Release Notes for the Cisco ASA Series, 9.15(x)
This document contains release information for Cisco ASA software Version 9.15(x).
Important Notes
-
No support in ASA 9.15(1) and later for the ASA 5525-X, ASA 5545-X, and ASA 5555-X—ASA 9.14(x) is the last supported version. For the ASA FirePOWER module, the last supported version is 6.6.
-
Cisco announces the feature deprecation for Clientless SSL VPN effective with ASA version 9.17(1)—Limited support will continue on releases prior to 9.17(1).
-
For the Firepower 1010, invalid VLAN IDs can cause problems—Before you upgrade to 9.15(1), make sure you are not using a VLAN for switch ports in the range 3968 to 4047. These IDs are for internal use only, and 9.15(1) includes a check to make sure you are not using these IDs. For example, if these IDs are in use after upgrading a failover pair, the failover pair will go into a suspended state. See CSCvw33057 for more information.
-
Upgrade ROMMON for ASA 5506-X, 5508-X, and 5516-X to Version 1.1.15 or later—There is a new ROMMON version for these ASA models (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.
Caution: The ROMMON upgrade for 1.1.15 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.
-
Upgrade ROMMON for the ISA 3000 to Version 1.0.5 or later——There is a new ROMMON version for the ISA 3000 (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.
Caution: The ROMMON upgrade for 1.0.5 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.
-
SAMLv1 feature deprecation—Support for SAMLv1 is deprecated.
-
Low-Security Cipher Removal in ASA 9.15(1)—Support for the following less secure ciphers used by IKE and IPsec have been removed:
-
Diffie-Hellman groups: 2 and 24
-
Encryption algorithms: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256, NULL, ESP-3DES, ESP-DES, ESP-MD5-HMAC
-
Hash algorithms: MD5
Note
Low-security SSH and SSL ciphers have not yet been removed.
Before you upgrade from an earlier version of ASA to Version 9.15(1), you must update your VPN configuration to use the ciphers supported in 9.15(1), or else the old configuration will be rejected. When the configuration is rejected, one of the following actions will occur, depending on the command:
-
The command will use the default cipher.
-
The command will be removed.
Fixing your configuration before upgrading is especially important for clustering or failover deployments. For example, if the secondary unit is upgraded to 9.15(1), and the removed ciphers are synced to this unit from the primary, then the secondary unit will reject the configuration. This rejection might cause unexpected behavior, like failure to join the cluster.
IKEv1: The following subcommands are removed:
-
crypto ikev1 policy priority:
-
hash md5
-
encryption 3des
-
encryption des
-
group 2
-
IKEv2: The following subcommands are removed:
-
crypto ikev2 policy priority:
-
prf md5
-
integrity md5
-
group 2
-
group 24
-
encryption 3des
-
encryption des
-
encryption null
-
IPsec: The following subcommands are removed:
-
crypto ipsec ikev1 transform-set name esp-3des esp-des esp-md5-hmac
-
crypto ipsec ikev2 ipsec-proposal name
-
protocol esp integrity md5
-
protocol esp encryption 3des aes-gmac aes-gmac- 192 aes-gmac -256 des
-
-
crypto ipsec profile name
-
set pfs group2 group24
-
Crypto Map: The following subcommands are removed:
-
crypto map name sequence set pfs group2
-
crypto map name sequence set pfs group24
-
crypto map name sequence set ikev1 phase1-mode aggressive group2
-
-
Re-introduction of CRL Distribution Point configuration—The static CDP URL configuration option, that was removed in 9.13(1), was re-introduced in the match-certificate command.
-
Restoration of bypass certificate validity checks option—The option to bypass revocation checking due to connectivity problems with the CRL or OCSP server was restored.
The following subcommands were restored:
-
revocation-check crl none
-
revocation-check ocsp none
-
revocation-check crl ocsp none
-
revocation-check ocsp crl none
-
System Requirements
This section lists the system requirements to run this release.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note |
New, changed, and deprecated syslog messages are listed in the syslog message guide. |
New Features in ASA 9.15(1)
Released: November 2, 2020
Feature |
Description |
---|---|
Platform Features |
|
ASAv for the Public Cloud |
We introduced the ASAv for the following Public Cloud offerings:
No modified commands. |
ASAv support for Autoscale |
The ASAv now supports Autoscale for the following Public Could offerings:
Autoscaling increases or decreases the number of ASAv application instances based on capacity requirements. No modified commands. |
ASAv for Microsoft Azure support for Accelerated Networking (SR-IOV). |
The ASAv on the Microsoft Azure Public Cloud now supports Azure's Accelerated Networking (AN), which enables single root I/O virtualization (SR-IOV) to a VM, greatly improving its networking performance. No modified commands. |
Firewall Features |
|
Changes to PAT address allocation in clustering. The PAT pool flat option is now enabled by default and it is not configurable. |
The way PAT addresses are distributed to the members of a cluster is changed. Previously, addresses were distributed to the members of the cluster, so your PAT pool would need a minimum of one address per cluster member. Now, the master instead divides each PAT pool address into equal-sized port blocks and distributes them across cluster members. Each member has port blocks for the same PAT addresses. Thus, you can reduce the size of the PAT pool, even to as few as one IP address, depending on the amount of connections you typically need to PAT. Port blocks are allocated in 512-port blocks from the 1024-65535 range. You can optionally included the reserved ports, 1-1023, in this block allocation when you configure PAT pool rules. For example, in a 4-node cluster, each node gets 32 blocks with which it will be able to handle 16384 connections per PAT pool IP address compared to a single node handling all 65535 connections per PAT pool IP address. As part of this change, PAT pools for all systems, whether standalone or operating in a cluster, now use a flat port range of 1023 - 65535. Previously, you could optionally use a flat range by including the flat keyword in a PAT pool rule. The flat keyword is no longer supported: the PAT pool is now always flat. The include-reserve keyword, which was previously a sub-keyword to flat , is now an independent keyword within the PAT pool configuration. With this option, you can include the 1 - 1023 port range within the PAT pool. Note that if you configure port block allocation (the block-allocation PAT pool option), your block allocation size is used rather than the default 512-port block. In addition, you cannot configure extended PAT for a PAT pool for systems in a cluster. New/Modified commands: nat , show nat pool |
XDMCP inspection disabled by default in new installations. |
Previously, XDMCP inspection was enabled by default for all traffic. Now, on new installations, which includes new systems and reimaged systems, XDMCP is off by default. If you need this inspection, please enable it. Note that on upgrades, your current settings for XDMCP inspection are retained, even if you simply had it enabled by way of the default inspection settings. |
High Availability and Scalability Features |
|
Disable failover delay |
When you use bridge groups or IPv6 DAD, when a failover occurs the new active unit waits up to 3000 ms for the standby unit to finish networking tasks and transition to the standby state. Then the active unit can start passing traffic. To avoid this delay, you can disable the waiting time, and the active unit will start passing traffic before the standby unit transitions. New/Modified commands: failover wait-disable |
Routing Features |
|
Multicast IGMP interface state limit raised from 500 to 5000 |
The multicast IGMP state limit per interface was raised from 500 to 5000. New/Modified commands: igmp limit Also in 9.12(4). |
Interface Features |
|
DDNS support for the web update method |
You can now configure an interface to use DDNS with the web update method. New/Modified commands: show ddns update interface , show ddns update method , web update-url , web update-type |
Certificate Features |
|
Modifications to Match Certificate commands to support static CRL Distribution Point URL |
The static CDP URL configuration commands allowed CDPs to be mapped uniquely to each certificate in a chain that is being validated. However, only one such mapping was supported for each certificate. This modification allows statically configured CDPs to be mapped to a chain of certificates for authentication. New/Modified commands: match certificate override cdp , |
Administrative and Troubleshooting Features |
|
Manual import of node secret file from the RSA Authentication Manager for SDI AAA server groups. |
You can import the node secret file that you export from the RSA Authentication Manager for use with SDI AAA server groups. We added the following commands: aaa sdi import-node-secret , clear aaa sdi node-secret , show aaa sdi node-secrets . |
show fragment command output enhanced |
The output for show fragment command was enhanced to include IP fragment related drops and error counters. No modified commands. |
show tech-support command output enhanced |
The output for show tech-support command was enhanced to include the bias that is configured for the crypto accelerator. The bias value can be ssl, ipsec, or balanced. No modified commands. |
Monitoring Features |
|
Support to configure cplane keepalive holdtime values |
Due to communication delays caused by high CPU usage, the response to the keepalive event fails to reach ASA, resulting in trigerring failover due to card failure. You can now configure the keepalive timeout period and the maximum keepalive counter value to ensure sufficient time and retries are given. New/Modified commands: service-module |
VPN Features |
|
Support for configuring the maximum in-negotiation SAs as an absolute value |
You can now configure the maximum in-negotiation SAs as an absolute value up to 15000 or a maximum value derived from the maximum device capacity; formerly, only a percentage was allowed. New/Modified commands: crypto ikev2 limit max-in-negotiation-sa value Also in 9.12(4). |
Cross-Site Request Forgery (CSRF) Vulnerabilities Prevention for WebVPN Handlers |
ASA provides protection against CSRF attacks for WebVPN handlers. If a CSRF attack is detected, a user is notified by warning messages. This feature is enabled by default. |
Kerberos server validation for Kerberos Constrained Delegation (KCD). |
When configured for KCD, the ASA initiates an AD domain join with the configured server in order to acquire Kerberos keys. These keys are required for the ASA to request service tickets on behalf of clientless SSL VPN users. You can optionally configure the ASA to validate the identity of the server during domain join. We modified the kcd-server command to add the validate-server-certificate keyword. |
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
-
ASDM: Choose
. -
CLI: Use the show version command.
This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
Note |
Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage. |
Note |
For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories. |
Note |
ASA 9.14(x) was the final version for the ASA 5525-X, 5545-X, and 5555-X. ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2(x) was the final version for the ASA 5505. ASA 9.1(x) was the final version for the ASA 5510, 5520, 5540, 5550, and 5580. |
Current Version |
Interim Upgrade Version |
Target Version |
---|---|---|
9.14(x) |
— |
Any of the following: → 9.15(x) |
9.13(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) |
9.12(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) |
9.10(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) |
9.9(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) |
9.8(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) |
9.7(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) → 9.8(x) |
9.6(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) → 9.8(x) |
9.5(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) → 9.8(x) |
9.4(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) → 9.8(x) |
9.3(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) → 9.8(x) |
9.2(x) |
— |
Any of the following: → 9.15(x) → 9.14(x) → 9.12(x) → 9.8(x) |
9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) |
— |
Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.1(7.4) |
9.1(1) |
→ 9.1(2) |
Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.1(7.4) |
9.0(2), 9.0(3), or 9.0(4) |
— |
Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.6(x) → 9.1(7.4) |
9.0(1) |
→ 9.0(4) |
Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.1(7.4) |
8.6(1) |
→ 9.0(4) |
Any of the following: → 9.14(x) → 9.12(x) → 9.8(x) → 9.1(7.4) |
8.5(1) |
→ 9.0(4) |
Any of the following: → 9.12(x) → 9.8(x) → 9.1(7.4) |
8.4(5+) |
— |
Any of the following: → 9.12(x) → 9.8(x) → 9.1(7.4) → 9.0(4) |
8.4(1) through 8.4(4) |
→ 9.0(4) |
→ 9.12(x) → 9.8(x) → 9.1(7.4) |
8.3(x) |
→ 9.0(4) |
Any of the following: → 9.12(x) → 9.8(x) → 9.1(7.4) |
8.2(x) and earlier |
→ 9.0(4) |
Any of the following: → 9.12(x) → 9.8(x) → 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.15(x)
The following table lists select open bugs at the time of this Release Note publication.
Caveat ID Number |
Description |
---|---|
ASA - rare cp processing corruption causes console lock |
|
ASA : Traceback on tcp_intercept Thread name : Threat detection |
|
6.4.0-102 2140 w/ SSL policy runs out of 1550 and 9472 blocks. doesn't recover |
|
ASA traceback when running "no threat-detection statistics tcp-intercept" command |
|
ASA/Lina traceback in DATAPATH |
|
Using EEM on ASA may cause HA pair to reload when resources are depleted. |
|
ASA traceback with thread: idfw_proc |
|
ASA:Not replicating specific configuration to standby ASA when copying config file to the active ASA |
|
2100: incoming packets dropped due to "no buffer" and outgoing packets leading to block depletion |
|
Internal1/1 data interface goes down without any reason or logs. |
|
snort-busy counter incrementing while snort cpu less than 40% |
|
ASA: Unexpected traceback and reload due to DRBG health check failure |
|
FTD with RAVPN and sysopt connection permit-vpn, stops working when adding a monitor rule |
|
Intermittently after reboot, ADI can't join KCD |
|
Clear crypto ipsec sa inactive command not deleting outbound SAs |
|
Failover: standby unit crashed during modifying access-lists, with high CPU utilization |
|
6.7.0-1992: SSL info is not populated in the FMC connection events page |
|
Improper ordering of context between primary and secondary ASA units in multi-context mode |
|
Crypto engine errors when GRE header protocol field doesn't match protocol field in inner ip header |
|
DAP - No Client Certificate information is passed to DAP |
|
SNMP traps not generated on FP 2100 after changing from platform to appliance mode on 9.14.1.15 |
|
ISA-3000 hardware-bypass behavior is not changed after write erase |
|
ASA/FTD may traceback and reload in Thread Name 'IKE Daemon' |
|
ASA traceback while modifying the bookmark SSL Ciphers configuration |
|
ASA 256 and 1550 block depletion causes DMA Memory unreleased allocation |
|
OSPF network commands go missing in the startup-config after upgrading the ASA |
|
ASA should use IPv4 for OCSP as a fallback method because IPv6 is not supported |
|
ASA not closing connections associated with terminated S2S connection |
|
Static routes not replicating to Standby Unit. |
|
FPR-2110 traceback with crypto_pki traceback |
|
SOF seen after EOF for a connection without any further packets |
|
ASA5555 traceback and reload on Thread Name: ace_work |
|
ASA traceback "Address not mapped" "periodic_handler_internal" |
|
ASA: High number of CPU hog in igb_saleen_io_sfp_mod_poll_thread process |
|
SSL VPN connection failed to establish when the counter of active session reaching a certain value |
|
ASA keeps reloading with "octnic_hm_thread". After the reload, it takes very long time to recover. |
|
ASA5516 9.12.3 crash and reboot for the active unit (Octeon crash) |
|
Secondary unit not able to join the cluster |
|
Large object-group config with increased control point CPU usage can lead to config sync failure |
|
ASA traceback and reload due to VPN thread on firepower 2140 |
|
Fragments in Q-in-Q frames are dropped by lina when using inline set |
|
ASA is getting traceback and reload frequently due to memory corruption |
|
ASA will not import CA certificate with name constraint of RFC822Name set as empty |
|
Duplicate MAC Addresses in Shared Interfaces of Contexts |
|
FTD/HA: "no shutdown" command disappear from running-config of standby |
|
FTD Traceback On appAgent_hb_receiver_thread |
|
Stale VPN Context seen for AnyConnect IKEv2 sessions |
|
AnyConnect client-to-client communication (Cisco IP Phone Calls) blocked after upgrade to 9.12(4) |
|
ASA traceback and reload on NTP thread triggered watch dog |
|
ASAv traceback and reload in thread name Pthread on version 9.12(3)9 |
|
Heapcache Memory depleting rapidly due to certificate chain failed validation |
|
IKEv1 Phase 2 incorrectly hits deny statement of crypto ACL |
|
FPR1k ASA stops passing traffic when a member of the port-channel is down |
|
Offloaded UDP traffic not failed over to secondary route in ECMP setup |
|
Redirect failure for Chrome Popups when using bookmark for clientless VPN |
|
ASA memory usage stays at 100%. |
|
WebVPN: Not able to open the WebVPN portal |
|
ASA long CPU hogs caused by "Crypto CA" process |
|
ASA traceback in the LINA process |
|
FP2100 traceback observed in IKE daemon |
|
OSPF Database don't reflect RIB changes |
|
Enabling Jumbo frames on the ASA 5508 causes low DMA memory issues |
|
ASA Traceback and reload on SNMP functions |
|
ASA/FTD Traceback and reload in Thread Name: Logger |
|
vpn_putuauth: ERR: uxlate collision for ip x.x.x.x user xxxxx on interface outside. |
|
FTP File transfer (Big File) not properly closed when Flow offload is enabled |
|
ASA Traceback in thread name: DATAPATH |
|
ASA traceback and reload on Thread Name: ci/console |
|
IKEv2 with EAP, MOBIKE status fails to be processed. |
|
H323 Inspection not natting the Media server IP embedded in FacilityOpenLocgicalChannel packet |
|
Unable to access SAP portal hyperlinks over webvpn only from the Google Chrome |
|
ASA WM 1010: FXOS_PARSER_ERROR: curl return with error code:401 invalid IDs |
Resolved Bugs in Version 9.15(1)
The following table lists select resolved bugs at the time of this Release Note publication.
Caveat ID Number |
Description |
---|---|
ASA: crypto session handles leak on the standby unit |
|
Traffic does not fallback to primary interface from crypto map when interface becomes available |
|
Standby unit traceback at fover_parse and boot loop when detecting Active unit |
|
Ping Failure on ASAv - 9.13 after CAT9k reboot |
|
SNMPPOLL/SNMPTRAP to remote end (site-to-site vpn) ASA interface fails on ASA 9.14.1 |
|
traceback: ASA reloaded lina_sigcrash+1394 |
|
ASA: Block new conns even when the "logging permit-hostdown" is set & TCP syslog is down |
|
Traceback in threadname DATAPATH (5585) or Lina (2100) after upgrade to 9.12.4 |
|
After upgrade ASA swapped names for disks, disk0 became disk1 and vice versa. |
|
Interface status may be mismatched between application and chassis due to missed update |
|
ASA still doesn't allow to poll internal-data0/0 counters via SNMP in multiple mode |
|
Malformed SIP packets leads to 4k block hold-up till SIP conn timeout causing probable traffic issue |
|
Removing static ipv6 route from management-only route table affects data traffic |
|
ASA Anyconnect url-redirect not working for ipv6 |
|
Traceback Cluster unit on snpi_nat_xlate_destroy+2508 |
|
DMA memory leak in ctm_hw_malloc_from_pool causing management and VPN connections to fail |
|
ASA/FTD traceback and reload during AAA or CoA task of Anyconnect user |
|
ASA/FTD is reading BGP MP_REACH_NLRI attribute's next-hop bytes in reverse order |
|
ASA traceback and reload in fover_parse when attempting to join the failover pair. |
|
ASA dropping all traffic with reason "No route to host" when tmatch compilation is ongoing |
|
After modify network/service object name. mis-match will occur on hash value of ACL in syslog. |
|
Inner flow: U-turn GRE flows trigger incorrect connection flow creation |
|
FTD stuck in Maintenance Mode after upgrade to 6.6.1 |
|
ASA cluster members 2048 block depletion due to "VPN packet redirect on peer" |
|
DHCP-Proxy renewal timer is not started after failover |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.