Release Notes for the Cisco Secure Firewall ASA, 9.20(x)
This document contains release information for ASA software version 9.20(x).
 Note |
9.20(1) is only supported on the Secure Firewall 4200. Later releases are supported on the other models. |
Important Notes
-
Smart licensing default transport changed in 9.20(4)—In 9.20(4), the smart licensing default transport changed from Smart Call Home to Smart Transport. You can configure the ASA to use Smart Call Home if necessary using the transport type callhome command. When you upgrade to 9.20(4), the transport is automatically changed to Smart Transport. If you downgrade, the transport is set back to Smart Call Home, and if you want to use Smart Transport, you need to specify transport type smart . Note also that the licensing URL for Smart Transport is https://smartreceiver.cisco.com (compared to tools.cisco.com), so be sure to allow that URL on upstream routers.
-
ASA 9.20(2) supports all current models.
-
OSPFv3 redistribute commands that specify a route-map that matches a prefix-list will be removed in 9.20(2)—When you upgrade to 9.20(2), OSPFv3 redistribute commands where the specified route-map uses a match ip address prefix-list will be removed from the configuration. Although prefix lists have never been supported, the parser still accepted the command. Before upgrading, you should reconfigure OSPFv3 to use route maps that specify an ACL in the match ip address command.
Remember
Redistribution of route maps with IPv4 prefix list on OSPFv2 is supported.
-
ASA version 9.20(1) only supports the Secure Firewall 4200—ASDM 7.20(1) supports the Secure Firewall 4200 on 9.20(1), but is also backwards-compatible with earlier releases on other platforms.
System Requirements
ASDM requires a computer with a CPU with at least 4 cores. Fewer cores can result in high memory usage.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco Secure Firewall ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note |
New, changed, and deprecated syslog messages are listed in the syslog message guide. |
New Features in ASA 9.20(4)
Released: July 2, 2025
|
Feature |
Description |
||||
|---|---|---|---|---|---|
|
License Features |
|||||
|
Smart Transport is the default Smart Licensing transport |
Smart Licensing now uses Smart Transport as the default transport. You can optionally enable the former type, Smart Call Home, if necessary. New/Modified commands: transport proxy , transport type , transport url Also in 9.22(1). |
||||
|
Administrative, Monitoring, and Troubleshooting Features |
|||||
|
SSH X.509 certificate authentication |
You can now use an X.509v3 certificate to authenticate a user for SSH (RFC 6187).
New/Modified commands: aaa authorization exec ssh-x509 , ssh authentication method , ssh trustpoint sign, ssh username-from-certificate , validation-usage ssh-client |
||||
|
AES-256-GCM SSH cipher |
The ASA supports the AES-256-GCM cipher for SSH. It is enabled by default for all and high encryption levels. New/Modified commands: ssh cipher encryption |
||||
New Features in ASA 9.20(3)
Released: July 31, 2024
|
Feature |
Description |
|---|---|
|
Platform Features |
|
|
ASA Virtual AWS IMDSv2 support |
AWS Instance Metadata Service version 2 (IMDSv2) API is now supported on ASA Virtual, which allows you to retrieve and validate instance metadata. IMDSv2 provides additional security against vulnerabilities targeting the Instance Metadata Service. When deploying ASA Virtual on AWS, you can now configure the Metadata version for ASA Virtual as follows:
If you have an existing ASA Virtual deployment, you can migrate to "IMDSv2 Required" mode after upgrading to 9.20(3) and later. See AWS documentation, https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html For more information, see Cisco Secure Firewall ASA Virtual Getting Started Guide, 9.20. |
|
Firewall Features |
|
|
Threat Detection for VPN services |
You can configure threat detection for VPN services to protect against the following types of VPN attack from IPv4 addresses:
These attacks, even when unsuccessful in their attempt to gain access, can consume computational resources and in some cases result in Denial of Service. The following commands were introduced or changed: clear threat-detection service , show threat-detection service , shun , threat-detection service . |
|
VPN Features |
|
|
Multiple IdP certificates in a webvpn configuration and a tunnel-group |
You can now configure tunnel-group-specific IdP certificates and multiple IdP certificates in a webvpn configuration. This feature lets you trust an old certificate as well as a new certificate, making migration to the new certificate easier. New/Modified commands: saml idp-trustpoint , trustpoint idp |
|
Rate Limit for Preauthenticated SSL Connections |
ASA Virtual can rate-limit preauthenticated SSL connections. This limit is calculated as three times the VPN connection limit of the device. When this limit exceeds, no new SSL connections are allowed. The device allows new SSL connections only after the preauthenticated SSL connections count becomes zero. However, this restriction is not valid for management connections. New/Modified commands: show counters |
New Features in ASA 9.20(2)
Released: December 13, 2023
|
Feature |
Description |
|---|---|
|
Platform Features |
|
|
100GB network module support for the Secure Firewall 3100 |
You can now use the 100GB network module for the Secure Firewall 3100. This module is also supported for the Secure Firewall 4200. |
|
Increased connection limits for the Secure Firewall 4200 |
Connection limits have been increased:
|
|
ASAv on OCI: Additional instances |
ASA Virtual instances on OCI now supports additional shapes to achieve the highest performance and throughput level. |
|
High Availability and Scalability Features |
|
|
ASAv on Azure: Clustering with Gateway Load Balancing |
We now support the ASA virtual clustering deployment on Azure
using the Azure Resource Manager (ARM) template and then configure
the ASAv clusters to use the Gateway Load Balancer (GWLB) for load balancing the network traffic.
New/Modified commands: |
|
ASAv on AWS: Resiliency for clustering with Gateway Load Balancing |
You can configure the Target Failover option in the Target Groups service of AWS, which helps GWLB to forward existing flows to a healthy target in the event of virtual instance failover. In the ASAv clustering, each instance is associated with a Target Group, where the Target Failover option is enabled. It helps GWLB to identify an unhealthy target and redirect or forward the network traffic to a healthy instance identified or registered as a target node in the target group. |
|
Configurable delay to rejoin cluster after chassis heartbeat failure (Firepower 4100/9300) |
By default, if the chassis heartbeat fails and then recovers, the node rejoins the cluster immediately. However, if you configure the health-check chassis-heartbeat-delay-rejoin command, it will rejoin according to the settings of the health-check system auto-rejoin command. New/Modified commands: health-check chassis-heartbeat-delay-rejoin |
|
show failover statistics includes client statistics |
The failover client packet statistics are now enhanced to improve debuggability. The show failover statistics command is enhanced to display np-clients (data-path clients) and cp-clients (control-plane clients) information. Modified commands: show failover statistics cp-clients , show failover statistics np-clients Also in 9.18(4). |
|
show failover statistics events includes new events |
The show failover statistics events command is now enhanced to identify the local failures notified by the App agent: failover link uptime, supervisor heartbeat failures, and disk full issues. Modified commands: show failover statistics events Also in 9.18(4). |
New Features in ASA 9.20(1)
Released: September 7, 2023
Note |
This release is only supported on the Secure Firewall 4200. |
|
Feature |
Description |
|---|---|
|
Platform Features |
|
|
Secure Firewall 4200 |
We introduced the ASA for the Secure Firewall 4215, 4225, and 4245. The Secure Firewall 4200 supports up to 8 units for Spanned EtherChannel clustering. You can hot swap a network module of the same type while the firewall is powered up without having to reboot; making other module changes requires a reboot. Secure Firewall 4200 25 Gbps and higher interfaces support Forward Error Correction as well as speed detection based on the SFP installed. The SSDs are self-encrypting drives (SEDs), and if you have 2 SSDs, they form a software RAID. There are two Management interfaces. |
|
Firewall Features |
|
|
ASP rule engine compilation offloaded to the data plane. |
By default, ASP rule engine compilation is offloaded to the data plane (instead of the control plane) when any rule-based policy (for example, ACL, NAT, VPN) has more than 100 rule updates. The offload leaves more time for the control plane to perform other tasks. We added or modified the following commands: asp rule-engine compile-offload , show asp rule-engine . |
|
Data plane quick reload |
When data plane needs to be restarted, instead of a reboot of the device, you can now reload the data plane process. When data plane quick reload is enabled, it restarts the data plane and other processes. New/Modified commands:data-plane quick-reload , show data-plane quick-reload status . |
|
High Availability and Scalability Features |
|
|
Reduced false failovers for ASA high availability |
We now introduced an additional heartbeat module in the data plane of the ASA high availability. This heartbeat module helps to avoid false failovers or split-brain scenarios that can happen due to traffic congestion in the control plain or CPU overload. Also in 9.18(4). |
|
Configurable cluster keepalive interval for flow status |
The flow owner sends keepalives (clu_keepalive messages) and updates (clu_update messages) to the director and backup owner to refresh the flow state. You can now set the keepalive interval. The default is 15 seconds, and you can set the interval between 15 and 55 seconds. You may want to set the interval to be longer to reduce the amount of traffic on the cluster control link. New/Modified commands: clu-keepalive-interval |
|
Routing Features |
|
|
EIGRPv6 |
You can now configure EIGRP for IPv6 and manage them separately. You must explicitly enable IPv6 when configuring EIGRP on each interface. New/Modified commands: Following are the new commands introduced: ipv6 eigrp , ipv6 hello-interval eigrp , ipv6 hold-time eigrp , ipv6 split-horizon eigrp , show ipv6 eigrp interface , show ipv6 eigrp traffic , show ipv6 eigrp neighbors , show ipv6 eigrp interface , ipv6 summary-address eigrp , show ipv6 eigrp topology , show ipv6 eigrp events , show ipv6 eigrp timers , clear ipv6 eigrp , and clear ipv6 router eigrp Following commands are modified to support IPv6: default-metric , distribute-list prefix-list , passive-interface , eigrp log-neighbor-warnings , eigrp log-neighbor-changes , eigrp router-id , and eigrp stub |
|
Interface Features |
|
|
VXLAN VTEP IPv6 support |
You can now specify an IPv6 address for the VXLAN VTEP interface. IPv6 is not supported for the ASA Virtual cluster control link or for Geneve encapsulation. New/Modified commands: default-mcast-group , mcast-group , peer ip |
|
Loopback interface support for DNS, HTTP, ICMP, and IPsec Flow Offload |
You can now add a loopback interface and use it for:
|
|
License Features |
|
|
IPv6 for Cloud services such as Smart Licensing and Smart Call Home |
ASA now supports IPv6 for Cloud services such as Smart Licensing and Smart Call Home. |
|
Certificate Features |
|
|
IPv6 PKI for OCSP and CRL |
ASA now supports both IPv4 and IPv6 OCSP and CRL URLs. When using IPv6 in the URLs, it must be enclosed with square brackets.
New/Modified commands:crypto ca trustpointcrl , cdp url , ocsp url |
|
Administrative, Monitoring, and Troubleshooting Features |
|
|
Rate limiting for SNMP syslogs |
If you do not set system-wide rate limiting, you can now configure rate limiting separately for syslogs sent to an SNMP server. New/Modified commands: logging history rate-limit |
|
Packet Capture for switches |
You can now configure to capture egress and ingress traffic packets for a switch. This option is applicable only for Secure Firewall 4200 model devices. New/Modified commands:
capture capture_name switch interface interface_name [ direction { both | egress | ingress } ] |
|
VPN Features |
|
|
Crypto debugging enhancements |
Following are the enhancements for crypto debugging:
New/Modified commands:
|
|
Multiple Key Exchanges for IKEv2 |
ASA supports multiple key exchanges in IKEv2 to secure the IPsec communication from quantum computer attacks. New/Modified commands: additional-key-exchange |
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Upgrade Path: ASA Appliances
On the Cisco Support & Download site, the suggested release is marked with a gold star. For example:
View Your Current Version
To view your current version and model, use one of the following methods:
-
ASDM: Choose .
-
CLI: Use the show version command.
Upgrade Guidelines
Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage.
For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.
Upgrade Paths
This table provides upgrade paths for ASA.
Note |
ASA 9.18 was the final version for the Firepower 4110, 4120, 4140, 4150, and Security Modules SM-24, SM-36, and SM-44 for the Firepower 9300. ASA 9.16 was the final version for the ASA 5506-X, 5508-X, and 5516-X. ASA 9.14 was the final version for the ASA 5525-X, 5545-X, and 5555-X. ASA 9.12 was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2 was the final version for the ASA 5505. ASA 9.1 was the final version for the ASA 5510, 5520, 5540, 5550, and 5580. |
|
Current Version |
Interim Upgrade Version |
Target Version |
|---|---|---|
|
9.19 |
— |
Any of the following: → 9.20 |
|
9.18 |
— |
Any of the following: → 9.20 → 9.19 |
|
9.17 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 |
|
9.16 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 |
|
9.15 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 |
|
9.14 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 |
|
9.13 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 |
|
9.12 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 |
|
9.10 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.12 |
|
9.9 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.12 |
|
9.8 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.12 |
|
9.7 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.12 |
|
9.6 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.12 |
|
9.5 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.12 |
|
9.4 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.12 |
|
9.3 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.12 |
|
9.2 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.12 |
|
9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) |
— |
Any of the following: → 9.12 |
|
9.0(2), 9.0(3), or 9.0(4) |
— |
Any of the following: → 9.12 |
Upgrade Path: ASA on Firepower 2100 in Platform Mode
To view your current version and model, use one of the following methods:
-
ASDM: Choose .
-
CLI: Use the show version command.
This table provides upgrade paths for the ASA on the Firepower 2100 in Platform mode. Some versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage.
For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.
|
Current Version |
Interim Upgrade Version |
Target Version |
|---|---|---|
|
9.19 |
— |
Any of the following: → 9.20 |
|
9.18 |
— |
Any of the following: → 9.20 → 9.19 |
|
9.17 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 |
|
9.16 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 |
|
9.15 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 |
|
9.14 |
— |
Any of the following: → 9.20 → 9.19 → 9.18 → 9.17 → 9.16 → 9.15 |
|
9.13 |
→ 9.18 |
Any of the following: → 9.20 → 9.19 |
|
9.13 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 |
|
9.12 |
→ 9.18 |
Any of the following: → 9.20 → 9.19 |
|
9.12 |
— |
Any of the following: → 9.18 → 9.17 → 9.16 → 9.15 → 9.14 |
|
9.10 |
→ 9.17 |
Any of the following: → 9.20 → 9.19 → 9.18 |
|
9.10 |
— |
Any of the following: → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.9 |
→ 9.17 |
Any of the following: → 9.20 → 9.19 → 9.18 |
|
9.9 |
— |
Any of the following: → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
|
9.8 |
→ 9.17 |
Any of the following: → 9.20 → 9.19 → 9.18 |
|
9.8 |
— |
Any of the following: → 9.17 → 9.16 → 9.15 → 9.14 → 9.12 |
Upgrade Path: ASA Logical Devices for the Firepower 4100/9300
-
FXOS: From FXOS 2.2.2 and later, you can upgrade directly to any higher version. (FXOS 2.0.1–2.2.1 can upgrade as far as 2.8.1. For versions earlier than 2.0.1, you need to upgrade to each intermediate version.) Note that you cannot upgrade FXOS to a version that does not support your current logical device version. You will need to upgrade in steps: upgrade FXOS to the highest version that supports your current logical device; then upgrade your logical device to the highest version supported with that FXOS version. For example, if you want to upgrade from FXOS 2.2/ASA 9.8 to FXOS 2.13/ASA 9.19, you would have to perform the following upgrades:
-
FXOS 2.2 → FXOS 2.11 (the highest version that supports 9.8)
-
ASA 9.8 → ASA 9.17 (the highest version supported by 2.11)
-
FXOS 2.11 → FXOS 2.13
-
ASA 9.17 → ASA 9.19
-
-
Firewall Threat Defense: Interim upgrades may be required for Firewall Threat Defense, in addition to the FXOS requirements above. For the exact upgrade path, refer to the Firewall Management Center upgrade guide for your version.
-
ASA: ASA lets you upgrade directly from your current version to any higher version, noting the FXOS requirements above.
|
FXOS Version |
Model |
ASA Version |
Firewall Threat Defense Version |
||||
|---|---|---|---|---|---|---|---|
|
2.16 |
Firepower 4112 |
9.20 9.19 9.18 9.17 |
7.6 (recommended) 7.4 7.3 7.2 7.1 |
||||
|
Firepower 4145 Firepower 4125 Firepower 4115 |
9.20 9.19 9.18 9.17 |
7.6 (recommended) 7.4 7.3 7.2 7.1 |
|||||
|
Firepower 9300 SM-56 Firepower 9300 SM-48 Firepower 9300 SM-40 |
|||||||
|
2.14(1) |
Firepower 4112 |
9.20 (recommended) 9.19 9.18 9.17 9.16 9.14 |
7.4 (recommended) 7.3 7.2 7.1 7.0 6.6 |
||||
|
Firepower 4145 Firepower 4125 Firepower 4115 |
9.20 (recommended) 9.19 9.18 9.17 9.16 9.14 |
7.4 (recommended) 7.3 7.2 7.1 7.0 6.6 |
|||||
|
Firepower 9300 SM-56 Firepower 9300 SM-48 Firepower 9300 SM-40 |
|||||||
|
2.13 |
Firepower 4112 |
9.19 (recommended) 9.18 9.17 9.16 9.14 |
7.3 (recommended) 7.2 7.1 7.0 6.6 |
||||
|
Firepower 4145 Firepower 4125 Firepower 4115 |
9.19 (recommended) 9.18 9.17 9.16 9.14 |
7.3 (recommended) 7.2 7.1 7.0 6.6 |
|||||
|
Firepower 9300 SM-56 Firepower 9300 SM-48 Firepower 9300 SM-40 |
|||||||
|
2.12 |
Firepower 4112 |
9.18 (recommended) 9.17 9.16 9.14 |
7.2 (recommended) 7.1 7.0 6.6 |
||||
|
Firepower 4145 Firepower 4125 Firepower 4115 |
9.18 (recommended) 9.17 9.16 9.14 9.12 |
7.2 (recommended) 7.1 7.0 6.6 6.4 |
|||||
|
Firepower 9300 SM-56 Firepower 9300 SM-48 Firepower 9300 SM-40 |
|||||||
|
Firepower 4150 Firepower 4140 Firepower 4120 Firepower 4110 |
9.18 (recommended) 9.17 9.16 9.14 9.12 |
7.2 (recommended) 7.1 7.0 6.6 6.4 |
|||||
|
Firepower 9300 SM-44 Firepower 9300 SM-36 Firepower 9300 SM-24 |
|||||||
|
2.11 |
Firepower 4112 |
9.17 (recommended) 9.16 9.14 |
7.1 (recommended) 7.0 6.6 |
||||
|
Firepower 4145 Firepower 4125 Firepower 4115 |
9.17 (recommended) 9.16 9.14 9.12 |
7.1 (recommended) 7.0 6.6 6.4 |
|||||
|
Firepower 9300 SM-56 Firepower 9300 SM-48 Firepower 9300 SM-40 |
|||||||
|
Firepower 4150 Firepower 4140 Firepower 4120 Firepower 4110 |
9.17 (recommended) 9.16 9.14 9.12 9.8 |
7.1 (recommended) 7.0 6.6 6.4 |
|||||
|
Firepower 9300 SM-44 Firepower 9300 SM-36 Firepower 9300 SM-24 |
|||||||
|
2.10
|
Firepower 4112 |
9.16 (recommended) 9.14 |
7.0 (recommended) 6.6 |
||||
|
Firepower 4145 Firepower 4125 Firepower 4115 |
9.16 (recommended) 9.14 9.12 |
7.0 (recommended) 6.6 6.4 |
|||||
|
Firepower 9300 SM-56 Firepower 9300 SM-48 Firepower 9300 SM-40 |
|||||||
|
Firepower 4150 Firepower 4140 Firepower 4120 Firepower 4110 |
9.16 (recommended) 9.14 9.12 9.8 |
7.0 (recommended) 6.6 6.4 |
|||||
|
Firepower 9300 SM-44 Firepower 9300 SM-36 Firepower 9300 SM-24 |
|||||||
|
2.9 |
Firepower 4112 |
9.14 |
6.6 |
||||
|
Firepower 4145 Firepower 4125 Firepower 4115 |
9.14 9.12 |
6.6 6.4 |
|||||
|
Firepower 9300 SM-56 Firepower 9300 SM-48 Firepower 9300 SM-40 |
|||||||
|
Firepower 4150 Firepower 4140 Firepower 4120 Firepower 4110 |
9.14 9.12 9.8 |
6.6 6.4 |
|||||
|
Firepower 9300 SM-44 Firepower 9300 SM-36 Firepower 9300 SM-24 |
|||||||
|
2.8 |
Firepower 4112 |
9.14 |
6.6
|
||||
|
Firepower 4145 Firepower 4125 Firepower 4115 |
9.14 (recommended) 9.12
|
6.6 (recommended)
6.4 |
|||||
|
Firepower 9300 SM-56 Firepower 9300 SM-48 Firepower 9300 SM-40 |
|||||||
|
Firepower 4150 Firepower 4140 Firepower 4120 Firepower 4110 |
9.14 (recommended) 9.12 9.8 |
6.6 (recommended)
6.4 6.2.3 |
|||||
|
Firepower 9300 SM-44 Firepower 9300 SM-36 Firepower 9300 SM-24 |
|||||||
|
2.6(1.157)
|
Firepower 4145 Firepower 4125 Firepower 4115 |
9.12
|
6.4 |
||||
|
Firepower 9300 SM-56 Firepower 9300 SM-48 Firepower 9300 SM-40 |
|||||||
|
Firepower 4150 Firepower 4140 Firepower 4120 Firepower 4110 |
9.12 (recommended) 9.8 |
6.4 (recommended) 6.2.3 |
|||||
|
Firepower 9300 SM-44 Firepower 9300 SM-36 Firepower 9300 SM-24 |
|||||||
|
2.6(1.131) |
Firepower 9300 SM-48 Firepower 9300 SM-40 |
9.12 |
Not supported |
||||
|
Firepower 4150 Firepower 4140 Firepower 4120 Firepower 4110 |
9.12 (recommended) 9.8 |
||||||
|
Firepower 9300 SM-44 Firepower 9300 SM-36 Firepower 9300 SM-24 |
|||||||
|
2.3(1.73) |
Firepower 4150 Firepower 4140 Firepower 4120 Firepower 4110 |
9.8
|
6.2.3 (recommended)
|
||||
|
Firepower 9300 SM-44 Firepower 9300 SM-36 Firepower 9300 SM-24 |
|||||||
|
2.3(1.66) 2.3(1.58) |
Firepower 4150 Firepower 4140 Firepower 4120 Firepower 4110 |
9.8
|
|||||
|
Firepower 9300 SM-44 Firepower 9300 SM-36 Firepower 9300 SM-24 |
|||||||
|
2.2 |
Firepower 4150 Firepower 4140 Firepower 4120 Firepower 4110 |
9.8 |
Firewall Threat Defense versions are EoL |
||||
|
Firepower 9300 SM-44 Firepower 9300 SM-36 Firepower 9300 SM-24 |
Note on Downgrades
Downgrade of FXOS images is not officially supported. The only Cisco-supported method of downgrading an image version of FXOS is to perform a complete re-image of the device.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.20(x)
The following table lists select open bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
Traceback and reload in spin_lock_get_actual_internal |
|
|
ASA clock is out of sync 2 hours when timezone is configured to Europe/Dublin which is GMT. |
|
|
FTD FP2100 port-channel interfaces flap with LACP |
|
|
FXOS reset and reload due to snmpd service failure |
|
|
Firepower wiping SSL trustpoint config after reload |
|
|
Order of ACL is getting changed after contents of one of the common used object is changed. |
|
|
DNS doctoring not working correctly if the doctoring rule is of type dynamic and has any interface |
|
|
Memory leak: ASA Fragment size 72 causing memory exhaustion in MEMPOOL_GLOBAL_SHARED POOL |
|
|
FTD traceback and reload during Troubleshoot file collection |
|
|
ASA SSH login fails at the first attempt when it is integrated with DUO |
|
|
ASA: asacli Processes Not Terminated When SSH Sessions Are Closed |
|
|
FTD MI: SNMP polling fails to work after upgrading to 7.4.2.2 |
|
|
ASA traceback and reload on FP4245 generated corrupted Lina core file |
|
|
FPR 1140 port-channel interfaces flap after upgrade |
|
|
ASA crashinfo files not generated on FP4200 devices |
|
|
ASAv tracebacks in the DPDK code, wile writing TX packets |
|
|
LINA - 1550 Block Exhaustion Caused by Traffic Between Failover Interface IPs |
|
|
Syslogs from the ASA do not include time and timezone in RFC5424 format as expected |
|
|
Packet tracer and real traffic hits incorrect ACL. |
|
|
ASA Clock reverts to UTC after device reload |
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 9.20(4)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
ASA may fail to create NAT rule for SNMP with: "error NAT unable to reserve ports." |
|
|
ASDM Access Issue When SSL VPN And HTTP Server Is Configured On Same Port |
|
|
Firepower 1000/2100 may boot to ROMMON mode |
|
|
Banner login does not display when configured |
|
|
FPR31xx - SNMP poll reports incorrect FanTray Status at Down while actually operational |
|
|
The fxos directory disappears after cancelling show tech fprm detail command with Ctr+c is executed. |
|
|
Stale anyconnect entries causing issues with routing |
|
|
Cisco ASA and FTD Remote Access SSL VPN Authentication Targeted Denial of Service Vulnerability |
|
|
ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
|
|
Incorrect exit interface choose for VTI traffic next-hop |
|
|
[Display]FXOS: PC member interface is shown as down & unassociated/unassigned after reload |
|
|
ASA software on FP3110 showing incorrect serial number in show inventory output |
|
|
Syslogs over management interface don't go through loggerd after FTD reboot or lina reload |
|
|
ASA: unexpected logs for initiating inbound connection for DNS query response |
|
|
FTD-HA does not fail over sometimes when snort3 traceback |
|
|
ASA|FTD: Traceback & reload in thread Name: update_mem_reference |
|
|
[Multi-Instance] Second Hard Drive (FPR-MSP-SSD) not in use |
|
|
Lina core at swapcontext on Standby FTD during policy deployment |
|
|
A memory leak flaw was found in Libtiff's tiffcrop utility. This issue |
|
|
ASA - Traceback the standby device while HA sync ACL-DAP |
|
|
ISA3000 Traceback and reload boot loop |
|
|
TCP MSS is changed back to the default value when a VTI or loopback interface is created |
|
|
ASA/FTD : Port-channels remain down on Firepower 1010 devices after upgrade |
|
|
Modification of destination entries failed, when Source Object Group and Destination Object Group contain same inner object-group |
|
|
Member interface admin status is not updated on Lina after enabling port-channel interface |
|
|
FTD/ASA - SNMP queries using snmpwalk are not displaying all "nameif" interfaces |
|
|
unzip 5.52 is from 2005 is contains multiple vulnerabilities |
|
|
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1 |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' related to Netflow timer infra |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174' |
|
|
Debug: Eth1/1 flapping unexpectedly |
|
|
CP might list all on-board interfaces as L3 mode after base-install |
|
|
SNMP walk does not work if IP is configured after SNMP is configured on ngfw management interface. |
|
|
Internal cached access-group list maintenance issue with unexpected clear configure access-list |
|
|
Disk quota for the corefile should be revisited based on platform |
|
|
Dns-guard prematurely closing conn due to timing condition |
|
|
ASA traceback with thread name SSH |
|
|
SNMP poll for some OIDs may cause CPU hogs and high latency can be observed for ICMP packets |
|
|
FTDv - The interface connected to the AWS GW may have connection issues for DHCP or an idle state. |
|
|
Crypto IPSEC Negotiation Failing At "Failed to compute a hash value" |
|
|
ASA: Running the failsafe-exit command caused the interface to enter a DISABLED state |
|
|
Cleanup stale logrotate files |
|
|
Memory manager improvements for webvpn internal lua library |
|
|
SNMP host group content change results in SNMP process termination on management interface |
|
|
PAT communication via using PAT pool fails for about 40 seconds when a device joins a cluster |
|
|
SNMP OID for CPUTotal1min omits snort cpu cores entries when polled |
|
|
ASAv Memory leak involving PKI/Crypto for VPN |
|
|
tpk_mi upgrade failed from 7.4.1.1 > 7.6.0 000_start/000_00_run_cli_kick_start.sh. |
|
|
ENH Logs FP4110 (FXOS 2.10.1.179) Security module stopped responding after device reboot |
|
|
snmpd core seen in ASA/FTD |
|
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
|
TLS Handshake Fails if Fragmented Client Hello Packet is Received Out of Order |
|
|
FTD/ASA : Standby FTD traceback and reload after enabling memory tracking |
|
|
FAN is working as expected but FAN LED is in off state. |
|
|
Standby Unit Interfaces enter "Waiting" Status Post-FTD Upgrade Due to Incorrect "Hello" Message MAC |
|
|
ASA/FTD may traceback and reload in Thread Name 'fover_FSM_thread' |
|
|
FPR2100-ASA Unable to generate CSR without FXOS IP address on SAN field |
|
|
FTD may traceback and reload in process name lina while processing appAgent msg reply |
|
|
FTD HA: Traceback and reload in netsnmp_oid_compare_ll |
|
|
RAVPN: Failure to create SGT-IP mapping due to ID table exhaustion |
|
|
Unable to run "nslookup" command on FXOS |
|
|
Failure to read the signature keys (mult-instance deployment) |
|
|
Cisco ASA & FTD Software IKEv2 Denial of Service Vulnerability |
|
|
"show inventory" output shows Name: "power supply 0" on Firepower |
|
|
ASA Fails to initiate AAA Authentication with IKEv2-EAP and Windows Native VPN Client |
|
|
WebVPN connections stuck in CLOSEWAIT state |
|
|
ASA/FTD may traceback and reload in Thread Name PTHREAD |
|
|
FPR 21xx - Traceback in Process Name: lina-mps during normal operations |
|
|
ASA CLI hangs with 'show run' with multiple ssh sessions |
|
|
ASA/FTD SNMP polling fails due to overlapping networks in snmp-server host-group |
|
|
"set ip next-hop" line deleted from config at reload if IP address is matched to a NAME |
|
|
Serviceablity : Improve routing infra debugs and add new for error conditions |
|
|
Clock skew between FXOS and Lina causes SAML assertion processing failure |
|
|
FTD is not resolving FQDN for ACLs intermittently |
|
|
FTD/ASA traceback and reload due to 'show bgp summary' memory leak |
|
|
command to print the debug menu setting of service worker |
|
|
Clock skew: FXOS clock diverges from Lina NTP time ~1-10 secs |
|
|
Connectivity failure due to mismatch between l2_table and subinterface mac address |
|
|
High LINA CPU observed due to NetFlow due to 'flow-export delay flow-create' configuration |
|
|
Accepting duplicate object/group-object into object-group from multiple ssh sessions |
|
|
Traceback and reload on active unit due to HA break operation. |
|
|
SNMP polling of admin context mgmt interface fails to show all interfaces across all contexts |
|
|
Cisco Adaptive Security Virtual Appliance and Secure FTD Virtual SSL VPN DoS Vulnerability |
|
|
ASA/FTD incorrectly forwards extended community attribute after upgrade. |
|
|
Bring back support for portal-access-rule for weblaunch for RAVPN sessions |
|
|
FTD : Management interface showing down despite being up and operational |
|
|
Traffic drop with 'rule-transaction-in-progress' after failover with TCM cfgd in multi-ctx mode |
|
|
ASA/FTD traceback and reload with high rate of SIP connections |
|
|
ASA/FTD: Low Memory Leads to Reload due to process Unified2File_Read |
|
|
State Link Stops Sending Hello Messages Post-Failover Triggered by Snort traceback in FTD HA |
|
|
FTD doesn't send Type A query after receiving a refuse error from one DNS server in AAAA query. |
|
|
ESP sequence number of 0 being sent after SA establishment/rekey |
|
|
Unable to establish RAVPN session on FTD HA setup |
|
|
Add warning message when configuring CCL MTU |
|
|
Radius server configuration for FTD external authentication is not deployed to FTD. |
|
|
Snmpwalk displays incorrect interface speeds for values greater or equal than 10G |
|
|
Remove SGT frames/packets to allow VTI decryption |
|
|
Issue with Setting Certain Timezones (e.g. GMT+1) on Cisco ASA Firepower in Appliance Mode |
|
|
FTD/ASA - VPN traffic flowing through the device may trigger tracebacks and reloads. |
|
|
ENH: Add application support for blocking consecutive AAA failures on LINA |
|
|
Backup feature does not save/restore DAP configuration in multiple context mode. |
|
|
ASA/FTD: Substantial increase in the time taken to load configuration |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
FTD memory depletion resulting in traceback and reload |
|
|
ASA/FTD May traceback & reload citing Thread Name 'lina' as the faulting thread. |
|
|
NAT_HARDEN: CGNAT breaks when mapped ifc is configured as any |
|
|
256/1550 block depletion process fover_thread |
|
|
FPR3K SFP+(10G) optics:Port Channel mem intf becomes down after reload/flap/reinsertion on peer side |
|
|
FTD/LINA may traceback and reload when "show capture" command is executed in EEM script |
|
|
Update Fan RPM Thresholds for 42xx platforms |
|
|
High cpu on "update block depletion" with secondary effects (Bgp flaps, traffic drops) |
|
|
SGT INLINE-TAG added after upgrade to 7.4.x |
|
|
Trigger Alert/Warning when the associated FQDN IDs of an IP address surpasses the set limit of 8 |
|
|
ASA/FTD may traceback and reload |
|
|
Virtual ASA/FTD may traceback and reload in thread PTHREAD |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability |
|
|
TLS1.3 Decryption configuration on SSL policy is affecting DND traffic. |
|
|
ASA on HA: alloc_ch() alloc from chunk mem Failed message on one context in Standby device |
|
|
CMI is disabled if pre-CMI nameif on diagnostic interface is MANAGEMENT |
|
|
FTD/FxOS - Upgrade/erase configuration result in App-instance 'Operational State: Starting' |
|
|
Packet-tracer output incorrectly appends 'control-plane' to drops for data-plane access-group |
|
|
FTD / ASA High Memory Usage Due to HTTP-based Path Monitoring |
|
|
Cisco ASA and FTD Software Remote Access VPN Denial of Service Vulnerability |
|
|
IPv6 SSL Anyconnect access blocked in HA pair |
|
|
21xx: debug log process hangs preventing recovery from stuck writing operations |
|
|
Instrument new logs in the startup process to collect more information |
|
|
FTD LINA Traceback and Reload dhcp_daemon Thread |
|
|
Address SSP OpenSSH regreSSHion vulnerability |
|
|
ASA might traceback and reload due to ssh/client hitting a null pointer while using SCP. |
|
|
Incorrect network module slot and status information in "show module" command output |
|
|
App instance stuck in STOP_FAILED with error message |
|
|
HA-monitored interfaces are going into "waiting" state and subsequently to "Failed" |
|
|
Failover prompt shows state active while the firewall is in Negotiation |
|
|
FTD and FXOS: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 |
|
|
FTD: Policy deployment failed due to mismatch of checksum. |
|
|
Failures and records are not seen in "show failover statistics" after simulating failures |
|
|
Certificate validation fails with trustpool when FIPS is enabled |
|
|
FTD running on FPR 2k with LDAP skips backslash when updating ldap.conf |
|
|
ASA: Site-to-Site VPN between contexts on the same device drops traffic due to 'ipsec-tun-down' |
|
|
BlastRADIUS vulnerability phase-1 fix for pix-asa - Message Authenticator |
|
|
Cisco Adaptive Security Appliance and Firepower Threat Defense TLS Denial of Service Vulnerability |
|
|
Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul |
|
|
FMC in CC-mode audit over syslog not working |
|
|
ASA/FTD may traceback and reload in Thread Name SSH |
|
|
FTDv traceback in Thread name - PTHREAD |
|
|
ASA/FTD: Memory Exhaustion due to Threat-Detection |
|
|
Partition "/opt/cisco/config" gets full due to btmp file not getting logrotated |
|
|
FTD upgrade to 7.4.2 via FDM is blocked |
|
|
'ENDPOINT_TIME_OUT_OF_SYNC' Error Causing SAML Auth to Not Complete |
|
|
ASA/FTD may traceback and reload in Process Name "lina" after device was reloaded |
|
|
FTDv50 traceback during normal operation at PTHREAD-8141 spin_lock_fair_mode_enqueue |
|
|
S2S VPN with 3rd party broken after upgrading FPR 9.20 |
|
|
Critical fault : [FSM:FAILED]: user configuration(FSM:sam:dme:AaaUserEpUpdateUserEp) |
|
|
ASA/FTD may traceback and reload in Thread Name 'strlen' |
|
|
FTD: Lina might fail to respond to CONFIG_XML_REQUEST leading to stuck deployments |
|
|
FTD: Username missing in syslog message ID 302013 after upgrade to 7.4.1 |
|
|
Lina traceback and reload in data-path thread |
|
|
Unstable HA causing depolyment failure |
|
|
IPv6 Neighbor Discovery failure on shared interface in multi instance setup |
|
|
FP4245 - NPU Accelerator changed speed of 100Gb interface to 10Mb |
|
|
ASA|FTD Traceback & reload in process name lina |
|
|
Increase memory usage leading to tracebacks in Lina. |
|
|
Disable cluster syn cookie decoding when FTD cluster is deployed with inline-set |
|
|
Generated Crypto checksum changes without configuration change |
|
|
Changes in port-channel membership or member status may cause periodic OSPF/EIGRP adjacency flaps |
|
|
CGroups errors in ASA Syslog during every reboot |
|
|
ldap.conf does not get generated using hostname |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software DHCP Denial of Service Vulnerability |
|
|
FTD CLISH/CLI gets locked up when trying to run any show command |
|
|
SIP traffic is affected due to unexpected behavior with NAT untranslations. |
|
|
Wrong drops seen with Invalid length for 23, 24 and 25 IE-Types during GTP inspection |
|
|
ASA/FTD may traceback and reload in Thread Name 'fover_parse' |
|
|
CSF 3100 series not rebooting after power outage, requiring manual power cycle |
|
|
Browser redirects to blank page when the user clicks the WebVPN bookmark |
|
|
The ASA's OSPF routing table is not properly synchronized with the neighbors |
|
|
SAML Force re-authentication Is Not Enforcing User To re-enter Credentials Upon Retrying To Connect |
|
|
FXOS MTU Handling for Front Panel and Uplink Ports on Firepower devices require improvement |
|
|
Default Group Policy is applied when receiving multiple Group Policies in SAML assertion attributes |
|
|
FTD - Â Multi-Instance, docker0 interface overlap with private network 172.17.0.0/16 |
|
|
SAML Auth Request by FTD Will Always Be Signed By Sha1 Irrelevant Of the Algorithm Configured |
|
|
Long boot time seen with one AC rule having object-group and other plain ACL's |
|
|
LINA may traceback in Thread Name: Datapath with NAT config |
|
|
FPR3100: Interface may go to half duplex speed is hardcoded to 100mbps |
|
|
FTD Secondary Unit got stuck in Bulk sync state. |
|
|
Portmanager and lacp sync is not programmatic |
|
|
ASA/FTD will allow local IP pool with invalid netmask |
|
|
FTD/ASA : 1SXF interfaces on FP3100 stay in a link-down state when connected to a Nexus 9K Switch |
|
|
Serviceability to capture PDTS writing/reading block to help root cause CSCwm36314 |
|
|
FTD/ASA may traceback and reload in DATAPATH thread |
|
|
Dynamic Site-to-Site tunnels stuck in IN-NEG state When IKE_AUTH Is Missed |
|
|
FTD inline-set ignore reverse flag for inject/rewrite |
|
|
Cisco Adaptive Security Appliance Software SSH Server Resource DoS Vulnerability |
|
|
FXOS fault F1738 seen in deploymet with Error: CSP_OP_ERROR. CSP signature verification error |
|
|
Show mod functionality needs to be fixed after change was reverted in CSCwk63011 due to regression |
|
|
Misconfigured Cross-Origin-Opener-Policy |
|
|
ASA Traceback and Reload due to MEMORY CORRUPTION WAS DETECTED |
|
|
enhance sma 2nd cruz heartbeat logging |
|
|
ASA/FTD: Inbound IPsec packets are dropped when IPsec offload is enabled with VTI and sub-interface |
|
|
100GB interface flaps with Innolight QSFPs in both ends |
|
|
FXOS: messages rotates every 40 minutes due to Notification Daemon messages' being spammed |
|
|
Not able to remove or clear Fault "The password encryption key has not been set." |
|
|
ASA/FTD may traceback and reload in Thread Name "fover_parse" |
|
|
TPK Low End FPR3100:Changing interface speed from 1g to 100mbps/100mps to 1g bring downs the link |
|
|
show run access-list command returns warning |
|
|
SQLNet traffic getting dropped intermittently in Clustering data unit. |
|
|
ASA/FTD: RA VPN tunnel causing memory leak leading to traceback & Reload |
|
|
FTD - Missing routes on BGP advertised-routes after FTD HA failover event |
|
|
Incompatible members warning message after Po member interface flaps unable to rejoin Po |
|
|
ASA traceback and reload on thread snmp_inspect |
|
|
ASA traceback and reload due to stack overflow while using APCF file |
|
|
ASA traceback and reload on thread DATAPATH when processing gtpv1 end marker msg for PDP |
|
|
NAT traps have to be rate-limited |
|
|
Potential High CPU usage in Multi-Context Cluster setup with unconditional execution of capture code |
|
|
ASA/FTD may traceback and reload in DATAPATH-1-20757 |
|
|
ASA/FTD may traceback and reload in Thread Name "IKEv2 Daemon" while joining failover |
|
|
4200/3100/1200 hardware allow to change AppAgent timer |
|
|
'no capture /all' failed to disable capture completely in the backend, causing high datapath CPU |
|
|
GTP inspection drops packet with error ERROR-DROP:MsgType:32 |
|
|
Cisco ASA/FTD Firepower 3100/4200 Series TLS 1.3 Cipher Denial of Service Vulnerability |
|
|
FTD HA Standby Reloads Repeatedly After Upgrade to 7.4.2.1 |
|
|
FQDNs are unresolved via DNS on data interface after reboot or traceback |
|
|
LINA core observed pointing to "IP RIB Update" thread |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
FTD device stuck in rommon mode after pressing reset button |
|
|
Cluster assigning wrong nat for unit, traffic not being forwarded properly back to unit |
|
|
ASA/FTD traceback and reload with high rate of SIP connections |
|
|
TCP Conn not being flagged as Half-Closed after receiving the ACK for the FIN. |
|
|
Memory Blocks 80 and 9344 leak due to priority-queue |
|
|
GTP inspection not allowing GTP data packets if session create response has cause type 18 |
|
|
When capture enabled on cluster interface, it always includes CCL IP along with the configured rule |
|
|
ASA/FTD may traceback and reload in Thread Name 'SSH Ctxt Thread' |
|
|
FPR9K-SM-56 module intermittently lock up and cause traffic impact. |
|
|
ASA upgrade failing from 9.20.2.21 to the target version 9.20.3.4 |
|
|
Bind ESP to VTI Tunnel Source Interface To Avoid Additional Route-Lookup Post Encryption |
|
|
FTD cluster to traceback and reload after extended PAT is enabled |
|
|
ASA/FTD may traceback and reload in Thread Name 'ldap_client_thread' |
|
|
FTD reload with traceback on swapcontext function |
|
|
Syslog servers below in FTD logging send hostname info as per emblem config for first syslog server |
|
|
ASA/FTD may traceback and reload in Thread Name 'cli_xml_request_process'. |
|
|
Memory fragmentation resulted in huge pages unavailable for lina |
|
|
Admin users are prompted to change local password when authenticating to external server |
|
|
HA would bring data interfaces up while moving from cold standby to failed state |
|
|
ASA may traceback and reload in Thread Name 'ssh' |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Web Services Denial of Service Vulnerability |
|
|
FTD: Management0/0 status went down, line protocol is up after upgrade |
|
|
GTPv2 IE-type 157 (Signaling Priority Indication) is dropped with reason as unknown IE type |
|
|
Frequent route updates causes routes to get removed causing outages |
|
|
ASA booting process may freeze when including 'no pim' or 'no igmp' config |
|
|
FTD/ASA May Traceback and Reload - During Deployment / Radius changes - Due to Radius Packets |
|
|
Jumbo frame packets are being fragmented |
|
|
Radius user ssh login fails with error: username is not defined with a service type that is valid |
|
|
FTD may traceback and reload in Thread Name "FPRLI_FPR4K-SM-32" |
|
|
Traceback and reload in Thread Name Datapath |
|
|
Monitored interfaces may go in waiting state after upgrade to 9.20.3.7 |
|
|
Firewall not initiating TCP request even after receiving the TC bit set in DNS response |
|
|
Multiple Unicorn Admin Handler processes consume all the control plane CPU. |
|
|
Primary FTD instance MAC address is not updated correctly in FXOS during failover |
|
|
NAT divert for 8305 on standby not updating post failover causing the Primary, standby FTD to show offline on FMC |
|
|
SNMP walk results in ASCII value for IPSEC Peer instead of an IP address. |
|
|
FTD Deployment Resilience: Skip non-critical / non-existing commands to avoid deployment failures. |
|
|
HA should prevent honouring failover requests while copy/config-sync/rollback is in progress |
|
|
MI: Traffic fails to reach the Secondary FTD when enabled with data-sharing interface |
|
|
MI: Vlan info is not applied at FXOS level when Virtual MAC is configured |
|
|
ASA traceback and reload in freeb_core_local_internal |
|
|
Implementing forwarder flow on non-owner units handling distributed secondary flow connections |
|
|
FXOS - Download command generates an extra "/" over HTTP and HTTPS GET requests |
|
|
S2S VPN tunnel Child SA unsuccessful renegotiation |
|
|
ASA 21xx: 'sh environment temperature' shows incorrect temperature values |
|
|
LINA may observe random traceback with Netflow configured |
|
|
Critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100 |
|
|
Tracebacks observed in a cluster member running ASA 9.20.3.4 |
|
|
FCM GUI became inaccessible after upgrading to ASA 9.18.4.22 | FPR 2130 Platform Mode |
|
|
Traceback in thread name Lina on configuring arp permit-nonconnected with BVI |
|
|
ASA: floating-conn not closing UDP conns if conn was created without ARP entry for next hop |
|
|
Addressing CVEs reported in unicorn zlib library |
|
|
show blocks old core local can lead to unexpected reload. |
|
|
Asia/Bangkok timezone option not listed in ASA running on firepower1k |
|
|
Banner motd does not display when configured |
|
|
SSH works in admin context but doesn't work in any user context after changing ssh key-exchange |
|
|
Unreachable LDAP/AD referrals may cause delays or timeouts in external authentication on FTD |
|
|
Need the SVC Rx/Tx queue as a configurable option |
|
|
ISA3000 with ASA Refuses SSH Access If CiscoSSH is Enabled |
|
|
RTSP packets getting stuck in transmit queue leading to 9k blocks exhaustion. |
|
|
Traceback and Reload caused by Memory corruption with SNMP inspection enabled |
|
|
Lina traceback and reload due to "spin_lock_fair_mode_enqueue" |
|
|
core corruption still seen with switching to quick core feature |
|
|
High ASA/FTD memory usage due to polling of RA VPN related SNMP OIDs |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability |
|
|
WM-DT-7.7.0-40:: Observed switch config failed and switch Mac error on device console |
|
|
Occasionally, 'show chunkstat top-usage' output does not show all entries |
|
|
ASA/FTD may traceback and reload in Thread Name "DATAPATH" |
|
|
Generate syslog if received CRL is older than cached CRL |
|
|
Generate syslog if received CRL signature validation fails |
|
|
ASA: Traceback and Reload Under Thread Name SSH |
|
|
FTD generates syslog 430002 as VPN Routing without VPN hairpin |
|
|
FTD data unit in cluster experienced traceback and rebooted |
|
|
Debuggability: FP2100 port-channel interfaces flap after upgrade |
|
|
Snort3 trimming packets with invalid sequence number due to bad window size information received |
|
|
VNI source MTU is not IPv6 aware after upgrade if configured prior to upgrade |
|
|
Community lists should not throw an error until the last item in the list is being deleted |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Denial of Service Vulnerability |
|
|
ASA traceback and reload on DATAPATH thread due to memory corruption |
|
|
Serviceability Enhancement - Make FXOS disk errors more descriptive |
|
|
ASAv reloaded unexpectedly with traceback on Unicorn Proxy Thread |
|
|
Command authorization fallback to Local only works for priv 15 users. |
|
|
Active HA unit goes into failed state before peer unit gets into a ready state during snort failure |
|
|
SSL trustpoint with 4096 bit RSA keys not allowed by ASA if renewed via CLI |
|
|
Traceback and reload during the deployment after disabling FQDNs. |
|
|
Enabling debugs with EEM fails |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina_exec_startup_thread' |
|
|
Unable to rejoin data node in cluster after re-enabling mac-address auto in multi-context mode |
|
|
Port scan alerts not getting generated for custom configuration |
|
|
FTD sending "0.0.0.0" NAS-IP-Address attribute when authenticating/authorizing using Radius |
|
|
debug packet-condition does not work as expected |
|
|
Default Route Changes from Management0 to Management1 After Reload or Upgrade on FPR 4200 Series |
|
|
Enhance Debugging for add/update/withdraw of routes with neighbors |
|
|
Serviceability Enhancement - New 'show bgp internal' command for advanced debugging |
|
|
Traceback & Reload in thread named: DATAPATH-1-23988 during low memory condition |
|
|
Memory leak leading to split brain |
|
|
ARP is silently dropping packet for an unreachable next hop |
|
|
SecGW: Data node fails to join the cluster with cluster_ccp_make_rpc_call failed to clnt_call error |
|
|
Port-channel member interface flap renders it as an inactive member |
|
|
ASA may traceback and reload in Thread Name 'fover_parse' |
|
|
Traceback & Reload in Thread Name Unicorn Admin Handler |
|
|
Logging recipient-address not overriding the logging mail message severity levels |
|
|
DNS and default gateway are removed on FTD managed through data interface |
|
|
Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
|
|
Warwick Avenue: LLDP neighbours are not discovered if MGMT 1/2 interface is down |
|
|
Traffic failure due to 9344 blocks leak |
|
|
'${dsk_a} missing or inoperable. Rebooting Blade.' error does not specify missing or inoperable disk |
|
|
FTD: Large Delay in packets being inspected by snort |
|
|
Logical App Stuck in 'Start Failed' Due to checkSystemCPUs Failure |
|
|
FTD HA | Same MAC for port-channels causing network outage. |
|
|
snmp_logging_thread is utilizing high CPU in control plane |
|
|
FPR1010 Ethernet1/1 trunk port is not passing Vlan traffic after a reload |
|
|
FPR3100: The interface mac stuck issue seen with peer switch reloads or after upgrade |
|
|
BFD flap due to ASA not processing incoming BFD packets after unrelated BFD peers go down |
|
|
SNMP polling to chassis is unsuccessful with FTD Multi-instance in HA used as SNMP agent |
|
|
SNMP configuration is not applied consistently across same FTDs type and version |
|
|
Portscan event in FMC displays incorrect source/destination when set to 'low' setting |
|
|
Traceback in thread name DATAPATH when a unit is re-joining the cluster |
|
|
BFD packets are not dropped for single-hop BFD sessions received via alternate path |
|
|
Local user details not replicated to data nodes in a cluster setup. |
|
|
ASDM: Displays Error of Keypair already exists when adding an identity certificate. |
|
|
L3 Clustering where BGP immediately comes up while DATA node is still in bulk sync |
|
|
backout change preventing enabling clustering in FIPS mode |
|
|
Traffic does not match expected ACL when destination contains object-group type network-service |
|
|
ASAv restarts unexpectedly |
|
|
LINA stays inactive without reloading after traceback on non-CP thread |
|
|
ACL: ASA may show false "OOB Access-list config change detected" warning after AAA authorization command is applied |
|
|
ASA/FTD traceback and reload in function mp_percore |
|
|
ASA traceback and reload |
|
|
high CPU usage after ASA upgrade from 9.20.3.9 to 9.20.3.16 running on Hyper-V |
|
|
Wrong URL incorrectly displayed for file upload with Japanese text in file path for client-less VPN |
|
|
Negative value displayed for buffer drops when using " show cluster info load-monitor details" |
Resolved Bugs in Version 9.20(3)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
Remove Syslog Messages 852001 and 852002 in Firewall Threat Defense |
|
|
ASA may fail to create NAT rule for SNMP with: "error NAT unable to reserve ports." |
|
|
Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
|
|
Prevention of RSA private key leaks regardless of root cause. |
|
|
ASA traceback and reload on Datapath process |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASA/FTD: Improve GTP Inspection Logging |
|
|
ASA/FTD: GTP Inspection engine serviceability |
|
|
Write wrapper around "kill" command to log who is calling it |
|
|
FTD: CLISH slowness due to command execution locking LINA prompt |
|
|
ASA/FTD Cluster: Change "cluster replication delay" with max value increase from 15 to 50 sec |
|
|
Cisco ASA and FTD Remote Access SSL VPN Authentication Targeted Denial of Service Vulnerability |
|
|
Cisco ASA and FTD Remote Access SSL VPN Authentication Targeted Denial of Service Vulnerability |
|
|
Firewall rings may get stuck and cause packet loss when asp load-balance per-packet auto is used |
|
|
PSEQ (Power-Sequencer) firmware may not be upgraded with bundled FXOS upgrade |
|
|
ASA - The GTP inspection dropped the message 'Delete PDP Context Response' due to an invalid TEID=0 |
|
|
Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages |
|
|
ASA/FTD traceback and reload on thread DATAPATH |
|
|
ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls |
|
|
Management UI presents self-signed cert rather than custom CA signed one after upgrade |
|
|
Incorrect exit interface choose for VTI traffic next-hop |
|
|
Lina CiscoSSL upgrade to 1.1.1v and FOM 7.3a |
|
|
FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn |
|
|
SNMP is not working on the primary active ASA unit in multi-context environment |
|
|
Logging improvement for messages exchange between LinaConfigTool and xml server |
|
|
ASA: Traceback and reload when switching from single to multiple mode |
|
|
ASA/FTD: 1 Second failover delay for each NLP NAT rule |
|
|
ASA "pager line 25" command doesn't work as expected on few terminal applications |
|
|
FTD/ASA traceback and reload may occur when ssl packet debugs are enabled |
|
|
2100: Interfaces missing from FTD after removing interfaces as members of a port-channel |
|
|
ASA/FTD may traceback and reload in Thread Name 'dns_cache_timer' |
|
|
Message asa_log_client exited 1 time(s) seen multiple times |
|
|
After rebooting, the future date set on the FPR2100 platform is not reflected (set clock manually) |
|
|
ASA does not sent 'warmstart' snmp trap |
|
|
Fragmented UDP packet via MPLS tunnel reassemble fail |
|
|
NAT pool is not working properly despite is not reaching the 32k object ID limit. |
|
|
FTD Upgrade from 6.6.5 to 7.2.5 removing OGS causing rule expansion on boot |
|
|
LINA show tech-support fails to generate as part of sf_troubleshoot.pl (Troubleshoot file) |
|
|
Configuring and unconfiguring "match ip address test" may lead to traceback |
|
|
Firepower WCCP router-id changes randomly when VRFs are configured |
|
|
FTD: Traceback and Reload in Process Name: lina |
|
|
ASA: Traceback and reload when restore configuration using CLI |
|
|
WM DT - ASA in transparent mode doesn't send equal IPv6 Router Advertisement packets to all nodes |
|
|
Community string sent from router is not matching ASA |
|
|
ASA/FTD may traceback and reload due to watchdog time exceeding the default 15 seconds |
|
|
CSF 4200: PSU Fan speed is critical |
|
|
ASA traceback under match_partial_keyword during CPU profiling |
|
|
ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup |
|
|
ASA/FTD HA pair EIGRP routes getting flushed after failover |
|
|
ASA/FTD: Traceback and reload on thread name CP Crypto Result Processing |
|
|
In FPR4200/FPR3100-cluster observed core file ?core.lina? observed on device reboot. |
|
|
FTD: Traceback in threadname cli_xml_request_process |
|
|
Firewall shows misleading SCP file copy failure reasons |
|
|
crypto_archive file generated after the software upgrade. |
|
|
File copy via SCP using ciscossh stack fails with error "no such file or directory" |
|
|
Last Rule hit shows a hex value ahead of current time in ASA and ASDM |
|
|
Unexpected traceback on thread name Lina and device experienced reboot |
|
|
GTP connections, under certain circumstances do not get cleared on issuing clear conn. |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Datapath hogs causing clustering units to get kicked out of the cluster |
|
|
Management DNS Servers may be unreacheable if data interface is used as the gateway |
|
|
ASA: Traceback and reload during tests of High number of traffic flows and syslog messages |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-34-17852' |
|
|
FTD VMWare tracebacks at PTHREAD-3587 |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
FTD sends multiple replicated NetFlow records for the same flow event |
|
|
FTD 1120 standby sudden reboot |
|
|
SNMP Unresponsive when snmp-server host specified |
|
|
Traceback on FP2140 without any trigger point. |
|
|
Cross ifc access: Revert PING to old non-cross ifc behavior |
|
|
FTD upgrade failling on script 999_finish/999_zz_install_bundle.sh |
|
|
ASA - Traceback the standby device while HA sync ACL-DAP |
|
|
Certificate Encoding Issue when using AnyConnect cert Authentication/Authorisation |
|
|
ASA/FTD traceback and reload on thread DATAPATH |
|
|
FTD OSPFV3 IPV6 Routing: FTD is sending unsupported extended LSA request to neighbor routers |
|
|
Cisco ASA webvpn XSS Vulnerability |
|
|
ASA cluster traceback Thread Name: DATAPATH-8-17824 |
|
|
Hardware bypass not working as expected in FP3140 |
|
|
Config-url is accepting directory as the config file |
|
|
ASA/FTD - may traceback and reload in Thread Name 'Unicorn Proxy Thread' |
|
|
ASA traceback and reload during ACL configuration modification |
|
|
Cisco ASA and FTD Software Inactive-to-Active ACL Bypass Vulnerability |
|
|
Firewall traceback and reload due to SSH thread |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-13-6022' |
|
|
FTD/ASA may traceback and reload in PKI, syslog, during upgrade |
|
|
VPN load-balancing cluster encryption using Phase 2 deprecated ciphers |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to a watchdog in 9.16.3.23 code |
|
|
Cisco ASA Software and FTD Software SNMP Denial of Service Vulnerability |
|
|
ASA/FTD high memory usage due to SNMP caused by RAVPN OID polling |
|
|
FTD with may traceback in data-path during deployment when enabling TAP mode |
|
|
FailSafe admin password is not properly sync'd with system context enable pw |
|
|
ASA: The logical device may boot into failsafe mode because of an large configuration. |
|
|
Device/port-channel goes down with a core generated for portmanager |
|
|
ASA dropping IPSEC traffic incorrectly when "ip verify reverse-path" is configured |
|
|
ASA : Modifying a route-map in one context affects other contexts |
|
|
ASA SNMP OID cpmCPUTotalPhysicalIndex returning zero values instead of CPU index values |
|
|
LINA would randomly generate a traceback and reload on FPR-1K |
|
|
Stale asp entry for TCP 443 remains on standby after changing default port |
|
|
OSPF Redistribution route-map with prefix-list not working after upgrade |
|
|
PSU fan shows critical in show environment output while operating normally |
|
|
FTD ADI debugs may show incorrect server_group and/or realm_id for SAML-authenticated sessions |
|
|
ASA/FTD: SSL VPN Second Factor Fields Disappear |
|
|
Username-from-certificate secondary attribute is not extracted if the first attribute is missing |
|
|
ipv6 table flush exception when cli_firstboot installs bootstrap configuration multi instance |
|
|
ASA: Snmpwalk shows "No Such Instance" for the OID ceSensorExtThresholdValue |
|
|
TLS1.3: core decode points to tls_trk_try_switch_to_bypass_aux() |
|
|
use kill tree function in SMA instead of SIGTERM |
|
|
Detailed logging related to reason behind sub-interfce admin state change during operations |
|
|
Policy Apply failed moving from FDM to FMC |
|
|
Hairpinning of DCE/RPC traffic during the suboptimal lookup |
|
|
ASA/FTD: Traceback and reload when running show tech and under High Memory utilization condition |
|
|
Cisco Firepower Threat Defense Software TCP Snort 3 Detection Engine Bypass Vulnerability |
|
|
Radius traffic not passing after ASA upgrade 9.18.2 and above version. |
|
|
ASA/FTD may traceback and reload in Thread Name IKEv2 Daemon |
|
|
ASA traceback and reload on Thread Name: DATAPATH |
|
|
GTP inspection dropping packets with IE 152 due to header length being invalid for IE type 152 |
|
|
low memory/stress causing traceback in SNMP |
|
|
Snort3 traceback with fqdn traffics |
|
|
ASA/FTD: DNS Load Balancing with SAML does not work with VPN Load Balancing |
|
|
ASA/FTD: Cluster incorrectly generating syslog 202010 for invalid packets destined to PAT IP |
|
|
FTD drops double tagged BPDUs. |
|
|
FTDv may traceback and reload in Thread Name 'PTHREAD-3744' when changing interface status |
|
|
ASA traceback and reload on Thread Name: pix_flash_config_thread |
|
|
ASA|FTD Traceback & reload in thread name Datapath |
|
|
Their standalone FTD running 7.2.2 on FPR-4112 experienced a traceback on the SNMP module |
|
|
Service object-group protocol type mismatch error seen while access-list referencing already |
|
|
Unable to Synch more then 100 environment-data with data unit |
|
|
SSL protocol settings does not modify the FDM GUI certificate configuration or disable TLSv1.1 |
|
|
ASA/FTD : Port-channels remain down on Firepower 1010 devices after upgrade |
|
|
Interface fragment queue may get stuck at 2/3 of fragment database size |
|
|
Cut-Through Proxy feature spikes CP CPU with a flood of un-authenticated traffic |
|
|
ASA Traceback and reload on Thread Name "fover_parse" on Standby after Failover Group changes |
|
|
interface idb logging log rotation to FXOS logrotate utility |
|
|
RAVPN SAML: External browser gives misleading message when FTD/ASA fails to parse assertion |
|
|
Blocking SMB traffic with reason "Blocked by the firewall preprocessor" |
|
|
Multiple lina cores on 7.2.6 KP2110 managed by cdFMC |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
CVE-2023-51385 (Medium Sev) In ssh in OpenSSH before 9.6, OS command injection might occur if a us |
|
|
Debugs failed to be enabled on SSH session |
|
|
The SSH transport protocol with certain OpenSSH extensions, found in ... (CVE-2023-48795) |
|
|
ASA/FTD Traceback and reload related to SSL/DTLS traffic processing |
|
|
Null pointer dereference in SNMP that results in traceback and reload |
|
|
ASA/FTD may traceback and reload in Thread Name "appAgent_monitor_nd_thread" & Rip: _lina_assert. |
|
|
traceback and reload around function HA |
|
|
DHCPv6:ASA traceback on Thread Name: DHCPv6 CLIENT. |
|
|
WARN msg(speed not compatible, suspended) while creating port-channel on Victoria CE |
|
|
ASA/FTD may traceback and reload in Thread Name 'webvpn_task' |
|
|
Error logs generated for ssh access to ASA when eddsa is used as kex hostkey |
|
|
Continuous snmpd restarts observed if SNMP host is configured before the IP is configured |
|
|
ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsyned umbrella flow |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Intermittent Packet Losses When VTI Is Sourced From Loopback |
|
|
Firewall is in App Sync error in pseudo-standby mode and uses IPs from Active unit |
|
|
"Stream: TCP normalization error in NO_TIMESTAMP" is seen when SSL Policy decrypt all is used |
|
|
ASA/FTD traceback and reload in Thread Name: IKEv2 Daemon when moving from active to standby HA |
|
|
Standby FTD experiencing periodic traceback and reload |
|
|
Memory exhaustion due to absence of freeing up mechanism for tmatch |
|
|
Transparent firewall MAC filter does not capture frames with STP-UplinkFast dst MAC consistently |
|
|
FP2100/FP1000: ASA Smart licenses lost after reload |
|
|
ASDM connection lost issue is observed in ASAv device due to config issue |
|
|
IKEv2 client services is not getting enabled - XML profile is not downloaded |
|
|
FTD/Lina traceback and reload of HA pairs, in data path, after adding NAT policy |
|
|
Policy Deployment Fails when removing the Umbrella DNS Policy from Security Intelligence |
|
|
Incorrect Timezone Format on FTD When Configured via FXOS |
|
|
ASA CLI hangs with 'show run' on multiple SSH |
|
|
TLS Server Identify: 'show asp table socket' output shows multiple TLS_TRK entries |
|
|
Traceback and reload on Primary unit while running debugs over the SSH session |
|
|
Cisco ASA and FTD Software Command Injection Vulnerability |
|
|
FTD/ASA system clock resets to year 2023 |
|
|
Access to website via Clientless SSL VPN Fails |
|
|
ASA SNMP Polling Failure for environmental FXOS DME MIB (.1.3.6.1.4.1.9.9.826.2) |
|
|
"crypto ikev2 limit queue sa_init" resets after reboot |
|
|
FTD: Hostname Missing from Syslog Message |
|
|
FTD SNMP OID 1.3.6.1.4.1.9.9.109.1.1.1.1.7 always returns 0% for SysProc Average |
|
|
SSH/SNMP connections to non-admin contexts fail after software upgrade |
|
|
Chromium-based browsers have SSL connection conflicts when FIPS CC is enabled on the firewall. |
|
|
Cisco ASA and FTD FXOS CLI Root Privilege Escalation Vulnerability |
|
|
ASA traceback and reload after configuring capture on nlp_int_tap and deleting context |
|
|
FTD traceback assert in vni_idb_get_mode and reloaded |
|
|
Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
|
|
Policy deployment failure rollback didnt reconfigure the FTD devices |
|
|
ASA Checkheaps traceback while entering same engineID twice |
|
|
In Spoke dual ISP case if ISP2 is down, VTI tunnels related to ISP1 flapping. |
|
|
Intermittent loss of management traffic due to DHCP service failing to start |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH due to GTP Spin Lock Assertion |
|
|
ASA upgrade from 9.16 to 9.18 causing change in AAA ldap attribute values by adding extra slash '\' |
|
|
Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
|
|
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.1 |
|
|
FTD: HostScan scanning results not processed in version 7.4.1 |
|
|
ICMP replies randomly does not reaching the sender node when initiated from the node. |
|
|
Upload files through Clientless portal is not working as expected after the ASA upgrade |
|
|
FP 3100 MTU change on management interface is NOT persistent across reboots (returns to default MTU) |
|
|
The secondary device reloaded while rebooting the primary device. |
|
|
Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
|
|
Web Contents files appear as text/plain when they should be application/octet-stream |
|
|
Crypto IPSEC SA Output Showing NO SA ERROR With IPSEC Offload Enabled |
|
|
SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication |
|
|
Cisco ASA and FTD Software Dynamic Access Policies Denial of Service Vulnerability |
|
|
username containing '@' character works for asa login but fails for 'connect fxos' |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174' |
|
|
Cisco ASA and FTD NSG Access Control List Bypass Vulnerability |
|
|
FTD - Trace back and reload due to NAT involving fqdn objects |
|
|
ASA: Warning messages not displayed when Static interface NAT are configured |
|
|
FTDv reloads and generate backtrace after push EIGRP config |
|
|
FTD with Interface object optimization enabled is blocking traffic after renaming of zone names |
|
|
Active unit goes to disabled state when there is a mismatch in firewall mode |
|
|
Lina traceback and reload due to mps_hash_memory pointing to null hash table |
|
|
After upgrading the ASA, “Slot 1: ATA Compact Flash memory” shows a ditterent value |
|
|
Error when running 'show tech-support module detail' on FPR9K |
|
|
FTD/ASA : CSR generation with comma between “Company Name” attribute does not work expected |
|
|
Addition of debugs & a show command to capture the ID usage in the CTS SXP flow. |
|
|
TLS Secure Client sessions cannot be established on ASA 9.19 and 9.20 |
|
|
Clientless VPN users are unable to reach pages with HTTP Basic Authentication |
|
|
Format string exploit vulnerability in webvpn debugs |
|
|
ASA/FTD may traceback and reload while handling DTLS traffic |
|
|
IKEv2 tunnels flap due to fragmentation and throttling caused by multiple ciphers/proposal |
|
|
ASA/FTD Cluster memory exhaustion caused by NAT process during release of port blocks allocations |
|
|
Command to show counters for access-policy filtered with a source IP address gives incorrect result |
|
|
Multiple context interfaces fail to pass traffic |
|
|
ASA traceback with thread name SSH |
|
|
High latency observed on FPR3120 |
|
|
ASA/FTD may traceback in Threadname: **CTM KC FPGA stats handler** |
|
|
SNMP poll for some OIDs may cause CPU hogs and high latency can be observed for ICMP packets |
|
|
when set the route-map in route RIP on FTD, routes update is not working after FTD reload |
|
|
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability |
|
|
Cisco Secure Client Unable to complete connection. Cisco Secure Desktop not installed on the client. |
|
|
ASA traceback and reload when accessing file system from ASDM |
|
|
Cisco ASA and FTD VPN Web Client Services Cross-Site Scripting Vulnerabilities |
|
|
Crypto IPSEC Negotiation Failing At "Failed to compute a hash value" |
|
|
All IPV6 BGP routes configured in device flapping |
|
|
Radius secret key of over 14 characters for external authentication does not get deployed (FPR3100) |
|
|
ASA/FTD: A delay in an async crypto command induces a traceback and subsequently a reload. |
|
|
FPR3K loses connectivity to FMC via mgmt data interface on reboot of FPR3K |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to SCP/SSH process |
|
|
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-1-16803' |
|
|
Error message spammed to console on Firepower 2100 devices while enabling SSH config |
|
|
Snmpwalk throws Error messages #"snmp/error: truncating integer value > 32 bits" |
|
|
Console Access Stuck for ASAv hosted in CSP after Upgrade to 9.18.3.56 |
|
|
FTD/ASA-HA configs not in sync as the command sync process is sending configs with special chars |
|
|
ASA - Bookmarks on the WebVPN portal are unreachable after successful login. |
|
|
ASA may traceback and reload in Thread Name 'DATAPATH-21-16432' |
|
|
SNMP OID for CPUTotal1min omits snort cpu cores entries when polled |
|
|
FTD LINA Traceback and Reload idfw_proc Thread |
|
|
IP-SGT mappings on Lina-side are not being removed, when FMC pxGrid connection is disabled |
|
|
ASA/FTD may traceback and reload in Thread Name 'sdi_work' |
|
|
TLS Handshake Fails if Fragmented Client Hello Packet is Received Out of Order |
|
|
Seeing message "reg_fover_nlp_sessions: failover ioctl C_FOREG failed" |
|
|
High LINA CPU observed due to NetFlow configuration |
|
|
FTD may traceback and reload in process name lina while processing appAgent msg reply |
|
|
FTD HA: Traceback and reload in netsnmp_oid_compare_ll |
|
|
Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability |
|
|
Cisco Adaptive Security Appliance and Firepower Threat Defense TLS Denial of Service Vulnerability |
|
|
RAVPN: Failure to create SGT-IP mapping due to ID table exhaustion |
|
|
Browser redirects to logon page when the user clicks the WebVPN bookmark |
|
|
Cisco ASA and FTD Software IKEv2 VPN Denial of Service Vulnerability |
|
|
WebVPN connections stuck in CLOSEWAIT state |
|
|
ASA/FTD may traceback and reload in Thread Name PTHREAD |
|
|
FPR 21xx - Traceback in Process Name: lina-mps during normal operations |
|
|
ASA CLI hangs with 'show run' with multiple ssh sessions |
|
|
"set ip next-hop" line deleted from config at reload if IP address is matched to a NAME |
|
|
Clock skew between FXOS and Lina causes SAML assertion processing failure |
|
|
command to print the debug menu setting of service worker |
|
|
Traceback and reload on active unit due to HA break operation. |
|
|
SNMP polling of admin context mgmt interface fails to show all interfaces across all contexts |
|
|
Cisco Adaptive Security Virtual Appliance and Secure FTD Virtual SSL VPN DoS Vulnerability |
|
|
ASA/FTD incorrectly forwards extended community attribute after upgrade. |
|
|
Traffic drop with 'rule-transaction-in-progress' after failover with TCM cfgd in multi-ctx mode |
|
|
FTD doesn't send Type A query after receiving a refuse error from one DNS server in AAAA query. |
|
|
ESP sequence number of 0 being sent after SA establishment/rekey |
|
|
Add warning message when configuring CCL MTU |
|
|
Issue with Setting Certain Timezones (e.g. GMT+1) on Cisco ASA Firepower in Appliance Mode |
|
|
ENH: Add application support for blocking consecutive AAA failures on LINA |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Cisco ASA and FTD Software Remote Access VPN Denial of Service Vulnerability |
|
|
Address SSP OpenSSH regreSSHion vulnerability |
Resolved Bugs in Version 9.20(2)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
ASA concatenates syslog event to other syslog event while sending to the syslog server |
|
|
Lack of throttling of ARP miss indications to CP leads to oversubscription |
|
|
SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
|
|
ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low |
|
|
MFIB RPF failed counter instead of Other drops increments when outgoing interface list is Null |
|
|
ASA/FTD may traceback and reload during ACL changes linked to PBR config |
|
|
25G CU SFPs not working in Brentwood 8x25G netmod |
|
|
ASA/FTD: Command "no snmp-server enable oid mempool" enabled by default or enforced during upgrades |
|
|
multimode-tmatch_df_hijack_walk traceback observed during shut/unshut on FO connected switch interfa |
|
|
FPR 4115- primary unit lost all HA config after ftd HA upgrade |
|
|
Gateway is not reachable from standby unit in admin and user context with shared mgmt intf |
|
|
Deleting a BVI in FTD interfaces is causing packet drops in other BVIs |
|
|
Cisco Adaptive Security Virtual Appliance and Secure FTD Virtual SSL VPN DoS Vulnerability |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-1-1656 |
|
|
PortChannel sub-interfaces configured as data/data-sharing, in multi-instance HA go into "waiting" |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Lina core created during high traffic testing |
|
|
Cisco ASA Software and FTD Software SNMP Denial of Service Vulnerability |
|
|
KP - multimode: ASA traceback observed during HA node break and rejoin. |
|
|
ASA: "Ping <ifc_name> x.x.x.x" is not working as expected starting 9.18.x |
|
|
FTD running on FP1000 series might drop packets on TLS flows after the "Client Hello" message. |
|
|
FTDv: Traffic failure in VMware Deployments due to dpdk pool exhuastion and rx_buff_alloc_failure |
|
|
Very specific "vpn-idle-timeout" values cause continuous SSL session disconnects and reconnects |
|
|
ASAv in Hyper-V drops packets on management interface |
|
|
HA Serviceability Enh: Maintain HA NLP client stats and HA CTL NLP counters for current App-sync |
|
|
ASDM replaces custom policy-map with default map on class inspect options at backup restore. |
|
|
FP2130- Unable to disassociate member from port channel, deployment fails, member is lost on FTD/FMC |
|
|
KP: Cleanup/Reformat the second (MSP) disk on FTD reinstall |
|
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense DoS |
|
|
Traffic may be impacted if TLS Server Identity probe timeout is too long |
|
|
access-list: Cannot mix different types of access lists. |
|
|
ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk |
|
|
ASA/FTD client IP missing from TACACS+ request in SSH authentication |
|
|
Improper load-balancing for traffic on ERSPAN interfaces on FPR 3100/4200 |
|
|
PSEQ (Power-Sequencer) firmware may not be upgraded with bundled FXOS upgrade |
|
|
ECMP + NAT for ipsec sessions support request for Firepower. |
|
|
Priority-queue command causes silent egress packet drops on all port-channel interfaces |
|
|
ASA/FTD: Traceback and reload when issuing 'show memory webvpn all objects' |
|
|
DNS cache entry exhaustion leads to traceback |
|
|
FXOS SNMP "property community of sys/svc-ext/snmp-svc is out of range" is unclear to users |
|
|
ASA SNMP polling not working and showing "Unable to honour this request now" on show commands |
|
|
Reduce time taken to clear stale IKEv2 SAs formed after Duplicate Detection |
|
|
ASA traceback and reload on Thread Name: DHCPRA Monitor |
|
|
vFTD runs out of memory and goes to failed state |
|
|
ASA Traceback & reload on process name lina due to memory header validation |
|
|
KP2140-HA, reloaded primary unit not able to detect the peer unit |
|
|
ASA generating traceback with thread-name: DATAPATH-53-18309 after upgrade to 9.16.4.19 |
|
|
"show route all summary" executed on transparent mode FTD is causing CLISH to become Sluggish. |
|
|
Lina Crash in RAVPN interface with anomaly traffic in both non-FIPS and FIPS mode |
|
|
Failover: standby unit traceback and reload during modifying access-lists |
|
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
|
Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220 |
|
|
FP3110 7.2.4 Unexpected reboot of Firepower 3110 Device |
|
|
FTD: Traceback and reload during OSPF redistribution process execution |
|
|
FTD Lina engine may traceback, due to assertion, in datapath |
|
|
Add meaningful logs when the maximums system limit rules are hit |
|
|
Avoid both the devices in HA sends events to FMC |
|
|
FTD is dropping GRE traffic from WSA due to NAT failure |
|
|
Dumping of last 20 rmu request response packets failed |
|
|
ASA removes the IKEv2 Remote PSK if the Key String ends with a backslash "\" after reload |
|
|
ASA appliance mode - 'connect fxos [admin]' will get ERROR: failed to open connection. |
|
|
ASA: Checkheaps traceback and reload due to Clientless WebVPN |
|
|
FTD: Firepower 3100 Dynamic Flow Offload showing as Enabled |
|
|
Policy deployment fails when a route same prefix/metric is configured in a separate VRF. |
|
|
Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages |
|
|
WM RM - SFP port status of 9 follows port of state of SFP 10|11|12 |
|
|
switch ports in Trunk mode do not pass vlan traffic after power loss |
|
|
ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls |
|
|
ASA: Traceback and reload on Tread name "fover_FSM_thread" and ha_ntfy_prog_process_timer |
|
|
ECDSA Self-signed certificate using SHA384 for EC521 |
|
|
ASA|FTD: Traceback & reload due to a free buffer corruption |
|
|
FTD Lina traceback Thread Name: DATAPATH-3-11917 due to double free |
|
|
"failover standby config-lock" config is lost after both HA units are reloaded simultaneously |
|
|
OSPFv3 Traffic is Centralized in Transparent Mode |
|
|
FMC: ACP Rule with UDP port 6081 is getting removed after subsequent deployment |
|
|
Radius authentication stopped working after ASAv on AWS upgrade to any higher version than 9.18.2 |
|
|
ASA Traceback & reload on process name lina due to memory header validation - webvpn side fix |
|
|
ASDM application randomly exits/terminates with an alert message on multi-context setup |
|
|
ASA/FTD HA checkheaps crash where memory buffers are corrupted |
|
|
ASA omits port in host field of HTTP header of OCSP request if non-default port begins with 80 |
|
|
Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2 |
|
|
ASA traceback on Lina process with FREEB and VPN functions |
|
|
FTDv/AWS - NTP clock offset between Lina and FTD cluster |
|
|
ASA/FTD: Traceback and reload due to NAT change and DVTI in use |
|
|
ASA/FTD may traceback and reload in Thread Name "RAND_DRBG_bytes" and CTM function on n5 platforms |
|
|
ASA/FTD may traceback and reload in when changing capture buffer size |
|
|
FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn |
|
|
Lina crash in snp_fp_tcp_normalizer() when DAQ/Snort sends malformed L3 header |
|
|
Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output |
|
|
Include "show env tech" in FXOS FPRM troubleshoot |
|
|
ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple |
|
|
741 - HA & AppAgent - Long term solution for avoiding momentary split-brain situations |
|
|
ASA unexpected HA failover due to MIO blade heartbeat failure |
|
|
ASA traceback when re-configuring access-list |
|
|
PAC Key file missing on standby on reload |
|
|
FTD VMWare: High disk utilization on /dev/sda8 partition caused by file system corruption |
|
|
Connections are not cleared after idle timeout when the interfaces are in inline mode. |
|
|
Specific OID 1.3.6.1.2.1.25 should not be responding |
|
|
ASA/FTD may traceback and reload in Thread Name 'ssh' when adding SNMPV3 config |
|
|
FTD - Traceback and reload due to nat rule removed by CPU core |
|
|
ASDM management-sessions quota reached due to HTTP sessions stuck in CLOSE_WAIT |
|
|
FTD responding to UDP500 packet with a Mac Address of 0000.000.000 |
|
|
ASA "pager line 25" command doesn't work as expected on few terminal applications |
|
|
FTD hosted on KP incorrectly dropping decoded ESP packets if pre-filter action is analyze |
|
|
ASA/FTD: NAT64 error "overlaps with inside standby interface address" for Standalone ASA |
|
|
FTD Block 9344 leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
|
|
2100: Interfaces missing from FTD after removing interfaces as members of a port-channel |
|
|
ASA allows same BGP Dynamic routing process for Physical Data and management-only interfaces |
|
|
FTD: Failover/High Availability disabled with Mate version 0.0 is not compatible |
|
|
"show aaa-server" command always shows the Average round trip time 0ms. |
|
|
ASA/FTD may traceback and reload while running show inventory all |
|
|
ASA:Management access via IPSec tunnel is NOT working |
|
|
The FMC is showing "The password encryption key has not been set" alert for a 11xx/21xx/31xx device |
|
|
ASA: Traceback and reload during 6 nodes cluster synchronization after CCL link failure/recovery |
|
|
ASA/FTD traceback and reload with IPSec VPN, possibly involving upgrade |
|
|
Source NAT Rule performing incorrect translation due to interface overload |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' while processing DAP data |
|
|
Fragmented UDP packet via MPLS tunnel reassemble fail |
|
|
Multicast through the box traffic causing high CPU with 1GBps traffic |
|
|
FTD SNMPv3 host configuration gets deleted from IPTABLES after adding host-group configuration |
|
|
ASDM can not see log timestamp after enable logging timestamp on cli |
|
|
Configuring and unconfiguring "match ip address test" may lead to crash |
|
|
Cisco Firepower Threat Defense Software for Firepower 2100 Series TLS Denial of Service Vu |
|
|
Configuration to disable TLS1.3 |
|
|
ASA: Traceback and reload when restore configuration using CLI |
|
|
Timestamp entry missing for some syslog messages sent to syslog server |
|
|
Community string sent from router is not matching ASA |
|
|
spin lock and watch dog crash in kp 741-1146 - ctm_ipsec_get_sa_lock+112 |
|
|
Secondary lost failover communication on Inside, using IPv6, but next testing of Inside passes |
|
|
FXOS : Duplication of NTP entry results in Error message : Unreachable Or Invalid Ntp Server |
|
|
ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup |
|
|
File copy via SCP using ciscossh stack fails with error "no such file or directory" |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
CPOC: 4245 ASA Crashed with CPS test |
|
|
Cisco ASA and FTD Software Inactive-to-Active ACL Bypass Vulnerability |
|
|
ASA dropping IPSEC traffic incorrectly when "ip verify reverse-path" is configured |
|
|
OSPF Redistribution route-map with prefix-list not working after upgrade |
Resolved Bugs in Version 9.20(1)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Headline |
|---|---|
|
FTD traceback in Thread Name cli_xml_server when deploying QoS policy |
|
|
FTD - Flow-Offload should be able to coexist with Rate-limiting Feature (QoS) |
|
|
ERROR: Deleted IDB found in in-use queue - message misleading |
|
|
Primary node disconnected from VPN-Cluster when performed HA failover on Primary with DNS lookup |
|
|
Cisco ASA and FTD SSL VPN Memory Management Denial of Service Vulnerability |
|
|
ASA/FTD Traceback and reload in Process Name: lina |
|
|
ASA: The timestamp for all logs generated by Admin context are the same |
|
|
cache and dump last 20 rmu request response packets in case failures/delays while reading registers |
|
|
FTD on FP2100 can take over as HA active unit during reboot process |
|
|
ASAv high CPU and stack memory allocation errors despite over 30% free memory |
|
|
FTPS getting ssl3_get_record:bad record type during connection for KK and DR rules |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' ip routing ndbshr |
|
|
ASA HA failover triggers HTTP server restart failure and ASDM outage |
|
|
FPR1000 ASA/FTD: Primary takes active role after reloading |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASAv "Unable to retrieve license info. Please try again later" |
|
|
FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters |
|
|
ASA using WebVPN tracebacks in Unicorn thread during memory tracking |
|
|
ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT |
|
|
ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off |
|
|
AnyConnect SAML using external browser and round robin DNS intermittently fails |
|
|
Failover trigger due to Inspection engine in other unit has failed due to disk failure |
|
|
ASA/FTD: Using Round Robin with PAT rules on two or more interfaces breaks IP stickiness |
|
|
GTP drops not always logged on buffer and syslog |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' following policy deployment |
|
|
FPR1K FTD fails to form HA due to reason "Other unit has different set of hwidb index" |
|
|
ASA/FTD may traceback with large number of network objects deployment using distribute-list |
|
|
EIGRPv6 - Crashed with "mem_lock: Assertion mem_refcount' failed" on LINA. |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
standby unit using both active and standby IPs causing duplicate IP issues due to nat "any" |
|
|
User with no vpn-filter may get additional access when per-user-override is set |
|
|
DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA |
|
|
Deploying objects with escaped values in the description might cause all future deployments to fail |
|
|
Blade remains online for more than 600 secs after deleting Native logical device on 92.14.0 |
|
|
FPR 2100: 10G interfaces with 1G SFP goes down post reload |
|
|
fxos log rotate failing to cycle files, resulting in large file sizes |
|
|
ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread |
|
|
ASA - traceback and reload when Webvpn Portal is used |
|
|
Not able to ping Virtual IP of FTDv cluster |
|
|
ASA restore is not applying vlan configuration |
|
|
Unable to get polling results using snmp GET for connection rate OID’s |
|
|
ASA/FTD: Object Group Search Syslog for flows exceeding threshold |
|
|
FTD PDTS LINA RX queue can become stuck when snort send messages with 4085-4096 bytes size |
|
|
AWS: SSL decryption failing with Geneve tunnel interface |
|
|
FP2100: FXOS side changes for HA is not resilient to unexpected lacp process termination issue |
|
|
Need corrections in log_handler_file watchdog crash fix |
|
|
"show tech-support" generation does not include "show inventory" when run on FTD |
|
|
FTD Lina traceback and reload in Thread Name 'IP Init Thread' |
|
|
Misleading drop reason in "show asp drop" |
|
|
Clientless Accessing Web Contents using application/octet-stream vs text/plain |
|
|
Recursive panic under lina_duart_write |
|
|
Inline-pair's state could not able to auto recover from hardware-bypass to standby mode. |
|
|
ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade |
|
|
ASA: Standby may get stuck in "Sync Config" status upon reboot when there is EEM is configured |
|
|
ASA Connections stuck in idle state when DCD is enabled |
|
|
Cisco ASA and FTD AnyConnect SSL/TLS VPN Denial of Service Vulnerability |
|
|
FPR2100: Increase in failover convergence time with ASA in Appliance mode |
|
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum with all 0 checksum |
|
|
AC clients fail to match DAP rules due to attribute value too large |
|
|
Packets through cascading contexts in ASA are dropped in gateway context after software upgrade |
|
|
FP4125 2.10.1.166 FTD applications in HA went into not responding state |
|
|
Lina changes to support - Snort3 traceback in daq-pdts while handling FQDN based traffic |
|
|
QEMU KVM console got stuck in "Booting the kernel" page |
|
|
Port-channel interfaces of secondary unit are in waiting status after reload |
|
|
ASA/FTD may traceback and reload in idfw fqdn hash lookup |
|
|
FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
|
Fix Bootup Warning: Counter ID 'TLS13_DOWNSTREAM_CLIENT_CERTIFICATE_VERIFY' is too long |
|
|
S2S Tunnels do not come up due to DH computation failure caused by DSID Leak |
|
|
FPR3110 Fans' SN in label are different from show inventory cli output |
|
|
System Crash on ICMPv6 Option Processing |
|
|
ASA configured with HA may traceback and reload with multiple input/output error messages |
|
|
FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q |
|
|
LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage |
|
|
Microsoft SCEP enrollment fails to get ASA identity cert - Unable to verify PKCS7 |
|
|
ASA/FTD may traceback and reload in Thread Name 'telnet/ci' |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Observing some devcmd failures and checkheaps traceback when flow offload is not used. |
|
|
AWS ASAv PAYG Licensing not working in GovCloud regions. |
|
|
Traceback and reload when webvpn users match DAP access-list with 36k elements |
|
|
ASA/FTD: Traceback and Reload on Netflow timer infra |
|
|
Cut-Through Proxy does not work with HTTPS traffic |
|
|
Enhance logging mechanism for syslogs |
|
|
ASA/FTD NAT Pool Cluster allocation and reservation discrepancy between units |
|
|
Stratix5950 and ISA3000 LACP channel member SFP port suspended after reload |
|
|
ASA/FTD failure due to heartbeat loss between chassis and blade |
|
|
ASA/FTD may traceback and reload in logging_cfg processing |
|
|
Clientless VPN users are unable to download large files through the WebVPN portal |
|
|
Anyconnect users unable to connect when ASA using different authentication and authorization server |
|
|
Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob |
|
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
|
Primary ASA traceback upon rebooting the secondary |
|
|
ASA/FTD traceback and reload, Thread Name: rtcli async executor process |
|
|
Link Up seen for a few seconds on FPR1010 during bootup |
|
|
FTD: Unable to configure WebVPN Keepout or Certificate Map on FPR3100 |
|
|
ASA is unexpected reload when doing backup |
|
|
Cisco ASA and FTD AnyConnect Access Control List Bypass Vulnerability |
|
|
License Commands go missing in Cluster data unit if the Cluster join fails. |
|
|
FTD traceback and reload while deploying PAT POOL |
|
|
Need to provide rate-limit on "logging history <mode>" |
|
|
FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity |
|
|
FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces |
|
|
Cluster data unit drops non-VPN traffic with ASP reason "VPN reclassify failure |
|
|
FPR1120:connections are getting teardown after switchover in HA |
|
|
None option under trustpoint doesn't work when CRL check is failing |
|
|
FTD traceback and reload during policy deployment adding/removing/editing of NAT statements. |
|
|
FTD is dropping GRE traffic from WSA |
|
|
ASA binding with LDAP as authorization method with missing configuration |
|
|
ASA: Traceback and reload while processing SNMP packets |
|
|
High Lina memory use due to leaked SSL handles |
|
|
FTD - 'show memory top-usage' providing improper value for memory allocation |
|
|
FTD: IPSLA Pre-emption not working even when destination becomes reachable |
|
|
ASA/FTD Traceback and reload of Standby Unit while removing capture configurations |
|
|
[FTD Multi-Instance][SNMP] - CPU OIDs return incomplete list of associated CPUs |
|
|
ASA/FTD may traceback and reload in Thread Name: CTM Daemon |
|
|
256-byte memory block gets depleted on start if jumbo frame is enabled with FTD on ASA5516 |
|
|
Open AC VPN Agent" can connect to a Multi-Cert Auth TG using a single cert & username/password |
|
|
ASA/FTD may drop multicast packets due to no-mcast-intrf ASP drop reason until UDP timeout expires |
|
|
Multicast connection built or teardown syslog messages may not always be generated |
|
|
NTP polling frequency changed from 5 minutes to 1 second causes large useless log files |
|
|
8x10Gb netmod fails to come online |
|
|
ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured |
|
|
ASA Traceback & reload citing thread name: asacli/0 |
|
|
FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
|
|
ASA/FTD may traceback and reload after executing 'clear counters all' when VPN tunnels are created |
|
|
LINA traceback with icmp_thread |
|
|
The command "app-agent heartbeat" is getting removed when deleting any created context |
|
|
CLUSTER: ICMP reply arrives at director earlier than CLU add flow request from flow owner. |
|
|
FTD MI does not adjust PVID on vlans attached to BVI |
|
|
ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo |
|
|
ASA/FTD Show chunkstat top command implementation |
|
|
ASA/FTD might traceback in funtion "snp_fp_l2_capture_internal" due to cf_reinject_hide flag |
|
|
Workaround to set hwclock from ntp logs on low end platforms |
|
|
ASA/FTD: High failover delay with large number of (sub)interfaces and http server enabled |
|
|
Multiple traceback seen on standby unit. |
|
|
Stale IKEv2 SA formed during simultaneous IKE SA handling when missing delete from the peer |
|
|
FDM WM-HA ssh is not working after upgrading 7.2.3 beta with data interface as management |
|
|
ASA: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
|
|
FP2100:Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames |
|
|
Syslog ASA-6-611101 is generated twice for a single ssh connection |
|
|
User with no vpn-filter may get additional access when per-user-override is set (IKEv2 RAVPN) |
|
|
FTD upgrade from 7.0 to 7.2.x and beyond crashes due to management-access enabled |
|
|
ASA/FTD drops traffic to BVI if floating conn is not default value due to no valid adjacency |
|
|
SNMP on SFR module goes down and won't come back up |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
SSL decrypted conns fails when tx chksum-offload is enabled with the egress interface a pppoe. |
|
|
FTD on FPR2140 - Lina traceback and reload by TCP normalization |
|
|
Memory leak observed on ASA/FTD when logging history is enabled |
|
|
ASA/FTD: Revision of cluster event message "Health check detected that control left cluster" |
|
|
FTD: "timeout floating-conn" not operating as expected for connections dependent on VRF routing |
|
|
ASA/FTD reboots due to traceback pointing to watchdog timeout on p3_tree_lookup |
|
|
FTD Traceback and reload on Thread Name "NetSnmp Event mib process" |
|
|
PIM register packets are not sent to RP after a reload if FTD uses a default gateway to reach the RP |
|
|
ASA Multicontext 'management-only' interface attribute not synced during creation |
|
|
New context subcommands are not replicated on HA standby when multiple sessions are opened. |
|
|
Policy Deploy Failing when trying to remove Umbrella DNS Connector Configuration |
|
|
ASA/FTD traceback in snp_tracer_format_route |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' due to due to tcp intercept stat |
|
|
ASA/FTD: Ensure flow-offload states within cluster are the same |
|
|
Need fault/error for invalid firmware MF-111-234949 |
|
|
ASA/FTD may traceback and reload |
|
|
ASA: Prevent SFR module configuration on unsuported platforms |
|
|
The command "neighbor x.x.x.x ha-mode graceful-restart" removed when deleting any created context |
|
|
FP2100 series devices might use excessive memory if there is a very high SNMP polling rate |
|
|
KP Generating invalid core files which cannot be decoded 7.2.4-64 |
|
|
ASA - Standby device may traceback and reload during synchronization of ACL DAP |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Last fragment from SIP IPv6 packets has MF equal to 1, flagging that more packets are expected |
|
|
ASA / FTD Traceback and reload when removing isakmp capture |
|
|
Failover fover_trace.log file is flooding and gets overwritten quickly |
|
|
Multiple times the failover may be disabled by wrongly seeing a different "Mate operational mode". |
|
|
FTD 3100 Crash in Thead Name: CP Processing |
|
|
ASA/FTD may traceback and reload in Thread Name DATAPATH-3-21853 |
|
|
FTD LINA traceback and reload in Datapath thread after adding Static Routing |
|
|
Cross-interface-access: ICMP Ping to management access ifc over VPN is broken |
|
|
Interface remains DOWN in an Inline-set with propagate link state |
|
|
ASA/FTD: From-the-box ping fails when using a custom VRF |
|
|
ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers |
|
|
ASA/FTD may traceback and reload in Thread Name 'pix_flash_config_thread' |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
Default DLY value of port-channel sub interface mismatch with parent Portchannel |
|
|
ASA: Standby failure on parsing of "management-only" not reported to parser/failover subsystem |
|
|
health alert for [FSM:STAGE:FAILED]: external aaa server configuration |
|
|
ASA/FTD traceback and reload on thread DATAPATH-14-11344 when SIP inspection is enabled |
|
|
ASA/FTD traceback and reload due citing thread name: cli_xml_server in tm_job_add |
|
|
Serial number attribute from the subject DN of certificate should be taken as the username |
|
|
Notification Daemon false alarm of Service Down |
|
|
CVIM Console getting stuck in "Booting the kernel" page |
|
|
Username-from-certificate feature cannot extract the email attribute |
|
|
ASA: Standby failure on parsing of "management-only" for dynamic configuraiton changes |
|
|
ASA Traceback and reload in parse thread due ha_msg corruption |
|
|
ngfwManager process continuously restarting leading to ZMQ Out of Memory traceback |
|
|
FXOS REST API: Unable to create a keyring with type "ecdsa" |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina'. |
|
|
Cisco Adaptive Security Appliance Software SSH Remote Command Injection Vulnerability |
|
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
|
ASA not updating Timezone despite taking commands |
|
|
FTD DHCP Relay drops NACK if multiple DHCP Servers are configured |
|
|
Cisco ASA & FTD SAML Authentication Bypass Vulnerability |
|
|
ASA/FTD may traceback and reload in Thread Name 'lina' |
|
|
ASa/FTD: SNMP related traceback and reload immediately after upgrade from 6.6.5 to 7.0.1 |
|
|
ASA: Configurable CLU for Large amount of under/overruns on CLU RX/TX queues |
|
|
Observed ASA traceback and reload when performing hitless upgrade while VPN traffic running |
|
|
7.2.4 - Block depletion using single crafted UDP SIP register request |
|
|
traceback and reload thread datapath on process tcpmod_proxy_continue_bp |
|
|
Add knob to pause/resume file specific logging in asa log infra. |
|
|
FTD/ASA Hub and spoke (U-turn) VPN fails when one spoke is IPSec flow offloaded and the other isn't |
|
|
TCP ping is completely broken starting in 9.18.2 |
|
|
ASA/FTD may traceback and reload in Thread Name 'ci/console' |
|
|
Setting heartbeat timeout to 6sec for BS and QP |
|
|
ASA running out of SNMP PDU and SNMP VAR chunks |
|
|
Lina traceback and reload due to fragmented packets |
|
|
FTD : Traceback in ZMQ running 7.3.0 |
|
|
ASA sends OCSP request without user-agent and host |
|
|
ASA: After upgrade to 9.16.4 all type-8 passwords are lost on first reboot |
|
|
ASA Traceback and reload citing process name 'lina' |
|
|
traceback and reload in Process Name: lina related to Nat/Pat |
|
|
TCP normalizer needs stats that show actions like packet drops |
|
|
LDAP authentication over SSL not working for users that send large authorisation profiles |
|
|
ASA/FTD may traceback and reload in Thread Name '19', free block checksum failure |
|
|
ASA may traceback and reload in Thread Name 'DHCPv6 Relay' |
|
|
ASA/FTD: Traceback on thread name: snmp_master_callback_thread during SNMP and interface changes |
|
|
Cisco ASA and FTD AnyConnect Access Control List Bypass Vulnerability |
|
|
Unable to establish BGP when using MD5 authentication over GRE TUNNEL and FTD as passthrough device |
|
|
ASA/FTD: Connection information in SIP-SDP header remains untranslated with destination static Any |
|
|
FTD may fail to create a NAT rule with error: "IPv4 dst real obj address range is huge" |
|
|
Inconsistent log messages seen when emblem is configured and buffer logging is set to debug |
|
|
ASA in multi context shows standby device in failed stated even after MIO HB recovery. |
|
|
ASA integration with umbrella does not work without validation-usage ssl-server. |
|
|
ASA traceback and reload with the Thread name: **CP Crypto Result Processing** |
|
|
Firewall may drop packets when routing between global or user VRFs |
|
|
ASA access-list entries have the same hash after upgrade |
|
|
[IMS_7_4_0] - Virtual FDM Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby |
|
|
FTD: GRE traffic is load balanced between CPU cores |
|
|
AnyConnect Ikev2 Login Failed With certificate-group-map Configured |
|
|
ASA/FTD may traceback and reload citing process name "lina" |
|
|
Traceback in Thread Name: ssh/client in a clustered setup |
|
|
Lina crash in thread name: cli_xml_request_process during FTD cluster upgrade |
|
|
99.20.1.16 lina crash on nat_remove_policy_from_np |
|
|
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
|
|
VPN load-balancing cluster encryption using deprecated ciphers |
|
|
FTD username with dot fails AAA-RADIUS external authentication login after upgrade |
|
|
FTD/Lina - ZMQ issue OUT OF MEMORY. due to less Msglyr pool memory in low end platforms |
|
|
FTDv Single-Arm Proxy behind AWS GWLB drops due to geneve-invalid-udp-checksum. |
|
|
FMC 1600 process ssp_snmp_trap_fwdr high memory utilization |
|
|
Cisco ASA Software and FTD Software SAML Assertion Hijack Vulnerability |
|
|
ASA/FTD: Traceback and reload due to NAT L7 inspection rewrite |
Cisco General Terms
The Cisco General Terms (including other related terms) governs the use of Cisco software. You can request a physical copy from Cisco Systems, Inc., P.O. Box 641387, San Jose, CA 95164-1387. Non-Cisco software purchased from Cisco is subject to applicable vendor license terms. See also: https://cisco.com/go/generalterms.
Related Documentation
For additional information on the ASA, see Navigating the Cisco Secure Firewall ASA Series Documentation.
Feedback