Release Notes for the Cisco ASA Series, 9.6(x)
This document contains release information for Cisco ASA software Version 9.6(x).
Important Notes
-
Potential Traffic Outage (9.6(2.1) through 9.6(3))—Due to bug CSCvd78303, the ASA may stop passing traffic after 213 days of uptime. The effect on each network will be different, but it could range from an issue of limited connectivity to something more extensive like an outage. You must upgrade to a new version without this bug, when available. In the meantime, you can reboot the ASA to gain another 213 days of uptime. Other workarounds may be available. See Field Notice FN-64291 for affected versions and more information.
-
The ASAv 9.5.2(200) features, including Microsoft Azure support, are not available in 9.6(1). They are available in 9.6(2).
-
ASDM 7.6(2) supports AnyConnect Client profiles in multiple context mode. This feature requires AnyConnect Version 4.2.00748 or 4.3.03013 and later.
-
(ASA 9.6.2) Upgrade impact when using multiple-mode configuration—When upgrading from 9.5.2 to 9.6.1 and then subsequently to 9.6.2, any existing RAVPN for multiple-mode configuration will stop working. Post upgrade to the 9.6.2 image, a reconfiguration to give each context a storage space and to get new AnyConnect images in all of the contexts is required.
-
(ASA 9.6(2)) Upgrade impact when using SSH public key authentication—Due to updates to SSH authentication, additional configuration is required to enable SSH public key authentication; as a result, existing SSH configurations using public key authentication no longer work after upgrading. Public key authentication is the default for the ASAv on Amazon Web Services (AWS), so AWS users will see this issue. To avoid loss of SSH connectivity, you can update your configuration before you upgrade. Or you can use ASDM after you upgrade (if you enabled ASDM access) to fix the configuration.
Sample original configuration for a username "admin":
username admin nopassword privilege 15 username admin attributes ssh authentication publickey 55:06:47:eb:13:75:fc:5c:a8:c1:2c:bb: 07:80:3a:fc:d9:08:a9:1f:34:76:31:ed:ab:bd:3a:9e:03:14:1e:1b hashedTo use the ssh authentication command, before you upgrade, enter the following commands:
aaa authentication ssh console LOCAL username admin password <password> privilege 15We recommend setting a password for the username as opposed to keeping the nopassword keyword, if present. The nopassword keyword means that any password can be entered, not that no password can be entered. Prior to 9.6(2), the aaa command was not required for SSH public key authentication, so the nopassword keyword was not triggered. Now that the aaa command is required, it automatically also allows regular password authentication for a username if the password (or nopassword ) keyword is present.
After you upgrade, the username command no longer requires the password or nopassword keyword; you can require that a user cannot enter a password. Therefore, to force public key authentication only, re-enter the username command:
username admin privilege 15 -
Upgrade impact when upgrading the ASA on the Firepower 9300— Due to license entitlement naming changes on the back-end, when you upgrade to ASA 9.6(1)/FXOS 1.1.4, the startup configuration may not parse correctly upon the initial reload; configuration that corresponds to add-on entitlements is rejected.
For a standalone ASA, after the unit reloads with the new version, wait until all the entitlements are processed and are in an "Authorized" state (show license all), and simply reload again (reload) without saving the configuration. After the reload, the startup configuration will be parsed correctly.
For a failover pair if you have any add-on entitlements, follow the upgrade procedure in the FXOS release notes, but reset failover after you reload each unit (failover reset ).
For a cluster, follow the upgrade procedure in the FXOS release notes; no additional action is required.
-
ASA 5508-X and 5516-X upgrade issue when upgrading to 9.5(x) or later—Before you upgrade to ASA Version 9.5(x) or later, if you never enabled jumbo frame reservation then you must check the maximum memory footprint. Due to a manufacturing defect, an incorrect software memory limit might have been applied. If you upgrade to 9.5(x) or later before performing the below fix, then your device will crash on bootup; in this case, you must downgrade to 9.4 using ROMMON (Load an Image for the ASA 5500-X Series Using ROMMON), perform the below procedure, and then upgrade again.
-
Enter the following command to check for the failure condition:
ciscoasa# show memory detail | include Max memory footprint Max memory footprint = 456384512 Max memory footprint = 0 Max memory footprint = 456384512If a value less than 456,384,512 is returned for “Max memory footprint,” then the failure condition is present, and you must complete the remaining steps before you upgrade. If the memory shown is 456,384,512 or greater, then you can skip the rest of this procedure and upgrade as normal.
-
Enter global configuration mode:
ciscoasa# configure terminal ciscoasa(config)# -
Temporarily enable jumbo frame reservation:
ciscoasa(config)# jumbo-frame reservation WARNING: This command will take effect after the running-config is saved and the system has been rebooted. Command accepted. INFO: Interface MTU should be increased to avoid fragmenting jumbo frames during transmit
Note
Do not reload the ASA.
-
Save the configuration:
ciscoasa(config)# write memory Building configuration... Cryptochecksum: b511ec95 6c90cadb aaf6b306 41579572 14437 bytes copied in 1.320 secs (14437 bytes/sec) [OK] -
Disable jumbo frame reservation:
ciscoasa(config)# no jumbo-frame reservation WARNING: This command will take effect after the running-config is saved and the system has been rebooted. Command accepted.
Note
Do not reload the ASA.
-
Save the configuration again:
ciscoasa(config)# write memory Building configuration... Cryptochecksum: b511ec95 6c90cadb aaf6b306 41579572 14437 bytes copied in 1.320 secs (14437 bytes/sec) [OK] -
You can now upgrade to Version 9.5(x) or later.
-
-
The RSA toolkit version used in ASA 9.x is different from what was used in ASA 8.4, which causes differences in PKI behavior between these two versions.
For example, ASAs running 9.x software allow you to import certificates with an Organizational Name Value (OU) field length of 73 characters. ASAs running 8.4 software allow you to import certificates with an OU field name of 60 characters. Because of this difference, certificates that can be imported in ASA 9.x will fail to be imported to ASA 8.4. If you try to import an ASA 9.x certificate to an ASA running version 8.4, you will likely receive the error, "ERROR: Import PKCS12 operation failed.
System Requirements
This section lists the system requirements to run this release.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note |
New, changed, and deprecated syslog messages are listed in the syslog message guide. |
New Features in ASA 9.6(4)
Released: December 13, 2017
There are no new features in this release.
New Features in ASA 9.6(3.1)
Released: April 3, 2017
Note |
|
Feature |
Description |
|---|---|
|
AAA Features |
|
|
Separate authentication for users with SSH public key authentication and users with passwords |
In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication ) without also explicitly enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL ). In 9.6(2), the ASA required you to explicitly enable AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH authentication; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies for for usernames with passwords, and you can use any AAA server type (aaa authentication ssh console radius_1 , for example). For example, some users can use public key authentication using the local database, and other users can use passwords with RADIUS. We did not modify any commands. |
New Features in ASA 9.6(2)
Released: August 24, 2016
|
Feature |
Description |
||
|---|---|---|---|
|
Platform Features |
|||
|
ASA for the Firepower 4150 |
We introduced the ASA for the Firepower 4150. Requires FXOS 2.0.1. We did not add or modify any commands. |
||
|
Hot Plug Interfaces on the ASAv |
You can add and remove Virtio virtual interfaces on the ASAv while the system is active. When you add a new interface to the ASAv, the virtual machine detects and provisions the interface. When you remove an existing interface, the virtual machine releases any resource associated with the interface. Hot plug interfaces are limited to Virtio virtual interfaces on the Kernel-based Virtual Machine (KVM) hypervisor. |
||
|
Microsoft Azure support on the ASAv10 |
Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. The ASAv runs as a guest in the Microsoft Azure environment of the Hyper V Hypervisor. The ASAv on Microsoft Azure supports one instance type, the Standard D3, which supports four vCPUs, 14 GB, and four interfaces. Also in 9.5(2.200). |
||
|
Through traffic support on the Management 0/0 interface for the ASAv |
You can now allow through traffic on the Management 0/0 interface on the ASAv. Previously, only the ASAv on Microsoft Azure supported through traffic; now all ASAvs support through traffic. You can optionally configure this interface to be management-only, but it is not configured by default. We modified the following command: management-only |
||
|
Common Criteria Certification |
The ASA was updated to comply with the Common Criteria requirements. See the rows in this table for the following features that were added for this certification:
|
||
|
Firewall Features |
|||
|
DNS over TCP inspection |
You can now inspect DNS over TCP traffic (TCP/53). We added the following command: tcp-inspection |
||
|
MTP3 User Adaptation (M3UA) inspection |
You can now inspect M3UA traffic and also apply actions based on point code, service indicator, and message class and type. We added or modified the following commands: clear service-policy inspect m3ua {drops | endpoint [IP_address]} , inspect m3ua , match dpc , match opc , match service-indicator , policy-map type inspect m3ua , show asp table classify domain inspect-m3ua , show conn detail , show service-policy inspect m3ua {drops | endpoint IP_address} , ss7 variant , timeout endpoint |
||
|
Session Traversal Utilities for NAT (STUN) inspection |
You can now inspect STUN traffic for WebRTC applications including Cisco Spark. Inspection opens pinholes required for return traffic. We added or modified the following commands: inspect stun , show conn detail , show service-policy inspect stun |
||
|
Application layer health checking for Cisco Cloud Web Security |
You can now configure Cisco Cloud Web Security to check the health of the Cloud Web Security application when determining if the server is healthy. By checking application health, the system can fail over to the backup server when the primary server responds to the TCP three-way handshake but cannot process requests. This ensures a more reliable system. We added the following commands: health-check application url , health-check application timeout |
||
|
Connection holddown timeout for route convergence. |
You can now configure how long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the connection is freed. You can reduce the holddown timer to make route convergence happen more quickly. However, the 15 second default is appropriate for most networks to prevent route flapping. We added the following command: timeout conn-holddown Also in 9.4(3). |
||
|
Changes in TCP option handling |
You can now specify actions for the TCP MSS and MD5 options in a packet’s TCP header when configuring a TCP map. In addition, the default handling of the MSS, timestamp, window-size, and selective-ack options has changed. Previously, these options were allowed, even if there were more than one option of a given type in the header. Now, packets are dropped by default if they contain more than one option of a given type. For example, previously a packet with 2 timestamp options would be allowed, now it will be dropped. You can configure a TCP map to allow multiple options of the same type for MD5, MSS, selective-ack, timestamp, and window-size. For the MD5 option, the previous default was to clear the option, whereas the default now is to allow it. You can also drop packets that contain the MD5 option. For the MSS option, you can set the maximum segment size in the TCP map (per traffic class). The default for all other TCP options remains the same: they are cleared. We modified the following command: tcp-options |
||
|
Transparent mode maximum interfaces per bridge group increased to 64 |
The maximum interfaces per bridge group was increased from 4 to 64. We did not modify any commands. |
||
|
Flow offload support for multicast connections in transparent mode. |
You can now offload multicast connections to be switched directly in the NIC on transparent mode Firepower 4100 and 9300 series devices. Multicast offload is available for bridge groups that contain two and only two interfaces. There are no new commands or ASDM screens for this feature. |
||
|
Customizable ARP rate limiting |
You can set the maximum number of ARP packets allowed per second. The default value depends on your ASA model. You can customize this value to prevent an ARP storm attack. We added the following commands: arp rate-limit, show arp rate-limit |
||
|
Ethertype rule support for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address. |
You can now write Ethertype access control rules for the IEEE 802.2 Logical Link Control packet's Destination Service Access Point address. Because of this addition, the bpdu keyword no longer matches the intended traffic. Rewrite bpdu rules for dsap 0x42 . We modified the following commands: access-list ethertype |
||
|
Remote Access Features |
|||
|
Pre-fill/Username-from-cert feature for multiple context mode |
AnyConnect SSL support is extended, allowing pre-fill/username-from-certificate feature CLIs, previously available only in single mode, to be enabled in multiple context mode as well. We did not modify any commands. |
||
|
Flash Virtualization for Remote Access VPN |
Remote access VPN in multiple context mode now supports flash virtualization. Each context can have a private storage space and a shared storage place based on the total flash that is available:
We introduced the following commands: limit-resource storage, storage-url |
||
|
AnyConnect client profiles supported in multiple context mode |
AnyConnect client profiles are supported in multiple context mode. To add a new profile using ASDM, you must have the AnyConnect Secure Mobility Client release 4.2.00748 or 4.3.03013 and later. |
||
|
Stateful failover for AnyConnect connections in multiple context mode |
Stateful failover is now supported for AnyConnect connections in multiple context mode. We did not modify any commands. |
||
|
Remote Access VPN Dynamic Access Policy (DAP) is supported in multiple context mode |
You can now configure DAP per context in multiple context mode. We did not modify any commands. |
||
|
Remote Access VPN CoA (Change of Authorization) is supported in multiple context mode |
You can now configure CoA per context in multiple context mode. We did not modify any commands. |
||
|
Remote Access VPN localization is supported in multiple context mode |
Localization is supported globally. There is only one set of localization files that are shared across different contexts. We did not modify any commands. |
||
|
Umbrella Roaming Security module support |
You can choose to configure the AnyConnect Secure Mobility Client's Umbrella Roaming Security module for additional DNS-layer security when no VPN is active. We did not modify any commands. |
||
|
IPsec/ESP Transport Mode Support for IKEv2 |
Transport mode is now supported for ASA IKEv2 negotiation. It can be used in place of tunnel (default) mode. Tunnel mode encapsulates the entire IP packet. Transport mode encapsulates only the upper-layer protocols of an IP packet. Transport mode requires that both the source and destination hosts support IPSec, and can only be used when the destination peer of the tunnel is the final destination of the IP packet. We modified the following command: crypto map set ikev2 mode |
||
|
Per-packet routing lookups for IPsec inner packets |
By default, per-packet adjacency lookups are done for outer ESP packets; lookups are not done for packets sent through the IPsec tunnel. In some network topologies, when a routing update has altered the inner packet’s path, but the local IPsec tunnel is still up, packets through the tunnel may not be routed correctly and fail to reach their destination. To prevent this, use the new option to enable per-packet routing lookups for the IPsec inner packets. We added the following command: crypto ipsec inner-routing-lookup |
||
|
Certificate and Secure Connection Features |
|||
|
ASA client checks Extended Key Usage in server certificates |
Syslog and Smart licensing Server Certificates must contain “ServerAuth” in the Extended Key Usage field. If not, the connection fails. |
||
|
Mutual authentication when ASA acts as a TLS client for TLS1.1 and 1.2 |
If the server requests a client certificate from the ASA for authentication, the ASA will send the client identity certificate configured for that interface. The certificate is configured by the ssl trust-point command. | ||
|
PKI debug messages |
The ASA PKI module makes connections to CA servers such as SCEP enrollment, revocation checking using HTTP, etc. All of these ASA PKI exchanges will be logged as debug traces under debug crypto ca message 5. |
||
|
ASA SSL Server mode matching for ASDM |
For an ASDM user who authenticates with a certificate, you can now require the certificate to match a certificate map. We modified the following command: http authentication-certificate match |
||
|
Reference Identities for Secure Syslog Server connections and Smart Licensing connections |
TLS client processing now supports rules for verification of a server identity defined in RFC 6125, Section 6. Identity verification will be done during PKI validation for TLS connections to the Syslog Server and the Smart Licensing server only. If the presented identity cannot be matched against the configured reference identity, the connection is not established. We added or modified the following commands: crypto ca reference-identity, logging host, call home profile destination address |
||
|
Crypto Key Zeroization verification |
The ASA crypto system has been updated to comply with new key zeroization requirements. Keys must be overwritten with all zeros and then the data must be read to verify that the write was successful. |
||
|
SSH public key authentication improvements |
In earlier releases, you could enable SSH public key authentication (ssh authentication ) without also enabling AAA SSH authentication with the Local user database (aaa authentication ssh console LOCAL ). The configuration is now fixed so that you must explicitly enable AAA SSH authentication. To disallow users from using a password instead of the private key, you can now create a username without any password defined. We modified the following commands: ssh authentication, username |
||
|
Interface Features |
|||
|
Increased MTU size for the ASA on the Firepower 4100/9300 chassis |
You can set the maximum MTU to 9188 bytes on the Firepower 4100 and 9300; formerly, the maximum was 9000 bytes. This MTU is supported with FXOS 2.0.1.68 and later. We modified the following command: mtu |
||
|
Routing Features |
|||
|
Bidirectional Forwarding Detection (BFD) Support |
The ASA now supports the BFD routing protocol. Support was added for configuring BFD templates, interfaces, and maps. Support for BGP routing protocol to use BFD was also added. We added or modified the following commands: authentication, bfd echo, bfd interval, bfd map, bfd slow-timers, bfd template, bfd-template, clear bfd counters, echo, debug bfd, neighbor fall-over bfd, show bfd drops, show bfd map, show bfd neighbors, show bfd summary |
||
|
IPv6 DHCP |
The ASA now supports the following features for IPv6 addressing:
We added or modified the following commands: clear ipv6 dhcp statistics, domain-name, dns-server, import, ipv6 address autoconfig, ipv6 address dhcp, ipv6 dhcp client pd, ipv6 dhcp client pd hint, ipv6 dhcp pool, ipv6 dhcp server, network, nis address, nis domain-name, nisp address, nisp domain-name, show bgp ipv6 unicast, show ipv6 dhcp, show ipv6 general-prefix, sip address, sip domain-name, sntp address |
||
|
High Availability and Scalability Features |
|||
|
Improved sync time for dynamic ACLs from AnyConnect when using Active/Standby failover |
When you use AnyConnect on a failover pair, then the sync time for the associated dynamic ACLs (dACLs) to the standby unit is now improved. Previously, with large dACLs, the sync time could take hours during which time the standby unit is busy syncing instead of providing high availability backup. We did not modify any commands. |
||
|
Licensing Features |
|||
|
Permanent License Reservation for the ASAv |
For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASAv. In 9.6(2), we also added support for this feature for the ASAv on Amazon Web Services. This feature is not supported for Microsoft Azure.
We introduced the following commands: license smart reservation, license smart reservation cancel, license smart reservation install, license smart reservation request universal, license smart reservation return Also in 9.5(2.200). |
||
|
Satellite Server support for the ASAv |
If your devices cannot access the internet for security reasons, you can optionally install a local Smart Software Manager satellite server as a virtual machine (VM). We did not modify any commands. |
||
|
Permanent License Reservation for the ASAv Short String enhancement |
Due to an update to the Smart Agent (to 1.6.4), the request and authorization codes now use shorter strings. We did not modify any commands. |
||
|
Permanent License Reservation for the ASA on the Firepower 4100/9300 chassis |
For highly secure environments where communication with the Cisco Smart Software Manager is not allowed, you can request a permanent license for the ASA on the Firepower 9300 and Firepower 4100. All available license entitlements are included in the permanent license, including the Standard Tier, Strong Encryption (if qualified), Security Contexts, and Carrier licenses. Requires FXOS 2.0.1. All configuration is performed on the Firepower 4100/9300 chassis; no configuration is required on the ASA. |
||
|
Smart Agent Upgrade for ASAv to v1.6 |
The smart agent was upgraded from Version 1.1 to Version 1.6. This upgrade supports permanent license reservation and also supports setting the Strong Encryption (3DES/AES) license entitlement according to the permission set in your license account.
We introduced the following commands: show license status, show license summary, show license udi, show license usage We modified the following commands: show license all, show tech-support license We deprecated the following commands: show license cert, show license entitlement, show license pool, show license registration Also in 9.5(2.200). |
||
|
Monitoring Features |
|||
|
Packet capture of type asp-drop supports ACL and match filtering |
When you create a packet capture of type asp-drop, you can now also specify an ACL or match option to limit the scope of the capture. We modified the following command: capture type asp-drop |
||
|
Forensic Analysis enhancements |
You can create a core dump of any process running on the ASA. The ASA also extracts the text section of the main ASA process that you can copy from the ASA for examination. We modified the following commands: copy system:text, verify system:text, crashinfo force dump process |
||
|
Tracking Packet Count on a Per-Connection Basis through NetFlow |
Two counters were added that allow Netflow users to see the number of Layer 4 packets being sent in both directions on a connection. You can use these counters to determine average packet rates and sizes and to better predict traffic types, anomalies, and events. We did not modify any commands. |
||
|
SNMP engineID sync for Failover |
In a failover pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID. An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running config output will show two engineIDs per user. We modified the following command: snmp-server user Also in 9.4(3). |
||
New Features in ASA 9.6(1)
Released: March 21, 2016
Note |
The ASAv 9.5.2(200) features, including Microsoft Azure support, are not available in 9.6(1). They are available in 9.6(2). |
|
Feature |
Description |
||
|---|---|---|---|
|
Platform Features |
|||
|
ASA for the Firepower 4100 series |
We introduced the ASA for the Firepower 4110, 4120, and 4140. Requires FXOS 1.1.4. We did not add or modify any commands. |
||
|
SD card support for the ISA 3000 |
You can now use an SD card for external storage on the ISA 3000. The card appears as disk3 in the ASA file system. Note that plug and play support requires hardware version 2.1 and later. Use the show module command to check your hardware version. We did not add or modify any commands. |
||
|
Dual power supply support for the ISA 3000 |
For dual power supplies in the ISA 3000, you can establish dual power supplies as the expected configuration in the ASA OS. If one power supply fails, the ASA issues an alarm. By default, the ASA expects a single power supply and won't issue an alarm as long as it includes one working power supply. We introduced the following command: power-supply dual . |
||
|
Firewall Features |
|||
|
Diameter inspection improvements |
You can now inspect Diameter over TCP/TLS traffic, apply strict protocol conformance checking, and inspect Diameter over SCTP in cluster mode. We introduced or modified the following commands: client clear-text , inspect diameter , strict-diameter . |
||
|
SCTP stateful inspection in cluster mode |
SCTP stateful inspection now works in cluster mode. You can also configure SCTP stateful inspection bypass in cluster mode. We did not add or modify any commands. |
||
|
H.323 inspection support for the H.255 FACILITY message coming before the H.225 SETUP message for H.460.18 compatibility. |
You can now configure an H.323 inspection policy map to allow for H.225 FACILITY messages to come before the H.225 SETUP message, which can happen when endpoints comply with H.460.18. We introduced the following command: early-message . |
||
|
Cisco Trustsec support for Security Exchange Protocol (SXP) version 3. |
Cisco Trustsec on ASA now implements SXPv3, which enables SGT-to-subnet bindings, which are more efficient than host bindings. We introduced or modified the following commands: cts sxp mapping network-map maximum_hosts , cts role-based sgt-map , show cts sgt-map , show cts sxp sgt-map , show asp table cts sgt-map . |
||
|
Flow off-load support for the Firepower 4100 series. |
You can identify flows that should be off-loaded from the ASA and switched directly in the NIC for the Firepower 4100 series. Requires FXOS 1.1.4. We did not add or modify any commands. |
||
|
Remote Access Features |
|||
|
IKEv2 Fragmentation, RFC-7383 support |
The ASA now supports this standard fragmentation of IKEv2 packets. This allows interoperability with other IKEv2 implementations such as Apple, Strongswan etc. ASA continues to support the current, proprietary IKEv2 fragmentation to maintain backward compatibility with Cisco products that do not support RFC-7383, such as the AnyConnect client. We introduced the following commands: crypto ikev2 fragmentation , show running-config crypto ikev2 , show crypto ikev2 sa detail |
||
|
VPN Throughput Performance Enhancements on Firepower 9300 and Firepower 4100 series |
The crypto engine accelerator-bias command is now supported on the ASA security module on the Firepower 9300 and Firepower 4100 series. This command lets you “bias” more crypto cores toward either IPSec or SSL. We modified the following command: crypto engine accelerator-bias |
||
|
Configurable SSH encryption and HMAC algorithm. |
Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms. You might want to change the ciphers to be more or less strict, depending on your application. Note that the performance of secure copy depends partly on the encryption cipher used. By default, the ASA negotiates one of the following algorithms in order: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr. If the first algorithm proposed (3des-cbc) is chosen, then the performance is much slower than a more efficient algorithm such as aes128-cbc. To change the proposed ciphers, use ssh cipher encryption custom aes128-cbc , for example. We introduced the following commands: ssh cipher encryption, ssh cipher integrity. Also available in 9.1(7), 9.4(3), and 9.5(3). |
||
|
HTTP redirect support for IPv6 |
When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent an to IPv6 address. We added functionality to the following command: http redirect Also available in 9.1(7) and 9.4(3). |
||
|
Routing Features |
|||
|
IS-IS routing |
The ASA now supports the Intermediate System to Intermediate System (IS-IS) routing protocol. Support was added for routing data, performing authentication, and redistributing and monitoring routing information using the IS-IS routing protocol. We introduced the following commands: advertise passive-only, area-password, authentication key, authentication mode, authentication send-only, clear isis, debug isis, distance, domain-password, fast-flood, hello padding, hostname dynamic, ignore-lsp-errors, isis adjacency-filter, isis advertise prefix, isis authentication key, isis authentication mode, isis authentication send-only, isis circuit-type, isis csnp-interval, isis hello-interval, isis hello-multiplier, isis hello padding, isis lsp-interval, isis metric, isis password, isis priority, isis protocol shutdown, isis retransmit-interval, isis retransmit-throttle-interval, isis tag, is-type, log-adjacency-changes, lsp-full suppress, lsp-gen-interval, lsp-refresh-interval, max-area-addresses, max-lsp-lifetime, maximum-paths, metric, metric-style, net, passive-interface, prc-interval, protocol shutdown, redistribute isis, route priority high, route isis, set-attached-bit, set-overload-bit, show clns, show isis, show router isis, spf-interval, summary-address. |
||
|
High Availability and Scalability Features |
|||
|
Support for site-specific IP addresses in Routed, Spanned EtherChannel mode |
For inter-site clustering in routed mode with Spanned EtherChannels, you can now configure site-specific IP addresess in addition to site-specific MAC addresses. The addition of site IP addresses allows you to use ARP inspection on the Overlay Transport Virtualization (OTV) devices to prevent ARP responses from the global MAC address from traveling over the Data Center Interconnect (DCI), which can cause routing problems. ARP inspection is required for some switches that cannot use VACLs to filter MAC addresses. We modified the following commands: mac-address, show interface |
||
|
Administrative Features |
|||
|
Longer password support for local username and enable passwords (up to 127 characters) |
You can now create local username and enable passwords up to 127 characters (the former limit was 32). When you create a password longer than 32 characters, it is stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Shorter passwords continue to use the MD5-based hashing method. We modified the following commands: enable, username |
||
|
Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB |
The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.
We did not add or modify any commands. Also available in 9.1(7) and 9.4(3). |
||
|
REST API Version 1.3.1 |
We added support for the REST API Version 1.3.1. |
||
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
-
CLI—Use the show version command.
-
ASDM—Choose .
See the following table for the upgrade path for your version. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
|
Current Version |
Interim Upgrade Version |
Target Version |
|---|---|---|
|
9.3(x) |
— |
Any of the following: → 9.4(x) → 9.3(x) |
|
9.2(x) |
— |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) |
|
9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) |
— |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
9.1(1) |
→ 9.1(2) |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
9.0(2), 9.0(3), or 9.0(4) |
— |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
9.0(1) |
→ 9.0(2), 9.0(3), or 9.0(4) |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.6(1) |
→ 9.0(2), 9.0(3), or 9.0(4) |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.5(1) |
→ 9.0(2), 9.0(3), or 9.0(4) |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.4(5+) |
— |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.4(1) through 8.4(4) |
Any of the following: → 9.0(2), 9.0(3), or 9.0(4) → 8.4(6) |
→ 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.3(x) |
→ 8.4(6) |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.2(x) and earlier |
→ 8.4(6) |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.6(x)
The following table lists select open bugs at the time of this Release Note publication.
|
Caveat ID Number |
Description |
|---|---|
|
ASAv5 - Cannot re-enable http after reducing memory from 2GB to 1G and upgrade from 9.4.1 to 9.6.2 |
|
|
DOC: Document all ASA SCH commands in Command Reference |
|
|
Multiple PAT rules with "any" and named interface cause 305006 "portmap translation creation failed" |
|
|
ASA traceback with thread name: DATAPATH |
|
|
ASA Crash on Thread Name:CTM message handler |
|
|
ASA doesn't boot after a reload unless accessed with console connection |
|
|
ENH: Unique IPv6 link-local addresses assigned when sub-interface is being created |
|
|
"management-access <interface>" will open all management sockets on that int. |
|
|
Active ASA Crashing on DATAPATH |
|
|
Netflow Returns Large Values for Bytes Sent/Received and IP address switch |
|
|
Rest-API queries returns "Resource-not-found" for existing resources |
|
|
Connection table not synchronized during upgrade in failover environment. |
|
|
ASA Routes flushed after failover when etherchannel fails |
|
|
Incorrect sequence numbers in selective ACKs with SSL decrypt/resign |
|
|
ASA fails to rejoin the failover HA Or a cluster with insufficient memory error, OGS enabled |
|
|
Upon joining cluster slave unit generates ASA-3-202010: NAT/PAT pool exhausted for all PAT'd conns |
|
|
ASA WebVPN Smart-tunnel: DNS resolution failing on Windows 8 and Windows 10 |
|
|
ASA broadcasting packets sent to subnet address as destination IP |
|
|
FP4120 / ASA 9.6(3)230 "established tcp" not working anymore after SW upgrade |
|
|
GTP inspection may spike cpu usage |
|
|
OSPF Not So Stubby Area Type 7 are not converted to Type 5 |
|
|
ASA reports incorrectly double input packets traffic on PPPoe/VPDN interface |
|
|
ASA traceback in Thread name: idfw_proc on running "show access-list" |
|
|
Traceback when ACL and NAT objects changed from IP to FQDN objects |
|
|
ASA - rare cp processing corruption causes console lock |
|
|
Heavy utilization in SNP APP ID |
|
|
ASA Traceback in spin_lock_fair_mode_enqueue: Lock (np_conn_shrlock_t) |
|
|
Traceback when trying to save/view access-list with object groups (display_hole_og) |
|
|
RDP session does not establish after changing SSL certificate on ASA. |
|
|
DOC: IPsec over NAT-T enabled by default |
|
|
ASA Traceback in Assert "0" failed: file "timer_services.c" |
|
|
On ASA "show module" not showing correct BIOS version |
|
|
traceback in IKE Reciver Thread when "wr standby" is used |
|
|
Reverse Route fails to install after crypto map enabled interface on ASA undergoes a shut/no shut |
|
|
ASA: several ipv6 packets drop during failover when using sub-interface |
|
|
Next Registration Attempt shows wrong time and it stops to register when ntp is configured |
|
|
ASA ping to IPv6 address selects egress interface source IP instead of specified source IP |
|
|
Inspect SIP is not handling the RTCP attribute in the SDP header |
|
|
Traceback when configuring/modifying time range objects and acls |
|
|
ACL hitcount is not increasing even though ACE hitcount is being increased. |
|
|
Failover delay with coredump configured |
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 9.6(4)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Caveat ID Number |
Description |
|---|---|
|
Resolve any vulnerabilities in ASA/FTD lina Heimdal Kerberos code |
|
|
FQDN ACL entries might be incomplete if DNS response from server is large and truncated |
|
|
ASA block new conns with "logging permit-hostdown" & TCP syslog is down |
|
|
ASA Traceback in thread SSH when ran "show service set conn detail" |
|
|
TLS CTP does not work in TLSv1.2 when GCM ciphers are used |
|
|
ASA traceback in Thread Name:ci/console while running show ospf commands |
|
|
FTP data conn scaling fails with dynamic PAT |
|
|
Support for more than 255 characters for Split DNS value |
|
|
Evaluation of pix-asa for OpenSSL May 2016 |
|
|
ASA dropping packets with "novalid adjacency" though valid ARP entry avail |
|
|
OSPF multicast filter rules missing in cluster slave |
|
|
Huge Byte Count seen on IP protocol 97 flows with SFR |
|
|
9.7.1 traceback in snp_fp_qos |
|
|
Unable to run show counters protocol ip |
|
|
ASA 9.1(7)9 Traceback with %ASA-1-199010 and %ASA-1-716528 syslog messages |
|
|
EZVPN NEM client can't reconnect after "no vpnclient enable" is entered |
|
|
TCP connections might fail through a FTD cluster with inline mode interfaces |
|
|
ASA - Incorrect interface-based route-lookup if more specific route exist out different interface |
|
|
asa Rest-api - component monitoring - empty value/blank value |
|
|
Implement detection and auto-fix capability for scheduler corruption problems |
|
|
Traceback on thread name IKE Daemon at mqc_enable_qos_for_tunnel |
|
|
Logs lost when TCP is used as transport protocol for Syslogs |
|
|
CEP records edit page take minutes to load |
|
|
Traffic drops for reverse UDP/TCP IPv6 traffic over IPv4 tunnel |
|
|
ASA 1550 block gradual depletion |
|
|
gzip compression not working via Webvpn |
|
|
ASA does not respond to IPv6 MLD Query. |
|
|
Unable to deploy policy on FTD devices due to wrong XML parsing |
|
|
ASA: IKEv2 ipsec-proposal command removed if more than 9 proposals configured in single command |
|
|
VTI - Some sessions do not get cleared from vpn-sessiondb |
|
|
ASA TCP SIP inspection translation not working when IP phone is behind VPN tunnel |
|
|
Slow Memory leak in ASA |
|
|
ASA traceback in DATAPATH-41-16976 thread |
|
|
Port Forwarding Session times out due to "vpn-idle-timeout" in group-policy while passing data |
|
|
ASA IKEv1: Set non-zero SPI in INVALID_ID_INFO Notify |
|
|
Traceback in "Thread Name: IPsec message handler" on EZVPN client |
|
|
FTD: Interface capture on lina CLI causes all traffic to be dropped on data-plane |
|
|
RSA keys may fail to synchronize between contexts in cluster setup |
|
|
ASA drops web traffic when IM inspection is enabled. |
|
|
ASA erroneously triggers syslog ID 201011 |
|
|
SNMP lists same Hostname for all Firepower Threat Defense managed devices |
|
|
Mgmt route deletion removes data plane route too. |
|
|
FTD traceback at "cli_xmlserver_thread" while deploying access-control policy |
|
|
ASA does not send Epoch on TACACS Auditing packet |
|
|
Assertion in syslog.c due to uauth |
|
|
Traceback in thread name DATAPATH |
|
|
Ether-channel: 5585-60 LACP state shows SYSTEM ID of old neighbor on interface which is in disabled |
|
|
9.6.2 DHCPRA: Maximum relay bindings (500) exceeded |
|
|
Access-lists not being matched for a newly created object-group |
|
|
Cisco Adaptive Security Appliance Username Enumeration Information Disclosure Vuln. |
|
|
Traceback when trying to save/view access-list with giant object groups (display_hole_og) |
|
|
ASA with 9.5.1 and above does not show SXP socket when managment0/0 is used as src-ip |
|
|
ASA traceback in Thread name: idfw_proc on running "show access-list", while displaying remark |
|
|
RT#687120: Bookmark Issue with clientless VPN - SAML |
|
|
ASA Traceback when saving/viewing the configuration due to time-range ACLs |
|
|
ASA in cluster results in incorrect user group mappings between the Master and Slave |
|
|
%ASA-3-216001: internal error in ci_cons_shell: thread data misuse |
|
|
ASA traceback in ARP thread, PBR configured |
|
|
Web folder filebrowser applet code signing certificate expired |
|
|
DCERPC inspection drops packets and breaks communication |
|
|
ASA backup in multicontext fails due to [Running Configurations] ERROR |
|
|
ASA traceback in Thread Name: accept/http when ASDM is displaying "Access Rules" |
|
|
ASA All contexts use the same EIGRP router-ID upon a reload |
|
|
EIGRP routes wrongly being advertising on mgmt routing table vrf after disabling and enabling EIGRP |
|
|
ASA may traceback when changing a NAT related object to fqdn |
|
|
Error deploying ASAv on ESXi vCenter 6.5 |
|
|
Traceback in Thread Name: Unicorn Admin Handler |
|
|
ASA fails to contact the secondary LDAP server with reactivation mode timed configured |
|
|
ASA - Interface status change causes VPN traffic disconnect while using ipsec inner-routing-lookup |
|
|
ASA: slow memory leak when using many DNS queries |
|
|
Cluster director connection gets timed out with reason idle timeout |
|
|
tcp-options md5 allow is pushed to slave units as tcp-options md5 clear |
|
|
ASA policy-map configuration is not replicated to cluster slave |
|
|
ASA may generate an assert traceback while modifying access-group |
|
|
ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded' |
|
|
ASA local dns resolution fails when dns server is reachable through a site to site ipsec tunnel |
|
|
FTD OSPF with ECMP, packets are sent to peer in down state for existing connections |
|
|
In security context, cannot generate the SNMP events trap. |
|
|
FTD-VPN: VPN RRI not getting synced between Master and Slave units |
|
|
Cisco Adaptive Security Appliance Authenticated Cross-Site Scripting Vulnerability |
|
|
Increase memory allocated to rest-agent on ASAv5 |
|
|
ASA 9.6.2.11 - Intermittent authentication with CTP uauth in cluster |
|
|
ASA traceback when trying to remove configured capture |
|
|
ASA traceback in Thread Name: fover_parse performing upgrade from 9.1.5 to 9.4.3 |
|
|
ASA traceback observed in Datapath due to SIP inspection |
|
|
Unable to switch standby unit of the failover pair to active |
|
|
WebVPN forces IE to use IE8 mode |
|
|
ASA Traceback in Unicorn Proxy Thread |
|
|
L2TP/IPsec fails when transform-set with mode transport is 11th in dynamic-map |
|
|
Cisco Firepower Detection Engine SSL Decryption Memory Consumption Denial of Service Vulnerability |
|
|
FTD traceback observed during failover synchronization. |
|
|
The interactive icons on internal bookmark site not showing properly (+CSCO+0undefined) |
|
|
ASA may drop DNS reply containing only additional RR of type TXT |
|
|
ASA Issue with bgp route summarization(auto-summary)and route advertisement |
|
|
SFR Backplane is pulling the public address for policy match instead of ASA inside address |
|
|
Proxy ARP information for SSH NLP NAT is not updating on the FTD upon failover |
|
|
ASA with FirePOWER services module generates traceback and reload |
|
|
Slave should have use CCL to forward traffic instead of blackholing when egress interface is down |
|
|
ASA reloaded while joining cluster and active as slave |
|
|
Show Crypto Acclerator shows status as booting for hardware devices |
|
|
Routes do not sync properly between different minor versions during hitless upgrade |
|
|
CRL verification fails due to incorrect KU after CSCvd41423 |
|
|
Dist-S2S: tunnels stay up even after passing vpn idle timeout in Multimode |
|
|
Memory leak with capture with trace and clear capture |
|
|
In multi-context ASA drops traffic sourced from certain ports when interface PAT is used |
|
|
ASA: Active FTP not working with extended keyword in NAT. |
|
|
ASA clustering to support rollback feature with CSM |
|
|
Upgrading the ASA results in No Valid adjacency due to track configure on the route |
|
|
ASA: Multicast packets getting dropped starting code 9.6.3 |
|
|
ASA traceback observed in datapath |
|
|
Username is not fetched from certificate when certificate map is used in clientless portal |
|
|
Cisco Adaptive Security Appliance WebVPN Cross-Site Scripting Vulnerability |
|
|
ASA SNI connection fails after upgrade - no shared cipher |
|
|
"activate-tunnel-group-scripts" not available in 9.6.3.1 |
|
|
CSCOGet_origin wrapper doesn't handle 'origin' property if it belongs to Location object |
|
|
ICMP Unreachables (PMTU) dropped indicating "Routing failed to locate next hop" |
|
|
Auto-RP packet is dropped due to no-route - No route to host |
|
|
BTF not supported on ASA application on FXOS Chassis, but smart licensing show this feature enabled. |
|
|
ASA may traceback on displaying access-list config or saving running config |
|
|
Smart Licensing ID cert renewal failure should not deregister product instance |
|
|
Traceback in Thread Name: IP RIB Update when routes are redistributed |
|
|
Interfaces on SLAVES in shutdown if FMC deployment results in failure |
|
|
Calls not working with CUCI Lync version 11.6.3 on ASA |
|
|
ASA - Traceback in DATAPATH during PAT pool socket allocation |
|
|
ASA corrupt dst mac address of return traffic from l2tp client |
|
|
network_udpmod_get not releasing shr_lock in rare error case |
|
|
CPU Hog CI_CONSOLE Traceback During Configuration |
|
|
ASA does not install routes learned via OSPF over IPSec using UDP/4500 |
|
|
"NSF IETF/CISCO" commands getting removed on reload |
|
|
ASA: IPv6 protocol X rule for passing through FW is dropping packets with Invalid IP length message |
|
|
AnyConnect new customization creation fails on ASDM for all ASA versions above 9.5(3) |
|
|
ASA sends the ICMP unreachable type 3 code 4 in the wrong direction when SFR redirection enabled |
|
|
FTD Diagnostic Interface does Proxy ARP for br1 management subnet |
|
|
OSPF Rogue LSA with maximum sequence number vulnerability |
|
|
Slave reports Master's interface status as "init" while it is up |
|
|
ASA Memory Leak - RSA toolkit |
|
|
SSH Connections to ASA fail with SLA monitoring & nonzero floating-conn timeout |
|
|
"service resetoutside" impacts to-the-device traffic on all interfaces, behaves different on Standby |
|
|
vpn vlan mapping issue |
|
|
CPU hog in CP Processing thread due to huge number of sunrpc sessions |
|
|
ASA- Traceback in 'Thread Name : Datapath' on crypto_SSL functions |
|
|
ASA 9.5.1 onwards, Traffic incorrectly routed instead of management interface |
|
|
ASA Cluster : Potential UDP loop on cluster link with PAT pool |
|
|
ASA Log message 414003 may be generated with bogus IP data when TCP Syslog Server down |
|
|
ASA 2048 block depletion when PBR next-hop is interface address |
|
|
ASASM: Interface vlans going to admin down after reload. |
|
|
webvpn-l7-rewriter: Jira 7.3.0's login page through WebVPN portal does not render completely |
|
|
Memory leak at location "snp_fp_encrypt" when syslog server is reachable over the VPN tunnel |
|
|
ASA Webvpn Rewritter issue. Unable to browse tabs of WebSite over Clientless VPN |
|
|
IPsec SA fail to come up and flap with more than 1000 IPsec SA count in ASA5506/5508/5516 |
|
|
Traceback in DATAPATH-1-2084 ASA 9.(8)1 |
|
|
All 1700 "4 byte blocks" were depleted after a weekend VPN load test. |
|
|
ASA traceback on websns_rcv_tcp |
|
|
Start of Flow Block event has incorrect number of Initiator Bytes |
|
|
Traceback in Unicorn Proxy Thread due to Webvpn |
|
|
ASA/ 9.6.3 // WebVPN Smart tunnel works but floods windows with event viewer |
|
|
ASA WebVPN Rewriter: WebVPN bookmark scholar.google.com not properly written |
|
|
Cisco Adaptive Security Appliance HREF Cross Site Scripting Vulnerability |
|
|
Standby ASA rejects NAT rule when dest overlaps with interface IP, Active allows this |
|
|
SNMP::User is not added to a user-list or host ,after reconfigure it. |
|
|
Traceback on ASA with Firepower Services during NAT rule changes and packet capture enabled |
|
|
Unable to scale the flash virtualisation feature up to 250 contexts |
|
|
CDA agent stucks in 'Probing' when domain-lookup is enable |
|
|
ASA OSPF interface gets stuck in State DOWN (waiting for NSF) after 3rd failover |
|
|
ASA: Low free DMA Memory on versions 9.6 and later |
|
|
Evaluation for the vulnerabilities CVE-2017-1000364 and CVE-2017-1000366 |
|
|
Regex is not matching for HTTP argument field |
|
|
Ports not getting reserved on ASA after adding snmp configuration. |
|
|
ASA - Crypto accelerator traceback in a loop |
|
|
Duplicate host entries in flow-export action cause traceback after policy deployment |
|
|
multicast traffic sourced from anyconnect pool dropped due to reverse path checked. |
|
|
ASA-5-720012:(VPN-Secondary)Failed to update IPSec failover runtime data in ASA cluster environment |
|
|
IPv6 Addresses intermittently assigned to AnyConnect clients |
|
|
Ikev2 Remote Access client sessions stuck in Delete state |
|
|
Unable to SSH to Active Unit//TCP connection Limit Exceeded |
|
|
ASA Exports ECDSA as corrupted PKCS12 |
|
|
SAML 2.0 || (5525) 9.7.1 ASA : ASA compiler not taking the sign-in URL for SAML authentication. |
|
|
ASA: SNMP Host Group not working as required for multi context configuration. |
|
|
ASA memory leak - DTLS sessions |
|
|
ASA5585 traceback in DATAPATH - snp_vpn_process_natt_pkt |
|
|
EC Certificates that are imported to the ASA in PKCS12s cannot be used for SSL |
|
|
An ASA with low free memory fails to join existing cluster and could traceback and reload |
|
|
DAP config restored but inactive after backup restore |
|
|
ASA not sending register stop when mroute is configured |
|
|
ASA Connections stuck in idle state with DCD enabled |
|
|
Install 6.2.2-1290 sfr on a ASA with firepower - asa cores |
|
|
ASA traceback in fover_parse after version up |
|
|
Unable to add new networks to existing EIGRP configuration |
|
|
traceback in watchdog process |
|
|
Webvpn rewriter failing for internal URL |
|
|
ASA// 9.6 // FTP inspection does not allocate new NAT entrie for DATA traffic on Active FTP with PAT |
|
|
OSPF route not getting installed on peer devices when an ASA failover happens with NSF enabled |
|
|
ASA 9.x: DNS inspection appending "0" on PTR query |
|
|
iOS and OS X IKEv2 Native Clients unable to connect to ASA with EAP-TLS |
|
|
Contexts are missing on ASA once Chassis reloads after becoming Master on 9.6 code |
|
|
ENH: GOID allocation and sync cleanup |
|
|
ASA on FXOS is sending SNMP Ifspeed OID (1.3.6.1.2.1.2.2.1.5) response value = 0 |
|
|
TLS version 1.1 connection failed no shared signature algorithms@t1_lib.c:3106 |
|
|
ASA - 80 Byte memory block depletion |
|
|
ASA 9.6(2), 9.6(3) traceback in DataPath |
|
|
ASA doesn't send LACP PDU during port flap in port-channel |
|
|
Transparent Firewall: Ethertype ACLs installed with incorrect DSAP value |
|
|
Traceback in thread DATAPATH due to NAT |
|
|
ASA: entConfigChange is unexpectedly sent when secondary ASA is reloaded |
|
|
ASA drops the IGMP Report packet which has Source IP address 0.0.0.0 |
|
|
ERROR: Captive-portal port not available. Try again |
|
|
FXOS - ASA/FTD standby unit in transparent mode may still traffic for offloaded flows |
|
|
ASAv image in AWS GovCloud not working in Hourly Billing Mode |
|
|
IKEv2 RA cert auth. Unable to allocate new session. Max sessions reached |
|
|
Hostscan: Errors in cscan.log downloading Microsoft and Panda .dll files |
|
|
OpenSSL CVE-2017-3735 "incorrect text display of the certificate" |
|
|
management-only comes back after reboot |
|
|
Memory leak in 112 byte bin when packet hits PBR and connection is built |
|
|
'Incomplete command' error with some inspects due to K7 license |
|
|
"crypto ikev1 enable" command not installed on FTD CLI |
|
|
Slave kicked out due to CCL link failure and rejoins, but loses v3 user in multiple context mode |
|
|
ASA: Traceback by Thread Name idfw_proc |
|
|
ASA - rare scheduler corruption causes console lock |
|
|
ASA cluster intermittently drop IP fragments when NAT is involved |
|
|
ASA/FTD traceback when clearing capture - assertion "0" failed: file "mps_hash_table_debug.c" |
|
|
ASA on FP 2100 traceback when uploading AnyConnect image via ASDM |
|
|
ASA does not create pinholes for DCERPC inspection, debug dcerpc shows "MEOW not found". |
|
|
ASA : After upgrading from 9.2(4) to 9.2(4)18 serial connection hangs |
|
|
"clear local-host <IP>" deletes all stub flows present in the entire ASA cluster for all hosts/conns |
|
|
iPhone IKEv2 PKI leaks over Wi-Fi using local certificate authentication on ASA 5555 9.6.3 |
|
|
ASA-SSP HA reload in CP Processing due to DNS inspect |
|
|
traceback with Show OSPF Database Commands |
|
|
ASA local DNS resolution fails when DNS server is reachable over a site to site sec VPN tunnel |
|
|
One node rejoined and traffic restarted will cause the unit 100% CPU due to snpi_untranslate |
|
|
ASA getting stuck in hung state because of STATIC NAT configuration for SNMP ports |
|
|
FORWARD PORT: 1550/2048/9344 byte memory block depletion due to identity UDP traffic |
|
|
Assert Traceback, thread name : cli_xml_server |
|
|
ASA SNMP OID for ifInDiscards always 0 |
|
|
Javascript elmements rewriter issue |
|
|
"OCTEON:DROQ[8] idx: 494 len:0" message appearing on console access of the device |
|
|
ASA Webvpn Username field should not accept XSS executable scripts. |
|
|
ASA AC client PKI username from cert longer than 64 characters - radius username is cut short to 64 |
|
|
ASA traceback: thread name scansafe |
|
|
High CPU in IKE Daemon causing slow convergence of VPN tunnels in a scaled environment |
|
|
Unable to save configuration in system context after enabling password encryption in ASA |
|
|
"dir /recursive cache:/stc" and "dir cache:stc/2/" list AnyConnect.xsd differently on ASA9.8.2 |
|
|
Modifying service object-groups (add and remove objects) removes ACE |
|
|
SSH/Telnet Traffic, 3-WHS, ACK packets with data is getting dropped - reason (intercept-unexpected) |
|
|
GTP echo response is dropped in ASA cluster |
|
|
ASA backs out of connection when it receives Server Key exchange with named curve as x25519 |
|
|
Memory Leaking on ASA with vpnfol_memory_allocate and vpnfol_data_dyn_string_allocator |
|
|
ASA:multi-session command being configured after write erase |
Resolved Bugs in Version 9.6(3.1)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Caveat ID Number |
Description |
|---|---|
|
ASA block new conns with "logging permit-hostdown" & TCP syslog is down |
|
|
ASA: Auth failures for SNMPv3 polling after unit rejoins cluster |
|
|
ASA traceback on standby when SNMP polling |
|
|
Stale VPN Context entries cause ASA to stop encrypting traffic |
|
|
ASA classifies TCP packets as PAWS failure incorrectly |
|
|
dhcprelay interface doesn't change by changing route |
|
|
ASA - TO the box traffic break due to int. missing in asp table routing |
|
|
ASA Traceback on 9.1.5.19 |
|
|
CWS redirection on ASA may corrupt sequence numbers with https traffic |
|
|
Traceback: ASA crash in thread name fover_health_monitoring_thread |
|
|
Traceback in Unicorn Proxy Thread, in http_header_by_name |
|
|
ASA: Protocol and Status showing UP without connecting the interface |
|
|
After some time flash operations fail and configuration can not be saved |
|
|
ASA memory leak related to Botnet |
|
|
ASA Traceback Assert in Thread Name: ssh_init with component ssh |
|
|
ASA reloads with traceback in thread name DATAPATH or CP Processing |
|
|
ASA generates unexpected syslog messages with mcast routing disabled |
|
|
L2TP over IPSec can not be connected after disconnection from client. |
|
|
http config missing in multicontext after reload of stdby 916.9 or later |
|
|
Unicorn Proxy Thread causing CP contention |
|
|
AnyConnect DTLS on-demand DPDs are not sent intermittently |
|
|
ASA does not respond to NS in Active/Active HA |
|
|
ASA Stateful failover for DRP works intermittently |
|
|
Commands not installed on Standby due to parser switch |
|
|
GTP traceback at gtp_update_sig_conn_timestamp while processing data |
|
|
Error Indication dropped with Null TID MBReq dropped with no Ctrl F-TEID |
|
|
OSPF multicast filter rules missing in cluster slave |
|
|
IPv6 neighbor discovery packet processing behavior |
|
|
nat-t-disable feature is not working for ikev2 |
|
|
Ikev1 tunnel drops with reason " Peer Address Changed" |
|
|
2048/1550/9344 Byte block leak cause traffic disruption & module failure |
|
|
ASA with PAT fails to untranslate SIP Via field that doesnt contain port |
|
|
Hash miscalculation for "Any" address on inside |
|
|
IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck |
|
|
ASAv ACKs FIN before all data is received during smart licensing exch |
|
|
management-only cli not available in user context of QP-D |
|
|
Traceback in CP Processing thread after upgrade |
|
|
ASA 9.4.2.6 High CPU due to CTM message handler due to chip resets |
|
|
Remove ACL warning messages in show access-list when FQDN is resolved |
|
|
Unexpected end of file logon.html in WebVPN |
|
|
ASA sends invalid interface id to SFR for clientless VPN traffic |
|
|
ASA not rate limiting with DSCP bit set from the Server |
|
|
show service-policy output reporting incorrect values |
|
|
ASA: SLA Monitor not working with floating timeout configured to nonzero |
|
|
Unable to auth a 2nd time via clientless after ASA upgrade |
|
|
ASA ASSERT traceback in DATAPATH due to sctp inspection |
|
|
snmpwalk not working for some NAT OIDs |
|
|
On reloading the ASA, ASA mounts SSD as disk 0, instead of the flash. |
|
|
IPv6 OSPF routes do not update when a lower metric route is advertised |
|
|
ASA: SIP Call Drops with PAT when same media port used in multiple calls |
|
|
TLS Proxy feature missing client trust-point command |
|
|
ASA SM on 9300 reloads multi-context over SSH when config-url is entered |
|
|
ASA : PBR Mem leak as packet dropped |
|
|
ASA treaceback at Thread Name: rtcli async executor process |
|
|
OSPFv3/IPv6 flapping every 30 min between ASA cluster and 4500 |
|
|
ASA DATAPATH traceback (Cluster) |
|
|
BGP Socket not open in ASA after reload |
|
|
Cisco ASA Cross Site Scripting SSLVPN Vulnerability |
|
|
Cisco ASA Input Validation File Injection Vulnerability |
|
|
ASA traceback in CLI thread while making MPF changes |
|
|
Interfaces get deleted on SFR during cluster rejoining |
|
|
Crypto accelerator ring timeout causes packet drops |
|
|
ASA 'show inventory' shows 'Driver Error, invalid query ready' |
|
|
IKEv2 RA cert auth. Unable to allocate new session. Max sessions reached |
|
|
ASA OSPFv3 interface ID changes upon disabling/enabling failover |
|
|
Traceback in Thread Name: ssh when issuing show tls-proxy session detail |
|
|
SCTP MH:pin hole removed and added freq on standby with dual nat |
|
|
memory leak in ssh |
|
|
ASA uses "::" for host IP addresses if booted with an improper config |
|
|
ASA capture type isakmp not saving reassembled rfc7383 IKEv2 packets |
|
|
ASAv-Azure: waagent may reload when asav deployed with load balancer |
|
|
Increasing the global ARP request pool |
|
|
CISCO-MEMORY-POOL-MIB returns incorrect values for heapcache |
|
|
Clustering: TFW asynchronous flow packet drop due to L2 entry timeout |
|
|
Two Upstream Kernel Patches for ASAv in Azure |
|
|
Shut down interfaces shows up in ASP routing table |
|
|
uauth is failed after failover |
|
|
SmartLic: Inter-chassis master switchover license race condition |
|
|
SNMPv3 active engineID is not reset when ASA is replaced |
|
|
ASA drops ICMP request packets when ICMP inspection is disabled |
|
|
Unable to relay DHCP discover packet from ASA when NAT is matched |
|
|
OSPF generates Type-5 LSA with incorrect mask, which gets stuck in LSDB |
|
|
ASA stuck in boot loop due to FIPS Self-Test failure |
|
|
ASA negotiates TLS1.2 when server in tls-proxy |
|
|
failover descriptor is not updated in Port Channel interfaces |
|
|
ICMP error packets in response to reply packets are dropped |
|
|
ASA : Enabling IKEv1/IKEv2 opens RADIUS ports |
|
|
ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon |
|
|
ASR9000 BGP Graceful Restart doesnt work as expected |
|
|
IPV6 address not assigned when connecting via IPSEC protocol |
|
|
ASAv hangs often during reboot |
|
|
ASAv show hostname generates smart licensing authorization request |
|
|
ASA: CHILD_SA collision brings down IKEv2 SA |
|
|
ASA memory leak for CTS SGT mappings |
|
|
FTD - 6.1 - redistribute connected is redistributing Internal-Data (NLP) |
|
|
HTML5: Guacamole server requires page refresh |
|
|
GTP traceback at gtpv1_process_msg for echo response |
|
|
OTP authentication is not working for clientless ssl vpn |
|
|
AnyConnect Sessions Cannot Connect Due to Stuck L2TP Uauth Sessions |
|
|
issuer-name falsely detecting duplicates in certificate map using attr |
|
|
ASA Traceback when issue 'show asp table classify domain permit' |
|
|
ASA Traceback in CTM Message Handler |
|
|
Cisco ASA SNMP Remote Code Execution Vulnerability |
|
|
ASA Cluster DHCP Relay doesn't forward the server replies to the client |
|
|
ASA 5585-60 dropping out of cluster with traceback |
|
|
Enqueue failures on DP-CP queue may stall inspected TCP connection |
|
|
FTD: 9k byte block depletion leads to dropped traffic |
|
|
971 EST - Console hang on show capture |
|
|
SIP: Address from Route: header not translated correctly |
|
|
FTD inline is not blocking MPLS-switched TCP session it should block |
|
|
Traceback in IKE_DBG |
|
|
Unable to delete the SNMP config |
|
|
H.323 inspection causes Traceback in Thread Name: CP Processing |
|
|
traceback in network udpmod_get after anyconnect test load application |
|
|
Internal ATA Compact Flash size is incorrectly shown in "show version" |
|
|
ASA : Botnet update fails with a lot of Errors |
|
|
wr mem/ wr standby is not syncing configs on standby |
|
|
ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer |
|
|
ASA Page fault traceback in Thread Name: DATAPATH |
|
|
ASA as DHCP relay drops DHCP 150 Inform message |
|
|
Buffer Overflow in ASA Leads to Remote Code Execution |
|
|
Sweet32 Vulnerability in ASA's SSH Implementation |
|
|
Remove ACL warning messages in show access-list when FQDN is unresolved |
|
|
ASA Traceback in thread name CP Processing due to DCERPC inspection |
|
|
ASA 9.1.7-9 crash in Thread Name: NIC status poll |
|
|
IPv6 DNS packets getting malformed when DNS inspection is enabled. |
|
|
Webvpn rewriter failing on matterport.com |
|
|
ASA 1550 block depletion with multi-context transparent firewall |
|
|
Unable to run show counters protocol ip |
|
|
AAA authentication/authorization fails if only accessible via mgmt vrf |
|
|
Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416 |
|
|
ASA may generate DATAPATH Traceback with policy-based routing enabled |
|
|
ASA Multiple Context SNMP PAT Interface Missing |
|
|
Traceback : ASA with Threadname: DATAPATH-0-1790 |
|
|
WebVPN:VNC plugin:Java:Connection reset by peer: socket write error |
|
|
ASA traceback with passive-interface default on 9.6(2) |
|
|
Cisco ASA Signature Verification Misleading Digital Signing Text On Boot |
|
|
Cisco ASA Remove Mis-leading Secure Boot commands on non-SB hardware |
|
|
Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback |
|
|
Failover after IKE rekey fails to initiate ph1 rekey on act device |
|
|
ASA PKI OCSP failing - CRYPTO_PKI: failed to decode OCSP response data. |
|
|
Lower NFS throughput rate on Cisco ASA platform |
|
|
nlp_int_tap routes seen in ASA "sh route" command |
|
|
nlp information seen in ipv6 commands |
|
|
ASA not sending Authen Session End log if user logs out manually |
|
|
GTPv2 Dropping instance 1 handoffs |
|
|
ASA Traceback in Checkheaps Thread |
|
|
ASA traceback with Thread Name aaa_shim_thread |
|
|
ASDM : memory usage reading incorrect for ASAv 9.6.2 |
|
|
ASA traceback observed on auto-update thread. |
|
|
Evaluation of pix-asa for Openssl September 2016 |
|
|
Delete Bearer Req fails to delete second default bearer after v2 Handoff callflow. |
|
|
Traceback triggered by CoA on ASA when sending/receiving to/from ISE |
|
|
IKEv2: It is NOT cleaning the sessions after disconnected from the client. |
|
|
ASA traceback at Thread Name: rtcli |
|
|
RADIUS authorization request does not send Called-Station-ID attribute |
|
|
Lina core during failover with sip traffic |
|
|
viewer_dart.js file not loading correctly |
|
|
VPN tunnels are lost after failover due to OSPF route issue |
|
|
ASA Traceback Thread Name: emweb/https |
|
|
ASA : Discrepancy in used memory calculation for Multiple context firewall |
|
|
GARP flood done by ASAs in multi-site cluster using the site-ip address |
|
|
EIGRP: Need to add large number error handling when getting scaled bandwidth |
|
|
Object-group-search redundant service group objects are incorrectly removed |
|
|
AAA session handle leak with IKEv2 when denied due to time range |
|
|
ASA-SM traceback with Thread : fover_parse during upgrade OS 9.1.6 to 9.4.3 |
|
|
ASA fairly infrequently rewrites the dest MAC address of multicast packet for client |
|
|
webvpn_state cookie information disclosure in url |
|
|
ASA traceback at Thread Name: IKE Daemon. |
|
|
SCP fails in 962 |
|
|
ASA dropping traffic with TCP syslog configured in multicontext mode |
|
|
ASA - ACL remark displayed incorrectly in the Packet Tracer tool's XML output |
|
|
EZVPN NEM client can't reconnect after "no vpnclient enable" is entered |
|
|
4GE-SSM RJ45 interface may drop traffic due to interface "rate limit drops" |
|
|
v1 PDP may get deleted on parse IE failure |
|
|
Evaluation of pix-asa for CVE-2016-5195 (DIRTY CoW) |
|
|
Failed to ssh management interface after failover and plug-in/out |
|
|
ASA: Stuck uauth entry rejects AnyConnect connection despite fix for CSCuu48197 |
|
|
webvpn-l7-rewriter: 5515 9.1.6 Content Rewrite Problem for ASA Web Bookmark |
|
|
WebVPN: Internal page login button not working through rewriter |
|
|
ASA drops DNS PTR Reply with reason Label length exceeded during rewrite |
|
|
Cluster ASA drops to-the-box ICMP replies with reason "inspect-icmp-seq-num-not-matched" |
|
|
ASA matches incorrect ACL with object-group-search enabled |
|
|
ASA SIP inspection may delay transmission of 200 OK when embedded with NOTIFY |
|
|
Incorrect behaviour when SNMP polling is done on virtual IP of an ASA cluster. |
|
|
ASA : memory leak due to ikev2 |
|
|
RDP Plugin Connection failed with error |
|
|
PLR: ASAv generates invalid reservation code |
|
|
ASA DHCP relay is incompatible with intercept-dhcp feature |
|
|
ASA cluster TCP/SSL ports are not displayed on LISTEN state |
|
|
ASA unable to add multiple attribute entries in a certificate map |
|
|
Implement detection and auto-fix capability for scheduler corruption problems |
|
|
ASAv may crash when running webvpn |
|
|
ASA fails SSL VPN session establishment with EC under load |
|
|
9.6.2 - Traceback during AnyConnect IKEv2 Performance Test |
|
|
ASA multicontext disallowing new conns with TCP syslog unreachable and logging permit-hostdown set |
|
|
ASA-SM 9.5.2 inspect-sctp licensing breaks existing deployments |
|
|
ASA traceback at Thread Name: sch_syslog |
|
|
DSCP Markings Not Copied to Outer IP Header With IPsec Encapsulation |
|
|
Cisco ASA Heap Overflow in Webvpn CIFS |
|
|
Traceback on thread name IKE Daemon at mqc_enable_qos_for_tunnel |
|
|
MIB object cempMemPoolHCUsed disappeared |
|
|
ASA: OspfV3 routes are not getting installed |
|
|
ASA portal reveals that multiple context is configured when anyconnect is deployed. |
|
|
Error synchronizing the SNMPv3 user after rebooting a cluster unit |
|
|
ASA memory leak in CloneOctetString when using SNMP polling |
|
|
Implement speed improvements for ACL and NAT table compilation |
|
|
ASA traceback in Thread Name: ssh, rip igb_disable_rx_queues after no shutdown of interface |
|
|
Firepower Threat Defense (FTD) IKEv2 NAT-T gets disabled after reboot |
|
|
SSL connection hangs between ASA and backend server in clientless WebVPN |
|
|
ASA with FirePOWER module generates traceback and reloads or causes process not running |
|
|
Anyconnect address assignment fails using external DHCP server when ASA is in Multi-context Mode |
|
|
ASA clustering: mac-address cmd is ignored on spanned port-channel interface in 9.6.2 |
|
|
ASA not update access-list dynamically when forward-reference enable is configured |
|
|
Webvpn portal not displayed corrrectly for connections landing on default webvpn group. |
|
|
ASA inspection-MPF ACL changes are not getting ordered correctly in the ASP Table |
|
|
ASA may traceback with Thread Name: Unicorn Admin Handler |
|
|
Reloading Active unit in Active/Standby ASA failover pair is not triggering a failover. |
|
|
ASA: IPSec SA failed to come up |
|
|
ikev2 handles get leaked in a L2L setup |
|
|
ASA incorrectly processing negative numbers in wrappers, resulting in graphical webvpn issue |
|
|
SIP: 200 OK messages with multiple seqments not reassembled correctly |
|
|
ASA L3 Cluster: DHCP relay drops DHCPOFFER in case of asymmetric routing |
|
|
CTP after failed attempt sends the domain along with the username |
|
|
RDP plugin activex Full Screen option is not available with ASA 9.6.2 version |
|
|
Tracking route is up while the reachability is down |
|
|
Traceback in ASA Cluster Thread Name: qos_metric_daemon |
|
|
Traceback observed on gtpv2_process_msg on cluster |
|
|
BGP's BFD support code opens tcp/udp 3784 and 3785 to bypass access-lists |
|
|
ASA watchdog traceback during cluster config sync with rest-api enabled |
|
|
ASA nat pool not getting updated correctly. |
|
|
Unable to configure ssh public auth for script users |
|
|
mac-address auto command uses default prefix of 1 on ASA5585-X |
|
|
ASA traceback in threadname Datapath |
|
|
Traceback: ASA 9.5(2)11 crash Active |
|
|
ASA traceback and Reload on Config Sync Failure |
|
|
ASA Clustering IDFW not updating user mappings |
|
|
1550-byte block depletion seen due to Radius Accounting packets |
|
|
Unable to deploy policy on FTD devices due to wrong XML parsing |
|
|
ASA(9.1.7.12):Connection entries created for multicast streams through standby ASA. |
|
|
Deployment fails when management-only enabled on port-channel interface |
|
|
L2TP connects only sometimes when DHCP used |
|
|
ASAv Goes Unresponsive / VPN fails to function after restart |
|
|
Unable to configure SSH public key auth for non-system contexts |
|
|
ASA-FP9300 Crashed in thread name IPSEC MESSAGE HANDLER after upgrade |
|
|
SNMPv3 linkup/linkdown should be generated through admin context |
|
|
Slow Memory leak in ASA |
|
|
ACL last hit-cnt counter shows incorrect time |
|
|
asymetric path icmp traffic fails through distributed clustering |
|
|
ASA traceback in DATAPATH-41-16976 thread |
|
|
Port Forwarding Session times out due to "vpn-idle-timeout" in group-policy while passing data |
|
|
5585 does not unbundle its data intfs for 30 seconds after leaving cluste |
|
|
Cannot delete port-object once created under the Service object group in ASA 944 |
|
|
ASA w/ RRI and OSPF : Fails to flush route from ASP routing table |
|
|
ASA may traceback when copying capture out using tftp |
|
|
ASA may traceback while loading a large context config during bootup |
|
|
ASA drops web traffic when IM inspection is enabled. |
|
|
SNMP lists same Hostname for all FTD managed devices |
|
|
ASA: PBR Memory leak for ICMP traffic |
|
|
Mgmt route deletion removes data plane route too. |
|
|
FTD crash at "cli_xmlserver_thread" while deploying access-control policy |
|
|
Assertion in syslog.c due to uauth |
|
|
Cluster C-Hash table is updated with one more unit despite the new unit didn't join the setup |
|
|
Scheduler Queue Corruption leads to connectivity failures or failover problems after 9.6(2) |
|
|
CRL must be signed by certificate containing cRLSign key usage |
|
|
Access-lists not being matched for a newly created object-group |
|
|
ASA traceback while doing in-service upgrade |
|
|
Traceback when trying to save/view access-list with giant object groups (display_hole_og) |
|
|
ASA with 9.5.1 and above does not show SXP socket when managment0/0 is used as src-ip |
|
|
RT#687120: Bookmark Issue with clientless VPN - SAML |
|
|
Firepower (SFR) module data plane down after reload of module |
|
|
Traceback in Thread Name: dhcp_daemon |
|
|
DCERPC inspection drops packets and breaks communication |
|
|
ASA backup in multicontext fails due to [Running Configurations] ERROR |
|
|
ASA traceback in Thread Name: accept/http when ASDM is displaying "Access Rules" |
|
|
ASA-FP9300 Crashed in thread name IPSEC MESSAGE HANDLER |
|
|
ASA All contexts use the same EIGRP router-ID upon a reload |
|
|
EIGRP routes wrongly being advertising on mgmt routing table vrf after disabling and enabling EIGRP |
|
|
ASA May crash when changing a NAT related object to fqdn |
|
|
Error deploying ASAv on ESXi vCenter 6.5 |
|
|
ASA - Interface status change causes VPN traffic disconnect while using ipsec inner-routing-lookup |
|
|
Cluster director connection gets timed out with reason idle timeout |
|
|
ASA policy-map configuration is not replicated to cluster slave |
|
|
ASA may generate an assert traceback while modifying access-group |
|
|
ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded' |
Resolved Bugs in Version 9.6(2)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Caveat ID Number |
Description |
|---|---|
|
Increase Content-length counter from 4 to 8 byte size |
|
|
Packet captures cause CPU spike on Multi-Core platforms due to spin_lock |
|
|
ASA: ifSpeed/ifHighSpeed not populated by SNMP for port-channel |
|
|
FIPS self test power on fails - fipsPostDrbgKat |
|
|
Stale VPN Context entries cause ASA to stop encrypting traffic |
|
|
Capture <name> type inline-tag interface <name> defaults to tag value 0 |
|
|
ASA: "Auto-Enable" feature not working with SSH configured with PKF |
|
|
SSH connections are not timed out on ASA (stuck in rtcli) |
|
|
Standby ASA traceback in Thread Name: EIGRP-IPv4 |
|
|
CWS: ASA does not append XSS headers |
|
|
show memory indicates inaccurate free memory available |
|
|
Primary and Secondary ASA in HA is traceback in Thread Name:DataPath |
|
|
ASA 9.4.2 traceback in DATAPATH |
|
|
ASA traceback - WebVPN CIFS_file_rename_remove operations |
|
|
ASA "show chunkstat | redirect" does not work |
|
|
Traceback in ctm_ssl_generate_key with DHE ciphers SSL VPN scaled test |
|
|
Different output of BVI address in transparent mode on failover pair |
|
|
SSL sessions stop processing -"Unable to create session directory" error |
|
|
Traffic drop due to constant amount of arp on ASASM |
|
|
"show resource usage" gives wrong number of routes after shut/no sh |
|
|
Stub Connections Torn Down due to Shun/Threat Detection in ASA Cluster |
|
|
Nat pool exhausted observed when enabling asp transactional-commit nat |
|
|
DNS Reply Modification for Dual-Stack does not work as expected |
|
|
VLAN mapping doesn't work when connection falls back to TLS |
|
|
Traceback when unit joins cluster |
|
|
ASA reloads with traceback in thread name DATAPATH or CP Processing |
|
|
Uploaded/downloaded files via CIFS have Zero Byte size (same WebFolder) |
|
|
Traceback in Thread: IPsec message handler |
|
|
ASA traceback with SIP inspection and SFR enabled in 9.5.2 |
|
|
ASA traceback and reload citing Thread Name: idfw_proc |
|
|
ASA: MAC address changes on active context when WRITE STANDBY is issued |
|
|
Smart tunnel does not work since Firefox 32bit version 43 |
|
|
HA: Number of interfaces mismatch after SFR module reload on both units |
|
|
Webvpn bookmark subtitles not visible |
|
|
ASA: Assert traceback in version 9.4.2 |
|
|
ASA 5585 traceback when the User name is mentioned in the Access list |
|
|
ASA Watchdog traceback in CP Processing thread during TLS processing |
|
|
Add support for IPv6 assigned address field in Radius Accounting packet |
|
|
Potential deadlock between GTP msg process and pdp creation/deletion |
|
|
ASA rewriter incorrectly handle HTML code of type <base>xxx</base> |
|
|
Traceback when drop is enabled with diameter inspection and tls-proxy |
|
|
VPN Load-Balancing does not send load-balancing cert for IPv6 Address |
|
|
Cisco ASA ACL ICMP Echo Request Code Filtering Vulnerability |
|
|
ASA traceback in thread name snmp after upgrade to 9.1(7) |
|
|
ASA 9.5.2 does not send CERT_REQ for 512-bit certificate |
|
|
Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt |
|
|
VPN LB stops working when cluster encryption is configured |
|
|
inter chassises SSP ASA cluster Traceback during hitless fxos upgrade |
|
|
ASA Access-list missing and losing elements after configuration change |
|
|
OCSP validation fails when multiple certs in chain are verified |
|
|
ASA: Not able to remove ACE with "log default" keyword |
|
|
BGP:Deployment failed with reason supported on management-only interface |
|
|
ASA WebVPN: Java Exception with Kronos application |
|
|
Traceback at gtpv1_process_pdp_create_req |
|
|
Clientless SSL VPN CIFS stress test: ramfs_webvpn_file_open traceback |
|
|
inspect ip-option is not allowing "NOP" even when allowed |
|
|
Crash in proxyi_rx_q_timeout_timer |
|
|
Buffer overflow in RAMFS dirent structure causing traceback |
|
|
Evaluation of pix-asa for OpenSSL March 2016 |
|
|
Unable to configure a user for ssh public auth only (tied w/ CSCuw90580) |
|
|
SNMP poll is successful for invalid username for v3 |
|
|
IPv6 Routes not installed on QP |
|
|
If FQDN is more than 64 chars then we redirect to ip instead of FQDN |
|
|
ASA 9.1(6) traceback in webvpn-datapath : thread name "DATAPATH-2-1524" |
|
|
assert "ctm->async_ref == 0" failed: file "ssl_common.c", line 193-part2 |
|
|
Coverity 114172: FORWARD_NULL in snp_fp_inspect_ip_options |
|
|
Coverity 114170: SECURE_CODING in parser_interface_list_invalid |
|
|
SIP call transfer fail due to differences b/w fixing CallId and Refer-To |
|
|
Coverity 114166: NULL_RETURNS in ss_send_health_check_request |
|
|
Coverity 114217: NULL_RETURNS in snp_fp_action_cap_construct_key |
|
|
Coverity 114176: CHECKED_RETURN in oct_dbg_read_csr |
|
|
Coverity 114177: CHECKED_RETURN in oct_dbg_write_csr |
|
|
Traceback in thread name idfw when modifying object-group having FQDN |
|
|
Assert Traceback in Thread Name: DATAPATH on clustered packet reassembly |
|
|
WebVPN FTP client failing with "Error contacting host" message |
|
|
orignial master not defending all GARP packets after cluster split brain |
|
|
FO replication failed: cmd=no disable, when disabling webvpn-cache |
|
|
Coverity 114304: CHECKED_RETURN in ProcessConfiguration(vdi::config::Adi |
|
|
Rewriter error with webworker JS |
|
|
BFD: ASA might traceback in snp_bfd_pp_process+101 |
|
|
ASA - Traceback in CP Processing Thread During Private Key Decryption |
|
|
ASA does not suppress EIGRP candidate default route information |
|
|
AAA: RSA/SDI unable to set new PIN |
|
|
ASA should not load-balance same flow traffic over port-channel CCL |
|
|
ASAv: Free memory is reported as negative in an OOM condition |
|
|
Traceback in DATAPATH or Hi CPU usage due to Threat Detection |
|
|
Improve efficiency of malloc_avail_freemem() |
|
|
ASA clientless rewriter failure at 'CSCOPut_hash' function |
|
|
Slow ASA OSPF interface transition from DOWN to WAITING after failover |
|
|
ENH: ASAv should have a different pre-loaded cert |
|
|
ASA 9.1.6.4 traceback with Thread Name: telnet/ci |
|
|
Traceback in gtp_remove_request with duplicate requests |
|
|
Active and Standby ASA use same MAC addr with only active MAC configured |
|
|
WebVPN: Webpage not fully rewritten when ASA has the same FQDN as srv |
|
|
ASA traceback in SSH thread |
|
|
infinite loop in JS rewriter state machine when return followed by var |
|
|
ASA Traceback and reload by strncpy_sx.c |
|
|
Kenton 9.5.1'boot system/boot config' commands not retained after reload |
|
|
5585-10 traceback in Thread Name: idfw_proc |
|
|
ASA RIP crashes when using address-family subconfiguration |
|
|
Incorrect modification of NAT divert table. |
|
|
Error messages on console "ERROR: Problem with interface " |
|
|
Intranet page does not load via WebVPN with JavaScript errors |
|
|
AWS: ASAv not reachable if deployed with 2 interfaces |
|
|
CSCOPut_hash can initiate unexepected requests |
|
|
ASA traceback in threadname ssh |
|
|
CPU usage is high after timer dequeue failed in GTP |
|
|
Allocated memory showing high (invalid) values |
|
|
BTF is not blocking blacklisted domain with more than 2 labels in it |
|
|
Context config may get rejected if all the units in Cluster reloaded |
|
|
Network command disappears from BGP after reload with name |
|
|
ASA QOS fails to classify packets between priority and best effort queue |
|
|
Drop down menu doesn't work on Simfosia web page |
|
|
Traceback on editing a network object on exceeding the max snmp hosts |
|
|
ASA Tback when large ACL applied to interface with object-group-search |
|
|
ASA: Page Fault traceback in DATAPATH on standby ASA after booting up |
|
|
WebVPN rewrite fails for MSCA Cert enrollment page / VBScript |
|
|
ASA memory leak due to vpnfo |
|
|
Interfaces get deleted on SFR during HA configuration sync |
|
|
dynamic crypto map fails if named the same as static crypto map |
|
|
zone keyword seen in show route interface |
|
|
ASA Stateful failover for DRP works intermittently |
|
|
ASA(HA) doesn't send RST packets when sfr module shutdown |
|
|
Many "show blocks" outputs have truncated PC values with ASLR |
|
|
Evaluation of pix-asa for OpenSSL May 2016 |
|
|
SNMPv3 noauth traps/poll not working when going from single to multimode |
|
|
ASA AnyConnect CSTP Copyright message changed improperly |
|
|
ASA: Traceback on ASA in Datapath as we enable SFR traffic redirection |
|
|
ASA Address not mapped traceback - configuring snmp-server host |
|
|
ASA Access-list missing and losing elements Warning Message enhancement |
|
|
ASA-2-321006 May be received invalidly when memory is not high |
|
|
Interface health-check failover causes OSPF not to advertise ASA as ABR |
|
|
Observing Memory corruption, assert for debug ospf |
|
|
GTP traceback at gtp_update_sig_conn_timestamp while processing data |
|
|
ASA traceback in DATAPATH on all cluster units during context removal |
|
|
SCP Client not allow to enter password with "no ssh stricthostkeycheck" |
|
|
ASA Cut-through Proxy inactivity timeout not working |
|
|
ASA Cluster fragments reassembled before transmission with no inspection |
|
|
ASA may Traceback with Thread Name: cluster rx thread |
|
|
ASA may Traceback with Thread Name: Unicorn Admin Handler |
|
|
ASA: SSH being denied on the ASA device as the maximum limit is reached |
|
|
Error Indication dropped with Null TID MBReq dropped with no Ctrl F-TEID |
|
|
traceback during tls-proxy handshake |
|
|
PIM BiDir DF Elections stuck in "offer" state on some interfaces |
|
|
ASA cant delete ACL lines and remarks - Specified remark does not exist |
|
|
SRTS: "type" option missing under "show cluster chassis xlate count" |
|
|
2048/1550/9344 Byte block leak cause traffic disruption & module failure |
|
|
IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck |
|
|
ASAv - High CPU utilization |
|
|
ASA traceback with Thread Name: Dispatch Unit |
|
|
Traceback in CP Processing thread after upgrade |
|
|
Remove ACL warning messages in show access-list when FQDN is resolved |
|
|
Unexpected end of file logon.html in WebVPN |
|
|
Traceback Thread Name: ci/console : debug menu ctm 103 crashes the ASA |
|
|
ASA sends invalid interface id to SFR for clientless VPN traffic |
|
|
ASA : Mem leak in cluster mode due to PBR lookup |
|
|
ASA9.(6)1 regression "internal error' instead of "maximum time exceeded" |
|
|
snmpwalk not working for some NAT OIDs |
|
|
CISCO-ENHANCED-MEMPOOL-MIB::cempMemPoolHCFree.1.1 = Counter64: 0 bytes |
|
|
Cannot bootup ASAv-KVM when deployed via oVirt |
|
|
ASA : PBR Mem leak as packet dropped |
|
|
ASA DATAPATH traceback (Cluster) |
|
|
Interfaces get deleted on SFR during cluster rejoining |
|
|
Crypto accelerator ring timeout causes packet drops |
|
|
ASA OSPFv3 interface ID changes upon disabling/enabling failover |
|
|
uauth is failed after failover |
|
|
Cisco ASA SNMP Remote Code Execution Vulnerability |
Resolved Bugs in Version 9.6(1)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Identifier |
Description |
|---|---|
|
Observed Traceback in SNMP while querying GET BULK for 'xlate count' |
|
|
ARP: Proxy IP traffic is hijacked. |
|
|
ASA traceback when retrieving idfw topn user from slave |
|
|
Traceback in Thread Name: DATAPATH-1-1382 while processing nat-t packet |
|
|
TLSv1.2 Client Cert Auth Connection Establishment Failure |
|
|
ASA low DMA memory on low end ASA-X -5512/5515 devices |
|
|
Transactional ACL commit will bypass security policy during compilation |
|
|
Share licenses are not activated on failover pair after power cycle |
|
|
ASA traffic not sent properly using 'traffic-forward sfr monitor-only' |
|
|
Interface TLV to SFR is corrupt when frame is longer than 2048 bytes |
|
|
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal |
|
|
ASA WebVPN clientless cookie authentication bypass |
|
|
Disable ECDSA SSL Ciphers When Manually Configuring RSA Cert for SSL |
|
|
ASAv licesing enforcement should not be CLI parser based |
|
|
ASA: Stuck uauth entry rejects AnyConnect user connections |
|
|
ikev2 with DH 19 and above fails to pass traffic after phase2 rekey |
|
|
Immediate FIN from client after GET breaks scansafe connection |
|
|
Traceback in Thread Name: ssh when using capture or continuous ping |
|
|
ASA traceback on Standby device during config sync in thread DATAPATH |
|
|
Standby ASA inside IP not reachable after Anyconnect disconnect |
|
|
Traceback in Thread Name: DATAPATH on modifying "set connection" in MPF |
|
|
ASA picks incorrect trustpoint to verify OCSP Response |
|
|
ASA traceback in Thread Name: fover_parse (ak47/ramfs) |
|
|
Unicorn proxy thread traceback with RAMFS processing |
|
|
ASA traceback: SSH Thread: many users logged in and dACLs being modified |
|
|
ASA TCP Normalizer sends PUSH ACK for invalid ACK for half-open CONNS |
|
|
ASA traceback in Thread Name: CP Crypto Result Processing. |
|
|
ASA - SSH sessions stuck in CLOSE_WAIT causing ASA to send RST |
|
|
ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test |
|
|
Trace back with Thread Name: IP Address Assign |
|
|
ASA EIGRP does not send poison reverse for neighbors to remove route |
|
|
Improper S2S IPSec Datapath Selection for Remote Overlapping Networks |
|
|
ASA traceback while restoring backup configuration from ASDM |
|
|
ASA traceback when removing dynamic PAT statement from cluster |
|
|
Split-tunnel not working for EzVPN client on Kenton device (9.5.1) |
|
|
ASA:Traceback in Thread Name:- netfs_thread_init |
|
|
ASA: Traceback in Thread Unicorn Admin Handler due to Threat Detection |
|
|
Cisco ASA Software Version Information Disclosure Vulnerability |
|
|
ASA5585 9.5(1): Support Failover Lan on Management0/0 port |
|
|
RA-VPN transactions are shown as 0 in PRSM Dashboard |
|
|
ASA: ICMP error loop on cluster CCL with Interface PAT |
|
|
filter sfr traffic may cause memory corruption |
|
|
DNS Traceback in channel_put() |
|
|
Watchdog traceback in ldap_client_thread with large number of ldap grps |
|
|
Traceback in WebVPN rewriter |
|
|
QEMU coredump: qemu_thread_create: Resource temporarily unavailable |
|
|
SSH connections are not timed out on Standby ASA (stuck in rtcli) |
|
|
Standby ASA traceback in Thread Name: EIGRP-IPv4 |
|
|
Unable to load ASDM to a Context in Multiple Context Mode |
|
|
DHCP Server Process stuck if dhcpd auto_config already enabled from CLI |
|
|
SAML won't be able select Oracle OAM tunnel group |
|
|
ASAv Cannot remove/change default global_policy or inspection_default |
|
|
ASA: Traceback in Thread name DATAPATH-7-1918 |
|
|
PCP 10.6 Clientless VPN Access is Denied when accessing Pages |
|
|
ASA 9.4.1 traceback upon clearing and reconfiguring ACL |
|
|
Thread Name: DATAPATH-17-3095: ASA in Cluster Reloads Unexpectedly |
|
|
Traceback in thread name: Unicorn Proxy Thread |
|
|
RSA 4096 key generation causes failover |
|
|
ASA: assertion "pp->pd == pd" failed: file "main.c", line 192 |
|
|
CWS: ASA does not append XSS headers |
|
|
http-form authentication fails after 9.3.2 |
|
|
ASA traceback when using an ECDSA certificate |
|
|
show memory indicates inaccurate free memory available |
|
|
PBR incorrect route selection for deny clause |
|
|
OSPF neighbor goes down after "reload in xx" commnad in 9.2 and later |
|
|
ASA: FAILOVER not working with password encryption. |
|
|
ASA 9.1.6.10 traceback after remove compact flash and execute dir cmd |
|
|
ASA 9.4.2 traceback in DATAPATH |
|
|
GTPv1 traceback in gtpv1_process_msg |
|
|
PBR: Mem leak in cluster mode due to policy based route |
|
|
Port-Channel Config on Gi 0/0 causes Boot Loop - FIPS related |
|
|
Cisco signed certificate expired for WebVpn Port Forward Binary on ASA |
|
|
Evaluation of pix-asa for OpenSSL December 2015 Vulnerabilities |
|
|
ASA 9.5.1 traceback in Threadname Datapath due to SIP Inspection |
|
|
DHCP Relay fails for cluster ASAs with long interface names |
|
|
SSL sessions stop processing -"Unable to create session directory" error |
|
|
ASA(9.5.2) changing the ACK number sent to client with SFR redirection |
|
|
"no ipv6-vpn-addr-assign" CLI not working |
|
|
ASA L7 policy-map comes into affect only if the inspection is re-applied |
|
|
ASA: Traceback in Thread IP Address Assign |
|
|
ASA: Traceback on ASA device after adding FQDN objects in NAT rule |
|
|
Reload in Thread Name: IKE Daemon |
|
|
"show resource usage" gives wrong number of routes after shut/no sh |
|
|
ASA TACACS+: process tacplus_snd uses large percentage of CPU |
|
|
ASA 9.5 - OCSP check using global routing table instead of management |
|
|
ASA Traceback on Thread Name: Unicorn Admin Handler |
|
|
Nat pool exhausted observed when enabling asp transactional-commit nat |
|
|
VLAN mapping doesn't work when connection falls back to TLS |
|
|
ASA traceback in Thread Name: https_proxy |
|
|
ASA traceback in DATAPATH thread |
|
|
Cisco ASA Linux Kernel Vulnerability - CVE-2016-0728 |
|
|
ASA traceback in Thread Name: Unicorn Proxy Thread. |
|
|
ASA traceback and reload citing Thread Name: idfw_proc |
|
|
ASA 5585 traceback when the User name is mentioned in the Access list |
|
|
ASA Watchdog traceback in CP Processing thread during TLS processing |
|
|
VPN Load-Balancing does not send load-balancing cert for IPv6 Address |
|
|
ASA traceback in thread name snmp after upgrade to 9.1(7) |
|
|
Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt |
|
|
OCSP validation fails when multiple certs in chain are verified |
|
|
Traceback at gtpv1_process_pdp_create_req |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.
Feedback