Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Caution: If you are using CSM, and you upgrade to ASA Version 9.6(4)24 or later, then you must upgrade CSM to Version 4.19 or later. Earlier versions of CSM are not compatible.
Revision: Version 9.6(4)45 – 09/16/2020
Files: asa964-45-smp-k8.bin
Defects resolved since 9.6(4)42:
show inventory (or) "show environment" on ASA 5515/5525/5545/5555 shows up Driver/ioctl error logs
VPN-sessiondb does not replicate to standby ASA
Cisco Firepower Threat Defense Software TCP Flood Denial of Service Vulnerability
9.12.2.151 snp_cluster_ingress traceback on FPR9300 3-node cluster nested VLAN traffic
Cisco Firepower Threat Defense Software Inline Pair/Passive Mode DoS Vulnerability
Cisco ASA and FTD WebVPN CRLF Injection Vulnerability
Cisco ASA and FTD Web Services File Upload Denial of Service Vulnerability
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
Cisco Adaptive Security Appliance Software and Firepower Threat Defense OSPFv2 DoS
Cisco ASA and FTD Software SIP Denial of Service Vulnerability
Cisco ASA Software and FTD Software Web Services Cross-Site Scripting Vulnerability
Cisco ASA and FTD Software SSL/TLS Session Denial of Service Vulnerability
Cisco Adaptive Security Appliance Software and Firepower Threat Defense SSL VPN DoS
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities
Cisco ASA Software and FTD Software WebVPN Portal Access Rule Bypass Vulnerability
Smart license - Security Contexts count not matching Between Active and Standby Units 9.6.3.17
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities
Cisco ASA Software Web-Based Management Interface Reflected Cross-Site Scripting Vulnerabi
ASA stops processing RIP packets after system upgrade
Revision: Version 9.6(4)42 – 07/22/2020
Files: asa964-42-smp-k8.bin
Defects resolved since 9.6(4)41:
Cisco ASA Local File Reading Vulnerability
Revision: Version 9.6(4)41 – 05/06/2020
Files: asa964-41-smp-k8.bin
Defects resolved since 9.6(4)40:
Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability
Revision: Version 9.6(4)40 – 02/24/2020
Files: asa964-40-smp-k8.bin
Defects resolved since 9.6(4)36:
UDP flood causes Lina to run out of memory if blocked
Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability
Need to add inactivity timer for aware server sockets
Cisco ASA and FTD Software Path Traversal Vulnerability
ASA/FTD may traceback and reload in Thread Name ‘PTHREAD-1533’
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
Cisco ASA and Cisco FTD Malformed OSPF Packets Processing Denial of Service Vulnerability
Revision: Version 9.6(4)36 – 11/19/2019
Files: asa964-36-smp-k8.bin
Defects resolved since 9.6(4)34:
ASA Stops Accepting Anyconnect Sessions/Terminates Connections Right After Successful SSL handshake
segfault in ctm_ipsec_pfkey_parse_msg at ctm_ipsec_pfkey.c:602
OSPF Process ID doesnot change even after clearing OSPF process
Watchdog traceback due to lina_host_file_stat calls
OpenSSL 0-byte Record Padding Oracle Information Disclosure Vulnerability
ASA Memory Leak - snp_svc_insert_dtls_session
OSPFv3 neighborship is flapping every ~30 minutes
When only IP communication is disrupted on failover link LANTEST msg is not sent on data interfaces
ASA5515-K9 standby traceback in Thread Name ssh
ASA Traceback on Saleen in Thread Name: IPv6 IDB
Traceback: Cluster unit lina assertion in thread name:Cluster controller
ASA cluster does not flush OSPF routes
Cisco VPN session replay vulnerability : STRAP fix on ASA for SSL(OpenSSL 1.0.2) and SCEP proxy
Management interface configuration leads to immediate traceback and reload
ASA:BGP recursive route lookup for destination 3 hop away is failing.
Cannot add neighbor in BGP when the neighbor is on the same subnet as one interface
Active device is not reporting correct peer state.
WRL6 and WRL8 commit id update in CCM layer (sprint 67)
Cisco ASA and FTD Software IPv6 DNS Denial of Service Vulnerability
ASA: VPN traffic fails to take the tunnel route when the default route is learnt over BGP.
ASA may traceback on display_hole_og
FTD/LINA Standby may traceback and reload during logging command replication from Active
App-sync failure if unit tries to join HA during policy deployment
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability
Revision: Version 9.6(4)34 – 08/27/2019
Files: asa964-34-smp-k8.bin
Defects resolved since 9.6(4)30:
Multi-context - IKEv2 SA fail to establish
show environment output is incomplete and may show "Error displaying driver status"
reload command does not work properly on ASAv
Bonita BPM app's web pages access fail via webvpn
ASA WebVPN - incorrect rewriting for SAP Netweaver
Port-Channel issues on HA link
SDI - SUSPENDED servers cause 15sec delay in the completion of a authentication with a good server
ASA Enhancement: Generate syslog message once member of the SDI cluster changes state
Traceback in VPN Clustering HA timer thread when member tries to join the cluster
ASA traceback in thread SSH
management-only of diagnostic I/F on secondary FTD get disappeared
Cisco ASA Software and FTD Software FTP Inspection Denial of Service Vulnerability
Simultaneous FINs on flow-offloaded flows lead to stale conns
ASA traceback and reload observed in Datapath due to SIP inspection.
Cisco ASA Software and FTD Software MGCP Denial of Service Vulnerabilities
Cisco ASA Software and FTD Software MGCP Denial of Service Vulnerabilities
Unable to process gtpv1 identification req message for header TEID : 0
ASA drops GTPV1 SGSN Context Req message with header TEID:0
Cisco ASA and Firepower Threat Defense Software WebVPN Cross-Site Scripting Vulnerability
ASA sends invalid redirect response for POST request
DHCP NACK silently dropped by ASA sent from DHCP server if configured as DHCP relay
Cisco ASA Software and FTD Software OSPF LSA Processing Denial of Service Vulnerability
LINA traceback on ASA in HA Active Unit repeatedly
IP Address stuck in local pool and showing as "In Use" even when the AnyConnect client disconnects
Thread Name: CP DP SFR Event Processing traceback
ASA Failover split brain (both units active) after rebooting a Firepower chassis
Cisco ASA and FTD Software WebVPN CPU Denial of Service Vulnerability
Unsupported runtime JavaScript exception handling in the client side WebVPN rewriter
ASA 9.9.2 Clientless WebVPN - HTML entities are incorrectly decoded when processing HTML
Firepower 4100 connection counts mismatch between active and standby ASA
Executing 'failover' twice on active unit, clears interface configuration on standby unit
LINA Traceback after upgrade to 9.12.2.1
Traceback: "saml identity-provider" command will crash multi-context ASAs
When deleting context the ssh key-exchange goes to Default GLOBALLY!
ssl trust-point command will be removed when restoring backup via CLI
Watchdog on ASAv when logging to buffer
GTP response messages with non existent cause are getting dropped with error message TID is 0
ENH: ASA Cluster debug for syn cookie issues
FTD/ASA : Traceback in Datapath with assert snp_tcp_intercept_assert_disabled
Connections fail to replicate in failover due to failover descriptor mis-match on port-channels
ASA generates incorrect error message about PCI cfg space when enumerating Internal-Data0/1
Revision: Version 9.6(4)30 – 05/24/2019
Files: asa964-30-smp-k8.bin
Defects resolved since 9.6(4)29:
Traceback on Thread Name: DATAPATH-2-1785
ASA IKEv2 unable to open aaa session: session limit [2048] reached
OSPF Route may become stale and stuck in the routing table after failover events
ASA is getting traceback with reboot only on Spyker aftr shutdown SFR module
Linux Kernel cdrom_ioctl_media_changed Function Kernel Memory Read Vul
ASA Traceback (watchdog timeout) when syncing config from active unit (inc. cachefs_umount)
ASA is stuck on "reading from flash" for several hours
FTD Lina traceback while removing OSPF configuration.
Route tracking failure
ASA traceback on slave/standby during sync config due to OSPF/EIGRP and IPv6 used together in ACE
FTD: Routing tables added by ICMP redirects gets stuck in routing table cache forever
Traceback in Firepower 4120
The 'show memory' CLI output is incorrect on ASAv
ACL Unable to configure an ACL after access-group configuration error
Computing Processor PortSmash Side-Channel Information Disclosure Vuln
Graceful Restart BGP does not work intermittently
ASA Multicontext traceback and reload due to allocate-interface out of range command
Deployment on FTD with low memory results on interface nameif to be removed
Deploy from FMC fails due to OOM with no indication of why
DHCPRelay does not consume DHCP Offer packet with Unicast flag
EIGRP breaks when new sub-interface is added and "mac-address auto" is enabled
Traceback in threadname DATAPATH-0-1668 while freeing memory block
ASA SCP transfer to box stall mid-transfer
VPN sessions failing due to PKI handles not freed during rekeys
Cisco Adaptive Security Appliance Software Secure Copy Denial of Service Vulnerability
ASA traceback and reloads when issuing "show inventory" command
ASA Traceback and reload while running IKE Debug
ASA: BGP routes is cleared on routing table after failover occur and bgp routes are changed
Traceback and reload citing Datapath as affected thread
Enhancement: add counter for Duplicate remote proxy
ASA may traceback and reload. Potentially related to WebVPN traffic
Standby Firewall reloads with a traceback upon doing a manual failover
HTTP with ipv6 using w3m is failing
ASA unable to authenticate users with special characters via https
Memory leak while inspecting GTP traffic
ASA may traceback and reload. suspecting webvpn related
ASA: Watchdog traceback in Datapath
FTD lina cored with Thread name: cli_xml_server
Random SGT tags added by FTD
established tcp does not work post 9.6.2
Revision: Version 9.6(4)29 – 05/10/2019
Files: asa964-29-smp-k8.bin
Defects resolved since 9.6(4)25:
SSP-NTP: ssp-ntp script monitoring script enhancements for XRU, KP
Clock sync issue on ASA with FXOS
ASA 5506/5508/5516 traceback in Thread Name octnic_hm_thread
Revision: Version 9.6(4)25 – 04/08/2019
Files: asa964-25-smp-k8.bin
Defects resolved since 9.6(4)24:
Smart Tunnel bookmarks don't work after upgrade giving certificate error
Revision: Version 9.6(4)24 – 03/28/2019
Files: asa964-24-smp-k8.bin
Defects resolved since 9.6(4)23:
ASA scansafe connector takes too long to failover to secondary CWS Tower
ASA traceback and reload when trying to switch from ACTIVE to STANDBY. Thread Name: fover_FSM_thread
Revision: Version 9.6(4)23 – 03/04/2019
Files: asa964-23-smp-k8.bin
Defects resolved since 9.6(4)22:
Unable to remove access-list with 'log default' keyword
Revision: Version 9.6(4)22 – 02/28/2019
Files: asa964-22-smp-k8.bin
Defects resolved since 9.6(4)20:
Support for more than 255 characters for Split DNS value
FTD Diagnostic Interface does Proxy ARP for br1 management subnet
Traceback in DATAPATH on standby FTD
Cisco Adaptive Security Appliance Software Cross-site Request Forgery Vulnerability
Active FTP Data transfers fail with FTP inspection and NAT
SSH session stuck after committing changes within a Configure Session.
ASA CP core pinning leads to exhaustion of core-local blocks
ENH: Addition of 'show fragment' to 'show tech' output
ENH: Addition of 'show aaa-server' to 'show tech' output
CSCvk44166: Cisco ASA and FTD TCP Proxy Denial of Service Vulnerability
ERROR: The entitlement is already acquired while the configuration is cached.
GTP inspection should not process TCP packets
FTD IPV6 traffic outage after interface edit and deployment part 1/2
Qos applied on interfaces doesn't work.
Standby unit sending BFD packets with active unit IP, causing BGP neighborship to fail.
Initiating write net command with management access for BVI interfaces does not succeed
HA failed primary unit shows active while "No Switchover" status on FP platforms
ASA not inspecting H323 H225
SSH Service on ASA echoes back each typed/pasted character in its own packet
FTD - When "object-group-search" is pushed through flexconfig, all ACLs get deleted causing outage.
FTD device rebooted after taking Active State for less than 5 minutes
Prevent administrators from installing CXSC module on ASA 5500-X
Traceback and reload when displaying CPU profiling results
SNMPv2 pulls empty ifHCInOctets value if Nameif is configured on the interface
ASA Traceback in emweb/https during Anyconnect Auth/DAP assessment
ASA traceback when removing interface configuration used in call-home
ASA should allow GCM(SSL) connections to use DMA_ALT1 when primary DMA pool is exhausted
ASA: Not able to load Quovadis Root Certificate as trustpoint when FIPS is enabled
ASA discards OSPF hello packets with LLS TLVs sent from a neighbor running on IOS XE 16.5.1 or later
ASA stops authenticating new AnyConnect connections due to fiber exhaustion
DTLS fails after rekey
ASA 5500-X may reload without crashinfo written due to CXSC module continuously reloading
ASA traceback and reload due to multiple threads waiting for the same lock - watchdog
ASA as an SSL Client Memory Leak in Handshake Error path
Cisco Adaptive Security Appliance Clientless SSL VPN Denial of Service Vulnerability
Process Name: lina | ASA traceback caused by Netflow
Memory Leak in DMA_Pool in binsize 1024
Packet Tracer fails with "ERROR: TRACER: NP failed tracing packet", with circular asp drop captures
Support more than 255 chars for Split DNS-commit issue in hanover for CSCuz22961
Standby may enter reboot loop upon upgrading to 9.6(4)20 from 9.6(4)6
Revision: Version 9.6(4)20 – 11/28/2018
Files: asa964-20-smp-k8.bin
Defects resolved since 9.6(4)18:
RDP session does not establish after changing SSL certificate on ASA.
Stuck uauth entry rejects AnyConnect user connections
ASA IKEv2 capture type isakmp is saving corrupted packets or is missing packets
Active FTP Data transfers fail with FTP inspection and NAT
ENH: Addition of 'show ipv6 interface' to 'show tech' output
The CPU profiler stops running without having hit the threshold and without collecting any samples.
FTD or ASA traceback and reload in "Thread Name: Logger Page fault: Address not mapped"
GTP delete bearer request is being dropped
PIX-ASA rest-api unauthorized access.
Traceback high availability standby unit Thread Name: vpnfol_thread_msg
ASA kerberos auth fails switch to TCP if server has response too big (ERR_RESPONSE_TOO_BIG)
Unable to modify access control license entry with log default command
FTD: SSH to ASA Data interface fails if overlapping NAT statement is configured
ASA 5506 %Error copying http://x.x.x.x/asasfr-5500x-boot-6.2.3-4.img(No space left on device)
ASA : Failed SSL connection not getting deleted and depleting DMA memory
Revision: Version 9.6(4)18 – 11/13/2018
Files: asa964-18-smp-k8.bin
Defects resolved since 9.6(4)17:
Cisco Adaptive Security Appliance Software and FTD Software Denial of Service Vulnerability
Revision: Version 9.6(4)17 – 10/19/2018
Files: asa964-17-smp-k8.bin
Defects resolved since 9.6(4)14:
ASA boot loop caused by logs sent after FIPS boot test
IPV4: Implementing buffered reliability mechanism for routing updates
ASA/FTD Deployment ERROR 'Management interface is not allowed as Data is in use by this instance'
Slave unit drops UDP/500 and IPSec packets for S2S instead of redirecting to Master
ASA 9.8.2 Receiving syslog 321006 reporting System Memory as 101%
ASA SIP and Skinny sessions drop, when two subsequent failovers take place
Change 2-tuple and 4-tuple hash table to lockless
FTD does not send Marker for End-of-RIB after a BGP Graceful Restart
IKEv2 RA with EAP fails due to Windows 10 version 1803 IKEv2 fragmentation feature enabled.
When logging into the ASA via ASDM, syslog 611101 shows IP as 0.0.0.0 as remote IP
mac address is flapping on huasan switch when asa etherchannel is configued with active mode
Traceback and reload due to GTP inspection and Failover
Traceback: ASA 9.8.2.28 while doing mutex lock
CVE-2018-5391 Remote denial of service via improper IP fragment handling
Using EEM to track VPN connection events may cause traceback and reload
Cisco Adaptive Security Appliance WebVPN - VPN not connecting through Browser
ASAv/FP2100 Smart Licensing - Unable to register/renew license
Revision: Version 9.6(4)14 – 08/28/2018
Files: asa964-14-smp-k8.bin
Defects resolved since 9.6(4)12:
BGP ASN cause policy deployment failures.
Traceback and reload with 'show tech' on ASA with No Payload Encryption (NPE)
ASA: dns expire-entry-timer configuration disappears after reboot
ASA 9.4.4.8, SNMP causing slow memory leak
ASA NAT position discrepancy between CLI and REST-API causing REST to delete wrong config
LDAP over SSL crypto engine error
ASA5515 Low DMA memory when ASA-IC-6GE-SFP-A module is installed
To-the-box traffic being routing out a data interface when failover is transitioning on a New Active
Flow-offload rewrite rules not updated when MAC address of interface changes
Cisco ASA/FTD Software WebVPN Denial of Service Vulnerability
create/delete context stress test causes traceback in nameif_install_arp_punt_service
5506/5508 assertion and reload under SSL/ASDM handler stress test
webvpn-l7-rewriter: Bookmark logout fails on IE
Flows get stuck in lina conn table in half-closed state
ASA 5525 running 9.8.2.20 memory exhaustion.
ASA Traceback and reload when executing show process (rip: inet_ntop6)
Unwanted IE present error when parsing GTP APN Restriction
ASA: Need a knob to en-/disable computation of Used/Free mem in the GSP pool’s snmpwalk
Certificate import from Local CA fails due to invalid Content-Encoding
ASA "snmp-server enable traps memory-threshold" hogs CPU resulting in "no buffer" drops
ASA cluster: Traffic loop on CCL with NAT and high traffic
FTD 6.2.3: Low DMA memory leading to VPN failures due to incorrect crypto maps
ASA unable to handle Chunked Transfer-encoding returned in HTTP response pages in Clientless WebVPN
Clientless webvpn fails when ASA sends HTTP as a message-body
Revision: Version 9.6(4)12 – 07/18/2018
Files: asa964-12-smp-k8.bin
Defects resolved since 9.6(4)10:
ASA policy-map configuration is not replicated to cluster slave
_lina_assert in createFoverInterface when configuring failover
AVT : Missing Content-Security-Policy Header in ASA 9.5.2
ASA traceback in DATAPATH thread while running captures
Traceback when syslog sent over VPN tunnel
icmp/telnet traffic fail by ipv6 address on transparent ASA
IPv6 protocol 112 packets passing through L2FW are dropping with Invalid IP length message
Rest-API gives empty response for certain queries
DHCP Relay With Dual ISP and Backup IPSEC Tunnels Causes Flapping
ASA fails to encrypt after performing IPv6 to IPv4 NAT translation
PKI:- ASA fails to process CRL's with error "Add CA req to pool failed. Pool full."
ASA pair: IPv6 static/connected routes are not sync/replicated between Active/Standby pairs.
REST-API:500 Internal Server Error
ASA 9.6(4): WebVPN page not loading correctly
Standby traceback in Thread "Logger" after executing "failover active" with telnet access
CWE-20: Improper Input Validation
ASA memory Leak - snp_svc_insert_dtls_session
ASA traceback on Firepower Threat Defense 2130-ASA-K9
ASA portchannel lacp max-bundle 1 hot-sby port not coming up after link failure
Static IPv6 route prefix will be removed from the ASA configuration
Traceback at "ssh" when executing 'show service-policy inspect gtp pdp-context detail'
Netflow configuration on Active ASA is replicated in upside down order on Standby unit
Cisco Adaptive Security Appliance Access Control List Bypass Vulnerability
Large Config and ACL May Cause Data Interface Health Check Fail on Slave Join
WebPage is not loading due to client rewriter issue on JS files
GTP soft traceback seen while processing v2 handoff
ASA traceback with Thread Name: DATAPATH-1-2325
Enabling compression necessary to load ASA SSLVPN login page customization
Revision: Version 9.6(4)10 – 06/19/2018
Files: asa964-10-smp-k8.bin
Defects resolved since 9.6(4)8:
Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416
OSPF continuously flaps after master change (L2 cluster, multi-ctx)
AVT : Missing X-Content-Type-Options in ASA 9.5.2
ASA/Threat Defense traceback when clearing capture-assertion "0" failed: mps_hash_table_debug.c file
Stale VPN Context issue seen in 9.1 code despite fix for CSCvb29688
ASA traceback on failover sync with WebVPN and shared storage-url config
Netflow Returns Large Values for Bytes Sent/Received and IP address switch
Standby ASA has high CPU usage due to extremely large PAT pool range
Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability
ASA watchdog traceback during context modification/configuration sync
FQDN object are getting resolved after removing access-group configuration
upgrade of ASA5500 series firewalls results in boot loop (not able to get past ROMMON)
RADIUS authentication/authorization fails for ASDM
CWS redirection on ASA doesn't treat SSL Client Hello retransmission properly in specific condition
ASA traceback and reload due to watchdog timeout when DATAPATH accesses compiling ACL structure
ASA does not report accurate free memory under "show memory" output
PIM Auto-RP packets are dropped after cluster master switchover
ASA generate traceback in DATAPATH thread
ASA traceback during output of "show service-policy" with a high number of interfaces and qos
Blade kernel crash on FPR4140
ASA PKI OCSP failing - CRYPTO_PKI: failed to decode OCSP response data.
ASA - zonelabs-integrity : Traceback and High CPU due to Process 'Integrity FW task'
FPR-ASA : Device sends only ID certificate in SSL server certificate packet after reload
portal-access-rule changing from "deny" to "permit"
ASA memory Leak - snp_svc_insert_dtls_session
Revision: Version 9.6(4)8 – 04/26/2018
Files: asa964-8-smp-k8.bin
Defects resolved since 9.6(4)6:
ASA unable to remove ACE with 'log disable' option
ASA: traceback in DATAPATH-2-1157
ASA Routes flushed after failover when etherchannel fails
ASA : ICMPv6 syslog messages after upgrade to 962.
ASA traceback due to deadlock between DATAPATH and webvpn processes
ASA traceback due to 1550 block exhaustion.
SSL handshake fails with large certificate chain size
ASA - ICMP flow drops with "no-adjacency" on interface configured in zone when inspection enabled
9300 FTD standby stuck in Bulk-Sync state with high CPS traffics on active
traceback related to SIP inspection processing
Cisco Adaptive Security Appliance TCP Syslog Denial of Service Vulnerability
ASA sending DHCP decline | not assiging address to AC clients via DHCP
ASA Traceback and goes to boot loop on 9.6.3.1
webvpn: multiple rendering issues on Confluence and Jira applications
ASA: Traceback in Thread Name UserFromCert
Traceback in DATAPATH, assertion "0" failed: file "./snp_cluster_transport.h", line 480
ASA 9.7.1.15 Traceback while releasing a vpn context spin lock
IKEv1 RRI : With Answer-only Reverse Route gets deleted during Phase 1 rekey
WebVPN rewriter: drop down menu doesn't work in BMC Remedy
ASA Cut-Through Proxy allowing user to access website, but displaying "authentication failed"
Packet Tracer fails with "ERROR: TRACER: NP failed tracing packet", even after removing captures
Not able to do snmpwalk when snmpv1&2c host group configured.
IKEv1 RRI : With Originate-only Reverse Route gets deleted during Phase 1 rekey
Memory leak on webvpn
ASA:netsnmp:Snmpwalk is failed on some group of IPs of a host-group.
Illegal update occurs when device removes itself from the cluster
Revision: Version 9.6(4)6 – 03/16/2018
Files: asa964-6-smp-k8.bin
Defects resolved since 9.6(4)5:
FTD with low IPSec lifetime traceback with traffic
9.7.1 traceback in snp_fp_qos
ASA Portal Java plug-ins fail with the latest Java updates
ASA Traceback on Kenton in Thread Name: CTM message handler
ASA fails to rejoin the failover HA Or a cluster with insufficient memory error, OGS enabled
ASA: Software traceback in Thread Name: Dynamic Filter updater
ASA:OpenSSL Vulnerabilities CVE-2017-3737 and CVE-2017-3738
Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities
ASA - Traceback in thread name SSH while applying BGP show commands
ASDM stops working with hostscan enabled. ASDM works with hostscan disabled.
ASA traceback with thread name "idfw_proc "
Traceback : 5506 crash when SFR module and RestAPI both enabled
ASA traceback when failing over to standby unit
ASA Traceback in Thread Name: Unicorn Proxy Thread
ASA traceback with Thread Name: fover_parse
Standby ASA traceback during replication from mate 9.2(4)27
CSCvh95456: Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities
Revision: Version 9.6(4)5 – 02/20/2018
Files: asa964-5-smp-k8.bin
Defects resolved since 9.6(4)3:
ASA using TACACS authentication and configured 'password-policy lifetime' will deny access
FPR4100 Chassis Manager and CLI still shows the presence of SSD even after removal
ASA Memory depletion due to scansafe inspection
ASA crashes on DATAPATH due to SIP traffic hitting dynamic NAT rule
ASA, when acting as an HTTP client (file copy, etc) sometimes fail to close the connection
FP4120 / ASA 9.6(3)230 "established tcp" not working anymore after SW upgrade
ASA L2TP/IPSEC SMB upload of big files fails - tcp-buffer-timeout drops
ASA reports incorrectly double input packets traffic on PPPoe/VPDN interface
Split brain after recovery from interface failure when fover and then data ifc goes down in order.
SSPs with ASA in multiple context moves in active-active situation while failover is occurring
FTD prefilter policy only fast-paths single direction of bidirectional flow
Failover Master Passphrase Crash via ASDM
Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities
Memory leak in idfw component on ASA
'no snmp-server host <interface> <ip-address>' does not work
Revision: Version 9.6(4)3 – 02/03/2018
Files: asa964-3-smp-k8.bin
Defects resolved since 9.6(4):
Cisco Adaptive Security Appliance Denial of Service Vulnerability
Memory leak in IKE for aggregate-auth