Release Notes for the Cisco ASA Series, 9.9(x)

This document contains release information for Cisco ASA software Version 9.9(x).

Important Notes

  • Upgrade ROMMON for ASA 5506-X, 5508-X, and 5516-X to Version 1.1.15—There is a new ROMMON version for these ASA models (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.


    The ROMMON upgrade for 1.1.15 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.

  • If you are using SAML authentication with AnyConnect 4.4 or 4.5 and you deploy ASA version,, or (Release Date: 18-APR-2018), the default SAML behavior is the embedded browser, which is not supported on AnyConnect 4.4 and 4.5. Therefore, you must enable the saml external-browser command in the tunnel-group configuration so that AnyConnect 4.4 and 4.5 clients can authenticate with SAML using the external (native) browser.


    The saml external-browser command is intended for migration purposes for those upgrading to AnyConnect 4.6 or later. Because of security limitations, use this solution only as part of a temporary migration while upgrading AnyConnect software. The command itself will be deprecated in the future.

  • ASA 5506-X memory issues with large configurations on 9.9(2)—If you upgrade to 9.9(2), parts of a very large configuration might be rejected due to insufficient memory with the following message: "ERROR: Insufficient memory to install the rules". One option is to enter the object-group-search access-control command to improve memory usage for ACLs; your performance might be impacted, however. Alternatively, you can downgrade to 9.9(1).

  • New ROMMON Version 1.1.12 for the ASA 5506-X, 5508-X, and 5516-X—We recommend that you upgrade your ROMMON for several crucial fixes. See, choose your model > ASA Rommon Software > 1.1.12. Refer to the release notes on the software download page for more information. To upgrade the ROMMON, see Upgrade the ROMMON Image (ASA 5506-X, 5508-X, and 5516-X). Note that the ASA running Firepower Threat Defense does not yet support upgrading to this ROMMON version; you can, however, successfully upgrade it in ASA and then reimage to Firepower Threat Defense.

  • The RSA toolkit version used in ASA 9.x is different from what was used in ASA 8.4, which causes differences in PKI behavior between these two versions.

    For example, ASAs running 9.x software allow you to import certificates with an Organizational Name Value (OU) field length of 73 characters. ASAs running 8.4 software allow you to import certificates with an OU field length of 60 characters. Because of this difference, certificates that can be imported on ASA 9.x will fail to import on ASA 8.4. If you try to import an ASA 9.x certificate to an ASA running version 8.4, you will likely receive the error "ERROR: Import PKCS12 operation failed."
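    The following is an added example, not Cisco code or a tool from the release notes. It decodes the Subject Name of a certificate from its DER encoding (a SEQUENCE of SETs, each holding an OID/value pair) and reports the length of every OU value, so that a certificate exported from ASA 9.x can be checked against the 60-character limit stated above before an import to ASA 8.4 is attempted. The sample subject, including its 73-character OU, is constructed here; the 60- and 73-character figures come from the text above.

```python
"""Pre-flight check for the ASA 8.4 / 9.x OU-length difference (added example)."""

OID_OU = "2.5.4.11"        # X.520 organizationalUnitName
ASA_84_OU_LIMIT = 60       # limit given for ASA 8.4; ASA 9.x accepts 73


def _read_tlv(data, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at data[pos]."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents (first byte packs arcs 0 and 1, then base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der):
    """Return [(dotted_oid, text)] for every AttributeTypeAndValue in a DER Name."""
    tag, rdn_sequence, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(rdn_sequence):
        tag, rdn_set, pos = _read_tlv(rdn_sequence, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        spos = 0
        while spos < len(rdn_set):
            _, atv, spos = _read_tlv(rdn_set, spos)
            _, oid_raw, vpos = _read_tlv(atv, 0)
            _, value_raw, _ = _read_tlv(atv, vpos)
            attrs.append((_decode_oid(oid_raw), value_raw.decode("utf-8")))
    return attrs


def ou_lengths(der):
    """Character length of each OU value in the Subject."""
    return [len(v) for oid, v in parse_name(der) if oid == OID_OU]


def importable_on_asa_84(der):
    """True when every OU value fits the 60-character limit described for ASA 8.4."""
    return all(n <= ASA_84_OU_LIMIT for n in ou_lengths(der))


# --- encoder used only to build the constructed sample subject -------------------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def build_name(attrs):
    """Encode [(oid, text)] as a DER Name with one UTF8String attribute per RDN."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x0C, text.encode("utf-8"))))
        for oid, text in attrs)
    return _tlv(0x30, rdns)


# Constructed sample: a subject whose OU is exactly 73 characters, the length ASA 9.x accepts.
SAMPLE_OU_TEXT = "Network Security Engineering Platform Operations Branch Office Zone 00001"
SAMPLE_9X_SUBJECT = build_name([
    ("2.5.4.6", "US"),
    ("2.5.4.10", "Example Corp"),
    (OID_OU, SAMPLE_OU_TEXT),
    ("2.5.4.3", "vpn.example.com"),
])

if __name__ == "__main__":
    print("OU lengths:", ou_lengths(SAMPLE_9X_SUBJECT))
    print("importable on ASA 8.4:", importable_on_asa_84(SAMPLE_9X_SUBJECT))
```

    In practice you would feed parse_name the Subject field extracted from the certificate inside the PKCS12 bundle; the check only looks at attribute lengths and never needs the private key.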

System Requirements

This section lists the system requirements to run this release.

ASA and ASDM Compatibility

For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.

New Features

This section lists new features for each release.


New, changed, and deprecated syslog messages are listed in the syslog message guide.

New Features in ASA 9.9(2)

Released: March 26, 2018



Platform Features

ASAv support for VMware ESXi 6.5

The ASAv virtual platform supports hosts running on VMware ESXi 6.5. New VMware hardware versions have been added to the vi.ovf and esxi.ovf files to enable optimal performance and usability of the ASAv on ESXi 6.5.

We did not modify any commands.

ASAv support for VMXNET3 interfaces

The ASAv virtual platform supports VMXNET3 interfaces on VMware hypervisors.

We did not modify any commands.

ASAv support for virtual serial console on first boot

You can now configure the ASAv to use the virtual serial console on first boot, instead of the virtual VGA console, to access and configure the ASAv.

New or Modified commands: console serial

ASAv support to update user-defined routes in more than one Azure subscription for High Availability on Microsoft Azure

You can now configure the ASAv in an Azure High Availability configuration to update user-defined routes in more than one Azure subscription.

New or Modified commands: failover cloud route-table

VPN Features

Remote Access VPN multi-context support extended to IKEv2 protocol

You can now configure the ASA to allow AnyConnect and third-party standards-based IPsec IKEv2 VPN clients to establish Remote Access VPN sessions to an ASA operating in multi-context mode.

IPv6 connectivity to RADIUS servers

ASA 9.9(2) now supports IPv6 connectivity to external AAA RADIUS servers.

Easy VPN Enhancements for BVI Support

Easy VPN has been enhanced to support a Bridged Virtual Interface (BVI) as its internal secure interface, and you can now directly configure which interface to use as the internal secure interface. Otherwise, the ASA chooses its internal secure interface using security levels.

Also, management services, such as telnet, http, and ssh, can now be configured on a BVI if VPN management-access has been enabled on that BVI. For non-VPN management access, you should continue to configure these services on the bridge group member interfaces.

New or Modified commands: vpnclient secure interface [interface-name], https, telnet, ssh, management-access

Distributed VPN Session Improvements

  • The Active Session Redistribution logic, which balances Distributed S2S VPN active and backup sessions, has been improved. Also, the balancing process may be repeated up to eight times in the background for a single cluster redistribute vpn-sessiondb command entered by the administrator.

  • The handling of dynamic Reverse Route Injections (RRI) across the cluster has been improved.

High Availability and Scalability Features

Automatically rejoin the cluster after an internal failure

Formerly, many error conditions caused a cluster unit to be removed from the cluster, and you were required to manually rejoin the cluster after resolving the issue. Now, a unit will attempt to rejoin the cluster automatically at the following intervals by default: 5 minutes, 10 minutes, and then 20 minutes. These values are configurable. Internal failures include: application sync timeout; inconsistent application statuses; and so on.

New or Modified commands: health-check system auto-rejoin, show cluster info auto-join

Configurable debounce time to mark an interface as failed for the ASA 5500-X series

You can now configure the debounce time before the ASA considers an interface to be failed and removes the unit from the cluster on the ASA 5500-X series. This feature allows for faster detection of interface failures. Note that configuring a lower debounce time increases the chance of false positives. When an interface status update occurs, the ASA waits the number of milliseconds specified before marking the interface as failed and removing the unit from the cluster. The default debounce time is 500 ms, with a range of 300 ms to 9 seconds. This feature was previously available for the Firepower 4100/9300.

New or modified command: health-check monitor-interface debounce-time

Show transport related statistics for cluster reliable transport protocol messages

You can now view per-unit cluster reliable transport buffer usage so you can identify packet drop issues when the buffer is full in the control plane.

New or modified command: show cluster info transport cp detail

Show failover history from peer unit

You can now view failover history from the peer unit, using the details keyword. This includes failover state changes and the reason for each state change.

New or modified command: show failover

Interface Features

Unique MAC address generation for single context mode

You can now enable unique MAC address generation for VLAN subinterfaces in single context mode. Normally, subinterfaces share the same MAC address with the main interface. Because IPv6 link-local addresses are generated based on the MAC address, this feature allows for unique IPv6 link-local addresses.

New or modified command: mac-address auto

Also in 9.8(3) and 9.8(4).
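The following added example (not Cisco code) shows why shared subinterface MAC addresses are a problem for IPv6. It derives the modified EUI-64 interface identifier and the resulting fe80::/64 link-local address from a MAC address in the RFC 4291 way, then compares a set of subinterfaces that inherit the main interface's MAC (the default described above) with a set that has unique MACs. The MAC values are constructed; the page does not specify how the ASA derives link-local addresses or which MACs mac-address auto assigns, so the EUI-64 derivation is this example's assumption and the unique MACs are invented.

```python
"""Link-local address collisions from shared subinterface MACs (added example)."""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291): flip the U/L bit of the first octet and insert ff:fe."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix followed by the 64-bit interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac))


def link_local_collisions(interface_macs: dict) -> dict:
    """Map each link-local address claimed by more than one interface to those interfaces."""
    by_addr = {}
    for name, mac in interface_macs.items():
        by_addr.setdefault(link_local_from_mac(mac), []).append(name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


# Constructed: the default, subinterfaces inherit the physical interface's MAC address.
SHARED_MAC = {
    "GigabitEthernet0/1": "00:1a:2b:3c:4d:5e",
    "GigabitEthernet0/1.100": "00:1a:2b:3c:4d:5e",
    "GigabitEthernet0/1.200": "00:1a:2b:3c:4d:5e",
}

# Constructed: each subinterface has its own (invented) MAC address.
UNIQUE_MAC = {
    "GigabitEthernet0/1": "00:1a:2b:3c:4d:5e",
    "GigabitEthernet0/1.100": "02:1a:2b:3c:4d:01",
    "GigabitEthernet0/1.200": "02:1a:2b:3c:4d:02",
}

if __name__ == "__main__":
    for label, table in (("shared MAC", SHARED_MAC), ("unique MAC", UNIQUE_MAC)):
        print(label, "collisions:", link_local_collisions(table))
```

With the shared table every subinterface derives the same fe80:: address, which is exactly the duplicate-address situation the unique MAC generation feature avoids.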

Administrative Features

RSA key pair supports 3072-bit keys

You can now set the modulus size to 3072.

New or modified command: crypto key generate rsa modulus

The FXOS bootstrap configuration now sets the enable password

When you deploy the ASA on the Firepower 4100/9300, the password setting in the bootstrap configuration now sets the enable password as well as the admin user password. Requires FXOS Version 2.3.1.

Monitoring and Troubleshooting Features

SNMP IPv6 support

The ASA now supports SNMP over IPv6, including communicating with SNMP servers over IPv6, allowing the execution of queries and traps over IPv6, and supporting IPv6 addresses for existing MIBs. We added the following new SNMP IPv6 MIB objects as described in RFC 8096.

  • ipv6InterfaceTable (OID:—Contains per-interface IPv6-specific information.

  • ipAddressPrefixTable (OID:—Includes all the prefixes learned by this entity.

  • ipAddressTable (OID:—Contains addressing information relevant to the entity's interfaces.

  • ipNetToPhysicalTable (OID:—Contains the mapping from IP addresses to physical addresses.

New or modified command: snmp-server host


The snmp-server host-group command does not support IPv6.

Conditional Debugging to troubleshoot a single user session

The conditional debugging feature now lets you view the debug output of specific ASA VPN sessions based on the filter conditions you set. Support for "any, any" filters for IPv4 and IPv6 subnets is provided.

New Features in ASA 9.9(1)

Released: December 4, 2017



Firewall Features

Ethertype access control list changes

EtherType access control lists now support Ethernet II IPX (EII IPX). In addition, new keywords are added to the DSAP keyword to support common DSAP values: BPDU (0x42), IPX (0xE0), Raw IPX (0xFF), and ISIS (0xFE). Consequently, existing EtherType access control entries that use the BPDU or ISIS keywords will be converted automatically to use the DSAP specification, and rules for IPX will be converted to 3 rules (DSAP IPX, DSAP Raw IPX, and EII IPX). In addition, packet capture that uses IPX as an EtherType value has been deprecated, because IPX corresponds to 3 separate EtherTypes.

New or modified command: access-list ethertype added the new keywords eii-ipx and dsap {bpdu | ipx | isis | raw-ipx}; capture ethernet-type no longer supports the ipx keyword.
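The following added example (not Cisco code) illustrates why a single IPX EtherType rule has to become three. It classifies a raw Ethernet frame the way an EtherType ACL must: a type/length field of 0x0600 or higher is an Ethernet II EtherType, while a lower value is an 802.3 length followed by an 802.2 LLC header whose DSAP byte is what the new dsap keywords match. The DSAP values (0x42, 0xE0, 0xFF, 0xFE) are taken from the text above; the Ethernet II IPX EtherType 0x8137 is a well-known IEEE assignment that the page does not state; the frames are constructed here.

```python
"""Why IPX needs three EtherType ACL rules (added example)."""

ETHERTYPE_IPX_EII = 0x8137   # Ethernet II IPX EtherType (IEEE assignment, not from the page)
MIN_ETHERTYPE = 0x0600       # below this the 13th/14th bytes are an 802.3 length, not a type
DSAP_VALUES = {"bpdu": 0x42, "ipx": 0xE0, "isis": 0xFE, "raw-ipx": 0xFF}  # from the release note


def classify_frame(frame: bytes) -> dict:
    """Return the encapsulation, the EtherType or DSAP seen, and the ACL keyword(s) that match it."""
    if len(frame) < 16:
        raise ValueError("frame too short for an Ethernet header plus LLC")
    type_or_len = int.from_bytes(frame[12:14], "big")
    if type_or_len >= MIN_ETHERTYPE:
        # Ethernet II: matched by EtherType; only one value is IPX here.
        keywords = ["eii-ipx"] if type_or_len == ETHERTYPE_IPX_EII else []
        return {"encapsulation": "ethernet-ii", "ethertype": type_or_len, "matches": keywords}
    dsap = frame[14]
    # Novell "raw" 802.3 has no LLC header; the IPX checksum 0xFFFF sits where DSAP/SSAP would be,
    # which is why the release note models it as DSAP 0xFF.
    encap = "802.3-raw" if dsap == 0xFF else "802.3-llc"
    keywords = [f"dsap {name}" for name, value in DSAP_VALUES.items() if value == dsap]
    return {"encapsulation": encap, "dsap": dsap, "matches": keywords}


def expand_legacy_ipx_rule() -> list:
    """The three rules that a pre-9.9(1) IPX EtherType entry is converted into."""
    return ["eii-ipx", "dsap ipx", "dsap raw-ipx"]


def matched_ipx_keywords(frames: dict) -> set:
    """Every distinct keyword needed to cover the IPX frames in a capture."""
    found = set()
    for frame in frames.values():
        found.update(k for k in classify_frame(frame)["matches"] if "ipx" in k)
    return found


def _frame(type_or_len: int, payload: bytes) -> bytes:
    """Constructed frame: broadcast destination, invented source, type/length field, payload padded to 46 bytes."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("021a2b3c4d5e")
    return dst + src + type_or_len.to_bytes(2, "big") + payload.ljust(46, b"\x00")


# Constructed sample frames: the three IPX encapsulations, a BPDU and an IS-IS PDU.
SAMPLE_FRAMES = {
    "ipx-ethernet-ii": _frame(ETHERTYPE_IPX_EII, b"\xff\xff\x00\x1e\x00\x11"),
    "ipx-802.2":       _frame(0x0030, b"\xe0\xe0\x03"),                # LLC DSAP/SSAP 0xE0
    "ipx-802.3-raw":   _frame(0x0030, b"\xff\xff\x00\x1e\x00\x11"),    # IPX header directly after length
    "bpdu":            _frame(0x0026, b"\x42\x42\x03\x00\x00\x00"),    # LLC DSAP/SSAP 0x42
    "isis":            _frame(0x0040, b"\xfe\xfe\x03\x83"),            # LLC DSAP/SSAP 0xFE
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:16} -> {classify_frame(frame)}")
    print("keywords needed for IPX:", sorted(matched_ipx_keywords(SAMPLE_FRAMES)))
```

Run against the sample frames, the three IPX encapsulations land in three different branches of the classifier, which is the same reason the page gives for deprecating ipx as a single capture ethernet-type value.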

VPN Features

Distributed Site-to-Site VPN with clustering on the Firepower 9300

An ASA cluster on the Firepower 9300 supports Site-to-Site VPN in distributed mode. Distributed mode provides the ability to have many Site-to-Site IPsec IKEv2 VPN connections distributed across members of an ASA cluster, not just on the control unit (as in centralized mode). This significantly scales VPN support beyond Centralized VPN capabilities and provides high availability. Distributed S2S VPN runs on a cluster of up to two chassis, each containing up to three modules (six total cluster members), each module supporting up to 6K active sessions (12K total), for a maximum of approximately 36K active sessions (72K total).

New or modified commands: cluster redistribute vpn-sessiondb, show cluster vpn-sessiondb, vpn mode, show cluster resource usage, show vpn-sessiondb, show connection detail, show crypto ikev2

High Availability and Scalability Features

Active/Backup High Availability for ASAv on Microsoft Azure

A stateless Active/Backup solution for the Microsoft Azure public cloud: a failure of the active ASAv triggers an automatic failover of the system to the backup ASAv.

New or modified command: failover cloud

Monitoring > Properties > Failover > Status

Monitoring > Properties > Failover > History

Also in 9.8(1.200).

Improved chassis health check failure detection for the Firepower chassis

You can now configure a lower holdtime for the chassis health check: 100 ms. The previous minimum was 300 ms.

New or modified command: app-agent heartbeat interval

Inter-site redundancy for clustering

Inter-site redundancy ensures that a backup owner for a traffic flow will always be at the other site from the owner. This feature guards against site failure.

New or modified commands: site-redundancy, show asp cluster counter change, show asp table cluster chash-table, show conn flag

cluster remove unit command behavior matches no enable behavior

The cluster remove unit command now removes a unit from the cluster until you manually reenable clustering or reload, similar to the no enable command. Previously, if you redeployed the bootstrap configuration from FXOS, clustering would be reenabled. Now, the disabled status persists even in the case of a bootstrap configuration redeployment. Reloading the ASA, however, will reenable clustering.

New/Modified command: cluster remove unit

Administrative, Monitoring, and Troubleshooting Features

SSH version 1 has been deprecated

SSH version 1 has been deprecated, and will be removed in a future release. The default setting has changed from both SSH v1 and v2 to just SSH v2.

New/Modified commands: ssh version

Enhanced packet tracer and packet capture capabilities

The packet tracer has been enhanced with the following features:

  • Trace a packet when it passes between cluster units.

  • Allow simulated packets to egress the ASA.

  • Bypass security checks for a simulated packet.

  • Treat a simulated packet as an IPsec/SSL decrypted packet.

The packet capture has been enhanced with the following features:

  • Capture packets after they are decrypted.

  • Capture traces and retain them in the persistent list.

New or modified commands: cluster exec capture test trace include-decrypted, cluster exec capture test trace persist, cluster exec clear packet-tracer, cluster exec show packet-tracer id, cluster exec show packet-tracer origin, packet-tracer persist, packet-tracer transmit, packet-tracer decrypted, packet-tracer bypass-checks

Upgrade the Software

This section provides the upgrade path information and a link to complete your upgrade.

ASA Upgrade Path

To view your current version and model, use one of the following methods:

  • CLI—Use the show version command.

  • ASDM—Choose Home > Device Dashboard > Device Information.

See the following table for the upgrade path for your version. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.


For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.


ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM.

ASA 9.2(x) was the final version for the ASA 5505.

ASA 9.1(x) was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.

Current Version

Interim Upgrade Version

Target Version


Any of the following:

→ 9.9(x)



Any of the following:

→ 9.9(x)


Any of the following:

→ 9.9(x)

9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4)

Any of the following:

→ 9.9(x)

→ 9.1(7.4)


→ 9.1(2)

Any of the following:

→ 9.9(x)

→ 9.1(7.4)

9.0(2), 9.0(3), or 9.0(4)

Any of the following:

→ 9.9(x)

→ 9.1(7.4)


→ 9.0(4)

Any of the following:

→ 9.9(x)

→ 9.1(7.4)


→ 9.0(4)

Any of the following:

→ 9.9(x)

→ 9.1(7.4)


→ 9.0(4)

Any of the following:

→ 9.9(x)

→ 9.1(7.4)


Any of the following:

→ 9.9(x)

→ 9.1(7.4)

→ 9.0(4)

8.4(1) through 8.4(4)

→ 9.0(4)

→ 9.9(x)

→ 9.1(7.4)


→ 9.0(4)

Any of the following:

→ 9.9(x)

→ 9.1(7.4)

8.2(x) and earlier

→ 9.0(4)

Any of the following:

→ 9.9(x)

→ 9.1(7.4)

Open and Resolved Bugs

The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.


You must have an account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.

For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.

Open Bugs in Version 9.9(x)

The following table lists select open bugs at the time of this Release Note publication.

Caveat ID Number



9.9.1/SecGW: QP-HA w/ subsecond failover will occasionally have 10-20% packet loss for few mins


SecGW - During ASR a window of no vpn-context/rule exists on the cluster


ASA reloads when establishing simultaneous ASDM sessions

Resolved Bugs

This section lists resolved bugs per release.

Resolved Bugs in Version 9.9(2)

The following table lists select resolved bugs at the time of this Release Note publication.

Caveat ID Number



Many HTTP GET for webvpn login page cause high CPU in UnicornProxyThread


ASA IKEv2 RA VPN does not clearly communicate "No License" status to AnyConnect user


ASA BFD echo function fails if RPF is enabled first.


ASA using TACACS authentication and configured 'password-policy lifetime' will deny access


ASA/FTD giving incorrect results for "trace" output in packet capture


ENH: Lower timeout for igp stale-route should be reduced to a value lower than 10 seconds


ENH: ASAv cannot boot up when installed in KVM AHV Nutanix.


ASA/FTD traceback when clearing capture - assertion "0" failed: file "mps_hash_table_debug.c"


ASA 9.8.1 BVI in routed mode is not doing route lookup for traffic generated from ASA


Certificates not synced to Standby/All certificates cleared on Standby post deployment failure


FP2100 IFT customer cannot use ASDM to download image to pc


ASAv on Hyper-V shows incorrect 'show interface' outputs: Half-Duplex, 10 Mbps


ASA Webvpn HTTP Strict-Transport-Security Header missing despite fix of CSCvc82150


IPV4: Implementing buffered reliability mechanism for routing updates


Permanent License Reservation license not installed on ASAv


Firepower 2100 Threat Defense pair reporting failed status due to "Detect service module failure"


When IPSec is enabled HA goes in Active-Failed state with 6.2.3 FMC and 6.2.1 KP


HTTP server and Anyconnect SSL VPN cannot coexists on the same interface/port on FTD


CSM failed to parse the tcp-state-bypass logs


ASA and putty: Incoming packet was garbled on decryption


RADIUS authentication/authorization fails for ASDM

Resolved Bugs in Version 9.9(1)

The following table lists select resolved bugs at the time of this Release Note publication.

Caveat ID Number



aggregate-auth debugs should mask passwords


ASA Traceback in thread SSH when ran "show service set conn detail"


ASA 9.1(7)9 Traceback with %ASA-1-199010 and %ASA-1-716528 syslog messages


asa Rest-api - component monitoring - empty value/blank value


ASA SSL client does not respond to renegotiation request


ENH: Lower timeout for igp stale-route should be reduced to a value lower than 10 seconds


Traceback in DATAPATH-1-2084 ASA 9.(8)1


All 1700 "4 byte blocks" were depleted after a weekend VPN load test.


Traceback on ASA with Firepower Services during NAT rule changes and packet capture enabled


ASA: Low free DMA Memory on versions 9.6 and later


ENH: Unique IPv6 link-local addresses assigned when sub-interface is being created


IPv6 Addresses intermittently assigned to AnyConnect clients


Unable to SSH to Active Unit//TCP connection Limit Exceeded


ASA Exports ECDSA as corrupted PKCS12


An ASA with low free memory fails to join existing cluster and could traceback and reload


ASA 9.8.1 BVI in routed mode is not doing route lookup for traffic generated from ASA


DAP config restored but inactive after backup restore


ASA not sending register stop when mroute is configured


ASA Connections stuck in idle state with DCD enabled


Install 6.2.2-1290 sfr on a ASA with firepower - asa cores


ASA creates a BVi0 interface on a custom routed context


ASA traceback in fover_parse after version up


Unable to add new networks to existing EIGRP configuration


Certificates not synced to Standby/All certificates cleared on Standby post deployment failure


ASA// 9.6 // FTP inspection does not allocate new NAT entrie for DATA traffic on Active FTP with PAT


OSPF route not getting installed on peer devices when an ASA failover happens with NSF enabled


ASA 9.x: DNS inspection appending "0" on PTR query


iOS and OS X IKEv2 Native Clients unable to connect to ASA with EAP-TLS


ASA on FXOS is sending SNMP Ifspeed OID ( response value = 0


TLS version 1.1 connection failed no shared signature algorithms@t1_lib.c:3106


ASA - 80 Byte memory block depletion


ASA 9.6(2), 9.6(3) traceback in DataPath


ASA doesn't send LACP PDU during port flap in port-channel


Transparent Firewall: Ethertype ACLs installed with incorrect DSAP value


Traceback in thread DATAPATH due to NAT


ASA drops the IGMP Report packet which has Source IP address


ERROR: Captive-portal port not available. Try again


FTD may traceback in Thread Name appAgent_monitor_nd_thread during device registration


ASAv image in AWS GovCloud not working in Hourly Billing Mode


IKEv2 RA cert auth. Unable to allocate new session. Max sessions reached


OpenSSL CVE-2017-3735 "incorrect text display of the certificate"


management-only comes back after reboot


Memory leak in 112 byte bin when packet hits PBR and connection is built


'Incomplete command' error with some inspects due to K7 license


Slave kicked out due to CCL link failure and rejoins, but loses v3 user in multiple context mode


ASA: Traceback by Thread Name idfw_proc


ASA - rare scheduler corruption causes console lock


ASA cluster intermittently drop IP fragments when NAT is involved


ASA Webvpn HTTP Strict-Transport-Security Header missing despite fix of CSCvc82150


ASA on FP 2100 traceback when uploading AnyConnect image via ASDM


ASA does not create pinholes for DCERPC inspection, debug dcerpc shows "MEOW not found".


ASA : After upgrading from 9.2(4) to 9.2(4)18 serial connection hangs


Permanent License Reservation license not installed on ASAv


"clear local-host <IP>" deletes all stub flows present in the entire ASA cluster for all hosts/conns


FP2100 Threat Defense pair reporting failed status due to "Detect service module failure"


ASA-SSP HA reload in CP Processing due to DNS inspect


traceback with Show OSPF Database Commands


ASA local DNS resolution fails when DNS server is reachable over a site to site sec VPN tunnel


One node rejoined and traffic restarted will cause the unit 100% CPU due to snpi_untranslate


REST-API residues on SSP


Assert Traceback, thread name : cli_xml_server


ASA Inter-Site Clustering - Extra ARP not generated when ASA receives unicast ARP request


When IPSec is enabled HA goes in Active-Failed state with 6.2.3 FMC and 6.2.1 KP


"OCTEON:DROQ[8] idx: 494 len:0" message appearing on console access of the device


ASA 9.8.1+ IKEv2 vpn load-balancing sends DELETE following IKE_AUTH