Cisco
ASA Interim Release Notes
The software
images listed below are Interim releases.
They contain bug fixes which address specific
issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC
and will remain on the download site only until the next Maintenance release is
available. If you do not have a specific problem which
is resolved by an Interim release, we recommend that you use the Feature or
Maintenance release images.
Important: These images were not fully regression
tested. Each individual fix was unit
tested, and the image has had a limited amount of automated regression testing
to confirm a baseline of functionality.
Keep this testing status in mind if you decide to run them in a production
environment. We strongly encourage you
to upgrade to a fully tested Maintenance or Feature release when it becomes
available.
Revision: Version 9.5(2)14 – 07/11/2016
Files: asa952-14-smp-k8.bin
Defects resolved since 9.5(2)11:
|
Packet captures cause CPU spike on Multi-Core platforms due to spin_lock |
|
|
Password change page can be displayed without authentication |
|
|
ASA-SFR, ASA should attempt to join Cluster after SFR service
module up |
|
|
"no ipv6-vpn-addr-assign" CLI
not working |
|
|
ASA: Traceback in Thread IP Address
Assign |
|
|
ASA traceback while viewing large ACL |
|
|
Add Asynchronous support for DHCP proxy |
|
|
Traceback in Thread: IPsec message handler |
|
|
ASA WebVPN: Java Exception with Kronos
application |
|
|
ASDM detects a config change when dACL is pushed for Anyconnect
user |
|
|
Evaluation of pix-asa for OpenSSL March 2016 |
|
|
ASA 9.1(6) traceback in webvpn-datapath : thread name "DATAPATH-2-1524" |
|
|
SIP call transfer fail due to differences b/w fixing CallId and Refer-To |
|
|
Slow ASA OSPF interface transition from DOWN to WAITING after
failover |
|
|
ASA 9.1.6.4 traceback with Thread
Name: telnet/ci |
|
|
Memory leak in 112 byte bin when packet hits PBR and WCCP rules |
|
|
Kenton 9.5.1 'boot system/boot config'
commands not retained after reload |
|
|
5585-10 traceback in Thread Name: idfw_proc |
|
|
ASA traceback in threadname
ssh |
|
|
Allocated memory showing high (invalid) values |
|
|
ASA: Page Fault traceback in DATAPATH
on standby ASA after booting up |
|
|
ASA capture type isakmp saving
malformed ISAKMP packets |
|
|
WebVPN rewrite fails for MSCA Cert enrollment page / VBScript |
|
|
ASA memory leak due to vpnfo |
|
|
Interfaces get deleted on SFR during HA configuration sync |
|
|
dynamic crypto map fails if named the same as static crypto map |
|
|
Evaluation of pix-asa for OpenSSL May 2016 |
|
|
ASA: Traceback on ASA in Datapath as we enable SFR traffic redirection |
|
|
ASA Address not mapped traceback -
configuring snmp-server host |
|
|
ASA Access-list missing and losing elements Warning Message
enhancement |
|
|
ASA-2-321006 May be received invalidly when memory is not high |
|
|
ASA Cut-through Proxy inactivity timeout not working |
|
|
ASA may Traceback with Thread Name:
cluster rx thread |
|
|
ASA may Traceback with Thread Name:
Unicorn Admin Handler |
|
|
ASA: SSH being denied on the ASA device as the maximum limit is
reached |
|
|
ASA cant delete ACL lines and remarks - Specified remark does
not exist |
Revision: Version 9.5(2)11 – 06/10/2016 This is only to be
used with the 1.1.3 FX-OS release only.
Files: asa952-11-smp-k8.bin
Defects resolved since 9.5(2)10:
|
RX ring no buffer drops is observed on SSP when cluster sends
CLU msgs |
|
|
9.6.1/QP - Traceback in appagent_async_client_send_thread |
Revision: Version 9.5(2)10 – 05/31/2016
Files: asa952-10-smp-k8.bin
Defects resolved since 9.5(2)6:
|
FIPS self test power on fails - fipsPostDrbgKat |
|
|
ASA Mgmt Session stuck on running
"sh block exhaustion snapshot/history" |
|
|
ASA traceback in Thread name DATAPATH
when handling multicast packet |
|
|
ASA 5545x Upgrade to 9.2(2)4 causes Traceback in Thread Name SSL |
|
|
ASA: "Auto-Enable" feature not working with SSH
configured with PKF |
|
|
Egress ACL with ICMP Types Misbehaving. |
|
|
9.5.1 - Crash in bcm_esw_init thread |
|
|
ASA5508 5516 Unable to communicate with 100/full configured
after reboot. |
|
|
ASA: Traceback in Checkheaps |
|
|
ASA traceback in Unicorn Proxy Thread |
|
|
Primary and Secondary ASA in HA is traceback
in Thread Name:DataPath |
|
|
GTPv1 traceback in gtpv1_process_msg |
|
|
ASA traceback - WebVPN CIFS_file_rename_remove operations |
|
|
ASA "show chunkstat |
redirect" does not work |
|
|
Traceback in ctm_ssl_generate_key
with DHE ciphers SSL VPN scaled test |
|
|
ASA IPSEC crypto map set df-bit copy-df/clear-df does not take
effect |
|
|
WebVPN: Unable to play certain online videos |
|
|
DAP: debug dap trace not fully shown after +1600 lines |
|
|
Deadlock in gtp_lu_process_pdpmcb_info |
|
|
Traffic drop due to constant amount of arp
on ASASM |
|
|
Reload in Thread Name: IKE Daemon |
|
|
Nat pool exhausted observed when enabling asp transactional-commit
nat |
|
|
DNS Reply Modification for Dual-Stack does not work as expected |
|
|
ASA using a huge dynamic ACL may cause Anyconnect
connectivity failures |
|
|
Traceback when unit joins cluster |
|
|
ASA traceback with SIP inspection and
SFR enabled in 9.5.2 |
|
|
ASA: MAC address changes on active context when WRITE STANDBY is
issued |
|
|
Smart tunnel does not work since Firefox 32bit version 43 |
|
|
HA: Number of interfaces mismatch after SFR module reload on
both units |
|
|
ASA: Assert traceback in version 9.4.2 |
|
|
Traceback when drop is enabled with diameter inspection and tls-proxy |
|
|
STBY ASA does't pass traffic via
ASA-IC-6GE-SFP-B ifc after reload |
|
|
ASA Access-list missing and losing elements after configuration
change |
|
|
ASA reloads in thread name: DATAPATH while encrypting L2L packet |
|
|
ASA : Configuration not replicated on mate if standby IP is missing |
|
|
inspect ip-option is not allowing
"NOP" even when allowed |
|
|
Buffer overflow in RAMFS dirent
structure causing traceback |
|
|
ASAv sub-interface failing to send traffic with customised
mac-address |
|
|
Unable to configure a user for ssh
public auth only (tied w/ CSCuw90580) |
|
|
assert "ctm->async_ref
== 0" failed: file "ssl_common.c",
line 193-part2 |
|
|
Traceback in thread name idfw when modifying
object-group having FQDN |
|
|
Assert Traceback in Thread Name:
DATAPATH on clustered packet reassembly |
|
|
WebVPN FTP client failing with "Error contacting host"
message |
|
|
orignial master not
defending all GARP packets after cluster split brain |
|
|
FO replication failed: cmd=no disable,
when disabling webvpn-cache |
|
|
ASA traceback when receive Radius
attribute with improper variable type |
|
|
ASA - Traceback in CP Processing
Thread During Private Key Decryption |
|
|
AAA: RSA/SDI unable to set new PIN |
|
|
ASA may stop responding to OSPF Hello packets |
|
|
ASAv: Free memory is reported as negative in an OOM condition |
|
|
Traceback in DATAPATH or Hi CPU usage due to Threat Detection |
|
|
Improve efficiency of malloc_avail_freemem() |
|
|
ASA clientless rewriter failure at 'CSCOPut_hash'
function |
|
|
ENH: ASAv should have a different
pre-loaded cert |
|
|
Traceback in gtp_remove_request with duplicate
requests |
|
|
Active and Standby ASA use same MAC addr
with only active MAC configured |
|
|
ASA traceback in SSH thread |
|
|
infinite loop in JS rewriter state machine when return followed by var |
|
|
ASA Traceback and reload by strncpy_sx.c |
|
|
Intranet page does not load via WebVPN with JavaScript errors |
|
|
CSCOPut_hash can initiate unexepected
requests |
|
|
Network command disappears from BGP after reload with name |
|
|
ASA Tback when large ACL applied to
interface with object-group-search |
|
|
ASA Cluster fragments reassembled before transmission with no
inspection |
Revision: Version 9.5(2)6 – 03/21/2016
Files: asa952-6-smp-k8.bin
Defects resolved since 9.5(2)5:
|
Debug trace for mps_shash_release with
logging. |
|
|
SNMP MIB: Equivalent of "show xlate
count" command |
|
|
Observed Traceback in SNMP while
querying GET BULK for 'xlate count' |
|
|
ASA traceback when retrieving idfw topn user from slave |
|
|
ASA low DMA memory on low end ASA-X -5512/5515 devices |
|
|
Transactional ACL commit will bypass security policy during
compilation |
|
|
Share licenses are not activated on failover pair after power
cycle |
|
|
ASA traffic not sent properly using 'traffic-forward sfr monitor-only' |
|
|
Interface TLV to SFR is corrupt when frame is longer than 2048
bytes |
|
|
ASA: Stuck uauth entry rejects AnyConnect user connections |
|
|
Traceback in Thread Name: ssh when using
capture or continuous ping |
|
|
ASA traceback on Standby device during
config sync in thread DATAPATH |
|
|
ASA - SSH sessions stuck in CLOSE_WAIT causing ASA to send RST |
|
|
ASA traceback while restoring backup
configuration from ASDM |
|
|
Cisco ASA Software Version Information Disclosure Vulnerability |
|
|
filter sfr traffic may cause memory corruption |
|
|
Watchdog traceback in ldap_client_thread with large number of ldap grps |
|
|
SSH connections are not timed out on Standby ASA (stuck in rtcli) |
|
|
Standby ASA traceback in Thread Name:
EIGRP-IPv4 |
|
|
ASA: Traceback in Thread name
DATAPATH-7-1918 |
|
|
ASA 9.4.1 traceback upon clearing and
reconfiguring ACL |
|
|
Thread Name: DATAPATH-17-3095: ASA in Cluster Reloads
Unexpectedly |
|
|
Traceback in thread name: Unicorn Proxy Thread |
|
|
RSA 4096 key generation causes failover |
|
|
ASA: assertion "pp->pd == pd" failed: file
"main.c", line 192 |
|
|
CWS: ASA does not append XSS headers |
|
|
http-form authentication fails after 9.3.2 |
|
|
ASA traceback when using an ECDSA
certificate |
|
|
show memory indicates inaccurate free memory available |
|
|
PBR incorrect route selection for deny clause |
|
|
OSPF neighbor goes down after "reload in xx" commnad in 9.2 and later |
|
|
VPN connection may fail when using an ECDSA certificate |
|
|
ASA 9.1.6.10 traceback after remove
compact flash and execute dir cmd |
|
|
DAP URL-List Command Says It Supports 491 Characters; Only
Supports 245 |
|
|
ASA 9.4.2 traceback in DATAPATH |
|
|
ASA TCP normalizer checksum verification cannot be disabled |
|
|
PBR: Mem leak by snp_policy_based_route_lookup
in cluster mode |
|
|
Port-Channel Config on Gi 0/0 causes Boot Loop - FIPS related |
|
|
Cisco signed certificate expired for WebVpn
Port Forward Binary on ASA |
|
|
Evaluation of pix-asa for OpenSSL December 2015 Vulnerabilities |
|
|
"set connection timeout idle"
is not applied. |
|
|
ASA 9.5.1 traceback in Threadname Datapath due to SIP
Inspection |
|
|
DHCP Relay fails for cluster ASAs with long interface names |
|
|
ASA(9.5.2) changing the ACK number sent to client with SFR
redirection |
|
|
ASA L7 policy-map comes into affect only if the inspection is
re-applied |
|
|
Anyconnect IKEv2 with Host Scan can't connect with SSL disabled |
|
|
ASA showing Error as "(No such device)" while doing
write net |
|
|
WebVPN 'enable intf' with DHCP , CLI missing when ASA boots up |
|
|
ASA: Traceback on ASA device after
adding FQDN objects in NAT rule |
|
|
"show resource usage" gives
wrong number of routes after shut/no sh |
|
|
ASA TACACS+: process tacplus_snd uses
large percentage of CPU |
|
|
ASA 9.5 - OCSP check using global routing table instead of
management |
|
|
ASA Traceback on Thread Name: Unicorn
Admin Handler |
|
|
VLAN mapping doesn't work when connection falls back to TLS |
|
|
ASA traceback in Thread Name: https_proxy |
|
|
ASA traceback in DATAPATH thread |
|
|
Resolve CSCtz82865 - Equivalent of "show xlate count" command |
|
|
Uploaded/downloaded files via CIFS have Zero Byte size (same WebFolder) |
|
|
ASA traceback in Thread Name: Unicorn
Proxy Thread. |
|
|
Webvpn bookmark subtitles not visible |
|
|
ASA 5585 traceback when the User name
is mentioned in the Access list |
|
|
ASA Watchdog traceback in CP
Processing thread during TLS processing |
|
|
VPN Load-Balancing does not send load-balancing cert for IPv6
Address |
|
|
ASA 9.5.2 does not send CERT_REQ for 512-bit certificate |
|
|
Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt |
Revision: Version 9.5(2)5 – 02/23/2016
Files: asa952-5-smp-k8.bin
Defects resolved since 9.5(2)2:
|
SSL sessions stop processing -"Unable to create session
directory" error |
|
|
ASA WebVPN: Java RDP Plugin does not launch |
|
|
ASA Crashes and reloads citing Thread Name: idfw_proc |
|
|
OCSP validation fails when multiple certs in chain are verified |
Revision: Version 9.5(2)2 – 01/28/2016
Files: asa952-2-smp-k8.bin
Defects resolved since 9.5(2):
|
Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability |
|
|
|
Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability |
||