Cisco ASA Interim Release Notes

 

The software images listed below are Interim releases.  They contain bug fixes which address specific issues found since the last Feature or Maintenance release.  The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

 

Important:  These images were not fully regression tested.  Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality.  Keep this testing status in mind if you decide to run them in a production environment.  We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

 

Revision:  Version 8.7.1(18) – 02/10/2016

Files:  asa871-18-smp-k8.bin

Defects resolved since 8.7.1(17):

 

CSCux29978

ASA IKEv1 and IKEv2 Vulnerability

 

CSCux42019

IKEv2 Fragments may get dropped with a specific sequence of fragments

 

 

Revision:  Version 8.7.1(17) – 10/21/2015

Files:  asa871-17-smp-k8.bin

Defects resolved since 8.7.1(16):

 

CSCus94026

ISAKMP SERVER traffic from codenomicon crashes ASA

CSCut03495

ASA traceback in ThreadName:ci/console,while pinging DNS Server name

CSCut46019

MARCH 2015 OpenSSL Vulnerabilities

CSCuu07799

Traceback: mem_get_owner+104 at slib/../finesse/snap_api.h:163

CSCuu83280

Evaluation of OpenSSL June 2015

 

 

Revision:  Version 8.7.1(16) – 04/08/2015

Files:  asa871-16-smp-k8.bin

Defects resolved since 8.7.1(14):

 

CSCug51375

ASA SSL: Continues to accept SSLv3 during TLSv1 only mode

CSCur21069

Failover units should accept only traffic coming from the peer

CSCur23709

ASA: evaluation of SSLv3 POODLE vulnerability

CSCus42901

JANUARY 2015 OpenSSL Vulnerabilities

CSCut45114

2048-byte block leak if DNS server replies with "No such name"

 

 

Revision:  Version 8.7.1(14) – 10/08/2014

Files:  asa871-14-smp-k8.bin

Defects resolved since 8.7.1(12):

 

CSCtq52661

Remove flash storage from library load path

CSCuq28582

Cisco ASA Privilege Escalation

CSCuq29136

ASA: Entering Query String on /+CSCOE+/logon.html discloses information

CSCuq47574

ASA1000v unauthorized access to underlying Linux shell

CSCuq77655

1550 block leak occurs if DNS replies "refused" query response

 

 

Revision:  Version 8.7.1(12) – 07/28/2014

Files:  asa871-12-smp-k8.bin

Defects resolved since 8.7.1(11):

 

CSCum46027

ASA traceback on cp processing due to sqlnet inspection

CSCum56399

ASA traceback with inspection GTP

CSCun10916

Cisco ASA SCH Certificate Authentication Bypass Vulnerability

CSCun11074

ASA:Tracebacks in thread dispatch unit due to SunRPC inspection

CSCup22532

Multiple Vulnerabilities in OpenSSL - June 2014

CSCup36829

ASA WebVPN portal modification vulnerability

 

 

 

Revision:  Version 8.7.1(11) – 04/09/2014

Files:  asa871-11-smp-k8.bin

Defects resolved since 8.7.1(8):

 

CSCua85555

Cookie usage in SSL VPN

CSCub38407

Add text section to coredump

CSCuj33496

Privilege level 0 users getting full access

CSCul70099

ASA SSL VPN Privilege Escalation Vulnerability

CSCum00556

Page fault traceback in DATAPATH under DoS, rip qos_topn_hosts_db_reset

 

 

Revision:  Version 8.7.1(8) – 10/22/2013

Files:  asa871-8-smp-k8.bin

Defects resolved since 8.7.1(7):

 

CSCuh13899

ASA protocol inspection connection table fill up DOS Vulnerability

CSCui77398

ASA traceback with thread name "Thread 0 in thread group"

 

 

Revision:  Version 8.7.1(7) – 10/09/2013

Files:  asa871-7-smp-k8.bin

Defects resolved since 8.7.1(4):

 

CSCti07431

1/5 minute input rate and output rate are always 0 with user context.

CSCto50963

ASA SIP inspection - To: in INVITE not translated after 8.3/8.4 upgrade

CSCto87674

ST not injected in mstsc.exe on 32-bit Win 7 when started through TSWeb

CSCtq12090

ACL remark line is missing when range object is configured in ACL

CSCtr65927

dynamic policy PAT fails with FTP data due to latter static NAT entry

CSCtz83605

Clientless SSL VPN causes UAC on Win 7 to fail when CSD and ST are used

CSCua22709

ASA traceback in Unicorn Proxy Thread while processing lua

CSCub58996

Cisco ASA Clientless SSLVPN CIFS Vulnerability

CSCub63148

With inline IPS and heavy load ASA could drop ICMP or DNS replies

CSCub98434

ASA - SQL*Net Inspection Engine Denial of Service Vulnerability

CSCuc14644

SIP inspect NATs Call-ID in one direction only

CSCuc40450

error 'Drop-reason: (punt-no-mem) Punt no memory' need to be specific

CSCuc65775

ASA CIFS UNC Input Validation Issue

CSCuc74488

ASA upgrade fails with large number of static policy-nat commands

CSCuc92292

ASA may not establish EIGRP adjacency with router due to version issues

CSCuc98398

ASA writes past end of file system then can't boot

CSCud08203

Smart-tunnel failing to forward tcp connections for certain application

CSCud28106

IKEv2: ASA does not clear entry from asp table classify crypto

CSCud37992

HTTP Deep Packet Inspection Denial of Service Vulnerability

CSCud40898

TLS-Proxy does not Send issuer name in the certificate

CSCud42001

Smart Tunnel hangs when list contains more than 80 entries

CSCud64725

VPNLB: Lost packet during IKEv1 not retransmitted

CSCud67392

ASA hitless upgrade from 8.2 to 8.4 - ERROR: unable to download policy

CSCud69535

OSPF routes were missing on the Active Firewall after the failover

CSCud81304

TRACEBACK, DATAPATH-8-2268, Multicast

CSCud84454

ASA in HA lose shared license post upgrade to 9.x

CSCud85831

Netbios insp translating ip in answer field to mapped ip of WINS server

CSCud86142

Anyconnect using Ikev2 is missing username in syslog messages

CSCue00850

Traceback: snp_syslog fails to recognise parent syslog flow

CSCue04309

TCP connection to multicast MAC - unicast MAC S/ACK builds new TCP conn

CSCue05458

16k blocks near exhaustion - process emweb/https (webvpn)

CSCue09762

Revert change in subnetting rules for splittunnel policy for smarttunnel

CSCue11669

ASA 5505 not Forming EIGRP neighborship after failover

CSCue15533

ASA:Traceback while deleting trustpoint

CSCue17876

Some java applets won't connect via smart tunnel on windows with jre1.7

CSCue31622

Secondary Flows Lookup Denial of Service Vulnerability

CSCue32221

LU allocate xlate failed (for NAT with service port)

CSCue33354

Mac version Smart Tunnel with Safari 6.0.1/6.0.2 issue

CSCue35343

Memory leak of 1024B blocks in webvpn failover code

CSCue36084

RADIUS Memory Leak on ASA using AD-Agent

CSCue41939

IKEv2 reply missing 4bytes of 0's after UDP header

CSCue45615

Portchannel keeps sending packets through down/down interface

CSCue48276

ASA drops packets with IP Options received via a VPN tunnel

CSCue56047

IPv6 ACL can't be modified after used as vpn-filter

CSCue56901

secondary-authentication-server-group cmd breaks Ikev1/IPsec RA VPN auth

CSCue59676

ASA shared port-channel subinterfaces and multicontext traffic failure

CSCue62470

mrib entries may not be seen upon failover initiated by auto-update

CSCue63881

ASA SSHv2 Denial of Service Vulnerability

CSCue73708

Group enumeration still possible on ASA

CSCue74372

Anyconnect DTLS idle-timeout is being reset by transmit traffic only

CSCue74649

When specifying two same OID in GETBULK, reply has no duplicate OID

CSCue77969

Character encoding not visible on webvpn portal pages.

CSCue82544

ASA5585 8.4.2 Traceback in Thread Name aaa while accessing Uauth pointer

CSCue84586

re-write fails for javascript generated URL with "\"

CSCue88337

Prefill username from certificate does not extract serial number

CSCue88560

ASA Traceback in Thread Name : CERT API

CSCuf06633

ASA traceback in Thread Name: UserFromCert

CSCuf16850

split-dns cli warning msg incorrect after client increasing the limit

CSCuf34123

ASA 8.3+ l2l tunnel-group name with a leading zero is changed to 0.0.0.0

CSCuf34754

Framed-IP-Address not sent with AC IKEv2 and INTERIM-ACCOUNTING-UPDATE

CSCug03975

ASA DNS Inspection Denial of Service Vulnerability

CSCug22787

Change of behavior in Prefill username from certificate SER extraction

CSCug34469

ASA OSPF LSA Injection Vulnerability

CSCug83401

ASA Remote Access VPN Authentication Bypass Vulnerability

CSCuh44815

ASA Digital Certificate HTTP Authentication Bypass Vulnerability

 

 

Revision:  Version 8.7.1(4) – 02/20/2013

Files:  asa871-4-smp-k8.bin

Defects resolved since 8.7.1(3):

 

CSCti38856

Elements in the network object group are not converted to network object

CSCtj87870

Failover disabled due to license incompatible different Licensed cores

CSCtr04553

Traceback @snp_ifc_purg_cb w/ clear conf all or write standby

CSCtr17899

Some legitimate traffic may get denied with ACL optimization

CSCtr92976

ESMTP inspection corrupts data

CSCtx32727

GTP inspect not working in Asymmetric Routing Environment with ASR group:

CSCtx55513

ASA: Packet loss during phase 2 rekey

CSCty59567

Observing traceback @ ipigrp2_redist_metric_incompatible+88

CSCtz64218

ASA may traceback when multiple users make simultaneous change to ACL

CSCtz70573

SMP ASA traceback on periodic_handler for inspecting icmp or dns traffic

CSCua13405

ASA5505 stuck in Cold Standby after boot up

CSCua44723

ASA nat-pat: 8.4.4 assert traceback related to xlate timeout

CSCua93764

ASA: Watchdog traceback from tmatch_element_release_actual

CSCub08224

ASA 210005 and 210007 LU allocate xlate/conn failed with simple 1-1 NAT

CSCub16573

ASA: Memory leak due to SNP RT Inspect

CSCub61578

ASA: Assert traceback in PIX Garbage Collector with GTP inspection

CSCub62584

ASA unexpectedly reloads with traceback in Thread Name: CP Processing

CSCub72990

ASA is max-aging OSPF LSAs after 50 minutes

CSCub84164

ASA traceback in threadname Logger

CSCub85692

ASA traceback in IKE Daemon while handling IKEv1 message

CSCuc12119

ASA: Webvpn cookie corruption with external cookie storage

CSCuc12967

OSPF routes were missing on the Standby Firewall after the failover

CSCuc16513

'clear config crypto ipsec ikev1' removes ikev2 proposals as well

CSCuc19882

Flash filesystem does not recognize filenames > 63 characters

CSCuc24547

TCP ts_val for an ACK packet sent by ASA for OOO packets is incorrect

CSCuc24919

ASA: May traceback in Thread Name: fover_health_monitoring_thread

CSCuc40005

PRTG app Javascript as a stream (not content) fails through the rewriter

CSCuc46026

ASA traceback: ASA reloaded when call home feature enabled

CSCuc46270

ASA never removes qos-per-class ASP rules when VPN disconnects

CSCuc46561

OWA doesn't work after the ASA upgrade

CSCuc56078

Traceback in threadname CP Processing

CSCuc60478

Management access fails via L2TP VPN client on SMP platform

CSCuc60566

ASA IPSEC error: Internal Error, ike_lock trying to unlock bit

CSCuc60950

ASA traceback in Dispatch Unit

CSCuc72408

ASA 5580 page fault in thread CERT API during pki validation

CSCuc74333

EZVPN: User gets unexpected IUA prompt

CSCuc74758

Traceback: deadlock between syslog lock and host lock

CSCuc75090

Crypto IPSec SA's are created by dynamic crypto map for static peers

CSCuc75093

Log indicating syslog connectivity not created when server goes up/down

CSCuc79825

5580 - Thread Name: CP Midpath Processing eip pkp_free_ssl_ctm

CSCuc83059

traceback in fover_health_monitoring_thread

CSCuc83170

ipsecvpn-ike:IKEv1 rekey fails when IPCOMP proposal is sent

CSCuc83323

XSS in SSLVPN

CSCuc83828

ASA Logging command submits invalid characters as port zero

CSCuc84079

ASA: Multiple context mode does not allow configuration of 'mount'

CSCuc89163

Race condition can result in stuck VPN context following a rekey

CSCuc96911

ASASM platform is not exempt from MAC move wait timer

CSCuc97552

Deny rules in crypto acl blocks inbound traffic after tunnel formed

CSCud04867

Incorrect and duplicate logs about status change of port-channel intfs

CSCud07436

APCF Flag no-toolbar fails after upgrade to 8.4.4.9

CSCud07930

ASA webvpn plugin files Expires header incorrectly set

CSCud08203

Smart-tunnel failing to forward tcp connections for certain application

CSCud08385

Smart Tunnel failed for Safari 6.0.1/6.0.2 on OSX10.7 and 10.8

CSCud12924

CA certificates expiring after 2038 display wrong end date on 5500-X

CSCud16590

ASA may traceback in thread emweb/https

CSCud16105

Called-Station-Id in RADIUS acct stop after failover is standby address.

CSCud17993

ASA-Traceback in Dispatch unit due to dcerpc inspection

CSCud21714

BTF traceback in datapath when apply l4tm rule

CSCud29007

License server becomes unreachable due to "signature invalid" error

CSCud32111

Deny rules in crypto acl blocks inbound traffic after tunnel formed

CSCud36686

Deny ACL lines in crypto-map add RRI routes

CSCud37333

Increase stack size in VPN Load Balancing feature

CSCud37992

SMP ASA traceback in periodic_handler in proxyi_rx

CSCud41507

Traffic destined for L2L tunnels can prevent valid L2L from establishing

CSCud41670

ASA nested traceback with url-filtering policy during failover

CSCud42001

Smart Tunnel hangs when list contains more than 80 entries

CSCud46746

DNS resolution for "from-the-box" traffic not working with "names"

CSCud47900

ASA: adding nested object group fails with "IP version mismatch"

CSCud51281

"Failed to update IPSec failover runtime data" msg on the standby unit

CSCud57759

DAP: debug dap trace not fully shown after +1000 lines

CSCud69251

traceback in ospf_get_authtype

CSCud72383

IKEV2-L2L: DH handle leak when PFS enabled only on one peer

CSCud74941

ASA LDAP Mapping should not map 0 to values with no match

CSCud84827

ASA 5580 running 8.2(5)13 traceback

CSCud89380

ASA: Username with ampersand disconnects ASDM Firewall Dashboards

CSCud89974

flash in ASA5505 got corrupted

CSCue25524

Webvpn: Javascript based applications not working

 

 

Revision:  Version 8.7.1(3) – 11/15/2012

Files:  asa871-3-smp-k8.bin

Defects resolved since 8.7.1(1):

 

CSCsr58601

SCCP does not handle new msg StartMediaTransmissionACK

CSCti14272

Time-based License Expires Prematurely

CSCtj12159

ASA (8.3.2) traceback in Thread Name: DATAPATH-1-1295

CSCts15825

RRI routes are not injected after reload if IP SLA is configured.

CSCts50723

ASA: Builds conn for packets not destined to ASA's MAC in port-channel

CSCtx42698

Traceback in Thread Name: Dispatch Unit

CSCtx55814

Newly Added Failover Unit With Lesser License Rejects Configuration

CSCtx82335

Reserve 256 byte block pool for ARP processing

CSCty18976

ASA sends user passwords in AV as part of config command authorization.

CSCtz00381

RADIUS client too busy - try later

CSCtz04768

Emails from Smart Call Home are not RFC 2822 Section 2.3 compliant

CSCtz41928

Traceback: timer assert due to nf_block timer race condition

CSCtz46845

ASA 5585 with IPS inline -VPN tunnel dropping fragmented packets

CSCtz47034

ASA 5585- 10 gig interfaces may not come up after asa reload

CSCtz56155

misreported high CPU

CSCtz71022

(VPN-Secondary) Failed to update IPSec failover runtime data on the stan

CSCtz78718

ASA: access-list with name "ext" is changed to "extended" on boot

CSCtz83605

Clientless SSL VPN causes UAC on Win 7 to fail when CSD and ST are used

CSCtz87164

Deny lines in NAT exemption ACL causes ASA config migration to fail

CSCtz92779

ASA accept IKEv2 AC reconnect request once then tear it down

CSCtz92900

ASA generates "The ASA hardware accelerator encountered an error"

CSCua05034

WebVPN: OWA server sending error message due to missing Canary Value

CSCua12795

ASA: High CPU with DTLS sessions and 'crypto engine large-mod-accel'

CSCua30564

CPU-hog during line-protocol-up event of 4GE-SSM ports

CSCua35337

Local command auth not working for certain commands on priv 1

CSCua50058

PP : TFTP ACK to last block dropped

CSCua58478

Traceback in Thread Name: CERT API

CSCua60417

8.4.3 system log messages should appear in Admin context only

CSCua61119

ASA: Page fault traceback when changing port-channel load balancing

CSCua61386

Websense URL Filtering triggers syslog 216004

CSCua62162

Clientless SSL VPN rewriter fails with javascript

CSCua67463

Anyconnect fails to connect after ASA failover due to IP conflict

CSCua68934

ASA: May log 305006 regular translation creation failed messages.

CSCua83032

Some parts of the WebVPN login susceptible to HTTP Response Splitting

CSCua86676

aaa-radius: ASA sending duplicate Radius access request

CSCua87170

Interface oversubscription on active causes standby to disable failover

CSCua88376

ASA vulnerable to CVE-2003-0001

CSCua91108

ASA unexpected system reboot with Thread Name: UserFromCert Thread

CSCua91189

Traceback in CP Processing when enabling H323 Debug

CSCua92333

Flowcontrol status is OFF on ASA, after enabling it on ASA and switch.

CSCua92556

ASA sip inspect - Pre-allocate SIP NOTIFY TCP secondary channel

CSCua93764

ASA: Watchdog traceback from tmatch_element_release_actual

CSCua95621

ASA:write standby command brings down port-channel interface on standby

CSCua98019

Cisco script injected in html tags, JS conditional comments

CSCua99003

WebVPN:"My Mail" option doesn't work for OWA2010

CSCua99091

ASA: Page fault traceback when copying new image to flash

CSCub04470

ASA: Traceback in Dispatch Unit with HTTP inspect regex

CSCub05748

ASA: Page fault traceback in DATAPATH thread with IPsec traffic

CSCub05888

Asa 5580-20: object-group-search access-control causes failover problem

CSCub06626

ASA may traceback while loading a large context config during bootup

CSCub09280

ASA Content rewrite HTML content was treated as ajax response

CSCub10537

4096 byte block depletion due to ak47_np_read

CSCub11582

ASA5550 continuous reboot with tls-proxy maximum session 4500

CSCub14196

FIFO queue oversubscription drops packets to free RX Rings

CSCub15394

unexpected policy-map is added on standby ASA when new context is made

CSCub16427

Standby ASA traceback while replicating flow from Active

CSCub23840

ASA crashes due to nested protocol object-group used in ACL

CSCub24113

ASA does not check aaa-server use before removing commands

CSCub28198

ASA Webvpn rewriter compression not working

CSCub28721

Standby ASA has duplicate ACEs for webtype ACLs after 'write standby'

CSCub31151

"idle-timeout = 0" is not able to configure with AnyConnect IKEv2

CSCub37344

ASA ospf redistributing failover interface network

CSCub37882

Standby ASA allows L2 broadcast packets with asr-group command

CSCub39677

ASA Webvpn form POST is not rewritten 8.4.1.8 or later

CSCub59136

ASA: Manual NAT rules are not processed in order

CSCub59536

NAT Config Rejected on Upgrade when Objects Overlap with Failover IP

CSCub70946

ASA traceback under threadname Dispatch Unit due to multicast traffic

CSCub72545

syslog 113019 reports invalid address when VPN client disconnects.

CSCub75522

ASA TFW sends broadcast arp traffic to all interfaces in the context

CSCub83472

VPNFO should return failure to HA FSM when control channel is down

CSCub84711

OID used for authentication by EKU is truncated

CSCub89078

ASA standby produces traceback and reloads in IPsec message handler

CSCub94635

Deleting ip local pool cause disconnect of VPN session using other pools

CSCub97263

WebVpn PortForward code signing issue

CSCub99578

High CPU HOG when connect/disconnect VPN with large ACL

CSCub99704

WebVPN - mishandling of request from Java applet

CSCuc04636

Traceback in Thread Name: accept/http

CSCuc06857

Accounting STOP with caller ID 0.0.0.0 if admin session exits abnormally

CSCuc09055

Nas-Port attribute different for authentication/accounting Anyconnect

CSCuc14191

ASA: Webvpn rewriter not rewriting eval function call properly

CSCuc14255

Enhance RTCLI implementation of password type (BNF)

CSCuc15034

The "clear crypto ca crls <trustpoint>" command does not work

CSCuc16455

ASA packet transmission failure due to depletion of 1550 byte block

CSCuc16670

ASA - VPN connection remains up when DHCP rebind fails

CSCuc17257

ASA Traceback - MD5_Update

CSCuc23984

ASA: Port-channel config not loaded correctly when speed/duplex are set

CSCuc25787

Per tunnel webvpn customizations ignored after ASA 8.2 upgraded to 8.4

CSCuc28903

ASA 8.4.4.6 and higher: no OSPF adj can be build with Portchannel port

CSCuc34345

Multi-Mode traceback on ci/console copying config tftp to running-config

CSCuc36831

Crash when removing group-policy

CSCuc45011

ASA may traceback while fetching personalized user information

CSCuc48355

ASA webvpn - URLs are not rewritten through webvpn in 8.4(4)5

CSCuc50544

Error when connecting VPN: DTLS1_GET_RECORD Reason: wrong version number

CSCuc63592

HTTP inspection matches incorrect line when using header host regex