Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 9.14(1)30 – 09/23/2020
Files: asa9141-30-smp-k8.bin, cisco-asa-fp1k.9.14.1.30.SPA, cisco-asa-fp2k.9.14.1.30.SPA, cisco-asa.9.14.1.30.SPA.csp
Defects resolved since 9.14(1)19:
Implement debug menu command to show RX ring number a flow is hashed to
AnyConnect and Management Sessions fail to connect after several weeks
FPR 2100, low block 9472 causes packet loss through the device.
ASA traceback Thread Name: DATAPATH-0-1388 PBR 9.10(1)22
On FPR devices when FIPS is enabled cannot create webtype ACLs
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS Vulnerability
ASA should allow null sequence encoding in certificates for client authentication.
Lina cores on multi-instance causing a boot loop on both logical-devices
ASA 9.12(2) - Multiple tracebacks due to Unicorn Proxy Thread
ASA: Lack of specific syslog messages to external IPv6 logging server after ASA upgrade
ASA inconsistent behavior with DNS doctoring
FTD Lina traceback in datapath due to double free
ASA & FTD Cluster unit traceback in thread Name "cluster config sync" or "fover_FSM_thread"
ASA experienced a traceback and reloaded
ASA configured with TACACS REST API: /cli api fail with "Command authorization failed" message
Cisco Adaptive Security Appliance Software and Firepower Threat Defense SSL VPN DoS
FPR2100: Show crash output on show tech does not display outputs from most recent tracebacks
Embryonic connections limit does not work consistently
Cluster / aaa-server key missing after "no key config-key" is entered
ASA licensed via PLR does not have 'export-controlled functionality enabled' flag set correctly
ASA 'session sfr' command disconnects from FirePOWER module for initial setup
Multicast traffic is being dropped with the reason no-mcast-intrf
Multicast EIGRP traffic not seen on internal FTD interface
Cluster site-specific MAC addresses not rewritten by flow-offload
Stale VPN routes for L2TP, after the session was terminated
SNMP get-response using snmpget with multiple OIDs on hardwareStatus MIB returns noSuchObject
ASA gets frozen after crypto engine failure
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities
Cisco Firepower 1000 Series Bleichenbacher Attack Vulnerability
Observed traceback in FPR2130 while running webVPN, SNMP related traffic.
ASA: Watchdog Traceback and reload on SNMP functions
ASA Traceback and reload on thread name Crypto CA
Rate-limit syslogs 780001/780002 by default on ASA
SNMP: Memory leak in VPN polling
Lina traceback and reload seen on trying to switch peer on KP HA with 6.6.1-63
Intermittently embedded ping reply over GRE drops on FTD cluster if traffic passes asymmetrically.
ASA traceback when running show asp table classify domain permit
Cisco ASA Software Web-Based Management Interface Reflected Cross-Site Scripting Vulnerability
snmpwalk for OID 1.3.6.1.2.1.47.1.1.1.1.5 on ISA 3000 returning value of 0 for .16 and .17
ASA IKEv2 VTI - Failed to request SPI from CTM as responder
ASA stops processing RIP packets after system upgrade
Cluster unit traceback on snp_cluster_forward_and_free_packet due to GRE/IPiniP passenger flows
ASAv5 reloads without traceback.
Memory leak: due to snp_tcp_intercept_stat_top_n_integrate() in threat detection
ASA traceback and reload when running Packet Tracer commands
WebSSL clientless user accounts being locked out on 1st bad password
ASA traceback and reload in thread: Crypto CA, mem corruption by unvirtualized pki global table in MTX
FTD stuck in Maintenance Mode after upgrade to 6.6.1
Revision: Version 9.14(1)19 – 08/12/2020
Files: asa9141-19-smp-k8.bin, cisco-asa-fp1k.9.14.1.19.SPA, cisco-asa-fp2k.9.14.1.19.SPA, cisco-asa.9.14.1.19.SPA.csp
Defects resolved since 9.14(1)15:
ASA/FTD traceback and reload in Thread Name: SXP CORE
show inventory (or) "show environment" on ASA 5515/5525/5545/5555 shows up Driver/ioctl error logs
[SXP] Issue with establishing SXP connection between ASA on FPR-2110 and switches
Cisco Firepower Threat Defense Software Hidden Commands Vulnerability
ASA/FTD may traceback and reload in Thread Name 'HTTP Cli Exec'
ASA traceback and reload multiple times with trace "webvpn_periodic_signal"
ASA Traceback Due to Umbrella Inspection
Warning Message for default settings with Installation of Certificates in ASA/FTD - CLI
aaa-server configuration missing on the FTD after a Remote Access VPN policy deployment
FTD Cluster unable to rejoin due to "process_create: out of stack memory "
FTD traceback and reload by Thread Name: cli_xml_server
Traceback observed while performing master role change with active IGMP joins
ASA traceback and reload with Flow lookup calling traceback
ASAv reload due to FIPS SELF-TEST FAILURE after enabling FIPS
ASA crashed after TACACS authorized user made configuration changes
ASA high CPU with intel_82576_check_link_thread impacting on overall unit performance
IKEv2 CAC "Active SAs" counter out of sync with the real number of sessions despite CSCvt98599
Deployment failure after configure sub-interfaces on POE enabled interfaces
AnyConnect Connected Client IPs Not Advertised into OSPF Intermittently
DSCP values not preserved in DTLS packets towards AnyConnect users
FTD: Traceback and reload when changing capture buffer options on an already applied capture
ASA unable to delete ACEs with remarks and display error "Specified remark does not exist"
Cannot change (modify) interface speed after upgrade
EIGRP summary route not being replicated to standby and causing outage after switchover
ASA may traceback and unexpectedly reload on Thread snmp_alarm_thread
Native VPN client with EAP-TLS authentication fails to connect to ASA
Lina Traceback during FTD deployment when WCCP config is being pushed
ASA traceback and reload unexpectedly on "Process Name: lina"
Cisco ASA and FTD Software FTP Inspection Bypass Vulnerability
Cisco ASA and FTD Software SIP Denial of Service Vulnerability
Cisco ASA and FTD Software SSL/TLS Session Denial of Service Vulnerability
Cisco ASA and FTD IP Fragment Memory Leak Vulnerability
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities
Cisco ASA Software and FTD Software WebVPN Portal Access Rule Bypass Vulnerability
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerabilities
Revision: Version 9.14(1)15 – 07/16/2020
Files: asa9141-15-smp-k8.bin, cisco-asa-fp1k.9.14.1.15.SPA, cisco-asa-fp2k.9.14.1.15.SPA, cisco-asa.9.14.1.15.SPA.csp
Defects resolved since 9.14(1)10:
ASA revocation-check to fall back to none only if CDP is unavailable
ASA should provide better fragment-related logs and ASP drop reasons
ASA traceback and reload on Thread Name SSH
ENH: Addition of 'show run all sysopt' to 'show tech' output
ENH: Addition of 'show logging setting' to 'show tech' output
Calls fail once anyconnect configuration is added to the site to site VPN tunnel
ASA/FTD traceback and reload due to memory leak in SNMP community string
Erase disk0 on ISA3000 causes file system not supported
Pad packets received from RA tunnel which are less than or equal 46 bytes in length with zeros
ASA5585 traceback and reload after upgrading SFR from 6.4.0 to 6.4.0.9-34
Cisco ASA and FTD Web Services File Upload Denial of Service Vulnerability
ASA may traceback and unexpectedly reload after SSL handshake
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
ASA traceback and reload for the CLI "show asp table socket 18421590 det"
Crypto accelerator bias setting should be included in show tech
IKEv2 Call Admission Statistics "Active SAs" counter out of sync with the real number of sessions
tsd0 not reset when ssh quota limit is hit in ci_cons_shell
AnyConnect statistics is doubled in both %ASA-4-113019 and RADIUS accounting
cert map to specify CRL CDP Override does not allow backup entries
ASA on QP platforms display wrong coredump filesystem space (50 GB)
DTLS v1.2 and AES-GCM cipher when used drops a particular size packet frequently.
Slave unit might fail to synchronize SCTP configuration from the cluster master after bootup
ASA-FPWR 1010 traceback and reload when users connect using AnyConnect VPN
HKT - Failover time increases with upgrade to 9.8.4.15
FTD failover units traceback and reload on DATAPATH
ASA generated a traceback and reloaded when changing the port value of a manual nat rule
Config_XML_Response from LINA is not in the correct format, Lina reporting as No memory available.
FTD 6.4.0.8 traceback & reload on thread name : CP processing
ASA interface ACL dropping snmp control-plane traffic from ASA
WebVPN SSO Gives Unexpected Results when Integrated with Kerberos
ASA Crashes in SNMP while joining the cluster when "key config-key password-encryption" is present
SSH keys lost in ASA after reload
Memory leak: due to resource-limit MIB handler, eventually causing reload
FTD firewall unit cannot join the cluster after a traceback due to invalid interface GOID entry
ASA traceback in Thread Name kerberos_recv
ASA: High CPU due to stuck running SSH sessions / Unable to SSH to ASA
GIADDR of DHCP Discover packet is changed to the ip address of dhcp-network-scope
Cisco ASA Software and FTD Software Web Services Cross-Site Scripting Vulnerability
ASA traceback in threadname 'ppp_timer_thread'
[PKI] Standard Based IKEv2 Certificate Auth session does second userfromcert lookup unnecessarily
FMC pushes certificate map incorrectly to lina
FTD: Snort policy changes deployed to a HA on failed state are not fully synced
ASA traceback and reload on thread name DATAPATH
Revision: Version 9.14(1)10 – 05/21/2020
Files: asa9141-10-smp-k8.bin, cisco-asa-fp1k.9.14.1.10.SPA, cisco-asa-fp2k.9.14.1.10.SPA, cisco-asa.9.14.1.10.SPA.csp
Defects resolved since 9.14(1):
ASA traceback and reload due to tcp_retrans_timeout internal thread handling
ASA: cluster exec show commands not show all output
Need dedicated Rx rings for failover and OSPF on Firepower platform
ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA
RRI on static HUB/SPOKE config is not working on HUB when a new static SPOKE is added or deleted
Lina traceback when changing device mode of FTD
FP2100 Traceback and reload when processing traffic through more than two inline sets
After upgrade to version 9.6.4.34 is not possible to add an access-group
Inconsistent timestamp format in syslog
ICMP Reply Dropped when matched by ACL
Cisco Firepower 2100 Series SSL/TLS Inspection Denial of Service Vulnerability
ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled
FPR1010 temperature thresholds should be changed
ASA/FTD: Block 256 size depletion caused by ARP of BVI not assigned to any physical interface
ASA/FTD Traceback in Thread Name: DATAPATH due to DNS inspection
Port-channel bundling is failing after upgrade to 9.8 version
ASA/FTD may traceback and reload in Thread Name 'License Thread'
Reduce number of fsync calls during close in flash file system
Deployment is marked as success although LINA config was not pushed
9.12.2.151 snp_cluster_ingress traceback on FPR9300 3-node cluster nested VLAN traffic
Cisco Firepower Threat Defense Software Inline Pair/Passive Mode DoS Vulnerability
Cisco ASA Local File Reading Vulnerability
IPv6 DNS server resolution fails when the server is reachable over the management interface.
Flow offload not working with combination of FTD 6.2(3.10) and FXOS 2.6(1.169)
Incorrect access-list hitcount seen when configuring it with a capture on ASA
DOC - Clarify the meaning of mp-svc-flow-control under show asp drop
ASA/FTD may traceback and reload in Thread Name 'ssh'
ASA: Traceback in thread Unicorn Admin Handler
Cisco ASA and FTD WebVPN CRLF Injection Vulnerability
FTD Traceback in thread 'ctm_ipsec_display_msg'
VPN failover recovery is taking approx. 30 seconds for data to resume
FTD: Traceback and reload related to lina_host_file_open_raw function
ASAv Unable to register smart licensing with IPv6
Active FTP fails when secondary interface is used on FTD
sctp-state-bypass is not getting invoked for inline FTD
FPR2100 - ASA in Appliance Mode - SNMP Delay
Encryption-3DES-AES should not be required when enabling ssh version 2 on 9.8 train
Multi-context ASA/LINA on FPR not sending DHCP release message
Dynamic RRI route is not destroyed when IKEv2 tunnel goes down
Crypto ring stalls when the length in the ip header doesn't match the packet length
ASA LDAPS connection fails on Firepower 1000 Series
FPR2100 'show crypto accelerator statistics' counters do not track symmetric crypto
Stuck uauth entry rejects AnyConnect user connections despite fix of CSCvi42008
Fragmented packets forwarded to fragment owner are not visible on data interface captures
Traffic outage due to 80 size block exhaustion on the ASA
ASA traceback Thread name - webvpn_task
LINA cores are generated when FTD is configured to do SSL decryption.
ASA High CPU with igb_saleen_io_sfp_mod_poll_thre process
remote access mib - SNMP 64 bit only reporting 4Gb before wrapping around
ASA is sending failover interface check control packets with a wrong destination mac address
Route Fallback doesn't happen on Slave unit, upon RRI route removal.
NetFlow reporting impossibly large flow bytes
FTD traceback and reload on thread "IKEv2 Mgd Timer Thread"
Adjust Firepower 4120 Maximum VPN Session Limit to 20,000
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
FTD traceback and reload on FP2120 LINA Active Box. VPN
Redistribution of VPN advertised static routes fail after reloading the FTD on FPR2100
Unable to access anyconnect webvpn portal from google chrome using group-url
SNMP traps can't be generated via diagnostic interface
ASA traceback and reload with thread name coa_task
Connectivity over the state link configured with IPv6 addresses is lost after upgrading the ASA
Certificate mapping for AnyConnect on FTD stops working.
ASAv on AWS 9.13.1.7 BYOL image cannot be enabled for PLR
Traceback: Modifying FTD inline-set tap-mode configuration with active traffic
Device loses ssh connectivity when username and password is entered
FPR2100: ASA console may hang & become unresponsive in low memory conditions
ASAv/AWS: Unable to upgrade or downgrade C5 ASAv code on AWS
ASAv - Traceback and reload on SNMP process
Timestamp format will be shown always in UTC
FPR-41x5: 'clear crypto accelerator load-balance' will cause a traceback and reload
ASA traceback and reload on function snmp_master_callback_thread