Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important:
These images were not fully regression tested. Each individual fix was
unit tested, and the image has had a limited amount of automated regression
testing to confirm a baseline of functionality. Keep this testing status
in mind if you decide to run them in a production environment. We
strongly encourage you to upgrade to a fully tested Maintenance or Feature
release when it becomes available.
Revision: Version 9.12(4)67 – 4/01/2024
Defects
resolved since 9.12(4)65
|
FTD: Traceback and Reload in
Process Name: lina |
|
|
Multiple lina
cores on 7.2.6 KP2110 managed by cdFMC |
|
RCE with disk0: called
client_bundle_install.zip that contains a csco_config.lua |
|
|
Remove unused AGG AUTH attributes from code
to reduce attack surfaces |
|
|
Cisco ASA and FTD Software Web Services
Denial of Service Vulnerability |
|
|
Remove uncalled function ewsStringPrintable() |
|
|
Code Hardening for Backup and Restore to
not use Linux Shell Commands. |
|
|
IFS file system directory traversal file
system vulnerabilities |
Revision: Version 9.12(4)65 – 1/25/2024
Defects resolved since 9.12(4)62:
|
ASA concatenates syslog event to
other syslog event while sending to the syslog server |
|
|
FTD/ASA: Reordering of
AnyConnect image fails with error Unable to remove/install image |
|
|
Lina Netflow
sending permited events to Stealthwatch but they are block by snort afterwards |
|
|
ASA/FTD may traceback and reload
during ACL changes linked to PBR config |
|
|
TPK: No nameif
during traffic causes the device traceback, lina
core is generated. |
|
|
FPR 4115- primary unit lost all
HA config after ftd HA upgrade |
|
|
ASA/FTD: Traceback and reload
due to high rate of SCTP traffic |
|
|
KP - multimode: ASA traceback
observed during HA node break and rejoin. |
|
|
ASA/FTD: Traceback and reload
with Thread Name 'PTHREAD' |
|
|
Remove Priority-queue command
from FTD|| Priority-queue command causes silent egress packet drops |
|
|
show route all summary executed
on transparent mode FTD is causing CLISH to become Sluggish. |
|
|
FTD taking longer than expected
to form OSPF adjacencies after a failover switchover |
|
|
Units get kicked out of the
cluster randomly due to HB miss | ASA 9.16.3.220 |
|
|
FTD: Traceback and reload during
OSPF redistribution process execution |
|
|
ASDM application randomly
exits/terminates with an alert message on multi-context setup |
|
|
Incorrect Hit count statistics
on ASA Cluster only for Cluster-wide output |
|
|
ASA/FTD Cluster: Reuse of TCP
Randomized Sequence number on two different conns with same 5 tuple |
|
|
ASA traceback when
re-configuring access-list |
|
|
ASDM management-sessions quota
reached due to HTTP sessions stuck in CLOSE_WAIT |
|
|
ASA/FTD: NAT64 error
"overlaps with inside standby interface address" for Standalone ASA |
|
|
show aaa-server
command always shows the Average round trip time 0ms. |
|
|
ASA/FTD may traceback and reload
while running show inventory all |
|
|
ASA: unexpected logs for
initiating inbound connection for DNS query response |
|
|
ASA/FTD traceback and reload
with IPSec VPN, possibly involving upgrade |
|
|
ASA/FTD may traceback and reload
in Thread Name 'lina' while processing DAP data |
|
|
LINA show tech-support fails to
generate as part of sf_troubleshoot.pl (Troubleshoot file) |
|
|
ASA: Traceback and reload when
restore configuration using CLI |
|
|
FPRM Audit logs not generated
for user log in |
|
|
ASA/FTD may traceback and reload
in Thread Name 'lina' |
|
|
FTD sends multiple replicated
NetFlow records for the same flow event |
|
|
OSPF Redistribution route-map
with prefix-list not working after upgrade |
|
|
ASA/FTD: Traceback and reload
when running show tech and under High Memory utilization condition |
Revision: Version 9.12(4)62 – 11/12/2023
Files: asa9124-58-smp-k8.bin, cisco-asa-fp2k.9.12.4.58.SPA, cisco-asa.9.12.4.58.SPA.csp
Defects resolved since 9.12(4)58:
|
FTD traceback in Thread Name cli_xml_server when deploying QoS policy |
|
|
Stratix5950 and ISA3000 LACP
channel member SFP port suspended after reload |
|
|
Multiple traceback seen on
standby unit. |
|
|
Deleting a BVI in FTD interfaces
is causing packet drops in other BVIs |
|
|
FP2100:Update
LINA asa.log files to avoid recursive messages-<date>.1.gz rotated
filenames |
|
|
PIM register packets are not
sent to RP after a reload if FTD uses a default gateway to reach the RP |
|
|
ASA / FTD Traceback and reload
when removing isakmp capture |
|
|
ASA/FTD :
Degradation for TCP tput on FPR2100 via IPSEC VPN
when there is delay between VPN peers |
|
|
Default DLY value of
port-channel sub interface mismatch with parent Portchannel |
|
|
ASA/FTD traceback and reload on
thread DATAPATH-14-11344 when SIP inspection is enabled |
|
|
ASA/FTD traceback and reload due
citing thread name: cli_xml_server in tm_job_add |
|
|
ASA Traceback and reload in
parse thread due ha_msg corruption |
|
|
ngfwManager process continuously restarting leading to ZMQ Out of
Memory traceback |
|
|
ASA/FTD may traceback and reload
in Thread Name 'lina' |
|
|
FTD : Traceback in ZMQ running 7.3.0 |
|
|
ASA Traceback and reload citing
process name 'lina' |
|
|
TCP normalizer needs stats that
show actions like packet drops |
|
|
ASDM replaces custom policy-map
with default map on class inspect options at backup restore. |
|
|
ASA may traceback and reload in
Thread Name 'DHCPv6 Relay' |
|
|
ASA Packet-tracer displays the
first ACL rule always, though matches the right ACL |
|
|
Unable to establish BGP when
using MD5 authentication over GRE TUNNEL and FTD as passthrough device |
|
|
ASA/FTD: Connection information
in SIP-SDP header remains untranslated with destination static Any |
|
|
ASA access-list entries have the
same hash after upgrade |
|
|
[IMS_7_4_0] - Virtual FDM
Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby |
|
|
ASA/FTD may traceback and reload
citing process name "lina" |
|
|
99.20.1.16 lina
crash on nat_remove_policy_from_np |
|
|
ASA/FTD: Traceback and reload
when issuing 'show memory webvpn all objects' |
|
|
Reduce time taken to clear stale
IKEv2 SAs formed after Duplicate Detection |
|
|
ASA: Checkheaps
traceback and reload due to Clientless WebVPN |
|
|
OSPFv3 Traffic is Centralized in
Transparent Mode |
|
|
ASA/FTD may traceback and reload
in when changing capture buffer size |
|
|
PAC Key file missing on standby
on reload |
|
|
Cisco ASA and FTD Software
Remote Access SSL VPN Multiple Certificate Auth Bypass |
|
|
Cisco ASA and FTD VPN Web Client
Services Client-Side Request Smuggling Vulnerability |
|
|
Cisco ASA and FTD Software Remote
Access VPN Unauthorized Access Vulnerability |
|
|
Cisco ASA and FTD Software
Remote Access VPN Unauthorized Access Vulnerability |
|
|
Cisco ASA and FTD VPN Web Client
Services Client-Side Request Smuggling Vulnerability |
Revision: Version 9.12(4)58 – 05/17/2023
Files: asa9124-58-smp-k8.bin, cisco-asa-fp2k.9.12.4.58.SPA, cisco-asa.9.12.4.58.SPA.csp
Defects resolved since 9.12(4)56:
|
ASA/FTD: Traceback and Reload in
Thread Name: Route Table Timestamp Update |
|
|
700-1158: 9 out of 150 VTI
sessions down |
|
|
user-name from certificate feature does not work with SER option |
|
|
EIGRPv6 - Crashed with "mem_lock: Assertion mem_refcount'
failed" on LINA. |
|
|
FTD traceback and reload while
deploying PAT POOL |
|
|
Cluster data unit drops non-VPN
traffic with ASP reason "VPN reclassify failure |
|
|
256-byte memory block gets
depleted on start if jumbo frame is enabled with FTD on ASA5516 |
|
|
ASA/FTD may drop multicast
packets due to no-mcast-intrf
ASP drop reason until UDP timeout expires |
|
|
Multicast connection built or
teardown syslog messages may not always be generated |
|
|
FTD MI does not adjust PVID on vlans attached to BVI |
|
|
ASA/FTD Show chunkstat
top command implementation |
|
|
ASA/FTD: High failover delay
with large number of (sub)interfaces and http server enabled |
|
|
Stale IKEv2 SA formed during
simultaneous IKE SA handling when missing delete from the peer |
|
|
Syslog ASA-6-611101 is generated
twice for a single ssh connection |
|
|
ASA/FTD drops traffic to BVI if
floating conn is not default value due to no valid adjacency |
|
|
ASA/FTD may traceback and reload
in Thread Name 'lina' |
|
|
ASA/FTD reboots due to traceback
pointing to watchdog timeout on p3_tree_lookup |
|
|
ASA Multicontext
'management-only' interface attribute not synced during creation |
|
|
ASA reboots due to heartbeat
loss and "Communication with NPU lost" |
|
|
ASA/FTD may traceback and reload
in Thread Name 'lina' due to due to tcp intercept stat |
|
|
ASA/FTD: Ensure flow-offload
states within cluster are the same |
|
|
ASA/FTD may traceback and reload |
|
|
The command "neighbor x.x.x.x ha-mode graceful-restart" removed when
deleting any created context |
|
|
ASA - Standby device may
traceback and reload during synchronization of ACL DAP |
|
|
ASA/FTD may traceback and reload
in Thread Name 'lina' |
|
|
Last fragment from SIP IPv6
packets has MF equal to 1, flagging that more packets are expected |
|
|
AnyConnect - mobile devices are
not able to connect when hostscan is enabled |
|
|
ASA/FTD may traceback and reload
in Thread Name 'pix_flash_config_thread' |
|
|
ASA/FTD may traceback and reload
in Thread Name 'lina' |
|
|
Dynamic interface NAT rules
cause SSH/ICMP to fail with nat-no-xlate-to-pat-pool in ASA cluster |
|
|
Serial number attribute from the
subject DN of certificate should be taken as the username |
|
|
Threat-detection does not
recognize exception objects with a prefix in IPv6 |
|
|
ASA/FTD may traceback and reload
in Thread Name 'lina'. |
|
|
ASA/FTD may traceback and reload
in Thread Name 'ci/console' |
|
|
Cisco FTD Software Software for Cisco Firepower 2100 Series Inspection Rules
DoS Vulnerability |
|
|
User with no vpn-filter
may get additional access when per-user-override is set |
|
|
User with no vpn-filter
may get additional access when per-user-override is set (IKEv2 RAVPN) |
Revision: Version 9.12(4)56 – 03/07/2023
Files: asa9124-56-smp-k8.bin, cisco-asa-fp2k.9.12.4.56.SPA, cisco-asa.9.12.4.56.SPA.csp
Defects resolved since 9.12(4)55:
|
deploying anyconnect
group-alias causes breaking HA and ungraceful failover |
|
|
ASA/FTD Traceback and reload in
Process Name: lina |
|
|
ESP rule missing in vpn-context may cause IPSec
traffic drop |
|
|
ASA: ASDM sessions stuck in
CLOSE_WAIT causing lack of MGMT |
|
|
ASA/FTD Cluster Traceback and
Reload during node leave |
|
|
ASA/FTD may traceback and reload
in Thread Name 'lina' |
|
|
Cluster registration is failing
because DATA_NODE isn't joining the cluster |
|
|
ASA restore is not applying vlan configuration |
|
|
FTD Lina traceback and reload in
Thread Name 'IP Init Thread' |
|
|
Clientless Accessing Web
Contents using application/octet-stream vs text/plain |
|
|
FPR2100: Increase in failover
convergence time with ASA in Appliance mode |
|
|
AC clients fail to match DAP
rules due to attribute value too large |
|
|
FP4125 2.10.1.166 FTD
applications in HA went into not responding state |
|
|
Port-channel interfaces of
secondary unit are in waiting status after reload |
|
|
S2S Tunnels do not come up due
to DH computation failure caused by DSID Leak |
|
|
ASA configured with HA may
traceback and reload with multiple input/output error messages |
|
|
LINA Traceback on FPR-1010 under
Thread Name: update_cpu_usage |
|
|
Observing some devcmd failures and checkheaps
traceback when flow offload is not used. |
|
|
Traceback and reload when webvpn users match DAP access-list with 36k elements |
|
|
ASA/FTD may traceback and reload
in logging_cfg processing |
|
|
Clientless VPN users are unable
to download large files through the WebVPN portal |
|
|
Anyconnect users unable to connect when ASA using different
authentication and authorization server |
|
|
Cisco ASA and FTD VPN Web Client
Services Client-Side Request Smuggling Vulnerability |
|
|
Primary ASA traceback upon
rebooting the secondary |
|
|
ASA/FTD traceback and reload,
Thread Name: rtcli async executor process |
|
|
ASA is unexpected reload when
doing backup |
|
|
ASA/FTD: External IDP SAML
authentication fails with Bad Request message |
|
|
FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity |
|
|
FTD - 'show memory top-usage'
providing improper value for memory allocation |
|
|
ASA/FTD may traceback and reload
in Thread Name: CTM Daemon |
|
|
ASA/FTD may traceback and reload
in Thread Name 'None' at lua_getinfo |
|
|
Cisco ASA and FTD ICMPv6 Message
Processing Denial of Service Vulnerability |
Revision: Version 9.12(4)55 – 12/13/2022
Files: asa9124-55-smp-k8.bin, cisco-asa-fp2k.9.12.4.55.SPA, cisco-asa.9.12.4.55.SPA.csp
Defects resolved since 9.12(4)54:
|
FP2100: ASA/FTD with
threat-detection statistics may traceback and reload in Thread Name 'lina' |
|
|
ASA: Failed ASA in HA pair not
recovering by itself, after an "HA state progression failed" |
|
|
High Control Plane CPU due to dhcpp_add_ipl_stby |
|
|
Cisco ASA Software SSL VPN
Client-Side Request Smuggling Vulnerability |
|
|
External Authorization randomly
fails on ASAv when using LDAP over SSL |
|
|
Constant no-buffer drops on
Internal Data interfaces despite little evidence of CPU hog |
|
|
ASA/FTD may traceback and reload
in Thread Name 'lina' ip
routing ndbshr |
|
|
ASA HA failover triggers HTTP
server restart failure and ASDM outage |
|
|
ISA3000 LACP channel member SFP
port suspended after reload |
|
|
ASA/FTD may traceback and reload
in Thread Name 'ikev2_fo_event' |
|
|
ASA/FTD may traceback with large
number of network objects deployment using distribute-list |
|
|
With TCM enabled new ACL's are not working on ASA if non access-group command
disabled twice |
|
|
Device should not move to Active
state once Reboot is triggered |
|
|
Lina traceback and reload - VPN
parent channel (SAL) has an invalid underlying channel |
|
|
Syslog 106016 is not
rate-limited by default |
|
|
Serviceability Enhancement -
Unable to parse payload are silently drop by ASA/FTD |
|
|
ASA traceback and reload due to
DNS inspection |
|
|
ASA - traceback and reload when Webvpn Portal is used |
|
|
After establishing multicontext HA ,SNMP no longer
outputs interface information. |
|
|
ASA/FTD: Object Group Search
Syslog for flows exceeding threshold |
|
|
show tech-support generation
does not include "show inventory" when run on FTD |
|
|
Misleading drop reason in
"show asp drop" |
|
|
ASA: Standby may get stuck in
"Sync Config" status upon reboot when there is EEM is configured |
Revision: Version 9.12(4)54 – 10/26/2022
Files: asa9124-54-smp-k8.bin, cisco-asa-fp2k.9.12.4.54.SPA, cisco-asa.9.12.4.54.SPA.csp
Defects resolved since 9.12(4)52:
|
nat-no-xlate-to-pat-pool drops
when master leaves cluster and after rebalance |
|
|
Need dedicated Rx rings for to
the box BGP traffic on Firepower platform |
|
|
Cruz ASIC CLU filter has the
incorrect src/dst IP
subnet when a custom CCL IP subnet is set |
|
|
ASA Traceback & reload in
thread name: Datapath |
|
|
ASA/FTD Traceback and Reload in
Thread name Lina or Datatath |
|
|
ASA traceback and reload due to "Heap memory corrupted at slib_malloc.c |
|
|
ASA/FTD: GTP inspection causing
9344 sized blocks leak |
|
|
ASA/FTD may traceback and reload
in Thread Name 'lina' |
|
|
FXOS-based Firepower platform
showing 'no buffer' drops despite high values for RX ring watermarks |
|
|
ASA/FTD OSPFv3 does not generate messages
Type 8 LSA for IPv6 |
|
|
ASA/FTD may traceback and reload
in Thread Name 'lina' |
|
|
TACACS Accounting includes an
incorrect IPv6 address of the client |
|
|
Call home configuration on
standby device is lost after reload |
|
|
ASA/FTD may traceback and reload
in Thread Name 'DATAPATH-11-32591' |
|
|
During the deployment time,
device got stuck processing the config request. |
|
|
Unable to configure 'match ip address' under route-map when using object-group in
access list |
|
|
ASA traceback and reload due to
null pointer in Umbrella after modifying DNS inspection policy |
|
|
ASA 9.12(4)47 with
<user-statistics>, will affects the "policy-server xxxx global" visibility. |
|
|
Using write standby in a user
context leaves secondary firewall license status in an invalid state |
|
|
ASA/FTD tracebacks due to ctm_n5
resets |
|
|
traceback and reload due to tcp intercept stat in thread unicorn |
|
|
ASA/FTD may traceback and reload
when clearing the configration due to "snp_clear_acl_log_flow_all" |
|
|
ASA might generate traceback in
ikev2 process and reload |
Revision: Version 9.12(4)52 – 08/30/2022
Files: asa9124-52-smp-k8.bin, cisco-asa-fp2k.9.12.4.52.SPA, cisco-asa.9.12.4.52.SPA.csp
Defects resolved since 9.12(4)50:
|
FTD: NAS-IP-Address:0.0.0.0 in
Radius Request packet as network interface for aaa-server
not defined |
|
|
ASA disconnects the VTY session
using of Active IP address and Standby MAC address after failed over |
|
|
Number of interfaces on Active
and Standby are not consistent should trigger warning syslog |
|
|
ASA disconnects the ssh, https session using of Active IP address and Standby
MAC address after FO |
|
|
Different CG-NAT port-block
allocated for same source IP causing per-host PAT port block exhaustion |
|
|
Cisco Firepower Threat Defense
Software Privilege Escalation Vulnerability |
|
|
Cisco ASA Software and FTD
Software Web Services Interface Denial of Service Vulnerability |
|
|
ASA/FTD may traceback and reload
in Thread Name 'None' |
|
|
Interface internal data0/0 is
up/up from cli but up/down from SNMP polling |
|
|
ASA/FTD IPSEC debugs missing
reason for change of peer address and timer delete |
|
|
FTD/ASA traceback and reload at at ../inspect/proxy.h:439 |
|
|
9344 Block leak due to
fragmented GRE traffic over inline-set interface inner-flow processing |
|
|
ASA Traceback and Reload on process name Lina |
|
|
NAT64 translates all IPv6
Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used |
|
|
ASA/FTD may traceback and reload
while executing SCH code |
|
|
FTD - Traceback and reload when
performing IPv4 <> IPv6 NAT translations |
|
|
ASA HA - Restore in primary does
not remove new interface configuration done after backup |
|
|
FTD - Traceback and reload on
NAT IPv4<>IPv6 for UDP flow redirected over CCL link |
|
|
ASA/FTD Cluster Split Brain due
to NAT with "any" and Global IP/range matching broadcast IP |
|
|
ASA parser accepts incomplete
network statement under OSPF process and is present in show run |
|
|
IKEv2 rekey - Responding Invalid
SPI for the new SPI received right after Create_Child_SA
response |
|
|
ASA fails to rekey with IPSEC
ERROR: Failed to allocate an outbound hardware context |
Revision: Version 9.12(4)50 – 08/16/2022
Files: asa9124-50-smp-k8.bin, cisco-asa-fp2k.9.12.4.50.SPA, cisco-asa.9.12.4.50.SPA.csp
Defects resolved since 9.12(4)48:
|
Cisco ASDM and ASA Software
Client-side Arbitrary Code Execution Vulnerability |
|
|
ASA Traceback and reload in aaa_shim_thread |
Revision: Version 9.12(4)48 – 07/19/2022
Files: asa9124-48-smp-k8.bin, cisco-asa-fp2k.9.12.4.48.SPA, cisco-asa.9.12.4.48.SPA.csp
Defects resolved since 9.12(4)47:
|
BGP table not removing connected
route when interface goes down |
|
|
ASA Crashing with 'Unicorn Proxy
Thread cpu: 9 watchdog_cycles'
after stopping scaled stress test. |
|
|
Conditional flow-offload
debugging produces no output |
|
|
Cisco ASA Software and FTD
Software Web Services Interface Denial of Service Vulnerability |
|
|
ASA/FTD traceback and reload at
IKEv2 from Scaled S2S+AC-DTLS+SNMP long duration test |
|
|
Unable to identify dynamic rate
liming mechanism & not following msg limit per/sec at syslog server. |
|
|
ASA/FTD Traceback and reload
caused by Smart Call Home process sch_dispatch_to_url |
|
|
PBR not working on ASA routed
mode with zone-members |
|
|
RIP is advertising all connected
Anyconnect users and not matching route-map for
redistribution |
|
|
Cisco ASA Software and FTD Software Web Services Interface Denial of
Service Vulnerability |
|
|
We can't monitor the interface
via "snmpwalk" once interface is removed
from context. |
|
|
ASA graceful shut down when
applying ACL's with forward reference feature and
FIPS enabled. |
|
|
ASA/FTD may traceback and reload
in Thread Name 'ssh' |
|
|
ASA/FTD may traceback and reload
in Thread Name 'ci/console' |
|
|
ASA tracebacks after SFR was
upgraded to 6.7.0.3 |
|
|
ASA traceback and reload when
modifying DNS inspection policy via CSM or CLI |
|
|
ASA - Restore not remove the new
configuration for an interface setup
after backup |
|
|
show nat
pool cluster commands run within EEM scripts lead to traceback and reload |
|
|
ASA/FTD can
not parse UPN from SAN field of user's certificate |
Revision: Version 9.12(4)47 – 06/21/2022
Files: asa9124-47-smp-k8.bin, cisco-asa-fp2k.9.12.4.47.SPA, cisco-asa.9.12.4.47.SPA.csp
Defects resolved since 9.12(4)41:
|
HA during failover active having
traffic with high CPU the system may reload unexpected |
|
|
ASA/FTD 9344 blocks depleted due
to high volume of fragmented traffic |
|
|
FP4100 platform: Active-Standby
changed to dual Active after running "show conn" command |
|
|
ASA/FTD stops serving SSL
connections |
|
|
Inconsistent logging timestamp
with RFC5424 enabled |
|
|
Wrong syslog message format for
414004 |
|
|
ASA: Reload and Traceback in
Thread Name: Unicorn Proxy Thread with Page fault: Address not mapped |
|
|
ASDM session/quota count
mismatch in ASA when multiple context switch before and after failover |
|
|
ASA/FTD may traceback and reload
in Thread Name 'DATAPATH-9-11543' |
|
|
Standby FTD/ASA sends DNS
queries with source IP of 0.0.0.0 |
|
|
ASA traceback and reload on
routing |
|
|
ASA drops existing anyconnect sessions and stop accepting new ayconnect sessions |
|
|
ASA/FTD: Mitigation of OpenSSL
vulnerability CVE-2022-0778 |
|
|
ASA Traceback and reload in
process name: lina |
|
|
FTD: IKEv2 tunnels flaps every
24 hours and crypto archives are generated |
|
|
Configuring pbr
access-list with line number failed. |
|
|
ASA/FTD may traceback (watchdog)
and reload when generating a syslog from the VPN Failover subsystem |
|
|
ASA/FTD Traceback in memory
allocation failed |
|
|
FP4112|4115 Traceback &
reload on Thread Name: netfs_thread_init |
|
|
Cisco Firepower Threat Defense Software Generic Routing Encapsulation
DoS Vulnerability |
|
|
ASA traceback in Thread Name:
SXP CORE |
|
|
ASA traceback in Thread Name: fover_parse and triggered by snmp
related functions |
|
|
ASA traceback and reload with
error "assertion "0" failed: file "timer_services.c",
line 165" |
|
|
FTD offloads SGT tagged packets
although it should not |
|
|
ASA/FTD firewall may traceback
and reload when tearing down IKE tunnels |
|
|
ASA HA Active/standby tracebacks
seen approximately every two months. |
|
|
Lina traceback and reload during
EIGRP route update processing. |
|
|
ASA: Multiple Context Mixed Mode
SFR Redirection Validation |
|
|
ASA/FTD traceback and reload with
timer services assertion |
|
|
Cisco Adaptive Security
Appliance Software and Firepower Threat Defense Software DoS |
Revision: Version 9.12(4)41 – 05/24/2022
Files: asa9124-41-smp-k8.bin, cisco-asa-fp2k.9.12.4.41.SPA, cisco-asa.9.12.4.41.SPA.csp
Defects resolved since 9.12(4)40:
|
Cisco ASA and FTD Software SSL
VPN Denial of Service Vulnerability |
Revision: Version 9.12(4)40 – 04/20/2022
Files: asa9124-40-smp-k8.bin, cisco-asa-fp2k.9.12.4.40.SPA, cisco-asa.9.12.4.40.SPA.csp
Defects resolved since 9.12(4)39:
|
IPv6 PMTU discovery does not
work for RA VPN Cllient with tunneled route |
|
|
Cisco FTD Bleichenbacher Attack
Vulnerability |
|
|
ASAv traceback when SD_WAN ACL enabled, then disabled (or
vice-versa) in PBR |
|
|
ASA reload and traceback in
Thread Name: PIX Garbage Collector |
|
|
Cisco ASA and FTD Software
SSL/TLS Client Denial of Service Vulnerability |
|
|
Traceback: Lina traceback and
reload on thread name: Logger |
|
|
ASA/FTD Failover: Joining
Standby reboots when receiving configuration replication from Active mate |
|
|
Lina may traceback and reload on
tcpmod_proxy_handle_mixed_mode |
|
|
Traceback: Standby FTD reboots
and generates crashinfo and lina
core on thread name cli_xml_server |
|
|
ASA/FTD MAC modification is seen
in handling fragmented packets with INSPECT on |
|
|
FTD/ASA: Traceback on BFD
function causing unexpected reboot |
|
|
Single Pass - Traceback due to
stale ifc |
Revision: Version 9.12(4)39 – 03/17/2022
Files: asa9124-39-smp-k8.bin, cisco-asa-fp2k.9.12.4.39.SPA, cisco-asa.9.12.4.39.SPA.csp
Defects resolved since 9.12(4)38:
|
ASA: 256 bytes block depletion
when syslog rate is high |
|
|
Management Sessions fail to
connect after several weeks |
|
|
Deleting The Context from ASA
taking Almost 2 Minutes with ikev2 tunnel |
|
|
ASA Traceback and Reload due to CTM daemon during internal health test |
|
|
ASA/FTD - Memory leak observed
when VPN is deployed |
|
|
ASA traceback in HTTP cli EXEC code |
|
|
DHCP Offer not seen on control
plane |
|
|
New access-list are not taking
effect after removing non-existance ACL with
objects. |
|
|
Coverity 859475:
CONSTANT_EXPRESSION_RESULT in snp_ha_trans_tear_down_ch |
|
|
Polling OID
"1.3.6.1.4.1.9.9.171.1.3.2.1.2" gives negative index value of the
associated tunnel |
|
|
ASA traceback and reload in
Unicorn Admin Handler when change interface configuration via ASDM |
|
|
Offloaded GRE tunnels may be
silently un-offloaded and punted back to CPU |
|
|
FTP inspection stops working
properly after upgrading the ASA to 9.12.4.x |
|
|
Traceback and reload after
enabling debug webvpn cifs
255 |
|
|
Traffic keeps failing on Hub
when IPSec tunnel from Spoke flaps |
|
|
Multiple issues with
transactional commit diagnostics |
|
|
ASA/FTD may traceback and reload
in Thread Name 'IP Address Assign' |
|
|
ASA/FTD may traceback and reload
in Thread Name 'DATAPATH-4-9608' |
|
|
ASA: Jumbo sized packets are not
fragmented over the L2TP tunnel |
|
|
ASA: SSH and ASDM sessions stuck
in CLOSE_WAIT causing lack of MGMT for the ASA |
|
|
FP2140 ASA 9.16.2 HA units
traceback and reload at lua_getinfo (getfuncname) |
Revision: Version 9.12(4)38 – 02/09/2022
Files: asa9124-38-smp-k8.bin, cisco-asa-fp2k.9.12.4.38.SPA, cisco-asa.9.12.4.38.SPA.csp
Defects resolved since 9.12(4)37:
|
Data Unit traceback and reload
without traffic at Thread Name :"logger" |
|||||
|
ipv6 route table ( data and management ) in a multi-context environment. |
|||||
|
ASA Traceback and reload in occam_group_free |
|||||
|
ASA/FTD Traceback and reload on Thread
Name: IKEv2 Daemon with VTIs configured |
|||||
|
Unable to configure ipv6
address/prefix to same interface and network in different context |
|||||
|
ASA in PLR mode,"license
smart reservation" is failing. |
|||||
|
ASA55XX: Expansion module
interfaces not coming up after a software upgrade |
|||||
|
ASP drop capture output may
display incorrect drop reason |
|||||
|
Nat hitcount
not updated in FQDN_NAT |
|||||
|
FTD may traceback and reload in
Thread Name 'lina' |
|||||
|
SSL decryption not working due
to single connection on multiple in-line pairs |
|||||
|
FTD - Traceback in Thread Name:
DATAPATH |
|||||
|
While implementing management
tunnel a user can use open connect to bypass anyconnect. |
|||||
|
Cisco Adaptive Security Appliance Software and
Firepower Threat Defense Software DNS DoS |
|||||
|
Primary ASA should send GARP as
soon as split-brain is detected and peer becomes
cold standby |
|||||
|
ASDM session/quota count mismatch
in ASA when multiple context switchover is done from ASDM |
|||||
|
OSPFv2 flow missing cluster
centralized "c" flag |
|||||
|
Statelink hello messages dropped on Standby unit due to interface
ring drops on high rate traffic |
|||||
|
ASA Privilege Escalation with valid user in AD |
|||||
|
ASA show tech execution causing
spike on CPU and impacting to IKEv2 sessions |
|||||
|
FTD Deployment failure post
upgrade due to major version change on device |
|||||
|
AnyConnect users with mapped
group-policies take attributes from default GP under the tunnel-group |
|||||
|
ASA Failover Split Brain caused
by delay on state transition after "failover active" command run |
|||||
|
Cisco Firepower Threat Defense Software Denial of Service
Vulnerability |
|||||
|
ASA/FTD: remove unwanted process
call from LUA |
|||||
|
ASA drops non
DNS traffic with reason "label length 164 bytes exceeds protocol
limit of 63 bytes" |
|||||
|
Flow Offload - Compare state values
remains in error state for longer periods |
|||||
|
FTD moving UI management from
FDM to FMC causes traffic to fail |
|||||
|
Error:NAT
unable to reserve ports when using a range of ports in an object service |
|||||
|
Standby unit failed to join
failover due to large config size. |
|||||
|
Cisco Adaptive Security Appliance Software Clientless SSL VPN
Heap Overflow Vulnerability |
|||||
|
Traceback: Secondary firewall
reloading in Threadname: fover_parse |
|||||
|
ASA/FTD traceback and reload due
to pix_startup_thread |
|||||
|
Cisco Adaptive Security
Appliance Software and Firepower Threat Defense Software DAP DoS |
|
||||
|
Lina Traceback and Reload Due to
invalid memory access while accessing Hash Table |
|
||||
|
FTD Service Module Failure:
False alarm of "ND may have gone down" |
|
||||
|
ASA/FTD Change in OGS
compilation behavior causing boot loop |
|
||||
Revision: Version 9.12(4)37 – 11/18/2021
Files: asa9124-37-smp-k8.bin, cisco-asa-fp2k.9.12.4.37.SPA, cisco-asa.9.12.4.37.SPA.csp
Defects resolved since 9.12(4)35:
|
After restart of both A/S units,
not all context configs may be loaded when using SL on 2100 |
|
|
R291 :
Blade reboots continuously on doing backward compatibility testing with 9.8.4 |
|
|
2100: Corefile
and crashinfo might both be truncated and
incomplete in the event of a crash |
|
|
ASA learning a new route removes
asp route table created by floating static |
|
|
Syslogs generated for ACL transaction commit are not in
consistent format & not available some times |
|
|
FTD traceback and reload during anyconnect package verification |
|
|
FTD/ASA: Adding new ACE entries
to ACP causes removal and re-add of ACE elements in LINA |
|
|
FTDv - Lina Traceback and reload |
|
|
ASA/FTD Traceback and Reload
during bulk VPN session connect |
|
|
ASA traffic dropped by Implicit
ACL despite the fact of explicit rules present on Access-list |
|
|
ASA traceback due to SCTP
traffic. |
|
|
ASA: IPv6 Neighbor reachability
issues |
|
|
Cisco ASA and FTD Software Dynamic Access Policies Denial of Service Vulnerability |
|
|
ASA/FTD Traceback and reload due
to memory corruption when generating ICMP unreachable message |
|
|
ASA traceback and reload in SSH
process when executing the command "show access-list" |
|
|
OSPFv3: FTD Wrong
"Forwarding address" added in ospfv3 database |
|
|
ASA/FTD traceback and reload
caused by "timer services" function |
|
|
ASASM traceback and reload on
"snp_svcmod_heart_beat_timeout_cb"
function |
|
|
SSL VPN performance degraded and
significant stability issues after upgrade |
|
|
BGP routes shows unresolved and
dropping packet with asp-drop reason "No route to host" |
|
|
IPv6 PIM packets are dropped in
ASP with invalid-ip-length drop reason |
|
|
Cisco ASA Software and FTD Software Remote Access SSL VPN
Denial of Service |
Revision: Version 9.12(4)35 – 10/12/2021
Files: asa9124-35-smp-k8.bin, cisco-asa-fp2k.9.12.4.35.SPA, cisco-asa.9.12.4.35.SPA.csp
Defects resolved since 9.12(4)30:
|
ENH: Support a tolerance time
for the "NotValidBefore" timestamp, while
using SAML auth |
|
|
Traceback on ASA by Smart Call
Home process |
|
|
%ASA-3-737403 is used
incorrectly when vpn-addr-assign
local reuse-delay is configured |
|
|
Memory leak: due to snp_tcp_intercept_stat_top_n_integrate() in threat detection |
|
|
Active tries to send CoA update
to Standby in case of "No Switchover" |
|
|
ASA/FTD sends continuous Radius
Access Requests Even After Max Retry Count is Reached |
|
|
ASA: Orphaned SSH session not
allowing us to delete a policy-map from CLI |
|
|
Twice nat's
un-nat not happening if nat
matches a pbr acl that
matches a port number instead of IP |
|
|
ASA: ARP entries from custom
context not removed when an interface flap occurs on system context |
|
|
If ASA fails to download DACL it
will never stop trying |
|
|
BGP packets dropped for non directly connected neighbors |
|
|
Traceback observed on ASA while handling SAML handler |
Revision: Version 9.12(4)30 – 08/24/2021
Files: asa9124-30-smp-k8.bin, cisco-asa-fp2k.9.12.4.30.SPA, cisco-asa.9.12.4.30.SPA.csp
Defects resolved since 9.12(4)26:
|
FMC generates Connection Events
from a SYN flood attack |
|
|
ASA show processes cpu-usage output is misleading on multi-core platforms |
|
|
Crypto engine errors when GRE
header protocol field doesn't match protocol field in inner ip header |
|
|
Snmpwalk showing traffic counter as 0 for failover interface |
|
|
ASA CP CPU wrong calculation
leads to high percentage (100% CP CPU) |
|
|
Unwanted console output during
SAML transactions |
|
|
VPN conn fails from same user if
Radius server sends a dACL and vpn-simultaneous-logins
is set to 1 |
|
|
FTD/ASA: PATed
traffic impacted when configured on ixgbe-vf SRIOV
interfaces in HA |
|
|
UN-NAT created on FTD once a
prior dynamic xlate is created |
|
|
Remote Access IKEv2 VPN session
cannot be established because of stuck Uauth entry |
|
|
Time out of sync between Lina
and FXOS |
|
|
SNMP MIB value for crasLocalAddress is not showing the IP address |
|
|
The standby device is sending
the keep alive messages for ssl traffic after the
failover |
|
|
Revert 'fix' introduced by
CSCvr33428 and CSCvy39659 |
|
|
FTD lina
traceback and reload in thread Name Checkheaps |
|
|
FTD reload with Lina traceback
during xlate replication in Cluster |
|
|
ASA traceback and reload thread
name: Datapath |
|
|
ASA/FTD may traceback and reload
in loop processing Anyconnect profile |
|
|
ASA/FTD blackholes traffic due
to 1550 block depletion when BVI is configured as DHCP client |
Revision: Version 9.12(4)29 – 07/27/2021
Files: asa9124-29-smp-k8.bin, cisco-asa-fp2k.9.12.4.29.SPA, cisco-asa.9.12.4.29.SPA.csp
Defects resolved since 9.12(4)26:
|
ENH: ASA should save the
timestamp of the MAXHOG in 'show proc cpu-hog' |
|
|
AWS FTD: Deployment failure with
ERROR: failed to set interface to promiscuous mode |
|
|
ASA traceback with crashinfo of size "0" |
|
|
FPR1120 running ASA traceback
and reload in crypto process. |
|
|
ASA Traceback and reload on the
A/S failover pair at IKEv2. |
|
|
FTD traceback and reload on Lic TMR Thread on Multi Instance FTD |
|
|
ASA Traceback & reload on
process name lina due to memory header validation |
|
|
ASA/FTD may traceback and reload
in Thread Name 'ssh' |
|
|
ASA traceback in IKE Daemon
process and reload |
|
|
Firepower flow-offload stops
offloading all existing and new flows |
|
|
ASA/FTD may traceback and reload
in Thread Name 'webvpn_task' |
|
|
RSA keys & Certs get removed
post reload on WS-SVC-ASA-SM1-K7 with ASA code 9.12.x |
|
|
ASAv adding non-identity L2 entries for own addresses on MAC
table and dropping HA hellos |
|
|
FTD HA stuck in bulk state due
to stuck vpnfol_sync/Bulk-sync keytab |
|
|
ASA accounting reports incorrect
Acct-Session-Time |
|
|
FTD traceback and reload related
to SSL after upgrade to 7.0 |
|
|
Traceback in webvpn
and reload experienced periodically after ASA upgrade |
Revision: Version 9.12(4)26 – 06/22/2021
Files: asa9124-26-smp-k8.bin, cisco-asa-fp2k.9.12.4.26.SPA, cisco-asa.9.12.4.26.SPA.csp
Defects resolved since 9.12(4)24:
|
ASA may Traceback with Thread
Name: Unicorn Admin Handler |
|
|
2 CPU Cores continuously spike
on firepower appliances |
|
|
traceback: ASA reloaded
snp_fdb_destroy_fh_callback+104 |
|
|
ASA will not import CA
certificate with name constraint of RFC822Name set as empty |
|
|
ASA traceback and reload on
engineering ASA build - 9.12.3.237 |
|
|
IKEv2 rekey - Invalid SPI for
ESP packet using new SPI received right after Create_Child_SA
response |
|
|
SAML: SAML Authentication may
fail if we have 2 or more IDP certs with same Subject Name |
|
|
Traceback and reload due to
Umbrella |
|
|
FPR 2100 running ASA in HA. Traceback and reload on watchdog during
failover |
|
|
ASA traceback and reload when
copying files with long destination filenames using cluster command |
|
|
Traceback on FPR 4115 in Thread
- Lic HA Cluster |
|
|
improve debugging capability for
uauth |
|
|
AnyConnect certificate
authentication fails if user certificate has 8192 bits key size |
|
|
ASA traceback when
re-configuring access-list |
|
|
Port-forwarding application blocked
by Java |
|
|
ASA Traceback and Reload in
Thread Name: DATAPATH |
|
|
ASA cluster Traceback with
Thread Name: Unicorn Admin Handler even when running fix for CSCuz67596 |
|
|
Traceback: ASA on FPR 2110
traceback and reload on process Lina |
|
|
REST API Login Page Issue |
|
|
FTD unnecessarily ACKing TCP flows on inline-pair deployment |
|
|
ASA fails to process the OCSP
response when the string 'OK' is missing in the HTTP response |
|
|
Ambiguous command error is shown
for 'show route bgp' or 'show route isis' if DNS lookup is enabled |
|
|
ASA/FTD may traceback and reload
in Thread Name 'DATAPATH-15-14815' |
Revision: Version 9.12(4)24 – 05/11/2021
Files: asa9124-24-smp-k8.bin, cisco-asa-fp2k.9.12.4.24.SPA, cisco-asa.9.12.4.24.SPA.csp
Defects resolved since 9.12(4)18:
|
DP-CP arp-in
and adj-absent queues need to be separated |
|
|
ASA Traceback on tcp_intercept Thread name :
Threat detection |
|
|
ctm crashed while sending emix
traffic over VTI tunnel |
|
|
ASA5555 traceback and reload on
Thread Name: ace_work |
|
|
ASA duplicate MAC addresses in Shared
Interfaces of different Contexts causing traffic impact |
|
|
ASA traceback in the LINA
process |
|
|
FTD/HA: "no shutdown"
command disappear from running-config of standby |
|
|
ASA traceback and reload in
Thread: Ikev2 Daemon |
|
|
Lack of throttling of ARP miss
indications to CP leads to oversubscription |
|
|
ASA may traceback and reload in
Thread Name 'webvpn_task' |
|
|
X-Frame-Options header is not
set in webvpn response pages |
|
|
Firewall CPU can increase after
a bulk routing update with flow offload |
|
|
IP address in DHCP GIADDR field
is reversed after sending DHCP DECLINE to DHCP server |
|
|
CPU performance degrade with
lots of route updates with flow offload enabled |
|
|
ASA reload with FIPS failure |
|
|
FPR4150 ASA Standby Ready unit
Loops to failed and remove config to install it again |
|
|
ASA/FTD Watchdog forced
traceback and reload in Thread name: vnet-proxy
(rip: socks_proxy_datarelay) |
|
|
X-Frame-Options header support
for older versions of IE and windows platforms |
|
|
ASP capture dispatch-queue-limit
shows no packets |
|
|
Smart Tunnel Code signing
certificate renewal |
|
|
FPR2100: enable kernel panic on octeon for UE events to trigger crash |
|
|
ASA - unable to import CA
certificate when countryName is encoded as UTF8 |
|
|
ASA/FTD Traceback and reload in
Thread Name: pix_startup_thread due to
asa_run_ttyS0 script |
|
|
ASA: "ERROR: Unable to
delete entries from Hash Table" with CSM |
|
|
Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021 |
|
|
ASA traceback while taking
captures |
|
|
ASA(lina) clock (always shows Jan 2010) does not sync properly
with fxos |
|
|
Supportive change in ASA to
differentiate, new ASDM connections from existing ASDM context switch |
|
|
ASA/FTD tracebacks due to CTM
message handler |
|
|
Port-forwarding application
blocked by Java |
Revision: Version 9.12(4)18 – 03/31/2021
Files: asa9124-18-smp-k8.bin, cisco-asa-fp2k.9.12.4.18.SPA, cisco-asa.9.12.4.18.SPA.csp
Defects resolved since 9.12(4)13:
|
Implement detection and auto-fix
capability for scheduler corruption problems |
|
|
LINA cores are generated when
FTD is configured to do SSL decryption. |
|
|
ASA should allow null sequence
encoding in certificates for client authentication. |
|
|
Intermittently embedded ping
reply over GRE drops on FTD cluster if traffic passes asymmetrically. |
|
|
Secondary unit not able to join
the cluster |
|
|
ASA/FTD Traceback and reload in
Thread Name: Logger |
|
|
FPR 4K: SSL trust-point removed
from new active ASA after manual Failover |
|
|
Standby/Secondary cluster unit might crash in Thread Name: fover_parse and "cluster config sync" |
|
|
ASA Tracebacks when making
"configuration session" changes regarding an ACL. |
|
|
ASA traceback and reload with
Thread name: ssh when capture was removed |
|
|
Traceback in
inspect_h323_ras+1810 |
|
|
Traceback in Thread Name: Lic TMR |
|
|
When SGT name is unresolved and used
in ACE, line is not being ignored/inactive |
|
|
ASA reload is removing
'content-security-policy' config |
|
|
ASA: default IPv6/IPv4 route
tunneled does not work |
|
|
Firepower 2110 silently dropping
traffic with TFC enabled on the remote end |
|
|
ASA/FTD traceback in Thread
Name: PTHREAD-4432 |
|
|
DHCP Proxy Offer is getting drop
on the ASA/FTD |
|
|
Snort PDTS buffer corruption
during upgrade or heavy traffic load |
|
|
Firepower platforms generate
corrupted coredump due to lina
monitor |
|
|
FTD traceback and reload on
process lina on FPR2100 series |
|
|
ASA: Unable to import PAC file
if FIPS is enabled. |
|
|
ASA 9.15.1.7 traceback and
reload in Thread
Name: DATAPATH |
|
|
Concurrent modification of ACL
configuration breaks output of "show running-config"
completely |
|
|
ASA EIGRP route stuck after neighbour disconnected |
|
|
FTD/ASA traceback in Thread Name : Unicorn Proxy Thread |
|
|
SSL Decrypted https flow EOF
events showing 'Initiator/Responder' Packets as 0 |
|
|
Traceback in Thread Name: fover_health_monitoring_thread |
|
|
ASA traceback and reload in SNMP
Notify Thread while deleting transparent context |
|
|
COA Received before data tunnel
comes up results in tear down of parent session |
Revision: Version 9.12(4)13 – 02/16/2021
Files: asa9124-13-smp-k8.bin, cisco-asa-fp2k.9.12.4.13.SPA, cisco-asa.9.12.4.13.SPA.csp
Defects resolved since 9.12(4)10:
|
ASA - rare cp processing
corruption causes console lock |
|
|
ASA core blocks depleted when
host unreachable in IRB/TFW configuration |
|
|
FTD - Inner Flow: Carrier id
flow lookup enhancement |
|
|
ASA on FP1010 Traceback in http_exec_cli thread |
|
|
ASAv failover traffic on SR-IOV interfaces might be dropped
due to interface-down |
|
|
FXOS - Recover hwclock of service module from corruption due to simultaneous
write collision |
|
|
ASA traceback with thread: idfw_proc |
|
|
FTD - Connection idle timeout
doesn't reset |
|
|
FTD Lina engine may traceback in
datapath after enabling SSL decryption policy |
|
|
stress/low memory: assert: mh->mh_mem_pool >
MEMPOOL_UNDEFINED && mh->mh_mem_pool < MEMPOOL_MAX_TYPE |
|
|
ASAv Anyconnect users unexpectedly
disconnect with reason: Idle Timeout |
|
|
ASA traceback while modifying
the bookmark SSL Ciphers configuration |
|
|
ASA: High number of CPU hog in igb_saleen_io_sfp_mod_poll_thread process |
|
|
ASA stale VPN Context seen for
site to site and AnyConnect sessions |
|
|
radius_rcv_auth can shoot up control plane CPU to 100%. |
|
|
TCP File transfer (Big File) not
properly closed when Flow offload is enabled |
|
|
ASA traceback and reload on
Thread Name: ci/console |
|
|
Director/Backup flows are left
behind and traffic related to this flow is blackholed |
|
|
ASAv/2100 Smart License failure post upgrade |
|
|
TACACS+ ASCII password change
request not handled properly |
|
|
VPN syslogs
are generated at a rate of 600/s until device goes into a hang state |
|
|
ASA/FTD Traceback and reload
during PBR configuration change |
|
|
ASA: "class-default" class-map
redirecting non-DNS traffic to DNS inspection engine |
|
|
IPSec transport mode traffic corruption for inbound traffic
for some FPR platforms |
|
|
DAP stopped working after
upgrading the ASA to 9.13(1)13 |
|
|
IPv4 Default Tunneled Route
Rejected |
|
|
ASA: AnyConnect sessions cannot
be resumed due to ipv6 DACL failure |
|
|
FTD/ASA HA: Standby Unit FXOS is
still able to forward traffic even after failover due to traceback |
|
|
ASA Fails to process HTTP POST
with SAML assertion containing multiple query parameters |
|
|
FPR-4150 - ASA traceback and
reload with thread name DATAPATH |
|
|
Revocation check fails to move
to none after ocsp check fails due to server being
unavailable |
|
|
Name of anyconnect
custom attribute of type dynamic-split-exclude-domains is changed after reload |
|
|
Connection issues to directly
connected IP from FTD BVI address |
|
|
ASA: Random L2TP users cannot
access resources due to stale ACL filter entries |
|
|
ASA traceback in IKE Daemon and
reload |
|
|
ASA: OpenSSL Vulnerability
CVE-2020-1971 |
|
|
BVI HTTP/SSH access is not
working in versions 9.14.1.30 or above |
|
|
Managed device backup fails, for
FTD, if hostname exceeds 30 characters |
|
|
ASA traceback and reload webvpn thread |
|
|
ASA/FTD may traceback and reload
during certificate changes |
|
|
ASA: VPN traffic does not pass
if no dACL is provided in CoA |
|
|
ASA: dACL
with no IPv6 entries is not applied to v6 traffic after CoA |
|
|
AppAgent gets deregistered due to hearbeat
failure during config sync up on Firepower 2100s |
|
|
Offload rewrite data needs to be
fixed for identity nat traffic and clustering
environment |
|
|
ASA may traceback and reload on
thread Crypto CA |
Revision: Version 9.12(4)10 – 12/01/2020
Files: asa9124-10-smp-k8.bin, cisco-asa-fp2k.9.12.4.10.SPA, cisco-asa.9.12.4.10.SPA.csp
Defects resolved since 9.12(4)7:
|
ENH: Configure CAC as an
absolute value as well instead of just percentage of total VPN capacity. |
|
|
ENH: Missing
Content-Security-Policy Header in ASA HTTP WebVPN
portal |
|
|
ENH: Missing X-XSS-Protection
Header in ASA HTTP WebVPN portal |
|
|
ASA running 9.6.4.20 Traceback
in threadname Unicorn Proxy Thread |
|
|
ASA continues to do TCP
keepalives for Client side connections even after vpn session times out |
|
|
ASA: crypto session handles leak
on the standby unit |
|
|
ASA traceback and reload during
SSL handshake |
|
|
Traceback/Page-fault in
Clientless WebVPN due to HTTP cleanup |
|
|
Unable to access anyconnect webvpn portal from
google chrome using group-url |
|
|
With huge FTP traffic in
cluster, the SEC_FLOW messages are in a retransmit loop |
|
|
High LINA CPU due to flow
offload |
|
|
Lina traceback when FTD is
configured with passive interface in HA with span traffic on it. |
|
|
ASA traceback observed when
"config-url" is entered while creating
new context |
|
|
ASA/FTD is reading BGP
MP_REACH_NLRI attribute's next-hop bytes in reverse order |
|
|
ASA traceback and reload on
inspect esmtp |
|
|
ASA 9.12 random traceback and
reload in DATAPATH |
|
|
OSPF network commands go missing
in the startup-config after upgrading the ASA |
|
|
Traceback due to fover and ssh thread |
|
|
Unexpected traceback and reload
on FTD creating a Core file |
|
|
No deployment failure reason in
transcript if 'show running-config' is running
during deployment |
|
|
Mac address-table is flapping on
3850 when ASA etherchannel is configued
with active mode |
|
|
ASA keeps reloading with "octnic_hm_thread". After the reload, it takes very
long time to recover. |
|
|
Certificate validation syslog is
not generated on OCSP revocation check |
|
|
ASA traceback cp_midpath_process_thread |
|
|
Snort busy drops with PDTS Tx
queue stuck |
|
|
ASA traceback and reload while
executing "show tech-support" command |
|
|
FTD traceback and reload on
DATAPATH thread when processing encapsulated flows |
|
|
Secondary unit stuck in Bulk
sync infinitely due to interface of Primary stuck in init
state |
|
|
ASA syslog traceback while strncpy NULL string passed from SSL library |
|
|
IKEv2 with EAP, MOBIKE status
fails to be processed. |
|
|
ASASM traceback and reload after
upgrade up to 9.12(4)4 and higher |
|
|
9.10.1.11 ASA on FPR2110
traceback and reloads randomly |
Revision: Version 9.12(4)7 – 10/21/2020
Files: asa9124-7-smp-k8.bin, cisco-asa-fp2k.9.12.4.7.SPA, cisco-asa.9.12.4.7.SPA.csp
Defects resolved since 9.12(4)4:
|
CTM: Nitrox S/G lengths need to
be validated |
|
|
ASA - rare cp processing
corruption causes console lock |
|
|
ENH: Missing
X-Content-Type-Options Header in ASA HTTP WebVPN
portal |
|
|
AnyConnect and Management
Sessions fail to connect after several weeks |
|
|
Lina cores on multi-instance
causing a boot loop on both logical-devices |
|
|
Block exhaustion snapshot not
created when available blocks goes to zero |
|
|
traceback: ASA reloaded
lina_sigcrash+1394 |
|
|
FTD Lina traceback in datapath due to double free |
|
|
Embryonic connections limit does
not work consistently |
|
|
Cluster / aaa-server
key missing after "no key config-key" is entered |
|
|
ASA: Block new conns even when
the "logging permit-hostdown" is set
& TCP syslog is down |
|
|
Traceback in threadname
DATAPATH (5585) or Lina (2100) after upgrade to 9.12.4 |
|
|
Observed traceback in FPR2130
while running webVPN, SNMP related traffic. |
|
|
After upgrade ASA swapped names
for disks, disk0 became disk1 and vice versa. |
|
|
ASA still doesn't allow to poll
internal-data0/0 counters via SNMP in multiple mode |
|
|
ASA logging rate-limit 1 5
message ... limits to 1 message in 10 seconds instead of 5 |
|
|
Malformed SIP packets leads to 4k block hold-up till SIP conn timeout causing
probable traffic issue |
|
|
Error parsing
flash:/LOCAL-CA-SERVER/LOCAL-CA-SERVER.cdb, when
trying to modify/read the user-db |
|
|
Removing static ipv6 route from
management-only route table affects data traffic |
|
|
ASA stops processing RIP packets
after system upgrade |
|
|
ASAv5 reloads without traceback. |
|
|
Snmpwalk showing traffic counter as 0 for failover interface |
|
|
ASA Anyconnect
url-redirect not working for ipv6 |
|
|
ASA/FTD: HA switchover doesn't
happen with graceful reboot of firepower chassis |
|
|
FTD Traceback and reload while
trying to switch peer on HA |
|
|
Traceback Cluster unit on
snpi_nat_xlate_destroy+2508 |
|
|
DMA memory leak in ctm_hw_malloc_from_pool causing management and VPN
connections to fail |
|
|
ASA/FTD traceback and reload
during AAA or CoA task of Anyconnect user |
|
|
WebSSL clientless user accounts being locked out on 1st bad
password |
|
|
ASA traceback and reload in thread:Crypto CA,mem corruption by unvirtualized pki
global table in MTX |
|
|
ASA traceback and reload in fover_parse when attempting to join the failover pair. |
|
|
ASA dropping all traffic with
reason "No route to host" when tmatch
compilation is ongoing |
|
|
Inner flow: U-turn GRE flows
trigger incorrect connection flow creation |
|
|
ASA cluster members 2048 block
depletion due to "VPN packet redirect on peer" |
|
|
ASA: EasyVPN
HW Client triggers duplicate phase 2 rekey causing disconnections across the
tunnel |
Revision: Version 9.12(4)4 – 09/09/2020
Files: asa9124-4-smp-k8.bin, cisco-asa-fp2k.9.12.4.4.SPA, cisco-asa.9.12.4.4.SPA.csp
Defects resolved since 9.12(4)2:
|
TCM doesn't work for ACE
addition/removal, ACL object/object-group edits |
|
|
ASA/FTD traceback and reload in
Thread Name: SXP CORE |
|
|
show inventory (or) "show
environment" on ASA 5515/5525/5545/5555 shows up Driver/ioctl error logs |
|
|
CPU hog from idfw
module observed in 5525 FTD |
|
|
Implement debug menu command to
show RX ring number a flow is hashed to |
|
|
Cisco Firepower Threat Defense
Software Hidden Commands Vulnerability |
|
|
FPR 2100, low block 9472 causes packet loss through the
device. |
|
|
ASA traceback Thread Name:
DATAPATH with PBR configured |
|
|
Improve ipv6 duplicate address
detection to avoid disabling ipv6 in case of transient active-active |
|
|
NTP configuration is not
synchronized to LINA on Multi Instance |
|
|
Unexpected ASA reload and/or
truncated crashinfo when issuing 'crashinfo force' |
|
|
Cisco Firepower Threat Defense
Software TCP Flood Denial of Service Vulnerability |
|
|
On FPR devices when FIPS is
enabled cannot create webtype ACLs |
|
|
Cisco Adaptive Security
Appliance Software and Firepower Threat Defense Software DoS Vuln |
|
|
Warning Message for default
settings with Installation of Certificates in ASA/FTD - CLI |
|
|
aaa-server configuration missing on the FTD after a Remote
Access VPN policy deployment |
|
|
ASA 9.12(2) - Multiple
tracebacks due to Unicorn Proxy Thread |
|
|
Traceback observed while
performing master role change with active IGMP joins |
|
|
ASA experienced a traceback and
reloaded |
|
|
Cisco ASA and FTD Software
SSL/TLS Session Denial of Service Vulnerability |
|
|
Cisco ASA and FTD IP Fragment
Memory Leak Vulnerability |
|
|
ASA configured with TACACS REST
API: /cli api fail with "Command authorization
failed" message |
|
|
Cisco ASA and FTD Software SSL
VPN Direct Memory Access Denial of Service Vulnerability |
|
|
ASA high CPU with
intel_82576_check_link_thread impacting on overall unit performance |
|
|
FPR2100: Show crash output on
show tech does not display outputs from most recent tracebacks |
|
|
Cisco ASA Software and FTD
Software WebVPN Portal Access Rule Bypass
Vulnerability |
|
|
Cannot change (modify) interface
speed after upgrade |
|
|
SNMP IfInDiscards
OIDs for Internal-Data 0/0 and 0/1 may return incorrect values |
|
|
Multicast traffic is being
dropped with the resson no-mcast-intrf |
|
|
Multicast EIGRP traffic not seen
on internal FTD interface |
|
|
Cluster site-specific MAC
addresses not rewritten by flow-offload |
|
|
Stale VPN routes for L2TP, after
the session was terminated |
|
|
Lina Traceback during FTD
deployment when WCCP config is being pushed |
|
|
ASA gets frozen after crypto
engine failure |
|
|
Cisco ASA and FTD Web Services
Interface Cross-Site Scripting Vulnerabilities |
|
|
Cisco Firepower 1000 Series Bleichenbacher Attack Vulnerability |
|
|
ASA Traceback and reload on
thread name Crypto CA |
|
|
Rate-limit syslogs
780001/780002 by default on ASA |
|
|
Lina traceback and reload seen
on trying to switch peer on KP HA with 6.6.1-63 |
|
|
ASA traceback when running show
asp table classify domain permit |
|
|
Cisco ASA Software Web-Based
Management Interface Reflected Cross-Site Scripting Vulnerabi |
|
|
snmpwalk for OID 1.3.6.1.2.1.47.1.1.1.1.5 on ISA 3000 returning
value of 0 for .16 and .17 |
|
|
ASA IKEv2 VTI - Failed to
request SPI from CTM as responder |
|
|
ASA: Extended downtime after reload after CSCuw51499 fix |
|
|
Cluster unit traceback on snp_cluster_forward_and_free_packet due to GRE/IPiniP passenger flows |
|
|
ASA: ACL compilation takes more
time on standby |
Revision: Version 9.12(4)2 – 06/28/2020
Files: asa9124-2-smp-k8.bin, cisco-asa-fp2k.9.12.4.2.SPA, cisco-asa.9.12.4.2.SPA.csp
Defects resolved since 9.12(4):
|
ASA should provide better
fragment-related logs and ASP drop reasons |
|
|
Stuck uauth
entry rejects AnyConnect user connections |
|
|
ASA traceback and reload due to tcp_retrans_timeout internal thread handling |
|
|
[SXP] Issue with establishing
SXP connection between ASA on FPR-2110 and switches |
|
|
ASA traceback and reload on
Thread Name SSH |
|
|
ASA traceback and reload on sysopt traffic detailed in multicontext
mode |
|
|
ENH: Addition of 'show run all sysopt' to 'show tech' output |
|
|
ENH: Addition of 'show logging
setting' to 'show tech' output |
|
|
ASA/FTD may traceback and reload
when repeatedly adding/removing multicast commands |
|
|
ASA traceback and reload
multiple times with trace "webvpn_periodic_signal" |
|
|
Traffic may match an access-list
incorrectly with object-group-search enabled |
|
|
ASA Traceback Due to Umbrella
Inspection |
|
|
ASA/FTD: Block 256 size
depletion caused by ARP of BVI not assigned to any physical interface |
|
|
Calls fail once anyconnect configuration is added to the site to site VPN tunnel |
|
|
ASA/FTD traceback and reload due
to memory leak in SNMP community string |
|
|
Multi-context ASA/LINA on FPR
not sending DHCP release message |
|
|
Erase disk0 on ISA3000 causes
file system not supported |
|
|
Dynamic RRI route is not
destroyed when IKEv2 tunnel goes down |
|
|
Pad packets received from RA
tunnel which are less than or equal 46 bytes in length with zeros |
|
|
Stuck uauth
entry rejects AnyConnect user connections despite fix of CSCvi42008 |
|
|
Fragmented packets forwarded to
fragment owner are not visible on data interface captures |
|
|
Cisco ASA and FTD Web Services
File Upload Denial of Service Vulnerability |
|
|
ASA High CPU with igb_saleen_io_sfp_mod_poll_thre process |
|
|
ASA is sending failover
interface check control packets with a wrong destination mac address |
|
|
FTD traceback and reload on
thread "IKEv2 Mgd Timer Thread" |
|
|
ASA traceback and reload for the
CLI "show asp table socket 18421590 det" |
|
|
Cisco ASA and FTD Software
OSPFv2 Link-Local Signaling Denial of Service Vulnerability |
|
|
ASA traceback and reload with
thread name coa_task |
|
|
Crypto accelerator bias setting
should be included in show tech |
|
|
Connectivity over the state link
configured with IPv6 addresses is lost after upgrading the ASA |
|
|
Certificate mapping for
AnyConnect on FTD stops working. |
|
|
IKEv2 Call Admission Statistics
"Active SAs" counter out of sync with the real number of sessions |
|
|
tsd0 not reset when ssh quota limit is hit in ci_cons_shell |
|
|
Traceback: Modifying FTD
inline-set tap-mode configuration with active traffic |
|
|
AnyConnect statistics is doubled
in both %ASA-4-113019 and RADIUS accounting |
|
|
Device loses ssh
connectivity when username and password is entered |
|
|
FPR2100: ASA console may hang
& become unresponsive in low memory conditions |
|
|
FPR-41x5: 'clear crypto
accelerator load-balance' will cause a traceback and reload |
|
|
ASA on QP platforms display
wrong coredump filesystem space (50 GB) |
|
|
DTLS v1.2 and AES-GCM cipher
when used drops a particular size packet frequently. |
|
|
Cluster data unit might fail to
synchronize SCTP configuration from the control unit after bootup |
|
|
ASA-FPWR 1010 traceback and
reload when users connect using AnyConnect VPN |
|
|
HKT - Failover time increases with
upgrade to 9.8.4.15 |
|
|
Cisco ASA and FTD Software SIP
Denial of Service Vulnerability |
|
|
FTD failover units traceback and
reload on DATAPATH |
|
|
ASA generated a traceback and
reloaded when changing the port value of a manual nat
rule |
|
|
Config_XML_Response from LINA is not in the correct format,Lina reporting as No memory available. |
|
|
FTD 6.4.0.8 traceback &
reload on thread name : CP processing |
|
|
ASA interface ACL dropping snmp control-plane traffic from ASA |
|
|
WebVPN SSO Gives Unexpected Results when Integrated with
Kerberos |
|
|
ASA Crashes in SNMP while
joining the cluster when key config-key password-encryption" is present |
|
|
SSH keys lost in ASA after reload |
|
|
FTD firewall unit cannot join
the cluster after a traceback due to invalid interface GOID entry |
|
|
ASA traceback in Thread Name kerberos_recv |
|
|
ASA traceback and reload with
Flow lookup calling traceback |
|
|
ASAv reload due to FIPS SELF-TEST FAILURE after enabling FIPS |
|
|
ASA: High CPU due to stuck
running SSH sessions / Unable to SSH to ASA |
|
|
GIADDR of DHCP Discover packet
is changed to the ip address of dhcp-network-scope |
|
|
Cisco ASA Software and FTD
Software Web Services Cross-Site Scripting Vulnerability |
|
|
ASA traceback in threadname 'ppp_timer_thread' |
|
|
[PKI] Standard Based IKEv2
Certificate Auth session does second userfromcert
lookup unnecessarily |
|
|
FMC pushes certificate map
incorrectly to lina |
|
|
ASA traceback after TACACS
authorized user made configuration changes |
|
|
IKEv2 CAC "Active SAs"
counter out of sync with the real number of sessions despite CSCvt98599 |
|
|
ASA traceback and reload on
thread name DATAPATH |
|
|
AnyConnect Connected Client IPs
Not Advertised into OSPF Intermittently |
|
|
DSCP values not preserved in
DTLS packets towards AnyConnect users |
|
|
Cisco ASA and FTD Web Services
Interface Cross-Site Scripting Vulnerabilities |
|
|
FTD: Traceback and reload when
changing capture buffer options on a
already applied capture |
|
|
ASA unable to delete ACEs with
remarks and display error "Specified remark does not exist" |
|
|
Dynamic routing protocols
summary route not being replicated to standby |
|
|
Cisco ASA and FTD Web Services
Interface Cross-Site Scripting Vulnerabilities |
|
|
Native VPN client with EAP-TLS
authentication fails to connect to ASA |