Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 9.14(2)15 – 04/28/2021
Files: asa9-14-2-15-smp-k8.bin, cisco-asa-fp1k.9.14.2.15.SPA, cisco-asa-fp2k.9.14.2.15.SPA, cisco-asa.9.14.2.15.SPA.csp
Defects resolved since 9.14(2)13:
HTTPS access on FTD data interface (off-box management) is failing
ASA : Traceback on tcp_intercept Thread name : Threat detection
ASA5555 traceback and reload on Thread Name: ace_work
ASA duplicate MAC addresses in Shared Interfaces of different Contexts causing traffic impact
ASA traceback in the LINA process
FTD/HA: "no shutdown" command disappear from running-config of standby
ASA traceback and reload in Thread: Ikev2 Daemon
ASA Tracebacks when making "configuration session" changes regarding an ACL.
S2S traffic fails due to missing V routes after Primary cluster unit gets disabled
When SGT name is unresolved and used in ACE, line is not being ignored/inactive
ASA: default IPv6/IPv4 route tunneled does not work
ASA/FTD traceback in Thread Name: PTHREAD-4432
ASA may traceback and reload in Thread Name 'webvpn_task'
X-Frame-Options header is not set in webvpn response pages
FTD traceback and reload on process lina on FPR2100 series
Firewall CPU can increase after a bulk routing update with flow offload
IP address in DHCP GIADDR field is reversed after sending DHCP DECLINE to DHCP server
CPU performance degrade with lots of route updates with flow offload enabled
ASA reload with FIPS failure
Core-local block alloc failure on cores where CP is pinned leading to drops
Concurrent modification of ACL configuration breaks output of "show running-config" completely
FPR4150 ASA Standby Ready unit Loops to failed and remove config to install it again
FTD/ASA traceback in Thread Name : Unicorn Proxy Thread
ASA/FTD Watchdog forced traceback and reload in Threadname: vnet-proxy (rip: socks_proxy_datarelay)
X-Frame-Options header support for older versions of IE and windows platforms
Traceback in Thread Name: fover_health_monitoring_thread
ASA traceback and reload in SNMP Notify Thread while deleting transparent context
ASP capture dispatch-queue-limit shows no packets
Deployment failures on FTD when multicast is enabled.
FTD 6.6.1/6.7.0 is sending SNMP Ifspeed OID (1.3.6.1.2.1.2.2.1.5) response value = 0
Smart Tunnel Code signing certificate renewal
COA Received before data tunnel comes up results in tear down of parent session
ASA traceback and reload on Thread Name: CTM Daemon
ASA internal deadlock leads to loss of feature functionality (syslogs, reload, ASDM, anyconnect)
ASA - unable to import CA certificate when countryName is encoded as UTF8
ASA Traceback and reload in Thread Name: SNMP ContextThread
ASA/FTD Traceback and reload in Thread Name: pix_startup_thread due to asa_run_ttyS0 script
ASA: "ERROR: Unable to delete entries from Hash Table" with CSM
Optimise ifmib polls
ASA traceback while taking captures
VPN Load Balancing may get stuck and disconnect from the group
Revision: Version 9.14(2)13 – 03/16/2021
Files: asa9-14-2-13-smp-k8.bin, cisco-asa-fp1k.9.14.2.13.SPA, cisco-asa-fp2k.9.14.2.13.SPA, cisco-asa.9.14.2.13.SPA.csp
Defects resolved since 9.14(2)8:
FXOS - Recover hwclock of service module from corruption due to simultaneous write collision
Critical RPM alert on FPR1000 Series with ASA 'Chassis 0 Cooling Fan OK' SCH message
ASA traceback while modifying the bookmark SSL Ciphers configuration
Traceback in KP in timer while running VPN, EMIX and SNMP traffic for overnight.
Secondary unit not able to join the cluster
ASA/FTD Traceback and reload in Thread Name: Logger
Cisco ASA and FTD Software SIP Denial of Service Vulnerability
ASA/FTD traceback and reload in process name "Lina"
FPR 4K: SSL trust-point removed from new active ASA after manual Failover
ASA: OpenSSL Vulnerability CVE-2020-1971
ASA/FTD may traceback and reload during certificate changes
Cisco ASA and FTD Software for FP 1000/2100 Series Appliances Command Injection Vuln
ASA traceback and reload with Thread name: ssh when capture was removed
Traceback in inspect_h323_ras+1810
ASAv: SNMP result for used memory value incorrect after upgrade to 9.14
AppAgent gets deregistered due to heartbeat failure during config sync up on Firepower 2100s
Traceback in Thread Name: Lic TMR
Offload rewrite data needs to be fixed for identity nat traffic and clustering environment
ASA reload is removing 'content-security-policy' config
Cisco ASA and FTD Software Command Injection Vulnerability
ASA may generate a traceback in Logger thread during configuration sync in HA
Fail-to-wire ports in FPR 2100 flapping after upgrade to 6.6.1
SNMP walk for v2 and v3 fails with No Such Object available on this agent at this OID is seen
ASA Traceback: CRL check for an Anyconnect client with a revoked certificate triggers reload
ASA may traceback and reload on thread Crypto CA
Firepower 2110 silently dropping traffic with TFC enabled on the remote end
DHCP Proxy Offer is getting drop on the ASA/FTD
FPR-2100-ASA : SNMP Walk for ifType is showing "other" for ASA interfaces in the latest versions
Prevent lina from traceback due to object loop sent by FMC. Fail the deployment instead.
ASA/FTD may traceback in after changing snmp host-group object
ASA traceback and reload during OCSP response data cleanup
Traceback into snmp at handle_agentx_packet / snmp takes long time to come up on FP1k and 5508
ASA: Unable to import PAC file if FIPS is enabled.
ASA 9.15.1.7 traceback and reload in Thread Name: DATAPATH
ASA EIGRP route stuck after neighbour disconnected
Revision: Version 9.14(2)8 – 02/02/2021
Files: asa9-14-2-8-smp-k8.bin, cisco-asa-fp1k.9.14.2.8.SPA, cisco-asa-fp2k.9.14.2.8.SPA, cisco-asa.9.14.2.8.SPA.csp
Defects resolved since 9.14(2)4:
ASA core blocks depleted when host unreachable in IRB/TFW configuration
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote
ASAv failover traffic on SR-IOV interfaces might be dropped due to interface-down
ASA traceback with thread: idfw_proc
ASAv Anyconnect users unexpectedly disconnect with reason: Idle Timeout
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
FPR2100 1 Gig Fiber SFP Interfaces down in ASA appliance mode
ASA: High number of CPU hog in igb_saleen_io_sfp_mod_poll_thread process
ASA/FTD may traceback in thread name fover_FSM_thread and reload
Offloaded UDP traffic not failed over to secondary route in ECMP setup
ASA traceback and reload on Thread Name: ci/console
ASA/FTD Traceback and reload during PBR configuration change
ASA: "class-default" class-map redirecting non-DNS traffic to DNS inspection engine
IPSec transport mode traffic corruption for inbound traffic for some FPR platforms
DAP Stopped Working After Upgrading ASA to 9.13(1)13
ASA/FTD may traceback and reload during upgrade
ASA: AnyConnect sessions cannot be resumed due to ipv6 DACL failure
Cisco ASA and FTD Software Web Services Buffer Overflow Denial of Service Vulnerability
FTD/ASA HA: Standby Unit FXOS is still able to forward traffic even after failover due to crash
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerability
M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service
FPR-4150 - ASA traceback and reload with thread name DATAPATH
Name of anyconnect custom attribute of type dynamic-split-exclude-domains is changed after reload
Connection issues to directly connected IP from FTD BVI address
ASA: Random L2TP users cannot access resources due to stale ACL filter entries
Standby ASA linkdown SNMPtrap sent from standby interface with active IP address
ASA traceback in IKE Daemon and reload
BVI HTTP/SSH access is not working in versions 9.14.1.30 or above
Standby FTD 6.6.1 core at Process Name: lina
ASA traceback and reload on Thread name snmp_alarm_thread
ASA traceback and reload webvpn thread
M500IT Model Solid State Drives on ISA3000 may go unresponsive after 3.2 Years in service
Revision: Version 9.14(2)4 – 12/17/2020
Files: asa9-14-2-4-smp-k8.bin, cisco-asa-fp1k.9.14.2.4.SPA, cisco-asa-fp2k.9.14.2.4.SPA, cisco-asa.9.14.2.4.SPA.csp
Defects resolved since 9.14(2):
CTM: Nitrox S/G lengths need to be validated
ASA - rare cp processing corruption causes console lock
ASA running 9.6.4.20 Traceback in threadname Unicorn Proxy Thread
Standby unit traceback at fover_parse and boot loop when detecting Active unit
ASA traceback and reload during SSL handshake
Traceback/Page-fault in Clientless WebVPN due to HTTP cleanup
Ping Failure on ASAv - 9.13 after CAT9k reboot
traceback: ASA reloaded lina_sigcrash+1394
Lina traceback when FTD is configured with passive interface in HA with span traffic on it.
ASA: Block new conns even when the "logging permit-hostdown" is set & TCP syslog is down
FTD Lina engine may traceback in datapath after enabling SSL decryption policy
OSPF neighbourship is not establishing
Traceback in threadname DATAPATH (5585) or Lina (2100) after upgrade to 9.12.4
ASA traceback observed when "config-url" is entered while creating new context
Netflow template not sent under certain circumstances
Malformed SIP packets leads to 4k block hold-up till SIP conn timeout causing probable traffic issue
Removing static ipv6 route from management-only route table affects data traffic
ASA Anyconnect url-redirect not working for ipv6
Traceback Cluster unit on snpi_nat_xlate_destroy+2508
DMA memory leak in ctm_hw_malloc_from_pool causing management and VPN connections to fail
ASA/FTD is reading BGP MP_REACH_NLRI attribute's next-hop bytes in reverse order
ASA traceback and reload in fover_parse when attempting to join the failover pair.
ASA dropping all traffic with reason "No route to host" when tmatch compilation is ongoing
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
ASA traceback and reload on inspect esmtp
Inner flow: U-turn GRE flows trigger incorrect connection flow creation
ASA 9.12 random traceback and reload in DATAPATH
OSPF network commands go missing in the startup-config after upgrading the ASA
Traceback due to fover and ssh thread
Unexpected traceback and reload on FTD creating a Core file
ASA: EasyVPN HW Client triggers duplicate phase 2 rekey causing disconnections across the tunnel
ASA SNMPv3 Poll fails when using AES 256
No deployment failure reason in transcript if 'show running-config' is running during deployment
ASA/FTD: Mac address-table flap seen on connected switch after a HA switchover
ASA keeps reloading with "octnic_hm_thread". After the reload, it takes very long time to recover.
Snort busy drops with PDTS Tx queue stuck
ASA traceback and reload while executing "show tech-support" command
ASA stale VPN Context seen for site to site and AnyConnect sessions
FTD traceback and reload on DATAPATH thread when processing encapsulated flows
radius_rcv_auth can shoot up control plane CPU to 100%.
Secondary unit stuck in Bulk sync infinitely due to interface of Primary stuck in init state
TCP File transfer (Big File) not properly closed when Flow offload is enabled
ASA syslog traceback while strncpy NULL string passed from SSL library
IKEv2 with EAP, MOBIKE status fails to be processed.
Director/Backup flows are left behind and traffic related to this flow is blackholed
[6.6.1-91] snmpwalk allowed for all configured v3 users
ASASM traceback and reload after upgrade up to 9.12(4)4 and higher
TACACS+ ASCII password change request not handled properly
VPN syslogs are generated at a rate of 600/s until device goes into a hang state
9.10.1.11 ASA on FPR2110 traceback and reloads randomly
IPv4 Default Tunneled Route Rejected
ASA Fails to process HTTP POST with SAML assertion containing multiple query parameters