Release Notes for the Cisco ASA Series, 9.5(x)
This document contains release information for Cisco ASA software Version 9.5(x).
Important Notes
- Potential Traffic Outage (9.5(3) through 9.5(3.6))—Due to bug CSCvd78303, the ASA may stop passing traffic after 213 days of uptime. The effect on each network will be different, but it could range from limited connectivity to a more extensive outage. You must upgrade to a new version without this bug, when available. In the meantime, you can reboot the ASA to gain another 213 days of uptime. Other workarounds may be available. See Field Notice FN-64291 for affected versions and more information.
- E-mail proxy commands deprecated—In ASA Version 9.5(2), the e-mail proxy commands (imap4s, pop3s, smtps) and their subcommands are no longer supported.
- CSD commands deprecated or migrated—In ASA Version 9.5(2), the CSD commands (csd image, show webvpn csd image, show webvpn csd, show webvpn csd hostscan, show webvpn csd hostscan image) are no longer supported. The following CSD commands migrate: csd enable migrates to hostscan enable; csd hostscan image migrates to hostscan image.
- Select AAA commands deprecated—In ASA Version 9.5(2), the AAA commands and subcommands override-account-disable and authentication crack are no longer supported.
- The RSA toolkit version used in ASA 9.x is different from the one used in ASA 8.4, which causes differences in PKI behavior between the two versions. For example, ASAs running 9.x software allow you to import certificates with an Organizational Unit (OU) field up to 73 characters long, whereas ASAs running 8.4 software accept an OU field of at most 60 characters. Because of this difference, a certificate that imports on ASA 9.x can fail to import on ASA 8.4. If you try to import such a certificate into an ASA running version 8.4, you will likely receive the error "ERROR: Import PKCS12 operation failed."
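As an added operational check for the first note (not part of Cisco's release note), the following Python parses show version output, decides whether the running version falls inside the 9.5(3) to 9.5(3.6) window, and reports how many days remain before the 213-day uptime limit. The sample output is constructed, and the spelling 9.5(3)2 for an interim build is an assumption about how show version prints interim releases; the parser also accepts the 9.5(3.2) spelling used in this document.

```python
"""Check 'show version' output for the CSCvd78303 window (9.5(3) to 9.5(3.6)) and uptime."""
import re

AFFECTED_LOW = (9, 5, 3, 0)     # 9.5(3)
AFFECTED_HIGH = (9, 5, 3, 6)    # 9.5(3.6), the last affected interim build
UPTIME_LIMIT_DAYS = 213

# Constructed sample, not real device output; trimmed to the lines the parser needs.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.5(3)2
Device Manager Version 7.6(1)

fw-edge-01 up 205 days 14 hours

Hardware:   ASA5525, 8192 MB RAM
"""

# Accepts both 9.5(3)2 (show version style) and 9.5(3.2) (release note style).
_VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(\d+)?")
# "<hostname> up [N days] [N hours] [N mins]"
_UPTIME_RE = re.compile(
    r"^\S+ up(?: (\d+) days?)?(?: (\d+) hours?)?(?: (\d+) mins?)?\s*$", re.MULTILINE)


def parse_version(text: str) -> tuple:
    """Return (major, minor, maintenance, interim); interim is 0 for a plain release."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no ASA software version line found")
    major, minor, maint, interim_dotted, interim_suffix = m.groups()
    interim = interim_dotted or interim_suffix or "0"
    return (int(major), int(minor), int(maint), int(interim))


def is_affected(version: tuple) -> bool:
    """True when the version lies in the window named in the release note."""
    return AFFECTED_LOW <= version <= AFFECTED_HIGH


def parse_uptime_days(text: str) -> float:
    m = _UPTIME_RE.search(text)
    if not m:
        raise ValueError("no uptime line found")
    days, hours, mins = (int(g) if g else 0 for g in m.groups())
    return days + hours / 24 + mins / 1440


def assess(text: str) -> dict:
    """Combine version and uptime into one verdict; days_until_limit is None when not affected."""
    version = parse_version(text)
    uptime = parse_uptime_days(text)
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "uptime_days": uptime,
        "days_until_limit": UPTIME_LIMIT_DAYS - uptime if affected else None,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION))
```

Feed it the captured output of show version from each unit; a failover pair should be checked per unit, since each member has its own uptime counter.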
System Requirements
This section lists the system requirements to run this release.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in ASA 9.5(3.9)/ASDM 7.6(2)
Released: April 11, 2017
Remote Access Features

Configurable SSH encryption and HMAC algorithm
Users can select the cipher modes used for SSH management connections, and can configure the HMAC and encryption algorithms offered for the various key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms, in order: 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr. If 3des-cbc is negotiated, performance is much slower than with a more efficient algorithm such as aes128-cbc; 3des-cbc is also the weakest choice in the list (a 64-bit block cipher in CBC mode), and because the negotiated algorithm must appear on both sides' lists, removing it from the ASA's list is what prevents a peer from selecting it. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example. We introduced the following commands: ssh cipher encryption, ssh cipher integrity. We introduced an ASDM screen for this feature. Also available in 9.1(7) and 9.4(3).
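The only reliable way to know what a management interface advertises is to read its SSH_MSG_KEXINIT. The following Python is an added example (not from Cisco's documentation): it parses a KEXINIT packet as defined in RFC 4253 and flags 3DES, CBC-mode ciphers and truncated or MD5 MACs in the server's offer, so you can verify an ASA before and after changing ssh cipher encryption and ssh cipher integrity. The sample packet is constructed from the default list quoted above; HARDENED_CIPHERS is an assumed custom list, not a value from the release note; fetch_server_kexinit is for live use and needs network access.

```python
"""Audit the cipher and MAC lists an SSH server offers, e.g. an ASA's management interface.

Parses SSH_MSG_KEXINIT (RFC 4253 section 7.1) from an unencrypted SSH binary packet
(section 6). The sample packet built below is constructed, not an ASA capture.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20
# Offers worth flagging: 64-bit block ciphers, RC4, any CBC mode, truncated or MD5 MACs.
WEAK_CIPHER_MARKERS = ("3des", "arcfour", "blowfish", "cast128", "-cbc")
WEAK_MAC_MARKERS = ("md5", "-96")
NAME_LISTS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_client_to_server", "encryption_server_to_client",
    "mac_client_to_server", "mac_server_to_client",
    "compression_client_to_server", "compression_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)
# Default ASA order quoted in the release note, and an assumed hardened custom list.
ASA_DEFAULT_CIPHERS = ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                       "aes128-ctr", "aes192-ctr", "aes256-ctr"]
HARDENED_CIPHERS = ["aes256-ctr", "aes192-ctr", "aes128-ctr"]


def _read_name_list(buf: bytes, off: int):
    """Read one RFC 4251 name-list (uint32 length + comma-separated ASCII names)."""
    (n,) = struct.unpack_from(">I", buf, off)
    raw = buf[off + 4:off + 4 + n].decode("ascii")
    return [a for a in raw.split(",") if a], off + 4 + n


def parse_kexinit(packet: bytes) -> dict:
    """Decode one SSH binary packet carrying KEXINIT into its ten name-lists."""
    (packet_length,) = struct.unpack_from(">I", packet, 0)
    padding_length = packet[4]
    payload = packet[5:4 + packet_length - padding_length]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError(f"expected KEXINIT (20), got message type {payload[0]}")
    off, kex = 17, {}  # 1 byte message type + 16 byte cookie
    for name in NAME_LISTS:
        kex[name], off = _read_name_list(payload, off)
    kex["first_kex_packet_follows"] = bool(payload[off])
    return kex


def audit_kexinit(kex: dict) -> list:
    """One finding per weak offer; the position is reported because order shows preference."""
    findings = []
    for i, c in enumerate(kex["encryption_server_to_client"]):
        if any(m in c for m in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher {c} offered at position {i + 1}")
    for m in kex["mac_server_to_client"]:
        if any(w in m for w in WEAK_MAC_MARKERS):
            findings.append(f"weak MAC {m} offered")
    return findings


def build_kexinit(ciphers: list, macs: list) -> bytes:
    """Construct a KEXINIT packet for offline testing (zero cookie, no MAC, RFC padding rules)."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for names in (["diffie-hellman-group14-sha1"], ["ssh-rsa"], ciphers, ciphers,
                  macs, macs, ["none"], ["none"], [], []):
        s = ",".join(names).encode("ascii")
        payload += struct.pack(">I", len(s)) + s
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    padding = 8 - (5 + len(payload)) % 8      # total length a multiple of 8, padding >= 4
    if padding < 4:
        padding += 8
    return struct.pack(">IB", 1 + len(payload) + padding, padding) + payload + b"\x00" * padding


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Connect to a live server and return its raw KEXINIT packet (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        while True:
            line = f.readline()
            if not line:
                raise ConnectionError("server closed before sending a version string")
            if line.startswith(b"SSH-"):
                break
        sock.sendall(b"SSH-2.0-kexaudit\r\n")
        head = f.read(5)
        (packet_length,) = struct.unpack_from(">I", head, 0)
        return head + f.read(packet_length - 1)


if __name__ == "__main__":
    for label, ciphers in (("default", ASA_DEFAULT_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        print(label, audit_kexinit(parse_kexinit(build_kexinit(ciphers, ["hmac-sha1"]))))
```

Against a live device, call audit_kexinit(parse_kexinit(fetch_server_kexinit("192.0.2.1"))) from a host that is permitted by the ASA's ssh access list; the version string sent is arbitrary and the connection is dropped before any authentication.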
New Features in ASAv 9.5(2.200)/ASDM 7.5(2.153)
Released: January 28, 2016
Note: This release supports only the ASAv.

Platform Features

Microsoft Azure support on the ASAv10
Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper-V hypervisor. The ASAv runs as a guest in the Microsoft Azure Hyper-V environment. The ASAv on Microsoft Azure supports one instance type, the Standard D3, which provides four vCPUs, 14 GB of memory, and four interfaces.

Licensing Features

Permanent License Reservation for the ASAv
For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv. We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return. No ASDM support.

Smart Agent Upgrade to v1.6
The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account. We introduced the following commands: show license status, show license summary, show license udi, show license usage. We modified the following commands: show license all, show tech-support license. We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration. We did not change any screens.
New Features in ASA 9.5(2.1)/ASDM 7.5(2)
Released: December 14, 2015
Note: This release supports only the ASA on the Firepower 9300.

Platform Features

VPN support for the ASA on the Firepower 9300
With FXOS 1.1.3, you can now configure VPN features.

Firewall Features

Flow off-load for the ASA on the Firepower 9300
You can identify flows that should be off-loaded from the ASA and switched directly in the NIC (on the Firepower 9300). This provides improved performance for large data flows in data centers. Because off-loaded flows are switched by the NIC rather than by the ASA, they no longer receive the ASA's stateful inspection once off-loaded; restrict the off-load policy to trusted, high-volume flows. Also requires FXOS 1.1.3. We added or modified the following commands: clear flow-offload, flow-offload enable, set-connection advanced-options flow-offload, show conn detail, show flow-offload. We added or modified the following screens, including the tab used when adding or editing rules.

High Availability Features

Inter-chassis clustering for 6 modules, and inter-site clustering for the ASA on the Firepower 9300
With FXOS 1.1.3, you can now enable inter-chassis, and by extension inter-site, clustering. You can include up to 6 modules in up to 6 chassis. We did not modify any commands. We did not modify any screens.

Licensing Features

Strong Encryption (3DES) license automatically applied for the ASA on the Firepower 9300
For regular Cisco Smart Software Manager users, the Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 9300. This feature requires FXOS 1.1.3. We removed the following command for non-satellite configurations: feature strong-encryption. We modified the corresponding ASDM screen.
New Features in ASA 9.5(2)/ASDM 7.5(2)
Released: November 30, 2015
Platform Features

Cisco ISA 3000 Support
The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model comes with the ASA FirePOWER module pre-installed. Special features for this model include a customized transparent mode default configuration, as well as a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power. Note that while hardware bypass is active, traffic passes through the appliance uninspected. We introduced the following commands: hardware-bypass, hardware-bypass manual, hardware-bypass boot-delay. We modified the corresponding ASDM screen. Also in Version 9.4(1.225).

Firewall Features

DCERPC inspection improvements and UUID filtering
DCERPC inspection now supports NAT for OxidResolver ServerAlive2 opnum5 messages. You can also now filter on DCERPC message universally unique identifiers (UUIDs) to reset or log particular message types. There is a new DCERPC inspection class map for UUID filtering. We introduced the following command: match [not] uuid. We modified the following command: class-map type inspect. We added one ASDM screen and modified another.

Diameter inspection
You can now inspect Diameter traffic. Diameter inspection requires the Carrier license. We introduced or modified the following commands: class-map type inspect diameter, diameter, inspect diameter, match application-id, match avp, match command-code, policy-map type inspect diameter, show conn detail, show diameter, show service-policy inspect diameter, unsupported. We added or modified the following screens: Diameter AVP, and the add/edit wizard's tab.

SCTP inspection and access control
You can now use the SCTP protocol and port specifications in service objects, access control lists (ACLs) and access rules, and inspect SCTP traffic. SCTP inspection requires the Carrier license. We introduced the following commands: access-list extended, clear conn protocol sctp, inspect sctp, match ppid, nat static (object), policy-map type inspect sctp, service-object, service, set connection advanced-options sctp-state-bypass, show conn protocol sctp, show local-host connection sctp, show service-policy inspect sctp, timeout sctp. We added or modified the following screens: add/edit dialogs, the Advanced NAT Settings dialog box for add/edit static network object NAT rules, and the Connection Settings tabs of the add/edit wizard.

Carrier Grade NAT enhancements now supported in failover and ASA clustering
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888). This feature is now supported in failover and ASA cluster deployments. We modified the following command: show local-host. We did not modify any screens.

Captive portal for active authentication on ASA FirePOWER 6.0
The captive portal feature is required to enable active authentication using identity policies starting with ASA FirePOWER 6.0. We introduced or modified the following commands: captive-portal, clear configure captive-portal, show running-config captive-portal.

High Availability Features

LISP Inspection for Inter-Site Flow Mobility
Cisco Locator/ID Separation Protocol (LISP) architecture separates the device identity from its location into two different numbering spaces, making server migration transparent to clients. The ASA can inspect LISP traffic for location changes and then use this information for seamless clustering operation; the ASA cluster members inspect LISP traffic passing between the first hop router and the egress tunnel router (ETR) or ingress tunnel router (ITR), and then change the flow owner to be at the new site. We introduced or modified the following commands: allowed-eid, clear cluster info flow-mobility counters, clear lisp eid, cluster flow-mobility lisp, debug cluster flow-mobility, debug lisp eid-notify-intercept, flow-mobility lisp, inspect lisp, policy-map type inspect lisp, site-id, show asp table classify domain inspect-lisp, show cluster info flow-mobility counters, show conn, show lisp eid, show service-policy, validate-key. We introduced or modified the corresponding ASDM screens.

ASA 5516-X support for clustering
The ASA 5516-X now supports 2-unit clusters. Clustering for 2 units is enabled by default in the base license. We did not modify any commands. We did not modify any screens.

Configurable level for clustering trace entries
By default, all levels of clustering events are included in the trace buffer, including many low level events. To limit the trace to higher level events, you can set the minimum trace level for the cluster. We introduced the following command: trace-level. We did not modify any screens.

Interface Features

Support to map Secondary VLANs to a Primary VLAN
You can now configure one or more secondary VLANs for a subinterface. When the ASA receives traffic on the secondary VLANs, it maps the traffic to the primary VLAN. We introduced or modified the following commands: vlan secondary, show vlan mapping. We modified the corresponding ASDM screens.

Routing Features

PIM Bootstrap Router (BSR) support for multicast routing
The ASA currently supports configuring static RPs to route multicast traffic for different groups. For large complex networks where multiple RPs could exist, the ASA now supports dynamic RP selection using PIM BSR to support mobility of RPs. We introduced the following commands: clear pim group-map, debug pim bsr, pim bsr-border, pim bsr-candidate, show pim bsr-router, show pim group-map rp-timers. We introduced an ASDM screen for this feature.

Remote Access Features

Support for Remote Access VPN in multiple context mode
You can now use certain remote access features in multiple context mode. We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect. We modified the corresponding ASDM screen.

Clientless SSL VPN offers SAML 2.0-based Single Sign-On (SSO) functionality
The ASA acts as a SAML Service Provider.

Clientless SSL VPN conditional debugging
You can filter debug output by condition sets and then analyze the logs more easily. We introduced additions to the debug command for this purpose.

Clientless SSL VPN cache disabled by default
The clientless SSL VPN cache is now disabled by default. Disabling the clientless SSL VPN cache provides better stability. If you want to enable the cache, you must manually enable it. We modified the following command: cache. We modified the corresponding ASDM screen.

Licensing Features

Validation of the Smart Call Home/Smart Licensing certificate if the issuing hierarchy of the server certificate changes
Smart licensing uses the Smart Call Home infrastructure. When the ASA first configures Smart Call Home anonymous reporting in the background, it automatically creates a trustpoint containing the certificate of the CA that issued the Smart Call Home server certificate. The ASA now supports validation of the certificate if the issuing hierarchy of the server certificate changes; you can enable the automatic update of the trustpool bundle at periodic intervals. We introduced the following command: auto-import. We modified the corresponding ASDM screen.

New Carrier license
The new Carrier license replaces the existing GTP/GPRS license, and also includes support for SCTP and Diameter inspection. For the ASA on the Firepower 9300, the feature mobile-sp command will automatically migrate to the feature carrier command. We introduced or modified the following commands: feature carrier, show activation-key, show license, show tech-support, show version. We modified the corresponding ASDM screen.

Monitoring Features

SNMP engineID sync
In an HA pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA: synced engineID, native engineID, and remote engineID. An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running-config output will show two engineIDs per user. We modified the following commands: snmp-server user, no snmp-server user. We did not add or modify any screens. Also available in 9.4(3).

show tech-support enhancements
The output of the show tech-support command was enhanced. We modified the following command: show tech-support. We did not add or modify any screens. Also available in 9.1(7) and 9.4(3).

logging debug-trace persistence
Formerly, when you enabled logging debug-trace to redirect debugs to a syslog server, if the SSH connection was disconnected (due to network connectivity or timeout), the debugs were removed. Now, debugs persist for as long as the logging command is in effect. We modified the following command: logging debug-trace. We did not modify any screens.
New Features in ASA 9.5(1.5)/ASDM 7.5(1.112)
Released: November 11, 2015
Platform Features

Support for ASA FirePOWER 6.0
The 6.0 software version for the ASA FirePOWER module is supported on all previously supported device models.

Support for managing the ASA FirePOWER module through ASDM for the 5512-X through 5585-X
You can manage the ASA FirePOWER module using ASDM instead of Firepower Management Center (formerly FireSIGHT Management Center) when running version 6.0 on the module. You can still use ASDM to manage the module on the 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X when running 6.0. No new screens or commands were added.
New Features in ASDM 7.5(1.90)
Released: October 14, 2015
Remote Access Features

AnyConnect Version 4.2 support
ASDM supports AnyConnect 4.2 and the Network Visibility Module (NVM). NVM enhances the enterprise administrator's ability to do capacity and service planning, auditing, compliance, and security analytics. The NVM collects endpoint telemetry, logs both the flow data and the file reputation in the syslog, and exports the flow records to a collector (a third-party vendor), which performs the file analysis and provides a user interface. We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile (a new profile called Network Visibility Service Profile).
New Features in ASAv 9.5(1.200)/ASDM 7.5(1)
Released: August 31, 2015
Note: This release supports only the ASAv.

Platform Features

Microsoft Hyper-V hypervisor support
Extends the hypervisor portfolio for the ASAv.

ASAv5 low memory support
The ASAv5 now only requires 1 GB RAM to operate. Formerly, it required 2 GB. For already-deployed ASAv5s, you should reduce the allocated memory to 1 GB or you will see an error that you are using more memory than is licensed.
New Features in ASA 9.5(1)/ASDM 7.5(1)
Released: August 12, 2015
Note: This version does not support the Firepower 9300 ASA security module or the ISA 3000.

Firewall Features

GTPv2 inspection and improvements to GTPv0/1 inspection
GTP inspection can now handle GTPv2. In addition, GTP inspection for all versions now supports IPv6 addresses. We modified the following commands: clear service-policy inspect gtp statistics, clear service-policy inspect gtp pdpmcb, clear service-policy inspect gtp request, match message id, show service-policy inspect gtp pdpmcb, show service-policy inspect gtp request, show service-policy inspect gtp statistics, timeout endpoint. We deprecated the following command: timeout gsn. We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > GTP.

IP Options inspection improvements
IP Options inspection now supports all possible IP options. You can tune the inspection to allow, clear, or drop any standard or experimental options, including those not yet defined. You can also set a default behavior for options not explicitly defined in an IP options inspection map. We introduced the following commands: basic-security, commercial-security, default, exp-flow-control, exp-measure, extended-security, imi-traffic-description, quick-start, record-route, timestamp. We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > IP Options.

Carrier Grade NAT enhancements
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888). We introduced the following commands: xlate block-allocation size, xlate block-allocation maximum-per-host. We added the block-allocation keyword to the nat command. We introduced the following screen: Configuration > Firewall > Advanced > PAT Port Block Allocation. We added Enable Block Allocation to the object NAT and twice NAT dialog boxes.
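As an added illustration of why block allocation matters at carrier scale (a model written for this page, not ASA code): each host receives fixed blocks of ports, so a block-granular logger records one line per block instead of one per translation, and a per-host block maximum bounds how much of the PAT pool a single subscriber can consume. The parameters block_size and max_blocks_per_host mirror the two xlate block-allocation commands named above; the pool range, host addresses, connection counts and allocation order are assumptions constructed for the example.

```python
"""Model of per-host PAT port-block allocation (RFC 6888 style) against per-port allocation.

Added example for this release note; a simulation, not ASA code. The pool range and the
sequential allocation order are assumptions made for the model.
"""
from collections import defaultdict


class PortBlockPAT:
    def __init__(self, pool_start=1024, pool_end=65535, block_size=512, max_blocks_per_host=4):
        if block_size <= 0 or (pool_end - pool_start + 1) % block_size:
            raise ValueError("pool range must be a whole number of blocks")
        self.block_size = block_size
        self.max_blocks = max_blocks_per_host
        self.free_blocks = list(range(pool_start, pool_end + 1, block_size))
        self.host_blocks = defaultdict(list)  # host -> [block start port, ...]
        self.used_in_block = {}               # block start port -> ports handed out so far
        self.log = []                         # what a block-granular logger would emit

    def allocate(self, host: str):
        """Return a mapped port for a new connection from host, or None at the per-host cap."""
        for start in self.host_blocks[host]:
            used = self.used_in_block[start]
            if used < self.block_size:
                self.used_in_block[start] = used + 1
                return start + used          # no log entry: the block was already logged
        if len(self.host_blocks[host]) >= self.max_blocks or not self.free_blocks:
            self.log.append(f"{host}: port block limit reached, translation refused")
            return None
        start = self.free_blocks.pop(0)
        self.host_blocks[host].append(start)
        self.used_in_block[start] = 1
        self.log.append(f"{host}: allocated ports {start}-{start + self.block_size - 1}")
        return start


def compare_logging(connections: dict, **pat_kwargs) -> dict:
    """Run the model for {host: new_connection_count} and compare log volume.

    per_port_log_entries is what one-translation-at-a-time PAT would log (one line per
    mapping); block_log_entries is what block allocation logs (one line per block).
    """
    pat = PortBlockPAT(**pat_kwargs)
    translations = 0
    for host, count in connections.items():
        for _ in range(count):
            if pat.allocate(host) is not None:
                translations += 1
    return {
        "translations": translations,
        "per_port_log_entries": translations,
        "block_log_entries": sum("allocated" in e for e in pat.log),
        "refused": sum("refused" in e for e in pat.log),
        "blocks_per_host": {h: len(b) for h, b in pat.host_blocks.items()},
    }


if __name__ == "__main__":
    # Constructed workload: a normal host and one that tries to exceed its per-host ceiling.
    print(compare_logging({"10.0.0.5": 1000, "10.0.0.9": 3000}))
```

With the defaults used here, a host opening 1000 connections costs two log lines instead of a thousand, and a host opening 3000 is capped at 2048 translations by maximum-per-host, which is the property that keeps one subscriber from starving the pool.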
High Availability Features

Inter-site clustering support for Spanned EtherChannel in Routed firewall mode
You can now use inter-site clustering for Spanned EtherChannels in routed mode. To avoid MAC address flapping, configure a site ID for each cluster member so that a site-specific MAC address for each interface can be shared among a site's units. We introduced or modified the following commands: site-id, mac-address site-id, show cluster info, show interface. We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration.

ASA cluster customization of the auto-rejoin behavior when an interface or the cluster control link fails
You can now customize the auto-rejoin behavior when an interface or the cluster control link fails. We introduced the following command: health-check auto-rejoin. We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Auto Rejoin.

The ASA cluster supports GTPv1 and GTPv2
The ASA cluster now supports GTPv1 and GTPv2 inspection. We did not modify any commands. We did not modify any screens.

Cluster replication delay for TCP connections
This feature helps eliminate the "unnecessary work" related to short-lived flows by delaying the director/backup flow creation. We introduced the following command: cluster replication delay. We introduced an ASDM screen for this feature. Also available for the Firepower 9300 ASA security module in Version 9.4(1.152).

Disable health monitoring of a hardware module in ASA clustering
By default when using clustering, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring. We modified the following command: health-check monitor-interface service-module. We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring.

Enable use of the Management 1/1 interface as the failover link on the ASA 5506H
On the ASA 5506H only, you can now configure the Management 1/1 interface as the failover link. This feature lets you use all other interfaces on the device as data interfaces. Note that if you use this feature, you cannot use the ASA FirePOWER module, which requires the Management 1/1 interface to remain a regular management interface. We modified the following commands: failover lan interface, failover link. We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup.

Routing Features

Support for IPv6 in Policy Based Routing
IPv6 addresses are now supported for Policy Based Routing. We introduced the following commands: set ipv6 next-hop, set default ipv6-next hop, set ipv6 dscp. We modified the corresponding ASDM screens.

VXLAN support for Policy Based Routing
You can now enable Policy Based Routing on a VNI interface. We did not modify any commands. We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Interface > General.

Policy Based Routing support for Identity Firewall and Cisco TrustSec
You can configure Identity Firewall and Cisco TrustSec and then use Identity Firewall and Cisco TrustSec ACLs in Policy Based Routing route maps. We did not modify any commands. We modified the following screen: Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause.

Separate routing table for management-only interfaces
To segregate and isolate management traffic from data traffic, the ASA now supports a separate routing table for management-only interfaces. We introduced or modified the following commands: backup, clear ipv6 route management-only, clear route management-only, configure http, configure net, copy, enrollment source, name-server, restore, show asp table route-management-only, show ipv6 route management-only, show route management-only. We did not modify any screens.

Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) pass-through support
The ASA now allows PIM-SSM packets to pass through when you enable multicast routing, unless the ASA is the Last-Hop Router. This feature allows greater flexibility in choosing a multicast group while also protecting against different attacks; hosts only receive traffic from explicitly-requested sources. We did not modify any commands. We did not modify any screens.

Remote Access Features

IPv6 VLAN Mapping
ASA VPN code has been enhanced to support full IPv6 capabilities. No configuration change is necessary for the administrator.

Clientless SSL VPN SharePoint 2013 Support
Added support and a predefined application template for this new SharePoint version. We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks > Add Bookmark List > Select Bookmark Type > Predefined application templates.

Dynamic Bookmarks for Clientless VPN
Added CSCO_WEBVPN_DYNAMIC_URL and CSCO_WEBVPN_MACROLIST to the list of macros available in bookmarks. These macros allow the administrator to configure a single bookmark that generates multiple bookmark links on the clientless user's portal, and to statically configure bookmarks that take advantage of arbitrarily sized lists provided by LDAP attribute maps. We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks.

VPN Banner Length Increase
The overall banner length, which is displayed post-login on the VPN remote client portal, has increased from 500 to 4000 characters. We modified the following command: banner (group-policy). We modified the following screen: Configuration > Remote Access VPN > .... Add/Edit Internal Group Policy > General Parameters > Banner.

Cisco Easy VPN client on the ASA 5506-X, 5506W-X, 5506H-X, and 5508-X
This release supports Cisco Easy VPN on the ASA 5506-X series and the ASA 5508-X. The ASA acts as a VPN hardware client when connecting to the VPN headend. Any devices (computers, printers, and so on) behind the ASA on the Easy VPN port can communicate over the VPN; they do not have to run VPN clients individually. Note that only one ASA interface can act as the Easy VPN port; to connect multiple devices to that port, you need to place a Layer 2 switch on the port, and then connect your devices to the switch. We introduced the following commands: vpnclient enable, vpnclient server, vpnclient mode, vpnclient username, vpnclient ipsec-over-tcp, vpnclient management, vpnclient vpngroup, vpnclient trustpoint, vpnclient nem-st-autoconnect, vpnclient mac-exempt. We introduced the following screen: Configuration > VPN > Easy VPN Remote.

Monitoring Features

Show invalid usernames in syslog messages
You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, it is more secure to hide the "username" in the resultant syslog message, because the syslog would otherwise record that password in clear text. You might want to show invalid usernames to help with troubleshooting login issues. We introduced the following command: no logging hide username. We modified the following screen: Configuration > Device Management > Logging > Syslog Setup. This feature is also available in 9.2(4) and 9.3(3).

REST API Features

REST API Version 1.2.1
We added support for the REST API Version 1.2.1.
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
- CLI—Use the show version command.
- ASDM—Choose the menu item that shows device information.
See the following table for the upgrade path for your version. Some older versions require an intermediate upgrade before you can upgrade to a newer version.

| Current Version | Interim Upgrade Version | Target Version |
|---|---|---|
| 9.4(x) | — | Any of the following: → 9.5(x) → 9.4(x) |
| 9.3(x) | — | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) |
| 9.2(x) | — | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) |
| 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) | — | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 9.1(1) | → 9.1(2) | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 9.0(2), 9.0(3), or 9.0(4) | — | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 9.0(1) | → 9.0(2), 9.0(3), or 9.0(4) | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.6(1) | → 9.0(2), 9.0(3), or 9.0(4) | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.5(1) | → 9.0(2), 9.0(3), or 9.0(4) | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.4(5+) | — | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.4(1) through 8.4(4) | Any of the following: → 9.0(2), 9.0(3), or 9.0(4) → 8.4(6) | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.3(x) | → 8.4(6) | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.2(x) and earlier | → 8.4(6) | Any of the following: → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.5(x)
If you have a Cisco support contract, use the following dynamic search for all open bugs severity 3 and higher for Version 9.5(x):
The following open bugs were listed at the time of this Release Note publication:
- OpenLDAP needs to be upgraded or patched
- Traceback: ASA crash in thread name fover_health_monitoring_thread
- ASA5508X SSD LED always green even when SSD is removed
- Free memory drops to 0 after clientless VPN Test
- ASA/DOC: Spaces can be used in LDAP DN
- XMLSoft libxml2 Encoding Conversion Denial of Service Vulnerability
- XMLSoft libxml2 xmlParserInputGrow Function Denial of Service Vulnerability
- XMLSoft libxml2 XML Entity Processing Denial of Service Vulnerability
- XMLSoft libxml2 xmlNextChar Function Memory Corruption Vulnerability
- XMLSoft libxml2 xmlParseXMLDecl Function Denial of Service Vulnerability
- DOC: ASA IPV6 LAN-to-LAN VPNs is compatible with non-ASA peers
- 5508 and 5516 Devices may not boot 9.5.1 or later images
- libxml2 htmlParseNameComplex() Function Denial of Service Vulnerability
- XMLSoft libxml2 xmlStringGetNodeList Function Memory Exhaustion Denial of Service
- Configuration retrieval from external server fails in multicontext mode
- ASA 5506 interface Counters & OIDs showing incorrect value for traffic
- OSPFv3/IPv6 flapping every 30 min between ASA cluster and 4500
- ASA traceback in CLI thread while making MPF changes
- ASAv Azure: ASAv not responding or passing traffic
- ASAv-Azure: waagent may reload when asav deployed with load balancer
- Shut down interfaces shows up in ASP routing table
- Unable to relay DHCP discover packet from ASA when NAT is matched
- SIP packets mangled when using TLS1.2 and ASA is server
- Linux Kernel NULL Pointer Dereference Denial of Service Vulnerability
- XMLSoft libxml2 XML Content Processing External Entity Expansion Vulnerability
- XMLSoft libxml2 Format String Vulnerability
- ASAv: TCP state bypass not matching the traffic required
- ASA Crash Checkheap Free Buffer Corrupted
- Interfaces get deleted on SFR during Multi-context HA configuration sync
- ASAv Azure: ASAv30 Anyconnect peer support
- ASA: Botnet update fails with a lot of Errors
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 9.5(3.9)
The following table lists select resolved bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | Packet captures cause CPU spike on multi-core platforms due to spin_lock |
| | ARP: Proxy IP traffic is hijacked |
| | FIPS self test power on fails - fipsPostDrbgKat |
| | ASA traceback on standby when SNMP polling |
| | ASA traceback when retrieving idfw topn user from slave |
| | Stale VPN Context entries cause ASA to stop encrypting traffic |
| | "show resource usage detail counter all 1" causes CPU hog |
| | ASA classifies TCP packets as PAWS failure incorrectly |
| | ASA low DMA memory on low end ASA-X 5512/5515 devices |
| | Transactional ACL commit will bypass security policy during compilation |
| | Shared licenses are not activated on failover pair after power cycle |
| | ASA traceback in Thread Name DATAPATH when handling multicast packet |
| | ASA traffic not sent properly using 'traffic-forward sfr monitor-only' |
| | ASA 5545x upgrade to 9.2(2)4 causes traceback in Thread Name SSL |
| | Cisco ASA XML Denial of Service Vulnerability |
| | ASA: Stuck uauth entry rejects AnyConnect user connections |
| | ASA traceback on 9.1.5.19 |
| | Traceback in Thread Name: ssh when using capture or continuous ping |
| | 9.5.1 - Crash in bcm_esw_init thread |
| | ASA traceback on standby device during config sync in thread DATAPATH |
| | Traceback: ASA crash in thread name fover_health_monitoring_thread |
| | ASA - SSH sessions stuck in CLOSE_WAIT causing ASA to send RST |
| | ASA traceback while restoring backup configuration from ASDM |
| | Cisco ASA Software Version Information Disclosure Vulnerability |
| | ASA - Filtering HTTP via Websense or SFR may cause memory corruption |
| | Watchdog traceback in ldap_client_thread with large number of LDAP groups |
| | QEMU coredump: qemu_thread_create: Resource temporarily unavailable |
| | SSH connections are not timed out on ASA (stuck in rtcli) |
| | Standby ASA traceback in Thread Name: EIGRP-IPv4 |
| | Traceback in Unicorn Proxy Thread, in http_header_by_name |
| | ASA: Traceback in Thread Name DATAPATH-7-1918 |
| | ASA 9.4.1 traceback upon clearing and reconfiguring ACL |
| | Thread Name: DATAPATH-17-3095: ASA in cluster reloads unexpectedly |
| | After some time flash operations fail and configuration cannot be saved |
| | Evaluate CVE-2015-6360 for libsrtp Denial of Service (DoS) |
| | Traceback in thread name: Unicorn Proxy Thread |
| | RSA 4096 key generation causes failover |
| | ASA: assertion "pp->pd == pd" failed: file "main.c", line 192 |
| | CWS: ASA does not append XSS headers |
| | ASA: Traceback in Checkheaps |
| | http-form authentication fails after 9.3.2 |
| | ASA traceback when using an ECDSA certificate |
| | Smart Tunnel starts and Java closes without any message |
| | ASA traceback in Unicorn Proxy Thread |
| | show memory indicates inaccurate free memory available |
| | PBR incorrect route selection for deny clause |
| | ASA memory leak related to Botnet |
| | SNMP: Memory leak walking CISCO-ENHANCED-MEMPOOL-MIB |
| | OSPF neighbor goes down after "reload in xx" command in 9.2 and later |
| | ASA: Failover not working with password encryption |
| | ASA 9.1.6.10 traceback after removing compact flash and executing dir command |
| | Primary and secondary ASA in HA traceback in Thread Name: DataPath |
| | ASA 9.4.2 traceback in DATAPATH |
| | GTPv1 traceback in gtpv1_process_msg |
| | ASA ERROR: FIPS Self-Test failure, fips_continuous_rng_test [-1:12:0:2:16] |
| | Traceback in ctm_ssl_generate_key with DHE ciphers in SSL VPN scaled test |
| | PBR: Memory leak in cluster mode due to policy based route |
| | Port-channel config on Gi 0/0 causes boot loop - FIPS related |
| | Cisco signed certificate expired for WebVPN Port Forward binary on ASA |
| | Evaluation of pix-asa for OpenSSL December 2015 vulnerabilities |
| | ASA 9.5.1 traceback in Thread Name Datapath due to SIP inspection |
| | DHCP Relay fails for cluster ASAs with long interface names |
| | SSL sessions stop processing - "Unable to create session directory" error |
| | ASA (9.5.2) changing the ACK number sent to client with SFR redirection |
| | "no ipv6-vpn-addr-assign" CLI not working |
| | ASA L7 policy-map comes into effect only if the inspection is re-applied |
| | ASA: Traceback in Thread IP Address Assign |
| | Traffic drop due to constant amount of ARP on ASASM |
| | ASA: Traceback on ASA device after adding FQDN objects in NAT rule |
| | ASA traceback while viewing large ACL |
| | Reload in Thread Name: IKE Daemon |
| | "show resource usage" gives wrong number of routes after shut/no shut |
| | ASA TACACS+: process tacplus_snd uses large percentage of CPU |
| | ASA 9.5 - OCSP check using global routing table instead of management |
| | ASA traceback on Thread Name: Unicorn Admin Handler |
| | NAT pool exhausted observed when enabling asp transactional-commit nat |
| | VLAN mapping doesn't work when connection falls back to TLS |
| | ASA traceback in Thread Name: https_proxy |
| | ASA traceback in DATAPATH thread |
| | ASA traceback assert in Thread Name: ssh_init with component ssh |
| | Cisco ASA Linux Kernel Vulnerability - CVE-2016-0728 |
| | ASA using a huge dynamic ACL may cause AnyConnect connectivity failures |
| | ASA tracebacks when replicating xlate to the standby/slave |
| | ASA reloads with traceback in thread name DATAPATH or CP Processing |
| | Traceback in Thread: IPsec message handler |
| | ASA traceback in Thread Name: Unicorn Proxy Thread |
| | ASA traceback with SIP inspection and SFR enabled in 9.5.2 |
| | ASA traceback and reload citing Thread Name: idfw_proc |
| | ASA: MAC address changes on active context when WRITE STANDBY is issued |
| | Re-adding context creates context without configs on some slaves |
| | Smart tunnel does not work since Firefox 32-bit version 43 |
| | ASA: Assert traceback in version 9.4.2 |
| | ASA 5585 traceback when the user name is mentioned in the access list |
| | ASA watchdog traceback in CP Processing thread during TLS processing |
| | ASA may traceback with: DATAPATH-9-3101/DATAPATH-7-3145/DATAPATH-3-1685 |
| | Traceback when drop is enabled with diameter inspection and tls-proxy |
| | Standby ASA doesn't pass traffic via ASA-IC-6GE-SFP-B interface after reload |
| | VPN load-balancing does not send load-balancing cert for IPv6 address |
| | Cisco ASA ACL ICMP Echo Request Code Filtering Vulnerability |
| | Traceback in ldap_client_thread with LDAP attribute mapping and pw-mgmt |
| | VPN LB stops working when cluster encryption is configured |
| | ASA crash on cluster member or on standby member of failover pair after replication of conns |
| | ASA access-list missing and losing elements after configuration change |
| | Can't navigate to OWA 2013 due to SSL errors |
| | Traceback: assertion "0" failed: file "ctm_daemon.c" |
| | OCSP validation fails when multiple certs in chain are verified |
| | BGP: Deployment failed with reason supported on management-only interface |
| | ASA reloads in thread name: DATAPATH while encrypting L2L packet |
| | BVI: Interface IPv6 address deleted from standby context on HA - A/A |
| | ASA: Configuration not replicated on mate if standby IP is missing |
| | Traceback at gtpv1_process_pdp_create_req |
| | Crash in proxyi_rx_q_timeout_timer |
| | Buffer overflow in RAMFS dirent structure causing traceback |
| | Evaluation of pix-asa for OpenSSL March 2016 |
| | Unicorn Proxy Thread causing CP contention |
| | ASAv sub-interface failing to send traffic with customised mac-address |
| | ASA 9.1(6) traceback processing outbound DTLS packet |
| | Cisco ASA Software DHCP Relay Denial of Service Vulnerability |
| | Traceback in thread name idfw when modifying object-group having FQDN |
| | Assert traceback in Thread Name: DATAPATH on clustered packet reassembly |
| | Original master not defending all GARP packets after cluster split brain |
| | OSPF routes not populating over L2L tunnel |
| | ASA crashes when global access-list config is cleared |
| | ASA traceback when receiving RADIUS attribute with improper variable type |
| | ASA - Traceback in CP Processing thread during private key decryption |
| | ASA may stop responding to OSPF Hello packets |
| | Improve efficiency of malloc_avail_freemem() |
| | ASA clientless rewriter failure at 'CSCOPut_hash' function |
| | ASA 9.1.6.4 traceback with Thread Name: telnet/ci |
| | Memory leak in 112 byte bin when packet hits PBR and WCCP rules |
| | ASA traceback in SSH thread |
| | ASA does not respond to NS in Active/Active HA |
| | Infinite loop in JS rewriter state machine when return followed by var |
| | ASA traceback and reload by strncpy_sx.c |
| | Kenton 9.5.1 'boot system/boot config' commands not retained after reload |
| | 5585-10 traceback in Thread Name: idfw_proc |
| | Incorrect modification of NAT divert table |
| | 9.6.2 EST - assertion "0" failed: file "snp_vxlan.c" |
| | CSCOPut_hash can initiate unexpected requests |
| | ASA traceback in thread name ssh |
| | CPU usage is high after timer dequeue failed in GTP |
| | Context config may get rejected if all the units in cluster reloaded |
| | Network command disappears from BGP after reload with name |
| | Traceback in IKEv2 Daemon with 20+ second CPU hog |
| | Traceback on editing a network object on exceeding the max SNMP hosts |
| | ASA traceback when large ACL applied to interface with object-group-search |
| | ASA: Page fault traceback in DATAPATH on standby ASA after booting up |
| | WebVPN rewrite fails for MSCA cert enrollment page / VBScript |
| | ASA memory leak due to vpnfo |
| | Interfaces get deleted on SFR during HA configuration sync |
| | ASA stateful failover for DRP works intermittently |
| | Traceback data path self deadlock panic while attempting to get spin lock |
| | Commands not installed on standby due to parser switch |
| | Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability |
| | Evaluation of pix-asa for OpenSSL May 2016 |
| | ASA: Traceback on ASA in Datapath when enabling SFR traffic redirection |
| | ASA address not mapped traceback - configuring snmp-server host |
| | Interface health-check failover causes OSPF not to advertise ASA as ABR |
| | Observing memory corruption, assert for debug ospf |
| | GTP traceback at gtp_update_sig_conn_timestamp while processing data |
| | ASA cut-through proxy inactivity timeout not working |
| | ASA cluster fragments reassembled before transmission with no inspection |
| | ASA may traceback with Thread Name: cluster rx thread |
| | ASA may traceback with Thread Name: Unicorn Admin Handler |
| | ASA crashed due to election severe problem, no master is promoted |
| | ASA: SSH being denied on the ASA device as the maximum limit is reached |
| | Traceback during tls-proxy handshake |
| | IPv6 neighbor discovery packet processing behavior |
| | 2048/1550/9344 byte block leak causes traffic disruption & module failure |
| | ASA with PAT fails to untranslate SIP Via field that doesn't contain port |
| | ASA crashes while clearing global access-list |
| | IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck |
| | DNS doctoring DNS64 is not working |
| | ASA traceback with Thread Name: Dispatch Unit |
| | Traceback in CP Processing thread after upgrade |
| | ASA 9.4.2.6 high CPU in CTM message handler due to chip resets |
| | Remove ACL warning messages in show access-list when FQDN is resolved |
| | Unexpected end of file logon.html in WebVPN |
| | ASA not rate limiting with DSCP bit set from the server |
| | show service-policy output reporting incorrect values |
| | ASA: Memory leak in cluster mode due to PBR lookup |
| | ASA ASSERT traceback in DATAPATH due to SCTP inspection |
| | On reloading the ASA, ASA mounts SSD as disk 0, instead of the flash |
| | IPv6 OSPF routes do not update when a lower metric route is advertised |
| | ASA SM on 9300 reloads multi-context over SSH when config-url is entered |
| | ASA: PBR memory leak as packet dropped |
| | ASA traceback at Thread Name: rtcli async executor process |
| | ASA DATAPATH traceback (cluster) |
| | BGP socket not open in ASA after reload |
| | Cisco ASA Input Validation File Injection Vulnerability |
| | ASA traceback in CLI thread while making MPF changes |
| | Interfaces get deleted on SFR during cluster rejoining |
| | Crypto accelerator ring timeout causes packet drops |
| | Traceback in Thread Name: ssh when issuing show tls-proxy session detail |
| | Memory leak in ssh |
| | uauth fails after failover |
| | ASA drops ICMP request packets when ICMP inspection is disabled |
| | OSPF generates Type-5 LSA with incorrect mask, which gets stuck in LSDB |
| | ASA stuck in boot loop due to FIPS Self-Test failure |
| | ASA negotiates TLS1.2 when server in tls-proxy |
| | ASA: Enabling IKEv1/IKEv2 opens RADIUS ports |
| | ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon |
| | IPv6 address not assigned when connecting via IPsec protocol |
| | ASA: CHILD_SA collision brings down IKEv2 SA |
| | ASA memory leak for CTS SGT mappings |
| | GTP traceback at gtpv1_process_msg for echo response |
| | OTP authentication is not working for clientless SSL VPN |
| | AnyConnect sessions cannot connect due to stuck L2TP uauth sessions |
| | ASA traceback when issuing 'show asp table classify domain permit' |
| | ASA traceback in CTM Message Handler |
| | Cisco ASA SNMP Remote Code Execution Vulnerability |
| | ASA cluster DHCP Relay doesn't forward the server replies to the client |
| | Enqueue failures on DP-CP queue may stall inspected TCP connection |
| | Traceback in IKE_DBG |
| | H.323 inspection causes traceback in Thread Name: CP Processing |
| | Traceback in network udpmod_get after AnyConnect test load application |
| | ASA: Botnet update fails with a lot of errors |
| | wr mem / wr standby is not syncing configs on standby |
| | ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer |
| | ASA as DHCP relay drops DHCP 150 Inform message |
| | Buffer overflow in ASA leads to remote code execution |
| | ASA traceback in thread name CP Processing due to DCERPC inspection |
| | ASA 9.1.7-9 crash in Thread Name: NIC status poll |
| | ASA 1550 block depletion with multi-context transparent firewall |
| | AAA authentication/authorization fails if only accessible via mgmt VRF |
| | Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416 |
| | ASA may generate DATAPATH traceback with policy-based routing enabled |
| | Traceback: ASA with Thread Name: DATAPATH-0-1790 |
| | WebVPN: VNC plugin: Java: Connection reset by peer: socket write error |
| | Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback |
| | Lower NFS throughput rate on Cisco ASA platform |
| | ASA traceback with Thread Name aaa_shim_thread |
| | Evaluation of pix-asa for OpenSSL September 2016 |
| | Traceback triggered by CoA on ASA when sending/receiving to/from ISE |
| | ASA traceback Thread Name: emweb/https |
| | AAA session handle leak with IKEv2 when denied due to time range |
| | ASA-SM traceback with Thread: fover_parse during upgrade OS 9.1.6 to 9.4.3 |
| | ASA fairly infrequently rewrites the dest MAC address of multicast packet for client |
| | ASA traceback at Thread Name: IKE Daemon |
| | ASA dropping traffic with TCP syslog configured in multicontext mode |
| | ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded' |
Resolved Bugs in Version 9.5(2.200)
There were no bugs fixed in 9.5(2.200).
Resolved Bugs in Version 9.5(2.1)
There were no bugs fixed in 9.5(2.1).
Resolved Bugs in Version 9.5(2)
If you have a Cisco support contract, use the following search for resolved bugs of severity 3 and higher for Version 9.5(2):
The following table lists resolved bugs at the time of this Release Note publication.
| Identifier | Description |
|---|---|
| | ASA traceback in Thread Name: CP Crypto Result Processing |
| | ASA: Traceback with Thread Name - AAA |
| | Auth-prompt configured in one context appears in another context |
| | ASA: LDAP over SSL authentication failure |
| | Unable to authenticate with remove aaa-server from different context |
| | ASA truncates url-redirect at 160 chars for RA VPN clients (ISE 1.3+) |
| | AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue |
| | Cisco ASA XAUTH Bypass Vulnerability |
| | ASA traceback in aaa_shim_thread / command author done for dACL install |
| | ASA - access list address argument changed from host 0.0.0.0 to host :: |
| | ASA traceback: SSH Thread: many users logged in and dACLs being modified |
| | Memory leak @regcomp_unicorn with APCF configured |
| | ASA - Traceback in Thread Name: fover_parse |
| | ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test |
| | ASA traceback in Thread Name: fover_parse (ak47/ramfs) |
| | ASA traceback in vpnfol_thread_msg |
| | Unicorn proxy thread traceback with RAMFS processing |
| | ASA - Traceback in thread name SSH while applying BGP show commands |
| | ASA dataplane captures don't capture packets when using match/access-list |
| | 9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain |
| | ASA 9.2.1 - DATAPATH traceback in L2 cluster environment |
| | ASA cluster member traceback in DATAPATH |
| | ASA cluster - Incorrect "current conns" counter in service-policy |
| | ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel |
| | ASA: ICMP error loop on cluster CCL with interface PAT |
| | Clustering: Traceback in DATAPATH with transparent FW |
| | ASA is not correctly handling errors on AES-GCM ICV |
| | ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit |
| | ASA failover due to show local-host command causing CPU hog |
| | ASA traceback in DATAPATH thread due to double block free |
| | Interface TLV to SFR is corrupt when frame is longer than 2048 bytes |
| | Request allow packets to pass when snort is down for ASA configurations |
| | Traceback in Thread Name: DATAPATH on modifying "set connection" in MPF |
| | DHCP server process stuck if dhcpd auto_config already enabled from CLI |
| | DHCP-DHCP Proxy thread traceback shortly after failover and reload |
| | EIGRP configuration not being correctly replicated between failover ASAs |
| | ASA - URL filter - traceback on thread name uauth_urlb clean |
| | ASA traceback in Thread Name: CP Processing |
| | Traceback on standby ASA during hitless upgrade |
| | ASA: traceback in IDFW AD agent |
| | Active ftp-data is blocked by Firepower on Chivas Beta on 5512 |
| | ASA traceback in cp_syslog |
| | ASA: Silently drops packets with SFR module installed |
| | Traceback in Thread CP Processing |
| | ASA changes non-default port to 443 for HTTPS traffic redirected to CWS |
| | ASA redirection to ScanSafe tower fails with log id "775002" in syslog |
| | Immediate FIN from client after GET breaks ScanSafe connection |
| | ASA/ASASM drops SIP invite packets with From field containing "" and \ |
| | Traceback in thread CP Processing |
| | 2048-byte block leak if DNS server replies with "No such name" |
| | ASA: Traceback while copying file using SCP on ASA |
| | DNS traceback in channel_put() |
| | Active ASA in failover setup reboots on its own |
| | ASA 5506X: ESP packet drop due to crypto accelerator ring timeout |
| | ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceed limit |
| | Cisco ASA VPN Memory Block Exhaustion Vulnerability |
| | Traceback in Thread Name: DATAPATH-1-1382 while processing NAT-T packet |
| | Cert auth fails with 'max simultaneous-login restriction' error |
| | IKEv2 with DH 19 and above fails to pass traffic after phase 2 rekey |
| | ASA traceback in PPP |
| | Improper S2S IPsec datapath selection for remote overlapping networks |
| | Split-tunnel not working for EzVPN client on Kenton device (9.5.1) |
| | ASA: AnyConnect IPv6 traceroute does not work as expected |
| | ASA dropping traffic with TCP syslog configured in multicontext mode |
| | ASA traceback in ssh whilst adding new line to extended ACL |
| | ASA not generating PIM register packet for directly connected sources |
| | ASA traceback when removing dynamic PAT statement from cluster |
| | Observed traceback in SNMP while querying GET BULK for 'xlate count' |
| | ASA traceback with Thread Name idfw_proc |
| | eglibc 2.18 is missing upstream fix #15073 |
| | OSPF over IKEv2 L2L tunnel is broken on ASA from 9.2.1 onwards |
| | ASA may traceback when displaying packet capture with trace option |
| | ASA LDAP CRL query baseObject DN string is malformed |
| | ASA picks incorrect trustpoint to verify OCSP response |
| | CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached |
| | AnyConnect SSL VPN certificate authentication fails on ASA |
| | ASA CA certificate import fails with different types of Name Constraints |
| | ASA cert validation fails when suitable TP is above the resident CA cert |
| | ASA Name Constraints dirName improperly verified |
| | ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8) |
| | RA validation failed when CA/subCA contains name constraints |
| | 5585 interface counters show 0 for working interfaces and console errors |
| | ASA CX - Data plane marked as DOWN until ASA reload |
| | ASA5505 permanent base license, temp secplus, failover, VLAN count issue |
| | ASA5585 9.5(1): Support failover LAN on Management0/0 port |
| | Kenton 5516: Interface dropping ARPs after flapping under traffic load |
| | ASA 8.4 memory leak due to duplicate entries in ASP table |
| | ASA: Traceback in Thread Name Checkheaps due to WebVPN |
| | 'redistribute' commands under 'router eigrp' removed on deleting any context |
| | ASA does not set forward address or p-bit in OSPF redistribution in NSSA |
| | ASA OSPF database does not reflect changes |
| | CRL download functionality seems to be broken on ASA |
| | Dynamic route not installed after failover |
| | EIGRP authentication not working with simple password |
| | RRI static routing changes not updated in routing table |
| | Standby ASA does not apply OSPF route after config replication |
| | Standby ASA inside IP not reachable after AnyConnect disconnect |
| | Standby traceback during config replication with customization export |
| | ASAv licensing enforcement should not be CLI parser based |
| | Unable to load ASDM to a context in multiple context mode |
| | CPU hog due to SNMP polling of ASA memory pool information |
| | snmpwalk causes slow memory leak on ASA |
| | ASA traceback in Thread Name ssh/client |
| | ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO: |
| | ASA SSLVPN client cert validation failure - SSL Lib error: Bad RSA Sig |
| | Cut-through proxy not working correctly with TLS1.2 |
| | SSL: Unable to join nodes in cluster |
| | Disable ECDSA SSL ciphers when manually configuring RSA cert for SSL |
| | ASAv traceback in DATAPATH when used for WebVPN |
| | ASA SSLVPN RDP plugin session freezes under heavy load with ActiveX |
| | ASA TCP normalizer sends PUSH ACK for invalid ACK for half-open conns |
| | conn-max counter is not decreased accordingly |
| | Per-session PAT RST sent to incorrect direction after closing session |
| | ASA traceback because of TD tcp-intercept feature |
| | ASA: Traceback in Thread Unicorn Admin Handler due to Threat Detection |
| | Cluster destabilizes when contexts are removed |
| | ASA: Watchdog traceback with Thread Name: SXP CORE |
| | SXP version mismatch between ASA & N7K with clustering |
| | ASAv cannot remove/change default global_policy or inspection_default |
| | ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal |
| | Traceback with Thread Name: IP Address Assign |
| | ASA allows Citrix ICA connection without authentication |
| | WebVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7 |
| | ASA WebVPN clientless cookie authentication bypass |
| | AddThis widget is not shown causing traceback in Unicorn Proxy Thread |
| | ASA WebVPN: JavaScript fails to execute when accessing internal portal |
| | Clientless WebVPN on ASA does not display asmx files |
| | HTTP chunked data causing watchdog |
| | Need to prevent traceback in js_parser_print_rest |
| | PCP 10.6 clientless VPN access is denied when accessing pages |
| | Traceback in WebVPN rewriter |
| | WebVPN rewrite issues for Confluence by Atlassian on latest v6.4.5 |
| | WebVPN rewriter: "parse" method returns curly brace instead of semicolon |
| | WebVPN: JS parser may crash if the underlying connection is closed |
Resolved Bugs in Version 9.5(1.5)
If you have a Cisco support contract, use the following search for resolved bugs of severity 3 and higher for Version 9.5(1.5):
The following table lists resolved bugs at the time of this Release Note publication.
| Identifier | Description |
|---|---|
| | WebVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7 |
| | ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceed limit |
| | ASA SSLVPN client cert validation failure - SSL Lib error: Bad RSA Sig |
| | ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal |
| | ASA: AnyConnect IPv6 traceroute does not work as expected |
| | Auth-prompt configured in one context appears in another context |
| | Traceback in Thread CP Processing |
| | ASA failover due to show local-host command causing CPU hog |
| | ASA - URL filter - traceback on thread name uauth_urlb clean |
| | ASAv traceback in DATAPATH when used for WebVPN |
| | Clientless WebVPN on ASA does not display asmx files |
| | Need to prevent traceback in js_parser_print_rest |
| | ASA: CLI commands not showing help (?) options for local authorization |
| | ASA LDAP CRL query baseObject DN string is malformed |
| | Unable to authenticate with remove aaa-server from different context |
| | ASA SSLVPN RDP plugin session freezes under heavy load with ActiveX |
| | ASA: LDAP over SSL authentication failure |
| | ASA: Not able to remove ACE with "log default" keyword |
| | ASA cluster - Incorrect "current conns" counter in service-policy |
| | Dynamic route not installed after failover |
| | ASA: Watchdog traceback with Thread Name: SXP CORE |
| | ASA may traceback when displaying packet capture with trace option |
| | ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8) |
| | HTTP chunked data causing watchdog |
| | Cisco ASA VPN Memory Block Exhaustion Vulnerability |
| | Standby traceback during config replication with customization export |
| | WebVPN: JS parser may crash if the underlying connection is closed |
| | ASA traceback in Thread Name: fover_parse (ak47/ramfs) |
| | Unicorn proxy thread traceback with RAMFS processing |
| | RA validation failed when CA/subCA contains name constraints |
| | Request allow packets to pass when snort is down for ASA configurations |
| | ASA truncates url-redirect at 160 chars for RA VPN clients (ISE 1.3+) |
| | ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test |
| | traffic-forward interface command is not working on 5585 |
Resolved Bugs in Version 9.5(1.200)
There were no bugs fixed in 9.5(1.200).
Resolved Bugs in Version 9.5(1)
If you have a Cisco support contract, use the following search for resolved bugs of severity 3 and higher for Version 9.5(1):
The following table lists resolved bugs at the time of this Release Note publication.
| Identifier | Description |
|---|---|
| | AAA authorization HTTP sends username in password field of authorization |
| | ASA 9.3.2: DAP intermittently uses default policy for VPN RA sessions |
| | Standalone AnyConnect fails to connect due to empty DAP user message |
| | Add CLI to control masked username in syslog |
| | ASA: Password creation date is decrementing by one with every reboot |
| | ASA: Traceback with Thread Name - AAA |
| | [ASA] CTP not working if proxyACL port_argument is gt |
| | ASA tunnel-group "password-expire-in-days" not prompting a password change |
| | AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue |
| | ASA traceback in aaa_shim_thread / command author done for dACL install |
| | ASA - access list address argument changed from host 0.0.0.0 to host :: |
| | ASA 9.0.3 not logging permitted UDP traffic |
| | ASA: ACL logging is not getting disabled with keyword "log disable" |
| | [ASA] access-list ACL_name standard permit host 0.0.0.0 deleted |
| | Memory leak @regcomp_unicorn with APCF configured |
| | Codenomicon HTTP-server suite may cause crash |
| | ASA - Traceback in thread name SSH while applying BGP show commands |
| | BGP IPv6 neighborship fails with ASA after hard reset on router |
| | ASA dataplane captures don't capture packets when using match/access-list |
| | Drop reasons missing from asp-drop capture |
| | ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel |
| | Clustering: Traceback in DATAPATH with transparent FW |
| | RPC error in request config after replicating a large configuration |
| | show cluster mem indicates incorrect values |
| | Traceback in snp_cluster_get_buffer |
| | ASA is not correctly handling errors on AES-GCM ICV |
| | Double counting flow bytes for decrypted packets |
| | Cisco ASA DHCPv6 Relay Denial of Service Vulnerability |
| | Corrupted host name may occur with DHCP |
| | DHCP-DHCP Proxy thread traceback shortly after failover and reload |
| | EIGRP configuration not being correctly replicated between failover ASAs |
| | ASA traceback in Thread Name: CP Processing |
| | ASA: failover logging messages appear in user context |
| | Failover assembly remained in active-active state permanently |
| | Traceback on standby ASA during hitless upgrade |
| | ASA: XFRAME support for .JS and .JNLP URLs |
| | ASA: traceback in IDFW AD agent |
| | ASA Remote Access - Phase 1 terminated after xauth |
| | ASA SMTP inspection should not disable TLS by default |
| | Handling ESMTP default parameters for TLS |
| | Active ftp-data is blocked by Firepower on Chivas Beta on 5512 |
| | ASA traceback: thread name "scansafe_poll" |
| | ASA/ASASM drops SIP invite packets with From field containing "" and \ |
| | Traceback in thread CP Processing |
| | USB device hot plug not supported in running ASA |
| | 2048-byte block leak if DNS server replies with "No such name" |
| | Cisco ASA DNS Denial of Service Vulnerability |
| | DNS should perform IPv4 lookups if IPv6 address is not reachable |
| | EEM action not executed on absolute time when NTP is configured |
| | ASA 5506X: ESP packet drop due to crypto accelerator ring timeout |
| | LU allocate connection failed on the standby ASA unit |
| | Cert auth fails with 'max simultaneous-login restriction' error |
| | ikev2 enable added to config when zones are used despite ERROR msg |
| | IKEv2 session with bogus assigned IP address stays on ASA |
| | IKEv2: IPsec SAs are created by dynamic crypto map for static peers |
| | ASA traceback in PPP |
| | L2TP/IPsec optimal MSS is not what it's supposed to be |
| | L2TP/IPsec traffic dropped due to "vpn-overlap-conflict" |
| | RADIUS Acct-Terminate-Cause for L2TP over IPsec is incorrect |
| | Duplicate IPv6 address is configurable in 1 ASA or context |
| | IPv6 local host route fails when setting link-local/global simultaneously |
| | ASA dropping traffic with TCP syslog configured in multicontext mode |
| | Timeout: FloatingConnection valid (0:0:30-1193:0) remove http & telnet config |
| | ASA inspection MPF ACL changes not inserted into ASP table properly |
| | ASA traceback in ssh whilst adding new line to extended ACL |
| | ASA not generating PIM register packet for directly connected sources |
| | Cisco ASA PIM Multicast Registration Vulnerability |
| | ASA generates pool exhausted for SIP inspect with embedded IP but no port |
| | Migration of max_conn/em_limit to MPF is completely wrong in 8.3 |
| | Misleading error msg for pat-pool with mapped object |
| | Observed traceback in SNMP while querying GET BULK for 'xlate count' |
| | PBA: Generate syslogs for port block allocation related failures |
| | Two dynamic PAT with and without block-allocation |
| | eglibc 2.18 is missing upstream fix #15073 |
| | ASA crashes for the OSPFv2 packets from Codenomicon |
| | ASA: OSPF over L2L tunnels is not working with multiple crypto map entries |
| | Cisco ASA OSPFv2 Denial of Service Vulnerability |
| | Ampersand (&) not encoded in packet tracer phase 'extra' field |
| | "no nameif" is removing the policy-route configuration |
| | PBR: DF & DSCP bits are not getting set without valid set next-hop |
| | Policy based routing is not working with twice NAT |
| | ASA - Traceback in thread name: CERT API |
| | Cryptomaps lose trustpoint when syncing configuration from cluster unit |
| | ASA tunnel-group-map cannot contain spaces |
| | CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached |
| | AnyConnect SSL VPN certificate authentication fails on ASA |
| | ASA CA certificate import fails with different types of Name Constraints |
| | ASA Name Constraints dirName improperly verified |
| | Incorrect cert chain sent to connecting IPsec clients |
| | PKI: potential PKI session handle leak in IKEv2 L2L configurations |
| | 5506-X: 'no buffer' interface counter reports incorrect errors |
| | Kenton 5516: Interface dropping ARPs after flapping under traffic load |
| | Kenton: For ASA5516, ASAOS should support SSLVPN of 300 instead of 250 |
| | Kernel command line is displayed while booting 9.5.1 image |
| | Traceback and reload triggered by failover configuration |
| | PPPoE session state timer does not initialize properly |
| | ASA 8.4 memory leak due to duplicate entries in ASP table |
| | ASA: Top 10 Users status is not getting enabled from ASDM |
| | ASA QoS priority queue tx-ring-limit 512 causes high impact to LLQ |
| | Secondary ASA stuck in config sync while upgrading to 8.4.x |
| | Multiple problems with output of show processes memory |
| | 'redistribute' commands under 'router eigrp' removed on deleting any context |
| | ASA cluster: Default OSPF route gone on master unit |
| | ASA does not set forward address or p-bit in OSPF redistribution in NSSA |
|
ASA silently dropping OSPF LS Update messages from neighbors |
|
ASA-3-317012 and "No route to host" errors even though the route exists |
|
ASA: ECMP stopped working after upgrade to 9.3.2 |
|
Misleading route-map warning message |
|
RRI static routing changes not updated in routing table |
|
Standby ASA does not apply OSPF route after config replication |
|
xszASA 9.2.1 Eigrp Authentication does not work with 16 character key |
|
Remove demo and eval warning for sfr monitor-only |
|
ASAv cannot send SL messages after toggeling of "service call-home" cmd |
|
ASAv crashes when CiscoTAC-1 profile pointed to Transport Gateway w/ dbg |
|
snmpwalk causes slow memory leak on ASA |
|
"ssh scopy enable" deleted from configuration |
|
ASA not checking the MAC of the TLS records |
|
Cisco ASA Poodle TLS Variant |
|
Cut Through proxy not working correctly with TLS1.2 |
|
SSL connection failing to WebVPN portal |
|
SSL : Unable to Join nodes in Cluster |
|
Evaluation of OpenSSL June 2015 |
|
MARCH 2015 OpenSSL Vulnerabilities |
|
ASAv traceback in DATAPATH when used for WebVPN |
|
JANUARY 2015 OpenSSL Vulnerabilities |
|
To-the-box UDP traffic not getting inspected and getting dropped on ASA |
|
ASA teardown connection after receiving same direction fins |
|
conn-max counter is not decreased accordingly |
|
NFS connections not timing out after failover |
|
Per-session PAT RST sent to incorrect direction after closing session |
|
ASA traceback because of TD tcp-intercept feature |
|
Exception on asdm_handler stream line: </threat-detection> |
|
ASAv requires a reboot for the license to take effect. |
|
ASAv: RSA key pair needs to be automatically generated with 2048 bits |
|
Cannot bootup ASAv-KVM when deployed via RHEL (7.1) / OpenStack (Juno) |
|
ASA Traceback in SSL library due to DMA memory exhaustion |
|
ASA traceback in Thread Name: fover_parse |
|
AnyConnect upgrade from AC 2.5 to AC 3.1 fails |
|
Cisco ASA VPN XML Parser Denial of Service Vulnerability |
|
HTML/Java File Browser- created file or folder shows 9 months offset |
|
ASA WebVPN clientless cookie authentication bypass |
|
WebVpn: portal is not displayed after re-login |
|
AddThis widget is not shown causing Traceback in Unicorn Proxy Thread |
|
ASA WebVPN : jQuery based Calendar table fails to load; Empty frame |
|
ASA WebVPN: HTTP 302 Location URL rewritten incorrectly |
|
ASA WebVPN: Javascript fails to execute when accessing internal portal |
|
Issue with downloading images from Sharepoint |
|
rewriter returns 302 for a file download |
|
Src url of video track tag not mangled via webvpn |
|
WebVPN: Tsweb fails to work through clientless portal |
|
WebVPN:Rewrite issue with 'eval' expressions inside JS on Peoplesoft app |
|
Mac version smart-tunnel uses SSLv3 which is a vulnerability |
|
Windows 8 with new JRE, IE is not gaining access to smart tunnel |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.