Release Notes for the Cisco ASA Series, 9.5(x)
Available Languages
Contents
- Release Notes for the Cisco ASA Series, 9.5(x)
- Important Notes
- System Requirements
- ASA and ASDM Compatibility
- VPN Compatibility
- New Features
- New Features in ASA 9.5(3.9)/ASDM 7.6(2)
- New Features in ASAv 9.5(2.200)/ASDM 7.5(2.153)
- New Features in ASA 9.5(2.1)/ASDM 7.5(2)
- New Features in ASA 9.5(2)/ASDM 7.5(2)
- New Features in ASA 9.5(1.5)/ASDM 7.5(1.112)
- New Features in ASDM 7.5(1.90)
- New Features in ASAv 9.5(1.200)/ASDM 7.5(1)
- New Features in ASA 9.5(1)/ASDM 7.5(1)
- Upgrade the Software
- Upgrade Path
- Upgrade Link
- Open and Resolved Bugs
- Open Bugs in Version 9.5(x)
- Resolved Bugs
- Resolved Bugs in Version 9.5(3.9)
- Resolved Bugs in Version 9.5(2.200)
- Resolved Bugs in Version 9.5(2.1)
- Resolved Bugs in Version 9.5(2)
- Resolved Bugs in Version 9.5(1.5)
- Resolved Bugs in Version 9.5(1.200)
- Resolved Bugs in Version 9.5(1)
- End-User License Agreement
- Related Documentation
First Published: August 31, 2015
Last Updated: April 17, 2017
Release Notes for the Cisco ASA Series, 9.5(x)
This document contains release information for Cisco ASA software Version 9.5(x).
Important Notes
Potential Traffic Outage (9.5(3) through 9.5(3.6))—Due to bug CSCvd78303, the ASA may stop passing traffic after 213 days of uptime. The effect on each network will be different, but it could range from an issue of limited connectivity to something more extensive like an outage. You must upgrade to a new version without this bug, when available. In the meantime, you can reboot the ASA to gain another 213 days of uptime. Other workarounds may be available. See Field Notice FN-64291 for affected versions and more information.
E-mail proxy commands deprecated—In ASA Version 9.5(2), the e-mail proxy commands (imap4s, pop3s, smtps) and subcommands are no longer supported.
CSD commands deprecated or migrated—In ASA Version 9.5(2), the CSD commands (csd image, show webvpn csd image, show webvpn csd, show webvpn csd hostscan, show webvpn csd hostscan image) are no longer supported.
The following CSD commands will migrate: csd enable migrates to hostscan enable; csd hostscan image migrates to hostscan image.
Select AAA commands deprecated—In ASA Version 9.5(2), these AAA commands and subcommands (override-account-disable, authentication crack) are no longer supported.
The RSA toolkit version used in ASA 9.x is different from what was used in ASA 8.4, which causes differences in PKI behavior between these two versions.
For example, ASAs running 9.x software allow you to import certificates with an Organizational Name Value (OU) field length of 73 characters. ASAs running 8.4 software allow you to import certificates with an OU field name of 60 characters. Because of this difference, certificates that can be imported in ASA 9.x will fail to be imported to ASA 8.4. If you try to import an ASA 9.x certificate to an ASA running version 8.4, you will likely receive the error, "ERROR: Import PKCS12 operation failed.
System Requirements
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
New Features
This section lists new features for each release.
Note
New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in ASA 9.5(3.9)/ASDM 7.6(2)
Released: April 11, 2017
Note
Verion 9.5(3) was removed from Cisco.com due to bug CSCvd78303.
Configurable SSH encryption and HMAC algorithm.
Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc, for example.
We introduced the following commands: ssh cipher encryption, ssh cipher integrity.
We introduced the following screen:
Also available in 9.1(7) and 9.4(3).
New Features in ASAv 9.5(2.200)/ASDM 7.5(2.153)
Released: January 28, 2016
Note
This release supports only the ASAv.
Microsoft Azure support on the ASAv10
Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V Hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces.
Licensing Features
Permanent License Reservation for the ASAv
For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv.
Note Not all accounts are approved for permanent license reservation. Make sure you have approval from Cisco for this feature before you attempt to configure it.
We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return
No ASDM support.
Smart Agent Upgrade to v1.6
The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.
Note If you downgrade from Version 9.5(2.200), the ASAv does not retain the licensing registration state. You need to re-register with the license smart register idtoken id_token force commandConfiguration > Device Management > Licensing > Smart Licensing page with the Force registration option; obtain the ID token from the Smart Software Manager.
We introduced the following commands: show license status, show license summary, show license udi, show license usage
We modified the following commands: show license all, show tech-support license
We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration
We did not change any screens.
New Features in ASA 9.5(2.1)/ASDM 7.5(2)
Released: December 14, 2015
Note
This release supports only the ASA on the Firepower 9300.
Platform Features
VPN support for the ASA on the Firepower 9300
With FXOS 1.1.3, you can now configure VPN features. Flow off-load for the ASA on the Firepower 9300
You can identify flows that should be off-loaded from the ASA and switched directly in the NIC (on the Firepower 9300). This provides improved performance for large data flows in data centers.
Also requires FXOS 1.1.3.
We added or modified the following commands: clear flow-offload, flow-offload enable, set-connection advanced-options flow-offload, show conn detail, show flow-offload.
We added or modified the following screens: , the tab when adding or editing rules under .
Inter-chassis clustering for 6 modules, and inter-site clustering for the ASA on the Firepower 9300
With FXOS 1.1.3, you can now enable inter-chassis, and by extension inter-site clustering. You can include up to 6 modules in up to 6 chassis.
We did not modify any commands.
We did not modify any screens.
Licensing Features
Strong Encryption (3DES) license automatically applied for the ASA on the Firepower 9300
For regular Cisco Smart Software Manager users, the Strong Encryption license is automatically enabled for qualified customers when you apply the registration token on the Firepower 9300.
Note If you are using the Smart Software Manager satellite deployment, to use ASDM and other strong encryption features, after you deploy the ASA you must enable the Strong Encryption (3DES) license using the ASA CLI.
This feature requires FXOS 1.1.3.
We removed the following command for non-satellite configurations: feature strong-encryption
We modified the following screen:
New Features in ASA 9.5(2)/ASDM 7.5(2)
Released: November 30, 2015
New Features in ASA 9.5(1.5)/ASDM 7.5(1.112)
Released: November 11, 2015
The 6.0 software version for the ASA FirePOWER module is supported on all previously supported device models.
Support for managing the ASA FirePOWER module through ASDM for the 5512-X through 5585-X.
You can manage the ASA FirePOWER module using ASDM instead of using Firepower Management Center (formerly FireSIGHT Management Center) when running version 6.0 on the module. You can still use ASDM to manage the module on the 5506-X, 5506H-X, 5506W-X, 5508-X, and 5516-X when running 6.0.
No new screens or commands were added.
New Features in ASDM 7.5(1.90)
Released: October 14, 2015
ASDM supports AnyConnect 4.2 and the Network Visibility Module (NVM). NVM enhances the enterprise administrator’s ability to do capacity and service planning, auditing, compliance, and security analytics. The NVM collects the endpoint telemetry and logs both the flow data and the file reputation in the syslog and also exports the flow records to a collector (a third-party vendor), which performs the file analysis and provides a UI interface.
We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile (a new profile called Network Visibility Service Profile)
New Features in ASAv 9.5(1.200)/ASDM 7.5(1)
Released: August 31, 2015
Note
This release supports only the ASAv.
New Features in ASA 9.5(1)/ASDM 7.5(1)
Released: August 12, 2015
Note
This version does not support the Firepower 9300 ASA security module or the ISA 3000.
GTP inspection can now handle GTPv2. In addition, GTP inspection for all versions now supports IPv6 addresses.
We modified the following commands: clear service-policy inspect gtp statistics, clear service-policy inspect gtp pdpmcb, clear service-policy inspect gtp request, match message id, show service-policy inspect gtp pdpmcb, show service-policy inspect gtp request, show service-policy inspect gtp statistics, timeout endpoint
We deprecated the following command: timeout gsn
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > GTP
IP Options inspection now supports all possible IP options. You can tune the inspection to allow, clear, or drop any standard or experimental options, including those not yet defined. You can also set a default behavior for options not explicitly defined in an IP options inspection map.
We introduced the following commands: basic-security, commercial-security, default, exp-flow-control, exp-measure, extended-security, imi-traffic-description, quick-start, record-route, timestamp
We modified the following screen: Configuration > Firewall > Objects > Inspect Maps > IP Options
For carrier-grade or large-scale PAT, you can allocate a block of ports for each host, rather than have NAT allocate one port translation at a time (see RFC 6888).
We introduced the following commands: xlate block-allocation size, xlate block-allocation maximum-per-host. We added the block-allocation keyword to the nat command.
We introduced the following screen: Configuration > Firewall > Advanced > PAT Port Block Allocation. We added Enable Block Allocation the object NAT and twice NAT dialog boxes.
Inter-site clustering support for Spanned EtherChannel in Routed firewall mode
You can now use inter-site clustering for Spanned EtherChannels in routed mode. To avoid MAC address flapping, configure a site ID for each cluster member so that a site-specific MAC address for each interface can be shared among a site’s units.
We introduced or modified the following commands: site-id, mac-address site-id, show cluster info, show interface
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Configuration
ASA cluster customization of the auto-rejoin behavior when an interface or the cluster control link fails
You can now customize the auto-rejoin behavior when an interface or the cluster control link fails.
We introduced the following command: health-check auto-rejoin
We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Auto Rejoin
The ASA cluster now supports GTPv1 and GTPv2 inspection.
We did not modify any commands.
We did not modify any screens.
Cluster replication delay for TCP connections
This feature helps eliminate the “unnecessary work” related to short-lived flows by delaying the director/backup flow creation.
We introduced the following command: cluster replication delay
We introduced the following screen:
Also available for the Firepower 9300 ASA security module in Version 9.4(1.152).
Disable health monitoring of a hardware module in ASA clustering
By default when using clustering, the ASA monitors the health of an installed hardware module such as the ASA FirePOWER module. If you do not want a hardware module failure to trigger failover, you can disable module monitoring.
We modified the following command: health-check monitor-interface service-module
We modified the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring
Enable use of the Management 1/1 interface as the failover link on the ASA 5506H
On the ASA 5506H only, you can now configure the Management 1/1 interface as the failover link. This feature lets you use all other interfaces on the device as data interfaces. Note that if you use this feature, you cannot use the ASA Firepower module, which requires the Management 1/1 interface to remain as a regular management interface.
We modified the following commands: failover lan interface, failover link
We modified the following screen: Configuration > Device Management > High Availability and Scalability > Failover > Setup
IPv6 addresses are now supported for Policy Based Routing.
We introduced the following commands: set ipv6 next-hop, set default ipv6-next hop, set ipv6 dscp
We modified the following screens:
Configuration > Device Setup > Routing > Route Maps > Add Route Map > Policy Based Routing
Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause
VXLAN support for Policy Based Routing
You can now enable Policy Based Routing on a VNI interface.
We did not modify any commands.
We modified the following screen: Configuration > Device Setup > Interface Settings > Interfaces > Add/Edit Interface > General
Policy Based Routing support for Identity Firewall and Cisco Trustsec
You can configure Identity Firewall and Cisco TrustSec and then use Identity Firewall and Cisco TrustSec ACLs in Policy Based Routing route maps.
We did not modify any commands.
We modified the following screen: Configuration > Device Setup > Routing > Route Maps > Add Route Maps > Match Clause
Separate routing table for management-only interfaces
To segregate and isolate management traffic from data traffic, the ASA now supports a separate routing table for management-only interfaces.
We introduced or modified the following commands: backup, clear ipv6 route management-only, clear route management-only, configure http, configure net, copy, enrollment source, name-server, restore, show asp table route-management-only, show ipv6 route management-only show route management-only
We did not modify any screens.
Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) pass-through support
The ASA now allows PIM-SSM packets to pass through when you enable multicast routing, unless the ASA is the Last-Hop Router. This feature allows greater flexibility in choosing a multicast group while also protecting against different attacks; hosts only receive traffic from explicitly-requested sources.
We did not modify any commands.
We did not modify any screens.
ASA VPN code has been enhanced to support full IPv6 capabilities. No configuration change is necessary for the administrator. Added support and a predefined application template for this new SharePoint version.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks > Add Bookmark List > Select Bookmark Type > Predefined application templates
Added CSCO_WEBVPN_DYNAMIC_URL and CSCO_WEBVPN_MACROLIST to the list of macros when using bookmarks. These macros allow the administrator to configure a single bookmark that can generate multiple bookmark links on the clientless user’s portal and to statically configure bookmarks to take advantage of arbitrarily sized lists provided by LDAP attribute maps.
We modified the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal > Bookmarks
The overall banner length, which is displayed during post-login on the VPN remote client portal, has increased from 500 to 4000.
We modified the following command: banner (group-policy).
We modified the following screen: Configuration > Remote Access VPN > .... Add/Edit Internal Group Policy > General Parameters > Banner
Cisco Easy VPN client on the ASA 5506-X, 5506W-X, 5506H-X, and 5508-X
This release supports Cisco Easy VPN on the ASA 5506-X series and for the ASA 5508-X. The ASA acts as a VPN hardware client when connecting to the VPN headend. Any devices (computers, printers, and so on) behind the ASA on the Easy VPN port can communicate over the VPN; they do not have to run VPN clients individually. Note that only one ASA interface can act as the Easy VPN port; to connect multiple devices to that port, you need to place a Layer 2 switch on the port, and then connect your devices to the switch.
We introduced the following commands: vpnclient enable, vpnclient server, vpnclient mode, vpnclient username, vpnclient ipsec-over-tcp, vpnclient management, vpnclient vpngroup, vpnclient trustpoint, vpnclient nem-st-autoconnect, vpnclient mac-exempt
We introduced the following screen: Configuration > VPN > Easy VPN Remote
Monitoring Features
Show invalid usernames in syslog messages
You can now show invalid usernames in syslog messages for unsuccessful login attempts. The default setting is to hide usernames when the username is invalid or if the validity is unknown. If a user accidentally types a password instead of a username, for example, then it is more secure to hide the “username” in the resultant syslog message. You might want to show invalid usernames to help with troubleshooting login issues.
We introduced the following command: no logging hide username
We modified the following screen: Configuration > Device Management > Logging > Syslog Setup
This feature is also available in 9.2(4) and 9.3(3).
REST API Features
REST API Version 1.2.1
We added support for the REST API Version 1.2.1.
Upgrade the Software
Upgrade Path
See the following table for the upgrade path for your version. Some versions require an interim upgrade before you can upgrade to the latest version.
9.1(3) and later
9.1(3) and later
9.1(3) and later
9.1(3) and later
9.1(3) and later
9.1(3) and later
9.1(3) and later
9.1(3) and later
9.1(3) and later
9.1(3) and later
9.2(2) and later
9.3(2) and later
9.4(x)
—
9.4(2) and later
9.5(x)
—
9.5(2) and later
9.6(x)
—
9.6(2) and later
9.7(x)
—
9.8(1) and later
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.5(x)
If you have a Cisco support contract, use the following dynamic search for all open bugs severity 3 and higher for Version 9.5(x):
The following table lists open bugs at the time of this Release Note publication.
Caveat ID Number
Description
OpenLDAP needs to be upgraded or patched
Traceback: ASA crash in thread name fover_health_monitoring_thread
ASA5508X SSD LED always green even when SSD is removed
Free memory drops to 0 after clientless VPN Test
ASA/DOC: Spaces can be used in LDAP DN
XMLSoft libxml2 Encoding Conversion Denial of Service Vulnerability
XMLSoft libxml2 xmlParserInputGrow Function Denial of Service Vulnerab
XMLSoft libxml2 XML Entity Processing Denial of Service Vulnerability
XMLSoft libxml2 xmlNextChar Function Memory Corruption Vulnerability
XMLSoft libxml2 xmlParseXMLDecl Function Denial of Service Vulnerabili
DOC: ASA IPV6 LAN-to-LAN VPNs is compatible with non-ASA peers
5508 and 5516 Devices may not boot 9.5.1 or later images
libxml2 htmlParseNameComplex() Function Denial of Service Vulnerabilit
XMLSoft libxml2 xmlStringGetNodeList Function Memory Exhaustion Denial
Configuration retrieval from external server fails in multicontext mode
ASA 5506 interface Counters & OIDs showing incorrect value for traffic!
OSPFv3/IPv6 flapping every 30 min between ASA cluster and 4500
ASA traceback in CLI thread while making MPF changes
ASAv Azure: ASAv not responding or passing traffic
ASAv-Azure: waagent may reload when asav deployed with load balancer
Shut down interfaces shows up in ASP routing table
Unable to relay DHCP discover packet from ASA when NAT is matched
SIP packets mangled when using TLS1.2 and ASA is server
Linux Kernel NULL Pointer Dereference Denial of Service Vulnerability
XMLSoft libxml2 XML Content Processing External Entity Expansion Vulne
XMLSoft libxml2 Format String Vulnerability
ASAv: TCP state bypass not matching the traffic required
ASA Crash Checkheap Free Buffer Corrupted
Interfaces get deleted on SFR during Multi-context HA configuration sync
ASAv Azure: ASAv30 Anyconnect peer support.
ASA : Botnet update fails with a lot of Errors
Resolved Bugs
Resolved Bugs in Version 9.5(3.9)
The following table lists select resolved bugs at the time of this Release Note publication.
Caveat ID Number
Description
Packet captures cause CPU spike on Multi-Core platforms due to spin_lock
ARP: Proxy IP traffic is hijacked.
FIPS self test power on fails - fipsPostDrbgKat
ASA traceback on standby when SNMP polling
ASA traceback when retrieving idfw topn user from slave
Stale VPN Context entries cause ASA to stop encrypting traffic
"show resource usage detail counter all 1" causes cpu hog
ASA classifies TCP packets as PAWS failure incorrectly
ASA low DMA memory on low end ASA-X -5512/5515 devices
Transactional ACL commit will bypass security policy during compilation
Share licenses are not activated on failover pair after power cycle
ASA traceback in Thread name DATAPATH when handling multicast packet
ASA traffic not sent properly using 'traffic-forward sfr monitor-only'
ASA 5545x Upgrade to 9.2(2)4 causes Traceback in Thread Name SSL
Cisco ASA XML Denial of Service Vulnerability
ASA: Stuck uauth entry rejects AnyConnect user connections
ASA Traceback on 9.1.5.19
Traceback in Thread Name: ssh when using capture or continuous ping
9.5.1 - Crash in bcm_esw_init thread
ASA traceback on Standby device during config sync in thread DATAPATH
Traceback: ASA crash in thread name fover_health_monitoring_thread
ASA - SSH sessions stuck in CLOSE_WAIT causing ASA to send RST
ASA traceback while restoring backup configuration from ASDM
Cisco ASA Software Version Information Disclosure Vulnerability
ASA - Filtering HTTP via Websense or SFR may cause memory corruption
Watchdog traceback in ldap_client_thread with large number of ldap grps
QEMU coredump: qemu_thread_create: Resource temporarily unavailable
SSH connections are not timed out on ASA (stuck in rtcli)
Standby ASA traceback in Thread Name: EIGRP-IPv4
Traceback in Unicorn Proxy Thread, in http_header_by_name
ASA: Traceback in Thread name DATAPATH-7-1918
ASA 9.4.1 traceback upon clearing and reconfiguring ACL
Thread Name: DATAPATH-17-3095: ASA in Cluster Reloads Unexpectedly
After some time flash operations fail and configuration can not be saved
Evaluate CVE-2015-6360 for libsrtp Denial of Service (DoS)
Traceback in thread name: Unicorn Proxy Thread
RSA 4096 key generation causes failover
ASA: assertion "pp->pd == pd" failed: file "main.c", line 192
CWS: ASA does not append XSS headers
ASA: Traceback in Checkheaps
http-form authentication fails after 9.3.2
ASA traceback when using an ECDSA certificate
Smart Tunnel starts and Java closes without any message
ASA traceback in Unicorn Proxy Thread
show memory indicates inaccurate free memory available
PBR incorrect route selection for deny clause
ASA memory leak related to Botnet
SNMP: Memory Leak Walking CISCO-ENHANCED-MEMPOOL-MIB
OSPF neighbor goes down after "reload in xx" commnad in 9.2 and later
ASA: FAILOVER not working with password encryption.
ASA 9.1.6.10 traceback after remove compact flash and execute dir cmd
Primary and Secondary ASA in HA is traceback in Thread Name:DataPath
ASA 9.4.2 traceback in DATAPATH
GTPv1 traceback in gtpv1_process_msg
ASA ERROR:FIPS Self-Test failure,fips_continuous_rng_test [-1:12:0:2:16]
Traceback in ctm_ssl_generate_key with DHE ciphers SSL VPN scaled test
PBR: Mem leak in cluster mode due to policy based route
Port-Channel Config on Gi 0/0 causes Boot Loop - FIPS related
Cisco signed certificate expired for WebVpn Port Forward Binary on ASA
Evaluation of pix-asa for OpenSSL December 2015 Vulnerabilities
ASA 9.5.1 traceback in Threadname Datapath due to SIP Inspection
DHCP Relay fails for cluster ASAs with long interface names
SSL sessions stop processing -"Unable to create session directory" error
ASA(9.5.2) changing the ACK number sent to client with SFR redirection
"no ipv6-vpn-addr-assign" CLI not working
ASA L7 policy-map comes into affect only if the inspection is re-applied
ASA: Traceback in Thread IP Address Assign
Traffic drop due to constant amount of arp on ASASM
ASA: Traceback on ASA device after adding FQDN objects in NAT rule
ASA traceback while viewing large ACL
Reload in Thread Name: IKE Daemon
"show resource usage" gives wrong number of routes after shut/no sh
ASA TACACS+: process tacplus_snd uses large percentage of CPU
ASA 9.5 - OCSP check using global routing table instead of management
ASA Traceback on Thread Name: Unicorn Admin Handler
Nat pool exhausted observed when enabling asp transactional-commit nat
VLAN mapping doesn't work when connection falls back to TLS
ASA traceback in Thread Name: https_proxy
ASA traceback in DATAPATH thread
ASA Traceback Assert in Thread Name: ssh_init with component ssh
Cisco ASA Linux Kernel Vulnerability - CVE-2016-0728
ASA using a huge dynamic ACL may cause Anyconnect connectivity failures
ASA tracebacks when replicating Xlate to the standby/slave
ASA reloads with traceback in thread name DATAPATH or CP Processing
Traceback in Thread: IPsec message handler
ASA traceback in Thread Name: Unicorn Proxy Thread.
ASA traceback with SIP inspection and SFR enabled in 9.5.2
ASA traceback and reload citing Thread Name: idfw_proc
ASA: MAC address changes on active context when WRITE STANDBY is issued
Re-adding context creates context without configs on some slaves
Smart tunnel does not work since Firefox 32bit version 43
ASA: Assert traceback in version 9.4.2
ASA 5585 traceback when the User name is mentioned in the Access list
ASA Watchdog traceback in CP Processing thread during TLS processing
ASA may traceback with: DATAPATH-9-3101/DATAPATH-7-3145/DATAPATH-3-1685
Traceback when drop is enabled with diameter inspection and tls-proxy
STBY ASA does't pass traffic via ASA-IC-6GE-SFP-B ifc after reload
VPN Load-Balancing does not send load-balancing cert for IPv6 Address
Cisco ASA ACL ICMP Echo Request Code Filtering Vulnerability
Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt
VPN LB stops working when cluster encryption is configured
ASA Crash on cluster member or on standby member of failover pair after replication of conns
ASA Access-list missing and losing elements after configuration change
Can't navigate to OWA 2013 due to ssl errors
Traceback: assertion "0" failed: file "ctm_daemon.c"
OCSP validation fails when multiple certs in chain are verified
BGP:Deployment failed with reason supported on management-only interface
ASA reloads in thread name: DATAPATH while encrypting L2L packet
BVI : Interface IPv6 address deleted from standby context on HA - A/A
ASA : Configuration not replicated on mate if standby IP is missing
Traceback at gtpv1_process_pdp_create_req
Crash in proxyi_rx_q_timeout_timer
Buffer overflow in RAMFS dirent structure causing traceback
Evaluation of pix-asa for OpenSSL March 2016
Unicorn Proxy Thread causing CP contention
ASAv sub-interface failing to send traffic with customised mac-address
ASA 9.1(6) traceback processing outbound DTLS Packet
Cisco ASA Software DHCP Relay Denial of Service vulnerability
Traceback in thread name idfw when modifying object-group having FQDN
Assert Traceback in Thread Name: DATAPATH on clustered packet reassembly
orignial master not defending all GARP packets after cluster split brain
OSPF routes not populating over L2L tunnel
ASA crashes when global access-list config is cleared
ASA traceback when receive Radius attribute with improper variable type
ASA - Traceback in CP Processing Thread During Private Key Decryption
ASA may stop responding to OSPF Hello packets
Improve efficiency of malloc_avail_freemem()
ASA clientless rewriter failure at 'CSCOPut_hash' function
ASA 9.1.6.4 traceback with Thread Name: telnet/ci
Memory leak in 112 byte bin when packet hits PBR and WCCP rules
ASA traceback in SSH thread
ASA does not respond to NS in Active/Active HA
infinite loop in JS rewriter state machine when return followed by var
ASA Traceback and reload by strncpy_sx.c
Kenton 9.5.1'boot system/boot config' commands not retained after reload
5585-10 traceback in Thread Name: idfw_proc
Incorrect modification of NAT divert table.
9.6.2 EST - assertion "0" failed: file "snp_vxlan.c"
CSCOPut_hash can initiate unexepected requests
ASA traceback in threadname ssh
CPU usage is high after timer dequeue failed in GTP
Context config may get rejected if all the units in Cluster reloaded
Network command disappears from BGP after reload with name
Traceback in IKEv2 Daemon with 20+ second CPU hog.
Traceback on editing a network object on exceeding the max snmp hosts
ASA Tback when large ACL applied to interface with object-group-search
ASA: Page Fault traceback in DATAPATH on standby ASA after booting up
WebVPN rewrite fails for MSCA Cert enrollment page / VBScript
ASA memory leak due to vpnfo
Interfaces get deleted on SFR during HA configuration sync
ASA Stateful failover for DRP works intermittently
Traceback data path self deadlock panic while attempt to get spin lock
Commands not installed on Standby due to parser switch
Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability
Evaluation of pix-asa for OpenSSL May 2016
ASA: Traceback on ASA in Datapath as we enable SFR traffic redirection
ASA Address not mapped traceback - configuring snmp-server host
Interface health-check failover causes OSPF not to advertise ASA as ABR
Observing Memory corruption, assert for debug ospf
GTP traceback at gtp_update_sig_conn_timestamp while processing data
ASA Cut-through Proxy inactivity timeout not working
ASA Cluster fragments reassembled before transmission with no inspection
ASA may Traceback with Thread Name: cluster rx thread
ASA may Traceback with Thread Name: Unicorn Admin Handler
ASA crashed due to Election severe problem no master is promoted
ASA: SSH being denied on the ASA device as the maximum limit is reached
traceback during tls-proxy handshake
IPv6 neighbor discovery packet processing behavior
2048/1550/9344 Byte block leak cause traffic disruption & module failure
ASA with PAT fails to untranslate SIP Via field that doesnt contain port
ASA crashes while clearing global access-list
IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck
DNS Doctoring DNS64 is not working
ASA traceback with Thread Name: Dispatch Unit
Traceback in CP Processing thread after upgrade
ASA 9.4.2.6 High CPU due to CTM message handler due to chip resets
Remove ACL warning messages in show access-list when FQDN is resolved
Unexpected end of file logon.html in WebVPN
ASA not rate limiting with DSCP bit set from the Server
show service-policy output reporting incorrect values
ASA : Mem leak in cluster mode due to PBR lookup
ASA ASSERT traceback in DATAPATH due to sctp inspection
On reloading the ASA, ASA mounts SSD as disk 0, instead of the flash.
IPv6 OSPF routes do not update when a lower metric route is advertised
ASA SM on 9300 reloads multi-context over SSH when config-url is entered
ASA : PBR Mem leak as packet dropped
ASA treaceback at Thread Name: rtcli async executor process
ASA DATAPATH traceback (Cluster)
BGP Socket not open in ASA after reload
Cisco ASA Input Validation File Injection Vulnerability
ASA traceback in CLI thread while making MPF changes
Interfaces get deleted on SFR during cluster rejoining
Crypto accelerator ring timeout causes packet drops
Traceback in Thread Name: ssh when issuing show tls-proxy session detail
memory leak in ssh
uauth is failed after failover
ASA drops ICMP request packets when ICMP inspection is disabled
OSPF generates Type-5 LSA with incorrect mask, which gets stuck in LSDB
ASA stuck in boot loop due to FIPS Self-Test failure
ASA negotiates TLS1.2 when server in tls-proxy
ASA : Enabling IKEv1/IKEv2 opens RADIUS ports
ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon
IPV6 address not assigned when connecting via IPSEC protocol
ASA: CHILD_SA collision brings down IKEv2 SA
ASA memory leak for CTS SGT mappings
GTP traceback at gtpv1_process_msg for echo response
OTP authentication is not working for clientless ssl vpn
AnyConnect Sessions Cannot Connect Due to Stuck L2TP Uauth Sessions
ASA Traceback when issue 'show asp table classify domain permit'
ASA Traceback in CTM Message Handler
Cisco ASA SNMP Remote Code Execution Vulnerability
ASA Cluster DHCP Relay doesn't forward the server replies to the client
Enqueue failures on DP-CP queue may stall inspected TCP connection
Traceback in IKE_DBG
H.323 inspection causes Traceback in Thread Name: CP Processing
traceback in network udpmod_get after anyconnect test load application
ASA : Botnet update fails with a lot of Errors
wr mem/ wr standby is not syncing configs on standby
ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer
ASA as DHCP relay drops DHCP 150 Inform message
Buffer Overflow in ASA Leads to Remote Code Execution
ASA Traceback in thread name CP Processing due to DCERPC inspection
ASA 9.1.7-9 crash in Thread Name: NIC status poll
ASA 1550 block depletion with multi-context transparent firewall
AAA authentication/authorization fails if only accessible via mgmt vrf
Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416
ASA may generate DATAPATH Traceback with policy-based routing enabled
Traceback : ASA with Threadname: DATAPATH-0-1790
WebVPN:VNC plugin:Java:Connection reset by peer: socket write error
Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback
Lower NFS throughput rate on Cisco ASA platform
ASA traceback with Thread Name aaa_shim_thread
Evaluation of pix-asa for Openssl September 2016
Traceback triggered by CoA on ASA when sending/receiving to/from ISE
ASA Traceback Thread Name: emweb/https
AAA session handle leak with IKEv2 when denied due to time range
ASA-SM traceback with Thread : fover_parse during upgrade OS 9.1.6 to 9.4.3
ASA fairly infrequently rewrites the dest MAC address of multicast packet for client
ASA traceback at Thread Name: IKE Daemon.
ASA dropping traffic with TCP syslog configured in multicontext mode
ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded'
Resolved Bugs in Version 9.5(2)
If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for Version 9.5(2):
The following table lists resolved bugs at the time of this Release Note publication.
Identifier
Description
ASA traceback in Thread Name: CP Crypto Result Processing.
ASA: Traceback with Thread Name - AAA
Auth-prompt configured in one context appears in another context
ASA: LDAP over SSL Authentication failure
Unable to authenticate with remove aaa-server from different context
ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+)
AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue
Cisco ASA XAUTH Bypass Vulnerability
ASA traceback in aaa_shim_thread / command author done for dACL install
ASA - access list address argument changed from host 0.0.0.0 to host ::
ASA traceback: SSH Thread: many users logged in and dACLs being modified
Memory leak @regcomp_unicorn with APCF configured
ASA - Traceback in Thread Name: fover_parse
ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test
ASA traceback in Thread Name: fover_parse (ak47/ramfs)
ASA Traceback in vpnfol_thread_msg
Unicorn proxy thread traceback with RAMFS processing
ASA - Traceback in thread name SSH while applying BGP show commands
ASA Dataplane captures dont capture packets when using match/access-list
9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain
ASA 9.2.1 - DATAPATH Traceback in L2 cluster environment
ASA Cluster member traceback in DATAPATH
ASA cluster-Incorrect "current conns" counter in service-policy
ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel
ASA: ICMP error loop on cluster CCL with Interface PAT
Clustering: Traceback in DATAPATH with transparent FW
ASA is not correctly handling errors on AES-GCM ICV
ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit
ASA failover due to issue show local-host command make CPU-hog
ASA traceback in DATAPATH Thread due to Double Block Free
Interface TLV to SFR is corrupt when frame is longer than 2048 bytes
Request allow packets to pass when snort is down for ASA configurations
Traceback in Thread Name: DATAPATH on modifying "set connection" in MPF
DHCP Server Process stuck if dhcpd auto_config already enabled from CLI
DHCP-DHCP Proxy thread traceback shortly after failover and reload
EIGRP configuration not being correctly replicated between failover ASAs
ASA - URL filter - traceback on thread name uauth_urlb clean
ASA traceback in Thread Name: CP Processing
Traceback on standby ASA during hitless upgrade
ASA: traceback in IDFW AD agent
Active ftp-data is blocked by Firepower on Chivas Beta on 5512
ASA Traceback in cp_syslog
ASA: Silently Drops packets with SFR Module installed.
Traceback in Thread CP Processing
ASA change non-default port to 443 for https traffic redirected to CWS
ASA redirection to Scansafe tower fails with log id "775002" in syslog
Immediate FIN from client after GET breaks scansafe connection
ASA/ASASM drops SIP invite packets with From field containing "" and \
Traceback in thread CP Processing
2048-byte block leak if DNS server replies with "No such name"
ASA: Traceback while copying file using SCP on ASA
DNS Traceback in channel_put()
Active ASA in failover setup reboots on its own
ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout
ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limit
Cisco ASA VPN Memory Block Exhaustion Vulnerability
Traceback in Thread Name: DATAPATH-1-1382 while processing nat-t packet
Cert Auth fails with 'max simultaneous-login restriction' error
ikev2 with DH 19 and above fails to pass traffic after phase2 rekey
ASA Traceback in PPP
Improper S2S IPSec Datapath Selection for Remote Overlapping Networks
Split-tunnel not working for EzVPN client on Kenton device (9.5.1)
ASA: Anyconnect IPv6 Traceroute does not work as expected
ASA dropping traffic with TCP syslog configured in multicontext mode
ASATraceback in ssh whilst adding new line to extended ACL
ASA not generating PIM register packet for directly connected sources
ASA traceback when removing dynamic PAT statement from cluster
Observed Traceback in SNMP while querying GET BULK for 'xlate count'
asa Traceback with Thread Name idfw_proc
eglibc 2.18 is missing upstream fix #15073
OSPF over IKEv2 L2L tunnel is broken on ASA with 9.2.1 onwards
ASA may tracebeck when displaying packet capture with trace option
ASA LDAP CRL query baseObject DN string is malformed
ASA picks incorrect trustpoint to verify OCSP Response
CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached
Anyconnect SSL VPN certificate authentication fails o ASA
ASA CA certificate import fails with different types of Name Constraints
ASA cert validation fails when suitable TP is above the resident CA cert
ASA Name Constraints dirName improperly verified
ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8)
RA validation failed when CA/subCA contains name constraints
5585 interface counters show 0 for working interfaces and console errors
ASA CX - Data Plane marked as DOWN untill ASA reload.
ASA5505 permanent base license, temp secplus, failover, vlan count issue
ASA5585 9.5(1): Support Failover Lan on Management0/0 port
Kenton 5516: Interface dropping ARPs after flapping under traffic load
ASA 8.4 Memory leak due to duplicate entries in ASP table
ASA: Traceback in Thread Name Checkheaps due to webvpn
'redistribute' cmds under 'router eigrp' removed on deleting any context
ASA does not set forward address or p-bit in OSPF redistrubution in NSSA
ASA OSPF database not reflect changes
CRL download functionality seems to be broken on ASA
Dynamic Route Not Installed After Failover
EIGRP authentication not working with simple pasword
RRI static routing changes not updated in routing table
Standby ASA does not apply OSPF route after config replication
Standby ASA inside IP not reachable after Anyconnect disconnect
Standby traceback during config replication with customization export
ASAv licesing enforcement should not be CLI parser based
Unable to load ASDM to a Context in Multiple Context Mode
CPU hog due to snmp polling of ASA memory pool information
snmpwalk causes slow memory leak on ASA
ASA Traceback in Thread Name ssh/client
ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO:
ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig
Cut Through proxy not working correctly with TLS1.2
SSL : Unable to Join nodes in Cluster
Disable ECDSA SSL Ciphers When Manually Configuring RSA Cert for SSL
ASAv traceback in DATAPATH when used for WebVPN
ASA SSLVPN RDP Plugin session freezes under heavy load with activex
ASA TCP Normalizer sends PUSH ACK for invalid ACK for half-open CONNS
conn-max counter is not decreased accordingly
Per-session PAT RST sent to incorrect direction after closing session
ASA traceback because of TD tcp-intercept feature
ASA: Traceback in Thread Unicorn Admin Handler due to Threat Detection
Cluster destabilizes when contexts are removed
ASA: Watchdog Traceback with Thread Name:- SXP CORE
SXP Version Mismatch Between ASA & N7K with clustering
ASAv Cannot remove/change default global_policy or inspection_default
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal
Trace back with Thread Name: IP Address Assign
ASA allows citrix ICA connection without authentication
WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7
ASA WebVPN clientless cookie authentication bypass
AddThis widget is not shown causing Traceback in Unicorn Proxy Thread
ASA WebVPN: Javascript fails to execute when accessing internal portal
Clientless webvpn on ASA does not display asmx files
HTTP chunked data causing watchdog
Need to prevent traceback in js_parser_print_rest
PCP 10.6 Clientless VPN Access is Denied when accessing Pages
Traceback in WebVPN rewriter
Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5
WebVPN Rewriter: "parse" method returns curly brace instead of semicolon
Webvpn: JS parser may crash if the underlying connection is closed
Resolved Bugs in Version 9.5(1.5)
If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for Version 9.5(1.5):
The following table lists resolved bugs at the time of this Release Note publication.
Identifier
Description
WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7
ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limit
ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal
ASA: Anyconnect IPv6 Traceroute does not work as expected
Auth-prompt configured in one context appears in another context
Traceback in Thread CP Processing
ASA failover due to issue show local-host command make CPU-hog
ASA - URL filter - traceback on thread name uauth_urlb clean
ASAv traceback in DATAPATH when used for WebVPN
Clientless webvpn on ASA does not display asmx files
Need to prevent traceback in js_parser_print_rest
ASA: CLI commands not showing help(?) options for local authorization
ASA LDAP CRL query baseObject DN string is malformed
Unable to authenticate with remove aaa-server from different context
ASA SSLVPN RDP Plugin session freezes under heavy load with activex
ASA: LDAP over SSL Authentication failure
ASA: Not able to remove ACE with "log default" keyword
ASA cluster-Incorrect "current conns" counter in service-policy
Dynamic Route Not Installed After Failover
ASA: Watchdog Traceback with Thread Name:- SXP CORE
ASA may tracebeck when displaying packet capture with trace option
ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8)
HTTP chunked data causing watchdog
Cisco ASA VPN Memory Block Exhaustion Vulnerability
Standby traceback during config replication with customization export
Webvpn: JS parser may crash if the underlying connection is closed
ASA traceback in Thread Name: fover_parse (ak47/ramfs)
Unicorn proxy thread traceback with RAMFS processing
RA validation failed when CA/subCA contains name constraints
Request allow packets to pass when snort is down for ASA configurations
ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+)
ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test
traffic-forward interface command is not working on 5585
Resolved Bugs in Version 9.5(1)
If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for Version 9.5(1):
The following table lists resolved bugs at the time of this Release Note publication.
Identifier
Description
AAA Authorization HTTP sends username in password field of authorization
ASA 9.3.2:DAP intermittently uses dflt policy for VPN RA sessions
Standalone AnyConnect fails to connect due to empty DAP user message
Add cli to control masked username in syslog
ASA : Password creation date is decrementing by one with every reboot
ASA: Traceback with Thread Name - AAA
[ASA] CTP not working if proxyACL port_argument is gt
ASA tunnel-group"password-expire-in-days"not prompting a password change
AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue
ASA traceback in aaa_shim_thread / command author done for dACL install
ASA - access list address argument changed from host 0.0.0.0 to host ::
ASA 9.0.3 not logging permitted UDP traffic
ASA : ACL logging is not getting disabled with keyword "log disable"
[ASA] access-list ACL_name standard permit host 0.0.0.0 deleted
Memory leak @regcomp_unicorn with APCF configured
Codenomicon HTTP-server suite may cause crash
ASA - Traceback in thread name SSH while applying BGP show commands
bgp ipv6 neighborship fails with ASA after hard reset on router
ASA Dataplane captures dont capture packets when using match/access-list
Drop reasons missing from asp-drop capture
ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel
Clustering: Traceback in DATAPATH with transparent FW
RPC error in request config after replicated a large configuration
show cluster mem indicates incorrect values
Traceback in snp_cluster_get_buffer
ASA is not correctly handling errors on AES-GCM ICV
Doubling counting flow bytes for decrypted packets
Cisco ASA DHCPv6 Relay Denial of Service Vulnerability
Corrupted host name may occur with DHCP
DHCP-DHCP Proxy thread traceback shortly after failover and reload
EIGRP configuration not being correctly replicated between failover ASAs
ASA traceback in Thread Name: CP Processing
ASA: failover logging messages appear in user context
Failover assembly remained in active-active state permanantly
Traceback on standby ASA during hitless upgrade
ASA: XFRAME support for .JS and .JNLP URL's
ASA: traceback in IDFW AD agent
ASA Remote Access - Phase 1 terminated after xauth
ASA SMTP inspection should not disable TLS by default
Handling esmtp default parameters for TLS
Active ftp-data is blocked by Firepower on Chivas Beta on 5512
ASA traceback: thread name "scansafe_poll"
ASA/ASASM drops SIP invite packets with From field containing "" and \
Traceback in thread CP Processing
USB device hot plug not supported in running ASA
2048-byte block leak if DNS server replies with "No such name"
Cisco ASA DNS Denial of Service Vulnerability
DNS should perform IPv4 lookups if IPv6 address is not reachable
EEM action not executed on absolute time when NTP is configured
ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout
LU allocate connection failed on the Standby ASA unit
Cert Auth fails with 'max simultaneous-login restriction' error
ikev2 enable added to config when zones are used despite ERROR msg
Ikev2 Session with bogus assigned IP address stays on ASA
IKEv2: IPSec SA's are created by dynamic crypto map for static peers
ASA Traceback in PPP
L2TP/IPSec Optimal MSS is not what it's supposed to be
L2TP/IPsec traffic dropped due to "vpn-overlap-conflict"
Radius Acct-Terminate-Cause for L2TP over IPSec is incorrect.
Duplicate IPv6 address is configurable in 1 ASA or context
IPv6 local host route fail when setting link-local/Global simultaneously
ASA dropping traffic with TCP syslog configured in multicontext mode
Timeout:FloatingConnection valid(0:0:30-1193:0)remove http &telnet confg
ASA inspection-MPF ACL changes not inserted into ASP table properly
ASATraceback in ssh whilst adding new line to extended ACL
ASA not generating PIM register packet for directly connected sources
Cisco ASA PIM Multicast Registration Vulnerability
ASA generate pool exhausted for sip inspect with embedded IP but no port
Migration of max_conn/em_limit to MPF is completely wrong in 8.3
Misleading error msg for pat-pool with mapped object
Observed Traceback in SNMP while querying GET BULK for 'xlate count'
PBA: Generate syslogs for port block allocation related failures
Two Dynamic PAT with and without block-allocation
eglibc 2.18 is missing upstream fix #15073
ASA crashes for the OSPFv2 packets from codenomicon
ASA:OSPF over L2L tunnels is not working with multiple cry map entries
Cisco ASA OSPFv2 Denial of Service Vulnerability
Ampersand (&) not encoded in packet tracer phase 'extra' field
"no nameif" is removing the policy-route configuration
PBR: DF & DSCP bits are not getting set without valid set next-hop
Policy based routing is not working with twice NAT
ASA - Traceback in thread name: CERT API
Cryptomaps lose trustpoint when syncing configuration from cluster unit
ASA tunnel-group-map cannot contain spaces
CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached
Anyconnect SSL VPN certificate authentication fails o ASA
ASA CA certificate import fails with different types of Name Constraints
ASA Name Constraints dirName improperly verified
Incorrect cert chain sent to connecting IPSec clients
PKI: potential pki session handle leak in IKEv2 L2L configurations
5506-X: 'no buffer' interface counter reports incorrect errors
Kenton 5516: Interface dropping ARPs after flapping under traffic load
kenton: For ASA5516, ASAOS should support SSLVPN of 300 instead of 250
Kernel command line is displayed while booting 9.5.1 Image
Traceback and reload triggered by failover configuration
PPPoE session state timer does not initialize properly
ASA 8.4 Memory leak due to duplicate entries in ASP table
ASA :Top 10 Users status is not getting enabled from ASDM.
ASA QoS Priority Queue tx-ring-limit 512 causes high impact to LLQ
Secondary ASA stuck in config sync while upgrading to 8.4.x
Multiple problems with output of show processes memory
'redistribute' cmds under 'router eigrp' removed on deleting any context
ASA Cluster: Default OSPF route gone on Master unit
ASA does not set forward address or p-bit in OSPF redistrubution in NSSA
ASA silently dropping OSPF LS Update messages from neighbors
ASA-3-317012 and "No route to host" errors even though the route exists
ASA: ECMP stopped working after upgrade to 9.3.2
Misleading route-map warning message
RRI static routing changes not updated in routing table
Standby ASA does not apply OSPF route after config replication
xszASA 9.2.1 Eigrp Authentication does not work with 16 character key
Remove demo and eval warning for sfr monitor-only
ASAv cannot send SL messages after toggeling of "service call-home" cmd
ASAv crashes when CiscoTAC-1 profile pointed to Transport Gateway w/ dbg
snmpwalk causes slow memory leak on ASA
"ssh scopy enable" deleted from configuration
ASA not checking the MAC of the TLS records
Cisco ASA Poodle TLS Variant
Cut Through proxy not working correctly with TLS1.2
SSL connection failing to WebVPN portal
SSL : Unable to Join nodes in Cluster
Evaluation of OpenSSL June 2015
MARCH 2015 OpenSSL Vulnerabilities
ASAv traceback in DATAPATH when used for WebVPN
JANUARY 2015 OpenSSL Vulnerabilities
To-the-box UDP traffic not getting inspected and getting dropped on ASA
ASA teardown connection after receiving same direction fins
conn-max counter is not decreased accordingly
NFS connections not timing out after failover
Per-session PAT RST sent to incorrect direction after closing session
ASA traceback because of TD tcp-intercept feature
Exception on asdm_handler stream line: </threat-detection>
ASAv requires a reboot for the license to take effect.
ASAv: RSA key pair needs to be automatically generated with 2048 bits
Cannot bootup ASAv-KVM when deployed via RHEL (7.1) / OpenStack (Juno)
ASA Traceback in SSL library due to DMA memory exhaustion
ASA traceback in Thread Name: fover_parse
AnyConnect upgrade from AC 2.5 to AC 3.1 fails
Cisco ASA VPN XML Parser Denial of Service Vulnerability
HTML/Java File Browser- created file or folder shows 9 months offset
ASA WebVPN clientless cookie authentication bypass
WebVpn: portal is not displayed after re-login
AddThis widget is not shown causing Traceback in Unicorn Proxy Thread
ASA WebVPN : jQuery based Calendar table fails to load; Empty frame
ASA WebVPN: HTTP 302 Location URL rewritten incorrectly
ASA WebVPN: Javascript fails to execute when accessing internal portal
Issue with downloading images from Sharepoint
rewriter returns 302 for a file download
Src url of video track tag not mangled via webvpn
WebVPN: Tsweb fails to work through clientless portal
WebVPN:Rewrite issue with 'eval' expressions inside JS on Peoplesoft app
Mac version smart-tunnel uses SSLv3 which is a vulnerability
Windows 8 with new JRE, IE is not gaining access to smart tunnel
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.
Copyright © 2017, Cisco Systems, Inc. All rights reserved.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)