Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 9.1.2(8) – 09/03/2013
Files: asa912-8-smp-k8.bin
Defects resolved since 9.1.2:
- reload due to block depletion needs post-event detection mechanism
- ASA: multicast 80-byte block leak in combination with phone-proxy
- Protocol Violation does not detect violation from client without a space
- Editing NAT object/objgrp cfg causes 305006 translation creation failure
- Traceback in DATAPATH-1-1143 thread: abort with unknown reason
- Traceback in ci/console during context creation - ssl configuration
- Proxy ARP Generated for Identity NAT Configuration in Transparent Mode
- Nested Traceback from Watchdog in tmatch_release_recursive_locks()
- ASA doesn't allow reuse of object when pat-pool keyword is configured
- CP Processing hogs in SMP platform causing failover problems, overruns
- FIPS Self-Test failure,fips_continuous_rng_test [-1:8:0:4:4]
- ASA Allows duplicate xlate-persession config lines
- ASA verify /md5 shows incorrect sum for files
- ASA stops decrypting traffic after phase2 rekey under certain conditions
- ASA IKEv2 fails to accept incoming IKEV2 connections
- ASA 8.6/9.x : Fails to parse symbols in LDAP attribute name
- ASA: Random traceback with HA setup with 9.1.(1)
- ASA: 256 byte blocks depleted when syslog server unreachable across VPN
- ACL migration issues with NAT
- ASA: cpu-hog in uauth_urlb clean causing interface overruns.
- Standby sends proxy neighbor advertisements after failover
- ASA may traceback due to watchdog timer while getting mapped address
- Connections not timing out when the route changes on the ASA
- Cisco ASA Xlates Table Exhaustion Vulnerability
- Mem leak in PKI: crypto_get_DN_DER
- OSPF routes missing for 10 secs when we failover one of ospf neighbour
- ENH: Reload ASA when free memory is low
- Multicast,Broadcast traffic is corrupted on a shared interface on 5585
- Crypto accelerator resets with error code 23
- ASA removes TCP connection prematurely when RPC inspect is active
- ASA traceback in datapath thread with netflow enabled
- ASA 9.0.1 & 9.1.1 - 256 Byte Blocks depletion
- ASA - Threat detection doesn't parse network objects with IP 'range'
- move OSPF from the punt event queue to its own event queue
- ASA assert traceback during xlate replication in a failover setup
- Webvpn: Cifs SSO fails first attempt after AD password reset
- ASA traceback in Thread Name: ci/console after write erase command
- Floating route takes priority over the OSPF routes after failover
- ASA failover standby unit keeps reloading while upgrade 8.4.5 to 9.0.1
- No debug messages when DHCP OFFER packet dropped due to RFC violations
- ASA sip inspection memory leak in binsize 136
- ASA: Page fault traceback in dbgtrace when running debug in SSH session
- Incorrect NAT rules picked up due to divert entries
- Cisco ASA time-range object may have no effect
- ASA changes user privilege by vpn tunnel configuration
- Traceback when NULL pointer was passed to the l2p function
- ASA LDAPS authorization fails intermittently
- ASA-CX: Cosmetic parser error "'sw-module cxsc recover configure image"
- ASA 8.4.4.1 traceback in threadname Datapath
- No value or incorrect value for SNMP OIDs needed to identify VPN clients
- ASA 9.1(1) Reboot while applying regex dns
- Webvpn: OWA 2010 fails to load when navigating between portal and OWA
- ASA sends ICMP Unreach. thro wrong intf. under certain condn.
- user-identity will not retain group names with spaces on reboot
- cannot access Oracle BI via clentless SSL VPN
- ASA has inefficient memory use when cumulative AnyConnect session grows
- Anyconnect IKEv2:Truncated/incomplete debugs,missing 3 payloads
- ASA - "Show Memory" Output From Admin Context is Invalid
- ASA Management lost after a few days of uptime
- HA sync configuration stuck -"Unable to sync configuration from Active"
- Standby ASA continues to forward Multicast Traffic after Failover
- ASA : HTTP Conn from the box, broken on enabling TCP-State-Bypass
- Responder uses pre-changed IP address of initiator in IKE negotiation
- Thread Name: Unicorn Proxy Thread
- ASA does not assign MTU to AnyConnect client in case of IKEv2
- ASA uses different mapped ports for SDP media port and RTP stream
- ASA Config Locked by another session prevents error responses.
- ASA upgrade from 8.4 to 9.0 changes context's mode to router
- ASA 9.x: DNS inspection corrupts RFC 2317 PTR query
- ASA 9.1.1-7 traceback with Checkheaps thread
- ASA : "ERROR:Unable to create router process" & routing conf is lost
- DHCPD appends trailing dot to option 12 [hostname] in DHCP ACK
- ASA scansafe redirection drops packets if tcp mss is not set
- Multiple concurrent write commands on ASA may cause failure
- ASA terminates SIP connections prematurely generating syslog FIN timeout
- Cannot login webvpn portal when Passwd mgmt is enabled for Radius server
- ASA5585 - 9.1.1 - Traceback on IKEv2Daemon Thread
- ASA Priority traffic not subject to shaping in Hierarchical QoS
- ASA standby traceback in fover_parse when upgrading to 9.0.2
- ASA traceback in Thread Name: DATAPATH-4-2318
- L2TP/IPSec traffic fails because UDP 1701 is not removed from PAT
- Cross-site scripting vulnerability
- Inconsistent behavior with dACL has syntax error
- webvpn redirection fails when redirection FQDN is same as ASA FQDN
- ASA: EIGRP Route Is Not Updated When Manually Adding Delay on Neighbor
- ASA: "clear config all" does not clear the enable password
- ASA IDFW: idle users not marked as 'inactive' after default idle timeout
- Traceback when using VPN Load balancing feature
- Traceback in Thread Name: OSPF Router during interface removal
- Unable to display webpage via WebVPN portal, ASA 9.0(2)9
- ASA tearsdown TCP SIP phone registration conn due to SIP inspection
- WebVPN configs not synchronized when configured in certain order
- Single Sign On with BASIC authentication does not work
- Anyconnect sessions do not connect due to uauth failure
- UDP ports 500/4500 not reserved from PAT on multicontext ASA for IKEv1
- ASA OSPF route stuck in database and routing table
- Cisco ASA config rollback via CSM doesnt work in multi context mode
- ASA multicontext transparent mode incorrectly handles multicast IPv6
- ASA protcol inspection connection table fill up DOS Vulnerability
- quota management-session not working with ASDM
- Traceback after upgrade from 8.2.5 to 8.4.6
- ASA 9.1.2 - Memory corruptions in ctm hardware crypto code.
- ASA adds 'extended' keyword to static manual nat configuration line
- Re-transmitted FIN not allowed through with sysopt connection timewait
- ASA: WebVPN rewriter fails to match opening and closing parentheses
- ASA:Traffic denied 'licensed host limit of 0 exceeded
- ASA does not obfuscate aaa-server key when timeout is configured.
- ASA: Watchdog traceback in SSH thread
- ASA memory leaks 3K bytes each time executing the show tech-support.
- ASA Round-Robin PAT doesn't work under load
- ASA: Page fault traceback when changing ASP drop capture buffer size
- ASA doesn't send NS to stale IPv6 neighbor after failback
- Slow memory leak on ASA due to SNMP
- ASA: Service object-group not expanded in show access-list for IDFW ACLs
- ASA removed from cluster when updating IPS signatures
- Different SNMPv3 Engine Time and Engine Boots in ASA active / standby
- ASA: Unable to apply "http redirect <interface_name> 80" for webvpn
- ASA 9.1.2 traceback in Thread Name ssh
- ASA 5512 - 9.1.2 Traceback in Thread Name: ssh
- Tunneled default route is being preferred for Botnet updates from ASA
- ASA-SM multicast boundary command disappears after write standby
- Incorrect substitution of 'CSCO_WEBVPN_INTERNAL_PASSWORD' value in SSO
- ASA 9.1.2 DHCP - Wireless Apple devices are not getting an IP via DHCPD
- ASA5585 SSM card health displays down in ASA version 9.1.2
- nat config is missing after csm rollback operation.
- ASA 5505 Ezvpn Client fails to connect to Load Balance VIP on ASA server
- Traceback in DATAPATH-1-2533 after a reboot in a clustered environment
- Not all contexts successfully replicated to standby ASA-SM
- Macro substitution fails on External portal page customization
- ASA-SM can't change firewall mode using session from switch
- ASA Cluster - Loss of CCL link causes clustering to become unstable
- Nested Traceback with No Crashinfo File Recorded on ACL Manipulation
- ASA registers incorrect username for SSHv2 Public Key Authenticated user
- ASA removes RRI-injected route when object-group is used in crypto ACL