Release Notes for the Cisco ASA Series, 9.12(x)
This document contains release information for Cisco ASA software Version 9.12(x).
Important Notes
- ASDM signed-image support in 9.12(4.50)/7.18(1.152) and later—The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image with an ASA version that includes this fix, ASDM is blocked and the message "%ERROR: Signature not valid for file disk0:/<filename>" is displayed at the ASA CLI. ASDM releases 7.18(1.152) and later are backward compatible with all ASA versions, including those without this fix. (CSCwb05291, CSCwb05264)
- Upgrade ROMMON for ASA 5506-X, 5508-X, and 5516-X to Version 1.1.15 or later—There is a new ROMMON version for these ASA models (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.
  Caution: The ROMMON upgrade to 1.1.15 takes twice as long as previous ROMMON upgrades, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.
- Upgrade ROMMON for the ISA 3000 to Version 1.0.5 or later—There is a new ROMMON version for the ISA 3000 (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.
  Caution: The ROMMON upgrade to 1.0.5 takes twice as long as previous ROMMON upgrades, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.
- SSH security improvements and new defaults in 9.12(1)—See the following SSH security improvements:
  - SSH version 1 is no longer supported; only version 2 is supported. The ssh version 1 command will be migrated to ssh version 2.
  - Diffie-Hellman Group 14 SHA256 key exchange support. This setting is now the default (ssh key-exchange group dh-group14-sha256). The former default was Group 1 SHA1. Make sure that your SSH client supports Diffie-Hellman Group 14 SHA256; if it does not, you may see an error such as "Couldn't agree on a key exchange algorithm." OpenSSH, for example, supports Diffie-Hellman Group 14 SHA256.
  - HMAC-SHA256 integrity cipher support. The default is now the high security set of integrity ciphers (hmac-sha2-256 only, as defined by the ssh cipher integrity high command). The former default was the medium set.
- Diffie-Hellman Group 1 Removal in 9.12(1)—Diffie-Hellman Group 1, used by the ASA IKE and IPsec modules, is considered insecure and has been removed.
  IKEv1: The following subcommand was removed:
  - crypto ikev1 policy priority
    - group 1
  IKEv2: The following subcommand was removed:
  - crypto ikev2 policy priority
    - group 1
  IPsec: The following subcommand was removed:
  - crypto ipsec profile name
    - set pfs group1
  SSL: The following command was removed:
  - ssl dh-group group1
  Crypto Map: The following commands were removed:
  - crypto map name sequence set pfs group1
  - crypto dynamic-map name sequence set pfs group1
  - crypto map name sequence set ikev1 phase1-mode aggressive group1
- No support in 9.10(1) and later for the ASA FirePOWER module on the ASA 5506-X series and the ASA 5512-X—The ASA 5506-X series and 5512-X no longer support the ASA FirePOWER module in 9.10(1) and later due to memory constraints. You must remain on 9.9(x) or lower to continue using this module. Other module types are still supported. If you upgrade to 9.10(1) or later, the ASA configuration that sends traffic to the FirePOWER module will be erased; make sure to back up your configuration before you upgrade. The FirePOWER image and its configuration remain intact on the SSD. If you want to downgrade, you can copy the ASA configuration from the backup to restore functionality.
- The NULL-SHA TLSv1 cipher is deprecated and removed in 9.12(1)—Because NULL-SHA doesn't offer encryption and is no longer considered secure against modern threats, it is removed from the list of supported TLSv1 ciphers in the output of the tls-proxy mode commands/options and show ssl ciphers all. The ssl cipher tlsv1 all and ssl cipher tlsv1 custom NULL-SHA commands are also deprecated and removed.
- Local CA server is deprecated in 9.12(1), and will be removed in a later release—When the ASA is configured as a local CA server, it can issue digital certificates, publish Certificate Revocation Lists (CRLs), and securely revoke issued certificates. This feature has become obsolete, and hence the crypto ca server command is deprecated.
- The default trustpool is removed in 9.12(1)—To comply with PSB requirement SEC-AUT-DEFROOT, the "default" trusted CA bundle is removed from the ASA image. As a result, the crypto ca trustpool import default and crypto ca trustpool import clean default commands are also removed, along with other related logic. However, in existing deployments, certificates that were previously imported using these commands will remain in place.
- The ssl encryption command is removed in 9.12(1)—In 9.3(2) the deprecation was announced and the command was replaced by ssl cipher. In 9.12(1), ssl encryption is removed and no longer supported.
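As an added pre-upgrade check (example code written for this page, not Cisco's), the script below scans a saved running-config for the commands that the notes above say 9.12(1) migrates, deprecates or removes, and reports the action for each. The regexes, the one-space indentation rule for subcommands and the sample config are assumptions of this example.

```python
"""Scan a saved ASA running-config for commands that 9.12(1) migrates,
deprecates or removes (SSHv1, DH group 1, NULL-SHA, default trustpool,
local CA server, 'ssl encryption'). Added example, not Cisco code: the
regexes and the indentation-based parent-mode tracking are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    text: str
    rule: str
    action: str  # "migrated", "deprecated" or "removed"
    note: str


# Global-mode commands: (rule name, pattern, action, note).
GLOBAL_RULES = [
    ("ssh-version-1", re.compile(r"^ssh version 1$"), "migrated",
     "SSHv1 is no longer supported; the command is migrated to 'ssh version 2'"),
    ("ssl-encryption", re.compile(r"^ssl encryption\b"), "removed",
     "'ssl encryption' was replaced by 'ssl cipher' in 9.3(2) and is removed"),
    ("tlsv1-null-sha", re.compile(r"^ssl cipher tlsv1 (all|custom .*\bNULL-SHA\b)"),
     "removed", "NULL-SHA offers no encryption and is removed from the TLSv1 set"),
    ("ssl-dh-group1", re.compile(r"^ssl dh-group group1$"), "removed",
     "Diffie-Hellman group 1 is considered insecure and is removed"),
    ("trustpool-default", re.compile(r"^crypto ca trustpool import (clean )?default$"),
     "removed", "the default trusted CA bundle is no longer shipped in the image"),
    ("local-ca-server", re.compile(r"^crypto ca server\b"), "deprecated",
     "the local CA server is deprecated and will be removed in a later release"),
    ("crypto-map-pfs-group1",
     re.compile(r"^crypto (dynamic-)?map \S+ \d+ set pfs group1$"), "removed",
     "PFS group 1 is removed from crypto maps and dynamic crypto maps"),
    ("crypto-map-aggressive-group1",
     re.compile(r"^crypto map \S+ \d+ set ikev1 phase1-mode aggressive group1$"),
     "removed", "IKEv1 aggressive mode with DH group 1 is removed"),
]

# Subcommands removed only inside a parent mode:
# (parent command pattern, subcommand pattern, rule name, note).
MODE_RULES = [
    (re.compile(r"^crypto ikev[12] policy \d+$"), re.compile(r"^group 1$"),
     "ike-policy-group1", "DH group 1 is removed from IKEv1 and IKEv2 policies"),
    (re.compile(r"^crypto ipsec profile \S+$"), re.compile(r"^set pfs group1$"),
     "ipsec-profile-pfs-group1", "PFS group 1 is removed from IPsec profiles"),
]


def check_config(config: str) -> list[Finding]:
    """Return every line the 9.12(1) notes say will change on upgrade.
    ASA shows subcommands indented by one space under their parent command;
    the parent-mode tracking below relies on that layout (assumption)."""
    findings = []
    parent = None  # index into MODE_RULES for the tracked mode we are inside
    for no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):
            # Indented line: a subcommand, checked only if its parent is tracked.
            if parent is not None:
                _, sub_pat, rule, note = MODE_RULES[parent]
                if sub_pat.match(line):
                    findings.append(Finding(no, line, rule, "removed", note))
            continue
        # Top-level command: starts a new mode (tracked or not) and may match a rule.
        parent = next((i for i, m in enumerate(MODE_RULES) if m[0].match(line)), None)
        for rule, pat, action, note in GLOBAL_RULES:
            if pat.match(line):
                findings.append(Finding(no, line, rule, action, note))
                break
    return findings


# Constructed sample fragment exercising each rule; not from a real device.
SAMPLE_CONFIG = """\
ssh version 1
ssl encryption 3des-sha1 aes128-sha1
ssl cipher tlsv1 custom "NULL-SHA:AES128-SHA"
ssl dh-group group1
crypto ca trustpool import default
crypto ca server
 smtp from-address ca@example.test
crypto ikev1 policy 10
 group 1
crypto ikev2 policy 20
 group 14
crypto ipsec profile VTI-PROF
 set pfs group1
crypto map OUTSIDE_MAP 10 set pfs group1
crypto dynamic-map DYN 5 set pfs group1
crypto map OUTSIDE_MAP 10 set ikev1 phase1-mode aggressive group1
"""

if __name__ == "__main__":  # print the findings for the constructed sample
    for f in check_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3} [{f.action}] {f.text}: {f.note}")
```

Run it against the output of show running-config saved to a file (replace SAMPLE_CONFIG with the file contents); any "removed" line is configuration that will silently disappear on upgrade, and the DH group 14 client check in the SSH note still has to be done on the client side.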
System Requirements
This section lists the system requirements to run this release.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in ASA 9.12(4)
Released: May 26, 2020
| Feature | Description |
|---|---|
| Routing Features | |
| Multicast IGMP interface state limit raised from 500 to 5000 | The multicast IGMP state limit per interface was raised from 500 to 5000. New/Modified commands: igmp limit |
| Troubleshooting Features | |
| show tech-support command enhanced | The show ssl objects and show ssl errors commands were added to the output of the show tech-support command. New/Modified commands: show tech-support |
| VPN Features | |
| Support for configuring the maximum in-negotiation SAs as an absolute value | You can now configure the maximum in-negotiation SAs as an absolute value up to 15000 or as a maximum value derived from the maximum device capacity; formerly, only a percentage was allowed. New/Modified commands: crypto ikev2 limit max-in-negotiation-sa value |
New Features in ASA 9.12(3)
Released: November 25, 2019
There are no new features in this release.
New Features in ASA 9.12(2)
Released: May 30, 2019
| Feature | Description |
|---|---|
| Platform Features | |
| Firepower 9300 SM-56 support | We introduced the following security module: SM-56. Requires FXOS 2.6.1.157. No modified commands. |
| Administration Features | |
| Setting the SSH key exchange mode is restricted to the Admin context | You must set the SSH key exchange in the Admin context; this setting is inherited by all other contexts. New/Modified commands: ssh key-exchange |
New Features in ASA 9.12(1)
Released: March 13, 2019
| Feature | Description |
|---|---|
| Platform Features | |
| ASA for the Firepower 4115, 4125, and 4145 | We introduced the Firepower 4115, 4125, and 4145. Requires FXOS 2.6.1. No modified commands. |
| Support for ASA and FTD on separate modules of the same Firepower 9300 | You can now deploy ASA and FTD logical devices on the same Firepower 9300. Requires FXOS 2.6.1. No modified commands. |
| Firepower 9300 SM-40 and SM-48 support | We introduced the following two security modules: SM-40 and SM-48. Requires FXOS 2.6.1. No modified commands. |
| Firewall Features | |
| GTPv1 release 10.12 support | The system now supports GTPv1 release 10.12. Previously, the system supported release 6.1. The new support includes recognition of 25 additional GTPv1 messages and 66 information elements. In addition, there is a behavior change: any unknown message IDs are now allowed. Previously, unknown messages were dropped and logged. No modified commands. |
| Cisco Umbrella Enhancements | You can now identify local domain names that should bypass Cisco Umbrella. DNS requests for these domains go directly to the DNS servers without Umbrella processing. You can also identify which Umbrella servers to use for resolving DNS requests. Finally, you can define the Umbrella inspection policy to fail open, so that DNS requests are not blocked if the Umbrella server is unavailable. New/Modified commands: local-domain-bypass, resolver, umbrella fail-open |
| The object group search threshold is now disabled by default | If you enabled object group search, the feature was subject to a threshold to help prevent performance degradation. That threshold is now disabled by default. You can enable it by using the object-group-search threshold command. New/Modified command: object-group-search threshold |
| Interim logging for NAT port block allocation | When you enable port block allocation for NAT, the system generates syslog messages during port block creation and deletion. If you enable interim logging, the system generates message 305017 at the interval you specify. The messages report all active port blocks allocated at that time, including the protocol (ICMP, TCP, UDP), the source and destination interface and IP address, and the port block. New/Modified command: xlate block-allocation pba-interim-logging seconds |
| VPN Features | |
| New condition option for debug aaa | The condition option was added to the debug aaa command. You can use this option to filter VPN debugging based on group name, user name, or peer IP address. New/Modified commands: debug aaa condition |
| Support for RSA SHA-1 in IKEv2 | You can now generate a signature using the RSA SHA-1 hashing algorithm for IKEv2. New/Modified commands: rsa-sig-sha1 |
| View the default SSL configuration for both DES and 3DES encryption licenses as well as available ciphers | You can now view the default SSL configuration with and without the 3DES encryption license. In addition, you can view all the ciphers supported on the device. New/Modified commands: show ssl information |
| Add subdomains to webVPN HSTS | Allows domain owners to submit which domains should be included in the HSTS preload list for web browsers. New/Modified commands: hostname(config-webvpn) includesubdomains |
| High Availability and Scalability Features | |
| Per-site gratuitous ARP for clustering | The ASA now generates gratuitous ARP (GARP) packets to keep the switching infrastructure up to date: the highest priority member at each site periodically generates GARP traffic for the global MAC/IP addresses. When using per-site MAC and IP addresses, packets sourced from the cluster use a site-specific MAC address and IP address, while packets received by the cluster use a global MAC address and IP address. If traffic is not generated from the global MAC address periodically, you could experience a MAC address timeout on your switches for the global MAC address. After a timeout, traffic destined for the global MAC address will be flooded across the entire switching infrastructure, which can cause performance and security concerns. GARP is enabled by default when you set the site ID for each unit and the site MAC address for each Spanned EtherChannel. New/Modified commands: site-periodic-garp interval |
| Multiple context mode HTTPS resource management | You can now set the maximum number of non-ASDM HTTPS sessions in a resource class. By default, the limit is set to 6 per context, the maximum. You can use up to 100 HTTPS sessions across all contexts. New/Modified commands: limit-resource http |
| Routing Features | |
| OSPF Keychain support for authentication | OSPF authenticates the neighbor and route updates using MD5 keys. In ASA, the keys that are used to generate the MD5 digest had no lifetime associated with them, so user intervention was required to change the keys periodically. To overcome this limitation, OSPFv2 now supports MD5 authentication with rotating keys. Based on the accept and send lifetimes of the keys in the key chain, OSPF accepts or rejects keys for authentication and forms adjacencies. New/Modified commands: accept-lifetime, area virtual-link authentication, cryptographic-algorithm, key, key chain, key-string, ospf authentication, send-lifetime |
| Certificate Features | |
| Local CA configurable FQDN for enrollment URL | To make the FQDN of the enrollment URL configurable instead of using the ASA's configured FQDN, a new CLI option is introduced. This new option is added to the smtp mode of crypto ca server. New/Modified commands: fqdn |
| Administrative, Monitoring, and Troubleshooting Features | |
| enable password change now required on a login | The default enable password is blank. When you try to access privileged EXEC mode on the ASA, you are now required to change the password to a value of 3 characters or longer. You cannot keep it blank. The no enable password command is no longer supported. At the CLI, you can access privileged EXEC mode using the enable command, the login command (with a user at privilege level 2+), or an SSH or Telnet session when you enable aaa authorization exec auto-enable. All of these methods require you to set the enable password. This password change requirement is not enforced for ASDM logins. In ASDM, by default you can log in without a username and with the enable password. New/Modified commands: enable password |
| Configurable limitation of admin sessions | You can configure the maximum number of aggregate, per-user, and per-protocol administrative sessions. Formerly, you could configure only the aggregate number of sessions. This feature does not affect console sessions. Note that in multiple context mode, you cannot configure the number of HTTPS sessions, where the maximum is fixed at 5 sessions. The quota management-session command is also no longer accepted in the system configuration, and is instead available in the context configuration. The maximum aggregate sessions is now 15; if you configured 0 (unlimited) or 16+, then when you upgrade, the value is changed to 15. New/Modified commands: quota management-session, show quota management-session |
| Notifications for administrative privilege level changes | When you authenticate for enable access (aaa authentication enable console) or allow privileged EXEC access directly (aaa authorization exec auto-enable), the ASA now notifies users if their assigned access level has changed since their last login. New/Modified commands: show aaa login-history |
| NTP support on IPv6 | You can now specify an IPv6 address for the NTP server. New/Modified commands: ntp server |
| SSH stronger security | See the SSH security improvements listed under Important Notes above. New/Modified commands: ssh cipher integrity, ssh key-exchange group dh-group14-sha256 |
| Allow non-browser-based HTTPS clients to access the ASA | You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed. New/Modified commands: http server basic-auth-client |
| Capture control plane packets only on the cluster control link | You can now capture control plane packets only on the cluster control link (and no data plane packets). This option is useful in the system in multiple context mode, where you cannot match traffic using an ACL. New/Modified commands: capture interface cluster cp-cluster |
| debug conn command | The debug conn command was added to provide two history mechanisms that record connection processing. The first history list is a per-thread list that records the operations of the thread. The second history list records the operations into the conn-group. When a connection is enabled, processing events such as a connection lock, unlock, and delete are recorded into the two history lists. When a problem occurs, these two lists can be used to look back at the processing to determine the incorrect logic. New/Modified commands: debug conn |
| show tech-support includes additional output | The output of the show tech-support command is enhanced to display the output of the following: New/Modified commands: show tech-support |
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
- ASDM: Choose .
- CLI: Use the show version command.
This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
Note: Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage.
Note: For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.
Note: ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2(x) was the final version for the ASA 5505. ASA 9.1(x) was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.
| Current Version | Interim Upgrade Version | Target Version |
|---|---|---|
| 9.10(x) | — | Any of the following: → 9.12(x) |
| 9.9(x) | — | Any of the following: → 9.12(x) |
| 9.8(x) | — | Any of the following: → 9.12(x) |
| 9.7(x) | — | Any of the following: → 9.12(x), → 9.8(x) |
| 9.6(x) | — | Any of the following: → 9.12(x), → 9.8(x) |
| 9.5(x) | — | Any of the following: → 9.12(x), → 9.8(x) |
| 9.4(x) | — | Any of the following: → 9.12(x), → 9.8(x) |
| 9.3(x) | — | Any of the following: → 9.12(x), → 9.8(x) |
| 9.2(x) | — | Any of the following: → 9.12(x), → 9.8(x) |
| 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) | — | Any of the following: → 9.12(x), → 9.8(x), → 9.1(7.4) |
| 9.1(1) | → 9.1(2) | Any of the following: → 9.12(x), → 9.8(x), → 9.1(7.4) |
| 9.0(2), 9.0(3), or 9.0(4) | — | Any of the following: → 9.12(x), → 9.8(x), → 9.6(x), → 9.1(7.4) |
| 9.0(1) | → 9.0(4) | Any of the following: → 9.12(x), → 9.8(x), → 9.1(7.4) |
| 8.6(1) | → 9.0(4) | Any of the following: → 9.12(x), → 9.8(x), → 9.1(7.4) |
| 8.5(1) | → 9.0(4) | Any of the following: → 9.12(x), → 9.8(x), → 9.1(7.4) |
| 8.4(5+) | — | Any of the following: → 9.12(x), → 9.8(x), → 9.1(7.4), → 9.0(4) |
| 8.4(1) through 8.4(4) | → 9.0(4) | → 9.12(x), → 9.8(x), → 9.1(7.4) |
| 8.3(x) | → 9.0(4) | Any of the following: → 9.12(x), → 9.8(x), → 9.1(7.4) |
| 8.2(x) and earlier | → 9.0(4) | Any of the following: → 9.12(x), → 9.8(x), → 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.12(x)
The following table lists select open bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | TCM doesn't work for ACE addition/removal, ACL object/object-group edits |
| | Crash observed while performing master role change with active IGMP joins |
| | ASA scansafe connector takes too long to failover to secondary CWS Tower |
| | ASA traceback on spin_lock_release_actual |
| | Lina Traceback due to invalid TSC values |
| | Not able to ssh, ssh_exec: open(pager) error on console |
| | Traceback on 2100 - watchdog |
| | Cisco Firepower Threat Defense Software Packet Flood Denial of Service Vulnerability |
| | Traceback in HTTP Cli Exec when upgrading to 9.12.1 |
| | Upon downgrade of an ASAv, the firewall may traceback and reload |
| | ASA: Cannot distinguish name aliases for IPv6 and displays a "incomplete command" error message |
| | ASA/FTD: Twice nat Rule with same service displaying error "ERROR: NAT unable to reserve ports" |
| | ASA scp quite slow |
| | Not able to establish more than 2 simultaneous ASDM sessions |
| | FTD traffic outage due to 9344 block size depletion caused by the egress-optimization feature |
| | VPN-sessiondb does not replicate to standby ASA |
| | ASA/FTD may traceback and reload in Thread Name 'BGP Router' |
| | FPR 2100, low block 9472 causes packet loss through the device. |
| | Adding an ipv6 default route causes CLI to hang for 50 seconds |
| | OpenSSL vulnerability CVE-2019-1559 on FTD |
| | Traceback in HTTP Cli Exec with rest-api agent enabled |
| | FTD: Deployment failure when breaking HA and graceful-restart is present on config |
| | Cisco ASA Software Kerberos Authentication Bypass Vulnerability |
| | Traffic interruptions for FreeBSD systems |
| | V route is missing even after setting the reverse route in Crypto map config in HA-IKEv2 |
| | SNMP: Cannot get failover link information from oid in multiple mode |
| | Multiple context 5585 ASA, transparent context losing management interface configuration. |
| | Traceback in tcp-proxy |
| | Cisco Firepower 1000 Series SSL/TLS Denial of Service Vulnerability |
| | Hot swap of SFP is not taking effect on the ASA |
| | We need to have default route with AD and tunneled at the same time for the same next hub. |
| | ASA traceback and reload related to crypto PKI operation |
| | Dynamic flow-offload can't be disabled |
| | ASA traceback and reload for the CLI "Show nat pool" |
| | ASA Traceback in Ikev2 Daemon |
| | PPPoE session not coming up after reload. |
| | Cisco Firepower Threat Defense Software Management Access List Bypass Vulnerability |
| | ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA |
| | Policy deployment is reported as successful on the FMC but it is actually failed |
| | Block leak on ASA while running Cisco Umbrella DNS inspection |
| | low memory causes kernel to invoke - oom and reload device - modified rlimit for KP |
| | Mac address flap on switch with wrong packet injected on ingress FTD interface |
| | ASA may traceback on display_hole_og |
| | HA FTD on FPR2110 traceback after deploy ACP from FMC |
| | Traceback on snp_policy_based_route_lookup when deleting a rule from access-list configured for PBR |
| | Dual stack ASAv failover triggered by reload issue |
| | Some 3DES related configurations are lost after booted |
| | ASA Traceback: SCTP bulk sync and HA synchronization |
| | ASA is not sending the mask in the accounting packets |
| | ASA Static route disappearing from asp table after learning default route via BGP |
| | Mac Rewrite Occurring for Identity Nat Traffic |
| | FTD/LINA traceback and reload observed in thread name: cli_xml_server |
| | Missing clean up on rule creation failure. |
| | Cisco ASA and FTD Software Path Traversal Vulnerability |
| | FTD/LINA Traceback and reload observed in thread name: cli_xml_server |
| | ASA after reload had license context count greater than platform limits |
| | RRI on static HUB/SPOKE config is not working on HUB when a new static SPOKE is added or deleted |
| | configurations getting wiped off from standby, while deployment fails on active |
| | Lina Traceback during FTD deployment when PBR config is being pushed |
| | Unable to auto-rejoin FTD cluster |
| | Secondary unit exceed platform context count limit in split brain scenario when failover link down |
| | Configuration might not replicated if packet loss on the failover Link |
| | FTD traceback when TLS tracker (tls_trk_sniff_for_tls) attempted to free a block. |
| | I/O error occurred while writing; fd='28', error='Resource temporarily unavailable (11)' |
| | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote |
| | ASA Traceback/pagefault in Datapath due to re_multi_match_ascii |
| | HSTS config option not updated on show run all |
| | FTDv Deployment in Azure causes unrecoverable traceback state due to no dns domain-lookup any" |
| | Cisco ASA and Cisco FTD Software OSPF Packets Processing Memory Leak Vulnerability |
| | ASA/FTD may traceback and reload in Thread Name 'PTHREAD-1533' |
| | ASA traceback and reload on Thread DATAPATH-0-2064 |
| | Lina traceback when changing device mode of FTD |
| | ASA OSPF: Prefix removed from the RIB when topology changes, then added back when another SPF is run |
| | Clustering module needs to skip the hardware clock update to avoid the timeout error and clock jump |
| | ASA - 9.8.4.12 traceback and reload in ssh or fover_rx Thread |
| | Decrement TTL display wrong result |
| | FTD traceback and reload on thread DATAPATH-1-15076 when SIP inspection is enabled |
| | ASA TRACEBACK: sctpProcessNextSegment - SCTP_INIIT_CHUNK |
| | FP2100 Traceback and reload when processing traffic through more than two inline sets |
| | ERROR: entry for ::/0 exists when configuring ipv6 icmp |
| | Network Performance Degradation when SSL policy is enabled |
| | snmp poll failure with host and host-group configured |
| | mroute entries on ASA not getting refreshed. |
| | ASA Traceback in Thread Name SSH with assertion slib_malloc.c |
| | Traceback when processing SSL traffic under heavy load |
| | ASA may traceback and reload while waiting for "DATAPATH-12-1899" process to finish. |
| | ASA reporting negative memory values on "%ASA-5-321001: Resource 'memory' limit'" message |
| | OSPF Hello causing 9K block depletion, control point CPU 100% and cluster unstable. |
| | Turn off egress-optimization processing |
| | ASA/FTD may traceback and reload in Thread Name 'EIGRP-IPv4' |
| | After upgrade to version 9.6.4.34 is not possible to add an access-group |
| | Inconsistent timestamp format in syslog |
| | ASA doesn't honor SSH Timeout When Data Channel is not Negotiated |
| | ICMP not working and failed with inspect-icmp-seq-num-not-matched |
| | AnyConnect 4.8 is not working on the FPR1000 series |
| | Secondary ASA is unable to join the failover due to aggressive warning messages. |
| | reactivation-mode timed causing untimely reactivation of failed server |
| | ASA traceback and reload when running command "clear capture /" |
| | ASA cannot send syslog to two UDP ports at same time |
| | Cisco ASA and Cisco FTD Malformed OSPF Packets Processing Denial of Service Vulnerability |
| | ASA sends malformed RADIUS message when device-id from AnyConnect is too long |
| | Anyconnect sessions limited incorrectly |
| | ICMP Reply Dropped when matched by ACL |
| | ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled |
| | false reported value for OID "cipSecGlobalActiveTunnels" - same as ASDM |
| | SAML tokens are not removed from hash table |
| | IKEv2 vpn-filter drops traffic with implicit deny after volume based rekey collision |
| | Management default route conflicts with default data routing |
| | ASA Traceback on IPsec message handler Thread |
| | Wrong Module version listed for FXOS 2.6(1.174) |
| | Traceback: spin_lock_fair_mode_enqueue: Lock (np_conn_shrlock_t) is held for a long time |
| | ASA/FTD Traceback in Thread Name: DATAPATH due to DNS inspection |
| | ASA Traceback Thread Name: IKE Daemon |
| | FP41xx incorrect interface applied in ASA capture |
| | Placeholder to address CSCvs31470 in Multi-Context Mode |
| | ASA SIP connections drop after several consecutive failovers: pinhole timeout/closed by inspection |
| | ASA: backup context failed to "ERROR: No such file or directory" |
| | Port-channel bundling is failing after upgrade to 9.8 version |
| | ASA/FTD may traceback and reload in Thread Name 'License Thread' |
| | FTD Traceback Lina process |
| | FPR-1000 Series Random Number Generation Error |
| | Reduce number of fsync calls during close in flash file system |
| | Invalid scp session terminates other active http, scp sessions |
| | Deployment is marked as success although LINA config was not pushed |
| | 9.12.2.151 snp_cluster_ingress traceback on FPR9300 3-node cluster nested VLAN traffic |
| | SCTP heartbeats failing across the firewall in Cluster deployment. |
| | IPv6 DNS server resolution fails when the server is reachable over the management interface. |
| | Flow offload not working with combination of FTD 6.2(3.10) and FXOS 2.6(1.169) |
| | Incorrect access-list hitcount seen when configuring it with a capture on ASA |
| | DOC - Clarify the meaning of mp-svc-flow-control under show asp drop |
| | ASA/FTD may traceback and reload in Thread Name 'ssh' |
| | ASA: Traceback in thread Unicorn Admin Handler |
| | ASA: VTI rejecting IPSec tunnel due to no matching crypto map entry |
| | Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability |
| | FTD Traceback in thread 'ctm_ipsec_display_msg' |
| | Health-check monitor-interface debounce-time in ASA Cluster resets to 9000ms after ASA reboot |
| | VPN failover recovery is taking approx. 30 seconds for data to resume |
| | FTD: Traceback and reload related to lina_host_file_open_raw function |
| | ASA: Active unit HA traceback and reload during Config Sync state during OSPF sync |
| | ASAv Unable to register smart licensing with IPv6 |
| | Active FTP fails when secondary interface is used on FTD |
| | Observed Crash in KP while performing Failover Switch from Standby. |
| | sctp-state-bypass is not getting invoked for inline FTD |
| | IPSec SAs are not being created for random VPN peers |
| | Encryption-3DES-AES should not be required when enabling ssh version 2 on 9.8 train |
| | Crypto ring stalls when the length in the ip header doesn't match the packet length |
| | ASA LDAPS connection fails on Firepower 1000 Series |
| | FPR2100 'show crypto accelerator statistics' counters do not track symmetric crypto |
| | Traffic outage due to 80 size block exhaustion on the ASA |
| | remote access mib - SNMP 64 bit only reporting 4Gb before wrapping around |
| | "Show crypto accelerator load-balance detail" has missing and undefined output |
| | Route Fallback doesn't happen on Slave unit, upon RRI route removal. |
| | NetFlow reporting impossibly large flow bytes |
| | Adjust Firepower 4120 Maximum VPN Session Limit to 20,000 |
| | ASA: acct-session-time accounting attribute missing from Radius Acct-Requests for AnyConnect |
| | TACACS Fallback authorization fails for Username enable_15 on ASA device. |
| | FTD traceback and reload on FP2120 LINA Active Box. VPN |
| | Redistribution of VPN advertised static routes fail after reloading the FTD on FPR2100 |
| | Time sync do not work correctly for FTD on FP1000/1100 series platform |
| | SNMP traps can't be generated via diagnostic interface |
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 9.12(4)
The following table lists select resolved bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | TCM doesn't work for ACE addition/removal, ACL object/object-group edits |
| | ASA scansafe connector takes too long to fail over to secondary CWS Tower |
| | ASA traceback on spin_lock_release_actual |
| | Lina Traceback due to invalid TSC values |
| | Not able to ssh, ssh_exec: open(pager) error on console |
| | Traceback on 2100 - watchdog |
| | Cisco Firepower Threat Defense Software Packet Flood Denial of Service Vulnerability |
| | Traceback in HTTP Cli Exec when upgrading to 9.12.1 |
| | Upon downgrade of an ASAv, the firewall may traceback and reload |
| | FTD/ASA - Cluster/HA - Master/Active unit does not update all the route changes to Slaves/Standby |
| | ASA: Cannot distinguish name aliases for IPv6 and displays an "incomplete command" error message |
| | ASA/FTD: Twice nat Rule with same service displaying error "ERROR: NAT unable to reserve ports" |
| | ASA scp quite slow |
| | Not able to establish more than 2 simultaneous ASDM sessions |
| | FTD traffic outage due to 9344 block size depletion caused by the egress-optimization feature |
| | VPN-sessiondb does not replicate to standby ASA |
| | ASA/FTD may traceback and reload in Thread Name 'BGP Router' |
| | OSPFv3 neighborship is flapping every ~30 minutes |
| | FPR 2100, low block 9472 causes packet loss through the device. |
| | Adding an ipv6 default route causes CLI to hang for 50 seconds |
| | OpenSSL vulnerability CVE-2019-1559 on FTD |
| | Traceback in HTTP Cli Exec with rest-api agent enabled |
| | FTD: Deployment failure when breaking HA and graceful-restart is present on config |
| | Cisco ASA Software Kerberos Authentication Bypass Vulnerability |
| | Traffic interruptions for FreeBSD systems |
| | V route is missing even after setting the reverse route in Crypto map config in HA-IKEv2 |
| | SNMP: Cannot get failover link information from oid in multiple mode |
| | Multiple context 5585 ASA, transparent context losing management interface configuration. |
| | Traceback in tcp-proxy |
| | Cisco Firepower 1000 Series SSL/TLS Denial of Service Vulnerability |
| | Hot swap of SFP is not taking effect on the ASA |
| | We need to have default route with AD and tunneled at the same time for the same next hop. |
| | ASA traceback and reload related to crypto PKI operation |
| | Dynamic flow-offload can't be disabled |
| | ASA traceback and reload for the CLI "Show nat pool" |
| | ASA Traceback in Ikev2 Daemon |
| | PPPoE session not coming up after reload. |
| | Cisco Firepower Threat Defense Software Management Access List Bypass Vulnerability |
| | ASA: SSH and ASDM sessions stuck in CLOSE_WAIT causing lack of MGMT for the ASA |
| | Policy deployment is reported as successful on the FMC but has actually failed |
| | Block leak on ASA while running Cisco Umbrella DNS inspection |
| | low memory causes kernel to invoke - oom and reload device - modified rlimit for KP |
| | Mac address flap on switch with wrong packet injected on ingress FTD interface |
| | ASA may traceback on display_hole_og |
| | HA FTD on FPR2110 traceback after deploying ACP from FMC |
| | Traceback on snp_policy_based_route_lookup when deleting a rule from access-list configured for PBR |
| | Dual stack ASAv failover triggered by reload issue |
| | Some 3DES related configurations are lost after boot |
| | ASA Traceback: SCTP bulk sync and HA synchronization |
| | ASA is not sending the mask in the accounting packets |
| | ASA Static route disappearing from asp table after learning default route via BGP |
| | Mac Rewrite Occurring for Identity Nat Traffic |
| | FTD/LINA traceback and reload observed in thread name: cli_xml_server |
| | Missing clean up on rule creation failure. |
| | Cisco ASA and FTD Software Path Traversal Vulnerability |
| | FTD/LINA Traceback and reload observed in thread name: cli_xml_server |
| | ASA after reload had license context count greater than platform limits |
| | RRI on static HUB/SPOKE config is not working on HUB when a new static SPOKE is added or deleted |
| | configurations getting wiped off from standby, while deployment fails on active |
| | Lina Traceback during FTD deployment when PBR config is being pushed |
| | Unable to auto-rejoin FTD cluster |
| | Secondary unit exceeds platform context count limit in split brain scenario when failover link down |
| | Configuration might not be replicated if packet loss on the failover Link |
| | FTD traceback when TLS tracker (tls_trk_sniff_for_tls) attempted to free a block. |
| | I/O error occurred while writing; fd='28', error='Resource temporarily unavailable (11)' |
| | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote |
| | ASA Traceback/pagefault in Datapath due to re_multi_match_ascii |
| | HSTS config option not updated on show run all |
| | FTDv Deployment in Azure causes unrecoverable traceback state due to "no dns domain-lookup any" |
| | Cisco ASA and Cisco FTD Software OSPF Packets Processing Memory Leak Vulnerability |
| | ASA/FTD may traceback and reload in Thread Name 'PTHREAD-1533' |
| | ASA traceback and reload on Thread DATAPATH-0-2064 |
| | Lina traceback when changing device mode of FTD |
| | ASA OSPF: Prefix removed from the RIB when topology changes, then added back when another SPF is run |
| | Clustering module needs to skip the hardware clock update to avoid the timeout error and clock jump |
| | ASA - 9.8.4.12 traceback and reload in ssh or fover_rx Thread |
| | Decrement TTL displays wrong result |
| | FTD traceback and reload on thread DATAPATH-1-15076 when SIP inspection is enabled |
| | ASA TRACEBACK: sctpProcessNextSegment - SCTP_INIIT_CHUNK |
| | FP2100 Traceback and reload when processing traffic through more than two inline sets |
| | ERROR: entry for ::/0 exists when configuring ipv6 icmp |
| | Network Performance Degradation when SSL policy is enabled |
| | snmp poll failure with host and host-group configured |
| | mroute entries on ASA not getting refreshed. |
| | ASA Traceback in Thread Name SSH with assertion slib_malloc.c |
| | Traceback when processing SSL traffic under heavy load |
| | ASA may traceback and reload while waiting for "DATAPATH-12-1899" process to finish. |
| | ASA reporting negative memory values in "%ASA-5-321001: Resource 'memory' limit" message |
| | OSPF Hello causing 9K block depletion, control point CPU 100% and cluster unstable. |
| | Turn off egress-optimization processing |
| | ASA/FTD may traceback and reload in Thread Name 'EIGRP-IPv4' |
| | After upgrade to version 9.6.4.34 it is not possible to add an access-group |
| | Inconsistent timestamp format in syslog |
| | ASA doesn't honor SSH Timeout When Data Channel is not Negotiated |
| | ICMP not working and failed with inspect-icmp-seq-num-not-matched |
| | AnyConnect 4.8 is not working on the FPR1000 series |
| | Secondary ASA is unable to join the failover due to aggressive warning messages. |
| | reactivation-mode timed causing untimely reactivation of failed server |
| | ASA traceback and reload when running command "clear capture /" |
| | ASA cannot send syslog to two UDP ports at same time |
| | Cisco ASA and Cisco FTD Malformed OSPF Packets Processing Denial of Service Vulnerability |
| | ASA sends malformed RADIUS message when device-id from AnyConnect is too long |
| | AnyConnect sessions limited incorrectly |
| | ICMP Reply Dropped when matched by ACL |
| | ASA/FTD Tunneled Static Routes are Ignored by Suboptimal Lookup if Float-Conn is Enabled |
| | false reported value for OID "cipSecGlobalActiveTunnels" - same as ASDM |
| | SAML tokens are not removed from hash table |
| | IKEv2 vpn-filter drops traffic with implicit deny after volume based rekey collision |
| | Management default route conflicts with default data routing |
| | ASA Traceback on IPsec message handler Thread |
| | Wrong Module version listed for FXOS 2.6(1.174) |
| | Traceback: spin_lock_fair_mode_enqueue: Lock (np_conn_shrlock_t) is held for a long time |
| | ASA/FTD Traceback in Thread Name: DATAPATH due to DNS inspection |
| | ASA Traceback Thread Name: IKE Daemon |
| | FP41xx incorrect interface applied in ASA capture |
| | Placeholder to address CSCvs31470 in Multi-Context Mode |
| | ASA SIP connections drop after several consecutive failovers: pinhole timeout/closed by inspection |
| | ASA: backup context failed with "ERROR: No such file or directory" |
| | Port-channel bundling is failing after upgrade to 9.8 version |
| | ASA/FTD may traceback and reload in Thread Name 'License Thread' |
| | FTD Traceback Lina process |
| | FPR-1000 Series Random Number Generation Error |
| | Reduce number of fsync calls during close in flash file system |
| | Invalid scp session terminates other active http, scp sessions |
| | Deployment is marked as success although LINA config was not pushed |
| | 9.12.2.151 snp_cluster_ingress traceback on FPR9300 3-node cluster nested VLAN traffic |
| | Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability |
| | SCTP heartbeats failing across the firewall in Cluster deployment. |
| | IPv6 DNS server resolution fails when the server is reachable over the management interface. |
| | Flow offload not working with combination of FTD 6.2(3.10) and FXOS 2.6(1.169) |
| | Incorrect access-list hitcount seen when configuring it with a capture on ASA |
| | DOC - Clarify the meaning of mp-svc-flow-control under show asp drop |
| | ASA/FTD may traceback and reload in Thread Name 'ssh' |
| | ASA: Traceback in thread Unicorn Admin Handler |
| | ASA: VTI rejecting IPSec tunnel due to no matching crypto map entry |
| | Cisco ASA and FTD Software Web Services Information Disclosure Vulnerability |
| | FTD Traceback in thread 'ctm_ipsec_display_msg' |
| | Health-check monitor-interface debounce-time in ASA Cluster resets to 9000ms after ASA reboot |
| | VPN failover recovery is taking approx. 30 seconds for data to resume |
| | FTD: Traceback and reload related to lina_host_file_open_raw function |
| | ASA: Active unit HA traceback and reload during Config Sync state during OSPF sync |
| | ASAv Unable to register smart licensing with IPv6 |
| | Active FTP fails when secondary interface is used on FTD |
| | Observed Crash in KP while performing Failover Switch from Standby. |
| | sctp-state-bypass is not getting invoked for inline FTD |
| | IPSec SAs are not being created for random VPN peers |
| | Encryption-3DES-AES should not be required when enabling ssh version 2 on 9.8 train |
| | Crypto ring stalls when the length in the ip header doesn't match the packet length |
| | ASA LDAPS connection fails on Firepower 1000 Series |
| | FPR2100 'show crypto accelerator statistics' counters do not track symmetric crypto |
| | Traffic outage due to 80 size block exhaustion on the ASA |
| | ASA traceback Thread name - webvpn_task |
| | remote access mib - SNMP 64 bit only reporting 4Gb before wrapping around |
| | "Show crypto accelerator load-balance detail" has missing and undefined output |
| | Route Fallback doesn't happen on Slave unit, upon RRI route removal. |
| | NetFlow reporting impossibly large flow bytes |
| | Adjust Firepower 4120 Maximum VPN Session Limit to 20,000 |
| | ASA: acct-session-time accounting attribute missing from Radius Acct-Requests for AnyConnect |
| | TACACS Fallback authorization fails for Username enable_15 on ASA device. |
| | FTD traceback and reload on FP2120 LINA Active Box. VPN |
| | Redistribution of VPN advertised static routes fails after reloading the FTD on FPR2100 |
| | Time sync does not work correctly for FTD on FP1000/1100 series platform |
| | SNMP traps can't be generated via diagnostic interface |
Resolved Bugs in Version 9.12(3)
The following table lists select resolved bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | Traceback on Thread Name: DATAPATH-2-1785 |
| | ASA IKEv2 unable to open aaa session: session limit [2048] reached |
| | ASA traceback with Thread: DATAPATH-8-2035 |
| | ASA Traceback (watchdog timeout) when syncing config from active unit (inc. cachefs_umount) |
| | Traceback in DATAPATH on ASA |
| | Route tracking failure |
| | Port-Channel issues on HA link |
| | IKEv2: IKEv2-PROTO-2: Failed to allocate PSH from platform |
| | tcp proxy: ASA traceback on DATAPATH |
| | Graceful Restart BGP does not work intermittently |
| | SDI - SUSPENDED servers cause 15sec delay in the completion of an authentication with a good server |
| | Control-plane ACL doesn't work correctly on FTD |
| | ASA Multicontext traceback and reload due to allocate-interface out of range command |
| | Deployment on FTD with low memory results in interface nameif being removed - finetune mmap thresh |
| | ASA may traceback in thread logger when cluster is enabled on slave unit |
| | ASA may traceback and reload while waiting for "dns_cache_timer" process to finish. |
| | EIGRP breaks when new sub-interface is added and "mac-address auto" is enabled |
| | Traceback in VPN Clustering HA timer thread when member tries to join the cluster |
| | OSPF Process ID does not change even after clearing OSPF process |
| | ASA SCP transfer to box stalls mid-transfer |
| | ASA traceback in thread SSH |
| | VPN sessions failing due to PKI handles not freed during rekeys |
| | Lina does not properly report the error for configuration line that is too long |
| | Cisco Adaptive Security Appliance Software Secure Copy Denial of Service Vulnerability |
| | Enhancement to address high IKE CPU seen due to tunnel replace scenario |
| | ASA traceback and reloads when issuing "show inventory" command |
| | ASA Traceback and reload while running IKE Debug |
| | ASA: BGP routes are cleared from routing table after failover occurs and bgp routes are changed |
| | Traceback and reload citing Datapath as affected thread |
| | management-only of diagnostic I/F on secondary FTD disappears |
| | Do not decrypt rule causes traffic interruptions. |
| | ENH: ACE details for warning "found duplicate element" |
| | ASA may traceback and reload. Potentially related to WebVPN traffic |
| | ENH: Add process information to "Command Ignored, configuration in progress..." |
| | Cisco Adaptive Security Appliance Smart Tunnel Vulnerabilities |
| | Standby Firewall reloads with a traceback upon doing a manual failover |
| | Cisco ASA Software and FTD Software FTP Inspection Denial of Service Vulnerability |
| | Simultaneous FINs on flow-offloaded flows lead to stale conns |
| | HTTP with ipv6 using w3m is failing |
| | FTD inline/transparent sends packets back through the ingress interface |
| | ASA unable to authenticate users with special characters via https |
| | The delay command in interface configuration is modified after reboot |
| | Traceback in HTTP Cli Exec when upgrading to 9.12.1 |
| | cts import-pac tftp: syntax does not work |
| | DTLS 1.2 and AnyConnect oMTU |
| | AnyConnect connections fail with TCP connection limit exceeded error |
| | ASA may traceback and reload. Suspected webvpn related |
| | Option to display port number on access-list instead of well known port name on ASA |
| | ASAv Azure: Route table BGP propagation setting reset when ASAv fails over |
| | ASA traceback and reload observed in Datapath due to SIP inspection. |
| | ASA: Watchdog traceback in Datapath |
| | FTD lina cored with Thread name: cli_xml_server |
| | Unable to process gtpv1 identification req message for header TEID : 0 |
| | ASA drops GTPV1 SGSN Context Req message with header TEID:0 |
| | ASA HA IKEv2 generic RA - AnyConnect Premium All In Use incorrect on standby |
| | Random SGT tags added by FTD |
| | FIPS mode gets disabled after rollback from a failed policy deploy |
| | "established tcp" does not work post 9.6.2 |
| | Cisco ASA and Firepower Threat Defense Software WebVPN Cross-Site Scripting Vulnerability |
| | ASA sends invalid redirect response for POST request |
| | IKEv2 RA Generic client - stuck outgoing asp table entry - traffic encrypted with stale SPI |
| | DHCP NACK silently dropped by ASA sent from DHCP server if configured as DHCP relay |
| | Cisco ASA Software and FTD Software SIP Inspection Denial of Service Vulnerability |
| | FTD traceback due to watchdog on xlate_detach |
| | Cisco ASA Software and FTD Software OSPF LSA Processing Denial of Service Vulnerability |
| | LINA traceback on ASA in HA Active Unit repeatedly |
| | IP Address stuck in local pool and showing as "In Use" even when the AnyConnect client disconnects |
| | Thread Name: CP DP SFR Event Processing traceback |
| | ASA/FTD HA Data Interface Heartbeat dropped due to Reverse Path Check |
| | After reboot, "ssh version 1 2" added to running-config |
| | MCA+AAA+OTP with RADIUS challenge fails to send aggauth handle in challenge |
| | Time zone in syslog messages |
| | Cisco ASA and FTD Software WebVPN CPU Denial of Service Vulnerability |
| | Unsupported runtime JavaScript exception handling in the client side WebVPN rewriter |
| | ASA 9.9.2 Clientless WebVPN - HTML entities are incorrectly decoded when processing HTML |
| | Cluster master reload causes ping failure to the Management virtual IP |
| | FTD Traceback and Reload on LINA Caused by SSL Decryption DND Preservation |
| | LINA Traceback after upgrade to 9.12.2.1 |
| | ASA failover LANTEST messages are sent on first 10 interfaces in the configuration. |
| | Traceback: "saml identity-provider" command will crash multi-context ASAs |
| | Not able to establish more than 2 simultaneous ASDM sessions |
| | ASA may traceback due to SCTP traffic despite fix CSCvj98964 |
| | When deleting context the ssh key-exchange goes to Default GLOBALLY! |
| | "ssl trust-point" command will be removed when restoring backup via CLI |
| | ASA IKEv2 - ASA sends additional delete message after initiating a phase 2 rekey |
| | FP2100 - Flow oversubscribing ring/CPU core causing disruption to working flows on FP2100 platforms |
| | Watchdog on ASAv when logging to buffer |
| | GTP response messages with non existent cause are getting dropped with error message TID is 0 |
| | Memory leak observed when ASA-SFR dataplane communication flaps |
| | traceback and reload when establishing ASDM connection to fp1000 series platform |
| | ASA is unable to verify the file integrity |
| | FTD/ASA : Traceback in Datapath with assert snp_tcp_intercept_assert_disabled |
| | After failover, Active unit tcp sessions are not removed when timeout reached |
| | SSL VPN may not be able to establish due to SSL negotiation issue |
| | When only IP communication is disrupted on failover link LANTEST msg is not sent on data interfaces |
| | ASA traceback observed when moving EZVPN spokes to the device. |
| | Dual stacked ASAv manual failover issues |
| | ASA5515-K9 standby traceback in Thread Name ssh |
| | ASA Traceback on Saleen in Thread Name: IPv6 IDB |
| | Traceback in HTTP Cli Exec when upgrading to 96.4.0.41 |
| | Traceback: Cluster unit lina assertion in thread name: Cluster controller |
| | ASA cluster does not flush OSPF routes |
| | FPR2100 FTD Standby unit leaking 9K blocks |
| | ASA: BGP recursive route lookup for destination 3 hops away is failing. |
| | Connections fail to replicate in failover due to failover descriptor mis-match on port-channels |
| | ASA generates incorrect error message about PCI cfg space when enumerating Internal-Data0/1 |
| | Cannot add neighbor in BGP when the neighbor is on the same subnet as one interface |
| | Flow Offload Hashing Change of Behavior |
| | ASA traceback in Thread IPsec Message Handler |
| | ASA Traceback in Ikev2 Daemon |
| | ASAv becomes unusable while running Cisco Umbrella |
| | ASA may traceback on display_hole_og |
| | Dual stack ASAv failover triggered by reload issue |
| | Lina Traceback during FTD deployment when PBR config is being pushed |
| | Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote |
Resolved Bugs in Version 9.12(2)
The following table lists select resolved bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | ASA may traceback and reload with combination of packet-tracer and captures |
| | ASA HA with NSF: NSF is not triggered properly when there is an Interface failure in ASA HA |
| | Deployment changes are not pushed to the device due to disk0 mounted read-only |
| | ASA device reloads with Thread Name: ha_trans_data_tx |
| | SSH session stuck after committing changes within a Configure Session. |
| | ASA is stuck on "reading from flash" for several hours |
| | ASA traceback on slave/standby during sync config due to OSPF/EIGRP and IPv6 used together in ACE |
| | Unit traceback at Thread PIM IPv4 or IGMP IPv4 due to timer events when multicast routing is enabled |
| | Traceback and reload when displaying CPU profiling results |
| | ADI process fails to start on ASA on Firepower 4100 |
| | Digital Signature Verification Failed during upload of Rest-Api image to ASA |
| | ACL Unable to configure an ACL after access-group configuration error |
| | ASA: Not able to load Quovadis Root Certificate as trustpoint when FIPS is enabled |
| | 'no certificate' command under certificate chain removes wrong certificate |
| | overloading of the lina msglyr infra due to the sending of VPN status messages |
| | DTLS fails after rekey |
| | ASA5506 may slowly leak memory when using NetFlow |
| | KP: AnyConnect used IP from pool shows as available |
| | ASA traceback and reload due to multiple threads waiting for the same lock - watchdog |
| | FTD Address not mapped traceback on 6.3.0.x release |
| | FPR platform IPsec VPN goes down intermittently |
| | Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability |
| | ASA SNMP CPU Hogs |
| | "Process Name: lina" - ASA traceback caused by Netflow |
| | Traceback on Thread Name: Unicorn Admin Handler after adding protocol to IKEV2 ipsec-proposal |
| | Memory Leak in DMA_Pool in binsize 1024 with SCP download |
| | Packet Tracer fails with "ERROR: TRACER: NP failed tracing packet", with circular asp drop captures |
| | Syslog ID 111005 generated incorrectly |
| | Upgrading ASA cluster to 9.10.1.7 causes traceback |
| | Deploy from FMC fails due to OOM with no indication of why |
| | Ikev2 tunnel creation fails |
| | Support more than 255 chars for Split DNS - commit issue in hanover for CSCuz22961 |
| | Upgrading ASA cluster to 9.10.1.7 causes low memory |
| | Memory leak found in IPsec when we establish and terminate a new IKEv1 tunnel. |
| | Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability |
| | DHCPRelay does not consume DHCP Offer packet with Unicast flag |
| | Unable to remove access-list with 'log default' keyword |
| | Tunnel Group: 'no ikev2 local-authentication pre-shared-key' removes local cert authen |
| | Traceback while processing an outbound SSL packet |
| | Active FTP fails through Cluster due to xlate allocation corruption upon sync |
| | PDTS has incorrect numa node info resulting in incorrect load balancing |
| | AnyConnect session rejected due to resource issue in multi context deployments |
| | Standby may enter reboot loop upon upgrading to 9.6(4)20 from 9.6(4)6 |
| | segfault in ctm_ipsec_pfkey_parse_msg at ctm_ipsec_pfkey.c:602 |
| | Traceback at Thread Name: IP Address Assign |
| | ASA IPSec VPN EAP Fails to Load Valid Certificate in PKI |
| | FTD Lina traceback, due to packet looping in the system by normaliser |
| | ASA5506 - IBR - not able to ping with hostname if the interface is in BVI in IBR mode |
| | crypto ipsec inner-routing-lookup should not be allowed to be configured with VTI present |
| | ASA or FTD traceback and reload due to failover state change or xlates cleared |
| | SFR VPN Event Memory Leak |
| | Smart Tunnel bookmarks don't work after upgrade giving certificate error |
| | Memory leak while inspecting GTP traffic |
| | ASA on FXOS platforms reloads when establishing simultaneous ASDM sessions |
| | ASA 5506/5508/5516 traceback in Thread Name octnic_hm_thread |
Resolved Bugs in Version 9.12(1)
The following table lists select resolved bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | WebVPN 'enable intf' with DHCP, CLI missing when ASA boots |
| | Unable to SSH over remote access VPN (telnet, asdm working) |
| | IKEv2 certificate authentication PRF SHA2 interoperability 3rd party |
| | Failover crypto IPsec IKEv2 config does not match when synced with standby |
| | AVT: Missing Content-Security-Policy Header in ASA 9.5.2 |
| | Multiple PAT rules with "any" and named interface cause 305006 "portmap translation creation failed" |
| | ASA traceback at first boot in 5506 due to unable to allocate enough LCMB memory |
| | ASA policy-map configuration is not replicated to cluster slave |
| | ASA traceback in DATAPATH thread while running captures |
| | ASA boot loop caused by logs sent after FIPS boot test |
| | asdm displays error uploading image |
| | ASA crashes in glib/g_slice when doing "debug menu" self testing |
| | GTP inspection may spike cpu usage |
| | Cisco ASA sw, FTD sw, and AnyConnect Secure Mobility Client SAML Auth Session Fixation Vulnerability |
| | Default DLY value of port-channel sub interface mismatch |
| | ENH: ASA 9.8.2 Missing HTTP Secure Header X-XSS-Protection |
| | IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload. |
| | Firepower Threat Defense device unable to establish ERSPAN with Nexus 9000 |
| | ASA Running config through REST-API Full Backup does not contain the specified context configuration |
| | Cisco Firepower Threat Defense Software FTP Inspection Denial of Service Vulnerability |
| | Cisco Adaptive Security Appliance Denial of Service Vulnerability |
| | Cisco Adaptive Security Appliance Denial of Service Vulnerability |
| | Cisco Adaptive Security Appliance Denial of Service Vulnerability |
| | DHCP Relay With Dual ISP and Backup IPSEC Tunnels Causes Flapping |
| | Change the blacklist flow timeout inline with snort timeout |
| | ASDM/Webvpn stops working after reload if IPv6 address configured on the interface |
| | ASA/FTD Deployment ERROR 'Management interface is not allowed as Data is in use by this instance' |
| | webvpn: multiple rendering issues on Confluence and Jira applications |
| | BGP ASN causes policy deployment failures. |
| | Multicast ip-proto-50 (ESP) dropped by ASP citing 'np-sp-invalid-spi' |
| | ASA fails to encrypt after performing IPv6 to IPv4 NAT translation |
| | ASA does not send 104001 and 104002 messages to TCP/UDP syslog |
| | PKI: ASA fails to process CRLs with error "Add CA req to pool failed. Pool full." |
| | ASA pair: IPv6 static/connected routes are not synced/replicated between Active/Standby pairs. |
| | Stuck uauth entry rejects AnyConnect user connections |
| | Allow ASA to process packet with hop limit of 0 (Follow RFC 8200) |
| | REST-API: 500 Internal Server Error |
| | ASA NAT position discrepancy between CLI and REST-API causing REST to delete wrong config |
| | "ha-replace" action not working when peer not present |
| | ASA5585 device power supply Serial Number not in the snmp response |
| | FTD: AAB might force a snort restart with relatively low load on the system |
| | Traceback in DATAPATH on standby FTD |
| | Hanging downloads and slow downloads on a FPR4120 due to http inspect |
| | LDAP over SSL crypto engine error |
| | 256 Byte block leak observed due to ARP traffic when using VTI |
| | ASA5515 Low DMA memory when ASA-IC-6GE-SFP-A module is installed |
| | Neighbour Solicitation messages are observed for IPv6 traffic |
| | Edit GUI language on ASDM AC downloads but ignores the change FPR-21XX |
| | Slave unit drops UDP/500 and IPSec packets for S2S instead of redirecting to Master |
| | To-the-box traffic being routed out a data interface when failover is transitioning on a New Active |
| | Standby traceback in Thread "Logger" after executing "failover active" with telnet access |
| | ASA is getting traceback with reboot only on Spyker after shutdown of SFR module |
| | FTD: Flow-preserve N1 flag shouldn't apply for IPS interfaces |
| | Cluster: Enhance ifc monitor debounce-time for interface down->up scenario |
| | CWE-20: Improper Input Validation |
| | Traceback: Thread Name: IPsec message handler |
| | ASA 9.8.2 Receiving syslog 321006 reporting System Memory as 101% |
| | ASA traceback in Thread Name: DATAPATH-14-17303 |
| | Firepower 2110 with ASA DHCP does not work properly |
| | "clear capture /all" might crash Firepower 9300 MI Firepower Threat Defense |
| | ASA SIP and Skinny sessions drop, when two subsequent failovers take place |
| | ASA memory Leak - snp_svc_insert_dtls_session |
| | ASA traceback on Firepower Threat Defense 2130-ASA-K9 |
| | WebVPN HSTS header is missing includeSubDomains response per RFC 6797 |
| | ASA portchannel lacp max-bundle 1 hot-sby port not coming up after link failure |
| | create/delete context stress test causes traceback in nameif_install_arp_punt_service |
| | ASA does not unrandomize the SLE and SRE values for SACK packet generated by ASA module |
| | Multicast dropped after deleting a security context |
| | Remove/Increase the maximum 255 characters error limit in result of a cli command |
| | Excessive logging from ftdrpcd process on 2100 series appliances |
| | Change 2-tuple and 4-tuple hash table to lockless |
| | Static IPv6 route prefix will be removed from the ASA configuration |
| | clear crypto ipsec ikev2 commands not replicated to standby |
| | FTD does not send Marker for End-of-RIB after a BGP Graceful Restart |
| | Traceback in cli_xml_server Thread |
| | Traceback at "ssh" when executing 'show service-policy inspect gtp pdp-context detail' |
| | Usage of 'virtual http' or 'virtual telnet' incorrectly needs 'same-security permit intra-interface' |
| | 2100/4100/9300: stopping/pausing capture from Management Center doesn't lower the CPU usage |
| | Netflow configuration on Active ASA is replicated in upside down order on Standby unit |
| | Packet capture fails for interface named "management" on Firepower Threat Defense |
| | Withdrawal advertisements for specific prefixes are flooded before flooding aggregate prefix |
| | IP Local pools configured with the same name. |
| | Cisco Adaptive Security Appliance Direct Memory Access Denial of Service Vulnerability |
| | ASA traceback when logging host command is enabled for IPv6 after each reboot |
| | 1550 Block Depletion Causes ASA to reload 6.2.3.3. |
| | Invalid Http response (IO error during SSL communication) when trying to copy a file from CSM to ASA |
| | Cisco Adaptive Security Appliance Access Control List Bypass Vulnerability |
| | ASA keeps Type 7 NSSA after losing neighbor |
| | webvpn-l7-rewriter: Bookmark logout fails on IE |
| | ASA IKEv2 capture type isakmp setting incorrect "Initiator Request" flag on decrypted IKE_AUTH_Reply |
| | ASA IKEv2 capture type isakmp is saving corrupted packets or is missing packets |
| | ASA Smart Licensing messaging fails with 'nonce failed to match' |
| | ASA may traceback due to SCTP traffic |
| | ASA: 9.6.4, 9.8.2 - Failover logging message appears in user context |
| | "show memory binsize" and "show memory top-usage" do not show correct information (Complete fix) |
| | Flows get stuck in lina conn table in half-closed state |
| | webvpn: Bookmark fails to render on Firefox and Chrome. IE fine. |
| | ASA 5525 running 9.8.2.20 memory exhaustion. |
| | ASA generates warning messages regarding IKEv1 L2L tunnel-groups |
| | GTP soft traceback seen while processing v2 handoff |
| | ASA5585 doesn't use priority RX ring when FlowControl is enabled |
| | Crash output reports hardware ASP-## for ASA5585-SSP-##. Should correctly report full model name. |
| | SSH/Telnet Management sessions may get stuck in pc ftpc_suspend |
| | Active FTP Data transfers fail with FTP inspection and NAT |
| | ASA Traceback and reload when executing show process (rip: inet_ntop6) |
| | Enabling compression necessary to load ASA SSLVPN login page customization |
| | Unwanted IE present error when parsing GTP APN Restriction |
| | IKEv2 RA with EAP fails due to Windows 10 version 1803 IKEv2 fragmentation feature enabled. |
| | Large ACL taking long time to compile on boot causing outage |
| | Certificate import from Local CA fails due to invalid Content-Encoding |
| | ASA may traceback and reload when accessing qos metrics via ASDM/Telnet/SSH |
| | WebVPN: Grammar Based Parser fails to handle META tags |
| | SSH session stuck after committing changes within a Configure Session. |
| | ASAv and FTDv deployment fails in Microsoft Azure and/or slow console response |
| | ASA "snmp-server enable traps memory-threshold" hogs CPU resulting in "no buffer" drops |
| | ASA CP core pinning leads to exhaustion of core-local blocks |
| | ENH: Addition of 'show fragment' to 'show tech' output |
| | ENH: Addition of 'show ipv6 interface' to 'show tech' output |
| | ENH: Addition of 'show aaa-server' to 'show tech' output |
| | KVM (FTD): Mapping web server through outside not working consistently with other platforms |
| | Firepower 2100 tunnel flap at data rekey with high throughput Lan-to-Lan VPN traffic |
| | When logging into the ASA via ASDM, syslog 611101 shows IP as 0.0.0.0 as remote IP |
| | mac address is flapping on huasan switch when asa etherchannel is configured with active mode |
| | Firepower 2110, Webvpn conditional debugging causes Threat Defense to traceback |
| | Traceback and reload due to GTP inspection and Failover |
| | Traceback: ASA 9.8.2.28 while doing mutex lock |
| | ASA cluster: Traffic loop on CCL with NAT and high traffic |
| | ERROR: The entitlement is already acquired while the configuration is cached. |
| | ASA WebVPN - incorrect rewriting for SAP Netweaver |
| | ASA - VTI tunnel interface nameif not available for SNMP in "snmp-server host" command |
| | AnyConnect 4.6 Web-deploy fails on MAC using Safari 11.1.x browsers |
| | GTP inspection should not process TCP packets |
| | FTD IPV6 traffic outage after interface edit and deployment part 1/2 |
| | Async queue issues with fragmented packets leading to block depletion 9344 |
| | Low DMA memory leading to VPN failures due to incorrect crypto maps |
| | ASA IKEv2 traceback while deleting SAs |
| | FTD on FPR 9300 corrupts TCP headers with pre-filter enabled |
| | The CPU profiler stops running without having hit the threshold and without collecting any samples. |
| | FTD or ASA traceback and reload in "Thread Name: Logger Page fault: Address not mapped" |
| | ASA unable to handle Chunked Transfer-encoding returned in HTTP response pages in Clientless WebVPN |
| | Clientless webvpn fails when ASA sends HTTP as a message-body |
| | "Free memory" in "show memory" output is wrong as it includes memory utilisation due to overhead |
| | Qos applied on interfaces doesn't work. |
| | ASA 9.8(2)24 traceback on FPR9K-SM-44 |
| | RDP bookmark plugin won't launch |
| | Using EEM to track VPN connection events may cause traceback and reload |
| | Standby unit sending BFD packets with active unit IP, causing BGP neighborship to fail. |
| | FPR 9k ASA cluster multicon mode/vpn-mode distribute causes a reboot-loop if transparent mode conf |
| | Initiating write net command with management access for BVI interfaces does not succeed |
| | "capture stop" command doesn't work for asp-drop type capture |
| | ASA: Memory leak due to PC cssls_get_crypto_ctxt |
| | GTP delete bearer request is being dropped |
| | ASA Traceback: Thread Name NIC Status Poll. |
| | With v1 host configured, a v2c walk from that host succeeds |
| | Cisco ASA and FTD Denial of Service or High CPU due to SIP inspection Vulnerability |
| | Make Object Group Search Threshold disabled by default, and configurable. Causes outages. |
| | Cisco Adaptive Security Appliance Software Privilege Escalation Vulnerability |
| | Firepower 2100 ASA Smart Licensing Hostname Change Not Reflected in Smart Account |
| | HA failed primary unit shows active while "No Switchover" status on FP platforms |
|
Cisco Adaptive Security Appliance WebVPN - VPN not connecting through Browser |
|
ASA wrongly removes dACL for all Anyconnect clients which has the same dACL attached |
|
Traceback high availability standby unit Thread Name: vpnfol_thread_msg |
|
ASA kerberos auth fails switch to TCP if server has response too big (ERR_RESPONSE_TOO_BIG) |
|
ASA: Memory leak due to PC alloc_fo_ipsec_info_buffer_ver_1+136 |
|
ASA: Add additional IKEv2/IPSec debugging for CSCvm70848 |
|
ASA: CLI: User should not be allowed to create network object "ANY" |
|
Unable to modify access control license entry with log default command |
|
ASA not inspecting H323 H225 |
|
ASAv/FP2100 Smart Licensing - Unable to register/renew license |
|
FTD: SSH to ASA Data interface fails if overlapping NAT statement is configured |
|
Only first line of traceroute is captured in event manager output |
|
Webvpn Clientless- password management issue |
|
SSH Service on ASA echoes back each typed/pasted character in its own packet |
|
NTP synchronization don't work when setting BVI IF as NTP source interface |
|
Blocks exhaustion snapshot was not captured on ASA |
|
ASA 5506 %Error copying http://x.x.x.x/asasfr-5500x-boot-6.2.3-4.img(No space left on device) |
|
FTD - When "object-group-search" is pushed through flexconfig, all ACLs get deleted causing outage. |
|
ASA AAA Authentication using TACACs does not work when the Server Host Key is set to 128 characters |
|
FTD device rebooted after taking Active State for less than 5 minutes |
|
Prevent administrators from installing CXSC module on ASA 5500-X |
|
ASA/FTD Connection Idle Timers Not Increasing For Inactive Offloaded Sessions |
|
FTD: Need ability to trust ethertype ACLs from the parser. Need to allow BPDU to pass through |
|
port-channel IF's Interface number is displayed un-assigned when running at transparent mode |
|
ASA may traceback due to SCTP traffic inspection without NULL check |
|
ASA : Failed SSL connection not getting deleted and depleting DMA memory |
|
ADI process fails to start on ASA on Firepower 4100 |
|
SNMPv2 pulls empty ifHCInOctets value if Nameif is configured on the interface |
|
Keepout configuration on the active ASA can not be synchronized to the standby ASA |
|
The 'show memory' CLI output is incorrect on ASAv |
|
ASA Traceback in emweb/https during Anyconnect Auth/DAP assessment |
|
ASA traceback when removing interface configuration used in call-home |
|
Standby node traceback in wccp_int_statechange() with HA configuration sync |
|
ASA routes change during OS upgrade |
|
ASA discards OSPF hello packets with LLS TLVs sent from a neighbor running on IOS XE 16.5.1 or later |
|
Specified virtual mac address could not display when executing "show interface" |
|
AnyConnect Cert Auth w/ periodic cert auth fails if failover enabled but other device unreachable |
|
RA VPN + SAML authentication causes 2 authorization requests against the RADIUS server |
|
ASA stops authenticating new AnyConnect connections due to fiber exhaustion |
|
ASA/FTD:MAC address not refreshing after changing member-interface of CCL link |
|
selective acking not happening with SSL crypto hardware offload |
|
ASA 5500-X may reload without crashinfo written due to CXSC module continuously reloading |
|
anyconnect client dns request dropped by ASA with umbrella enabled |
|
To support multiple retry on devcmd failure to CRUZ during flow table configuration update. |
|
ISA300 interop issue with Nokia 7705 router |
|
Configuring "boot config" has no effect if file was modified off-box and copied back on |
|
DPD doesn't work following a failover, which can (in rare cases) cause an outage if things fail back |
|
ASA traceback and reload due to multiple threads waiting for the same lock - watchdog |
|
ASA 5585 9.8.3.14 traceback in Datapath with ipsec |
|
ASA as an SSL Client Memory Leak in Handshake Error path |
|
ASA/webvpn: FF and Chrome: Bookmark is not rendered with Grammar Based Parser |
|
"Process Name: lina" | ASA traceback caused by Netflow |
|
WebVPN: URL-Entry disabled / "Go to" address within embedded toolbar is not taking effect |
|
Support more than 255 chars for Split DNS-commit issue in hanover for CSCuz22961 |
|
Upgrading ASA cluster to 9.10.1.7 cause low memory |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.