Release Notes for the Cisco ASA Series, 9.5(x)

This document contains release information for Cisco ASA software Version 9.5(x).

Important Notes

  • Potential Traffic Outage (9.5(3) through 9.5(3.6))—Due to bug CSCvd78303, the ASA may stop passing traffic after 213 days of uptime. The effect on each network will be different, but it could range from an issue of limited connectivity to something more extensive like an outage. You must upgrade to a new version without this bug, when available. In the meantime, you can reboot the ASA to gain another 213 days of uptime. Other workarounds may be available. See Field Notice FN-64291 for affected versions and more information.

  • E-mail proxy commands deprecated—In ASA Version 9.5(2), the e-mail proxy commands (imap4s, pop3s, smtps) and subcommands are no longer supported.

  • CSD commands deprecated or migrated—In ASA Version 9.5(2), the CSD commands (csd image, show webvpn csd image, show webvpn csd, show webvpn csd hostscan, show webvpn csd hostscan image) are no longer supported.

    The following CSD commands will migrate: csd enable migrates to hostscan enable; csd hostscan image migrates to hostscan image.

  • Select AAA commands deprecated—In ASA Version 9.5(2), these AAA commands and subcommands (override-account-disable, authentication crack) are no longer supported.

  • The RSA toolkit version used in ASA 9.x is different from what was used in ASA 8.4, which causes differences in PKI behavior between these two versions.

    For example, ASAs running 9.x software allow you to import certificates with an Organizational Name Value (OU) field length of 73 characters. ASAs running 8.4 software allow you to import certificates with an OU field name of 60 characters. Because of this difference, certificates that can be imported in ASA 9.x will fail to be imported to ASA 8.4. If you try to import an ASA 9.x certificate to an ASA running version 8.4, you will likely receive the error, "ERROR: Import PKCS12 operation failed."

System Requirements

This section lists the system requirements to run this release.

ASA and ASDM Compatibility

For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.

New Features

This section lists new features for each release.


Note

New, changed, and deprecated syslog messages are listed in the syslog message guide.


New Features in ASA 9.5(3.9)/ASDM 7.6(2)

Released: April 11, 2017


Note

Version 9.5(3) was removed from Cisco.com due to bug CSCvd78303.


Feature

Description

Remote Access Features

Configurable SSH encryption and HMAC algorithm.

Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.

We introduced the following commands: ssh cipher encryption, ssh cipher integrity.

We introduced the following screen: Configuration > Device Management > Advanced > SSH Ciphers

Also available in 9.1(7) and 9.4(3).
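The following Python script is an added example, not Cisco code and not part of the original release notes. It audits a saved running-config for the SSH encryption ciphers the ASA will propose, using the default order quoted above when no ssh cipher encryption line is present. Assumptions: the sample configurations are constructed, a custom list is colon-delimited, the non-custom level keyword in the last sample is illustrative, and the CTR-only policy and the function names are choices made for this example.

```python
"""Audit an ASA running-config for the SSH encryption ciphers it proposes."""
import re

# Default proposal order, as listed in the release note above.
ASA_DEFAULT_ORDER = [
    "3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
]

# "ssh cipher encryption <level> [<list>]"; lines starting with "no" do not match.
CIPHER_LINE = re.compile(r"^\s*ssh cipher encryption\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample configurations (not taken from a real device).
CFG_DEFAULT = """\
hostname fw-example
ssh 192.0.2.0 255.255.255.0 management
ssh timeout 10
"""
CFG_CUSTOM_CBC = CFG_DEFAULT + "ssh cipher encryption custom aes128-cbc\n"
CFG_CUSTOM_CTR = CFG_DEFAULT + "ssh cipher encryption custom aes256-ctr:aes128-ctr\n"
# Assumption: a level keyword other than "custom" (here "medium") selects a preset.
CFG_PRESET = CFG_DEFAULT + "ssh cipher encryption medium\n"


def effective_ciphers(running_config):
    """Return (source, ciphers); ciphers is None when a preset level is set."""
    source, ciphers = "default", list(ASA_DEFAULT_ORDER)
    for line in running_config.splitlines():
        m = CIPHER_LINE.match(line)
        if not m:
            continue
        level, arg = m.groups()
        if level == "custom" and arg:
            # Assumption: the custom list is colon-delimited, e.g. a:b:c.
            source, ciphers = "custom", [c for c in arg.split(":") if c]
        else:
            # Preset contents are not on the page, so they are not expanded.
            source, ciphers = "preset:" + level, None
    return source, ciphers


def audit_ssh_ciphers(running_config):
    """Flag 3des-cbc and CBC-mode proposals and suggest a CTR-only list."""
    source, ciphers = effective_ciphers(running_config)
    if ciphers is None:
        note = "preset level in use; review the resulting list on the device"
        return {"source": source, "ciphers": None,
                "findings": [("preset", note)], "suggested": None}

    findings = []
    if ciphers and ciphers[0] == "3des-cbc":
        findings.append(("3des-first",
                         "3des-cbc is proposed first; slowest choice per the note"))
    elif "3des-cbc" in ciphers:
        findings.append(("3des-offered", "3des-cbc is still proposed"))
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    if cbc:
        findings.append(("cbc-offered", "CBC-mode ciphers proposed: " + ", ".join(cbc)))
    unknown = [c for c in ciphers if c not in ASA_DEFAULT_ORDER]
    if unknown:
        findings.append(("unknown", "not in the documented list: " + ", ".join(unknown)))

    suggested = None
    if findings:
        # Example policy (an assumption): keep only the documented CTR ciphers.
        keep = [c for c in ASA_DEFAULT_ORDER if c.endswith("-ctr")]
        suggested = "ssh cipher encryption custom " + ":".join(keep)
    return {"source": source, "ciphers": ciphers,
            "findings": findings, "suggested": suggested}


if __name__ == "__main__":
    samples = [("default", CFG_DEFAULT), ("custom-cbc", CFG_CUSTOM_CBC),
               ("custom-ctr", CFG_CUSTOM_CTR), ("preset", CFG_PRESET)]
    for name, cfg in samples:
        result = audit_ssh_ciphers(cfg)
        print(name, result["source"], [code for code, _ in result["findings"]])
        if result["suggested"]:
            print("  suggested:", result["suggested"])
```

Confirm that every SSH and SCP client used for management supports the remaining ciphers before applying a stricter list.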

New Features in ASAv 9.5(2.200)/ASDM 7.5(2.153)

Released: January 28, 2016


Note

This release supports only the ASAv.


Feature

Description

Platform Features

Microsoft Azure support on the ASAv10

Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V Hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.

Licensing Features

Permanent License Reservation for the ASAv

For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv.

Note 

Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it.

We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return

No ASDM support.

Smart Agent Upgrade to v1.6

The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.

Note 

If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force command (ASDM: Configuration > Device Management > Licensing > Smart Licensing page with the Force registration option); obtain the ID token from the Smart Software Manager.

We introduced the following commands: show license status, show license summary, show license udi, show license usage

We modified the following commands: show license all, show tech-support license

We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration

We did not change any screens.

New Features in ASA 9.5(2.1)/ASDM 7.5(2)

Released: December 14, 2015


Note

This release supports only the ASA on the Firepower 9300.


Feature

Description

Platform Features

VPN support for the ASA on the Firepower 9300

With FXOS 1.1.3, you can now configure VPN features.

Firewall Features

Flow off-load for the ASA on the Firepower 9300

You can identify flows that should be off-loaded from the ASA and switched directly in the NIC (on the Firepower 9300). This provides improved performance for large data flows in data centers.

Also requires FXOS 1.1.3.

We added or modified the following commands: clear flow-offload, flow-offload enable, set-connection advanced-options flow-offload, show conn detail, show flow-offload.

We added or modified the following screens: Configuration > Firewall > Advanced > Offload Engine, the Rule Actions > Connection Settings tab when adding or editing rules under Configuration > Firewall > Service Policy Rules.

High Availability Features

Inter-chassis clustering for 6 modules, and inter-site clustering for the ASA on the Firepower 9300

With FXOS 1.1.3, you can now enable inter-chassis, and by extension inter-site clustering. You can include up to 6 modules in up to 6 chassis.

We did not modify any commands.

We did not modify any screens.

Licensing Features

Strong Encryption (3DES) license automatically applied for the ASA on the Firepower 9300

For regular Cisco Smart Software Manager users, the Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 9300.

Note 

If you are using the Smart Software Manager satellite deployment, to use ASDM and other strong encryption features, after you deploy the ASA you must enable the Strong Encryption (3DES) license using the ASA CLI.

This feature requires FXOS 1.1.3.

We removed the following command for non-satellite configurations: feature strong-encryption

We modified the following screen: Configuration > Device Management > Licensing > Smart License

New Features in ASA 9.5(2)/ASDM 7.5(2)

Released: November 30, 2015

Feature

Description

Platform Features

Cisco ISA 3000 Support

The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model comes with the ASA Firepower module pre-installed. Special features for this model include a customized transparent mode default configuration, as well as a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power.

We introduced the following command: hardware-bypass, hardware-bypass manual, hardware-bypass boot-delay

We modified the following screen: Configuration > Device Management > Hardware Bypass

Also in Version 9.4(1.225).

Firewall Features

DCERPC inspection improvements and UUID filtering

DCERPC inspection now supports NAT for OxidResolver ServerAlive2 opnum5 messages. You can also now filter on DCERPC message universally unique identifiers (UUIDs) to reset or log particular message types. There is a new DCERPC inspection class map for UUID filtering.

We introduced the following command: match [not] uuid. We modified the following command: class-map type inspect.

We added the following screen: Configuration > Firewall > Objects > Class Maps > DCERPC.

We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > DCERPC.

Diameter inspection

You can now inspect Diameter traffic. Diameter inspection requires the Carrier license.

We introduced or modified the following commands: class-map type inspect diameter, diameter, inspect diameter, match application-id, match avp, match command-code, policy-map type inspect diameter, show conn detail, show diameter, show service-policy inspect diameter, unsupported

We added or modified the following screens:

Configuration > Firewall > Objects > Inspect Maps > Diameter and Diameter AVP

Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol Inspection tab

SCTP inspection and access control

You can now use the SCTP protocol and port specifications in service objects, access control lists (ACLs) and access rules, and inspect SCTP traffic. SCTP inspection requires the Carrier license.

We introduced the following commands: access-list extended, clear conn protocol sctp, inspect sctp, match ppid, nat static (object), policy-map type inspect sctp, service-object, service, set connection advanced-options sctp-state-bypass, show conn protocol sctp, show local-host connection sctp, show service-policy inspect sctp, timeout sctp

We added or modified the following screens:

Configuration > Firewall > Access Rules add/edit dialogs

Configuration > Firewall > Advanced > ACL Manager add/edit dialogs

Configuration > Firewall > Advanced > Global Timeouts

Configuration > Firewall > NAT add/edit static network object NAT rule, Advanced NAT Settings dialog box

Configuration > Firewall > Objects > Service Objects/Groups add/edit dialogs

Configuration > Firewall > Objects > Inspect Maps > SCTP

Configuration > Firewall > Service Policy add/edit wizard's Rule Actions > Protocol Inspection and Connection Settings tabs

Carrier Grade NAT enhancements now supported in failover and ASA clustering

For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888). This feature is now supported in failover and ASA cluster deployments.

We modified the following command: show local-host

We did not modify any screens.

Captive portal for active authentication on ASA FirePOWER 6.0.

The captive portal feature is required to enable active authentication using identity policies starting with ASA FirePOWER 6.0.

We introduced or modified the following commands: captive-portal, clear configure captive-portal, show running-config captive-portal.

High Availability Features

LISP Inspection for Inter-Site Flow Mobility

Cisco Locator/ID Separation Protocol (LISP) architecture separates the device identity from its location into two different numbering spaces, making server migration transparent to clients. The ASA can inspect LISP traffic for location changes and then use this information for seamless clustering operation; the ASA cluster members inspect LISP traffic passing between the first hop router and the egress tunnel router (ETR) or ingress tunnel router (ITR), and then change the flow owner to be at the new site.

We introduced or modified the following commands: allowed-eid, clear cluster info flow-mobility counters, clear lisp eid, cluster flow-mobility lisp, debug cluster flow-mobility, debug lisp eid-notify-intercept, flow-mobility lisp, inspect lisp, policy-map type inspect lisp, site-id, show asp table classify domain inspect-lisp, show cluster info flow-mobility counters, show conn, show lisp eid, show service-policy, validate-key

We introduced or modified the following screens:

Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration

Configuration > Firewall > Objects > Inspect Maps > LISP

Configuration > Firewall > Service Policy Rules > Protocol Inspection

Configuration > Firewall > Service Policy Rules > Cluster

Monitoring > Routing > LISP-EID Table

ASA 5516-X support for clustering

The ASA 5516-X now supports 2-unit clusters. Clustering for 2 units is enabled by default in the base license.

We did not modify any commands.

We did not modify any screens.

Configurable level for clustering trace entries

By default, all levels of clustering events are included in the trace buffer, including many low level events. To limit the trace to higher level events, you can set the minimum trace level for the cluster.

We introduced the following command: trace-level

We did not modify any screens.

Interface Features

Support to map Secondary VLANs to a Primary VLAN

You can now configure one or more secondary VLANs for a subinterface. When the ASA receives traffic on the secondary VLANs, it maps the traffic to the primary VLAN.

We introduced or modified the following commands: vlan secondary, show vlan mapping

We modified the following screens: Configuration > Device Setup > Interface Settings > Interfaces

Configuration > Device Setup > Interface Settings > Interfaces > Add Interface > General

Routing Features

PIM Bootstrap Router (BSR) support for multicast routing

The ASA currently supports configuring static RPs to route multicast traffic for different groups. For large complex networks where multiple RPs could exist, the ASA now supports dynamic RP selection using PIM BSR to support mobility of RPs.

We introduced the following commands: clear pim group-map, debug pim bsr, pim bsr-border, pim bsr-candidate, show pim bsr-router, show pim group-map rp-timers

We introduced the following screen: Configuration > Device Setup > Routing > Multicast > PIM > Bootstrap Router

Remote Access Features

Support for Remote Access VPN in multiple context mode

You can now use the following remote access features in multiple context mode:

  • AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)

  • Centralized AnyConnect image configuration

  • AnyConnect image upgrade

  • Context Resource Management for AnyConnect connections

Note 

The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.

We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect

We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class

Clientless SSL VPN offers SAML 2.0-based Single Sign-On (SSO) functionality

The ASA acts as a SAML Service Provider.

Clientless SSL VPN conditional debugging

You can debug logs by filtering, based on the filter condition sets, and can then better analyze them.

We introduced the following additions to the debug command:

  • [no] debug webvpn condition user <user name>

  • [no] debug webvpn condition group <group name>

  • [no] debug webvpn condition p-ipaddress <ipv4> [subnet<mask>]

  • [no] debug webvpn condition p-ipaddress <ipv6> [prefix<prefix>]

  • debug webvpn condition reset

  • show debug webvpn condition

  • show webvpn debug-condition

Clientless SSL VPN cache disabled by default

The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN cache provides better stability. If you want to enable the cache, you must manually enable it.


webvpn
   cache
      no disable

We modified the following command: cache

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > Content Cache

Licensing Features

Validation of the Smart Call Home/Smart Licensing certificate if the issuing hierarchy of the server certificate changes

Smart licensing uses the Smart Call Home infrastructure. When the ASA first configures Smart Call Home anonymous reporting in the background, it automatically creates a trustpoint containing the certificate of the CA that issued the Smart Call Home server certificate. The ASA now supports validation of the certificate if the issuing hierarchy of the server certificate changes; you can enable the automatic update of the trustpool bundle at periodic intervals.

We introduced the following command: auto-import

We modified the following screen: Configuration > Remote Access VPN > Certificate Management > Trusted Certificate Pool > Edit Policy

New Carrier license

The new Carrier license replaces the existing GTP/GPRS license, and also includes support for SCTP and Diameter inspection. For the ASA on the Firepower 9300, the feature mobile-sp command will automatically migrate to the feature carrier command.

We introduced or modified the following commands: feature carrier, show activation-key, show license, show tech-support, show version

We modified the following screen: Configuration > Device Management > Licensing > Smart License

Monitoring Features

SNMP engineID sync

In an HA pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID.

An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running config output will show two engineIDs per user.

We modified the following commands: snmp-server user, no snmp-server user

We did not add or modify any screens.

Also available in 9.4(3).

show tech support enhancements

The show tech support command now:

  • Includes dir all-filesystems output—This output can be helpful in the following cases:

    • SSL VPN configuration: check if the required resources are on the ASA

    • Crash: check for the date timestamp and presence of a crash file

  • Removes the show kernel cgroup-controller detail output—This command output will remain in the output of show tech-support detail.

We modified the following command: show tech support

We did not add or modify any screens.

Also available in 9.1(7) and 9.4(3).

logging debug-trace persistence

Formerly, when you enabled logging debug-trace to redirect debugs to a syslog server, if the SSH connection were disconnected (due to network connectivity or timeout), then the debugs were removed. Now, debugs persist for as long as the logging command is in effect.

We modified the following command: logging debug-trace

We did not modify any screens.

New Features in ASA 9.5(1.5)/ASDM 7.5(1.112)

Released: November 11, 2015

Feature

Description

Platform Features

Support for ASA FirePOWER 6.0

The 6.0 software version for the ASA FirePOWER module is supported on all previously supported device models.

Support for managing the ASA FirePOWER module through ASDM for the 5512-X through 5585-X.

You can manage the ASA FirePOWER module using ASDM instead of using Firepower Management Center (formerly FireSIGHT Management Center) when running version 6.0 on the module. You can still use ASDM to manage the module on the 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X when running 6.0.

No new screens or commands were added.

New Features in ASDM 7.5(1.90)

Released: October 14, 2015

Feature

Description

Remote Access Features

AnyConnect Version 4.2 support

ASDM supports AnyConnect 4.2 and the Network Visibility Module (NVM). NVM enhances the enterprise administrator’s ability to do capacity and service planning, auditing, compliance, and security analytics. The NVM collects the endpoint telemetry and logs both the flow data and the file reputation in the syslog and also exports the flow records to a collector (a third-party vendor), which performs the file analysis and provides a UI interface.

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile (a new profile called Network Visibility Service Profile)

New Features in ASAv 9.5(1.200)/ASDM 7.5(1)

Released: August 31, 2015


Note

This release supports only the ASAv.


Feature

Description

Platform Features

Microsoft Hyper-V supervisor support

Extends the hypervisor portfolio for the ASAv.

ASAv5 low memory support

The ASAv5 now only requires 1 GB RAM to operate. Formerly, it required 2 GB. For already-deployed ASAv5s, you should reduce the allocated memory to 1 GB or you will see an error that you are using more memory than is licensed.

New Features in ASA 9.5(1)/ASDM 7.5(1)

Released: August 12, 2015


Note

This version does not support the Firepower 9300 ASA security module or the ISA 3000.


Feature

Description

Firewall Features

GTPv2 inspection and improvements to GTPv0/1 inspection

GTP inspection can now handle GTPv2. In addition, GTP inspection for all versions now supports IPv6 addresses.

We modified the following commands: clear service-policy inspect gtp statistics, clear service-policy inspect gtp pdpmcb, clear service-policy inspect gtp request, match message id, show service-policy inspect gtp pdpmcb, show service-policy inspect gtp request, show service-policy inspect gtp statistics, timeout endpoint

We deprecated the following command: timeout gsn

We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > GTP

IP Options inspection improvements

IP Options inspection now supports all possible IP options. You can tune the inspection to allow, clear, or drop any standard or experimental options, including those not yet defined. You can also set a default behavior for options not explicitly defined in an IP options inspection map.

We introduced the following commands: basic-security, commercial-security, default, exp-flow-control, exp-measure, extended-security, imi-traffic-description, quick-start, record-route, timestamp

We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > IP Options

Carrier Grade NAT enhancements

For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888).

We introduced the following commands: xlate block-allocation size, xlate block-allocation maximum-per-host. We added the block-allocation keyword to the nat command.

We introduced the following screen: Configuration > Firewall > Advanced > PAT Port Block Allocation. We added Enable Block Allocation to the object NAT and twice NAT dialog boxes.

High Availability Features

Inter-site clustering support for Spanned EtherChannel in Routed firewall mode

You can now use inter-site clustering for Spanned EtherChannels in routed mode. To avoid MAC address flapping, configure a site ID for each cluster member so that a site-specific MAC address for each interface can be shared among a site’s units.

We introduced or modified the following commands: site-id, mac-address site-id, show cluster info, show interface

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration

ASA cluster customization of the auto-rejoin behavior when an interface or the cluster control link fails

You can now customize the auto-rejoin behavior when an interface or the cluster control link fails.

We introduced the following command: health-check auto-rejoin

We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Auto Rejoin

The ASA cluster supports GTPv1 and GTPv2

The ASA cluster now supports GTPv1 and GTPv2 inspection.

We did not modify any commands.

We did not modify any screens.

Cluster replication delay for TCP connections

This feature helps eliminate the “unnecessary work” related to short-lived flows by delaying the director/backup flow creation.

We introduced the following command: cluster replication delay

We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster Replication

Also available for the Firepower 9300 ASA security module in Version 9.4(1.152).

Disable health monitoring of a hardware module in ASA clustering

By default when using clustering, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.

We modified the following command: health-check monitor-interface service-module

We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring

Enable use of the Management 1/1 interface as the failover link on the ASA 5506H

On the ASA 5506H only, you can now configure the Management 1/1 interface as the failover link. This feature lets you use all other interfaces on the device as data interfaces. Note that if you use this feature, you cannot use the ASA Firepower module, which requires the Management 1/1 interface to remain as a regular management interface.

We modified the following commands: failover lan interface, failover link

We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup

Routing Features

Support for IPv6 in Policy Based Routing

IPv6 addresses are now supported for Policy Based Routing.

We introduced the following commands: set ipv6 next-hop, set default ipv6-next hop, set ipv6 dscp

We modified the following screens:

Configuration > Device Setup > Routing > Route Maps > Add Route Map > Policy Based Routing

Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause

VXLAN support for Policy Based Routing

You can now enable Policy Based Routing on a VNI interface.

We did not modify any commands.

We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Interface > General

Policy Based Routing support for Identity Firewall and Cisco Trustsec

You can configure Identity Firewall and Cisco TrustSec and then use Identity Firewall and Cisco TrustSec ACLs in Policy Based Routing route maps.

We did not modify any commands.

We modified the following screen: Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause

Separate routing table for management-only interfaces

To segregate and isolate management traffic from data traffic, the ASA now supports a separate routing table for management-only interfaces.

We introduced or modified the following commands: backup, clear ipv6 route management-only, clear route management-only, configure http, configure net, copy, enrollment source, name-server, restore, show asp table route-management-only, show ipv6 route management-only, show route management-only

We did not modify any screens.

Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) pass-through support

The ASA now allows PIM-SSM packets to pass through when you enable multicast routing, unless the ASA is the Last-Hop Router. This feature allows greater flexibility in choosing a multicast group while also protecting against different attacks; hosts only receive traffic from explicitly-requested sources.

We did not modify any commands.

We did not modify any screens.

Remote Access Features

IPv6 VLAN Mapping

ASA VPN code has been enhanced to support full IPv6 capabilities. No configuration change is necessary for the administrator.

Clientless SSL VPN SharePoint 2013 Support

Added support and a predefined application template for this new SharePoint version.

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks > Add Bookmark List > Select Bookmark Type > Predefined application templates

Dynamic Bookmarks for Clientless VPN

Added CSCO_WEBVPN_DYNAMIC_URL and CSCO_WEBVPN_MACROLIST to the list of macros when using bookmarks. These macros allow the administrator to configure a single bookmark that can generate multiple bookmark links on the clientless user’s portal and to statically configure bookmarks to take advantage of arbitrarily sized lists provided by LDAP attribute maps.

We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks

VPN Banner Length Increase

The overall banner length, which is displayed during post-login on the VPN remote client portal, has increased from 500 to 4000.

We modified the following command: banner (group-policy).

We modified the following screen: Configuration > Remote Access VPN > .... Add/Edit Internal Group Policy > General Parameters > Banner

Cisco Easy VPN client on the ASA 5506-X, 5506W-X, 5506H-X, and 5508-X

This release supports Cisco Easy VPN on the ASA 5506-X series and for the ASA 5508-X. The ASA acts as a VPN hardware client when connecting to the VPN headend. Any devices (computers, printers, and so on) behind the ASA on the Easy VPN port can communicate over the VPN; they do not have to run VPN clients individually. Note that only one ASA interface can act as the Easy VPN port; to connect multiple devices to that port, you need to place a Layer 2 switch on the port, and then connect your devices to the switch.

We introduced the following commands: vpnclient enable, vpnclient server, vpnclient mode, vpnclient username, vpnclient ipsec-over-tcp, vpnclient management, vpnclient vpngroup, vpnclient trustpoint, vpnclient nem-st-autoconnect, vpnclient mac-exempt

We introduced the following screen: Configuration > VPN > Easy VPN Remote

Monitoring Features

Show invalid usernames in syslog messages

You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.

We introduced the following command: no logging hide username

We modified the following screen: Configuration > Device Management > Logging > Syslog Setup

This feature is also available in 9.2(4) and 9.3(3).

REST API Features

REST API Version 1.2.1

We added support for the REST API Version 1.2.1.

Upgrade the Software

This section provides the upgrade path information and a link to complete your upgrade.

ASA Upgrade Path

To view your current version and model, use one of the following methods:

  • CLI—Use the show version command.

  • ASDM—Choose Home > Device Dashboard > Device Information.

See the following table for the upgrade path for your version. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.

| Current Version | Interim Upgrade Version | Target Version |
|---|---|---|
| 9.4(x) | - | Any of the following: → 9.5(x) → 9.4(x) |
| 9.3(x) | - | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) |
| 9.2(x) | - | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) |
| 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) | - | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 9.1(1) | → 9.1(2) | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 9.0(2), 9.0(3), or 9.0(4) | - | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 9.0(1) | → 9.0(2), 9.0(3), or 9.0(4) | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.6(1) | → 9.0(2), 9.0(3), or 9.0(4) | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.5(1) | → 9.0(2), 9.0(3), or 9.0(4) | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.4(5+) | - | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.4(1) through 8.4(4) | Any of the following: → 9.0(2), 9.0(3), or 9.0(4) → 8.4(6) | → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.3(x) | → 8.4(6) | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.2(x) and earlier | → 8.4(6) | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |

Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.


For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs in Version 9.5(x)

If you have a Cisco support contract, use the following dynamic search for all open bugs severity 3 and higher for Version 9.5(x):

The following table lists open bugs at the time of this Release Note publication.

| Caveat ID Number | Description |
|---|---|
| CSCto19832 | OpenLDAP needs to be upgraded or patched |
| CSCuv86562 | Traceback: ASA crash in thread name fover_health_monitoring_thread |
| CSCuw83618 | ASA5508X SSD LED always green even when SSD is removed |
| CSCux20294 | Free memory drops to 0 after clientless VPN Test |
| CSCux75565 | ASA/DOC: Spaces can be used in LDAP DN |
| CSCux85525 | XMLSoft libxml2 Encoding Conversion Denial of Service Vulnerability |
| CSCux85527 | XMLSoft libxml2 xmlParserInputGrow Function Denial of Service Vulnerab |
| CSCux85528 | XMLSoft libxml2 XML Entity Processing Denial of Service Vulnerability |
| CSCux85532 | XMLSoft libxml2 xmlNextChar Function Memory Corruption Vulnerability |
| CSCux85533 | XMLSoft libxml2 xmlParseXMLDecl Function Denial of Service Vulnerabili |
| CSCuy28172 | DOC: ASA IPV6 LAN-to-LAN VPNs is compatible with non-ASA peers |
| CSCuy47780 | 5508 and 5516 Devices may not boot 9.5.1 or later images |
| CSCuy85511 | libxml2 htmlParseNameComplex() Function Denial of Service Vulnerabilit |
| CSCuz05856 | XMLSoft libxml2 xmlStringGetNodeList Function Memory Exhaustion Denial |
| CSCuz67536 | Configuration retrieval from external server fails in multicontext mode |
| CSCuz81201 | ASA 5506 interface Counters & OIDs showing incorrect value for traffic! |
| CSCva32092 | OSPFv3/IPv6 flapping every 30 min between ASA cluster and 4500 |
| CSCva39094 | ASA traceback in CLI thread while making MPF changes |
| CSCva46651 | ASAv Azure: ASAv not responding or passing traffic |
| CSCva52514 | ASAv-Azure: waagent may reload when asav deployed with load balancer |
| CSCva62667 | Shut down interfaces shows up in ASP routing table |
| CSCva69346 | Unable to relay DHCP discover packet from ASA when NAT is matched |
| CSCva70079 | SIP packets mangled when using TLS1.2 and ASA is server |
| CSCva72317 | Linux Kernel NULL Pointer Dereference Denial of Service Vulnerability |
| CSCva72318 | XMLSoft libxml2 XML Content Processing External Entity Expansion Vulne |
| CSCva72319 | XMLSoft libxml2 Format String Vulnerability |
| CSCva79278 | ASAv: TCP state bypass not matching the traffic required |
| CSCva84089 | ASA Crash Checkheap Free Buffer Corrupted |
| CSCva89342 | Interfaces get deleted on SFR during Multi-context HA configuration sync |
| CSCvb11599 | ASAv Azure: ASAv30 Anyconnect peer support. |
| CSCvb13690 | ASA : Botnet update fails with a lot of Errors |

Resolved Bugs

This section lists resolved bugs per release.

Resolved Bugs in Version 9.5(3.9)

The following table lists select resolved bugs at the time of this Release Note publication.

| Caveat ID Number | Description |
|---|---|
| CSCtw90511 | Packet captures cause CPU spike on Multi-Core platforms due to spin_lock |
| CSCuc11186 | ARP: Proxy IP traffic is hijacked. |
| CSCum70304 | FIPS self test power on fails - fipsPostDrbgKat |
| CSCum74032 | ASA traceback on standby when SNMP polling |
| CSCun21186 | ASA traceback when retrieving idfw topn user from slave |
| CSCup37416 | Stale VPN Context entries cause ASA to stop encrypting traffic |
| CSCup96099 | "show resource usage detail counter all 1" causes cpu hog |
| CSCuq80704 | ASA classifies TCP packets as PAWS failure incorrectly |
| CSCur87011 | ASA low DMA memory on low end ASA-X -5512/5515 devices |
| CSCus10787 | Transactional ACL commit will bypass security policy during compilation |
| CSCus16416 | Share licenses are not activated on failover pair after power cycle |
| CSCus37458 | ASA traceback in Thread name DATAPATH when handling multicast packet |
| CSCus53126 | ASA traffic not sent properly using 'traffic-forward sfr monitor-only' |
| CSCut10103 | ASA 5545x Upgrade to 9.2(2)4 causes Traceback in Thread Name SSL |
| CSCut14209 | Cisco ASA XML Denial of Service Vulnerability |
| CSCuu48197 | ASA: Stuck uauth entry rejects AnyConnect user connections |
| CSCuu50708 | ASA Traceback on 9.1.5.19 |
| CSCuv20449 | Traceback in Thread Name: ssh when using capture or continuous ping |
| CSCuv47191 | 9.5.1 - Crash in bcm_esw_init thread |
| CSCuv49446 | ASA traceback on Standby device during config sync in thread DATAPATH |
| CSCuv86562 | Traceback: ASA crash in thread name fover_health_monitoring_thread |
| CSCuw02009 | ASA - SSH sessions stuck in CLOSE_WAIT causing ASA to send RST |
| CSCuw19671 | ASA traceback while restoring backup configuration from ASDM |
| CSCuw28735 | Cisco ASA Software Version Information Disclosure Vulnerability |
| CSCuw39685 | ASA - Filtering HTTP via Websense or SFR may cause memory corruption |
| CSCuw44038 | Watchdog traceback in ldap_client_thread with large number of ldap grps |
| CSCuw48499 | QEMU coredump: qemu_thread_create: Resource temporarily unavailable |
| CSCuw51576 | SSH connections are not timed out on ASA (stuck in rtcli) |
| CSCuw55813 | Standby ASA traceback in Thread Name: EIGRP-IPv4 |
| CSCuw71147 | Traceback in Unicorn Proxy Thread, in http_header_by_name |
| CSCuw87331 | ASA: Traceback in Thread name DATAPATH-7-1918 |
| CSCuw90116 | ASA 9.4.1 traceback upon clearing and reconfiguring ACL |
| CSCuw92005 | Thread Name: DATAPATH-17-3095: ASA in Cluster Reloads Unexpectedly |
| CSCuw95262 | After some time flash operations fail and configuration can not be saved |
| CSCux00686 | Evaluate CVE-2015-6360 for libsrtp Denial of Service (DoS) |
| CSCux03626 | Traceback in thread name: Unicorn Proxy Thread |
| CSCux05081 | RSA 4096 key generation causes failover |
| CSCux07002 | ASA: assertion "pp->pd == pd" failed: file "main.c", line 192 |
| CSCux08783 | CWS: ASA does not append XSS headers |
| CSCux08838 | ASA: Traceback in Checkheaps |
| CSCux09181 | http-form authentication fails after 9.3.2 |
| CSCux09310 | ASA traceback when using an ECDSA certificate |
| CSCux10499 | Smart Tunnel starts and Java closes without any message |
| CSCux11440 | ASA traceback in Unicorn Proxy Thread |
| CSCux15273 | show memory indicates inaccurate free memory available |
| CSCux16427 | PBR incorrect route selection for deny clause |
| CSCux17527 | ASA memory leak related to Botnet |
| CSCux18455 | SNMP: Memory Leak Walking CISCO-ENHANCED-MEMPOOL-MIB |
| CSCux20178 | OSPF neighbor goes down after "reload in xx" commnad in 9.2 and later |
| CSCux21955 | ASA: FAILOVER not working with password encryption. |
| CSCux23659 | ASA 9.1.6.10 traceback after remove compact flash and execute dir cmd |
| CSCux29842 | Primary and Secondary ASA in HA is traceback in Thread Name:DataPath |
| CSCux29929 | ASA 9.4.2 traceback in DATAPATH |
| CSCux30780 | GTPv1 traceback in gtpv1_process_msg |
| CSCux33808 | ASA ERROR:FIPS Self-Test failure,fips_continuous_rng_test [-1:12:0:2:16] |
| CSCux35538 | Traceback in ctm_ssl_generate_key with DHE ciphers SSL VPN scaled test |
| CSCux36112 | PBR: Mem leak in cluster mode due to policy based route |
| CSCux37303 | Port-Channel Config on Gi 0/0 causes Boot Loop - FIPS related |
| CSCux37442 | Cisco signed certificate expired for WebVpn Port Forward Binary on ASA |
| CSCux41145 | Evaluation of pix-asa for OpenSSL December 2015 Vulnerabilities |
| CSCux42936 | ASA 9.5.1 traceback in Threadname Datapath due to SIP Inspection |
| CSCux43978 | DHCP Relay fails for cluster ASAs with long interface names |
| CSCux45179 | SSL sessions stop processing -"Unable to create session directory" error |
| CSCux47195 | ASA(9.5.2) changing the ACK number sent to client with SFR redirection |
| CSCux56111 | "no ipv6-vpn-addr-assign" CLI not working |
| CSCux59122 | ASA L7 policy-map comes into affect only if the inspection is re-applied |
| CSCux61257 | ASA: Traceback in Thread IP Address Assign |
| CSCux66866 | Traffic drop due to constant amount of arp on ASASM |
| CSCux69987 | ASA: Traceback on ASA device after adding FQDN objects in NAT rule |
| CSCux70784 | ASA traceback while viewing large ACL |
| CSCux70998 | Reload in Thread Name: IKE Daemon |
| CSCux71197 | "show resource usage" gives wrong number of routes after shut/no sh |
| CSCux72610 | ASA TACACS+: process tacplus_snd uses large percentage of CPU |
| CSCux72835 | ASA 9.5 - OCSP check using global routing table instead of management |
| CSCux81683 | ASA Traceback on Thread Name: Unicorn Admin Handler |
| CSCux82835 | Nat pool exhausted observed when enabling asp transactional-commit nat |
| CSCux86769 | VLAN mapping doesn't work when connection falls back to TLS |
| CSCux87457 | ASA traceback in Thread Name: https_proxy |
| CSCux88237 | ASA traceback in DATAPATH thread |
| CSCux92157 | ASA Traceback Assert in Thread Name: ssh_init with component ssh |
| CSCux93751 | Cisco ASA Linux Kernel Vulnerability - CVE-2016-0728 |
| CSCux94598 | ASA using a huge dynamic ACL may cause Anyconnect connectivity failures |
| CSCux96716 | ASA tracebacks when replicating Xlate to the standby/slave |
| CSCux98029 | ASA reloads with traceback in thread name DATAPATH or CP Processing |
| CSCuy00296 | Traceback in Thread: IPsec message handler |
| CSCuy01420 | ASA traceback in Thread Name: Unicorn Proxy Thread. |
| CSCuy01438 | ASA traceback with SIP inspection and SFR enabled in 9.5.2 |
| CSCuy03024 | ASA traceback and reload citing Thread Name: idfw_proc |
| CSCuy05949 | ASA: MAC address changes on active context when WRITE STANDBY is issued |
| CSCuy06125 | Re-adding context creates context without configs on some slaves |
| CSCuy07753 | Smart tunnel does not work since Firefox 32bit version 43 |
| CSCuy11281 | ASA: Assert traceback in version 9.4.2 |
| CSCuy11905 | ASA 5585 traceback when the User name is mentioned in the Access list |
| CSCuy13937 | ASA Watchdog traceback in CP Processing thread during TLS processing |
| CSCuy15636 | ASA may traceback with: DATAPATH-9-3101/DATAPATH-7-3145/DATAPATH-3-1685 |
| CSCuy21206 | Traceback when drop is enabled with diameter inspection and tls-proxy |
| CSCuy21287 | STBY ASA does't pass traffic via ASA-IC-6GE-SFP-B ifc after reload |
| CSCuy22561 | VPN Load-Balancing does not send load-balancing cert for IPv6 Address |
| CSCuy25163 | Cisco ASA ACL ICMP Echo Request Code Filtering Vulnerability |
| CSCuy32321 | Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt |
| CSCuy32728 | VPN LB stops working when cluster encryption is configured |
| CSCuy32964 | ASA Crash on cluster member or on standby member of failover pair after replication of conns |
| CSCuy34265 | ASA Access-list missing and losing elements after configuration change |
| CSCuy36897 | Can't navigate to OWA 2013 due to ssl errors |
| CSCuy40207 | Traceback: assertion "0" failed: file "ctm_daemon.c" |
| CSCuy41986 | OCSP validation fails when multiple certs in chain are verified |
| CSCuy42223 | BGP:Deployment failed with reason supported on management-only interface |
| CSCuy43839 | ASA reloads in thread name: DATAPATH while encrypting L2L packet |
| CSCuy44472 | BVI : Interface IPv6 address deleted from standby context on HA - A/A |
| CSCuy45475 | ASA : Configuration not replicated on mate if standby IP is missing |
| CSCuy47706 | Traceback at gtpv1_process_pdp_create_req |
| CSCuy50406 | Crash in proxyi_rx_q_timeout_timer |
| CSCuy51918 | Buffer overflow in RAMFS dirent structure causing traceback |
| CSCuy54567 | Evaluation of pix-asa for OpenSSL March 2016 |
| CSCuy55468 | Unicorn Proxy Thread causing CP contention |
| CSCuy57644 | ASAv sub-interface failing to send traffic with customised mac-address |
| CSCuy63642 | ASA 9.1(6) traceback processing outbound DTLS Packet |
| CSCuy66942 | Cisco ASA Software DHCP Relay Denial of Service vulnerability |
| CSCuy73652 | Traceback in thread name idfw when modifying object-group having FQDN |
| CSCuy74218 | Assert Traceback in Thread Name: DATAPATH on clustered packet reassembly |
| CSCuy78802 | orignial master not defending all GARP packets after cluster split brain |
| CSCuy80070 | OSPF routes not populating over L2L tunnel |
| CSCuy82905 | ASA crashes when global access-list config is cleared |
| CSCuy85243 | ASA traceback when receive Radius attribute with improper variable type |
| CSCuy87597 | ASA - Traceback in CP Processing Thread During Private Key Decryption |
| CSCuy90936 | ASA may stop responding to OSPF Hello packets |
| CSCuy95543 | Improve efficiency of malloc_avail_freemem() |
| CSCuy96391 | ASA clientless rewriter failure at 'CSCOPut_hash' function |
| CSCuz00077 | ASA 9.1.6.4 traceback with Thread Name: telnet/ci |
| CSCuz04534 | Memory leak in 112 byte bin when packet hits PBR and WCCP rules |
| CSCuz08625 | ASA traceback in SSH thread |
| CSCuz09255 | ASA does not respond to NS in Active/Active HA |
| CSCuz09394 | infinite loop in JS rewriter state machine when return followed by var |
| CSCuz10371 | ASA Traceback and reload by strncpy_sx.c |
| CSCuz14600 | Kenton 9.5.1'boot system/boot config' commands not retained after reload |
| CSCuz14808 | 5585-10 traceback in Thread Name: idfw_proc |
| CSCuz16398 | Incorrect modification of NAT divert table. |
| CSCuz16565 | 9.6.2 EST - assertion "0" failed: file "snp_vxlan.c" |
| CSCuz21068 | CSCOPut_hash can initiate unexepected requests |
| CSCuz21178 | ASA traceback in threadname ssh |
| CSCuz23354 | CPU usage is high after timer dequeue failed in GTP |
| CSCuz28000 | Context config may get rejected if all the units in Cluster reloaded |
| CSCuz30425 | Network command disappears from BGP after reload with name |
| CSCuz33255 | Traceback in IKEv2 Daemon with 20+ second CPU hog. |
| CSCuz36938 | Traceback on editing a network object on exceeding the max snmp hosts |
| CSCuz38115 | ASA Tback when large ACL applied to interface with object-group-search |
| CSCuz38180 | ASA: Page Fault traceback in DATAPATH on standby ASA after booting up |
| CSCuz38888 | WebVPN rewrite fails for MSCA Cert enrollment page / VBScript |
| CSCuz40081 | ASA memory leak due to vpnfo |
| CSCuz40793 | Interfaces get deleted on SFR during HA configuration sync |
| CSCuz42390 | ASA Stateful failover for DRP works intermittently |
| CSCuz44687 | Traceback data path self deadlock panic while attempt to get spin lock |
| CSCuz44968 | Commands not installed on Standby due to parser switch |
| CSCuz47295 | Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability |
| CSCuz52474 | Evaluation of pix-asa for OpenSSL May 2016 |
| CSCuz54193 | ASA: Traceback on ASA in Datapath as we enable SFR traffic redirection |
| CSCuz54545 | ASA Address not mapped traceback - configuring snmp-server host |
| CSCuz61092 | Interface health-check failover causes OSPF not to advertise ASA as ABR |
| CSCuz63531 | Observing Memory corruption, assert for debug ospf |
| CSCuz64603 | GTP traceback at gtp_update_sig_conn_timestamp while processing data |
| CSCuz66661 | ASA Cut-through Proxy inactivity timeout not working |
| CSCuz67349 | ASA Cluster fragments reassembled before transmission with no inspection |
| CSCuz67590 | ASA may Traceback with Thread Name: cluster rx thread |
| CSCuz67596 | ASA may Traceback with Thread Name: Unicorn Admin Handler |
| CSCuz67690 | ASA crashed due to Election severe problem no master is promoted |
| CSCuz70330 | ASA: SSH being denied on the ASA device as the maximum limit is reached |
| CSCuz72352 | traceback during tls-proxy handshake |
| CSCuz80281 | IPv6 neighbor discovery packet processing behavior |
| CSCuz90648 | 2048/1550/9344 Byte block leak cause traffic disruption & module failure |
| CSCuz92074 | ASA with PAT fails to untranslate SIP Via field that doesnt contain port |
| CSCuz92921 | ASA crashes while clearing global access-list |
| CSCuz94862 | IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck |
| CSCuz95806 | DNS Doctoring DNS64 is not working |
| CSCuz98220 | ASA traceback with Thread Name: Dispatch Unit |
| CSCuz98704 | Traceback in CP Processing thread after upgrade |
| CSCva00190 | ASA 9.4.2.6 High CPU due to CTM message handler due to chip resets |
| CSCva00939 | Remove ACL warning messages in show access-list when FQDN is resolved |
| CSCva01570 | Unexpected end of file logon.html in WebVPN |
| CSCva02817 | ASA not rate limiting with DSCP bit set from the Server |
| CSCva03607 | show service-policy output reporting incorrect values |
| CSCva03982 | ASA : Mem leak in cluster mode due to PBR lookup |
| CSCva10054 | ASA ASSERT traceback in DATAPATH due to sctp inspection |
| CSCva15911 | On reloading the ASA, ASA mounts SSD as disk 0, instead of the flash. |
| CSCva16471 | IPv6 OSPF routes do not update when a lower metric route is advertised |
| CSCva24924 | ASA SM on 9300 reloads multi-context over SSH when config-url is entered |
| CSCva26771 | ASA : PBR Mem leak as packet dropped |
| CSCva31378 | ASA treaceback at Thread Name: rtcli async executor process |
| CSCva35439 | ASA DATAPATH traceback (Cluster) |
| CSCva36202 | BGP Socket not open in ASA after reload |
| CSCva38556 | Cisco ASA Input Validation File Injection Vulnerability |
| CSCva39094 | ASA traceback in CLI thread while making MPF changes |
| CSCva39804 | Interfaces get deleted on SFR during cluster rejoining |
| CSCva40844 | Crypto accelerator ring timeout causes packet drops |
| CSCva46920 | Traceback in Thread Name: ssh when issuing show tls-proxy session detail |
| CSCva49256 | memory leak in ssh |
| CSCva62861 | uauth is failed after failover |
| CSCva68987 | ASA drops ICMP request packets when ICMP inspection is disabled |
| CSCva69584 | OSPF generates Type-5 LSA with incorrect mask, which gets stuck in LSDB |
| CSCva69799 | ASA stuck in boot loop due to FIPS Self-Test failure |
| CSCva70095 | ASA negotiates TLS1.2 when server in tls-proxy |
| CSCva76568 | ASA : Enabling IKEv1/IKEv2 opens RADIUS ports |
| CSCva77852 | ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon |
| CSCva81749 | IPV6 address not assigned when connecting via IPSEC protocol |
| CSCva84635 | ASA: CHILD_SA collision brings down IKEv2 SA |
| CSCva85382 | ASA memory leak for CTS SGT mappings |
| CSCva87077 | GTP traceback at gtpv1_process_msg for echo response |
| CSCva87160 | OTP authentication is not working for clientless ssl vpn |
| CSCva88796 | AnyConnect Sessions Cannot Connect Due to Stuck L2TP Uauth Sessions |
| CSCva90806 | ASA Traceback when issue 'show asp table classify domain permit' |
| CSCva91420 | ASA Traceback in CTM Message Handler |
| CSCva92151 | Cisco ASA SNMP Remote Code Execution Vulnerability |
| CSCva92813 | ASA Cluster DHCP Relay doesn't forward the server replies to the client |
| CSCva94702 | Enqueue failures on DP-CP queue may stall inspected TCP connection |
| CSCvb03994 | Traceback in IKE_DBG |
| CSCvb05667 | H.323 inspection causes Traceback in Thread Name: CP Processing |
| CSCvb05787 | traceback in network udpmod_get after anyconnect test load application |
| CSCvb13690 | ASA : Botnet update fails with a lot of Errors |
| CSCvb13737 | wr mem/ wr standby is not syncing configs on standby |
| CSCvb14997 | ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer |
| CSCvb19251 | ASA as DHCP relay drops DHCP 150 Inform message |
| CSCvb19843 | Buffer Overflow in ASA Leads to Remote Code Execution |
| CSCvb22435 | ASA Traceback in thread name CP Processing due to DCERPC inspection |
| CSCvb22848 | ASA 9.1.7-9 crash in Thread Name: NIC status poll |
| CSCvb27868 | ASA 1550 block depletion with multi-context transparent firewall |
| CSCvb29411 | AAA authentication/authorization fails if only accessible via mgmt vrf |
| CSCvb29688 | Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416 |
| CSCvb30445 | ASA may generate DATAPATH Traceback with policy-based routing enabled |
| CSCvb31833 | Traceback : ASA with Threadname: DATAPATH-0-1790 |
| CSCvb32297 | WebVPN:VNC plugin:Java:Connection reset by peer: socket write error |
| CSCvb36199 | Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback |
| CSCvb39147 | Lower NFS throughput rate on Cisco ASA platform |
| CSCvb45039 | ASA traceback with Thread Name aaa_shim_thread |
| CSCvb48640 | Evaluation of pix-asa for Openssl September 2016 |
| CSCvb49273 | Traceback triggered by CoA on ASA when sending/receiving to/from ISE |
| CSCvb52988 | ASA Traceback Thread Name: emweb/https |
| CSCvb63503 | AAA session handle leak with IKEv2 when denied due to time range |
| CSCvb63819 | ASA-SM traceback with Thread : fover_parse during upgrade OS 9.1.6 to 9.4.3 |
| CSCvb64161 | ASA fairly infrequently rewrites the dest MAC address of multicast packet for client |
| CSCvb68766 | ASA traceback at Thread Name: IKE Daemon. |
| CSCvb74249 | ASA dropping traffic with TCP syslog configured in multicontext mode |
| CSCvd78303 | ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded' |

Resolved Bugs in Version 9.5(2.200)

There were no bugs fixed in 9.5(2.200).

Resolved Bugs in Version 9.5(2.1)

There were no bugs fixed in 9.5(2.1).

Resolved Bugs in Version 9.5(2)

If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for Version 9.5(2):

The following table lists resolved bugs at the time of this Release Note publication.

| Identifier | Description |
|---|---|
| CSCuv94338 | ASA traceback in Thread Name: CP Crypto Result Processing. |
| CSCuu27334 | ASA: Traceback with Thread Name - AAA |
| CSCuu73395 | Auth-prompt configured in one context appears in another context |
| CSCuv32615 | ASA: LDAP over SSL Authentication failure |
| CSCuv12884 | Unable to authenticate with remove aaa-server from different context |
| CSCuw00971 | ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+) |
| CSCut28210 | AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue |
| CSCus47259 | Cisco ASA XAUTH Bypass Vulnerability |
| CSCut27332 | ASA traceback in aaa_shim_thread / command author done for dACL install |
| CSCuu48626 | ASA - access list address argument changed from host 0.0.0.0 to host :: |
| CSCuv92371 | ASA traceback: SSH Thread: many users logged in and dACLs being modified |
| CSCuv12564 | Memory leak @regcomp_unicorn with APCF configured |
| CSCus56590 | ASA - Traceback in Thread Name: fover_parse |
| CSCuw09578 | ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test |
| CSCuv87150 | ASA traceback in Thread Name: fover_parse (ak47/ramfs) |
| CSCut88287 | ASA Traceback in vpnfol_thread_msg |
| CSCuv87760 | Unicorn proxy thread traceback with RAMFS processing |
| CSCus32005 | ASA - Traceback in thread name SSH while applying BGP show commands |
| CSCuu10284 | ASA Dataplane captures dont capture packets when using match/access-list |
| CSCuu61573 | 9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain |
| CSCur20322 | ASA 9.2.1 - DATAPATH Traceback in L2 cluster environment |
| CSCus97061 | ASA Cluster member traceback in DATAPATH |
| CSCuv39775 | ASA cluster-Incorrect "current conns" counter in service-policy |
| CSCuu28909 | ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel |
| CSCuw36853 | ASA: ICMP error loop on cluster CCL with Interface PAT |
| CSCut56198 | Clustering: Traceback in DATAPATH with transparent FW |
| CSCuu66218 | ASA is not correctly handling errors on AES-GCM ICV |
| CSCuu18989 | ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit |
| CSCuu75901 | ASA failover due to issue show local-host command make CPU-hog |
| CSCus92856 | ASA traceback in DATAPATH Thread due to Double Block Free |
| CSCut40770 | Interface TLV to SFR is corrupt when frame is longer than 2048 bytes |
| CSCuv91730 | Request allow packets to pass when snort is down for ASA configurations |
| CSCuv58559 | Traceback in Thread Name: DATAPATH on modifying "set connection" in MPF |
| CSCuw66397 | DHCP Server Process stuck if dhcpd auto_config already enabled from CLI |
| CSCuu84085 | DHCP-DHCP Proxy thread traceback shortly after failover and reload |
| CSCut44082 | EIGRP configuration not being correctly replicated between failover ASAs |
| CSCuu77207 | ASA - URL filter - traceback on thread name uauth_urlb clean |
| CSCut92194 | ASA traceback in Thread Name: CP Processing |
| CSCur07061 | Traceback on standby ASA during hitless upgrade |
| CSCuv01177 | ASA: traceback in IDFW AD agent |
| CSCze96017 | Active ftp-data is blocked by Firepower on Chivas Beta on 5512 |
| CSCuu45858 | ASA Traceback in cp_syslog |
| CSCut86523 | ASA: Silently Drops packets with SFR Module installed. |
| CSCuu73716 | Traceback in Thread CP Processing |
| CSCuu56912 | ASA change non-default port to 443 for https traffic redirected to CWS |
| CSCut30741 | ASA redirection to Scansafe tower fails with log id "775002" in syslog |
| CSCuu91304 | Immediate FIN from client after GET breaks scansafe connection |
| CSCuq99821 | ASA/ASASM drops SIP invite packets with From field containing "" and \ |
| CSCut48009 | Traceback in thread CP Processing |
| CSCut45114 | 2048-byte block leak if DNS server replies with "No such name" |
| CSCuu94945 | ASA: Traceback while copying file using SCP on ASA |
| CSCuw41548 | DNS Traceback in channel_put() |
| CSCut28217 | Active ASA in failover setup reboots on its own |
| CSCuu36639 | ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout |
| CSCus08239 | ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limit |
| CSCuv70576 | Cisco ASA VPN Memory Block Exhaustion Vulnerability |
| CSCuo08193 | Traceback in Thread Name: DATAPATH-1-1382 while processing nat-t packet |
| CSCuu39636 | Cert Auth fails with 'max simultaneous-login restriction' error |
| CSCuu82229 | ikev2 with DH 19 and above fails to pass traffic after phase2 rekey |
| CSCut75983 | ASA Traceback in PPP |
| CSCuw17930 | Improper S2S IPSec Datapath Selection for Remote Overlapping Networks |
| CSCuw22886 | Split-tunnel not working for EzVPN client on Kenton device (9.5.1) |
| CSCut95793 | ASA: Anyconnect IPv6 Traceroute does not work as expected |
| CSCut01856 | ASA dropping traffic with TCP syslog configured in multicontext mode |
| CSCuv07106 | ASATraceback in ssh whilst adding new line to extended ACL |
| CSCuu63656 | ASA not generating PIM register packet for directly connected sources |
| CSCuw22130 | ASA traceback when removing dynamic PAT statement from cluster |
| CSCtz98516 | Observed Traceback in SNMP while querying GET BULK for 'xlate count' |
| CSCuu45812 | asa Traceback with Thread Name idfw_proc |
| CSCuu39615 | eglibc 2.18 is missing upstream fix #15073 |
| CSCuv96011 | OSPF over IKEv2 L2L tunnel is broken on ASA with 9.2.1 onwards |
| CSCuv45756 | ASA may tracebeck when displaying packet capture with trace option |
| CSCuv11566 | ASA LDAP CRL query baseObject DN string is malformed |
| CSCuv66333 | ASA picks incorrect trustpoint to verify OCSP Response |
| CSCut67965 | CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached |
| CSCut15570 | Anyconnect SSL VPN certificate authentication fails o ASA |
| CSCuu46569 | ASA CA certificate import fails with different types of Name Constraints |
| CSCus78450 | ASA cert validation fails when suitable TP is above the resident CA cert |
| CSCuu45813 | ASA Name Constraints dirName improperly verified |
| CSCuv57389 | ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8) |
| CSCuv88785 | RA validation failed when CA/subCA contains name constraints |
| CSCui20213 | 5585 interface counters show 0 for working interfaces and console errors |
| CSCuu04012 | ASA CX - Data Plane marked as DOWN untill ASA reload. |
| CSCuv10258 | ASA5505 permanent base license, temp secplus, failover, vlan count issue |
| CSCuw29566 | ASA5585 9.5(1): Support Failover Lan on Management0/0 port |
| CSCus62863 | Kenton 5516: Interface dropping ARPs after flapping under traffic load |
| CSCuq57307 | ASA 8.4 Memory leak due to duplicate entries in ASP table |
| CSCuw06294 | ASA: Traceback in Thread Name Checkheaps due to webvpn |
| CSCuv10938 | 'redistribute' cmds under 'router eigrp' removed on deleting any context |
| CSCuu53928 | ASA does not set forward address or p-bit in OSPF redistrubution in NSSA |
| CSCuu31751 | ASA OSPF database not reflect changes |
| CSCuv50968 | CRL download functionality seems to be broken on ASA |
| CSCuv42413 | Dynamic Route Not Installed After Failover |
| CSCut37974 | EIGRP authentication not working with simple pasword |
| CSCur09141 | RRI static routing changes not updated in routing table |
| CSCut10078 | Standby ASA does not apply OSPF route after config replication |
| CSCuv50709 | Standby ASA inside IP not reachable after Anyconnect disconnect |
| CSCuv79552 | Standby traceback during config replication with customization export |
| CSCuu06081 | ASAv licesing enforcement should not be CLI parser based |
| CSCuw59388 | Unable to load ASDM to a Context in Multiple Context Mode |
| CSCtx43501 | CPU hog due to snmp polling of ASA memory pool information |
| CSCuu04160 | snmpwalk causes slow memory leak on ASA |
| CSCuu84697 | ASA Traceback in Thread Name ssh/client |
| CSCus70693 | ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO: |
| CSCut03981 | ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig |
| CSCus27650 | Cut Through proxy not working correctly with TLS1.2 |
| CSCuv51649 | SSL : Unable to Join nodes in Cluster |
| CSCuu02848 | Disable ECDSA SSL Ciphers When Manually Configuring RSA Cert for SSL |
| CSCuu87823 | ASAv traceback in DATAPATH when used for WebVPN |
| CSCuv27197 | ASA SSLVPN RDP Plugin session freezes under heavy load with activex |
| CSCuv92384 | ASA TCP Normalizer sends PUSH ACK for invalid ACK for half-open CONNS |
| CSCuu86195 | conn-max counter is not decreased accordingly |
| CSCut39985 | Per-session PAT RST sent to incorrect direction after closing session |
| CSCut49111 | ASA traceback because of TD tcp-intercept feature |
| CSCuw26991 | ASA: Traceback in Thread Unicorn Admin Handler due to Threat Detection |
| CSCut36927 | Cluster destabilizes when contexts are removed |
| CSCuv43902 | ASA: Watchdog Traceback with Thread Name:- SXP CORE |
| CSCur07369 | SXP Version Mismatch Between ASA & N7K with clustering |
| CSCuw86069 | ASAv Cannot remove/change default global_policy or inspection_default |
| CSCut49034 | ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal |
| CSCuw14334 | Trace back with Thread Name: IP Address Assign |
| CSCut12513 | ASA allows citrix ICA connection without authentication |
| CSCuq97035 | WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7 |
| CSCut71095 | ASA WebVPN clientless cookie authentication bypass |
| CSCuv30184 | AddThis widget is not shown causing Traceback in Unicorn Proxy Thread |
| CSCuu32905 | ASA WebVPN: Javascript fails to execute when accessing internal portal |
| CSCuv05386 | Clientless webvpn on ASA does not display asmx files |
| CSCuv69235 | HTTP chunked data causing watchdog |
| CSCuv05916 | Need to prevent traceback in js_parser_print_rest |
| CSCuw87910 | PCP 10.6 Clientless VPN Access is Denied when accessing Pages |
| CSCuw44744 | Traceback in WebVPN rewriter |
| CSCuu78835 | Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5 |
| CSCus46895 | WebVPN Rewriter: "parse" method returns curly brace instead of semicolon |
| CSCuv86500 | Webvpn: JS parser may crash if the underlying connection is closed |

Resolved Bugs in Version 9.5(1.5)

If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for Version 9.5(1.5):

The following table lists resolved bugs at the time of this Release Note publication.

Identifier

Description

CSCuq97035

WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7

CSCus08239

ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limit

CSCut03981

ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig

CSCut49034

ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal

CSCut95793

ASA: Anyconnect IPv6 Traceroute does not work as expected

CSCuu73395

Auth-prompt configured in one context appears in another context

CSCuu73716

Traceback in Thread CP Processing

CSCuu75901

ASA failover due to issue show local-host command make CPU-hog

CSCuu77207

ASA - URL filter - traceback on thread name uauth_urlb clean

CSCuu87823

ASAv traceback in DATAPATH when used for WebVPN

CSCuv05386

Clientless webvpn on ASA does not display asmx files

CSCuv05916

Need to prevent traceback in js_parser_print_rest

CSCuv09538

ASA: CLI commands not showing help(?) options for local authorization

CSCuv11566

ASA LDAP CRL query baseObject DN string is malformed

CSCuv12884

Unable to authenticate with remove aaa-server from different context

CSCuv27197

ASA SSLVPN RDP Plugin session freezes under heavy load with activex

CSCuv32615

ASA: LDAP over SSL Authentication failure

CSCuv35243

ASA: Not able to remove ACE with "log default" keyword

CSCuv39775

ASA cluster-Incorrect "current conns" counter in service-policy

CSCuv42413

Dynamic Route Not Installed After Failover

CSCuv43902

ASA: Watchdog Traceback with Thread Name:- SXP CORE

CSCuv45756

ASA may traceback when displaying packet capture with trace option

CSCuv57389

ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8)

CSCuv69235

HTTP chunked data causing watchdog

CSCuv70576

Cisco ASA VPN Memory Block Exhaustion Vulnerability

CSCuv79552

Standby traceback during config replication with customization export

CSCuv86500

Webvpn: JS parser may crash if the underlying connection is closed

CSCuv87150

ASA traceback in Thread Name: fover_parse (ak47/ramfs)

CSCuv87760

Unicorn proxy thread traceback with RAMFS processing

CSCuv88785

RA validation failed when CA/subCA contains name constraints

CSCuv91730

Request allow packets to pass when snort is down for ASA configurations

CSCuw00971

ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+)

CSCuw09578

ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test

CSCuw30700

traffic-forward interface command is not working on 5585

Resolved Bugs in Version 9.5(1.200)

There were no bugs fixed in 9.5(1.200).

Resolved Bugs in Version 9.5(1)

If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for Version 9.5(1):

The following table lists resolved bugs at the time of this Release Note publication.

Identifier

Description

CSCuu31281

AAA Authorization HTTP sends username in password field of authorization

CSCus57241

ASA 9.3.2:DAP intermittently uses dflt policy for VPN RA sessions

CSCuu73087

Standalone AnyConnect fails to connect due to empty DAP user message

CSCur17006

Add cli to control masked username in syslog

CSCut96928

ASA : Password creation date is decrementing by one with every reboot

CSCuu27334

ASA: Traceback with Thread Name - AAA

CSCut22865

[ASA] CTP not working if proxyACL port_argument is gt

CSCut54218

ASA tunnel-group "password-expire-in-days" not prompting a password change

CSCut28210

AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue

CSCut27332

ASA traceback in aaa_shim_thread / command author done for dACL install

CSCuu48626

ASA - access list address argument changed from host 0.0.0.0 to host ::

CSCut92373

ASA 9.0.3 not logging permitted UDP traffic

CSCus83942

ASA : ACL logging is not getting disabled with keyword "log disable"

CSCut31315

[ASA] access-list ACL_name standard permit host 0.0.0.0 deleted

CSCuv12564

Memory leak @regcomp_unicorn with APCF configured

CSCur99653

Codenomicon HTTP-server suite may cause crash

CSCus32005

ASA - Traceback in thread name SSH while applying BGP show commands

CSCuv25327

bgp ipv6 neighborship fails with ASA after hard reset on router

CSCuu10284

ASA Dataplane captures don't capture packets when using match/access-list

CSCuu13345

Drop reasons missing from asp-drop capture

CSCuu28909

ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel

CSCut56198

Clustering: Traceback in DATAPATH with transparent FW

CSCur56038

RPC error in request config after replicated a large configuration

CSCut49711

show cluster mem indicates incorrect values

CSCut44075

Traceback in snp_cluster_get_buffer

CSCuu66218

ASA is not correctly handling errors on AES-GCM ICV

CSCuu88607

Doubling counting flow bytes for decrypted packets

CSCus56252

Cisco ASA DHCPv6 Relay Denial of Service Vulnerability

CSCut49724

Corrupted host name may occur with DHCP

CSCuu84085

DHCP-DHCP Proxy thread traceback shortly after failover and reload

CSCut44082

EIGRP configuration not being correctly replicated between failover ASAs

CSCut92194

ASA traceback in Thread Name: CP Processing

CSCuu16983

ASA: failover logging messages appear in user context

CSCut11895

Failover assembly remained in active-active state permanently

CSCur07061

Traceback on standby ASA during hitless upgrade

CSCut06531

ASA: XFRAME support for .JS and .JNLP URL's

CSCuv01177

ASA: traceback in IDFW AD agent

CSCuu54660

ASA Remote Access - Phase 1 terminated after xauth

CSCur68226

ASA SMTP inspection should not disable TLS by default

CSCut05676

Handling esmtp default parameters for TLS

CSCze96017

Active ftp-data is blocked by Firepower on Chivas Beta on 5512

CSCuq69907

ASA traceback: thread name "scansafe_poll"

CSCuq99821

ASA/ASASM drops SIP invite packets with From field containing "" and \

CSCut48009

Traceback in thread CP Processing

CSCut83833

USB device hot plug not supported in running ASA

CSCut45114

2048-byte block leak if DNS server replies with "No such name"

CSCuu07799

Cisco ASA DNS Denial of Service Vulnerability

CSCuu02761

DNS should perform IPv4 lookups if IPv6 address is not reachable

CSCuv02304

EEM action not executed on absolute time when NTP is configured

CSCuu36639

ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout

CSCur51051

LU allocate connection failed on the Standby ASA unit

CSCuu39636

Cert Auth fails with 'max simultaneous-login restriction' error

CSCuv07126

ikev2 enable added to config when zones are used despite ERROR msg

CSCut80316

Ikev2 Session with bogus assigned IP address stays on ASA

CSCus85532

IKEv2: IPSec SA's are created by dynamic crypto map for static peers

CSCut75983

ASA Traceback in PPP

CSCut24490

L2TP/IPSec Optimal MSS is not what it's supposed to be

CSCut64327

L2TP/IPsec traffic dropped due to "vpn-overlap-conflict"

CSCut69675

Radius Acct-Terminate-Cause for L2TP over IPSec is incorrect.

CSCus98309

Duplicate IPv6 address is configurable in 1 ASA or context

CSCuu41142

IPv6 local host route fail when setting link-local/Global simultaneously

CSCut01856

ASA dropping traffic with TCP syslog configured in multicontext mode

CSCuu67411

Timeout:FloatingConnection valid(0:0:30-1193:0)remove http &telnet confg

CSCuu19489

ASA inspection-MPF ACL changes not inserted into ASP table properly

CSCuv07106

ASA Traceback in ssh whilst adding new line to extended ACL

CSCuu63656

ASA not generating PIM register packet for directly connected sources

CSCus74398

Cisco ASA PIM Multicast Registration Vulnerability

CSCus14147

ASA generate pool exhausted for sip inspect with embedded IP but no port

CSCti05769

Migration of max_conn/em_limit to MPF is completely wrong in 8.3

CSCui37201

Misleading error msg for pat-pool with mapped object

CSCtz98516

Observed Traceback in SNMP while querying GET BULK for 'xlate count'

CSCut71347

PBA: Generate syslogs for port block allocation related failures

CSCuu33321

Two Dynamic PAT with and without block-allocation

CSCuu39615

eglibc 2.18 is missing upstream fix #15073

CSCus84220

ASA crashes for the OSPFv2 packets from codenomicon

CSCuv01022

ASA:OSPF over L2L tunnels is not working with multiple cry map entries

CSCut52679

Cisco ASA OSPFv2 Denial of Service Vulnerability

CSCuu88548

Ampersand (&) not encoded in packet tracer phase 'extra' field

CSCus19673

"no nameif" is removing the policy-route configuration

CSCus86487

PBR: DF & DSCP bits are not getting set without valid set next-hop

CSCus78109

Policy based routing is not working with twice NAT

CSCus63993

ASA - Traceback in thread name: CERT API

CSCuu74823

Cryptomaps lose trustpoint when syncing configuration from cluster unit

CSCuu81932

ASA tunnel-group-map cannot contain spaces

CSCut67965

CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached

CSCut15570

Anyconnect SSL VPN certificate authentication fails on ASA

CSCuu46569

ASA CA certificate import fails with different types of Name Constraints

CSCuu45813

ASA Name Constraints dirName improperly verified

CSCut48571

Incorrect cert chain sent to connecting IPSec clients

CSCut75202

PKI: potential pki session handle leak in IKEv2 L2L configurations

CSCus69021

5506-X: 'no buffer' interface counter reports incorrect errors

CSCus62863

Kenton 5516: Interface dropping ARPs after flapping under traffic load

CSCuu75675

kenton: For ASA5516, ASAOS should support SSLVPN of 300 instead of 250

CSCuv72010

Kernel command line is displayed while booting 9.5.1 Image

CSCuq27342

Traceback and reload triggered by failover configuration

CSCut23991

PPPoE session state timer does not initialize properly

CSCuq57307

ASA 8.4 Memory leak due to duplicate entries in ASP table

CSCut67315

ASA :Top 10 Users status is not getting enabled from ASDM.

CSCuu08031

ASA QoS Priority Queue tx-ring-limit 512 causes high impact to LLQ

CSCut37042

Secondary ASA stuck in config sync while upgrading to 8.4.x

CSCuj68919

Multiple problems with output of show processes memory

CSCuv10938

'redistribute' cmds under 'router eigrp' removed on deleting any context

CSCus24519

ASA Cluster: Default OSPF route gone on Master unit

CSCuu53928

ASA does not set forward address or p-bit in OSPF redistribution in NSSA

CSCut01395

ASA silently dropping OSPF LS Update messages from neighbors

CSCuu99349

ASA-3-317012 and "No route to host" errors even though the route exists

CSCuu00733

ASA: ECMP stopped working after upgrade to 9.3.2

CSCus64394

Misleading route-map warning message

CSCur09141

RRI static routing changes not updated in routing table

CSCut10078

Standby ASA does not apply OSPF route after config replication

CSCut26062

ASA 9.2.1 Eigrp Authentication does not work with 16 character key

CSCuu02635

Remove demo and eval warning for sfr monitor-only

CSCus79307

ASAv cannot send SL messages after toggling of "service call-home" cmd

CSCus79129

ASAv crashes when CiscoTAC-1 profile pointed to Transport Gateway w/ dbg

CSCuu04160

snmpwalk causes slow memory leak on ASA

CSCuu07308

"ssh scopy enable" deleted from configuration

CSCuu52976

ASA not checking the MAC of the TLS records

CSCuu93339

Cisco ASA Poodle TLS Variant

CSCus27650

Cut Through proxy not working correctly with TLS1.2

CSCuu97304

SSL connection failing to WebVPN portal

CSCuv51649

SSL : Unable to Join nodes in Cluster

CSCuu83280

Evaluation of OpenSSL June 2015

CSCut46019

MARCH 2015 OpenSSL Vulnerabilities

CSCuu87823

ASAv traceback in DATAPATH when used for WebVPN

CSCus42901

JANUARY 2015 OpenSSL Vulnerabilities

CSCut64846

To-the-box UDP traffic not getting inspected and getting dropped on ASA

CSCus11465

ASA teardown connection after receiving same direction fins

CSCuu86195

conn-max counter is not decreased accordingly

CSCut04182

NFS connections not timing out after failover

CSCut39985

Per-session PAT RST sent to incorrect direction after closing session

CSCut49111

ASA traceback because of TD tcp-intercept feature

CSCus89139

Exception on asdm_handler stream line: </threat-detection>

CSCus54537

ASAv requires a reboot for the license to take effect.

CSCuu09302

ASAv: RSA key pair needs to be automatically generated with 2048 bits

CSCuu07462

Cannot bootup ASAv-KVM when deployed via RHEL (7.1) / OpenStack (Juno)

CSCus89286

ASA Traceback in SSL library due to DMA memory exhaustion

CSCus53692

ASA traceback in Thread Name: fover_parse

CSCus37840

AnyConnect upgrade from AC 2.5 to AC 3.1 fails

CSCus95290

Cisco ASA VPN XML Parser Denial of Service Vulnerability

CSCuc16662

HTML/Java File Browser- created file or folder shows 9 months offset

CSCut71095

ASA WebVPN clientless cookie authentication bypass

CSCuu48813

WebVpn: portal is not displayed after re-login

CSCuv30184

AddThis widget is not shown causing Traceback in Unicorn Proxy Thread

CSCuu18564

ASA WebVPN : jQuery based Calendar table fails to load; Empty frame

CSCuu18527

ASA WebVPN: HTTP 302 Location URL rewritten incorrectly

CSCuu32905

ASA WebVPN: Javascript fails to execute when accessing internal portal

CSCut85049

Issue with downloading images from Sharepoint

CSCuv38654

rewriter returns 302 for a file download

CSCut35406

Src url of video track tag not mangled via webvpn

CSCut58935

WebVPN: Tsweb fails to work through clientless portal

CSCut39169

WebVPN:Rewrite issue with 'eval' expressions inside JS on Peoplesoft app

CSCur42776

Mac version smart-tunnel uses SSLv3 which is a vulnerability

CSCuq10239

Windows 8 with new JRE, IE is not gaining access to smart tunnel