Cisco ASA Interim Release Notes

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

Revision:  Version 9.14(4)24 – 05/01/2024

Defects resolved since 9.14(4)23:

CSCwi90040

Cisco ASA and FTD Software Command Injection Vulnerability

CSCwi97975

IFS file system directory traversal file system vulnerabilities

CSCwi98284

Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability

CSCwj01344

Remove unused AGG AUTH attributes from code to reduce attack surfaces

CSCwj10955

Cisco ASA and FTD Software Web Services Denial of Service Vulnerability

CSCwj14573

Remove uncalled function ewsStringPrintable()

Revision:  Version 9.14(4)23 – 03/01/2023

Defects resolved since 9.14(4)22:

CSCvy65770

ASA/FTD: Traceback and reload during BGP route update

CSCvz54471

ASA: Failed ASA in HA pair not recovering by itself, after an "HA state progression failed"

CSCwb44848

ASA/FTD Traceback and reload in Process Name: lina

CSCwb76423

ASA/FTD traceback and reload when checking CRL

CSCwc23844

ASAv high CPU and stack memory allocation errors despite over 30% free memory

CSCwc64923

ASA/FTD may traceback and reload in Thread Name 'lina' ip routing ndbshr

CSCwc67687

ASA HA failover triggers HTTP server restart failure and ASDM outage

CSCwc80234

inspect snmp config difference between active and standby

CSCwc89924

FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters

CSCwc95290

ESP rule missing in vpn-context may cause IPSec traffic drop

CSCwc99242

ISA3000 LACP channel member SFP port suspended after reload

CSCwd04210

ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT

CSCwd06005

ASA/FTD Cluster Traceback and Reload during node leave

CSCwd14972

ASA/FTD Traceback and Reload in Thread Name: pix_flash_config_thread

CSCwd16294

GTP inspection drops packets for optional IE Header Length being too short

CSCwd16517

GTP drops not always logged on buffer and syslog

CSCwd17856

ASA goes for traceback/reload with message - snmp_ma_kill_restart: vf is NULL

CSCwd19053

ASA/FTD may traceback with large number of network objects deployment using distribute-list

CSCwd20627

ASA/FTD: NAT configuration deployment failure

CSCwd22907

ASA/FTD High CPU in SNMP Notify Thread

CSCwd23188

ASA/FTD may traceback and reload in Thread Name 'lina'

CSCwd25256

ASA/FTD Transactional Commit may result in mismatched rules and traffic loss

CSCwd31181

Lina traceback and reload - VPN parent channel (SAL) has an invalid underlying channel

CSCwd33054

DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA

CSCwd33811

Cluster registration is failing because DATA_NODE isn't joining the cluster

CSCwd38805

Syslog 106016 is not rate-limited by default

CSCwd40260

Serviceability Enhancement - Unable to parse payload are silently drop by ASA/FTD

CSCwd41083

ASA traceback and reload due to DNS inspection

CSCwd46780

ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread

CSCwd48633

ASA - traceback and reload when Webvpn Portal is used

CSCwd50218

ASA restore is not applying vlan configuration

CSCwd51757

Unable to get polling results using snmp GET for connection rate OIDs

CSCwd53135

ASA/FTD: Object Group Search Syslog for flows exceeding threshold

CSCwd56254

show tech-support generation does not include "show inventory" when run on FTD

CSCwd56296

FTD Lina traceback and reload in Thread Name 'IP Init Thread'

CSCwd56774

Misleading drop reason in "show asp drop"

CSCwd56995

Clientless Accessing Web Contents using application/octet-stream vs text/plain

CSCwd61016

ASA: Standby may get stuck in "Sync Config" status upon reboot when EEM is configured

CSCwd62138

ASA Connections stuck in idle state when DCD is enabled

CSCwd63580

FPR2100: Increase in failover convergence time with ASA in Appliance mode

CSCwd63961

AC clients fail to match DAP rules due to attribute value too large

CSCwd66709

FP4125 2.10.1.166 FTD applications in HA went into not responding state

CSCwd69454

Port-channel interfaces of secondary unit are in waiting status after reload

CSCwd74116

S2S Tunnels do not come up due to DH computation failure caused by DSID Leak

CSCwd78624

ASA configured with HA may traceback and reload with multiple input/output error messages

CSCwd82235

LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage

CSCwd84868

Observing some devcmd failures and checkheaps traceback when flow offload is not used.

CSCwd85927

Traceback and reload when webvpn users match DAP access-list with 36k elements

CSCwd91006

ASA  5555 9.14.4.13 Traceback and reload with SSL encryption

CSCwd91421

ASA/FTD may traceback and reload in logging_cfg processing

CSCwd93376

Clientless VPN users are unable to download large files through the WebVPN portal

CSCwd94096

Anyconnect users unable to connect when ASA using different authentication and authorization server

CSCwd95436

Primary ASA traceback upon rebooting the secondary

CSCwd95908

ASA/FTD traceback and reload, Thread Name: rtcli async executor process

CSCwd96755

ASA unexpectedly reloads when doing backup

CSCwd97020

ASA/FTD: External IDP SAML authentication fails with Bad Request message

CSCwe05913

FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity

CSCwe09074

None option under trustpoint doesn't work when CRL check is failing

CSCwe14174

FTD - 'show memory top-usage' providing improper value for memory allocation

CSCwe18974

ASA/FTD may traceback and reload in Thread Name: CTM Daemon

CSCwe29583

ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo

Revision:  Version 9.14(4)22 – 2/01/2023

Files:  asa9144-22-smp-k8.bin, cisco-asa-fp1k.9.14.4.22.SPA, cisco-asa-fp2k.9.14.4.22.SPA, cisco-asa.9.14.4.22.SPA.csp

Defects resolved since 9.14(4)17:

CSCvz34289

In some cases transition to lightweight proxy doesn't work for Do Not Decrypt flows

CSCwa04262

Cisco ASA Software SSL VPN Client-Side Request Smuggling Vulnerability via "/" URI

CSCwa43311

Snort blocking and dropping packet, with bigger size(1G) file download

CSCwc03507

No-buffer drops on Internal Data interfaces despite little evidence of CPU hog

Revision:  Version 9.14(4)17 – 11/01/2022

Defects resolved since 9.14(4)15:

CSCvy65178

Need dedicated Rx rings for to the box BGP traffic on Firepower platform

CSCvy86817

Cruz ASIC CLU filter has the incorrect src/dst IP subnet when a custom CCL IP subnet is set

CSCvz41551

FP2100: ASA/FTD with threat-detection statistics may traceback and reload in Thread Name 'lina'

CSCwa36535

Standby unit failed to join failover due to large config size.

CSCwb89963

ASA Traceback & reload in thread name: Datapath

CSCwb93914

Cisco ASA Software and FTD Software Web Services Interface Denial of Service Vulnerability

CSCwc26648

ASA/FTD Traceback and Reload in Thread name Lina or Datapath

CSCwc36905

ASA  traceback and reload due to "Heap memory corrupted at slib_malloc.c

CSCwc49095

ASA/FTD may traceback and reload in Thread Name 'lina'

CSCwc51326

FXOS-based Firepower platform showing 'no buffer' drops despite high values for RX ring watermarks

CSCwc61912

ASA/FTD  OSPFv3 does not generate messages Type 8 LSA for IPv6

CSCwc66757

ASA/FTD may traceback and reload in Thread Name 'lina'

CSCwc67886

ASA/FTD may traceback and reload in Thread Name 'lina_inotify_file_monitor_thread'

CSCwc72155

ASA/FTD Traceback and reload on function "snp_cluster_trans_allocb"

CSCwc72284

TACACS Accounting includes an incorrect IPv6 address of the client

CSCwc73224

Call home configuration on standby device is lost after reload

CSCwc74103

ASA/FTD may traceback and reload in Thread Name 'DATAPATH-11-32591'

CSCwc79366

During the deployment time, device got stuck processing the config request.

CSCwc81184

ASA/FTD traceback and reload caused by SNMP process failure

CSCwc81960

Unable to configure 'match ip address' under route-map when using object-group in access list

CSCwc88897

ASA traceback and reload due to null pointer in Umbrella after modifying DNS inspection policy

CSCwc90091

ASA 9.12(4)47 with <user-statistics>, will affect the "policy-server xxxx global" visibility.

CSCwc93166

Using write standby in a user context leaves secondary firewall license status in an invalid state

CSCwc94501

ASA/FTD tracebacks due to ctm_n5 resets

CSCwc96805

traceback and reload due to tcp intercept stat in thread unicorn

CSCwd00386

ASA/FTD may traceback and reload when clearing the configuration due to "snp_clear_acl_log_flow_all"

CSCwd00778

ifAdminStatus output is abnormal via snmp polling

CSCwd11303

ASA might generate traceback in ikev2 process and reload

CSCwd11855

ASA/FTD may traceback and reload in Thread Name 'ikev2_fo_event'

CSCwd26867

Device should not move to Active state once Reboot is triggered

Revision:  Version 9.14(4)15 – 09/06/2022

Defects resolved since 9.14(4)14:

CSCvw29647

FTD: NAS-IP-Address:0.0.0.0 in Radius Request packet as network interface for aaa-server not defined

CSCvz71596

Number of interfaces on Active and Standby are not consistent should trigger warning syslog

CSCvz78816

ASA disconnects the ssh, https session using of Active IP address and Standby MAC address after FO

CSCwa47737

ASA/FTD may hit a watchdog traceback related to snmp config writing

CSCwa55562

Different CG-NAT port-block allocated for same source IP causing per-host PAT port block exhaustion

CSCwa59907

LINA observed traceback on thread name "snmp_client_callback_thread"

CSCwa72929

SNMPv3 polling may fail using privacy algorithms AES192/AES256

CSCwc10792

ASA/FTD IPSEC debugs missing reason for change of peer address and timer delete

CSCwc13017

FTD/ASA traceback and reload at ../inspect/proxy.h:439

CSCwc28532

9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow processing

CSCwc28806

ASA Traceback and Reload on process name Lina

CSCwc28854

Incorrect IF-MIB response when failover is configured on multiple contexts

CSCwc32246

NAT64 translates all IPv6 Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used

CSCwc38567

ASA/FTD may traceback and reload while executing SCH code

CSCwc44289

FTD - Traceback and reload when performing IPv4 <> IPv6 NAT translations

CSCwc45108

ASA/FTD: GTP inspection causing 9344 sized blocks leak

CSCwc45397

ASA HA - Restore in primary not remove new interface configuration done after backup

CSCwc48375

Inbound IPSEC SA stuck inactive - many inbound SPIs for one outbound SPI in "show crypto ipsec sa"

CSCwc50887

FTD - Traceback and reload on NAT IPv4<>IPv6 for UDP flow redirected over CCL link

CSCwc52351

ASA/FTD Cluster Split Brain due to NAT with "any" and Global IP/range matching broadcast IP

CSCwc53280

ASA parser accepts incomplete network statement under OSPF process and is present in show run

CSCwc54984

IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response

CSCwc60037

ASA fails to rekey with IPSEC ERROR: Failed to allocate an outbound hardware context

Revision:  Version 9.14(4)14 – 08/16/2022

Defects resolved since 9.14(4)13:

CSCwb05291

Cisco ASDM and ASA Software Client-side Arbitrary Code Execution Vulnerability

Revision:  Version 9.14(4)13 – 07/26/2022

Defects resolved since 9.14(4)12:

CSCvy50598

BGP table not removing connected route when interface goes down

CSCvz36903

ASA traceback and reload while allocating a new block for cluster keepalive packet

CSCwb05148

Cisco ASA Software and FTD Software SNMP Denial of Service Vulnerability

CSCwb15795

Audit message not generated by: no logging enable from ASAv9.12

CSCwb17963

Unable to identify dynamic rate limiting mechanism & not following msg limit per/sec at syslog server.

CSCwb31699

Primary takes active role after reload

CSCwb52401

Cisco Firepower Threat Defense Software Privilege Escalation Vulnerability

CSCwb53328

ASA/FTD Traceback and reload caused by Smart Call Home process sch_dispatch_to_url

CSCwb73248

FW traceback in timer infra / netflow timer

CSCwb74571

PBR not working on ASA routed mode with zone-members

CSCwb79812

RIP is advertising all connected Anyconnect users and not matching route-map for redistribution

CSCwb83691

ASA/FTD traceback and reload due to the initiated capture from FMC

CSCwb87950

Cisco ASA Software and FTD Software Web Services Interface Denial of Service Vulnerability 

CSCwb92709

We can't monitor the interface via "snmpwalk" once interface is removed from context.

CSCwb94190

ASA graceful shut down when applying ACL's with forward reference feature and FIPS enabled.

CSCwb97251

ASA/FTD may traceback and reload in Thread Name 'ssh'

CSCwc02488

ASA/FTD may traceback and reload in Thread Name 'None'

CSCwc03069

Interface internal data0/0 is up/up from cli but up/down from SNMP polling

CSCwc09414

ASA/FTD may traceback and reload in Thread Name 'ci/console'

CSCwc11597

ASA tracebacks after SFR was upgraded to 6.7.0.3

CSCwc11663

ASA traceback and reload when modifying DNS inspection policy via CSM or CLI

CSCwc13994

ASA - Restore not remove the  new configuration for an  interface setup after backup

CSCwc18312

show nat pool cluster commands run within EEM scripts lead to traceback and reload

CSCwc23695

ASA/FTD can not parse UPN from SAN field of user's certificate

CSCwc24906

ASA/FTD traceback and reload on Thread id: 1637

CSCwc27797

ASA mgmt ip cannot be released

Revision:  Version 9.14(4)12 – 06/21/2022

Defects resolved since 9.14(4)7:

CSCvw82067

ASA/FTD 9344 blocks depleted due to high volume of fragmented traffic

CSCvz09106

Cisco ASA and FTD Software SSL VPN Denial of Service Vulnerability

CSCvz60142

ASA/FTD stops serving SSL connections

CSCvz61658

CPU hogs in update_mem_reference

CSCvz69729

Unstable client processes may cause LINA zmqio traceback on FTD

CSCvz94573

MIO heartbeat failure caused by heartbeat dropped by delay

CSCwa62025

IPv6: Some of egress interfaces of global and user vrf routes are missing in asp table

CSCwa67884

Conditional flow-offload debugging produces no output

CSCwa75966

ASA: Reload and Traceback in Thread Name: Unicorn Proxy Thread with Page fault: Address not mapped

CSCwa99931

update_mem_reference process taking high CPU in HA pair

CSCwb06847

ASA/FTD may traceback and reload in Thread Name 'DATAPATH-9-11543'

CSCwb07908

Standby FTD/ASA sends DNS queries with source IP of 0.0.0.0

CSCwb08644

ASA/FTD traceback and reload at IKEv2 from Scaled S2S+AC-DTLS+SNMP long duration test

CSCwb19648

SNMP queries for crasLocalAddress are not returning the assigned IPs for SSL/DTLS tunnels.

CSCwb24039

ASA traceback and reload on routing

CSCwb53172

FTD: IKEv2 tunnels flaps every 24 hours and crypto archives are generated

CSCwb54791

ASA DHCP server fails to bind reserved address to Linux devices

CSCwb59465

ASA/FTD may traceback (watchdog) and reload when generating a syslog from the VPN Failover subsystem

CSCwb67040

FP4112|4115 Traceback & reload on Thread Name: netfs_thread_init

CSCwb66761

Cisco Firepower Threat Defense Software Generic Routing Encapsulation DoS Vulnerability 

CSCwb68642

ASA traceback in Thread Name: SXP CORE

CSCwb71460

ASA traceback in Thread Name: fover_parse and triggered by snmp related functions

CSCwb74938

ASA traceback and reload with error "assertion "0" failed: file "timer_services.c", line 165"

CSCwb80559

FTD offloads SGT tagged packets although it should not

CSCwb82796

ASA/FTD firewall may traceback and reload when tearing down IKE tunnels

CSCwb83388

ASA HA Active/standby tracebacks seen approximately every two months.

CSCwb85633

Snmpwalk output of memory does not match show memory/show memory detail

CSCwb87498

Lina traceback and reload during EIGRP route update processing.

CSCwb90074

ASA: Multiple Context Mixed Mode SFR Redirection Validation

CSCwb93932

ASA/FTD traceback and reload with timer services assertion

Revision:  Version 9.14(4)7 – 05/03/2022

Defects resolved since 9.14(4)6:

CSCvw56551

ASA displays cosmetic NAT warning message when making the interface config changes

CSCvy73130

FP4100 platform: Active-Standby changed to dual Active after running "show conn"  command

CSCwa41936

Cisco FTD Bleichenbacher Attack Vulnerability 

CSCwa61361

ASAv traceback when SD_WAN ACL enabled, then disabled (or vice-versa) in PBR

CSCwa72530

FTD: Time gap/mismatch seen when new node joins a Cluster Control node under history

CSCwa73172

ASA reload and traceback in Thread Name: PIX Garbage Collector

CSCwa76564

ASDM session/quota count mismatch in ASA when multiple context switch before and after failover

CSCwa81795

Cisco ASA and FTD Software VPN Authorization Bypass Vulnerability 

CSCwa85043

Traceback: Lina traceback and reload on thread name: Logger

CSCwa87597

ASA/FTD Failover: Joining Standby reboots when receiving configuration replication from Active mate

CSCwa95079

ASA/FTD Traceback and reload due to NAT configuration

CSCwa96759

Lina may traceback and reload on tcpmod_proxy_handle_mixed_mode

CSCwb07981

Traceback: Standby FTD reboots and generates crashinfo and lina core on thread name cli_xml_server

CSCwb17187

SNMP cores are generated every minute while running snmpwalk on QP-HA

CSCwb25809

Single Pass - Traceback due to stale ifc

CSCwb28849

ASA/FTD: Mitigation of OpenSSL vulnerability CVE-2022-0778

CSCwb51707

ASA Traceback and reload in process name: lina

CSCwb59488

ASA/FTD Traceback in memory allocation failed

Revision:  Version 9.14(4)6 – 03/31/2022

Defects resolved since 9.14(4):

CSCvw62288

ASA: 256 byte block depletion when syslog rate is high

CSCvw80255

ASA/FTD traceback and reload when doing show conn details | g TCP

CSCvy04430

Management Sessions fail to connect after several weeks

CSCvy75724

ZMQ OOM due to less Msglyr pool memory in low end platforms

CSCvy95430

SNMP MA Debug tokens first 3 chars are missing.

CSCvz70958

High Control Plane CPU on StandBy due to dhcpp_add_ipl_stby

CSCvz89126

ASDM session/quota count mismatch in ASA when multiple context switchover is done from ASDM

CSCvz95949

FP1120 9.14.3 : temporary split brain happened after active device reboot

CSCwa02929

FTD Blocks Traffic with SSL Flow Error CORRUPT_MESSAGE

CSCwa06960

ASA Traceback and Reload due to CTM daemon during internal health test

CSCwa28895

FTD SSL Proxy should allow configurable or dynamic maximum TCP window size

CSCwa35200

Some syslogs for AnyConnect SSL are generated in admin context instead of user context

CSCwa42594

ASA: IP Header check validation failure when GTP Header have SEQ and EXT field

CSCwa44950

ASA/FTD - Memory leak observed when VPN is deployed

CSCwa53489

Lina Traceback and Reload Due to invalid memory access while accessing Hash Table

CSCwa56449

ASA traceback in HTTP cli EXEC  code

CSCwa56975

DHCP Offer not seen on control plane

CSCwa57115

New access-list are not taking effect after removing non-existent ACL with objects.

CSCwa60574

Coverity 859475: CONSTANT_EXPRESSION_RESULT in snp_ha_trans_tear_down_ch

CSCwa61218

Polling OID "1.3.6.1.4.1.9.9.171.1.3.2.1.2" gives negative index value of the associated tunnel

CSCwa65389

ASA traceback and reload in Unicorn Admin Handler when change interface configuration via ASDM

CSCwa67882

Offloaded GRE tunnels may be silently un-offloaded and punted back to CPU

CSCwa68660

FTP inspection stops working properly after upgrading the ASA to 9.12.4.x

CSCwa74900

Traceback and reload after enabling debug webvpn cifs 255

CSCwa77073

SNMP is responding to snmpgetbulk with unexpected order of results

CSCwa79494

Traffic keeps failing on Hub when IPSec tunnel from Spoke flaps

CSCwa79980

SNMP get command in FPR does not show interface index.

CSCwa85138

Multiple issues with transactional commit diagnostics

CSCwa87315

ASA/FTD may traceback and reload in Thread Name 'IP Address Assign'

CSCwa94894

ASA/FTD may traceback and reload in Thread Name 'DATAPATH-4-9608'

CSCwa97784

ASA: Jumbo sized packets are not fragmented over the L2TP tunnel

CSCwa98684

Console has an excessive rate of warnings during policy deployment

CSCwb01700

ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA

CSCwb01919

FP2140 ASA 9.16.2 HA units traceback and reload at lua_getinfo (getfuncname)

CSCwb11939

ASA/FTD MAC modification is seen in handling fragmented packets with INSPECT on

CSCwb18252

FTD/ASA: Traceback on BFD function causing unexpected reboot