Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 9.15(1)21 – 04/12/2022
Files: asa9151-21-smp-k8.bin, cisco-asa-fp1k.9.15.1.21.SPA, cisco-asa-fp2k.9.15.1.21.SPA, cisco-asa.9.15.1.21.SPA.csp
Defects resolved since 9.15(1)17:
Unwanted console output during SAML transactions
Cisco ASA and FTD Software Dynamic Access Policies Denial of Service Vulnerability
Traceback observed on ASA while handling SAML handler
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DNS DoS
ASA/FTD traceback and reload caused by "timer services" function
Wrong syslog message format for 414004
SSL VPN performance degraded and significant stability issues after upgrade
ASA Privilege Escalation with valid user in AD
Cisco ASA Software and FTD Software Remote Access SSL VPN Denial of Service
Cisco Firepower Threat Defense Software Denial of Service Vulnerability
ASA/FTD: remove unwanted process call from LUA
Cisco Adaptive Security Appliance Software Clientless SSL VPN Heap Overflow Vulnerability
Random FTD reloads with the traceback during deployment from FMC
ASA traceback and reload in Unicorn Admin Handler when change interface configuration via ASDM
Revision: Version 9.15(1)17 – 09/29/2021
Files: asa9151-17-smp-k8.bin, cisco-asa-fp1k.9.15.1.17.SPA, cisco-asa-fp2k.9.15.1.17.SPA, cisco-asa.9.15.1.17.SPA.csp
Defects resolved since 9.15(1)16:
AWS FTD: Deployment failure with ERROR: failed to set interface to promiscuous mode
FMC generates Connection Events from a SYN flood attack
SPLIT-BRAIN: Pre allocation of blocks for failover control messages
FTD does not try all the crl urls for getting crl file
Deployment gets failed for snmp settings while deleting snmpv1 and adding snmpv3 at a time in 6.6.3
FTD: SNMP host configured with diagnostic int able to poll management int
ASA CP CPU wrong calculation leads to high percentage (100% CP CPU)
Slow file transfer or file upload with SSL policy is applied with Decrypt resign action
HA goes to active-active state due to cipher mismatch
Web portal persistent redirects when certificate authentication is used.
FTD unnecessarily ACKing TCP flows on inline-pair deployment
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-15-14815'
Firepower flow-offload stops offloading all existing and new flows
Time out of sync between Lina and FXOS
Revert 'fix' introduced by CSCvr33428 and CSCvy39659
Revision: Version 9.15(1)16 – 06/01/2021
Files: asa9151-16-smp-k8.bin, cisco-asa-fp1k.9.15.1.16.SPA, cisco-asa-fp2k.9.15.1.16.SPA, cisco-asa.9.15.1.16.SPA.csp
Defects resolved since 9.15(1)15:
ASA/FTD Watchdog forced traceback and reload in Threadname: vnet-proxy (rip: socks_proxy_datarelay)
Supportive change in ASA to differentiate, new ASDM connections from existing ASDM context switch
Revision: Version 9.15(1)15 – 04/28/2021
Files: asa9151-15-smp-k8.bin, cisco-asa-fp1k.9.15.1.15.SPA, cisco-asa-fp2k.9.15.1.15.SPA, cisco-asa.9.15.1.15.SPA.csp
Defects resolved since 9.15(1)10:
ASA Traceback on tcp_intercept Thread name : Threat detection
Critical RPM alert on FPR2100 Series with ASA 'Chassis 0 Cooling Fan OK' SCH message
ASA5555 traceback and reload on Thread Name: ace_work
Traceback in KP in timer while running VPN, EMIX and SNMP traffic for overnight.
Secondary unit not able to join the cluster
ASA traceback in the LINA process
ASA/FTD Traceback and reload in Thread Name: Logger
FTD might crash in SNMP with rip Netsnmp_config_req_dequeue_and_send+269 at snmp/snmp_config_utils.c
Cisco ASA and FTD Software SIP Denial of Service Vulnerability
AZURE ASA/FTD NIC MAC address might get re-ordered upon a reboot
FPR4120 - Lina watchdog traceback in cli_xmlserver_thread
Cisco ASA and FTD Web Services Interface Cross-Site Scripting Vulnerability
ASA traceback and reload in Thread: Ikev2 Daemon
ASA Tracebacks when making "configuration session" changes regarding an ACL.
When SGT name is unresolved and used in ACE, line is not being ignored/inactive
ASA: default IPv6/IPv4 route tunneled does not work
ASA/FTD traceback in Thread Name: PTHREAD-4432
DHCP Proxy Offer is getting drop on the ASA/FTD
Failure accessing FXOS with connect fxos admin from Multi-Context ASA if admin context is changed
ASA may traceback and reload in Thread Name 'webvpn_task'
FPR-2100-ASA : SNMP Walk for ifType is showing "other" for ASA interfaces in the latest versions
Prevent lina from traceback due to object loop sent by FMC. Fail the deployment instead.
ASA/FTD may traceback in after changing snmp host-group object
X-Frame-Options header is not set in webvpn response pages
Traceback into snmp at handle_agentx_packet / snmp takes long time to come up on FP1k and 5508
FTD traceback and reload on process lina on FPR2100 series
ASA: Unable to import PAC file if FIPS is enabled.
Firewall CPU can increase after a bulk routing update with flow offload
IP address in DHCP GIADDR field is reversed after sending DHCP DECLINE to DHCP server
CPU performance degrade with lots of route updates with flow offload enabled
ASA reload with FIPS failure
Concurrent modification of ACL configuration breaks output of "show running-config" completely
FPR4150 ASA Standby Ready unit Loops to failed and remove config to install it again
ASA EIGRP route stuck after neighbour disconnected
FTD/ASA traceback in Thread Name : Unicorn Proxy Thread
X-Frame-Options header support for older versions of IE and windows platforms
Traceback in Thread Name: fover_health_monitoring_thread
ASA traceback and reload in SNMP Notify Thread while deleting transparent context
ASP capture dispatch-queue-limit shows no packets
Deployment failures on FTD when multicast is enabled.
FTD 6.6.1/6.7.0 is sending SNMP Ifspeed OID (1.3.6.1.2.1.2.2.1.5) response value = 0
Smart Tunnel Code signing certificate renewal
COA Received before data tunnel comes up results in tear down of parent session
ASA traceback and reload on Thread Name: CTM Daemon
ASA internal deadlock leads to loss of feature functionality (syslogs, reload, ASDM, anyconnect)
ASA Traceback and reload in Thread Name: SNMP ContextThread
ASA/FTD Traceback and reload in Thread Name: pix_startup_thread due to asa_run_ttyS0 script
Optimize ifmib polls
Lasso SAML Implementation Vulnerability Affecting Cisco Products: June 2021
ASA traceback and reload in thread ci/console when copying a system image to flash
Revision: Version 9.15(1)10 – 3/2/2021
Files: asa9151-10-smp-k8.bin, cisco-asa-fp1k.9.15.1.10.SPA, cisco-asa-fp2k.9.15.1.10.SPA, cisco-asa.9.15.1.10.SPA.csp
Defects resolved since 9.15(1)7:
Implement detection and auto-fix capability for scheduler corruption problems
ASA - rare cp processing corruption causes console lock
ASA core blocks depleted when host unreachable in IRB/TFW configuration
FXOS - Recover hwclock of service module from corruption due to simultaneous write collision
ASAv Anyconnect users unexpectedly disconnect with reason: Idle Timeout
FPR2100 1 Gig Fiber SFP Interfaces down in ASA appliance mode
ASA traceback while modifying the bookmark SSL Ciphers configuration
ASA/FTD may traceback in thread name fover_FSM_thread and reload
Offloaded traffic not failed over to secondary route in ECMP setup
ASA/FTD Traceback and reload during PBR configuration change
ASA/FTD traceback and reload in process name "Lina"
FPR 4K: SSL trust-point removed from new active ASA after manual Failover
ASA: AnyConnect sessions cannot be resumed due to ipv6 DACL failure
Connection issues to directly connected IP from FTD BVI address
ASA: OpenSSL Vulnerability CVE-2020-1971
BVI HTTP/SSH access is not working in versions 9.14.1.30 or above
Managed device backup fails, for FTD, if hostname exceeds 30 characters
ASA traceback and reload webvpn thread
ASA/FTD may traceback and reload during certificate changes
Cisco ASA and FTD Software for FP 1000/2100 Series Command Injection Vulnerability
ASA traceback and reload with Thread name: ssh when capture was removed
ASA: Traceback at emweb/https and reload when Remote Access VPN is enabled
Traceback in inspect_h323_ras+1810
ASA: VPN traffic does not pass if no dACL is provided in CoA
ASA: dACL with no IPv6 entries is not applied to v6 traffic after CoA
ASAv: SNMP result for used memory value incorrect after upgrade to 9.14
AppAgent gets deregistered due to heartbeat failure during config sync up on Firepower 2100s
Traceback in Thread Name: Lic TMR
Offload rewrite data needs to be fixed for identity nat traffic and clustering environment
ASA reload is removing 'content-security-policy' config
Cisco ASA and FTD Software Command Injection Vulnerability
ASA may generate a traceback in Logger thread during configuration sync in HA
Fail-to-wire ports in FPR 2100 flapping after upgrade to 6.6.1
ASA Traceback: CRL check for an Anyconnect client with a revoked certificate triggers reload
ASA may traceback and reload on thread Crypto CA
Firepower 2110 silently dropping traffic with TFC enabled on the remote end
ASA traceback and reload during OCSP response data cleanup
ASA traceback & reload due to "show crashinfo" adding a new output log
ASA 9.15.1.7 traceback and reload in Thread Name: DATAPATH
Revision: Version 9.15(1)7 – 1/27/2021
Files: asa9151-7-smp-k8.bin, cisco-asa-fp1k.9.15.1.7.SPA, cisco-asa-fp2k.9.15.1.7.SPA, cisco-asa.9.15.1.7.SPA.csp
Defects resolved since 9.15(1)1:
ASA - rare cp processing corruption causes console lock
ASA running 9.6.4.20 Traceback in threadname Unicorn Proxy Thread
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote
ASAv failover traffic on SR-IOV interfaces might be dropped due to interface-down
ASA traceback with thread: idfw_proc
ASA traceback and reload during SSL handshake
Traceback/Page-fault in Clientless WebVPN due to HTTP cleanup
Lina traceback when FTD is configured with passive interface in HA with span traffic on it.
FTD Lina engine may traceback in datapath after enabling SSL decryption policy
ASA traceback observed when "config-url" is entered while creating new context
Netflow template not sent under certain circumstances
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web DoS
ASA traceback and reload on inspect esmtp
ASA 9.12 random traceback and reload in DATAPATH
OSPF network commands go missing in the startup-config after upgrading the ASA
Traceback due to fover and ssh thread
Traceback leads to the purg_process
Unexpected traceback and reload on FTD creating a Core file
ASA: High number of CPU hog in igb_saleen_io_sfp_mod_poll_thread process
ASA: EasyVPN HW Client triggers duplicate phase 2 rekey causing disconnections across the tunnel
ASA/FTD: Mac address-table flap seen on connected switch after a HA switchover
FTD 6.6 : High CPU spikes on snmpd process
ASA keeps reloading with "octnic_hm_thread". After the reload, it takes very long time to recover.
ASA traceback and reload due to VPN thread on firepower 2140
Snort busy drops with PDTS Tx queue stuck
ASA traceback and reload while executing "show tech-support" command
ASA stale VPN Context seen for site to site and AnyConnect sessions
FTD traceback and reload on DATAPATH thread when processing encapsulated flows
radius_rcv_auth can shoot up control plane CPU to 100%.
Secondary unit stuck in Bulk sync infinitely due to interface of Primary stuck in init state
TCP File transfer (Big File) not properly closed when Flow offload is enabled
ASA syslog traceback while strncpy NULL string passed from SSL library
ASA traceback and reload on Thread Name: ci/console
IKEv2 with EAP, MOBIKE status fails to be processed.
SNMP process crashed, while upgrading the QP to v9.14.1.109
FTD traceback and reload due to memory corruption in SNMP
Director/Backup flows are left behind and traffic related to this flow is blackholed
[6.6.1-91] snmpwalk allowed for all configured v3 users
ASASM traceback and reload after upgrade up to 9.12(4)4 and higher
TACACS+ ASCII password change request not handled properly
VPN syslogs are generated at a rate of 600/s until device goes into a hang state
9.10.1.11 ASA on FPR2110 traceback and reloads randomly
ASA: "class-default" class-map redirecting non-DNS traffic to DNS inspection engine
ASAv snmp traceback on reload
IPSec transport mode traffic corruption for inbound traffic for some FPR platforms
DAP Stopped Working After Upgrading ASA to 9.13(1)13
IPv4 Default Tunneled Route Rejected
Cisco ASA and FTD Software Web Services Buffer Overflow Denial of Service Vulnerability
ASA Fails to process HTTP POST with SAML assertion containing multiple query parameters
M500IT Model Solid State Drives on ASA5506 may go unresponsive after 3.2 Years in service
FPR-4150 - ASA traceback and reload with thread name DATAPATH
Name of anyconnect custom attribute of type dynamic-split-exclude-domains is changed after reload
ASA: Random L2TP users cannot access resources due to stale ACL filter entries
ASA traceback in IKE Daemon and reload
Standby FTD 6.6.1 core at Process Name: lina
ASA traceback and reload on Thread name snmp_alarm_thread
M500IT Model Solid State Drives on ISA3000 may go unresponsive after 3.2 Years in service
Revision: Version 9.15(1)1 – 11/24/2020
Files: asa9151-1-smp-k8.bin, cisco-asa-fp1k.9.15.1.1.SPA, cisco-asa-fp2k.9.15.1.1.SPA, cisco-asa.9.15.1.1.SPA.csp
Defects resolved since 9.15(1):
ASA/FTD traceback and reload related to SNMP and management-access configuration
Note: With the fix for CSCvw46885, users will experience defect CSCvw56551, "ASA displays cosmetic NAT warning message when making the interface config changes." As the bug headline says, this is a cosmetic issue and has no functional impact.