Cisco ASA Interim Release Notes

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

Revision:  Version 9.1(6)11 – 02/16/2016

Files:  asa916-11-smp-k8.bin, asa916-11-k8.bin

Defects resolved since 9.1(6)10:

 

CSCux29978

Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability

 

CSCux42019

Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability

 

 

Revision:  Version 9.1(6)10 – 09/18/2015

Files:  asa916-10-smp-k8.bin, asa916-10-k8.bin

Defects resolved since 9.1(6)8:

 

CSCul16778

vpn load-balancing configuration exits sub-command menu unexpectedly

CSCum03212

URLF: Websense v4 message length calculation is incorrect by 2 bytes

CSCuq44875

ASA: CLI commands are not displaying options for local authorization

CSCur20461

ASA Threat detection adds Shun entry for attacker based on routing table

CSCus30833

ASA: Page fault traceback in SXP CORE thread

CSCus92570

'client-services' is not accepted if the interface has no IP addr

CSCut11895

Failover assembly remained in active-active state permanently

CSCut49034

ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal

CSCut95793

ASA: Anyconnect IPv6 Traceroute does not work as expected

CSCuu61573

9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain

CSCuu73395

Auth-prompt configured in one context appears in another context

CSCuu75901

ASA failover due to issue show local-host command make CPU-hog

CSCuu94945

ASA: Traceback while copying file using SCP on ASA

CSCuv05386

Clientless webvpn on ASA does not display asmx files

CSCuv10258

ASA5505 permanent base license, temp secplus, failover, vlan count issue

CSCuv12884

Unable to authenticate with remove aaa-server from different context

CSCuv39775

ASA cluster-Incorrect "current conns" counter in service-policy

CSCuv45756

ASA may traceback when displaying packet capture with trace option

CSCuv57389

ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8)

CSCuv70576

ASA: 1550 block depletion due to L2L VPN traffic

CSCuv79552

Standby traceback during config replication with customization export

 

 

Revision:  Version 9.1(6)8 – 08/06/2015

Files:  asa916-8-smp-k8.bin, asa916-8-k8.bin

Defects resolved since 9.1(6)6:

 

CSCur09141

RRI static routing changes not updated in routing table

CSCus15721

ASA: ICMP loop when cluster member rejoins the cluster.

CSCus46895

WebVPN Rewriter: "parse" method returns curly brace instead of semicolon

CSCus47192

NAT conversion fails when port range 1024 65535 is source

CSCus49405

SCH enrollment issue with Saleen serial number

CSCus78722

inspect esmtp replace the packet data to 'X'

CSCus94026

ISAKMP SERVER traffic from codenomicon crashes ASA

CSCut39169

WebVPN:Rewrite issue with 'eval' expressions inside JS on Peoplesoft app

CSCut47204

Clustering: Eigrp RIB not replicated to slave node

CSCut71095

ASA WebVPN clientless cookie authentication bypass

CSCut88287

ASA Traceback in vpnfol_thread_msg

CSCuu13345

Drop reasons missing from asp-drop capture

CSCuu18989

ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit

CSCuu19489

ASA inspection-MPF ACL changes not inserted into ASP table properly

CSCuu25430

Object nat rule is not matched

CSCuu27334

ASA: Traceback with Thread Name - AAA

CSCuu52976

ASA not checking the MAC of the TLS records

CSCuu56912

ASA change non-default port to 443 for https traffic redirected to CWS

CSCuu78835

Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5

CSCuu83280

Evaluation of OpenSSL June 2015

CSCuu84085

DHCP-DHCP Proxy thread traceback shortly after failover and reload

CSCuu84697

ASA Traceback in  Thread Name ssh/client

CSCuv01177

ASA: traceback in IDFW AD agent

CSCuv07106

ASA Traceback in ssh whilst adding new line to extended ACL

CSCuv12564

Memory leak @regcomp_unicorn with APCF configured

CSCuv30184

AddThis widget is not shown causing Traceback in Unicorn Proxy Thread

 

 

Revision:  Version 9.1(6)6 – 06/10/2015

Files:  asa916-6-smp-k8.bin, asa916-6-k8.bin

Defects resolved since 9.1(6)4:

 

CSCsj50741

ASA: DHCP relay does not validate the Server Identifier of a reply

CSCuj68919

Multiple problems with output of show processes memory

CSCum77083

traceback in Thread Name: IKEv2 Daemon

CSCup89922

ASA DNS lookups always prefer IPv6 response

CSCur17006

Add cli to control masked username in syslog

CSCur51051

LU allocate connection failed on the Standby ASA unit

CSCur95551

ASA prefers Suite-B algorithms w/ AC Essentials enabled for AC IKEv2

CSCur99221

NetFlow incorrect reporting for PPTP VPN over GRE

CSCus03141

ipsec-datapath:TFW management connection via VPN takes a few minutes

CSCus47259

Cisco ASA XAUTH Bypass Vulnerability

CSCus63269

HTTP redirect to the VPNLB address using HTTPS fails in 9.1.5

CSCus76060

ASA clears the TOS value of ICMP echo reply packet from ASA's interface

CSCus83476

More than 255 messages in multicast packet with jumbo frames

CSCus88626

Radius Acct-Terminate-Cause for L2TP over IPSec is incorrect.

CSCus92856

ASA traceback in DATAPATH Thread due to Double Block Free

CSCus98250

ASA WEBVPN: Usernames shown as '*' in logs for failed authentication

CSCus98309

Duplicate IPv6 address is configurable in 1 ASA or context

CSCut22865

[ASA] CTP not working if proxyACL port_argument is gt

CSCut48009

Traceback in thread CP Processing

CSCut49111

ASA crashes because of TD tcp-intercept feature

CSCut49724

Corrupted host name may occur with DHCP

CSCut64327

L2TP/IPsec traffic dropped due to "vpn-overlap-conflict"

CSCut75983

ASA Traceback in PPP

CSCut92194

ASA crash in Thread Name: CP Processing

CSCuu28909

ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel

CSCuu32905

ASA WebVPN: Javascript fails to execute when accessing internal portal

CSCuu39636

Cert Auth fails with 'max simultaneous-login restriction' error

CSCuu45812

asa Traceback with Thread Name idfw_proc

CSCuu45813

ASA Name Constraints dirName improperly verified

CSCuu46569

ASA CA certificate import fails with different types of Name Constraints

 

 

Revision:  Version 9.1(6)4 – 05/15/2015

Files:  asa916-4-smp-k8.bin, asa916-4-k8.bin

Defects resolved since 9.1(6)1:

 

CSCuh43186

Certificate chain verification improvement

CSCui41969

Authentication is successful, but http browser with error msg displayed

CSCul02601

ASA traceback in checkheaps due to snmp natmib

CSCun56954

Cisco ASA CX Crafted Packets DoS Vulnerability

CSCuo58584

Cisco ASA fix for  CSCun56954

CSCuq57307

ASA 8.4 Memory leak due to duplicate entries in ASP table

CSCuq69907

ASA traceback: thread name "scansafe_poll"

CSCur21069

Cisco ASA Failover Command Injection Vulnerability

CSCur42776

Mac version smart-tunnel uses SSLv3 which is  a vulnerability

CSCur68226

ASA SMTP inspection should not disable TLS by default

CSCus06165

ASA:Dataplane capture doesn't capture packets From Service module to ASA

CSCus11465

ASA teardown connection after receiving same direction fins

CSCus23416

ASA traceback in DATAPATH-1-2414 after software upgrade

CSCus51289

ASA: Traceback when removing manual NAT rule

CSCus53692

ASA traceback in Thread Name: fover_parse

CSCus56590

ASA - Traceback in Thread Name: fover_parse

CSCus62884

ASA 9.1.5 does not always drop connections after receiving RST+ACK flag

CSCus64082

ASA fails to sync objects with name ANY after upgrade from 8.4 to 9.x

CSCus71190

LDAP over SSL fails when using TLS1.2 on ASA

CSCus78450

Certificate Validation Failure after upgrade post 9.1.5(12)

CSCus91407

Network Object NAT is not working when config-register == 0x41

CSCus91636

Adding subnet(s) to the object group for NAT causes high CPU

CSCus97061

ASA Cluster member traceback in DATAPATH

CSCut01856

ASA dropping traffic with TCP syslog configured in multicontext mode

CSCut04182

NFS connections not timing out after failover

CSCut06531

ASA: XFRAME support for .JS and .JNLP URL's

CSCut08663

Both ASAs in failover use the same MAC address

CSCut10078

Standby ASA does not apply OSPF route after config replication

CSCut12513

ASA allows citrix  ICA connection without authentication

CSCut15570

Anyconnect SSL VPN certificate authentication fails on ASA

CSCut28217

Active ASA  in failover setup reboots on its own

CSCut30741

ASA redirection to Scansafe tower fails with log id "775002" in syslog

CSCut39985

Per-session PAT RST sent to incorrect direction after closing session

CSCut46019

MARCH 2015 OpenSSL Vulnerabilities

CSCut58935

WebVPN: Tsweb fails to work through clientless portal

 

 

Revision:  Version 9.1(6)1 – 04/08/2015

Files:  asa916-1-smp-k8.bin, asa916-1-k8.bin

Defects resolved since 9.1(6):

 

CSCut45114

2048-byte block leak if DNS server replies with "No such name"