Release Notes for the Cisco Secure Firewall ASA Series, 9.19(x)
This document contains release information for ASA software Version 9.19(x).
Important Notes
-
No support in ASA 9.19(1) and later for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300—ASA 9.18(x) is the last supported version.
System Requirements
ASDM requires a computer with a CPU with at least 4 cores. Fewer cores can result in high memory usage.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco Secure Firewall ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
 Note |
New, changed, and deprecated syslog messages are listed in the syslog message guide. |
New Features in ASA 9.19(1)
Released: November 29, 2022
|
Feature |
Description |
|---|---|
|
Platform Features |
|
|
Secure Firewall 3105 |
We introduced the ASA for the Secure Firewall 3105. |
|
ASA virtual Auto Scale solution with Azure Gateway Load Balancer |
You can now deploy the ASA virtual Auto Scale Solution with Gateway Load Balancer on Microsoft Azure. See the Interfaces features for more information. |
|
Firewall Features |
|
|
Network service groups support |
You can now define a maximum of 1024 network service groups. |
|
High Availability and Scalability Features |
|
|
Removal of biased language |
Commands, command output, and syslog messages that contained the terms "Master" and "Slave" have been changed to "Control" and "Data." New/Modified commands: cluster control-node , enable as-data-node , prompt , show cluster history , show cluster info |
|
ASA virtual Amazon Web Services (AWS) clustering |
The ASA virtual supports Individual interface clustering for up to 16 nodes on AWS. You can use clustering with or without the AWS Gateway Load Balancer. |
|
Routing Features |
|
|
BGP graceful restart support for IPv6 |
We added BGP graceful restart support for IPv6 address family. New/Modified commands: Existing command, extended to support for IPv6 family:ha-mode graceful-restart |
|
Interface Features |
|
|
ASA virtual support for IPv6 |
ASAv to support IPv6 network protocol on Private and Public Cloud platforms. Users can now:
|
|
Paired proxy VXLAN for the ASA virtual for the Azure Gateway Load Balancer |
You can configure a paired proxy mode VXLAN interface for the ASA virtual in Azure for use with the Azure Gateway Load Balancer (GWLB). The ASA virtual defines an external interface and an internal interface on a single NIC by utilizing VXLAN segments in a paired proxy. New/Modified commands: external-port, external-segment-id, internal-port, internal-segment-id, proxy paired |
|
Default Forward Error Correction (FEC) on Secure Firewall 3100 fixed ports changed to cl108-rs from cl74-fc for 25 GB+ SR, CSR, and LR transceivers |
When you set the FEC to Auto on the Secure Firewall 3100 fixed ports, the default type is now set to cl108-rs instead of cl74-fc for 25 GB SR, CSR, and LR transceivers. New/Modified commands: fec |
|
License Features |
|
|
ASA virtual permanent license reservation support for the ASAv5 on KVM and VMware |
A new command is available that you can execute to override the default PLR license entitlement and request the Cisco Smart Software Manager (SSM) to issue an ASAv5 PLR license when you are deploying ASAv with 2GB RAM on KVM and VMware. You can modify the same command by adding the <no> form to revert the license entitlement from ASAv5 to the default PLR license in correspondence to the RAM configuration. |
|
Administrative, Monitoring, and Troubleshooting Features |
|
|
CiscoSSH stack now default |
The Cisco SSH stack is now used by default. New/Modified commands: ssh stack ciscossh |
|
VPN Features |
|
|
VTI loopback interface support |
You can now set a loopback interface as the source interface for a VTI. Support has also been added to inherit the IP address from a loopback interface instead of a statically configured IP address. The loopback interface helps to overcome path failures. If an interface goes down, you can access all interfaces through the IP address assigned to the loopback interface. New/Modified commands: tunnel source interface , ip unnumbered , ipv6 unnumbered |
|
Dynamic Virtual Tunnel Interface (dynamic VTI) support |
The ASA is enhanced with dynamic VTI. A single dynamic VTI can replace several static VTI configurations on the hub. You can add new spokes to a hub without changing the hub configuration. Dynamic VTI supports dynamic (DHCP) spokes. New/Modified commands: interface virtual-Template, ip unnumbered, ipv6 unnumbered, tunnel protection ipsec policy. |
|
VTI support for EIGRP and OSPF |
EIGRP and OSPFv2/v3 routing is now supported on the Virtual Tunnel Interface. You can now use these routing protocol to share routing information and to route traffic flow through VTI-based VPN tunnel between peers |
|
TLS 1.3 in Remote Access VPN |
You can now use TLS 1.3 to encrypt remote access VPN connections. TLS 1.3 adds support for the following ciphers:
This feature requires Cisco Secure Client, Version 5.0.01242 and above. New/Modified commands: sslserver-version, sslclient-version. |
|
Dual Stack support for IKEv2 third-party clients |
Secure Firewall ASA now supports dual stack IP request from IKEv2 third-party remote access VPN clients. If the third-party remote access VPN client requests for both IPv4 and IPv6 addresses, ASA can now assign both IP version addresses using multiple traffic selectors. This feature enables third-party remote access VPN clients to send IPv4 and IPv6 data traffic using the single IPsec tunnel. New/Modified commands: show crypto ikev2 sa, show crypto ipsec sa, show vpn-sessiondb ra-ikev2-ipsec. |
|
Traffic selector for static VTI interface |
You can now assign a traffic selector for a static VTI interface. New/Modified commands: tunnel protection ipsec policy. |
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
-
ASDM: Choose .
-
CLI: Use the show version command.
This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
Note |
Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage. |
Note |
For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories. |
Note |
9.18 was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300. ASA 9.16 was the final version for the ASA 5506-X, 5508-X, and 5516-X. ASA 9.14 was the final version for the ASA 5525-X, 5545-X, and 5555-X. ASA 9.12 was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2 was the final version for the ASA 5505. ASA 9.1 was the final version for the ASA 5510, 5520, 5540, 5550, and 5580. |
|
Current Version |
Interim Upgrade Version |
Target Version |
|---|---|---|
|
9.18 |
— |
Any of the following: → 9.19 |
|
9.17 |
— |
Any of the following: → 9.19 → 9.18 |
|
9.16 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 |
|
9.15 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 |
|
9.14 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 |
|
9.13 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 |
|
9.12 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 |
|
9.10 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.9 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.8 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.7 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.6 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.5 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.4 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.3 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.2 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) |
— |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
9.1(1) |
→ 9.1(2) |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
9.0(2), 9.0(3), or 9.0(4) |
— |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.6 → 9.1(7.4) |
|
9.0(1) |
→ 9.0(4) |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
8.6(1) |
→ 9.0(4) |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
8.5(1) |
→ 9.0(4) |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
|
8.4(5+) |
— |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) → 9.0(4) |
|
8.4(1) through 8.4(4) |
→ 9.0(4) |
→ 9.12 → 9.8 → 9.1(7.4) |
|
8.3 |
→ 9.0(4) |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
|
8.2 and earlier |
→ 9.0(4) |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.19(x)
The following table lists select open bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
AWS C5N-4Xlarge 10g interface just have 4 RX Queues with GENEVE and jumbo frame enabled |
Resolved Bugs in Version 9.19(1)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
RTC unstable clock register read causes "watchdog: BUG: soft lockup - CPU#0 stuck" error on console |
|
|
Update FXOS troubleshooting documentation to provide details on isolating potential SSD HW failures |
|
|
High System Overhead memory on FTD |
|
|
M500IT Model Solid State Drives on 4100/9300 may go unresponsive after 3.2 Years in service |
|
|
Shutdown command reboots instead of shutting the FP1k device down. |
|
|
In some cases transition to lightweight proxy doesn't work for Do Not Decrypt flows |
|
|
Management interface flaps every 13mins post upgrade from 9.12 to 9.14.2.15 |
|
|
PLR license reservation for ASAv5 is requesting ASAv10 |
|
|
Unstable client processes may cause LINA zmqio traceback on FTD |
|
|
9.17/Rare 256 block leak/exhaustion, 1550 block overallocation |
|
|
App-instance startup version is ignored and set to running-version after copy config |
|
|
failover is getting failed in secondary FTD when the loopback interface is configured |
|
|
Big number of repetitive messages in snmpd.log leading to huge log size |
|
|
ASA/FTD traceback and reload on netsnmp_handler_check_cache function |
|
|
Uploading firmware triggers data port-channel to flap |
|
|
FPR 4100 saw an unexpected reload with reason "Reset triggered due to HA policy of Reset" |
|
|
ASA running on SSP platform generate critical error "[FSM:FAILED]: sam:dme:MgmtIfSwMgmtOobIfConfig" |
|
|
Tune throttling flow control on syslog-ng destinations |
|
|
Adding more logs to watchdog infra |
|
|
ASA Failover does not detect context mismatch before declaring joining node as "Standby ready" |
|
|
Multi-instance internal portchannel VLANs may be misprogrammed causing traffic loss |
|
|
FTD/FXOS - ASAconsole.log files fail to rotate causing excessive disk space used in /ngfw |
|
|
ASA/FTD may traceback and reload in process Lina |
|
|
Chassis and application sets the time to Jan 1, 2010 after reboot |
|
|
ASA/FTD stuck after crash and reboot |
|
|
ENH: Reduce latency in log_handler_file to reduce watchdog under scale or stress |
|
|
FXOS misses logs to diagnose root cause of module show-tech file generation failure |
|
|
FXOS should check reference clock stratum instead of NTP server local clock stratum |
|
|
ASA/FTD datapath threads may run into deadlock and generate traceback |
|
|
ASA/FTD: DF bit is being set on packets routed into VTI |
|
|
Cisco ASA Software and FTD Software SNMP Denial of Service Vulnerability |
|
|
crontab -e unable to find editor |
|
|
Portmanager/LACP improvement to avoid false restarts and increase of logging events |
|
|
Single Pass - Traceback due to stale ifc |
|
|
FXOS: Third-party interop between Ciena Waveserver with firepower chassis. |
|
|
FTD HA deployment fails with error "Deployment failed due to major version change on device" |
|
|
When inbound packet contains SGT header, FPR2100 cannot distribute properly per 5 tuple |
|
|
ENH: FCM should include option for modifying the interface 'link debounce time' |
|
|
FXOS upgrade to 2.11 is stuck |
|
|
FTD upgrade fails - not enough disk space from old FXOS bundles in distributables partition |
|
|
Configuring pbr access-list with line number failed. |
|
|
The smConLogger traceback is caused by memory leak. |
|
|
CVE-2022-28199: Evaluation for FTDv and ASAv |
|
|
Unable to login to FTD using external authentication after upgrade |
|
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS |
|
|
ASAv - 9344 Block not created automatically after enabling JumboFrames, breaks OSPF MD5 |
|
|
MIO: No blade reboot during CATERR if fault severity is non-Severe or CATERR sensor is different |
|
|
/var/tmp partition fullness warning on FXOS |
|
|
Cisco FXOS and NX-OS Software CDP DoS and Arbitrary Code Execution Vulnerability |
|
|
ASA/FTD firewall may traceback and reload when tearing down IKE tunnels |
|
|
ASA/FTD traceback and reload due to the initiated capture from FMC |
|
|
FXOS:after fxos config import new port-channel creation causing existing port-channel flap |
|
|
ASA: Multiple Context Mixed Mode SFR Redirection Validation |
|
|
FPR1010 - No ARP on switchport VLAN interface after portmanager DIED event |
|
|
Cisco FTD Software and Cisco FXOS Software Command Injection Vulnerability |
|
|
The interface's LED remains green blinking when the optical fiber is unplugged on FPR1150 |
|
|
FTDv Cluster unit not re-joining cluster with error msg "Failed to open NLP SSL listening socket" |
|
|
Control-Plane ACL Non-Functional After Upgrade to 9.18(1) or 7.2.0-82 Firepower |
|
|
FTD/ASA traceback and reload at at ../inspect/proxy.h:439 |
|
|
Observing Crash in QP(multicontext)-99.18(28)9 while HA sync after upgrading and reloading. |
|
|
ASA Traceback and Reload on process name Lina |
|
|
ASA process with cleartext token when not able to encrypt it |
|
|
SNMP: FMC doesn't reply to OID 1.3.6.1.2.1.25.3.3.1.2 |
|
|
Cisco FXOS Software Command Injection Vulnerability |
|
|
Lina Netflow sending permited events to Stealthwatch but they are block by snort afterwards |
|
|
FTD - Traceback and reload when performing IPv4 <> IPv6 NAT translations |
|
|
Inbound IPSEC SA stuck inactive - many inbound SPIs for one outbound SPI in "show crypto ipsec sa" |
|
|
FTD - Traceback and reload on NAT IPv4<>IPv6 for UDP flow redirected over CCL link |
|
|
MPLS tagging removed by FTD |
|
|
Unable to configure domain\username under cfg-export-policy in FXOS |
|
|
ASA HA failover triggers HTTP server restart failure and ASDM outage |
|
|
FTD/ASA "Write Standby" enables ECDSA ciphers causing AC SSLv3 handshake failure |
|
|
DOC:The default keying is only used by FCM on FXOS. |
|
|
FPR1120-ASA:Primary takes active role after reloading |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-0-4948' |
|
|
CGroups errors in ASA syslog after startup |
|
|
"inspect snmp" config difference between active and standby |
|
|
ASA traceback and reload due to null pointer in Umbrella after modifying DNS inspection policy |
|
|
ASA 9.12(4)47 with user-statistics, will affects the "policy-server xxxx global" visibility. |
|
|
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability |
|
|
ISA3000 LACP channel member SFP port suspended after reload |
|
|
ifAdminStatus output is abnormal via snmp polling |
|
|
FTD Traceback and reload |
|
|
FTD traceback on Lina due to syslog component. |
|
|
ASA: Unable to connect AnyConnect Cert based Auth with "periodic-authentication certificate" enabled |
|
|
Management access over VPN not working when custom NAT is configured |
|
|
Serviceability Enhancement - Unable to parse payload are silently drop by ASA/FTD |
|
|
Unable to get polling results using snmp GET for connection rate OID’s |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco Secure Firewall ASA Series Documentation.
Feedback