Release Notes for the Cisco Secure Firewall ASA, 9.20(x)
This document contains release information for ASA software version 9.20(x).
 Note |
9.20(1) is only supported on the Secure Firewall 4200. Later releases are supported on the other models. |
Important Notes
-
ASA 9.20(2) supports all current models.
-
OSPF redistribute commands that specify a route-map that matches a prefix-list will be removed in 9.20(2)—When you upgrade to 9.20(2), OSPF redistribute commands where the specified route-map uses a match ip address prefix-list will be removed from the configuration. Although prefix lists have never been supported, the parser still accepted the command. Before upgrading, you should reconfigure OSPF to use route maps that specify an ACL in the match ip address command.
-
ASA version 9.20(1) only supports the Secure Firewall 4200—ASDM 7.20(1) supports the Secure Firewall 4200 on 9.20(1), but is also backwards-compatible with earlier releases on other platforms.
System Requirements
ASDM requires a computer with a CPU with at least 4 cores. Fewer cores can result in high memory usage.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco Secure Firewall ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note |
New, changed, and deprecated syslog messages are listed in the syslog message guide. |
New Features in ASA 9.20(2)
Released: December 13, 2023
|
Feature |
Description |
|---|---|
|
Platform Features |
|
|
100GB network module support for the Secure Firewall 3100 |
You can now use the 100GB network module for the Secure Firewall 3100. This module is also supported for the Secure Firewall 4200. |
|
Increased connection limits for the Secure Firewall 4200 |
Connection limits have been increased:
|
|
ASAv on OCI: Additional instances |
ASA Virtual instances on OCI now supports additional shapes to achieve the highest performance and throughput level. |
|
High Availability and Scalability Features |
|
|
ASAv on Azure: Clustering with Gateway Load Balancing |
We now support the ASA virtual clustering deployment on Azure
using the Azure Resource Manager (ARM) template and then configure
the ASAv clusters to use the Gateway Load Balancer (GWLB) for load balancing the network traffic.
New/Modified commands: |
|
ASAv on AWS: Resiliency for clustering with Gateway Load Balancing |
You can configure the Target Failover option in the Target Groups service of AWS, which helps GWLB to forward existing flows to a healthy target in the event of virtual instance failover. In the ASAv clustering, each instance is associated with a Target Group, where the Target Failover option is enabled. It helps GWLB to identify an unhealthy target and redirect or forward the network traffic to a healthy instance identified or registered as a target node in the target group. |
|
Configurable delay to rejoin cluster after chassis heartbeat failure (Firepower 4100/9300) |
By default, if the chassis heartbeat fails and then recovers, the node rejoins the cluster immediately. However, if you configure the health-check chassis-heartbeat-delay-rejoin command, it will rejoin according to the settings of the health-check system auto-rejoin command. New/Modified commands: health-check chassis-heartbeat-delay-rejoin |
|
show failover statistics includes client statistics |
The failover client packet statistics are now enhanced to improve debuggability. The show failover statistics command is enhanced to display np-clients (data-path clients) and cp-clients (control-plane clients) information. Modified commands: show failover statistics cp-clients , show failover statistics np-clients Also in 9.18(4). |
|
show failover statistics events includes new events |
The show failover statistics events command is now enhanced to identify the local failures notified by the App agent: failover link uptime, supervisor heartbeat failures, and disk full issues. Modified commands: show failover statistics events Also in 9.18(4). |
New Features in ASA 9.20(1)
Released: September 7, 2023
Note |
This release is only supported on the Secure Firewall 4200. |
|
Feature |
Description |
|---|---|
|
Platform Features |
|
|
Secure Firewall 4200 |
We introduced the ASA for the Secure Firewall 4215, 4225, and 4245. The Secure Firewall 4200 supports up to 8 units for Spanned EtherChannel clustering. You can hot swap a network module of the same type while the firewall is powered up without having to reboot; making other module changes requires a reboot. Secure Firewall 4200 25 Gbps and higher interfaces support Forward Error Correction as well as speed detection based on the SFP installed. The SSDs are self-encrypting drives (SEDs), and if you have 2 SSDs, they form a software RAID. There are two Management interfaces. |
|
Firewall Features |
|
|
ASP rule engine compilation offloaded to the data plane. |
By default, ASP rule engine compilation is offloaded to the data plane (instead of the control plane) when any rule-based policy (for example, ACL, NAT, VPN) has more than 100 rule updates. The offload leaves more time for the control plane to perform other tasks. We added or modified the following commands: asp rule-engine compile-offload , show asp rule-engine . |
|
Data plane quick reload |
When data plane needs to be restarted, instead of a reboot of the device, you can now reload the data plane process. When data plane quick reload is enabled, it restarts the data plane and other processes. New/Modified commands:data-plane quick-reload , show data-plane quick-reload status . |
|
High Availability and Scalability Features |
|
|
Reduced false failovers for ASA high availability |
We now introduced an additional heartbeat module in the data plane of the ASA high availability. This heartbeat module helps to avoid false failovers or split-brain scenarios that can happen due to traffic congestion in the control plain or CPU overload. Also in 9.18(4). |
|
Configurable cluster keepalive interval for flow status |
The flow owner sends keepalives (clu_keepalive messages) and updates (clu_update messages) to the director and backup owner to refresh the flow state. You can now set the keepalive interval. The default is 15 seconds, and you can set the interval between 15 and 55 seconds. You may want to set the interval to be longer to reduce the amount of traffic on the cluster control link. New/Modified commands: clu-keepalive-interval |
|
Routing Features |
|
|
EIGRPv6 |
You can now configure EIGRP for IPv6 and manage them separately. You must explicitly enable IPv6 when configuring EIGRP on each interface. New/Modified commands: Following are the new commands introduced: ipv6 eigrp , ipv6 hello-interval eigrp , ipv6 hold-time eigrp , ipv6 split-horizon eigrp , show ipv6 eigrp interface , show ipv6 eigrp traffic , show ipv6 eigrp neighbors , show ipv6 eigrp interface , ipv6 summary-address eigrp , show ipv6 eigrp topology , show ipv6 eigrp events , show ipv6 eigrp timers , clear ipv6 eigrp , and clear ipv6 router eigrp Following commands are modified to support IPv6: default-metric , distribute-list prefix-list , passive-interface , eigrp log-neighbor-warnings , eigrp log-neighbor-changes , eigrp router-id , and eigrp stub |
|
Interface Features |
|
|
VXLAN VTEP IPv6 support |
You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the ASA virtual cluster control link or for Geneve encapsulation. New/Modified commands: default-mcast-group , mcast-group , peer ip |
|
Loopback interface support for DNS, HTTP, ICMP, and IPsec Flow Offload |
You can now add a loopback interface and use it for:
|
|
License Features |
|
|
IPv6 for Cloud services such as Smart Licensing and Smart Call Home |
ASA now supports IPv6 for Cloud services such as Smart Licensing and Smart Call Home. |
|
Certificate Features |
|
|
IPv6 PKI for OCSP and CRL |
ASA now supports both IPv4 and IPv6 OCSP and CRL URLs. When using IPv6 in the URLs, it must be enclosed with square brackets.
New/Modified commands:crypto ca trustpointcrl , cdp url , ocsp url |
|
Administrative, Monitoring, and Troubleshooting Features |
|
|
Rate limiting for SNMP syslogs |
If you do not set system-wide rate limiting, you can now configure rate limiting separately for syslogs sent to an SNMP server. New/Modified commands: logging history rate-limit |
|
Packet Capture for switches |
You can now configure to capture egress and ingress traffic packets for a switch. This option is applicable only for Secure Firewall 4200 model devices. New/Modified commands:
capture capture_name switch interface interface_name [ direction { both | egress | ingress } ] |
|
VPN Features |
|
|
Crypto debugging enhancements |
Following are the enhancements for crypto debugging:
New/Modified commands:
|
|
Multiple Key Exchanges for IKEv2 |
ASA supports multiple key exchanges in IKEv2 to secure the IPsec communication from quantum computer attacks. New/Modified commands: additional-key-exchange |
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
-
ASDM: Choose .
-
CLI: Use the show version command.
This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
Note |
Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage. |
Note |
For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories. |
Note |
9.18 was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300. ASA 9.16 was the final version for the ASA 5506-X, 5508-X, and 5516-X. ASA 9.14 was the final version for the ASA 5525-X, 5545-X, and 5555-X. ASA 9.12 was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2 was the final version for the ASA 5505. ASA 9.1 was the final version for the ASA 5510, 5520, 5540, 5550, and 5580. |
|
Current Version |
Interim Upgrade Version |
Target Version |
|---|---|---|
|
9.19 |
— |
Any of the following: → 9.20 |
|
9.18 |
— |
Any of the following: → 9.20 → 9.19 |
|
9.17 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 |
|
9.16 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 |
|
9.15 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 |
|
9.14 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 |
|
9.13 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 |
|
9.12 |
— |
Any of the following: → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 |
|
9.10 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.9 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.8 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.7 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.6 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.5 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.4 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.3 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.2 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 → 9.8 |
|
9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) |
— |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
9.1(1) |
→ 9.1(2) |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
9.0(2), 9.0(3), or 9.0(4) |
— |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.6 → 9.1(7.4) |
|
9.0(1) |
→ 9.0(4) |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
8.6(1) |
→ 9.0(4) |
Any of the following: → 9.14 → 9.12 → 9.8 → 9.1(7.4) |
|
8.5(1) |
→ 9.0(4) |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
|
8.4(5+) |
— |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) → 9.0(4) |
|
8.4(1) through 8.4(4) |
→ 9.0(4) |
→ 9.12 → 9.8 → 9.1(7.4) |
|
8.3 |
→ 9.0(4) |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
|
8.2 and earlier |
→ 9.0(4) |
Any of the following: → 9.12 → 9.8 → 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.20(x)
There are no open bugs at the time of this Release Note publication.
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 9.20(2)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
ASA concatenates syslog event to other syslog event while sending to the syslog server |
|
|
Lack of throttling of ARP miss indications to CP leads to oversubscription |
|
|
SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
|
|
ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low |
|
|
MFIB RPF failed counter instead of Other drops increments when outgoing interface list is Null |
|
|
ASA/FTD may traceback and reload during ACL changes linked to PBR config |
|
|
25G CU SFPs not working in Brentwood 8x25G netmod |
|
|
ASA/FTD: Command "no snmp-server enable oid mempool" enabled by default or enforced during upgrades |
|
|
multimode-tmatch_df_hijack_walk traceback observed during shut/unshut on FO connected switch interfa |
|
|
FPR 4115- primary unit lost all HA config after ftd HA upgrade |
|
|
Gateway is not reachable from standby unit in admin and user context with shared mgmt intf |
|
|
Deleting a BVI in FTD interfaces is causing packet drops in other BVIs |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-1-1656 |
|
|
PortChannel sub-interfaces configured as data/data-sharing, in multi-instance HA go into "waiting" |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Lina core created during high traffic testing |
|
|
KP - multimode: ASA traceback observed during HA node break and rejoin. |
|
|
ASA: "Ping <ifc_name> x.x.x.x" is not working as expected starting 9.18.x |
|
|
FTD running on FP1000 series might drop packets on TLS flows after the "Client Hello" message. |
|
|
FTDv: Traffic failure in VMware Deployments due to dpdk pool exhuastion and rx_buff_alloc_failure |
|
|
Very specific "vpn-idle-timeout" values cause continuous SSL session disconnects and reconnects |
|
|
ASAv in Hyper-V drops packets on management interface |
|
|
HA Serviceability Enh: Maintain HA NLP client stats and HA CTL NLP counters for current App-sync |
|
|
ASDM replaces custom policy-map with default map on class inspect options at backup restore. |
|
|
FP2130- Unable to disassociate member from port channel, deployment fails, member is lost on FTD/FMC |
|
|
KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall |
|
|
Traffic may be impacted if TLS Server Identity probe timeout is too long |
|
|
access-list: Cannot mix different types of access lists. |
|
|
ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk |
|
|
ASA/FTD client IP missing from TACACS+ request in SSH authentication |
|
|
Improper load-balancing for traffic on ERSPAN interfaces on FPR 3100/4200 |
|
|
PSEQ (Power-Sequencer) firmware may not be upgraded with bundled FXOS upgrade |
|
|
ECMP + NAT for ipsec sessions support request for Firepower. |
|
|
Priority-queue command causes silent egress packet drops on all port-channel interfaces |
|
|
ASA/FTD: Traceback and reload when issuing 'show memory webvpn all objects' |
|
|
DNS cache entry exhaustion leads to traceback |
|
|
FXOS SNMP "property community of sys/svc-ext/snmp-svc is out of range" is unclear to users |
|
|
ASA SNMP polling not working and showing "Unable to honour this request now" on show commands |
|
|
Reduce time taken to clear stale IKEv2 SAs formed after Duplicate Detection |
|
|
ASA traceback and reload on Thread Name: DHCPRA Monitor |
|
|
vFTD runs out of memory and goes to failed state |
|
|
ASA Traceback & reload on process name lina due to memory header validation |
|
|
KP2140-HA, reloaded primary unit not able to detect the peer unit |
|
|
ASA generating traceback with thread-name: DATAPATH-53-18309 after upgrade to 9.16.4.19 |
|
|
"show route all summary" executed on transparent mode FTD is causing CLISH to become Sluggish. |
|
|
Failover: standby unit traceback and reload during modifying access-lists |
|
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
|
Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220 |
|
|
FP3110 7.2.4 Unexpected reboot of Firepower 3110 Device |
|
|
FTD: Traceback and reload during OSPF redistribution process execution |
|
|
FTD Lina engine may traceback, due to assertion, in datapath |
|
|
Add meaningful logs when the maximums system limit rules are hit |
|
|
Avoid both the devices in HA sends events to FMC |
|
|
FTD is dropping GRE traffic from WSA due to NAT failure |
|
|
Dumping of last 20 rmu request response packets failed |
|
|
ASA removes the IKEv2 Remote PSK if the Key String ends with a backslash "\" after reload |
|
|
ASA appliance mode - 'connect fxos [admin]' will get ERROR: failed to open connection. |
|
|
ASA: Checkheaps traceback and reload due to Clientless WebVPN |
|
|
FTD: Firepower 3100 Dynamic Flow Offload showing as Enabled |
|
|
Policy deployment fails when a route same prefix/metric is configured in a separate VRF. |
|
|
Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages |
|
|
WM RM - SFP port status of 9 follows port of state of SFP 10|11|12 |
|
|
switch ports in Trunk mode do not pass vlan traffic after power loss |
|
|
ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls |
|
|
ASA: Traceback and reload on Tread name "fover_FSM_thread" and ha_ntfy_prog_process_timer |
|
|
ECDSA Self-signed certificate using SHA384 for EC521 |
|
|
ASA|FTD: Traceback & reload due to a free buffer corruption |
|
|
FTD Lina traceback Thread Name: DATAPATH-3-11917 due to double free |
|
|
"failover standby config-lock" config is lost after both HA units are reloaded simultaneously |
|
|
OSPFv3 Traffic is Centralized in Transparent Mode |
|
|
FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment |
|
|
Radius authentication stopped working after ASAv on AWS upgrade to any higher version than 9.18.2 |
|
|
ASA Traceback & reload on process name lina due to memory header validation - webvpn side fix |
|
|
ASDM application randomly exits/terminates with an alert message on multi-context setup |
|
|
ASA/FTD HA checkheaps crash where memory buffers are corrupted |
|
|
ASA omits port in host field of HTTP header of OCSP request if non-default port begins with 80 |
|
|
Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2 |
|
|
ASA traceback on Lina process with FREEB and VPN functions |
|
|
FTDv/AWS - NTP clock offset between Lina and FTD cluster |
|
|
ASA/FTD: Traceback and reload due to NAT change and DVTI in use |
|
|
ASA/FTD may traceback and reload in Thread Name "RAND_DRBG_bytes" and CTM function on n5 platforms |
|
|
ASA/FTD may traceback and reload in when changing capture buffer size |
|
|
FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn |
|
|
Lina crash in snp_fp_tcp_normalizer() when DAQ/Snort sends malformed L3 header |
|
|
Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output |
|
|
Include "show env tech" in FXOS FPRM troubleshoot |
|
|
ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple |
|
|
741 - HA & AppAgent - Long term solution for avoiding momentary split-brain situations |
|
|
ASA unexpected HA failover due to MIO blade heartbeat failure |
|
|
ASA traceback when re-configuring access-list |
|
|
PAC Key file missing on standby on reload |
|
|
FTD VMWare: High disk utilization on /dev/sda8 partition caused by file system corruption |
|
|
Connections are not cleared after idle timeout when the interfaces are in inline mode. |
|
|
Specific OID 1.3.6.1.2.1.25 should not be responding |
|
|
ASA/FTD may traceback and reload in Thread Name 'ssh' when adding SNMPV3 config |
|
|
FTD - Traceback and reload due to nat rule removed by CPU core |
|
|
ASDM management-sessions quota reached due to HTTP sessions stuck in CLOSE_WAIT |
|
|
FTD responding to UDP500 packet with a Mac Address of 0000.000.000 |
|
|
ASA "pager line 25" command doesn't work as expected on few terminal applications |
|
|
FTD hosted on KP incorrectly dropping decoded ESP packets if pre-filter action is analyze |
|
|
ASA/FTD: NAT64 error "overlaps with inside standby interface address" for Standalone ASA |
|
|
FTD Block 9344 leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
|
2100: Interfaces missing from FTD after removing interfaces as members of a port-channel |
|
|
ASA allows same BGP Dynamic routing process for Physical Data and management-only interfaces |
|
|
FTD: Failover/High Availability disabled with Mate version 0.0 is not compatible |
|
|
"show aaa-server" command always shows the Average round trip time 0ms. |
|
|
ASA/FTD may traceback and reload while running show inventory all |
|
|
ASA:Management access via IPSec tunnel is NOT working |
|
|
The FMC is showing "The password encryption key has not been set" alert for a 11xx/21xx/31xx device |
|
|
ASA: Traceback and reload during 6 nodes cluster synchronization after CCL link failure/recovery |
|
|
ASA/FTD traceback and reload with IPSec VPN, possibly involving upgrade |
|
|
Source NAT Rule performing incorrect translation due to interface overload |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' while processing DAP data |
|
|
Fragmented UDP packet via MPLS tunnel reassemble fail |
|
|
Multicast through the box traffic causing high CPU with 1GBps traffic |
|
|
FTD SNMPv3 host configuration gets deleted from IPTABLES after adding host-group configuration |
|
|
ASDM can not see log timestamp after enable logging timestamp on cli |
|
|
Configuring and unconfiguring "match ip address test" may lead to crash |
|
|
Configuration to disable TLS1.3 |
|
|
ASA: Traceback and reload when restore configuration using CLI |
|
|
Timestamp entry missing for some syslog messages sent to syslog server |
|
|
Community string sent from router is not matching ASA |
|
|
spin lock and watch dog crash in kp 741-1146 - ctm_ipsec_get_sa_lock+112 |
|
|
Secondary lost failover communication on Inside, using IPv6, but next testing of Inside passes |
|
|
FXOS : Duplication of NTP entry results in Error message : Unreachable Or Invalid Ntp Server |
|
|
ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup |
|
|
File copy via SCP using ciscossh stack fails with error "no such file or directory" |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
CPOC: 4245 ASA Crashed with CPS test |
|
|
ASA dropping IPSEC traffic incorrectly when "ip verify reverse-path" is configured |
|
|
OSPF Redistribution route-map with prefix-list not working after upgrade |
Resolved Bugs in Version 9.20(1)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
FTD traceback in Thread Name cli_xml_server when deploying QoS policy |
|
|
FTD - Flow-Offload should be able to coexist with Rate-limiting Feature (QoS) |
|
|
ERROR: Deleted IDB found in in-use queue - message misleading |
|
|
Primary node disconnected from VPN-Cluster when performed HA failover on Primary with DNS lookup |
|
|
ASA/FTD Traceback and reload in Process Name: lina |
|
|
ASA: The timestamp for all logs generated by Admin context are the same |
|
|
cache and dump last 20 rmu request response packets in case failures/delays while reading registers |
|
|
FTD on FP2100 can take over as HA active unit during reboot process |
|
|
ASAv high CPU and stack memory allocation errors despite over 30% free memory |
|
|
FTPS getting ssl3_get_record:bad record type during connection for KK and DR rules |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' ip routing ndbshr |
|
|
ASA HA failover triggers HTTP server restart failure and ASDM outage |
|
|
FPR1000 ASA/FTD: Primary takes active role after reloading |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASAv "Unable to retrieve license info. Please try again later" |
|
|
FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters |
|
|
ASA using WebVPN tracebacks in Unicorn thread during memory tracking |
|
|
ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT |
|
|
ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off |
|
|
AnyConnect SAML using external browser and round robin DNS intermittently fails |
|
|
Failover trigger due to Inspection engine in other unit has failed due to disk failure |
|
|
ASA/FTD: Using Round Robin with PAT rules on two or more interfaces breaks IP stickiness |
|
|
GTP drops not always logged on buffer and syslog |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' following policy deployment |
|
|
FPR1K FTD fails to form HA due to reason "Other unit has different set of hwidb index" |
|
|
ASA/FTD may traceback with large number of network objects deployment using distribute-list |
|
|
EIGRPv6 - Crashed with "mem_lock: Assertion mem_refcount' failed" on LINA. |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
standby unit using both active and standby IPs causing duplicate IP issues due to nat "any" |
|
|
User with no vpn-filter may get additional access when per-user-override is set |
|
|
DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA |
|
|
Deploying objects with escaped values in the description might cause all future deployments to fail |
|
|
Blade remains online for more than 600 secs after deleting Native logical device on 92.14.0 |
|
|
FPR 2100: 10G interfaces with 1G SFP goes down post reload |
|
|
fxos log rotate failing to cycle files, resulting in large file sizes |
|
|
ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread |
|
|
ASA - traceback and reload when Webvpn Portal is used |
|
|
Not able to ping Virtual IP of FTDv cluster |
|
|
ASA restore is not applying vlan configuration |
|
|
Unable to get polling results using snmp GET for connection rate OID’s |
|
|
ASA/FTD: Object Group Search Syslog for flows exceeding threshold |
|
|
FTD PDTS LINA RX queue can become stuck when snort send messages with 4085-4096 bytes size |
|
|
AWS: SSL decryption failing with Geneve tunnel interface |
|
|
FP2100: FXOS side changes for HA is not resilient to unexpected lacp process termination issue |
|
|
Need corrections in log_handler_file watchdog crash fix |
|
|
"show tech-support" generation does not include "show inventory" when run on FTD |
|
|
FTD Lina traceback and reload in Thread Name 'IP Init Thread' |
|
|
Misleading drop reason in "show asp drop" |
|
|
Clientless Accessing Web Contents using application/octet-stream vs text/plain |
|
|
Recursive panic under lina_duart_write |
|
|
Inline-pair's state could not able to auto recover from hardware-bypass to standby mode. |
|
|
ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade |
|
|
ASA: Standby may get stuck in "Sync Config" status upon reboot when there is EEM is configured |
|
|
ASA Connections stuck in idle state when DCD is enabled |
|
|
Cisco ASA and FTD AnyConnect SSL/TLS VPN Denial of Service Vulnerability |
|
|
FPR2100: Increase in failover convergence time with ASA in Appliance mode |
|
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum with all 0 checksum |
|
|
AC clients fail to match DAP rules due to attribute value too large |
|
|
Packets through cascading contexts in ASA are dropped in gateway context after software upgrade |
|
|
FP4125 2.10.1.166 FTD applications in HA went into not responding state |
|
|
Lina changes to support - Snort3 traceback in daq-pdts while handling FQDN based traffic |
|
|
QEMU KVM console got stuck in "Booting the kernel" page |
|
|
Port-channel interfaces of secondary unit are in waiting status after reload |
|
|
ASA/FTD may traceback and reload in idfw fqdn hash lookup |
|
|
FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
|
Fix Bootup Warning: Counter ID 'TLS13_DOWNSTREAM_CLIENT_CERTIFICATE_VERIFY' is too long |
|
|
S2S Tunnels do not come up due to DH computation failure caused by DSID Leak |
|
|
FPR3110 Fans' SN in label are different from show inventory cli output |
|
|
System Crash on ICMPv6 Option Processing |
|
|
ASA configured with HA may traceback and reload with multiple input/output error messages |
|
|
FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q |
|
|
LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage |
|
|
Microsoft SCEP enrollment fails to get ASA identity cert - Unable to verify PKCS7 |
|
|
ASA/FTD may traceback and reload in Thread Name 'telnet/ci' |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Observing some devcmd failures and checkheaps traceback when flow offload is not used. |
|
|
AWS ASAv PAYG Licensing not working in GovCloud regions. |
|
|
Traceback and reload when webvpn users match DAP access-list with 36k elements |
|
|
ASA/FTD: Traceback and Reload on Netflow timer infra |
|
|
Cut-Through Proxy does not work with HTTPS traffic |
|
|
Enhance logging mechanism for syslogs |
|
|
ASA/FTD NAT Pool Cluster allocation and reservation discrepancy between units |
|
|
Stratix5950 and ISA3000 LACP channel member SFP port suspended after reload |
|
|
ASA/FTD failure due to heartbeat loss between chassis and blade |
|
|
ASA/FTD may traceback and reload in logging_cfg processing |
|
|
Clientless VPN users are unable to download large files through the WebVPN portal |
|
|
Anyconnect users unable to connect when ASA using different authentication and authorization server |
|
|
Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob |
|
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
|
Primary ASA traceback upon rebooting the secondary |
|
|
ASA/FTD traceback and reload, Thread Name: rtcli async executor process |
|
|
Link Up seen for a few seconds on FPR1010 during bootup |
|
|
FTD: Unable to configure WebVPN Keepout or Certificate Map on FPR3100 |
|
|
ASA is unexpected reload when doing backup |
|
|
License Commands go missing in Cluster data unit if the Cluster join fails. |
|
|
FTD traceback and reload while deploying PAT POOL |
|
|
Need to provide rate-limit on "logging history <mode>" |
|
|
FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity |
|
|
FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces |
|
|
Cluster data unit drops non-VPN traffic with ASP reason "VPN reclassify failure |
|
|
FPR1120:connections are getting teardown after switchover in HA |
|
|
None option under trustpoint doesn't work when CRL check is failing |
|
|
FTD traceback and reload during policy deployment adding/removing/editing of NAT statements. |
|
|
FTD is dropping GRE traffic from WSA |
|
|
ASA binding with LDAP as authorization method with missing configuration |
|
|
ASA: Traceback and reload while processing SNMP packets |
|
|
High Lina memory use due to leaked SSL handles |
|
|
FTD - 'show memory top-usage' providing improper value for memory allocation |
|
|
FTD: IPSLA Pre-emption not working even when destination becomes reachable |
|
|
ASA/FTD Traceback and reload of Standby Unit while removing capture configurations |
|
|
[FTD Multi-Instance][SNMP] - CPU OIDs return incomplete list of associated CPUs |
|
|
ASA/FTD may traceback and reload in Thread Name: CTM Daemon |
|
|
256-byte memory block gets depleted on start if jumbo frame is enabled with FTD on ASA5516 |
|
|
Open AC VPN Agent" can connect to a Multi-Cert Auth TG using a single cert & username/password |
|
|
ASA/FTD may drop multicast packets due to no-mcast-intrf ASP drop reason until UDP timeout expires |
|
|
Multicast connection built or teardown syslog messages may not always be generated |
|
|
NTP polling frequency changed from 5 minutes to 1 second causes large useless log files |
|
|
8x10Gb netmod fails to come online |
|
|
ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured |
|
|
ASA Traceback & reload citing thread name: asacli/0 |
|
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
|
ASA/FTD may traceback and reload after executing 'clear counters all' when VPN tunnels are created |
|
|
LINA traceback with icmp_thread |
|
|
The command "app-agent heartbeat" is getting removed when deleting any created context |
|
|
CLUSTER: ICMP reply arrives at director earlier than CLU add flow request from flow owner. |
|
|
FTD MI does not adjust PVID on vlans attached to BVI |
|
|
ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo |
|
|
ASA/FTD Show chunkstat top command implementation |
|
|
ASA/FTD might traceback in funtion "snp_fp_l2_capture_internal" due to cf_reinject_hide flag |
|
|
Workaround to set hwclock from ntp logs on low end platforms |
|
|
ASA/FTD: High failover delay with large number of (sub)interfaces and http server enabled |
|
|
Multiple traceback seen on standby unit. |
|
|
Stale IKEv2 SA formed during simultaneous IKE SA handling when missing delete from the peer |
|
|
FDM WM-HA ssh is not working after upgrading 7.2.3 beta with data interface as management |
|
|
ASA: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
|
FP2100:Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames |
|
|
Syslog ASA-6-611101 is generated twice for a single ssh connection |
|
|
User with no vpn-filter may get additional access when per-user-override is set (IKEv2 RAVPN) |
|
|
FTD upgrade from 7.0 to 7.2.x and beyond crashes due to management-access enabled |
|
|
ASA/FTD drops traffic to BVI if floating conn is not default value due to no valid adjacency |
|
|
SNMP on SFR module goes down and won't come back up |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
SSL decrypted conns fails when tx chksum-offload is enabled with the egress interface a pppoe. |
|
|
FTD on FPR2140 - Lina traceback and reload by TCP normalization |
|
|
Memory leak observed on ASA/FTD when logging history is enabled |
|
|
ASA/FTD: Revision of cluster event message "Health check detected that control left cluster" |
|
|
FTD: "timeout floating-conn" not operating as expected for connections dependent on VRF routing |
|
|
ASA/FTD reboots due to traceback pointing to watchdog timeout on p3_tree_lookup |
|
|
FTD Traceback and reload on Thread Name "NetSnmp Event mib process" |
|
|
PIM register packets are not sent to RP after a reload if FTD uses a default gateway to reach the RP |
|
|
ASA Multicontext 'management-only' interface attribute not synced during creation |
|
|
New context subcommands are not replicated on HA standby when multiple sessions are opened. |
|
|
Policy Deploy Failing when trying to remove Umbrella DNS Connector Configuration |
|
|
ASA/FTD traceback in snp_tracer_format_route |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to due to tcp intercept stat |
|
|
ASA/FTD: Ensure flow-offload states within cluster are the same |
|
|
Need fault/error for invalid firmware MF-111-234949 |
|
|
ASA/FTD may traceback and reload |
|
|
ASA: Prevent SFR module configuration on unsuported platforms |
|
|
The command "neighbor x.x.x.x ha-mode graceful-restart" removed when deleting any created context |
|
|
FP2100 series devices might use excessive memory if there is a very high SNMP polling rate |
|
|
KP Generating invalid core files which cannot be decoded 7.2.4-64 |
|
|
ASA - Standby device may traceback and reload during synchronization of ACL DAP |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Last fragment from SIP IPv6 packets has MF equal to 1, flagging that more packets are expected |
|
|
ASA / FTD Traceback and reload when removing isakmp capture |
|
|
Failover fover_trace.log file is flooding and gets overwritten quickly |
|
|
Multiple times the failover may be disabled by wrongly seeing a different "Mate operational mode". |
|
|
FTD 3100 Crash in Thead Name: CP Processing |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-3-21853 |
|
|
FTD LINA traceback and reload in Datapath thread after adding Static Routing |
|
|
Cross-interface-access: ICMP Ping to management access ifc over VPN is broken |
|
|
Interface remains DOWN in an Inline-set with propagate link state |
|
|
ASA/FTD: From-the-box ping fails when using a custom VRF |
|
|
ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers |
|
|
ASA/FTD may traceback and reload in Thread Name 'pix_flash_config_thread' |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Default DLY value of port-channel sub interface mismatch with parent Portchannel |
|
|
ASA: Standby failure on parsing of "management-only" not reported to parser/failover subsystem |
|
|
health alert for [FSM:STAGE:FAILED]: external aaa server configuration |
|
|
ASA/FTD traceback and reload on thread DATAPATH-14-11344 when SIP inspection is enabled |
|
|
ASA/FTD traceback and reload due citing thread name: cli_xml_server in tm_job_add |
|
|
Serial number attribute from the subject DN of certificate should be taken as the username |
|
|
Notification Daemon false alarm of Service Down |
|
|
CVIM Console getting stuck in "Booting the kernel" page |
|
|
Username-from-certificate feature cannot extract the email attribute |
|
|
ASA: Standby failure on parsing of "management-only" for dynamic configuraiton changes |
|
|
ASA Traceback and reload in parse thread due ha_msg corruption |
|
|
ngfwManager process continuously restarting leading to ZMQ Out of Memory traceback |
|
|
FXOS REST API: Unable to create a keyring with type "ecdsa" |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina'. |
|
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
|
ASA not updating Timezone despite taking commands |
|
|
FTD DHCP Relay drops NACK if multiple DHCP Servers are configured |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASa/FTD: SNMP related traceback and reload immediately after upgrade from 6.6.5 to 7.0.1 |
|
|
ASA: Configurable CLU for Large amount of under/overruns on CLU RX/TX queues |
|
|
Observed ASA traceback and reload when performing hitless upgrade while VPN traffic running |
|
|
7.2.4 - Block depletion using single crafted UDP SIP register request |
|
|
traceback and reload thread datapath on process tcpmod_proxy_continue_bp |
|
|
Add knob to pause/resume file specific logging in asa log infra. |
|
|
FTD/ASA Hub and spoke (U-turn) VPN fails when one spoke is IPSec flow offloaded and the other isn't |
|
|
TCP ping is completely broken starting in 9.18.2 |
|
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
|
Setting heartbeat timeout to 6sec for BS and QP |
|
|
ASA running out of SNMP PDU and SNMP VAR chunks |
|
|
Lina traceback and reload due to fragmented packets |
|
|
FTD : Traceback in ZMQ running 7.3.0 |
|
|
ASA sends OCSP request without user-agent and host |
|
|
ASA: After upgrade to 9.16.4 all type-8 passwords are lost on first reboot |
|
|
ASA Traceback and reload citing process name 'lina' |
|
|
traceback and reload in Process Name: lina related to Nat/Pat |
|
|
TCP normalizer needs stats that show actions like packet drops |
|
|
LDAP authentication over SSL not working for users that send large authorisation profiles |
|
|
ASA/FTD may traceback and reload in Thread Name '19', free block checksum failure |
|
|
ASA may traceback and reload in Thread Name 'DHCPv6 Relay' |
|
|
ASA/FTD: Traceback on thread name: snmp_master_callback_thread during SNMP and interface changes |
|
|
Unable to establish BGP when using MD5 authentication over GRE TUNNEL and FTD as passthrough device |
|
|
ASA/FTD: Connection information in SIP-SDP header remains untranslated with destination static Any |
|
|
FTD may fail to create a NAT rule with error: "IPv4 dst real obj address range is huge" |
|
|
Inconsistent log messages seen when emblem is configured and buffer logging is set to debug |
|
|
ASA in multi context shows standby device in failed stated even after MIO HB recovery. |
|
|
ASA integration with umbrella does not work without validation-usage ssl-server. |
|
|
ASA traceback and reload with the Thread name: **CP Crypto Result Processing** |
|
|
Firewall may drop packets when routing between global or user VRFs |
|
|
ASA access-list entries have the same hash after upgrade |
|
|
[IMS_7_4_0] - Virtual FDM Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby |
|
|
FTD: GRE traffic is load balanced between CPU cores |
|
|
AnyConnect Ikev2 Login Failed With certificate-group-map Configured |
|
|
ASA/FTD may traceback and reload citing process name "lina" |
|
|
Traceback in Thread Name: ssh/client in a clustered setup |
|
|
Lina crash in thread name: cli_xml_request_process during FTD cluster upgrade |
|
|
99.20.1.16 lina crash on nat_remove_policy_from_np |
|
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
|
VPN load-balancing cluster encryption using deprecated ciphers |
|
|
FTD username with dot fails AAA-RADIUS external authentication login after upgrade |
|
|
FTD/Lina - ZMQ issue OUT OF MEMORY. due to less Msglyr pool memory in low end platforms |
|
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum. |
|
|
FMC 1600 process ssp_snmp_trap_fwdr high memory utilization |
|
|
Cisco ASA Software and FTD Software SAML Assertion Hijack Vulnerability |
|
|
ASA/FTD: Traceback and reload due to NAT L7 inspection rewrite |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco Secure Firewall ASA Series Documentation.
Feedback