Cisco ASA Interim Release Notes

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

Revision: Version 9.3(3)11 – 10/19/2016
Files: asa933-11-smp-k8.bin
Defects resolved since 9.3(3)10:
- Evaluation of pix-asa for OpenSSL March 2016
- Cisco ASA Software Local Certificate Authority Denial of Service Vulnerability
- Evaluation of pix-asa for OpenSSL May 2016
- Buffer Overflow in ASA Leads to Remote Code Execution

Revision: Version 9.3(3)10 – 08/24/2016
Files: asa933-10-smp-k8.bin
Defects resolved since 9.3(3)9:
- IPv6 neighbor discovery packet processing behavior
- Cisco ASA SNMP Remote Code Execution Vulnerability

Revision: Version 9.3(3)9 – 03/08/2016
Files: asa933-9-smp-k8.bin
Defects resolved since 9.3(3)7:
- CPU hog due to snmp polling of ASA memory pool information
- ASA traceback when retrieving idfw topn user from slave
- Traceback in Thread Name: DATAPATH-1-1382 while processing nat-t packet
- WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7
- SXP Version Mismatch Between ASA & N7K with clustering
- RRI static routing changes not updated in routing table
- LU allocate connection failed on the Standby ASA unit
- ASA low DMA memory on low end ASA-X -5512/5515 devices
- ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limit
- Transactional ACL commit will bypass security policy during compilation
- Share licenses are not activated on failover pair after power cycle
- ASA fails to pass ipv6 address to anyconnect client when using RADIUS
- ASA traffic not sent properly using 'traffic-forward sfr monitor-only'
- ASA traceback in DATAPATH Thread due to Double Block Free
- ASA dropping traffic with TCP syslog configured in multicontext mode
- ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig
- Standby ASA does not apply OSPF route after config replication
- ASA allows citrix ICA connection without authentication
- Anyconnect SSL VPN certificate authentication fails o ASA
- EIGRP authentication not working with simple pasword
- Per-session PAT RST sent to incorrect direction after closing session
- Interface TLV to SFR is corrupt when frame is longer than 2048 bytes
- ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal
- ASA traceback because of TD tcp-intercept feature
- Corrupted host name may occur with DHCP
- ASA tunnel-group"password-expire-in-days"not prompting a password change
- Investigate impact of jumbo-frame reservation on low-end ASA platforms
- ASA WebVPN clientless cookie authentication bypass
- ASA: Anyconnect IPv6 Traceroute does not work as expected
- ASA CX - Data Plane marked as DOWN untill ASA reload.
- ASA WebVPN: HTTP 302 Location URL rewritten incorrectly
- ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit
- ASA: Traceback with Thread Name - AAA
- ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel
- ASA OSPF database not reflect changes
- ASA WebVPN: Javascript fails to execute when accessing internal portal
- asa Traceback with Thread Name idfw_proc
- ASA Name Constraints dirName improperly verified
- ASA CA certificate import fails with different types of Name Constraints
- ASA: Stuck uauth entry rejects AnyConnect user connections
- ASA not checking the MAC of the TLS records
- ASA change non-default port to 443 for https traffic redirected to CWS
- 9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain
- Auth-prompt configured in one context appears in another context
- Traceback in Thread CP Processing
- ASA failover due to issue show local-host command make CPU-hog
- Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5
- DHCP-DHCP Proxy thread traceback shortly after failover and reload
- ASA Traceback in Thread Name ssh/client
- conn-max counter is not decreased accordingly
- When > 510 characters entered in CLI, context switches to admin/system
- Immediate FIN from client after GET breaks scansafe connection
- ASA: Traceback while copying file using SCP on ASA
- ASA: traceback in IDFW AD agent
- Clientless webvpn on ASA does not display asmx files
- ASATraceback in ssh whilst adding new line to extended ACL
- ASA: CLI commands not showing help(?) options for local authorization
- ASA5505 permanent base license, temp secplus, failover, vlan count issue
- 'redistribute' cmds under 'router eigrp' removed on deleting any context
- Unable to authenticate with remove aaa-server from different context
- Traceback in Thread Name: ssh when using capture or continuous ping
- rewriter returns 302 for a file download
- ASA cluster-Incorrect "current conns" counter in service-policy
- ASA: Watchdog Traceback with Thread Name:- SXP CORE
- ASA may tracebeck when displaying packet capture with trace option
- ASA traceback on Standby device during config sync in thread DATAPATH
- Standby ASA inside IP not reachable after Anyconnect disconnect
- SSL : Unable to Join nodes in Cluster
- ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8)
- Traceback in Thread Name: DATAPATH on modifying "set connection" in MPF
- ASA picks incorrect trustpoint to verify OCSP Response
- FO: ASAv traceback while syncing during upgrade from 9.4.1 to 9.5.1
- Standby traceback during config replication with customization export
- ASA traceback: SSH Thread: many users logged in and dACLs being modified
- ASA TCP Normalizer sends PUSH ACK for invalid ACK for half-open CONNS
- ASA traceback in Thread Name: CP Crypto Result Processing.
- ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+)
- ASA - SSH sessions stuck in CLOSE_WAIT causing ASA to send RST
- Trace back with Thread Name: IP Address Assign
- ASA EIGRP does not send poison reverse for neighbors to remove route
- Improper S2S IPSec Datapath Selection for Remote Overlapping Networks
- ASA traceback while restoring backup configuration from ASDM
- ASA traceback when removing dynamic PAT statement from cluster
- ASA:Traceback in Thread Name:- netfs_thread_init
- ASA: Traceback in Thread Unicorn Admin Handler due to Threat Detection
- Cisco ASA Software Version Information Disclosure Vulnerability
- ASA: ICMP error loop on cluster CCL with Interface PAT
- filter sfr traffic may cause memory corruption
- DNS Traceback in channel_put()
- Traceback in WebVPN rewriter
- SSH connections are not timed out on Standby ASA (stuck in rtcli)
- Standby ASA traceback in Thread Name: EIGRP-IPv4
- DHCP Server Process stuck if dhcpd auto_config already enabled from CLI
- SAML won't be able select Oracle OAM tunnel group
- ASA: Traceback in Thread name DATAPATH-7-1918
- PCP 10.6 Clientless VPN Access is Denied when accessing Pages
- Thread Name: DATAPATH-17-3095: ASA in Cluster Reloads Unexpectedly
- Traceback in thread name: Unicorn Proxy Thread
- ASA: assertion "pp->pd == pd" failed: file "main.c", line 192
- http-form authentication fails after 9.3.2
- ASA traceback when using an ECDSA certificate
- OSPF neighbor goes down after "reload in xx" commnad in 9.2 and later
- ASA 9.1.6.10 traceback after remove compact flash and execute dir cmd
- DAP URL-List Command Says It Supports 491 Characters; Only Supports 245
- ASA TCP normalizer checksum verification cannot be disabled
- Port-Channel Config on Gi 0/0 causes Boot Loop - FIPS related
- Cisco signed certificate expired for WebVpn Port Forward Binary on ASA
- Evaluation of pix-asa for OpenSSL December 2015 Vulnerabilities
- SSL sessions stop processing -"Unable to create session directory" error
- ASA L7 policy-map comes into affect only if the inspection is re-applied
- ASA: Traceback on ASA device after adding FQDN objects in NAT rule
- ASA TACACS+: process tacplus_snd uses large percentage of CPU
- ASA Traceback on Thread Name: Unicorn Admin Handler
- ASA WebVPN: Java RDP Plugin does not launch
- ASA traceback in Thread Name: https_proxy
- ASA traceback in DATAPATH thread
- ASA traceback in Thread Name: Unicorn Proxy Thread.
- ASA traceback and reload citing Thread Name: idfw_proc
- ASA 5585 traceback when the User name is mentioned in the Access list
- ASA Watchdog traceback in CP Processing thread during TLS processing

Revision: Version 9.3(3)7 – 01/14/2016
Files: asa933-7-smp-k8.bin
Defects resolved since 9.3(3)6:
- ASA IKEv1 and IKEv2 Vulnerability
- IKEv2 Fragments may get dropped with a specific sequence of fragments

Revision: Version 9.3(3)6 – 10/30/2015
Files: asa933-6-smp-k8.bin
Defects resolved since 9.3(3)2:
- Cut Through proxy not working correctly with TLS1.2
- AnyConnect upgrade from AC 2.5 to AC 3.1 fails
- WebVPN Rewriter: "parse" method returns curly brace instead of semicolon
- ASA traceback in threadname Checkheaps when it hits dhcpv6 packet
- Kenton 5516: Interface dropping ARPs after flapping under traffic load
- HTTP redirect to the VPNLB address using HTTPS fails in 9.1.5
- ISAKMP SERVER traffic from codenomicon crashes ASA
- L2TP/IPsec traffic dropped due to "vpn-overlap-conflict"
- CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached
- ASA: Silently Drops packets with SFR Module installed.
- ASA Traceback in vpnfol_thread_msg
- ASA traceback in Thread Name: CP Processing
- ASA: ECMP stopped working after upgrade to 9.3.2
- Object nat rule is not matched
- ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout
- eglibc 2.18 is missing upstream fix #15073
- Cert Auth fails with 'max simultaneous-login restriction' error
- ASA - access list address argument changed from host 0.0.0.0 to host ::
- ASA does not set forward address or p-bit in OSPF redistrubution in NSSA
- ASA not generating PIM register packet for directly connected sources
- Evaluation of OpenSSL June 2015
- ASAv traceback in DATAPATH when used for WebVPN
- ASA-3-317012 and "No route to host" errors even though the route exists
- ASA:OSPF over L2L tunnels is not working with multiple cry map entries
- Need to prevent crash in js_parser_print_rest
- ASA LDAP CRL query baseObject DN string is malformed
- Memory leak @regcomp_unicorn with APCF configured
- AddThis widget is not shown causing Traceback in Unicorn Proxy Thread
- ASA: LDAP over SSL Authentication failure
- Dynamic Route Not Installed After Failover
- HTTP chunked data causing watchdog
- Webvpn: JS parser may crash if the underlying connection is closed
- ASA traceback in Thread Name: fover_parse (ak47/ramfs)
- Unicorn proxy thread traceback with RAMFS processing
- Request allow packets to pass when snort is down for ASA configurations
- OSPF over IKEv2 L2L tunnel is broken on ASA with 9.2.1 onwards
- ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test

Revision: Version 9.3(3)2 – 06/11/2015
Files: asa933-2-smp-k8.bin
Defects resolved since 9.3(3)1:
- ASA is not correctly handling errors on AES-GCM ICV

Revision: Version 9.3(3)1 – 05/22/2015
Files: asa933-1-smp-k8.bin
Defects resolved since 9.3(3):
- ASA 8.4 Memory leak due to duplicate entries in ASP table
- ASA/ASASM drops SIP invite packets with From field containing "" and \
- Traceback on standby ASA during hitless upgrade
- ASA 9.2.1 - DATAPATH Traceback in L2 cluster environment
- ASA - Traceback in thread name SSH while applying BGP show commands
- Cisco ASA XAUTH Bypass Vulnerability
- ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO:
- Certificate Validation Failure after upgrade post 9.1.5(12)
- Network Object NAT is not working when config-register == 0x41
- ASA Cluster member traceback in DATAPATH
- ASA traceback in aaa_shim_thread
- Active ASA in failover setup reboots on its own
- ASA redirection to Scansafe tower fails with log id "775002" in syslog
- EIGRP configuration not being correctly replicated between failover ASAs
- MARCH 2015 OpenSSL Vulnerabilities
- Traceback in thread CP Processing
- WebVPN: Tsweb fails to work through clientless portal