Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

Revision: Version 9.16(4)61 – 5/21/2024
Defects resolved since 9.16(4)57:
[ENH] FTD should show error/warning when attaching an invalid certificate to the interface for VPN
IKEv2 debugs: Received Policies and Expected Policies are empty
Nodes randomly fail to join cluster due to internal clustering error
Secondary state flips between Ready & Failed when node is rebooted and mgmt interface is shutdown
ASA/FTD: Improve GTP Inspection Logging
ASA/FTD: GTP Inspection engine serviceability
ASA - The GTP inspection dropped the message 'Delete PDP Context Response' due to an invalid TEID=0
ASA/FTD traceback and reload on thread DATAPATH
FTD/ASA traceback and reload may occur when ssl packet debugs are enabled
NAT pool is not working properly despite not reaching the 32k object ID limit.
Firepower WCCP router-id changes randomly when VRFs are configured
ASA/FTD HA pair EIGRP routes getting flushed after failover
Datapath hogs causing clustering units to get kicked out of the cluster
ASA/FTD traceback and reload on thread DATAPATH
ASA traceback and reload on Thread Name: DATAPATH
ASA|FTD Traceback & reload in thread name Datapath
Cut-Through Proxy feature spikes CP CPU with a flood of un-authenticated traffic
CVE-2023-51385 (Medium Sev) In ssh in OpenSSH before 9.6, OS command injection might occur if a us
Continuous snmpd restarts observed if SNMP host is configured before the IP is configured
FTD SNMP OID 1.3.6.1.4.1.9.9.109.1.1.1.1.7 always returns 0% for SysProc Average
ASA traceback and reload after configuring capture on nlp_int_tap and deleting context
EIGRP bandwidth is changing after upgrade or after "shutdown"/"no shutdown" commands
Policy deployment failure rollback didn't reconfigure the FTD devices
ASA/FTD may traceback and reload in Thread Name DATAPATH due to GTP Spin Lock Assertion
The secondary device reloaded while rebooting the primary device.
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174'
Lina traceback and reload due to mps_hash_memory pointing to null hash table
After upgrading the ASA, “Slot 1: ATA Compact Flash memory” shows a different value
FTD/ASA: CSR generation with comma between “Company Name” attribute does not work as expected
Clientless VPN users are unable to reach pages with HTTP Basic Authentication
ASA/FTD may traceback and reload while handling DTLS traffic
IKEv2 tunnels flap due to fragmentation and throttling caused by multiple ciphers/proposal
ASA traceback and reload when accessing file system from ASDM
Crypto IPSEC Negotiation Failing At "Failed to compute a hash value"
ASA/FTD: A delay in an async crypto command induces a traceback and subsequently a reload.
ASA/FTD may traceback and reload in Thread Name 'lina' due to SCP/SSH process
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-1-16803'
ASA/FTD may traceback and reload in Thread Name 'sdi_work'

Revision: Version 9.16(4)57 – 4/1/2024
Defects resolved since 9.16(4)55:
ASA may fail to create NAT rule for SNMP with: "error NAT unable to reserve ports."
More information is required on Syslog 202010 messages for troubleshooting
ASA traceback and reload on Datapath process
ASA/FTD may traceback and reload in Thread Name 'lina'
FTD: HA crash and interfaces down on FPR4200
FTD: CLISH slowness due to command execution locking LINA prompt
ASA not updating Timezone despite taking commands
Firewall rings may get stuck and cause packet loss when asp load-balance per-packet auto is used
Traceback and reload on Thread DATAPATH-6-21369 and linked to generation of syslog message ID 202010
Firewall Traceback and reload due to SNMP thread
ASA traceback due to panic event during SNMP configuration
2100: Interfaces missing from FTD after removing interfaces as members of a port-channel
ASA|FTD: Traceback & reload in thread Name: update_mem_reference
In FPR4200/FPR3100 cluster, core file 'core.lina' observed on device reboot.
Lina Traceback: Thread Name: DATAPATH during session terminate
crypto_archive file generated after the software upgrade.
GTP connections, under certain circumstances, do not get cleared on issuing clear conn.
FTD VMWARE 7.0.5 tracebacks due to system memory exhaustion
Management DNS Servers may be unreachable if data interface is used as the gateway
ASA/FTD may traceback and reload in Thread Name 'lina'
FTD 1120 standby sudden reboot
Traceback on FP2140 without any trigger point.
FTD upgrade failing on script 999_finish/999_zz_install_bundle.sh
ASA/FTD may traceback and reload in Thread Name 'lina' due to a watchdog in 9.16.3.23 code
FTD ADI debugs may show incorrect server_group and/or realm_id for SAML-authenticated sessions
Hairpinning of DCE/RPC traffic during the suboptimal lookup
Low memory/stress causing traceback in SNMP
ASA/FTD: Cluster incorrectly generating syslog 202010 for invalid packets destined to PAT IP
ASA traceback and reload on Thread Name: pix_flash_config_thread
TCP MSS is changed back to the default value when a VTI or loopback interface is created
Standalone FTD running 7.2.2 on FPR-4112 experienced a traceback on the SNMP module
The "show asp drop" command usage requires better updates for cluster-related drops
Multiple lina cores on 7.2.6 KP2110 managed by cdFMC
ASA/FTD may traceback and reload in Thread Name 'lina'
ASA/FTD may traceback and reload in Thread Name 'lina'
ASA/FTD may traceback and reload in Thread Name "appAgent_monitor_nd_thread" & Rip: _lina_assert.
Traceback and reload around function HA
DHCPv6: ASA traceback on Thread Name: DHCPv6 CLIENT.
ASA/FTD may traceback and reload in Thread Name 'webvpn_task'
ASA/FTD traceback and reload in Thread Name: IKEv2 Daemon when moving from active to standby HA
Standby FTD experiencing periodic traceback and reload
Memory exhaustion due to absence of freeing up mechanism for tmatch
Transparent firewall MAC filter does not capture frames with STP-UplinkFast dst MAC consistently
FP2100/FP1000: ASA Smart licenses lost after reload
FTD/Lina traceback and reload of HA pairs, in data path, after adding NAT policy
Incorrect Timezone Format on FTD When Configured via FXOS
CCM ID 63 - LTS18
Traceback and reload on Primary unit while running debugs over the SSH session
FTD/ASA system clock resets to year 2023
Access to website via Clientless SSL VPN Fails
crypto ikev2 limit queue sa_init resets after reboot
FTD: Hostname Missing from Syslog Message
Chromium-based browsers have SSL connection conflicts when FIPS CC is enabled on the firewall.
FTD traceback assert in vni_idb_get_mode and reloaded
ASA Checkheaps traceback while entering same engineID twice
Upload files through Clientless portal is not working as expected after the ASA upgrade
RCE with disk0: called client_bundle_install.zip that contains a csco_config.lua
Remove unused AGG AUTH attributes from code to reduce attack surfaces
Cisco ASA and FTD Software Web Services Denial of Service Vulnerability
Remove uncalled function ewsStringPrintable()
Code Hardening for Backup and Restore to not use Linux Shell Commands.
IFS file system directory traversal file system vulnerabilities

Revision: Version 9.16(4)55 – 2/6/2024
Defects resolved since 9.16(4)48:
Remove Syslog Messages 852001 and 852002 in Firewall Threat Defense
Prevention of RSA private key leaks regardless of root cause.
Lina Netflow sending permitted events to Stealthwatch but they are blocked by snort afterwards
Failover trigger due to Inspection engine in other unit has failed due to disk failure
ASAv show crashinfo printing in loop continuously
FPR1K/FPR2K: Increase in failover time in Transparent Mode with high number of Sub-Interfaces
Write wrapper around "kill" command to log who is calling it
FTD LINA traceback and reload in Datapath thread after adding Static Routing
ASA/FTD Cluster: Change "cluster replication delay" with max value increase from 15 to 50 sec
LSP version not updated to latest in LINA Prompt in SSP_CLUSTER with 7.2.4 build.
ASA/FTD: Traceback and reload with Thread Name 'PTHREAD'
FTD/Lina - ZMQ issue OUT OF MEMORY due to less Msglyr pool memory on certain platforms
FTD snmpd process traceback and restart
ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls
Management UI presents self-signed cert rather than custom CA signed one after upgrade
FPR1010 in HA failed to send or receive to GARP/ARP with error "edsa_rcv: out_drop"
FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn
SNMP is not working on the primary active ASA unit in multi-context environment
ASA/FTD: 1 Second failover delay for each NLP NAT rule
ASA/FTD may traceback and reload in Thread Name 'dns_cache_timer'
ASA does not send 'warmstart' snmp trap
LINA show tech-support fails to generate as part of sf_troubleshoot.pl (Troubleshoot file)
FTD: Traceback and Reload in Process Name: lina
ASA: Traceback and reload when restoring configuration using CLI
ASA traceback under match_partial_keyword during CPU profiling
ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup
ASA/FTD: Traceback and reload on thread name CP Crypto Result Processing
FTD: Traceback in threadname cli_xml_request_process
Last Rule hit shows a hex value ahead of current time in ASA and ASDM
Unexpected traceback on thread name Lina and device experienced reboot
FTD VMWare tracebacks at PTHREAD-3587
FTD sends multiple replicated NetFlow records for the same flow event
FTD OSPFV3 IPV6 Routing: FTD is sending unsupported extended LSA request to neighbor routers
ASA/FTD - may traceback and reload in Thread Name 'Unicorn Proxy Thread'
ASA traceback and reload during ACL configuration modification
Firewall traceback and reload due to SSH thread
FTD/ASA may traceback and reload in PKI, syslog, during upgrade
VPN load-balancing cluster encryption using Phase 2 deprecated ciphers
ASA/FTD high memory usage due to SNMP caused by RAVPN OID polling
FTD may traceback in data-path during deployment when enabling TAP mode
ASA SNMP OID cpmCPUTotalPhysicalIndex returning zero values instead of CPU index values
Stale asp entry for TCP 443 remains on standby after changing default port
OSPF Redistribution route-map with prefix-list not working after upgrade
ASA/FTD: SSL VPN Second Factor Fields Disappear
Username-from-certificate secondary attribute is not extracted if the first attribute is missing
ASA/FTD: 'IKEv2 Negotiation aborted due to ERROR: Platform errors' during a rekey
ASA: Snmpwalk shows "No Such Instance" for the OID ceSensorExtThresholdValue
ASA/FTD: Traceback and reload when running show tech and under High Memory utilization condition
ASA/FTD may traceback and reload in Thread Name IKEv2 Daemon
GTP inspection dropping packets with IE 152 due to header length being invalid for IE type 152
FTD drops double tagged BPDUs.
Service object-group protocol type mismatch error seen while access-list referencing already
Unable to Synch more than 100 environment-data with data unit
Interface fragment queue may get stuck at 2/3 of fragment database size
Update CiscoSSH to address CVE-2023-48795
LINA would randomly generate a traceback and reload on FPR-1K

Revision: Version 9.16(4)48 – 11/28/2023
Defects resolved since 9.16(4)42:
LINA time-sync correction
logging/syslog is impacted by SNMP traps and logging history
FTD: Traceback & reload in process name lina
Enhance logging mechanism for syslogs
Need to provide rate-limit on "logging history <mode>"
[FTD Multi-Instance][SNMP] - CPU OIDs return incomplete list of associated CPUs
ASA/FTD - SNMP related memory leak behavior when snmp-server is not configured
Memory leak observed on ASA/FTD when logging history is enabled
show xlate does not display xlate entries for internal interfaces (nlp_int_tap) after enabling ssh.
Lina core created during high traffic testing
KP - multimode: ASA traceback observed during HA node break and rejoin.
Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220
ASA|FTD: Traceback & reload due to a free buffer corruption
FTD Lina traceback Thread Name: DATAPATH-3-11917 due to double free
Lina CiscoSSL upgrade to 1.1.1v and FOM 7.3a
ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple
ASA traceback when re-configuring access-list
FTD hosted on KP incorrectly dropping decoded ESP packets if pre-filter action is analyze
FTD Block 9344 leak due to fragmented GRE traffic over inline-set interface inner-flow processing
ASA allows same BGP Dynamic routing process for Physical Data and management-only interfaces
show aaa-server command always shows the Average round trip time 0ms.
ASA: unexpected logs for initiating inbound connection for DNS query response
ASA/FTD traceback and reload with IPSec VPN, possibly involving upgrade
ASA/FTD may traceback and reload in Thread Name 'lina' while processing DAP data
Fragmented UDP packet via MPLS tunnel fails to reassemble
ASDM cannot see log timestamp after enabling logging timestamp on cli
Timestamp entry missing for some syslog messages sent to syslog server
Community string sent from router is not matching ASA
ASA/FTD may traceback and reload in Thread Name 'lina'

Revision: Version 9.16(4)42 – 10/04/2023
Defects resolved since 9.16(4)39:
Traceback and reload with 'CHECKHEAPS HAS DETECTED A MEMORY CORRUPTION'
ASA/FTD may traceback and reload during ACL changes linked to PBR config
TPK: No nameif during traffic causes the device traceback, lina core is generated.
ASA/FTD: Command "no snmp-server enable oid mempool" enabled by default or enforced during upgrades
FPR 4115: primary unit lost all HA config after FTD HA upgrade
Deleting a BVI in FTD interfaces is causing packet drops in other BVIs
ASA / FTD Traceback and reload when removing isakmp capture
Traffic may be impacted if TLS Server Identity probe timeout is too long
Priority-queue command causes silent egress packet drops on all port-channel interfaces
ASA traceback and reload on Thread Name: DHCPRA Monitor
show route all summary executed on transparent mode FTD is causing CLISH to become Sluggish.
FTD taking longer than expected to form OSPF adjacencies after a failover switchover
FTD: Traceback and reload during OSPF redistribution process execution
OSPFv3 Traffic is Centralized in Transparent Mode
Cisco Adaptive Security Appliance Software and Firepower Threat Defense DoS
ASDM application randomly exits/terminates with an alert message on multi-context setup
ASA traceback on Lina process with FREEB and VPN functions
ASA/FTD may traceback and reload when changing capture buffer size
Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output
PAC Key file missing on standby on reload
Connections are not cleared after idle timeout when the interfaces are in inline mode.
Specific OID 1.3.6.1.2.1.25 should not be responding
ASA/FTD may traceback and reload in Thread Name 'ssh' when adding SNMPV3 config
FTD - Traceback and reload due to nat rule removed by CPU core
ASDM management-sessions quota reached due to HTTP sessions stuck in CLOSE_WAIT
ASA/FTD: NAT64 error "overlaps with inside standby interface address" for Standalone ASA
ASA/FTD may traceback and reload while running show inventory all

Revision: Version 9.16(4)39 – 09/20/2023
Defects resolved since 9.16(4)38:
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability

Revision: Version 9.16(4)38 – 08/30/2023
Defects resolved since 9.16(4)27:
FTD traceback in Thread Name cli_xml_server when deploying QoS policy
Lack of throttling of ARP miss indications to CP leads to oversubscription
High System Overhead memory on FTD
ASA/FTD may traceback and reload in Thread Name 'lina'
Stratix5950 and ISA3000 LACP channel member SFP port suspended after reload
multimode-tmatch_df_hijack_walk traceback observed during shut/unshut on FO connected switch interfa
LINA traceback with icmp_thread
ASA Evaluation of OpenSSL vulnerability CVE-2022-4450
FP2100 series devices might use excessive memory if there is a very high SNMP polling rate
ASA/FTD may traceback and reload in Thread Name DATAPATH-1-1656
PortChannel sub-interfaces configured as data/data-sharing, in multi-instance HA go into "waiting"
ASA/FTD may traceback and reload in Thread Name 'lina'
ASA/FTD traceback and reload citing thread name: cli_xml_server in tm_job_add
Add knob to pause/resume file specific logging in asa log infra.
FTD running on FP1000 series might drop packets on TLS flows after the "Client Hello" message.
FTD: Traceback in ZMQ running 7.3.0
ASA Traceback and reload citing process name 'lina'
ASAv in Hyper-V drops packets on management interface
ASDM replaces custom policy-map with default map on class inspect options at backup restore.
ASA Packet-tracer displays the first ACL rule always, though matches the right ACL
FP2130 - Unable to disassociate member from port channel, deployment fails, member is lost on FTD/FMC
ASA/FTD: Connection information in SIP-SDP header remains untranslated with destination static Any
[IMS_7_4_0] - Virtual FDM Upgrade fails: HA configStatus='OUT_OF_SYNC after UpgradeOnStandby
FTD: GRE traffic is load balanced between CPU cores
ASA: Traceback and reload while updating ACLs on ASA
ASAv - High latency is experienced on Azure environment for ICMP ping packets while running snmpwalk
VPN load-balancing cluster encryption using deprecated ciphers
ASA/FTD: Traceback and reload when issuing 'show memory webvpn all objects'
DNS cache entry exhaustion leads to traceback
FTD username with dot fails AAA-RADIUS external authentication login after upgrade
ASA SNMP polling not working and showing "Unable to honour this request now" on show commands
Reduce time taken to clear stale IKEv2 SAs formed after Duplicate Detection
ASA Traceback & reload on process name lina due to memory header validation
KP2140-HA, reloaded primary unit not able to detect the peer unit
ASA generating traceback with thread-name: DATAPATH-53-18309 after upgrade to 9.16.4.19
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability
Add meaningful logs when the maximum system limit rules are hit
ASA appliance mode - 'connect fxos [admin]' will get ERROR: failed to open connection.
ASA: Checkheaps traceback and reload due to Clientless WebVPN
FTD: Firepower 3100 Dynamic Flow Offload showing as Enabled
Policy deployment fails when a route with the same prefix/metric is configured in a separate VRF.
ASA: Traceback and reload on Thread name "fover_FSM_thread" and ha_ntfy_prog_process_timer
ECDSA Self-signed certificate using SHA384 for EC521
Failover standby config-lock config is lost after both HA units are reloaded simultaneously
ASA Traceback & reload on process name lina due to memory header validation - webvpn side fix
Interface speed mismatch in SNMP response using OID .1.3.6.1.2.1.2.2
ASA/FTD may traceback and reload in Thread Name "RAND_DRBG_bytes" and CTM function on n5 platforms
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability
Cisco ASA and FTD Software Remote Access VPN Unauthorized Access Vulnerability

Revision: Version 9.16(4)27 – 06/15/2023
Defects resolved since 9.16(4)19:
FTD - %FTD-3-199015: port-manager: Error: DOM Block Read failure, port X, st = X log false/positive
ASA: The timestamp for all logs generated by Admin context are the same
FP1000 - During boot process in LINA mode, broadcasts leaked between interfaces resulting in storm
FPR1150: Exec format error seen and the device hung until reload when erase secure all is executed
30+ seconds data loss when unit re-joins cluster
Blade not coming up after FXOS update support on multi-instance due to ssp_ntp.log log rotation prob
Link Up seen for a few seconds on FPR1010 during bootup
FTD traceback and reload while deploying PAT POOL
Partition "/opt/cisco/config" gets full due to wtmp file not getting logrotated
Workaround to set hwclock from ntp logs on low end platforms
Multiple tracebacks seen on standby unit.
2100: Power switch toggle leads to ungraceful shutdowns and "PowerCycleRequest" reset
Stale IKEv2 SA formed during simultaneous IKE SA handling when missing delete from the peer
FP2100: Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames
SNMP on SFR module goes down and won't come back up
SSL decrypted conns fail when tx chksum-offload is enabled with the egress interface a pppoe.
ASA/FTD reboots due to traceback pointing to watchdog timeout on p3_tree_lookup
FTD Traceback and reload on Thread Name "NetSnmp Event mib process"
PIM register packets are not sent to RP after a reload if FTD uses a default gateway to reach the RP
Need fault/error for invalid firmware MF-111-234949
Multiple times the failover may be disabled by wrongly seeing a different "Mate operational mode".
Interface remains DOWN in an Inline-set with propagate link state
ASA/FTD: Degradation for TCP tput on FPR2100 via IPSEC VPN when there is delay between VPN peers
Default DLY value of port-channel sub interface mismatch with parent Portchannel
ASA/FTD traceback and reload on thread DATAPATH-14-11344 when SIP inspection is enabled
Notification Daemon false alarm of Service Down
ASA Traceback and reload in parse thread due to ha_msg corruption
ngfwManager process continuously restarting leading to ZMQ Out of Memory traceback
FXOS REST API: Unable to create a keyring with type "ecdsa"
Threat-detection does not recognize exception objects with a prefix in IPv6
Cisco ASA & FTD SAML Authentication Bypass Vulnerability
ASA/FTD may traceback and reload in Thread Name 'lina'
ASA/FTD: SNMP related traceback and reload immediately after upgrade from 6.6.5 to 7.0.1
Traceback and reload thread datapath on process tcpmod_proxy_continue_bp
ASA/FTD may traceback and reload in Thread Name 'ci/console'
Setting HB timeout to 6sec for BS and QP
ASA running out of SNMP PDU and SNMP VAR chunks
Lina traceback and reload due to fragmented packets
ASA sends OCSP request without user-agent and host
ASA: After upgrade to 9.16.4 all type-8 passwords are lost on first reboot
Traceback and reload in Process Name: lina related to Nat/Pat
TCP normalizer needs stats that show actions like packet drops
LDAP authentication over SSL not working for users that send large authorisation profiles
ASA/FTD may traceback and reload in Thread Name '19', free block checksum failure
ASA may traceback and reload in Thread Name 'DHCPv6 Relay'
ASA/FTD: Traceback on thread name: snmp_master_callback_thread during SNMP and interface changes
Unable to establish BGP when using MD5 authentication over GRE TUNNEL and FTD as passthrough device
FTD may fail to create a NAT rule with error: "IPv4 dst real obj address range is huge"
Inconsistent log messages seen when emblem is configured and buffer logging is set to debug
ASA in multi context shows standby device in failed state even after MIO HB recovery.
ASA integration with umbrella does not work without validation-usage ssl-server.
ASA traceback and reload with the Thread name: CP Crypto Result Processing
ASA access-list entries have the same hash after upgrade
ASA/FTD may traceback and reload citing process name "lina"
Traceback in Thread Name: ssh/client in a clustered setup
ASA: Traceback and reload due to clientless webvpn session close null pointer
Cisco ASA and FTD Software Remote Access SSL VPN Multiple Certificate Auth Bypass
CSCwf06377 Setting heartbeat timeout to 6sec for Firepower 4100 and 9300

Revision: Version 9.16(4)19 – 05/04/2023
Defects resolved since 9.16(4)18:
FXOS: Fault "The password encryption key has not been set." displayed on FPR1000 and FPR2100 devices
Clean up session index handling in IKEv2/SNMP/Session-mgr for MIB usage
ASA SNMP Poll is failing & show display "Unable to honour this request now. Please try again later."
FPR3100: 25G optic may show link up on some 1/10G capable only fiber ports
Critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on 2100/3100 devices
EIGRPv6 - Crashed with "mem_lock: Assertion mem_refcount' failed" on LINA.
Expected snmp output is not found in 'show run | in fxos snmp'
Analyze why there is no logrotate for /opt/cisco/config/var/log/ASAconsole.log
ASA|FTD: Implement different TLS diffie-hellman prime based on RFC recommendation
FXOS: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy.
MI FTD running 7.0.4 is on High disk utilization
The Standby Device going in failed state due to snort heartbeat failure
41xx: Blade does not capture or log a reboot signal
Cluster data unit drops non-VPN traffic with ASP reason "VPN reclassify failure"
FPR1120: connections are getting torn down after switchover in HA
ASA: Traceback and reload while processing SNMP packets
ASA/FTD may drop multicast packets due to no-mcast-intrf ASP drop reason until UDP timeout expires
Multicast connection built or teardown syslog messages may not always be generated
ASA/FTD may traceback and reload after executing 'clear counters all' when VPN tunnels are created
The command "app-agent heartbeat" is getting removed when deleting any created context
FTD MI does not adjust PVID on vlans attached to BVI
ASA/FTD Show chunkstat top command implementation
ASA/FTD might traceback in function "snp_fp_l2_capture_internal" due to cf_reinject_hide flag
ASA/FTD: High failover delay with large number of (sub)interfaces and http server enabled
FP2100: Update LINA asa.log files to avoid recursive messages-<date>.1.gz rotated filenames
Syslog ASA-6-611101 is generated twice for a single ssh connection
ASA/FTD drops traffic to BVI if floating conn is not default value due to no valid adjacency
ASA/FTD may traceback and reload in Thread Name 'lina'
FTD on FPR2140 - Lina traceback and reload by TCP normalization
FTD: "timeout floating-conn" not operating as expected
ASA Multicontext 'management-only' interface attribute not synced during creation
ASA reboots due to heartbeat loss and "Communication with NPU lost"
ASA/FTD traceback in snp_tracer_format_route
ASA/FTD may traceback and reload in Thread Name 'lina' due to tcp intercept stat
ASA/FTD: Ensure flow-offload states within cluster are the same
ASA/FTD may traceback and reload after changing IP of authentication server
ASA: Prevent SFR module configuration on unsupported platforms
The command "neighbor x.x.x.x ha-mode graceful-restart" removed when deleting any created context
ASA - Standby device may traceback and reload during synchronization of ACL DAP
ASA/FTD may traceback and reload in Thread Name 'lina'
Last fragment from SIP IPv6 packets has MF equal to 1, flagging that more packets are expected
Failover fover_trace.log file is flooding and gets overwritten quickly
ASA/FTD may traceback and reload in Thread Name DATAPATH-3-21853
Unable to login to FTD using external authentication
AnyConnect - mobile devices are not able to connect when hostscan is enabled
ASA/FTD may traceback and reload in Thread Name 'pix_flash_config_thread'
ASA/FTD may traceback and reload in Thread Name 'lina'
ASA: Standby failure on parsing of "management-only" not reported to parser/failover subsystem
Serial number attribute from the subject DN of certificate should be taken as the username
ASA: Standby failure on parsing of "management-only" for dynamic configuration changes
ASA/FTD may traceback and reload in Thread Name 'lina'.
FTD DHCP Relay drops NACK if multiple DHCP Servers are configured
ASA: Configurable CLU for Large amount of under/overruns on CLU RX/TX queues
Cisco FTD Software for Cisco Firepower 2100 Series Inspection Rules DoS Vulnerability
User with no vpn-filter may get additional access when per-user-override is set (IKEv2 RAVPN)

Revision: Version 9.16(4)18 – 03/27/2023
Defects resolved since 9.16(4)14:
FTD - Flow-Offload should be able to coexist with Rate-limiting Feature (QoS)
ASA/FTD may traceback and reload in process Lina
ENH: Reduce latency in log_handler_file to reduce watchdog under scale or stress
FTD Traceback and reload when applying long capture commands from FMC UI
ASA/FTD tmatch compilation check when unit joins the cluster, when TCM is off
DHCP Relay is looping back the DHCP offer packet causing dhcprelay to fail on the FTD/ASA
FXOS log rotate failing to cycle files, resulting in large file sizes
Need corrections in log_handler_file watchdog crash fix
Port-channel interfaces of secondary unit are in waiting status after reload
FTD Traffic failure due to 9344 block depletion in peer_proxy_tx_q
Traceback and reload when webvpn users match DAP access-list with 36k elements
Cut-Through Proxy does not work with HTTPS traffic
ASA/FTD NAT Pool Cluster allocation and reservation discrepancy between units
ASA unexpectedly reloads when doing backup
License Commands go missing in Cluster data unit if the Cluster join fails.
FTD traceback and reload during policy deployment adding/removing/editing of NAT statements.
ASA/FTD Traceback and reload of Standby Unit while removing capture configurations
ASA/FTD may traceback and reload in Thread Name: CTM Daemon
256-byte memory block gets depleted on start if jumbo frame is enabled with FTD on ASA5516
NTP polling frequency changed from 5 minutes to 1 second causes large useless log files
CLUSTER: ICMP reply arrives at director earlier than CLU add flow request from flow owner.
ASA/FTD may traceback and reload in Thread Name 'None' at lua_getinfo
ASA: FP2100 FTW timeout triggered by high CPU usage during FTD Access Control Policy deploy.
User with no vpn-filter may get additional access when per-user-override is set

Revision: Version 9.16(4)14 – 02/07/2023
Defects resolved since 9.16(4)9:
Add a warning when member interfaces of the port-channel are different between active and standby
Cisco ASA Software SSL VPN Client-Side Request Smuggling Vulnerability via "/" URI
Failover high convergence causes traffic failures
FTD Snort3 traceback in daq-pdts while handling FQDN based traffic
FP2100: ASA/FTD high availability is not resilient to unexpected lacp process termination
ASA/FTD Traceback and reload in Process Name: lina
FTD on FP2100 can take over as HA active unit during reboot process
Traceback and Reload while HA sync after upgrading and reloading.
ASA/FTD may traceback and reload in Thread Name 'lina' ip routing ndbshr
ASA HA failover triggers HTTP server restart failure and ASDM outage
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-0-4948'
FXOS ASA/FTD SNMP OID to poll Internal-data 'no buffer' interface counters
ESP rule missing in vpn-context may cause IPSec traffic drop
ASA: ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT
ASA/FTD may traceback with large number of network objects deployment using distribute-list
ASA/FTD High CPU in SNMP Notify Thread
ASA/FTD may traceback and reload in Thread Name 'lina'
Standby unit using both active and standby IPs causing duplicate IP issues due to nat "any"
FPR 2100: 10G interfaces with 1G SFP go down post reload
ASA/FTD: Traceback and reload in Thread Name: appAgent_reply_processor_thread
ASA - traceback and reload when Webvpn Portal is used
ASA restore is not applying vlan configuration
ASA/FTD: Object Group Search Syslog for flows exceeding threshold
FTD PDTS LINA RX queue can become stuck when snort sends messages with 4085-4096 bytes size
show tech-support generation does not include "show inventory" when run on FTD
FTD Lina traceback and reload in Thread Name 'IP Init Thread'
Misleading drop reason in "show asp drop"
Clientless Accessing Web Contents using application/octet-stream vs text/plain
Recursive panic under lina_duart_write
ASA/FTD: Traceback and reload due to SNMP group configuration during upgrade
ASA: Standby may get stuck in "Sync Config" status upon reboot when EEM is configured
ASA Connections stuck in idle state when DCD is enabled
FPR2100: Increase in failover convergence time with ASA in Appliance mode
AC clients fail to match DAP rules due to attribute value too large
FP4125 2.10.1.166 FTD applications in HA went into not responding state
Lina changes to support CSCwb04975 - Snort3 traceback in daq-pdts while handling FQDN based traffic
S2S Tunnels do not come up due to DH computation failure caused by DSID Leak
ASA configured with HA may traceback and reload with multiple input/output error messages
LINA Traceback on FPR-1010 under Thread Name: update_cpu_usage
ASA/FTD may traceback and reload in Thread Name 'telnet/ci'
Observing some devcmd failures and checkheaps traceback when flow offload is not used.
AWS ASAv PAYG Licensing not working in GovCloud regions.
ASA/FTD may traceback and reload in logging_cfg processing
Clientless VPN users are unable to download large files through the WebVPN portal
Anyconnect users unable to connect when ASA uses different authentication and authorization servers
Primary ASA traceback upon rebooting the secondary
ASA/FTD traceback and reload, Thread Name: rtcli async executor process
ASA/FTD: External IDP SAML authentication fails with Bad Request message
FTD/ASA traceback and reload due to tmatch compilation process
FTD traceback/reloads - ICMP error packet processing involves snp_nat_xlate_identity
None option under trustpoint doesn't work when CRL check is failing
FTD - 'show memory top-usage' provides an improper value for memory allocation
Cisco ASA and FTD VPN Web Client Services Client-Side Request Smuggling Vulnerability
Cisco ASA and FTD AnyConnect SSL/TLS VPN Denial of Service Vulnerability
Cisco ASA and FTD ICMPv6 Message Processing Denial of Service Vulnerability
Revision: Version 9.16(4)9 – 11/29/2022
Defects resolved since 9.16(4):
ASA/FTD: Traceback and reload during BGP route update
In some cases transition to lightweight proxy doesn't work for Do Not Decrypt flows
FP2100: ASA/FTD with threat-detection statistics may traceback and reload in Thread Name 'lina'
Failover high convergence causes traffic failures
Constant no-buffer drops on Internal Data interfaces despite little evidence of CPU hog
ASAv high CPU and stack memory allocation errors despite over 30% free memory
Traceback and Reload while HA sync after upgrading and reloading.
SSL AnyConnect access blocked after upgrade
ASA/FTD may traceback and reload in Thread Name 'lina'
ASA/FTD may traceback and reload in Thread Name 'lina_inotify_file_monitor_thread'
ASA/FTD Traceback and reload on function "snp_cluster_trans_allocb"
TACACS Accounting includes an incorrect IPv6 address of the client
ASA/FTD may traceback and reload in Thread Name 'DATAPATH-11-32591'
FPR1120-ASA: Primary takes active role after reloading
inspect snmp config difference between active and standby
ASA/FTD traceback and reload caused by SNMP process failure
ASA 9.12(4)47 with user-statistics affects the "policy-server xxxx global" visibility.
Using write standby in a user context leaves secondary firewall license status in an invalid state
ASA/FTD tracebacks due to ctm_n5 resets
Traceback and reload due to tcp intercept stat in thread unicorn
ISA3000 LACP channel member SFP port suspended after reload
ASA/FTD may traceback and reload when clearing the configuration due to "snp_clear_acl_log_flow_all"
ifAdminStatus output is abnormal via snmp polling
Changing the buffer size impacting logging to buffer
FTD Traceback and reload
ASA might generate traceback in ikev2 process and reload
ASA/FTD may traceback and reload in Thread Name 'ikev2_fo_event'
ASA/FTD Traceback and Reload in Thread Name: pix_flash_config_thread
GTP inspection drops packets for optional IE Header Length being too short
GTP drops not always logged on buffer and syslog
ASA/FTD traceback due to block data corruption
FTD | Failure to join HA due to "Other unit has different set of hwidb index"
ASA/FTD: NAT configuration deployment failure
ASA/FTD High CPU in SNMP Notify Thread
FTD in HA traceback multiple times after adding a BGP neighbour with prefix list.
ASA/FTD SNMP traps enqueued when no SNMP trap server configured
With TCM enabled new ACLs are not working on ASA if non access-group command disabled twice
Device should not move to Active state once Reboot is triggered
Lina traceback and reload - VPN parent channel (SAL) has an invalid underlying channel
Syslog 106016 is not rate-limited by default
Serviceability Enhancement - Unable-to-parse payloads are silently dropped by ASA/FTD
ASA traceback and reload due to DNS inspection
Unable to get polling results using snmp GET for connection rate OIDs
Cisco ASA/FTD Firepower 2100 SSL/TLS Denial of Service Vulnerability