Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.
Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.
Revision: Version 9.14(4)24 – 05/01/2024
Defects resolved since 9.14(4)23:
- Cisco ASA and FTD Software Command Injection Vulnerability
- IFS file system directory traversal vulnerabilities
- Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability
- Remove unused AGG AUTH attributes from code to reduce attack surface
- Cisco ASA and FTD Software Web Services Denial of Service Vulnerability
- Remove uncalled function ewsStringPrintable()
Revision: Version 9.14(4)23 – 03/01/2023
Defects resolved since 9.14(4)22:
- ASA/FTD: Traceback and reload during BGP route update
- ASA: Failed ASA in HA pair not recovering by itself after an "HA state progression failed" error
- ASA/FTD traceback and reload in Process Name: lina
- ASA/FTD traceback and reload when checking CRL
- ASAv high CPU and stack memory allocation errors despite over 30% free memory
- ASA/FTD may traceback and reload in Thread Name 'lina' ip routing ndbshr
- ASA HA failover triggers HTTP server restart failure and ASDM outage
- 'inspect snmp' config difference between active and standby
- FXOS ASA/FTD SNMP OID to poll Internal-Data 'no buffer' interface counters
- ESP rule missing in vpn-context may cause IPsec traffic drop
- ISA3000 LACP channel member SFP port suspended after reload
- ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT
- ASA/FTD cluster traceback and reload during node leave
- ASA/FTD traceback and reload in Thread Name: pix_flash_config_thread
- GTP inspection drops packets because the optional IE header length is too short
- GTP drops not always logged to buffer and syslog
- ASA traceback/reload with message "snmp_ma_kill_restart: vf is NULL"
- ASA/FTD may traceback when deploying a large number of network objects using distribute-list
- ASA/FTD: NAT configuration deployment failure
- ASA/FTD high CPU in SNMP Notify thread
- ASA/FTD may traceback and reload in Thread Name 'lina'
- ASA/FTD transactional commit may result in mismatched rules and traffic loss
- Lina traceback and reload: VPN parent channel (SAL) has an invalid underlying channel
- DHCP relay loops back the DHCP offer packet, causing dhcprelay to fail on FTD/ASA
- Cluster registration fails because DATA_NODE does not join the cluster
- Syslog 106016 is not rate-limited by default
- Serviceability enhancement: payloads that cannot be parsed are silently dropped by ASA/FTD
- ASA traceback and reload due to DNS inspection
- ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread
- ASA traceback and reload when WebVPN portal is used
- ASA restore does not apply VLAN configuration
- Unable to get polling results using SNMP GET for connection rate OIDs
- ASA/FTD: Object Group Search syslog for flows exceeding threshold
- show tech-support generation does not include "show inventory" when run on FTD
- FTD Lina traceback and reload in Thread Name 'IP Init Thread'
- Misleading drop reason in "show asp drop"
- Clientless VPN: accessing web contents served as application/octet-stream vs text/plain
- ASA: Standby may get stuck in "Sync Config" status upon reboot when EEM is configured
- ASA connections stuck in idle state when DCD is enabled
- FPR2100: Increase in failover convergence time with ASA in Appliance mode
- AnyConnect clients fail to match DAP rules due to attribute value too large
- FP4125 2.10.1.166: FTD applications in HA went into a not-responding state
- Port-channel interfaces of secondary unit are in waiting status after reload
- S2S tunnels do not come up due to DH computation failure caused by DSID leak
- ASA configured with HA may traceback and reload with multiple input/output error messages
- Lina traceback on FPR-1010 under Thread Name: update_cpu_usage
- Observing some devcmd failures and checkheaps traceback when flow offload is not used
- Traceback and reload when WebVPN users match DAP access-list with 36k elements
- ASA 5555 on 9.14.4.13: traceback and reload with SSL encryption
- ASA/FTD may traceback and reload in logging_cfg processing
- Clientless VPN users are unable to download large files through the WebVPN portal
- AnyConnect users unable to connect when ASA uses different authentication and authorization servers
- Primary ASA traceback upon rebooting the secondary
- ASA/FTD traceback and reload, Thread Name: rtcli async executor process
- ASA unexpectedly reloads when performing a backup
- ASA/FTD: External IdP SAML authentication fails with "Bad Request" message
- FTD traceback/reload: ICMP error packet processing involving snp_nat_xlate_identity
- 'none' option under trustpoint does not work when the CRL check is failing
- FTD: 'show memory top-usage' reports an incorrect value for memory allocation
- ASA/FTD may traceback and reload in Thread Name: CTM Daemon
- ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo
Revision: Version 9.14(4)22 – 02/01/2023
Files: asa9144-22-smp-k8.bin, cisco-asa-fp1k.9.14.4.22.SPA, cisco-asa-fp2k.9.14.4.22.SPA, cisco-asa.9.14.4.22.SPA.csp
Defects resolved since 9.14(4)17:
- In some cases the transition to lightweight proxy does not work for Do Not Decrypt flows
- Cisco ASA Software SSL VPN Client-Side Request Smuggling Vulnerability via "/" URI
- Snort blocks and drops packets during large (1 GB) file downloads
- No-buffer drops on Internal Data interfaces despite little evidence of CPU hog
Revision: Version 9.14(4)17 – 11/01/2022
Defects resolved since 9.14(4)15:
- Need dedicated Rx rings for to-the-box BGP traffic on Firepower platforms
- Cruz ASIC CLU filter has the incorrect src/dst IP subnet when a custom CCL IP subnet is set
- FP2100: ASA/FTD with threat-detection statistics may traceback and reload in Thread Name 'lina'
- Standby unit failed to join failover due to large config size
- ASA traceback and reload in Thread Name: Datapath
- Cisco ASA Software and FTD Software Web Services Interface Denial of Service Vulnerability
- ASA/FTD traceback and reload in Thread Name 'lina' or 'Datapath'
- ASA traceback and reload due to "Heap memory corrupted at slib_malloc.c"
- ASA/FTD may traceback and reload in Thread Name 'lina'
- FXOS-based Firepower platform showing 'no buffer' drops despite high values for RX ring watermarks
- ASA/FTD OSPFv3 does not generate Type 8 LSA messages for IPv6
- ASA/FTD may traceback and reload in Thread Name 'lina'
- ASA/FTD may traceback and reload in Thread Name 'lina_inotify_file_monitor_thread'
- ASA/FTD traceback and reload in function "snp_cluster_trans_allocb"
- TACACS accounting includes an incorrect IPv6 address of the client
- Call Home configuration on standby device is lost after reload
- ASA/FTD may traceback and reload in Thread Name 'DATAPATH-11-32591'
- During deployment, the device gets stuck processing the config request
- ASA/FTD traceback and reload caused by SNMP process failure
- Unable to configure 'match ip address' under route-map when using object-group in access list
- ASA traceback and reload due to null pointer in Umbrella after modifying DNS inspection policy
- ASA 9.12(4)47 with <user-statistics> affects the "policy-server xxxx global" visibility
- Using 'write standby' in a user context leaves secondary firewall license status in an invalid state
- ASA/FTD tracebacks due to ctm_n5 resets
- Traceback and reload due to TCP intercept stat in thread unicorn
- ASA/FTD may traceback and reload when clearing the configuration due to "snp_clear_acl_log_flow_all"
- ifAdminStatus output is abnormal via SNMP polling
- ASA might generate traceback in ikev2 process and reload
- ASA/FTD may traceback and reload in Thread Name 'ikev2_fo_event'
- Device should not move to Active state once a reboot is triggered
Revision: Version 9.14(4)15 – 09/06/2022
Defects resolved since 9.14(4)14:
- FTD: NAS-IP-Address 0.0.0.0 in RADIUS request packet when no network interface is defined for the aaa-server
- Inconsistent number of interfaces on Active and Standby should trigger a warning syslog
- ASA disconnects SSH and HTTPS sessions that use the Active IP address and Standby MAC address after failover
- ASA/FTD may hit a watchdog traceback related to SNMP config writing
- Different CG-NAT port block allocated for the same source IP, causing per-host PAT port block exhaustion
- Lina traceback in thread name "snmp_client_callback_thread"
- SNMPv3 polling may fail using privacy algorithms AES192/AES256
- ASA/FTD IPsec debugs missing reason for change of peer address and timer delete
- FTD/ASA traceback and reload at ../inspect/proxy.h:439
- 9344 block leak due to fragmented GRE traffic over inline-set interface inner-flow processing
- ASA traceback and reload in process name lina
- Incorrect IF-MIB response when failover is configured on multiple contexts
- NAT64 translates all IPv6 addresses to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used
- ASA/FTD may traceback and reload while executing SCH code
- FTD: traceback and reload when performing IPv4 <> IPv6 NAT translations
- ASA/FTD: GTP inspection causing 9344-sized block leak
- ASA HA: restore on the primary does not remove new interface configuration added after the backup
- Inbound IPsec SA stuck inactive: many inbound SPIs for one outbound SPI in "show crypto ipsec sa"
- FTD: traceback and reload on NAT IPv4<>IPv6 for UDP flow redirected over CCL link
- ASA/FTD cluster split brain due to NAT with "any" and global IP/range matching broadcast IP
- ASA parser accepts incomplete network statement under OSPF process, and it is present in show run
- IKEv2 rekey: responding Invalid SPI for the new SPI received right after CREATE_CHILD_SA response
- ASA fails to rekey with "IPSEC ERROR: Failed to allocate an outbound hardware context"
Revision: Version 9.14(4)14 – 08/16/2022
Defects resolved since 9.14(4)13:
- Cisco ASDM and ASA Software Client-side Arbitrary Code Execution Vulnerability
Revision: Version 9.14(4)13 – 07/26/2022
Defects resolved since 9.14(4)12:
- BGP table not removing connected route when interface goes down
- ASA traceback and reload while allocating a new block for cluster keepalive packet
- Cisco ASA Software and FTD Software SNMP Denial of Service Vulnerability
- Audit message not generated by "no logging enable" since ASAv 9.12
- Unable to identify dynamic rate-limiting mechanism; per-second message limit not honored at syslog server
- Primary takes active role after reload
- Cisco Firepower Threat Defense Software Privilege Escalation Vulnerability
- ASA/FTD traceback and reload caused by Smart Call Home process sch_dispatch_to_url
- FW traceback in timer infra / netflow timer
- PBR not working on ASA routed mode with zone-members
- RIP advertises all connected AnyConnect users and does not match route-map for redistribution
- ASA/FTD traceback and reload due to a capture initiated from FMC
- Cisco ASA Software and FTD Software Web Services Interface Denial of Service Vulnerability
- Interface cannot be monitored via "snmpwalk" once it is removed from a context
- ASA graceful shutdown when applying ACLs with the forward-reference feature and FIPS enabled
- ASA/FTD may traceback and reload in Thread Name 'ssh'
- ASA/FTD may traceback and reload in Thread Name 'None'
- Interface internal data0/0 is up/up from CLI but up/down from SNMP polling
- ASA/FTD may traceback and reload in Thread Name 'ci/console'
- ASA tracebacks after SFR was upgraded to 6.7.0.3
- ASA traceback and reload when modifying DNS inspection policy via CSM or CLI
- ASA: restore does not remove the new configuration for an interface set up after backup
- 'show nat pool cluster' commands run within EEM scripts lead to traceback and reload
- ASA/FTD cannot parse UPN from SAN field of user's certificate
- ASA/FTD traceback and reload on Thread id: 1637
- ASA mgmt IP cannot be released
Revision: Version 9.14(4)12 – 06/21/2022
Defects resolved since 9.14(4)7:
- ASA/FTD 9344 blocks depleted due to high volume of fragmented traffic
- Cisco ASA and FTD Software SSL VPN Denial of Service Vulnerability
- ASA/FTD stops serving SSL connections
- CPU hogs in update_mem_reference
- Unstable client processes may cause Lina zmqio traceback on FTD
- MIO heartbeat failure caused by heartbeat dropped due to delay
- IPv6: some egress interfaces of global and user VRF routes are missing from the ASP table
- Conditional flow-offload debugging produces no output
- ASA: reload and traceback in Thread Name: Unicorn Proxy Thread with "Page fault: Address not mapped"
- update_mem_reference process taking high CPU in HA pair
- ASA/FTD may traceback and reload in Thread Name 'DATAPATH-9-11543'
- Standby FTD/ASA sends DNS queries with source IP of 0.0.0.0
- ASA/FTD traceback and reload in IKEv2 during scaled S2S + AC-DTLS + SNMP long-duration test
- SNMP queries for crasLocalAddress are not returning the assigned IPs for SSL/DTLS tunnels
- ASA traceback and reload on routing
- FTD: IKEv2 tunnels flap every 24 hours and crypto archives are generated
- ASA DHCP server fails to bind reserved address to Linux devices
- ASA/FTD may traceback (watchdog) and reload when generating a syslog from the VPN Failover subsystem
- FP4112/4115: traceback and reload on Thread Name: netfs_thread_init
- Cisco Firepower Threat Defense Software Generic Routing Encapsulation DoS Vulnerability
- ASA traceback in Thread Name: SXP CORE
- ASA traceback in Thread Name: fover_parse, triggered by SNMP-related functions
- ASA traceback and reload with error "assertion "0" failed: file "timer_services.c", line 165"
- FTD offloads SGT-tagged packets although it should not
- ASA/FTD firewall may traceback and reload when tearing down IKE tunnels
- ASA HA Active/Standby tracebacks seen approximately every two months
- snmpwalk output of memory does not match show memory / show memory detail
- Lina traceback and reload during EIGRP route update processing
- ASA: Multiple Context Mixed Mode SFR Redirection Validation
- ASA/FTD traceback and reload with timer services assertion
Revision: Version 9.14(4)7 – 05/03/2022
Defects resolved since 9.14(4)6:
- ASA displays cosmetic NAT warning message when making interface config changes
- FP4100 platform: Active/Standby changed to dual Active after running "show conn" command
- Cisco FTD Bleichenbacher Attack Vulnerability
- ASAv traceback when SD_WAN ACL is enabled then disabled (or vice versa) in PBR
- FTD: time gap/mismatch seen under history when a new node joins a cluster control node
- ASA reload and traceback in Thread Name: PIX Garbage Collector
- ASDM session/quota count mismatch in ASA when multiple context switches occur before and after failover
- Cisco ASA and FTD Software VPN Authorization Bypass Vulnerability
- Traceback: Lina traceback and reload on thread name: Logger
- ASA/FTD failover: joining standby reboots when receiving configuration replication from active mate
- ASA/FTD traceback and reload due to NAT configuration
- Lina may traceback and reload in tcpmod_proxy_handle_mixed_mode
- Traceback: standby FTD reboots and generates crashinfo and lina core on thread name cli_xml_server
- SNMP cores are generated every minute while running snmpwalk on QP-HA
- Single Pass: traceback due to stale ifc
- ASA/FTD: mitigation of OpenSSL vulnerability CVE-2022-0778
- ASA traceback and reload in process name: lina
- ASA/FTD traceback when memory allocation fails
Revision: Version 9.14(4)6 – 03/31/2022
Defects resolved since 9.14(4):
- ASA: 256-byte block depletion when syslog rate is high
- ASA/FTD traceback and reload when running "show conn details | g TCP"
- Management sessions fail to connect after several weeks
- ZMQ OOM due to insufficient Msglyr pool memory on low-end platforms
- First 3 characters of SNMP MA debug tokens are missing
- High control plane CPU on standby due to dhcpp_add_ipl_stby
- ASDM session/quota count mismatch in ASA when multiple context switchover is done from ASDM
- FP1120 9.14.3: temporary split brain after active device reboot
- FTD blocks traffic with SSL flow error CORRUPT_MESSAGE
- ASA traceback and reload due to CTM daemon during internal health test
- FTD SSL proxy should allow configurable or dynamic maximum TCP window size
- Some syslogs for AnyConnect SSL are generated in admin context instead of user context
- ASA: IP header check validation failure when GTP header has SEQ and EXT fields
- ASA/FTD: memory leak observed when VPN is deployed
- Lina traceback and reload due to invalid memory access while accessing hash table
- ASA traceback in HTTP CLI EXEC code
- DHCP Offer not seen on control plane
- New access-lists do not take effect after removing a non-existent ACL with objects
- Coverity 859475: CONSTANT_EXPRESSION_RESULT in snp_ha_trans_tear_down_ch
- Polling OID "1.3.6.1.4.1.9.9.171.1.3.2.1.2" gives negative index value of the associated tunnel
- ASA traceback and reload in Unicorn Admin Handler when changing interface configuration via ASDM
- Offloaded GRE tunnels may be silently un-offloaded and punted back to CPU
- FTP inspection stops working properly after upgrading the ASA to 9.12.4.x
- Traceback and reload after enabling "debug webvpn cifs 255"
- SNMP responds to snmpgetbulk with unexpected order of results
- Traffic keeps failing on hub when IPsec tunnel from spoke flaps
- SNMP get command in FPR does not show interface index
- Multiple issues with transactional commit diagnostics
- ASA/FTD may traceback and reload in Thread Name 'IP Address Assign'
- ASA/FTD may traceback and reload in Thread Name 'DATAPATH-4-9608'
- ASA: jumbo-sized packets are not fragmented over the L2TP tunnel
- Console has an excessive rate of warnings during policy deployment
- ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA
- FP2140 ASA 9.16.2 HA units traceback and reload at lua_getinfo (getfuncname)
- ASA/FTD MAC modification is seen in handling fragmented packets with INSPECT on
- FTD/ASA: traceback on BFD function causing unexpected reboot