Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Caution: If you are using CSM, and you upgrade to ASA Version 9.8(3)26 or later, then you must upgrade CSM to Version 4.19 or later. Earlier versions of CSM are not compatible.
Revision: Version 9.8(3)29 – 04/08/2019
Files: asa983-29-smp-k9.bin
Defects resolved since 9.8(3)26:
CPU profiling dump not working after the profiler is enabled
Traceback at Thread "IP Address Assign" while testing HA Cert Auth AnyConnect
Revision: Version 9.8(3)26 – 03/28/2019
Files: asa983-26-smp-k9.bin
Defects resolved since 9.8(3)21:
Support for more than 255 characters for Split DNS value
ha-replace action not working when peer not present
ASA HA with NSF: NSF is not triggered properly when there is an Interface failure in ASA HA
SSH session stuck after committing changes within a Configure Session.
Initiating write net command with management access for BVI interfaces does not succeed
Traceback and reload when displaying CPU profiling results
ADI process fails to start on ASA on Firepower 4100
The 'show memory' CLI output is incorrect on ASAv
ACL Unable to configure an ACL after access-group configuration error
ASA: Not able to load Quovadis Root Certificate as trustpoint when FIPS is enabled
DTLS fails after rekey
KP:AnyConnect used IP from pool shows as available
Process Name: lina | ASA traceback caused by Netflow
Memory Leak in DMA_Pool in binsize 1024 with SCP download
Packet Tracer fails with "ERROR: TRACER: NP failed tracing packet", with circular asp drop captures
Upgrading ASA cluster to 9.10.1.7 cause traceback
Deploy from FMC fails due to OOM with no indication of why
Support more than 255 chars for Split DNS-commit issue in hanover for CSCuz22961
Memory leak found in IPsec when we establish and terminate a new IKEv1 tunnel.
Unable to remove access-list with 'log default' keyword
AnyConnect session rejected due to resource issue in multi context deployments
Standby may enter reboot loop upon upgrading to 9.6(4)20 from 9.6(4)6
ASA IPSec VPN EAP Fails to Load Valid Certificate in PKI
ASA traceback and reload when trying to switch from ACTIVE to STANDBY. Thread Name: fover_FSM_thread
Smart Tunnel bookmarks don't work after upgrade giving certificate error |
Revision: Version 9.8(3)21 – 02/04/2019
Files: asa983-21-smp-k9.bin
Defects resolved since 9.8(3)18:
FTD Diagnostic Interface does Proxy ARP for br1 management subnet
GTP inspection may spike cpu usage
Firepower 2100 Series might report failure due to MIO-blade heartbeat failure
Traceback in DATAPATH on standby FTD
Active FTP Data transfers fail with FTP inspection and NAT
ASA CP core pinning leads to exhaustion of core-local blocks
ENH: Addition of 'show fragment' to 'show tech' output
ENH: Addition of 'show aaa-server' to 'show tech' output
ERROR: The entitlement is already acquired while the configuration is cached.
Qos applied on interfaces doesn't work.
Standby unit sending BFD packets with active unit IP, causing BGP neighborship to fail.
HA failed primary unit shows active while "No Switchover" status on FP platforms
ASA not inspecting H323 H225
ASA core blocks depleted when host unreachable in IRB configuration
SSH Service on ASA echoes back each typed/pasted character in its own packet
FTD - When "object-group-search" is pushed through flexconfig, all ACLs get deleted causing outage.
FTD device rebooted after taking Active State for less than 5 minutes
Prevent administrators from installing CXSC module on ASA 5500-X
ASA may traceback due to SCTP traffic inspection without NULL check
SNMPv2 pulls empty ifHCInOctets value if Nameif is configured on the interface
ASA Traceback in emweb/https during Anyconnect Auth/DAP assessment
ASA traceback when removing interface configuration used in call-home
Standby node traceback in wccp_int_statechange() with HA configuration sync
ASA should allow GCM(SSL) connections to use DMA_ALT1 when primary DMA pool is exhausted
ASA discards OSPF hello packets with LLS TLVs sent from a neighbor running on IOS XE 16.5.1 or later
RA VPN + SAML authentication causes 2 authorization requests against the RADIUS server
ASA stops authenticating new AnyConnect connections due to fiber exhaustion
ASA 5500-X may reload without crashinfo written due to CXSC module continuously reloading
To support multiple retry on devcmd failure to CRUZ during flow table configuration update.
ISA300 interop issue with Nokia 7705 router
ASA traceback and reload due to multiple threads waiting for the same lock - watchdog
ASA 5585 9.8.3.14 traceback in Datapath with ipsec
ASA as an SSL Client Memory Leak in Handshake Error path
traceback on inspect_process |
Revision: Version 9.8(3)18 – 12/14/2018
Files: asa983-18-smp-k9.bin
Defects resolved since 9.8(3)16:
IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload.
ENH: Addition of 'show ipv6 interface' to 'show tech' output
FTD IPV6 traffic outage after interface edit and deployment part 1/2
GTP delete bearer request is being dropped
PIX-ASA rest-api unauthorized access.
ASA wrongly removes dACL for all Anyconnect clients which has the same dACL attached
ASA: Memory leak due to PC alloc_fo_ipsec_info_buffer_ver_1+136
Unable to modify access control license entry with log default command
FTD: SSH to ASA Data interface fails if overlapping NAT statement is configured
FTD: Need ability to trust ethertype ACLs from the parser. Need to allow BPDU to pass through
ASA : Failed SSL connection not getting deleted and depleting DMA memory |
Revision: Version 9.8(3)16 – 11/13/2018
Files: asa983-16-smp-k9.bin
Defects resolved since 9.8(3)14:
Cisco Adaptive Security Appliance Software and FTD Software Denial of Service Vulnerability
Revision: Version 9.8(3)14 – 10/26/2018
Files: asa983-14-smp-k9.bin
Defects resolved since 9.8(3)11:
IPV4: Implementing buffered reliability mechanism for routing updates
An ASA may Traceback and reload when processing traffic
Stuck uauth entry rejects AnyConnect user connections
Edit GUI language on ASDM AC downloads but ignores the change FPR-21XX
ASA 9.8.2 Receiving syslog 321006 reporting System Memory as 101%
ASA SIP and Skinny sessions drop, when two subsequent failovers take place
Multicast dropped after deleting a security context
Change 2-tuple and 4-tuple hash table to lockless
ASA IKEv2 capture type isakmp is saving corrupted packets or is missing packets
ASA traceback with Thread Name: DATAPATH-1-2325
Active FTP Data transfers fail with FTP inspection and NAT
IKEv2 RA with EAP fails due to Windows 10 version 1803 IKEv2 fragmentation feature enabled.
KVM (FTD): Mapping web server through outside not working consistent with other platforms
Firepower 2100 tunnel flap at data rekey with high throughput Lan-to-Lan VPN traffic
When logging into the ASA via ASDM, syslog 611101 shows IP as 0.0.0.0 as remote IP
The CPU profiler stops running without having hit the threshold and without collecting any samples.
ASA 9.8(2)24 traceback on FPR9K-SM-44
Using EEM to track VPN connection events may cause traceback and reload
ASA: Memory leak due to PC cssls_get_crypto_ctxt
ASA Traceback: Thread Name NIC Status Poll.
Make Object Group Search Threshold disabled by default, and configurable. Causes outages.
Cisco Adaptive Security Appliance WebVPN - VPN not connecting through Browser
Traceback HA standby unit Thread Name: vpnfol_thread_msg
ASA kerberos auth fails switch to TCP if server has response too big (ERR_RESPONSE_TOO_BIG)
ASAv/FP2100 Smart Licensing - Unable to register/renew license |
Revision: Version 9.8(3)11 – 09/21/2018
Files: asa983-11-smp-k8.bin
Defects resolved since 9.8(3)8:
WebVPN 'enable intf' with DHCP , CLI missing when ASA boot
ASA traceback at first boot in 5506 due to unable to allocate enough LCMB memory
ASA boot loop caused by logs sent after FIPS boot test
asdm displays error uploading image
ASA may traceback and reload in Thread Name: fover_rep during conn replication
ASA/FTD Deployment ERROR 'Management interface is not allowed as Data is in use by this instance'
ASA does not send 104001 and 104002 messages to TCP/UDP syslog
ASA NAT position discrepancy between CLI and REST-API causing REST to delete wrong config
ASA5515 Low DMA memory when ASA-IC-6GE-SFP-A module is installed
Slave unit drops UDP/500 and IPSec packets for S2S instead of redirecting to Master
Flow-offload rewrite rules not updated when MAC address of interface changes
create/delete context stress test causes traceback in nameif_install_arp_punt_service
clear crypto ipsec ikev2 commands not replicated to standby
FTD does not send Marker for End-of-RIB after a BGP Graceful Restart
2100/4100/9300: stopping/pausing capture from Management Center doesn't lower the CPU usage
IP Local pools configured with the same name.
ASA traceback when logging host command is enable for IPv6 after each reboot
webvpn-l7-rewriter: Bookmark logout fails on IE
show memory binsize and "show memory top-usage" do not show correct information (Complete fix)
Flows get stuck in lina conn table in half-closed state
ASA Traceback and reload when executing show process (rip: inet_ntop6)
Certificate import from Local CA fails due to invalid Content-Encoding
ASA "snmp-server enable traps memory-threshold" hogs CPU resulting in "no buffer" drops
mac address is flapping on huasan switch when asa etherchannel is configued with active mode
Traceback and reload due to GTP inspection and Failover
Traceback: ASA 9.8.2.28 while doing mutex lock
ASA cluster: Traffic loop on CCL with NAT and high traffic
Async queue issues with fragmented packets leading to block depletion 9344
Firepower Threat Defense: Low DMA memory leading to VPN failures due to incorrect crypto maps
ASA traceback and reload in "Thread Name: Logger Page fault: Address not mapped"
ASA unable to handle Chunked Transfer-encoding returned in HTTP response pages in Clientless WebVPN
Clientless webvpn fails when ASA sends HTTP as a message-body |
Revision: Version 9.8(3)8 – 08/09/2018
Files: asa983-8-smp-k8.bin
Defects resolved since 9.8(3):
AVT : Missing Content-Security-Policy Header in ASA 9.5.2
ASA policy-map configuration is not replicated to cluster slave
ASA traceback in DATAPATH thread while running captures
Traceback when syslog sent over VPN tunnel
Default DLY value of port-channel sub interface mismatch
ASA Running config through REST-API Full Backup does not contain the specified context configuration
DHCP Relay With Dual ISP and Backup IPSEC Tunnels Causes Flapping
BGP ASN cause policy deployment failures.
Layer 2 traffic should not be hardcoded to be sent to Snort for inspection
ASA fails to encrypt after performing IPv6 to IPv4 NAT translation
PKI:- ASA fails to process CRL's with error "Add CA req to pool failed. Pool full."
ASA pair: IPv6 static/connected routes are not sync/replicated between Active/Standby pairs.
REST-API:500 Internal Server Error
LDAP over SSL crypto engine error
256 Byte block leak observed due to ARP traffic when using VTI
To-the-box traffic being routing out a data interface when failover is transitioning on a New Active
Standby traceback in Thread "Logger" after executing "failover active" with telnet access
ASA - zonelabs-integrity : Traceback and High CPU due to Process 'Integrity FW task'
ASA : Device sends only ID certificate in SSL server certificate packet after reload
CWE-20: Improper Input Validation
LINA traceback in Thread Name: DATAPATH-14-17303
portal-access-rule changing from "deny" to "permit"
ASA memory Leak - snp_svc_insert_dtls_session
ASA traceback on Firepower Threat Defense 2130-ASA-K9
ASA portchannel lacp max-bundle 1 hot-sby port not coming up after link failure
ASA does not unrandomize the SLE and SRE values for SACK packet generated by ASA module
Static IPv6 route prefix will be removed from the ASA configuration
Traceback in cli_xml_server Thread
Traceback at "ssh" when executing 'show service-policy inspect gtp pdp-context detail'
Netflow configuration on Active ASA is replicated in upside down order on Standby unit
1550 Block Depletions leading to ASA reload.
Large Config and ACL May Cause Data Interface Health Check Fail on Slave Join
WebPage is not loading due to client rewriter issue on JS files
ASA may traceback due to SCTP traffic
ASA 5525 running 9.8.2.20 memory exhaustion.
GTP soft traceback seen while processing v2 handoff
Enabling compression necessary to load ASA SSLVPN login page customization
Unwanted IE present error when parsing GTP APN Restriction
ASA may traceback and reload when acessing qos metrics via ASDM/Telnet/SSH
ASA 9.8.3 Smart Licensing Default Config Incorrect |