Cisco ASA Interim Release Notes

 

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

 

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

 

 

Revision: Version 9.1(7)20 11/14/2017

Files: asa917-20-smp-k8.bin, asa917-20-k8.bin

Defects resolved since 9.1(7)19:

 

CSCto19051

Resolve any vulnerabilities in ASA/FTD lina Heimdal Kerberos code

CSCvb53233

ASA 9.1(7)9 Traceback with %ASA-1-199010 and %ASA-1-716528 syslog messages

CSCvc18200

print the thread name for non-crashing threads in crash info

CSCvc61818

CTP after failed attempt sends the domain along with the username

CSCvd00293

VTI - Some sessions do not get cleared from vpn-sessiondb

CSCve20395

ASA Portal Java plug-ins fail with the latest Java updates

CSCve73025

All 1700 "4 byte blocks" were depleted after a weekend VPN load test.

CSCvf01873

Regex is not matching for HTTP argument field

CSCvf16142

ASA-5-720012:(VPN-Secondary)Failed to update IPSec failover runtime data in ASA cluster environment

CSCvf16429

Ikev2 Remote Access client sessions stuck in Delete state

CSCvf28749

ASA not sending register stop when mroute is configured

CSCvf54981

ASA - 80 Byte memory block depletion

CSCvf61419

Traceback in thread DATAPATH due to NAT

CSCvf63108

ASA drops the IGMP Report packet which has Source IP address 0.0.0.0

CSCvf89504

ASA cluster intermittently drop IP fragments when NAT is involved

 

 

Revision: Version 9.1(7)19 08/15/2017

Files: asa917-19-smp-k8.bin, asa917-19-k8.bin

Defects resolved since 9.1(7)16:

 

CSCtq82053

ASA should reply for ARP/IP Probe packets with SPA 0.0.0.0

CSCuv11963

TP Auth fails when sub CA using RSA keys is signed by root using ECDSA

CSCux70993

ASA unable to add policy NAT which is overlapping with ip local pool

CSCuz72137

ASA dropping packets with "novalid adjacency" though valid ARP entry avail

CSCvb38522

ASA PKI OCSP failing - CRYPTO_PKI: failed to decode OCSP response data.

CSCvb75685

EZVPN NEM client can't reconnect after "no vpnclient enable" is entered

CSCvc07112

Implement detection and auto-fix capability for scheduler corruption problems

CSCvc24380

Traceback on thread name IKE Daemon at mqc_enable_qos_for_tunnel

CSCvc24657

MIB object cempMemPoolHCUsed disappeared

CSCvc82270

ASA 1550 block gradual depletion

CSCvc83462

gzip compression not working via Webvpn

CSCvd01130

ASA TCP SIP inspection translation not working when IP phone is behind VPN tunnel

CSCvd10251

Insufficient TCP options validation at 2nd normalizer in tcp_norm_parse_ts

CSCvd20013

Traceback in "Thread Name: IPsec message handler" on EZVPN client

CSCvd21541

Cannot delete port-object once created under the Service object group in ASA 944

CSCvd24066

ASA drops web traffic when IM inspection is enabled.

CSCvd47888

Cisco Adaptive Security Appliance Username Enumeration Information Disclosure Vuln.

CSCvd50107

ASA traceback in Thread name: idfw_proc on running "show access-list", while displaying remark

CSCvd50389

RT#687120: Bookmark Issue with clientless VPN - SAML

CSCvd54680

ASA: TLS-proxy - Traceback with thread name - Dispatch Unit

CSCvd58417

DCERPC inspection drops packets and breaks communication

CSCvd59063

Cisco Adaptive Security Appliance Authentication Denial of Service Vulnerability

CSCvd62509

ASA traceback in Thread Name: accept/http when ASDM is displaying "Access Rules"

CSCvd65797

ASA May traceback when changing a NAT related object to fqdn

CSCvd68518

Traceback in Thread Name: Unicorn Admin Handler

CSCvd71473

ASA: slow memory leak when using many DNS queries

CSCvd77893

ASA may generate an assert traceback while modifying access-group

CSCvd79797

ASA local dns resolution fails when dns server is reachable through a site to site ipsec tunnel

CSCvd82064

Cisco Adaptive Security Appliance Authenticated Cross-Site Scripting Vulnerability

CSCvd99859

ASA may drop DNS reply containing only additional RR of type TXT

CSCve04326

Slave should use CCL to forward traffic instead of blackholing when egress interface is down

CSCve08947

In multi-context ASA drops traffic sourced from certain ports when interface PAT is used

CSCve14758

Standby ASA not learning routes via RIP

CSCve16198

ASA 5585 failover secondary traceback on Thread name: idfw_proc

CSCve19179

Cisco Adaptive Security Appliance WebVPN Cross-Site Scripting Vulnerability

CSCve23784

ASA may traceback on displaying access-list config or saving running config

CSCve42583

ASA: IPv6 protocol X rule for passing through FW is dropping packets with Invalid IP length message

CSCve57150

vpn vlan mapping issue

CSCve78986

ASA/ 9.6.3 // WebVPN Smart tunnel works but floods windows with event viewer

CSCve91068

Cisco Adaptive Security Appliance HREF Cross Site Scripting Vulnerability

CSCvf41547

traceback in watchdog process

 

 

Revision: Version 9.1(7)16 04/03/2017

Files: asa917-16-smp-k8.bin, asa917-16-k8.bin

Defects resolved since 9.1(7)15:

 

CSCvd78303

ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded'

 

 

Revision: Version 9.1(7)15 03/09/2017

Files: asa917-15-smp-k8.bin, asa917-15-k8.bin

Defects resolved since 9.1(7)13:

 

CSCut07712

ASA - TO the box traffic break due to int. missing in asp table routing

CSCut09459

incorrect failover status for contexts via SNMP

CSCuv61791

CWS redirection on ASA may corrupt sequence numbers with https traffic

CSCva31378

ASA traceback at Thread Name: rtcli async executor process

CSCvb52157

viewer_dart.js file not loading correctly

CSCvb92548

ASA matches incorrect ACL with object-group-search enabled

CSCvc05005

ASA cluster TCP/SSL ports are not displayed on LISTEN state

CSCvc14502

ASA multicontext disallowing new conns with TCP syslog unreachable and logging permit-hostdown set

CSCvc33796

Implement speed improvements for ACL and NAT table compilation

CSCvc36535

ASA traceback in Thread Name: ssh, rip igb_disable_rx_queues after no shutdown of interface

CSCvc52072

Webvpn portal not displayed correctly for connections landing on default webvpn group.

CSCvc52272

ASA inspection-MPF ACL changes are not getting ordered correctly in the ASP Table

CSCvc52504

ASA may traceback with Thread Name: Unicorn Admin Handler

CSCvc52879

Reloading Active unit in Active/Standby ASA failover pair is not triggering a failover.

CSCvc55974

ikev2 handles get leaked in a L2L setup

CSCvc58272

ASA incorrectly processing negative numbers in wrappers, resulting in graphical webvpn issue

CSCvc60254

SIP: 200 OK messages with multiple segments not reassembled correctly

CSCvc62556

Traceback in ASA Cluster Thread Name: qos_metric_daemon

CSCvc79371

ASA nat pool not getting updated correctly.

CSCvc87914

ASA traceback and Reload on Config Sync Failure

CSCvc88411

1550-byte block depletion seen due to Radius Accounting packets

CSCvc93947

ASA(9.1.7.12):Connection entries created for multicast streams through standby ASA.

CSCvd01736

L2TP connects only sometimes when DHCP used

CSCvd21154

5585 does not unbundle its data intfs for 30 seconds after leaving cluste

CSCvd23471

ASA may traceback while loading a large context config during bootup

 

 

Revision: Version 9.1(7)13 02/08/2017

Files: asa917-13-smp-k8.bin, asa917-13-k8.bin

Defects resolved since 9.1(7)12:

 

CSCvc23838

Cisco ASA Heap Overflow in Webvpn CIFS

 

 

Revision: Version 9.1(7)12 12/21/2016

Files: asa917-12-smp-k8.bin, asa917-12-k8.bin

Defects resolved since 9.1(7)11:

 

CSCtz88975

IPv6 ACLs can be bypassed with crafted packets

CSCuj45332

ASA IDFW Susceptible to RADIUS CoA Replay Vulnerability

CSCuq80704

ASA classifies TCP packets as PAWS failure incorrectly

CSCuv61791

CWS redirection on ASA may corrupt sequence numbers with https traffic

CSCuw71147

Traceback in Unicorn Proxy Thread, in http_header_by_name

CSCuw95262

After some time flash operations fail and configuration can not be saved

CSCux29678

ASA 9.1.7: IE 11 Clientless SSL VPN cannot login to CIFS share

CSCuy43438

L2TP over IPSec can not be connected after disconnection from client.

CSCuy47545

http config missing in multicontext after reload of stdby 916.9 or later

CSCuy89288

AnyConnect DTLS on-demand DPDs are not sent intermittently

CSCva00190

ASA 9.4.2.6 High CPU due to CTM message handler due to chip resets

CSCva22048

ASA: SIP Call Drops with PAT when same media port used in multiple calls

CSCva38556

Cisco ASA Input Validation File Injection Vulnerability

CSCva85382

ASA memory leak for CTS SGT mappings

CSCva90419

issuer-name falsely detecting duplicates in certificate map using attr

CSCva92975

ASA 5585-60 dropping out of cluster with traceback

CSCva94702

Enqueue failures on DP-CP queue may stall inspected TCP connection

CSCva98240

SIP: Address from Route: header not translated correctly

CSCvb05667

H.323 inspection causes Traceback in Thread Name: CP Processing

CSCvb15265

ASA Page fault traceback in Thread Name: DATAPATH

CSCvb20256

Sweet32 Vulnerability in ASA's SSH Implementation

CSCvb21922

Remove ACL warning messages in show access-list when FQDN is unresolved

CSCvb22435

ASA Traceback in thread name CP Processing due to DCERPC inspection

CSCvb29688

Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416

CSCvb31833

Traceback : ASA with Threadname: DATAPATH-0-1790

CSCvb32297

WebVPN:VNC plugin:Java:Connection reset by peer: socket write error

CSCvb36199

Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback

CSCvb39147

Lower NFS throughput rate on Cisco ASA platform

CSCvb40847

ASA not sending Authen Session End log if user logs out manually

CSCvb49445

IKEv2: It is NOT cleaning the sessions after disconnected from the client.

CSCvb50301

ASA traceback at Thread Name: rtcli

CSCvb58087

Object-group-search redundant service group objects are incorrectly removed

CSCvb63503

AAA session handle leak with IKEv2 when denied due to time range

CSCvb64161

ASA fairly infrequently rewrites the dest MAC address of multicast packet for client

CSCvb74249

ASA dropping traffic with TCP syslog configured in multicontext mode

CSCvb78614

4GE-SSM RJ45 interface may drop traffic due to interface "rate limit drops"

CSCvb89988

WebVPN: Internal page login button not working through rewriter

CSCvb92125

ASA drops DNS PTR Reply with reason Label length exceeded during rewrite

CSCvb92823

ASA SIP inspection may delay transmission of 200 OK when embedded with NOTIFY

CSCvc06150

ASA unable to add multiple attribute entries in a certificate map

CSCvc19318

ASA traceback at Thread Name: sch_syslog

CSCvc25409

ASA memory leak in CloneOctetString when using SNMP polling

 

 

Revision: Version 9.1(7)11 09/27/2016

Files: asa917-11-smp-k8.bin, asa917-11-k8.bin

Defects resolved since 9.1(7)9:

 

CSCum74032

ASA traceback on standby when SNMP polling

CSCuu50708

ASA Traceback on 9.1.5.19

CSCux92157

ASA Traceback Assert in Thread Name: ssh_init with component ssh

CSCuz16398

Incorrect modification of NAT divert table.

CSCuz44968

Commands not installed on Standby due to parser switch

CSCuz92074

ASA with PAT fails to untranslate SIP Via field that doesn't contain port

CSCva41711

WebVPN caches incomplete downloads

CSCva46920

Traceback in Thread Name: ssh when issuing show tls-proxy session detail

CSCva68987

ASA drops ICMP request packets when ICMP inspection is disabled

CSCva69799

ASA stuck in boot loop due to FIPS Self-Test failure

CSCva77852

ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon

CSCva84635

ASA: CHILD_SA collision brings down IKEv2 SA

CSCva87160

OTP authentication is not working for clientless ssl vpn

CSCva90806

ASA Traceback when issue 'show asp table classify domain permit'

CSCvb14664

ASA traceback in ipsecvpn-crypto

CSCvb14997

ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer

CSCvb19251

ASA as DHCP relay drops DHCP 150 Inform message

 

 

Revision: Version 9.1(7)9 08/23/2016

Files: asa917-9-smp-k8.bin, asa917-9-k8.bin

Defects resolved since 9.1(7)7:

 

CSCup37416

Stale VPN Context entries cause ASA to stop encrypting traffic

CSCux17527

ASA memory leak related to Botnet

CSCux98029

ASA reloads with traceback in thread name DATAPATH or CP Processing

CSCuy25163

Cisco ASA ACL ICMP Echo Request Code Filtering Vulnerability

CSCuz06499

WebVPN: Webpage not fully rewritten when ASA has the same FQDN as srv

CSCuz09255

ASA does not respond to NS in Active/Active HA

CSCuz80281

IPv6 neighbor discovery packet processing behavior

CSCuz94862

IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck

CSCva00939

Remove ACL warning messages in show access-list when FQDN is resolved

CSCva01570

Unexpected end of file logon.html in WebVPN

CSCva02817

ASA not rate limiting with DSCP bit set from the Server

CSCva03607

show service-policy output reporting incorrect values

CSCva16471

IPv6 OSPF routes do not update when a lower metric route is advertised

CSCva35439

ASA DATAPATH traceback (Cluster)

CSCva36884

Cisco ASA Cross Site Scripting SSLVPN Vulnerability

CSCva50554

ASA uses "::" for host IP addresses if booted with an improper config

CSCva92151

Cisco ASA SNMP Remote Code Execution Vulnerability

 

 

Revision: Version 9.1(7)7 06/13/2016

Files: asa917-7-smp-k8.bin, asa917-7-k8.bin

Defects resolved since 9.1(7)6:

 

CSCuh99564

Password change page can be displayed without authentication

CSCuq47035

ASA:Incorrect link status in show failover o/p with monitoring disabled

CSCux29842

Primary and Secondary ASA in HA is traceback in Thread Name:DataPath

CSCux58172

DAP: debug dap trace not fully shown after +1600 lines

CSCux70784

ASA traceback while viewing large ACL

CSCuy00296

Traceback in Thread: IPsec message handler

CSCuy28710

ARP source IP sanity check against proxy-arp list

CSCuy54567

Evaluation of pix-asa for OpenSSL March 2016

CSCuy63642

ASA 9.1(6) traceback in webvpn-datapath : thread name "DATAPATH-2-1524"

CSCuy67333

SIP call transfer fail due to differences b/w fixing CallId and Refer-To

CSCuy74593

ASA AnyConnect IKEv2 scripts help customisations not served after reload

CSCuy87597

ASA - Traceback in CP Processing Thread During Private Key Decryption

CSCuy89425

AAA: RSA/SDI unable to set new PIN

CSCuy96391

ASA clientless rewriter failure at 'CSCOPut_hash' function

CSCuy99280

ENH: ASAv should have a different pre-loaded cert

CSCuz00077

ASA 9.1.6.4 traceback with Thread Name: telnet/ci

CSCuz06125

Active and Standby ASA use same MAC addr with only active MAC configured

CSCuz09394

infinite loop in JS rewriter state machine when return followed by var

CSCuz10371

ASA Traceback and reload by strncpy_sx.c

CSCuz14808

5585-10 traceback in Thread Name: idfw_proc

CSCuz18707

Intranet page does not load via WebVPN with JavaScript errors

CSCuz21068

CSCOPut_hash can initiate unexpected requests

CSCuz36938

Traceback on editing a network object on exceeding the max snmp hosts

CSCuz38115

ASA Tback when large ACL applied to interface with object-group-search

CSCuz38180

ASA: Page Fault traceback in DATAPATH on standby ASA after booting up

CSCuz38703

ASA capture type isakmp saving malformed ISAKMP packets

CSCuz38888

WebVPN rewrite fails for MSCA Cert enrollment page / VBScript

CSCuz40081

ASA memory leak due to vpnfo

CSCuz41033

dynamic crypto map fails if named the same as static crypto map

CSCuz52474

Evaluation of pix-asa for OpenSSL May 2016

CSCuz54357

ASA Clientless SSLVPN HTTP URL Self Sanitizer Function Issues

CSCuz58142

ASA Access-list missing and losing elements Warning Message enhancement

CSCuz66661

ASA Cut-through Proxy inactivity timeout not working

CSCuz67349

ASA Cluster fragments reassembled before transmission with no inspection

CSCuz67596

ASA may Traceback with Thread Name: Unicorn Admin Handler

CSCuz70330

ASA: SSH being denied on the ASA device as the maximum limit is reached

CSCuz79800

ASA can't delete ACL lines and remarks - Specified remark does not exist

CSCuz98220

ASA traceback with Thread Name: Dispatch Unit

 

 

Revision: Version 9.1(7)6 04/08/2016

Files: asa917-6-smp-k8.bin, asa917-6-k8.bin

Defects resolved since 9.1(7)4:

 

CSCtw90511

Packet captures cause CPU spike on Multi-Core platforms due to spin_lock

CSCum70304

FIPS self test power on fails - fipsPostDrbgKat

CSCup93708

Error when same-security-traffic is deleted and added

CSCuv20449

Traceback in Thread Name: ssh when using capture or continuous ping

CSCuw44038

Watchdog traceback in ldap_client_thread with large number of ldap grps

CSCuw51576

SSH connections are not timed out on Standby ASA (stuck in rtcli)

CSCuw59382

Rewriter errors when access IEEE website search feature through portal

CSCuw87331

ASA: Traceback in Thread name DATAPATH-7-1918

CSCuw92005

Thread Name: DATAPATH-17-3095: ASA in Cluster Reloads Unexpectedly

CSCux08783

CWS: ASA does not append XSS headers

CSCux08838

ASA: Traceback in Checkheaps

CSCux11440

ASA traceback in Unicorn Proxy Thread

CSCux23659

ASA 9.1.6.10 traceback after remove compact flash and execute dir cmd

CSCux29929

ASA 9.4.2 traceback in DATAPATH

CSCux34679

ASA: Traceback with "clear conf router" on ASA Multiple Context

CSCux35272

ASA TCP normalizer checksum verification cannot be disabled

CSCux37303

Port-Channel Config on Gi 0/0 causes Boot Loop - FIPS related

CSCux41622

"set connection timeout idle" is not applied.

CSCux41876

ASA IPSEC crypto map set df-bit copy-df/clear-df does not take effect

CSCux55923

WebVPN: Unable to play certain online videos

CSCux59122

ASA L7 policy-map comes into effect only if the inspection is re-applied

CSCux66866

Traffic drop due to constant amount of arp on ASASM

CSCux70812

Add Asynchronous support for DHCP proxy

CSCux72610

ASA TACACS+: process tacplus_snd uses large percentage of CPU

CSCux81683

ASA Traceback on Thread Name: Unicorn Admin Handler

CSCux82835

Nat pool exhausted observed when enabling asp transactional-commit nat

CSCux83705

DNS Reply Modification for Dual-Stack does not work as expected

CSCux87457

ASA traceback in Thread Name: https_proxy

CSCux88237

ASA traceback in DATAPATH thread

CSCux94598

ASA using a huge dynamic ACL may cause Anyconnect connectivity failures

CSCuy01420

ASA traceback in Thread Name: Unicorn Proxy Thread.

CSCuy05949

ASA: MAC address changes on active context when WRITE STANDBY is issued

CSCuy07753

Smart tunnel does not work since Firefox 32bit version 43

CSCuy11905

ASA 5585 traceback when the User name is mentioned in the Access list

CSCuy13937

ASA Watchdog traceback in CP Processing thread during TLS processing

CSCuy21287

STBY ASA doesn't pass traffic via ASA-IC-6GE-SFP-B ifc after reload

CSCuy25445

Master shows slave interfaces as "up" when slave rejoining

CSCuy32321

Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt

CSCuy34265

ASA Access-list missing and losing elements after configuration change

CSCuy41986

OCSP validation fails when multiple certs in chain are verified

CSCuy43839

ASA reloads in thread name: DATAPATH while encrypting L2L packet

CSCuy43857

ASA WebVPN: Java Exception with Kronos application

CSCuy49902

inspect ip-option is not allowing "NOP" even when allowed

CSCuy51918

Buffer overflow in RAMFS dirent structure causing traceback

CSCuy73652

Traceback in thread name idfw when modifying object-group having FQDN

CSCuy74218

Assert Traceback in Thread Name: DATAPATH on clustered packet reassembly

CSCuy78802

original master not defending all GARP packets after cluster split brain

CSCuy85243

ASA traceback when receive Radius attribute with improper variable type

 

 

Revision: Version 9.1(7)4 02/19/2016

Files: asa917-4-smp-k8.bin, asa917-4-k8.bin

Defects resolved since 9.1(7):

 

CSCux45179

SSL sessions stop processing -"Unable to create session directory" error

CSCux85725

ASA WebVPN: Java RDP Plugin does not launch

CSCuy03024

ASA traceback and reload citing Thread Name: idfw_proc

CSCuy27428

ASA traceback in thread name snmp after upgrade to 9.1(7)

CSCuy28710

ARP source IP sanity check against proxy-arp list

 

 

The following two bugs were included as fixes in the 9.1.7 MR release but were not previously disclosed.

 

CSCux29978

Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability

 

CSCux42019

Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability