Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available.
Note: ASA 9.16(4) and later requires ASDM 7.18(1)152 or later. The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image than 7.18(1.152) with an ASA version with this fix, ASDM will be blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” will be displayed at the ASA CLI. (CSCwb05291, CSCwb05264)
Version 9.16.4.85 – September 10, 2025
Defects resolved since 9.16.4.84:
| CSCwn38761 | DNS FQDN obj doesn't go unresolved upon FQDN obj deleted on server/intf to reach sever is down in 7.7 |
| CSCwo31094 | Virtual ASA Traceback and Reload Caused by Disk Access Issues with NFS Enabled |
| CSCwo97439 | ACL: ASA may show false "OOB Access-list config change detected" warning after AAA authorization command is applied |
| CSCwp37284 | "CSRF Token Mismatch" error seen when users click logout from Clientless VPN page |
| CSCwq78991 | Firewall joins a cluster although gets incomplete ACL policy rules during replication |
| CSCwq79815 | Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability |
| CSCwq79831 | Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability |
Version 9.16.4.84 – April 10, 2025
Defects resolved since 9.16.4.82:
| CSCwk46737 | ASA on HA: alloc_ch() alloc from chunk mem Failed message on one context in Standby device |
| CSCwn90900 | High ASA/FTD memory usage due to polling of RA VPN related SNMP OIDs |
| CSCwn90958 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability |
| CSCwo00141 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Denial of Service Vulnerability |
| CSCwo00880 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Denial of Service Vulnerability |
| CSCwo08017 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access VPN Web Server Denial of Service Vulnerability |
| CSCwo08042 | ASAv reloaded unexpectedly with traceback on Unicorn Proxy Thread |
| CSCwo09060 | SSL trustpoint with 4096 bit RSA keys not allowed by ASA if renewed via CLI |
| CSCwo15021 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| CSCwo15022 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| CSCwo15023 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| CSCwo15024 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| CSCwo15026 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| CSCwo15027 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability |
| CSCwo18850 | Cisco Secure Firewall Adaptive Security Appliance, Secure Firewall Threat Defense Software HTTP Server Remote Code Execution Vulnerability |
| CSCwo41250 | Traceback & Reload in thread named: DATAPATH-1-23988 during low memory condition |
| CSCwo49928 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
Version 9.16.4.82 – March 12, 2025
Defects resolved since 9.16.4.76:
| CSCwf25454 | Stale anyconnect entries causing issues with routing |
| CSCwh17965 | [Display]FXOS: PC member interface is shown as down & unassociated/unassigned after reload |
| CSCwk28058 | FTD memory depletion resulting in traceback and reload |
| CSCwk63586 | App instance stuck in STOP_FAILED with error message |
| CSCwm28007 | Browser redirects to blank page when the user clicks the WebVPN bookmark |
| CSCwm35730 | LINA may traceback in Thread Name: Datapath with NAT config |
| CSCwm36631 | FTD Secondary Unit got stuck in Bulk sync state. |
| CSCwm37455 | ASA/FTD will allow local IP pool with invalid netmask |
| CSCwm44412 | FTD inline-set ignore reverse flag for inject/rewrite |
| CSCwm49721 | ASA Traceback and Reload due to MEMORY CORRUPTION WAS DETECTED |
| CSCwm52931 | ASA/FTD may traceback and reload in Thread Name "fover_parse" |
| CSCwm56864 | show run access-list command returns warning |
| CSCwm63868 | FTD - Missing routes on BGP advertised-routes after FTD HA failover event |
| CSCwm68211 | ASA traceback and reload on thread snmp_inspect |
| CSCwm70835 | ASA traceback and reload due to stack overflow while using APCF file |
| CSCwm71265 | ASA traceback and reload on thread DATAPATH when processing gtpv1 end marker msg for PDP |
| CSCwm85228 | ASA/FTD may traceback and reload in Thread Name "IKEv2 Daemon" while joining failover |
| CSCwm90905 | GTP inspection drops packet with error ERROR-DROP:MsgType:32 |
| CSCwm95070 | Cisco Secure Firewall ASA and Secure FTD Software for FP 2100 Series IPv6 over IPsec DoS Vulnerability |
| CSCwm97054 | ASA/FTD traceback and reload with high rate of SIP connections |
| CSCwm98278 | TCP Conn not being flagged as Half-Closed after receiving the ACK for the FIN. |
| CSCwn00475 | Memory Blocks 80 and 9344 leak due to priority-queue |
| CSCwn01281 | GTP inspection not allowing GTP data packets if session create response has cause type 18 |
| CSCwn14447 | ASA/FTD may traceback and reload in Thread Name 'ldap_client_thread' |
| CSCwn15104 | FTD reload with traceback on swapcontext function |
| CSCwn17121 | ASA/FTD may traceback and reload in Thread Name 'cli_xml_request_process'. |
| CSCwn20024 | ASA may traceback and reload in Thread Name 'ssh' |
| CSCwn21584 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Web Services Denial of Service Vulnerability |
| CSCwn22456 | GTPv2 IE-type 157 (Signaling Priority Indication) is dropped with reason as unknown IE type |
| CSCwn24577 | ASA booting process may freeze when including 'no pim' or 'no igmp' config |
| CSCwn26165 | FTD/ASA May Traceback and Reload - During Deployment / Radius changes - Due to Radius Packets |
| CSCwn27819 | Jumbo frame packets are being fragmented |
| CSCwn34259 | Monitored interfaces may go in waiting state after upgrade to 9.20.3.7 |
| CSCwn34659 | Firewall not initiating TCP request even after receiving the TC bit set in DNS response |
| CSCwn34707 | Multiple Unicorn Admin Handler processes consume all the control plane CPU. |
| CSCwn35470 | Serviceability : FQDN Packet based debug and capture trace support |
| CSCwn36120 | Enhanced Debug Image with Lina and PDTS Capabilities for FQDN Issue Resolution |
| CSCwn39780 | FTD Deployment Resilience: Skip non-critical / non-existing commands to avoid deployment failures. |
| CSCwn42949 | Implementing forwarder flow on non-owner units handling distributed secondary flow connections |
| CSCwn65415 | ASA: floating-conn not closing UDP conns if conn was created without ARP entry for next hop |
| CSCwn73351 | Asia/Bangkok timezone option not listed in ASA running on firepower1k |
| CSCwn73399 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| CSCwn84557 | Lina traceback and reload due to "spin_lock_fair_mode_enqueue" |
| CSCwn92894 | Occasionally, 'show chunkstat top-usage' output does not show all entries |
| CSCwn93319 | ASA/FTD may traceback and reload in Thread Name "DATAPATH" |
| CSCwo01557 | ASA traceback and reload on DATAPATH thread due to memory corruption |
Version 9.16.4.76 – November 13, 2024
Defects resolved since 9.16.4.71:
| CSCwa82791 | ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low |
| CSCwc57500 | Remove bootlogd package from FXOS to avoid ASA boot log problems |
| CSCwc87387 | Valid DNS requests are being dropped by Lina DNS inspection when Umbrella DNS is configured |
| CSCwh51872 | Message asa_log_client exited 1 time(s) seen multiple times |
| CSCwi98274 | unzip 5.52 is from 2005 is contains multiple vulnerabilities |
| CSCwj31918 | Segmentation fault with "logger_msg_dispatch" while HA sync |
| CSCwj53725 | Traceback observed while applying 'no failover' and 'failover' in the ASA standby |
| CSCwj72013 | PAT communication via using PAT pool fails for about 40 seconds when a device joins a cluster |
| CSCwk08241 | FTD is not resolving FQDN for ACLs intermittently |
| CSCwk08476 | FTD/ASA traceback and reload due to 'show bgp summary' memory leak |
| CSCwk10884 | Connectivity failure due to mismatch between l2_table and subinterface mac address |
| CSCwk16332 | ASA/FTD traceback and reload with high rate of SIP connections |
| CSCwk35710 | FTD/LINA may traceback and reload when "show capture" command is executed in EEM script |
| CSCwk61157 | FTD LINA Traceback and Reload dhcp_daemon Thread |
| CSCwk63733 | HA-monitored interfaces are going into "waiting" state and subsequently to "Failed" |
| CSCwk67859 | FTD and FXOS: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 |
| CSCwk71992 | BlastRADIUS vulnerability phase-1 fix for pix-asa - Message Authenticator |
| CSCwk75956 | ASA/FTD may traceback and reload in Thread Name SSH |
| CSCwk87457 | ASA/FTD may traceback and reload in Process Name "lina" after device was reloaded |
| CSCwk88182 | FTDv50 traceback during normal operation at PTHREAD-8141 spin_lock_fair_mode_enqueue |
| CSCwk89836 | ASA/FTD may traceback and reload in Thread Name 'strlen' |
| CSCwk94382 | FTD: Lina might fail to respond to CONFIG_XML_REQUEST leading to stuck deployments |
| CSCwm01544 | Lina traceback and reload in data-path thread |
| CSCwm04650 | Increase memory usage leading to tracebacks in Lina. |
| CSCwm05520 | Disable cluster syn cookie decoding when FTD cluster is deployed with inline-set |
| CSCwm08231 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability |
| CSCwm08232 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability |
| CSCwm08235 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software DHCP Denial of Service Vulnerability |
| CSCwm13141 | FTD CLISH/CLI gets locked up when trying to run any show command |
| CSCwm14509 | Wrong drops seen with Invalid length for 23, 24 and 25 IE-Types during GTP inspection |
| CSCwm30731 | The ASA's OSPF routing table is not properly synchronized with the neighbors |
| CSCwm33613 | Default Group Policy is applied when receiving multiple Group Policies in SAML assertion attributes |
| CSCwm41847 | Serviceability to capture PDTS writing/reading block to help root cause CSCwm36314 |
| CSCwm49410 | Misconfigured Cross-Origin-Opener-Policy |
| CSCwm60536 | SQLNet traffic getting dropped intermittently in Clustering data unit. |
| CSCwm61282 | ASA/FTD: RA VPN tunnel causing memory leak leading to traceback & Reload |
| CSCwm78351 | Potential High CPU usage in Multi-Context Cluster setup with unconditional execution of capture code |
| CSCwm92397 | LINA core observed pointing to "IP RIB Update" thread |
Version 9.16.4.71 – September 24, 2024
Defects resolved since 9.16.4.70:
| CSCwm13199 | SIP traffic is affected due to unexpected behavior with NAT untranslations. |
| CSCwm49153 | Cisco Adaptive Security Appliance Software SSH Server Resource DoS Vulnerability |
Version 9.16.4.70 – August 29, 2024
Defects resolved since 9.16.4.67:
| CSCwi44912 | ISA3000 Traceback and reload boot loop |
| CSCwk13132 | FTD/ASA 1550 blocks may get exhausted while sending logs to TCP syslog server |
Version 9.16.4.67 – August 7, 2024
Defects resolved since 9.16.4.62:
| CSCwf34069 | Cisco ASA and FTD Remote Access SSL VPN Authentication Targeted Denial of Service Vulnerability |
| CSCwh10931 | ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
| CSCwh70874 | FTD: Policy Deployment failure due to abort as no progress |
| CSCwi79037 | IKEv2 client services is not getting enabled - XML profile is not downloaded |
| CSCwi90751 | FTD/ASA - SNMP queries using snmpwalk are not displaying all "nameif" interfaces |
| CSCwj63974 | Memory manager improvements for webvpn internal lua library |
| CSCwj74323 | ASAv Memory leak involving PKI/Crypto for VPN |
| CSCwj83185 | FTD/ASA : Standby FTD traceback and reload after enabling memory tracking |
| CSCwj83634 | Seeing message "reg_fover_nlp_sessions: failover ioctl C_FOREG failed" |
| CSCwj87501 | ASA/FTD may traceback and reload in Thread Name 'fover_FSM_thread' |
| CSCwk06564 | Add New Syslog for Routes for NP add/delete |
| CSCwk11983 | High LINA CPU observed due to NetFlow due to 'flow-export delay flow-create' configuration |
| CSCwk12497 | Traceback and reload on active unit due to HA break operation. |
| CSCwk14909 | Traffic drop with 'rule-transaction-in-progress' after failover with TCM cfgd in multi-ctx mode |
| CSCwk21561 | Add warning message when configuring CCL MTU |
| CSCwk22034 | Snmpwalk displays incorrect interface speeds for values greater or equal than 10G |
| CSCwk24176 | FTD/ASA - VPN traffic flowing through the device may trigger tracebacks and reloads. |
| CSCwk25117 | ENH: Add application support for blocking consecutive AAA failures on LINA |
| CSCwk26968 | Backup feature does not save/restore DAP configuration in multiple context mode. |
| CSCwk32501 | 256/1550 block depletion process fover_thread |
| CSCwk36312 | High cpu on "update block depletion" with secondary effects (Bgp flaps, traffic drops) |
| CSCwk44165 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability |
| CSCwk48975 | Packet-tracer output incorrectly appends 'control-plane' to drops for data-plane access-group |
| CSCwk53369 | Cisco ASA and FTD Software Remote Access VPN Denial of Service Vulnerability |
| CSCwk62381 | ASA might traceback and reload due to ssh/client hitting a null pointer while using SCP. |
| CSCwk69742 | FTD: Policy deployment failed due to mismatch of checksum. |
Version 9.16.4.62 – June 26, 2024
Defects resolved since 9.16.4.61:
| CSCwh29276 | ASA: Traceback and reload when switching from single to multiple mode |
| CSCwi05240 | ASA - Traceback the standby device while HA sync ACL-DAP |
| CSCwi94356 | Lina traceback and reload in Thread Name: cli_xml_request_process |
| CSCwj17447 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174' |
| CSCwj19125 | Cisco ASA and FTD NSG Access Control List Bypass Vulnerability |
| CSCwj20804 | Cisco ASA and FTD Software VPN Web Server Limited Information Disclosure Vulnerability |
| CSCwj24828 | Issue when two FQDN objects with same IP are added in source or destination (FTD/ASA) |
| CSCwj30980 | Addition of debugs & a show command to capture the ID usage in the CTS SXP flow. |
| CSCwj43345 | SNMP poll for some OIDs may cause CPU hogs and high latency can be observed for ICMP packets |
| CSCwj44398 | when set the route-map in route RIP on FTD, routes update is not working after FTD reload |
| CSCwj49745 | Cisco ASA and FTD VPN Web Client Services Cross-Site Scripting Vulnerabilities |
| CSCwj68783 | FTD/ASA-HA configs not in sync as the command sync process is sending configs with special chars |
| CSCwj72683 | ASA - Bookmarks on the WebVPN portal are unreachable after successful login. |
| CSCwj73061 | SNMP OID for CPUTotal1min omits snort cpu cores entries when polled |
| CSCwj76503 | Syslogs continue to be sent after disabling logging class on ASA |
| CSCwj82247 | Cisco ASA and FTD SSL VPN Memory Management Denial of Service Vulnerability |
| CSCwj82736 | TLS Handshake Fails if Segmented or Fragmented Client Hello Packet is Received Out of Order |
| CSCwj86116 | High LINA CPU observed due to NetFlow configuration |
| CSCwj88400 | FTD may traceback and reload in process name lina while processing appAgent msg reply |
| CSCwj89264 | FTD HA: Traceback and reload in netsnmp_oid_compare_ll |
| CSCwj91570 | Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability |
| CSCwj95590 | Browser redirects to logon page when the user clicks the WebVPN bookmark |
| CSCwj99043 | Cisco ASA & FTD Software IKEv2 Denial of Service Vulnerability |
| CSCwk02804 | WebVPN connections stuck in CLOSEWAIT state |
| CSCwk02928 | ASA/FTD may traceback and reload in Thread Name PTHREAD |
| CSCwk04492 | ASA CLI hangs with 'show run' with multiple ssh sessions |
| CSCwk05851 | "set ip next-hop" line deleted from config at reload if IP address is matched to a NAME |
| CSCwk07934 | Clock skew between FXOS and Lina causes SAML assertion processing failure |
| CSCwk08576 | command to print the debug menu setting of service worker |
| CSCwk12698 | SNMP polling of admin context mgmt interface fails to show all interfaces across all contexts |
| CSCwk12738 | Cisco Adaptive Security Virtual Appliance and Secure FTD Virtual SSL VPN DoS Vulnerability |
| CSCwk13812 | ASA/FTD incorrectly forwards extended community attribute after upgrade. |
| CSCwk17637 | State Link Stops Sending Hello Messages Post-Failover Triggered by Snort traceback in FTD HA |
| CSCwk17854 | FTD doesn't send Type A query after receiving a refuse error from one DNS server in AAAA query. |
| CSCwk21561 | Add warning message when configuring CCL MTU |
| CSCwk22759 | Issue with Setting Certain Timezones (e.g. GMT+1) on Cisco ASA Firepower in Appliance Mode |
| CSCwk27830 | ASA/FTD may traceback and reload in Thread Name 'lina' |
Version 9.16.4.61 – May 21, 2024
Defects resolved since 9.16.4.57:
| CSCvy51481 | [ENH] FTD should show error/warning when attaching a not valid certificate to the interface for VPN |
| CSCwb03293 | IKEv2 debugs: Received Policies and Expected Policies are empty |
| CSCwe11754 | Nodes randomly fail to join cluster due to internal clustering error |
| CSCwe12645 | Secondary state flips between Ready & Failed when node is rebooted and mgmt interface is shutdown |
| CSCwe18462 | ASA/FTD: Improve GTP Inspection Logging |
| CSCwe18467 | ASA/FTD: GTP Inspection engine serviceability |
| CSCwf63256 | Firepower reloads unexpectedly with a traceback |
| CSCwf75694 | ASA - The GTP inspection dropped the message 'Delete PDP Context Response' due to an invalid TEID=0 |
| CSCwf84318 | ASA/FTD traceback and reload on thread DATAPATH |
| CSCwh43945 | FTD/ASA traceback and reload may occur when ssl packet debugs are enabled |
| CSCwh60971 | NAT pool is not working properly despite is not reaching the 32k object ID limit. |
| CSCwh68068 | Firepower WCCP router-id changes randomly when VRFs are configured |
| CSCwh83021 | ASA/FTD HA pair EIGRP routes getting flushed after failover |
| CSCwh95443 | Datapath hogs causing clustering units to get kicked out of the cluster |
| CSCwi06797 | ASA/FTD traceback and reload on thread DATAPATH |
| CSCwi42291 | Cisco Firepower Threat Defense Software TCP Snort 3 Detection Engine Bypass Vulnerability |
| CSCwi43492 | ASA traceback and reload on Thread Name: DATAPATH |
| CSCwi49770 | ASA|FTD Traceback & reload in thread name Datapath |
| CSCwi56499 | Cut-Through Proxy feature spikes CP CPU with a flood of un-authenticated traffic |
| CSCwi60430 | CVE-2023-51385 (Medium Sev) In ssh in OpenSSH before 9.6, OS command injection might occur if a us |
| CSCwi68625 | Continuous snmpd restarts observed if SNMP host is configured before the IP is configured |
| CSCwi84314 | ASA CLI hangs with 'show run' on multiple SSH |
| CSCwi95796 | FTD SNMP OID 1.3.6.1.4.1.9.9.109.1.1.1.1.7 always returns 0% for SysProc Average |
| CSCwi97836 | ASA traceback and reload after configuring capture on nlp_int_tap and deleting context |
| CSCwi97948 | EIGRP bandwidth is changing after upgrade or after "shutdown"/"no shutdown" commands |
| CSCwi99429 | Policy deployment failure rollback didnt reconfigure the FTD devices |
| CSCwj05151 | ASA/FTD may traceback and reload in Thread Name DATAPATH due to GTP Spin Lock Assertion |
| CSCwj06675 | Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
| CSCwj10451 | The secondary device reloaded while rebooting the primary device. |
| CSCwj15792 | Cisco ASA and FTD Software Dynamic Access Policies Denial of Service Vulnerability |
| CSCwj16125 | Traceback and Reload when testing or loading an invalid hostscan image |
| CSCwj17447 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174' |
| CSCwj22235 | Lina traceback and reload due to mps_hash_memory pointing to null hash table |
| CSCwj22990 | After upgrading the ASA, \u201cSlot 1: ATA Compact Flash memory\u201d shows a ditterent value |
| CSCwj25975 | FTD/ASA : CSR generation with comma between \u201cCompany Name\u201d attribute does not work expected |
| CSCwj32035 | Clientless VPN users are unable to reach pages with HTTP Basic Authentication |
| CSCwj33487 | ASA/FTD may traceback and reload while handling DTLS traffic |
| CSCwj33580 | IKEv2 tunnels flap due to fragmentation and throttling caused by multiple ciphers/proposal |
| CSCwj48704 | ASA traceback and reload when accessing file system from ASDM |
| CSCwj49958 | Crypto IPSEC Negotiation Failing At "Failed to compute a hash value" |
| CSCwj55036 | ASA/FTD: A delay in an async crypto command induces a traceback and subsequently a reload. |
| CSCwj59861 | ASA/FTD may traceback and reload in Thread Name 'lina' due to SCP/SSH process |
| CSCwj60265 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-1-16803' |
| CSCwj68783 | FTD/ASA-HA configs not in sync as the command sync process is sending configs with special chars |
| CSCwj82285 | ASA/FTD may traceback and reload in Thread Name 'sdi_work' |
Version 9.16.4.57 – April 1, 2024
Defects resolved since 9.16.4.55:
| CSCvz70310 | ASA may fail to create NAT rule for SNMP with: "error NAT unable to reserve ports." |
| CSCwd16850 | More information is required on Syslog 202010 messages for troubleshooting |
| CSCwd67100 | ASA traceback and reload on Datapath process |
| CSCwe02012 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwe11902 | FTD: HA traceback and reload |
| CSCwe47485 | FTD: CLISH slowness due to command execution locking LINA prompt |
| CSCwe93736 | ASA not updating Timezone despite taking commands |
| CSCwf17389 | ASA accepts replayed SAML assertions for RA VPN authentication |
| CSCwf23262 | Cisco ASA and FTD AnyConnect Access Control List Bypass Vulnerability |
| CSCwf39108 | Firewall rings may get stuck and cause packet loss when asp load-balance per-packet auto is used |
| CSCwf44621 | Traceback and reload on Thread DATAPATH-6-21369 and linked to generation of syslog message ID 202010 |
| CSCwf69880 | Firewall Traceback and reload due to SNMP thread |
| CSCwh19352 | comm alarm is raised and unit switches over even if one ack is dropped. |
| CSCwh40294 | ASA traceback due to panic event during SNMP configuration |
| CSCwh45450 | 2100: Interfaces missing from FTD after removing interfaces as members of a port-channel |
| CSCwh69156 | FTD-HA does not fail over sometimes when snort3 traceback |
| CSCwh71161 | ASA|FTD: Traceback & reload in thread Name: update_mem_reference |
| CSCwh84376 | In FPR4200/FPR3100-HA/cluster observed crashinfo/corefile.lina observed on device reboot. |
| CSCwh91065 | Lina Traceback : Thread Name: DATAPATH during session terminate |
| CSCwh92345 | crypto_archive file generated after the software upgrade. |
| CSCwh95025 | GTP connections, under certain circumstances do not get cleared on issuing clear conn. |
| CSCwh95277 | FTD traceback due to system memory exhaustion |
| CSCwh96055 | Management DNS Servers may be unreacheable if data interface is used as the gateway |
| CSCwi01381 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwi02754 | FTD 1120 Traceback and reload on standby unit with SNMP enabled. |
| CSCwi03407 | Traceback on FP2140 without any trigger point. |
| CSCwi04351 | FTD upgrade failling on script 999_finish/999_zz_install_bundle.sh |
| CSCwi20045 | ASA/FTD may traceback and reload in Thread Name 'lina' due to a watchdog (watchdog_time = 0) |
| CSCwi31966 | FTD ADI debugs may show incorrect server_group and/or realm_id for SAML-authenticated sessions |
| CSCwi40193 | Hairpinning of DCE/RPC/FTP traffic during the suboptimal lookup |
| CSCwi44208 | low memory/stress causing traceback in SNMP |
| CSCwi46010 | ASA/FTD: Cluster incorrectly generating syslog 202010 for invalid packets destined to PAT IP |
| CSCwi48699 | ASA traceback and reload on Thread Name: pix_flash_config_thread |
| CSCwi49884 | TCP MSS is changed back to the default value when a VTI or loopback interface is created |
| CSCwi50343 | Their standalone FTD running 7.2.2 on FPR-4112 experienced a traceback on the SNMP module |
| CSCwi55938 | The "show asp drop" command usage requires better updates for cluster-related drops |
| CSCwi59525 | Multiple lina cores on 7.2.6 KP2110 managed by cdFMC |
| CSCwi59831 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwi60285 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwi63113 | Null pointer dereference in SNMP that results in traceback and reload |
| CSCwi63743 | ASA/FTD may traceback and reload in Thread Name "appAgent_monitor_nd_thread" & Rip: _lina_assert. |
| CSCwi64829 | traceback and reload around function HA |
| CSCwi65116 | DHCPv6:ASA traceback on Thread Name: DHCPv6 CLIENT. |
| CSCwi66676 | ASA/FTD may traceback and reload in Thread Name 'webvpn_task' |
| CSCwi74214 | ASA/FTD traceback and reload in Thread Name: IKEv2 Daemon when moving from active to standby HA |
| CSCwi75198 | Standby FTD experiencing periodic traceback and reload |
| CSCwi76002 | Memory exhaustion due to absence of freeing up mechanism for tmatch |
| CSCwi76361 | Transparent firewall MAC filter does not capture frames with STP-UplinkFast dst MAC consistently |
| CSCwi76630 | FP2100/FP1000: ASA Smart licenses lost after reload |
| CSCwi79042 | FTD/Lina traceback and reload of HA pairs, in data path, after adding NAT policy |
| CSCwi79703 | Incorrect Timezone Format on FTD When Configured via FXOS |
| CSCwi80465 | CCM ID 63 - LTS18 |
| CSCwi87382 | Traceback and reload on Primary unit while running debugs over the SSH session |
| CSCwi90040 | Cisco ASA and FTD Software Command Injection Vulnerability |
| CSCwi90399 | FTD/ASA system clock resets to year 2023 |
| CSCwi90571 | Access to website via Clientless SSL VPN Fails |
| CSCwi95228 | "crypto ikev2 limit queue sa_init" resets after reboot |
| CSCwi95708 | FTD: Hostname Missing from Syslog Message |
| CSCwi95994 | Chromium-based browsers have SSL connection conflicts when FIPS CC is enabled on the firewall. |
| CSCwi97839 | FTD traceback assert in vni_idb_get_mode and reloaded |
| CSCwi98284 | Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
| CSCwj02505 | ASA Checkheaps traceback while entering same engineID twice |
| CSCwj09110 | Upload files through Clientless portal is not working as expected after the ASA upgrade |
| CSCwj10955 | Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
| CSCwj14028 | CCM ID 67 - LTS18 |
Version 9.16.4.55 – February 6, 2024
Defects resolved since 9.16.4.48:
| CSCvx37329 | Remove Syslog Messages 852001 and 852002 in Firewall Threat Defense |
| CSCwc31953 | Prevention of RSA private key leaks regardless of root cause. |
| CSCwc40352 | Lina Netflow sending permited events to Stealthwatch but they are block by snort afterwards |
| CSCwd10822 | Failover trigger due to Inspection engine in other unit has failed due to disk failure |
| CSCwd31806 | ASAv show crashinfo printing in loop continuously |
| CSCwe06562 | FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces |
| CSCwe21884 | Write wrapper around "kill" command to log who is calling it |
| CSCwe72330 | FTD LINA traceback and reload in Datapath thread after adding Static Routing |
| CSCwe97939 | ASA/FTD Cluster: Change "cluster replication delay" with max value increase from 15 to 50 sec |
| CSCwf08387 | LSP version not updated to latest in LINA Prompt in SSP_CLUSTER with 7.2.4 build. |
| CSCwf34070 | Cisco ASA and FTD Remote Access SSL VPN Authentication Targeted Denial of Service Vulnerability |
| CSCwf36419 | ASA/FTD: Traceback and reload with Thread Name 'PTHREAD' |
| CSCwf59571 | FTD/Lina - ZMQ issue OUT OF MEMORY. due to less Msglyr pool memory on certain platforms |
| CSCwf63589 | FTD snmpd process traceback and restart |
| CSCwf89959 | ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls |
| CSCwf99303 | Management UI presents self-signed cert rather than custom CA signed one after upgrade |
| CSCwh09113 | FPR1010 in HA failed to send or receive to GARP/ARP with error "edsa_rcv: out_drop" |
| CSCwh14863 | FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn |
| CSCwh16759 | SNMP is not working on the primary active ASA unit in multi-context environment |
| CSCwh30346 | ASA/FTD: 1 Second failover delay for each NLP NAT rule |
| CSCwh47053 | ASA/FTD may traceback and reload in Thread Name 'dns_cache_timer' |
| CSCwh58467 | ASA does not sent 'warmstart' snmp trap |
| CSCwh65128 | LINA show tech-support fails to generate as part of sf_troubleshoot.pl (Troubleshoot file) |
| CSCwh68482 | Cisco Firepower Threat Defense Software for Firepower 2100 Series TLS Denial of Service Vu |
| CSCwh69346 | ASA: Traceback and reload when restore configuration using CLI |
| CSCwh71665 | ASA traceback under match_partial_keyword during CPU profiling |
| CSCwh77348 | ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup |
| CSCwh83254 | ASA/FTD: Traceback and reload on thread name CP Crypto Result Processing |
| CSCwh91574 | FTD: Traceback in threadname cli_xml_request_process |
| CSCwh93710 | 'Last Hit' Timestamp fails to Update to latest value on ASA, ASDM, and FTD |
| CSCwh95010 | Unexpected traceback on thread name Lina and device experienced reboot |
| CSCwi01085 | FTD VMWare tracebacks at PTHREAD-3587 |
| CSCwi02134 | FTD sends multiple replicated NetFlow records for the same flow event |
| CSCwi11520 | FTD OSPFV3 IPV6 Routing: FTD is sending unsupported extended LSA request to neighbor routers |
| CSCwi12284 | Cisco ASA webvpn XSS Vulnerability |
| CSCwi15409 | ASA/FTD - may traceback and reload in Thread Name 'Unicorn Proxy Thread' |
| CSCwi15595 | ASA traceback and reload during ACL configuration modification |
| CSCwi18581 | Firewall traceback and reload due to SSH thread |
| CSCwi19145 | FTD/ASA may traceback and reload in PKI, syslog, during upgrade |
| CSCwi19849 | VPN load-balancing cluster encryption using Phase 2 deprecated ciphers |
| CSCwi20114 | Cisco ASA Software and FTD Software SNMP Denial of Service Vulnerability |
| CSCwi20848 | ASA/FTD high memory usage due to SNMP caused by RAVPN OID polling |
| CSCwi20955 | FTD with may traceback in data-path during deployment when enabling TAP mode |
| CSCwi21625 | FailSafe admin password is not properly sync'd with system context enable pw |
| CSCwi26895 | ASA SNMP OID cpmCPUTotalPhysicalIndex returning zero values instead of CPU index values |
| CSCwi27338 | Stale asp entry for TCP 443 remains on standby after changing default port |
| CSCwi31091 | OSPF Redistribution route-map with prefix-list not working after upgrade |
| CSCwi32063 | ASA/FTD: SSL VPN Second Factor Fields Disappear |
| CSCwi32759 | Username-from-certificate secondary attribute is not extracted if the first attribute is missing |
| CSCwi33817 | ASA/FTD: 'IKEv2 Negotiation aborted due to ERROR: Platform errors' during a rekey |
| CSCwi34125 | ASA: Snmpwalk shows "No Such Instance" for the OID ceSensorExtThresholdValue |
| CSCwi36311 | use kill tree function in SMA instead of SIGTERM |
| CSCwi40536 | ASA/FTD: Traceback and reload when running show tech and under High Memory utilization condition |
| CSCwi42992 | ASA/FTD may traceback and reload in Thread Name IKEv2 Daemon |
| CSCwi43782 | GTP inspection dropping packets with IE 152 due to header length being invalid for IE type 152 |
| CSCwi46023 | FTD drops double tagged BPDUs. |
| CSCwi53150 | Service object-group protocol type mismatch error seen while access-list referencing already |
| CSCwi53431 | Unable to Synch more then 100 environment-data with data unit |
| CSCwi56048 | Interface fragment queue may get stuck at 2/3 of fragment database size |
| CSCwi62683 | The SSH transport protocol with certain OpenSSH extensions, found in ... (CVE-2023-48795) |
Version 9.16.4.48 – November 28, 2023
Defects resolved since 9.16.4.42:
| CSCwb41189 | LINA time-sync correction |
| CSCwd02864 | logging/syslog is impacted by SNMP traps and logging history |
| CSCwd34079 | FTD: Traceback & reload in process name lina |
| CSCwd87438 | Enhance logging mechanism for syslogs |
| CSCwe03631 | Need to provide rate-limit on "logging history " |
| CSCwe18472 | [FTD Multi-Instance][SNMP] - CPU OIDs return incomplete list of associated CPUs |
| CSCwe25342 | ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured |
| CSCwe44099 | Cisco Adaptive Security Virtual Appliance and Secure FTD Virtual SSL VPN DoS Vulnerability |
| CSCwe58207 | Memory leak observed on ASA/FTD when logging history is enabled |
| CSCwe65516 | show xlate does not display xlate entries for internal interfaces (nlp_int_tap) after enabling ssh. |
| CSCwe87134 | ASA/FTD: Traceback and reload due to high rate of SCTP traffic |
| CSCwe93137 | KP - multimode: ASA traceback observed during HA node break and rejoin. |
| CSCwf64590 | Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220 |
| CSCwf92661 | ASA|FTD: Traceback & reload due to a free buffer corruption |
| CSCwf94450 | FTD Lina traceback Thread Name: DATAPATH due to memory corruption |
| CSCwh14352 | Lina CiscoSSL upgrade to 1.1.1v and FOM 7.3a |
| CSCwh19897 | ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple |
| CSCwh21474 | ASA traceback when re-configuring access-list |
| CSCwh40106 | FTD hosted on KP incorrectly dropping decoded ESP packets if pre-filter action is analyze |
| CSCwh42412 | FTD Block 9344 leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
| CSCwh47701 | ASA allows same BGP Dynamic routing process for Physical Data and management-only interfaces |
| CSCwh49244 | "show aaa-server" command always shows the Average round trip time 0ms. |
| CSCwh53745 | ASA: unexpected logs for initiating inbound connection for DNS query response |
| CSCwh59199 | ASA/FTD traceback and reload with IPSec VPN, possibly involving upgrade |
| CSCwh60604 | ASA/FTD may traceback and reload in Thread Name 'lina' while processing DAP data |
| CSCwh60631 | Fragmented UDP packet via MPLS tunnel reassemble fail |
| CSCwh66359 | ASDM can not see log timestamp after enable logging timestamp on cli |
| CSCwh70323 | Timestamp entry missing for some syslog messages sent to syslog server |
| CSCwh70481 | Community string sent from router is not matching ASA |
| CSCwh95175 | ASA/FTD may traceback and reload in Thread Name 'lina' |
Version 9.16.4.42 – October 4, 2023
Defects resolved since 9.16.4.39:
| CSCvy81493 | traceback and reload with 'CHECKHEAPS HAS DETECTED A MEMORY CORRUPTION' |
| CSCwc78781 | ASA/FTD may traceback and reload during ACL changes linked to PBR config |
| CSCwd28037 | No nameif during traffic causes the device traceback, lina core is generated. |
| CSCwd38583 | ASA/FTD: Command "no snmp-server enable oid mempool" enabled by default or enforced during upgrades |
| CSCwe28912 | Primary Unit lost all HA config after FTD HA upgrade |
| CSCwe42061 | Deleting a BVI in FTD interfaces is causing packet drops in other BVIs |
| CSCwe67816 | ASA / FTD Traceback and reload when removing isakmp capture |
| CSCwe90609 | Cisco ASA Software and FTD Software SNMP Denial of Service Vulnerability |
| CSCwe98319 | ASAConfig multiple restarts are leaking 16K memory in every Restart leading to ZMQ Out Of Memory. |
| CSCwf35233 | Cisco Adaptive Security Appliance Software and Firepower Threat Defense DoS |
| CSCwf35573 | Traffic may be impacted if TLS Server Identity probe timeout is too long |
| CSCwf47227 | Remove Priority-queue command from FTD|| Priority-queue command causes silent egress packet drops |
| CSCwf54510 | ASA traceback and reload on Thread Name: DHCPRA Monitor |
| CSCwf60590 | "show route all summary" executed on transparent mode FTD is causing CLISH to become Sluggish. |
| CSCwf62820 | Failover: standby unit traceback and reload during modifying access-lists |
| CSCwf63872 | FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
| CSCwf69901 | FTD: Traceback and reload during OSPF redistribution process execution |
| CSCwf95147 | OSPFv3 Traffic is Centralized in Transparent Mode |
| CSCwh04395 | ASDM application randomly exits/terminates with an alert message on multi-context setup |
| CSCwh08481 | ASA traceback on Lina process with FREEB and VPN functions |
| CSCwh13821 | ASA/FTD may traceback and reload in when changing capture buffer size |
| CSCwh15223 | Lina Traceback and reload when DAQ/Snort sends malformed L3 header |
| CSCwh16301 | Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output |
| CSCwh23567 | PAC Key file missing on standby on reload |
| CSCwh27230 | Connections are not cleared after idle timeout when the interfaces are in inline mode. |
| CSCwh28144 | Specific OID 1.3.6.1.2.1.25 should not be responding |
| CSCwh30891 | ASA/FTD may traceback and reload in Thread Name 'ssh' when adding SNMPV3 config |
| CSCwh31495 | FTD - Traceback and reload due to nat rule removed by CPU core |
| CSCwh32118 | ASDM management-sessions quota reached due to HTTP sessions stuck in CLOSE_WAIT |
| CSCwh41127 | ASA/FTD: NAT64 error "overlaps with inside standby interface address" for Standalone ASA |
| CSCwh49483 | ASA/FTD may traceback and reload while running show inventory |
Version 9.16.4.39 – September 20, 2023
Defects resolved since 9.16.4.38:
| CSCwh45108 | Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
Version 9.16.4.38 – August 30, 2023
Defects resolved since 9.16.4.27:
| CSCvt25221 | FTD traceback in Thread Name cli_xml_server when deploying QoS policy |
| CSCvx04003 | Lack of throttling of ARP miss indications to CP leads to oversubscription |
| CSCvx54562 | High System Overhead memory on FTD |
| CSCwc82205 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwd89095 | Stratix5950 and ISA3000 LACP channel member SFP port suspended after reload |
| CSCwd98316 | Cisco ASA and FTD Software VPN Packet Validation Vulnerability |
| CSCwe12705 | multimode-tmatch_df_hijack_walk traceback observed during shut/unshut on FO connected switch interfa |
| CSCwe28407 | LINA traceback with icmp_thread |
| CSCwe51443 | ASA Evaluation of OpenSSL vulnerability CVE-2022-4450 |
| CSCwe65245 | FP2100 series devices might use excessive memory if there is a very high SNMP polling rate |
| CSCwe74089 | ASA/FTD may traceback and reload in Thread Name DATAPATH-1-1656 |
| CSCwe82704 | PortChannel sub-interfaces configured as data/data-sharing, in multi-instance HA go into "waiting" |
| CSCwe83255 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwe86225 | ASA/FTD traceback and reload due citing thread name: cli_xml_server in tm_job_add |
| CSCwe93561 | Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
| CSCwe99550 | Add knob to pause/resume file specific logging in asa log infra. |
| CSCwf05295 | FTD running on FP1000 series might drop packets on TLS flows after the "Client Hello" message. |
| CSCwf10910 | FTD : Traceback in ZMQ running 7.3.0 |
| CSCwf14126 | ASA Traceback and reload citing process name 'lina' |
| CSCwf15902 | ASAv in Hyper-V drops packets on management interface |
| CSCwf17042 | ASDM replaces custom policy-map with default map on class inspect options at backup restore. |
| CSCwf22005 | ASA/FTD : Packet-tracer may displays incorrect ACL rule, though produces correct verdict. |
| CSCwf26407 | FP2130- Unable to disassociate member from port channel, deployment fails, member is lost on FTD/FMC |
| CSCwf26534 | ASA/FTD: Connection information in SIP-SDP header remains untranslated with destination static Any |
| CSCwf33904 | [IMS_7_4_0] - Virtual FDM Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby |
| CSCwf34500 | FTD: GRE traffic is not being load balanced between CPU cores |
| CSCwf35207 | ASA: Traceback and reload while updating ACLs on ASA |
| CSCwf39163 | ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk |
| CSCwf43537 | traceback and reload in thread name: cli_xml_request_process during FTD cluster upgrade |
| CSCwf44537 | Traceback and reload on nat_remove_policy_from_np |
| CSCwf47924 | Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
| CSCwf48599 | VPN load-balancing cluster encryption using deprecated ciphers |
| CSCwf49573 | ASA/FTD: Traceback and reload when issuing 'show memory webvpn all objects' |
| CSCwf50497 | DNS cache entry exhaustion leads to traceback |
| CSCwf51933 | FTD username with dot fails AAA-RADIUS external authentication login after upgrade |
| CSCwf52810 | ASA SNMP polling not working and showing "Unable to honour this request now" on show commands |
| CSCwf54418 | Reduce time taken to clear stale IKEv2 SAs formed after Duplicate Detection |
| CSCwf56386 | vFTD runs out of memory and goes to failed state |
| CSCwf56811 | ASA Traceback & reload on process name lina due to memory header validation |
| CSCwf58876 | KP2140-HA, reloaded primary unit not able to detect the peer unit |
| CSCwf60311 | ASA generating traceback with thread-name: DATAPATH-53-18309 after upgrade to 9.16.4.19 |
| CSCwf62729 | Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability |
| CSCwf72434 | Add meaningful logs when the maximums system limit rules are hit |
| CSCwf77191 | ASA appliance mode - 'connect fxos [admin]' will get ERROR: failed to open connection. |
| CSCwf78321 | ASA: Checkheaps traceback and reload due to Clientless WebVPN |
| CSCwf81058 | FTD: Firepower 3100 Dynamic Flow Offload showing as Enabled |
| CSCwf82247 | Policy deployment fails when a route same prefix/metric is configured in a separate VRF. |
| CSCwf82742 | FTD: SNMP not working on management interface |
| CSCwf92135 | ASA: Traceback and reload on Tread name "fover_FSM_thread" and ha_ntfy_prog_process_timer |
| CSCwf92646 | ECDSA Self-signed certificate using SHA384 for EC521 |
| CSCwf94677 | "failover standby config-lock" config is lost after both HA units are reloaded simultaneously |
| CSCwh04365 | ASA Traceback & reload on process name lina due to memory header validation - webvpn side fix |
| CSCwh05863 | ASA omits port in host field of HTTP header of OCSP request if non-default port begins with 80 |
| CSCwh06452 | Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2 |
| CSCwh11764 | ASA/FTD may traceback and reload in Thread Name "RAND_DRBG_bytes" and CTM function on n5 platforms |
| CSCwh23100 | Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability |
| CSCwh30676 | Ping to the configured systemIP on management interface getting failed in cluster setup. |
Version 9.16.4.27 – June 15, 2023
Defects resolved since 9.16.4.19:
| CSCwb88729 | FTD - %FTD-3-199015: port-manager: Error: DOM Block Read failure, port X, st = X log false/positive |
| CSCwb95453 | ASA: The timestamp for all logs generated by Admin context are the same |
| CSCwb95784 | cache and dump last 20 rmu request response packets in case failures/delays while reading registers |
| CSCwd34288 | FP1000 - During boot process in LINA mode, broadcasts leaked between interfaces resulting in storm |
| CSCwd67101 | FPR1150 : Exec format error seen and the device hung until reload when erase secure all is executed |
| CSCwd74839 | 30+ seconds data loss when unit re-join cluster |
| CSCwd94183 | Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob |
| CSCwd96493 | Link Up seen for a few seconds on FPR1010 during bootup |
| CSCwe03529 | FTD traceback and reload while deploying PAT POOL |
| CSCwe20714 | Traffic drop when primary device is active |
| CSCwe20918 | Cisco ASA and FTD Software Remote Access SSL VPN Multiple Certificate Auth Bypass |
| CSCwe22302 | Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated |
| CSCwe26612 | FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
| CSCwe30867 | Workaround to set hwclock from ntp logs on low end platforms |
| CSCwe38029 | Multiple traceback seen on standby unit. |
| CSCwe39425 | 2100: Power switch toggle leads to ungraceful shutdowns and "PowerCycleRequest" reset |
| CSCwe40463 | Stale IKEv2 SA formed during simultaneous IKE SA handling when missing delete from the peer |
| CSCwe44311 | FP2100:Update LINA asa.log files to avoid recursive messages-.1.gz rotated filenames |
| CSCwe50993 | SNMPD running on FXOS platform goes down and won't come back up |
| CSCwe52120 | SSL decrypted conns fails when tx chksum-offload is enabled with the egress interface a pppoe. |
| CSCwe59737 | ASA/FTD reboots due to traceback pointing to watchdog timeout on p3_tree_lookup |
| CSCwe59809 | CCM seq 45 - WR6, WR8, LTS18 and LTS21. |
| CSCwe59919 | FTD Traceback and reload on Thread Name "NetSnmp Event mib process" |
| CSCwe61928 | PIM register packets are not sent to RP after a reload if FTD uses a default gateway to reach the RP |
| CSCwe63266 | Need fault/error for invalid firmware MF-111-234949 |
| CSCwe70202 | Multiple times the failover may be disabled by wrongly seeing a different "Mate operational mode". |
| CSCwe74916 | Interface remains DOWN in an Inline-set with propagate link state |
| CSCwe77123 | ASA/FTD : Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers |
| CSCwe80063 | Default DLY value of port-channel sub interface mismatch with parent Portchannel |
| CSCwe85432 | ASA/FTD traceback and reload on thread DATAPATH-14-11344 when SIP inspection is enabled |
| CSCwe89731 | Notification Daemon false alarm of Service Down |
| CSCwe90720 | ASA Traceback and reload in parse thread due ha_msg corruption |
| CSCwe92905 | ngfwManager process continuously restarting leading to ZMQ Out of Memory traceback |
| CSCwe93202 | FXOS REST API: Unable to create a keyring with type "ecdsa" |
| CSCwe93489 | Threat-detection does not recognize exception objects with a prefix in IPv6 |
| CSCwe93561 | Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
| CSCwe95729 | Cisco ASA & FTD SAML Authentication Bypass Vulnerability |
| CSCwe95757 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwe96023 | ASa/FTD: SNMP related traceback and reload immediately after upgrade from 6.6.5 to 7.0.1 |
| CSCwe97277 | Observed ASA traceback and reload when performing hitless upgrade while VPN traffic running |
| CSCwe99040 | traceback and reload thread datapath on process tcpmod_proxy_continue_bp |
| CSCwf03490 | portmanager.sh outputing continuous bash warnings to log files |
| CSCwf04831 | ASA/FTD may traceback and reload in Thread Name 'ci/console' |
| CSCwf06377 | Setting heartbeat timeout to 6sec for Firepower 4100 and 9300 |
| CSCwf07791 | ASA running out of SNMP PDU and SNMP VAR chunks |
| CSCwf08043 | Lina traceback and reload due to fragmented packets |
| CSCwf12005 | ASA sends OCSP request without user-agent and host |
| CSCwf12408 | ASA: After upgrade to 9.16.4 all type-8 passwords are lost on first reboot |
| CSCwf14735 | traceback and reload in Process Name: lina related to Nat/Pat |
| CSCwf14811 | TCP normalizer needs stats that show actions like packet drops |
| CSCwf15858 | LDAP authentication over SSL not working for users that send large authorisation profiles |
| CSCwf17814 | ASA/FTD may traceback and reload in Thread Name '19', free block checksum failure |
| CSCwf20338 | ASA may traceback and reload in Thread Name 'DHCPv6 Relay' |
| CSCwf21106 | ASA/FTD: Traceback on thread name: snmp_master_callback_thread during SNMP and interface changes |
| CSCwf23564 | Unable to establish BGP when using MD5 authentication over GRE TUNNEL and FTD as passthrough device |
| CSCwf26939 | FTD may fail to create a NAT rule with error: "IPv4 dst real obj address range is huge" |
| CSCwf28488 | Inconsistent log messages seen when emblem is configured and buffer logging is set to debug |
| CSCwf30716 | ASA in multi context shows standby device in failed stated even after MIO HB recovery. |
| CSCwf30727 | ASA integration with umbrella does not work without validation-usage ssl-server. |
| CSCwf31701 | ASA traceback and reload with the Thread name: **CP Crypto Result Processing** |
| CSCwf31820 | Firewall may drop packets when routing between global or user VRFs |
| CSCwf33574 | ASA access-list entries have the same hash after upgrade |
| CSCwf42144 | ASA/FTD may traceback and reload citing process name "lina" |
| CSCwf43288 | Traceback in Thread Name: ssh/client in a clustered setup |
| CSCwf57261 | ASA: Traceback and reload due to clientless webvpn session closure |
Version 9.16.4.19 – May 4, 2023
Defects resolved since 9.16.4.18:
| CSCvx71936 | FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices |
| CSCwa29934 | Interfaces on standalone 2120 and 2110 FTD show as modified after upgrade to 7.0.1-84 from 6.6.5 |
| CSCwa89116 | Clean up session index handling in IKEv2/SNMP/Session-mgr for MIB usage |
| CSCwb19387 | ASA SNMP Poll is failing & show display "Unable to honour this request now.Please try again later." |
| CSCwb24306 | duplicate log entry for /mnt/disk0/log/asa_snmp.log |
| CSCwb97486 | FPR3100: 25G optic may show link up on some 1/10G capable only fiber ports |
| CSCwd10880 | critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100 |
| CSCwd22413 | ASA/FTD: Traceback and reload in Thread Name: EIGRP-IPv4 |
| CSCwd42410 | Expected snmp output is not found in 'show run | in fxos snmp' |
| CSCwd43666 | Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log |
| CSCwd54360 | FP2100: FXOS side changes for HA is not resilient to unexpected lacp process termination issue |
| CSCwd68088 | ASA|FTD: Implement different TLS diffie-hellman prime based on RFC recommendation |
| CSCwd72680 | FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
| CSCwd80343 | MI FTD running 7.0.4 is on High disk utilization |
| CSCwd95415 | The Standby Device going in failed state due to snort heartbeat failure |
| CSCwd96766 | FPR41xx/9300: Blade does not capture or log a reboot signal |
| CSCwe07722 | Cluster data unit drops non-VPN traffic with ASP reason "VPN reclassify failure |
| CSCwe08729 | FPR1120:connections are getting teardown after switchover in HA |
| CSCwe11119 | ASA: Traceback and reload while processing SNMP packets |
| CSCwe21187 | ASA/FTD may drop multicast packets due to no-mcast-intrf ASP drop reason until UDP timeout expires |
| CSCwe21280 | Multicast connection built or teardown syslog messages may not always be generated |
| CSCwe22176 | WR6, WR8, LTS18 and LTS21 commit id update in CCM layer (Seq 43) |
| CSCwe26612 | FTD taking longer than expected to form OSPF adjacencies after a failover switchover |
| CSCwe28094 | ASA/FTD may traceback and reload after executing 'clear counters all' when VPN tunnels are created |
| CSCwe28726 | The command "app-agent heartbeat" is getting removed when deleting any created context |
| CSCwe29529 | FTD MI does not adjust PVID on vlans attached to BVI |
| CSCwe29850 | ASA/FTD Show chunkstat top command implementation |
| CSCwe30228 | ASA/FTD might traceback in funtion "snp_fp_l2_capture_internal" due to cf_reinject_hide flag |
| CSCwe36176 | ASA/FTD: High failover delay with large number of (sub)interfaces and http server enabled |
| CSCwe44311 | FP2100:Update LINA asa.log files to avoid recursive messages-.1.gz rotated filenames |
| CSCwe44672 | Syslog ASA-6-611101 is generated twice for a single ssh connection |
| CSCwe45093 | User with no vpn-filter may get additional access when per-user-override is set (IKEv2 RAVPN) |
| CSCwe45779 | ASA/FTD drops traffic to BVI if floating conn is not default value due to no valid adjacency |
| CSCwe51286 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwe54288 | syslog-ng process may hang and would lead the module to a frozen state |
| CSCwe54529 | FTD on FPR2140 - Lina traceback and reload by TCP normalization |
| CSCwe59380 | FTD: "timeout floating-conn" not operating as expected for connections dependent on VRF routing |
| CSCwe61969 | ASA Multicontext 'management-only' interface attribute not synced during creation |
| CSCwe62361 | ASA reboots due to heartbeat loss and "Communication with NPU lost" |
| CSCwe62997 | ASA/FTD traceback in snp_tracer_format_route |
| CSCwe63067 | ASA/FTD may traceback and reload in Thread Name 'lina' due to due to tcp intercept stat |
| CSCwe63232 | ASA/FTD: Ensure flow-offload states within cluster are the same |
| CSCwe64404 | ASA/FTD may traceback and reload |
| CSCwe64557 | ASA: Prevent SFR module configuration on unsuported platforms |
| CSCwe64563 | The command "neighbor x.x.x.x ha-mode graceful-restart" removed when deleting any created context |
| CSCwe65634 | ASA - Standby device may traceback and reload during synchronization of ACL DAP |
| CSCwe66132 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwe67751 | Last fragment from SIP IPv6 packets has MF equal to 1, flagging that more packets are expected |
| CSCwe68159 | Failover fover_trace.log file is flooding and gets overwritten quickly |
| CSCwe70378 | Connections not replicated to Standby FTD |
| CSCwe71284 | ASA/FTD may traceback and reload in Thread Name DATAPATH-3-21853 |
| CSCwe72535 | Unable to login to FTD using external authentication |
| CSCwe74059 | logrotate is not compressing files on 9.16 ASA or 7.0 FTD |
| CSCwe74328 | AnyConnect - mobile devices are not able to connect when hostscan is enabled |
| CSCwe78977 | ASA/FTD may traceback and reload in Thread Name 'pix_flash_config_thread' |
| CSCwe79072 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwe81684 | ASA: Standby failure on parsing of "management-only" not reported to parser/failover subsystem |
| CSCwe89030 | Serial number attribute from the subject DN of certificate should be taken as the username |
| CSCwe90202 | ASA: Standby failure on parsing of "management-only" for dynamic configuraiton changes |
| CSCwe93532 | ASA/FTD may traceback and reload in Thread Name 'lina'. |
| CSCwe94287 | FTD DHCP Relay drops NACK if multiple DHCP Servers are configured |
| CSCwe96068 | ASA: Configurable CLU for Large amount of under/overruns on CLU RX/TX queues |
| CSCwe98687 | Cisco FTD Software Software for Cisco Firepower 2100 Series Inspection Rules DoS Vulnerability |
Version 9.16.4.18 – March 27, 2023
Defects resolved since 9.16.4.14:
| CSCvu24703 | FTD - Flow-Offload should be able to coexist with Rate-limiting Feature (QoS) |
| CSCwa96920 | ASA/FTD may traceback and reload in process Lina |
| CSCwb00871 | ENH: Reduce latency in log_handler_file to reduce watchdog under scale or stress |
| CSCwc82188 | FTD Traceback and reload when applying long commands from FMC UI or CLISH |
| CSCwd07278 | ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off |
| CSCwd30856 | User with no vpn-filter may get additional access when per-user-override is set |
| CSCwd33054 | DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA |
| CSCwd39468 | ASA/FTD Traceback and reload when configuring ISAKMP captures on device |
| CSCwd46741 | fxos log rotate failing to cycle files, resulting in large file sizes |
| CSCwd69454 | Port-channel interfaces of secondary unit are in waiting status after reload |
| CSCwd81538 | FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q |
| CSCwd85927 | Traceback and reload when webvpn users match DAP access-list with 36k elements |
| CSCwd86929 | Cut-Through Proxy does not work with HTTPS traffic |
| CSCwd87438 | Enhance logging mechanism for syslogs |
| CSCwd88585 | ASA/FTD NAT Pool Cluster allocation and reservation discrepancy between units |
| CSCwd96755 | ASA is unexpected reload when doing backup |
| CSCwe00864 | License Commands go missing in Cluster data unit if the Cluster join fails. |
| CSCwe09811 | FTD traceback and reload during policy deployment adding/removing/editing of NAT statements. |
| CSCwe14514 | ASA/FTD Traceback and reload of Standby Unit while removing capture configurations |
| CSCwe18974 | ASA/FTD may traceback and reload in Thread Name: CTM Daemon |
| CSCwe20043 | 256-byte memory block gets depleted on start if jumbo frame is enabled with FTD on ASA5516 |
| CSCwe23039 | NTP polling frequency changed from 5 minutes to 1 second causes large useless log files |
| CSCwe25342 | ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured |
| CSCwe29179 | CLUSTER: ICMP reply arrives at director earlier than CLU add flow request from flow owner. |
| CSCwe29583 | ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo |
| CSCwe41898 | ASA: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy. |
Version 9.16.4.14 – February 7, 2023
Defects resolved since 9.16.4.9:
| CSCvy84336 | Add a warning when member interfaces of the port-channel are different between active and standby |
| CSCwa04262 | Cisco ASA Software SSL VPN Client-Side Request Smuggling Vulnerability via "/"URI |
| CSCwb09606 | FP2100: ASA/FTD high availability is not resilient to unexpected lacp process termination |
| CSCwb44848 | ASA/FTD Traceback and reload in Process Name: lina |
| CSCwc03332 | FTD on FP2100 can take over as HA active unit during reboot process |
| CSCwc64923 | ASA/FTD may traceback and reload in Thread Name 'lina' ip routing ndbshr |
| CSCwc67687 | ASA HA failover triggers HTTP server restart failure and ASDM outage |
| CSCwc77680 | FTD may traceback and reload in Thread Name 'DATAPATH-0-4948' |
| CSCwc89924 | FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters |
| CSCwc95290 | ESP rule missing in vpn-context may cause IPSec traffic drop |
| CSCwd04210 | ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT |
| CSCwd19053 | ASA/FTD may traceback with large number of network objects deployment using distribute-list |
| CSCwd23188 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwd28236 | standby unit using both active and standby IPs causing duplicate IP issues due to nat "any" |
| CSCwd33811 | Cluster registration is failing because DATA_NODE isn't joining the cluster |
| CSCwd46061 | FPR 2100: 10G interfaces with 1G SFP goes down post reload |
| CSCwd46780 | ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread |
| CSCwd48633 | ASA - traceback and reload when Webvpn Portal is used |
| CSCwd50218 | ASA restore is not applying vlan configuration |
| CSCwd53135 | ASA/FTD: Object Group Search Syslog for flows exceeding threshold |
| CSCwd53340 | FTD PDTS LINA RX queue can become stuck when snort send messages with 4085-4096 bytes size |
| CSCwd56254 | "show tech-support" generation does not include "show inventory" when run on FTD |
| CSCwd56296 | FTD Lina traceback and reload in Thread Name 'IP Init Thread' |
| CSCwd56774 | Misleading drop reason in "show asp drop" |
| CSCwd56995 | Clientless Accessing Web Contents using application/octet-stream vs text/plain |
| CSCwd57698 | Recursive panic under lina_duart_write |
| CSCwd58528 | Memory depletion while running EMIX traffic profile on QP HA active node |
| CSCwd59736 | ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade |
| CSCwd61016 | ASA: Standby may get stuck in "Sync Config" status upon reboot when there is EEM is configured |
| CSCwd62138 | ASA Connections stuck in idle state when DCD is enabled |
| CSCwd62859 | Cisco ASA and FTD AnyConnect SSL/TLS VPN Denial of Service Vulnerability |
| CSCwd63580 | FPR2100: Increase in failover convergence time with ASA in Appliance mode |
| CSCwd63961 | AC clients fail to match DAP rules due to attribute value too large |
| CSCwd66709 | FP4125 2.10.1.166 FTD applications in HA went into not responding state |
| CSCwd66815 | Lina changes to support - Snort3 traceback in daq-pdts while handling FQDN based traffic |
| CSCwd74116 | S2S Tunnels do not come up due to DH computation failure caused by DSID Leak |
| CSCwd77581 | Cisco ASA and FTD ICMPv6 Message Processing Denial of Service Vulnerability |
| CSCwd78123 | ASA/FTD traceback and reload when IPSec/Ikev2 vpn session bringup with dh group 31 in fips mode |
| CSCwd78624 | ASA may traceback and reload with multiple input/output error messages |
| CSCwd82235 | LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage |
| CSCwd84133 | ASA/FTD may traceback and reload in Thread Name 'telnet/ci' |
| CSCwd84868 | Observing some devcmd failures and checkheaps traceback when flow offload is not used. |
| CSCwd85178 | AWS ASAv PAYG Licensing not working in GovCloud regions. |
| CSCwd91421 | ASA/FTD may traceback and reload in logging_cfg processing |
| CSCwd93376 | Clientless VPN users are unable to download large files through the WebVPN portal |
| CSCwd94096 | Anyconnect users unable to connect when ASA using different authentication and authorization server |
| CSCwd95043 | Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability |
| CSCwd95436 | Primary ASA traceback upon rebooting the secondary |
| CSCwd95908 | ASA/FTD traceback and reload, Thread Name: rtcli async executor process |
| CSCwd96845 | Cisco ASA and FTD AnyConnect Access Control List Bypass Vulnerability |
| CSCwd97020 | ASA/FTD: External IDP SAML authentication fails with Bad Request message |
| CSCwe03991 | FTD/ASA traceback and reload during to tmatch compilation process |
| CSCwe05913 | FTD traceback/reloads - Icmp error packet processing involves snp_nat_xlate_identity |
| CSCwe09074 | None option under trustpoint doesn't work when CRL check is failing |
| CSCwe12407 | High Lina memory use due to leaked SSL handles |
| CSCwe14174 | FTD - 'show memory top-usage' providing improper value for memory allocation |
| CSCwe25025 | 8x10Gb netmod fails to come online |
Version 9.16.4.9 – November 29, 2022
Defects resolved in this release:
| CSCvy65770 | ASA/FTD: Traceback and reload during BGP route update |
| CSCvz34289 | In some cases transition to lightweight proxy doesn't work for Do Not Decrypt flows |
| CSCvz41551 | FP2100: ASA/FTD with threat-detection statistics may traceback and reload in Thread Name 'lina' |
| CSCwa96860 | Failover high convergence causes traffic failures |
| CSCwc03507 | No-buffer drops on Internal Data interfaces despite little evidence of CPU hog |
| CSCwc23844 | ASAv high CPU and stack memory allocation errors despite over 30% free memory |
| CSCwc27846 | Traceback and Reload while HA sync after upgrading and reloading. |
| CSCwc37256 | SSL AnyConnect access blocked after upgrade |
| CSCwc66757 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwc67886 | ASA/FTD may traceback and reload in Thread Name 'lina_inotify_file_monitor_thread' |
| CSCwc68656 | ASA CLI for TCP Maximum unprocessed segments |
| CSCwc72155 | ASA/FTD Traceback and reload on function "snp_cluster_trans_allocb" |
| CSCwc72284 | TACACS Accounting includes an incorrect IPv6 address of the client |
| CSCwc74103 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-11-32591' |
| CSCwc77519 | FPR1000 ASA/FTD: Primary takes active role after reloading |
| CSCwc80234 | "inspect snmp" config difference between active and standby |
| CSCwc81184 | ASA/FTD traceback and reload caused by SNMP process failure |
| CSCwc90091 | ASA 9.12(4)47 with user-statistics, will affects the "policy-server xxxx global" visibility. |
| CSCwc93166 | Using write standby in a user context leaves secondary firewall license status in an invalid state |
| CSCwc94466 | Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability |
| CSCwc94501 | ASA/FTD memory leak and tracebacks due to ctm_n5 resets |
| CSCwc96805 | traceback and reload due to tcp intercept stat in thread unicorn |
| CSCwc99242 | ISA3000 LACP channel member SFP port suspended after reload |
| CSCwd00386 | ASA/FTD may traceback and reload when clearing the configration due to "snp_clear_acl_log_flow_all" |
| CSCwd00778 | ifAdminStatus output is abnormal via snmp polling |
| CSCwd01032 | ASA/FTD may traceback and reload when RAVPN with SAML is configured |
| CSCwd02864 | logging/syslog is impacted by SNMP traps and logging history |
| CSCwd03793 | FTD Traceback and reload |
| CSCwd11303 | ASA might generate traceback in ikev2 process and reload |
| CSCwd11855 | ASA/FTD may traceback and reload in Thread Name 'ikev2_fo_event' |
| CSCwd14972 | ASA/FTD Traceback and Reload in Thread Name: pix_flash_config_thread |
| CSCwd16294 | GTP inspection drops packets for optional IE Header Length being too short |
| CSCwd16517 | GTP drops not always logged on buffer and syslog |
| CSCwd16689 | ASA/FTD traceback due to block data corruption |
| CSCwd17856 | ASA goes for traceback/reload with message - snmp_ma_kill_restart: vf is NULL |
| CSCwd18744 | FPR1K FTD fails to form HA due to reason "Other unit has different set of hwidb index" |
| CSCwd20627 | ASA/FTD: NAT configuration deployment failure |
| CSCwd22907 | ASA/FTD High CPU in SNMP Notify Thread |
| CSCwd23913 | FTD in HA traceback multiple times after adding a BGP neighbour with prefix list. |
| CSCwd25201 | ASA/FTD SNMP traps enqueued when no SNMP trap server configured |
| CSCwd25256 | ASA/FTD Transactional Commit may result in mismatched rules and traffic loss |
| CSCwd26867 | Device should not move to Active state once Reboot is triggered |
| CSCwd31181 | Lina traceback and reload - VPN parent channel (SAL) has an invalid underlying channel |
| CSCwd38805 | Syslog 106016 is not rate-limited by default |
| CSCwd40260 | Serviceability Enhancement - Unable to parse payload are silently drop by ASA/FTD |
| CSCwd41083 | ASA traceback and reload due to DNS inspection |
| CSCwd51757 | Unable to get polling results using snmp GET for connection rate OID\u2019s |