Release Notes for the Cisco ASA Series, 9.16(x)
This document contains release information for Cisco ASA software Version 9.16(x).
Important Notes
- ASDM signed-image support in 9.16(3.19)/7.18(1.152) and later—The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image with an ASA version that includes this fix, ASDM is blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” is displayed at the ASA CLI. ASDM release 7.18(1.152) and later is backwards compatible with all ASA versions, including those without this fix. (CSCwb05291, CSCwb05264)
- SNMPv3 users using MD5 hashing and DES encryption are no longer supported, and these users are removed when you upgrade to 9.16(1)—Be sure to change any such user configuration to higher-security algorithms using the snmp-server user command before you upgrade.
- SSH host key action required in 9.16(1)—In addition to RSA, we added support for EdDSA and ECDSA host keys for SSH. The ASA tries to use keys in the following order if they exist: EdDSA, ECDSA, and then RSA. When you upgrade to 9.16(1), the ASA falls back to using the existing RSA key. However, we recommend that you generate higher-security keys as soon as possible using the crypto key generate {eddsa | ecdsa} command. Moreover, if you explicitly configure the ASA to use the RSA key with the ssh key-exchange hostkey rsa command, you must generate a key that is 2048 bits or larger. For upgrade compatibility, the ASA uses smaller RSA host keys only when the default host key setting is used. RSA support will be removed in a later release.
- In 9.16 and later, certificates with RSA keys are not compatible with ECDSA ciphers—When you use the ECDHE_ECDSA cipher group, configure the trustpoint with a certificate that contains an ECDSA-capable key.
- RSA keys smaller than 2048 bits cannot be generated in 9.16(1)—You can no longer generate RSA keys smaller than 2048 bits using the crypto key generate rsa command.
  For SSH, existing smaller keys can continue to be used after upgrading, but we recommend that you upgrade to a larger key size or to a higher-security key type.
  For other features, existing certificates signed with RSA key sizes smaller than 2048 bits cannot be used in ASA 9.16(1) and later. You can use the crypto ca permit-weak-crypto command to allow use of existing smaller keys, but even with this command you cannot generate new smaller RSA keys.
- ssh version command removed in 9.16(1)—This command has been removed. Only SSH version 2 is supported.
- SAMLv1 feature removed in 9.16(1)—Support for SAMLv1 was removed.
- No support for DH groups 2, 5, and 24 in 9.16(1)—Support has been removed for DH groups 2, 5, and 24 in the SSL DH group configuration. The ssl dh-group command has been updated to remove the options group2, group5, and group24.
- Cisco announces the feature deprecation for Clientless SSL VPN effective with ASA version 9.17(1)—Limited support will continue on releases prior to 9.17(1).
- No support in ASA 9.15(1) and later for the ASA 5525-X, ASA 5545-X, and ASA 5555-X—ASA 9.14(x) is the last supported version. For the ASA FirePOWER module, the last supported version is 6.6.
- For the Firepower 1010, invalid VLAN IDs can cause problems—Before you upgrade to 9.15(1) or later, make sure you are not using a VLAN for switch ports in the range 3968 to 4047. These IDs are for internal use only, and 9.15(1) includes a check to make sure you are not using them. For example, if these IDs are in use after upgrading a failover pair, the failover pair goes into a suspended state. See CSCvw33057 for more information.
- Chacha-poly ciphers—AnyConnect has an updated list of supported cryptographic algorithms (see AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.10), which it proposes to the ASA when starting TLS-based VPN traffic.
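A pre-upgrade check that applies the notes above to a running-config, written for this page as an added example (not Cisco code or tooling): it flags SNMPv3 users with MD5/DES, the removed ssl dh-group options, the removed ssh version command, an RSA-only SSH host key setting, and Firepower 1010 switch-port VLAN IDs in the reserved range. The sample config is constructed, the VLAN check assumes the config comes from a Firepower 1010, and RSA key sizes are not checked because they are not part of the running-config.

```python
"""Pre-upgrade lint for ASA 9.16(1): flags running-config lines that the release
notes say are removed or changed at upgrade. Added example, not Cisco code."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Set

RESERVED_VLANS = range(3968, 4048)  # 3968-4047 inclusive, internal use on Firepower 1010
REMOVED_DH_GROUPS = {"group2", "group5", "group24"}  # dropped from ssl dh-group in 9.16(1)
SNMP_USER_RE = re.compile(r"^snmp-server user (?P<user>\S+) \S+ v3\b(?P<rest>.*)$")
SSL_DH_RE = re.compile(r"^ssl dh-group (?P<group>\S+)")
SSH_VERSION_RE = re.compile(r"^ssh version\b")
SSH_HOSTKEY_RSA_RE = re.compile(r"^ssh key-exchange hostkey rsa\b")
SWITCHPORT_VLAN_RE = re.compile(r"^\s*switchport (?:access|trunk allowed) vlan ([\d,-]+)")
INTERFACE_VLAN_RE = re.compile(r"^interface Vlan(\d+)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    severity: str  # "blocker": upgrade removes or breaks it; "warning": action recommended
    message: str


def expand_vlans(spec: str) -> Set[int]:
    """Expand a VLAN list such as '10,20-25,3970' into the set of IDs it names."""
    ids: Set[int] = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def check_config(config: str) -> List[Finding]:
    """Return one Finding per config line that needs attention before 9.16(1)."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(config.splitlines(), start=1):
        line = raw.rstrip()
        m = SNMP_USER_RE.match(line)
        if m:  # MD5 auth / DES priv users are deleted by the upgrade
            weak = [name for pat, name in ((r"\bauth md5\b", "MD5 authentication"),
                                           (r"\bpriv des\b", "DES privacy"))
                    if re.search(pat, m.group("rest"))]
            if weak:
                findings.append(Finding(line_no, "blocker",
                    f"SNMPv3 user {m.group('user')} uses {' and '.join(weak)}; the user is "
                    "removed on upgrade, reconfigure it with snmp-server user first"))
            continue
        m = SSL_DH_RE.match(line)
        if m and m.group("group") in REMOVED_DH_GROUPS:
            findings.append(Finding(line_no, "blocker",
                f"ssl dh-group {m.group('group')} is removed in 9.16(1); move to a supported "
                "group (group15 is new in 9.16(1))"))
            continue
        if SSH_VERSION_RE.match(line):
            findings.append(Finding(line_no, "warning",
                "ssh version is removed in 9.16(1); only SSH version 2 is supported"))
            continue
        if SSH_HOSTKEY_RSA_RE.match(line):
            findings.append(Finding(line_no, "warning",
                "ssh key-exchange hostkey rsa requires an RSA host key of 2048 bits or larger; "
                "prefer crypto key generate eddsa or ecdsa"))
            continue
        # Reserved VLAN check; assumes the config comes from a Firepower 1010.
        m = SWITCHPORT_VLAN_RE.match(line) or INTERFACE_VLAN_RE.match(line)
        reserved = sorted(v for v in expand_vlans(m.group(1)) if v in RESERVED_VLANS) if m else []
        if reserved:
            findings.append(Finding(line_no, "blocker",
                f"VLAN {reserved} is in the reserved 3968-4047 range on the Firepower 1010; "
                "renumber before upgrading (CSCvw33057)"))
    return findings


# Constructed sample running-config (not taken from any real device).
SAMPLE_CONFIG = """\
hostname fpr1010-edge
interface Ethernet1/2
 switchport access vlan 3970
interface Ethernet1/3
 switchport trunk allowed vlan 10,20-25
interface Vlan10
snmp-server group v3grp v3 priv
snmp-server user legacyuser v3grp v3 auth md5 ***** priv des *****
snmp-server user monitor v3grp v3 auth sha256 ***** priv aes 256 *****
ssl dh-group group2
ssh version 2
ssh key-exchange hostkey rsa
"""


def main(path: Optional[str] = None) -> int:
    """Lint a config file (or the built-in sample); exit status 1 when a blocker is found."""
    config = open(path, encoding="utf-8").read() if path else SAMPLE_CONFIG
    findings = check_config(config)
    for f in findings:
        print(f"line {f.line_no:>3} [{f.severity}] {f.message}")
    return 1 if any(f.severity == "blocker" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it against the output of show running-config saved to a file; a non-zero exit means at least one blocker must be fixed before the upgrade.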
System Requirements
ASDM requires a computer with a CPU with at least 4 cores. Fewer cores can result in high memory usage.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in ASA 9.16(4)
Released: October 13, 2022
There are no new features in this release.
New Features in ASA 9.16(3)
Released: April 6, 2022
There are no new features in this release.
New Features in ASA 9.16(2)
Released: August 18, 2021
There are no new features in this release.
New Features in ASA 9.16(1)
Released: May 26, 2021
| Feature | Description |
|---|---|
| Firewall Features | |
| New Section 0 for system-defined NAT rules. | A new Section 0 has been added to the NAT rule table. This section is exclusively for the use of the system. Any NAT rules that the system needs for normal functioning are added to this section, and these rules take priority over any rules you create. Previously, system-defined rules were added to Section 1, and user-defined rules could interfere with proper system functioning. You cannot add, edit, or delete Section 0 rules, but you will see them in show nat detail command output. |
| The default SIP inspection policy map drops non-SIP traffic. | For SIP-inspected traffic, the default is now to drop non-SIP traffic. The previous default was to allow non-SIP traffic on ports inspected for SIP. We changed the default SIP policy map to include the no traffic-non-sip command. |
| Ability to specify the IMSI prefixes to be dropped in GTP inspection. | GTP inspection lets you configure IMSI prefix filtering to identify the Mobile Country Code/Mobile Network Code (MCC/MNC) combinations to allow. You can now also filter on the MCC/MNC combinations that you want to drop. This way, you can list the unwanted combinations and default to allowing all other combinations. We added the following command: drop mcc. |
| Configure the maximum segment size (MSS) for embryonic connections | You can configure a service policy to set the server maximum segment size (MSS) for SYN-cookie generation for embryonic connections upon reaching the embryonic connections limit. This is meaningful for service policies where you are also setting embryonic connection maximums. New/Modified commands: set connection syn-cookie-mss. |
| Improved CPU usage and performance for many-to-one and one-to-many connections. | The system no longer creates local host objects and locks them when creating connections, except for connections that involve dynamic NAT/PAT, scanning threat detection, and host statistics. This improves performance and CPU usage in situations where many connections are going to the same server (such as a load balancer or web server), or one endpoint is making connections to many remote hosts. We changed the following commands: clear local-host (deprecated), show local-host. |
| Platform Features | |
| ASAv support for VMware ESXi 7.0 | The ASAv virtual platform supports hosts running VMware ESXi 7.0. New VMware hardware versions have been added to the vi.ovf and esxi.ovf files to enable optimal performance and usability of the ASAv on ESXi 7.0. No modified commands. No modified screens. |
| Intel QuickAssist Technology (QAT) on ASAv | The ASAv supports hardware crypto acceleration for ASAv deployments that use the Intel QuickAssist (QAT) 8970 PCI adapter. Hardware crypto acceleration for the ASAv using QAT is supported on VMware ESXi and KVM only. No modified commands. No modified screens. |
| ASAv on OpenStack | The ASAv virtual platform has added support for OpenStack. No modified commands. No modified screens. |
| High Availability and Scalability Features | |
| Improved PAT port block allocation for clustering on the Firepower 4100/9300 | The improved PAT port block allocation ensures that the control unit keeps ports in reserve for joining nodes and proactively reclaims unused ports. To best optimize the allocation, you can set the maximum number of nodes you plan to have in the cluster using the cluster-member-limit command. The control unit can then allocate port blocks to the planned number of nodes, and it does not have to reserve ports for extra nodes you do not plan to use. The default is 16 nodes. You can also monitor syslog 747046 to ensure that there are enough ports available for a new node. New/Modified commands: cluster-member-limit, show nat pool cluster [summary], show nat pool ip detail |
| show cluster history command improvements | We have added additional outputs for the show cluster history command. New/Modified commands: show cluster history brief, show cluster history latest, show cluster history reverse, show cluster history time |
| Firepower 1140 maximum contexts increased from 5 to 10 | The Firepower 1140 now supports up to 10 contexts. |
| Certificate Features | |
| Enrollment over Secure Transport (EST) for certification | The ASA supports certificate enrollment using Enrollment over Secure Transport (EST). However, you can use EST enrollment only with RSA and ECDSA keys. You cannot use an EdDSA key pair for a trustpoint configured for EST enrollment. New/Modified commands: enrollment protocol, crypto ca authenticate, and crypto ca enroll |
| Support for new EdDSA key | The new key option, EdDSA, was added to the existing RSA and ECDSA options. New/Modified commands: crypto key generate, crypto key zeroize, show crypto key mypubkey |
| Command to override restrictions on certificate keys | Support for the SHA1 with RSA Encryption algorithm for certification and support for certificates with RSA key sizes smaller than 2048 were removed. You can use the crypto ca permit-weak-crypto command to override these restrictions. New/Modified commands: crypto ca permit-weak-crypto |
| Administrative and Troubleshooting Features | |
| SSH security improvements | SSH now supports the following security improvements: New/Modified commands: crypto key generate eddsa, crypto key zeroize eddsa, show crypto key mypubkey, ssh cipher encryption chacha20-poly1305@openssh.com, ssh key-exchange group {ecdh-sha2-nistp256 \| curve25519-sha256}, ssh key-exchange hostkey, ssh version |
| Monitoring Features | |
| SNMPv3 Authentication | You can now use SHA-224 and SHA-384 for user authentication. You can no longer use MD5 for user authentication. You can no longer use DES for encryption. New/Modified commands: snmp-server user |
| VPN Features | |
| Support for IPv6 on Static VTI | The ASA supports IPv6 addresses in Virtual Tunnel Interface (VTI) configurations. A VTI tunnel source interface can have an IPv6 address, which you can configure to use as the tunnel endpoint. If the tunnel source interface has multiple IPv6 addresses, you can specify which address to use; otherwise, the first IPv6 global address in the list is used by default. The tunnel mode can be either IPv4 or IPv6, but it must be the same as the IP address type configured on the VTI for the tunnel to be active. An IPv6 address can be assigned to the tunnel source or the tunnel destination interface in a VTI. New/Modified commands: tunnel source interface, tunnel destination, tunnel mode |
| Support for 1024 VTI interfaces per device | The maximum number of VTIs that can be configured on a device has been increased from 100 to 1024. Even if a platform supports more than 1024 interfaces, the VTI count is limited to the number of VLANs configurable on that platform. For example, the ASA 5510 supports 100 VLANs, so the tunnel count would be 100 minus the number of physical interfaces configured. New/Modified commands: None |
| Support for DH group 15 in SSL | Support has been added for DH group 15 for SSL encryption. New/Modified commands: ssl dh-group group15 |
| Support for DH group 31 for IPsec encryption | Support has been added for DH group 31 for IPsec encryption. New/Modified commands: set pfs |
| Support to limit the SA in IKEv2 queue | Support has been added to limit the number of SA-INIT packets in the IKEv2 queue. New/Modified commands: crypto ikev2 limit queue sa_init |
| Option to clear IPsec statistics | CLIs have been introduced to clear and reset IPsec statistics. New/Modified commands: clear crypto ipsec stats and clear ipsec stats |
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
- ASDM: Choose .
- CLI: Use the show version command.
This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
Note: Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage.
Note: For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.
Note: ASA 9.14 was the final version for the ASA 5525-X, 5545-X, and 5555-X. ASA 9.12 was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2 was the final version for the ASA 5505. ASA 9.1 was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.
| Current Version | Interim Upgrade Version | Target Version |
|---|---|---|
| 9.15 | — | Any of the following: → 9.16 |
| 9.14 | — | Any of the following: → 9.16 → 9.15 |
| 9.13 | — | Any of the following: → 9.16 → 9.15 → 9.14 |
| 9.12 | — | Any of the following: → 9.16 → 9.15 → 9.14 |
| 9.10 | — | Any of the following: → 9.16 → 9.15 → 9.14 → 9.12 |
| 9.9 | — | Any of the following: → 9.16 → 9.15 → 9.14 → 9.12 |
| 9.8 | — | Any of the following: → 9.16 → 9.15 → 9.14 → 9.12 |
| 9.7 | — | Any of the following: → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
| 9.6 | — | Any of the following: → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
| 9.5 | — | Any of the following: → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
| 9.4 | — | Any of the following: → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
| 9.3 | — | Any of the following: → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
| 9.2 | — | Any of the following: → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
| 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) | — | Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
| 9.1(1) | → 9.1(2) | Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
| 9.0(2), 9.0(3), or 9.0(4) | — | Any of the following: → 9.14 → 9.12 → 9.8 → 9.6 → 9.1(7.4) |
| 9.0(1) | → 9.0(4) | Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
| 8.6(1) | → 9.0(4) | Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
| 8.5(1) | → 9.0(4) | Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
| 8.4(5+) | — | Any of the following: → 9.12 → 9.8 → 9.1(7.4) → 9.0(4) |
| 8.4(1) through 8.4(4) | → 9.0(4) | → 9.12 → 9.8 → 9.1(7.4) |
| 8.3 | → 9.0(4) | Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
| 8.2 and earlier | → 9.0(4) | Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.16(x)
The following table lists select open bugs at the time of this Release Note publication.
| Identifier | Headline |
|---|---|
| | FP2100: ASA/FTD with threat-detection statistics may traceback and reload in Thread Name 'lina' |
| | FP2100: ASA/FTD high availability is not resilient to unexpected lacp process termination |
| | Failover IPSec session and tunnel ID out of sync |
| | ASAv high CPU and stack memory allocation errors despite over 30% free memory |
| | FPR1120-ASA:Primary takes active role after reloading |
| | ASA/FTD may traceback and reload in Thread Name 'lina' |
| | RX queue getting stuck, causing the packets silently drop between chassis and blade |
| | Changing the buffer size impacting logging to buffer |
| | ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT |
| | ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off |
| | FPR1010 Trunk port traffic stops working after upgrade to 9.16 or higher. |
| | TCP Normalizer silent actions causing connections to fail |
| | Traffic is dropped with unclear snort verdict 'block-packet' |
| | Port-channel members use backplane interface MAC after a reload |
| | FTD Requesting Certificate Unexpectingly |
| | ASA traceback due to block data corruption |
| | More information is required on Syslog 202010 messages for troubleshooting |
| | Nested core observed in FTD4115 with lina_assert in calq_platform_entry_callback |
| | ASA - FP1120 unexpected traceback seen in version 9.16.2.14 |
| | ASA/FTD may traceback with large number of network objects deployment using distribute-list |
| | OSPF Redistribution route-map with prefix-list not working after upgrade |
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 9.16(4)
The following table lists select resolved bugs at the time of this Release Note publication.
| Identifier | Headline |
|---|---|
| | ASA/FTD 9344 blocks depleted due to high volume of fragmented traffic |
| | FTD: CTS SGT propagation gets enabled after reload |
| | BGP table not removing connected route when interface goes down |
| | FTD VTI reports TUNNEL_SRC_IS_UP false despite source interface is up/up and working |
| | FP4100 platform: Active-Standby changed to dual Active after running "show conn" command |
| | Cruz ASIC CLU filter has the incorrect src/dst IP subnet when a custom CCL IP subnet is set |
| | Cisco ASA and FTD Software SSL VPN Denial of Service Vulnerability |
| | ASA traceback and reload while allocating a new block for cluster keepalive packet |
| | ASA/FTD stops serving SSL connections |
| | PLR license reservation for ASAv5 is requesting ASAv10 |
| | Unstable client processes may cause LINA zmqio traceback on FTD |
| | "Number of interfaces on Active and Standby are not consistent" should trigger warning syslog |
| | ASAv: coredumpfsys is formatted during bootup |
| | Standby's sub interface mac doesn't revert to old mac with no mac-address command |
| | Standby unit failed to join failover due to large config size. |
| | Snort blocking and dropping packet, with bigger size(1G) file download |
| | ASA/FTD may hit a watchdog traceback related to snmp config writing |
| | SNMP OID , stop working after around one hour and a half - FTD |
| | LINA observed traceback on thread name "snmp_client_callback_thread" |
| | ASAv traceback when SD_WAN ACL enabled, then disabled (or vice-versa) in PBR |
| | IPv6: Some of egress interfaces of global and user vrf routes are missing in asp table |
| | All type-8 passwords are lost upon upgrade from ASA 9.12-9.15 to 9.16, failover gets disabled |
| | FTD: Time gap/mismatch seen when new node joins a Cluster Control node under history |
| | SNMPv3 polling may fail using privacy algorithms AES192/AES256 |
| | ASA reload and traceback in Thread Name: PIX Garbage Collector |
| | ASA: Reload and Traceback in Thread Name: Unicorn Proxy Thread with Page fault: Address not mapped |
| | ASA Failover does not detect context mismatch before declaring joining node as "Standby ready" |
| | ASA/FTD Traceback and reload due to NAT configuration |
| | ISA3000 in boot loop after powercycle |
| | ASA/FTD: Tuning of update_mem_reference process |
| | snmp-group host with Invalid host range and subnet causing traceback and reload |
| | ASA/FTD datapath threads may run into deadlock and generate traceback |
| | ASA/FTD: DF bit is being set on packets routed into VTI |
| | Cisco ASDM and ASA Software Client-side Arbitrary Code Execution Vulnerability |
| | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-9-11543' |
| | Standby FTD/ASA sends DNS queries with source IP of 0.0.0.0 |
| | Traceback: Standby FTD reboots and generates crashinfo and lina core on thread name cli_xml_server |
| | ASA/FTD traceback and reload at IKEv2 from Scaled S2S+AC-DTLS+SNMP long duration test |
| | CPU profile cannot be reactivated even if previously active memory tracking is disabled |
| | SNMP cores are generated every minute while running snmpwalk on HA |
| | Unable to identify dynamic rate liming mechanism & not following msg limit per/sec at syslog server. |
| | SNMP queries for crasLocalAddress are not returning the assigned IPs for SSL/DTLS tunnels. |
| | ASA traceback and reload on routing |
| | Single Pass - Traceback due to stale ifc |
| | FTD HA deployment fails with error "Deployment failed due to major version change on device" |
| | When inbound packet contains SGT header, FPR2100 cannot distribute properly per 5 tuple |
| | Primary takes active role after reload |
| | NAT (any,any) statements in-states the failover interface and resulting on Split Brain events |
| | Long delays when executing SNMP commands |
| | Implement SNP API to check ifc and ip belongs to HA LU or CMD interface |
| | ASA/FTD Traceback in crypto hash function |
| | ASA Traceback and reload in process name: lina |
| | FTD: IKEv2 tunnels flaps every 24 hours and crypto archives are generated |
| | Certificate validation fails post upgrade to 9.17.1 |
| | ASA/FTD Traceback and reload caused by Smart Call Home process sch_dispatch_to_url |
| | ASA DHCP server fails to bind reserved address to Linux devices |
| | Configuring pbr access-list with line number failed. |
| | ASA/FTD may traceback (watchdog) and reload when generating a syslog from the VPN Failover subsystem |
| | ASA/FTD Traceback in memory allocation failed |
| | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS |
| | FP4112\|4115 Traceback & reload on Thread Name: netfs_thread_init |
| | ASA traceback in Thread Name: SXP CORE |
| | ASA unable to configure aes128-gcm@openssh.com when FIPS enabled |
| | ASA traceback in Thread Name: fover_parse and triggered by snmp related functions |
| | FW traceback in timer infra / netflow timer |
| | PBR not working on ASA routed mode with zone-members |
| | RIP is advertising all connected Anyconnect users and not matching route-map for redistribution |
| | FTD offloads SGT tagged packets although it should not |
| | ASA/FTD proxy arps any traffic when using the built-in 'any' object in translated destination |
| | ASA/FTD firewall may traceback and reload when tearing down IKE tunnels |
| | ASA HA Active/standby tracebacks seen approximately every two months. |
| | ASA/FTD traceback and reload due to the initiated capture from FMC |
| | Snmpwalk output of memory does not match show memory/show memory detail |
| | Lina traceback and reload during EIGRP route update processing. |
| | Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
| | ASA Traceback & reload in thread name: Datapath |
| | ASA: Multiple Context Mixed Mode SFR Redirection Validation |
| | ASA/FTD traceback and reload on NAT related function nat_policy_find_location |
| | We can't monitor the interface via "snmpwalk" once interface is removed from context. |
| | ASA/FTD traceback and reload with timer services assertion |
| | ASA graceful shut down when applying ACL's with forward reference feature and FIPS enabled. |
| | Unable to apply SSH settings to ASA version 9.16 or later |
| | ASA/FTD may traceback and reload in Thread Name 'ssh' |
| | ASA/FTD may traceback and reload in Thread Name 'None' |
| | Interface internal data0/0 is up/up from cli but up/down from SNMP polling |
| | Standby ASA goes to booting loop during configuration replication after upgrade to 9.16(3). |
| | ASA/FTD may traceback and reload in Thread Name 'ci/console' |
| | ASA/FTD - Traceback in Thread Name: appAgent_subscribe_nd_thread |
| | ASA/FTD IPSEC debugs missing reason for change of peer address and timer delete |
| | FTD: SNMP failures after upgrade to 7.0.2 |
| | ASA tracebacks after SFR was upgraded to 6.7.0.3 |
| | ASA traceback and reload when modifying DNS inspection policy via CSM or CLI |
| | FTD/ASA traceback and reload at at ../inspect/proxy.h:439 |
| | ASA - Restore not remove the new configuration for an interface setup after backup |
| | "show nat pool cluster" commands run within EEM scripts lead to traceback and reload |
| | ASA/FTD Voltage information is missing in the commnad "show environment" |
| | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-20-7695' |
| | ASA/FTD can not parse UPN from SAN field of user's certificate |
| | ASA/FTD traceback and reload on Thread id: 1637 |
| | FTD Traceback and reload in process name lina |
| | ASA mgmt ip cannot be released |
| | Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
| | 9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
| | ASA Traceback and Reload on process name Lina |
| | ASA: SLA debugs not showing up on VTY sessions |
| | NAT64 translates all IPv6 Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used |
| | ASA traceback and reload due to "Heap memory corrupted at slib_malloc.c |
| | ASA/FTD may traceback and reload while executing SCH code |
| | ASA : HTTPS traffic authentication issue with Cut-through Proxy enabled |
| | FTD - Traceback and reload when performing IPv4 <> IPv6 NAT translations |
| | ASA/FTD: GTP inspection causing 9344 sized blocks leak |
| | ASA HA - Restore in primary not remove new interface configuration done after backup |
| | Inbound IPSEC SA stuck inactive - many inbound SPIs for one outbound SPI in "show crypto ipsec sa" |
| | ASA/FTD may traceback and reload in Thread Name 'lina' |
| | FTD - Traceback and reload on NAT IPv4<>IPv6 for UDP flow redirected over CCL link |
| | MPLS tagging removed by FTD |
| | FXOS-based Firepower platform showing 'no buffer' drops despite high values for RX ring watermarks |
| | ASA/FTD Cluster Split Brain due to NAT with "any" and Global IP/range matching broadcast IP |
| | ASA parser accepts incomplete network statement under OSPF process and is present in show run |
| | syslog related to failover is not outputted in FPR2140 |
| | IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response |
| | ASA fails to rekey with IPSEC ERROR: Failed to allocate an outbound hardware context |
| | ASA/FTD OSPFv3 does not generate messages Type 8 LSA for IPv6 |
| | FTD/ASA "Write Standby" enables ECDSA ciphers causing AC SSLv3 handshake failure |
| | Call home configuration on standby device is lost after reload |
| | FTD - Traceback in Thread Name: DATAPATH |
| | During the deployment time, device got stuck processing the config request. |
| | Unable to configure 'match ip address' under route-map when using object-group in access list |
| | ASA traceback and reload due to null pointer in Umbrella after modifying DNS inspection policy |
| | Unable to establish DTLSv1.2 with FIPS enabled after upgrade from 6.6.5. |
| | ASA Custom login page is not working through webvpn after an upgrade |
Resolved Bugs in Version 9.16(3)
The following table lists select resolved bugs at the time of this Release Note publication.
| Identifier | Headline |
|---|---|
| | Cluster: ping sourced from FTD/ASA to external IPs may if reply lands on different cluster unit |
| | Traceback on ASA by Smart Call Home process |
| | ASA show processes cpu-usage output is misleading on multi-core platforms |
| | Traceback of master and one slave when a particular lock is contended for long |
| | Crypto engine errors when GRE header protocol field doesn't match protocol field in inner ip header |
| | Snmpwalk showing traffic counter as 0 for failover interface |
| | ASA: 256 byte block depletion when syslog rate is high |
| | snmpwalk fails on ipv6 interface post a failover |
| | ASA reload and traceback in DATAPATH |
| | The 'show cluster info trace' output is overwhelmed by 'tag does not exist' messages |
| | Cisco ASA and FTD Software Resource Exhaustion Denial of Service Vulnerability |
| | VPN conn fails from same user if Radius server sends a dACL and vpn-simultaneous-logins is set to 1 |
| | ASAv Azure: Some or all interfaces might stop passing traffic after a certain period of run time |
| | Unable to configure ipv6 address/prefix to same interface and network in different context |
| | ASA in PLR mode,"license smart reservation" is failing. |
| | Management Sessions fail to connect after several weeks |
| | Active tries to send CoA update to Standby in case of "No Switchover" |
| | After upgrading ASA to 9.15(1)10, ASDM 7.15(1)150 One Time Password (OTP) field does not appear |
| | FDM failover pair - new configured sVTI IPSEC SA is not synced to standby. FDM shows HA not in sync |
| | UN-NAT created on FTD once a prior dynamic xlate is created |
| | FTD traceback and reload during anyconnect package verification |
| | L2L VPN session bringup fails when using NULL encryption in ipsec configuration |
| | Remote Access IKEv2 VPN session cannot be established because of stuck Uauth entry |
| | FTD loses OSPF network statements config for all VRF instances upon reboot |
| | RSA keys & Certs get removed post reload on WS-SVC-ASA-SM1-K7 with ASA code 9.12.x |
| | FTDv throughput degredation due to frequent PDTS read/write |
| | ASA traceback and reload due to snmp encrypted community string when key config is present |
| | VTI tunnel interface stays down post reload on KP/WM platform in HA |
| | Block 80 and 256 exhaustion snapshots are not created |
| | ASA/FTD Memory block location not updating for fragmented packets in data-path |
| | Debugs for: SNMP MIB value for crasLocalAddress is not showing the IP address |
| | WM Standby device do not send out coldstart trap after reboot. |
| | The standby device is sending the keep alive messages for ssl traffic after the failover |
| | ASAv on Azure loses connectivity to Metadata server once default outside route is used |
| | ZMQ OOM due to less Msglyr pool memory in low end platforms |
| | VRF route lookup for TCP ping is missing |
| | ASA/FTD traceback and reload after downgrade |
| | SSH session not being released |
| | Cisco ASA and FTD Web Services Denial of Service Vulnerability |
| | ASA Traceback and reload in Thread Name: SNMP ContextThread |
| | PAT pool exhaustion with stickiness traffic could lead to new connection drop. |
| | Cisco ASA and FTD Software IKEv2 Site-to-Site VPN Denial of Service Vulnerability |
| | FTD/ASA: Adding new ACE entries to ACP causes removal and re-add of ACE elements in LINA |
| | Roll back changes introduced by CSCvr33428 and CSCvy39659 |
| | FTD traceback and reload in Process Name lina related to SNMP functions |
| | ASA disconnects the VTY session using of Active IP address and Standby MAC address after failed over |
| | FP21xx -traceback "Panic:DATAPATH-10-xxxx -remove_mem_from_head: Error - found a bad header" |
| | IKEv2: SA Error code should be translated to human friendly reason |
| | Cisco Firepower Threat Defense Software TCP Proxy Denial of Service Vulnerability |
| | FTD tracebacks and reloads on Thread name Lina |
| | FTD lina traceback and reload in thread Name Checkheaps |
| | Traceback in webvpn and reload experienced periodically after ASA upgrade |
| | AnyConnect connection failure related to ASA truncated/corrupt config |
| | Crypto archive generated with SE ring timeout on 7.0 |
| | PKI "OCSP revocation check" failing due to sha256 request instead of sha1 |
| | FTD reload with Lina traceback during xlate replication in Cluster |
| | Multiple SSH host entries in platform settings as first feature enable/deploy will break SSH on LINA |
| | ASA55XX: Expansion module interfaces not coming up after a software upgrade |
| | ASA: Orphaned SSH session not allowing us to delete a policy-map from CLI |
| | ASP drop capture output may display incorrect drop reason |
| | Cluster CCL interface capture shows full packets although headers-only is configured |
| | ASA traceback and reload thread name: Datapath |
| | Dispatcher doesn't account for asynclock pend q work under some conditions result lower cpu util |
| | ASA/FTD may traceback and reload in loop processing Anyconnect profile |
| | FTDv - Lina Traceback and reload |
| | Twice nat's un-nat not happening if nat matches a pbr acl that matches a port number instead of IP |
| | SNMP agent restarts when show commands are issued |
| | device rebooted with snmpd core |
| | ASA: Drop reason is missing from 129 lines of asp-drop capture |
| | ASA: ARP entries from custom context not removed when an interface flap occurs on system context |
| | FTD/Lina may traceback when "show capture" command is executed |
| | ASA tracebacks and reload when clear configure snmp-server command is issued |
| | ASA/FTD - NAT stops translating source addresses after changes to object-groups in manual NAT Rule |
| | If ASA fails to download DACL it will never stop trying |
| | ASDM session is not served for new user after doing multiple context switches in existing user |
| | FTD/ASA - Stuck in boot loop after upgrade from 9.14.2.15 to 9.14.3 |
| | BGP packets dropped for non directly connected neighbors |
| | ASAv traceback in snmp_master_callback_thread and reload |
| | ASA/AnyConnect - Stale RADIUS sessions |
| | ASA traffic dropped by Implicit ACL despite the fact of explicit rules present on Access-list |
| | Internal ldap attribute mappings fail after HA failover |
| | ASAv observed traceback while upgrading hostscan |
| | FTD - Deployment will fail if you try to delete an SNMP host with ngfw-interface and host-group |
| | FTD may traceback and reload in Thread Name 'lina' |
| | Traceback and reload in Thread Name: DATAPATH-15-18621 |
| | TLS server discovery uses incorrect source IP address for probes in AnyConnect deployment |
| | FPR2100: Unable to form L2L VPN tunnels when using ESP-Null encryption |
| | show tech-support output can be confusing when there crashinfo, need to clean up/make more intuitive |
|
ASA does not use the interface specified in the name-server command to reach IPv6 DNS servers |
|
ASA:Failed ASA in HA pair not recovering by itself, after an "HA state progression failed" |
|
FTD/ASA Traceback and reload due to SSL null checks under low memory conditions |
|
TCP connections are cleared after configured idle-timeout even though traffic is present |
|
FTD Traceback and Reload on process LINA |
|
conf t is converted to disk0:/t under context-config mode |
|
Snort down after deploying the policy |
|
ASA traceback due to SCTP traffic. |
|
Cluster unit in MASTER_POST_CONFIG state should transition to Disabled state after an interva |
|
ASA traceback on DATAPATH when handling ICMP error message |
|
"Netsnmp_update_ma_config: ERROR Failed to build req"messages seen during cluster configuration sync |
|
CPU hogs in update_mem_reference |
|
ASA/FTD Traceback and reload due to memory corruption when generating ICMP unreachable message |
|
ASA traceback and reload in SSH process when executing the command "show access-list" |
|
ASDM session count and quota management's count mismatch. 'Lost connection firewall' msg in ASDM |
|
IPV6 DNS PTR query getting modified on FTD |
|
SSL decryption not working due to single connection on multiple in-line pairs |
|
ASA log shows wrong value of the transferred data after the anyconnect session terminated. |
|
LINA may generate traceback and reload |
|
Traceback observed on ASA while handling SAML handler |
|
High Control Plane CPU on StandBy due to dhcpp_add_ipl_stby |
|
Deleting The Context From ASA taking Almost 2 Minutes with ikev2 tunnel |
|
ASA/FTD may traceback and reload. "c_assert_cond_terminate" in stack trace |
|
FTD - Traceback in Thread Name: DATAPATH |
|
ASA/FTD Standby unit fails to join HA |
|
Inconsistent logging timestamp with RFC5424 enabled |
|
While implementing management tunnel a user can use open connect to bypass anyconnect. |
|
FTD traceback and reload when using DTLS1.2 on RA tunnels |
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS DoS |
|
OSPFv3: FTD Wrong "Forwarding address" added in ospfv3 database |
|
ASA disconnects the ssh, https session using of Active IP address and Standby MAC address after FO |
|
NTP will not change to *(synced) status after upgrade to asa-9.15.1/9.16.1.28 from asa-9.14.3 |
|
ASA/FTD: site-to-site VPN - traffic incorrectly fragmented |
|
ASA/FTD traceback and reload caused by "timer services" function |
|
FTD 25G, 40G and 100G interfaces down after upgrade of FXOS and FTD to 2.10.1.159 and 6.6.4 |
|
Primary ASA should send GARP as soon as split-brain is detected and peer becomes cold standby |
|
Lina traceback and reload during block free causing FTD boot loop |
|
ASDM session/quota count mismatch in ASA when multiple context switchover is done from ASDM |
|
OSPFv2 flow missing cluster centralized "c" flag |
|
SSL VPN performance degraded and significant stability issues after upgrade |
|
Low available DMA memory on ASA 9.14 at boot reduces AnyConnect sessions supported |
|
With object-group in crypto ACL sum of hitcnt mismatches with the individual elements |
|
Statelink hello messages dropped on Standby unit due to interface ring drops on high rate traffic |
|
ASA Privilege Escalation with valid user in AD |
|
ASA show tech execution causing spike on CPU and impacting to IKEv2 sessions |
|
NTP sync on IPV6 will fail if the IPV4 address is not configured |
|
FTD Deployment failure post upgrade due to major version change on device |
|
Loss of NTP sync following an upgrade |
|
FP1120 9.14.3 : temporary split brain happened after active device reboot |
|
IP Address 'in use' though no VPN sessions |
|
Clear and show conn for inline-set is not working |
|
FTD Blocks Traffic with SSL Flow Error CORRUPT_MESSAGE |
|
BGP routes shows unresolved and dropping packet with asp-drop reason "No route to host" |
|
IPv6 PIM packets are dropped in ASP with invalid-ip-length drop reason |
|
Cisco ASA Software and FTD Software Remote Access SSL VPN Denial of Service |
|
AnyConnect users with mapped group-policies take attributes from default GP under the tunnel-group |
|
SNMP Stopped Responding After Upgrading to Version- 9.14(2)15 |
|
ASA Failover Split Brain caused by delay on state transition after "failover active" command run |
|
Cisco Firepower Threat Defense Software Denial of Service Vulnerability |
|
ASA/FTD traceback and reload on IKE Daemon Thread |
|
ASA/FTD: remove unwanted process call from LUA |
|
ASA drops non DNS traffic with reason "label length 164 bytes exceeds protocol limit of 63 bytes" |
|
Clock drift observed between Lina and FXOS on multi-instance |
|
Flow Offload - Compare state values remains in error state for longer periods |
|
Traffic dropped by ASA configured with BVI interfaces due to asp drop type "no-adjacency" |
|
FTD moving UI management from FDM to FMC causes traffic to fail |
|
FTD SSL Proxy should allow configurable or dynamic maximum TCP window size |
|
"Error:NAT unable to reserve ports" when using a range of ports in an object service |
|
Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability |
|
ASA: Loss of NTP sync following a reload after upgrade |
|
Some syslogs for AnyConnect SSL are generated in admin context instead of user context |
|
ASA on FPR4100 traceback and reload when running captures using ASDM |
|
Random FTD reloads with the traceback during deployment from FMC |
|
ASA NAT66 with big range as a pool don't works with IPv6 |
|
Traceback: Secondary firewall reloading in Threadname: fover_parse |
|
ASA/FTD traceback and reload due to pix_startup_thread |
|
ASA: IP Header check validation failure when GTP Header have SEQ and EXT field |
|
Lina Traceback and Reload Due to invalid memory access while accessing Hash Table |
|
Different CG-NAT port-block allocated for same source IP causing per-host PAT port block exhaustion |
|
FTD Service Module Failure: False alarm of "ND may have gone down" |
|
ASA traceback in HTTP cli EXEC code |
|
DHCP Offer not seen on control plane |
|
New access-list are not taking effect after removing non-existance ACL with objects. |
|
ASA/FTD Change in OGS compilation behavior causing boot loop |
|
ASA traceback and reload on snp_ha_trans_alloc_msg_muxbuf_space function |
|
Polling OID "1.3.6.1.4.1.9.9.171.1.3.2.1.2" gives negative index value of the associated tunnel |
|
ASA traceback and reload in Unicorn Admin Handler when change interface configuration via ASDM |
|
Conditional flow-offload debugging produces no output |
|
FTP inspection stops working properly after upgrading the ASA to 9.12.4.x |
|
Traceback and reload after enabling debug webvpn cifs 255 |
|
SNMP is responding to snmpgetbulk with unexpected order of results |
|
Traffic keep failing on Hub when IPSec tunnel from Spoke flaps |
|
SNMP get command in FPR does not show interface index. |
|
Cisco ASA and FTD Software VPN Authorization Bypass Vulnerability |
|
Traceback: Lina traceback and reload on thread name: Logger |
|
Multiple issues with transactional commit diagnostics |
|
ASA/FTD may traceback and reload in Thread Name 'IP Address Assign' |
|
ASA/FTD Failover: Joining Standby reboots when receiving configuration replication from Active mate |
|
SNMP no longer responds to polls after upgrade to 9.15.1.17 |
|
SSL handshake logging showing unknown session during AnyConnect TLSv1.2 Session establishment |
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-4-9608' |
|
Incorrect ifHighSpeed value for a interfaces that are port channel members |
|
Lina may traceback and reload on tcpmod_proxy_handle_mixed_mode |
|
ASA: Jumbo sized packets are not fragmented over the L2TP tunnel |
|
Console has an excessive rate of warnings during policy deployment |
|
Mempool_DMA allocation issue / memory leakage |
|
ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA |
|
FP2140 ASA 9.16.2 HA units traceback and reload at lua_getinfo (getfuncname) |
|
ASA/FTD: OCSP may fail to work after upgrade due to "signer certificate not found" |
|
ASA/FTD MAC modification is seen in handling fragmented packets with INSPECT on |
|
Audit message not generated by: no logging enable from ASAv9.12 |
|
FTD/ASA: Traceback on BFD function causing unexpected reboot |
|
ASA CLI gets hung randomly while configuring SNMP |
Resolved Bugs in Version 9.16(2)
The following table lists select resolved bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | ENH: ASA should save the timestamp of the MAXHOG in 'show proc cpu-hog' |
| | 2 CPU Cores continuously spike on Firepower appliances |
| | AWS FTD: Deployment failure with ERROR: failed to set interface to promiscuous mode |
| | Traceback: ASA reloaded snp_fdb_destroy_fh_callback+104 |
| | FTD: NLP path dropping return ICMP destination unreachable messages |
| | ASA traceback and reload on engineering ASA build - 9.12.3.237 |
| | FPR1120 running ASA traceback and reload in crypto process |
| | FTD active unit might drop interface failover messages with host-move-pkt drop reason |
| | ASA/FTD Traceback and reload due to netflow refresh timer |
| | IKEv2 rekey - Invalid SPI for ESP packet using new SPI received right after Create_Child_SA response |
| | ASA traceback and reload due to strcpy_s: source string too long for dest |
| | Core-local block alloc failure on cores where CP is pinned leading to drops |
| | SSL Decrypted https flow EOF events showing 'Initiator/Responder' Packets as 0 |
| | ASA CP CPU wrong calculation leads to high percentage (100% CP CPU) |
| | SNMP bulkget not working for specific OIDs in firewall MIB and device performance degradation |
| | Traceback and reload due to Umbrella |
| | Slow file transfer or file upload when SSL policy is applied with Decrypt resign action |
| | ASA/FTD may traceback and reload when saving/writing the configuration to memory |
| | FPR 2100 running ASA in HA: Traceback and reload on watchdog during failover |
| | In some cases snmpwalk for ifXTable may not return data interfaces |
| | Secondary ASA could not get the startup configuration |
| | ASA traceback and reload when copying files with long destination filenames using cluster command |
| | Traceback on FPR 4115 in Thread - Lic HA Cluster |
| | Improve debugging capability for uauth |
| | ASA traceback when re-configuring access-list |
| | HA goes to active-active state due to cipher mismatch |
| | DHCP reservation fails to apply reserved address for some devices |
| | ASA Traceback and Reload in Thread Name: DATAPATH |
| | ASA cluster Traceback with Thread Name: Unicorn Admin Handler even when running fix for CSCuz67596 |
| | Traceback: ASA on FPR 2110 traceback and reload on process Lina |
| | REST API Login Page Issue |
| | ASA Traceback and reload on the A/S failover pair at IKEv2 |
| | PIM Register Sent counter does not increase when encapsulated packets with register flag sent to RP |
| | Web portal persistent redirects when certificate authentication is used |
| | FTD unnecessarily ACKing TCP flows on inline-pair deployment |
| | No space left: disk space is full on /ngfw |
| | Ambiguous command error is shown for 'show route bgp' or 'show route isis' if DNS lookup is enabled |
| | FTDv 6.7 on Azure is unable to set 1000 speed on GigabitEthernet interfaces |
| | ASA/FTD sends continuous RADIUS Access Requests even after Max Retry Count is reached |
| | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-15-14815' |
| | FTD traceback and reload on Lic TMR Thread on Multi Instance FTD |
| | Remote Access IKEv2 VPN session cannot be established because of stuck Uauth entry |
| | ASA Traceback & reload on process name lina due to memory header validation |
| | ASA/FTD may traceback and reload in Thread Name 'Unicorn Proxy Thread' |
| | ASA/FTD may traceback and reload in Thread Name 'ssh' |
| | ASA traceback in IKE Daemon process and reload |
| | Long OCSP timeout may cause AnyConnect authentication failure |
| | ASA/FTD may traceback and reload in Thread Name 'webvpn_task' |
| | FTD loses OSPF network statements config for all VRF instances upon reboot |
| | CPU hogs less than 10 msec are produced contrary to documentation |
| | ASA traceback and reload due to SNMP encrypted community string when key config is present |
| | Block 80 and 256 exhaustion snapshots are not created |
| | SNMPv3 configuration lost after reboot for HA |
| | Time out of sync between Lina and FXOS |
| | ASA direct authentication timeouts even if direct authentication traffic is passing through the ASA |
| | ASAv adding non-identity L2 entries for own addresses on MAC table and dropping HA hellos |
| | Cisco ASA 9.16.1 and FTD 7.0.0 IPsec Denial of Service Vulnerability |
| | FTD HA stuck in bulk state due to stuck vpnfol_sync/Bulk-sync keytab |
| | ASAv on AWS TenGigabit interface is learning 1000 Mbps instead of 10000 Mbps |
| | ASA accounting reports incorrect Acct-Session-Time |
| | ASA: "deny ip any any" entry in crypto ACL prevents IKEv2 remote AnyConnect access connections |
| | The standby device is sending the keep alive messages for SSL traffic after the failover |
| | ASA/FTD traceback and reload after downgrade |
| | ASA/FTD traceback and reload when negating snmp commands |
| | FTD traceback and reload related to SSL after upgrade to 7.0 |
| | FTD traceback and reload in Process Name lina related to SNMP functions |
| | Traceback in webvpn and reload experienced periodically after ASA upgrade |
| | ASA tracebacks and reload when clear configure snmp-server command is issued |
Resolved Bugs in Version 9.16(1)
The following table lists select resolved bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | Implement detection and auto-fix capability for scheduler corruption problems |
| | Functionality to include SNMP OID for retrieving 'show asp drop' information |
| | ASA - rare CP processing corruption causes console lock |
| | ASA core blocks depleted when host unreachable in IRB/TFW configuration |
| | ASA running 9.6.4.20 Traceback in threadname Unicorn Proxy Thread |
| | ASA: Traceback on tcp_intercept Thread name: Threat detection |
| | ENH: Need to log console messages on 2100 similar to 4100/9300 running ASA |
| | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote |
| | ASAv failover traffic on SR-IOV interfaces might be dropped due to interface-down |
| | FXOS - Recover hwclock of service module from corruption due to simultaneous write collision |
| | Critical RPM alert on FPR 1000 and FPR2100 Series with ASA 'Chassis 0 Cooling Fan OK' SCH message |
| | ASA traceback with thread: idfw_proc |
| | ASA traceback and reload during SSL handshake |
| | Traceback/Page-fault in Clientless WebVPN due to HTTP cleanup |
| | FTD LINA traceback & reload while processing snort return verdict |
| | When enabling inline tap mode, you may experience a 20-50% performance reduction |
| | FTD Lina engine may traceback in datapath after enabling SSL decryption policy |
| | ASA traceback observed when "config-url" is entered while creating new context |
| | Netflow template not sent under certain circumstances |
| | ASAv AnyConnect users unexpectedly disconnect with reason: Idle Timeout |
| | 6.7.0-1992: duplicate connection events with empty SSL info in one of them |
| | FTD/ASA creates coredump file with "!" character in filename (lina changes) |
| | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS |
| | FPR2100 1 Gig Fiber SFP Interfaces down in ASA appliance mode |
| | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS |
| | ASA traceback and reload on inspect esmtp |
| | ASA 9.12 random traceback and reload in DATAPATH |
| | ASA traceback while modifying the bookmark SSL Ciphers configuration |
| | OSPF network commands go missing in the startup-config after upgrading the ASA |
| | Traceback due to fover and ssh thread |
| | Traceback leads to the purg_process |
| | ASA5555 traceback and reload on Thread Name: ace_work |
| | Traceback in KP in timer while running VPN, EMIX and SNMP traffic overnight |
| | Unexpected traceback and reload on FTD creating a Core file |
| | ASA: High number of CPU hogs in igb_saleen_io_sfp_mod_poll_thread process |
| | ASA: EasyVPN HW Client triggers duplicate phase 2 rekey causing disconnections across the tunnel |
| | ASA/FTD may traceback in thread name fover_FSM_thread and reload |
| | ASA/FTD: MAC address-table flap seen on connected switch after an HA switchover |
| | FTD 6.6: High CPU spikes on snmpd process |
| | ASA keeps reloading with "octnic_hm_thread"; after the reload, it takes a very long time to recover |
| | Secondary unit not able to join the cluster |
| | ASA traceback and reload due to VPN thread on Firepower 2140 |
| | Snort busy drops with PDTS Tx queue stuck |
| | ASA traceback and reload while executing "show tech-support" command |
| | ASA stale VPN Context seen for site-to-site and AnyConnect sessions |
| | Offloaded traffic not failed over to secondary route in ECMP setup |
| | ASA traceback in the LINA process |
| | FTD traceback and reload on DATAPATH thread when processing encapsulated flows |
| | radius_rcv_auth can shoot up control plane CPU to 100% |
| | Secondary unit stuck in Bulk sync infinitely due to interface of Primary stuck in init state |
| | ASA/FTD Traceback and reload in Thread Name: Logger |
| | FTD might crash in SNMP with rip Netsnmp_config_req_dequeue_and_send+269 at snmp/snmp_config_utils.c |
| | TCP File transfer (Big File) not properly closed when Flow offload is enabled |
| | ASA syslog traceback while strncpy NULL string passed from SSL library |
| | ASA traceback and reload on Thread Name: ci/console |
| | Cisco ASA and FTD Software SIP Denial of Service Vulnerability |
| | IKEv2 with EAP: MOBIKE status fails to be processed |
| | SNMP process crashed while upgrading the QP to v9.14.1.109 |
| | ASA/FTD may traceback and reload due to memory corruption in SNMP |
| | Director/Backup flows are left behind and traffic related to this flow is blackholed |
| | ASASM traceback and reload after upgrade to 9.12(4)4 and higher |
| | TACACS+ ASCII password change request not handled properly |
| | VPN syslogs are generated at a rate of 600/s until device goes into a hang state |
| | Azure ASA/FTD NIC MAC address might get re-ordered upon a reboot |
| | 9.10.1.11 ASA on FPR2110 traceback and reloads randomly |
| | ASA/FTD Traceback and reload during PBR configuration change |
| | ASA: "class-default" class-map redirecting non-DNS traffic to DNS inspection engine |
| | ASAv SNMP traceback on reload |
| | ASA/FTD traceback and reload related to SNMP and management-access configuration |
| | IPsec transport mode traffic corruption for inbound traffic for some FPR platforms |
| | DAP stopped working after upgrading the ASA to 9.13(1)13 |
| | ASA/FTD traceback and reload in process name "Lina" |
| | IPv4 Default Tunneled Route Rejected |
| | FPR 4K: SSL trust-point removed from new active ASA after manual Failover |
| | ASA: AnyConnect sessions cannot be resumed due to IPv6 DACL failure |
| | Cisco ASA and FTD Software Web Services Buffer Overflow Denial of Service Vulnerability |
| | ASA Fails to process HTTP POST with SAML assertion containing multiple query parameters |
| | FPR4120 - Lina watchdog traceback in cli_xmlserver_thread |
| | Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerability |
| | M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service |
| | FPR-4150 - ASA traceback and reload with thread name DATAPATH |
| | Name of AnyConnect custom attribute of type dynamic-split-exclude-domains is changed after reload |
| | Connection issues to directly connected IP from FTD BVI address |
| | ASA: Random L2TP users cannot access resources due to stale ACL filter entries |
| | ASA traceback and reload in Thread: Ikev2 Daemon |
| | ASA traceback in IKE Daemon and reload |
| | ASA: OpenSSL Vulnerability CVE-2020-1971 |
| | ASA Tracebacks when making "configuration session" changes regarding an ACL |
| | BVI HTTP/SSH access is not working in versions 9.14.1.30 or above |
| | FTD Firewall may traceback and reload when modifying ACLs |
| | Managed device backup fails for FTD if hostname exceeds 30 characters |
| | ASA traceback and reload on Thread name snmp_alarm_thread |
| | ASA traceback and reload webvpn thread |
| | ASA/FTD may traceback and reload during certificate changes |
| | Cisco ASA and FTD Software for FP 1000/2100 Series Command Injection Vulnerability |
| | ASA traceback and reload with Thread name: ssh when capture was removed |
| | ASA: Traceback at emweb/https and reload when Remote Access VPN is enabled |
| | Traceback in inspect_h323_ras+1810 |
| | ASA: VPN traffic does not pass if no dACL is provided in CoA |
| | ASA: dACL with no IPv6 entries is not applied to v6 traffic after CoA |
| | ASAv: SNMP result for used memory value incorrect after upgrade to 9.14 |
| | AppAgent gets deregistered due to heartbeat failure during config sync up on Firepower 2100s |
| | Traceback in Thread Name: Lic TMR |
| | Offload rewrite data needs to be fixed for identity NAT traffic and clustering environment |
| | When SGT name is unresolved and used in ACE, line is not being ignored/inactive |
| | ASA reload is removing 'content-security-policy' config |
| | Cisco ASA and FTD Software Command Injection Vulnerability |
| | ASA may generate a traceback in Logger thread during configuration sync in HA |
| | Fail-to-wire ports in FPR 2100 flapping after upgrade to 6.6.1 |
| | ASA: default IPv6/IPv4 route tunneled does not work |
| | M500IT Model Solid State Drives on ISA3000 may go unresponsive after 3.2 Years in service |
| | ASA Traceback: CRL check for an AnyConnect client with a revoked certificate triggers reload |
| | ASA may traceback and reload on thread Crypto CA |
| | Firepower 2110 silently dropping traffic with TFC enabled on the remote end |
| | ASA/FTD traceback in Thread Name: PTHREAD-4432 |
| | DHCP Proxy Offer is getting dropped on the ASA/FTD |
| | Failure accessing FXOS with connect fxos admin from Multi-Context ASA if admin context is changed |
| | ASA may traceback and reload in Thread Name 'webvpn_task' |
| | FPR-2100-ASA: SNMP Walk for ifType is showing "other" for ASA interfaces in the latest versions |
| | Prevent lina from traceback due to object loop sent by FMC; fail the deployment instead |
| | ASA/FTD may traceback after changing snmp host-group object |
| | ASA traceback and reload during OCSP response data cleanup |
| | X-Frame-Options header is not set in webvpn response pages |
| | ASA traceback & reload due to "show crashinfo" adding a new output log |
| | Traceback into snmp at handle_agentx_packet / snmp takes long time to come up on FP1k and 5508 |
| | FTD traceback and reload on process lina on FPR2100 series |
| | ASA: Unable to import PAC file if FIPS is enabled |
| | Firewall CPU can increase after a bulk routing update with flow offload |
| | IP address in DHCP GIADDR field is reversed after sending DHCP DECLINE to DHCP server |
| | CPU performance degrades with lots of route updates with flow offload enabled |
| | ASA 9.15.1.7 traceback and reload in SSL midpath |
| | ASA reload with FIPS failure |
| | Concurrent modification of ACL configuration breaks output of "show running-config" completely |
| | FPR4150 ASA Standby Ready unit loops to Failed and removes config to install it again |
| | ASA EIGRP route stuck after neighbour disconnected |
| | FTD cluster physical interface will not be up in inline mode even if FXOS interface state is up |
| | FTD/ASA traceback in Thread Name: Unicorn Proxy Thread |
| | X-Frame-Options header support for older versions of IE and Windows platforms |
| | Traceback in Thread Name: fover_health_monitoring_thread |
| | ASA traceback and reload in SNMP Notify Thread while deleting transparent context |
| | ASP capture dispatch-queue-limit shows no packets |
| | Deployment failures on FTD when multicast is enabled |
| | FTD 6.6.1/6.7.0 is sending SNMP ifSpeed OID (1.3.6.1.2.1.2.2.1.5) response value = 0 |
| | Smart Tunnel Code signing certificate renewal |
| | CoA received before data tunnel comes up results in tear down of parent session |
| | ASA traceback and reload on Thread Name: CTM Daemon |
| | ASA internal deadlock leads to loss of feature functionality (syslogs, reload, ASDM, AnyConnect) |
| | ASA Traceback and reload in Thread Name: SNMP ContextThread |
| | ASA/FTD Traceback and reload in Thread Name: pix_startup_thread due to asa_run_ttyS0 script |
| | Optimise ifmib polls |
| | ASA traceback and reload in thread ci/console when copying a system image to flash |
| | Slow file transfer or file upload when SSL policy is applied with Decrypt resign action |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.