Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 9.12(2)9 – 10/02/2019
Files: asa9122-9-smp-k8.bin, cisco-asa-fp2k.9.12.2.9.SPA, cisco-asa.9.12.2.9.SPA.csp
Defects resolved since 9.12(2)5:
- SDI - SUSPENDED servers cause 15sec delay in the completion of an authentication with a good server
- ASA Enhancement: Generate syslog message once member of the SDI cluster changes state
- Traceback in VPN Clustering HA timer thread when member tries to join the cluster
- OSPF Process ID does not change even after clearing OSPF process
- ENH: ACE details for warning "found duplicate element"
- ENH: Add process information to "Command Ignored, configuration in progress..."
- cts import-pac tftp: syntax does not work
- Option to display port number on access-list instead of well known port name on ASA
- ASA HA IKEv2 generic RA - AnyConnect Premium All In Use incorrect on standby
- Cisco ASA and Firepower Threat Defense Software WebVPN Cross-Site Scripting Vulnerability
- LINA traceback on ASA in HA Active Unit repeatedly
- Cisco ASA and FTD Software WebVPN CPU Denial of Service Vulnerability
- Cluster master reload cause ping failure to the Management virtual IP
- ASA failover LANTEST messages are sent on first 10 interfaces in the configuration.
- FTD LINA traceback at DATAPATH-8-15821
- FP2100 - Flow oversubscribing ring/CPU core causing disruption to working flows on FP2100 platforms
- ENH: ASA Cluster debug for syn cookie issues
- ASA is unable to verify the file integrity
- FTD/ASA : Traceback in Datapath with assert snp_tcp_intercept_assert_disabled
- SSL VPN may not be able to establish due to SSL negotiation issue
- When only IP communication is disrupted on failover link LANTEST msg is not sent on data interfaces
- ASA traceback observed when moving EZVPN spokes to the device.
- Dual stacked ASAv manual failover issues
- ASA5515-K9 standby traceback in Thread Name ssh
- ASA Traceback on Saleen in Thread Name: IPv6 IDB
- Traceback: Cluster unit lina assertion in thread name:Cluster controller
- ASA cluster does not flush OSPF routes
- FPR2100 FTD Standby unit leaking 9K blocks
- ASA:BGP recursive route lookup for destination 3 hop away is failing.
- Connections fail to replicate in failover due to failover descriptor mis-match on port-channels
- ASA generates incorrect error message about PCI cfg space when enumerating Internal-Data0/1
- Cannot add neighbor in BGP when the neighbor is on the same subnet as one interface
- Flow Offload Hashing Change of Behavior
- ASA traceback in Thread IPsec Message Handler
Revision: Version 9.12(2)5 – 08/26/2019
Files: cisco-asa-fp2K.9.12.2.5.SPA
Defects resolved since 9.12(2)4:
- FP2100: Upgrade or new install attempts to 9.12.2.4 results in ASA application start failures
Note: The 9.12.2.5 interim release is only needed for Firepower 2100 platforms. Other ASA platforms do not require this fix.
Revision: Version 9.12(2)4 – 08/06/2019
Files: asa9122-4-smp-k8.bin, cisco-asa-fp2k.9.12.2.4.SPA, cisco-asa.9.12.2.4.SPA.csp
Defects resolved since 9.12(2)1:
- ASA traceback with Thread: DATAPATH-8-2035
- ASA may traceback due to SCTP traffic
- Port-Channel issues on HA link
- Control-plane ACL doesn't work correctly on FTD
- ASA may traceback and reload while waiting for "dns_cache_timer" process to finish.
- Cisco ASA Software and FTD Software FTP Inspection Denial of Service Vulnerability
- Simultaneous FINs on flow-offloaded flows lead to stale conns
- LACPDUs should not be sent to snort for inline-set interfaces
- Traceback in HTTP Cli Exec when upgrading to 9.12.1
- AnyConnect connections fail with TCP connection limit exceeded error
- ASA sends invalid redirect response for POST request
- IKEv2 RA Generic client - stuck outgoing asp table entry - traffic encrypted with stale SPI
- DHCP NACK silently dropped by ASA sent from DHCP server if configured as DHCP relay
- Fail-Closed FTD passes packets through on Snort processes down
- Deploy fails on FTD HA due to exception when parsing big xml response
- ASA Failover split brain (both units active) after rebooting a Firepower chassis
- MCA+AAA+OTP with RADIUS challenge fails to send aggauth handle in challenge
- Unsupported runtime JavaScript exception handling in the client side WebVPN rewriter
- ASA 9.9.2 Clientless WebVPN - HTML entities are incorrectly decoded when processing HTML
- Firepower 4100 connection counts mismatch between active and standby ASA
- Executing 'failover' twice on active unit, clears interface configuration on standby unit
- FTD traceback and reload on LINA thread
- Traceback: "saml identity-provider" command will crash multi-context ASAs
- Not able to establish more than 2 simultaneous ASDM sessions
- ASA may traceback due to SCTP traffic despite fix CSCvj98964
- When deleting context the ssh key-exchange goes to Default GLOBALLY!
- ssl trust-point command will be removed when restoring backup via CLI
- ASA IKEv2 - ASA sends additional delete message after initiating a phase 2 rekey
- Watchdog on ASAv when logging to buffer
- Memory leak observed when ASA-SFR dataplane communication flaps
Revision: Version 9.12(2)1 – 06/25/2019
Files: asa9122-1-smp-k8.bin, cisco-asa-fp2k.9.12.2.1.SPA, cisco-asa.9.12.2.1.SPA.csp
Defects resolved since 9.12(2):
- Traceback on Thread Name: DATAPATH-2-1785
- ASA IKEv2 unable to open aaa session: session limit [2048] reached
- SSP-NTP: ssp-ntp script monitoring script enhancements for XRU, KP
- ASA is getting traceback with reboot only on Spyker after shutdown SFR module
- ASA Traceback (watchdog timeout) when syncing config from active unit (inc. cachefs_umount)
- Traceback in DATAPATH on ASA
- Route tracking failure
- ENH: ASA - support for more than 4 servers in multiple mode.
- IKEv2: IKEv2-PROTO-2: Failed to allocate PSH from platform
- tcp proxy: ASA traceback on DATAPATH
- Traceback in Firepower 4120
- Graceful Restart BGP does not work intermittently
- ASA Multicontext traceback and reload due to allocate-interface out of range command
- Deployment on FTD with low memory results on interface nameif to be removed
- ASA may traceback in thread logger when cluster is enabled on slave unit
- EIGRP breaks when new sub-interface is added and "mac-address auto" is enabled
- Traceback in threadname DATAPATH-0-1668 while freeing memory block
- FMC shows connection events with packet count as 0
- ASA SCP transfer to box stall mid-transfer
- ASA traceback in thread SSH
- VPN sessions failing due to PKI handles not freed during rekeys
- Lina does not properly report the error for configuration line that is too long
- SCP large file transfer to the box result in a traceback
- Enhancement to address high IKE CPU seen due to tunnel replace scenario
- ASA traceback and reloads when issuing "show inventory" command
- ASA Traceback and reload while running IKE Debug
- ASA: BGP routes is cleared on routing table after failover occur and bgp routes are changed
- Traceback and reload citing Datapath as affected thread
- Enhancement: add counter for Duplicate remote proxy
- easyVPN got broke on lina_dev [201.4.1.106]
- management-only of diagnostic I/F on secondary FTD get disappeared
- Do not decrypt rule causes traffic interruptions.
- ASA may traceback and reload. Potentially related to WebVPN traffic
- Standby Firewall reloads with a traceback upon doing a manual failover
- HTTP with ipv6 using w3m is failing
- ASA sends password in plain text for "copy" command
- ASA unable to authenticate users with special characters via https
- The delay command in interface configuration is modified after rebooted
- DTLS 1.2 and AnyConnect oMTU
- ASA may traceback and reload. suspecting webvpn related
- ASAv Azure: Route table BGP propagation setting reset when ASAv fails over
- ASA traceback and reload observed in Datapath due to SIP inspection.
- ASA: Watchdog traceback in Datapath
- FTD lina cored with Thread name: cli_xml_server
- Random SGT tags added by FTD
- FIPS mode gets disabled after rollback from a failed policy deploy
- established tcp does not work post 9.6.2
- Unable to configure more than 100 aaa-server group limit reached
- Cisco ASA Software and FTD Software SIP Inspection Denial of Service Vulnerability
- Cisco ASA Software and FTD Software OSPF LSA Processing Denial of Service Vulnerability
- IP Address stuck in local pool and showing as "In Use" even when the AnyConnect client disconnects
- Thread Name: CP DP SFR Event Processing traceback
- ASA/FTD HA Data Interface Heartbeat dropped due to Reverse Path Check
- After reboot, "ssh version 1 2" added to running-config
- Time zone in syslogs messages