certificate authentication, you can now specify from which certificate, first (machine certificate) or second (user certificate), you want the attributes to be used for AAA authentication.

New/Modified commands: username-from-certificate-choice, secondary-username-from-certificate-choice

Upgrade the Software

This section provides the upgrade path information and a link to complete your upgrade.

ASA Upgrade Path

To view your current version and model, use one of the following methods:

  • CLI—Use the show version command.

  • ASDM—Choose Home > Device Dashboard > Device Information.

See the following table for the upgrade path for your version. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.


Note

For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.



Note

ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.

ASA 9.2(x) was the final version for the ASA 5505.

ASA 9.1(x) was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.


Current Version: 9.13(x)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.13(x)

Current Version: 9.12(x)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)

Current Version: 9.10(x)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)

Current Version: 9.9(x)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)

Current Version: 9.8(x)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)

Current Version: 9.7(x)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)

Current Version: 9.6(x)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)

Current Version: 9.5(x)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)

Current Version: 9.4(x)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)

Current Version: 9.3(x)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)

Current Version: 9.2(x)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)

Current Version: 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)
    → 9.1(7.4)

Current Version: 9.1(1)
  Interim Upgrade Version: → 9.1(2)
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)
    → 9.1(7.4)

Current Version: 9.0(2), 9.0(3), or 9.0(4)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)
    → 9.1(7.4)

Current Version: 9.0(1)
  Interim Upgrade Version: → 9.0(4)
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)
    → 9.1(7.4)

Current Version: 8.6(1)
  Interim Upgrade Version: → 9.0(4)
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)
    → 9.1(7.4)

Current Version: 8.5(1)
  Interim Upgrade Version: → 9.0(4)
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)
    → 9.1(7.4)

Current Version: 8.4(5+)
  Interim Upgrade Version: none
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)
    → 9.1(7.4)
    → 9.0(4)

Current Version: 8.4(1) through 8.4(4)
  Interim Upgrade Version: → 9.0(4)
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)
    → 9.1(7.4)

Current Version: 8.3(x)
  Interim Upgrade Version: → 9.0(4)
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)
    → 9.1(7.4)

Current Version: 8.2(x) and earlier
  Interim Upgrade Version: → 9.0(4)
  Target Version, any of the following:
    9.14(x)
    9.13(x)
    9.12(x)
    → 9.10(x)
    → 9.9(x)
    9.8(x)
    → 9.6(x)
    → 9.1(7.4)

Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note

You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.


For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs in Version 9.14(x)

The following table lists select open bugs at the time of this Release Note publication.

Caveat ID Number

Description

CSCvo59840

POE inline power interface config clis for Firepower 1010

CSCvs17978

duart_write -> lina_io_write results in excess white space and repeated characters in console output

CSCvt76939

ASAv on VMWare Packet Throughput Varies after Power Cycle

CSCvu04336

ASAv100 KVM ixgbe-vf VPN throughput rates very low

CSCvu06882

Hotplug removal of virtio interface from KVM ASAv causes crash

Resolved Bugs

This section lists resolved bugs per release.

Resolved Bugs in Version 9.14(1.6)


Note

This release only supports the ASAv.


There are no resolved bugs in this release.

Resolved Bugs in Version 9.14(1)

The following table lists select resolved bugs at the time of this Release Note publication.

Caveat ID Number

Description

CSCva36446

ASA Stops Accepting Anyconnect Sessions/Terminates Connections Right After Successful SSL handshake

CSCvg59385

ASA scansafe connector takes too long to failover to secondary CWS Tower

CSCvj93609

ASA traceback on spin_lock_release_actual

CSCvm77115

Lina Traceback due to invalid TSC values

CSCvm85823

Not able to ssh, ssh_exec: open(pager) error on console

CSCvo76866

Traceback on 2100 - watchdog

CSCvo88762

FTD inline/transparent sends packets back through the ingress interface

CSCvp04134

Traceback in HTTP Cli Exec when upgrading to 9.12.1

CSCvp29554

Watchdog traceback due to lina_host_file_stat calls

CSCvp69229

OpenSSL 0-byte Record Padding Oracle Information Disclosure Vulnerabil

CSCvp70833

ASA/FTD: Twice nat Rule with same service displaying error "ERROR: NAT unable to reserve ports"

CSCvp81083

ASA/Lina Traceback related to TLS/VPN

CSCvq34340

FTD traffic outage due to 9344 block size depletion caused by the egress-optimization feature

CSCvq37913

VPN-sessiondb does not replicate to standby ASA

CSCvq46587

After failover, Active unit tcp sessions are not removed when timeout reached

CSCvq50587

ASA/FTD may traceback and reload in Thread Name 'BGP Router'

CSCvq50944

OSPFv3 neighborship is flapping every ~30 minutes

CSCvq51284

FPR 2100, low block 9472 causes packet loss through the device.

CSCvq55426

Adding an ipv6 default route causes CLI to hang for 50 seconds

CSCvq61601

OpenSSL vulnerability CVE-2019-1559 on FTD

CSCvq63024

Dual stacked ASAv manual failover issues

CSCvq65864

Traceback in HTTP Cli Exec with rest-api agent enabled

CSCvq70775

FPR2100 FTD Standby unit leaking 9K blocks

CSCvq76198

Traffic interruptions for FreeBSD systems

CSCvq78126

V route is missing even after setting the reverse route in Crypto map config in HA-IKEv2

CSCvq87797

Multiple context 5585 ASA, transparent context losing mangement interface configuration.

CSCvq88644

Traceback in tcp-proxy

CSCvq92126

ASA traceback in Thread IPsec Message Handler

CSCvq95058

IPSEC SA is deleted by failover which is caused by link down

CSCvq95826

DCD Causes Standby to send probes

CSCvq99107

Hot swap of SFP is not taking effect on the ASA

CSCvr10777

ASA Traceback in Ikev2 Daemon

CSCvr12018

ASA: VPN traffic fails to take the tunnel route when the default route is learnt over BGP.

CSCvr13278

PPPoE session not coming up after reload.

CSCvr20449

Policy deployment is reported as successful on the FMC but it is actually failed

CSCvr20757

Block leak on ASA while running Cisco Umbrella DNS inspection

CSCvr20876

low memory causes kernel to invoke - oom and reload device - modified rlimit for KP

CSCvr21803

Mac address flap on switch with wrong packet injected on ingress FTD interface

CSCvr23580

Can't delete 2 or more than two IP address-pool

CSCvr25768

ASA may traceback on display_hole_og

CSCvr25954

FTD/LINA Standby may traceback and reload during logging command replication from Active

CSCvr27445

App-sync failure if unit tries to join HA during policy deployment

CSCvr29638

HA FTD on FPR2110 traceback after deploy ACP from FMC

CSCvr35956

Block double-free when combining ServerKeyExchange and ClientKeyExchange fails causes lina traceback

CSCvr42344

Traceback on snp_policy_based_route_lookup when deleting a rule from access-list configured for PBR

CSCvr50266

Dual stack ASAv failover triggered by reload issue

CSCvr50630

ASA Traceback: SCTP bulk sync and HA synchronization

CSCvr51998

ASA Static route disappearing from asp table after learning default route via BGP

CSCvr54054

Mac Rewrite Occurring for Identity Nat Traffic

CSCvr55400

FTD/LINA traceback and reload observed in thread name: cli_xml_server

CSCvr55518

Missing clean up on rule creation failure.

CSCvr56031

FTD/LINA Traceback and reload observed in thread name: cli_xml_server

CSCvr57605

ASA after reload had license context count greater than platform limits

CSCvr60111

configurations getting wiped off from standby, while deployment fails on active

CSCvr66768

Lina Traceback during FTD deployment when PBR config is being pushed

CSCvr79974

Configuration might not replicated if packet loss on the failover Link

CSCvr81457

FTD traceback when TLS tracker (tls_trk_sniff_for_tls) attempted to free a block.

CSCvr85295

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote

CSCvr86077

ASA Traceback/pagefault in Datapath due to re_multi_match_ascii

CSCvr89663

Traceback: with thread name: pix_flash_config_thread WM1010 went into reboot loop

CSCvr90965

FTDv Deployment in Azure causes unrecoverable traceback state due to no dns domain-lookup any"

CSCvr92327

ASA/FTD may traceback and reload in Thread Name 'PTHREAD-1533'

CSCvr93978

ASA traceback and reload on Thread DATAPATH-0-2064

CSCvs01422

Lina traceback when changing device mode of FTD

CSCvs02954

ASA OSPF: Prefix removed from the RIB when topology changes, then added back when another SPF is run

CSCvs03023

Clustering module needs to skip the hardware clock update to avoid the timeout error and clock jump

CSCvs04179

ASA - 9.8.4.12 traceback and reload in ssh or fover_rx Thread

CSCvs05262

Decrement TTL display wrong result

CSCvs07668

FTD traceback and reload on thread DATAPATH-1-15076 when SIP inspection is enabled

CSCvs07982

ASA TRACEBACK: sctpProcessNextSegment - SCTP_INIIT_CHUNK

CSCvs15276

ERROR: entry for ::/0 exists when configuring ipv6 icmp

CSCvs15972

Network Performance Degradation when SSL policy is enabled

CSCvs16073

snmp poll failure with host and host-group configured

CSCvs26402

NAT policy configuration range limit to be imposed for non service cmds as well

CSCvs27264

mroute entries on ASA not getting refreshed.

CSCvs28213

ASA Traceback in Thread Name SSH with assertion slib_malloc.c

CSCvs28580

Traceback when processing SSL traffic under heavy load

CSCvs29779

ASA may traceback and reload while waiting for "DATAPATH-12-1899" process to finish.

CSCvs31470

OSPF Hello causing 9K block depletion, control point CPU 100% and cluster unstable.

CSCvs32023

Turn off egress-optimization processing

CSCvs39589

ASA doesn't honor SSH Timeout When Data Channel is not Negotiated

CSCvs40230

ICMP not working and failed with inspect-icmp-seq-num-not-matched

CSCvs40531

AnyConnect 4.8 is not working on the FPR1000 series

CSCvs43154

Secondary ASA is unable to join the failover due to aggressive warning messages.

CSCvs45548

reactivation-mode timed causing untimely reactivation of failed server

CSCvs53705

Anyconnect sessions limited incorrectly

CSCvs59966

false reported value for OID "cipSecGlobalActiveTunnels" - same as ASDM

CSCvs73663

ASA Traceback on IPsec message handler Thread

CSCvs77818

Traceback: spin_lock_fair_mode_enqueue: Lock (np_conn_shrlock_t) is held for a long time

CSCvs80157

ASA Traceback Thread Name: IKE Daemon

CSCvs82726

Placeholder to address CSCvs31470 in Multi-Context Mode

CSCvs91869

IKEv1 on FTD stuck in either "MM_START" or "MM_FREE" state