Cisco ASA Interim Release Notes

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available.

Version 9.20.3.20 – April 30, 2025

Defects resolved in this release:

CSCwd83069 Add capability to disable auto-negotiation for 100G ports
CSCwh53745 ASA: unexpected logs for initiating inbound connection for DNS query response
CSCwj83533 FAN is working as expected but FAN LED is in off state.
CSCwk70078 Failures and records are not seen in "show failover statistics" after simulating failures
CSCwm05960 Generated Crypto checksum changes without configuration change
CSCwm37363 Portmanager and lacp sync is not programmatic
CSCwm92310 FQDNs are unresolved via DNS on data interface after reboot or traceback
CSCwn39081 SNMP walk results in ASCII value for IPSEC Peer instead of an IP address.
CSCwn80419 Need the SVC Rx/Tx queue as a configurable option
CSCwn81995 Traceback and Reload caused by Memory corruption with SNMP inspection enabled
CSCwn90900 High ASA/FTD memory usage due to polling of RA VPN related SNMP OIDs
CSCwn95939 Generate syslog if received CRL is older than cached CRL
CSCwn95945 Generate syslog if received CRL signature validation fails
CSCwn98402 Debuggability: FP2100 port-channel interfaces flap after upgrade
CSCwo00102 Snort3 trimming packets with invalid sequence number due to bad window size information received
CSCwo00225 VNI source MTU is not IPv6 aware after upgrade if configured prior to upgrade
CSCwo08042 ASAv reloaded unexpectedly with traceback on Unicorn Proxy Thread
CSCwo18838 ASA/FTD may traceback and reload in Thread Name 'lina_exec_startup_thread'
CSCwo24772 debug packet-condition does not work as expected
CSCwo26258 Default Route Changes from Management0 to Management1 After Reload or Upgrade on FPR 4200 Series
CSCwo35783 Enhance Debugging for add/update/withdraw of routes with neighbors
CSCwo35788 Serviceability Enhancement - New 'show bgp internal' command for advanced debugging
CSCwo35810 show bgp update-group a.b.c.d displays "no such neighbor" when there is a valid neighbor
CSCwo41250 Traceback & Reload in thread named: DATAPATH-1-23988 during low memory condition
CSCwo42230 Memory leak leading to split brain
CSCwo45848 SecGW: Data node fails to join the cluster with cluster_ccp_make_rpc_call failed to clnt_call error
CSCwo47978 ASA may traceback and reload in Thread Name 'fover_parse'
CSCwo48439 Traceback & Reload in Thread Name Unicorn Admin Handler
CSCwo49425 Logging recipient-address not overriding the logging mail message severity levels
CSCwo49744 DNS and default gateway are removed on FTD managed through data interface
CSCwo71052 FPR1010 Ethernet1/1 trunk port is not passing Vlan traffic after a reload
CSCwo73467 Interface mac stuck issue seen with peer switch reloads or after upgrade
CSCwo87938 backout change preventing enabling clustering in FIPS mode


Version 9.20.3.16 – March 26, 2025

Defects resolved in this release:

CSCwe88492 Banner login does not display when configured
CSCwf04460 The fxos directory disappears after cancelling show tech fprm detail command with Ctr+c is executed.
CSCwf25454 Stale anyconnect entries causing issues with routing
CSCwh10931 ASA/FTD traceback and reload when invoking "show webvpn saml idp" CLI command
CSCwh17965 [Display]FXOS: PC member interface is shown as down & unassociated/unassigned after reload
CSCwj29599 FDM bootstrap might be interrupted by extra reboot due to firmware upgrade
CSCwj57435 Cleanup stale logrotate files
CSCwk28058 FTD memory depletion resulting in traceback and reload
CSCwk42676 Virtual ASA/FTD may traceback and reload in thread PTHREAD
CSCwk46737 ASA on HA: alloc_ch() alloc from chunk mem Failed message on one context in Standby device
CSCwk47035 CMI is disabled if pre-CMI nameif on diagnostic interface is MANAGEMENT
CSCwk82557 FTD upgrade to 7.4.2 via FDM is blocked
CSCwm35624 Long boot time seen with one AC rule having object-group and other plain ACL's
CSCwm36631 FTD Secondary Unit got stuck in Bulk sync state.
CSCwm74289 NAT traps have to be rate-limited
CSCwn19190 Memory fragmentation resulted in huge pages unavailable for lina
CSCwn40572 MI: Vlan info is not applied at FXOS level when Virtual MAC is configured
CSCwn44335 FXOS - Download command generates an extra "/" over HTTP and HTTPS GET requests
CSCwn45510 S2S VPN tunnel Child SA unsuccessful renegotiation
CSCwn46855 LINA may observe random traceback with Netflow configured
CSCwn47308 Critical health alerts 'user configuration(FSM.sam.dme.AaaUserEpUpdateUserEp)' on FPR 1100/2100/3100
CSCwn51845 Tracebacks observed in a cluster member running ASA 9.20.3.4
CSCwn65415 ASA: floating-conn not closing UDP conns if conn was created without ARP entry for next hop
CSCwn73399 Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability
CSCwn75667 Banner motd does not display when configured
CSCwn76079 SSH works in admin context but doesn't work in any user context after changing ssh key-exchange
CSCwn79553 Unreachable LDAP/AD referrals may cause delays or timeouts in external authentication on FTD
CSCwn80765 ISA3000 with ASA Refuses SSH Access If CiscoSSH is Enabled
CSCwn84557 Lina traceback and reload due to "spin_lock_fair_mode_enqueue"
CSCwn86002 core corruption still seen with switching to quick core feature
CSCwn90958 Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability
CSCwn91612 Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Authenticated Command Injection Vulnerability
CSCwn92894 Occasionally, 'show chunkstat top-usage' output does not show all entries
CSCwn93319 ASA/FTD may traceback and reload in Thread Name "DATAPATH"
CSCwn96929 ASA: Traceback and Reload Under Thread Name SSH
CSCwo00880 Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Server Denial of Service Vulnerability
CSCwo01557 ASA traceback and reload on DATAPATH thread due to memory corruption
CSCwo08306 Command authorization fallback to Local only works for users with privilege 15.
CSCwo09060 SSL trustpoint with 4096 bit RSA keys not allowed by ASA if renewed via CLI
CSCwo09195 Traceback and reload during the deployment after disabling FQDNs.
CSCwo09618 Enabling debugs with EEM fails
CSCwo15022 Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability
CSCwo15023 Cisco Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability
CSCwo15027 Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability
CSCwo21767 Port scan alerts not getting generated for custom configuration


Version 9.20.3.13 – February 5, 2025

Defects resolved in this release:

CSCwe92324 FPR31xx - SNMP poll reports incorrect FanTray Status at Down while actually operational
CSCwh82305 Lina core at swapcontext on FTD during policy deployment
CSCwj77877 Disable/Enable an MI instance results it in "State Failed"
CSCwk32984 FPR3K SFP+(10G) optics:Port Channel mem intf becomes down after reload/flap/reinsertion on peer side
CSCwk36144 Update Fan RPM Thresholds for 42xx platforms
CSCwk48628 FTD/FxOS - Upgrade/erase configuration result in App-instance 'Operational State: Starting'
CSCwm28007 Browser redirects to blank page when the user clicks the WebVPN bookmark
CSCwm37455 ASA/FTD will allow local IP pool with invalid netmask
CSCwm44412 FTD inline-set ignore reverse flag for inject/rewrite
CSCwm52973 TPK Low End FPR3100:Changing interface speed from 1g to 100mbps/100mps to 1g bring downs the link
CSCwm63868 FTD - Missing routes on BGP advertised-routes after FTD HA failover event
CSCwm68211 ASA traceback and reload on thread snmp_inspect
CSCwm70835 ASA traceback and reload due to stack overflow while using APCF file
CSCwm96652 Cluster assigning wrong nat for unit, traffic not being forwarded properly back to unit
CSCwm97054 ASA/FTD traceback and reload with high rate of SIP connections
CSCwm98278 TCP Conn not being flagged as Half-Closed after receiving the ACK for the FIN.
CSCwn00475 Memory Blocks 80 and 9344 leak due to priority-queue
CSCwn03446 When capture enabled on cluster interface, it always includes CCL IP along with the configured rule
CSCwn11728 FPR9K-SM-56 module intermittently lock up and cause traffic impact.
CSCwn14130 FTD cluster to traceback and reload after extended PAT is enabled
CSCwn14447 ASA/FTD may traceback and reload in Thread Name 'ldap_client_thread'
CSCwn17121 ASA/FTD may traceback and reload in Thread Name 'cli_xml_request_process'.
CSCwn19706 Admin users are prompted to change local password when authenticating to external server
CSCwn19739 HA would bring data interfaces up while moving from cold standby to failed state
CSCwn20024 ASA may traceback and reload in Thread Name 'ssh'
CSCwn21584 Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Web Services Denial of Service Vulnerability
CSCwn22036 FTD: Management0/0 status went down, line protocol is up after upgrade
CSCwn22456 GTPv2 IE-type 157 (Signaling Priority Indication) is dropped with reason as unknown IE type
CSCwn22565 Frequent route updates causes routes to get removed causing outages
CSCwn24577 ASA booting process may freeze when including 'no pim' or 'no igmp' config
CSCwn24596 FTD may traceback and reload while executing "network-service reload" command and if it gets stuck
CSCwn26165 FTD/ASA May Traceback and Reload - During Deployment / Radius changes - Due to Radius Packets
CSCwn27819 Jumbo frame packets are being fragmented
CSCwn29611 Radius user ssh login fails with error: username is not defined with a service type that is valid
CSCwn31653 FTD may traceback and reload in Thread Name "FPRLI_FPR4K-SM-32"
CSCwn34259 Monitored interfaces may go in waiting state after upgrade to 9.20.3.7
CSCwn34659 Firewall not initiating TCP request even after receiving the TC bit set in DNS response
CSCwn34707 Multiple Unicorn Admin Handler processes consume all the control plane CPU.
CSCwn35470 Serviceability : FQDN Packet based debug and capture trace support
CSCwn39780 FTD Deployment Resilience: Skip non-critical / non-existing commands to avoid deployment failures.
CSCwn39826 HA should prevent honouring failover requests while copy/config-sync/rollback is in progress
CSCwn40485 MI: Traffic fails to reach the Secondary FTD when enabled with data-sharing interface
CSCwn42949 Implementing forwarder flow on non-owner units handling distributed secondary flow connections
CSCwn46426 ASA 21xx: 'sh environment temperature' shows incorrect temperature values
CSCwn63839 Traceback in thread name Lina on configuring arp permit-nonconnected with BVI
CSCwn73351 Asia/Bangkok timezone option not listed in ASA running on firepower1k


Version 9.20.3.10 – December 10, 2024

Defects resolved in this release:

CSCwb77894 Firepower 1000/2100 may boot to ROMMON mode
CSCwe45584 FP2130 - Incorrect spelling seen in tech_support_brief in FPRM
CSCwh40635 Syslogs over management interface don't go through loggerd after FTD reboot or lina reload
CSCwh69156 FTD-HA does not fail over sometimes when snort3 traceback
CSCwh81366 [Multi-Instance] Second Hard Drive (FPR-MSP-SSD) not in use
CSCwi49884 TCP MSS is changed back to the default value when a VTI or loopback interface is created
CSCwi57783 Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Access Control Rules Bypass Vulnerability
CSCwj33187 Internal cached access-group list maintenance issue with unexpected clear configure access-list
CSCwj34204 Disk quota for the corefile should be revisited based on platform
CSCwj43902 FTDv - The interface connected to the AWS GW may have connection issues for DHCP or an idle state.
CSCwj74716 tpk_mi upgrade failed from 7.4.1.1 > 7.6.0 000_start/000_00_run_cli_kick_start.sh.
CSCwk11989 Accepting duplicate object/group-object into object-group from multiple ssh sessions
CSCwk21540 ASA/FTD - Unable to establish RAVPN sessions
CSCwk30049 ASA/FTD May traceback & reload citing Thread Name 'lina' as the faulting thread.
CSCwk52890 FTD / ASA High Memory Usage Due to HTTP-based Path Monitoring
CSCwk63586 App instance stuck in STOP_FAILED with error message
CSCwk67859 FTD and FXOS: RADIUS Protocol Spoofing Vulnerability (Blast-RADIUS): July 2024
CSCwk76362 FTDv traceback in Thread name - PTHREAD
CSCwm04021 ASA|FTD Traceback & reload in process name lina
CSCwm06393 Changes in port-channel membership or member status may cause periodic OSPF/EIGRP adjacency flaps
CSCwm35730 LINA may traceback in Thread Name: Datapath with NAT config
CSCwm35751 FPR3100: Interface may go to half duplex speed is hardcoded to 100mbps
CSCwm40531 FTD/ASA : 1SXF interfaces on FP3100 stay in a link-down state when connected to a Nexus 9K Switch
CSCwm49154 FXOS fault F1738 seen in deploymet with Error: CSP_OP_ERROR. CSP signature verification error
CSCwm49410 Misconfigured Cross-Origin-Opener-Policy
CSCwm49721 ASA Traceback and Reload due to MEMORY CORRUPTION WAS DETECTED
CSCwm49782 enhance sma 2nd cruz heartbeat logging
CSCwm51874 FXOS: messages rotates every 40 minutes due to Notification Daemon messages' being spammed
CSCwm52264 Not able to remove or clear Fault "The password encryption key has not been set."
CSCwm52931 ASA/FTD may traceback and reload in Thread Name "fover_parse"
CSCwm56864 show run access-list command returns warning
CSCwm60536 SQLNet traffic getting dropped intermittently in Clustering data unit.
CSCwm64553 Incompatible members warning message after Po member interface flaps unable to rejoin Po
CSCwm71265 ASA traceback and reload on thread DATAPATH when processing gtpv1 end marker msg for PDP
CSCwm78351 Potential High CPU usage in Multi-Context Cluster setup with unconditional execution of capture code
CSCwm79169 ASA/FTD may traceback and reload in DATAPATH-1-20757
CSCwm85228 ASA/FTD may traceback and reload in Thread Name "IKEv2 Daemon" while joining failover
CSCwm89523 'no capture /all' failed to disable capture completely in the backend, causing high datapath CPU
CSCwm90905 GTP inspection drops packet with error ERROR-DROP:MsgType:32
CSCwm91176 Cisco ASA/FTD Firepower 3100/4200 Series TLS 1.3 Cipher Denial of Service Vulnerability
CSCwm92397 LINA core observed pointing to "IP RIB Update" thread
CSCwm95070 Cisco Secure Firewall ASA and Secure FTD Software for FP 2100 Series IPv6 over IPsec DoS Vulnerability
CSCwm96280 FTD device stuck in rommon mode after pressing reset button
CSCwn01281 GTP inspection not allowing GTP data packets if session create response has cause type 18
CSCwn03835 ASA/FTD may traceback and reload in Thread Name 'SSH Ctxt Thread'
CSCwn13187 ASA upgrade failing from 9.20.2.21 to the target version 9.20.3.4
CSCwn13597 Customer FQDNs for VPN can be found on the internet unexpectedly
CSCwn13672 Bind ESP to VTI Tunnel Source Interface To Avoid Additional Route-Lookup Post Encryption
CSCwn15104 FTD reload with traceback on swapcontext function


Version 9.20.3.7 – October 22, 2024

Defects resolved in this release:

CSCwh17965 [Display]FXOS: PC member interface is shown as down & unassociated/unassigned after reload
CSCwh71161 ASA|FTD: Traceback & reload in thread Name: update_mem_reference
CSCwi98274 unzip 5.52 is from 2005 is contains multiple vulnerabilities
CSCwj72013 PAT communication via using PAT pool fails for about 40 seconds when a device joins a cluster
CSCwk08241 FTD is not resolving FQDN for ACLs intermittently
CSCwk09612 Clock skew: FXOS clock diverges from Lina NTP time ~1-10 secs
CSCwk31371 NAT_HARDEN: CGNAT breaks when mapped ifc is configured as any
CSCwk40335 Trigger Alert/Warning when the associated FQDN IDs of an IP address surpasses the set limit of 8
CSCwk71992 BlastRADIUS vulnerability phase-1 fix for pix-asa - Message Authenticator
CSCwk87457 ASA/FTD may traceback and reload in Process Name "lina" after device was reloaded
CSCwk88225 Critical fault : [FSM:FAILED]: user configuration(FSM:sam:dme:AaaUserEpUpdateUserEp)
CSCwk94382 FTD: Lina might fail to respond to CONFIG_XML_REQUEST leading to stuck deployments
CSCwk96912 FTD: Username missing in syslog message ID 302013 after upgrade to 7.4.1
CSCwm01544 Lina traceback and reload in data-path thread
CSCwm04650 Increase memory usage leading to tracebacks in Lina.
CSCwm05520 Disable cluster syn cookie decoding when FTD cluster is deployed with inline-set
CSCwm08231 Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability
CSCwm08232 Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability
CSCwm13141 FTD CLISH/CLI gets locked up when trying to run any show command
CSCwm14509 Wrong drops seen with Invalid length for 23, 24 and 25 IE-Types during GTP inspection
CSCwm14561 ASA/FTD may traceback and reload in Thread Name 'fover_parse'
CSCwm30731 The ASA's OSPF routing table is not properly synchronized with the neighbors
CSCwm33229 SAML Force re-authentication Is Not Enforcing User To re-enter Credentials Upon Retrying To Connect
CSCwm33613 Default Group Policy is applied when receiving multiple Group Policies in SAML assertion attributes
CSCwm34333 FTD - Multi-Instance, docker0 interface overlap with private network 172.17.0.0/16
CSCwm35035 SAML Auth Request by FTD Will Always Be Signed By Sha1 Irrelevant Of the Algorithm Configured
CSCwm41847 Serviceability to capture PDTS writing/reading block to help root cause CSCwm36314
CSCwm42000 FTD/ASA may traceback and reload in DATAPATH thread
CSCwm42745 Dynamic Site-to-Site tunnels stuck in IN-NEG state When IKE_AUTH Is Missed
CSCwm61282 ASA/FTD: RA VPN tunnel causing memory leak leading to traceback & Reload


Version 9.20.3.4 – September 26, 2024

Defects resolved in this release:

CSCwi00713 A memory leak flaw was found in Libtiff's tiffcrop utility. This issue
CSCwi44912 ISA3000 Traceback and reload boot loop
CSCwi90751 FTD/ASA - SNMP queries using snmpwalk are not displaying all "nameif" interfaces
CSCwj08696 FTD lina traceback Thread Name: Non-Lina Process data Init Thread
CSCwj15125 ASA/FTD may traceback and reload in Thread Name 'lina' related to Netflow timer infra
CSCwj35701 Dns-guard prematurely closing conn due to timing condition
CSCwj74323 ASAv Memory leak involving PKI/Crypto for VPN
CSCwj79895 ENH Logs FP4110 (FXOS 2.10.1.179) Security module stopped responding after device reboot
CSCwj83185 FTD/ASA : Standby FTD traceback and reload after enabling memory tracking
CSCwj87501 ASA/FTD may traceback and reload in Thread Name 'fover_FSM_thread'
CSCwk00604 ASA Fails to initiate AAA Authentication with IKEv2-EAP and Windows Native VPN Client
CSCwk05800 ASA/FTD SNMP polling fails due to overlapping networks in snmp-server host-group
CSCwk06564 Add New Syslog for Routes for NP add/delete
CSCwk06573 Serviceablity : Improve routing infra debugs and add new for error conditions
CSCwk08476 FTD/ASA traceback and reload due to 'show bgp summary' memory leak
CSCwk10884 Connectivity failure due to mismatch between l2_table and subinterface mac address
CSCwk11983 High LINA CPU observed due to NetFlow due to 'flow-export delay flow-create' configuration
CSCwk14685 FTD : Management interface showing down despite being up and operational
CSCwk17637 State Link Stops Sending Hello Messages Post-Failover Triggered by Snort traceback in FTD HA
CSCwk22034 Snmpwalk displays incorrect interface speeds for values greater or equal than 10G
CSCwk22574 Remove SGT frames/packets to allow VTI decryption
CSCwk24176 FTD/ASA - VPN traffic flowing through the device may trigger tracebacks and reloads.
CSCwk26968 Backup feature does not save/restore DAP configuration in multiple context mode.
CSCwk27175 ASA/FTD: Substantial increase in the time taken to load configuration
CSCwk32501 256/1550 block depletion process fover_thread
CSCwk35710 FTD/LINA may traceback and reload when "show capture" command is executed in EEM script
CSCwk36312 High cpu on "update block depletion" with secondary effects (Bgp flaps, traffic drops)
CSCwk37371 SGT INLINE-TAG added after upgrade to 7.4.x
CSCwk41007 ASA/FTD may traceback and reload
CSCwk44165 Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Remote Access SSL VPN Denial of Service Vulnerability
CSCwk45975 TLS1.3 Decryption configuration on SSL policy is affecting DND traffic.
CSCwk48975 Packet-tracer output incorrectly appends 'control-plane' to drops for data-plane access-group
CSCwk59009 IPv6 SSL Anyconnect access blocked in HA pair
CSCwk59458 21xx: debug log process hangs preventing recovery from stuck writing operations
CSCwk61157 FTD LINA Traceback and Reload dhcp_daemon Thread
CSCwk63733 HA-monitored interfaces are going into "waiting" state and subsequently to "Failed"
CSCwk69742 FTD: Policy deployment failed due to mismatch of checksum.
CSCwk71227 FTD running on FPR 2k with LDAP skips backslash when updating ldap.conf
CSCwk71866 ASA: Site-to-Site VPN between contexts on the same device drops traffic due to 'ipsec-tun-down'
CSCwk74813 Cisco Adaptive Security Appliance and Firepower Threat Defense TLS Denial of Service Vulnerability
CSCwk75035 Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vul
CSCwk75406 FMC in CC-mode audit over syslog not working
CSCwk75956 ASA/FTD may traceback and reload in Thread Name SSH
CSCwk78030 ASA/FTD: Memory Exhaustion due to Threat-Detection
CSCwk86582 'ENDPOINT_TIME_OUT_OF_SYNC' Error Causing SAML Auth to Not Complete
CSCwk88182 FTDv50 traceback during normal operation at PTHREAD-8141 spin_lock_fair_mode_enqueue
CSCwk88201 S2S VPN with 3rd party broken after upgrading FPR 9.20
CSCwk89836 ASA/FTD may traceback and reload in Thread Name 'strlen'
CSCwm02801 Unstable HA causing depolyment failure
CSCwm03142 IPv6 Neighbor Discovery/multicast traffic affected on shared interface in multi instance setup
CSCwm07389 CGroups errors in ASA Syslog during every reboot
CSCwm13199 SIP traffic is affected due to unexpected behavior with NAT untranslations.
CSCwm14729 CSF 3100 series not rebooting after power outage, requiring manual power cycle
CSCwm49153 Cisco Adaptive Security Appliance Software SSH Server Resource DoS Vulnerability
CSCwm50591 ASA/FTD: Inbound IPsec packets are dropped when IPsec offload is enabled with VTI and sub-interface
CSCwm50936 100GB interface flaps with Innolight QSFPs in both ends


Last edited on: August 25, 2025