Cisco ASA Interim Release Notes
The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available.
Version 9.20.4.22 – March 5, 2026
Defects resolved in this release:
| CSCwk74566 | Disable csd/hostscan invokation for clientless/webvpn flow |
| CSCwm80210 | MI: core.lina.async_thr is generated after reboot |
| CSCwn90327 | FP1150 ASA/FTD - Traceback and reload triggered by watchdog timer |
| CSCwo53752 | ASA FTD traceback in Checkheaps process after enabling "controller monitor internal-interfaces free-blocks 100" command |
| CSCwp60896 | ASA Clock reverts to UTC after device reload |
| CSCwq74443 | HA Primary/Active unit goes to disabled state as "HA state progression failed due to app sync timeout" in build 10.0.0-196 |
| CSCwq77481 | 1140 FTD HA primary failed to reboot after executing the reload command from expert mode |
| CSCwq85473 | FP 4115 ASA Cluster: GTP inspection causing high lina CPU 70% - 90%+ depend on traffic |
| CSCwq88796 | Firepower: SSH access lost after timezone change in platform mode |
| CSCwq92373 | WA MI: Two apps went to Not Responding state with reason: Error in App Instance ftd. sma reported fault: Instance xxx is disabled due to restart loop. Please consider reinstalling this app-instance. |
| CSCwr10747 | ASA/FTD may traceback and reload due to memory exhaustion |
| CSCwr15611 | ASA/FTD - 1550 Block Depletion Due to Instability of TCP Syslog Channel(s) |
| CSCwr21835 | Dataplane <> Control Plane may be overwhemed in the event of a massive influx of traffic with no existing ARP Adj present |
| CSCwr21948 | WCCP redirection not working as expected on transparent FTD |
| CSCwr31136 | SNMP OID Polling for Chassis temperature not giving response |
| CSCwr43613 | FTD/ASA may traceback and reload |
| CSCwr58862 | ASA/FTD: SCEP enrollment fails with SCEP server reachable over VPN and sourced from inside interface |
| CSCwr62993 | FTD traceback and reload on DATAPATH |
| CSCwr71075 | FP2140 running FTD traceback during deployment |
| CSCwr72101 | Lina: Traceback and reload for watchdog on BGP |
| CSCwr78255 | Inconsistent Cluster State: All Nodes Acting as Data Nodes with No Control Node |
| CSCwr85470 | FTD silently drops out of order packets |
| CSCwr87102 | Problems may arise when an automated script attempts to deploy to add or delete an SNMP user in a multi-context environment. |
| CSCwr96082 | ASA: Traceback and reload on ARP code when the pinged device is unreachable |
| CSCws02848 | High cpu on block depletion |
| CSCws03492 | ASP ACL rule (dhcp network scope) fail to be removed during "no nameif" or interface deletion process |
| CSCws03807 | Memory leak in virtual-access nameif strings |
| CSCws03882 | ASA timestamp getting stuck for syslog messages until the device sync up with NTP |
| CSCws05886 | ASA may traceback during manual failover |
| CSCws06991 | Few FQDNs are not resolving after FTD upgrade |
| CSCws19908 | snmpEngineBoots does not increase when ASA reloads |
| CSCws25638 | FPR 3110 MI (shared subinterface) - Traffic outage when disabling multicast routing on one FW instance |
| CSCws27870 | LINA May Encounter Traceback and Reload if SSH Session Uses ChaCha20-Poly1305 Cipher |
| CSCws31035 | Lina Traceback and reload in Thread: "cli_xml_request_process" |
| CSCws33462 | Faults generated during first boot on 6.x can't be cleared |
| CSCws35491 | The identity cert will miss "ca" if the same cert also installed as device-certificate. Reboot will fail to install identity cert |
| CSCws35715 | ASA/FTD responding without relay_sig parameter in SAML dupicate request |
| CSCws36457 | While in App-Sync phase, cluster node does not transition to disabled state when CCL interface goes down |
| CSCws37370 | FTD , dcosAG continuously crashing |
| CSCws39799 | Traceback and reload in threadname datapath due to flow-offload. |
| CSCws59816 | ASA: Traceback with Thread Name DATAPATH-0-13302 |
| CSCws61024 | Appliance enters into fail-safe mode due to warnings thrown by nat config. |
| CSCws62173 | License registration still fails with ssl trustpoint and smart transport mode configured despite fix for CSCwp10957 |
| CSCws65199 | ASA/FTD does not accept "id-kp-ipsecIKE" or "anyExtendedKeyUsage" in EKU for usage type IPSEC VPN Peer |
| CSCws65834 | Lina: asacli Traceback & reload due to SSH/SCP initiated from firewall exec mode |
| CSCws82462 | ASA/FTD assert crash after applying capture type isakmp command from LINA CLI |
| CSCws86306 | Unable to retrieved SNMP OID crasActGrpName (1.3.6.1.4.1.9.9.392.1.3.22.1.1) |
| CSCws91179 | Warning about the usage of failsafe-exit |
| CSCws93424 | Passwordless users are not able to connect VPN from IOS/Android |
Version 9.20.4.19 – December 10, 2025
Defects resolved since 9.20.4.14:
| CSCwm80732 | ASA/FTD - Traceback and reload Due to Race Condition in TCP Proxy |
| CSCwn27583 | High lina CPU and/or Traceback and reload in spin_lock_get_actual_internal |
| CSCwn69079 | Cisco Secure Firewall ASA Software and Secure FTD Software OSPF Memory Exhaustion Vulnerability |
| CSCwo09439 | ASA/FTD may traceback and reload in Thread Name 'DATAPATH-3-4280' |
| CSCwo45497 | Counter from IKEV2 stats does not match the number of tunnels in VPN-Sessiondb |
| CSCwo59534 | Memory corruption leading to lina assertion and traceback |
| CSCwo72352 | Memory leak: ASA Fragment size 72 causing memory exhaustion in MEMPOOL_GLOBAL_SHARED POOL |
| CSCwo73885 | Cisco Secure Firewall ASA Software and Secure FTD Software Authenticated Command Injection Vulnerability |
| CSCwo76559 | ASA/FTD traceback and reload with SNMP Notify Thread seen on 3110 |
| CSCwo87763 | ASA/FTD: Primary standby unit becomes Active after reload in HA set up |
| CSCwp64615 | ASA/FTD: ASP drop capture for 'invalid-ip-length' or 'sp-security-failed' does not work with match criteria |
| CSCwq31342 | FPR4200 | FPR3100 Multi Instance Chassis Deployment Failed in DNS configuration |
| CSCwq44834 | Multicast and broadcast packets do not reach all multi-instance firewalls via shared interface on 3100/4200 |
| CSCwq52188 | FTD Traceback while executing `asp load-balance per-packet` |
| CSCwq52255 | SSH login to FTD management IP address lands in FXOS shell instead of FTD CLISH due to missing /mnt/boot/application/*.def file |
| CSCwq64843 | Deployment Failure After Removing An Object From ACL Used in DAP |
| CSCwq73656 | Cisco Secure Firewall ASA Software and Secure FTD Software OSPF Memory Corruption Vulnerability |
| CSCwq74986 | FTD: Instance stuck in Boot Loop |
| CSCwq85986 | FP4225: Interface with SFP - 10/25G_LR_S (or CSR_S) is not coming up after reboot of peer side. |
| CSCwq90072 | ASDM Parsing Failure on Two Contexts |
| CSCwq95241 | Reboots on FP2130 due to missing heimdall PID |
| CSCwr01482 | FPR4215 "Not supported" alarm occurred, when insert the SFPs |
| CSCwr05837 | SNMP process continuously restarts |
| CSCwr06290 | ASA/FTD: Traceback in thread name CP Processing due to DCERPC inspection |
| CSCwr10732 | Connection blocking active although "logging permit-hostdown' is set |
| CSCwr12965 | Both the units in HA changed the encryption algorithm simultaneously |
| CSCwr14186 | add context for cmd-invalid-encap asp-drop type in the "show asp drop" command usage |
| CSCwr22508 | Device doesn't boot and gets stuck after a successful upgrade |
| CSCwr24999 | FP3140 FTD HA Upgrade Getting Stuck |
| CSCwr26857 | File policy stops working due to SMB tcp conn terminated after 1hr for unknown reason despite not idle |
| CSCwr27095 | Anyconnect users incorrectly get the prompts, based on the previous tunnel-group |
| CSCwr28908 | ASA: Traceback and reload after saving asdm image |
| CSCwr35582 | Continuous logs_archive.asa-interface-idb.log getting generated on ASA |
| CSCwr42577 | ASA/FTD may traceback and reload citing Thread Name 'lina' as the faulting thread. |
| CSCwr42969 | Dynamic Offloaded Flows Interrupted midstream |
| CSCwr43586 | Intermittent drop of self-originated ICMP TTL exceeded messages with reason "Unable to obtain connection lock (connection-lock)" |
| CSCwr48605 | Lina traceback due to the incorrect option being received in the packet. |
| CSCwr50466 | ASA/FTD: Wrong value shown for X509_STORE_CTX in 'show ssl objects' |
| CSCwr51629 | RTSP Flows are dropped with drop reason "First TCP packet not SYN" |
| CSCwr55089 | ASA/FTD - Traceback and Reload in Threadname DATAPATH |
| CSCwr58661 | Cisco Secure Firewall Adaptive Security Appliance Software TCP Flood Denial of Service Vulnerability |
| CSCwr59870 | ASAv on Hyper-v encountering boot loop issues when running netvsc driver |
| CSCwr61303 | Lina: Traceback and reload webvpn_session_release |
| CSCwr61452 | ASA traceback and reload due to memory corruption in IPsec SA pointers |
| CSCwr62800 | High network latency observed on ASAv |
| CSCwr65540 | ASA traceback while disabling GTP inspection |
| CSCwr74420 | FTD - FTD RADIUS authentication fails with "bad authenticator" after disabling Management Interface Convergence |
| CSCwr79344 | ASA/FTD traceback and reload in Lina |
| CSCwr81266 | Unable to remove certificate-group-map |
| CSCwr83527 | FP2110 Critical fault alerts for remote users |
| CSCwr84332 | ASA/FTD traceback and reload in L2 vaccess_nameif_action thread |
| CSCwr88208 | ASA/FTD: Fragmentation issue for IKE_Auth packets |
| CSCwr88733 | Collecting "show tech-support fprm" results in corefile in TAR process |
| CSCwr94517 | ASA traceback and reload while removing capture |
Version 9.20.4.14 – October 29, 2025
Defects resolved since 9.20.4.10:
| CSCvm76755 | DP-CP arp-in and adj-absent queues need to be separated |
| CSCwe13965 | Interface statistics and tunnel uptime display support for VTI/DVTI interfaces |
| CSCwk07934 | Clock skew between FXOS and Lina causes SAML assertion processing failure |
| CSCwn50760 | ASA Traceback after upgrade to 9.20.3.7 |
| CSCwo76165 | Deployment failure due to rsync |
| CSCwp10957 | SSL error causing connection to Cisco Smart Software Manager (CSSM) to terminate |
| CSCwp22743 | wpk - 1gsx link remains up on wpk but on switch side it shows as not connected |
| CSCwp97402 | WA: Traceback and reload due to lock contention on the tmatch table during deployment with large snmp config |
| CSCwq13032 | 3100/4200: 1G Management interface flapping after upgrade |
| CSCwq26863 | FP2110 - ntpd process constantly crashing |
| CSCwq29706 | Traceback and reload after editing SNMP config, with tmatch |
| CSCwq31988 | Errors on all interface of FPR1010 | line protocol is down ( not associated with supervisor ) |
| CSCwq36466 | expat/xml FW rebooted itself and no crashinfo generated |
| CSCwq39942 | CVE-2025-32463: sudo: Sudo before 1.9.17p1 allows local users to obtain |
| CSCwq39943 | CVE-2025-32462: sudo: Before 1.9.17p1, allows users to execute commands on unintended machines. |
| CSCwq43711 | Idle SSH sessions persist beyond the configured timeout without graceful termination by Fin flag |
| CSCwq46058 | ASA SNMP Response Issue - Responses Sent Only for Odd OIDs, Not for Even |
| CSCwq47622 | Lina Traceback and Reload after enabling 'TLS Server Identity Discovery' |
| CSCwq48842 | FTD: Packets Dropped due to tcp-seq-past-win due to delayed packet through Snort |
| CSCwq50373 | ASA/FTD in HA, snmptranslate process during the boot-up causing High CPU and IPC timeouts, causing split-brain. |
| CSCwq60586 | FTD upgrade failed due to bundle image existence verification failure |
| CSCwq65955 | FPR 4200: HA link arp packets getting dropped, internal uplink linkChange counters incrementing |
| CSCwq70133 | Password Expiry Age does not reset after Password Change |
| CSCwq72156 | SNMP traps are not sent to one of multiple SNMP servers, in certain conditions |
| CSCwq73994 | ASA : Performance and high CPU usage seen on Hyper-V |
| CSCwq78991 | Firewall joins a cluster although gets incomplete ACL policy rules during replication |
| CSCwq79831 | Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Remote Code Execution Vulnerability |
| CSCwq81480 | FTD MI: SNMP polling fails to work after the upgrade |
| CSCwq82095 | SAML response rejected with message for certain IDPs |
| CSCwq82225 | Drop counter doesn't increment for embryonic related drops in 'show service policy' |
| CSCwq92728 | ASA client IP missing from TACACS+ authorization request in SSH |
| CSCwq95810 | "no http server basic-auth-client ASDM" allows ASDM connections to ASA. |
| CSCwq96870 | Interfaces are coming up when the Firepower is shutting down |
| CSCwq98101 | Policy deployment fails when inline-set is configured on FTD HA |
| CSCwq98648 | Low RAM allocation on ASAv can trigger unexpected behavior in 'asdm image' command |
| CSCwr05406 | Traceback in HA stby node while snmpwalk on natAddrMapTable |
| CSCwr13046 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Cross-Site Scripting Vulnerability |
| CSCwr15697 | Block 80 depletion ssl_decrypt_cb |
| CSCwr19123 | FPR HA ESP sequence number discrepancy when standby changes to Active resulting in Anti-replay drops |
| CSCwr22256 | Traceback seen while FQDN list expands more than 200 entries for a resolved ip |
| CSCwr31782 | Secure Client SAML - External Browser May Prompt for a Certificate when using IKEv2-IPsec and Certificate Mapping |
| CSCwr49028 | Secure client tunnel group authentication is affected when using SDI protocol |
| CSCwr66525 | WPK node rebooted with lina core while trying to form cluster in snp_nat_allocate_port |
Version 9.20.4.10 – September 03, 2025
Defects resolved since 9.20.4.7:
| CSCwd92327 | on 2k platform, external authentication fails for users starting with number |
| CSCwk09488 | Incorrect syslog generated on failure to process SGT from ISE during RA authentication |
| CSCwk33511 | low memory/stress causing block double free and reload |
| CSCwk87700 | Multiple core.svc_sam_statsAG on FxOS platforms |
| CSCwn27583 | High lina CPU and/or Traceback and reload in spin_lock_get_actual_internal |
| CSCwn61232 | Memory block corruption: RAVPN SSL/IKEV2 auth failure, AAA SHIM available fibers exhausted |
| CSCwn64025 | ASA: IPv6 EIGRP routes learned from other neighbors are missing in updates after failover |
| CSCwn69078 | Cisco Secure Firewall ASA Software and Secure FTD Software OSPF DoS Vulnerability |
| CSCwo27260 | Unit taking ~13 secs to become active |
| CSCwo42102 | show tech-support fprm detail command is getting stuck for longer duration |
| CSCwo58033 | [Cluster] CPU Utilization of 100% when NAT Pool exhaustion happens in a context. |
| CSCwo74009 | Cisco FXOS and UCS Manager Software Command Injection Vulnerability |
| CSCwo91748 | Lina: Traceback in thread name ssh on executing show access-list after ACL deletion |
| CSCwp13016 | FTD/ASA SSH: Terminal monitor is not showing logs |
| CSCwp22612 | Policy deploy failing on FTD when trying to remove Umbrella DNS Configuration |
| CSCwp25033 | An ICMP not reachable storm might cause high CPU on a two units FTD cluster |
| CSCwp28801 | WA HA: Error while fetching metadata for FTD HA. |
| CSCwp33077 | SAML IdP entityID increase from capped 128 character maximum |
| CSCwp36133 | Clarify the working of Fallthrough to Interface PAT (Destination Interface) as it is not working as expected |
| CSCwp66721 | Memory leak in SSL crypto causing high Lina memory usage on lower-end devices |
| CSCwp67356 | HA state should not transition from ColdStandby to Active |
| CSCwp68059 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Cross-Site Scripting Vulnerability |
| CSCwp93368 | LINA traceback Observed on FTDv Firewalls Deployed in Azure: snp_vxlan_encap_and_send_to_remote_peer |
| CSCwq01526 | Cisco Secure FTD Software Authenticated DoS Vulnerability |
| CSCwq07441 | Memory Leak observed on FP2110 running ASA due to monitoring interface configured in HA |
| CSCwq07808 | FP3105 Traceback and Reload after changing the speed on Ethernet interface |
| CSCwq16926 | Traceback and Reload while two processes attempt to free a TD subnet structure |
| CSCwq18679 | ASA from CSM/CLI - no access-list ACL_name line line_nr remark on last ACL line shows message - "Specified remark does not exist" |
| CSCwq21101 | Invalid host header reveals ASA interface IP address |
| CSCwq22206 | S2S VPN is not recovering after IPSEC-Rekey event |
| CSCwq23394 | FTD may drop traffic in the Azure cloud at mlx5 driver level. |
| CSCwq27217 | ASA: Traceback and reload on threat detection, interfaces unstable after that |
| CSCwq29375 | ASA/FTD - Assert triggered during FP_PUNT replace (aaa account match) |
| CSCwq35960 | OSPF: High CPU, Route flaps, Lina Traceback and Reload in High Availability Setup. |
| CSCwq40256 | Inbound IPsec packets are dropped by IPsec offload when the crypto map ACL is using specific ports. |
| CSCwq50189 | ASAv deploy failed - console stuck at continuous |
| CSCwq50506 | Cisco Secure Firewall ASA Software and Secure FTD Software IKEv2 DoS Vulnerability |
| CSCwq54109 | FTD 3130 HA Lina tracebacks at ikev2_bin2hex_str |
| CSCwq70773 | show asp rule-engine issues with complete and run time |
| CSCwq74204 | IKEv1 L2Lvpn fails in phase 2 with "Rejecting IPsec tunnel: no matching crypto map entry" after upgrade |
| CSCwq74738 | RAVPN SSL/IKEV2 AUTH FAILURE: AAA PROCESS MISHANDLING BROKEN FIBER CLASS |
| CSCwq79815 | Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software VPN Web Server Unauthorized Access Vulnerability |
Version 9.20.4.7 – August 6, 2025
Defects resolved in this release:
| CSCwb07908 | Standby FTD/ASA sends DNS queries with source IP of 0.0.0.0 |
| CSCwf72285 | DAP: debug dap trace not fully shown after 3000+ lines |
| CSCwi80453 | Active node reload during peer app sync or config sync causes premature failover, config sync failure, and unexpected reboot |
| CSCwn27872 | Big chunk of Memory of around 25KB is being allocated on Stack in "eigrp_interface_ioctl" API |
| CSCwn71596 | Intf Link down (Init, mac-link-down) seen - EtherChannel Membership in Down/Down/Down state after unplug/replug of the cable |
| CSCwn92248 | FPR2100 & FPR1100: Port-channel interfaces flap with LACP |
| CSCwo00332 | Firepower wiping SSL trustpoint config after reloading. |
| CSCwo24856 | 9K block depletion causing slowdown of all traffic through firewall |
| CSCwo31094 | Virtual ASA Traceback and Reload Caused by Disk Access Issues with NFS Enabled |
| CSCwo33815 | FMC: Deployment takes longer than expected when removing SNMP hosts from Platform Settings |
| CSCwo35938 | IPv6 Management communication is lost due to a missing management-only multicast route. |
| CSCwo58260 | Add "built" and "teardown" messages for the GRE | IPinIP connections to the Lina syslog |
| CSCwo60609 | DNS doctoring not working correctly if the doctoring rule is of type dynamic and has any interface |
| CSCwo79028 | Post-Failover FQDN Resolution Deferred Until Next DNS Poll Interval |
| CSCwo79798 | Cryptochecksum changed after reloading. |
| CSCwo87763 | ASA/FTD: Primary standby unit becomes Active after reload in HA set up |
| CSCwo88204 | ASA/FTD traceback and reload triggered by the Smart Call Home process in sch_dispatch_to_url. |
| CSCwo88518 | If command replication fails to any nodes in cluster, send kick the node out from cluster to fmc |
| CSCwo89233 | Command replication failure to cluster nodes on command commit noconfirm revert-save after access-list, additional debugs |
| CSCwo91436 | FPR 4125 Multi instance: High Snort and System Core CPU Usage (100%) Triggering FMC Critical Alerts |
| CSCwo98752 | Traceback in threadname DATAPATH while trying to re-join cluster. |
| CSCwp08772 | ASA: tls-proxy maximum-session command error |
| CSCwp11382 | ASA/FTD: the ssl trust-point command deleted after a reload |
| CSCwp16739 | ASA crashinfo files not generated on FP4200 devices |
| CSCwp17700 | Syslog format is not properly printed when EMBLEM format is enabled at least in one syslog host |
| CSCwp22214 | Multiple mail drops and enq failures are seen while traffic is going through the box. |
| CSCwp26815 | CPU usage by "WebVPN Timer Process" on standby ASA device |
| CSCwp29401 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software SAML Reflected Cross-Site Scripting Vulnerability |
| CSCwp33410 | dmesg and kern.log file flooded with Tx Queue=0 logs |
| CSCwp37284 | "CSRF Token Mismatch" error seen when users click logout from Clientless VPN page |
| CSCwp39319 | ASA Memory leak while processing large CRLs. |
| CSCwp67356 | HA state should not transition from ColdStandby to Active |
| CSCwp89969 | Prolonged delays in firewall restart/reboot completion |
| CSCwp90780 | Restoring .tgz context file causes allocated interfaces to be removed from 'system' configuration |
| CSCwp97862 | If failover IPSEC PSK is 78 characters or greater HA breaks with "Could not set failover ipsec pre-shared-key" |
| CSCwq01516 | Cisco Secure Firewall ASA Software and Secure FTD Software IKEv2 DoS Vulnerability |
| CSCwq02055 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software VPN Web Services Client-Side Request Smuggling Vulnerability |
| CSCwq17612 | Misleading "failover reset" log printed on console when reload triggered by HA. |
| CSCwq24081 | Cisco Secure Firewall Adaptive Security Appliance Software SSH Partial Private Key Authentication Bypass Vulnerability |