Release Notes for the Secure Firewall ASA Series, 9.18(x)

This document contains release information for ASA software Version 9.18(x).

Important Notes

  • ASDM signed-image support in 9.18(2)/7.18(1.152) and later—The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. ASDM release 7.18(1.152) and later are backwards compatible with all ASA versions, even those without this fix. (CSCwb05291, CSCwb05264)

  • 9.18(1) upgrade issue if you enabled HTTPS/ASDM (with HTTPS authentication) and SSL on the same interface with the same port—If you enable both SSL (webvpn > enable interface) and HTTPS/ASDM (http) access on the same interface, you can access AnyConnect from https://ip_address and ASDM from https://ip_address/admin, both on port 443. However, if you also enable HTTPS authentication (aaa authentication http console), then you must specify a different port for ASDM access starting in 9.18(1). Before you upgrade, make sure you change the port using the http command. (CSCvz92016)

  • ASA virtual of instance type g5ne.4xLarge has low performance on Alibaba Cloud—The ASA virtual of instance type g5ne.4xLarge on Alibaba Cloud has low performance, especially in terms of Connections Per Second (CPS) due to underlying issues in the Alibaba infrastructure. There is no workaround. (CSCwb24458, CSCwb61168)
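A pre-upgrade check for the HTTPS/ASDM and SSL same-port condition in the 9.18(1) note above, given as an added example that is not part of the Cisco release notes. The function names and the sample running-config are constructed for illustration, and the parser assumes the forms `http server enable [port]`, `http <address> <mask> <interface>`, and `enable <interface>` / `port <number>` under `webvpn`.

```python
"""Audit a saved running-config for the 9.18(1) HTTPS/ASDM + SSL same-port condition."""

# Constructed sample running-config for illustration; not taken from the release notes.
SAMPLE_CONFIG = """\
http server enable
http 192.0.2.0 255.255.255.0 outside
http 10.0.0.0 255.0.0.0 inside
aaa authentication http console LOCAL
webvpn
 enable outside
 anyconnect enable
"""

DEFAULT_PORT = 443  # used when neither the HTTP server nor webvpn names a port


def parse_config(config):
    """Collect the settings the 9.18(1) note depends on."""
    state = {"http_port": None, "http_ifaces": set(),
             "webvpn_port": DEFAULT_PORT, "webvpn_ifaces": set(),
             "http_auth": False}
    in_webvpn = False
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if raw[0].isspace():
            # Indented line: a sub-command of the most recent top-level mode.
            if in_webvpn and words[0] == "enable" and len(words) >= 2:
                state["webvpn_ifaces"].add(words[1])
            elif in_webvpn and words[0] == "port" and len(words) == 2 and words[1].isdigit():
                state["webvpn_port"] = int(words[1])
            continue
        in_webvpn = words == ["webvpn"]
        if words[:3] == ["http", "server", "enable"]:
            has_port = len(words) > 3 and words[3].isdigit()
            state["http_port"] = int(words[3]) if has_port else DEFAULT_PORT
        elif (words[0] == "http" and len(words) >= 3
              and (words[1][0].isdigit() or ":" in words[1])):
            # "http <address> [<mask>] <interface>": the interface is the last token.
            state["http_ifaces"].add(words[-1])
        elif words[:4] == ["aaa", "authentication", "http", "console"]:
            state["http_auth"] = True
    return state


def interfaces_needing_port_change(config):
    """Interfaces where ASDM and SSL share a port while HTTPS authentication is on."""
    s = parse_config(config)
    if not s["http_auth"] or s["http_port"] is None:
        return []  # no HTTPS authentication, or the HTTP server is not enabled
    if s["http_port"] != s["webvpn_port"]:
        return []  # ASDM already listens on a different port
    return sorted(s["http_ifaces"] & s["webvpn_ifaces"])


if __name__ == "__main__":
    for name in interfaces_needing_port_change(SAMPLE_CONFIG):
        print(f"{name}: move ASDM to a different port before upgrading to 9.18(1)")
```

An empty result means the configuration does not combine all three settings on one interface and port, so the note does not apply.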

New Features

This section lists new features for each release.


Note

New, changed, and deprecated syslog messages are listed in the syslog message guide.


New Features in ASA 9.18(2)

Released: August 10, 2022

Feature

Description

Interface Features

Loopback interface support for BGP and management traffic

You can now add a loopback interface and use it for the following features:

  • BGP

  • SSH

  • SNMP

  • Syslog

  • AAA

  • Telnet

New/Modified commands: interface loopback, logging host, neighbor update-source, snmp-server host, ssh, telnet

New Features in ASA 9.18(1)

Released: June 6, 2022

Feature

Description

Platform Features

ASAv-AWS Security center integration for AWS GuardDuty

You can now integrate Amazon GuardDuty service with ASAv. The integration solution helps you to capture and process the threat analysis data or results (malicious IP addresses) reported by Amazon GuardDuty. You can configure and feed these malicious IP addresses in the ASAv to protect the underlying networks and applications.

Alibaba virtual deployments

You can now deploy Secure Firewall ASA Virtual on Alibaba Cloud. The following features are supported:

  • QCOW2 Image package.

  • Basic Product Bringup.

  • Day-0 Configuration.

  • SSH using Public Key or Password.

    Alibaba UI Console to access ASAv for any debugging purpose.

  • Alibaba UI Stop/Restart.

  • Supported instance types: ecs.g5ne.large, ecs.g5ne.xlarge, ecs.g5ne.2xlarge, ecs.g5ne.4xlarge.

  • BYOL License Support.

Firewall Features

Forward referencing of ACLs and objects is always enabled. In addition, object group search for access control is now enabled by default.

You can refer to ACLs or network objects that do not yet exist when configuring access groups or access rules.

In addition, object group search is now enabled by default for access control. After upgrade, if you had object group search disabled, it will now be enabled. If you want to disable it (not recommended), you must do so manually.

We removed the forward-reference enable command, and changed the default for object-group-search access-control to enabled.

Routing Features

Path monitoring metrics in PBR.

PBR uses the metrics to determine the best path (egress interface) for forwarding the traffic. Path monitoring periodically notifies PBR with the monitored interface whose metric got changed. PBR retrieves the latest metric values for the monitored interfaces from the path monitoring database and updates the data path.

New/Modified commands: clear path-monitoring, policy-route, show path-monitoring

Interface Features

Pause Frames for Flow Control for the Secure Firewall 3100

If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue.

New/Modified commands: flowcontrol send on

Breakout ports for the Secure Firewall 3130 and 3140

You can now configure four 10GB breakout ports for each 40GB interface on the Secure Firewall 3130 and 3140.

New/Modified commands: breakout

License Features

Secure Firewall 3100 support for the Carrier license

The Carrier license enables Diameter, GTP/GPRS, SCTP inspection.

New/Modified commands: feature carrier

Certificate Features

Mutual LDAPS authentication.

You can configure a client certificate for the ASA to present to the LDAP server when it requests a certificate to authenticate. This feature applies when using LDAP over SSL. If an LDAP server is configured to require a peer certificate, the secure LDAP session will not complete and authentication/authorization requests will fail.

New/Modified commands: ssl-client-certificate

Authentication: Validate certificate name or SAN

When a feature-specific reference-identity is configured, the peer certificate identity is validated against the matching criteria specified under the crypto ca reference-identity <name> submode commands. If no match is found in the peer certificate Subject Name/SAN, or if the FQDN specified with the reference-identity submode command fails to resolve, the connection is terminated.

The reference-identity CLI is configured as a submode command for aaa-server host configuration and ddns configuration.

New/Modified commands: ldap-over-ssl, ddns update method, and show update method

Administrative, Monitoring, and Troubleshooting Features

Multiple DNS server groups

You can now use multiple DNS server groups: one group is the default, while other groups can be associated with specific domains. A DNS request that matches a domain associated with a DNS server group will use that group. For example, if you want traffic destined to inside eng.cisco.com servers to use an inside DNS server, you can map eng.cisco.com to an inside DNS group. All DNS requests that do not match a domain mapping will use the default DNS server group, which has no associated domains. For example, the DefaultDNS group can include a public DNS server available on the outside interface.

New/Modified commands: dns-group-map, dns-to-domain

Dynamic Logging Rate-limit

A new option was added to limit the logging rate when block usage exceeds a specified threshold value. The limit is dynamic: rate limiting is disabled again when block usage returns to its normal value.

New/Modified commands: logging rate-limit

Packet Capture for Secure Firewall 3100 devices

The provision to capture switch packets was added. This option can be enabled only for Secure Firewall 3100 devices.

New/Modified commands: capture real-time

VPN Features

IPsec flow offload.

On the Secure Firewall 3100, IPsec flows are offloaded by default. After the initial setup of an IPsec site-to-site VPN or remote access VPN security association (SA), IPsec connections are offloaded to the field-programmable gate array (FPGA) in the device, which should improve device performance.

New/Modified commands: clear flow-offload-ipsec, flow-offload-ipsec, show flow-offload-ipsec

Certificate and SAML for Authentication

You can configure remote access VPN connection profiles for certificate and SAML authentication. Users can configure VPN settings to authenticate a machine certificate or user certificate before a SAML authentication/authorization is initiated. This can be done using DAP certificate attributes along with user specific SAML DAP attributes.

New/Modified commands: authentication saml certificate, authentication certificate saml, authentication multiple-certificate saml

Upgrade the Software

This section provides the upgrade path information and a link to complete your upgrade.

ASA Upgrade Path

To view your current version and model, use one of the following methods:

  • ASDM: Choose Home > Device Dashboard > Device Information.

  • CLI: Use the show version command.

This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.


Note

Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage.



Note

For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.



Note

ASA 9.16(x) was the final version for the ASA 5506-X, 5508-X, and 5516-X.

ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X.

ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.

ASA 9.2(x) was the final version for the ASA 5505.

ASA 9.1(x) was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.


| Current Version | Interim Upgrade Version | Target Version |
| --- | --- | --- |
| 9.17(x) | | Any of the following: 9.18(x) |
| 9.16(x) | | Any of the following: 9.18(x), → 9.17(x) |
| 9.15(x) | | Any of the following: 9.18(x), → 9.17(x), 9.16(x) |
| 9.14(x) | | Any of the following: 9.18(x), → 9.17(x), 9.16(x), → 9.15(x) |
| 9.13(x) | | Any of the following: 9.18(x), → 9.17(x), 9.16(x), → 9.15(x), → 9.14(x) |
| 9.12(x) | | Any of the following: 9.18(x), → 9.17(x), 9.16(x), → 9.15(x), → 9.14(x) |
| 9.10(x) | | Any of the following: 9.18(x), → 9.17(x), 9.16(x), → 9.15(x), → 9.14(x), → 9.12(x) |
| 9.9(x) | | Any of the following: 9.18(x), → 9.17(x), 9.16(x), → 9.15(x), → 9.14(x), → 9.12(x) |
| 9.8(x) | | Any of the following: 9.18(x), → 9.17(x), 9.16(x), → 9.15(x), → 9.14(x), → 9.12(x) |
| 9.7(x) | | Any of the following: 9.18(x), → 9.17(x), 9.16(x), → 9.15(x), → 9.14(x), → 9.12(x), → 9.8(x) |
| 9.6(x) | | Any of the following: 9.18(x), → 9.17(x), 9.16(x), → 9.15(x), → 9.14(x), → 9.12(x), → 9.8(x) |
| 9.5(x) | | Any of the following: 9.18(x), → 9.17(x), 9.16(x), → 9.15(x), → 9.14(x), → 9.12(x), → 9.8(x) |
| 9.4(x) | | Any of the following: 9.18(x), → 9.17(x), 9.16(x), → 9.15(x), → 9.14(x), → 9.12(x), → 9.8(x) |
| 9.3(x) | | Any of the following: 9.18(x), → 9.17(x), 9.16(x), → 9.15(x), → 9.14(x), → 9.12(x), → 9.8(x) |
| 9.2(x) | | Any of the following: 9.18(x), → 9.17(x), 9.16(x), → 9.15(x), → 9.14(x), → 9.12(x), → 9.8(x) |
| 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) | | Any of the following: → 9.14(x), 9.12(x), → 9.8(x), → 9.1(7.4) |
| 9.1(1) | → 9.1(2) | Any of the following: → 9.14(x), 9.12(x), → 9.8(x), → 9.1(7.4) |
| 9.0(2), 9.0(3), or 9.0(4) | | Any of the following: → 9.14(x), 9.12(x), → 9.8(x), → 9.6(x), → 9.1(7.4) |
| 9.0(1) | → 9.0(4) | Any of the following: → 9.14(x), 9.12(x), → 9.8(x), → 9.1(7.4) |
| 8.6(1) | → 9.0(4) | Any of the following: → 9.14(x), 9.12(x), → 9.8(x), → 9.1(7.4) |
| 8.5(1) | → 9.0(4) | Any of the following: 9.12(x), → 9.8(x), → 9.1(7.4) |
| 8.4(5+) | | Any of the following: 9.12(x), → 9.8(x), → 9.1(7.4), → 9.0(4) |
| 8.4(1) through 8.4(4) | → 9.0(4) | 9.12(x), → 9.8(x), → 9.1(7.4) |
| 8.3(x) | → 9.0(4) | Any of the following: 9.12(x), → 9.8(x), → 9.1(7.4) |
| 8.2(x) and earlier | → 9.0(4) | Any of the following: 9.12(x), → 9.8(x), → 9.1(7.4) |

Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note

You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.


For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs in Version 9.18(x)

The following table lists select open bugs at the time of this Release Note publication.

| Identifier | Headline |
| --- | --- |
| CSCwb43433 | Jumbo frame performance has degraded up to -45% on Firepower 2100 series |
| CSCwc23113 | LTP feature not working on KP ASA with 9.18 |
| CSCwc50891 | MPLS tagging removed by FTD |

Resolved Bugs

This section lists resolved bugs per release.

Resolved Bugs in Version 9.18(2)

The following table lists select resolved bugs at the time of this Release Note publication.

| Identifier | Headline |
| --- | --- |
| CSCvw82067 | ASA/FTD 9344 blocks depleted due to high volume of fragmented traffic |
| CSCvy50598 | BGP table not removing connected route when interface goes down |
| CSCvz36903 | ASA traceback and reload while allocating a new block for cluster keepalive packet |
| CSCvz69729 | Unstable client processes may cause LINA zmqio traceback on FTD |
| CSCwa59907 | LINA observed traceback on thread name "snmp_client_callback_thread" |
| CSCwa75966 | ASA: Reload and Traceback in Thread Name: Unicorn Proxy Thread with Page fault: Address not mapped |
| CSCwa97917 | ISA3000 in boot loop after powercycle |
| CSCwb05291 | Cisco ASDM and ASA Software Client-side Arbitrary Code Execution Vulnerability |
| CSCwb06847 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-9-11543' |
| CSCwb17963 | Unable to identify dynamic rate liming mechanism & not following msg limit per/sec at syslog server. |
| CSCwb19648 | SNMP queries for crasLocalAddress are not returning the assigned IPs for SSL/DTLS tunnels. |
| CSCwb53172 | FTD: IKEv2 tunnels flaps every 24 hours and crypto archives are generated |
| CSCwb53328 | ASA/FTD Traceback and reload caused by Smart Call Home process sch_dispatch_to_url |
| CSCwb54791 | ASA DHCP server fails to bind reserved address to Linux devices |
| CSCwb67040 | FP4112\|4115 Traceback & reload on Thread Name: netfs_thread_init |
| CSCwb68642 | ASA traceback in Thread Name: SXP CORE |
| CSCwb69503 | ASA unable to configure aes128-gcm@openssh.com when FIPS enabled |
| CSCwb71460 | ASA traceback in Thread Name: fover_parse and triggered by snmp related functions |
| CSCwb73248 | FW traceback in timer infra / netflow timer |
| CSCwb74571 | PBR not working on ASA routed mode with zone-members |
| CSCwb79812 | RIP is advertising all connected Anyconnect users and not matching route-map for redistribution |
| CSCwb80559 | FTD offloads SGT tagged packets although it should not |
| CSCwb80862 | ASA/FTD proxy arps any traffic when using the built-in 'any' object in translated destination |
| CSCwb82796 | ASA/FTD firewall may traceback and reload when tearing down IKE tunnels |
| CSCwb83388 | ASA HA Active/standby tracebacks seen approximately every two months. |
| CSCwb83691 | ASA/FTD traceback and reload due to the initiated capture from FMC |
| CSCwb85633 | Snmpwalk output of memory does not match show memory/show memory detail |
| CSCwb87498 | Lina traceback and reload during EIGRP route update processing. |
| CSCwb90074 | ASA: Multiple Context Mixed Mode SFR Redirection Validation |
| CSCwb90532 | ASA/FTD traceback and reload on NAT related function nat_policy_find_location |
| CSCwb92709 | We can't monitor the interface via "snmpwalk" once interface is removed from context. |
| CSCwb93932 | ASA/FTD traceback and reload with timer services assertion |
| CSCwb94190 | ASA graceful shut down when applying ACL's with forward reference feature and FIPS enabled. |
| CSCwb94312 | Unable to apply SSH settings to ASA version 9.16 or later |
| CSCwb97251 | ASA/FTD may traceback and reload in Thread Name 'ssh' |
| CSCwc02488 | ASA/FTD may traceback and reload in Thread Name 'None' |
| CSCwc03069 | Interface internal data0/0 is up/up from cli but up/down from SNMP polling |
| CSCwc09414 | ASA/FTD may traceback and reload in Thread Name 'ci/console' |
| CSCwc10483 | ASA/FTD - Traceback in Thread Name: appAgent_subscribe_nd_thread |
| CSCwc10792 | ASA/FTD IPSEC debugs missing reason for change of peer address and timer delete |
| CSCwc11597 | ASA tracebacks after SFR was upgraded to 6.7.0.3 |
| CSCwc11663 | ASA traceback and reload when modifying DNS inspection policy via CSM or CLI |
| CSCwc13017 | FTD/ASA traceback and reload at at ../inspect/proxy.h:439 |
| CSCwc13994 | ASA - Restore not remove the new configuration for an interface setup after backup |
| CSCwc18312 | "show nat pool cluster" commands run within EEM scripts lead to traceback and reload |
| CSCwc23356 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-20-7695' |
| CSCwc23695 | ASA/FTD can not parse UPN from SAN field of user's certificate |
| CSCwc24422 | AC SSLVPN with Certificate Authentication and DAP failure if client's machine cert has empty subject |
| CSCwc24906 | ASA/FTD traceback and reload on Thread id: 1637 |
| CSCwc28532 | 9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
| CSCwc28928 | ASA: SLA debugs not showing up on VTY sessions |
| CSCwc32246 | NAT64 translates all IPv6 Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used |

Resolved Bugs in Version 9.18(1)

The following table lists select resolved bugs at the time of this Release Note publication.

| Identifier | Headline |
| --- | --- |
| CSCvw56551 | ASA displays cosmetic NAT warning message when making the interface config changes |
| CSCvw62288 | ASA: 256 byte block depletion when syslog rate is high |
| CSCvx97053 | Unable to configure ipv6 address/prefix to same interface and network in different context |
| CSCvy04430 | Management Sessions fail to connect after several weeks |
| CSCvy40401 | L2L VPN session bringup fails when using NULL encryption in ipsec configuration |
| CSCvz03524 | PKI "OCSP revocation check" failing due to sha256 request instead of sha1 |
| CSCvz05541 | ASA55XX: Expansion module interfaces not coming up after a software upgrade |
| CSCvz44645 | FTD may traceback and reload in Thread Name 'lina' |
| CSCvz60578 | Cluster unit in MASTER_POST_CONFIG state should transition to Disabled state after an interva |
| CSCvz68336 | SSL decryption not working due to single connection on multiple in-line pairs |
| CSCvz69729 | Unstable client processes may cause LINA zmqio traceback on FTD |
| CSCvz70688 | default-information originate is configured first then Stub command is not allowed for config |
| CSCvz70958 | High Control Plane CPU on StandBy due to dhcpp_add_ipl_stby |
| CSCvz72771 | ASA/FTD may traceback and reload. "c_assert_cond_terminate" in stack trace |
| CSCvz76746 | While implementing management tunnel a user can use open connect to bypass anyconnect. |
| CSCvz76966 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS DoS |
| CSCvz81888 | NTP will not change to *(synced) status after upgrade to asa-9.15.1/9.16.1.28 from asa-9.14.3 |
| CSCvz86256 | Primary ASA should send GARP as soon as split-brain is detected and peer becomes cold standby |
| CSCvz88149 | Lina traceback and reload during block free causing FTD boot loop |
| CSCvz89126 | ASDM session/quota count mismatch in ASA when multiple context switchover is done from ASDM |
| CSCvz89327 | OSPFv2 flow missing cluster centralized "c" flag |
| CSCvz90375 | Low available DMA memory on ASA 9.14 at boot reduces AnyConnect sessions supported |
| CSCvz91218 | Statelink hello messages dropped on Standby unit due to interface ring drops on high rate traffic |
| CSCvz92016 | Cisco ASA and FTD Software Web Services Interface Privilege Escalation Vulnerability |
| CSCvz92932 | ASA show tech execution causing spike on CPU and impacting to IKEv2 sessions |
| CSCvz94153 | NTP sync on IPV6 will fail if the IPV4 address is not configured |
| CSCvz95108 | FTD Deployment failure post upgrade due to major version change on device |
| CSCvz95949 | FP1120 9.14.3 : temporary split brain happened after active device reboot |
| CSCvz99222 | Clear and show conn for inline-set is not working |
| CSCwa02929 | FTD Blocks Traffic with SSL Flow Error CORRUPT_MESSAGE |
| CSCwa03341 | Standby's sub interface mac doesn't revert to old mac with no mac-address command |
| CSCwa08262 | AnyConnect users with mapped group-policies take attributes from default GP under the tunnel-group |
| CSCwa11052 | SNMP Stopped Responding After Upgrading to Version- 9.14(2)15 |
| CSCwa13873 | ASA Failover Split Brain caused by delay on state transition after "failover active" command run |
| CSCwa14485 | Cisco Firepower Threat Defense Software Denial of Service Vulnerability |
| CSCwa14725 | ASA/FTD traceback and reload on IKE Daemon Thread |
| CSCwa15185 | ASA/FTD: remove unwanted process call from LUA |
| CSCwa18858 | ASA drops non DNS traffic with reason "label length 164 bytes exceeds protocol limit of 63 bytes" |
| CSCwa18889 | Clock drift observed between Lina and FXOS on multi-instance |
| CSCwa19443 | Flow Offload - Compare state values remains in error state for longer periods |
| CSCwa19713 | Traffic dropped by ASA configured with BVI interfaces due to asp drop type "no-adjacency" |
| CSCwa28822 | FTD moving UI management from FDM to FMC causes traffic to fail |
| CSCwa28895 | FTD SSL Decryption Traffic Latency \| SSL Proxy to allow configurable/dynamic maximum TCP window size |
| CSCwa30114 | "Error:NAT unable to reserve ports" when using a range of ports in an object service |
| CSCwa33898 | Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability |
| CSCwa34287 | ASA: Loss of NTP sync following a reload after upgrade |
| CSCwa35200 | Some syslogs for AnyConnect SSL are generated in admin context instead of user context |
| CSCwa36672 | ASA on FPR4100 traceback and reload when running captures using ASDM |
| CSCwa36678 | Random FTD reloads with the traceback during deployment from FMC |
| CSCwa38277 | ASA NAT66 with big range as a pool don't works with IPv6 |
| CSCwa40719 | Traceback: Secondary firewall reloading in Threadname: fover_parse |
| CSCwa41834 | ASA/FTD traceback and reload due to pix_startup_thread |
| CSCwa42594 | ASA: IP Header check validation failure when GTP Header have SEQ and EXT field |
| CSCwa49480 | SNMP OID , stop working after around one hour and a half - FTD |
| CSCwa53489 | Lina Traceback and Reload Due to invalid memory access while accessing Hash Table |
| CSCwa54045 | Memory leaks in SAML native browser processing |
| CSCwa55562 | Different CG-NAT port-block allocated for same source IP causing per-host PAT port block exhaustion |
| CSCwa55878 | FTD Service Module Failure: False alarm of "ND may have gone down" |
| CSCwa56449 | ASA traceback in HTTP cli EXEC code |
| CSCwa56975 | DHCP Offer not seen on control plane |
| CSCwa57115 | New access-list are not taking effect after removing non-existance ACL with objects. |
| CSCwa58686 | ASA/FTD Change in OGS compilation behavior causing boot loop |
| CSCwa61218 | Polling OID "1.3.6.1.4.1.9.9.171.1.3.2.1.2" gives negative index value of the associated tunnel |
| CSCwa65389 | ASA traceback and reload in Unicorn Admin Handler when change interface configuration via ASDM |
| CSCwa67882 | Offloaded GRE tunnels may be silently un-offloaded and punted back to CPU |
| CSCwa68660 | FTP inspection stops working properly after upgrading the ASA to 9.12.4.x |
| CSCwa73172 | ASA reload and traceback in Thread Name: PIX Garbage Collector |
| CSCwa74900 | Traceback and reload after enabling debug webvpn cifs 255 |
| CSCwa75966 | ASA: Reload and Traceback in Thread Name: Unicorn Proxy Thread with Page fault: Address not mapped |
| CSCwa77073 | SNMP is responding to snmpgetbulk with unexpected order of results |
| CSCwa79494 | Traffic keep failing on Hub when IPSec tunnel from Spoke flaps |
| CSCwa79980 | SNMP get command in FPR does not show interface index. |
| CSCwa85043 | Traceback: ASA/FTD may traceback and reload in Thread Name 'Logger' |
| CSCwa85138 | Multiple issues with transactional commit diagnostics |
| CSCwa87315 | ASA/FTD may traceback and reload in Thread Name 'IP Address Assign' |
| CSCwa89243 | SNMP no longer responds to polls after upgrade to 9.15.1.17 |
| CSCwa91090 | SSL handshake logging showing unknown session during AnyConnect TLSv1.2 Session establishment |
| CSCwa94894 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-4-9608' |
| CSCwa96759 | Lina may traceback and reload on tcpmod_proxy_handle_mixed_mode |
| CSCwa97784 | ASA: Jumbo sized packets are not fragmented over the L2TP tunnel |
| CSCwa98684 | Console has an excessive rate of warnings during policy deployment |
| CSCwb00595 | Mempool_DMA allocation issue / memory leakage |
| CSCwb01700 | ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA |
| CSCwb01919 | FP2140 ASA 9.16.2 HA units traceback and reload at lua_getinfo (getfuncname) |
| CSCwb08644 | Crash at IKEv2 from Scaled S2S+AC-DTLS+SNMP long duration test |
| CSCwb11939 | ASA/FTD MAC modification is seen in handling fragmented packets with INSPECT on |
| CSCwb16920 | CPU profile cannot be reactivated even if previously active memory tracking is disabled |
| CSCwb18252 | FTD/ASA: Traceback on BFD function causing unexpected reboot |
| CSCwb25809 | Single Pass - Traceback due to stale ifc |
| CSCwb54791 | ASA DHCP server fails to bind reserved address to Linux devices |
| CSCwb69503 | ASA unable to configure aes128-gcm@openssh.com when FIPS enabled |
| CSCwb80862 | ASA/FTD proxy arps any traffic when using the built-in 'any' object in translated destination |
| CSCwb85633 | Snmpwalk output of memory does not match show memory/show memory detail |