Cisco ASA Interim Release Notes

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

Revision: Version 9.1(6)11 – 02/16/2016
Files: asa916-11-smp-k8.bin, asa916-11-k8.bin
Defects resolved since 9.1(6)10:
Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability
Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability

Revision: Version 9.1(6)10 – 09/18/2015
Files: asa916-10-smp-k8.bin, asa916-10-k8.bin
Defects resolved since 9.1(6)8:
vpn load-balancing configuration exits sub-command menu unexpectedly
URLF: Websense v4 message length calculation is incorrect by 2 bytes
ASA: CLI commands are not displaying options for local authorization
ASA Threat detection adds Shun entry for attacker based on routing table
ASA: Page fault traceback in SXP CORE thread
'client-services' is not accepted if the interface has no IP addr
Failover assembly remained in active-active state permanently
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal
ASA: Anyconnect IPv6 Traceroute does not work as expected
9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain
Auth-prompt configured in one context appears in another context
ASA failover due to issue show local-host command make CPU-hog
ASA: Traceback while copying file using SCP on ASA
Clientless webvpn on ASA does not display asmx files
ASA5505 permanent base license, temp secplus, failover, vlan count issue
Unable to authenticate with remove aaa-server from different context
ASA cluster-Incorrect "current conns" counter in service-policy
ASA may traceback when displaying packet capture with trace option
ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8)
ASA: 1550 block depletion due to L2L VPN traffic
Standby traceback during config replication with customization export

Revision: Version 9.1(6)8 – 08/06/2015
Files: asa916-8-smp-k8.bin, asa916-8-k8.bin
Defects resolved since 9.1(6)6:
RRI static routing changes not updated in routing table
ASA: ICMP loop when cluster member rejoins the cluster.
WebVPN Rewriter: "parse" method returns curly brace instead of semicolon
NAT conversion fails when port range 1024 65535 is source
SCH enrollment issue with Saleen serial number
inspect esmtp replace the packet data to 'X'
ISAKMP SERVER traffic from codenomicon crashes ASA
WebVPN:Rewrite issue with 'eval' expressions inside JS on Peoplesoft app
Clustering: Eigrp RIB not replicated to slave node
ASA WebVPN clientless cookie authentication bypass
ASA Traceback in vpnfol_thread_msg
Drop reasons missing from asp-drop capture
ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit
ASA inspection-MPF ACL changes not inserted into ASP table properly
Object nat rule is not matched
ASA: Traceback with Thread Name - AAA
ASA not checking the MAC of the TLS records
ASA change non-default port to 443 for https traffic redirected to CWS
Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5
Evaluation of OpenSSL June 2015
DHCP-DHCP Proxy thread traceback shortly after failover and reload
ASA Traceback in Thread Name ssh/client
ASA: traceback in IDFW AD agent
ASA Traceback in ssh whilst adding new line to extended ACL
Memory leak @regcomp_unicorn with APCF configured
AddThis widget is not shown causing Traceback in Unicorn Proxy Thread

Revision: Version 9.1(6)6 – 06/10/2015
Files: asa916-6-smp-k8.bin, asa916-6-k8.bin
Defects resolved since 9.1(6)4:
ASA: DHCP relay does not validate the Server Identifier of a reply
Multiple problems with output of show processes memory
traceback in Thread Name: IKEv2 Daemon
ASA DNS lookups always prefer IPv6 response
Add cli to control masked username in syslog
LU allocate connection failed on the Standby ASA unit
ASA prefers Suite-B algorithms w/ AC Essentials enabled for AC IKEv2
NetFlow incorrect reporting for PPTP VPN over GRE
ipsec-datapath:TFW management connection via VPN takes a few minutes
Cisco ASA XAUTH Bypass Vulnerability
HTTP redirect to the VPNLB address using HTTPS fails in 9.1.5
ASA clears the TOS value of ICMP echo reply packet from ASA's interface
More than 255 messages in multicast packet with jumbo frames
Radius Acct-Terminate-Cause for L2TP over IPSec is incorrect.
ASA traceback in DATAPATH Thread due to Double Block Free
ASA WEBVPN: Usernames shown as '*' in logs for failed authentication
Duplicate IPv6 address is configurable in 1 ASA or context
[ASA] CTP not working if proxyACL port_argument is gt
Traceback in thread CP Processing
ASA crashes because of TD tcp-intercept feature
Corrupted host name may occur with DHCP
L2TP/IPsec traffic dropped due to "vpn-overlap-conflict"
ASA Traceback in PPP
ASA crash in Thread Name: CP Processing
ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel
ASA WebVPN: Javascript fails to execute when accessing internal portal
Cert Auth fails with 'max simultaneous-login restriction' error
asa Traceback with Thread Name idfw_proc
ASA Name Constraints dirName improperly verified
ASA CA certificate import fails with different types of Name Constraints

Revision: Version 9.1(6)4 – 05/15/2015
Files: asa916-4-smp-k8.bin, asa916-4-k8.bin
Defects resolved since 9.1(6)1:
Certificate chain verification improvement
Authentication is successful, but http browser with error msg displayed
ASA traceback in checkheaps due to snmp natmib
Cisco ASA CX Crafted Packets DoS Vulnerability
Cisco ASA fix for CSCun56954
ASA 8.4 Memory leak due to duplicate entries in ASP table
ASA traceback: thread name "scansafe_poll"
Cisco ASA Failover Command Injection Vulnerability
Mac version smart-tunnel uses SSLv3 which is a vulnerability
ASA SMTP inspection should not disable TLS by default
ASA:Dataplane capture doesn't capture packets From Service module to ASA
ASA teardown connection after receiving same direction fins
ASA traceback in DATAPATH-1-2414 after software upgrade
ASA: Traceback when removing manual NAT rule
ASA traceback in Thread Name: fover_parse
ASA - Traceback in Thread Name: fover_parse
ASA 9.1.5 does not always drop connections after receiving RST+ACK flag
ASA fails to sync objects with name ANY after upgrade from 8.4 to 9.x
LDAP over SSL fails when using TLS1.2 on ASA
Certificate Validation Failure after upgrade post 9.1.5(12)
Network Object NAT is not working when config-register == 0x41
Adding subnet(s) to the object group for NAT causes high CPU
ASA Cluster member traceback in DATAPATH
ASA dropping traffic with TCP syslog configured in multicontext mode
NFS connections not timing out after failover
ASA: XFRAME support for .JS and .JNLP URL's
Both ASAs in failover use the same MAC address
Standby ASA does not apply OSPF route after config replication
ASA allows citrix ICA connection without authentication
Anyconnect SSL VPN certificate authentication fails on ASA
Active ASA in failover setup reboots on its own
ASA redirection to Scansafe tower fails with log id "775002" in syslog
Per-session PAT RST sent to incorrect direction after closing session
MARCH 2015 OpenSSL Vulnerabilities
WebVPN: Tsweb fails to work through clientless portal

Revision: Version 9.1(6)1 – 04/08/2015
Files: asa916-1-smp-k8.bin, asa916-1-k8.bin
Defects resolved since 9.1(6):
2048-byte block leak if DNS server replies with "No such name"