Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes that address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem that is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
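A practical check that follows from the structure of these notes: each interim is cumulative over the previous one in the same maintenance train (the "Defects resolved since" line names its predecessor), so the question "does the image I am running carry fix X?" reduces to parsing the revision headers, finding the interim that lists the defect, and comparing version strings of the form 9.1(7)32. The Python below is an added example written for this page, not Cisco tooling. It parses a constructed excerpt laid out the way this page is (titles wrapped across lines, each entry terminated by a "|" cell delimiter) and assumes only that the version string you take from the ASA is in the same 9.1(7)32 form. It treats the highest interim that lists a title as the required version, because this page re-lists some titles under a later interim when the first fix proved incomplete, and it refuses to answer across trains, since a 9.4(x) image has its own notes.

```python
"""Answer "does my running ASA image carry the fix for defect X?" from Cisco
ASA interim release notes in the layout used on this page (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abridged excerpt in the page's own layout (titles
# wrap across lines; each table cell ends with a trailing "|").
SAMPLE_NOTES = """\
Revision: Version 9.1(7)32 09/12/2018
Files: asa917-32-smp-k8.bin,
asa917-32-k8.bin
Defects resolved since 9.1(7)31:
Unable to perform write memory
on ASA |
Revision: Version 9.1(7)31 08/14/2018
Files: asa917-31-smp-k8.bin,
asa917-31-k8.bin
Defects resolved since 9.1(7)29:
Stale VPN Context entries cause
ASA to stop encrypting traffic despite fix for CSCup37416 |
|
Traceback on back-to-back 'clear
config all' when IKEv1 SA established |
Revision: Version 9.1(7)29 05/08/2018
Files: asa917-29-smp-k8.bin,
asa917-29-k8.bin
Defects resolved since 9.1(7)25:
Cisco Adaptive Security
Appliance WebVPN Cross-Site Scripting Vulnerability |
|
SSL handshake fails with large
certificate chain size |
"""

Version = Tuple[int, int, int, int]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")
REVISION_RE = re.compile(r"^Revision:\s+Version\s+(\S+)")


def parse_version(text: str) -> Version:
    """'9.1(7)32' -> (9, 1, 7, 32); a maintenance release '9.1(7)' -> (9, 1, 7, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def parse_notes(text: str) -> Dict[str, List[str]]:
    """Map each interim version to the defect titles listed under it."""
    fixes: Dict[str, List[str]] = {}
    current: Optional[str] = None
    in_defects = False
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REVISION_RE.match(line)
        if m:
            current, in_defects, buf = m.group(1), False, []
            fixes[current] = []
            continue
        if line.startswith("Defects resolved since"):
            in_defects = True          # the "Files:" lines before this are skipped
            continue
        if not in_defects or current is None or not line or line == "|":
            continue
        buf.append(line.rstrip("|").strip())
        if line.endswith("|"):         # a trailing "|" closes one cell = one defect
            fixes[current].append(" ".join(buf))
            buf = []
    return fixes


def required_version(fixes: Dict[str, List[str]], keyword: str) -> Optional[str]:
    """Highest interim whose list mentions keyword (case-insensitive). Highest,
    not lowest: a title re-listed under a later interim means the first fix
    was reworked, so the later image is the one to trust."""
    kw = keyword.lower()
    hits = [v for v, titles in fixes.items() if any(kw in t.lower() for t in titles)]
    return max(hits, key=parse_version) if hits else None


def has_fix(running: str, fixes: Dict[str, List[str]], keyword: str) -> Optional[bool]:
    """True/False for an image in the same maintenance train as the fix; None
    when these notes cannot answer (no matching title, or a different train
    such as 9.4(x), whose own release notes must be consulted)."""
    needed = required_version(fixes, keyword)
    if needed is None:
        return None
    have, need = parse_version(running), parse_version(needed)
    if have[:3] != need[:3]:
        return None
    return have >= need


if __name__ == "__main__":
    table = parse_notes(SAMPLE_NOTES)
    for ver in ("9.1(7)25", "9.1(7)29", "9.1(7)32", "9.4(4)"):
        print(ver, has_fix(ver, table, "WebVPN Cross-Site Scripting"))
```

Run it against the full text of this page rather than the excerpt to get the complete table; the keyword match is deliberately a substring test, so search for a distinctive phrase from the title (or a bug ID where one is quoted, such as CSCup37416) rather than a generic word like "traceback".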
Revision: Version 9.1(7)32 09/12/2018
Files: asa917-32-smp-k8.bin, asa917-32-k8.bin
Defects resolved since 9.1(7)31:
- Unable to perform write memory on ASA

Revision: Version 9.1(7)31 08/14/2018
Files: asa917-31-smp-k8.bin, asa917-31-k8.bin
Defects resolved since 9.1(7)29:
- Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416
- Traceback on back-to-back 'clear config all' when IKEv1 SA established
- ASA Traceback when saving/viewing the configuration due to time-range ACLs
- Stale VPN Context issue seen in 9.1 code despite fix for CSCvb29688
- webvpn: multiple rendering issues on Confluence and Jira applications
- ASA - Traceback while releasing a vpn context spin lock
- ASA 5525 running 9.8.2.20 memory exhaustion

Revision: Version 9.1(7)29 05/08/2018
Files: asa917-29-smp-k8.bin, asa917-29-k8.bin
Defects resolved since 9.1(7)25:
- ASA: Traceback by Thread Name idfw_proc
- Cisco Adaptive Security Appliance WebVPN Cross-Site Scripting Vulnerability
- SSL handshake fails with large certificate chain size
- ASA Traceback in Thread Name: Unicorn Proxy Thread
- Standby ASA traceback during replication from mate 9.2(4)27
- Memory leak on webvpn

Revision: Version 9.1(7)25 03/20/2018
Files: asa917-25-smp-k8.bin, asa917-25-k8.bin
Defects resolved since 9.1(7)23:
- 9.7.1 traceback in snp_fp_qos
- ASA traceback with Thread Name: fover_parse

Revision: Version 9.1(7)23 02/03/2018
Files: asa917-23-smp-k8.bin, asa917-23-k8.bin
Defects resolved since 9.1(7)21:
- Cisco Adaptive Security Appliance Denial of Service Vulnerability
- Memory leak in IKE for aggregate-auth

Revision: Version 9.1(7)21 01/05/2018
Files: asa917-21-smp-k8.bin, asa917-21-k8.bin
Defects resolved since 9.1(7)20:
- Legacy Cisco ASA 5500 may be vulnerable to a Bleichenbacher attack on TLS

Revision: Version 9.1(7)20 11/14/2017
Files: asa917-20-smp-k8.bin, asa917-20-k8.bin
Defects resolved since 9.1(7)19:
- Resolve any vulnerabilities in ASA/FTD lina Heimdal Kerberos code
- ASA 9.1(7)9 Traceback with %ASA-1-199010 and %ASA-1-716528 syslog messages
- print the thread name for non-crashing threads in crash info
- CTP after failed attempt sends the domain along with the username
- VTI - Some sessions do not get cleared from vpn-sessiondb
- ASA Portal Java plug-ins fail with the latest Java updates
- All 1700 "4 byte blocks" were depleted after a weekend VPN load test
- Regex is not matching for HTTP argument field
- ASA-5-720012: (VPN-Secondary) Failed to update IPSec failover runtime data in ASA cluster environment
- IKEv2 Remote Access client sessions stuck in Delete state
- ASA not sending register stop when mroute is configured
- ASA - 80 Byte memory block depletion
- Traceback in thread DATAPATH due to NAT
- ASA drops the IGMP Report packet which has Source IP address 0.0.0.0
- Cisco Adaptive Security Appliance Flow Creation Denial of Service Vulnerability
- ASA cluster intermittently drops IP fragments when NAT is involved
- Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

Revision: Version 9.1(7)19 08/15/2017
Files: asa917-19-smp-k8.bin, asa917-19-k8.bin
Defects resolved since 9.1(7)16:
- ASA should reply for ARP/IP Probe packets with SPA 0.0.0.0
- TP Auth fails when sub CA using RSA keys is signed by root using ECDSA
- ASA unable to add policy NAT which is overlapping with ip local pool
- ASA dropping packets with "novalid adjacency" though valid ARP entry avail
- ASA PKI OCSP failing - CRYPTO_PKI: failed to decode OCSP response data
- EZVPN NEM client can't reconnect after "no vpnclient enable" is entered
- Implement detection and auto-fix capability for scheduler corruption problems
- Traceback on thread name IKE Daemon at mqc_enable_qos_for_tunnel
- MIB object cempMemPoolHCUsed disappeared
- ASA 1550 block gradual depletion
- gzip compression not working via Webvpn
- ASA TCP SIP inspection translation not working when IP phone is behind VPN tunnel
- Insufficient TCP options validation at 2nd normalizer in tcp_norm_parse_ts
- Traceback in "Thread Name: IPsec message handler" on EZVPN client
- Cannot delete port-object once created under the Service object group in ASA 944
- ASA drops web traffic when IM inspection is enabled
- Cisco Adaptive Security Appliance Username Enumeration Information Disclosure Vulnerability
- ASA traceback in Thread name: idfw_proc on running "show access-list", while displaying remark
- RT#687120: Bookmark Issue with clientless VPN - SAML
- ASA: TLS-proxy - Traceback with thread name - Dispatch Unit
- DCERPC inspection drops packets and breaks communication
- Cisco Adaptive Security Appliance Authentication Denial of Service Vulnerability
- ASA traceback in Thread Name: accept/http when ASDM is displaying "Access Rules"
- ASA may traceback when changing a NAT related object to fqdn
- Traceback in Thread Name: Unicorn Admin Handler
- ASA: slow memory leak when using many DNS queries
- ASA may generate an assert traceback while modifying access-group
- ASA local dns resolution fails when dns server is reachable through a site to site ipsec tunnel
- Cisco Adaptive Security Appliance Authenticated Cross-Site Scripting Vulnerability
- ASA may drop DNS reply containing only additional RR of type TXT
- Slave should use CCL to forward traffic instead of blackholing when egress interface is down
- In multi-context ASA drops traffic sourced from certain ports when interface PAT is used
- Standby ASA not learning routes via RIP
- ASA 5585 failover secondary traceback on Thread name: idfw_proc
- Cisco Adaptive Security Appliance WebVPN Cross-Site Scripting Vulnerability
- ASA may traceback on displaying access-list config or saving running config
- ASA: IPv6 protocol X rule for passing through FW is dropping packets with Invalid IP length message
- vpn vlan mapping issue
- ASA 9.6.3 WebVPN Smart tunnel works but floods Windows event viewer
- Cisco Adaptive Security Appliance HREF Cross Site Scripting Vulnerability
- traceback in watchdog process

Revision: Version 9.1(7)16 04/03/2017
Files: asa917-16-smp-k8.bin, asa917-16-k8.bin
Defects resolved since 9.1(7)15:
- ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded'

Revision: Version 9.1(7)15 03/09/2017
Files: asa917-15-smp-k8.bin, asa917-15-k8.bin
Defects resolved since 9.1(7)13:
- ASA - to-the-box traffic breaks due to interface missing in asp table routing
- incorrect failover status for contexts via SNMP
- CWS redirection on ASA may corrupt sequence numbers with https traffic
- ASA traceback at Thread Name: rtcli async executor process
- viewer_dart.js file not loading correctly
- ASA matches incorrect ACL with object-group-search enabled
- ASA cluster TCP/SSL ports are not displayed in LISTEN state
- ASA multicontext disallowing new conns with TCP syslog unreachable and logging permit-hostdown set
- Implement speed improvements for ACL and NAT table compilation
- ASA traceback in Thread Name: ssh, rip igb_disable_rx_queues after no shutdown of interface
- Webvpn portal not displayed correctly for connections landing on default webvpn group
- ASA inspection-MPF ACL changes are not getting ordered correctly in the ASP Table
- ASA may traceback with Thread Name: Unicorn Admin Handler
- Reloading Active unit in Active/Standby ASA failover pair is not triggering a failover
- ikev2 handles get leaked in a L2L setup
- ASA incorrectly processing negative numbers in wrappers, resulting in graphical webvpn issue
- SIP: 200 OK messages with multiple segments not reassembled correctly
- Traceback in ASA Cluster Thread Name: qos_metric_daemon
- ASA nat pool not getting updated correctly
- ASA traceback and Reload on Config Sync Failure
- 1550-byte block depletion seen due to Radius Accounting packets
- ASA (9.1.7.12): Connection entries created for multicast streams through standby ASA
- L2TP connects only sometimes when DHCP used
- 5585 does not unbundle its data intfs for 30 seconds after leaving cluster
- ASA may traceback while loading a large context config during bootup

Revision: Version 9.1(7)13 02/08/2017
Files: asa917-13-smp-k8.bin, asa917-13-k8.bin
Defects resolved since 9.1(7)12:
- Cisco ASA Heap Overflow in Webvpn CIFS

Revision: Version 9.1(7)12 12/21/2016
Files: asa917-12-smp-k8.bin, asa917-12-k8.bin
Defects resolved since 9.1(7)11:
- IPv6 ACLs can be bypassed with crafted packets
- ASA IDFW Susceptible to RADIUS CoA Replay Vulnerability
- ASA classifies TCP packets as PAWS failure incorrectly
- CWS redirection on ASA may corrupt sequence numbers with https traffic
- Traceback in Unicorn Proxy Thread, in http_header_by_name
- After some time flash operations fail and configuration can not be saved
- ASA 9.1.7: IE 11 Clientless SSL VPN cannot login to CIFS share
- L2TP over IPSec can not be connected after disconnection from client
- http config missing in multicontext after reload of stdby 916.9 or later
- AnyConnect DTLS on-demand DPDs are not sent intermittently
- ASA 9.4.2.6 High CPU due to CTM message handler due to chip resets
- ASA: SIP Call Drops with PAT when same media port used in multiple calls
- Cisco ASA Input Validation File Injection Vulnerability
- ASA memory leak for CTS SGT mappings
- issuer-name falsely detecting duplicates in certificate map using attr
- ASA 5585-60 dropping out of cluster with traceback
- Enqueue failures on DP-CP queue may stall inspected TCP connection
- SIP: Address from Route: header not translated correctly
- H.323 inspection causes Traceback in Thread Name: CP Processing
- ASA Page fault traceback in Thread Name: DATAPATH
- Sweet32 Vulnerability in ASA's SSH Implementation
- Remove ACL warning messages in show access-list when FQDN is unresolved
- ASA Traceback in thread name CP Processing due to DCERPC inspection
- Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416
- Traceback: ASA with Threadname: DATAPATH-0-1790
- WebVPN: VNC plugin: Java: Connection reset by peer: socket write error
- Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback
- Lower NFS throughput rate on Cisco ASA platform
- ASA not sending Authen Session End log if user logs out manually
- IKEv2: It is NOT cleaning the sessions after disconnected from the client
- ASA traceback at Thread Name: rtcli
- Object-group-search redundant service group objects are incorrectly removed
- AAA session handle leak with IKEv2 when denied due to time range
- ASA fairly infrequently rewrites the dest MAC address of multicast packet for client
- ASA dropping traffic with TCP syslog configured in multicontext mode
- 4GE-SSM RJ45 interface may drop traffic due to interface "rate limit drops"
- WebVPN: Internal page login button not working through rewriter
- ASA drops DNS PTR Reply with reason Label length exceeded during rewrite
- ASA SIP inspection may delay transmission of 200 OK when embedded with NOTIFY
- ASA unable to add multiple attribute entries in a certificate map
- ASA traceback at Thread Name: sch_syslog
- ASA memory leak in CloneOctetString when using SNMP polling

Revision: Version 9.1(7)11 09/27/2016
Files: asa917-11-smp-k8.bin, asa917-11-k8.bin
Defects resolved since 9.1(7)9:
- ASA traceback on standby when SNMP polling
- ASA Traceback on 9.1.5.19
- ASA Traceback Assert in Thread Name: ssh_init with component ssh
- Incorrect modification of NAT divert table
- Commands not installed on Standby due to parser switch
- ASA with PAT fails to untranslate SIP Via field that doesn't contain port
- WebVPN caches incomplete downloads
- Traceback in Thread Name: ssh when issuing show tls-proxy session detail
- ASA drops ICMP request packets when ICMP inspection is disabled
- ASA stuck in boot loop due to FIPS Self-Test failure
- ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon
- ASA: CHILD_SA collision brings down IKEv2 SA
- OTP authentication is not working for clientless ssl vpn
- ASA Traceback when issuing 'show asp table classify domain permit'
- ASA traceback in ipsecvpn-crypto
- ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer
- ASA as DHCP relay drops DHCP 150 Inform message

Revision: Version 9.1(7)9 08/23/2016
Files: asa917-9-smp-k8.bin, asa917-9-k8.bin
Defects resolved since 9.1(7)7:
- Stale VPN Context entries cause ASA to stop encrypting traffic
- ASA memory leak related to Botnet
- ASA reloads with traceback in thread name DATAPATH or CP Processing
- Cisco ASA ACL ICMP Echo Request Code Filtering Vulnerability
- WebVPN: Webpage not fully rewritten when ASA has the same FQDN as srv
- ASA does not respond to NS in Active/Active HA
- IPv6 neighbor discovery packet processing behavior
- IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck
- Remove ACL warning messages in show access-list when FQDN is resolved
- Unexpected end of file logon.html in WebVPN
- ASA not rate limiting with DSCP bit set from the Server
- show service-policy output reporting incorrect values
- IPv6 OSPF routes do not update when a lower metric route is advertised
- ASA DATAPATH traceback (Cluster)
- Cisco ASA Cross Site Scripting SSLVPN Vulnerability
- ASA uses "::" for host IP addresses if booted with an improper config
- Cisco ASA SNMP Remote Code Execution Vulnerability

Revision: Version 9.1(7)7 06/13/2016
Files: asa917-7-smp-k8.bin, asa917-7-k8.bin
Defects resolved since 9.1(7)6:
- Password change page can be displayed without authentication
- ASA: Incorrect link status in show failover o/p with monitoring disabled
- Primary and Secondary ASA in HA traceback in Thread Name: DataPath
- DAP: debug dap trace not fully shown after +1600 lines
- ASA traceback while viewing large ACL
- Traceback in Thread: IPsec message handler
- ARP source IP sanity check against proxy-arp list
- Evaluation of pix-asa for OpenSSL March 2016
- ASA 9.1(6) traceback in webvpn-datapath: thread name "DATAPATH-2-1524"
- SIP call transfer fails due to differences b/w fixing CallId and Refer-To
- ASA AnyConnect IKEv2 scripts help customisations not served after reload
- ASA - Traceback in CP Processing Thread During Private Key Decryption
- AAA: RSA/SDI unable to set new PIN
- ASA clientless rewriter failure at 'CSCOPut_hash' function
- ENH: ASAv should have a different pre-loaded cert
- ASA 9.1.6.4 traceback with Thread Name: telnet/ci
- Active and Standby ASA use same MAC addr with only active MAC configured
- infinite loop in JS rewriter state machine when return followed by var
- ASA Traceback and reload by strncpy_sx.c
- 5585-10 traceback in Thread Name: idfw_proc
- Intranet page does not load via WebVPN with JavaScript errors
- CSCOPut_hash can initiate unexpected requests
- Traceback on editing a network object on exceeding the max snmp hosts
- ASA traceback when large ACL applied to interface with object-group-search
- ASA: Page Fault traceback in DATAPATH on standby ASA after booting up
- ASA capture type isakmp saving malformed ISAKMP packets
- WebVPN rewrite fails for MSCA Cert enrollment page / VBScript
- ASA memory leak due to vpnfo
- dynamic crypto map fails if named the same as static crypto map
- Evaluation of pix-asa for OpenSSL May 2016
- ASA Clientless SSLVPN HTTP URL Self Sanitizer Function Issues
- ASA Access-list missing and losing elements Warning Message enhancement
- ASA Cut-through Proxy inactivity timeout not working
- ASA Cluster fragments reassembled before transmission with no inspection
- ASA may Traceback with Thread Name: Unicorn Admin Handler
- ASA: SSH being denied on the ASA device as the maximum limit is reached
- ASA can't delete ACL lines and remarks - Specified remark does not exist
- ASA traceback with Thread Name: Dispatch Unit

Revision: Version 9.1(7)6 04/08/2016
Files: asa917-6-smp-k8.bin, asa917-6-k8.bin
Defects resolved since 9.1(7)4:
- Packet captures cause CPU spike on Multi-Core platforms due to spin_lock
- FIPS self test power on fails - fipsPostDrbgKat
- Error when same-security-traffic is deleted and added
- Traceback in Thread Name: ssh when using capture or continuous ping
- Watchdog traceback in ldap_client_thread with large number of ldap grps
- SSH connections are not timed out on Standby ASA (stuck in rtcli)
- Rewriter errors when accessing IEEE website search feature through portal
- ASA: Traceback in Thread name DATAPATH-7-1918
- Thread Name: DATAPATH-17-3095: ASA in Cluster Reloads Unexpectedly
- CWS: ASA does not append XSS headers
- ASA: Traceback in Checkheaps
- ASA traceback in Unicorn Proxy Thread
- ASA 9.1.6.10 traceback after removing compact flash and executing dir cmd
- ASA 9.4.2 traceback in DATAPATH
- ASA: Traceback with "clear conf router" on ASA Multiple Context
- ASA TCP normalizer checksum verification cannot be disabled
- Port-Channel Config on Gi 0/0 causes Boot Loop - FIPS related
- "set connection timeout idle" is not applied
- ASA IPSEC crypto map set df-bit copy-df/clear-df does not take effect
- WebVPN: Unable to play certain online videos
- ASA L7 policy-map comes into effect only if the inspection is re-applied
- Traffic drop due to constant amount of arp on ASASM
- Add Asynchronous support for DHCP proxy
- ASA TACACS+: process tacplus_snd uses large percentage of CPU
- ASA Traceback on Thread Name: Unicorn Admin Handler
- Nat pool exhausted observed when enabling asp transactional-commit nat
- DNS Reply Modification for Dual-Stack does not work as expected
- ASA traceback in Thread Name: https_proxy
- ASA traceback in DATAPATH thread
- ASA using a huge dynamic ACL may cause Anyconnect connectivity failures
- ASA traceback in Thread Name: Unicorn Proxy Thread
- ASA: MAC address changes on active context when WRITE STANDBY is issued
- Smart tunnel does not work since Firefox 32-bit version 43
- ASA 5585 traceback when the User name is mentioned in the Access list
- ASA Watchdog traceback in CP Processing thread during TLS processing
- STBY ASA doesn't pass traffic via ASA-IC-6GE-SFP-B ifc after reload
- Master shows slave interfaces as "up" when slave rejoining
- Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt
- ASA Access-list missing and losing elements after configuration change
- OCSP validation fails when multiple certs in chain are verified
- ASA reloads in thread name: DATAPATH while encrypting L2L packet
- ASA WebVPN: Java Exception with Kronos application
- inspect ip-option is not allowing "NOP" even when allowed
- Buffer overflow in RAMFS dirent structure causing traceback
- Traceback in thread name idfw when modifying object-group having FQDN
- Assert Traceback in Thread Name: DATAPATH on clustered packet reassembly
- original master not defending all GARP packets after cluster split brain
- ASA traceback when receiving Radius attribute with improper variable type

Revision: Version 9.1(7)4 02/19/2016
Files: asa917-4-smp-k8.bin, asa917-4-k8.bin
Defects resolved since 9.1(7):
- SSL sessions stop processing - "Unable to create session directory" error
- ASA WebVPN: Java RDP Plugin does not launch
- ASA traceback and reload citing Thread Name: idfw_proc
- ASA traceback in thread name snmp after upgrade to 9.1(7)
- ARP source IP sanity check against proxy-arp list

The following two bugs were included as fixes in the 9.1.7 MR release but were not previously disclosed (two distinct defects that carry the same title):
- Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability
- Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability