Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Caution: If you are using CSM, and you upgrade to ASA Version 9.9(2)42 or later, then you must upgrade CSM to Version 4.19 or later. Earlier versions of CSM are not compatible.
Revision: Version 9.9(2)85 04/08/2021
Files: asa992-85-smp-k8.bin, cisco-asa-fp1k.9.9.2.85.SPA, cisco-asa-fp2k.9.9.2.85.SPA, cisco-asa.9.9.2.85.SPA.csp
Defects resolved since 9.9(2)83:
|
ASA traceback Thread Name:
DATAPATH with PBR configured |
|
|
Cisco Adaptive Security
Appliance Software and Firepower Threat Defense Software Web DoS |
|
|
Cisco Adaptive Security
Appliance Software and Firepower Threat Defense Software Web DoS |
|
|
Cisco ASA and FTD Software SIP
Denial of Service Vulnerability |
|
|
Cisco ASA and FTD Software Web
Services Buffer Overflow Denial of Service Vulnerability |
|
|
Cisco ASA and FTD Web Services
Interface Cross-Site Scripting Vulnerability |
Revision: Version 9.9(2)83 02/24/2021
Files: asa992-83-lfbff-k8.SPA, asa992-83-smp-k8.bin
Defects resolved since 9.9(2)80:
|
M500IT Model Solid State Drives
on ASA5506 may go unresponsive after 3.2 Years in service |
|
|
M500IT Model Solid State Drives
on ISA3000 may go unresponsive after 3.2 Years in service |
Revision: Version 9.9(2)80 09/01/2020
Files: asa992-80-smp-k8.bin, cisco-asa-fp1k.9.9.2.80.SPA, cisco-asa-fp2k.9.9.2.80.SPA, cisco-asa.9.9.2.80.SPA.csp
Defects resolved since 9.9(2)74:
|
[SXP] Issue with establishing
SXP connection between ASA on FPR-2110 and switches |
|
|
ASA traceback and reload on
Thread Name SSH |
|
|
ASA reloads when establishing
simultaneous ASDM sessions |
|
|
Cisco ASA Software and Cisco FTD
Software SSL VPN Denial of Service Vulnerability |
|
|
FTD/ASA - Cluster/HA -
Master/Active unit does not update all the route changes to Slaves/Standby |
|
|
Firepower 4100 connection counts
mismatch between active and standby ASA |
|
|
Cisco ASA Software and Cisco FTD
Software SSL VPN Denial of Service Vulnerability |
|
|
Cisco Firepower Threat Defense
Software Hidden Commands Vulnerability |
|
|
Cisco Firepower Threat Defense
Software TCP Flood Denial of Service Vulnerability |
|
|
Cisco Firepower Threat Defense
Software Inline Pair/Passive Mode DoS Vulnerability |
|
|
Cisco ASA and FTD Software FTP
Inspection Bypass Vulnerability |
|
|
Cisco ASA and FTD WebVPN CRLF Injection Vulnerability |
|
|
Cisco ASA and FTD Web Services
File Upload Denial of Service Vulnerability |
|
|
Cisco Adaptive Security
Appliance Software and Firepower Threat Defense Software Web DoS |
|
|
Cisco Adaptive Security
Appliance Software and Firepower Threat Defense OSPFv2 DoS |
|
|
Cisco ASA and FTD Software SIP
Denial of Service Vulnerability |
|
|
Cisco ASA Software and FTD
Software Web Services Cross-Site Scripting Vulnerability |
|
|
Cisco ASA and FTD Software
SSL/TLS Session Denial of Service Vulnerability |
|
|
Cisco Adaptive Security
Appliance Software and Firepower Threat Defense SSL VPN DoS |
|
|
Cisco ASA and FTD Web Services
Interface Cross-Site Scripting Vulnerabilities |
|
|
Cisco ASA Software and FTD
Software WebVPN Portal Access Rule Bypass
Vulnerability |
|
|
Cisco ASA and FTD Web Services
Interface Cross-Site Scripting Vulnerabilities |
|
|
Cisco ASA and FTD Web Services
Interface Cross-Site Scripting Vulnerabilities |
|
|
Cisco ASA Software Web-Based
Management Interface Reflected Cross-Site Scripting Vulnerability |
Revision: Version 9.9(2)74 07/22/2020
Files: asa992-74-smp-k8.bin, cisco-asa-fp1k.9.9.2.74.SPA, cisco-asa-fp2k.9.9.2.74.SPA, cisco-asa.9.9.2.74.SPA.csp
Defects resolved since 9.9(2)67:
|
Mac address flap on switch with
wrong packet injected on ingress FTD interface |
|
|||
|
Cisco Firepower 2100 Series
Security Appliances ARP Denial of Service Vulnerability |
|
|||
|
Cisco ASA Local File Reading Vulnerability |
|
|||
|
sctp-state-bypass is not getting invoked for inline FTD |
|
|||
|
Stuck uauth
entry rejects AnyConnect user connections despite fix of CSCvi42008 |
|
|||
|
ASA traceback Thread name - webvpn_task |
|
|||
|
Traceback:
Modifying FTD inline-set tap-mode configuration with active traffic |
||||
Revision: Version 9.9(2)67 04/23/2020
Files: asa992-67-smp-k8.bin, cisco-asa-fp1k.9.9.2.67.SPA, cisco-asa-fp2k.9.9.2.67.SPA, cisco-asa.9.9.2.67.SPA.csp
Defects resolved since 9.9(2)66:
|
ASA: cluster exec show commands
not show all output |
|
|
Cisco ASA and FTD Software Web
Services Information Disclosure Vulnerability |
Revision: Version 9.9(2)66 03/04/2020
Files: asa992-66-smp-k8.bin, cisco-asa-fp2k.9.9.2.66.SPA, cisco-asa.9.9.2.66.SPA.csp
Defects resolved since 9.9(2)61:
|
Not able to ssh,
ssh_exec: open(pager) error on console |
|
|||||||
|
Cisco Firepower Threat Defense Software VPN System Logging Denial of Service Vulnerability |
|
|||||||
|
Cisco Adaptive Security
Appliance Smart Tunnel Vulnerabilities |
|
|||||||
|
UDP flood causes Lina to run out of memory if blocked |
|
|||||||
|
Traceback in HTTP Cli Exec when upgrading to 9.12.1 |
|
|||||||
|
Cisco ASA Software and FTD
Software MGCP Denial of Service Vulnerabilities |
|
|||||||
|
Cisco ASA Software and FTD Software MGCP Denial of Service Vulnerabilities |
|
|||||||
|
Traceback while Reverting the
primary system as active |
|
|||||||
|
Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability |
||||||||
|
Need to add inactivity timer for aware server sockets |
||||||||
|
Not able to establish more than
2 simultaneous ASDM sessions |
|
|||||||
|
When deleting context
the ssh key-exchange goes to Default GLOBALLY! |
|
|||||||
|
FPR2100 FTD Standby unit leaking
9K blocks |
|
|||||||
|
Cisco ASA Software Kerberos Authentication Bypass Vulnerability |
|
|||||||
|
Cisco ASA and FTD Software IPv6 DNS Denial of Service Vulnerability |
|
|||||||
|
ASA/FTD may traceback and reload
in Thread Name 'PTHREAD-1533' |
|
|||||||
|
Cisco Adaptive Security
Appliance Software and Firepower Threat Defense Software Web DoS |
|
|||||||
|
Cisco ASA and Cisco FTD
Malformed OSPF Packets Processing Denial of Service Vulnerability |
|
|||||||
Revision: Version 9.9(2)61 12/05/2019
Files: asa992-61-smp-k8.bin, cisco-asa-fp2k.9.9.2.61.SPA, cisco-asa.9.9.2.61.SPA.csp
Defects resolved since 9.9(2)59:
|
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability |
Revision: Version 9.9(2)59 09/10/2019
Files: asa992-59-smp-k8.bin, cisco-asa-fp2k.9.9.2.59.SPA, cisco-asa.9.9.2.59.SPA.csp
Defects resolved since 9.9(2)56:
|
IKEv2: IKEv2-PROTO-2: Failed to
allocate PSH from platform |
|
|
ASA traceback in thread SSH |
|
|
Lina does not properly report
the error for configuration line that is too long |
|
|
management-only of diagnostic
I/F on secondary FTD get disappeared |
|
|
FTD inline/transparent sends
packets back through the ingress interface |
|
|
LACPDUs should not be sent to
snort for inline-set interfaces |
|
|
ASA traceback and reload
observed in Datapath due to SIP inspection. |
|
|
ASA sends invalid redirect
response for POST request |
|
|
Cisco ASA Software and FTD Software OSPF LSA Processing
Denial of Service Vulnerability |
|
|
Flows are getting offloaded on
inline-sets |
|
|
Fail-Closed FTD passes packets
through on Snort processes down |
|
|
LINA traceback on ASA in HA
Active Unit repeatedly |
|
|
Deploy fails on FTD HA due to
exception when parsing big xml response |
|
|
Executing 'failover' twice on
active unit, clears interface configuration on standby unit |
|
|
Memory leak observed when
ASA-SFR dataplane communication flaps |
|
|
FTD/ASA : Traceback in Datapath
with assert snp_tcp_intercept_assert_disabled |
Revision: Version 9.9(2)56 08/08/2019
Files: asa992-56-smp-k8.bin, cisco-asa-fp2k.9.9.2.56.SPA, cisco-asa.9.9.2.56.SPA.csp
Defects resolved since 9.9(2)52:
|
tcp proxy: ASA traceback on DATAPATH |
|
|||||||
|
Deployment on FTD with low
memory results on interface nameif to be removed -
finetune mmap thresh |
|
|||||||
|
FTD Lina traceback, due to
packet looping in the system by normaliser |
|
|||||||
|
ASA traceback and reloads when
issuing "show inventory" command |
|
|||||||
|
Cisco ASA Software and FTD Software FTP Inspection Denial of Service Vulnerability |
|
|||||||
|
incorrect HTML <base> tag
handling by Grammar Based Parser |
|
|||||||
|
URL inside HTML base tag is not
rewritten after it is handled by GBP |
|
|||||||
|
ASA: Watchdog traceback in
Datapath |
|
|||||||
|
FTD lina
cored with Thread name: cli_xml_server |
|
|||||||
|
Random SGT tags added by FTD |
|
|||||||
|
FIPS mode gets disabled after
rollback from a failed policy deploy |
|
|||||||
|
Cisco ASA and Firepower Threat Defense Software WebVPN Cross-Site Scripting Vulnerability |
||||||||
|
Cisco ASA Software and FTD Software SIP Inspection Denial of Service Vulnerability |
|
|||||||
|
ASA/FTD HA Data Interface
Heartbeat dropped due to Reverse Path Check |
|
|||||||
|
Cisco ASA and FTD Software WebVPN CPU Denial of Service Vulnerability |
||||||||
|
|
|
|
||||||
Revision: Version 9.9(2)52 05/10/2019
Files: asa992-52-smp-k8.bin, cisco-asa-fp2k.9.9.2.52.SPA, cisco-asa.9.9.2.52.SPA.csp
Defects resolved since 9.9(2)50:
|
ASA 5506/5508/5516 traceback in Thread Name octnic_hm_thread |
Revision: Version 9.9(2)50 04/29/2019
Files: asa992-50-smp-k8.bin, cisco-asa-fp2k.9.9.2.50.SPA, cisco-asa.9.9.2.50.SPA.csp
Defects resolved since 9.9(2)47:
|
Support for more than 255
characters for Split DNS value |
|
|
Traceback on Thread Name:
DATAPATH-2-1785 |
|
|
OSPF Route may become stale and
stuck in the routing table after failover events |
|
|
ASA is getting traceback with
reboot only on Spyker after shutdown SFR module |
|
|
Deployment changes are not
pushed to the device due to disk0 mounted on read-only |
|
|
SSH session stuck after
committing changes within a Configure Session. |
|
|
ASA CP core pinning leads to
exhaustion of core-local blocks |
|
|
Qos applied on interfaces doesn't work. |
|
|
ASA is stuck on "reading
from flash" for several hours |
|
|
Standby unit sending BFD packets
with active unit IP, causing BGP neighborship to fail. |
|
|
FXOS ASA/FTD needs means to poll
Internal-data interface counters |
|
|
Initiating write net command
with management access for BVI interfaces does not succeed |
|
|
FTD Lina traceback while
removing OSPF configuration. |
|
|
Route tracking failure |
|
|
ASA not inspecting H323 H225 |
|
|
ASA core blocks depleted when
host unreachable in IRB configuration |
|
|
Spin lock traceback when
changing vpn-mode with traffic |
|
|
ADI process fails to start on
ASA on Firepower 4100 |
|
|
Traceback in Firepower 4120 |
|
|
The 'show memory' CLI output is
incorrect on ASAv |
|
|
ASA Traceback in emweb/https during Anyconnect
Auth/DAP assessment |
|
|
ACL Unable to configure an ACL
after access-group configuration error |
|
|
IKEv2 Failed to obtain an Other
VPN license |
|
|
ASA: Not able to load Quovadis Root Certificate as trustpoint
when FIPS is enabled |
|
|
overloading of the lina msglyr infra due to the
sending of VPN status messages |
|
|
DTLS fails after rekey |
|
|
Configuring "boot
config" has no effect if file was modified off-box and copied back on |
|
|
ASA5506 may slowly leak memory
when using NetFlow |
|
|
KP:AnyConnect used IP from pool shows as available |
|
|
ASA 5585 9.8.3.14 traceback in
Datapath with ipsec |
|
|
FPR platform IPsec VPN goes down
intermittently |
|
|
ASA as an SSL Client Memory Leak
in Handshake Error path |
|
|
Control-plane ACL doesn't work
correctly on FTD |
|
|
ASA Multicontext
traceback and reload due to allocate-interface out of range command |
|
|
Process Name: lina | ASA traceback caused by Netflow |
|
|
Traceback on Thread Name:
Unicorn Admin Handler after adding protocol to IKEV2 ipsec-proposal |
|
|
Memory Leak in DMA_Pool in binsize 1024 with SCP
download |
|
|
Packet Tracer fails with
"ERROR: TRACER: NP failed tracing packet", with circular asp drop
captures |
|
|
Upgrading ASA cluster to
9.10.1.7 cause traceback |
|
|
Ikev2 tunnel creation fails |
|
|
Support more than 255 chars for
Split DNS-commit issue in hanover for CSCuz22961 |
|
|
DHCPRelay does not consume DHCP Offer packet with Unicast flag |
|
|
Unable to remove access-list
with 'log default' keyword |
|
|
EIGRP breaks when new
sub-interface is added and "mac-address auto" is enabled |
|
|
AnyConnect session rejected due
to resource issue in multi context deployments |
|
|
Standby may enter reboot loop
upon upgrading to 9.6(4)20 from 9.6(4)6 |
|
|
ASA IPSec
VPN EAP Fails to Load Valid Certificate in PKI |
|
|
VPN sessions failing due to PKI
handles not freed during rekeys |
|
|
Cisco Adaptive Security Appliance Software Secure Copy
Denial of Service Vulnerability |
|
|
crypto ipsec
inner-routing-lookup should not be allowed to be configured with VTI present |
|
|
Enhancement to address high IKE
CPU seen due to tunnel replace scenario |
|
|
ASA Traceback and reload while
running IKE Debug |
|
|
Traceback and reload citing
Datapath as affected thread |
|
|
Enhancement: add counter for
Duplicate remote proxy |
|
|
Do not decrypt rule causes
traffic interruptions. |
|
|
ASA may traceback and reload.
Potentially related to WebVPN traffic |
|
|
HTTP with ipv6 using w3m is
failing |
|
|
Memory leak while inspecting GTP
traffic |
Revision: Version 9.9(2)47 02/04/2019
Files: asa992-47-smp-k8.bin, cisco-asa-fp2k.9.9.2.47.SPA, cisco-asa.9.9.2.47.SPA.csp
Defects resolved since 9.9(2)40:
|
"ha-replace" action not working when peer not present |
|
|
|
Cisco
Adaptive Security Appliance Software Cross-site Request Forgery Vulnerability |
||
|
FP 2130 traceback - segmentation fault with a NULL channel pointer with outage |
|
|
|
Traceback and reload when displaying CPU profiling results |
|
|
|
Deploy from FMC fails due to OOM with no indication of why |
|
|
|
Cisco ASA Software and FTD Software IKEv1 Denial of Service Vulnerability |
|
|
|
ASA traceback and reload when trying to switch from ACTIVE to STANDBY. Thread Name: fover_FSM_thread |
|
|
|
Smart Tunnel bookmarks don't work after upgrade giving certificate error |
|
|
Revision: Version 9.9(2)40 02/04/2019
Files: asa992-40-smp-k8.bin, cisco-asa-fp2k.9.9.2.40.SPA, cisco-asa.9.9.2.40.SPA.csp
Defects resolved since 9.9(2)36:
|
ASA: traceback in DATAPATH-2-1157 |
|
|
GTP inspection may spike cpu usage |
|
|
ASA Routes flushed after failover when etherchannel fails |
|
|
SSL handshake fails with large certificate chain size |
|
|
Traceback in DATAPATH, assertion "0" failed: file "./snp_cluster_transport.h", line 480 |
|
|
Traceback in DATAPATH on standby FTD |
|
|
ASA is getting traceback with reboot only on Spyker aftr shutdown SFR module |
|
|
Active FTP Data transfers fail with FTP inspection and NAT |
|
|
ERROR: The entitlement is already acquired while the configuration is cached. |
|
|
GTP inspection should not process TCP packets |
|
|
GTP delete bearer request is being dropped |
|
|
HA failed primary unit shows active while "No Switchover" status on FP platforms |
|
|
ASA: Memory leak due to PC alloc_fo_ipsec_info_buffer_ver_1+136 |
|
|
SSH Service on ASA echoes back each typed/pasted character in its own packet |
|
|
Blocks exhaustion snapshot was not captured on ASA |
|
|
FTD device rebooted after taking Active State for less than 5 minutes |
|
|
Prevent administrators from installing CXSC module on ASA 5500-X |
|
|
ASA may traceback due to SCTP traffic inspection without NULL check |
|
|
ASA : Failed SSL connection not getting deleted and depleting DMA memory |
|
|
SNMPv2 pulls empty ifHCInOctets value if Nameif is configured on the interface |
|
|
ASA traceback when removing interface configuration used in call-home |
|
|
Standby node traceback in wccp_int_statechange() with HA configuration sync |
|
|
ASA should allow GCM(SSL) connections to use DMA_ALT1 when primary DMA pool is exhausted |
|
|
ASA discards OSPF hello packets with LLS TLVs sent from a neighbor running on IOS XE 16.5.1 or later |
|
|
RA VPN + SAML authentication causes 2 authorization requests against the RADIUS server |
|
|
ASA stops authenticating new AnyConnect connections due to fiber exhaustion |
|
|
selective acking not happening with SSL crypto hardware offload |
|
|
ASA 5500-X may reload without crashinfo written due to CXSC module continuously reloading |
|
|
To support multiple retry on devcmd failure to CRUZ during flow table configuration update. |
|
|
ISA300 interop issue with Nokia 7705 router |
|
|
ASA traceback and reload due to multiple threads waiting for the same lock - watchdog |
|
|
ASA/webvpn: FF and Chrome: Bookmark is not rendered with Grammar Based Parser |
|
|
traceback on inspect_process |
Revision: Version 9.9(2)36 12/14/2018
Files: asa992-36-smp-k8.bin, cisco-asa-fp2k.9.9.2.36.SPA, cisco-asa.9.9.2.36.SPA.csp
Defects resolved since 9.9(2)32:
|
FTD Diagnostic Interface does Proxy ARP for br1 management subnet |
|
|
ENH: Addition of 'show fragment' to 'show tech' output |
|
|
ENH: Addition of 'show aaa-server' to 'show tech' output |
|
|
FTD IPV6 traffic outage after interface edit and deployment part 1/2 |
|
|
PIX-ASA rest-api unauthorized access. |
|
|
FTD - When "object-group-search" is pushed through flexconfig, all ACLs get deleted causing outage. |
|
|
FTD: Need ability to trust ethertype ACLs from the parser. Need to allow BPDU to pass through |
Revision: Version 9.9(2)32 11/08/2018
Files: asa992-32-smp-k8.bin, cisco-asa-fp2k.9.9.2.32.SPA, cisco-asa.9.9.2.32.SPA.csp
Defects resolved since 9.9(2)32:
|
IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload. |
||
|
Multicast dropped after deleting a security context |
||
|
Change 2-tuple and 4-tuple hash table to lockless |
||
|
ASA IKEv2 capture type isakmp is saving corrupted packets or is missing packets |
||
|
Active FTP Data transfers fail with FTP inspection and NAT |
||
|
ENH: Addition of 'show ipv6 interface' to 'show tech' output |
||
|
KVM (FTD): Mapping web server through outside not working consistent with other platforms |
||
|
FTD on FPR 9300 corrupts TCP headers with pre-filter enabled |
||
|
The CPU profiler stops running without having hit the threshold and without collecting any samples. |
||
|
show memory output shows wrong memory |
||
|
ASA 9.8(2)24 traceback on FPR9K-SM-44 |
|
|
|
Cisco ASA and FTD Denial of Service or High CPU due to SIP inspection Vulnerability |
||
|
Make Object Group Search Threshold disabled by default, and configurable. Causes outages. |
||
|
ASA wrongly removes dACL for all Anyconnect clients which has the same dACL attached |
||
|
Traceback HA standby unit Thread Name: vpnfol_thread_msg |
||
|
ASA kerberos auth fails switch to TCP if server has response too big (ERR_RESPONSE_TOO_BIG) |
||
|
Unable to modify ACL entry with log default command |
||
|
FTD: SSH to LINA Data interface fails if overlapping NAT statement is configured |
||
Revision: Version 9.9(2)27 10/23/2018
Files: asa992-27-smp-k8.bin, cisco-asa-fp2k.9.9.2.27.SPA, cisco-asa.9.9.2.27.SPA.csp
Defects resolved since 9.9(2)25:
|
ASA: Add additional IKEv2/IPSec debugging for CSCvm70848 |
|
|
Need to update Smart Call Home built-in CA certificate for tools.cisco.com |
Revision: Version 9.9(2)25 10/03/2018
Files: asa992-25-smp-k8.bin, cisco-asa-fp2k.9.9.2.25.SPA, cisco-asa.9.9.2.25.SPA.csp
Defects resolved since 9.9(2)18:
|
WebVPN 'enable intf' with DHCP , CLI missing when ASA boot |
|
|
ASA boot loop caused by logs sent after FIPS boot test |
|
|
asdm displays error uploading image |
|
|
ASA/FTD Deployment ERROR 'Management interface is not allowed as Data is in use by this instance' |
|
|
ASA 9.4.4.8, SNMP causing slow memory leak |
|
|
Edit GUI language on ASDM AC downloads but ignores the change FPR-21XX |
|
|
Slave unit drops UDP/500 and IPSec packets for S2S instead of redirecting to Master |
|
|
ASA 9.8.2 Receiving syslog 321006 reporting System Memory as 101% |
|
|
ASA SIP and Skinny sessions drop, when two subsequent failovers take place |
|
|
Excessive logging from ftdrpcd process on 2100 series appliances |
|
|
clear crypto ipsec ikev2 commands not replicated to standby |
|
|
FTD does not send Marker for End-of-RIB after a BGP Graceful Restart |
|
|
Packet capture fails for interface named "management" on Firepower Threat Defense |
|
|
Flows get stuck in lina conn table in half-closed state |
|
|
ASA traceback with Thread Name: DATAPATH-1-2325 |
|
|
IKEv2 RA with EAP fails due to Windows 10 version 1803 IKEv2 fragmentation feature enabled. |
|
|
Firepower 2100 tunnel flap at data rekey with high throughput Lan-to-Lan VPN traffic |
|
|
When logging into the ASA via ASDM, syslog 611101 shows IP as 0.0.0.0 as remote IP |
|
|
mac address is flapping on huasan switch when asa etherchannel is configued with active mode |
|
|
Traceback and reload due to GTP inspection and Failover |
|
|
Traceback: ASA 9.8.2.28 while doing mutex lock |
|
|
Firepower Threat Defense: Low DMA memory leading to VPN failures due to incorrect crypto maps |
|
|
ASA IKEv2 crash while deleting SAs |
|
|
ASA traceback and reload in "Thread Name: Logger Page fault: Address not mapped" |
|
|
ASA unable to handle Chunked Transfer-encoding returned in HTTP response pages in Clientless WebVPN |
|
|
Clientless webvpn fails when ASA sends HTTP as a message-body |
|
|
Using EEM to track VPN connection events may cause traceback and reload |
|
|
ASA: Memory leak due to PC cssls_get_crypto_ctxt |
|
|
ASA Traceback: Thread Name NIC Status Poll. |
|
|
Incorrect calculation of AAB in ASA causes random AAB invocations. |
|
|
Cisco Adaptive Security Appliance WebVPN - VPN not connecting through Browser |
Revision: Version 9.9(2)18 08/27/2018
Files: asa992-18-smp-k8.bin, cisco-asa-fp2k.9.9.2.18.SPA, cisco-asa.9.9.2.18.SPA.csp
Defects resolved since 9.9(2)14:
|
ASA traceback at first boot in 5506 due to unable to allocate enough LCMB memory |
|
|||
|
Traceback when syslog sent over VPN tunnel |
|
|||
|
KP 2110 ASA : Shared management across context unable to reach to GW |
|
|||
|
webvpn: multiple rendering issues on Confluence and Jira applications |
|
|||
|
BGP ASN cause policy deployment failures. |
|
|||
|
Traceback and reload with 'show tech' on ASA with No Payload Encryption (NPE) |
|
|||
|
ASA does not send 104001 and 104002 messages to TCP/UDP syslog |
|
|||
|
PKI:- ASA fails to process CRL's with error "Add CA req to pool failed. Pool full." |
|
|||
|
show memory binsize and "show memory top-usage" do not show correct information, all show PC 0x0 |
|
|||
|
ASA: dns expire-entry-timer configuration disappears after reboot |
|
|||
|
ASA NAT position discrepancy between CLI and REST-API causing REST to delete wrong config |
|
|||
|
Firepower 2100 Incorrect reply for SNMP get request 1.3.6.1.2.1.1.2.0 |
|
|||
|
FTD: AAB might force a snort restart with relatively low load on the system |
|
|||
|
LDAP over SSL crypto engine error |
|
|||
|
256 Byte block leak observed due to ARP traffic when using VTI |
|
|||
|
ASA5515 Low DMA memory when ASA-IC-6GE-SFP-A module is installed |
|
|||
|
To-the-box traffic being routing out a data interface when failover is transitioning on a New Active |
|
|||
|
Standby traceback in Thread "Logger" after executing "failover active" with telnet access |
|
|||
|
Flow-offload rewrite rules not updated when MAC address of interface changes |
|
|||
|
create/delete context stress test causes traceback in nameif_install_arp_punt_service |
|
|||
|
Static IPv6 route prefix will be removed from the ASA configuration |
|
|||
|
Firepower 2100: stopping/pausing capture from FMC doesn't lower the CPU usage |
|
|||
|
IP Local pools configured with the same name. |
|
|||
|
ASA traceback when logging host command is enable for IPv6 after each reboot |
|
|||
|
webvpn-l7-rewriter: Bookmark logout fails on IE |
|
|||
|
ASA may traceback due to SCTP traffic |
|
|||
|
show memory binsize and "show memory top-usage" do not show correct information (Complete fix) |
|
|||
|
ASA 5525 running 9.8.2.20 memory exhaustion. |
|
|||
|
GTP soft traceback seen while processing v2 handoff |
|
|||
|
ASA Traceback and reload when executing show process (rip: inet_ntop6) |
|
|||
|
Enabling compression necessary to load ASA SSLVPN login page customization |
|
|||
|
Unwanted IE present error when parsing GTP APN Restriction |
|
|||
|
ASA: Need a knob to en-/disable computation of Used/Free mem in the GSP
pools snmpwalk |
||||
|
Large ACL taking long time to compile on boot causing outage |
|
|||
|
Certificate import from Local CA fails due to invalid Content-Encoding |
|
|||
|
ASA may traceback and reload when acessing qos metrics via ASDM/Telnet/SSH |
|
|||
|
WebVPN: Grammar Based Parser fails to handle META tags |
|
|||
|
ASAv and FTDv deployment fails in Microsoft Azure and/or slow console response |
|
|||
|
ASA "snmp-server enable traps memory-threshold" hogs CPU resulting in "no buffer" drops |
|
|||
|
Firepower 2110, Webvpn conditional debugging causes Threat Defense to traceback |
|
|||
|
ASA cluster: Traffic loop on CCL with NAT and high traffic |
|
|||
|
AnyConnect 4.6 Web-deploy fails on MAC using Safari 11.1.x browsers |
|
|||
|
Async queue issues with fragmented packets leading to block depletion 9344 |
|
|||
|
RDP bookmark plugin wont launch |
|
|||
Revision: Version 9.9(2)14 07/16/2018
Files: asa992-14-smp-k8.bin, cisco-asa-fp2k.9.9.2.14.SPA, cisco-asa.9.9.2.14.SPA.csp
Defects resolved since 9.9(2)9:
|
AVT : Missing Content-Security-Policy Header in ASA 9.5.2 |
|
|
ASA policy-map configuration is not replicated to cluster slave |
|
|
ASA traceback in DATAPATH thread while running captures |
|
|
Default DLY value of port-channel sub interface mismatch |
|
|
icmp/telnet traffic fail by ipv6 address on transparent ASA |
|
|
IPv6 protocol 112 packets passing through L2FW are dropping with Invalid IP length message |
|
|
Firepower Threat Defense device unable to stablish ERSPAN with Nexus 9000 |
|
|
ASA Running config through REST-API Full Backup does not contain the specified context configuration |
|
|
FQDN object are getting resolved after removing access-group configuration |
|
|
Rest-API gives empty response for certain queries |
|
|
DHCP Relay With Dual ISP and Backup IPSEC Tunnels Causes Flapping |
|
|
Using the "match" keyword in capture command causes IPv6 traffic to be ignored in capture |
|
|
Layer 2 traffic should not be hardcoded to be sent to Snort for inspection |
|
|
ASA fails to encrypt after performing IPv6 to IPv4 NAT translation |
|
|
ASA does not send 104001 and 104002 messages to TCP/UDP syslog |
|
|
ASA pair: IPv6 static/connected routes are not sync/replicated between Active/Standby pairs. |
|
|
Stuck uauth entry rejects AnyConnect user connections |
|
|
REST-API:500 Internal Server Error |
|
|
ASA 9.6(4): WebVPN page not loading correctly |
|
|
pki handles: increase and fail to decrement |
|
|
ASA responds to MOBIKE but clears SA due to DPD. |
|
|
ASA - zonelabs-integrity : Traceback and High CPU due to Process 'Integrity FW task' |
|
|
ASA : Device sends only ID certificate in SSL server certificate packet after reload |
|
|
CWE-20: Improper Input Validation |
|
|
Traceback: Thread Name: IPsec message handler |
|
|
LINA traceback in Thread Name: DATAPATH-14-17303 |
|
|
portal-access-rule changing from "deny" to "permit" |
|
|
Firepower Threat Defense 2100 asa traceback for unknown reason |
|
|
ASA memory Leak - snp_svc_insert_dtls_session |
|
|
ASA traceback on Firepower Threat Defense 2130-ASA-K9 |
|
|
ASA portchannel lacp max-bundle 1 hot-sby port not coming up after link failure |
|
|
ASA does not unrandomize the SLE and SRE values for SACK packet generated by ASA module |
|
|
Traceback in cli_xml_server Thread |
|
|
Traceback at "ssh" when executing 'show service-policy inspect gtp pdp-context detail' |
|
|
Netflow configuration on Active ASA is replicated in upside down order on Standby unit |
|
|
Clock sync issue on ASA with FXOS |
|
|
1550 Block Depletions leading to ASA reload. |
|
|
WebPage is not loading due to client rewriter issue on JS files |
|
|
webvpn: Bookmark fails to render on Firefox and Chrome. IE fine. |
Revision: Version 9.9(2)9 06/13/2018
Files: asa992-9-smp-k8.bin, cisco-asa-fp2k.9.9.2.9.SPA, cisco-asa.9.9.2.9.SPA.csp
Defects resolved since 9.9(2)1:
|
ASA unable to remove ACE with 'log disable' option |
|
|
AVT : Missing X-Content-Type-Options in ASA 9.5.2 |
|
|
ASA "show tech" some commands twice, show running-config/ak47 detailed/startup-config errors |
|
|
Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416 |
|
|
Stale VPN Context issue seen in 9.1 code despite fix for CSCvb29688 |
|
|
ASA traceback on failover sync with WebVPN and shared storage-url config |
|
|
Netflow Returns Large Values for Bytes Sent/Received and IP address switch |
|
|
ERROR: Unable to create crypto map: limit reached, when adding entry |
|
|
ASA : ICMPv6 syslog messages after upgrade to 962. |
|
|
Standby ASA has high CPU usage due to extremely large PAT pool range |
|
|
ASA traceback due to deadlock between DATAPATH and webvpn processes |
|
|
ASA traceback due to 1550 block exhaustion. |
|
|
ASA does not unrandomize the SLE and SRE values for SACK packet generated by ASA module |
|
|
IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload. |
|
|
ASA watchdog traceback during context modification/configuration sync |
|
|
Slow 2048 byte block leak due to fragmented traffic over VPN |
|
|
ASA - ICMP flow drops with "no-adjacency" on interface configured in zone when inspection enabled |
|
|
ASA on Firepower Threat Defense devices traceback due to SSL |
|
|
ASA sending DHCP decline | not assiging address to AC clients via DHCP |
|
|
upgrade of ASA5500 series firewalls results in boot loop (not able to get past ROMMON) |
|
|
ASA Traceback and goes to boot loop on 9.6.3.1 |
|
|
KP traceback illegal memory access inside a vendor Modular Exponentiation implementation |
|
|
Upon reboot, non-default SSL commands are removed from the Firepower 4100 |
|
|
ASA: Traceback in Thread Name UserFromCert |
|
|
CWS redirection on ASA doesn't treat SSL Client Hello retransmission properly in specific condition |
|
|
ASA traceback and reload due to watchdog timeout when DATAPATH accesses compiling ACL structure |
|
|
ASA 9.7.1.15 Traceback while releasing a vpn context spin lock |
|
|
IKEv1 RRI : With Answer-only Reverse Route gets deleted during Phase 1 rekey |
|
|
WebVPN rewriter: drop down menu doesn't work in BMC Remedy |
|
|
ASA Cut-Through Proxy allowing user to access website, but displaying "authentication failed" |
|
|
ASA does not report accurate free memory under "show memory" output |
|
|
Not able to do snmpwalk when snmpv1&2c host group configured. |
|
|
Azure: ASAv running Cloud high availability gets in a watchdog crash loop |
|
|
IKEv1 RRI : With Originate-only Reverse Route gets deleted during Phase 1 rekey |
|
|
Memory leak on webvpn |
|
|
Zeroize RSA key after Failover causes REST API to fail to changeto System context |
|
|
PIM Auto-RP packets are dropped after cluster master switchover |
|
|
ASA:netsnmp:Snmpwalk is failed on some group of IPs of a host-group. |
|
|
Illegal update occurs when device removes itself from the cluster |
|
|
Cisco Firepower 2100 Series POODLE TLS security scanner alerts |
|
|
ASA generate traceback in DATAPATH thread |
|
|
ASA traceback during output of "show service-policy" with a high number of interfaces and qos |
|
|
ASA self-signed RSA certificate is not allowed for TLS in FIPS mode |
|
|
ASA not matching IPv6 traffic correctly in ACL with "any" keyword configured |
|
Traceback at snmp address not mapped when snmp-server not enabled |
|
|
Cluster: Enhance ifc monitor debounce-time for interface down->up scenario |
|
|
ASA PKI OCSP failing - CRYPTO_PKI: failed to decode OCSP response data. |
|
|
Scansafe feature doesn't work at all for HTTPS traffic |
Revision: Version 9.9(2)1 04/18/2018
Files: asa992-1-smp-k8.bin, cisco-asa-fp2k.9.9.2.1.SPA, cisco-asa.9.9.2.1.SPA.csp
Defects resolved since 9.9(2):
|
Cisco Adaptive Security Appliance WebVPN Denial of Service Vulnerability |
|
|
ASA, Threat Defense, and AnyConnect Secure Mobility Client SAML Auth Session Fixation Vulnerability |
|
|
New CLI for Supporting Legacy method SAML Auth using external browser on endpoint |
|
|
Cisco Adaptive Security Appliance Denial of Service Vulnerability |
|
|
Cisco Adaptive Security Appliance Denial of Service Vulnerability |
|
|
Cisco Adaptive Security Appliance Denial of Service Vulnerability |