Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available.
Version 9.18.4.71 – December 1, 2025
Defects resolved since 9.18.4.68:
| CSCvm76755 | DP-CP arp-in and adj-absent queues need to be separated |
| CSCwd73020 | Fix Bootup Warning: Counter ID 'TLS13_DOWNSTREAM_CLIENT_CERTIFICATE_VERIFY' is too long |
| CSCwd92327 | on 2k platform, external authentication fails for users starting with number |
| CSCwi44488 | ASA/FTD: Traceback and reload reload in in process 'lina' due to ikev2_find_child_sa_by_local_spi |
| CSCwj16279 | username containing '@' character works for asa login but fails for 'connect fxos' |
| CSCwj98648 | Failure to read the signature keys (mult-instance deployment) |
| CSCwk07934 | Clock skew between FXOS and Lina causes SAML assertion processing failure |
| CSCwk09488 | Incorrect syslog generated on failure to process SGT from ISE during RA authentication |
| CSCwk14657 | Bring back support for portal-access-rule for weblaunch for RAVPN sessions |
| CSCwk64643 | Failover prompt shows state active while the firewall is in Negotiation |
| CSCwk97677 | TPK-MI FTD instance getting validation error and ftds in splitbrain HA post upgrade 7.6.0-1685 |
| CSCwn15505 | Observing Lina Core for 2.17 in BS/QP with App Instance Stuck in 'Started' State |
| CSCwn50760 | ASA Traceback after upgrade to 9.20.3.7 |
| CSCwn55890 | SAML DNS LB fails to redirect to local host when local-base-url contains uppercase letters |
| CSCwn57674 | fix block loc oper set after free |
| CSCwn61041 | Traceback and reload during clear bgp * ipv6 unicast involving watchdog |
| CSCwo05712 | Serviceability Enhancement - Make FXOS disk errors more descriptive |
| CSCwo09439 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-3-4280' |
| CSCwo15715 | IKEv2 Rekeys fail due to fragmentation during the IKE Rekey |
| CSCwo22091 | FTD sending "0.0.0.0" NAS-IP-Address attribute when authenticating/authorizing using Radius |
| CSCwo36485 | ASA/FTD traceback and reload in vaccess_nameif_action thread |
| CSCwo42102 | show tech-support fprm detail command is getting stuck for longer duration |
| CSCwo45497 | Counter from IKEV2 stats does not match the number of tunnels in VPN-Sessiondb |
| CSCwo57740 | '${dsk_a} missing or inoperable. Rebooting Blade.' error does not specify missing or inoperable disk |
| CSCwo72352 | Memory leak: ASA Fragment size 72 causing memory exhaustion in MEMPOOL_GLOBAL_SHARED POOL |
| CSCwo76165 | Deployment failure due to rsync |
| CSCwo76559 | ASA/FTD traceback and reload with SNMP Notify Thread seen on 3110 |
| CSCwo87763 | ASA/FTD: Primary standby unit becomes Active after reload in HA set up |
| CSCwo91748 | Lina: Traceback in thread name ssh on executing show access-list after ACL deletion |
| CSCwp13016 | FTD/ASA SSH: Terminal monitor is not showing logs |
| CSCwp22612 | Policy deploy failing on FTD when trying to remove Umbrella DNS Configuration |
| CSCwp25033 | An ICMP not reachable storm might cause high CPU on a two units FTD cluster |
| CSCwp26815 | CPU usage by "WebVPN Timer Process" on standby ASA device |
| CSCwp33077 | SAML IdP entityID increase from capped 128 character maximum |
| CSCwp36133 | Clarify the working of Fallthrough to Interface PAT (Destination Interface) as it is not working as expected |
| CSCwp64615 | ASA/FTD: ASP drop capture for 'invalid-ip-length' or 'sp-security-failed' does not work with match criteria |
| CSCwp66721 | Memory leak in SSL crypto causing high Lina memory usage on lower-end devices running FTD 7.7.0 |
| CSCwp90780 | Restoring .tgz context file causes allocated interfaces to be removed from 'system' configuration |
| CSCwp93368 | LINA traceback Observed on FTDv Firewalls Deployed in Azure: snp_vxlan_encap_and_send_to_remote_peer |
| CSCwp97402 | WA: Traceback and reload due to lock contention on the tmatch table during deployment with large snmp config |
| CSCwq07808 | FP3105 Traceback and Reload after changing the speed on Ethernet interface |
| CSCwq16926 | Traceback and Reload while two processes attempt to free a TD subnet structure |
| CSCwq18679 | ASA from CSM/CLI - no access-list ACL_name line line_nr remark on last ACL line shows message - "Specified remark does not exist" |
| CSCwq21101 | Invalid host header reveals ASA interface IP address |
| CSCwq22206 | VPN lost during a rekey with 'IKEv2 negotiation aborted due to ERROR: Platform errors' |
| CSCwq27217 | ASA: Traceback and reload on threat detection, interfaces unstable after that |
| CSCwq29375 | ASA/FTD - Assert triggered during FP_PUNT replace (aaa account match) |
| CSCwq29706 | Traceback and reload after editing SNMP config, with tmatch |
| CSCwq31342 | FPR4200 | FPR3100 Multi Instance Chassis Deployment Failed in DNS configuration |
| CSCwq39942 | CVE-2025-32463: sudo: Sudo before 1.9.17p1 allows local users to obtain |
| CSCwq39943 | CVE-2025-32462: sudo: Before 1.9.17p1, allows users to execute commands on unintended machines. |
| CSCwq40256 | Inbound IPsec packets are dropped by IPsec offload when the crypto map ACL is using specific ports. |
| CSCwq43711 | Idle SSH sessions persist beyond the configured timeout without graceful termination by Fin flag |
| CSCwq46058 | ASA SNMP Response Issue - Responses Sent Only for Odd OIDs, Not for Even |
| CSCwq47622 | Lina Traceback and Reload after enabling 'TLS Server Identity Discovery' |
| CSCwq48842 | FTD: Packets Dropped due to tcp-seq-past-win due to delayed packet through Snort |
| CSCwq50373 | ASA/FTD in HA, snmptranslate process during the boot-up causing High CPU and IPC timeouts, causing split-brain. |
| CSCwq52188 | FTD Traceback while executing `asp load-balance per-packet` |
| CSCwq52255 | SSH login to FTD management IP address lands in FXOS shell instead of FTD CLISH due to missing /mnt/boot/application/*.def file |
| CSCwq54109 | FTD 3130 HA Lina tracebacks at ikev2_bin2hex_str |
| CSCwq70133 | Password Expiry Age does not reset after Password Change |
| CSCwq70773 | show asp rule-engine issues with complete and run time |
| CSCwq74204 | IKEv1 L2Lvpn fails in phase 2 with "Rejecting IPsec tunnel: no matching crypto map entry" after upgrade |
| CSCwq74738 | RAVPN SSL/IKEV2 AUTH FAILURE: AAA PROCESS MISHANDLING BROKEN FIBER CLASS |
| CSCwq74986 | FTD: Instance stuck in Boot Loop |
| CSCwq78991 | Firewall joins a cluster although gets incomplete ACL policy rules during replication |
| CSCwq82225 | Drop counter doesn't increment for embryonic related drops in 'show service policy' |
| CSCwq90072 | ASDM Parsing Failure on Two Contexts |
| CSCwq92728 | ASA client IP missing from TACACS+ authorization request in SSH |
| CSCwq95241 | Reboots on FP2130 due to missing heimdall PID |
| CSCwq95810 | "no http server basic-auth-client ASDM" allows ASDM connections to ASA. |
| CSCwq96870 | Interfaces are coming up when the Firepower is shutting down |
| CSCwq98101 | Policy deployment fails when inline-set is configured on FTD HA |
| CSCwq98648 | Low RAM allocation on ASAv can trigger unexpected behavior in 'asdm image' command |
| CSCwr05406 | Traceback in HA stby node while snmpwalk on natAddrMapTable |
| CSCwr05837 | SNMP process continuously restarts |
| CSCwr06290 | ASA/FTD: Traceback in thread name CP Processing due to DCERPC inspection |
| CSCwr10732 | Connection blocking active although "logging permit-hostdown' is set |
| CSCwr10747 | ASA/FTD may traceback and reload due to memory exhaustion |
| CSCwr12965 | Both the units in HA changed the encryption algorithm simultaneously |
| CSCwr14186 | add context for cmd-invalid-encap asp-drop type in the "show asp drop" command usage |
| CSCwr19123 | FPR HA ESP sequence number discrepancy when standby changes to Active resulting in Anti-replay drops |
| CSCwr22256 | Traceback seen while FQDN list expands more than 200 entries for a resolved ip |
| CSCwr26857 | File policy stops working due to SMB tcp conn terminated after 1hr for unknown reason despite not idle |
| CSCwr27095 | Anyconnect users incorrectly get the prompts, based on the previous tunnel-group |
| CSCwr28908 | ASA: Traceback and reload after saving asdm image |
| CSCwr31782 | Secure Client SAML - External Browser May Prompt for a Certificate when using IKEv2-IPsec and Certificate Mapping |
| CSCwr42577 | ASA/FTD may traceback and reload citing Thread Name 'lina' as the faulting thread. |
| CSCwr42969 | Dynamic Offloaded Flows Interrupted midstream |
| CSCwr43586 | Intermittent drop of self-originated ICMP TTL exceeded messages with reason "Unable to obtain connection lock (connection-lock)" |
| CSCwr48605 | Lina traceback due to the incorrect option being received in the packet. |
| CSCwr49028 | Secure client tunnel group authentication is affected when using SDI protocol |
| CSCwr50466 | ASA/FTD: Wrong value shown for X509_STORE_CTX in 'show ssl objects' |
| CSCwr51629 | RTSP Flows are dropped with drop reason "First TCP packet not SYN" |
| CSCwr55089 | ASA/FTD - Traceback and Reload in Threadname DATAPATH |
| CSCwr61303 | Lina: Traceback and reload webvpn_session_release |
| CSCwr61452 | ASA traceback and reload due to memory corruption in IPsec SA pointers |
| CSCwr65540 | ASA traceback while disabling GTP inspection |
| CSCwr74420 | FTD - FTD RADIUS authentication fails with "bad authenticator" after disabling Management Interface Convergence |
| CSCwr81266 | Unable to remove certificate-group-map |
| CSCwr83527 | FP2110 Critical fault alerts for remote users |
| CSCwr88208 | ASA/FTD: Fragmentation issue for IKE_Auth packets |
Version 9.18.4.68 – September 29, 2025
Defects resolved since 9.18.4.67:
| CSCwq82095 | SAML response rejected with message for certain IDPs |
Version 9.18.4.67 – September 25, 2025
Defects resolved since 9.18.4.66:
| CSCwq79815 | Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability |
| CSCwq79831 | Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability |
Version 9.18.4.66 – August 13, 2025
Defects resolved since 9.18.4.57:
| CSCwb07908 | Standby FTD/ASA sends DNS queries with source IP of 0.0.0.0 |
| CSCwh11677 | saml idp names longer than 128 characters cannot be used |
| CSCwh13312 | Disable Notification Daemon heartbeat action |
| CSCwi15787 | Management access over VPN not working when NAT exempt is configured with any->any |
| CSCwi57476 | interface idb logging log rotation to FXOS logrotate utility |
| CSCwj29599 | Primary/standby may transition to active amidst a shutdown sequence triggered from clish |
| CSCwj32736 | SNMP walk does not work if IP is configured after SNMP is configured on ngfw management interface. |
| CSCwk88225 | Critical fault : [FSM:FAILED]: user configuration(FSM:sam:dme:AaaUserEpUpdateUserEp) |
| CSCwm05960 | Generated Crypto checksum changes without configuration change |
| CSCwm07419 | ldap.conf does not get generated using hostname impacting external radius authentication |
| CSCwm86414 | ASA - Failover config resync failed and unexpected reboot occurred |
| CSCwm92310 | FQDNs are unresolved via DNS on data interface after reboot or traceback |
| CSCwm95189 | Redis is an open source, in-memory database that persists on disk. An |
| CSCwn06520 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-2-2854' |
| CSCwn27872 | Big chunk of Memory of around 25KB is being allocated on Stack in "eigrp_interface_ioctl" API |
| CSCwn32978 | Traceback and reload in Thread Name Datapath |
| CSCwn36712 | NAT divert for 8305 on standby not updating post failover causing the Primary, standby FTD to show offline on FMC |
| CSCwn38761 | DNS FQDN obj doesn't go unresolved upon FQDN obj deleted on server/intf to reach sever is down in 7.7 |
| CSCwn39081 | SNMP walk results in ASCII value for IPSEC Peer instead of an IP address. |
| CSCwn59032 | FCM GUI became inaccessible after upgrading to ASA 9.18.4.22 | FPR 2130 Platform Mode |
| CSCwn60726 | Traceback and reload with Thread Name: vtemplate process |
| CSCwn69488 | ASA/FTD - Traceback and Reload in Threadname IP RIB Update |
| CSCwn80419 | Need the SVC Rx/Tx queue as a configurable option |
| CSCwn81118 | RTSP packets getting stuck in transmit queue leading to 9k blocks exhaustion. |
| CSCwn81995 | Traceback and Reload caused by Memory corruption with SNMP inspection enabled |
| CSCwn96929 | ASA: Traceback and Reload Under Thread Name SSH |
| CSCwn97630 | FTD reboot and traceback in DATAPATH due to IPv6 packet processing |
| CSCwn98402 | Debuggability: FP2100 port-channel interfaces flap after upgrade |
| CSCwo00102 | Snort3 trimming packets with invalid sequence number due to bad window size information received |
| CSCwo00332 | Firepower wiping SSL trustpoint config after reloading. |
| CSCwo00702 | Community lists should not throw an error until the last item in the list is being deleted |
| CSCwo08306 | Command authorization fallback to Local only works for users with privilege 15. |
| CSCwo08724 | Active HA unit goes into failed state before peer unit gets into a ready state during snort failure |
| CSCwo09195 | Traceback and reload during the deployment after disabling FQDNs. |
| CSCwo18838 | ASA/FTD may traceback and reload in Thread Name 'lina_exec_startup_thread' |
| CSCwo19762 | Unable to rejoin data node in cluster after re-enabling mac-address auto in multi-context mode |
| CSCwo24856 | 9K block depletion causing slowdown of all traffic through firewall |
| CSCwo31094 | Virtual ASA Traceback and Reload Caused by Disk Access Issues with NFS Enabled |
| CSCwo35783 | Enhance Debugging for add/update/withdraw of routes with neighbors |
| CSCwo35788 | Serviceability Enhancement - New 'show bgp internal' command for advanced debugging |
| CSCwo35810 | show bgp update-group a.b.c.d displays "no such neighbor" when there is a valid neighbor |
| CSCwo35938 | IPv6 Management communication is lost due to a missing management-only multicast route. |
| CSCwo44732 | ARP is silently dropping packet for an unreachable next hop |
| CSCwo49425 | Logging recipient-address not overriding the logging mail message severity levels |
| CSCwo54996 | Traffic failure due to 9344 blocks leak |
| CSCwo58191 | FTD: Large Delay in packets being inspected by snort |
| CSCwo58260 | Add "built" and "teardown" messages for the GRE | IPinIP connections to the Lina syslog |
| CSCwo60609 | DNS doctoring not working correctly if the doctoring rule is of type dynamic and has any interface |
| CSCwo61241 | Logical App Stuck in 'Start Failed' Due to checkSystemCPUs Failure |
| CSCwo65060 | FTD HA | Same MAC for port-channels causing network outage. |
| CSCwo66872 | snmp_logging_thread is utilizing high CPU in control plane |
| CSCwo71052 | FPR1010 Ethernet1/1 trunk port is not passing Vlan traffic after a reload |
| CSCwo75810 | SNMP configuration is not applied consistently across same FTDs type and version |
| CSCwo78969 | Traceback in thread name DATAPATH when a unit is re-joining the cluster |
| CSCwo79028 | Post-Failover FQDN Resolution Deferred Until Next DNS Poll Interval |
| CSCwo79080 | ENH: UDP traffic flow requires Initiator and Responder fields in the "show conn detail" output. |
| CSCwo79798 | Cryptochecksum changed after reloading. |
| CSCwo80223 | BFD packets are not dropped for single-hop BFD sessions received via alternate path |
| CSCwo82639 | Local user details not replicated to data nodes in a cluster setup. |
| CSCwo82658 | ASDM: Displays Error of Keypair already exists when adding an identity certificate. |
| CSCwo87763 | ASA/FTD: Primary standby unit becomes Active after reload in HA set up |
| CSCwo88204 | ASA/FTD traceback and reload triggered by the Smart Call Home process in sch_dispatch_to_url. |
| CSCwo91436 | FPR 4125 Multi instance: High Snort and System Core CPU Usage (100%) Triggering FMC Critical Alerts |
| CSCwo91965 | ASAv restarts unexpectedly |
| CSCwo94483 | LINA stays inactive without reloading after traceback on non-CP thread |
| CSCwo97439 | ACL: ASA may show false "OOB Access-list config change detected" warning after AAA authorization command is applied |
| CSCwo98752 | Traceback in threadname DATAPATH while trying to re-join cluster. |
| CSCwp04235 | ASA traceback and reload |
| CSCwp06882 | high CPU usage after ASA upgrade from 9.20.3.9 to 9.20.3.16 running on Hyper-V |
| CSCwp11382 | ASA/FTD: the ssl trust-point command deleted after a reload |
| CSCwp13540 | Wrong URL incorrectly displayed for file upload with Japanese text in file path for client-less VPN |
| CSCwp16529 | Negative value displayed for buffer drops when using " show cluster info load-monitor details" |
| CSCwp17700 | Syslog format is not properly printed when EMBLEM format is enabled at least in one syslog host |
| CSCwp22214 | Multiple mail drops and enq failures are seen while traffic is going through the box. |
| CSCwp33410 | dmesg and kern.log file flooded with Tx Queue=0 logs |
| CSCwp34610 | IKEv2-EAP Authentication Fails with Windows and MacOS Native VPN Clients |
| CSCwp37284 | "CSRF Token Mismatch" error seen when users click logout from Clientless VPN page |
| CSCwp39319 | ASA Memory leak while processing large CRLs. |
| CSCwp89969 | Prolonged delays in firewall restart/reboot completion |
| CSCwp97862 | If failover IPSEC PSK is 78 characters or greater HA breaks with "Could not set failover ipsec pre-shared-key" |
| CSCwq35960 | OSPF: Lina Traceback and Reload on Both Units in High Availability Setup. |
Version 9.18.4.57 – April 10, 2025
Defects resolved since 9.18.4.53:
| CSCwk46737 | ASA on HA: alloc_ch() alloc from chunk mem Failed message on one context in Standby device |
| CSCwn90900 | High ASA/FTD memory usage due to polling of RA VPN related SNMP OIDs |
| CSCwn90958 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability |
| CSCwo00141 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Denial of Service Vulnerability |
| CSCwo00880 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Denial of Service Vulnerability |
| CSCwo08042 | ASAv reloaded unexpectedly with traceback on Unicorn Proxy Thread |
| CSCwo09060 | SSL trustpoint with 4096 bit RSA keys not allowed by ASA if renewed via CLI |
| CSCwo15021 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| CSCwo15022 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| CSCwo15023 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| CSCwo15024 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| CSCwo15026 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| CSCwo15027 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability |
| CSCwo18850 | Cisco Secure Firewall Adaptive Security Appliance, Secure Firewall Threat Defense Software HTTP Server Remote Code Execution Vulnerability |
| CSCwo41250 | Traceback & Reload in thread named: DATAPATH-1-23988 during low memory condition |
| CSCwo49928 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
Version 9.18.4.53 – March 5, 2025
Defects resolved since 9.18.4.52:
| CSCwe88492 | Banner login does not display when configured |
| CSCwe92324 | FPR31xx - SNMP poll reports incorrect FanTray Status at Down while actually operational |
| CSCwf04460 | The fxos directory disappears after cancelling show tech fprm detail command with Ctr+c is executed. |
| CSCwf25454 | Stale anyconnect entries causing issues with routing |
| CSCwh17965 | [Display]FXOS: PC member interface is shown as down & unassociated/unassigned after reload |
| CSCwj57435 | Cleanup stale logrotate files |
| CSCwj61086 | High CPU usage in svc_sam_dme process during deployment post breaking cluster or deleting inline-set |
| CSCwk28058 | FTD memory depletion resulting in traceback and reload |
| CSCwk48628 | FTD/FxOS - Upgrade/erase configuration result in App-instance 'Operational State: Starting' |
| CSCwm36631 | FTD Secondary Unit got stuck in Bulk sync state. |
| CSCwm74289 | NAT traps have to be rate-limited |
| CSCwm95191 | In the Linux kernel, the following vulnerability has been resolved: s |
| CSCwm98278 | TCP Conn not being flagged as Half-Closed after receiving the ACK for the FIN. |
| CSCwn00475 | Memory Blocks 80 and 9344 leak due to priority-queue |
| CSCwn14130 | FTD cluster to traceback and reload after extended PAT is enabled |
| CSCwn19706 | Admin users are prompted to change local password when authenticating to external server |
| CSCwn22565 | Frequent route updates causes routes to get removed causing outages |
| CSCwn39826 | HA should prevent honouring failover requests while copy/config-sync/rollback is in progress |
| CSCwn40572 | MI: Vlan info is not applied at FXOS level when Virtual MAC is configured |
| CSCwn44335 | FXOS - Download command generates an extra "/" over HTTP and HTTPS GET requests |
| CSCwn45510 | S2S VPN tunnel Child SA unsuccessful renegotiation |
| CSCwn46855 | LINA may observe random traceback with Netflow configured |
| CSCwn47308 | Critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100 |
| CSCwn63839 | Traceback in thread name Lina on configuring arp permit-nonconnected with BVI |
| CSCwn65415 | ASA: floating-conn not closing UDP conns if conn was created without ARP entry for next hop |
| CSCwn73351 | Asia/Bangkok timezone option not listed in ASA running on firepower1k |
| CSCwn73399 | Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability |
| CSCwn75667 | Banner motd does not display when configured |
| CSCwn76079 | SSH works in admin context but doesn't work in any user context after changing ssh key-exchange |
| CSCwn79553 | Unreachable LDAP/AD referrals may cause delays or timeouts in external authentication on FTD |
| CSCwn80400 | Slow download speeds with AnyConnect over TLS on networks with high latency |
| CSCwn80765 | ISA3000 with ASA Refuses SSH Access If CiscoSSH is Enabled |
| CSCwn84557 | Lina traceback and reload due to "spin_lock_fair_mode_enqueue" |
| CSCwn86002 | core corruption still seen with switching to quick core feature |
| CSCwn91612 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability |
| CSCwn92894 | Occasionally, 'show chunkstat top-usage' output does not show all entries |
| CSCwn93319 | ASA/FTD may traceback and reload in Thread Name "DATAPATH" |
| CSCwo01557 | ASA traceback and reload on DATAPATH thread due to memory corruption |
| CSCwo09618 | Enabling debugs with EEM fails |
Version 9.18.4.52 – January 28, 2025
Defects resolved since 9.18.4.50:
| CSCwf42097 | PSEQ (Power-Sequencer) firmware may not be upgraded with bundled FXOS upgrade |
| CSCwi57783 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Access Control Rules Bypass Vulnerability |
| CSCwi65260 | Modification of destination entries failed, when Source Object Group and Destination Object Group contain same inner object-group |
| CSCwi94356 | Lina traceback and reload in Thread Name: cli_xml_request_process |
| CSCwk21540 | ASA/FTD - Unable to establish RAVPN sessions |
| CSCwk63586 | App instance stuck in STOP_FAILED with error message |
| CSCwm28007 | Browser redirects to blank page when the user clicks the WebVPN bookmark |
| CSCwm35730 | LINA may traceback in Thread Name: Datapath with NAT config |
| CSCwm37455 | ASA/FTD will allow local IP pool with invalid netmask |
| CSCwm44412 | FTD inline-set ignore reverse flag for inject/rewrite |
| CSCwm51874 | FXOS: messages rotates every 40 minutes due to Notification Daemon messages' being spammed |
| CSCwm63868 | FTD - Missing routes on BGP advertised-routes after FTD HA failover event |
| CSCwm68211 | ASA traceback and reload on thread snmp_inspect |
| CSCwm70835 | ASA traceback and reload due to stack overflow while using APCF file |
| CSCwm71265 | ASA traceback and reload on thread DATAPATH when processing gtpv1 end marker msg for PDP |
| CSCwm96280 | FTD device stuck in rommon mode after pressing reset button |
| CSCwm96652 | Cluster assigning wrong nat for unit, traffic not being forwarded properly back to unit |
| CSCwm97054 | ASA/FTD traceback and reload with high rate of SIP connections |
| CSCwn01281 | GTP inspection not allowing GTP data packets if session create response has cause type 18 |
| CSCwn03446 | When capture enabled on cluster interface, it always includes CCL IP along with the configured rule |
| CSCwn03835 | ASA/FTD may traceback and reload in Thread Name 'SSH Ctxt Thread' |
| CSCwn13187 | ASA upgrade failing from 9.20.2.21 to the target version 9.20.3.4 |
| CSCwn14447 | ASA/FTD may traceback and reload in Thread Name 'ldap_client_thread' |
| CSCwn15104 | FTD reload with traceback on swapcontext function |
| CSCwn15589 | Need unified package/fix for pseq and associated rommon fix for pseq upgrade failure |
| CSCwn17121 | ASA/FTD may traceback and reload in Thread Name 'cli_xml_request_process'. |
| CSCwn19739 | HA would bring data interfaces up while moving from cold standby to failed state |
| CSCwn20024 | ASA may traceback and reload in Thread Name 'ssh' |
| CSCwn21584 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Web Services Denial of Service Vulnerability |
| CSCwn22036 | FTD: Management0/0 status went down, line protocol is up after upgrade |
| CSCwn22456 | GTPv2 IE-type 157 (Signaling Priority Indication) is dropped with reason as unknown IE type |
| CSCwn24577 | ASA booting process may freeze when including 'no pim' or 'no igmp' config |
| CSCwn24596 | FTD may traceback and reload while executing "network-service reload" command and if it gets stuck |
| CSCwn26165 | FTD/ASA May Traceback and Reload - During Deployment / Radius changes - Due to Radius Packets |
| CSCwn27819 | Jumbo frame packets are being fragmented |
| CSCwn31653 | FTD may traceback and reload in Thread Name "FPRLI_FPR4K-SM-32" |
| CSCwn34259 | Monitored interfaces may go in waiting state after upgrade to 9.20.3.7 |
| CSCwn34659 | Firewall not initiating TCP request even after receiving the TC bit set in DNS response |
| CSCwn34707 | Multiple Unicorn Admin Handler processes consume all the control plane CPU. |
| CSCwn35470 | Serviceability : FQDN Packet based debug and capture trace support |
| CSCwn39780 | FTD Deployment Resilience: Skip non-critical / non-existing commands to avoid deployment failures. |
| CSCwn42949 | Implementing forwarder flow on non-owner units handling distributed secondary flow connections |
Version 9.18.4.50 – November 14, 2024
Defects resolved since 9.18.4.47:
| CSCwb77894 | Firepower 1000/2100 may boot to ROMMON mode |
| CSCwc57500 | Remove bootlogd package from FXOS to avoid ASA boot log problems |
| CSCwf04983 | 3100 unit failed to join the cluster with error "configured object (sys/switch-A/slot-2) not found" |
| CSCwh23124 | Secondary/Standby node shows flapping between Ready & Failed when mgmt interface is shutdown |
| CSCwi05709 | Security module may reboot reboot due to filesytem event |
| CSCwj72013 | PAT communication via using PAT pool fails for about 40 seconds when a device joins a cluster |
| CSCwj98872 | eth0 may not be properly initialized after reboot |
| CSCwk11989 | Accepting duplicate object/group-object into object-group from multiple ssh sessions |
| CSCwk30049 | ASA/FTD May traceback & reload citing Thread Name 'lina' as the faulting thread. |
| CSCwk42676 | Virtual ASA/FTD may traceback and reload in thread PTHREAD |
| CSCwk67859 | FTD and FXOS: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 |
| CSCwk71227 | FTD running on FPR 2k with LDAP skips backslash when updating ldap.conf |
| CSCwm06393 | Changes in port-channel membership or member status may cause periodic OSPF/EIGRP adjacency flaps |
| CSCwm08231 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability |
| CSCwm08235 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software DHCP Denial of Service Vulnerability |
| CSCwm30731 | The ASA's OSPF routing table is not properly synchronized with the neighbors |
| CSCwm33529 | FXOS MTU Handling for Front Panel and Uplink Ports on Firepower devices require improvement |
| CSCwm33613 | Default Group Policy is applied when receiving multiple Group Policies in SAML assertion attributes |
| CSCwm35751 | FPR3100: Interface may go to half duplex speed is hardcoded to 100mbps |
| CSCwm41847 | Serviceability to capture PDTS writing/reading block to help root cause CSCwm36314 |
| CSCwm42000 | FTD/ASA may traceback and reload in DATAPATH thread |
| CSCwm49154 | FXOS fault F1738 seen in deploymet with Error: CSP_OP_ERROR. CSP signature verification error |
| CSCwm49410 | Misconfigured Cross-Origin-Opener-Policy |
| CSCwm49721 | ASA Traceback and Reload due to MEMORY CORRUPTION WAS DETECTED |
| CSCwm49782 | enhance sma 2nd cruz heartbeat logging |
| CSCwm50591 | ASA/FTD: Inbound IPsec packets are dropped when IPsec offload is enabled with VTI and sub-interface |
| CSCwm52264 | Not able to remove or clear Fault "The password encryption key has not been set." |
| CSCwm52931 | ASA/FTD may traceback and reload in Thread Name "fover_parse" |
| CSCwm56864 | show run access-list command returns warning |
| CSCwm60536 | SQLNet traffic getting dropped intermittently in Clustering data unit. |
| CSCwm61282 | ASA/FTD: RA VPN tunnel causing memory leak leading to traceback & Reload |
| CSCwm78351 | Potential High CPU usage in Multi-Context Cluster setup with unconditional execution of capture code |
| CSCwm85228 | ASA/FTD may traceback and reload in Thread Name "IKEv2 Daemon" while joining failover |
| CSCwm89523 | 'no capture /all' failed to disable capture completely in the backend, causing high datapath CPU |
| CSCwm90905 | GTP inspection drops packet with error ERROR-DROP:MsgType:32 |
| CSCwm92397 | LINA core observed pointing to "IP RIB Update" thread |
| CSCwm95070 | Cisco Secure Firewall ASA and Secure FTD Software for FP 2100 Series IPv6 over IPsec DoS Vulnerability |
Version 9.18.4.47 – October 9, 2024
Defects resolved since 9.18.4.40:
| CSCwi57670 | RAVPN SAML: External browser gives misleading message when FTD/ASA fails to parse assertion |
| CSCwi98274 | unzip 5.52 is from 2005 is contains multiple vulnerabilities |
| CSCwj15125 | ASA/FTD may traceback and reload in Thread Name 'lina' related to Netflow timer infra |
| CSCwk08241 | FTD is not resolving FQDN for ACLs intermittently |
| CSCwk31371 | NAT_HARDEN: CGNAT breaks when mapped ifc is configured as any |
| CSCwk40335 | Trigger Alert/Warning when the associated FQDN IDs of an IP address surpasses the set limit of 8 |
| CSCwk42676 | Virtual ASA/FTD may traceback and reload in thread PTHREAD |
| CSCwk61157 | FTD LINA Traceback and Reload dhcp_daemon Thread |
| CSCwk63733 | HA-monitored interfaces are going into "waiting" state and subsequently to "Failed" |
| CSCwk67859 | FTD and FXOS: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024 |
| CSCwk71866 | ASA: Site-to-Site VPN between contexts on the same device drops traffic due to 'ipsec-tun-down' |
| CSCwk71992 | BlastRADIUS vulnerability phase-1 fix for pix-asa - Message Authenticator |
| CSCwk75956 | ASA/FTD may traceback and reload in Thread Name SSH |
| CSCwk87457 | ASA/FTD may traceback and reload in Process Name "lina" after device was reloaded |
| CSCwk88182 | FTDv50 traceback during normal operation at PTHREAD-8141 spin_lock_fair_mode_enqueue |
| CSCwk89836 | ASA/FTD may traceback and reload in Thread Name 'strlen' |
| CSCwk94382 | FTD: Lina might fail to respond to CONFIG_XML_REQUEST leading to stuck deployments |
| CSCwm01544 | Lina traceback and reload in data-path thread |
| CSCwm02801 | Unstable HA causing depolyment failure |
| CSCwm04650 | Increase memory usage leading to tracebacks in Lina. |
| CSCwm05520 | Disable cluster syn cookie decoding when FTD cluster is deployed with inline-set |
| CSCwm07389 | CGroups errors in ASA Syslog during every reboot |
| CSCwm08232 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability |
| CSCwm13141 | FTD CLISH/CLI gets locked up when trying to run any show command |
| CSCwm13199 | SIP traffic is affected due to unexpected behavior with NAT untranslations. |
| CSCwm14509 | Wrong drops seen with Invalid length for 23, 24 and 25 IE-Types during GTP inspection |
| CSCwm14561 | ASA/FTD may traceback and reload in Thread Name 'fover_parse' |
| CSCwm14729 | CSF 3100 series not rebooting after power outage, requiring manual power cycle |
| CSCwm42745 | Dynamic Site-to-Site tunnels stuck in IN-NEG state When IKE_AUTH Is Missed |
| CSCwm49153 | Cisco Adaptive Security Appliance Software SSH Server Resource DoS Vulnerability |
Version 9.18.4.40 – August 29, 2024
Defects resolved since 9.18.4.34:
| CSCwa82791 | ENH: Support for snapshots of RX queues on InternalData interfaces when "Blocks free curr" goes low |
| CSCwf34069 | Cisco ASA and FTD Remote Access SSL VPN Authentication Targeted Denial of Service Vulnerability |
| CSCwh51872 | Message asa_log_client exited 1 time(s) seen multiple times |
| CSCwh83517 | VTI tunnel goes down due to route change detected in VRF scenario |
| CSCwi44912 | ISA3000 Traceback and reload boot loop |
| CSCwi90751 | FTD/ASA - SNMP queries using snmpwalk are not displaying all "nameif" interfaces |
| CSCwj08696 | FTD lina traceback Thread Name: Non-Lina Process data Init Thread |
| CSCwj31918 | Segmentation fault with "logger_msg_dispatch" while HA sync |
| CSCwj35701 | Dns-guard prematurely closing conn due to timing condition |
| CSCwj53725 | Traceback observed while applying 'no failover' and 'failover' in the ASA standby |
| CSCwj83185 | FTD/ASA : Standby FTD traceback and reload after enabling memory tracking |
| CSCwj83634 | Seeing message "reg_fover_nlp_sessions: failover ioctl C_FOREG failed" |
| CSCwj87501 | ASA/FTD may traceback and reload in Thread Name 'fover_FSM_thread' |
| CSCwk00604 | ASA Fails to initiate AAA Authentication with IKEv2-EAP and Windows Native VPN Client |
| CSCwk05800 | ASA/FTD SNMP polling fails due to overlapping networks in snmp-server host-group |
| CSCwk06573 | Serviceablity : Improve routing infra debugs and add new for error conditions |
| CSCwk08476 | FTD/ASA traceback and reload due to 'show bgp summary' memory leak |
| CSCwk10884 | Connectivity failure due to mismatch between l2_table and subinterface mac address |
| CSCwk11983 | High LINA CPU observed due to NetFlow due to 'flow-export delay flow-create' configuration |
| CSCwk13132 | FTD/ASA 1550 blocks may get exhausted while sending logs to TCP syslog server |
| CSCwk22574 | Remove SGT frames/packets to allow VTI decryption |
| CSCwk24176 | FTD/ASA - VPN traffic flowing through the device may trigger tracebacks and reloads. |
| CSCwk26968 | Backup feature does not save/restore DAP configuration in multiple context mode. |
| CSCwk27175 | ASA/FTD: Substantial increase in the time taken to load configuration |
| CSCwk35710 | FTD/LINA may traceback and reload when "show capture" command is executed in EEM script |
| CSCwk45975 | TLS1.3 Decryption configuration on SSL policy is affecting DND traffic. |
| CSCwk48975 | Packet-tracer output incorrectly appends 'control-plane' to drops for data-plane access-group |
| CSCwk53369 | Cisco ASA and FTD Software Remote Access VPN Denial of Service Vulnerability |
| CSCwk62381 | ASA might traceback and reload due to ssh/client hitting a null pointer while using SCP. |
| CSCwk68759 | Split brain issue in HA failover due to which outage happened on customer network |
| CSCwk69742 | FTD: Policy deployment failed due to mismatch of checksum. |
| CSCwk76142 | ASA crashing in thread PIX Garbage Collector with inspect-rtsp enabled. |
Version 9.18.4.34 – July 18, 2024
Defects resolved since 9.18.4.29:
| CSCwh09968 | ASA/FTD: Traceback and reload due to NAT change |
| CSCwh10931 | ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command |
| CSCwh63211 | Lina core at snp_nat_xlate_verify_magic.part and soft traces |
| CSCwh70874 | FTD: Policy Deployment failure due to abort as no progress |
| CSCwh78118 | ASA/FTD traceback and reload on process fsm_send_config_info_initiator |
| CSCwi05240 | ASA - Traceback the standby device while HA sync ACL-DAP |
| CSCwj17447 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174' |
| CSCwj19125 | Cisco ASA and FTD NSG Access Control List Bypass Vulnerability |
| CSCwj20804 | Cisco ASA and FTD Software VPN Web Server Limited Information Disclosure Vulnerability |
| CSCwj24828 | Issue when two FQDN objects with same IP are added in source or destination (FTD/ASA) |
| CSCwj43345 | SNMP poll for some OIDs may cause CPU hogs and high latency can be observed for ICMP packets |
| CSCwj49745 | Cisco ASA and FTD VPN Web Client Services Cross-Site Scripting Vulnerabilities |
| CSCwj73061 | SNMP OID for CPUTotal1min omits snort cpu cores entries when polled |
| CSCwj74323 | ASAv Memory leak involving PKI/Crypto for VPN |
| CSCwj81743 | FTD - Trace back and reload due to NAT involving fqdn objects |
| CSCwj82247 | Cisco ASA and FTD SSL VPN Memory Management Denial of Service Vulnerability |
| CSCwj82736 | TLS Handshake Fails if Segmented or Fragmented Client Hello Packet is Received Out of Order |
| CSCwj86116 | High LINA CPU observed due to NetFlow configuration |
| CSCwj86320 | Standby Unit Interfaces enter "Waiting" Status Post-FTD Upgrade Due to Incorrect "Hello" Message MAC |
| CSCwj88400 | FTD may traceback and reload in process name lina while processing appAgent msg reply |
| CSCwj89264 | FTD HA: Traceback and reload in netsnmp_oid_compare_ll |
| CSCwj99043 | Cisco ASA & FTD Software IKEv2 Denial of Service Vulnerability |
| CSCwj99068 | Cisco ASA and FTD Software IKEv2 VPN Denial of Service Vulnerability |
| CSCwk02804 | WebVPN connections stuck in CLOSEWAIT state |
| CSCwk02928 | ASA/FTD may traceback and reload in Thread Name PTHREAD |
| CSCwk04290 | FPR 21xx - Traceback in Process Name: lina-mps during normal operations |
| CSCwk04492 | ASA CLI hangs with 'show run' with multiple ssh sessions |
| CSCwk05851 | "set ip next-hop" line deleted from config at reload if IP address is matched to a NAME |
| CSCwk06564 | Add New Syslog for Routes for NP add/delete |
| CSCwk07934 | Clock skew between FXOS and Lina causes SAML assertion processing failure |
| CSCwk08576 | command to print the debug menu setting of service worker |
| CSCwk09612 | Clock skew: FXOS clock diverges from Lina NTP time ~1-10 secs |
| CSCwk12497 | Traceback and reload on active unit due to HA break operation. |
| CSCwk12698 | SNMP polling of admin context mgmt interface fails to show all interfaces across all contexts |
| CSCwk12738 | Cisco Adaptive Security Virtual Appliance and Secure FTD Virtual SSL VPN DoS Vulnerability |
| CSCwk13631 | Traceback and reload during FTD upgrade due to FQDN network object NAT |
| CSCwk13812 | ASA/FTD incorrectly forwards extended community attribute after upgrade. |
| CSCwk14909 | Traffic drop with 'rule-transaction-in-progress' after failover with TCM cfgd in multi-ctx mode |
| CSCwk17637 | State Link Stops Sending Hello Messages Post-Failover Triggered by Snort traceback in FTD HA |
| CSCwk17854 | FTD doesn't send Type A query after receiving a refuse error from one DNS server in AAAA query. |
| CSCwk20882 | ESP sequence number of 0 being sent after SA establishment/rekey |
| CSCwk21561 | Add warning message when configuring CCL MTU |
| CSCwk22034 | Snmpwalk displays incorrect interface speeds for values greater or equal than 10G |
| CSCwk22759 | Issue with Setting Certain Timezones (e.g. GMT+1) on Cisco ASA Firepower in Appliance Mode |
| CSCwk25117 | ENH: Add application support for blocking consecutive AAA failures on LINA |
| CSCwk27830 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwk32501 | 256/1550 block depletion process fover_thread |
| CSCwk36312 | High cpu on "update block depletion" with secondary effects (Bgp flaps, traffic drops) |
| CSCwk44165 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability |
Version 9.18.4.29 – June 6, 2024
Defects resolved since 9.18.4.24:
| CSCvy51481 | [ENH] FTD should show error/warning when attaching a not valid certificate to the interface for VPN |
| CSCwb03293 | IKEv2 debugs: Received Policies and Expected Policies are empty |
| CSCwh29276 | ASA: Traceback and reload when switching from single to multiple mode |
| CSCwh60971 | NAT pool is not working properly despite is not reaching the 32k object ID limit. |
| CSCwh83021 | ASA/FTD HA pair EIGRP routes getting flushed after failover |
| CSCwi43492 | ASA traceback and reload on Thread Name: DATAPATH |
| CSCwi49770 | ASA|FTD Traceback & reload in thread name Datapath |
| CSCwi56499 | Cut-Through Proxy feature spikes CP CPU with a flood of un-authenticated traffic |
| CSCwi66461 | WARN msg(speed not compatible, suspended) while creating port-channel on Victoria CE |
| CSCwi95796 | FTD SNMP OID 1.3.6.1.4.1.9.9.109.1.1.1.1.7 always returns 0% for SysProc Average |
| CSCwj03764 | In Spoke dual ISP case if ISP2 is down, VTI tunnels related to ISP1 flapping. |
| CSCwj05151 | ASA/FTD may traceback and reload in Thread Name DATAPATH due to GTP Spin Lock Assertion |
| CSCwj08667 | ASA/FTD Traceback and Reload during ssl session establishment |
| CSCwj13910 | Crypto IPSEC SA Output Showing NO SA ERROR With IPSEC Offload Enabled |
| CSCwj19653 | FTD - Trace back and reload due to NAT involving fqdn objects |
| CSCwj22086 | Active unit goes to disabled state when there is a mismatch in firewall mode |
| CSCwj30980 | Addition of debugs & a show command to capture the ID usage in the CTS SXP flow. |
| CSCwj34881 | Command to show counters for access-policy filtered with a source IP address gives incorrect result |
| CSCwj34975 | Multiple context interfaces fail to pass traffic |
| CSCwj38871 | ASA traceback with thread name SSH |
| CSCwj44398 | when set the route-map in route RIP on FTD, routes update is not working after FTD reload |
| CSCwj48704 | ASA traceback and reload when accessing file system from ASDM |
| CSCwj49958 | Crypto IPSEC Negotiation Failing At "Failed to compute a hash value" |
| CSCwj50406 | All IPV6 BGP routes configured in device flapping |
| CSCwj55036 | ASA/FTD: A delay in an async crypto command induces a traceback and subsequently a reload. |
| CSCwj59861 | ASA/FTD may traceback and reload in Thread Name 'lina' due to SCP/SSH process |
| CSCwj60265 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-1-16803' |
| CSCwj62723 | Error message spammed to console on Firepower 2100 devices while enabling SSH config |
| CSCwj68096 | Console Access Stuck for ASAv hosted in CSP after Upgrade to 9.18.3.56 |
| CSCwj68783 | FTD/ASA-HA configs not in sync as the command sync process is sending configs with special chars |
| CSCwj72683 | ASA - Bookmarks on the WebVPN portal are unreachable after successful login. |
| CSCwj73053 | ASA may traceback and reload in Thread Name 'DATAPATH-21-16432' |
| CSCwj76503 | Syslogs continue to be sent after disabling logging class on ASA |
| CSCwj82285 | ASA/FTD may traceback and reload in Thread Name 'sdi_work' |
| CSCwj86116 | High LINA CPU observed due to NetFlow configuration |
| CSCwj91570 | Cisco ASA and FTD Software Remote Access VPN Brute Force Denial of Service Vulnerability |
| CSCwj93921 | ASA after upgrade to 9.18.4.24 not able to save config with error: "Configuration line too long" |
| CSCwj95590 | Browser redirects to logon page when the user clicks the WebVPN bookmark |
Version 9.18.4.24 – May 2, 2024
Defects resolved since 9.18.4.22:
| CSCvz70310 | ASA may fail to create NAT rule for SNMP with: "error NAT unable to reserve ports." |
| CSCwc28334 | Cisco ASA and FTD Software RSA Private Key Leak Vulnerability |
| CSCwd67100 | ASA traceback and reload on Datapath process |
| CSCwe02012 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwe18462 | ASA/FTD: Improve GTP Inspection Logging |
| CSCwe18467 | ASA/FTD: GTP Inspection engine serviceability |
| CSCwe21884 | Write wrapper around "kill" command to log who is calling it |
| CSCwf39108 | Firewall rings may get stuck and cause packet loss when asp load-balance per-packet auto is used |
| CSCwf69880 | Firewall Traceback and reload due to SNMP thread |
| CSCwf75694 | ASA - The GTP inspection dropped the message 'Delete PDP Context Response' due to an invalid TEID=0 |
| CSCwf84318 | ASA/FTD traceback and reload on thread DATAPATH |
| CSCwh40294 | ASA traceback due to panic event during SNMP configuration |
| CSCwh45450 | 2100: Interfaces missing from FTD after removing interfaces as members of a port-channel |
| CSCwh68068 | Firepower WCCP router-id changes randomly when VRFs are configured |
| CSCwh69156 | FTD-HA does not fail over sometimes when snort3 traceback |
| CSCwh69843 | WM DT - ASA in transparent mode doesn't send equal IPv6 Router Advertisement packets to all nodes |
| CSCwh91065 | Lina Traceback : Thread Name: DATAPATH during session terminate |
| CSCwh92345 | crypto_archive file generated after the software upgrade. |
| CSCwh95025 | GTP connections, under certain circumstances do not get cleared on issuing clear conn. |
| CSCwh95277 | FTD traceback due to system memory exhaustion |
| CSCwh95443 | Datapath hogs causing clustering units to get kicked out of the cluster |
| CSCwh96055 | Management DNS Servers may be unreacheable if data interface is used as the gateway |
| CSCwh99398 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-34-17852' |
| CSCwi02754 | FTD 1120 Traceback and reload on standby unit with SNMP enabled. |
| CSCwi03407 | Traceback on FP2140 without any trigger point. |
| CSCwi04351 | FTD upgrade failling on script 999_finish/999_zz_install_bundle.sh |
| CSCwi06797 | ASA/FTD traceback and reload on thread DATAPATH |
| CSCwi20045 | ASA/FTD may traceback and reload in Thread Name 'lina' due to a watchdog (watchdog_time = 0) |
| CSCwi31966 | FTD ADI debugs may show incorrect server_group and/or realm_id for SAML-authenticated sessions |
| CSCwi36311 | use kill tree function in SMA instead of SIGTERM |
| CSCwi36843 | Detailed logging related to reason behind sub-interface admin state change during operations |
| CSCwi40193 | Hairpinning of DCE/RPC/FTP traffic during the suboptimal lookup |
| CSCwi42291 | Cisco Firepower Threat Defense Software TCP Snort 3 Detection Engine Bypass Vulnerability |
| CSCwi44208 | low memory/stress causing traceback in SNMP |
| CSCwi45878 | ASA/FTD: DNS Load Balancing with SAML does not work with VPN Load Balancing |
| CSCwi48699 | ASA traceback and reload on Thread Name: pix_flash_config_thread |
| CSCwi49884 | TCP MSS is changed back to the default value when a VTI or loopback interface is created |
| CSCwi53987 | SSL protocol settings does not modify the FDM GUI certificate configuration or disable TLSv1.1 |
| CSCwi55938 | The "show asp drop" command usage requires better updates for cluster-related drops |
| CSCwi56667 | ASA Traceback and reload on Thread Name "fover_parse" on Standby after Failover Group changes |
| CSCwi60285 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwi61135 | Debugs failed to be enabled on SSH session |
| CSCwi62796 | ASA/FTD Traceback and reload related to SSL/DTLS traffic processing |
| CSCwi63113 | Null pointer dereference in SNMP that results in traceback and reload |
| CSCwi63743 | ASA/FTD may traceback and reload in Thread Name "appAgent_monitor_nd_thread" & Rip: _lina_assert. |
| CSCwi64829 | traceback and reload around function HA |
| CSCwi65116 | DHCPv6:ASA traceback on Thread Name: DHCPv6 CLIENT. |
| CSCwi66676 | ASA/FTD may traceback and reload in Thread Name 'webvpn_task' |
| CSCwi68625 | Continuous snmpd restarts observed if SNMP host is configured before the IP is configured |
| CSCwi68833 | ASA/FTD: Memory leak caused by Failover not freeing dnscrypt key cache due to unsyned umbrella flow |
| CSCwi69091 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwi70492 | Firewall is in App Sync error in pseudo-standby mode and uses IPs from Active unit |
| CSCwi71998 | "Stream: TCP normalization error in NO_TIMESTAMP" is seen when SSL Policy decrypt all is used |
| CSCwi74214 | ASA/FTD traceback and reload in Thread Name: IKEv2 Daemon when moving from active to standby HA |
| CSCwi75198 | Standby FTD experiencing periodic traceback and reload |
| CSCwi76361 | Transparent firewall MAC filter does not capture frames with STP-UplinkFast dst MAC consistently |
| CSCwi79037 | IKEv2 client services is not getting enabled - XML profile is not downloaded |
| CSCwi79042 | FTD/Lina traceback and reload of HA pairs, in data path, after adding NAT policy |
| CSCwi79393 | Policy Deployment Fails when removing the Umbrella DNS Policy from Security Intelligence |
| CSCwi80465 | CCM ID 63 - LTS18 |
| CSCwi84314 | ASA CLI hangs with 'show run' on multiple SSH |
| CSCwi85689 | TLS Server Identify: 'show asp table socket' output shows multiple TLS_TRK entries |
| CSCwi87382 | Traceback and reload on Primary unit while running debugs over the SSH session |
| CSCwi90571 | Access to website via Clientless SSL VPN Fails |
| CSCwi90998 | ASA SNMP Polling Failure for environmental FXOS DME MIB (.1.3.6.1.4.1.9.9.826.2) |
| CSCwi95228 | "crypto ikev2 limit queue sa_init" resets after reboot |
| CSCwi95994 | Chromium-based browsers have SSL connection conflicts when FIPS CC is enabled on the firewall. |
| CSCwi96562 | Cisco ASA and FTD FXOS CLI Root Privilege Escalation Vulnerability |
| CSCwi97836 | ASA traceback and reload after configuring capture on nlp_int_tap and deleting context |
| CSCwi97839 | FTD traceback assert in vni_idb_get_mode and reloaded |
| CSCwi99429 | Policy deployment failure rollback didnt reconfigure the FTD devices |
| CSCwj02505 | ASA Checkheaps traceback while entering same engineID twice |
| CSCwj05484 | ASA upgrade from 9.16 to 9.18 causing change in AAA ldap attribute values by adding extra slash '\' |
| CSCwj06675 | Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
| CSCwj09110 | Upload files through Clientless portal is not working as expected after the ASA upgrade |
| CSCwj09999 | FP 3100 MTU change on management interface is NOT persistent across reboots (returns to default MTU) |
| CSCwj10451 | The secondary device reloaded while rebooting the primary device. |
| CSCwj14028 | CCM ID 67 - LTS18 |
| CSCwj14832 | SAML: Single sign-on AnyConnect token verification failure is seen after successful authentication |
| CSCwj15792 | Cisco ASA and FTD Software Dynamic Access Policies Denial of Service Vulnerability |
| CSCwj16125 | Traceback and Reload when testing or loading an invalid hostscan image |
| CSCwj17447 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-6-26174' |
| CSCwj20067 | ASA: Warning messages not displayed when Static interface NAT are configured |
| CSCwj21880 | FTD with Interface object optimization enabled is blocking traffic after renaming of zone names |
| CSCwj22235 | Lina traceback and reload due to mps_hash_memory pointing to null hash table |
| CSCwj22990 | After upgrading the ASA, \u201cSlot 1: ATA Compact Flash memory\u201d shows a ditterent value |
| CSCwj25975 | FTD/ASA : CSR generation with comma between \u201cCompany Name\u201d attribute does not work expected |
| CSCwj32035 | Clientless VPN users are unable to reach pages with HTTP Basic Authentication |
| CSCwj33487 | ASA/FTD may traceback and reload while handling DTLS traffic |
| CSCwj33580 | IKEv2 tunnels flap due to fragmentation and throttling caused by multiple ciphers/proposal |
| CSCwj33891 | ASA/FTD Cluster memory exhaustion caused by NAT process during release of port blocks allocations |
| CSCwj38928 | High latency observed on FPR31xx |
| CSCwj40761 | ASA/FTD may traceback in Threadname: **CTM KC FPGA stats handler** |
Version 9.18.4.22 – March 6, 2024
Defects resolved since 9.18.4.8:
| CSCvx37329 | Remove Syslog Messages 852001 and 852002 in Firewall Threat Defense |
| CSCwc31953 | Prevention of RSA private key leaks regardless of root cause. |
| CSCwe47485 | FTD: CLISH slowness due to command execution locking LINA prompt |
| CSCwe72330 | FTD LINA traceback and reload in Datapath thread after adding Static Routing |
| CSCwe93736 | ASA not updating Timezone despite taking commands |
| CSCwe97939 | ASA/FTD Cluster: Change "cluster replication delay" with max value increase from 15 to 50 sec |
| CSCwf11877 | TPK 3110 - Firmware version MISMATCH after upgrade to 7.2.4-144 |
| CSCwf34070 | Cisco ASA and FTD Remote Access SSL VPN Authentication Targeted Denial of Service Vulnerability |
| CSCwf36419 | ASA/FTD: Traceback and reload with Thread Name 'PTHREAD' |
| CSCwf82279 | Excessive logging of ssp-multi-instance-mode messages to /opt/cisco/platform/logs/messages |
| CSCwf87348 | When state-link is flapped HA state changed from Standby-ready to Bulk-sync without failover reason |
| CSCwf99303 | Management UI presents self-signed cert rather than custom CA signed one after upgrade |
| CSCwh16759 | SNMP is not working on the primary active ASA unit in multi-context environment |
| CSCwh17576 | Site-to-Site VPN tunnel status on FMC shows down even though it is UP from FTD side |
| CSCwh19352 | comm alarm is raised and unit switches over even if one ack is dropped. |
| CSCwh43945 | FTD/ASA traceback and reload may occur when ssl packet debugs are enabled |
| CSCwh47053 | ASA/FTD may traceback and reload in Thread Name 'dns_cache_timer' |
| CSCwh58467 | ASA does not sent 'warmstart' snmp trap |
| CSCwh62731 | FTD Upgrade from 6.6.5 to 7.2.5 removing OGS causing rule expansion on boot |
| CSCwh65128 | LINA show tech-support fails to generate as part of sf_troubleshoot.pl (Troubleshoot file) |
| CSCwh66636 | Configuring and unconfiguring "match ip address test" may lead to traceback |
| CSCwh69346 | ASA: Traceback and reload when restore configuration using CLI |
| CSCwh71161 | ASA|FTD: Traceback & reload in thread Name: update_mem_reference |
| CSCwh71589 | Coverity 886745: OVERRUN in verify_generic_signature |
| CSCwh83254 | ASA/FTD: Traceback and reload on thread name CP Crypto Result Processing |
| CSCwh84376 | In FPR4200/FPR3100-HA/cluster observed crashinfo/corefile.lina observed on device reboot. |
| CSCwh91574 | FTD: Traceback in threadname cli_xml_request_process |
| CSCwh93710 | 'Last Hit' Timestamp fails to Update to latest value on ASA, ASDM, and FTD |
| CSCwh95010 | Unexpected traceback on thread name Lina and device experienced reboot |
| CSCwi01085 | FTD VMWare tracebacks at PTHREAD-3587 |
| CSCwi01381 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwi02134 | FTD sends multiple replicated NetFlow records for the same flow event |
| CSCwi02919 | SNMP Unresponsive when snmp-server host specified |
| CSCwi03528 | Cross ifc access: Revert PING to old non-cross ifc behavior |
| CSCwi06690 | Certificate Encoding Issue when using AnyConnect cert Authentication/Authorisation |
| CSCwi11520 | FTD OSPFV3 IPV6 Routing: FTD is sending unsupported extended LSA request to neighbor routers |
| CSCwi12284 | Cisco ASA webvpn XSS Vulnerability |
| CSCwi12772 | ASA cluster traceback Thread Name: DATAPATH-8-17824 |
| CSCwi13134 | Hardware bypass not working as expected in FP3140 |
| CSCwi15409 | ASA/FTD - may traceback and reload in Thread Name 'Unicorn Proxy Thread' |
| CSCwi18581 | Firewall traceback and reload due to SSH thread |
| CSCwi19015 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-13-6022' |
| CSCwi19145 | FTD/ASA may traceback and reload in PKI, syslog, during upgrade |
| CSCwi19849 | VPN load-balancing cluster encryption using Phase 2 deprecated ciphers |
| CSCwi20114 | Cisco ASA Software and FTD Software SNMP Denial of Service Vulnerability |
| CSCwi20848 | ASA/FTD high memory usage due to SNMP caused by RAVPN OID polling |
| CSCwi20955 | FTD with may traceback in data-path during deployment when enabling TAP mode |
| CSCwi21625 | FailSafe admin password is not properly sync'd with system context enable pw |
| CSCwi22296 | ASA: The logical device may boot into failsafe mode because of an large configuration. |
| CSCwi24461 | Device/port-channel goes down with a core generated for portmanager |
| CSCwi24880 | ASA dropping IPSEC traffic incorrectly when "ip verify reverse-path" is configured |
| CSCwi26064 | ASA : Modifying a route-map in one context affects other contexts |
| CSCwi26895 | ASA SNMP OID cpmCPUTotalPhysicalIndex returning zero values instead of CPU index values |
| CSCwi27338 | Stale asp entry for TCP 443 remains on standby after changing default port |
| CSCwi29532 | ASA/FTD traceback and reload due to sigcrash in inspect_dp_pdts_recv_service_producer_vec |
| CSCwi31091 | OSPF Redistribution route-map with prefix-list not working after upgrade |
| CSCwi31766 | PSU fan shows critical in show environment output while operating normally |
| CSCwi32063 | ASA/FTD: SSL VPN Second Factor Fields Disappear |
| CSCwi32759 | Username-from-certificate secondary attribute is not extracted if the first attribute is missing |
| CSCwi34125 | ASA: Snmpwalk shows "No Such Instance" for the OID ceSensorExtThresholdValue |
| CSCwi35267 | TLS1.3: core decode points to tls_trk_try_switch_to_bypass_aux() |
| CSCwi38957 | Policy Apply failed moving from FDM to FMC |
| CSCwi40536 | ASA/FTD: Traceback and reload when running show tech and under High Memory utilization condition |
| CSCwi42295 | Radius traffic not passing after ASA upgrade 9.18.2 and above version. |
| CSCwi42992 | ASA/FTD may traceback and reload in Thread Name IKEv2 Daemon |
| CSCwi43782 | GTP inspection dropping packets with IE 152 due to header length being invalid for IE type 152 |
| CSCwi45630 | Snort3 traceback with fqdn traffics |
| CSCwi46010 | ASA/FTD: Cluster incorrectly generating syslog 202010 for invalid packets destined to PAT IP |
| CSCwi46023 | FTD drops double tagged BPDUs. |
| CSCwi46641 | FTDv may traceback and reload in Thread Name 'PTHREAD-3744' when changing interface status |
| CSCwi50343 | Their standalone FTD running 7.2.2 on FPR-4112 experienced a traceback on the SNMP module |
| CSCwi53150 | Service object-group protocol type mismatch error seen while access-list referencing already |
| CSCwi53431 | Unable to Synch more then 100 environment-data with data unit |
| CSCwi56048 | Interface fragment queue may get stuck at 2/3 of fragment database size |
| CSCwi59525 | Multiple lina cores on 7.2.6 KP2110 managed by cdFMC |
| CSCwi59831 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwi62683 | The SSH transport protocol with certain OpenSSH extensions, found in ... (CVE-2023-48795) |
| CSCwi76002 | Memory exhaustion due to absence of freeing up mechanism for tmatch |
| CSCwi76630 | FP2100/FP1000: ASA Smart licenses lost after reload |
| CSCwi79703 | Incorrect Timezone Format on FTD When Configured via FXOS |
| CSCwi80465 | CCM ID 63 - LTS18 |
| CSCwi90040 | Cisco ASA and FTD Software Command Injection Vulnerability |
| CSCwi90399 | FTD/ASA system clock resets to year 2023 |
| CSCwi95708 | FTD: Hostname Missing from Syslog Message |
| CSCwi98284 | Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability |
| CSCwj10955 | Cisco ASA and FTD Software Web Services Denial of Service Vulnerability |
Version 9.18.4.8 – November 29, 2023
Defects resolved since 9.18.4.5:
| CSCvx44261 | SNMPv3: Special characters used in FXOS SNMPv3 configuration causes authentication errors |
| CSCwd31806 | ASAv show crashinfo printing in loop continuously |
| CSCwf43850 | ECMP + NAT for ipsec sessions support request for Firepower. |
| CSCwf89959 | ASA: ISA3000 does not respond to entPhySensorValue OID SNMP polls |
| CSCwf92661 | ASA|FTD: Traceback & reload due to a free buffer corruption |
| CSCwh14863 | FTD 7.0.4 cluster drops Oracle's sqlnet packets due to tcp-not-syn |
| CSCwh18967 | Include "show env tech" in FXOS FPRM troubleshoot |
| CSCwh30346 | ASA/FTD: 1 Second failover delay for each NLP NAT rule |
| CSCwh54477 | The FMC is showing "The password encryption key has not been set" alert for a 11xx/21xx/31xx device |
| CSCwh60631 | Fragmented UDP packet via MPLS tunnel reassemble fail |
| CSCwh66359 | ASDM can not see log timestamp after enable logging timestamp on cli |
| CSCwh68482 | Cisco Firepower Threat Defense Software for Firepower 2100 Series TLS Denial of Service Vu |
| CSCwh70323 | Timestamp entry missing for some syslog messages sent to syslog server |
| CSCwh70481 | Community string sent from router is not matching ASA |
| CSCwh71665 | ASA traceback under match_partial_keyword during CPU profiling |
| CSCwh77348 | ASA: Traceback and reload when executing the command "show nat pool detail" on a cluster setup |
| CSCwh93649 | File copy via SCP using ciscossh stack fails with error "no such file or directory" |
| CSCwh95175 | ASA/FTD may traceback and reload in Thread Name 'lina' |
| CSCwi15595 | ASA traceback and reload during ACL configuration modification |
Version 9.18.4.5 – October 25, 2023
Defects resolved in this release:
| CSCwc78781 | ASA/FTD may traceback and reload during ACL changes linked to PBR config |
| CSCwd34079 | FTD: Traceback & reload in process name lina |
| CSCwe28912 | Primary Unit lost all HA config after FTD HA upgrade |
| CSCwe44099 | Cisco Adaptive Security Virtual Appliance and Secure FTD Virtual SSL VPN DoS Vulnerability |
| CSCwf36621 | access-list: Cannot mix different types of access lists. |
| CSCwf41433 | ASA/FTD client IP missing from TACACS+ request in SSH authentication |
| CSCwf63589 | FTD snmpd process traceback and restart |
| CSCwf64590 | Units get kicked out of the cluster randomly due to HB miss | ASA 9.16.3.220 |
| CSCwf69901 | FTD: Traceback and reload during OSPF redistribution process execution |
| CSCwf94450 | FTD Lina traceback Thread Name: DATAPATH due to memory corruption |
| CSCwf95288 | FPR1k Switchport passing CDP traffic |
| CSCwh09113 | FPR1010 in HA failed to send or receive to GARP/ARP with error "edsa_rcv: out_drop" |
| CSCwh14352 | Lina CiscoSSL upgrade to 1.1.1v and FOM 7.3a |
| CSCwh16301 | Incorrect Hit count statistics on ASA Cluster only for Cluster-wide output |
| CSCwh19897 | ASA/FTD Cluster: Reuse of TCP Randomized Sequence number on two different conns with same 5 tuple |
| CSCwh21474 | ASA traceback when re-configuring access-list |
| CSCwh32118 | ASDM management-sessions quota reached due to HTTP sessions stuck in CLOSE_WAIT |
| CSCwh40106 | FTD hosted on KP incorrectly dropping decoded ESP packets if pre-filter action is analyze |
| CSCwh42412 | FTD Block 9344 leak due to fragmented GRE traffic over inline-set interface inner-flow processing |
| CSCwh47701 | ASA allows same BGP Dynamic routing process for Physical Data and management-only interfaces |
| CSCwh48844 | FTD: Failover/High Availability disabled with Mate version 0.0 is not compatible |
| CSCwh49244 | "show aaa-server" command always shows the Average round trip time 0ms. |
| CSCwh53143 | ASA:Management access via IPSec tunnel is NOT working |
| CSCwh53745 | ASA: unexpected logs for initiating inbound connection for DNS query response |
| CSCwh59199 | ASA/FTD traceback and reload with IPSec VPN, possibly involving upgrade |
| CSCwh59557 | Source NAT Rule performing incorrect translation due to interface overload |
| CSCwh60604 | ASA/FTD may traceback and reload in Thread Name 'lina' while processing DAP data |
| CSCwh60778 | FTD traceback and reload within TLS tracker for TLS 1.3 SSL decryption |
| CSCwh63588 | FTD SNMPv3 host configuration gets deleted from IPTABLES after adding host-group configuration |
| CSCwh70905 | Secondary lost failover communication on Inside, using IPv6, but next testing of Inside passes |