Release Notes for the Cisco ASA Series, 9.10(x)
This document contains release information for Cisco ASA software Version 9.10(x).
Important Notes
- Upgrade ROMMON for ASA 5506-X, 5508-X, and 5516-X to Version 1.1.15—There is a new ROMMON version for these ASA models (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.
Caution
The ROMMON upgrade for 1.1.15 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.
- No support in 9.10(1) and later for the ASA FirePOWER module on the ASA 5506-X series and the ASA 5512-X—The ASA 5506-X series and 5512-X no longer support the ASA FirePOWER module in 9.10(1) and later due to memory constraints. You must remain on 9.9(x) or lower to continue using this module. Other module types are still supported. If you upgrade to 9.10(1) or later, the ASA configuration that sends traffic to the FirePOWER module will be erased; make sure to back up your configuration before you upgrade. The FirePOWER image and its configuration remain intact on the SSD. If you want to downgrade, you can copy the ASA configuration from the backup to restore functionality.
- These ciphers are currently unsupported for DTLS 1.2 in FIPS mode for the Firepower 2100 (KP) platforms:
  - DHE-RSA-AES256-SHA
  - AES256-SHA
  - DHE-RSA-AES128-SHA
  - AES128-SHA
- If you are using SAML authentication with AnyConnect 4.4 or 4.5 and you deploy ASA version 9.10(1), the default SAML behavior is the embedded browser, which is not supported on AnyConnect 4.4 and 4.5. Therefore, you must enable the saml external-browser command in the tunnel group configuration in order for AnyConnect 4.4 and 4.5 clients to authenticate with SAML using the external (native) browser.
Note
The saml external-browser command is for migration purposes for those upgrading to AnyConnect 4.6 or later. Because of security limitations, use this solution only as part of a temporary migration while upgrading AnyConnect software. The command itself will be deprecated in the future.
- New ROMMON Version 1.1.12 for the ASA 5506-X, 5508-X, and 5516-X—We recommend that you upgrade your ROMMON for several crucial fixes. See https://www.cisco.com/go/asa-firepower-sw, choose your model > ASA Rommon Software > 1.1.12. Refer to the release notes on the software download page for more information. To upgrade the ROMMON, see Upgrade the ROMMON Image (ASA 5506-X, 5508-X, and 5516-X). Note that the ASA running Firepower Threat Defense does not yet support upgrading to this ROMMON version; you can, however, successfully upgrade it in ASA and then reimage to Firepower Threat Defense.
- The RSA toolkit version used in ASA 9.x is different from what was used in ASA 8.4, which causes differences in PKI behavior between these two versions.
  For example, ASAs running 9.x software allow you to import certificates with an Organizational Name Value (OU) field length of 73 characters. ASAs running 8.4 software allow you to import certificates with an OU field name of 60 characters. Because of this difference, certificates that can be imported in ASA 9.x will fail to be imported to ASA 8.4. If you try to import an ASA 9.x certificate to an ASA running version 8.4, you will likely receive the error, "ERROR: Import PKCS12 operation failed."
System Requirements
This section lists the system requirements to run this release.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note
New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in ASA 9.10(1)
Released: October 25, 2018
| Feature | Description |
|---|---|
| Platform Features | |
| ASAv VHD custom images for Azure | You can now create your own custom ASAv images on Azure using a compressed VHD image available from Cisco. To deploy using a VHD image, you upload the VHD image to your Azure storage account. Then, you can create a managed image using the uploaded disk image and an Azure Resource Manager template. Azure templates are JSON files that contain resource descriptions and parameter definitions. |
| ASAv for Azure | The ASAv is available in the Azure China Marketplace. |
| ASAv support for DPDK | DPDK (Dataplane Development Kit) is integrated into the dataplane of the ASAv using poll-mode drivers. |
| ISA 3000 support for FirePOWER module Version 6.3 | The previously supported version was FirePOWER 5.4. |
| Firewall Features | |
| Cisco Umbrella support | You can configure the device to redirect DNS requests to Cisco Umbrella, so that your Enterprise Security policy defined in Cisco Umbrella can be applied to user connections. You can allow or block connections based on FQDN, or, for suspicious FQDNs, you can redirect the user to the Cisco Umbrella intelligent proxy, which can perform URL filtering. The Umbrella configuration is part of the DNS inspection policy. New/Modified commands: umbrella, umbrella-global, token, public-key, timeout edns, dnscrypt, show service-policy inspect dns detail |
| GTP inspection enhancements for MSISDN and Selection Mode filtering, anti-replay, and user spoofing protection | You can now configure GTP inspection to drop Create PDP Context messages based on Mobile Station International Subscriber Directory Number (MSISDN) or Selection Mode. You can also implement anti-replay and user spoofing protection. New/Modified commands: anti-replay, gtp-u-header-check, match msisdn, match selection-mode |
| Default idle timeout for TCP state bypass | The default idle timeout for TCP state bypass connections is now 2 minutes instead of 1 hour. |
| Support for removing the logout button from the cut-through proxy login page | If you configure the cut-through proxy to obtain user identity information (the AAA authentication listener), you can now remove the logout button from the page. This is useful in cases where users connect from behind a NAT device and cannot be distinguished by IP address; when one user logs out, it logs out all users of that IP address. New/Modified commands: aaa authentication listener no-logout-button. Also in 9.8(3). |
| Trustsec SXP connection configurable delete hold down timer | The default SXP connection hold down timer is 120 seconds. You can now configure this timer, between 120 and 64000 seconds. New/Modified commands: cts sxp delete-hold-down period, show cts sxp connection brief, show cts sxp connections. Also in 9.8(3). |
| Support for offloading NAT'ed flows in transparent mode | If you are using flow offload (the flow-offload enable and set connection advanced-options flow-offload commands), offloaded flows can now include flows that require NAT in transparent mode. |
| Support for transparent mode deployment for a Firepower 4100/9300 ASA logical device | You can now specify transparent or routed mode when you deploy the ASA on a Firepower 4100/9300. New/Modified FXOS commands: enter bootstrap-key FIREWALL_MODE, set value routed, set value transparent |
| VPN Features | |
| Support for legacy SAML authentication | If you deploy an ASA with the fix for CSCvg65072, then the default SAML behavior is to use the embedded browser, which is not supported on AnyConnect 4.4 or 4.5. Therefore, to continue to use AnyConnect 4.4 or 4.5, you must enable the legacy external browser SAML authentication method. Because of security limitations, use this option only as part of a temporary plan to migrate to AnyConnect 4.6 (or later). This option will be deprecated in the near future. New/Modified commands: saml external-browser. Also in 9.8(3). |
| DTLS 1.2 support for AnyConnect VPN remote access connections | DTLS 1.2, as defined in RFC 6347, is now supported for AnyConnect remote access in addition to the currently supported DTLS 1.0 (the 1.1 version number is not used for DTLS). This applies to all ASA models except the 5506-X, 5508-X, and 5516-X, and applies only when the ASA is acting as a server, not as a client. DTLS 1.2 supports additional ciphers, as well as all current TLS/DTLS ciphers, and a larger cookie size. New/Modified commands: show run ssl, show vpn-sessiondb detail anyconnect, ssl cipher, ssl server-version |
| High Availability and Scalability Features | |
| Cluster control link customizable IP Address for the Firepower 4100/9300 | By default, the cluster control link uses the 127.2.0.0/16 network. You can now set the network when you deploy the cluster in FXOS. The chassis auto-generates the cluster control link interface IP address for each unit based on the chassis ID and slot ID: 127.2.chassis_id.slot_id. However, some networking deployments do not allow 127.2.0.0/16 traffic to pass. Therefore, you can now set a custom /16 subnet for the cluster control link in FXOS, except for loopback (127.0.0.0/8) and multicast (224.0.0.0/4) addresses. New/Modified FXOS commands: set cluster-control-link network |
| Parallel joining of cluster units per Firepower 9300 chassis | For the Firepower 9300, this feature ensures that the security modules in a chassis join the cluster simultaneously, so that traffic is evenly distributed between the modules. If a module joins well in advance of the other modules, it can receive more traffic than desired, because the other modules cannot yet share the load. New/Modified commands: unit parallel-join |
| Cluster interface debounce time now applies to interfaces changing from a down state to an up state | When an interface status update occurs, the ASA waits the number of milliseconds specified in the health-check monitor-interface debounce-time command or the ASDM screen before marking the interface as failed and removing the unit from the cluster. This feature now applies to interfaces changing from a down state to an up state. For example, in the case of an EtherChannel that transitions from a down state to an up state (for example, the switch reloaded, or the switch enabled an EtherChannel), a longer debounce time can prevent the interface from appearing to be failed on a cluster unit just because another cluster unit was faster at bundling the ports. We did not modify any commands. |
| Active/Backup High Availability for ASAv on Microsoft Azure Government Cloud | The stateless Active/Backup solution that allows a failure of the active ASAv to trigger an automatic failover of the system to the backup ASAv in the Microsoft Azure public cloud is now available in the Azure Government Cloud. New or modified command: failover cloud |
| Interface Features | |
| show interface ip brief and show ipv6 interface output enhancement to show the supervisor association for the Firepower 2100/4100/9300 | For the Firepower 2100/4100/9300, the output of the command is enhanced to indicate the supervisor association status of the interfaces. New/Modified commands: show interface ip brief, show ipv6 interface |
| The set lacp-mode command was changed to set port-channel-mode on the Firepower 2100 | The set lacp-mode command was changed to set port-channel-mode to match the command usage in the Firepower 4100/9300. New/Modified FXOS commands: set port-channel-mode |
| Administrative, Monitoring, and Troubleshooting Features | |
| Support for NTP Authentication on the Firepower 2100 | You can now configure SHA1 NTP server authentication in FXOS. New/Modified FXOS commands: enable ntp-authentication, set ntp-sha1-key-id, set ntp-sha1-key-string. New/Modified Firepower Chassis Manager options: NTP Server Authentication: Enable check box, Authentication Key field, Authentication Value field |
| Packet capture support for matching IPv6 traffic without using an ACL | If you use the match keyword for the capture command, the any keyword only matches IPv4 traffic. You can now specify the any4 and any6 keywords to capture either IPv4 or IPv6 traffic. The any keyword continues to match only IPv4 traffic. New/Modified commands: capture match |
| Support for public key authentication for SSH to FXOS on the Firepower 2100 | You can set the SSH key so you can use public key authentication instead of, or in addition to, password authentication. New/Modified FXOS commands: set sshkey |
| Support for GRE and IPinIP encapsulation | When you do a packet capture on the inside interface, the output of the command is enhanced to display the GRE and IPinIP encapsulation on ICMP, UDP, TCP, and other traffic. New/Modified commands: show capture |
| Support to enable memory threshold that restricts application cache allocations | You can restrict application cache allocations on reaching a specified memory threshold so that memory is reserved to maintain the stability and manageability of the device. New/Modified commands: memory threshold enable, show run memory threshold, clear conf memory threshold |
| Support for RFC 5424 logging timestamp | You can enable the logging timestamp in RFC 5424 format. New/Modified command: logging timestamp |
| Support to display memory usage of TCB-IPS | Shows the application-level memory cache for TCB-IPS. New/Modified command: show memory app-cache |
| Support to enable and disable the results for free memory and used memory statistics during SNMP walk operations | To avoid overutilization of CPU resources, you can enable and disable the query of free memory and used memory statistics collected through SNMP walk operations. New/Modified command: snmp-server enable oid |
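The following is an added configuration example, not taken from these release notes, for the SAML migration described in the Important Notes and in the Support for legacy SAML authentication feature above. The tunnel-group name ra-saml, the IdP entity ID and URLs under idp.example.com, the trustpoint names IDP-CA and ASA-SP, and the base URL vpn.example.com are placeholders.

```cisco
! Added example (not from the release notes). Placeholder values:
! tunnel-group "ra-saml", IdP entity ID/URLs under idp.example.com,
! trustpoints IDP-CA and ASA-SP, base URL https://vpn.example.com.
webvpn
 saml idp https://idp.example.com/saml
  url sign-in https://idp.example.com/saml/sso
  url sign-out https://idp.example.com/saml/slo
  trustpoint idp IDP-CA
  trustpoint sp ASA-SP
  base-url https://vpn.example.com
!
tunnel-group ra-saml webvpn-attributes
 authentication saml
 saml identity-provider https://idp.example.com/saml
 ! Interim setting only while AnyConnect 4.4/4.5 clients remain: use the
 ! external (native) browser instead of the default embedded browser.
 saml external-browser
!
! Once every client is on AnyConnect 4.6 or later, return to the default
! embedded-browser behavior by removing the interim command:
!   tunnel-group ra-saml webvpn-attributes
!    no saml external-browser
```

Removing saml external-browser at the end of the migration is the step that matters; leaving it in place keeps the less secure legacy method active for every client on that tunnel group.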
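As an added example (not from the release notes) of the Cisco Umbrella support described above, this is a minimal DNS inspection policy that redirects DNS requests to Umbrella with DNScrypt enabled; the token is a placeholder, the policy-map name umbrella-dns is an assumption, and the Umbrella registration CA certificate is assumed to be installed as a trustpoint already (not shown).

```cisco
! Added example (not from the release notes). PLACEHOLDER_TOKEN stands in
! for the API token from the Umbrella dashboard; "umbrella-dns" is an
! assumed policy-map name.
umbrella-global
 token PLACEHOLDER_TOKEN
!
policy-map type inspect dns umbrella-dns
 parameters
  ! Redirect DNS requests to Umbrella so the Umbrella policy applies to
  ! user connections (allow/block by FQDN, intelligent proxy for suspicious FQDNs)
  umbrella
  ! Encrypt the redirected DNS traffic between the ASA and Umbrella
  dnscrypt
!
! Apply the DNS inspection policy to the default inspection class
policy-map global_policy
 class inspection_default
  inspect dns umbrella-dns
!
! Verify device registration with Umbrella and the redirect counters:
!   show service-policy inspect dns detail
```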
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
- CLI—Use the show version command.
- ASDM—Choose .
See the following table for the upgrade path for your version. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
| Current Version | Interim Upgrade Version | Target Version |
|---|---|---|
| 9.9(x) | — | Any of the following: → 9.10(x) → 9.9(x) |
| 9.8(x) | — | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) |
| 9.7(x) | — | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) |
| 9.6(x) | — | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) |
| 9.5(x) | — | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) |
| 9.4(x) | — | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) |
| 9.3(x) | — | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) |
| 9.2(x) | — | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) |
| 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) | — | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 9.1(1) | → 9.1(2) | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 9.0(2), 9.0(3), or 9.0(4) | — | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 9.0(1) | → 9.0(2), 9.0(3), or 9.0(4) | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.6(1) | → 9.0(2), 9.0(3), or 9.0(4) | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.5(1) | → 9.0(2), 9.0(3), or 9.0(4) | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.4(5+) | — | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.4(1) through 8.4(4) | Any of the following: → 9.0(2), 9.0(3), or 9.0(4) → 8.4(6) | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.3(x) | → 8.4(6) | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
| 8.2(x) and earlier | → 8.4(6) | Any of the following: → 9.10(x) → 9.9(x) → 9.8(x) → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.10(x)
The following table lists select open bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | ASA must not set RS-bit longer than RouterDeadInterval sec - NSF Cisco |
| | ASA Stops Accepting Anyconnect Sessions/Terminates Connections Right After Successful SSL handshake |
| | Formatting the blade results in "Format Failure" |
| | Management Interface shows up even when connected switchport is shutdown |
| | GTP inspection may spike cpu usage |
| | ASA traceback in Thread name: idfw_proc on running "show access-list" |
| | Traceback when trying to save/view access-list with object groups (display_hole_og) |
| | ASA Traceback in Assert "0" failed: file "timer_services.c" |
| | Priority Queueing does not work correctly on ASA5516 platform |
| | ASA IKEv2 unable to open aaa session: session limit [2048] reached |
| | Traceback and reload when removing access-list configuration |
| | Traceback in DATAPATH on standby FTD |
| | ASA may traceback and reload with combination of packet-tracer and captures |
| | Traceback in thread icmp_thread during syslog notify |
| | QoS Police not limiting traffic as expected |
| | Withdrawal advertisements for specific prefixes are flooded before flooding aggregate prefix |
| | FPR4110: ASA drops VPN traffic during rekeying on enabling "crypto engine accelerator-bias ipsec" |
| | ASA5585 doesn't use priority RX ring when FlowControl is enabled |
| | Active FTP Data transfers fail with FTP inspection and NAT |
| | ASA Traceback (watchdog timeout) when syncing config from active unit (inc. cachefs_umount) |
| | SSH session stuck after committing changes within a Configure Session. |
| | Watchdog on 2100 FTD when logging to flash wraps |
| | ASA may traceback in Checkheap due to issue with malloc buffer |
| | FTD IPV6 traffic outage after interface edit and deployment part 1/2 |
| | ASA: Cisco Secure Desktop Host Scanner Bypass |
| | Stuck IP from IP Local pool even when user disconnects from Anyconnect |
| | Configuration Generation in the crypto portion changes without configuration change |
| | Lina traceback at Thread Name: appAgent_monitor_nd_thread |
| | VTI IKEv1: Responder-only breaks tunnel during rekey |
| | Qos applied on interfaces doesn't work. |
| | ASA is stuck on "reading from flash" for several hours |
| | CPU spikes on cores in ASA5585-SSP-10 |
| | Standby unit sending BFD packets with active unit IP, causing BGP neighborship to fail. |
| | ASA traceback and reload when issuing "sw-module module ips reload" |
| | Inconsistency in the hash value generated in the ASA logs |
| | ASA stops encrypting traffic for long sessions |
| | match incorrect ACL |
| | ASA traceback Thread Name: CMGR Server Process and after upgrade FirePOWER module |
| | Port-Channel issues on HA link |
| | ASA sending syslog traffic using the wrong interface. |
| | ASA traceback on cluster slave node during cluster join due to OSPF and IPv6 used together in ACE |
| | ASA may traceback and reload without generating a crashinfo file. |
| | ASA stops listening Direct Authentication port for HTTP |
| | REST-API on ASA fails with SERVER ERROR when pushing extensive group-policy configuration. |
| | BGP tears down in 180 second when used with the VTI. |
| | Caveat traceback on FTD 6.2.3.5 Lina process causing HA lost and outage |
| | ASA: IPSec SA installation failure due to 'Failed to create session mgmt entry for SPI <>' |
| | Access-lists missing / expansion problem, causing outage |
| | Connected routes not distributing after new Master election in cluster |
| | ASA not inspecting H323 H225 |
| | ASA core blocks depleted when host unreachable in IRB configuration |
| | Upgrade failed on the blade while upgrading ASA from 9.10.0.6 to .8 build |
| | ASA Round Robin Pat Ip stickiness not working |
| | Only first line of traceroute is captured in event manager output |
| | DATAPATH traceback on ASA5585 involving 10GE interface driver (ixgbe) |
| | NTP synchronization doesn't work when setting BVI IF as NTP source interface |
| | REST-API Large Data transfer is failing to/from device |
| | traceback on ASA5515 with CP Processing thread (accompanied by long CPU hog on the thread) |
| | ASA 5506 %Error copying http://x.x.x.x/asasfr-5500x-boot-6.2.3-4.img (No space left on device) |
| | ASA/IKEv2-L2L: Do not allow two IPsec tunnels with identical proxy IDs |
| | FTD HA with encrypted failover link see block depletion of 1550 block |
| | FTD crashed with thread name DATAPATH-19-14446 causing failover |
| | after failover occurs ASA closes existing management connections with new IP but old MAC |
Resolved Bugs in Version 9.10(1)
The following table lists select resolved bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | Stale VPN Context entries cause ASA to stop encrypting traffic |
| | ASA unable to remove ACE with 'log disable' option |
| | WebVPN 'enable intf' with DHCP, CLI missing when ASA boots |
| | Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416 |
| | Failover crypto IPsec IKEv2 config does not match when sync with standby |
| | AVT : Missing Content-Security-Policy Header in ASA 9.5.2 |
| | AVT : Missing X-Content-Type-Options in ASA 9.5.2 |
| | ASA traceback at first boot in 5506 due to unable to allocate enough LCMB memory |
| | ASA "show tech" some commands twice, show running-config/ak47 detailed/startup-config errors |
| | ASA policy-map configuration is not replicated to cluster slave |
| | ASA traceback in DATAPATH thread while running captures |
| | Traceback when syslog sent over VPN tunnel |
| | Stale VPN Context issue seen in 9.1 code despite fix for CSCvb29688 |
| | ASA boot loop caused by logs sent after FIPS boot test |
| | ASA traceback on failover sync with WebVPN and shared storage-url config |
| | Netflow Returns Large Values for Bytes Sent/Received and IP address switch |
| | ERROR: Unable to create crypto map: limit reached, when adding entry |
| | ASA : ICMPv6 syslog messages after upgrade to 962. |
| | asdm displays error uploading image |
| | Standby ASA has high CPU usage due to extremely large PAT pool range |
| | ASA traceback due to deadlock between DATAPATH and webvpn processes |
| | FTD Diagnostic Interface does Proxy ARP for br1 management subnet |
| | ASA traceback due to 1550 block exhaustion. |
| | Smart licensing doesn't work if ASA hostname is "ASAv" |
| | Cisco ASA sw, FTD sw, and AnyConnect Secure Mobility Client SAML Auth Session Fixation Vulnerability |
| | Default DLY value of port-channel sub interface mismatch |
| | icmp/telnet traffic fail by ipv6 address on transparent ASA |
| | ASA does not unrandomize the SLE and SRE values for SACK packet generated by ASA module |
| | IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload. |
| | ASA watchdog traceback during context modification/configuration sync |
| | Slow 2048 byte block leak due to fragmented traffic over VPN |
| | ASA - ICMP flow drops with "no-adjacency" on interface configured in zone when inspection enabled |
| | IPv6 protocol 112 packets passing through L2FW are dropping with Invalid IP length message |
| | ASA on Firepower Threat Defense devices traceback due to SSL |
| | Firepower Threat Defense device unable to establish ERSPAN with Nexus 9000 |
| | ASA Running config through REST-API Full Backup does not contain the specified context configuration |
| | Firepower 2110 ASA : Shared management across context unable to reach to GW |
| | change failover standby unit license status "invalid" to "not applicable in standby state" |
| | FQDN object are getting resolved after removing access-group configuration |
| | Rest-API gives empty response for certain queries |
| | ASAv - Traceback in DATAPATH thread due to panic in spin_lock |
| | Cisco Adaptive Security Appliance Denial of Service Vulnerability |
| | Cisco Adaptive Security Appliance Denial of Service Vulnerability |
| | Cisco Adaptive Security Appliance Denial of Service Vulnerability |
| | DHCP Relay With Dual ISP and Backup IPSEC Tunnels Causes Flapping |
| | ASA sending DHCP decline \| not assigning address to AC clients via DHCP |
| | upgrade of ASA5500 series firewalls results in boot loop (not able to get past ROMMON) |
| | ASA Traceback and goes to boot loop on 9.6.3.1 |
| | ASDM/Webvpn stops working after reload if IPv6 address configured on the interface |
| | Using the "match" keyword in capture command causes IPv6 traffic to be ignored in capture |
| | KP traceback illegal memory access inside a vendor Modular Exponentiation implementation |
| | ASA/FTD Deployment ERROR 'Management interface is not allowed as Data is in use by this instance' |
| | webvpn: multiple rendering issues on Confluence and Jira applications |
| | Upon reboot, non-default SSL commands are removed from the Firepower 4100 |
| | BGP ASN cause policy deployment failures. |
| | ASA: Traceback in Thread Name UserFromCert |
| | FTD: Layer 2 protocol packets (ex: BPDUs) are dropped during snort process restarts |
| | CWS redirection on ASA doesn't treat SSL Client Hello retransmission properly in specific condition |
| | ASA traceback and reload due to watchdog timeout when DATAPATH accesses compiling ACL structure |
| | Multicast ip-proto-50 (ESP) dropped by ASP citing 'np-sp-invalid-spi' |
| | ASA fails to encrypt after performing IPv6 to IPv4 NAT translation |
| | ASA - Traceback while releasing a vpn context spin lock |
| | IKEv1 RRI : With Answer-only Reverse Route gets deleted during Phase 1 rekey |
| | Traceback and reload with 'show tech' on ASA with No Payload Encryption (NPE) |
| | WebVPN rewriter: drop down menu doesn't work in BMC Remedy |
| | ASA does not send 104001 and 104002 messages to TCP/UDP syslog |
| | ASA Cut-Through Proxy allowing user to access website, but displaying "authentication failed" |
| | PKI:- ASA fails to process CRL's with error "Add CA req to pool failed. Pool full." |
| | ASA pair: IPv6 static/connected routes are not sync/replicated between Active/Standby pairs. |
| | Stuck uauth entry rejects AnyConnect user connections |
| | ASA does not report accurate free memory under "show memory" output |
| | Port-channel's subinterfaces share same MAC address on both unit of Threat Defense pair |
| | "show memory binsize" and "show memory top-usage" do not show correct information, all show PC 0x0 |
| | Not able to do snmpwalk when snmpv1&2c host group configured. |
| | ASA: DNS expire-entry-timer configuration disappears after reboot |
| | Allow ASA to process packet with hop limit of 0 (Follow RFC 8200) |
| | SNMP causing slow memory leak |
| | Azure: ASAv running Cloud high availability gets in a watchdog crash loop |
| | REST-API:500 Internal Server Error |
| | ASA NAT position discrepancy between CLI and REST-API causing REST to delete wrong config |
| | IKEv1 RRI : With Originate-only Reverse Route gets deleted during Phase 1 rekey |
| | ASA5585 device power supply Serial Number not in the snmp response |
| | Memory leak on webvpn |
| | Firepower 2100 Incorrect reply for SNMP get request 1.3.6.1.2.1.1.2.0 |
| | Zeroize RSA key after Failover causes REST API to fail to changeto System context |
| | FTD: AAB might force a snort restart with relatively low load on the system |
| | PIM Auto-RP packets are dropped after cluster master switchover |
| | ASA 9.6(4): WebVPN page not loading correctly |
| | ASA:netsnmp:Snmpwalk is failed on some group of IPs of a host-group. |
| | Illegal update occurs when device removes itself from the cluster |
| | LDAP over SSL crypto engine error |
| | 256 Byte block leak observed due to ARP traffic when using VTI |
| | Cisco Firepower 2100 Series POODLE TLS security scanner alerts |
| | ASA generate traceback in DATAPATH thread |
| | ASA5515 Low DMA memory when ASA-IC-6GE-SFP-A module is installed |
| | ASA traceback during output of "show service-policy" with a high number of interfaces and qos |
| | Neighbour Solicitation messages are observed for IPv6 traffic |
| | ASA self-signed RSA certificate is not allowed for TLS in FIPS mode |
| | pki handles: increase and fail to decrement |
| | Edit GUI language on ASDM AC downloads but ignores the change FPR-21XX |
| | ASA not matching IPv6 traffic correctly in access control license with "any" keyword configured |
| | Slave unit drops UDP/500 and IPSec packets for S2S instead of redirecting to Master |
| | To-the-box traffic being routed out a data interface when failover is transitioning on a New Active |
| | Standby traceback in Thread "Logger" after executing "failover active" with telnet access |
| | Traceback at snmp address not mapped when snmp-server not enabled |
| | Flow-offload rewrite rules not updated when MAC address of interface changes |
| | In version 9.7 and lower ASA does not honor "no signature" under saml configuration |
| | Cluster: Enhance ifc monitor debounce-time for interface down->up scenario |
| | ASA PKI OCSP failing - CRYPTO_PKI: failed to decode OCSP response data. |
| | ASA - zonelabs-integrity : Traceback and High CPU due to Process 'Integrity FW task' |
| | ASA : Device sends only ID certificate in SSL server certificate packet after reload |
| | CWE-20: Improper Input Validation |
| | Traceback: Thread Name: IPsec message handler |
| | Bonita BPM app's web pages access fail via webvpn |
| | ASA 9.8.2 Receiving syslog 321006 reporting System Memory as 101% |
| | ASA traceback in Thread Name: DATAPATH-14-17303 |
| | portal-access-rule changing from "deny" to "permit" |
| | Firepower Threat Defense 2100 asa traceback for unknown reason |
| | ASA SIP and Skinny sessions drop, when two subsequent failovers take place |
| | ASA memory Leak - snp_svc_insert_dtls_session |
| | ASA traceback on Firepower Threat Defense 2130-ASA-K9 |
| | ASA portchannel lacp max-bundle 1 hot-sby port not coming up after link failure |
| | create/delete context stress test causes traceback in nameif_install_arp_punt_service |
| | Scansafe feature doesn't work at all for HTTPS traffic |
| | ASA does not unrandomize the SLE and SRE values for SACK packet generated by ASA module |
| | Remove/Increase the maximum 255 characters error limit in result of a cli command! |
| | Excessive logging from ftdrpcd process on 2100 series appliances |
| | Static IPv6 route prefix will be removed from the ASA configuration |
| | clear crypto ipsec ikev2 commands not replicated to standby |
| | FTD does not send Marker for End-of-RIB after a BGP Graceful Restart |
| | Traceback in cli_xml_server Thread |
| | Traceback at "ssh" when executing 'show service-policy inspect gtp pdp-context detail' |
| | Usage of 'virtual http' or 'virtual telnet' incorrectly needs 'same-security permit intra-interface' |
| | 2100/4100/9300: stopping/pausing capture from Management Center doesn't lower the CPU usage |
| | Netflow configuration on Active ASA is replicated in upside down order on Standby unit |
| | Packet capture fails for interface named "management" on Firepower Threat Defense |
| | IP Local pools configured with the same name. |
| | Clock sync issue on ASA with FXOS |
| | ASA traceback when logging host command is enabled for IPv6 after each reboot |
| | 1550 Block Depletion Causes ASA to reload 6.2.3.3. |
| | webvpn-l7-rewriter: Bookmark logout fails on IE |
| | WebPage is not loading due to client rewriter issue on JS files |
| | ASA Smart Licensing messaging fails with 'nonce failed to match' |
| | ASA may traceback due to SCTP traffic |
| | ASA: 9.6.4, 9.8.2 - Failover logging message appears in user context |
| | "show memory binsize" and "show memory top-usage" do not show correct information (Complete fix) |
| | Flows get stuck in lina conn table in half-closed state |
| | webvpn: Bookmark fails to render on Firefox and Chrome. IE fine. |
| | ASA 5525 running 9.8.2.20 memory exhaustion. |
| | ASA generates warning messages regarding IKEv1 L2L tunnel-groups |
| | GTP soft traceback seen while processing v2 handoff |
| | ASA traceback with Thread Name: DATAPATH-1-2325 |
| | ASA Traceback and reload when executing show process (rip: inet_ntop6) |
| | Enabling compression necessary to load ASA SSLVPN login page customization |
| | Unwanted IE present error when parsing GTP APN Restriction |
| | IKEv2 RA with EAP fails due to Windows 10 version 1803 IKEv2 fragmentation feature enabled. |
| | Large ACL taking long time to compile on boot causing outage |
| | Certificate import from Local CA fails due to invalid Content-Encoding |
| | ASA may traceback and reload when accessing qos metrics via ASDM/Telnet/SSH |
| | WebVPN: Grammar Based Parser fails to handle META tags |
| | ASAv and FTDv deployment fails in Microsoft Azure and/or slow console response |
| | ASA "snmp-server enable traps memory-threshold" hogs CPU resulting in "no buffer" drops |
| | ASA CP core pinning leads to exhaustion of core-local blocks |
| | Firepower 2100 tunnel flap at data rekey with high throughput Lan-to-Lan VPN traffic |
|
When logging into the ASA via ASDM, syslog 611101 shows IP as 0.0.0.0 as remote IP |
|
mac address is flapping on huasan switch when asa etherchannel is configued with active mode |
|
Firepower 2110, Webvpn conditional debugging causes Threat Defense to traceback |
|
Traceback and reload due to GTP inspection and Failover |
|
Traceback: ASA 9.8.2.28 while doing mutex lock |
|
ASA cluster: Traffic loop on CCL with NAT and high traffic |
|
ASA WebVPN - incorrect rewriting for SAP Netweaver |
|
AnyConnect 4.6 Web-deploy fails on MAC using Safari 11.1.x browsers |
|
GTP inspection should not process TCP packets |
|
Async queue issues with fragmented packets leading to block depletion 9344 |
|
Firepower Threat Defense: Low DMA memory leading to VPN failures due to incorrect crypto maps |
|
ASA IKEv2 crash while deleting SAs |
|
FTD or ASA traceback and reload in "Thread Name: Logger Page fault: Address not mapped" |
|
ASA unable to handle Chunked Transfer-encoding returned in HTTP response pages in Clientless WebVPN |
|
Clientless webvpn fails when ASA sends HTTP as a message-body |
|
RDP bookmark plugin won't launch |
|
Using EEM to track VPN connection events may cause traceback and reload |
|
"capture stop" command doesn't work for asp-drop type capture |
|
ASA: Memory leak due to PC cssls_get_crypto_ctxt |
|
ASA Traceback: Thread Name NIC Status Poll. |
|
Incorrect calculation of AAB in ASA causes random AAB invocations. |
|
Firepower 2100 ASA Smart Licensing Hostname Change Not Reflected in Smart Account |
|
Cisco Adaptive Security Appliance WebVPN - VPN not connecting through Browser |
|
ASA: Add additional IKEv2/IPSec debugging for CSCvm70848 |
|
ASA: IPSec SA installation failure due to 'Failed to create session mgmt entry for SPI <>' |
|
ASAv/FP2100 Smart Licensing - Unable to register/renew license |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.