Release Notes for the Cisco ASA Series, 9.4(x)
This document contains release information for Cisco ASA software Version 9.4(x).
Important Notes
-
Potential Traffic Outage (9.4(3.11) through 9.4(4))—Due to bug CSCvd78303, the ASA may stop passing traffic after 213 days of uptime. The effect on each network will be different, but it could range from an issue of limited connectivity to something more extensive like an outage. You must upgrade to a new version without this bug, when available. In the meantime, you can reboot the ASA to gain another 213 days of uptime. Other workarounds may be available. See Field Notice FN-64291 for affected versions and more information.
-
For the ASA 5506H-X, when you upgrade to ASA Version 9.5(2), the correct licensing level is applied. Earlier ASA versions apply the same licensing as the ASA 5506-X base license. For earlier versions, you can contact Cisco to receive the ASA 5506-X Security Plus license, which is equivalent to the correct ASA 5506H-X base license; or simply upgrade to 9.5(2).
-
Unified Communications Phone Proxy and Intercompany Media Engine Proxy are deprecated—In ASA Version 9.4, the Phone Proxy and IME Proxy are no longer supported.
-
Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated:
ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA: DES-CBC-SHA:RC4-SHA:RC4-MD5" -
The RSA toolkit version used in ASA 9.x is different from what was used in ASA 8.4, which causes differences in PKI behavior between these two versions.
For example, ASAs running 9.x software allow you to import certificates with an Organizational Name Value (OU) field length of 73 characters. ASAs running 8.4 software allow you to import certificates with an OU field name of 60 characters. Because of this difference, certificates that can be imported in ASA 9.x will fail to be imported to ASA 8.4. If you try to import an ASA 9.x certificate to an ASA running version 8.4, you will likely receive the error, "ERROR: Import PKCS12 operation failed.
System Requirements
This section lists the system requirements to run this release.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
 Note |
New, changed, and deprecated syslog messages are listed in the syslog message guide. |
New Features in ASA 9.4(4.5)
Released: April 3, 2017
Note |
There are no new features in this release.
New Features in ASA 9.4(3)
Released: April 25, 2016
|
Feature |
Description |
||
|---|---|---|---|
|
Firewall Features |
|||
|
Connection holddown timeout for route convergence |
You can now configure how long the system should maintain a connection when the route used by the connection no longer exists or is inactive. If the route does not become active within this holddown period, the connection is freed. You can reduce the holddown timer to make route convergence happen more quickly. However, the 15 second default is appropriate for most networks to prevent route flapping. We added the following command: timeout conn-holddown |
||
|
Remote Access Features |
|||
|
Configurable SSH encryption and HMAC algorithm. |
Users can select cipher modes when doing SSH encryption management and can configure HMAC and encryption for varying key exchange algorithms. We introduced the following commands: ssh cipher encryption, ssh cipher integrity. Also available in 9.1(7). |
||
|
HTTP redirect support for IPv6 |
When you enable HTTP redirect to HTTPS for ASDM access or clientless SSL VPN, you can now redirect traffic sent an to IPv6 address. We added functionality to the following command: http redirect Also available in 9.1(7). |
||
|
Monitoring Features |
|||
|
SNMP engineID sync for Failover |
In a failover pair, the SNMP engineIDs of the paired ASAs are synced on both units. Three sets of engineIDs are maintained per ASA—synced engineID, native engineID and remote engineID. An SNMPv3 user can also specify the engineID of the ASA when creating a profile to preserve localized snmp-server user authentication and privacy options. If a user does not specify the native engineID, the show running config output will show two engineIDs per user. We modified the following command: snmp-server user |
||
|
show tech support enhancements |
The show tech support command now:
We modified the following command: show tech support Also available in 9.1(7). |
||
|
Support for the cempMemPoolTable in the CISCO-ENHANCED-MEMPOOL-MIB |
The cempMemPoolTable of the CISCO-ENHANCED-MEMPOOL-MIB is now supported. This is a table of memory pool monitoring entries for all physical entities on a managed system.
We did not add or modify any commands. Also available in 9.1(7). |
||
New Features in ASA 9.4(2.145)
Released: November 13, 2015
There are no new features in this release.
Note |
This release supports only the Firepower 9300 ASA security module. |
New Features in ASA 9.4(2)
Released: September 24, 2015
There are no new features in this release.
Note |
ASAv 9.4(1.200) features are not included in this release. |
Note |
This version does not support the ISA 3000. |
New Features in ASA 9.4(1.225)
Released: September 17, 2015
Note |
This release supports only the Cisco ISA 3000. |
|
Feature |
Description |
|---|---|
|
Platform Features |
|
|
Cisco ISA 3000 Support |
The Cisco ISA 3000 is a DIN Rail mounted, ruggedized, industrial security appliance. It is low-power, fan-less, with Gigabit Ethernet and a dedicated management port. This model comes with the ASA Firepower module pre-installed. Special features for this model include a customized transparent mode default configuration, as well as a hardware bypass function to allow traffic to continue flowing through the appliance when there is a loss of power. We introduced the following commands: hardware-bypass, hardware-bypass manual, hardware-bypass boot-delay, show hardware-bypass This feature is not available in Version 9.5(1). |
New Features in ASA 9.4(1.152)
Released: July 13, 2015
Note |
This release supports only the ASA on the Firepower 9300. |
|
Feature |
Description |
||
|---|---|---|---|
|
Platform Features |
|||
|
ASA security module on the Firepower 9300 |
We introduced the ASA security module on the Firepower 9300.
|
||
|
High Availability Features |
|||
|
Intra-chassis ASA Clustering for the Firepower 9300 |
You can cluster up to 3 security modules within the Firepower 9300 chassis. All modules in the chassis must belong to the cluster. We introduced the following commands: cluster replication delay, debug service-module, management-only individual, show cluster chassis |
||
|
Licensing Features |
|||
|
Cisco Smart Software Licensing for the ASA on the Firepower 9300 |
We introduced Smart Software Licensing for the ASA on the Firepower 9300. We introduced the following commands: feature strong-encryption, feature mobile-sp, feature context |
||
New Features in ASAv 9.4(1.200)
Released: May 12, 2015
Note |
This release supports only the ASAv. |
|
Feature |
Description |
||
|---|---|---|---|
|
Platform Features |
|||
|
ASAv on VMware no longer requires vCenter support |
You can now install the ASAv on VMware without vCenter using the vSphere client or the OVFTool using a Day 0 configuration. |
||
|
ASAv on Amazon Web Services (AWS) |
You can now use the ASAv with Amazon Web Services (AWS) and the Day 0 configuration.
|
||
New Features in ASA 9.4(1)
Released: March 30, 2015
|
Feature |
Description |
||
|---|---|---|---|
|
Platform Features |
|||
|
ASA 5506W-X, ASA 5506H-X, ASA 5508-X, ASA 5516-X |
We introduced the ASA 5506W-X with wireless access point, hardened ASA 5506H-X, ASA 5508-X, and ASA 5516-X models. We introduced the following command: hw-module module wlan recover image, hw-module module wlan recover image. |
||
|
Certification Features |
|||
|
Department of Defense Unified Capabilities Requirements (UCR) 2013 Certification |
The ASA was updated to comply with the DoD UCR 2013 requirements. See the rows in this table for the following features that were added for this certification:
|
||
|
FIPS 140-2 Certification compliance updates |
When you enable FIPS mode on the ASA, additional restrictions are put in place for the ASA to be FIPS 140-2 compliant. Restrictions include:
To see the FIPS certification status for the ASA, see: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf This PDF is updated weekly. See the Computer Security Division Computer Security Resource Center site for more information: http://csrc.nist.gov/groups/STM/cmvp/inprocess.html We modified the following command: fips enable |
||
|
Firewall Features |
|||
|
Improved SIP inspection performance on multiple core ASAs. |
If you have multiple SIP signaling flows going through an ASA with multiple cores, SIP inspection performance has been improved. However, you will not see improved performance if you are using a TLS, phone, or IME proxy. We did not modify any commands. |
||
|
SIP inspection support for Phone Proxy and UC-IME Proxy was removed. |
You can no longer use Phone Proxy or UC-IME Proxy when configuring SIP inspection. Use TLS Proxy to inspect encrypted traffic. We removed the following commands: phone-proxy, uc-ime. We removed the phone-proxy and uc-ime keywords from the inspect sip command. |
||
|
DCERPC inspection support for ISystemMapper UUID message RemoteGetClassObject opnum3. |
The ASA started supporting non-EPM DCERPC messages in release 8.3, supporting the ISystemMapper UUID message RemoteCreateInstance opnum4. This change extends support to the RemoteGetClassObject opnum3 message. We did not modify any commands. |
||
|
Unlimited SNMP server trap hosts per context |
The ASA supports an unlimited number of SNMP server trap hosts per context. The show snmp-server host command output displays only the active hosts that are polling the ASA, as well as the statically configured hosts. We modified the following command: show snmp-server host. |
||
|
VXLAN packet inspection |
The ASA can inspect the VXLAN header to enforce compliance with the standard format. We introduced the following command: inspect vxlan. |
||
|
DHCP monitoring for IPv6 |
You can now monitor DHCP statistics and DHCP bindings for IPv6. |
||
|
ESMTP inspection change in default behavior for TLS sessions. |
The default for ESMTP inspection was changed to allow TLS sessions, which are not inspected. However, this default applies to new or reimaged systems. If you upgrade a system that includes no allow-tls , the command is not changed. The change in default behavior was also made in these older versions: 8.4(7.25), 8.5(1.23), 8.6(1.16), 8.7(1.15), 9.0(4.28), 9.1(6.1), 9.2(3.2) 9.3(1.2), 9.3(2.2). |
||
|
High Availability Features |
|||
|
Blocking syslog generation on a standby ASA |
You can now block specific syslogs from being generated on a standby unit. We introduced the following command: no logging message syslog-id standby. |
||
|
Enable and disable ASA cluster health monitoring per interface |
You can now enable or disable health monitoring per interface. Health monitoring is enabled by default on all port-channel, redundant, and single physical interfaces. Health monitoring is not performed on VLAN subinterfaces or virtual interfaces such as VNIs or BVIs. You cannot configure monitoring for the cluster control link; it is always monitored. You might want to disable health monitoring of non-essential interfaces, for example, the management interface. We introduced the following command: health-check monitor-interface. |
||
|
ASA clustering support for DHCP relay |
You can now configure DHCP relay on the ASA cluster. Client DHCP requests are load-balanced to the cluster members using a hash of the client MAC address. DHCP client and server functions are still not supported. We introduced the following command: debug cluster dhcp-relay |
||
|
SIP inspection support in ASA clustering |
You can now configure SIP inspection on the ASA cluster. A control flow can be created on any unit (due to load balancing), but its child data flows must reside on the same unit. TLS Proxy configuration is not supported. We introduced the following command: show cluster service-policy |
||
|
Routing Features |
|||
|
Policy Based Routing |
Policy Based Routing (PBR) is a mechanism by which traffic is routed through specific paths with a specified QoS using ACLs. ACLs let traffic be classified based on the content of the packet’s Layer 3 and Layer 4 headers. This solution lets administrators provide QoS to differentiated traffic, distribute interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost switched paths, and allows Internet service providers and other organizations to route traffic originating from various sets of users through well-defined Internet connections. We introduced the following commands: set ip next-hop verify-availability, set ip next-hop, set ip next-hop recursive, set interface, set ip default next-hop, set default interface, set ip df, set ip dscp, policy-route route-map, show policy-route, debug policy-route |
||
|
Interface Features |
|||
|
VXLAN support |
VXLAN support was added, including VXLAN tunnel endpoint (VTEP) support. You can define one VTEP source interface per ASA or security context. We introduced the following commands: debug vxlan, default-mcast-group, encapsulation vxlan, inspect vxlan, interface vni, mcast-group, nve, nve-only, peer ip, segment-id, show arp vtep-mapping, show interface vni, show mac-address-table vtep-mapping, show nve, show vni vlan-mapping, source-interface, vtep-nve, vxlan port |
||
|
Monitoring Features |
|||
|
Memory tracking for the EEM |
We have added a new debugging feature to log memory allocations and memory usage, and to respond to memory logging wrap events. We introduced or modified the following commands: memory logging, show memory logging, show memory logging include, event memory-logging-wrap |
||
|
Troubleshooting crashes |
The show tech-support command output and show crashinfo command output includes the most recent 50 lines of generated syslogs. Note that you must enable the logging buffer command to enable these results to appear. |
||
|
Remote Access Features |
|||
|
Support for ECDHE-ECDSA ciphers |
TLSv1.2 added support for the following ciphers:
We introduced the following command: ssl ecdh-group. |
||
|
Clientless SSL VPN session cookie access restriction |
You can now prevent a Clientless SSL VPN session cookie from being accessed by a third party through a client-side script such as Javascript.
We introduced the following command: http-only-cookie. This feature is also in 9.2(3). |
||
|
Virtual desktop access control using security group tagging |
The ASA now supports security group tagging-based policy control for Clientless SSL remote access to internal applications and websites. This feature uses Citrix’s virtual desktop infrastructure (VDI) with XenDesktop as the delivery controller and the ASA’s content transformation engine. See the following Citrix product documentation for more information:
|
||
|
OWA 2013 feature support has been added for Clientless SSL VPN |
Clientless SSL VPN supports the new features in OWA 2013 except for the following:
We did not modify any commands. |
||
|
Citrix XenDesktop 7.5 and StoreFront 2.5 support has been added for Clientless SSL VPN |
Clientless SSL VPN supports the access of XenDesktop 7.5 and StoreFront 2.5. See http://support.citrix.com/proddocs/topic/xenapp-xendesktop-75/cds-75-about-whats-new.html for the full list of XenDesktop 7.5 features, and for more details. See http://support.citrix.com/proddocs/topic/dws-storefront-25/dws-about.html for the full list of StoreFront 2.5 features, and for more details. We did not modify any commands. |
||
|
Periodic certificate authentication |
When you enable periodic certificate authentication, the ASA stores certificate chains received from VPN clients and re-authenticates them periodically. We introduced or modified the following commands: periodic-authentication certificate, revocation-check, show vpn-sessiondb |
||
|
Certificate expiration alerts |
The ASA checks all CA and ID certificates in the trust points for expiration once every 24 hours. If a certificate is nearing expiration, a syslog will be issued as an alert. You can configure the reminder and recurrence intervals. By default, reminders will start at 60 days prior to expiration and recur every 7 days. We introduced or modified the following commands: crypto ca alerts expiration |
||
|
Enforcement of the basic constraints CA flag |
Certificates without the CA flag now cannot be installed on the ASA as CA certificates by default. The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate. You can configure the ASA to allow installation of these certificates if desired. We introduced the following command: ca-check |
||
|
IKEv2 invalid selectors notification configuration |
Currently, if the ASA receives an inbound packet on an SA, and the packet’s header fields are not consistent with the selectors for the SA, then the ASA discards the packet. You can now enable or disable sending an IKEv2 notification to the peer. Sending this notification is disabled by default.
We introduced the following command: crypto ikev2 notify invalid-selectors |
||
|
IKEv2 pre-shared key in Hex |
You can now configure the IKEv2 pre-shared keys in hex. We introduced the following command: ikev2 local-authentication pre-shared-key hex, ikev2 remote-authentication pre-shared-key hex |
||
|
Administrative Features |
|||
|
ASDM management authorization |
You can now configure management authorization separately for HTTP access vs. Telnet and SSH access. We introduced the following command: aaa authorization http console |
||
|
ASDM Username From Certificate Configuration |
When you enable ASDM certificate authentication (http authentication-certificate), you can configure how ASDM extracts the username from the certificate; you can also enable pre-filling the username at the login prompt. We introduced the following command: http username-from-certificate |
||
|
terminal interactive command to enable or disable help when you enter ? at the CLI |
Normally, when you enter ? at the ASA CLI, you see command help. To be able to enter ? as text within a command (for example, to include a ? as part of a URL), you can disable interactive help using the no terminal interactive command. We introduced the following command: terminal interactive |
||
|
REST API Features |
|||
|
REST API Version 1.1 |
We added support for the REST API Version 1.1. |
||
|
Support for token-based authentication (in addition to existing basic authentication) |
Client can send log-in request to a specific URL; if successful, a token is returned (in response header). Client then uses this token (in a special request header) for sending additional API calls. The token is valid until explicitly invalidated, or the idle/session timeout is reached. |
||
|
Limited multiple-context support |
The REST API agent can now be enabled in multi-context mode; the CLI commands can be issued only in system-context mode (same commands as single-context mode). Pass-through CLI API commands can be used to configure any context, as follows. If the context parameter is not present, it is assumed that the request is directed to the admin context. |
||
|
Advanced (granular) inspection |
Granular inspection of these protocols is supported:
|
||
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
-
CLI—Use the show version command.
-
ASDM—Choose .
See the following table for the upgrade path for your version. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
|
Current Version |
Interim Upgrade Version |
Target Version |
|---|---|---|
|
9.3(x) |
— |
Any of the following: → 9.4(x) → 9.3(x) |
|
9.2(x) |
— |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) |
|
9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) |
— |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
9.1(1) |
→ 9.1(2) |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
9.0(2), 9.0(3), or 9.0(4) |
— |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
9.0(1) |
→ 9.0(2), 9.0(3), or 9.0(4) |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.6(1) |
→ 9.0(2), 9.0(3), or 9.0(4) |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.5(1) |
→ 9.0(2), 9.0(3), or 9.0(4) |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.4(5+) |
— |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.4(1) through 8.4(4) |
Any of the following: → 9.0(2), 9.0(3), or 9.0(4) → 8.4(6) |
→ 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.3(x) |
→ 8.4(6) |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.2(x) and earlier |
→ 8.4(6) |
Any of the following: → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.4(x)
If you have a Cisco support contract, use the following dynamic search for all open bugs severity 3 and higher for Version 9.4(x):
The following table lists open bugs at the time of this Release Note publication.
|
Identifier |
Description |
|---|---|
|
Failover synchronization errors upon bulk synchronization operations |
|
|
TLS CTP does not work in TLSv1.2 when GCM ciphers are used |
|
|
Duplicate crypto ACE above an existing may cause traffic blackholling |
|
|
"mac-address auto" command is not enabled by default |
|
|
CWS redirection on ASA may corrupt sequence numbers with https traffic |
|
|
Traceback: ASA crash in thread name fover_health_monitoring_thread |
|
|
Alpha:Getting: LU allocate connection failed syslog on standby |
|
|
ASA5508X SSD LED always green even when SSD is removed |
|
|
After some time flash operations fail and configuration can not be saved |
|
|
ASA: IPSEC failover not encrypting IP Protocol 8 packets after failover |
|
|
XMLSoft libxml2 Encoding Conversion Denial of Service Vulnerability |
|
|
XMLSoft libxml2 xmlParserInputGrow Function Denial of Service Vulnerab |
|
|
XMLSoft libxml2 XML Entity Processing Denial of Service Vulnerability |
|
|
XMLSoft libxml2 xmlNextChar Function Memory Corruption Vulnerability |
|
|
XMLSoft libxml2 xmlParseXMLDecl Function Denial of Service Vulnerabili |
|
|
Clientless SSL VPN CIFS stress test: ramfs_webvpn_file_open traceback |
|
|
ASA : inspect ipsec-pass-thru not working after upgrade |
|
|
Traceback while deleting an ACL element |
|
|
Authentication failing after 9.4.2.11 upgrade. |
|
|
libxml2 htmlParseNameComplex() Function Denial of Service Vulnerabilit |
|
|
Page fault in DATAPATH thread, rip snp_fp |
|
|
ASA: OSPF neighborship failing on the Management Interface |
|
|
Memory leak in 112 byte bin when packet hits PBR and WCCP rules |
|
|
XMLSoft libxml2 xmlStringGetNodeList Function Memory Exhaustion Denial |
|
|
ASA traceback in SSH thread |
|
|
Share license server shows -939704796 local usage after upgrade |
|
|
Kenton 9.5.1'boot system/boot config' commands not retained after reload |
|
|
ASA : Traceback in Thread name: Session manager |
|
|
ASA traceback in threadname ssh |
|
|
ASA 5506 product power up issue if connected to 100M full duplex partner |
|
|
Interface health-check failover causes OSPF not to advertise ASA as ABR |
|
|
IPv6 neighbor discovery packet processing behavior |
|
|
ASA/SFR Data Plane Down (2048 block exhaustion) |
|
|
TCP conn count shows as negative - MPF policy blocks ALL TCP requests |
|
|
IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck |
|
|
Crash in CP Processing thread after upgrade |
|
|
ASA 9.4.2.6 High CPU due to CTM message handler |
|
|
Traceback Thread Name: ci/console : debug menu ctm 103 crashes the ASA |
|
|
ASA sends invalid interface id to SFR for clientless VPN traffic |
|
|
ASA not rate limiting with DSCP bit set from the Server |
|
|
ASA crashing with thread name: DATAPATH-0-1903. |
|
|
Secondary ASA not sending PIM register message to RP |
|
|
ASA block 1550 depletion |
|
|
IPv6 OSPF routes do not update when a lower metric route is advertised |
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 9.4(4.5)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Caveat ID Number |
Description |
|---|---|
|
Packet captures cause CPU spike on Multi-Core platforms due to spin_lock |
|
|
ASA: ifSpeed/ifHighSpeed not populated by SNMP for port-channel |
|
|
ASA block new conns with "logging permit-hostdown" & TCP syslog is down |
|
|
ASA traceback on standby when SNMP polling |
|
|
ASA: Auth failures for SNMPv3 polling after unit rejoins cluster |
|
|
Cisco ASA Software IPsec Denial of Service Vulnerability |
|
|
ASA traceback on standby when SNMP polling |
|
|
Stale VPN Context entries cause ASA to stop encrypting traffic |
|
|
Cisco ASA Software IPsec Denial of Service Vulnerability |
|
|
"show resource usage detail counter all 1" causes cpu hog |
|
|
Stale VPN Context entries cause ASA to stop encrypting traffic |
|
|
ASA classifies TCP packets as PAWS failure incorrectly |
|
|
"show resource usage detail counter all 1" causes cpu hog |
|
|
dhcprelay interface doesn't change by changing route |
|
|
ASA classifies TCP packets as PAWS failure incorrectly |
|
|
ASA traceback in Thread name DATAPATH when handling multicast packet |
|
|
dhcprelay interface doesn't change by changing route |
|
|
ASA - TO the box traffic break due to int. missing in asp table routing |
|
|
ASA traceback in Thread name DATAPATH when handling multicast packet |
|
|
ASA Traceback on 9.1.5.19 |
|
|
ASA - TO the box traffic break due to int. missing in asp table routing |
|
|
CWS redirection on ASA may corrupt sequence numbers with https traffic |
|
|
ASA Traceback on 9.1.5.19 |
|
|
AVT : Missing HTTP Strict-Transport-Security Header in ASA 9.5.2 |
|
|
CWS redirection on ASA may corrupt sequence numbers with https traffic |
|
|
An assertion was seen on the stby ASA after config sync |
|
|
AVT : Missing HTTP Strict-Transport-Security Header in ASA 9.5.2 |
|
|
Traceback in Unicorn Proxy Thread, in http_header_by_name |
|
|
An assertion was seen on the stby ASA after config sync |
|
|
ASA: Protocol and Status showing UP without connecting the interface |
|
|
Traceback in Unicorn Proxy Thread, in http_header_by_name |
|
|
After some time flash operations fail and configuration can not be saved |
|
|
ASA: Protocol and Status showing UP without connecting the interface |
|
|
Smart Tunnel starts and Java closes without any message |
|
|
After some time flash operations fail and configuration can not be saved |
|
|
ASA memory leak related to Botnet |
|
|
Smart Tunnel starts and Java closes without any message |
|
|
ASA Traceback Assert in Thread Name: ssh_init with component ssh |
|
|
ASA memory leak related to Botnet |
|
|
ASA reloads with traceback in thread name DATAPATH or CP Processing |
|
|
ASA Traceback Assert in Thread Name: ssh_init with component ssh |
|
|
Traceback in Thread: IPsec message handler |
|
|
ASA reloads with traceback in thread name DATAPATH or CP Processing |
|
|
Re-adding context creates context without configs on some slaves |
|
|
Traceback in Thread: IPsec message handler |
|
|
HA: Number of interfaces mismatch after SFR module reload on both units |
|
|
Re-adding context creates context without configs on some slaves |
|
|
Add support for IPv6 assigned address field in Radius Accounting packet |
|
|
HA: Number of interfaces mismatch after SFR module reload on both units |
|
|
ASA generates unexpected syslog messages with mcast routing disabled |
|
|
Add support for IPv6 assigned address field in Radius Accounting packet |
|
|
Cisco ASA ACL ICMP Echo Request Code Filtering Vulnerability |
|
|
ASA generates unexpected syslog messages with mcast routing disabled |
|
|
Traceback: assertion "0" failed: file "ctm_daemon.c" |
|
|
Cisco ASA ACL ICMP Echo Request Code Filtering Vulnerability |
|
|
L2TP over IPSec can not be connected after disconnection from client. |
|
|
Traceback: assertion "0" failed: file "ctm_daemon.c" |
|
|
http config missing in multicontext after reload of stdby 916.9 or later |
|
|
L2TP over IPSec can not be connected after disconnection from client. |
|
|
Number of routes in the active and standby units are not same |
|
|
http config missing in multicontext after reload of stdby 916.9 or later |
|
|
ASA corrupts data in TLS-Proxy with TLS version 1.2 |
|
|
Number of routes in the active and standby units are not same |
|
|
Evaluation of pix-asa for OpenSSL March 2016 |
|
|
ASA corrupts data in TLS-Proxy with TLS version 1.2 |
|
|
Unicorn Proxy Thread causing CP contention |
|
|
Evaluation of pix-asa for OpenSSL March 2016 |
|
|
Unable to configure a user for ssh public auth only (tied w/ CSCuw90580) |
|
|
Unicorn Proxy Thread causing CP contention |
|
|
ASA 9.1(6) traceback processing outbound DTLS Packet |
|
|
Unable to configure a user for ssh public auth only (tied w/ CSCuw90580) |
|
|
SIP call transfer fail due to differences b/w fixing CallId and Refer-To |
|
|
ASA 9.1(6) traceback processing outbound DTLS Packet |
|
|
ASA AnyConnect IKEv2 scripts help customisations not served after reload |
|
|
SIP call transfer fail due to differences b/w fixing CallId and Refer-To |
|
|
ASA - Traceback in CP Processing Thread During Private Key Decryption |
|
|
ASA AnyConnect IKEv2 scripts help customisations not served after reload |
|
|
AnyConnect DTLS on-demand DPDs are not sent intermittently |
|
|
ASA - Traceback in CP Processing Thread During Private Key Decryption |
|
|
AAA: RSA/SDI unable to set new PIN |
|
|
AnyConnect DTLS on-demand DPDs are not sent intermittently |
|
|
ASA should not load-balance same flow traffic over port-channel CCL |
|
|
AAA: RSA/SDI unable to set new PIN |
|
|
Slow ASA OSPF interface transition from DOWN to WAITING after failover |
|
|
ASA should not load-balance same flow traffic over port-channel CCL |
|
|
ASA 9.4.1.5 - Incorrect memory usage reported in 'show mem det' |
|
|
Slow ASA OSPF interface transition from DOWN to WAITING after failover |
|
|
ASA 9.1.6.4 traceback with Thread Name: telnet/ci |
|
|
ASA 9.4.1.5 - Incorrect memory usage reported in 'show mem det' |
|
|
IPSec rekey collision handling failure cases IKE tunnel drop |
|
|
ASA 9.1.6.4 traceback with Thread Name: telnet/ci |
|
|
Memory leak in 112 byte bin when packet hits PBR and WCCP rules |
|
|
IPSec rekey collision handling failure cases IKE tunnel drop |
|
|
Active and Standby ASA use same MAC addr with only active MAC configured |
|
|
Memory leak in 112 byte bin when packet hits PBR and WCCP rules |
|
|
Incorrect msg shown when configuring MAC addr same as already configured |
|
|
Active and Standby ASA use same MAC addr with only active MAC configured |
|
|
WebVPN: Webpage not fully rewritten when ASA has the same FQDN as srv |
|
|
Incorrect msg shown when configuring MAC addr same as already configured |
|
|
ASA traceback in SSH thread |
|
|
WebVPN: Webpage not fully rewritten when ASA has the same FQDN as srv |
|
|
ASA does not respond to NS in Active/Active HA |
|
|
ASA traceback in SSH thread |
|
|
ASA does not respond to NS in Active/Active HA |
|
|
infinite loop in JS rewriter state machine when return followed by var |
|
|
infinite loop in JS rewriter state machine when return followed by var |
|
|
Cisco ASA Software Internet Key Exchange Version 1 XAUTH Denial of Service Vulnerability |
|
|
Cisco ASA Software Internet Key Exchange Version 1 XAUTH Denial of Service Vulnerability |
|
|
Kenton 9.5.1'boot system/boot config' commands not retained after reload |
|
|
Kenton 9.5.1'boot system/boot config' commands not retained after reload |
|
|
5585-10 traceback in Thread Name: idfw_proc |
|
|
5585-10 traceback in Thread Name: idfw_proc |
|
|
Incorrect modification of NAT divert table. |
|
|
Incorrect modification of NAT divert table. |
|
|
9.6.2 EST - assertion "0" failed: file "snp_vxlan.c" |
|
|
9.6.2 EST - assertion "0" failed: file "snp_vxlan.c" |
|
|
ASA traceback in threadname ssh |
|
|
ASA traceback in threadname ssh |
|
|
BTF is not blocking blacklisted domain with more than 2 labels in it |
|
|
BTF is not blocking blacklisted domain with more than 2 labels in it |
|
|
Context config may get rejected if all the units in Cluster reloaded |
|
|
Context config may get rejected if all the units in Cluster reloaded |
|
|
Network command disappears from BGP after reload with name |
|
|
Network command disappears from BGP after reload with name |
|
|
Traceback in IKEv2 Daemon with 20+ second CPU hog. |
|
|
Traceback in IKEv2 Daemon with 20+ second CPU hog. |
|
|
Drop down menu doesn't work on Simfosia web page |
|
|
Drop down menu doesn't work on Simfosia web page |
|
|
Traceback on editing a network object on exceeding the max snmp hosts |
|
|
Traceback on editing a network object on exceeding the max snmp hosts |
|
|
ASA Tback when large ACL applied to interface with object-group-search |
|
|
ASA Tback when large ACL applied to interface with object-group-search |
|
|
ASA: Page Fault traceback in DATAPATH on standby ASA after booting up |
|
|
ASA: Page Fault traceback in DATAPATH on standby ASA after booting up |
|
|
ASA capture type isakmp saving malformed ISAKMP packets |
|
|
ASA capture type isakmp saving malformed ISAKMP packets |
|
|
WebVPN rewrite fails for MSCA Cert enrollment page / VBScript |
|
|
WebVPN rewrite fails for MSCA Cert enrollment page / VBScript |
|
|
ASA memory leak due to vpnfo |
|
|
ASA memory leak due to vpnfo |
|
|
Interfaces get deleted on SFR during HA configuration sync |
|
|
Interfaces get deleted on SFR during HA configuration sync |
|
|
dynamic crypto map fails if named the same as static crypto map |
|
|
dynamic crypto map fails if named the same as static crypto map |
|
|
ASA Stateful failover for DRP works intermittently |
|
|
ASA Stateful failover for DRP works intermittently |
|
|
Commands not installed on Standby due to parser switch |
|
|
Commands not installed on Standby due to parser switch |
|
|
Evaluation of pix-asa for OpenSSL May 2016 |
|
|
Evaluation of pix-asa for OpenSSL May 2016 |
|
|
ASA: Traceback on ASA in Datapath as we enable SFR traffic redirection |
|
|
ASA: Traceback on ASA in Datapath as we enable SFR traffic redirection |
|
|
ASA Address not mapped traceback - configuring snmp-server host |
|
|
ASA Address not mapped traceback - configuring snmp-server host |
|
|
ASA Access-list missing and losing elements Warning Message enhancement |
|
|
ASA Access-list missing and losing elements Warning Message enhancement |
|
|
ASA-2-321006 May be received invalidly when memory is not high |
|
|
ASA-2-321006 May be received invalidly when memory is not high |
|
|
Interface health-check failover causes OSPF not to advertise ASA as ABR |
|
|
Interface health-check failover causes OSPF not to advertise ASA as ABR |
|
|
Observing Memory corruption, assert for debug ospf |
|
|
Observing Memory corruption, assert for debug ospf |
|
|
SCP Client not allow to enter password with "no ssh stricthostkeycheck" |
|
|
SCP Client not allow to enter password with "no ssh stricthostkeycheck" |
|
|
ASA Cut-through Proxy inactivity timeout not working |
|
|
ASA Cut-through Proxy inactivity timeout not working |
|
|
ASA Cluster fragments reassembled before transmission with no inspection |
|
|
ASA Cluster fragments reassembled before transmission with no inspection |
|
|
ASA may Traceback with Thread Name: cluster rx thread |
|
|
ASA may Traceback with Thread Name: cluster rx thread |
|
|
ASA may Traceback with Thread Name: Unicorn Admin Handler |
|
|
ASA may Traceback with Thread Name: Unicorn Admin Handler |
|
|
ASA crashed due to Election severe problem no master is promoted |
|
|
ASA crashed due to Election severe problem no master is promoted |
|
|
ASA: SSH being denied on the ASA device as the maximum limit is reached |
|
|
ASA: SSH being denied on the ASA device as the maximum limit is reached |
|
|
traceback during tls-proxy handshake |
|
|
traceback during tls-proxy handshake |
|
|
OSPF multicast filter rules missing in cluster slave |
|
|
OSPF multicast filter rules missing in cluster slave |
|
|
PIM BiDir DF Elections stuck in "offer" state on some interfaces |
|
|
PIM BiDir DF Elections stuck in "offer" state on some interfaces |
|
|
ASA cant delete ACL lines and remarks - Specified remark does not exist |
|
|
ASA cant delete ACL lines and remarks - Specified remark does not exist |
|
|
IPv6 neighbor discovery packet processing behavior |
|
|
IPv6 neighbor discovery packet processing behavior |
|
|
nat-t-disable feature is not working for ikev2 |
|
|
nat-t-disable feature is not working for ikev2 |
|
|
Ikev1 tunnel drops with reason " Peer Address Changed" |
|
|
Ikev1 tunnel drops with reason " Peer Address Changed" |
|
|
2048/1550/9344 Byte block leak cause traffic disruption & module failure |
|
|
2048/1550/9344 Byte block leak cause traffic disruption & module failure |
|
|
ASA with PAT fails to untranslate SIP Via field that doesnt contain port |
|
|
ASA with PAT fails to untranslate SIP Via field that doesnt contain port |
|
|
ASA crashes while clearing global access-list |
|
|
ASA crashes while clearing global access-list |
|
|
Inspect-mmp configuration is missing in latest branches. |
|
|
Inspect-mmp configuration is missing in latest branches. |
|
|
Hash miscalculation for "Any" address on inside |
|
|
Hash miscalculation for "Any" address on inside |
|
|
IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck |
|
|
IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck |
|
|
DNS Doctoring DNS64 is not working |
|
|
DNS Doctoring DNS64 is not working |
|
|
ASA traceback with Thread Name: Dispatch Unit |
|
|
ASA traceback with Thread Name: Dispatch Unit |
|
|
Traceback in CP Processing thread after upgrade |
|
|
Traceback in CP Processing thread after upgrade |
|
|
ASA 9.4.2.6 High CPU due to CTM message handler due to chip resets |
|
|
ASA 9.4.2.6 High CPU due to CTM message handler due to chip resets |
|
|
Remove ACL warning messages in show access-list when FQDN is resolved |
|
|
Remove ACL warning messages in show access-list when FQDN is resolved |
|
|
Unexpected end of file logon.html in WebVPN |
|
|
Unexpected end of file logon.html in WebVPN |
|
|
ASA sends invalid interface id to SFR for clientless VPN traffic |
|
|
ASA sends invalid interface id to SFR for clientless VPN traffic |
|
|
ASA not rate limiting with DSCP bit set from the Server |
|
|
ASA not rate limiting with DSCP bit set from the Server |
|
|
show service-policy output reporting incorrect values |
|
|
show service-policy output reporting incorrect values |
|
|
ASA: SLA Monitor not working with floating timeout configured to nonzero |
|
|
ASA: SLA Monitor not working with floating timeout configured to nonzero |
|
|
Unable to auth a 2nd time via clientless after ASA upgrade |
|
|
Unable to auth a 2nd time via clientless after ASA upgrade |
|
|
snmpwalk not working for some NAT OIDs |
|
|
snmpwalk not working for some NAT OIDs |
|
|
On reloading the ASA, ASA mounts SSD as disk 0, instead of the flash. |
|
|
On reloading the ASA, ASA mounts SSD as disk 0, instead of the flash. |
|
|
IPv6 OSPF routes do not update when a lower metric route is advertised |
|
|
IPv6 OSPF routes do not update when a lower metric route is advertised |
|
|
ASA: SIP Call Drops with PAT when same media port used in multiple calls |
|
|
ASA: SIP Call Drops with PAT when same media port used in multiple calls |
|
|
TLS Proxy feature missing client trust-point command |
|
|
TLS Proxy feature missing client trust-point command |
|
|
ASA treaceback at Thread Name: rtcli async executor process |
|
|
ASA treaceback at Thread Name: rtcli async executor process |
|
|
ASA DATAPATH traceback (Cluster) |
|
|
ASA DATAPATH traceback (Cluster) |
|
|
Traceback on CP Process with H323 inspection, rip h323_service_early_msg |
|
|
Traceback on CP Process with H323 inspection, rip h323_service_early_msg |
|
|
BGP Socket not open in ASA after reload |
|
|
BGP Socket not open in ASA after reload |
|
|
Cisco ASA Cross Site Scripting SSLVPN Vulnerability |
|
|
Cisco ASA Cross Site Scripting SSLVPN Vulnerability |
|
|
Cisco ASA Input Validation File Injection Vulnerability |
|
|
Cisco ASA Input Validation File Injection Vulnerability |
|
|
ASA traceback in CLI thread while making MPF changes |
|
|
ASA traceback in CLI thread while making MPF changes |
|
|
Interfaces get deleted on SFR during cluster rejoining |
|
|
Interfaces get deleted on SFR during cluster rejoining |
|
|
Crypto accelerator ring timeout causes packet drops |
|
|
Crypto accelerator ring timeout causes packet drops |
|
|
ASA 'show inventory' shows 'Driver Error, invalid query ready' |
|
|
ASA 'show inventory' shows 'Driver Error, invalid query ready' |
|
|
ASA OSPFv3 interface ID changes upon disabling/enabling failover |
|
|
ASA OSPFv3 interface ID changes upon disabling/enabling failover |
|
|
Traceback in Thread Name: ssh when issuing show tls-proxy session detail |
|
|
Traceback in Thread Name: ssh when issuing show tls-proxy session detail |
|
|
SCTP MH:pin hole removed and added freq on standby with dual nat |
|
|
SCTP MH:pin hole removed and added freq on standby with dual nat |
|
|
memory leak in ssh |
|
|
memory leak in ssh |
|
|
ASA uses "::" for host IP addresses if booted with an improper config |
|
|
ASA uses "::" for host IP addresses if booted with an improper config |
|
|
Increasing the global ARP request pool |
|
|
Increasing the global ARP request pool |
|
|
Clustering: TFW asynchronous flow packet drop due to L2 entry timeout |
|
|
Clustering: TFW asynchronous flow packet drop due to L2 entry timeout |
|
|
Shut down interfaces shows up in ASP routing table |
|
|
Shut down interfaces shows up in ASP routing table |
|
|
SNMPv3 active engineID is not reset when ASA is replaced |
|
|
SNMPv3 active engineID is not reset when ASA is replaced |
|
|
ASA drops ICMP request packets when ICMP inspection is disabled |
|
|
ASA drops ICMP request packets when ICMP inspection is disabled |
|
|
Unable to relay DHCP discover packet from ASA when NAT is matched |
|
|
Unable to relay DHCP discover packet from ASA when NAT is matched |
|
|
OSPF generates Type-5 LSA with incorrect mask, which gets stuck in LSDB |
|
|
OSPF generates Type-5 LSA with incorrect mask, which gets stuck in LSDB |
|
|
ASA stuck in boot loop due to FIPS Self-Test failure |
|
|
ASA stuck in boot loop due to FIPS Self-Test failure |
|
|
ASA negotiates TLS1.2 when server in tls-proxy |
|
|
ASA negotiates TLS1.2 when server in tls-proxy |
|
|
ICMP error packets in response to reply packets are dropped |
|
|
ICMP error packets in response to reply packets are dropped |
|
|
ASA : Enabling IKEv1/IKEv2 opens RADIUS ports |
|
|
ASA : Enabling IKEv1/IKEv2 opens RADIUS ports |
|
|
ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon |
|
|
ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon |
|
|
ASR9000 BGP Graceful Restart doesnt work as expected |
|
|
ASR9000 BGP Graceful Restart doesnt work as expected |
|
|
IPV6 address not assigned when connecting via IPSEC protocol |
|
|
IPV6 address not assigned when connecting via IPSEC protocol |
|
|
ASA: CHILD_SA collision brings down IKEv2 SA |
|
|
ASA: CHILD_SA collision brings down IKEv2 SA |
|
|
ASA memory leak for CTS SGT mappings |
|
|
ASA memory leak for CTS SGT mappings |
|
|
HTML5: Guacamole server requires page refresh |
|
|
HTML5: Guacamole server requires page refresh |
|
|
OTP authentication is not working for clientless ssl vpn |
|
|
OTP authentication is not working for clientless ssl vpn |
|
|
AnyConnect Sessions Cannot Connect Due to Stuck L2TP Uauth Sessions |
|
|
AnyConnect Sessions Cannot Connect Due to Stuck L2TP Uauth Sessions |
|
|
issuer-name falsely detecting duplicates in certificate map using attr |
|
|
issuer-name falsely detecting duplicates in certificate map using attr |
|
|
ASA Traceback when issue 'show asp table classify domain permit' |
|
|
ASA Traceback when issue 'show asp table classify domain permit' |
|
|
ASA Traceback in CTM Message Handler |
|
|
ASA Traceback in CTM Message Handler |
|
|
Cisco ASA SNMP Remote Code Execution Vulnerability |
|
|
Cisco ASA SNMP Remote Code Execution Vulnerability |
|
|
ASA Cluster DHCP Relay doesn't forward the server replies to the client |
|
|
ASA Cluster DHCP Relay doesn't forward the server replies to the client |
|
|
ASA 5585-60 dropping out of cluster with traceback |
|
|
ASA 5585-60 dropping out of cluster with traceback |
|
|
Enqueue failures on DP-CP queue may stall inspected TCP connection |
|
|
Enqueue failures on DP-CP queue may stall inspected TCP connection |
|
|
971 EST - Console hang on show capture |
|
|
971 EST - Console hang on show capture |
|
|
SIP: Address from Route: header not translated correctly |
|
|
SIP: Address from Route: header not translated correctly |
|
|
Traceback in IKE_DBG |
|
|
Traceback in IKE_DBG |
|
|
Unable to delete the SNMP config |
|
|
Unable to delete the SNMP config |
|
|
H.323 inspection causes Traceback in Thread Name: CP Processing |
|
|
H.323 inspection causes Traceback in Thread Name: CP Processing |
|
|
traceback in network udpmod_get after anyconnect test load application |
|
|
traceback in network udpmod_get after anyconnect test load application |
|
|
wr mem/ wr standby is not syncing configs on standby |
|
|
wr mem/ wr standby is not syncing configs on standby |
|
|
ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer |
|
|
ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer |
|
|
ASA Page fault traceback in Thread Name: DATAPATH |
|
|
ASA Page fault traceback in Thread Name: DATAPATH |
|
|
ASA as DHCP relay drops DHCP 150 Inform message |
|
|
ASA as DHCP relay drops DHCP 150 Inform message |
|
|
Buffer Overflow in ASA Leads to Remote Code Execution |
|
|
Buffer Overflow in ASA Leads to Remote Code Execution |
|
|
Sweet32 Vulnerability in ASA's SSH Implementation |
|
|
Sweet32 Vulnerability in ASA's SSH Implementation |
|
|
Remove ACL warning messages in show access-list when FQDN is unresolved |
|
|
Remove ACL warning messages in show access-list when FQDN is unresolved |
|
|
ASA Traceback in thread name CP Processing due to DCERPC inspection |
|
|
ASA Traceback in thread name CP Processing due to DCERPC inspection |
|
|
ASA 9.1.7-9 crash in Thread Name: NIC status poll |
|
|
ASA 9.1.7-9 crash in Thread Name: NIC status poll |
|
|
Webvpn rewriter failing on matterport.com |
|
|
Webvpn rewriter failing on matterport.com |
|
|
ASA 1550 block depletion with multi-context transparent firewall |
|
|
ASA 1550 block depletion with multi-context transparent firewall |
|
|
Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416 |
|
|
Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416 |
|
|
ASA Multiple Context SNMP PAT Interface Missing |
|
|
ASA Multiple Context SNMP PAT Interface Missing |
|
|
Traceback : ASA with Threadname: DATAPATH-0-1790 |
|
|
Traceback : ASA with Threadname: DATAPATH-0-1790 |
|
|
WebVPN:VNC plugin:Java:Connection reset by peer: socket write error |
|
|
WebVPN:VNC plugin:Java:Connection reset by peer: socket write error |
|
|
Cisco ASA Signature Verification Misleading Digital Signing Text On Boot |
|
|
Cisco ASA Signature Verification Misleading Digital Signing Text On Boot |
|
|
Cisco ASA Remove Mis-leading Secure Boot commands on non-SB hardware |
|
|
Cisco ASA Remove Mis-leading Secure Boot commands on non-SB hardware |
|
|
Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback |
|
|
Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback |
|
|
Failover after IKE rekey fails to initiate ph1 rekey on act device |
|
|
Failover after IKE rekey fails to initiate ph1 rekey on act device |
|
|
ASA PKI OCSP failing - CRYPTO_PKI: failed to decode OCSP response data. |
|
|
ASA PKI OCSP failing - CRYPTO_PKI: failed to decode OCSP response data. |
|
|
Lower NFS throughput rate on Cisco ASA platform |
|
|
Lower NFS throughput rate on Cisco ASA platform |
|
|
ASA not sending Authen Session End log if user logs out manually |
|
|
ASA not sending Authen Session End log if user logs out manually |
|
|
Cisco ASA Software DNS Denial of Service Vulnerability |
|
|
Cisco ASA Software DNS Denial of Service Vulnerability |
|
|
ASA Traceback in Checkheaps Thread |
|
|
ASA Traceback in Checkheaps Thread |
|
|
ASA traceback with Thread Name aaa_shim_thread |
|
|
ASA traceback with Thread Name aaa_shim_thread |
|
|
Cisco ASA Software and Cisco FTD Software TCP Normalizer Denial of Service Vulnerability |
|
|
Cisco ASA Software and Cisco FTD Software TCP Normalizer Denial of Service Vulnerability |
|
|
ASA traceback observed on auto-update thread. |
|
|
ASA traceback observed on auto-update thread. |
|
|
Evaluation of pix-asa for Openssl September 2016 |
|
|
Evaluation of pix-asa for Openssl September 2016 |
|
|
Traceback triggered by CoA on ASA when sending/receiving to/from ISE |
|
|
Traceback triggered by CoA on ASA when sending/receiving to/from ISE |
|
|
IKEv2: It is NOT cleaning the sessions after disconnected from the client. |
|
|
IKEv2: It is NOT cleaning the sessions after disconnected from the client. |
|
|
ASA traceback at Thread Name: rtcli |
|
|
ASA traceback at Thread Name: rtcli |
|
|
RADIUS authorization request does not send Called-Station-ID attribute |
|
|
RADIUS authorization request does not send Called-Station-ID attribute |
|
|
viewer_dart.js file not loading correctly |
|
|
viewer_dart.js file not loading correctly |
|
|
ASA Traceback Thread Name: emweb/https |
|
|
ASA Traceback Thread Name: emweb/https |
|
|
EIGRP: Need to add large number error handling when getting scaled bandwidth |
|
|
EIGRP: Need to add large number error handling when getting scaled bandwidth |
|
|
Object-group-search redundant service group objects are incorrectly removed |
|
|
Object-group-search redundant service group objects are incorrectly removed |
|
|
AAA session handle leak with IKEv2 when denied due to time range |
|
|
AAA session handle leak with IKEv2 when denied due to time range |
|
|
ASA-SM traceback with Thread : fover_parse during upgrade OS 9.1.6 to 9.4.3 |
|
|
ASA-SM traceback with Thread : fover_parse during upgrade OS 9.1.6 to 9.4.3 |
|
|
ASA fairly infrequently rewrites the dest MAC address of multicast packet for client |
|
|
ASA fairly infrequently rewrites the dest MAC address of multicast packet for client |
|
|
webvpn_state cookie information disclosure in url |
|
|
webvpn_state cookie information disclosure in url |
|
|
ASA traceback at Thread Name: IKE Daemon. |
|
|
ASA traceback at Thread Name: IKE Daemon. |
|
|
ASA dropping traffic with TCP syslog configured in multicontext mode |
|
|
ASA dropping traffic with TCP syslog configured in multicontext mode |
|
|
4GE-SSM RJ45 interface may drop traffic due to interface "rate limit drops" |
|
|
4GE-SSM RJ45 interface may drop traffic due to interface "rate limit drops" |
|
|
Evaluation of pix-asa for CVE-2016-5195 (DIRTY CoW) |
|
|
Evaluation of pix-asa for CVE-2016-5195 (DIRTY CoW) |
|
|
Failed to ssh management interface after failover and plug-in/out |
|
|
Failed to ssh management interface after failover and plug-in/out |
|
|
WebVPN: Internal page login button not working through rewriter |
|
|
WebVPN: Internal page login button not working through rewriter |
|
|
ASA drops DNS PTR Reply with reason Label length exceeded during rewrite |
|
|
ASA drops DNS PTR Reply with reason Label length exceeded during rewrite |
|
|
ASA matches incorrect ACL with object-group-search enabled |
|
|
ASA matches incorrect ACL with object-group-search enabled |
|
|
ASA SIP inspection may delay transmission of 200 OK when embedded with NOTIFY |
|
|
ASA SIP inspection may delay transmission of 200 OK when embedded with NOTIFY |
|
|
ASA : memory leak due to ikev2 |
|
|
ASA : memory leak due to ikev2 |
|
|
ASA DHCP relay is incompatible with intercept-dhcp feature |
|
|
ASA DHCP relay is incompatible with intercept-dhcp feature |
|
|
ASA cluster TCP/SSL ports are not displayed on LISTEN state |
|
|
ASA cluster TCP/SSL ports are not displayed on LISTEN state |
|
|
ASA unable to add multiple attribute entries in a certificate map |
|
|
ASA unable to add multiple attribute entries in a certificate map |
|
|
ASAv may crash when running webvpn |
|
|
ASAv may crash when running webvpn |
|
|
ASA fails SSL VPN session establishment with EC under load |
|
|
ASA fails SSL VPN session establishment with EC under load |
|
|
9.6.2 - Traceback during AnyConnect IKEv2 Performance Test |
|
|
9.6.2 - Traceback during AnyConnect IKEv2 Performance Test |
|
|
ASA multicontext disallowing new conns with TCP syslog unreachable and logging permit-hostdown set |
|
|
ASA multicontext disallowing new conns with TCP syslog unreachable and logging permit-hostdown set |
|
|
ASA traceback at Thread Name: sch_syslog |
|
|
ASA traceback at Thread Name: sch_syslog |
|
|
DSCP Markings Not Copied to Outer IP Header With IPsec Encapsulation |
|
|
DSCP Markings Not Copied to Outer IP Header With IPsec Encapsulation |
|
|
Cisco ASA Heap Overflow in Webvpn CIFS |
|
|
Cisco ASA Heap Overflow in Webvpn CIFS |
|
|
Traceback on thread name IKE Daemon at mqc_enable_qos_for_tunnel |
|
|
Traceback on thread name IKE Daemon at mqc_enable_qos_for_tunnel |
|
|
MIB object cempMemPoolHCUsed disappeared |
|
|
MIB object cempMemPoolHCUsed disappeared |
|
|
ASA: OspfV3 routes are not getting installed |
|
|
ASA: OspfV3 routes are not getting installed |
|
|
Error synchronizing the SNMPv3 user after rebooting a cluster unit |
|
|
Error synchronizing the SNMPv3 user after rebooting a cluster unit |
|
|
ASA memory leak in CloneOctetString when using SNMP polling |
|
|
ASA memory leak in CloneOctetString when using SNMP polling |
|
|
Implement speed improvements for ACL and NAT table compilation |
|
|
Implement speed improvements for ACL and NAT table compilation |
|
|
ASA traceback in Thread Name: ssh, rip igb_disable_rx_queues after no shutdown of interface |
|
|
ASA traceback in Thread Name: ssh, rip igb_disable_rx_queues after no shutdown of interface |
|
|
SSL connection hangs between ASA and backend server in clientless WebVPN |
|
|
SSL connection hangs between ASA and backend server in clientless WebVPN |
|
|
ASA with FirePOWER module generates traceback and reloads or causes process not running |
|
|
ASA with FirePOWER module generates traceback and reloads or causes process not running |
|
|
ASA clustering: mac-address cmd is ignored on spanned port-channel interface in 9.6.2 |
|
|
ASA clustering: mac-address cmd is ignored on spanned port-channel interface in 9.6.2 |
|
|
ASA not update access-list dynamically when forward-reference enable is configured |
|
|
ASA not update access-list dynamically when forward-reference enable is configured |
|
|
Webvpn portal not displayed corrrectly for connections landing on default webvpn group. |
|
|
Webvpn portal not displayed corrrectly for connections landing on default webvpn group. |
|
|
ASA inspection-MPF ACL changes are not getting ordered correctly in the ASP Table |
|
|
ASA inspection-MPF ACL changes are not getting ordered correctly in the ASP Table |
|
|
ASA may traceback with Thread Name: Unicorn Admin Handler |
|
|
ASA may traceback with Thread Name: Unicorn Admin Handler |
|
|
Reloading Active unit in Active/Standby ASA failover pair is not triggering a failover. |
|
|
Reloading Active unit in Active/Standby ASA failover pair is not triggering a failover. |
|
|
ASA: IPSec SA failed to come up |
|
|
ASA: IPSec SA failed to come up |
|
|
ikev2 handles get leaked in a L2L setup |
|
|
ikev2 handles get leaked in a L2L setup |
|
|
CEP records edit page take minutes to load |
|
|
CEP records edit page take minutes to load |
|
|
ASA incorrectly processing negative numbers in wrappers, resulting in graphical webvpn issue |
|
|
ASA incorrectly processing negative numbers in wrappers, resulting in graphical webvpn issue |
|
|
SIP: 200 OK messages with multiple seqments not reassembled correctly |
|
|
SIP: 200 OK messages with multiple seqments not reassembled correctly |
|
|
ASA L3 Cluster: DHCP relay drops DHCPOFFER in case of asymmetric routing |
|
|
ASA L3 Cluster: DHCP relay drops DHCPOFFER in case of asymmetric routing |
|
|
CTP after failed attempt sends the domain along with the username |
|
|
CTP after failed attempt sends the domain along with the username |
|
|
Tracking route is up while the reachability is down |
|
|
Tracking route is up while the reachability is down |
|
|
Traceback in ASA Cluster Thread Name: qos_metric_daemon |
|
|
Traceback in ASA Cluster Thread Name: qos_metric_daemon |
|
|
ASA nat pool not getting updated correctly. |
|
|
ASA nat pool not getting updated correctly. |
|
|
Unable to configure ssh public auth for script users |
|
|
Unable to configure ssh public auth for script users |
|
|
ASA traceback in threadname Datapath |
|
|
ASA traceback in threadname Datapath |
|
|
ASA does not respond to IPv6 MLD Query. |
|
|
ASA does not respond to IPv6 MLD Query. |
|
|
ASA traceback and Reload on Config Sync Failure |
|
|
ASA traceback and Reload on Config Sync Failure |
|
|
1550-byte block depletion seen due to Radius Accounting packets |
|
|
1550-byte block depletion seen due to Radius Accounting packets |
|
|
ASA(9.1.7.12):Connection entries created for multicast streams through standby ASA. |
|
|
ASA(9.1.7.12):Connection entries created for multicast streams through standby ASA. |
|
|
L2TP connects only sometimes when DHCP used |
|
|
L2TP connects only sometimes when DHCP used |
|
|
Unable to configure SSH public key auth for non-system contexts |
|
|
Unable to configure SSH public key auth for non-system contexts |
|
|
ASA-FP9300 Crashed in thread name IPSEC MESSAGE HANDLER after upgrade |
|
|
ASA-FP9300 Crashed in thread name IPSEC MESSAGE HANDLER after upgrade |
|
|
Slow Memory leak in ASA |
|
|
Slow Memory leak in ASA |
|
|
Port Forwarding Session times out due to "vpn-idle-timeout" in group-policy while passing data |
|
|
Port Forwarding Session times out due to "vpn-idle-timeout" in group-policy while passing data |
|
|
5585 does not unbundle its data intfs for 30 seconds after leaving cluste |
|
|
5585 does not unbundle its data intfs for 30 seconds after leaving cluste |
|
|
Cannot delete port-object once created under the Service object group in ASA 944 |
|
|
Cannot delete port-object once created under the Service object group in ASA 944 |
|
|
ASA may traceback when copying capture out using tftp |
|
|
ASA may traceback when copying capture out using tftp |
|
|
ASA may traceback while loading a large context config during bootup |
|
|
ASA may traceback while loading a large context config during bootup |
|
|
ASA drops web traffic when IM inspection is enabled. |
|
|
ASA drops web traffic when IM inspection is enabled. |
|
|
ASA: PBR Memory leak for ICMP traffic |
|
|
ASA: PBR Memory leak for ICMP traffic |
|
|
Cluster C-Hash table is updated with one more unit despite the new unit didn't join the setup |
|
|
Cluster C-Hash table is updated with one more unit despite the new unit didn't join the setup |
|
|
Access-lists not being matched for a newly created object-group |
|
|
Access-lists not being matched for a newly created object-group |
|
|
Traceback when trying to save/view access-list with giant object groups (display_hole_og) |
|
|
Traceback when trying to save/view access-list with giant object groups (display_hole_og) |
|
|
RT#687120: Bookmark Issue with clientless VPN - SAML |
|
|
RT#687120: Bookmark Issue with clientless VPN - SAML |
|
|
ASA FirePOWER module data plane down after reload of module |
|
|
ASA FirePOWER module data plane down after reload of module |
|
|
ASA: TLS-proxy - Traceback with thread name - Dispatch Unit |
|
|
ASA: TLS-proxy - Traceback with thread name - Dispatch Unit |
|
|
ASA in cluster results in incorrect user group mappings between the Master and Slave |
|
|
ASA in cluster results in incorrect user group mappings between the Master and Slave |
|
|
Traceback in Thread Name: dhcp_daemon |
|
|
Traceback in Thread Name: dhcp_daemon |
|
|
%ASA-3-216001: internal error in ci_cons_shell: thread data misuse |
|
|
%ASA-3-216001: internal error in ci_cons_shell: thread data misuse |
|
|
DCERPC inspection drops packets and breaks communication |
|
|
DCERPC inspection drops packets and breaks communication |
|
|
ASA traceback in Thread Name: accept/http when ASDM is displaying "Access Rules" |
|
|
ASA traceback in Thread Name: accept/http when ASDM is displaying "Access Rules" |
|
|
ASA May crash when changing a NAT related object to fqdn |
|
|
ASA May crash when changing a NAT related object to fqdn |
|
|
Error deploying ASAv on ESXi vCenter 6.5 |
|
|
Error deploying ASAv on ESXi vCenter 6.5 |
|
|
ASA policy-map configuration is not replicated to cluster slave |
|
|
ASA policy-map configuration is not replicated to cluster slave |
|
|
ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded' |
|
|
ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded' |
|
|
The interactive icons on internal bookmark site not showing properly (+CSCO+0undefined) |
|
|
The interactive icons on internal bookmark site not showing properly (+CSCO+0undefined) |
|
|
ASA may drop DNS reply containing only additional RR of type TXT |
|
|
ASA may drop DNS reply containing only additional RR of type TXT |
|
|
ASA reloaded while joining cluster and active as slave |
|
|
ASA reloaded while joining cluster and active as slave |
Resolved Bugs in Version 9.4(3)
If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for Version 9.4(3):
The following table lists resolved bugs at the time of this Release Note publication.
|
Identifier |
Description |
|---|---|
|
Increase Content-length counter from 4 to 8 byte size |
|
|
Error messages on console due to QoS configuration |
|
|
Can get around dynamic-filter by using caps in domain name |
|
|
Incorrect ARP MAC Address conversion |
|
|
CPU hog due to snmp polling of ASA memory pool information |
|
|
Observed Traceback in SNMP while querying GET BULK for 'xlate count' |
|
|
Remove Code for Type 0 Routing Headers |
|
|
IPv6 Complete Packet Fragment Reassembly Check Bypass |
|
|
ASA doesn't set ACE inactive when time-range expires |
|
|
ARP: Proxy IP traffic is hijacked. |
|
|
5585 interface counters show 0 for working interfaces and console errors |
|
|
ASA WebVPN: Java Signer Certificate chain is incomplete with >3 CA Certs |
|
|
FIPS self test power on fails - fipsPostDrbgKat |
|
|
ASA traceback when retrieving idfw topn user from slave |
|
|
Traceback in Thread Name: DATAPATH-1-1382 while processing nat-t packet |
|
|
ARP debug messages are printing without new line on standby unit |
|
|
Inspect-DNS: PTR Query failed when DNS-Doctoring enabled |
|
|
WebVPN Citrix client browser couldn't save Java Client as preferred |
|
|
WebVPN client browser doesn't show all content from flash site |
|
|
SXP Version Mismatch Between ASA & N7K with clustering |
|
|
TLSv1.2 Client Cert Auth Connection Establishment Failure |
|
|
ASA Mgmt Session stuck on running "sh block exhaustion snapshot/history" |
|
|
ASA low DMA memory on low end ASA-X -5512/5515 devices |
|
|
ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limit |
|
|
show traffic protocol stats show large counter values-enhanced pkt stats |
|
|
Transactional ACL commit will bypass security policy during compilation |
|
|
seamless upgrade on spyker A floods error messages to both asa units |
|
|
Share licenses are not activated on failover pair after power cycle |
|
|
ASA traffic not sent properly using 'traffic-forward sfr monitor-only' |
|
|
Failover State Link Must Support Directly Connected Redundant Interface |
|
|
ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig |
|
|
ASA 5545x Upgrade to 9.2(2)4 causes Traceback in Thread Name SSL |
|
|
Cisco ASA XML Denial of Service Vulnerability |
|
|
ASA crashes after clear configure all command |
|
|
SVG Parser not mangling xlink:href attribute |
|
|
Interface TLV to SFR is corrupt when frame is longer than 2048 bytes |
|
|
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal |
|
|
Investigate impact of jumbo-frame reservation on low-end ASA platforms |
|
|
ASA WebVPN clientless cookie authentication bypass |
|
|
Standard Based IKEv2: Incorrect command to configure DPD |
|
|
Disable ECDSA SSL Ciphers When Manually Configuring RSA Cert for SSL |
|
|
ASA CX - Data Plane marked as DOWN untill ASA reload. |
|
|
ASA: Stuck uauth entry rejects AnyConnect user connections |
|
|
9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain |
|
|
http servershows as enable in running config while not |
|
|
Auth-prompt configured in one context appears in another context |
|
|
ASA - URL filter - traceback on thread name uauth_urlb clean |
|
|
ikev2 with DH 19 and above fails to pass traffic after phase2 rekey |
|
|
ASAv traceback in DATAPATH when used for WebVPN |
|
|
When > 510 characters entered in CLI, context switches to admin/system |
|
|
Immediate FIN from client after GET breaks scansafe connection |
|
|
ASA built and teardown log messages show "any" information |
|
|
Need to prevent traceback in js_parser_print_rest |
|
|
ASA: CLI commands not showing help(?) options for local authorization |
|
|
ASA: "Auto-Enable" feature not working with SSH configured with PKF |
|
|
TP Auth fails when sub CA using RSA keys is signed by root using ECDSA |
|
|
Traceback in Thread Name: ssh when using capture or continuous ping |
|
|
Cisco ASA tunnel group parameter validation |
|
|
ASA SSLVPN RDP Plugin session freezes under heavy load with activex |
|
|
ASA: LDAP over SSL Authentication failure |
|
|
ASA using IKEv2 rejects more than 10 NAT_DETECTION_SOURCE_IP payloads |
|
|
ASA - slow NFSv3 transfer with sunrpc inspection |
|
|
ASA: Not able to remove ACE with "log default" keyword |
|
|
ASA cluster-Incorrect "current conns" counter in service-policy |
|
|
Egress ACL with ICMP Types Misbehaving. |
|
|
ASA: Watchdog Traceback with Thread Name:- SXP CORE |
|
|
ASA may tracebeck when displaying packet capture with trace option |
|
|
9.5.1 - Crash in bcm_esw_init thread |
|
|
ASA: Unable to ping fover IPv6 address in multiple mode |
|
|
ASA traceback on Standby device during config sync in thread DATAPATH |
|
|
Standby ASA inside IP not reachable after Anyconnect disconnect |
|
|
SSL : Unable to Join nodes in Cluster |
|
|
Cannot change "management-only" for port-channel interfaces on 5500-X |
|
|
ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8) |
|
|
Traceback in Thread Name: DATAPATH on modifying "set connection" in MPF |
|
|
Cisco ASA Unicast Reverse Path Forwarding (uRPF) Bypass Vulnerability |
|
|
Cisco ASA Clientless SSL VPN portal hangs |
|
|
"show ipv6 neighbor" command not available in system space |
|
|
ASA picks incorrect trustpoint to verify OCSP Response |
|
|
HTTP chunked data causing watchdog |
|
|
Cisco ASA VPN Memory Block Exhaustion Vulnerability |
|
|
FO: ASAv traceback while syncing during upgrade from 9.4.1 to 9.5.1 |
|
|
object-group-search access-control enabled, nested object group issue |
|
|
ISA3000 crashed while generating crypto rsa keys |
|
|
Standby traceback during config replication with customization export |
|
|
ASA allows AC session with existing AAA assigned address after failover |
|
|
Group-lock value can be set with space in a tunnel-group name |
|
|
ASA sending incorrect ACL hash for ASDM TopN ACL statistics on a cluster |
|
|
Webvpn: JS parser may crash if the underlying connection is closed |
|
|
ASA traceback in Thread Name: fover_parse (ak47/ramfs) |
|
|
Unicorn proxy thread traceback with RAMFS processing |
|
|
RA validation failed when CA/subCA contains name constraints |
|
|
WEBVPN Rewriter: Stops mangling after hex code of Period on Bookmark URL |
|
|
All Remarks in ACLs are pushed to the end of each ACL after upgrade |
|
|
Request allow packets to pass when snort is down for ASA configurations |
|
|
ASA traceback: SSH Thread: many users logged in and dACLs being modified |
|
|
ASA TCP Normalizer sends PUSH ACK for invalid ACK for half-open CONNS |
|
|
ASA Lina: fix memory leak in debug menu option 20 |
|
|
ASA traceback in Thread Name: CP Crypto Result Processing. |
|
|
ASA User Ident MAC mismatch remove command not applied |
|
|
OSPF over IKEv2 L2L tunnel is broken on ASA with 9.2.1 onwards |
|
|
ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+) |
|
|
ASA - SSH sessions stuck in CLOSE_WAIT causing ASA to send RST |
|
|
ASA not installing external LSA with recursive forwarding address |
|
|
DHCPD Search domain shorter than 10 characters is corrupted |
|
|
ASA: Traceback in Thread Name Checkheaps due to webvpn |
|
|
ipAdEntNetMask is not gettable using snmpget with failover IP address |
|
|
ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test |
|
|
Trace back with Thread Name: IP Address Assign |
|
|
Fix broken gcov build in dublin/main |
|
|
Backup unknown with dynamic pat pool |
|
|
ASA EIGRP does not send poison reverse for neighbors to remove route |
|
|
Improper S2S IPSec Datapath Selection for Remote Overlapping Networks |
|
|
ASA traceback while restoring backup configuration from ASDM |
|
|
ASA traceback when removing dynamic PAT statement from cluster |
|
|
ASA:Traceback in Thread Name:- netfs_thread_init |
|
|
ASA: Traceback in Thread Unicorn Admin Handler due to Threat Detection |
|
|
Cisco ASA Software Version Information Disclosure Vulnerability |
|
|
traffic-forward interface command is not working on 5585 |
|
|
ASA5508 5516 Unable to communicate with 100/full configured after reboot. |
|
|
ASA stacktrace in vpn client disconnect that had dACL applied |
|
|
ASA BGP peering flaps with password and ikev2 tunnel. |
|
|
IKEv2: crypto iskamp identity auto doesn't work - DN not IKE ID but IP. |
|
|
RA-VPN transactions are shown as 0 in PRSM Dashboard |
|
|
ASA: ICMP error loop on cluster CCL with Interface PAT |
|
|
filter sfr traffic may cause memory corruption |
|
|
DHCP proxy overrites chosen DHCP server in multiple DHCP server scenario |
|
|
DNS Traceback in channel_put() |
|
|
Watchdog traceback in ldap_client_thread with large number of ldap grps |
|
|
Traceback in WebVPN rewriter |
|
|
QEMU coredump: qemu_thread_create: Resource temporarily unavailable |
|
|
ASA 9.4 - missing server authenticate-client command for tls proxy |
|
|
SSH connections are not timed out on ASA (stuck in rtcli) |
|
|
Standby ASA traceback in Thread Name: EIGRP-IPv4 |
|
|
Rewriter errors when access IEEE website search feature through portal |
|
|
ASA DNS doctoring not working with "any" keyword |
|
|
PBR set ip next-hop lost on boot if name configured for IP argument |
|
|
DHCP Server Process stuck if dhcpd auto_config already enabled from CLI |
|
|
ASA 9.4 - The source of CoA packet does not match tunnel-group config |
|
|
ASA packet-tracer and trace capture incorrect result in case of ECMP |
|
|
Default inspection engines enabled on Standby but not on Active ASA |
|
|
SAML won't be able select Oracle OAM tunnel group |
|
|
ASA: Traceback in Thread name DATAPATH-7-1918 |
|
|
PCP 10.6 Clientless VPN Access is Denied when accessing Pages |
|
|
BGP not working when admin context is in transparent mode |
|
|
ASA 9.4.1 traceback upon clearing and reconfiguring ACL |
|
|
Thread Name: DATAPATH-17-3095: ASA in Cluster Reloads Unexpectedly |
|
|
clustering nat : Observing crash on blade after disabling cluster on uut |
|
|
Evaluate CVE-2015-6360 for libsrtp Denial of Service (DoS) |
|
|
Traceback in thread name: Unicorn Proxy Thread |
|
|
RSA 4096 key generation causes failover |
|
|
ASA: assertion "pp->pd == pd" failed: file "main.c", line 192 |
|
|
Session Manager debugs missing identifiers and logoff oldest wrap issue |
|
|
CWS: ASA does not append XSS headers |
|
|
ASA: Traceback in Checkheaps |
|
|
ASA not denying initial SYN to non gateway of host |
|
|
http-form authentication fails after 9.3.2 |
|
|
ASA traceback when using an ECDSA certificate |
|
|
ASA traceback in Unicorn Proxy Thread |
|
|
"failover standby config-lock" is not loaded in ASA correctly |
|
|
PBR incorrect route selection for deny clause |
|
|
OSPF neighbor goes down after "reload in xx" commnad in 9.2 and later |
|
|
Clustering NAT: ASA crash during NAT configuration |
|
|
ASA: FAILOVER not working with password encryption. |
|
|
VPN connection may fail when using an ECDSA certificate |
|
|
ASA 9.1.6.10 traceback after remove compact flash and execute dir cmd |
|
|
DAP URL-List Command Says It Supports 491 Characters; Only Supports 245 |
|
|
L2TP/IPSec fails with Multilink PPP enabled on Win client |
|
|
BOSC Runtime Buffer overflow error detected while executing OSPFV3 Tests |
|
|
The copy command does not verify the integrity of the image |
|
|
IPv6: ASA denies IPv6-ICMP request to the ASA when failover |
|
|
Primary and Secondary ASA in HA is traceback in Thread Name:DataPath |
|
|
ASA 9.4.2 traceback in DATAPATH |
|
|
Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability |
|
|
ASA ERROR:FIPS Self-Test failure,fips_continuous_rng_test [-1:12:0:2:16] |
|
|
ASA "show chunkstat | redirect" does not work |
|
|
ASA TCP normalizer checksum verification cannot be disabled |
|
|
Traceback in ctm_ssl_generate_key with DHE ciphers SSL VPN scaled test |
|
|
PBR: Mem leak in cluster mode due to policy based route |
|
|
Port-Channel Config on Gi 0/0 causes Boot Loop - FIPS related |
|
|
Cisco signed certificate expired for WebVpn Port Forward Binary on ASA |
|
|
Different output of BVI address in transparent mode on failover pair |
|
|
Evaluation of pix-asa for OpenSSL December 2015 Vulnerabilities |
|
|
"set connection timeout idle" is not applied. |
|
|
ASA IPSEC crypto map set df-bit copy-df/clear-df does not take effect |
|
|
Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability |
|
|
ASA 9.5.1 traceback in Threadname Datapath due to SIP Inspection |
|
|
Allow a larger (4GB) coredump filesystem to be configured on ASA |
|
|
DHCP Relay fails for cluster ASAs with long interface names |
|
|
SSL sessions stop processing -"Unable to create session directory" error |
|
|
ASA coredumped after enable,disable webvpn on interface |
|
|
ASA(9.5.2) changing the ACK number sent to client with SFR redirection |
|
|
asa fails to format disk1 USB drive |
|
|
WebVPN: Unable to play certain online videos |
|
|
"no ipv6-vpn-addr-assign" CLI not working |
|
|
DAP: debug dap trace not fully shown after +1600 lines |
|
|
ASA L7 policy-map comes into affect only if the inspection is re-applied |
|
|
ASA: Traceback in Thread IP Address Assign |
|
|
webvpn cache-disabled msg is too disruptive and may cause config issues |
|
|
IPAA needs improved debugging - Part 2- add Syslogs 737034-737036 |
|
|
Incorrect NTP authentication behavior |
|
|
Traffic drop due to constant amount of arp on ASASM |
|
|
ASA: Traceback on ASA device after adding FQDN objects in NAT rule |
|
|
ASA Crash while viewing large ACL |
|
|
ASA unable to add policy NAT which is overlapping with ip local pool |
|
|
Reload in Thread Name: IKE Daemon |
|
|
"show resource usage" gives wrong number of routes after shut/no sh |
|
|
ASA TACACS+: process tacplus_snd uses large percentage of CPU |
|
|
PBR "set interface" failing to use default and less preferred route |
|
|
ASA Traceback on Thread Name: Unicorn Admin Handler |
|
|
Stub Connections Torn Down due to Shun/Threat Detection in ASA Cluster |
|
|
Nat pool exhausted observed when enabling asp transactional-commit nat |
|
|
DNS Reply Modification for Dual-Stack does not work as expected |
|
|
ASA WebVPN: Java RDP Plugin does not launch |
|
|
FIPS: Continuous RNG test can mistakenly report an error |
|
|
ASA traceback in Thread Name: https_proxy |
|
|
ASA traceback in DATAPATH thread |
|
|
"backup" command does not include anyconnect client profile files |
|
|
Resolve CSCtz82865 - Equivalent of "show xlate count" command |
|
|
Cisco ASA Linux Kernel Vulnerability - CVE-2016-0728 |
|
|
ASA using a huge dynamic ACL may cause Anyconnect connectivity failures |
|
|
ASA5516 SSD reports incorrect OID in Entity MIB |
|
|
Uploaded/downloaded files via CIFS have Zero Byte size (same WebFolder) |
|
|
ASA traceback in Thread Name: Unicorn Proxy Thread. |
|
|
ASA traceback and reload citing Thread Name: idfw_proc |
|
|
ASA: MAC address changes on active context when WRITE STANDBY is issued |
|
|
Smart tunnel does not work since Firefox 32bit version 43 |
|
|
9.5(1) ECDSA CSR sets KU KeyEnciph vice KeyAgreement |
|
|
Not able to re-use the community-list name. |
|
|
ASA: Assert traceback in version 9.4.2 |
|
|
ASA 5585 traceback when the User name is mentioned in the Access list |
|
|
ASA Watchdog traceback in CP Processing thread during TLS processing |
|
|
STBY ASA does't pass traffic via ASA-IC-6GE-SFP-B ifc after reload |
|
|
VPN Load-Balancing does not send load-balancing cert for IPv6 Address |
|
|
ASA 9.5.2 does not send CERT_REQ for 512-bit certificate |
|
|
Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt |
|
|
ASA Access-list missing and losing elements after configuration change |
|
|
Can't navigate to OWA 2013 due to ssl errors |
|
|
OCSP validation fails when multiple certs in chain are verified |
|
|
ASA reloads in thread name: DATAPATH while encrypting L2L packet |
|
|
ASA WebVPN: Java Exception with Kronos application |
|
|
inspect ip-option is not allowing "NOP" even when allowed |
|
|
Buffer overflow in RAMFS dirent structure causing traceback |
|
|
If FQDN is more than 64 chars then we redirect to ip instead of FQDN |
|
|
assert "ctm->async_ref == 0" failed: file "ssl_common.c", line 193-part2 |
|
|
Traceback in thread name idfw when modifying object-group having FQDN |
|
|
Assert Traceback in Thread Name: DATAPATH on clustered packet reassembly |
|
|
WebVPN FTP client failing with "Error contacting host" message |
|
|
orignial master not defending all GARP packets after cluster split brain |
|
|
FO replication failed: cmd=no disable, when disabling webvpn-cache |
|
|
Rewriter error with webworker JS |
|
|
ASA traceback when receive Radius attribute with improper variable type |
|
|
ASA does not suppress EIGRP candidate default route information |
|
|
ASA clientless rewriter failure at 'CSCOPut_hash' function |
|
|
ENH: ASAv should have a different pre-loaded cert |
|
|
ASA Traceback and reload by strncpy_sx.c |
|
|
Intranet page does not load via WebVPN with JavaScript errors |
|
|
CSCOPut_hash can initiate unexepected requests |
Resolved Bugs in Version 9.4(2.145)
There were no bugs fixed in 9.4(2.145).
Resolved Bugs in Version 9.4(2)
If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for Version 9.4(2):
The following table lists resolved bugs at the time of this Release Note publication.
|
Identifier |
Description |
|---|---|
|
Can get around dynamic-filter by using caps in domain name |
|
|
Migration of max_conn/em_limit to MPF is completely wrong in 8.3 |
|
|
ASA allows removing address pool conf even if it is in use in grp-policy |
|
|
Possible to add multiple identical lines under certificate maps |
|
|
Last transaction time in 'show aaa-server' cmd changes. |
|
|
Observed Traceback in SNMP while querying GET BULK for 'xlate count' |
|
|
Remove Code for Type 0 Routing Headers |
|
|
IPv6 Complete Packet Fragment Reassembly Check Bypass |
|
|
ISAKMP debugs display incorrect Message ID and length data |
|
|
Can't use an object-group for NAT which was used for pat-pool earlier |
|
|
HTML/Java File Browser- created file or folder shows 9 months offset |
|
|
Misleading error msg for pat-pool with mapped object |
|
|
IPv6 ND not replicating to Slave units |
|
|
ASA WebVPN: Java Signer Certificate chain is incomplete with >3 CA Certs |
|
|
Multiple problems with output of show processes memory |
|
|
Cisco ASA SNMP Denial of Service Vulnerability |
|
|
ASA DNS lookups always prefer IPv6 response |
|
|
ASA "debug webvpn anyconnect 255" not showing empty certificate issue |
|
|
Windows 8 with new JRE, IE is not gaining access to smart tunnel |
|
|
Traceback and reload triggered by failover configuration |
|
|
WebVPN Citrix client browser couldn't save Java Client as preferred |
|
|
ASA 8.4 Memory leak due to duplicate entries in ASP table |
|
|
WEBVPN: Citrix 5/6 application doesn't launch with IE10/Windows 7 |
|
|
ASA/ASASM drops SIP invite packets with From field containing "" and \ |
|
|
Traceback on standby ASA during hitless upgrade |
|
|
SXP Version Mismatch Between ASA & N7K with clustering |
|
|
RRI static routing changes not updated in routing table |
|
|
Add cli to control masked username in syslog |
|
|
ASA 9.2.1 - DATAPATH Traceback in L2 cluster environment |
|
|
Cisco ASA Failover Command Injection Vulnerability |
|
|
LU allocate connection failed on the Standby ASA unit |
|
|
RPC error in request config after replicated a large configuration |
|
|
QEMU virtqueue_map_sg() Function Input Validation Buffer Overflow Vuln |
|
|
NetFlow incorrect reporting for PPTP VPN over GRE |
|
|
Codenomicon HTTP-server suite may cause crash |
|
|
ASA:Dataplane capture doesn't capture packets From Service module to ASA |
|
|
ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limit |
|
|
seamless upgrade on spyker A floods error messages to both asa units |
|
|
"no nameif" is removing the policy-route configuration |
|
|
Extra space after newline in some syslogs |
|
|
Cisco ASA DHCPv6 Relay DoS Vulnerability |
|
|
Cut Through proxy not working correctly with TLS1.2 |
|
|
ASA - Traceback in thread name SSH while applying BGP show commands |
|
|
AnyConnect upgrade from AC 2.5 to AC 3.1 fails |
|
|
WebVPN Rewriter: "parse" method returns curly brace instead of semicolon |
|
|
Cisco ASA XAUTH Bypass Vulnerability |
|
|
SCH enrollment issue with Saleen serial number |
|
|
ASA traceback in Thread Name: fover_parse |
|
|
Cisco ASA DHCPv6 Relay Denial of Service Vulnerability |
|
|
ASA - Traceback in Thread Name: fover_parse |
|
|
Kenton 5516: Interface dropping ARPs after flapping under traffic load |
|
|
ASA 9.1.5 does not always drop connections after receiving RST+ACK flag |
|
|
HTTP redirect to the VPNLB address using HTTPS fails in 9.1.5 |
|
|
ASA - Traceback in thread name: CERT API |
|
|
Misleading route-map warning message |
|
|
5506-X: 'no buffer' interface counter reports incorrect errors |
|
|
ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO: |
|
|
LDAP over SSL fails when using TLS1.2 on ASA |
|
|
Close-overlay function not working thru rewriter |
|
|
Cisco ASA PIM Multicast Registration Vulnerability |
|
|
ASA clears the TOS value of ICMP echo reply packet from ASA's interface |
|
|
assertion "mh->mh_mem_pool > MEMPOOL_UNDEFINED && mh->mh_mem_pool < MEMP |
|
|
ASA cert validation fails when suitable TP is above the resident CA cert |
|
|
inspect esmtp replace the packet data to 'X' |
|
|
ASAv crashes when CiscoTAC-1 profile pointed to Transport Gateway w/ dbg |
|
|
More than 255 messages in multicast packet with jumbo frames |
|
|
ASA : ACL logging is not getting disabled with keyword "log disable" |
|
|
ASA crashes for the OSPFv2 packets from codenomicon |
|
|
IKEv2: IPSec SA's are created by dynamic crypto map for static peers |
|
|
PBR: DF & DSCP bits are not getting set without valid set next-hop |
|
|
Radius Acct-Terminate-Cause for L2TP over IPSec is incorrect. |
|
|
Memory leak observed while adding manual NAT rule |
|
|
Exception on asdm_handler stream line: </threat-detection> |
|
|
ASA Traceback in SSL library due to DMA memory exhaustion |
|
|
Network Object NAT is not working when config-register == 0x41 |
|
|
Adding subnet(s) to the object group for NAT causes high CPU |
|
|
'client-services' is not accepted if the interface has no IP addr |
|
|
ASA traceback in DATAPATH Thread due to Double Block Free |
|
|
Cisco ASA ISAKMP Denial of Service Vulnerability |
|
|
Cisco ASA VPN XML Parser Denial of Service Vulnerability |
|
|
ASA Cluster member traceback in DATAPATH |
|
|
ASA WEBVPN: Usernames shown as '*' in logs for failed authentication |
|
|
Duplicate IPv6 address is configurable in 1 ASA or context |
|
|
ASA silently dropping OSPF LS Update messages from neighbors |
|
|
ASA dropping traffic with TCP syslog configured in multicontext mode |
|
|
Cisco ASA DNS Denial of Service Vulnerability |
|
|
ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig |
|
|
NFS connections not timing out after failover |
|
|
DHCPRelay Server in interface mode not getting deleted |
|
|
Handling esmtp default parameters for TLS |
|
|
ASA: XFRAME support for .JS and .JNLP URL's |
|
|
Both ASAs in failover use the same MAC address |
|
|
Standby ASA does not apply OSPF route after config replication |
|
|
Failover assembly remained in active-active state permanantly |
|
|
ASA allows citrix ICA connection without authentication |
|
|
Cisco ASA Management Interface XML Parser DoS Vulnerability |
|
|
Anyconnect SSL VPN certificate authentication fails o ASA |
|
|
[ASA] CTP not working if proxyACL port_argument is gt |
|
|
PPPoE session state timer does not initialize properly |
|
|
L2TP/IPSec Optimal MSS is not what it's supposed to be |
|
|
xszASA 9.2.1 Eigrp Authentication does not work with 16 character key |
|
|
ASA traceback in aaa_shim_thread / command author done for dACL install |
|
|
AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue |
|
|
Active ASA in failover setup reboots on its own |
|
|
ASA redirection to Scansafe tower fails with log id "775002" in syslog |
|
|
[ASA] access-list ACL_name standard permit host 0.0.0.0 deleted |
|
|
Src url of video track tag not mangled via webvpn |
|
|
Cluster destabilizes when contexts are removed |
|
|
Secondary ASA stuck in config sync while upgrading to 8.4.x |
|
|
EIGRP authentication not working with simple pasword |
|
|
WebVPN:Rewrite issue with 'eval' expressions inside JS on Peoplesoft app |
|
|
Per-session PAT RST sent to incorrect direction after closing session |
|
|
Traceback in snp_cluster_get_buffer |
|
|
EIGRP configuration not being correctly replicated between failover ASAs |
|
|
2048-byte block leak if DNS server replies with "No such name" |
|
|
MARCH 2015 OpenSSL Vulnerabilities |
|
|
Traceback in thread CP Processing |
|
|
Incorrect cert chain sent to connecting IPSec clients |
|
|
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal |
|
|
ASA traceback because of TD tcp-intercept feature |
|
|
show cluster mem indicates incorrect values |
|
|
Corrupted host name may occur with DHCP |
|
|
Cisco ASA OSPFv2 Denial of Service Vulnerability |
|
|
ASA tunnel-group"password-expire-in-days"not prompting a password change |
|
|
Clustering: Traceback in DATAPATH with transparent FW |
|
|
WebVPN: Tsweb fails to work through clientless portal |
|
|
L2TP/IPsec traffic dropped due to "vpn-overlap-conflict" |
|
|
To-the-box UDP traffic not getting inspected and getting dropped on ASA |
|
|
ASA :Top 10 Users status is not getting enabled from ASDM. |
|
|
Investigate impact of jumbo-frame reservation on low-end ASA platforms |
|
|
CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached |
|
|
Radius Acct-Terminate-Cause for L2TP over IPSec is incorrect. |
|
|
ASA WebVPN clientless cookie authentication bypass |
|
|
PKI: potential pki session handle leak in IKEv2 L2L configurations |
|
|
ASA Traceback in PPP |
|
|
Ikev2 Session with bogus assigned IP address stays on ASA |
|
|
USB device hot plug not supported in running ASA |
|
|
Issue with downloading images from Sharepoint |
|
|
ASA: Silently Drops packets with SFR Module installed. |
|
|
ASA Traceback in vpnfol_thread_msg |
|
|
ASA traceback in Thread Name: CP Processing |
|
|
ASA 9.0.3 not logging permitted UDP traffic |
|
|
ASA: Anyconnect IPv6 Traceroute does not work as expected |
|
|
ASA : Password creation date is decrementing by one with every reboot |
|
|
ASA: ECMP stopped working after upgrade to 9.3.2 |
|
|
Remove demo and eval warning for sfr monitor-only |
|
|
DNS should perform IPv4 lookups if IPv6 address is not reachable |
|
|
snmpwalk causes slow memory leak on ASA |
|
|
"ssh scopy enable" deleted from configuration |
|
|
Cannot bootup ASAv-KVM when deployed via RHEL (7.1) / OpenStack (Juno) |
|
|
Cisco ASA DNS Denial of Service Vulnerability |
|
|
ASA QoS Priority Queue tx-ring-limit 512 causes high impact to LLQ |
|
|
ASAv: RSA key pair needs to be automatically generated with 2048 bits |
|
|
ASA Dataplane captures dont capture packets when using match/access-list |
|
|
Drop reasons missing from asp-drop capture |
|
|
ASA: failover logging messages appear in user context |
|
|
ASA WebVPN: HTTP 302 Location URL rewritten incorrectly |
|
|
ASA WebVPN : jQuery based Calendar table fails to load; Empty frame |
|
|
ASA %ASA-3-201011: Connection limit exceeded when not hitting max limit |
|
|
ASA inspection-MPF ACL changes not inserted into ASP table properly |
|
|
Object nat rule is not matched |
|
|
ASA: Traceback with Thread Name - AAA |
|
|
ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel |
|
|
AAA Authorization HTTP sends username in password field of authorization |
|
|
ASA OSPF database not reflect changes |
|
|
ASA WebVPN: Javascript fails to execute when accessing internal portal |
|
|
ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout |
|
|
eglibc 2.18 is missing upstream fix #15073 |
|
|
Cert Auth fails with 'max simultaneous-login restriction' error |
|
|
IPv6 local host route fail when setting link-local/Global simultaneously |
|
|
asa Traceback with Thread Name idfw_proc |
|
|
ASA Name Constraints dirName improperly verified |
|
|
ASA Traceback in cp_syslog |
|
|
ASA CA certificate import fails with different types of Name Constraints |
|
|
ASA - access list address argument changed from host 0.0.0.0 to host :: |
|
|
WebVpn: portal is not displayed after re-login |
|
|
ASA not checking the MAC of the TLS records |
|
|
ASA does not set forward address or p-bit in OSPF redistrubution in NSSA |
|
|
All Static routes not removed on adding zone membership to an interface |
|
|
ASA Remote Access - Phase 1 terminated after xauth |
|
|
ASA change non-default port to 443 for https traffic redirected to CWS |
|
|
9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain |
|
|
ASA not generating PIM register packet for directly connected sources |
|
|
ASA is not correctly handling errors on AES-GCM ICV |
|
|
Standalone AnyConnect fails to connect due to empty DAP user message |
|
|
Auth-prompt configured in one context appears in another context |
|
|
Traceback in Thread CP Processing |
|
|
Cryptomaps lose trustpoint when syncing configuration from cluster unit |
|
|
kenton: For ASA5516, ASAOS should support SSLVPN of 300 instead of 250 |
|
|
ASA failover due to issue show local-host command make CPU-hog |
|
|
Traps are not sent after hyperlite bootsup with all data interfaces shut |
|
|
ASA - URL filter - traceback on thread name uauth_urlb clean |
|
|
Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5 |
|
|
ASA tunnel-group-map cannot contain spaces |
|
|
Evaluation of OpenSSL June 2015 |
|
|
DHCP-DHCP Proxy thread traceback shortly after failover and reload |
|
|
ASA Traceback in Thread Name ssh/client |
|
|
conn-max counter is not decreased accordingly |
|
|
ASAv traceback in DATAPATH when used for WebVPN |
|
|
Ampersand (&) not encoded in packet tracer phase 'extra' field |
|
|
Doubling counting flow bytes for decrypted packets |
|
|
ASA sets non-zero FA in OSPF for anyconnect redistrubuted network |
|
|
Cisco ASA Poodle TLS Variant |
|
|
ASA: Traceback while copying file using SCP on ASA |
|
|
'terminal pager' does not clear when authorization auto-enable is used |
|
|
SSL connection failing to WebVPN portal |
|
|
ASA-3-317012 and "No route to host" errors even though the route exists |
|
|
Saleen Alarm LED lit when BMC SEL log is full |
|
|
ASA:OSPF over L2L tunnels is not working with multiple cry map entries |
|
|
ASA: traceback in IDFW AD agent |
|
|
EEM action not executed on absolute time when NTP is configured |
|
|
Standby ipv6 address setting is not replicated to standby |
|
|
Clientless webvpn on ASA does not display asmx files |
|
|
Need to prevent traceback in js_parser_print_rest |
|
|
ASATraceback in ssh whilst adding new line to extended ACL |
|
|
ikev2 enable added to config when zones are used despite ERROR msg |
|
|
ASA: CLI commands not showing help(?) options for local authorization |
|
|
ASA: "Auto-Enable" feature not working with SSH configured with PKF |
|
|
ASA5505 permanent base license, temp secplus, failover, vlan count issue |
|
|
'redistribute' cmds under 'router eigrp' removed on deleting any context |
|
|
ASA LDAP CRL query baseObject DN string is malformed |
|
|
TP Auth fails when sub CA using RSA keys is signed by root using ECDSA |
|
|
Memory leak @regcomp_unicorn with APCF configured |
|
|
Unable to authenticate with remove aaa-server from different context |
|
|
ASA : Unable to save configuration or copy files on ASA flash |
|
|
ASA: TLS-Proxy fails with pkp error |
|
|
bgp ipv6 neighborship fails with ASA after hard reset on router |
|
|
ASA SSLVPN RDP Plugin session freezes under heavy load with activex |
|
|
AddThis widget is not shown causing Traceback in Unicorn Proxy Thread |
|
|
ASA: LDAP over SSL Authentication failure |
|
|
ASA using IKEv2 rejects more than 10 NAT_DETECTION_SOURCE_IP payloads |
|
|
IPv6 packets with a next header of 8 is dropped by failover code |
|
|
ASA: Not able to remove ACE with "log default" keyword |
|
|
rewriter returns 302 for a file download |
|
|
ASA cluster-Incorrect "current conns" counter in service-policy |
|
|
Dynamic Route Not Installed After Failover |
|
|
ASA: Watchdog Traceback with Thread Name:- SXP CORE |
|
|
ASA may tracebeck when displaying packet capture with trace option |
|
|
SSL : Unable to Join nodes in Cluster |
|
|
Cannot change "management-only" for port-channel interfaces on 5500-X |
|
|
ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8) |
|
|
Cisco ASA Unicast Reverse Path Forwarding (uRPF) Bypass Vulnerability |
|
|
Cisco ASA Clientless SSL VPN portal hangs |
|
|
"show ipv6 neighbor" command not available in system space |
|
|
HTTP chunked data causing watchdog |
|
|
Cisco ASA VPN Memory Block Exhaustion Vulnerability |
|
|
Standby traceback during config replication with customization export |
|
|
Group-lock value can be set with space in a tunnel-group name |
|
|
Webvpn: JS parser may crash if the underlying connection is closed |
|
|
Unicorn proxy thread traceback with RAMFS processing |
|
|
RA validation failed when CA/subCA contains name constraints |
|
|
All Remarks in ACLs are pushed to the end of each ACL after upgrade |
|
|
Request allow packets to pass when snort is down for ASA configurations |
|
|
ASA Lina: fix memory leak in debug menu option 20 |
|
|
ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+) |
|
|
ASA: Traceback in Thread Name Checkheaps due to webvpn |
|
|
ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test |
|
|
Active ftp-data is blocked by Firepower on Chivas Beta on 5512 |
Resolved Bugs in Version 9.4(1.225)
There were no bugs fixed in 9.4(1.225).
Resolved Bugs in Version 9.4(1.200)
There were no bugs fixed in 9.4(1.200).
Resolved Bugs in Version 9.4(1.152)
There were no bugs fixed in 9.4(1.152).
Resolved Bugs in Version 9.4(1)
If you have a Cisco support contract, use the following search for resolved bugs severity 3 and higher for Version 9.4(1):
The following table lists resolved bugs at the time of this Release Note publication.
|
Identifier |
Description |
|---|---|
|
UDP telnet/ftp/http/https intercepted for auth-proxy |
|
|
.pkcs12 should not be retrieved after ca enrollment-retrieval timeout |
|
|
TACACS+ Failure to verify reply type |
|
|
Syslog 106100 not generated on second context when cascading contexts. |
|
|
Missing input validation for specific code functions |
|
|
%ASA-6-603106 and %ASA-6-603108 message is printed on 3 lines |
|
|
Arsenal:twice NAT with service type ftp not working. |
|
|
Traceback seen when editing ACL configured in AAA UAuth |
|
|
ASA: Change warning message when L2L tunnel-group is named |
|
|
ASA displays incorrect auth type in some IKEv2 L2L configurations |
|
|
Cluster NTP configuration not replicated to slave after unit reloads |
|
|
WebVPN: Latest JQuery library doesn't work through ASA |
|
|
Linux Kernel Invalid fs and gs Registry KVM Denial of Service Vulnerab |
|
|
uLinux Kernel agp_generic_remove_memory() Local Privilege Escalation Vu |
|
|
ASA SSL: Continues to accept SSLv3 during TLSv1 only mode |
|
|
Idle timer and half-closed idle timer reset by out of sequence SYN |
|
|
Authentication is successful, but http browser with error msg displayed |
|
|
IPv6 ND not replicating to Slave units |
|
|
Cisco ASA SNMP Denial of Service Vulnerability |
|
|
Assert in CTM Daemon |
|
|
ASA5585-SSP60 Traceback in Thread Name SSH on Capture Command |
|
|
Duplicated CHILD SAs in 1 IKEv2 SA, traffic dropped vpn-overlap-conflict |
|
|
ASA may traceback when "write standby" command is entered twice |
|
|
ASA does not recognise "packet too big" for assembled ICMPv6 echo reply |
|
|
ASA allows IKEv1 clients to bypass address assignment, causing conflict |
|
|
Cisco ASA fix for CSCun56954 |
|
|
Cisco ASA Information Disclosure Vulnerability |
|
|
TLS-proxy capture decodes not handling large SIP segments |
|
|
ASA - Traceback in DATAPATH-0-1275 |
|
|
HA: "Interfaces on Active and Standby are not consistent" Message on MFM |
|
|
accounting not per rfc in dual factor auth case |
|
|
ASA providing inaccurate Tunnel count to ASDM |
|
|
ASA drops DNS PTR Reply w/ reason Label length exceeded during rewrite |
|
|
"verify /signature running" command output does not show via ssh |
|
|
Traceback when executing "show crypto accelerator load-balance" |
|
|
Local pool address not released -> Duplicate local pool address found |
|
|
SCP copy operations exposes sensitive information in syslogs |
|
|
Traceback and reload triggered by failover configuration |
|
|
ASA as DHCP relay, DHCP offer is not forwarded to the client |
|
|
ASA: Increased processor temperature after upgrade |
|
|
PPPoE with static IP address deny packets after reload ASA |
|
|
Traceback caused by WCCP |
|
|
Cisco ASA Failover IPSEC does not encrypt failover link |
|
|
ASA : timeout floating-conn not working when PPPoE is configured |
|
|
Traceback in Thread Name qos_metric_daemon caused by asdm history enable |
|
|
ASA: CLI commands are not displaying options for local authorization |
|
|
TLS proxy packet capture incorrectly displays IPv6 packets in wireshark |
|
|
DMA memory leak in 256 byte fragments with nbns-server config |
|
|
ASA not sending RST packet for connections dropped by Botnet filter |
|
|
Traceback may occur on bring up of multiple SSL sessions w/DHE |
|
|
ASA can use wrong trustpoint with rekeyed CAs are cfg in trustpoints. |
|
|
ASA not sending PIM register message to RP |
|
|
ASA traceback in cluster with DATAPATH thread |
|
|
ASA tracebacks in Thread Name: ssh due to watchdog |
|
|
IPv6 stateless autoconfiguration fails if managed config flag in RA |
|
|
ASA L2TP Split-Tunnel DHCPC: DHCP daemon got msg for uninitialized |
|
|
ASA: standby traceback during replication of specific privilege command |
|
|
ASA Local CA generates unexpected renewal reminder message |
|
|
Cisco ASA Software Version Information Disclosure Vulnerability |
|
|
Traceback in clacp_enforce_load_balance with ASA Clustering |
|
|
ASA Cluster slave unit loses default route due to sla monitor |
|
|
Cisco ASA SSL VPN Memory Blocks Exhaustion Vulnerability |
|
|
ASA traceback: thread name "scansafe_poll" |
|
|
ASA - 80 Byte memory block depletion |
|
|
ASA traceback in DATAPATH-0-2078 thread |
|
|
ASA:Page fault traceback ACL FQDN Object-group |
|
|
Clientless WebVPN Session Cookie should have configurable HttpOnly flag |
|
|
ASA Cluster: IDFW traceback inThread Name: DATAPATH-3-132 |
|
|
Cisco ASA DNS Memory Exhaustion Vulnerability |
|
|
Inspect rule defaults in standby transparent context on write standby |
|
|
ASA5580 speed nonegotiate settings kept link down after shut/no shut |
|
|
User membership not updated in parent group |
|
|
ASA: RST packet forwarded with non-zero ACK number (and ACK flag clear) |
|
|
There are two certificates related to one trustpoint on standby unit. |
|
|
Object Group Search causing legitimate traffic to be dropped by ACL |
|
|
Traceback on ASA when Attempting to Join Cluster with Low Memory |
|
|
ASA ACL hitcount not correct for ACLs with service object groups |
|
|
Traceback on standby ASA during hitless upgrade |
|
|
ASA cut-through proxy limiting authentication attempts from user |
|
|
WebVPN Citrix IPv6 connections fail |
|
|
DHCP Relay reloads after changing server interface |
|
|
SDI authentication doesn't work in more than one contexts. |
|
|
nested custom write functions causing blank page through rewriter |
|
|
ASA Threat detection adds Shun entry for attacker based on routing table |
|
|
Cisco ASA Failover Command Injection Vulnerability |
|
|
ASA : evaluation of SSLv3 POODLE vulnerability |
|
|
Control Plane ACL Not Working for Redirected HTTP Traffic |
|
|
ASA assert traceback on Standby Unit in c_idfw.c |
|
|
Traceback: pki-crl: Thread Name: Crypto CA with traffic through VPN L2L |
|
|
SCH not using trustpool after trustpoint expiration failure |
|
|
ASA Client login timeout issue due to proxy match inconsistency |
|
|
Evaluate OpenSSL DTLS SRTP Memory Leak - CVE-2014-3513 |
|
|
Hex code associated with syslog is referenced from the old ACE/ACL |
|
|
Evaluate Session Ticket Memory Leak (CVE-2014-3567) |
|
|
EIGRP tag incorrectly send by ASA |
|
|
ASA DSCP marking applies to all SSL traffic |
|
|
CoA: ASA terminates AC SSL session w/out ACL after second CoA update |
|
|
L2L Test w/ DFP, SFR and debug SFR results in ASA becoming unresponsive |
|
|
HTTP and FTP Copy operations exposes sensitive information in syslogs |
|
|
Mac version smart-tunnel uses SSLv3 which is a vulnerability |
|
|
Failed to allocate global ID when adding service-policy |
|
|
traceback @ hash_table_simple.c:192 |
|
|
ASA crashes in DHCPV6 Relay agent feature Functionality |
|
|
ASA Crash in vpnfol_thread_msg thread |
|
|
Traceback due to fiber_create failure in unicorn remove session dir |
|
|
Webvpn: Support for XFRAME for non-critical URL's |
|
|
webvpn href with javascript function - arg ' incorrectly rewritten to \' |
|
|
ASA accounting request does not contain radius-class(25) attribute |
|
|
Usernames obscured with asterisks in logs after upgrade to ASA 9.1(5.16) |
|
|
RPC error in request config after replicated a large configuration |
|
|
inspect conn not replicated to standby with cut_thru missing punt |
|
|
ASA/SFR data plane connection may drop under heavy load |
|
|
ASA SCP Client does not prompt for password when not inc. in copy string |
|
|
ASA: Traceback in idfw_proc |
|
|
WebVPN: Cannot use non-default FTP port for filebrowsing |
|
|
DATAPATH Traceback in snp_mp_svc_udp_upstream_data function |
|
|
ASA Traceback in Thread Name: DATAPATH-6-2544 |
|
|
NAT pool address distribution fails,with NATtransactional-commit enabled |
|
|
ASA Traceback in Thread Name: DATAPATH-3-1274 |
|
|
ASA SMTP inspection should not disable TLS by default |
|
|
ASA sporadic crypto errors with SSL VPN using TLS1.x DHE ciphers |
|
|
acl rules are not removed when service object-group entry is deleted. |
|
|
ASA crash loop while upgrading when FIPS enabled |
|
|
ACL Hash not updated when object is renamed |
|
|
scansafe feature is missing from registered module features |
|
|
ASA : 256 Byte Block Depletion with CoA enabled |
|
|
ASA traceback in Thread Name: ci/console, assertion "snp_sp_action.c" |
|
|
OSPF over L2L tunnels is broken on ASA in 9.2.1 onwards |
|
|
ASA5506: Packet-tracer shows output interface as "NP Identity Ifc" |
|
|
Potential ICMP error storm in cluster CCL link |
|
|
ASA IPSEC client PKI username from certificate authorization failure |
|
|
ASA: Traceback while changing the Ikev1 configuration |
|
|
NTP authentication config replication fails in ASA failover and cluster. |
|
|
ASA - Additional empty fields in RADIUS Access-Request packet |
|
|
ASA prefers Suite-B algorithms w/ AC Essentials enabled for AC IKEv2 |
|
|
ASA: 'no monitor-interface service-module' command gone after reload. |
|
|
ASA WebVPN: Cosmetic Syslog 734004 DAP: processing error: Code 2991 |
|
|
ipsec-datapath:TFW management connection via VPN takes a few minutes |
|
|
ASA:Dataplane capture doesn't capture packets From Service module to ASA |
|
|
ASA5580-20 8.4.7.23: Traceback in Thread Name: ssh |
|
|
ASA: evaluation of Poodle Bites in TLSv1 |
|
|
"sysopt traffic detailed-statistics" not visible in "show run" |
|
|
ASA teardown connection after receiving same direction fins |
|
|
ASA generate pool exhausted for sip inspect with embedded IP but no port |
|
|
ASA: ICMP loop when cluster member rejoins the cluster. |
|
|
"no nameif" is removing the policy-route configuration |
|
|
ASA traceback in DATAPATH-1-2414 after software upgrade |
|
|
ASA Cluster: Default OSPF route gone on Master unit |
|
|
ASA:- SSH un-authenticated connections are not timing out |
|
|
SSL: Sporadic TLS 1.2 connection errors on 5500-X platforms with DHE |
|
|
ASA: Page fault traceback in SXP CORE thread |
|
|
ASA fails to pass ipv6 address to anyconnect client when using RADIUS |
|
|
Cannot bootup ASAv-KVM when deployed via RHEL/OpenStack |
|
|
JANUARY 2015 OpenSSL Vulnerabilities |
|
|
ASA : Failover descriptor does not change after reconfiguring VLAN |
|
|
NAT conversion fails when port range 1024 65535 is source |
|
|
genikev2: EAP with successful Authentication + Authorization may fail |
|
|
Tunnel default gateway no longer works in 9.3.2 |
|
|
SCH enrollment issue with Saleen serial number |
|
|
ASA: Traceback when removing manual NAT rule |
|
|
ASAv requires a reboot for the license to take effect. |
|
|
ASA 9.3.2:DAP intermittently uses dflt policy for VPN RA sessions |
|
|
Misleading route-map warning message |
|
|
5506-X: 'no buffer' interface counter reports incorrect errors |
|
|
LDAP over SSL fails when using TLS1.2 on ASA |
|
|
ASA clears the TOS value of ICMP echo reply packet from ASA's interface |
|
|
assertion "mh->mh_mem_pool > MEMPOOL_UNDEFINED && mh->mh_mem_pool < MEMP |
|
|
Policy based routing is not working with twice NAT |
|
|
ASAv crashes when CiscoTAC-1 profile pointed to Transport Gateway w/ dbg |
|
|
ASAv cannot send SL messages after toggeling of "service call-home" cmd |
|
|
ASA : ACL logging is not getting disabled with keyword "log disable" |
|
|
PBR: DF & DSCP bits are not getting set without valid set next-hop |
|
|
Exception on asdm_handler stream line: </threat-detection> |
|
|
ASA Traceback in SSL library due to DMA memory exhaustion |
|
|
Cisco ASA ISAKMP Denial of Service Vulnerability |
|
|
Cisco ASA VPN XML Parser Denial of Service Vulnerability |
|
|
ASA WEBVPN: Usernames shown as '*' in logs for failed authentication |
|
|
DHCPRelay Server in interface mode not getting deleted |
|
|
Failover assembly remained in active-active state permanantly |
|
|
AAA: RSA/SDI integration failing with ASA 9.3(2) - node secret issue |
|
|
2048-byte block leak if DNS server replies with "No such name" |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.
Feedback