Release Notes for the Cisco ASA Series, 9.7(x)
This document contains release information for Cisco ASA software Version 9.7(x).
Important Notes
-
If you are using SAML authentication with AnyConnect 4.4 or 4.5 and you deploy ASA version 9.7.1.24, 9.8.2.28, or 9.9.2.1 (Release Date: 18-APR-2018), the defaulted SAML behavior is the embedded browser, which is not supported on AnyConnect 4.4 and 4.5. Therefore, you must enable the saml external-browser command in tunnel group configuration in order for AnyConnect 4.4 and 4.5 clients to authenticate with SAML using the external (native) browser.
Note
The saml external-browser command is for migration purposes for those upgrading to AnyConnect 4.6 or later. Because of security limitations, use this solution only as part of a temporary migration while upgrading AnyConnect software. The command itself will be depreciated in the future.
-
Potential Traffic Outage (9.7(1) through 9.7(1.2))—Due to bug CSCvd78303, the ASA may stop passing traffic after 213 days of uptime. The effect on each network will be different, but it could range from an issue of limited connectivity to something more extensive like an outage. You must upgrade to a new version without this bug, when available. In the meantime, you can reboot the ASA to gain another 213 days of uptime. Other workarounds may be available. See Field Notice FN-64291 for affected versions and more information.
-
AnyConnect remote access VPN IPv6 DTLS tunnels in a scaled/stress environment may cause the ASA to traceback (for example: you have a large number of tunnels; or tunnels are continually connecting and disconnecting from the ASA headend). Workaround: Use IPv6 AnyConnect IKEv2 or IPv4 AnyConnect DTLS VPN remote access session types. (CSCvc77123)
-
The RSA toolkit version used in ASA 9.x is different from what was used in ASA 8.4, which causes differences in PKI behavior between these two versions.
For example, ASAs running 9.x software allow you to import certificates with an Organizational Name Value (OU) field length of 73 characters. ASAs running 8.4 software allow you to import certificates with an OU field name of 60 characters. Because of this difference, certificates that can be imported in ASA 9.x will fail to be imported to ASA 8.4. If you try to import an ASA 9.x certificate to an ASA running version 8.4, you will likely receive the error, "ERROR: Import PKCS12 operation failed.
-
When the ASA acts as a TLS server in a TLS proxy configuration, if the client proposes the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ciphers and those are chosen, the TLS handshake might fail. You cannot control the cipher selection when the ASA acts as a server in this release, as there is a bug whereby the global ssl encryption command no longer takes effect as the default set of ciphers. In 9.8(1), you can use the new server cipher-suite command in the TLS proxy configuration to control the cipher. If you encounter this problem, please upgrade to 9.8(1). Alternatively, you can change the configuration of the client so that it does not propose those ciphers.
System Requirements
This section lists the system requirements to run this release.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note |
New, changed, and deprecated syslog messages are listed in the syslog message guide. |
New Features in ASA 9.7(1.4)
Released: April 4, 2017
Note |
|
Feature |
Description |
|---|---|
|
Platform Features |
|
|
New default configuration for the ASA 5506-X series using Integrated Routing and Bridging |
A new default configuration will be used for the ASA 5506-X series. The Integrated Bridging and Routing feature provides an alternative to using an external Layer 2 switch. For users replacing the ASA 5505, which includes a hardware switch, this feature lets you replace the ASA 5505 with an ASA 5506-X or other ASA model without using additional hardware. The new default configuration includes:
If you are upgrading, you can either erase your configuration and apply the default using the configure factory-default command, or you can manually configure a BVI and bridge group members to suit your needs. Note that to easily allow intra-bridge group communication, you need to enable the same-security-traffic permit inter-interface command (this command is already present for the ASA 5506W-X default configuration). |
|
Alarm ports support on the ISA 3000 |
The ISA 3000 supports two alarm input interfaces and one alarm out interface. External sensors such as door sensors can be connected to the alarm inputs. External devices like buzzers can be connected to the alarm out interface. Alarms triggered are conveyed through two LEDs, syslogs, SNMP traps, and through devices connected to the alarm out interface.You can configure descriptions of external alarms. You can also specify the severity and trigger, for external and internal alarms. All alarms can be configured for relay, monitoring and logging. We introduced the following commands: alarm contact description, alarm contact severity, alarm contact trigger, alarm facility input-alarm, alarm facility power-supply rps, alarm facility temperature, alarm facility temperature high, alarm facility temperature low, clear configure alarm, clear facility-alarm output, show alarm settings, show environment alarm-contact. |
|
Microsoft Azure Security Center support on the ASAv10 |
Microsoft Azure is a public cloud environment that uses a private Microsoft Hyper V Hypervisor. Microsoft Azure Security Center is a Microsoft orchestration and management layer on top of Azure that simplifies the deployment of a highly secure public cloud infrastructure. Integration of the ASAv into Azure Security Center allows the ASAv to be offered as a firewall option to protect Azure environments. |
|
Precision Time Protocol (PTP) for the ISA 3000 |
The ISA 3000 supports PTP, a time synchronization protocol for nodes distributed across a network. It provides greater accuracy than other time synchronization protocols, such as NTP, due to its hardware timestamp feature. The ISA 3000 supports PTP forward mode, as well as the one-step, end-to-end transparent clock. We added the following commands to the default configuration to ensure that PTP traffic is not sent to the ASA FirePOWER module for inspection. If you have an existing deployment, you need to manually add these commands: We introduced the following commands: debug ptp, ptp domain, ptp mode e2etransparent, ptp enable, show ptp clock, show ptp internal-info, show ptp port |
|
Automatic Backup and Restore for the ISA 3000 |
You can enable auto-backup and/or auto-restore functionality using pre-set parameters in the backup and restore commands. The use cases for these features include initial configuration from external media; device replacement; roll back to an operable state. We introduced the following commands: backup-package location, backup-package auto, show backup-package status, show backup-package summary |
|
Firewall Features |
|
|
Support for SCTP multi-streaming reordering and reassembly and fragmentation. Support for SCTP multi-homing, where the SCTP endpoints have more than one IP address. |
The system now fully supports SCTP multi-streaming reordering, reassembly, and fragmentation, which improves Diameter and M3UA inspection effectiveness for SCTP traffic. The system also supports SCTP multi-homing, where the endpoints have more than one IP address each. For multi-homing, the system opens pinholes for the secondary addresses so that you do not need to write access rules to allow them. SCTP endpoints must be limited to 3 IP addresses each. We modified the output of the following command: show sctp detail . |
|
M3UA inspection improvements. |
M3UA inspection now supports stateful failover, semi-distributed clustering, and multihoming. You can also configure strict application server process (ASP) state validation and validation for various messages. Strict ASP state validation is required for stateful failover and clustering. We added or modified the following commands: clear service-policy inspect m3ua session [assocID id] , match port sctp , message-tag-validation , show service-policy inspect m3ua drop , show service-policy inspect m3ua endpoint , show service-policy inspect m3ua session , show service-policy inspect m3ua table , strict-asp-state , timeout session . |
|
Support for TLSv1.2 in TLS proxy and Cisco Unified Communications Manager 10.5.2. |
You can now use TLSv1.2 with TLS proxy for encrypted SIP or SCCP inspection with the Cisco Unified Communications Manager 10.5.2. The TLS proxy supports the additional TLSv1.2 cipher suites added as part of the client cipher-suite command. We modified the following commands: client cipher-suite |
|
Integrated Routing and Bridging |
Integrated Routing and Bridging provides the ability to route between a bridge group and a routed interface. A bridge group is a group of interfaces that the ASA bridges instead of routes. The ASA is not a true bridge in that the ASA continues to act as a firewall: access control between interfaces is controlled, and all of the usual firewall checks are in place. Previously, you could only configure bridge groups in transparent firewall mode, where you cannot route between bridge groups. This feature lets you configure bridge groups in routed firewall mode, and to route between bridge groups and between a bridge group and a routed interface. The bridge group participates in routing by using a Bridge Virtual Interface (BVI) to act as a gateway for the bridge group. Integrated Routing and Bridging provides an alternative to using an external Layer 2 switch if you have extra interfaces on the ASA to assign to the bridge group. In routed mode, the BVI can be a named interface and can participate separately from member interfaces in some features, such as access rules and DHCP server. The following features that are supported in transparent mode are not supported in routed mode: multiple context mode, ASA clustering. The following features are also not supported on BVIs: dynamic routing and multicast routing. We modified the following commands: access-group, access-list ethertype, arp-inspection, dhcpd, mac-address-table static, mac-address-table aging-time, mac-learn, route, show arp-inspection, show bridge-group, show mac-address-table, show mac-learn |
|
VM Attributes |
You can define network objects to filter traffic according to attributes associated with one or more Virtual Machines (VMs) in an VMware ESXi environment managed by VMware vCenter. You can define access control lists (ACLs) to assign policies to traffic from groups of VMs sharing one or more attributes. We added the following command: show attribute . |
|
Stale route timeout for interior gateway protocols |
You can now configure the timeout for removing stale routes for interior gateway protocols such as OSPF. We added the following command: timeout igp stale-route . |
|
Network object limitations for object group search. |
You can reduce the memory required to search access rules by enabling object group search with the the object-group-search access-control command. When enabled, object group search does not expand network or service objects, but instead searches access rules for matches based on those group definitions. Starting with this release, the following limitation is applied: For each connection, both the source and destination IP addresses are matched against network objects. If the number of objects matched by the source address times the number matched by the destination address exceeds 10,000, the connection is dropped. This check is to prevent performance degradation. Configure your rules to prevent an excessive number of matches. |
|
Routing Features |
|
|
31-bit Subnet Mask |
For routed interfaces, you can configure an IP address on a 31-bit subnet for point-to-point connections. The 31-bit subnet includes only 2 addresses; normally, the first and last address in the subnet is reserved for the network and broadcast, so a 2-address subnet is not usable. However, if you have a point-to-point connection and do not need network or broadcast addresses, a 31-bit subnet is a useful way to preserve addresses in IPv4. For example, the failover link between 2 ASAs only requires 2 addresses; any packet that is transmitted by one end of the link is always received by the other, and broadcasting is unnecessary. You can also have a directly-connected management station running SNMP or Syslog. This feature is not supported with BVIs for bridge groups or multicast routing. We modified the following commands: ip address, http, logging host, snmp-server host, ssh |
|
High Availability and Scalability Features |
|
|
Inter-site clustering improvement for the ASA on the Firepower 4100/9300 chassis |
You can now configure the site ID for each Firepower 4100/9300 chassis when you deploy the ASA cluster. Previously, you had to configure the site ID within the ASA application; this new feature eases initial deployment. Note that you can no longer set the site ID within the ASA configuration. Also, for best compatibility with inter-site clustering, we recommend that you upgrade to ASA 9.7(1) and FXOS 2.1.1, which includes several improvements to stability and performance. We modified the following command: site-id |
|
Director localization: inter-site clustering improvement for data centers |
To improve performance and keep traffic within a site for inter-site clustering for data centers, you can enable director localization. New connections are typically load-balanced and owned by cluster members within a given site. However, the ASA assigns the director role to a member at any site. Director localization enables additional director roles: a local director at the same site as the owner, and a global director that can be at any site. Keeping the owner and director at the same site improves performance. Also, if the original owner fails, the local director chooses a new connection owner at the same site. The global director is used if a cluster member receives packets for a connection that is owned on a different site. We introduced or modified the following commands: director-localization, show asp table cluster chash, show conn, show conn detail |
|
Interface link state monitoring polling for failover now configurable for faster detection |
By default, each ASA in a failover pair checks the link state of its interfaces every 500 msec. You can now configure the polling interval, between 300 msec and 799 msec; for example, if you set the polltime to 300 msec, the ASA can detect an interface failure and trigger failover faster. We introduced the following command: failover polltime link-state |
|
Bidirectional Forwarding Detection (BFD) support for Active/Standby failover health monitoring on the Firepower 9300 and 4100 |
You can enable Bidirectional Forwarding Detection (BFD) for the failover health check between two units of an Active/Standby pair on the Firepower 9300 and 4100. Using BFD for the health check is more reliable than the default health check method and uses less CPU. We introduced the following command: failover health-check bfd |
|
VPN Features |
|
|
Dynamic RRI for IKEv2 static crypto maps |
Dynamic Reverse Route Injection occurs upon the successful establishment of IPsec Security Associations (SA's) when dynamic is specified for a crypto map . Routes are added based on the negotiated selector information. The routes will be deleted after the IPsec SA's are deleted. Dynamic RRI is supported on IKEv2 based static crypto maps only. We modified the following command: crypto map set reverse-route. |
|
Virtual Tunnel Interface (VTI) support for ASA VPN module |
The ASA VPN module is enhanced with a new logical interface called Virtual Tunnel Interface (VTI), used to represent a VPN tunnel to a peer. This supports route based VPN with IPsec profiles attached to each end of the tunnel. Using VTI does away with the need to configure static crypto map access lists and map them to interfaces. We introduced the following commands: crypto ipsec profile, interface tunnel, responder-only, set ikev1 transform-set, set pfs, set security-association lifetime, tunnel destination, tunnel mode ipsec, tunnel protection ipsec profile, tunnel source interface. |
|
SAML 2.0 based SSO for AnyConnect |
SAML 2.0-based service provider IdP is supported in a private network. With the ASA as a gateway between the user and services, authentication on IdP is handled with a restricted anonymous webvpn session, and all traffic between IdP and the user is translated. We added the following command: saml idp We modified the following commands: debug webvpn saml, show saml metadata |
|
CMPv2 |
To be positioned as a security gateway device in wireless LTE networks, the ASA now supports certain management functions using the Certificate Management Protocol (CMPv2). We modified the following commands: enrollment url, keypair, auto-update, crypto-ca-trustpoint, show crypto ca server certificates, show crypto key, show tech-support |
|
Multiple certificate authentication |
You can now validate multiple certificates per session with AnyConnect SSL and IKEv2 client protocols. The Aggregate Authentication protocol has been extended to define the protocol exchange for multiple-certificate authentication and utilize this for both session types. We modified the following command: authentication {[aaa] [certificate | multiple-certificate] | saml} |
|
Increase split-tunneling routing limit |
The limit for split-tunneling routes for AC-SSL and AC-IKEv2 was increased from 200 to 1200. The IKEv1 limit was left at 200. |
|
Smart Tunnel Support on Chrome |
A new method for smart-tunnel support in the Chrome browser on Mac and Windows devices was created. A Chrome Smart Tunnel Extension has replaced Netscape Plugin Application Program Interfaces (NPAPIs) that are no longer supported on Chrome. If you click on the smart tunnel enabled bookmark in Chrome without the extension already being installed, you are redirected to the Chrome Web Store to obtain the extension. New Chrome installations will direct the user to the Chrome Web Store to download the extension. The extension downloads the binaries from ASA that are required to run smart tunnel. Your usual bookmark and application configuration while using smart tunnel is unchanged other than the process of installing the new extension. |
|
Clientless SSL VPN: Session information for all web interfaces |
All web interfaces will now display details of the current session, including the user name used to login, and user privileges which are currently assigned. This will help the user be aware of the current user session and will improve user security. |
|
Clientless SSL VPN: Validation of all cookies for web applications' sessions |
All web applications will now grant access only after validating all security-related cookies. In each request, each cookie with an authentication token or a session ID will be verified before granting access to the user session. Multiple session cookies in the same request will result in the connection being dropped. Cookies with failed validations will be treated as invalid and the event will be added to the audit log. |
|
AnyConnect: Maximum Connect Time Alert Interval is now supported in the Group Policy for AnyConnect VPN Client connections. |
The alert interval is the interval of time before max connection time is reached that a message will be displayed to the user warning them of termination. Valid time interval is 1-30 minutes. Default is 30 minutes. Previously supported for clientless and site-to-site VPN connections. The following command can now be used for AnyConnect connections: vpn-session-timeout alert-interval |
|
AAA Features |
|
|
IPv6 address support for LDAP and TACACS+ Servers for AAA |
You can now use either IPv4 or IPv6 addresses for LDAP and TACACS+ servers used for AAA. We modified the following command: aaa-server host, test aaa-server |
|
Administrative Features |
|
|
PBKDF2 hashing for all local username and enable passwords |
Local username and enable passwords of all lengths are stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Previously, passwords 32 characters and shorter used the MD5-based hashing method. Already existing passwords continue to use the MD5-based hash unless you enter a new password. See the "Software and Configurations" chapter in the General Operations Configuration Guide for downgrading guidelines. We modified the following commands: enable password, username |
|
Licensing Features |
|
|
Licensing changes for failover pairs on the Firepower 4100/9300 chassis |
Only the active unit requests the license entitlements. Previously, both units requested license entitlements. Supported with FXOS 2.1.1. |
|
Monitoring and Troubleshooting Features |
|
|
IPv6 address support for traceroute |
The traceroute command was modified to accept an IPv6 address. We modified the following command: traceroute |
|
Support for the packet tracer for bridge group member interfaces |
You can now use the packet tracer for bridge group member interfaces. We added two new options to the packet-tracer command; vlan-id and dmac |
|
IPv6 address support for syslog servers |
You can now configure syslog servers with IPv6 addresses to record and send syslogs over TCP and UDP. We modified the following commands: logging host, show running config, show logging |
|
SNMP OIDs and MIBs |
The ASA now supports SNMP MIB objects corresponding to the end-to-end transparent clock mode as part of the Precision Time Protocol (PTP) for the ISA 3000. The following SNMP MIB objects are supported:
|
|
Manually stop and start packet captures |
You can now manually stop and start the capture. Added/Modified commands: capture stop |
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
-
CLI—Use the show version command.
-
ASDM—Choose .
See the following table for the upgrade path for your version. Some older versions require an intermediate upgrade before you can upgrade to a newer version. Recommended versions are in bold.
|
Current Version |
Interim Upgrade Version |
Target Version |
|---|---|---|
|
9.6(x) |
— |
Any of the following: → 9.7(x) → 9.6(x) |
|
9.5(x) |
— |
Any of the following: → 9.7(x) → 9.6(x) → 9.5(x) |
|
9.4(x) |
— |
Any of the following: → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) |
|
9.3(x) |
— |
Any of the following: → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) |
|
9.2(x) |
— |
Any of the following: → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) |
|
9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) |
— |
Any of the following: → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
9.1(1) |
→ 9.1(2) |
Any of the following: → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
9.0(2), 9.0(3), or 9.0(4) |
— |
Any of the following: → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
9.0(1) |
→ 9.0(2), 9.0(3), or 9.0(4) |
Any of the following: → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.6(1) |
→ 9.0(2), 9.0(3), or 9.0(4) |
Any of the following: → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.5(1) |
→ 9.0(2), 9.0(3), or 9.0(4) |
Any of the following: → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.4(5+) |
— |
Any of the following: → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.4(1) through 8.4(4) |
Any of the following: → 9.0(2), 9.0(3), or 9.0(4) → 8.4(6) |
→ 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.3(x) |
→ 8.4(6) |
Any of the following: → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
|
8.2(x) and earlier |
→ 8.4(6) |
Any of the following: → 9.7(x) → 9.6(x) → 9.5(x) → 9.4(x) → 9.3(x) → 9.2(x) → 9.1(3), 9.1(4), 9.1(5), 9.1(6), 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note |
You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches. |
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.7(x)
If you have a Cisco support contract, use the following dynamic search for all open bugs severity 3 and higher for Version 9.7(x):
The following table lists open bugs at the time of this Release Note publication.
|
Caveat ID Number |
Description |
|---|---|
|
OpenLDAP needs to be upgraded or patched |
|
|
XMLSoft libxml2 XML Content Processing External Entity Expansion Vulne |
|
|
XMLSoft libxml2 Format String Vulnerability |
|
|
Pre-fill feature extracts username from wrong cert (cert 1-machine) for double cert vs.(cert 2-user) |
|
|
cURL and libcurl Cookie Handling Content Injection Vulnerability |
|
|
cURL and libcurl Authentication Handling Session Reuse Vulnerability |
|
|
cURL and libcurl Encoding Out-of-Bounds Memory Write Vulnerability |
|
|
cURL and libcurl curl_maprintf Function Memory Double-Free Vulnerabili |
|
|
cURL and libcurl Kerberos Authentication Processing Memory Double-Free |
|
|
cURL and libcurl Character Processing URL Redirection Vulnerability |
|
|
cURL and libcurl curl_getdate Function Out of Bounds Memory Read Vulne |
|
|
cURL and libcurl curl_easy_unescape Function Heap Overflow Vulnerabili |
|
|
cURL and libcurl Shared Cookie Handling Use-After-Free Vulnerability |
|
|
Python smtplib StartTLS Man-in-the-Middle Vulnerability |
|
|
OSPF retransmissions and VPN tunnels lost after Active ASA reload |
|
|
ASA may traceback in network_tcpmod_close_conn with AnyConnect IPv6 DTLS stress scenario |
Resolved Bugs in Version 9.7(1.4)
The following table lists select resolved bugs at the time of this Release Note publication.
|
Caveat ID Number |
Description |
|---|---|
|
Increase Content-length counter from 4 to 8 byte size |
|
|
Packet captures cause CPU spike on Multi-Core platforms due to spin_lock |
|
|
ASA: ifSpeed/ifHighSpeed not populated by SNMP for port-channel |
|
|
ASA: Auth failures for SNMPv3 polling after unit rejoins cluster |
|
|
FIPS self test power on fails - fipsPostDrbgKat |
|
|
ASA traceback on standby when SNMP polling |
|
|
Cisco ASA Software IPsec Denial of Service Vulnerability |
|
|
Stale VPN Context entries cause ASA to stop encrypting traffic |
|
|
"show resource usage detail counter all 1" causes cpu hog |
|
|
ASA classifies TCP packets as PAWS failure incorrectly |
|
|
dhcprelay interface doesn't change by changing route |
|
|
ASA traceback in Thread name DATAPATH when handling multicast packet |
|
|
ASA - TO the box traffic break due to int. missing in asp table routing |
|
|
ASA Traceback on 9.1.5.19 |
|
|
ASA-SFR, ASA should attempt to join Cluster after SFR service module up |
|
|
ASA: "Auto-Enable" feature not working with SSH configured with PKF |
|
|
CWS redirection on ASA may corrupt sequence numbers with https traffic |
|
|
Traceback: ASA crash in thread name fover_health_monitoring_thread |
|
|
Traceback in Unicorn Proxy Thread, in http_header_by_name |
|
|
ASA: Protocol and Status showing UP without connecting the interface |
|
|
After some time flash operations fail and configuration can not be saved |
|
|
CWS: ASA does not append XSS headers |
|
|
ASA: Traceback in Checkheaps |
|
|
Smart Tunnel starts and Java closes without any message |
|
|
ASA traceback in Unicorn Proxy Thread |
|
|
On failover, new standby unit reports out of stack memory |
|
|
show memory indicates inaccurate free memory available |
|
|
ASA memory leak related to Botnet |
|
|
SNMP: Memory Leak Walking CISCO-ENHANCED-MEMPOOL-MIB |
|
|
Primary and Secondary ASA in HA is traceback in Thread Name:DataPath |
|
|
ASA 9.4.2 traceback in DATAPATH |
|
|
Traceback in ctm_ssl_generate_key with DHE ciphers SSL VPN scaled test |
|
|
Different output of BVI address in transparent mode on failover pair |
|
|
DAP: debug dap trace not fully shown after +1600 lines |
|
|
Traffic drop due to constant amount of arp on ASASM |
|
|
"show resource usage" gives wrong number of routes after shut/no sh |
|
|
Stub Connections Torn Down due to Shun/Threat Detection in ASA Cluster |
|
|
Nat pool exhausted observed when enabling asp transactional-commit nat |
|
|
DNS Reply Modification for Dual-Stack does not work as expected |
|
|
VLAN mapping doesn't work when connection falls back to TLS |
|
|
ASA Traceback Assert in Thread Name: ssh_init with component ssh |
|
|
ASA using a huge dynamic ACL may cause Anyconnect connectivity failures |
|
|
ASA denies to-the-box traffic intended to CX |
|
|
ASA tracebacks when replicating Xlate to the standby/slave |
|
|
ASA reloads with traceback in thread name DATAPATH or CP Processing |
|
|
ASA5516 SSD reports incorrect OID in Entity MIB |
|
|
Uploaded/downloaded files via CIFS have Zero Byte size (same WebFolder) |
|
|
Update WR OS to RCPL 27 |
|
|
Traceback in Thread: IPsec message handler |
|
|
ASA: MAC address changes on active context when WRITE STANDBY is issued |
|
|
Re-adding context creates context without configs on some slaves |
|
|
Smart tunnel does not work since Firefox 32bit version 43 |
|
|
9.5(1) ECDSA CSR sets KU KeyEnciph vice KeyAgreement |
|
|
HA: Number of interfaces mismatch after SFR module reload on both units |
|
|
ASA: Assert traceback in version 9.4.2 |
|
|
Mem leak on active ASA after executing write st then logoff repeatedly |
|
|
ASA may traceback with: DATAPATH-9-3101/DATAPATH-7-3145/DATAPATH-3-1685 |
|
|
Add support for IPv6 assigned address field in Radius Accounting packet |
|
|
ASA rewriter incorrectly handle HTML code of type <base>xxx</base> |
|
|
Traceback when drop is enabled with diameter inspection and tls-proxy |
|
|
STBY ASA does't pass traffic via ASA-IC-6GE-SFP-B ifc after reload |
|
|
ASA generates unexpected syslog messages with mcast routing disabled |
|
|
VPN Load-Balancing does not send load-balancing cert for IPv6 Address |
|
|
Cisco ASA ACL ICMP Echo Request Code Filtering Vulnerability |
|
|
ASA traceback in thread name snmp after upgrade to 9.1(7) |
|
|
Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt |
|
|
VPN LB stops working when cluster encryption is configured |
|
|
ASA Crash on cluster member or on standby member of failover pair after replication of conns |
|
|
ASA Access-list missing and losing elements after configuration change |
|
|
Can't navigate to OWA 2013 due to ssl errors |
|
|
IKEv2 S2S tunnel does not come up because previous sa not deleted |
|
|
Traceback: assertion "0" failed: file "ctm_daemon.c" |
|
|
OCSP validation fails when multiple certs in chain are verified |
|
|
ASA: Not able to remove ACE with "log default" keyword |
|
|
BGP:Deployment failed with reason supported on management-only interface |
|
|
L2TP over IPSec can not be connected after disconnection from client. |
|
|
SNMP Syslog Traps are not RFC3164 Compliant for the TAG (Mnemonic) Field |
|
|
ASA reloads in thread name: DATAPATH while encrypting L2L packet |
|
|
ASA WebVPN: Java Exception with Kronos application |
|
|
BVI : Interface IPv6 address deleted from standby context on HA - A/A |
|
|
ASA : Configuration not replicated on mate if standby IP is missing |
|
|
http config missing in multicontext after reload of stdby 916.9 or later |
|
|
Traceback at gtpv1_process_pdp_create_req |
|
|
Number of routes in the active and standby units are not same |
|
|
Crash in proxyi_rx_q_timeout_timer |
|
|
Buffer overflow in RAMFS dirent structure causing traceback |
|
|
ASA corrupts data in TLS-Proxy with TLS version 1.2 |
|
|
Evaluation of pix-asa for OpenSSL March 2016 |
|
|
Unicorn Proxy Thread causing CP contention |
|
|
ASAv sub-interface failing to send traffic with customised mac-address |
|
|
Unable to configure a user for ssh public auth only (tied w/ CSCuw90580) |
|
|
IPv6 Routes not installed on QP |
|
|
Duplicate link-local address observed after failover |
|
|
If FQDN is more than 64 chars then we redirect to ip instead of FQDN |
|
|
ASA 9.1(6) traceback processing outbound DTLS Packet |
|
|
Cisco ASA Software DHCP Relay Denial of Service vulnerability |
|
|
SIP call transfer fail due to differences b/w fixing CallId and Refer-To |
|
|
Traceback in thread name idfw when modifying object-group having FQDN |
|
|
Assert Traceback in Thread Name: DATAPATH on clustered packet reassembly |
|
|
WebVPN FTP client failing with "Error contacting host" message |
|
|
orignial master not defending all GARP packets after cluster split brain |
|
|
Threat-detection: expired shun hosts remain in some ifcs in tfw mode |
|
|
FO replication failed: cmd=no disable, when disabling webvpn-cache |
|
|
OSPF routes not populating over L2L tunnel |
|
|
ASA failed to allow tcp traffic from inside to outside |
|
|
ASA crashes when global access-list config is cleared |
|
|
Rewriter error with webworker JS |
|
|
ASA traceback when receive Radius attribute with improper variable type |
|
|
BFD: ASA might traceback in snp_bfd_pp_process+101 |
|
|
ASA - Traceback in CP Processing Thread During Private Key Decryption |
|
|
ASA does not suppress EIGRP candidate default route information |
|
|
AnyConnect DTLS on-demand DPDs are not sent intermittently |
|
|
AAA: RSA/SDI unable to set new PIN |
|
|
ASA may stop responding to OSPF Hello packets |
|
|
ASA should not load-balance same flow traffic over port-channel CCL |
|
|
show running-config doesn't display any threat-detection commands |
|
|
ASA inconsistent logs about Connection limit exceeded |
|
|
Improve efficiency of malloc_avail_freemem() |
|
|
Slow ASA OSPF interface transition from DOWN to WAITING after failover |
|
|
ENH: ASAv should have a different pre-loaded cert |
|
|
ASA 9.1.6.4 traceback with Thread Name: telnet/ci |
|
|
IKEv2 tunnel gets re-established intermittently after a IPSec rekey |
|
|
IPSec rekey collision handling failure cases IKE tunnel drop |
|
|
Memory leak in 112 byte bin when packet hits PBR and WCCP rules |
|
|
Active and Standby ASA use same MAC addr with only active MAC configured |
|
|
Incorrect msg shown when configuring MAC addr same as already configured |
|
|
WebVPN: Webpage not fully rewritten when ASA has the same FQDN as srv |
|
|
ASA does not respond to NS in Active/Active HA |
|
|
infinite loop in JS rewriter state machine when return followed by var |
|
|
ASA Traceback and reload by strncpy_sx.c |
|
|
Cisco ASA Software Internet Key Exchange Version 1 XAUTH Denial of Service Vulnerability |
|
|
Kenton 9.5.1'boot system/boot config' commands not retained after reload |
|
|
5585-10 traceback in Thread Name: idfw_proc |
|
|
Incorrect modification of NAT divert table. |
|
|
Error messages on console "ERROR: Problem with interface " |
|
|
9.6.2 EST - assertion "0" failed: file "snp_vxlan.c" |
|
|
CSCOPut_hash can initiate unexepected requests |
|
|
ASA traceback in threadname ssh |
|
|
MH/MS:Observed traceback - mh->mh_mem_pool < MEMPOOL_MAX_TYPE |
|
|
CPU usage is high after timer dequeue failed in GTP |
|
|
Allocated memory showing high (invalid) values |
|
|
BTF is not blocking blacklisted domain with more than 2 labels in it |
|
|
Context config may get rejected if all the units in Cluster reloaded |
|
|
Network command disappears from BGP after reload with name |
|
|
Traceback in IKEv2 Daemon with 20+ second CPU hog. |
|
|
ASA QOS fails to classify packets between priority and best effort queue |
|
|
Drop down menu doesn't work on Simfosia web page |
|
|
Traceback on editing a network object on exceeding the max snmp hosts |
|
|
ASA Tback when large ACL applied to interface with object-group-search |
|
|
ASA: Page Fault traceback in DATAPATH on standby ASA after booting up |
|
|
ASA capture type isakmp saving malformed ISAKMP packets |
|
|
WebVPN rewrite fails for MSCA Cert enrollment page / VBScript |
|
|
ASA memory leak due to vpnfo |
|
|
dynamic crypto map fails if named the same as static crypto map |
|
|
ASA Stateful failover for DRP works intermittently |
|
|
ASA(HA) doesn't send RST packets when sfr module shutdown |
|
|
Traceback data path self deadlock panic while attempt to get spin lock |
|
|
Commands not installed on Standby due to parser switch |
|
|
Many "show blocks" outputs have truncated PC values with ASLR |
|
|
Evaluation of pix-asa for OpenSSL May 2016 |
|
|
Captive-portal code should not be invoked when CX card is present |
|
|
ASA: Traceback on ASA in Datapath as we enable SFR traffic redirection |
|
|
ASA Address not mapped traceback - configuring snmp-server host |
|
|
ASA Access-list missing and losing elements Warning Message enhancement |
|
|
ASA-2-321006 May be received invalidly when memory is not high |
|
|
Interface health-check failover causes OSPF not to advertise ASA as ABR |
|
|
Observing Memory corruption, assert for debug ospf |
|
|
GTP traceback at gtp_update_sig_conn_timestamp while processing data |
|
|
ASA traceback in DATAPATH on all cluster units during context removal |
|
|
SCP Client not allow to enter password with "no ssh stricthostkeycheck" |
|
|
ASA Cut-through Proxy inactivity timeout not working |
|
|
ASA Cluster fragments reassembled before transmission with no inspection |
|
|
ASA may Traceback with Thread Name: cluster rx thread |
|
|
ASA may Traceback with Thread Name: Unicorn Admin Handler |
|
|
ASA crashed due to Election severe problem no master is promoted |
|
|
Crypto ca trustpool import does not fall back to data routing table |
|
|
ASA: SSH being denied on the ASA device as the maximum limit is reached |
|
|
Error Indication dropped with Null TID MBReq dropped with no Ctrl F-TEID |
|
|
traceback during tls-proxy handshake |
|
|
PIM BiDir DF Elections stuck in "offer" state on some interfaces |
|
|
ASA cant delete ACL lines and remarks - Specified remark does not exist |
|
|
IPv6 neighbor discovery packet processing behavior |
|
|
nat-t-disable feature is not working for ikev2 |
|
|
Ikev1 tunnel drops with reason " Peer Address Changed" |
|
|
2048/1550/9344 Byte block leak cause traffic disruption & module failure |
|
|
ASA with PAT fails to untranslate SIP Via field that doesnt contain port |
|
|
ASA crashes while clearing global access-list |
|
|
Inspect-mmp configuration is missing in latest branches. |
|
|
Hash miscalculation for "Any" address on inside |
|
|
IKEv2: Data rekey collisions can cause inactive IPsec SAs to get stuck |
|
|
ASAv ACKs FIN before all data is received during smart licensing exch |
|
|
management-only cli not available in user context of QP-D |
|
|
DNS Doctoring DNS64 is not working |
|
|
ASAv - High CPU utilization |
|
|
ASA traceback with Thread Name: Dispatch Unit |
|
|
Traceback in CP Processing thread after upgrade |
|
|
ASA 9.4.2.6 High CPU due to CTM message handler due to chip resets |
|
|
Remove ACL warning messages in show access-list when FQDN is resolved |
|
|
Unexpected end of file logon.html in WebVPN |
|
|
ASA sends invalid interface id to SFR for clientless VPN traffic |
|
|
ASA not rate limiting with DSCP bit set from the Server |
|
|
show service-policy output reporting incorrect values |
|
|
ASA : Mem leak in cluster mode due to PBR lookup |
|
|
ASA: SLA Monitor not working with floating timeout configured to nonzero |
|
|
ASAv5 shows very high memory usage |
|
|
Unable to auth a 2nd time via clientless after ASA upgrade |
|
|
ASA ASSERT traceback in DATAPATH due to sctp inspection |
|
|
snmpwalk not working for some NAT OIDs |
|
|
On reloading the ASA, ASA mounts SSD as disk 0, instead of the flash. |
|
|
IPv6 OSPF routes do not update when a lower metric route is advertised |
|
|
ASA: SIP Call Drops with PAT when same media port used in multiple calls |
|
|
TLS Proxy feature missing client trust-point command |
|
|
ASA SM on 9300 reloads multi-context over SSH when config-url is entered |
|
|
ASA : PBR Mem leak as packet dropped |
|
|
ASA treaceback at Thread Name: rtcli async executor process |
|
|
OSPFv3/IPv6 flapping every 30 min between ASA cluster and 4500 |
|
|
ASA DATAPATH traceback (Cluster) |
|
|
Traceback on CP Process with H323 inspection, rip h323_service_early_msg |
|
|
BGP Socket not open in ASA after reload |
|
|
Cisco ASA Cross Site Scripting SSLVPN Vulnerability |
|
|
Cisco ASA Input Validation File Injection Vulnerability |
|
|
ASA traceback in CLI thread while making MPF changes |
|
|
Crypto accelerator ring timeout causes packet drops |
|
|
ASA 'show inventory' shows 'Driver Error, invalid query ready' |
|
|
IKEv2 RA cert auth. Unable to allocate new session. Max sessions reached |
|
|
ASA OSPFv3 interface ID changes upon disabling/enabling failover |
|
|
Traceback in Thread Name: ssh when issuing show tls-proxy session detail |
|
|
SCTP MH:pin hole removed and added freq on standby with dual nat |
|
|
memory leak in ssh |
|
|
ASA uses "::" for host IP addresses if booted with an improper config |
|
|
ASA capture type isakmp not saving reassembled rfc7383 IKEv2 packets |
|
|
ASAv-Azure: waagent may reload when asav deployed with load balancer |
|
|
Increasing the global ARP request pool |
|
|
CISCO-MEMORY-POOL-MIB returns incorrect values for heapcache |
|
|
Clustering: TFW asynchronous flow packet drop due to L2 entry timeout |
|
|
Shut down interfaces shows up in ASP routing table |
|
|
uauth is failed after failover |
|
|
SmartLic: Inter-chassis master switchover license race condition |
|
|
SNMPv3 active engineID is not reset when ASA is replaced |
|
|
ASA drops ICMP request packets when ICMP inspection is disabled |
|
|
Unable to relay DHCP discover packet from ASA when NAT is matched |
|
|
OSPF generates Type-5 LSA with incorrect mask, which gets stuck in LSDB |
|
|
ASA stuck in boot loop due to FIPS Self-Test failure |
|
|
ASA negotiates TLS1.2 when server in tls-proxy |
|
|
ICMP error packets in response to reply packets are dropped |
|
|
ASA : Enabling IKEv1/IKEv2 opens RADIUS ports |
|
|
ipsecvpn-ikev2_oth: 5525 9.4.2.11 traceback in Thread Name: IKEv2 Daemon |
|
|
ASR9000 BGP Graceful Restart doesnt work as expected |
|
|
IPV6 address not assigned when connecting via IPSEC protocol |
|
|
ASAv hangs often during reboot |
|
|
ASAv show hostname generates smart licensing authorization request |
|
|
ASA: CHILD_SA collision brings down IKEv2 SA |
|
|
ASA memory leak for CTS SGT mappings |
|
|
FTD - 6.1 - redistribute connected is redistributing Internal-Data (NLP) |
|
|
HTML5: Guacamole server requires page refresh |
|
|
GTP traceback at gtpv1_process_msg for echo response |
|
|
OTP authentication is not working for clientless ssl vpn |
|
|
AnyConnect Sessions Cannot Connect Due to Stuck L2TP Uauth Sessions |
|
|
issuer-name falsely detecting duplicates in certificate map using attr |
|
|
ASA Traceback when issue 'show asp table classify domain permit' |
|
|
ASA Traceback in CTM Message Handler |
|
|
Cisco ASA SNMP Remote Code Execution Vulnerability |
|
|
ASA Cluster DHCP Relay doesn't forward the server replies to the client |
|
|
ASA 5585-60 dropping out of cluster with traceback |
|
|
Enqueue failures on DP-CP queue may stall inspected TCP connection |
|
|
971 EST - Console hang on show capture |
|
|
SIP: Address from Route: header not translated correctly |
|
|
Traceback in IKE_DBG |
|
|
Unable to delete the SNMP config |
|
|
H.323 inspection causes Traceback in Thread Name: CP Processing |
|
|
traceback in network udpmod_get after anyconnect test load application |
|
|
Internal ATA Compact Flash size is incorrectly shown in "show version" |
|
|
wr mem/ wr standby is not syncing configs on standby |
|
|
ASA DHCP Relay rewrites netmask and gw received as part of DHCP Offer |
|
|
ASA Page fault traceback in Thread Name: DATAPATH |
|
|
ASA drops ACK to DHCPINFORM message citing "DHCPRA: Ignoring ACK due to different server identity." |
|
|
ASA stops processing DHCP Offers in a based RAVPN |
|
|
Buffer Overflow in ASA Leads to Remote Code Execution |
|
|
Sweet32 Vulnerability in ASA's SSH Implementation |
|
|
Remove ACL warning messages in show access-list when FQDN is unresolved |
|
|
ASA Traceback in thread name CP Processing due to DCERPC inspection |
|
|
ASA 9.1.7-9 crash in Thread Name: NIC status poll |
|
|
IPv6 DNS packets getting malformed when DNS inspection is enabled. |
|
|
Webvpn rewriter failing on matterport.com |
|
|
ASA 1550 block depletion with multi-context transparent firewall |
|
|
AAA authentication/authorization fails if only accessible via mgmt vrf |
|
|
Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416 |
|
|
ASA may generate DATAPATH Traceback with policy-based routing enabled |
|
|
ASA Multiple Context SNMP PAT Interface Missing |
|
|
Traceback : ASA with Threadname: DATAPATH-0-1790 |
|
|
WebVPN:VNC plugin:Java:Connection reset by peer: socket write error |
|
|
ASA traceback with passive-interface default on 9.6(2) |
|
|
Cisco ASA Signature Verification Misleading Digital Signing Text On Boot |
|
|
Cisco ASA Remove Mis-leading Secure Boot commands on non-SB hardware |
|
|
Thread Name: snmp ASA5585-SSP-2 running 9.6.2 traceback |
|
|
Failover after IKE rekey fails to initiate ph1 rekey on act device |
|
|
ASA PKI OCSP failing - CRYPTO_PKI: failed to decode OCSP response data. |
|
|
SmartLic: Trigger auth renewal from the app for cluster role change |
|
|
Lower NFS throughput rate on Cisco ASA platform |
|
|
nlp_int_tap routes seen in ASA "sh route" command |
|
|
nlp information seen in ipv6 commands |
|
|
ASA not sending Authen Session End log if user logs out manually |
|
|
Cisco ASA Software DNS Denial of Service Vulnerability |
|
|
GTPv2 Dropping instance 1 handoffs |
|
|
ASA Traceback in Checkheaps Thread |
|
|
ASA traceback with Thread Name aaa_shim_thread |
|
|
Cisco ASA Software and Cisco FTD Software TCP Normalizer Denial of Service Vulnerability |
|
|
ASDM : memory usage reading incorrect for ASAv 9.6.2 |
|
|
ASA traceback observed on auto-update thread. |
|
|
Evaluation of pix-asa for Openssl September 2016 |
|
|
Delete Bearer Req fails to delete second default bearer after v2 Handoff callflow. |
|
|
Traceback triggered by CoA on ASA when sending/receiving to/from ISE |
|
|
IKEv2: It is NOT cleaning the sessions after disconnected from the client. |
|
|
ASA traceback at Thread Name: rtcli |
|
|
RADIUS authorization request does not send Called-Station-ID attribute |
|
|
Lina core during failover with sip traffic |
|
|
viewer_dart.js file not loading correctly |
|
|
OSPF continuously flaps after master change (L2 cluster, multi-ctx) |
|
|
VPN tunnels are lost after failover due to OSPF route issue |
|
|
ASA Traceback Thread Name: emweb/https |
|
|
ASA : Discrepancy in used memory calculation for Multiple context firewall |
|
|
GARP flood done by ASAs in multi-site cluster using the site-ip address |
|
|
EIGRP: Need to add large number error handling when getting scaled bandwidth |
|
|
Object-group-search redundant service group objects are incorrectly removed |
|
|
9.6.2 TCP connection doesn't work through L2TP |
|
|
AAA session handle leak with IKEv2 when denied due to time range |
|
|
ASA-SM traceback with Thread : fover_parse during upgrade OS 9.1.6 to 9.4.3 |
|
|
ASA fairly infrequently rewrites the dest MAC address of multicast packet for client |
|
|
webvpn_state cookie information disclosure in url |
|
|
ASA traceback at Thread Name: IKE Daemon. |
|
|
SCP fails in 962 |
|
|
ASA dropping traffic with TCP syslog configured in multicontext mode |
|
|
EZVPN NEM client can't reconnect after "no vpnclient enable" is entered |
|
|
4GE-SSM RJ45 interface may drop traffic due to interface "rate limit drops" |
|
|
v1 PDP may get deleted on parse IE failure |
|
|
ASA: Stuck uauth entry rejects AnyConnect connection despite fix for CSCuu48197 |
|
|
WebVPN: Internal page login button not working through rewriter |
|
|
ASA drops DNS PTR Reply with reason Label length exceeded during rewrite |
|
|
Cluster ASA drops to-the-box ICMP replies with reason "inspect-icmp-seq-num-not-matched" |
|
|
ASA SIP inspection may delay transmission of 200 OK when embedded with NOTIFY |
|
|
Incorrect behaviour when SNMP polling is done on virtual IP of an ASA cluster. |
|
|
ASA : memory leak due to ikev2 |
|
|
RDP Plugin Connection failed with error |
|
|
PLR: ASAv generates invalid reservation code |
|
|
ASA DHCP relay is incompatible with intercept-dhcp feature |
|
|
ASA cluster TCP/SSL ports are not displayed on LISTEN state |
|
|
ASA unable to add multiple attribute entries in a certificate map |
|
|
ASAv may crash when running webvpn |
|
|
ASA fails SSL VPN session establishment with EC under load |
|
|
9.6.2 - Traceback during AnyConnect IKEv2 Performance Test |
|
|
ASA multicontext disallowing new conns with TCP syslog unreachable and logging permit-hostdown set |
|
|
ASA-SM 9.5.2 inspect-sctp licensing breaks existing deployments |
|
|
ASA traceback at Thread Name: sch_syslog |
|
|
Cisco ASA Heap Overflow in Webvpn CIFS |
|
|
MIB object cempMemPoolHCUsed disappeared |
|
|
ASA: OspfV3 routes are not getting installed |
|
|
ASA portal reveals that multiple context is configured when anyconnect is deployed. |
|
|
Error synchronizing the SNMPv3 user after rebooting a cluster unit |
|
|
ASA memory leak in CloneOctetString when using SNMP polling |
|
|
Implement speed improvements for ACL and NAT table compilation |
|
|
Firepower Threat Defense (FTD) IKEv2 NAT-T gets disabled after reboot |
|
|
SSL connection hangs between ASA and backend server in clientless WebVPN |
|
|
ASA with FirePOWER module generates traceback and reloads or causes process not running |
|
|
Anyconnect address assignment fails using external DHCP server when ASA is in Multi-context Mode |
|
|
ASA clustering: mac-address cmd is ignored on spanned port-channel interface in 9.6.2 |
|
|
ASA not update access-list dynamically when forward-reference enable is configured |
|
|
Webvpn portal not displayed corrrectly for connections landing on default webvpn group. |
|
|
ASA inspection-MPF ACL changes are not getting ordered correctly in the ASP Table |
|
|
ASA may traceback with Thread Name: Unicorn Admin Handler |
|
|
Reloading Active unit in Active/Standby ASA failover pair is not triggering a failover. |
|
|
ikev2 handles get leaked in a L2L setup |
|
|
ASA incorrectly processing negative numbers in wrappers, resulting in graphical webvpn issue |
|
|
SIP: 200 OK messages with multiple seqments not reassembled correctly |
|
|
ASA L3 Cluster: DHCP relay drops DHCPOFFER in case of asymmetric routing |
|
|
Tracking route is up while the reachability is down |
|
|
Traceback in ASA Cluster Thread Name: qos_metric_daemon |
|
|
Traceback observed on gtpv2_process_msg on cluster |
|
|
BGP's BFD support code opens tcp/udp 3784 and 3785 to bypass access-lists |
|
|
ASA may traceback in network_tcpmod_close_conn with AnyConnect IPv6 DTLS stress scenario |
|
|
ASA watchdog traceback during cluster config sync with rest-api enabled |
|
|
ASA nat pool not getting updated correctly. |
|
|
Unable to configure ssh public auth for script users |
|
|
ASA traceback in threadname Datapath |
|
|
1550-byte block depletion seen due to Radius Accounting packets |
|
|
ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded' |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.
Feedback