Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They
contain bug fixes which address specific issues found since the last Feature or
Maintenance release. The images are fully supported by Cisco TAC and will
remain on the download site only until the next Maintenance release is
available. If you do not have a specific problem which is resolved by an
Interim release, we recommend that you use the Feature or Maintenance release
images.
Important: These images were not fully regression
tested. Each individual fix was unit tested, and the image has had a
limited amount of automated regression testing to confirm a baseline of
functionality. Keep this testing status in mind if you decide to run them
in a production environment. We strongly encourage you to upgrade to a
fully tested Maintenance or Feature release when it becomes available.
Note: ASA 9.16(3)19 and later requires ASDM 7.18(1)152 or
later. The ASA now validates whether the ASDM image is a Cisco digitally signed
image. If you try to run an older ASDM image than 7.18(1.152) with an ASA
version with this fix, ASDM will be blocked and the message “%ERROR: Signature
not valid for file disk0:/<filename>” will be displayed at the ASA CLI.
(CSCwb05291, CSCwb05264)
Revision: Version 9.16(3)23 – 09/20/2022
Files:
asa9-16-3-23-smp-k8.bin, cisco-asa-fp1k.9.16.3.23.SPA,
cisco-asa-fp2k.9.16.3.23.SPA, cisco-asa.9.16.3.23.SPA.csp
Defects resolved since 9.16(3)19:
Number of interfaces on Active and Standby are not consistent should trigger warning syslog
ASA disconnects the ssh, https session using of Active IP address and Standby MAC address after FO
Standby unit failed to join failover due to large config size.
ASA/FTD may hit a watchdog traceback related to snmp config writing
SNMPv3 polling may fail using privacy algorithms AES192/AES256
ASA/FTD datapath threads may run into deadlock and generate traceback
When inbound packet contains SGT header, FPR2100 cannot distribute properly per 5 tuple
Debug: async_lock_service_one_lock_internal ASA/FTD reload and traceback in thread: DATAPATH
ASA Traceback & reload in thread name : Datapath
Standby ASA goes to booting loop during configuration replication after upgrade to 9.16(3).
FTD: SNMP failures after upgrade to 7.0.2
ASA Traceback and Reload on process name Lina
ASA traceback and reload due to "Heap memory corrupted at slib_malloc.c
ASA/FTD may traceback and reload while executing SCH code
ASA : HTTPS traffic authentication issue with Cut-through Proxy enabled
FTD - Traceback and reload when performing IPv4 <> IPv6 NAT translations
ASA/FTD: GTP inspection causing 9344 sized blocks leak
ASA HA - Restore in primary not remove new interface configuration done after backup
Inbound IPSEC SA stuck inactive - many inbound SPIs for one outbound SPI in "show crypto ipsec sa"
FTD - Traceback and reload on NAT IPv4<>IPv6 for UDP flow redirected over CCL link
MPLS tagging removed by FTD
ASA/FTD Cluster Split Brain due to NAT with "any" and Global IP/range matching broadcast IP
ASA parser accepts incomplete network statement under OSPF process and is present in show run
IKEv2 rekey - Responding Invalid SPI for the new SPI received right after Create_Child_SA response
ASA fails to rekey with IPSEC ERROR: Failed to allocate an outbound hardware context
ASA/FTD OSPFv3 does not generate messages Type 8 LSA for IPv6
During the deployment time, device got stuck processing the config request.
Revision: Version 9.16(3)19 – 08/10/2022
Files:
asa9-16-3-19-smp-k8.bin, cisco-asa-fp1k.9.16.3.19.SPA, cisco-asa-fp2k.9.16.3.19.SPA,
cisco-asa.9.16.3.19.SPA.csp
Defects resolved since 9.16(3)15:
BGP table not removing connected route when interface goes down
ASA traceback and reload while allocating a new block for cluster keepalive packet
LINA observed traceback on thread name "snmp_client_callback_thread"
ISA3000 in boot loop after power cycle
Cisco ASDM and ASA Software Client-side Arbitrary Code Execution Vulnerability
Unable to identify dynamic rate liming mechanism & not following msg limit per/sec at syslog server.
Cisco Firepower Threat Defense Software Privilege Escalation Vulnerability
ASA graceful shut down when applying ACL's with forward reference feature and FIPS enabled.
ASA/FTD may traceback and reload in Thread Name 'None'
Interface internal data0/0 is up/up from cli but up/down from SNMP polling
ASA/FTD may traceback and reload in Thread Name 'ci/console'
ASA/FTD - Traceback in Thread Name: appAgent_subscribe_nd_thread
ASA/FTD IPSEC debugs missing reason for change of peer address and timer delete
ASA tracebacks after SFR was upgraded to 6.7.0.3
ASA traceback and reload when modifying DNS inspection policy via CSM or CLI
FTD/ASA traceback and reload at at ../inspect/proxy.h:439
ASA - Restore not remove the new configuration for an interface setup after backup
show nat pool cluster commands run within EEM scripts lead to traceback and reload
ASA/FTD cannot parse UPN from SAN field of user's certificate
ASA/FTD traceback and reload on Thread id: 1637
ASA mgmt ip cannot be released
9344 Block leak due to fragmented GRE traffic over inline-set interface inner-flow processing
Incorrect IF-MIB response when failover is configured on multiple contexts
NAT64 translates all IPv6 Address to 0.0.0.0/0 when object subnet 0.0.0.0 0.0.0.0 is used
Revision: Version 9.16(3)15 – 06/28/2022
Files:
asa9-16-3-15-smp-k8.bin, cisco-asa-fp1k.9.16.3.15.SPA,
cisco-asa-fp2k.9.16.3.15.SPA, cisco-asa.9.16.3.15.SPA.csp
Defects resolved since 9.16(3)14:
ASA/FTD 9344 blocks depleted due to high volume of fragmented traffic
Unstable client processes may cause LINA zmqio traceback on FTD
Cisco FTD Bleichenbacher Attack Vulnerability
Cisco ASA Software and FTD Software SNMP Denial of Service Vulnerability
Standby FTD/ASA sends DNS queries with source IP of 0.0.0.0
ASA/FTD traceback and reload at IKEv2 from Scaled S2S+AC-DTLS+SNMP long duration test
SNMP queries for crasLocalAddress are not returning the assigned IPs for SSL/DTLS tunnels.
FTD: IKEv2 tunnels flaps every 24 hours and crypto archives are generated
ASA/FTD Traceback and reload caused by Smart Call Home process sch_dispatch_to_url
ASA DHCP server fails to bind reserved address to Linux devices
Cisco Firepower Threat Defense Software Generic Routing Encapsulation DoS Vulnerability
FP4112|4115 Traceback & reload on Thread Name: netfs_thread_init
ASA traceback in Thread Name: SXP CORE
ASA traceback in Thread Name: fover_parse and triggered by snmp related functions
FW traceback in timer infra / netflow timer
PBR not working on ASA routed mode with zone-members
RIP is advertising all connected Anyconnect users and not matching route-map for redistribution
FTD offloads SGT tagged packets although it should not
ASA/FTD proxy arps any traffic when using the built-in 'any' object in translated destination
ASA HA Active/standby tracebacks seen approximately every two months.
ASA/FTD traceback and reload due to the initiated capture from FMC
Snmpwalk output of memory does not match show memory/show memory detail
Lina traceback and reload during EIGRP route update processing.
Cisco ASA Software and FTD Software Web Services Interface Denial of Service Vulnerability
ASA: Multiple Context Mixed Mode SFR Redirection Validation
ASA/FTD traceback and reload on NAT related function nat_policy_find_location
We can't monitor the interface via "snmpwalk" once interface is removed from context.
ASA/FTD traceback and reload with timer services assertion
Unable to apply SSH settings to ASA version 9.16
ASA/FTD may traceback and reload in Thread Name 'ssh'
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software DoS
Revision: Version 9.16(3)14 – 05/19/2022
Files:
asa9-16-3-14-smp-k8.bin, cisco-asa-fp1k.9.16.3.14.SPA, cisco-asa-fp2k.9.16.3.14.SPA,
cisco-asa.9.16.3.14.SPA.csp
Defects resolved since 9.16(3)3:
ASA displays cosmetic NAT warning message when making the interface config changes
FTD VTI reports TUNNEL_SRC_IS_UP false despite source interface is up/up and working
FP4100 platform: Active-Standby changed to dual Active after running "show conn" command
ZMQ OOM due to less Msglyr pool memory in low end platforms
Cisco ASA and FTD Software SSL VPN Denial of Service Vulnerability
ASA/FTD stops serving SSL connections
PLR license reservation for ASAv5 is requesting ASAv10
Loggerd process is getting killed due to OOM under high logging rate
High Control Plane CPU on StandBy due to dhcpp_add_ipl_stby
MIO heartbeat failure caused by heartbeat dropped by delay
Some syslogs for AnyConnect SSL are generated in admin context instead of user context
Snort blocking and dropping packet, with bigger size(1G) file download
ASA traceback in HTTP cli EXEC code
ASAv traceback when SD_WAN ACL enabled, then disabled (or vice-versa) in PBR
IPv6: Some of egress interfaces of global and user vrf routes are missing in asp table
All type-8 passwords are lost upon upgrade from ASA 9.12-9.15 to 9.16, failover gets disabled
FTP inspection stops working properly after upgrading the ASA to 9.12.4.x
FTD: Time gap/mismatch seen when new node joins a Cluster Control node under history
ASA reload and traceback in Thread Name: PIX Garbage Collector
Traffic keep failing on Hub when IPSec tunnel from Spoke flaps
Traceback: ASA/FTD may traceback and reload in Thread Name 'Logger'
SNMP no longer responds to polls after upgrade to 9.15.1.17
SSL handshake logging showing unknown session during AnyConnect TLSv1.2 Session establishment
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-4-9608'
ASA/FTD Traceback and reload due to NAT configuration
Incorrect ifHighSpeed value for a interfaces that are port channel members
Lina may traceback and reload on tcpmod_proxy_handle_mixed_mode
Console has an excessive rate of warnings during policy deployment
update_mem_reference process taking high CPU in HA pair
Mempool_DMA allocation issue / memory leakage
ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA
snmp-group host with Invalid host range and subnet causing traceback and reload
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-9-11543'
Traceback: Standby FTD reboots and generates crashinfo and lina core on thread name cli_xml_server
ASA/FTD: OCSP may fail to work after upgrade due to "signer certificate not found"
CPU profile cannot be reactivated even if previously active memory tracking is disabled
SNMP cores are generated every minute while running snmpwalk on QP-HA
FTD/ASA: Traceback on BFD function causing unexpected reboot
ASA traceback and reload on routing
Single Pass - Traceback due to stale ifc
Primary takes active role after reload
NAT (any,any) statements in-states the failover interface and resulting on Split Brain events
ASA CLI gets hung randomly while configuring SNMP
Long delays when executing SNMP commands
Implement SNP API to check ifc and ip belongs to HA LU or CMD interface
ASA/FTD Traceback in crypto hash function
ASA Traceback and reload in process name: lina
Certificate validation fails post upgrade to 9.17.1
ASA/FTD may traceback (watchdog) and reload when generating a syslog from the VPN Failover subsystem
ASA/FTD Traceback in memory allocation failed
Revision: Version 9.16(3)3 – 04/20/2022
Files:
asa9-16-3-3-smp-k8.bin, cisco-asa-fp1k.9.16.3.3.SPA,
cisco-asa-fp2k.9.16.3.3.SPA, cisco-asa.9.16.3.3.SPA.csp
Defects resolved since 9.16(3):
Cisco ASA and FTD Software SSL VPN Denial of Service Vulnerability