Cisco ASA Interim Release Notes

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

Revision: Version 9.1(5)21 – 12/19/2014
Files: asa915-21-smp-k8.bin, asa915-21-k8.bin
Defects resolved since 9.1(5)19:
Syslog 106100 not generated on second context when cascading contexts.
Cluster NTP configuration not replicated to slave after unit reloads
Linux Kernel Invalid fs and gs Registry KVM Denial of Service Vulnerab
Linux Kernel GUID Partition Tables Handling Arbitrary Code Execution V
ASA SSL: Continues to accept SSLv3 during TLSv1 only mode
WebVPN configs not synchronized when configured in certain order 2
Idle timer and half-closed idle timer reset by out of sequence SYN
Interface Delay Option is missing in multiple mode.
Duplicated CHILD SAs in 1 IKEv2 SA, traffic dropped vpn-overlap-conflict
CX: Virtual CX modules may reload in some situations * (see note below)
ASA may traceback when "write standby" command is entered twice
Traceback when executing "show crypto accelerator load-balance"
ASA as DHCP relay, DHCP offer is not forwarded to the client
Traceback caused by WCCP
Traceback in Thread Name qos_metric_daemon caused by asdm history enable
ASA:Incorrect link status in show failover o/p with monitoring disabled
DMA memory leak in 256 byte fragments with nbns-server config
ASA not sending RST packet for connections dropped by Botnet filter
IPv6 stateless autoconfiguration fails if managed config flag in RA
ASA: standby traceback during replication of specific privilege command
ASA traceback in DATAPATH-0-2078 thread
1550 block leak occur if DNS replies "refused" query response
ASA5580 speed nonegotiate settings kept link down after shut/no shut
ASA: RST packet forwarded with non-zero ACK number (and ACK flag clear)
DHCP Relay reloads after changing server interface
xlate per-session commands are not synchronized
SDI authentication doesn't work in more than one contexts.
nested custom write functions causing blank page through rewriter
ASA : evaluation of SSLv3 POODLE vulnerability
Control Plane ACL Not Working for Redirected HTTP Traffic
ASA assert traceback on Standby Unit in c_idfw.c
Traceback: pki-crl: Thread Name: Crypto CA with traffic through VPN L2L
ASA Client login timeout issue due to proxy match inconsistency
Hex code associated with syslog is referenced from the old ACE/ACL
ASA5585 traceback on Thread name: idfw_proc
Failed to allocate global ID when adding service-policy
Webvpn: Support for XFRAME for non-critical URL's
webvpn href with javascript function - arg ' incorrectly rewritten to \'
Usernames obscured with asterisks in logs after upgrade to ASA 9.1(5.16)
ASA IPv6 OSPF neighbor stuck in loading state
ASA: Traceback while copying/exporting captures from ASA using SCP
ASA SCP Client does not prompt for password when not inc. in copy string
ASA: Traceback in idfw_proc
WebVPN: Cannot use non-default FTP port for filebrowsing
DATAPATH Traceback in snp_mp_svc_udp_upstream_data function
ASA Traceback in Thread Name: DATAPATH-6-2544
ASA Traceback in Thread Name: DATAPATH-3-1274
ASA crash loop while upgrading when FIPS enabled
scansafe feature is missing from registered module features
Potential ICMP error storm in cluster CCL link

* For ASA Version 9.1.5.21 and later, only ASA CX Version 9.3.2.1 and later is supported. When upgrading your ASA, first upgrade the ASA CX software; otherwise the ASA CX module will become unresponsive.

Revision: Version 9.1(5)19 – 10/24/2014
Files: asa915-19-smp-k8.bin, asa915-19-k8.bin
Defects resolved since 9.1(5)16:
ASA TCP Proxy can corrupt data, cause ACK storms and session hangs
ASA5585-SSP60 Traceback in Thread Name SSH on Capture Command
ASA does not recognise "packet too big" for assembled ICMPv6 echo reply
Jumbo Frame is not support in the ASA558560 due to wrong bigphys size
Traceback in clacp_enforce_load_balance with ASA Clustering
Object Group Search causing legitimate traffic to be dropped by ACL
ASA/ASASM drops SIP invite packets with From field containing "" and \
Traceback on standby ASA during hitless upgrade

Revision: Version 9.1(5)16 – 10/10/2014
Files: asa915-16-smp-k8.bin, asa915-16-k8.bin
Defects resolved since 9.1(5)12:
Implement debug/syslog message about L2TP/IPSec & xauth
vpn-sessiondb detail missing Filter Name after IKEv1 rekey
ASA: Crash when out of stack memory with call-home configured
SNMP MIB: Equivalent of "show xlate count" command
Observed Traceback in SNMP while querying GET BULK for 'xlate count'
Arsenal:twice NAT with service type ftp not working.
DNS: Inspection drops non in-addr.arpa PTR queries
Need Syslog containing assigned IP address for AnyConnect IKEv2
ASA has inefficient memory use when cumulative AnyConnect session grows
WebVPN portal DOM based Cross-Site-Scripting Issue
ASA: Last packet in PCAP capture file not readable
new operator is rewritten incorrectly when used for function from object
Wrong IP is displayed in buffered logging of ASA-6-737015
WebVPN portal page misses large title after portal redesign
ASA Webvpn CIFS vnode_create: VNODE ALLOCATION LIMIT 100000 REACHED!
ASA Memory usage in a context rises
ASA 8.4.6 MAC Address flapping with Port-Channels and IPv6
traffic does not match time-rang access-list configured with policy-maps
ASA Transparent mode doesn't pass DHCP discover message
SSH timeout on ASA
negation of host-group and host command not allowed with encryption
ASA Traceback in DATAPATH-1-1400 with error message shrlock_join_domain
ASA-IC-6GE-SFP-C SFP port doesn't come up
XenDeskTop7:cannot relogin to StoreFront ineterface after logoff
Invalid user names are logged in syslogs
ASA Tears Down Connections With Reason of 'snp_drop_none'
ASA 5505 u-turned/hairpinned conn counts toward license local-host limit
ASA 9.1 DMA Memory exhaustion in 240 binsize
ASA WebVPN Memory leak leading to Blank Portal Page/AnyConnect failure
ENH: Add "speed nonegotiate" command for fiber interfaces on ASA5585
Traceback on DATAPATH-7-1524 Generating Botnet Filter Syslog
Traceback DHCP 'IP Address Assign' while upgrading ASAs in Failover
ASA allows IKEv1 clients to bypass address assignment, causing conflict
ASA with SFP+4GE-SSM sends flow-control packets at line rate
CWS: Large downloads on HTTPS fail when server side seq number wraps
ASA: HTTP searchPendingOrders.do function failing over WebVPN
ASA IKEv2 "Duplicate entry in tunnel manager" (post 9.1.5)
Firewall may crash while clearing the configuration
ASA allows to empty an access-list referenced elsewhere
Windriver: Traceback during AnyConnect IPv6 TLS TPS Test
ASA AnyConnect failure or crash in SSL Client compression with low mem
show vpn load-balancing shows Public addr as Cluster IP addr for Master
Inconsistencies seen while sending warmstart trap on reload
Failover Standby unit has higher memory utilization
ASA: Crash in DATAPATH
Snmp-server hosts entries are lost when upgrading from 9.1(4) to 9.1(5)
CISCO-REMOTE-ACCESS-MONITOR-MIB support for ASA-SM
ASA: no auth prompt when accessing internet website using ASA-CX
ASA with CX module crashes with http traffic inspection
ASA WebVPN: Script error when using port-forwarding
9.0(4)5 - Unable to access internal site via clientless SSLVPN
ASA WebVPN Rewriter: Custom HTTP Headers Not Properly Rewritten
L2TP/IPsec fragmentation change causing ICMP-PMTU being sent
show webvpn kcd Error code 2 (ERROR_FILE_NOT_FOUND)
ASA - Traceback in thread name: sch_prompt anonymous reporting
Traceback in Thread Name: ssh_init
ASA traceback in Thread Name : Checkheaps when snmp config is cleared
IKEv2 DPD is sent at an interval not correlating to the specified value
Jumbo frame calculations are incorrect or hard coded
TCP intercept does not work after embryonic connection ends
ASA Panic: CP Processing - ERROR: shrlock_join_domain
ASA doesn't apply vpn-filter if group policy is assigned by Cisco VSA 25
webvpn jscript post to wrong URL - ASA FQDN same as server FQDN
WebVPN Problem- icons missing, buttons not working
SNMP: Unable to verify presence of second power supply in ASA 5545
ASA Traceback in Thread name: ci/console while modifying an object-group
"no speed nonegotiate" command in ASA 5580 running 9.1.5 in show run
ASA - Traceback in DATAPATH-0-1275
ASA - Wrong object-group migration during upgrade from 8.2
ASA - Permitting/blocking traffic based on wrong IPs in ACL
ASA: Traceback Page Fault in vpnfol_thread_msg on Standby ASA
ASA with ACL optimization crashing in "fover_parse" thread
No syslogs for ASDM or clientless access with blank username/password
Flowcontrol feature broken on Benetton with 4GE SSM card
Personal bookmarks get deleted with ASA in Active/Standby failover
ASA SSLVPN Citrix plugin not starting java.lang.ClassNotFoundException
WebVPN: uploading customized portal.css breaks the portal login page
ASA crashes with Page Fault with multiple configuration sessions
ASA failover standby device reboots due to delays in config replication
ASA rewrites incorrect content-length in SIP message
jumbo frame enabled will cause ASA5585-20 in boot loop from 9.3.0.101
ASA Smart Call does not hide IPv6 addresses for ND
IPv4 ACLs not working after merging IPv4 and IPv6 ACLs by upgrading
ASA : Failover descriptor does not change after reconfiguring VLAN
accounting not per rfc in dual factor auth case
SNMP: Power supply OIDs missing if no power input on 5500-X
ASA providing inaccurate Tunnel count to ASDM
ASA drops DNS PTR Reply w/ reason Label length exceeded during rewrite
IPsecOverNatT tunnel disappears after ASA failovers
Smart Tunnels Spawn "UNKNOWN Publisher" Warning w/Java 7 Update 60
Using "?" to list files in directory with thousands of files causing hog
Show memory app-cache command shows incorrect bytes if more than 2^32
vbscript getting caught in loop when passing thru ASA WebVPN Rewriter
Local pool address not released -> Duplicate local pool address found
SCP copy generates syslog 769004 with password in it
traceback in thread name: netfs_thread_init
WebVPN HTML Style "Overflow:Hidden" Breaks Custom Logon Pages
ASA - Traceback in thread name SSH while changing NAT configuration
WebVPN: Rewriter issue with PATHIX Inspection Database
Double Free when processing DTLS packets
OpenSSL Zero-Length Fragments DTLS Memory Leak Denial of Service Vuln
Webvpn: Support for XFRAME in additional portal and CSD pages
Cisco ASA Failover IPSEC does not encrypt failover link
ASA : timeout floating-conn not working when PPPoE is configured
ASA Radius Access-Request contains both User-Password and CHAP-Password
IPv6 tunneled route on link-local interfaces
LDAP CLI: Quotes removed if ldap attribute-map name has spaces
ASA can use wrong trustpoint with rekeyed CAs are cfg in trustpoints.
ASA returns wrong content-length for cut-thru proxy authentication page
ASA tracebacks in Thread Name: ssh due to watchdog
Incorrect content-length when maddr present with URI in SIP message body
ASA L2TP Split-Tunnel DHCPC: DHCP daemon got msg for uninitialized
ASA Local CA generates unexpected renewal reminder message
Cisco ASA Software Version Information Disclosure Vulnerability
ASA Cluster slave unit loses default route due to sla monitor
Limit size for HTTP header request
Webvpn Logon Form Title alignment issue w/ strings {>20 character}
ASA Cluster: IDFW traceback inThread Name: DATAPATH-3-132
Inspect rule defaults in standby transparent context on write standby
User membership not updated in parent group
There are two certificates related to one trustpoint on standby unit.
ASA ACL hitcount not correct for ACLs with service object groups

Revision: Version 9.1(5)12 – 08/26/2014
Files: asa915-12-smp-k8.bin, asa915-12-k8.bin
Defects resolved since 9.1(5)10:
Asa 5580-20: object-group-search access-control causes failover problem
ASA stops decrypting certain L2L traffic after working for some time
ASA drops DNS PTR Reply w/ reason Label length exceeded during rewrite
object nat config getting deleted after reloaded with vpdn config
ASA NAT: Some NAT removed after upgrade from 8.6.1.5 to 9.x
ASA SSLVPN Java plugins fail through proxy with Connection Exception
When ACL optimization is enabled, wrong rules get deleted
ASA tmatch_summary_alloc block leak in binsize 1024
Cisco ASA SSL VPN Portal Customization Integrity Vulnerability
ASA: Page fault traceback in DATAPATH when DNS inspection is enabled
ASA traceback in thread name idfw_adagent
ASA Overwrite any file on WebVPN RAMFS
Cisco ASA VPN Failover Commands Injection Vulnerability
Cisco ASA SSL VPN Info Disclosure and DoS Vulnerability

Revision: Version 9.1(5)10 – 07/07/2014
Files: asa915-10-smp-k8.bin, asa915-10-k8.bin
Defects resolved since 9.1.5:
ENH - Add device serial number and platform string to show run output
ENH - Increase maximum SNMP message size to 1472 bytes per RFC 3417
Double auth not triggered if using secondary-aaa-server per interface
ASA allows SSL trustpoint with 4096 bit keys - SSL fails to work
ASA5500-x: "speed nonegotiate" command not available for fiber interface
wr mem all produces traceback on console
ASA: Huge NAT config causes traceback due to unbalanced p3 tree
ICMP destination unreachable for L2TP PMTU error not sent to server
Dropped packets/Retries/Timeout on applying a huge ACL on existing acl
ASA 9.1.2 DHCP - Wireless Apple devices are not getting an IP via DHCPD
IDFW: user-group is not deactivated even if IDFW ACL is removed
ASA fails to set forward address in OSPF route redistrubution
CWS: ASA forwards HTTPS packets to CWS tower in wrong sequence
Traceback when using IDFW ACL's with VPN crypto maps
ASA 5505 SIP packets may have extra padding one egress of 5505
ASA Unicorn rewriter memory corruption
ASA traceback in Thread Name: IKE Receiver
traffic does not match time-rang access-list configured with policy-maps
VPNLB syslogs to console missing newline
ASA with ICMP insp. drops replies with 'seq num not matched' code
Case sensitivity check missing for Web Type ACL and Access-group
Capture Isakmp w/ match statement cause Standby to reload at replication
WEBVPN multiple issues with LMS application
ASA - DHCP Discover Sent out during boot process
secondary standby looses his cluster license after upgrade to 8.4.(7.3)
webvpn issue,part of the http request not sent by the client to ASA
WebVPN: ASA webVPN fails to rewrite dynamic content of pubmed website
ASA:Traceback in Thread Name: DATAPATH-23-2334
Smart-tunnel for windows-Liveconnect exception-JRE 1.7u51
ASA should not allow interface MTU config greater than 9202/9198
Webvpn: web applications that may refresh a page with "#" fail
Datapath:Observing Deadlock in different DATAPATH threads
Traffic does not hit Twice NAT configured after Static PAT
ASA5585-SSP60 Teardown process is delayed under heavy traffic condition
Traceback on standby ASASM when executing the failover active command
ASA Backup scansafe tower is never polled
ASA: Watchdog traceback in Unicorn Admin Handler with TopN host stats
ASA traceback in Unicorn Admin Handler
ASA - VPN session leak for IKEv2 if L2L sessions land on RA tunnel group
Traceback in Thread: IPsec message handler with rip-tlog_event_allocate
ASA Cluster: Unable to stop captures on CCL in a context
SunRPC GETPORT Reply dropped when two active sessions use same xid
show cluster info goid output needs formatting
Aborted AnyConnect Authentications can cause resource leak
Sourcefire Defense Center not able to be rendered via Clientless SSL VPN
ASA 9.1.3 SNMP Traceback in Thread Name: SNMP
Traceback in Thread Name: ci/console
IKEv2 routes not installed if Dynamic and Static Crypto Map Match
ASA cluster - RSA key size 4096 bits is not replicated cluster members
Assigned IP in show vpn-sessiondb anyconnect is missing.
ASA WebVPN memory leak - blank portal page
capture option to be provided to collect pcap frm node other than master
Ping doesn't work between peer IPs when answer-only is configured
Java rewriting takes too much time
ASA:Tracebacks in thread dispatch unit due to SunRPC inspection
ASA: Traceback in aware_http_server_thread after upgrade
ASA traceback in Thread Name: IKE Daemon: with CX redirect in place.
DAP creates dynamic ACLs even if single ACL selected.
Regex modification within context causes ASA traceback
ASA EIGRP route stuck after neighbour disconnected
ASA WebVPN login page XSS vulnerability
ASA traceback when retrieving idfw topn user from slave
Anyconnect: Split-Tunnel dose not work with subnet 0.0.0.0/1
AnyConnect Password Management Fails with SMS Passcode
When long line is entered on cli, all chars > 510 silently discarded
ASA using IKEv2 rejects multiple NAT_DETECTION_SOURCE_IP payloads
ASA Cluster ICMP with PAT not functional on reload
Data path: ASA traceback in CTM message handler
ASA IPSec - DNS reply for RA client dropped when LZS compression enabled
L2TP/IPSec connection is failed when there is PAT router.
Hash calculated for multiple ACEs on ASA are same
ASA: Traceback in thread Name: DATAPATH-1-2581
Unable to access webvpn portal when CSD and IE content advisor enabled.
ASA cut a part of credential data during cut-thru proxy authentication
Cisco ASA DHCPv6 Denial of Service Vulnerability
ASDM interface graph showing bogus values in S/W and H/W output queue
ASA-SM not sending SNMP traps with 9.0.4
terminal width command is deleted when removing other context
5585-20 8.4.7.11 traceback in Thread Name Datapath w/ DCERPC inspection
IDM/IME/File Transfer Slow For Certain Source and Destination IP Pairs
Posture assement failing after HS upgrade to 3.1.05152
OSPFv3 route stuck in routing table after failover
MEMLEAK: 128 byte leaks when requesting IPv6 address for AnyConnect
Name for IPv6 address causes objects to became empty after reload
Cisco ASA Information Disclosure Vulnerability
Packet-tracer showing incorrect result for certain NAT configurations
Nameif command not allowed on TFW multimode ASA with clustering
'ASA modifies Request Host Part under 'ACK' packet for SIP connection'
ASA drops DNS PTR Reply w/ reason Label length exceeded during rewrite
High CPU with IKE daemon Process
ASA drops packet due to nat-no-xlate-to-pat-pool after removing NAT rule
ASA 8.4.6: Traceback with fover_FSM_thread
Saleen copper module port speed/duplex changes ineffective
ASA Page Fault: Invalid Permission in thread name DATAPATH
To the box traffic dropped due to vpn load-balancing (mis)configuration
SNMP: cpmCPUTotal5sec/1min/5min return "0"
VPN client firewall and split-tunneling mishandle "inactive" acl rules
Clientless scrollbar on right hand side of the screen doesn't render
ASA 9.0.4.1 traceback in webvpn datapath
VPN-filter ACL drops all traffic after upgrade for pre 8.3 to 9.x
IPsec transform sets mode changes from transport to tunnel after editing
CSCub92315 fix is incomplete
Interop: relax PrintableString encoding enforcement in PKI
ASA - Cut Through Proxy sends empty redirect w/ Virtual HTTP and Telnet
ASA SIP Inspect:'From: header' in the INVITE not NATed for outbound flow
ASA: Traceback in Thread Name: Dispatch Unit when enable debug ppp int
ASA SSLVPN OWA 2007: Unable to attach files >= 1 MB with KCD enabled
ASA WebVPN Rewriter: CSCOGet_location Improperly Pulls Full Web Address
Traceback with thread DATAPATH-2-1181
ASA traceback (Page fault) during xlate replication in a failover setup
ASA does not relay BOOTP packets
Multicast - ASA doesn't populate mroutes after failover
WebVPN capture causes conflict with other capture types
ASA: Webvpn using incorrect password for auto-signon with Radius/OTP
ASA doesn't send invalid SPI notify for non-existent NAT-T IPSec SA
ASA 9.1.(3)4 Memory Leak in KCD
ASA Rewriter does not support encoded values for characters like " ' "
ASA: Traceback in DATAPATH thread related to DNS inspection
ASA: Page fault traceback in Dispatch Unit
WebVPN: Javascript rewrite issue with Secret Server Application
ASA 9.x Management Port-Channel Cannot configure management-only in TFW
Traceback when using IDFW ACL's with VPN VPN Filters
CIFS drag & drop not working with remote file explorer over webvpn
Giaddr to be set to the address of interface facing the client.
Standby ASA traceback on Fover_Parse with Botnet Filter
Multiple Vulnerabilities in OpenSSL - June 2014