Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Caution: If you are using CSM, and you upgrade to ASA Version 9.8(3)26 or later, then you must upgrade CSM to Version 4.19 or later. Earlier versions of CSM are not compatible.
Note: ASA 9.8(4)45 and later requires ASDM 7.18(1)152 or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)
Revision: Version 9.8(4)48 – 02/14/2023
Files: asa984-48-smp-k8.bin, cisco-asa-fp2k.9.8.4.48.SPA, cisco-asa-fp1k.9.8.4.48.SPA, cisco-asa.9.8.4.48.SPA.csp
Defects resolved since 9.8(4)46
Cisco ASA Software SSL VPN Client-Side Request Smuggling Vulnerability via "/" URI
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability via "/+CSCOE+/" URI
Cisco ASA Software SSL VPN Client-Side Request Smuggling Vulnerability via "/" URI
Revision: Version 9.8(4)46 – 11/09/2022
Files: asa984-46-smp-k8.bin, cisco-asa-fp2k.9.8.4.46.SPA, cisco-asa-fp1k.9.8.4.46.SPA, cisco-asa.9.8.4.46.SPA.csp
Defects resolved since 9.8(4)45
Cisco ASA and FTD Software VPN Authorization Bypass Vulnerability
Cisco Firepower Threat Defense Software Privilege Escalation Vulnerability
Cisco ASA Software and FTD Software Web Services Interface Denial of Service Vulnerability
Cisco ASA Software and FTD Software Web Services Interface Denial of Service Vulnerability
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS
Revision: Version 9.8(4)45 – 08/30/2022
Files: asa984-45-smp-k8.bin, cisco-asa-fp2k.9.8.4.45.SPA, cisco-asa-fp1k.9.8.4.45.SPA, cisco-asa.9.8.4.45.SPA.csp
Defects resolved since 9.8(4)44
Cisco ASDM and ASA Software Client-side Arbitrary Code Execution Vulnerability
Revision: Version 9.8(4)44 – 06/08/2022
Files: asa984-44-smp-k8.bin, cisco-asa-fp2k.9.8.4.44.SPA, cisco-asa-fp1k.9.8.4.44.SPA, cisco-asa.9.8.4.44.SPA.csp
Defects resolved since 9.8(4)43
Cisco ASA and FTD Software SSL VPN Denial of Service Vulnerability
Cisco ASA Software and FTD Software Web Services Interface Denial of Service Vulnerability
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS DoS
SSL VPN performance degraded and significant stability issues after upgrade
Cisco Firepower Threat Defense Software Denial of Service Vulnerability
Watchdog Traceback in Thread Name: aaa_shim_thread
Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability
Revision: Version 9.8(4)43 – 03/23/2022
Files: asa984-43-smp-k8.bin, cisco-asa-fp2k.9.8.4.43.SPA, cisco-asa-fp1k.9.8.4.43.SPA, cisco-asa.9.8.4.43.SPA.csp
Defects resolved since 9.8(4)41:
ASA: AnyConnect sessions cannot be resumed due to ipv6 DACL failure
ASA: VPN traffic does not pass if no DACL is provided in CoA
ASA: DACL with no IPv6 entries is not applied to v6 traffic after CoA
ASA/FTD Traceback and reload due to memory corruption when generating ICMP unreachable message
ASA Privilege Escalation with valid user in AD
ASA traceback and reload in Unicorn Admin Handler when change interface configuration via ASDM
Revision: Version 9.8(4)41 – 10/13/2021
Files: asa984-41-smp-k8.bin, cisco-asa-fp2k.9.8.4.41.SPA, cisco-asa-fp1k.9.8.4.41.SPA, cisco-asa.9.8.4.41.SPA.csp
Defects resolved since 9.8(4)40:
R291: Blade reboots continuously on doing backward compatibility testing with 9.8.4
Revision: Version 9.8(4)40 – 09/15/2021
Files: asa984-40-smp-k8.bin, cisco-asa-fp2k.9.8.4.40.SPA, cisco-asa-fp1k.9.8.4.40.SPA, cisco-asa.9.8.4.40.SPA.csp
Defects resolved since 9.8(4)39:
ASA may traceback and reload on thread Crypto CA
Secondary ASA could not get the startup configuration
ASAv adding non-identity L2 entries for own addresses on MAC table and dropping HA hellos
Revision: Version 9.8(4)39 – 06/08/2021
Files: asa984-39-smp-k8.bin, cisco-asa-fp2k.9.8.4.39.SPA, cisco-asa-fp1k.9.8.4.39.SPA, cisco-asa.9.8.4.39.SPA.csp
Defects resolved since 9.8(4)35:
ASA Traceback on tcp_intercept Thread name: Threat detection
ASA will not import CA certificate with name constraint of RFC822 Name set as empty
Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021
Revision: Version 9.8(4)35 – 04/28/2021
Files: asa984-35-smp-k8.bin, cisco-asa-fp2k.9.8.4.35.SPA, cisco-asa-fp1k.9.8.4.35.SPA, cisco-asa.9.8.4.35.SPA.csp
Defects resolved since 9.8(4)34:
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
ASA duplicate MAC addresses in Shared Interfaces of different Contexts causing traffic impact
Revision: Version 9.8(4)34 – 03/23/2021
Files: asa984-34-smp-k8.bin, cisco-asa-fp2k.9.8.4.34.SPA, cisco-asa-fp1k.9.8.4.34.SPA, cisco-asa.9.8.4.34.SPA.csp
Defects resolved since 9.8(4)33:
stress/low memory: assert: mh->mh_mem_pool > MEMPOOL_UNDEFINED && mh->mh_mem_pool < MEMPOOL_MAX_TYPE
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
ASA stale VPN Context seen for site to site and AnyConnect sessions
Cisco ASA and FTD Software SIP Denial of Service Vulnerability
Cisco ASA and FTD Software Web Services Buffer Overflow Denial of Service Vulnerability
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerability
ASA traceback and reload webvpn thread
ASA traceback and reload with Thread name: ssh when capture was removed
ASA: Unable to import PAC file if FIPS is enabled.
Revision: Version 9.8(4)33 – 02/24/2021
Files: asa984-33-lfbff-k8.SPA, asa984-33-smp-k8.bin
Defects resolved since 9.8(4)32:
M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service
M500IT Model Solid State Drives on ISA3000 may go unresponsive after 3.2 Years in service
Revision: Version 9.8(4)32 – 11/17/2020
Files: asa984-32-smp-k8.bin, cisco-asa-fp2k.9.8.4.32.SPA, cisco-asa-fp1k.9.8.4.32.SPA, cisco-asa.9.8.4.32.SPA.csp
Defects resolved since 9.8(4)29:
Traceback in cluster_route_status_callback while disabling/enabling cluster back-to-back
ASA running 9.6.4.20 Traceback in threadname Unicorn Proxy Thread
ASA traceback and reload during SSL handshake
Traceback/Page-fault in Clientless WebVPN due to HTTP cleanup
Lina traceback when FTD is configured with passive interface in HA with span traffic on it.
ASA: Block new conns even when the "logging permit-hostdown" is set & TCP syslog is down
ASA traceback observed when "config-url" is entered while creating new context
6.6.1-71: HA switchover doesn't happen with graceful reboot of QP chassis
ASA/FTD is reading BGP MP_REACH_NLRI attribute's next-hop bytes in reverse order
ASA traceback and reload on inspect esmtp
access-list: FP9300 9.8.4.10 ASA missing entries in the object expand after object-group modification
Traceback due to fover and ssh thread
Unexpected traceback and reload on FTD creating a Core file
ASA: EasyVPN HW Client triggers duplicate phase 2 rekey causing disconnections across the tunnel
Mac address-table is flapping on 3850 when ASA etherchannel is configured with active mode
Certificate validation syslog is not generated on OCSP revocation check
ASA traceback cp_midpath_process_thread
ASA traceback and reload while executing "show tech-support" command
ASA syslog traceback while strncpy NULL string passed from SSL library
IKEv2 with EAP, MOBIKE status fails to be processed.
Revision: Version 9.8(4)29 – 10/07/2020
Files: asa984-29-smp-k8.bin, cisco-asa-fp2k.9.8.4.29.SPA, cisco-asa-fp1k.9.8.4.29.SPA, cisco-asa.9.8.4.29.SPA.csp
Defects resolved since 9.8(4)26:
Cisco Firepower Threat Defense Software Management Interface DoS Vulnerability
AnyConnect and Management Sessions fail to connect after several weeks
ASA traceback Thread Name: DATAPATH-0-1388 PBR 9.10(1)22
Lina cores on multi-instance causing a boot loop on both logical-devices
ASA 9.12(2) - Multiple tracebacks due to Unicorn Proxy Thread
Block exhaustion snapshot not created when available blocks goes to zero
traceback: ASA reloaded lina_sigcrash+1394
ASA traceback in threadname 'ppp_timer_thread'
ASA experienced a traceback and reloaded
Cisco Adaptive Security Appliance Software and Firepower Threat Defense SSL VPN DoS
Cluster / aaa-server key missing after "no key config-key" is entered
Multicast traffic is being dropped with the reason no-mcast-intrf
Cluster site-specific MAC addresses not rewritten by flow-offload
Traceback and reload in thread DATAPATH-1-1320 after upgrade
ASA gets frozen after crypto engine failure
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities
Observed traceback in FPR2130 while running webVPN, SNMP related traffic.
After upgrade ASA swapped names for disks, disk0 became disk1 and vice versa.
ASA Traceback and reload on thread name Crypto CA
Lina traceback and reload seen on trying to switch peer on KP HA with 6.6.1-63
ASA traceback when running show asp table classify domain permit
Cisco ASA Software Web-Based Management Interface Reflected Cross-Site Scripting Vulnerability
snmpwalk for OID 1.3.6.1.2.1.47.1.1.1.1.5 on ISA 3000 returning value of 0 for .16 and .17
ASA IKEv2 VTI - Failed to request SPI from CTM as responder
Error parsing flash:/LOCAL-CA-SERVER/LOCAL-CA-SERVER.cdb, when trying to modify/read the user-db
Removing static ipv6 route from management-only route table affects data traffic
ASA stops processing RIP packets after system upgrade
ASAv5 reloads without traceback.
ASA Anyconnect url-redirect not working for ipv6
Traceback Cluster unit on snpi_nat_xlate_destroy+2508
ASA/FTD traceback and reload during AAA or CoA task of Anyconnect user
WebSSL clientless user accounts being locked out on 1st bad password
ASA traceback and reload in thread:Crypto CA,mem corruption by unvirtualized pki global table in MTX
ASA traceback and reload in fover_parse when attempting to join the failover pair.
ASA dropping all traffic with reason "No route to host" when tmatch compilation is ongoing
Revision: Version 9.8(4)26 – 08/27/2020
Files: asa984-26-smp-k8.bin, cisco-asa-fp2k.9.8.4.26.SPA, cisco-asa-fp1k.9.8.4.26.SPA, cisco-asa.9.8.4.26.SPA.csp
Defects resolved since 9.8(4)25:
CTM: Nitrox S/G lengths need to be validated
ASA/FTD traceback and reload in Thread Name: SXP CORE
show inventory (or) "show environment" on ASA 5515/5525/5545/5555 shows up Driver/ioctl error logs
[SXP] Issue with establishing SXP connection between ASA on FPR-2110 and switches
Cisco Firepower Threat Defense Software Hidden Commands Vulnerability
ENH: Addition of 'show run all sysopt' to 'show tech' output
ASA/FTD may traceback and reload in Thread Name 'HTTP Cli Exec'
Secondary unit exceed platform context count limit in split brain scenario when failover link down
ASA traceback and reload due to routing subsystem
ASA traceback and reload multiple times with trace "webvpn_periodic_signal"
Cisco Firepower Threat Defense Software TCP Flood Denial of Service Vulnerability
Cisco ASA and FTD Software FTP Inspection Bypass Vulnerability
Warning Message for default settings with Installation of Certificates in ASA/FTD - CLI
ASA5585 traceback and reload after upgrading SFR from 6.4.0 to 6.4.0.9-34
Crypto accelerator bias setting should be included in show tech
Cisco ASA and FTD Software SIP Denial of Service Vulnerability
Traceback observed while performing master role change with active IGMP joins
Cisco ASA and FTD Software SSL/TLS Session Denial of Service Vulnerability
Cisco ASA and FTD IP Fragment Memory Leak Vulnerability
ASA configured with TACACS REST API: /cli api fail with "Command authorization failed" message
ASA traceback after TACACS authorized user made configuration changes
ASA high CPU with intel_82576_check_link_thread impacting on overall unit performance
ASA traceback and reload on thread name DATAPATH
AnyConnect Connected Client IPs Not Advertised into OSPF Intermittently
DSCP values not preserved in DTLS packets towards AnyConnect users
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities
Cisco ASA Software and FTD Software WebVPN Portal Access Rule Bypass Vulnerability
ASA unable to delete ACEs with remarks and display error "Specified remark does not exist"
EIGRP summary route not being replicated to standby and causing outage after switchover
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities
Native VPN client with EAP-TLS authentication fails to connect to ASA
SNMP IfDiscards OIDs for Internal-Data 0/0 and 0/1 wrong Values
Multicast EIGRP traffic not seen on internal FTD interface
Lina Traceback during FTD deployment when WCCP config is being pushed
Revision: Version 9.8(4)25 – 07/08/2020
Files: asa984-25-smp-k8.bin, cisco-asa-fp2k.9.8.4.25.SPA, cisco-asa-fp1k.9.8.4.25.SPA, cisco-asa.9.8.4.25.SPA.csp
Defects resolved since 9.8(4)22:
ASA Will Not Establish L2L With "Detected unsupported failover version" Messages
ASA traceback and reload on Thread Name SSH
After failover, Active unit tcp sessions are not removed when timeout reached
ENH: Addition of 'show logging setting' to 'show tech' output
Failover ipsec - protocol 8 IPSec SA mismatch on decaps with decrypt and verify counters
Calls fail once anyconnect configuration is added to the site to site VPN tunnel
ASA/FTD traceback and reload due to memory leak in SNMP community string
Erase disk0 on ISA3000 causes file system not supported
Cisco ASA and FTD Web Services File Upload Denial of Service Vulnerability
ASA traceback and reload for the CLI "show asp table socket 18421590 det"
IKEv2 Call Admission Statistics "Active SAs" counter out of sync with the real number of sessions
AnyConnect statistics is doubled in both %ASA-4-113019 and RADIUS accounting
HKT - Failover time increases with upgrade to 9.8.4.15
ASA interface ACL dropping snmp control-plane traffic from ASA
ASA Crashes in SNMP while joining the cluster when key config-key password-encryption" is present
SSH keys lost in ASA after reload
FTD firewall unit cannot join the cluster after a traceback due to invalid interface GOID entry
ASA traceback in Thread Name kerberos_recv
ASA: High CPU due to stuck running SSH sessions / Unable to SSH to ASA
GIADDR of DHCP Discover packet is changed to the ip address of dhcp-network-scope
Cisco ASA Software and FTD Software Web Services Cross-Site Scripting Vulnerability
[PKI] Standard Based IKEv2 Certificate Auth session does second userfromcert lookup unnecessarily
Revision: Version 9.8(4)22 – 06/02/2020
Files: asa984-22-smp-k8.bin, cisco-asa-fp2k.9.8.4.22.SPA, cisco-asa-fp1k.9.8.4.22.SPA, cisco-asa.9.8.4.22.SPA.csp
Defects resolved since 9.8(4)20:
ASA should provide better fragment-related logs and ASP drop reasons
Stuck uauth entry rejects AnyConnect user connections
Blocks exhaustion snapshot was not captured on ASA
Active unit Tracebacks in 'Thread Name: IKE Daemon'
Hostscan: LastSuccessfulInstallParams can not be detected by Hostscan
ASA traceback and reload due to tcp_retrans_timeout internal thread handling
ASA: cluster exec show commands not show all output
FTD Traceback and Reload on Lina thread for thread_logger
Cluster: BGP route may go in out of sync in some scenarios
Cisco ASA & FTD devices may reload under conditions of low memory and frequent complete MIB walks
Unable to auto-rejoin FTD cluster
ASA reporting negative memory values on "%ASA-5-321001: Resource 'memory' limit'" message
ASA/FTD may traceback and reload in Thread Name 'EIGRP-IPv4'
After upgrade to version 9.6.4.34 is not possible to add an access-group
Traffic may match an access-list incorrectly with object-group-search enabled
SAML tokens are not removed from hash table
IKEv2 vpn-filter drops traffic with implicit deny after volume based rekey collision
ASA/FTD: Block 256 size depletion caused by ARP of BVI not assigned to any physical interface
Port-channel bundling is failing after upgrade to 9.8 version
DOC - Clarify the meaning of mp-svc-flow-control under show asp drop
ASA/FTD may traceback and reload in Thread Name 'ssh'
FTD: Traceback and reload related to lina_host_file_open_raw function
ASAv Unable to register smart licensing with IPv6
Observed traceback on 2100 while performing Failover Switch from Standby.
IPSec SAs are not being created for random VPN peers
Multi-context ASA/LINA on FPR not sending DHCP release message
Dynamic RRI route is not destroyed when IKEv2 tunnel goes down
Pad packets received from RA tunnel which are less than or equal 46 bytes in length with zeros
Crypto ring stalls when the length in the ip header doesn't match the packet length
FPR2100 'show crypto accelerator statistics' counters do not track symmetric crypto
Stuck uauth entry rejects AnyConnect user connections despite fix of CSCvi42008
Fragmented packets forwarded to fragment owner are not visible on data interface captures
ASA traceback Thread name - webvpn_task
ASA 9.13.1.7 traceback and reload while processing hostscan data (process name LINA )
remote access mib - SNMP 64 bit only reporting 4Gb before wrapping around
ASA is sending failover interface check control packets with a wrong destination mac address
Route Fallback doesn't happen on Slave unit, upon RRI route removal.
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
FTD traceback and reload on FP2120 LINA Active Box. VPN
Redistribution of VPN advertised static routes fail after reloading the FTD on FPR2100
Cisco Adaptive Security Appliance Software and Firepower Threat Defense OSPFv2 DoS
SNMP traps can't be generated via diagnostic interface
ASA traceback and reload with thread name coa_task
Connectivity over the state link configured with IPv6 addresses is lost after upgrading the ASA
ASA on QP platforms display wrong coredump filesystem space (50 GB)
ASA-FPWR 1010 traceback and reload when users connect using AnyConnect VPN
ASA generated a traceback and reloaded when changing the port value of a manual nat rule
WebVPN SSO Gives Unexpected Results when Integrated with Kerberos
Revision: Version 9.8(4)20 – 04/06/2020
Files: asa984-20-smp-k8.bin, cisco-asa-fp2k.9.8.4.20.SPA, cisco-asa.9.8.4.20.SPA.csp
Defects resolved since 9.8(4)15:
Cisco ASA Software and Cisco FTD Software SSL VPN Denial of Service Vulnerability
FP9300 Cluster - Master unit does not update all the route changes to slaves
Need to add inactivity timer for aware server sockets
ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA
Some 3DES related configurations are lost after booted
FTD traceback and reload on thread DATAPATH-1-15076 when SIP inspection is enabled
ASA sends malformed RADIUS message when device-id from AnyConnect is too long
ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled
ASA Traceback on IPsec message handler Thread
Traceback: spin_lock_fair_mode_enqueue: Lock (np_conn_shrlock_t) is held for a long time
ASA/FTD Traceback in Thread Name: DATAPATH due to DNS inspection
ASA Traceback Thread Name: IKE Daemon
ASA/FTD may traceback and reload in Thread Name 'License Thread'
Reduce number of fsync calls during close in flash file system
Invalid scp session terminates other active http, scp sessions
Cisco Firepower Threat Defense Software Inline Pair/Passive Mode DoS Vulnerability
Cisco ASA Local File Reading Vulnerability
IPv6 DNS server resolution fails when the server is reachable over the management interface.
ASA: Traceback in thread Unicorn Admin Handler
Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability
Cisco ASA and FTD WebVPN CRLF Injection Vulnerability
FTD Traceback in thread 'ctm_ipsec_display_msg'
ASA: Active unit HA traceback and reload during Config Sync state during OSPF sync
sctp-state-bypass is not getting invoked for inline FTD
Encryption-3DES-AES should not be required when enabling ssh version 2 on 9.8 train
Revision: Version 9.8(4)17 – 02/21/2020
Files: asa984-17-smp-k8.bin, cisco-asa-fp2k.9.8.4.17.SPA, cisco-asa.9.8.4.17.SPA.csp
Defects resolved since 9.8(4)15:
ASA OS incorrectly calculates certificate expiry date in Syslog 717054
ASA scansafe connector takes too long to failover to secondary CWS Tower
ASA traceback on spin_lock_release_actual
ASA may slowly leak memory when using NetFlow
IPsec VPN goes down intermittently during a re-key
UDP flood causes Lina to run out of memory if blocked
ASAv v9.12(1) cannot distinguish name aliases for IPv6
VPN-sessiondb does not replicate to standby ASA
OpenSSL vulnerability CVE-2019-1559 on FTD
V route is missing even after setting the reverse route in Crypto map config in HA-IKEv2
ICMP error packets being dropped for Null pdts_info
DCD Causes Standby to send probes
PPPoE session not coming up after reload.
Traceback on snp_policy_based_route_lookup when deleting a rule from access-list configured for PBR
ASA Traceback: SCTP bulk sync and HA synchronization
IPSEC SA is deleted by failover which is caused by link down (9.8.x train fix)
ASA Traceback/pagefault in Datapath due to re_multi_match_ascii
Standby ASA logging %ASA-4-720022: (VPN-Secondary) Cannot find trust point __tmpCiscoM1Root__
ASA/FTD may traceback and reload in Thread Name 'PTHREAD-1533'
ASA traceback and reload on Thread DATAPATH-0-2064
ASA OSPF: Prefix removed from the RIB when topology changes, then added back when another SPF is run
Clustering module needs to skip the hardware clock update to avoid the timeout error and clock jump
ASA - 9.8.4.12 traceback and reload in ssh or fover_rx Thread
Decrement TTL display wrong result
ASA TRACEBACK: sctpProcessNextSegment - SCTP_INIIT_CHUNK
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
ERROR: entry for ::/0 exists when configuring ipv6 icmp
mroute entries on ASA not getting refreshed.
ASA Traceback in Thread Name SSH with assertion slib_malloc.c
Lina crashing continuously in latest release
ASA may traceback and reload while waiting for "DATAPATH-12-1899" process to finish.
FTD-HA: Deploy fail when interface as used inline-pair in standby unit is down
ASA doesn't honor SSH Timeout When Data Channel is not Negotiated
Secondary ASA is unable to join the failover due to aggressive warning messages.
reactivation-mode timed causing untimely reactivation of failed server
Cisco ASA and Cisco FTD Malformed OSPF Packets Processing Denial of Service Vulnerability
Revision: Version 9.8(4)15 – 12/02/2019
Files: asa984-15-smp-k8.bin, cisco-asa-fp2k.9.8.4.15.SPA, cisco-asa.9.8.4.15.SPA.csp
Defects resolved since 9.8(4)12:
DP threads starves of CPU and traceback and reloads due to single spin lock for syslog processing
Traceback on 2100 - watchdog
Watchdog traceback due to lina_host_file_stat calls
ASA/FTD may traceback and reload in Thread Name 'BGP Router'
OSPFv3 neighborship is flapping every ~30 minutes
FPR 2100, low block 9472 causes packet loss through the device.
Adding an ipv6 default route causes CLI to hang for 50 seconds
Traceback in HTTP Cli Exec when upgrading to 96.4.0.41
Cisco ASA Software Kerberos Authentication Bypass Vulnerability
Management interface configuration leads to immediate traceback and reload
Multiple context 5585 ASA, transparent context losing management interface configuration.
ASA Traceback in Ikev2 Daemon
Can't delete 2 or more than two IP address-pool
ASA may traceback on display_hole_og
App-sync failure if unit tries to join HA during policy deployment
VRF:bgp route not syncing to slave units when there is route change
Dual stack ASAv failover triggered by reload issue
ASA Standby after a reload and being active requests and caches smart license entitlements
FTD/LINA traceback and reload observed in thread name: cli_xml_server
Missing clean up on rule creation failure.
ASA after reload had license context count greater than platform limits
ISA3k might enter in boot loop after upgrade to certain versions
configurations getting wiped off from standby, while deployment fails on active
Lina Traceback during FTD deployment when PBR config is being pushed
Plaintext passwords logged in asa-appagent.log during bootstrap configuration create/edits
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability
Revision: Version 9.8(4)12 – 10/29/2019
Files: asa984-12-smp-k8.bin, cisco-asa-fp2k.9.8.4.12.SPA, cisco-asa.9.8.4.12.SPA.csp
Defects resolved since 9.8(4)10:
ASA Stops Accepting Anyconnect Sessions/Terminates Connections Right After Successful SSL handshake
OpenSSL 0-byte Record Padding Oracle Information Disclosure Vulnerabil
Unsupported runtime JavaScript exception handling in the client side WebVPN rewriter
ASA Memory Leak - snp_svc_insert_dtls_session
When only IP communication is disrupted on failover link LANTEST msg is not sent on data interfaces
Dual stacked ASAv manual failover issues
ASA5515-K9 standby traceback in Thread Name ssh
Traceback: Cluster unit lina assertion in thread name:Cluster controller
ASA cluster does not flush OSPF routes
ASA:BGP recursive route lookup for destination 3 hop away is failing.
Connections fail to replicate in failover due to failover descriptor mis-match on port-channels
ASA generates incorrect error message about PCI cfg space when enumerating Internal-Data0/1
Cannot add neighbor in BGP when the neighbor is on the same subnet as one interface
Active device is not reporting correct peer state.
Flow Offload Hashing Change of Behavior
ASA traceback in Thread IPsec Message Handler
Cisco ASA and FTD Software IPv6 DNS Denial of Service Vulnerability
ASA: VPN traffic fails to take the tunnel route when the default route is learnt over BGP.
FTD/LINA Standby may traceback and reload during logging command replication from Active
Revision: Version 9.8(4)10 – 08/29/2019
Files: asa984-10-smp-k8.bin, cisco-asa-fp2k.9.8.4.10.SPA, cisco-asa.9.8.4.10.SPA.csp
Defects resolved since 9.8(4)8:
ASA may traceback due to SCTP traffic
Port-Channel issues on HA link
SDI - SUSPENDED servers cause 15sec delay in the completion of an authentication with a good server
ASA Enhancement: Generate syslog message once member of the SDI cluster changes state
Traceback in VPN Clustering HA timer thread when member tries to join the cluster
ENH: ACE details for warning "found duplicate element"
ENH: Add process information to "Command Ignored, configuration in progress..."
Cisco ASA Software and FTD Software FTP Inspection Denial of Service Vulnerability
Simultaneous FINs on flow-offloaded flows lead to stale conns
Traceback in HTTP Cli Exec when upgrading to 9.12.1
cts import-pac tftp: syntax does not work
Option to display port number on access-list instead of well known port name on ASA
Cisco ASA and Firepower Threat Defense Software WebVPN Cross-Site Scripting Vulnerability
LINA traceback on ASA in HA Active Unit repeatedly
Cisco ASA and FTD Software WebVPN CPU Denial of Service Vulnerability
ASA 9.9.2 Clientless WebVPN - HTML entities are incorrectly decoded when processing HTML
LINA Traceback after upgrade to 9.12.2.1
ASA failover LANTEST messages are sent on first 10 interfaces in the configuration.
Traceback: "saml identity-provider" command will crash multi-context ASAs
Not able to establish more than 2 simultaneous ASDM sessions
ASA may traceback due to SCTP traffic despite fix CSCvj98964
When deleting context the ssh key-exchange goes to Default GLOBALLY!
ssl trust-point command will be removed when restoring backup via CLI
Watchdog on ASAv when logging to buffer
Memory leak observed when ASA-SFR dataplane communication flaps
ENH: ASA Cluster debug for syn cookie issues
ASA is unable to verify the file integrity
FTD/ASA : Traceback in Datapath with assert snp_tcp_intercept_assert_disabled
SSL VPN may not be able to establish due to SSL negotiation issue
ASA traceback observed when moving EZVPN spokes to the device.
ASA Traceback on Saleen in Thread Name: IPv6 IDB
Revision: Version 9.8(4)8 – 07/17/2019
Files: asa984-8-smp-k8.bin, cisco-asa-fp2k.9.8.4.8.SPA, cisco-asa.9.8.4.8.SPA.csp
Defects resolved since 9.8(4)7:
Multi-context - IKEv2 SA fail to establish
ASA traceback with Thread: DATAPATH-8-2035
ASA may traceback and reload while waiting for "dns_cache_timer" process to finish.
ASA traceback in thread SSH
management-only of diagnostic I/F on secondary FTD get disappeared
LACPDUs should not be sent to snort for inline-set interfaces
The delay command in interface configuration is modified after rebooted
AnyConnect connections fail with TCP connection limit exceeded error
ASA traceback and reload observed in Datapath due to SIP inspection.
ASA sends invalid redirect response for POST request
IKEv2 RA Generic client - stuck outgoing asp table entry - traffic encrypted with stale SPI
DHCP NACK silently dropped by ASA sent from DHCP server if configured as DHCP relay
Cisco ASA Software and FTD Software OSPF LSA Processing Denial of Service Vulnerability
Thread Name: CP DP SFR Event Processing traceback
ASA Failover split brain (both units active) after rebooting a Firepower chassis
MCA+AAA+OTP with RADIUS challenge fails to send aggauth handle in challenge
Firepower 4100 connection counts mismatch between active and standby ASA
Revision: Version 9.8(4)7 – 06/04/2019
Files: asa984-7-smp-k8.bin, cisco-asa-fp2k.9.8.4.7.SPA, cisco-asa.9.8.4.7.SPA.csp
Defects resolved since 9.8(4)3:
ASA IKEv2 unable to open aaa session: session limit [2048] reached
SSP-NTP: ssp-ntp script monitoring script enhancements for XRU, KP
Clock sync issue on ASA with FXOS
ASA Traceback (watchdog timeout) when syncing config from active unit (inc. cachefs_umount)
Traceback in Firepower 4120
Graceful Restart BGP does not work intermittently
Deployment on FTD with low memory results on interface nameif to be removed
Traceback in threadname DATAPATH-0-1668 while freeing memory block
ASA SCP transfer to box stall mid-transfer
ASA traceback and reloads when issuing "show inventory" command
ASA: BGP routes is cleared on routing table after failover occur and bgp routes are changed
Enhancement: add counter for Duplicate remote proxy
Standby Firewall reloads with a traceback upon doing a manual failover
ASA unable to authenticate users with special characters via https
ASA may traceback and reload. suspecting webvpn related
ASA on FXOS platforms reloads when establishing simultaneous ASDM sessions
Cisco ASA Software and FTD Software MGCP Denial of Service Vulnerabilities
Cisco ASA Software and FTD Software MGCP Denial of Service Vulnerabilities
ASA: Watchdog traceback in Datapath
FTD lina cored with Thread name: cli_xml_server
Random SGT tags added by FTD
FIPS mode gets disabled after rollback from a failed policy deploy
established tcp does not work post 9.6.2
Cisco ASA Software and FTD Software SIP Inspection Denial of Service Vulnerability
ASA/FTD HA Data Interface Heartbeat dropped due to Reverse Path Check
Revision: Version 9.8(4)3 – 05/14/2019
Files: asa984-3-smp-k8.bin, cisco-asa-fp2k.9.8.4.3.SPA, cisco-asa.9.8.4.3.SPA.csp
Defects resolved since 9.8(4):
ASA 5506/5508/5516 traceback in Thread Name octnic_hm_thread