Cisco ASA Interim Release Notes

 

The software images listed below are Interim releases.  They contain bug fixes which address specific issues found since the last Feature or Maintenance release.  The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

 

Important:  These images were not fully regression tested.  Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality.  Keep this testing status in mind if you decide to run them in a production environment.  We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

 

Revision:  Version 9.15(1)21 – 04/12/2022

Files:  asa9151-21-smp-k8.bin, cisco-asa-fp1k.9.15.1.21.SPA, cisco-asa-fp2k.9.15.1.21.SPA, cisco-asa.9.15.1.21.SPA.csp

Defects resolved since 9.15(1)17:

 

CSCvx64478

Unwanted console output during SAML transactions

CSCvz62379

Cisco ASA and FTD Software Dynamic Access Policies Denial of Service Vulnerability

CSCvz70595

Traceback observed on ASA while handling SAML handler

CSCvz76966

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS DoS

CSCvz84850

ASA/FTD traceback and reload caused by "timer services" function

CSCvz85683

Wrong syslog message format for 414004

CSCvz89545

SSL VPN performance degraded and significant stability issues after upgrade

CSCvz92016

ASA Privilege Escalation with valid user in AD

CSCwa04461

Cisco ASA Software and FTD Software Remote Access SSL VPN Denial of Service

CSCwa14485

Cisco Firepower Threat Defense Software Denial of Service Vulnerability

CSCwa15185

ASA/FTD: remove unwanted process call from LUA

CSCwa33898

Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability

CSCwa36678

Random FTD reloads with the traceback during deployment from FMC

CSCwa65389

ASA traceback and reload in Unicorn Admin Handler when change interface configuration via ASDM

 

 

Revision:  Version 9.15(1)17 – 09/29/2021

Files:  asa9151-17-smp-k8.bin, cisco-asa-fp1k.9.15.1.17.SPA, cisco-asa-fp2k.9.15.1.17.SPA, cisco-asa.9.15.1.17.SPA.csp

Defects resolved since 9.15(1)16:

 

CSCvr11958

AWS FTD: Deployment failure with ERROR: failed to set interface to promiscuous mode

CSCvr33428

FMC generates Connection Events from a SYN flood attack

CSCvt62869

SPLIT-BRAIN: Pre allocation of blocks for failover control messages

CSCvv67196

FTD does not try all the crl urls for getting crl file

CSCvx19934

Deployment gets failed for snmp settings while deleting snmpv1 and adding snmpv3 at a time in 6.6.3

CSCvx29448

FTD: SNMP host configured with diagnostic int able to poll management int

CSCvx50980

ASA CP CPU wrong calculation leads to high percentage (100% CP CPU)

CSCvx79793

Slow file transfer or file upload with SSL policy is applied with Decrypt resign action

CSCvy09217

HA goes to active-active state due to cipher mismatch

CSCvy19136

Web portal persistent redirects when certificate authentication is used.

CSCvy23349

FTD unnecessarily ACKing TCP flows on inline-pair deployment

CSCvy39659

ASA/FTD may traceback and reload in Thread Name 'DATAPATH-15-14815'

CSCvy51814

Firepower flow-offload stops offloading all existing and new flows

CSCvy61008

Time out of sync between Lina and FXOS

CSCvy96625

Revert 'fix' introduced by CSCvr33428 and CSCvy39659

 

 

Revision:  Version 9.15(1)16 – 06/01/2021

Files:  asa9151-16-smp-k8.bin, cisco-asa-fp1k.9.15.1.16.SPA, cisco-asa-fp2k.9.15.1.16.SPA, cisco-asa.9.15.1.16.SPA.csp

Defects resolved since 9.15(1)15:

 

CSCvx45976

ASA/FTD Watchdog forced traceback and reload in Threadname: vnet-proxy (rip: socks_proxy_datarelay)

CSCvx95255

Supportive change in ASA to differentiate, new ASDM connections from existing ASDM context switch

 

 

Revision:  Version 9.15(1)15 – 04/28/2021

Files:  asa9151-15-smp-k8.bin, cisco-asa-fp1k.9.15.1.15.SPA, cisco-asa-fp2k.9.15.1.15.SPA, cisco-asa.9.15.1.15.SPA.csp

Defects resolved since 9.15(1)10:

 

CSCvp69936

ASA Traceback on tcp_intercept Thread name : Threat detection

CSCvs82926

Critical RPM alert on FPR2100 Series with ASA 'Chassis 0 Cooling Fan OK' SCH message

CSCvv85029

ASA5555 traceback and reload on Thread Name: ace_work

CSCvv86861

Traceback in KP in timer while running VPN, EMIX and SNMP traffic for overnight.

CSCvv97877

Secondary unit not able to join the cluster

CSCvw18614

ASA traceback in the LINA process

CSCvw23199

ASA/FTD Traceback and reload in Thread Name: Logger

CSCvw24084

FTD might crash in SNMP with rip Netsnmp_config_req_dequeue_and_send+269 at snmp/snmp_config_utils.c

CSCvw26544

Cisco ASA and FTD Software SIP Denial of Service Vulnerability

CSCvw38614

AZURE ASA/FTD NIC MAC address might get re-ordered upon a reboot

CSCvw53596

FPR4120 - Lina watchdog traceback in cli_xmlserver_thread

CSCvw53796

Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerability

CSCvw71766

ASA traceback and reload in Thread: Ikev2 Daemon

CSCvw82629

ASA Tracebacks when making "configuration session" changes regarding an ACL.

CSCvx04057

When SGT name is unresolved and used in ACE, line is not being ignored/inactive

CSCvx08734

ASA: default IPv6/IPv4 route tunneled does not work

CSCvx13694

ASA/FTD traceback in Thread Name: PTHREAD-4432

CSCvx15040

DHCP Proxy Offer is getting drop on the ASA/FTD

CSCvx16317

Failure accessing FXOS with connect fxos admin from Multi-Context ASA if admin context is changed

CSCvx17664

ASA may traceback and reload in Thread Name 'webvpn_task'

CSCvx17780

FPR-2100-ASA :  SNMP Walk for ifType is showing "other" for ASA interfaces in the latest versions

CSCvx17842

Prevent lina from traceback due to object loop sent by FMC. Fail the deployment instead.

CSCvx20303

ASA/FTD may traceback in after changing snmp host-group object

CSCvx25719

X-Frame-Options header is not set in webvpn response pages

CSCvx26221

Traceback into snmp at handle_agentx_packet / snmp takes long time to come up on FP1k and 5508

CSCvx26808

FTD traceback and reload on process lina on FPR2100 series

CSCvx27430

ASA: Unable to import PAC file if FIPS is enabled.

CSCvx29771

Firewall CPU can increase after a bulk routing update with flow offload

CSCvx29814

IP address in DHCP GIADDR field is reversed after sending DHCP DECLINE to DHCP server

CSCvx29832

CPU performance degrade with lots of route updates with flow offload enabled

CSCvx34237

ASA reload with FIPS failure

CSCvx41171

Concurrent modification of ACL configuration breaks output of "show running-config" completely

CSCvx42081

FPR4150 ASA Standby Ready unit Loops to failed and remove config to install it again

CSCvx42197

ASA EIGRP route stuck after neighbour disconnected

CSCvx44401

FTD/ASA traceback in Thread Name : Unicorn Proxy Thread

CSCvx47230

X-Frame-Options header support for older versions of IE and windows platforms

CSCvx50366

Traceback in Thread Name: fover_health_monitoring_thread

CSCvx52122

ASA traceback and reload in SNMP Notify Thread while deleting transparent context

CSCvx54235

ASP capture dispatch-queue-limit shows no packets

CSCvx54396

Deployment failures on FTD when multicast is enabled.

CSCvx54606

FTD 6.6.1/6.7.0  is sending SNMP Ifspeed OID (1.3.6.1.2.1.2.2.1.5) response value = 0

CSCvx57417

Smart Tunnel Code signing certificate renewal

CSCvx59120

COA Received before data tunnel comes up results in tear down of parent session

CSCvx63647

ASA traceback and reload on Thread Name: CTM Daemon

CSCvx68128

ASA internal deadlock leads to loss of feature functionality (syslogs, reload, ASDM, anyconnect)

CSCvx69405

ASA Traceback and reload in Thread Name: SNMP ContextThread

CSCvx71434

ASA/FTD Traceback and reload in Thread Name: pix_startup_thread due to asa_run_ttyS0 script

CSCvx72904

Optimize ifmib polls

CSCvx73164

Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021

CSCvx76233

ASA traceback and reload in thread ci/console when copying a system image to flash

 

 

Revision:  Version 9.15(1)10 – 3/2/2021

Files:  asa9151-10-smp-k8.bin, cisco-asa-fp1k.9.15.1.10.SPA, cisco-asa-fp2k.9.15.1.10.SPA, cisco-asa.9.15.1.10.SPA.csp

Defects resolved since 9.15(1)7:

 

CSCvc07112

Implement detection and auto-fix capability for scheduler corruption problems

CSCvg69380

ASA - rare cp processing corruption causes console lock

CSCvm82290

ASA core blocks depleted when host unreachable in IRB/TFW configuration

CSCvs72450

FXOS - Recover hwclock of service module from corruption due to simultaneous write collision

CSCvv19230

ASAv Anyconnect users unexpectedly disconnect with reason: Idle Timeout

CSCvv60998

FPR2100 1 Gig Fiber SFP Interfaces down in ASA appliance mode

CSCvv70984

ASA traceback while modifying the bookmark SSL Ciphers configuration

CSCvv89708

ASA/FTD may traceback in thread name fover_FSM_thread and reload

CSCvw16619

Offloaded traffic not failed over to secondary route in ECMP setup

CSCvw43486

ASA/FTD Traceback and reload during PBR configuration change

CSCvw51307

ASA/FTD traceback and reload in process name "Lina"

CSCvw51950

FPR 4K: SSL trust-point removed from new active ASA after manual Failover

CSCvw51985

ASA: AnyConnect sessions cannot be resumed due to ipv6 DACL failure

CSCvw59035

Connection issues to directly connected IP from FTD BVI address

CSCvw81897

ASA: OpenSSL Vulnerability CVE-2020-1971

CSCvw83572

BVI HTTP/SSH access is not working in versions 9.14.1.30 or above

CSCvw84339

Managed device backup fails, for FTD, if hostname exceeds 30 characters

CSCvw87788

ASA traceback and reload webvpn thread

CSCvw89365

ASA/FTD may traceback and reload during certificate changes

CSCvw93139

Cisco ASA and FTD Software for FP 1000/2100 Series Command Injection Vulnerability

CSCvw95301

ASA traceback and reload with Thread name: ssh when capture was removed

CSCvw95368

ASA: Traceback at emweb/https and reload when Remote Access VPN is enabled

CSCvw96488

Traceback in inspect_h323_ras+1810

CSCvw97821

ASA: VPN traffic does not pass if no dACL is provided in CoA

CSCvw98840

ASA: dACL with no IPv6 entries is not applied to v6 traffic after CoA

CSCvw99916

ASAv: SNMP result for used memory value incorrect after upgrade to 9.14

CSCvx01805

AppAgent gets deregistered due to heartbeat failure during config sync up on Firepower 2100s

CSCvx02869

Traceback in Thread Name: Lic TMR

CSCvx03764

Offload rewrite data needs to be fixed for identity nat traffic and clustering environment

CSCvx04643

ASA reload is removing 'content-security-policy' config

CSCvx05381

Cisco ASA and FTD Software Command Injection Vulnerability

CSCvx05385

ASA may generate a traceback in Logger thread during configuration sync in HA

CSCvx06385

Fail-to-wire ports in FPR 2100 flapping after upgrade to 6.6.1

CSCvx09535

ASA Traceback: CRL check for an Anyconnect client with a revoked certificate triggers reload

CSCvx11295

ASA may traceback and reload on thread Crypto CA

CSCvx11460

Firepower 2110 silently dropping traffic with TFC enabled on the remote end

CSCvx22695

ASA traceback and reload during OCSP response data cleanup

CSCvx25836

ASA traceback & reload due to "show crashinfo" adding a new output log

CSCvx30314

ASA 9.15.1.7 traceback and reload in  Thread Name: DATAPATH

 

 

Revision:  Version 9.15(1)7 – 1/27/2021

Files:  asa9151-7-smp-k8.bin, cisco-asa-fp1k.9.15.1.7.SPA, cisco-asa-fp2k.9.15.1.7.SPA, cisco-asa.9.15.1.7.SPA.csp

Defects resolved since 9.15(1)1:

 

CSCvg69380

ASA - rare cp processing corruption causes console lock

CSCvo34210

ASA running 9.6.4.20 Traceback in threadname Unicorn Proxy Thread

CSCvr85295

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote

CSCvs13204

ASAv failover traffic on SR-IOV interfaces might be dropped due to interface-down

CSCvs84542

ASA traceback with thread: idfw_proc

CSCvt71529

ASA traceback and reload during SSL handshake

CSCvt75760

Traceback/Page-fault in Clientless WebVPN due to HTTP cleanup

CSCvu66332

Lina traceback when FTD is configured with passive interface in HA with span traffic on it.

CSCvu98222

FTD Lina engine may traceback in datapath after enabling SSL decryption policy

CSCvv15572

ASA traceback observed when "config-url" is entered while creating new context

CSCvv17585

Netflow template not sent under certain circumstances

CSCvv56644

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS

CSCvv65184

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS

CSCvv66005

ASA traceback and reload on inspect esmtp

CSCvv67500

ASA 9.12 random traceback and reload in DATAPATH

CSCvv72466

OSPF network commands go missing in the startup-config after upgrading the ASA

CSCvv73017

Traceback due to fover and ssh thread

CSCvv80782

Traceback leads to the purg_process

CSCvv86926

Unexpected traceback and reload on FTD creating a Core file

CSCvv87232

ASA: High number of CPU hog in igb_saleen_io_sfp_mod_poll_thread process

CSCvv88017

ASA: EasyVPN HW Client triggers duplicate phase 2 rekey causing disconnections across the tunnel

CSCvv90720

ASA/FTD: Mac address-table flap seen on connected switch after a HA switchover

CSCvv94165

FTD 6.6 : High CPU spikes on snmpd process

CSCvv94701

ASA keeps reloading with "octnic_hm_thread". After the reload, it takes very long time to recover.

CSCvw00161

ASA traceback and reload due to VPN thread on firepower 2140

CSCvw07000

Snort busy drops with PDTS Tx queue stuck

CSCvw12008

ASA traceback and reload while executing "show tech-support" command

CSCvw12100

ASA stale VPN Context seen for site to site and AnyConnect sessions

CSCvw21844

FTD traceback and reload on DATAPATH thread when processing encapsulated flows

CSCvw22881

radius_rcv_auth can shoot up control plane CPU to 100%.

CSCvw22986

Secondary unit stuck in Bulk sync infinitely due to interface of Primary stuck in init state

CSCvw24556

TCP File transfer (Big File) not properly closed when Flow offload is enabled

CSCvw26171

ASA syslog traceback while strncpy NULL string passed from SSL library

CSCvw26331

ASA traceback and reload on Thread Name: ci/console

CSCvw27301

IKEv2 with EAP, MOBIKE status fails to be processed.

CSCvw28814

SNMP process crashed, while upgrading  the QP to v9.14.1.109

CSCvw30252

FTD traceback and reload due to memory corruption in SNMP

CSCvw31569

Director/Backup flows are left behind and traffic related to this flow is blackholed

CSCvw31710

[6.6.1-91] snmpwalk allowed for all configured v3 users

CSCvw32518

ASASM traceback and reload after upgrade up to 9.12(4)4 and higher

CSCvw36662

TACACS+ ASCII password change request not handled properly

CSCvw37259

VPN syslogs are generated at a rate of 600/s until device goes into a hang state

CSCvw42999

9.10.1.11 ASA on FPR2110 traceback and reloads randomly

CSCvw44122

ASA: "class-default" class-map redirecting non-DNS traffic to DNS inspection engine

CSCvw45863

ASAv snmp traceback on reload

CSCvw47321

IPSec transport mode traffic corruption for inbound traffic for some FPR platforms

CSCvw48517

DAP Stopped Working After Upgrading ASA to 9.13(1)13

CSCvw51462

IPv4 Default Tunneled Route Rejected

CSCvw52609

Cisco ASA and FTD Software Web Services Buffer Overflow Denial of Service Vulnerability

CSCvw53427

ASA Fails to process HTTP POST with SAML assertion containing multiple query parameters

CSCvw53884

M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service

CSCvw54640

FPR-4150 - ASA traceback and reload with thread name DATAPATH

CSCvw58414

Name of anyconnect custom attribute of type dynamic-split-exclude-domains is changed after reload

CSCvw63862

ASA: Random L2TP users cannot access resources due to stale ACL filter entries

CSCvw74940

ASA traceback in IKE Daemon and reload

CSCvw83780

Standby FTD 6.6.1 core at Process Name: lina

CSCvw84786

ASA traceback and reload on Thread name snmp_alarm_thread

CSCvx09123

M500IT Model Solid State Drives on ISA3000 may go unresponsive after 3.2 Years in service

 

 

Revision:  Version 9.15(1)1 – 11/24/2020

Files:  asa9151-1-smp-k8.bin, cisco-asa-fp1k.9.15.1.1.SPA, cisco-asa-fp2k.9.15.1.1.SPA, cisco-asa.9.15.1.1.SPA.csp

Defects resolved since 9.15(1):

 

CSCvw46885

ASA/FTD traceback and reload related to SNMP and management-access configuration

 

Note: With the fix for CSCvw46885, users will experience defect CSCvw56551, "ASA displays cosmetic NAT warning message when making the interface config changes." As the bug headline says, this is a cosmetic issue and has no functional impact.