Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 9.12(3)12 – 04/21/2020
Files: asa9123-12-smp-k8.bin, cisco-asa-fp1k.9.12.3.12.SPA, cisco-asa-fp2k.9.12.3.12.SPA, cisco-asa.9.12.3.12.SPA.csp
Defects resolved since 9.12(3)9:
|
TCM doesn't work for ACE
addition/removal, ACL object/object-group edits |
|
|
Some 3DES related configurations
are lost after booted |
|
|
RRI on static HUB/SPOKE config
is not working on HUB when a new static SPOKE is added or deleted |
|
|
Lina traceback when changing
device mode of FTD |
|
|
FP2100 Traceback and reload when
processing traffic through more than two inline sets |
|
|
After upgrade to version
9.6.4.34 is not possible to add an access-group |
|
|
ASA traceback and reload when
running command "clear capture /" |
|
|
ICMP Reply Dropped when matched
by ACL |
|
|
ASA/FTD Tunneled Static Routes
are Ignored by Suboptimal Lookup if Float-Conn is Enabled |
|
|
SAML tokens are not removed from
hash table |
|
|
FP41xx incorrect interface applied in ASA capture |
|
|
ASA/FTD may traceback and reload
in Thread Name 'License Thread' |
|
|
9.12.2.151 snp_cluster_ingress
traceback on FPR9300 3-node cluster nested VLAN traffic |
|
|
IPv6 DNS server resolution fails
when the server is reachable over the management interface. |
|
|
Flow offload not working with
combination of FTD 6.2(3.10) and FXOS 2.6(1.169) |
|
|
Incorrect access-list hitcount seen when configuring it with a capture on ASA |
|
|
DOC - Clarify the meaning of mp-svc-flow-control under show asp drop |
|
|
ASA: Traceback in thread Unicorn
Admin Handler |
|
|
VPN failover recovery is taking
approx. 30 seconds for data to resume |
|
|
FTD: Traceback and reload related
to lina_host_file_open_raw function |
|
|
ASA: Active unit HA traceback
and reload during Config Sync state during OSPF sync |
|
|
ASAv Unable to register smart licensing with IPv6 |
|
|
Active FTP fails when secondary
interface is used on FTD |
|
|
Observed Crash in KP while
performing Failover Switch from Standby. |
|
|
sctp-state-bypass is not getting invoked for inline FTD |
|
|
IPSec SAs are not being created
for random VPN peers |
|
|
ASA LDAPS connection fails on
firepower 1010 |
|
|
FPR2100 'show crypto accelerator
statistics' counters do not track symmetric crypto |
|
|
Traffic outage due to 80 size
block exhaustion on the ASA |
|
|
remote acess
mib - SNMP 64 bit only
reporting 4Gb before wrapping around |
|
|
Adjust Firepower 4120 Maximum
VPN Session Limit to 20,000 |
Revision: Version 9.12(3)9 – 03/19/2020
Files: asa9123-9-smp-k8.bin, cisco-asa-fp2k.9.12.3.9.SPA, cisco-asa.9.12.3.9.SPA.csp
Defects resolved since 9.12(3)7:
|
Lina Traceback due to invalid TSC
values |
|||
|
FP9300 Cluster - Master unit
does not update all the route changes to slaves |
|||
|
Need to add inactivity
timer for aware server sockets |
|||
|
ASA traceback and reload related
to crypto PKI operation |
|
||
|
ASA: SSH and ASDM sessions stuck
in CLOSE_WAIT causing lack of MGMT for the ASA |
|
||
|
FTD/LINA Traceback and reload
observed in thread name: cli_xml_server |
|
||
|
FTDv Deployment in Azure causes unrecoverable traceback state
due to no dns domain-lookup any" |
|
||
|
ASA traceback and reload on
Thread DATAPATH-0-2064 |
|
||
|
Clustering module needs to skip
the hardware clock update to avoid the timeout error and clock jump |
|
||
|
FTD traceback and reload on thread
DATAPATH-1-15076 when SIP inspection is enabled |
|
||
|
snmp poll failure with host and host-group configured |
|
||
|
mroute entries on ASA not getting refreshed. |
|
||
|
Traceback when processing SSL
traffic under heavy load |
|
||
|
OSPF Hello causing 9K block
depletion, control point CPU 100% and cluster unstable. |
|
||
|
Inconsistent timestamp format in
syslog |
|
||
|
ICMP not working and failed with
inspect-icmp-seq-num-not-matched |
|
||
|
Secondary ASA is unable to join
the failover due to aggressive warning messages. |
|
||
|
ASA sends malformed RADIUS
message when device-id from AnyConnect is too long |
|
||
|
false reported value for OID
"cipSecGlobalActiveTunnels" - same as
ASDM |
|
||
|
ASA Traceback on IPsec message
handler Thread |
|
||
|
Wrong Module version listed for
FXOS 2.6(1.174) |
|
||
|
Traceback: spin_lock_fair_mode_enqueue:
Lock (np_conn_shrlock_t) is held for a long time |
|
||
|
ASA/FTD Traceback in Thread
Name: DATAPATH due to DNS inspection |
|
||
|
ASA Traceback Thread Name: IKE
Daemon |
|
||
|
Placeholder to address
CSCvs31470 in Multi-Context Mode |
|
||
|
FTD Traceback Lina process |
|
||
|
Reduce number of fsync calls during close in flash file system |
|
||
|
Invalid scp
session terminates other active http, scp sessions |
|
||
|
Deployment is marked as success
although LINA config was not pushed |
|
||
|
Cisco ASA and FTD Software Web Services Information
Disclosure Vulnerability |
|||
|
FTD Traceback in thread 'ctm_ipsec_display_msg' |
|
||
Revision: Version 9.12(3)7 – 03/03/2020
Files: asa9123-7-smp-k8.bin, cisco-asa-fp2k.9.12.3.7.SPA, cisco-asa.9.12.3.7.SPA.csp
Defects resolved since 9.12(3)2:
|
ENH: SFP transceivers attached to
ASA-IC-6GE-SFP-A are not shown by CLI |
|
||
|
ASA scansafe
connector takes too long to failover to secondary CWS Tower |
|
||
|
UDP flood causes Lina to run out of memory if blocked |
|||
|
ASA/FTD: Twice nat Rule with same service displaying error "ERROR:
NAT unable to reserve ports" |
|
||
|
OpenSSL vulnerability
CVE-2019-1559 on FTD |
|
||
|
Hot swap of SFP is not taking
effect on the ASA |
|
||
|
Policy deployment is reported as
successful on the FMC but it is actually failed |
|
||
|
low memory causes kernel to
invoke - oom and reload device - modified rlimit for KP |
|
||
|
Packet loss over failover link
triggers Split-Brain |
|
||
|
Traceback on snp_policy_based_route_lookup
when deleting a rule from access-list configured for PBR |
|
||
|
ASA Traceback: SCTP bulk sync
and HA synchronization |
|
||
|
Standby ASA logging
%ASA-4-720022: (VPN-Secondary) Cannot find trust point __tmpCiscoM1Root__ |
|
||
|
ASA/FTD may traceback and reload
in Thread Name 'PTHREAD-1533' |
|
||
|
ASA TRACEBACK: sctpProcessNextSegment - SCTP_INIIT_CHUNK |
|
||
|
Network Performance Degradation
when SSL policy is enabled |
|
||
|
ASA Traceback in Thread Name SSH
with assertion slib_malloc.c |
|
||
|
ASA may traceback and reload
while waiting for "DATAPATH-12-1899" process to finish. |
|
||
|
ASA doesn't honor SSH Timeout
When Data Channel is not Negotiated |
|
||
|
AnyConnect 4.8 is not working on
the FPR1000 series |
|
||
|
reactivation-mode timed causing untimely
reactivation of failed server |
|
||
|
Cisco ASA and Cisco FTD Malformed OSPF Packets Processing
Denial of Service Vulnerability |
|||
|
IKEv1 on FTD stuck in either
"MM_START" or "MM_FREE" state |
|||
Revision: Version 9.12(3)2 – 12/20/2019
Files: asa9123-2-smp-k8.bin, cisco-asa-fp2k.9.12.3.2.SPA, cisco-asa.9.12.3.2.SPA.csp
Defects resolved since 9.12(3):
|
ASA OS incorrectly calculates
certificate expiry date in Syslog 717054 |
|
||
|
ASA scansafe
connector takes too long to failover to secondary CWS Tower |
|
||
|
ASA traceback on spin_lock_release_actual |
|
||
|
Not able to ssh,
ssh_exec: open(pager) error on console |
|
||
|
Traceback on 2100 - watchdog |
|
||
|
Traceback in HTTP Cli Exec when upgrading to 9.12.1 |
|
||
|
ASAv v9.12(1) cannot distinguish name aliases for IPv6 |
|
||
|
Not able to establish more than
2 simultaneous ASDM sessions |
|
||
|
FTD traffic outage due to 9344
block size depletion caused by the egress-optimization feature |
|
||
|
VPN-sessiondb
does not replicate to standby ASA |
|
||
|
After failover, Active unit tcp sessions are not removed when timeout reached |
|
||
|
ASA/FTD may traceback and reload
in Thread Name 'BGP Router' |
|
||
|
OSPFv3 neighborship is flapping
every ~30 minutes |
|
||
|
FPR 2100, low block 9472 causes packet loss through the device. |
|
||
|
Adding an ipv6 default route causes
CLI to hang for 50 seconds |
|
||
|
FP1000: AnyConnect-Parent SSL-Tunnel continuously
reconnecting |
|
||
|
Firepower Threat Defense:not clearing BGP's NSF configuration when we
break HA |
|
||
|
Cisco ASA Software Kerberos Authentication Bypass
Vulnerability |
|||
|
Traffic interruptions for
FreeBSD systems |
|
||
|
V route is missing even after
setting the reverse route in Crypto map config in HA-IKEv2 |
|
||
|
Multiple context 5585 ASA, transparent context losing mangement interface configuration. |
|
||
|
Traceback in tcp-proxy |
|||
|
Cisco Firepower 1000 Series SSL/TLS Denial of Service
Vulnerability |
|||
|
PPPoE session not coming up after reload. |
|||
|
Mac address flap on switch with
wrong packet injected on ingress FTD interface |
|||
|
VRF:bgp route not syncing to slave units when there is route
change |
|||
|
ASA Static route disappearing
from asp table after learning default route via BGP |
|||
|
Mac Rewrite Occurring for
Identity Nat Traffic |
|||
|
FTD/LINA traceback and reload
observed in thread name: cli_xml_server |
|||
|
Missing clean up on rule
creation failure. |
|||
|
ASA after reload
had license context count greater than platform limits |
|||
|
configurations getting wiped off
from standby, while deployment fails on active |
|||
|
Plaintext passwords logged in
asa-appagent.log during bootstrap configuration create/edits |
|||
|
Configuration might not replicated if packet loss on the failover Link |
|||
|
FTD traceback when TLS tracker (tls_trk_sniff_for_tls) attempted to free a block. |
|||
|
Cisco Adaptive Security
Appliance Software and Firepower Threat Defense Software Remote |
|||
|
ASA Traceback/pagefault in Datapath due to re_multi_match_ascii |
|||
|
Cisco ASA and Cisco FTD Software
OSPF Packets Processing Memory Leak Vulnerability |
|||
|
Lina traceback when changing
device mode of FTD |
|||
|
ASA OSPF: Prefix removed from
the RIB when topology changes, then added back when another SPF is run |
|||
|
ASA - 9.8.4.12 traceback and
reload in ssh or fover_rx
Thread |
|||
|
Decrement TTL display wrong
result |
|||
|
ERROR: entry for ::/0 exists
when configuring ipv6 icmp |
|||