Cisco ASA Interim Release Notes

The software images listed below are Interim releases. They contain bug fixes which address specific issues found since the last Feature or Maintenance release. The images are fully supported by Cisco TAC and will remain on the download site only until the next Maintenance release is available. If you do not have a specific problem which is resolved by an Interim release, we recommend that you use the Feature or Maintenance release images.

Important: These images were not fully regression tested. Each individual fix was unit tested, and the image has had a limited amount of automated regression testing to confirm a baseline of functionality. Keep this testing status in mind if you decide to run them in a production environment. We strongly encourage you to upgrade to a fully tested Maintenance or Feature release when it becomes available.

Revision: Version 8.6.1(17) – 04/08/2015
Files: asa861-17-smp-k8.bin
Defects resolved since 8.6.1(15):
Safari Browser crashes when accessing SmartTunnel link in Mac OS 10.7
Smarttunneled RDP client on MAC doesn't throw error after incorrect auth
Smart Tunnel failed for Safari 6.0.1/6.0.2 on OSX10.7 and 10.8
Mac version Smart Tunnel with Safari 6.0.1/6.0.2 issue
ASA SSL: Continues to accept SSLv3 during TLSv1 only mode
Safari crashes when use scroll in safari on MAC 10.8 with smart-tunnel
Webvpn: Add permissions attribute to mac smart-tunnel jar
1550 block leak occur if DNS replies "refused" query response
Failover units should accept only traffic coming from the peer
ASA : evaluation of SSLv3 POODLE vulnerability
Mac version smart-tunnel uses SSLv3 which is a vulnerability
ASA: evaluation of Poodle Bites in TLSv1
JANUARY 2015 OpenSSL Vulnerabilities
ASA / denial of service against xml parser.
2048-byte block leak if DNS server replies with "No such name"
Revision: Version 8.6.1(15) – 10/08/2014
Files: asa861-15-smp-k8.bin
Defects resolved since 8.6.1(14):
Cisco ASA Privilege Escalation
ASA: Entering Query String on /+CSCOE+/logon.html disclose information
Revision: Version 8.6.1(14) – 07/28/2014
Files: asa861-14-smp-k8.bin
Defects resolved since 8.6.1(13):
Cisco ASA SQL*NET Inspection Engine Denial of Service Vulnerability
Cisco ASA IKEv2 Denial of Service Vulnerability
Cisco ASA SCH Digital Certificate Validation Vulnerability
ASA:Tracebacks in thread dispatch unit due to SunRPC inspection
Multiple Vulnerabilities in OpenSSL - June 2014
ASA WebVPN portal modification vulnerability
Revision: Version 8.6.1(13) – 04/09/2014
Files: asa861-13-smp-k8.bin
Defects resolved since 8.6.1(12):
Cookie usage in SSL VPN
Add text section to coredump
ASA sip inspection memory leak
Privilege level 0 users getting full access
ASA SSL VPN Privilege Escalation Vulnerability
Page fault traceback in DATAPATH under DoS, rip qos_topn_hosts_db_reset
Revision: Version 8.6.1(12) – 10/09/2013
Files: asa861-12-smp-k8.bin
Defects resolved since 8.6.1(10):
ASA -crasActGrNumUsers does not update tunnel groups after upgrade
ASA CRYPTO: Hardware Accelerator Archive File Created
ASA traceback in Unicorn Proxy Thread while processing lua
ASA - SQL*Net Inspection Engine Denial of Service Vulnerability
ASA CIFS UNC Input Validation Issue
Port-channel config fails, Error: unable to get MCAST_MAC_TABLE_SIZE
HTTP Deep Packet Inspection Denial of Service Vulnerability
ASA traceback in Thread Name: ci/console after write erase command
ASA DNS Inspection Denial of Service Vulnerability
ASA OSPF LSA Injection Vulnerability
ASA Remote Access VPN Authentication Bypass Vulnerability
ASA Digital Certificate HTTP Authentication Bypass Vulnerability
Revision: Version 8.6.1(10) – 03/13/2013
Files: asa861-10-smp-k8.bin
Defects resolved since 8.6.1(5):
Failover disabled due to license incompatible different Licensed cores
"Failed to update IPSec failover runtime data" msg on the standby unit
Link outage in Etherchannel causes interface down and failover
ASA may reload with traceback in Thread Name scmd reader thread
Traceback in Dispatch Unit on Standby with timeout floating-conn
Standby ASA 5585 Reporting Service Card Failure on Signature Update
ASA is responding to IKE request when in vpnclient mode
ASA: Manual NAT rules inserted above others may fail to match traffic
ASA traceback cause by Global Policy
ASA may traceback in a DATAPATH thread
wrong vpn-filter gets applied when peers have overlapping address space
Corrupted route-map output for 'config' URL used by ASDM
Incorrect MPF conn counts cause %ASA-3-201011 and DoS condition for user
%ASA-3-201011: Connection limit exceeded when not hitting value
ASA: 8.3+ NAT overlap with failover IP cause both units to go active
ASA lets static NAT mapped IP to be same as standby address on interface
"X-CSTP-Tunnel-All-DNS" not properly set in SMP images for split-dns
ASA doesn't start quick mode negotiation - stuck tunnel manager entries
ASA Radius Acct-Delay-Time does not work
SNMP ciscoRasTooManySessions trap is sent from Standby ASA
(VPN-Secondary) Failed to update IPSec failover runtime data on the stan
ASA: Page fault traceback when changing port-channel load balancing
ASA: May log 305006 regular translation creation failed messages.
Interface oversubscription on active causes standby to disable failover
Traceback in CP Processing when enabling H323 Debug
ASA: Watchdog traceback from tmatch_element_release_actual
ASA: Page fault traceback when copying new image to flash
Standby ASA traceback while replicating flow from Active
ASA traceback due to nested protocol object-group used in ACL
After some time "show inventory" fails to display Power Supply SN
NAT Config Rejected on Upgrade when Objects Overlap with Failover IP
ASA traceback under threadname Dispatch Unit due to multicast traffic
ASA is max-aging OSPF LSAs after 50 minutes
ASA traceback in IKE Daemon while handling IKEv1 message
Traceback in Thread Name: accept/http
Accounting STOP with caller ID 0.0.0.0 if admin session exits abnormally
OSPF routes were missing on the Standby Firewall after the failover
TCP ts_val for an ACK packet sent by ASA for OOO packets is incorrect
ASA 8.4.4.6 and higher: no OSPF adj can be build with Portchannel port
Traceback in threadname CP Processing
ASA 5580 page fault in thread CERT API during pki validation
Log indicating syslog connectivity not created when server goes up/down
ASA may traceback in thread emweb/https
flash in ASA5505 got corrupted
Smart Call Home sends Environmental message every 5 seconds for 5500-X
Revision: Version 8.6.1(5) – 09/18/2012
Files: asa861-5-smp-k8.bin
Defects resolved since 8.6.1(2):
Radius upstream VSAs (Tunnel Group,Client type) for VPN policy decisions
ASA: IPSec outbound SA data lifetime rekey fails
invalid command dhcp client xxx on ASA 8.4
Traceback seen while running packet-tracer due to Page fault
ASA reloads with traceback in Thread Name : Dispatch Unit
ASA: Radius MS-CHAPV2 with challenge fails
ASA: WCCP with authentication fails in 8.3 and 8.4
ASA5510, 8.4(2) - page fault traceback accessing a bookmarked DFS share
ASA: Builds conn for packets not destined to ASA's MAC in port-channel
DCERPC inspection does not properly fix up port and IP in Map Response
Outbound IPsec traffic interruption after successful Phase2 rekey
After upgrade, AnyConnect causes 1550 or 2048 block depletion
SharePoint2010:Cannot create new document
ASA: Decrypted VPN packets dropped due to bad-tcp-cksum when using NAT-T
Configuring a network object with an invalid range causes traceback
Syslog 199011 "Close on bad channel in process/fiber"
ASA: Failover due to data channel failure when making IPS config changes
ENH: Add Command to Allow ARP Cache Entries from Non-Connected Subnets
ASA-4-402116 - error message displays outer instead of inner packet
ASA sip inspect - duplicate pre-allocate secondary pinholes created
ASA: CPU profile activate command prints incorrect instructions
Block depletion, embedded web client transmit queue
5500X Software IPS console too busy for irq can cause data plane down.
auto-nego results in 100MB on ASA5500-X Giga interfaces
Traceback in Thread Name: Dispatch Unit
pki: import from terminal fails when 'quit' embedded in certificate
ASA 5500-x only show 4096MB flash in 'show ver'
ASA:write standby command brings down port-channel interface on standby
config factory-default does not clear ssl commands
Revision: Version 8.6.1(2) – 06/11/2012
Files: asa861-2-smp-k8.bin
Defects resolved since 8.6.1(1):
ASA 8.2 Crypto Engine Tracebacks Multiple Times
ASA EIGRP route not updated after failover
8.4.2.2: Thread Name: DATAPATH-0-1272 Page fault: Unknown
Secondary Auth successfully connects with blank password
ASASM traceback in DATAPATH-3-2265
ASA - Dispatch unit traceback - snp_nat_xlate_timeout
ASA 5580 traceback when CSM attempts deployment
IKEv2: ASA does not re-establish more than one SA after disconnect
ASA crash causes reloads when removing stale SunRPC action hole
ASA5500-X Chassis Serial Number Not Visible from CLI
ASA5515 doesn't support "config factory-default"
Revision: Version 8.6.1(1) – 03/14/2012
Files: asa861-1-smp-k8.bin
Defects resolved since 8.6.1:
Port Forwarder ActiveX control contains a Buffer Overflow vulnerability
Clientless Port Forward control may cause an unhandled C++ exception
Threat Detection Denial Of Service Vulnerability
ActiveX RDP Plugin fails to connect from Win7 PC after upgrade to 8.4(3)
RDP activex portforwarder is sometimes not loading