Release Notes for the Cisco ASA Series, 9.8(x)
This document contains release information for Cisco ASA software Version 9.8(x).
Important Notes
- ASDM signed-image support in 9.8(4.45)/7.18(1.152) and later—The ASA now validates whether the ASDM image is a Cisco digitally signed image. If you try to run an older ASDM image with an ASA version that has this fix, ASDM is blocked and the message “%ERROR: Signature not valid for file disk0:/<filename>” is displayed at the ASA CLI. ASDM release 7.18(1.152) and later are backwards compatible with all ASA versions, including those without this fix. (CSCwb05291, CSCwb05264)
- Upgrade ROMMON for ASA 5506-X, 5508-X, and 5516-X to Version 1.1.15—There is a new ROMMON version for these ASA models (May 15, 2019); we highly recommend that you upgrade to the latest version. To upgrade, see the instructions in the ASA configuration guide.
  Caution: The ROMMON upgrade to 1.1.15 takes twice as long as previous ROMMON versions, approximately 15 minutes. Do not power cycle the device during the upgrade. If the upgrade is not complete within 30 minutes or it fails, contact Cisco technical support; do not power cycle or reset the device.
- Before upgrading to 9.8(2) or later, FIPS mode requires the failover key to be at least 14 characters—Before you upgrade to 9.8(2) or later in FIPS mode, you must change the failover key or failover ipsec pre-shared-key to be at least 14 characters long. If the key is too short, it is rejected when you upgrade the first unit, and both units become active (a split-brain condition) until you set the failover key to a valid value.
- If you are using SAML authentication with AnyConnect 4.4 or 4.5 and you deploy ASA version 9.7.1.24, 9.8.2.28, or 9.9.2.1 (Release Date: 18-APR-2018), the default SAML behavior is the embedded browser, which is not supported on AnyConnect 4.4 and 4.5. Therefore, you must enable the saml external-browser command in the tunnel-group webvpn-attributes configuration for AnyConnect 4.4 and 4.5 clients to authenticate with SAML using the external (native) browser.
  Note: The saml external-browser command is for migration purposes for those upgrading to AnyConnect 4.6 or later. Because of security limitations, use this solution only as part of a temporary migration while upgrading AnyConnect software. The command will be deprecated in the future.
- Do not upgrade to 9.8(1) for ASAv on Amazon Web Services—Due to CSCve56153, you should not upgrade to 9.8(1); after upgrading, the ASAv becomes unreachable. Upgrade to 9.8(1.5) or later instead.
- ASAv5 memory issues—Starting in Version 9.7(1), the ASAv5 may experience memory exhaustion where certain functions such as enabling AnyConnect or downloading files to the ASAv fail. The following bugs were fixed in 9.8(1.5) to transparently improve memory function and to optionally allow you to assign more memory to the ASAv5 if necessary: CSCvd90079 and CSCvd90071.
- The RSA toolkit version used in ASA 9.x is different from the one used in ASA 8.4, which causes differences in PKI behavior between the two versions. For example, ASAs running 9.x allow you to import certificates with an Organizational Unit (OU) field of up to 73 characters, while ASAs running 8.4 accept an OU field of at most 60 characters. Because of this difference, a certificate with an OU longer than 60 characters imports on ASA 9.x but fails to import on ASA 8.4, typically with the error "ERROR: Import PKCS12 operation failed."
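A pre-import check for the OU length difference described in the last note above, added here as an example; it is not Cisco's or the release note's own code. It parses a certificate subject DN in RFC 4514 string form (as `openssl x509 -noout -subject -nameopt RFC2253` prints it) and reports OU values longer than the 60-character limit the note gives for 8.4, or the 73-character limit for 9.x. The sample DNs are constructed; the function and constant names, and the assumption that the limit applies to the decoded attribute value, are this example's own.

```python
"""Pre-import check for the ASA 8.4 / 9.x OU length difference (added example).

Limits come from the release note (60 chars import on 8.4, 73 on 9.x). Assumes the
subject DN is an RFC 4514 string and that the limit applies to the decoded value.
"""
from typing import List, Tuple

ASA_84_MAX_OU_LEN = 60  # from the release note
ASA_9X_MAX_OU_LEN = 73  # from the release note

_HEX = "0123456789abcdefABCDEF"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (attribute type, decoded value) pairs.

    Handles '\\,' style escapes and '\\2C' hex escapes, and treats '+' (multi-valued
    RDN) like ',' so every attribute is returned on its own. Values come back
    unescaped, i.e. at the length the certificate actually carries.
    """
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    i, n = 0, len(dn)
    while i <= n:
        if i == n or dn[i] in ",+":
            item = "".join(buf).strip()
            if item:
                typ, _, val = item.partition("=")
                pairs.append((typ.strip().upper(), val.strip()))
            buf = []
        elif dn[i] == "\\" and i + 2 < n and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
            buf.append(chr(int(dn[i + 1:i + 3], 16)))  # \XX hex escape (ASCII range)
            i += 2
        elif dn[i] == "\\" and i + 1 < n:
            buf.append(dn[i + 1])  # keep the escaped character, drop the backslash
            i += 1
        else:
            buf.append(dn[i])
        i += 1
    return pairs


def ou_values(dn: str) -> List[str]:
    """All OU attribute values in the DN, in order."""
    return [val for typ, val in parse_dn(dn) if typ == "OU"]


def oversized_ou(dn: str, max_len: int = ASA_84_MAX_OU_LEN) -> List[str]:
    """OU values longer than the target release accepts (default: the 8.4 limit)."""
    return [val for val in ou_values(dn) if len(val) > max_len]


# Constructed DNs, not taken from a real certificate.
DN_LONG_OU = (
    "CN=vpn.example.com,"
    "OU=Infrastructure Security Engineering Platform Services Division EMEA,"
    "O=Example Corp,C=US"
)
DN_ESCAPED_OU = "CN=vpn.example.com,OU=Sales\\, Europe,O=Example Corp,C=US"

if __name__ == "__main__":
    for dn in (DN_LONG_OU, DN_ESCAPED_OU):
        print(dn)
        print("  OU lengths:", [len(v) for v in ou_values(dn)])
        print("  too long for 8.4:", oversized_ou(dn))
        print("  too long for 9.x:", oversized_ou(dn, ASA_9X_MAX_OU_LEN))
```

Run it against the subject of the PKCS#12 you intend to push: a 67-character OU (the first sample) passes on 9.x and is flagged for 8.4, which is exactly the case the note describes.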
System Requirements
This section lists the system requirements to run this release.
ASA and ASDM Compatibility
For information about ASA/ASDM software and hardware requirements and compatibility, including module compatibility, see Cisco ASA Compatibility.
VPN Compatibility
For VPN compatibility, see Supported VPN Platforms, Cisco ASA 5500 Series.
New Features
This section lists new features for each release.
Note: New, changed, and deprecated syslog messages are listed in the syslog message guide.
New Features in ASA 9.8(4)
Released: April 24, 2019
| Feature | Description |
|---|---|
| VPN Features | |
| Add subdomains to webVPN HSTS | Adds the includeSubDomains directive to the HSTS header sent by the clientless SSL VPN portal, so that the policy also covers subdomains of the portal's domain; the directive is one of the requirements for submitting a domain to the browser HSTS preload list. New/Modified commands: hostname(config-webvpn) includesubdomains. Also in 9.12(1). |
| Administrative Features | |
| Allow non-browser-based HTTPS clients to access the ASA | You can allow non-browser-based HTTPS clients to access HTTPS services on the ASA. By default, ASDM, CSM, and REST API are allowed. Many specialty clients (for example, Python libraries, curl, and wget) do not support Cross-Site Request Forgery (CSRF) token-based authentication, so you need to specifically allow these clients to use the ASA basic authentication method. For security purposes, allow only the clients you require. New/Modified commands: http server basic-auth-client. Also in 9.12(1). |
| show tech-support includes additional output | The output of show tech-support is enhanced to include the output of additional show commands. New/Modified commands: show tech-support. Also in 9.12(1). |
| Support to enable and disable the results for free memory and used memory statistics during SNMP walk operations | To avoid overutilization of CPU resources, you can enable and disable the query of free memory and used memory statistics collected through SNMP walk operations. New/Modified command: snmp-server enable oid. Also in 9.10(1). |
New Features in ASA 9.8(3)
Released: July 2, 2018
| Feature | Description |
|---|---|
| Platform Features | |
| Firepower 2100 Active LED now lights amber when in standby mode | Formerly, the Active LED was unlit in standby mode. |
| Firewall Features | |
| Support for removing the logout button from the cut-through proxy login page | If you configure the cut-through proxy to obtain user identity information (the AAA authentication listener), you can now remove the logout button from the page. This is useful in cases where users connect from behind a NAT device and cannot be distinguished by IP address; when one user logs out, it logs out all users sharing that IP address. New/Modified commands: aaa authentication listener no-logout-button |
| Trustsec SXP connection configurable delete hold down timer | The default SXP connection hold down timer is 120 seconds. You can now configure this timer, from 120 to 64000 seconds. New/Modified commands: cts sxp delete-hold-down period, show cts sxp connection brief, show cts sxp connections |
| VPN Features | |
| Support for legacy SAML authentication | If you deploy an ASA with the fix for CSCvg65072, then the default SAML behavior is to use the embedded browser, which is not supported on AnyConnect 4.4 or 4.5. Therefore, to continue to use AnyConnect 4.4 or 4.5, you must enable the legacy external browser SAML authentication method. Because of security limitations, use this option only as part of a temporary plan to migrate to AnyConnect 4.6. This option will be deprecated in the near future. New/Modified commands: saml external-browser |
| Interface Features | |
| Unique MAC address generation for single context mode | You can now enable unique MAC address generation for VLAN subinterfaces in single context mode. Normally, subinterfaces share the same MAC address with the main interface. Because IPv6 link-local addresses are generated based on the MAC address, this feature allows for unique IPv6 link-local addresses. New or modified command: mac-address auto. Also in 9.9(2) and later. |
New Features in ASA 9.8(2)
Released: August 28, 2017
| Feature | Description |
|---|---|
| Platform Features | |
| ASA for the Firepower 2100 series | We introduced the ASA for the Firepower 2110, 2120, 2130, and 2140. Similar to the Firepower 4100 and 9300, the Firepower 2100 runs the base FXOS operating system and then the ASA operating system as an application. The Firepower 2100 implementation couples FXOS more closely with the ASA than the Firepower 4100 and 9300 do (pared down FXOS functions, single device image bundle, easy management access for both ASA and FXOS). FXOS owns configuring hardware settings for interfaces, including creating EtherChannels, as well as NTP services, hardware monitoring, and other basic functions. You can use the Firepower Chassis Manager or the FXOS CLI for this configuration. The ASA owns all other functionality, including Smart Licensing (unlike the Firepower 4100 and 9300). The ASA and FXOS each have their own IP address on the Management 1/1 interface, and you can configure management of both the ASA and FXOS instances from any data interface. We introduced the following commands: connect fxos, fxos https, fxos snmp, fxos ssh, ip-client |
| Department of Defense Unified Capabilities Approved Products List | The ASA was updated to comply with the Unified Capabilities Approved Products List (UC APL) requirements. In this release, when you enter the fips enable command, the ASA will reload. Both failover peers must be in the same FIPS mode before you enable failover. We modified the following command: fips enable |
| ASAv for Amazon Web Services M4 instance support | You can now deploy the ASAv as an M4 instance. We did not modify any commands. |
| ASAv5 1.5 GB RAM capability | Starting in Version 9.7(1), the ASAv5 may experience memory exhaustion where certain functions such as enabling AnyConnect or downloading files to the ASAv fail. You can now assign 1.5 GB (up from 1 GB) of RAM to the ASAv5. We did not modify any commands. |
| VPN Features | |
| HTTP Strict Transport Security (HSTS) header support | HSTS protects websites against protocol downgrade attacks and cookie hijacking on clientless SSL VPN. It lets web servers declare that web browsers (or other complying user agents) should only interact with them using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797. We introduced the following commands: hsts enable, hsts max-age age_in_seconds |
| Interface Features | |
| VLAN support for the ASAv50 | The ASAv50 now supports VLANs on the ixgbe-vf vNIC for SR-IOV interfaces. We did not modify any commands. |
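The HSTS rows above (hsts enable and hsts max-age in 9.8(2), and the includeSubDomains option listed under 9.8(4)) describe the Strict-Transport-Security header the clientless SSL VPN portal sends. The following checker, added here as an example and not Cisco code, audits a captured response against RFC 6797 and reports what would keep the domain out of the browser HSTS preload list; the one-year minimum max-age, includeSubDomains and the preload directive are the preload-list requirements (hstspreload.org), not ASA settings. The sample responses are constructed and the function names are this example's own.

```python
"""Audit the Strict-Transport-Security header returned by a clientless SSL VPN portal.

Added example, not Cisco code. Follows RFC 6797 for parsing; the preload-list
requirements (one-year max-age, includeSubDomains, preload) are assumptions stated above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year; browser preload-list requirement (assumption)


@dataclass
class HstsPolicy:
    max_age: int = -1                 # -1 means absent or unparseable
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def first_sts_header(raw_headers: str) -> Optional[str]:
    """Value of the first Strict-Transport-Security field, or None.

    RFC 6797 s8.1: if several STS fields are present, a UA processes only the first.
    """
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def parse_hsts(value: str) -> HstsPolicy:
    """Parse an STS field value such as 'max-age=31536000; includeSubDomains; preload'."""
    policy = HstsPolicy()
    seen: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, eq, val = raw.partition("=")
        name = name.strip().lower()                      # directive names are case-insensitive
        if name in seen:
            # RFC 6797 s6.1: each directive may appear only once; a duplicate makes the header invalid
            policy.problems.append(f"duplicate directive '{name}'")
        seen[name] = val.strip().strip('"') if eq else None
    age = seen.get("max-age")
    if "max-age" not in seen:
        policy.problems.append("max-age directive missing (required)")
    elif age is None or not re.fullmatch(r"\d+", age):
        policy.problems.append("max-age is not a non-negative integer")
    else:
        policy.max_age = int(age)
        if policy.max_age == 0:
            policy.problems.append("max-age=0 tells browsers to forget this host's HSTS policy")
    policy.include_subdomains = "includesubdomains" in seen
    policy.preload = "preload" in seen
    return policy


def audit(raw_headers: str) -> HstsPolicy:
    """Audit a raw response header block; a missing header is itself a finding."""
    value = first_sts_header(raw_headers)
    if value is None:
        return HstsPolicy(problems=["no Strict-Transport-Security header (is hsts enable configured?)"])
    return parse_hsts(value)


def preload_gaps(policy: HstsPolicy) -> List[str]:
    """Reasons this policy could not be submitted to the browser preload list."""
    gaps = []
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        gaps.append(f"max-age {policy.max_age} is below one year ({PRELOAD_MIN_MAX_AGE})")
    if not policy.include_subdomains:
        gaps.append("includeSubDomains directive missing")
    if not policy.preload:
        gaps.append("preload directive missing")
    return gaps


# Constructed responses, not captured from a device.
RESPONSE_PRELOAD_READY = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Type: text/html\r\n\r\n"
)
RESPONSE_SHORT_AGE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=604800\r\n\r\n"
RESPONSE_DUPLICATE = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=100; max-age=200\r\n\r\n"
RESPONSE_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for resp in (RESPONSE_PRELOAD_READY, RESPONSE_SHORT_AGE, RESPONSE_DUPLICATE, RESPONSE_NO_HSTS):
        p = audit(resp)
        print(p.max_age, p.problems, preload_gaps(p))
```

Feed it the header block of a response from the portal (for example, what `curl -sI https://vpn.example.com/` returns after enabling HSTS) and act on both lists: `problems` are RFC-level defects that make browsers ignore the header, `preload_gaps` are what stands between the current max-age/includeSubDomains settings and a preload-list submission.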
New Features in ASA 9.8(1.200)
Released: July 30, 2017
Note: This release is only supported on the ASAv for Microsoft Azure. These features are not supported in Version 9.8(2).

| Feature | Description |
|---|---|
| High Availability and Scalability Features | |
| Active/Backup High Availability for ASAv on Microsoft Azure | A stateless Active/Backup solution that allows a failure of the active ASAv to trigger an automatic failover of the system to the backup ASAv in the Microsoft Azure public cloud. We introduced the following command: failover cloud. No ASDM support. |
New Features in ASA 9.8(1)
Released: May 15, 2017
| Feature | Description |
|---|---|
| Platform Features | |
| ASAv50 platform | The ASAv platform has added a high-end ASAv50 platform that provides 10 Gbps firewall throughput. The ASAv50 requires ixgbe-vf vNICs, which are supported on VMware and KVM only. |
| SR-IOV on the ASAv platform | The ASAv platform supports Single Root I/O Virtualization (SR-IOV) interfaces, which allow multiple VMs to share a single PCIe network adapter inside a host. ASAv SR-IOV support is available on VMware, KVM, and AWS only. |
| Automatic ASP load balancing now supported for the ASAv | Formerly, you could only manually enable and disable ASP load balancing. We modified the following command: asp load-balance per-packet auto |
| Firewall Features | |
| Support for setting the TLS proxy server SSL cipher suite | You can now set the SSL cipher suite when the ASA acts as a TLS proxy server. Formerly, you could only set global settings for the ASA using the ssl cipher command. We introduced the following command: server cipher-suite |
| Global timeout for ICMP errors | You can now set the idle time before the ASA removes an ICMP connection after receiving an ICMP echo-reply packet. When this timeout is disabled (the default) and ICMP inspection is enabled, the ASA removes the ICMP connection as soon as an echo-reply is received, so any ICMP errors generated for the (now closed) connection are dropped. This timeout delays the removal of ICMP connections so you can receive important ICMP errors. We added the following command: timeout icmp-error |
| High Availability and Scalability Features | |
| Improved cluster unit health-check failure detection | You can now configure a lower holdtime for the unit health check: 0.3 seconds minimum (the previous minimum was 0.8 seconds). This feature changes the unit health check messaging scheme from keepalives in the control plane to heartbeats in the data plane, which makes clustering more reliable and responsive because it is no longer susceptible to control-plane CPU hogging and scheduling delays. Note that a lower holdtime increases cluster control link messaging activity. Analyze your network before you configure a low holdtime; for example, make sure a ping from one unit to another over the cluster control link returns within holdtime/3, because three heartbeat messages are sent during one holdtime interval. If you downgrade your ASA software after setting the holdtime to 0.3 to 0.7 seconds, the setting reverts to the default of 3 seconds because the new range is unsupported. We modified the following commands: health-check holdtime, show asp drop cluster counter, show cluster info health details |
| Configurable debounce time to mark an interface as failed for the Firepower 4100/9300 chassis | You can now configure the debounce time before the ASA considers an interface to be failed and the unit is removed from the cluster. This feature allows for faster detection of interface failures. Note that a lower debounce time increases the chance of false positives. When an interface status update occurs, the ASA waits the specified number of milliseconds before marking the interface as failed and removing the unit from the cluster. The default debounce time is 500 ms, with a range of 300 ms to 9 seconds. New or modified command: health-check monitor-interface debounce-time |
| VPN Features | |
| Support for IKEv2, certificate based authentication, and ACL in VTI | Virtual Tunnel Interface (VTI) now supports BGP (static VTI). You can now use IKEv2 in standalone and high availability modes. You can use certificate based authentication by setting up a trustpoint in the IPsec profile. You can also apply access lists on VTI using access-group commands to filter ingress traffic. We introduced the following command in the IPsec profile configuration mode: set trustpoint |
| Mobile IKEv2 (MobIKE) is enabled by default | Mobile devices operating as remote access clients require transparent IP address changes while moving. Supporting MobIKE on the ASA allows a current IKE security association (SA) to be updated without deleting the current SA. MobIKE is “always on.” We introduced the following command: ikev2 mobike-rrc, used to enable/disable return routability checking. |
| SAML 2.0 SSO Updates | The default signing method for a signature in a SAML request changed from SHA-1 to SHA-2, and you can configure which signing method you prefer: rsa-sha1, rsa-sha256, rsa-sha384, or rsa-sha512. We changed the following command in webvpn mode: saml idp signature can be configured with a value. Disabled is still the default. |
| Change for tunnelgroup webvpn-attributes | We changed the pre-fill-username and secondary-pre-fill-username value from ssl-client to client. We changed the following commands in webvpn mode: pre-fill-username and secondary-pre-fill-username can be configured with a client value. |
| AAA Features | |
| Login history | By default, the login history is saved for 90 days. You can disable this feature or change the duration, up to 365 days. This feature only applies to usernames in the local database when you enable local AAA authentication for one or more of the management methods (SSH, ASDM, Telnet, and so on). We introduced the following commands: aaa authentication login-history, show aaa login-history |
| Password policy enforcement to prohibit the reuse of passwords, and prohibit use of a password matching a username | You can now prohibit the reuse of previous passwords for up to 7 generations, and you can also prohibit the use of a password that matches a username. We introduced the following commands: password-history, password-policy reuse-interval, password-policy username-check |
| Separate authentication for users with SSH public key authentication and users with passwords | In releases prior to 9.6(2), you could enable SSH public key authentication (ssh authentication) without also explicitly enabling AAA SSH authentication with the local user database (aaa authentication ssh console LOCAL). In 9.6(2), the ASA required you to explicitly enable AAA SSH authentication. In this release, you no longer have to explicitly enable AAA SSH authentication; when you configure the ssh authentication command for a user, local authentication is enabled by default for users with this type of authentication. Moreover, when you explicitly configure AAA SSH authentication, this configuration only applies to usernames with passwords, and you can use any AAA server type (aaa authentication ssh console radius_1, for example). For example, some users can use public key authentication with the local database, and other users can use passwords with RADIUS. We did not modify any commands. Also in Version 9.6(3). |
| Monitoring and Troubleshooting Features | |
| Saving currently-running packet captures when the ASA crashes | Formerly, active packet captures were lost if the ASA crashed. Now, packet captures are saved to disk0 at the time of the crash with the filename [context_name.]capture_name.pcap. We did not modify any commands. |
Upgrade the Software
This section provides the upgrade path information and a link to complete your upgrade.
ASA Upgrade Path
To view your current version and model, use one of the following methods:
- ASDM: Check the device information shown on the ASDM home page.
- CLI: Use the show version command.
This table provides upgrade paths for ASA. Some older versions require an intermediate upgrade before you can upgrade to a newer version.

Note: Be sure to check the upgrade guidelines for each release between your starting version and your ending version. You may need to change your configuration before upgrading in some cases, or else you could experience an outage.

Note: For guidance on security issues on the ASA, and which releases contain fixes for each issue, see the ASA Security Advisories.

Note: ASA 9.12(x) was the final version for the ASA 5512-X, 5515-X, 5585-X, and ASASM. ASA 9.2(x) was the final version for the ASA 5505. ASA 9.1(x) was the final version for the ASA 5510, 5520, 5540, 5550, and 5580.
| Current Version | Interim Upgrade Version | Target Version |
|---|---|---|
| 9.7(x) | — | → 9.8(x) |
| 9.6(x) | — | → 9.8(x) |
| 9.5(x) | — | → 9.8(x) |
| 9.4(x) | — | → 9.8(x) |
| 9.3(x) | — | → 9.8(x) |
| 9.2(x) | — | → 9.8(x) |
| 9.1(2), 9.1(3), 9.1(4), 9.1(5), 9.1(6), or 9.1(7.4) | — | Any of the following: → 9.8(x) → 9.1(7.4) |
| 9.1(1) | → 9.1(2) | Any of the following: → 9.8(x) → 9.1(7.4) |
| 9.0(2), 9.0(3), or 9.0(4) | — | Any of the following: → 9.8(x) → 9.6(x) → 9.1(7.4) |
| 9.0(1) | → 9.0(4) | Any of the following: → 9.8(x) → 9.1(7.4) |
| 8.6(1) | → 9.0(4) | Any of the following: → 9.8(x) → 9.1(7.4) |
| 8.5(1) | → 9.0(4) | Any of the following: → 9.8(x) → 9.1(7.4) |
| 8.4(5+) | — | Any of the following: → 9.8(x) → 9.1(7.4) → 9.0(4) |
| 8.4(1) through 8.4(4) | → 9.0(4) | Any of the following: → 9.8(x) → 9.1(7.4) |
| 8.3(x) | → 9.0(4) | Any of the following: → 9.8(x) → 9.1(7.4) |
| 8.2(x) and earlier | → 9.0(4) | Any of the following: → 9.8(x) → 9.1(7.4) |
Upgrade Link
To complete your upgrade, see the ASA upgrade guide.
Open and Resolved Bugs
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco.com account to log in and access the Cisco Bug Search Tool. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.
For more information about the Cisco Bug Search Tool, see the Bug Search Tool Help & FAQ.
Open Bugs in Version 9.8(x)
The following table lists select open bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | ASA VPN with multiple peers drops incoming packets after failover |
| | Configuration Generation in the crypto portion changes without configuration change |
| | ASA Traceback with Thread Name: Cluster CFG CLI Rep after removing captures and saving configuration |
| | Active unit Tracebacks in 'Thread Name: IKE Daemon' |
| | ASDM load fails with the error message: The flash device is in use by another task. |
| | [SXP] Issue with establishing SXP connection between ASA on FPR-2110 and switches |
| | ASA may log negative values for conn-max exceeded syslog and drop permitted traffic |
| | ASA may traceback and reload while waiting for "dns_cache_timer" process to finish. |
| | Throughput drop when LINA capture is applied on various platforms |
| | FasterXML jackson-databind axis2-jaxws Class Server-Side Request Forge |
| | FasterXML jackson-databind openjpa Class Blocking Vulnerability |
| | FasterXML jackson-databind jboss-common-core Class Blocking Vulnerabil |
| | FasterXML jackson-databind axis2-transport-jms Class Blocking Vulnerab |
| | FasterXML jackson-databind slf4j-ext Class Arbitrary Code Execution Vu |
| | FasterXML jackson-databind Blaze-ds-Opt and Blaze-ds-Core Classes Arbi |
| | FasterXML jackson-databind Polymorphic Deserialization External XML En |
| | ASA L2TP clients fail to receive IP address from local pool |
| | ASA SCP transfer to box stalls mid-transfer |
| | IKEv2: VTI tunnel doesn't work as expected when both sides are configured as initiator |
| | BGP redistribution to OSPF is getting wrong behavior if monitor-interface is enabled |
| | Secondary/active FTD does not block connections while TCP syslog server is not reachable. |
| | ASA traceback DATAPATH: Thread Name: SXP CORE |
| | ASA: Watchdog traceback in Datapath |
| | ASA may traceback and reload because the CPU is not yielded for "dns_cache_timer" thread. |
| | OSPF neighbor command not replicated to standby after write standby or reload |
Resolved Bugs
This section lists resolved bugs per release.
Resolved Bugs in Version 9.8(4)
The following table lists select resolved bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | WebVPN 'enable intf' with DHCP, CLI missing when ASA boots |
| | Unable to SSH over remote access VPN (telnet, asdm working) |
| | ASA traceback at first boot in 5506 due to unable to allocate enough LCMB memory |
| | ASA policy-map configuration is not replicated to cluster slave |
| | ASA traceback in DATAPATH thread while running captures |
| | Traceback when syslog sent over VPN tunnel |
| | ASA boot loop caused by logs sent after FIPS boot test |
| | Traceback on Thread Name: DATAPATH-2-1785 |
| | asdm displays error uploading image |
| | FTD Diagnostic Interface does Proxy ARP for br1 management subnet |
| | GTP inspection may spike cpu usage |
| | Cisco ASA sw, FTD sw, and AnyConnect Secure Mobility Client SAML Auth Session Fixation Vulnerability |
| | Default DLY value of port-channel sub interface mismatch |
| | An ASA may Traceback and reload when processing traffic |
| | IKEv2 MOBIKE session with Strongswan/3rd party client fails due to DPD with NAT detection payload. |
| | ASA may traceback and reload in Thread Name: fover_rep during conn replication |
| | Firepower 2100 Series might report failure due to MIO-blade heartbeat failure |
| | Firepower Threat Defense device unable to establish ERSPAN with Nexus 9000 |
| | ASA Running config through REST-API Full Backup does not contain the specified context configuration |
| | DHCP Relay With Dual ISP and Backup IPSEC Tunnels Causes Flapping |
| | ASDM/Webvpn stops working after reload if IPv6 address configured on the interface |
| | ASA/FTD Deployment ERROR 'Management interface is not allowed as Data is in use by this instance' |
| | BGP ASN cause policy deployment failures. |
| | FTD: Layer 2 packets (ex: BPDUs) are dropped during snort restarts (Inline/Passive Interfaces Only) |
| | Multicast ip-proto-50 (ESP) dropped by ASP citing 'np-sp-invalid-spi' |
| | ASA fails to encrypt after performing IPv6 to IPv4 NAT translation |
| | ASA does not send 104001 and 104002 messages to TCP/UDP syslog |
| | PKI:- ASA fails to process CRL's with error "Add CA req to pool failed. Pool full." |
| | ASA pair: IPv6 static/connected routes are not sync/replicated between Active/Standby pairs. |
| | Stuck uauth entry rejects AnyConnect user connections |
| | Allow ASA to process packet with hop limit of 0 (Follow RFC 8200) |
| | REST-API:500 Internal Server Error |
| | ASA NAT position discrepancy between CLI and REST-API causing REST to delete wrong config |
| | "ha-replace" action not working when peer not present |
| | ASA5585 device power supply Serial Number not in the snmp response |
| | Traceback in DATAPATH on standby FTD |
| | Hanging downloads and slow downloads on a FPR4120 due to http inspect |
| | LDAP over SSL crypto engine error |
| | 256 Byte block leak observed due to ARP traffic when using VTI |
| | ASA5515 Low DMA memory when ASA-IC-6GE-SFP-A module is installed |
| | Neighbour Solicitation messages are observed for IPv6 traffic |
| | pki handles: increase and fail to decrement |
| | Edit GUI language on ASDM AC downloads but ignores the change FPR-21XX |
| | Slave unit drops UDP/500 and IPSec packets for S2S instead of redirecting to Master |
| | To-the-box traffic being routed out a data interface when failover is transitioning on a New Active |
| | Standby traceback in Thread "Logger" after executing "failover active" with telnet access |
| | ASA HA with NSF: NSF is not triggered properly when there is an Interface failure in ASA HA |
| | Flow-offload rewrite rules not updated when MAC address of interface changes |
| | In version 9.7 and lower ASA does not honor "no signature" under saml configuration |
| | reload command does not work properly on ASAv |
| | ASA - zonelabs-integrity : Traceback and High CPU due to Process 'Integrity FW task' |
| | ASA : Device sends only ID certificate in SSL server certificate packet after reload |
| | CWE-20: Improper Input Validation |
| | Traceback: Thread Name: IPsec message handler |
| | Bonita BPM app's web pages access fail via webvpn |
| | ASA 9.8.2 Receiving syslog 321006 reporting System Memory as 101% |
| | ASA traceback in Thread Name: DATAPATH-14-17303 |
| | Firepower 2110 with ASA DHCP does not work properly |
| | portal-access-rule changing from "deny" to "permit" |
| | Firepower Threat Defense 2100 asa traceback for unknown reason |
| | "clear capture /all" might crash Firepower 9300 MI Firepower Threat Defense |
| | ASA SIP and Skinny sessions drop, when two subsequent failovers take place |
| | ASA memory Leak - snp_svc_insert_dtls_session |
| | Trustsec SXP delete hold down timer value needs to be configurable |
| | ASA traceback on Firepower Threat Defense 2130-ASA-K9 |
| | ASA portchannel lacp max-bundle 1 hot-sby port not coming up after link failure |
| | create/delete context stress test causes traceback in nameif_install_arp_punt_service |
| | ASA does not unrandomize the SLE and SRE values for SACK packet generated by ASA module |
| | Multicast dropped after deleting a security context |
| | Remove/Increase the maximum 255 characters error limit in result of a cli command! |
| | Change 2-tuple and 4-tuple hash table to lockless |
| | Static IPv6 route prefix will be removed from the ASA configuration |
| | clear crypto ipsec ikev2 commands not replicated to standby |
| | FTD does not send Marker for End-of-RIB after a BGP Graceful Restart |
| | Traceback in cli_xml_server Thread |
| | Traceback at "ssh" when executing 'show service-policy inspect gtp pdp-context detail' |
| | Usage of 'virtual http' or 'virtual telnet' incorrectly needs 'same-security permit intra-interface' |
| | 2100/4100/9300: stopping/pausing capture from Management Center doesn't lower the CPU usage |
| | Netflow configuration on Active ASA is replicated in upside down order on Standby unit |
| | Withdrawal advertisements for specific prefixes are flooded before flooding aggregate prefix |
| | IP Local pools configured with the same name. |
| | Cisco Adaptive Security Appliance Direct Memory Access Denial of Service Vulnerability |
| | ASA traceback when logging host command is enabled for IPv6 after each reboot |
| | 1550 Block Depletion Causes ASA to reload 6.2.3.3. |
| | Invalid Http response (IO error during SSL communication) when trying to copy a file from CSM to ASA |
| | Cisco Adaptive Security Appliance Access Control List Bypass Vulnerability |
| | Large Config and ACL May Cause Data Interface Health Check Fail on Slave Join |
| | ASA keeps Type 7 NSSA after losing neighbor |
| | webvpn-l7-rewriter: Bookmark logout fails on IE |
| | WebPage is not loading due to client rewriter issue on JS files |
| | ASA IKEv2 capture type isakmp is saving corrupted packets or is missing packets |
| | ASA Smart Licensing messaging fails with 'nonce failed to match' |
| | ASA may traceback due to SCTP traffic |
| | ASA: 9.6.4, 9.8.2 - Failover logging message appears in user context |
| | "show memory binsize" and "show memory top-usage" do not show correct information (Complete fix) |
| | Flows get stuck in lina conn table in half-closed state |
| | ASA 5525 running 9.8.2.20 memory exhaustion. |
| | ASA generates warning messages regarding IKEv1 L2L tunnel-groups |
| | GTP soft traceback seen while processing v2 handoff |
| | ASA5585 doesn't use priority RX ring when FlowControl is enabled |
| | SSH/Telnet Management sessions may get stuck in pc ftpc_suspend |
| | ASA traceback with Thread Name: DATAPATH-1-2325 |
| | Active FTP Data transfers fail with FTP inspection and NAT |
| | ASA Traceback and reload when executing show process (rip: inet_ntop6) |
| | Enabling compression necessary to load ASA SSLVPN login page customization |
| | Unwanted IE present error when parsing GTP APN Restriction |
| | Traceback loop seen on fresh ASAv Azure, KVM and VMWare deployments |
| | Certificate import from Local CA fails due to invalid Content-Encoding |
| | ASA may traceback and reload when accessing qos metrics via ASDM/Telnet/SSH |
| | SSH session stuck after committing changes within a Configure Session. |
| | ASA "snmp-server enable traps memory-threshold" hogs CPU resulting in "no buffer" drops |
| | ASA CP core pinning leads to exhaustion of core-local blocks |
| | KVM (FTD): Mapping web server through outside not working consistent with other platforms |
| | Firepower 2100 tunnel flap at data rekey with high throughput Lan-to-Lan VPN traffic |
| | When logging into the ASA via ASDM, syslog 611101 shows IP as 0.0.0.0 as remote IP |
| | mac address is flapping on huasan switch when asa etherchannel is configured with active mode |
| | Traceback and reload due to GTP inspection and Failover |
| | Traceback: ASA 9.8.2.28 while doing mutex lock |
| | ASA cluster: Traffic loop on CCL with NAT and high traffic |
| | ASA WebVPN - incorrect rewriting for SAP Netweaver |
| | GTP inspection should not process TCP packets |
| | FTD IPV6 traffic outage after interface edit and deployment part 1/2 |
| | Async queue issues with fragmented packets leading to block depletion 9344 |
| | Low DMA memory leading to VPN failures due to incorrect crypto maps |
| | The CPU profiler stops running without having hit the threshold and without collecting any samples. |
| | ASA 9.8.3 Smart Licensing Default Config Incorrect |
| | FTD or ASA traceback and reload in "Thread Name: Logger Page fault: Address not mapped" |
| | ASA unable to handle Chunked Transfer-encoding returned in HTTP response pages in Clientless WebVPN |
| | Clientless webvpn fails when ASA sends HTTP as a message-body |
| | "Free memory" in "show memory" output is wrong as it includes memory utilisation due to overhead |
| | Qos applied on interfaces doesn't work. |
| | ASA is stuck on "reading from flash" for several hours |
| | ASA 9.8(2)24 traceback on FPR9K-SM-44 |
| | Using EEM to track VPN connection events may cause traceback and reload |
| | Standby unit sending BFD packets with active unit IP, causing BGP neighborship to fail. |
| | Initiating write net command with management access for BVI interfaces does not succeed |
| | "capture stop" command doesn't work for asp-drop type capture |
| | ASA: Memory leak due to PC cssls_get_crypto_ctxt |
| | GTP delete bearer request is being dropped |
| | ASA Traceback: Thread Name NIC Status Poll. |
| | IPSEC RAVPN on Spyker fails due to IKEv2 Xuauth install failure |
| | With v1 host configured, a v2c walk from that host succeeds |
| | Route tracking failure |
| | Cisco ASA and FTD Denial of Service or High CPU due to SIP inspection Vulnerability |
| | Make Object Group Search Threshold disabled by default, and configurable. Causes outages. |
| | ASA traceback on slave/standby during sync config due to OSPF/EIGRP and IPv6 used together in ACE |
| | Cisco Adaptive Security Appliance Software Privilege Escalation Vulnerability |
| | Firepower 2100 ASA Smart Licensing Hostname Change Not Reflected in Smart Account |
| | HA failed primary unit shows active while "No Switchover" status on FP platforms |
| | Cisco Adaptive Security Appliance WebVPN - VPN not connecting through Browser |
| | ASA wrongly removes dACL for all AnyConnect clients which have the same dACL attached |
| | Traceback high availability standby unit Thread Name: vpnfol_thread_msg |
| | ASA kerberos auth fails to switch to TCP if server has response too big (ERR_RESPONSE_TOO_BIG) |
|
ASA: Memory leak due to PC alloc_fo_ipsec_info_buffer_ver_1+136 |
|
ASA: CLI: User should not be allowed to create network object "ANY" |
|
Unable to modify access control license entry with log default command |
|
ASA not inspecting H323 H225 |
|
ASAv/FP2100 Smart Licensing - Unable to register/renew license |
|
ASA core blocks depleted when host unreachable in IRB configuration |
|
FTD: SSH to ASA Data interface fails if overlapping NAT statement is configured |
|
Spin lock traceback when changing vpn-mode with traffic |
|
Only first line of traceroute is captured in event manager output |
|
Webvpn Clientless- password management issue |
|
NTP synchronization don't work when setting BVI IF as NTP source interface |
|
ASA 5506 %Error copying http://x.x.x.x/asasfr-5500x-boot-6.2.3-4.img(No space left on device) |
|
FTD - When "object-group-search" is pushed through flexconfig, all ACLs get deleted causing outage. |
|
FTD device rebooted after taking Active State for less than 5 minutes |
|
Prevent administrators from installing CXSC module on ASA 5500-X |
|
show memory has negative values for used memory when low memory condition hit |
|
FTD: Need ability to trust ethertype ACLs from the parser. Need to allow BPDU to pass through |
|
port-channel IF's Interface number is displayed un-assigned when running at transparent mode |
|
ASA may traceback due to SCTP traffic inspection without NULL check |
|
Traceback and reload when displaying CPU profiling results |
|
ASA : Failed SSL connection not getting deleted and depleting DMA memory |
|
ADI process fails to start on ASA on Firepower 4100 |
|
SNMPv2 pulls empty ifHCInOctets value if Nameif is configured on the interface |
|
Keepout configuration on the active ASA can not be synchronized to the standby ASA |
|
The 'show memory' CLI output is incorrect on ASAv |
|
ASA Traceback in emweb/https during Anyconnect Auth/DAP assessment |
|
ACL Unable to configure an ACL after access-group configuration error |
|
IKEv2 Failed to obtain an Other VPN license |
|
ASA traceback when removing interface configuration used in call-home |
|
Standby node traceback in wccp_int_statechange() with HA configuration sync |
|
ASA routes change during OS upgrade |
|
ASA should allow GCM(SSL) connections to use DMA_ALT1 when primary DMA pool is exhausted |
|
ASA: Not able to load Quovadis Root Certificate as trustpoint when FIPS is enabled |
|
'No certificate ' command under certificate chain removes wrong certificate |
|
ASA discards OSPF hello packets with LLS TLVs sent from a neighbor running on IOS XE 16.5.1 or later |
|
Specified virtual mac address could not display when executing "show interface" |
|
AnyConnect Cert Auth w/ periodic cert auth fails if failover enabled but other device unreachable |
|
RA VPN + SAML authentication causes 2 authorization requests against the RADIUS server |
|
ASA stops authenticating new AnyConnect connections due to fiber exhaustion |
|
ASA/FTD:MAC address not refreshing after changing member-interface of CCL link |
|
DTLS fails after rekey |
|
ASA 5500-X may reload without crashinfo written due to CXSC module continuously reloading |
|
To support multiple retry on devcmd failure to CRUZ during flow table configuration update. |
|
ASA's fail to reboot after power cycle if disk is FSCK'd |
|
ISA3000 interoperability issue with Nokia 7705 router |
|
DPD doesn't work following a failover, which can (in rare cases) cause an outage if things fail back |
|
KP:AnyConnect used IP from pool shows as available |
|
ASA traceback and reload due to multiple threads waiting for the same lock - watchdog |
|
ASA 5585 9.8.3.14 traceback in Datapath with ipsec |
|
ASA as an SSL Client Memory Leak in Handshake Error path |
|
traceback on inspect_process |
|
ASA Multicontext traceback and reload due to allocate-interface out of range command |
|
ASA SNMP CPU Hogs |
|
"Process Name: lina" | ASA traceback caused by Netflow |
|
Memory Leak in DMA_Pool in binsize 1024 with SCP download |
|
Packet Tracer fails with "ERROR: TRACER: NP failed tracing packet", with circular asp drop captures |
|
Syslog ID 111005 generated incorrectly |
|
Upgrading ASA cluster to 9.10.1.7 cause traceback |
|
Deploy from FMC fails due to OOM with no indication of why |
|
Support more than 255 chars for Split DNS-commit issue in hanover for CSCuz22961 |
|
Memory leak found in IPsec when we establish and terminate a new IKEv1 tunnel. |
|
DHCPRelay does not consume DHCP Offer packet with Unicast flag |
|
Failover fsm gets stuck in a multicontext active/active in case of module difference. |
|
Unable to remove access-list with 'log default' keyword |
|
Tunnel Group: 'no ikev2 local-authentication pre-shared-key' removes local cert authen |
|
EIGRP breaks when new sub-interface is added and "mac-address auto" is enabled |
|
AnyConnect session rejected due to resource issue in multi context deployments |
|
Standby may enter reboot loop upon upgrading to 9.6(4)20 from 9.6(4)6 |
|
ASA IPSec VPN EAP Fails to Load Valid Certificate in PKI |
|
OSPF Process ID doesnot change even after clearing OSPF process |
|
ASA5506 - IBR - not able to ping with hostname if the interface is in BVI in IBR mode |
|
VPN sessions failing due to PKI handles not freed during rekeys |
|
SCP large file transfer to the box result in a traceback |
|
crypto ipsec inner-routing-lookup should not be allowed to be configured with VTI present |
|
ASA traceback and reload when trying to switch from ACTIVE to STANDBY. Thread Name: fover_FSM_thread |
|
Failover mac address configured on interface does not allow to delete subinterface |
|
ASA Traceback and reload while running IKE Debug |
|
Smart Tunnel bookmarks don't work after upgrade giving certificate error |
|
ASA fails command authorization if tcp syslog is down. |
|
Traceback and reload citing Datapath as affected thread |
|
ASA may traceback and reload. Potentially related to WebVPN traffic |
|
Memory leak while inspecting GTP traffic |
Resolved Bugs in Version 9.8(3)
The following table lists select resolved bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | ASA 8.0: CSCOPF.CAB has expired Code Signing cert. |
| | aggregate-auth debugs should mask passwords |
| | ASA Traceback in thread SSH when running "show service set conn detail" |
| | ASA: traceback in DATAPATH-2-1157 |
| | ASA unable to remove ACE with 'log disable' option |
| | Cisco Adaptive Security Appliance Traffic Flow Confidentiality Denial of Service Vulnerability |
| | ASA traceback in Unicorn Proxy Thread |
| | 9.7.1 traceback in snp_fp_qos |
| | ASA 9.1(7)9 Traceback with %ASA-1-199010 and %ASA-1-716528 syslog messages |
| | ASA REST API - component monitoring - empty value/blank value |
| | Threat Defense: Interface capture on ASA CLI causes all traffic to be dropped on data-plane |
| | _lina_assert in createFoverInterface when configuring failover |
| | ASA "show tech" runs some commands twice, show running-config/ak47 detailed/startup-config errors |
| | ASA Traceback when saving/viewing the configuration due to time-range ACLs |
| | ASA SSL client does not respond to renegotiation request |
| | ASA 9.6.2.11 - Intermittent authentication with CTP uauth in cluster |
| | ENH: Timeout for igp stale-route should be reduced to a value lower than 10 seconds |
| | Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability |
| | ASA Portal Java plug-ins fail with the latest Java updates |
| | Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability |
| | Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities |
| | Traceback in DATAPATH-1-2084 ASA 9.8(1) |
| | All 1700 "4 byte blocks" were depleted after a weekend VPN load test. |
| | ASA Memory depletion due to scansafe inspection |
| | ASA Traceback on Kenton in Thread Name: CTM message handler |
| | Capturing asp-drop causes unexpected ASA failure |
| | Snort IAB on FTD requires PDTS to provide perfstat |
| | SNMP: User is not added to a user-list or host after reconfiguring it. |
| | Stale VPN Context issue seen in 9.1 code despite fix for CSCvb29688 |
| | ASA: Low free DMA Memory on Versions 9.6 and later (Applies to ASA 5515 ONLY) |
| | AnyConnect multi-cert auth fails with IPsec and tunnel group URL |
| | ENH: Unique IPv6 link-local addresses assigned when sub-interface is being created |
| | IPv6 Addresses intermittently assigned to AnyConnect clients |
| | ASA Exports ECDSA as corrupted PKCS12 |
| | ASA traceback on failover sync with WebVPN and shared storage-url config |
| | FTD on 2100/4100/9300 Traceback in DATAPATH due to flow offload |
| | An ASA with low free memory fails to join existing cluster and could traceback and reload |
| | ASA 9.8.1 BVI in routed mode is not doing route lookup for traffic generated from ASA |
| | DAP config restored but inactive after backup restore |
| | ASA not sending register stop when mroute is configured |
| | ASA crashes on DATAPATH due to SIP traffic hitting dynamic NAT rule |
| | ASA creates a BVI0 interface on a custom routed context |
| | Netflow Returns Large Values for Bytes Sent/Received and IP address switch |
| | Unable to add new networks to existing EIGRP configuration |
| | ERROR: Unable to create crypto map: limit reached, when adding entry |
| | Certificates not synced to Standby/All certificates cleared on Standby post deployment failure |
| | WebVPN rewriter failing for internal URL |
| | ASA 9.6: FTP inspection does not allocate new NAT entries for DATA traffic on Active FTP with PAT |
| | OSPF route not getting installed on peer devices when an ASA failover happens with NSF enabled |
| | "no capture <name> stop" doesn't change capture status from Stopped |
| | ENH: GOID allocation and sync cleanup |
| | ASA on FXOS is sending SNMP ifSpeed OID (1.3.6.1.2.1.2.2.1.5) response value = 0 |
| | ASA - 80 Byte memory block depletion |
| | ASA 9.6(2), 9.6(3) traceback in DataPath |
| | KP: CPU hogs on standby ASA in fover_parse when performing "write mem all" on active ASA |
| | ASA doesn't send LACP PDU during port flap in port-channel |
| | Transparent Firewall: Ethertype ACLs installed with incorrect DSAP value |
| | Optimization: Allow multiple DATAPATH threads to read compiling tmatch structure in parallel |
| | Traceback in thread DATAPATH due to NAT |
| | ASA: entConfigChange is unexpectedly sent when secondary ASA is reloaded |
| | ASA drops the IGMP Report packet which has Source IP address 0.0.0.0 |
| | Cisco Adaptive Security Appliance Flow Creation Denial of Service Vulnerability |
| | ERROR on Firepower Threat Defense device: Captive-portal port not available. Try again |
| | FP2100 IFT customer cannot use ASDM to download image to PC |
| | FXOS - ASA/FTD standby unit in transparent mode may still traffic for offloaded flows |
| | Firepower Threat Defense may traceback in Thread Name appAgent_monitor_nd_thread during registration |
| | ASAv image in AWS GovCloud not working in Hourly Billing Mode |
| | ASA crash with snp_egress_capture_sgt() |
| | IKEv2 RA cert auth. Unable to allocate new session. Max sessions reached |
| | Hostscan: Errors in cscan.log downloading Microsoft and Panda .dll files |
| | OpenSSL CVE-2017-3735 "incorrect text display of the certificate" |
| | management-only comes back after reboot |
| | Memory leak in 112 byte bin when packet hits PBR and connection is built |
| | ASA Routes flushed after failover when etherchannel fails |
| | 'Incomplete command' error with some inspects due to K7 license |
| | ASA: ICMPv6 syslog messages after upgrade to 9.6.2. |
| | Traceback with traffic in 3 node Intra Chassis Cluster |
| | Slave kicked out due to CCL link failure and rejoins, but loses v3 user in multiple context mode |
| | ASA: Traceback by Thread Name idfw_proc |
| | ASA - rare scheduler corruption causes console lock |
| | ASA cluster intermittently drops IP fragments when NAT is involved |
| | ASA/Firepower Threat Defense traceback when enabling or clearing the packet capture buffer |
| | Cisco Firepower 2100 Series Security Appliances IP Fragmentation Denial of Service Vulnerability |
| | ASA WebVPN HTTP Strict-Transport-Security Header missing despite fix of CSCvc82150 |
| | ASA on FP 2100 traceback when uploading AnyConnect image via ASDM or show file system |
| | Standby ASA has high CPU usage due to extremely large PAT pool range |
| | ASA fails to rejoin the failover HA or a cluster with insufficient memory error, OGS enabled |
| | ASA crashes in glib/g_slice when doing "debug menu" self testing |
| | ASA does not create pinholes for DCERPC inspection, debug dcerpc shows "MEOW not found". |
| | ASA: After upgrading from 9.2(4) to 9.2(4)18 serial connection hangs |
| | Permanent License Reservation license not installed on ASAv |
| | "clear local-host <IP>" deletes all stub flows present in the entire ASA cluster for all hosts/conns |
| | Upon joining cluster, slave unit generates ASA-3-202010: NAT/PAT pool exhausted for all PAT'd conns |
| | ASA traceback due to deadlock between DATAPATH and webvpn processes |
| | Firepower 2100 Threat Defense pair reporting failed status due to "Detect service module failure" |
| | ASA: High memory utilization when inspection enabled |
| | iPhone IKEv2 PKI leaks over Wi-Fi using local certificate authentication on ASA 5555 9.6.3 |
| | ASA-SSP HA reload in CP Processing due to DNS inspect |
| | Chunk memory not released back to the system after stopping traffic |
| | Traceback with Show OSPF Database Commands |
| | ASA local DNS resolution fails when DNS server is reachable over a site to site sec VPN tunnel |
| | After one node rejoins and traffic restarts, the unit goes to 100% CPU due to snpi_untranslate |
| | REST-API residues on Firepower Threat Defense (2100, 4100, 9300 Series) |
| | ASA panic/crash spin_lock_fair_mode_enqueue: Lock (mps_shash_bucket_t) is held for a long time |
| | ASA getting stuck in hung state because of STATIC NAT configuration for SNMP ports |
| | FORWARD PORT: 1550/2048/9344 byte memory block depletion due to identity UDP traffic |
| | Crash on Standby Firepower 4140 module after Policy deployment. |
| | ASA Inter-Site Clustering - Extra ARP not generated when ASA receives unicast ARP request |
| | High CPU observed with SFR monitoring mode |
| | Traceback on ASA with Firepower Services during NAT rule changes and packet capture enabled |
| | When IPsec is enabled, high availability goes in Active-Failed state |
| | ASA, when acting as an HTTP client (file copy, etc.) sometimes fails to close the connection |
| | ASA SNMP OID for ifInDiscards always 0 |
| | Javascript elements rewriter issue |
| | ASA broadcasting packets sent to subnet address as destination IP |
| | "OCTEON:DROQ[8] idx: 494 len:0" message appearing on console access of the device |
| | Cisco Adaptive Security Appliance WebVPN Cross-Site Scripting Vulnerability |
| | Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability |
| | ASA AC client PKI username from cert longer than 64 characters - RADIUS username is cut short to 64 |
| | SNMP deployment failure causes policy rollback |
| | FP4120 / ASA 9.6(3)230 "established tcp" not working anymore after SW upgrade |
| | ASA traceback due to 1550 block exhaustion. |
| | Offloaded flows fail to update their idle timer resulting in connections being incorrectly timed out |
| | ASA traceback: thread name scansafe |
| | High CPU in IKE Daemon causing slow convergence of VPN tunnels in a scaled environment |
| | 9300 pair NGFWs in inline IPS mode do not trigger SNAP packet updates with proper VLAN tags |
| | Unable to save configuration in system context after enabling password encryption in ASA |
| | "dir /recursive cache:/stc" and "dir cache:stc/2/" list AnyConnect.xsd differently on ASA 9.8.2 |
| | ASA 5506 running on 9.8.2.8 version, memory block of size 80 is getting depleted |
| | ASA 9.8.1+ IKEv2 VPN load-balancing sends DELETE following IKE_AUTH |
| | SSL handshake fails with large certificate chain size |
| | ASA L2TP/IPsec SMB upload of big files fails - tcp-buffer-timeout drops |
| | Modifying service object-groups (add and remove objects) removes ACE |
| | ASA incorrectly reports doubled input packet traffic on PPPoE/VPDN interface |
| | Elevated CPU Using Flow-Offload & High Rate of Flow Table Collisions |
| | Sysopt permit-vpn behavior change to prevent unintended clear-text traffic |
| | SSH/Telnet Traffic, 3-WHS, ACK packets with data are getting dropped - reason (intercept-unexpected) |
| | ASA: Software traceback in Thread Name: Dynamic Filter updater |
| | Cisco ASA sw, FTD sw, and AnyConnect Secure Mobility Client SAML Auth Session Fixation Vulnerability |
| | GTP echo response is dropped in ASA cluster |
| | ASA backs out of connection when it receives Server Key Exchange with named curve as x25519 |
| | segfault while processing TCP traffic (StreamQueue). |
| | Direct Authentication is not working in ASA cluster. |
| | ASA/FTD: OSPFv3 stops redistributing routes due to missing LSA after failover |
| | Split brain after recovery from interface failure when fover and then data ifc goes down in order. |
| | RDP session does not establish after changing SSL certificate on ASA. |
| | Memory Leaking on ASA with vpnfol_memory_allocate and vpnfol_data_dyn_string_allocator |
| | FTD: IPv6 traffic is not being load-balanced as per 5-tuple algorithm |
| | Kenton: ASA5506 traceback on policy deploy |
| | ERSPAN not working on Firepower Threat Defense running 6.2.2 |
| | ASA: multi-session command being configured after write erase |
| | ASA crashed with Thread name DATAPATH-1-27929 in 3 node Firepower 9300 Distributed Cluster |
| | CSM failed to parse the tcp-state-bypass logs |
| | ICMP/Telnet traffic fails by IPv6 address on transparent ASA |
| | Blocks of size 80 leak observed when IRB is used in conjunction with multicast traffic |
| | SSPs with ASA in multiple context mode move into active-active situation while failover is occurring |
| | NAT'd traffic with flow offload is not working in transparent mode. |
| | Firepower Threat Defense prefilter policy only fast-paths single direction of bidirectional flow |
| | ASA ping to IPv6 address selects egress interface source IP instead of specified source IP |
| | Failover Master Passphrase Crash via ASDM |
| | ASA does not unrandomize the SLE and SRE values for SACK packet generated by ASA module |
| | ARP traffic should not be hardcoded to be sent to Snort for inspection |
| | ASA: OpenSSL Vulnerabilities CVE-2017-3737 and CVE-2017-3738 |
| | IKEv2 MOBIKE session with strongSwan/3rd party client fails due to DPD with NAT detection payload. |
| | SNMP: After upgrade to 9.6(3)1, the snmpwalk results are different |
| | Cisco Adaptive Security Appliance Clientless SSL VPN Cross-Site Scripting Vulnerability |
| | Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities |
| | ACLs with source objects that are ranges incorrectly track hit counts |
| | Both ASAs traceback in high availability pair on 4140 chassis |
| | ASA - Traceback in thread name SSH while applying BGP show commands |
| | ASDM stops working with hostscan enabled. ASDM works with hostscan disabled. |
| | ASA takes significant time to send ICMPv6 echo when pinging. |
| | ASA watchdog traceback during context modification/configuration sync |
| | Memory leak in idfw component on ASA |
| | Freed memory not released back to the system quickly enough on ASA 5506-X platforms |
| | ASAv5: Low free DMA memory on 9.8(2) and later |
| | Slow 2048 byte block leak due to fragmented traffic over VPN |
| | ASA - ICMP flow drops with "no-adjacency" on interface configured in zone when inspection enabled |
| | 'no snmp-server host <interface> <ip-address>' does not work |
| | Unable to completely disable scansafe application health checking |
| | IPv6 protocol 112 packets passing through L2FW are dropped with Invalid IP length message |
| | ASA on Firepower Threat Defense devices traceback due to SSL |
| | ASA traceback with thread name "idfw_proc" |
| | Firepower Threat Defense device unable to establish ERSPAN with Nexus 9000 |
| | ASA and PuTTY: Incoming packet was garbled on decryption |
| | ASA backup command fails to back up identity certificate |
| | Firepower 9300 standby stuck in Bulk-Sync state with high CPS traffic on active |
| | ASA traceback in thread name CP Processing |
| | ASA 9.8.2 Cluster Slave unit traceback when joining cluster and SNMPv3 sync |
| | 5506 traceback when ASA module and REST API both enabled |
| | FQDN objects are getting resolved after removing access-group configuration |
| | Username and privilege display are incorrect when x-auth-token is used for REST API |
| | Traceback related to SIP inspection processing |
| | ASA traceback when failing over to standby unit |
| | REST API gives empty response for certain queries |
| | New certificate configuration of primary unit does not sync to standby unit in an Active/Active setup |
| | Cisco Adaptive Security Appliance Denial of Service Vulnerability |
| | Cisco Adaptive Security Appliance Denial of Service Vulnerability |
| | Cisco Adaptive Security Appliance Denial of Service Vulnerability |
| | ASA tracebacks intermittently with Thread Name: CTM message handler |
| | ASA interface IP and subnet mask change to 0.0.0.0 0.0.0.0 causing outage of services on interface |
| | ASA Traceback in Thread Name: Unicorn Proxy Thread |
| | Skinny inspection in Routed ASA with BVIs not letting SCCP phones register or denying SCCP calls |
| | IP address in DHCP GIADDR field is reversed after sending DHCP DECLINE to DHCP server |
| | ASA traceback with Thread Name: fover_parse |
| | ASA sending DHCP decline - not assigning address to AC clients via DHCP |
| | Upgrade of ASA5500 series firewalls results in boot loop (not able to get past ROMMON) |
| | ASA Traceback and goes to boot loop on 9.6.3.1 |
| | Standby ASA traceback during replication from mate 9.2(4)27 |
| | Cisco Adaptive Security Appliance Application Layer Protocol Inspection DoS Vulnerabilities |
| | KP traceback illegal memory access inside a vendor Modular Exponentiation implementation |
| | RADIUS authentication/authorization fails for ASDM |
| | [ASA] Master agent is missing user on standby device in multi-context mode |
| | WebVPN: multiple rendering issues on Confluence and Jira applications |
| | Upon reboot, non-default SSL commands are removed from the Firepower 4100 |
| | vpn-idle-timeout is not triggered after switching to rebooted failover pair |
| | ASA: Traceback in Thread Name UserFromCert |
| | CWS redirection on ASA doesn't treat SSL Client Hello retransmission properly in specific condition |
| | Cisco Adaptive Security Appliance WebVPN Denial of Service Vulnerability |
| | ASA traceback and reload due to watchdog timeout when DATAPATH accesses compiling ACL structure |
| | ASA 9.7.1.15 Traceback while releasing a VPN context spin lock |
| | IKEv1 RRI: With Answer-only, Reverse Route gets deleted during Phase 1 rekey |
| | IKEv2 stuck Tunnel Manager Entries |
| | WebVPN rewriter: drop down menu doesn't work in BMC Remedy |
| | ASA Cut-Through Proxy allowing user to access website, but displaying "authentication failed" |
| | Packet Tracer fails with "ERROR: TRACER: NP failed tracing packet", even after removing captures |
| | ASA does not report accurate free memory under "show memory" output |
| | Not able to do snmpwalk when SNMPv1&2c host group configured. |
| | ASA: dns expire-entry-timer configuration disappears after reboot |
| | ASA: IKEv2 S2S VPN with a dynamic crypto map - ASP table not programmed correctly |
| | IKEv1 RRI: With Originate-only, Reverse Route gets deleted during Phase 1 rekey |
| | Interface shutdown command not replicating in HA. |
| | Memory leak on WebVPN |
| | Zeroize RSA key after Failover causes REST API to fail to change to System context |
| | ASA far exceeds 100% rate in TCP Intercept output |
| | PIM Auto-RP packets are dropped after cluster master switchover |
| | Standby ASA not sending NTP packets to NTP server |
| | ASA 9.6(4): WebVPN page not loading correctly |
| | ASA: netsnmp: snmpwalk fails on some group of IPs of a host-group. |
| | Illegal update occurs when device removes itself from the cluster |
| | Cisco Firepower 2100 Series POODLE TLS security scanner alerts |
| | ASA: Lots of 'PPPoE daemon not configured' messages are output to the console |
| | ASA generates traceback in DATAPATH thread |
| | ASA traceback during output of "show service-policy" with a high number of interfaces and QoS |
| | ASA self-signed RSA certificate is not allowed for TLS in FIPS mode |
| | PKI handles: increase and fail to decrement |
| | ASA not matching IPv6 traffic correctly in ACL with "any" keyword configured |
| | show environment output incomplete in show tech |
| | Reapplying Certificate Chain Configuration Renders LOCAL CA TP Status "Not Authenticated" |
| | ASA responds to MOBIKE but clears SA due to DPD. |
| | ASA PKI OCSP failing - CRYPTO_PKI: failed to decode OCSP response data. |
| | Traceback: Thread Name: IPsec message handler |
| | Firepower 2110 with ASA DHCP does not work properly |
| | FPR 2100 ASA traceback for unknown reason |
| | TrustSec SXP delete hold down timer value needs to be configurable |
| | Scansafe feature doesn't work at all for HTTPS traffic |
Resolved Bugs in Version 9.8(2)
The following table lists select resolved bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | ASDM: doesn't show the source port, even when an ACE has one |
| | Resolve any vulnerabilities in ASA/FTD lina Heimdal Kerberos code |
| | OpenLDAP needs to be upgraded or patched in ASA/FTD lina process |
| | ASA blocks new conns with "logging permit-hostdown" & TCP syslog is down |
| | TLS CTP does not work in TLSv1.2 when GCM ciphers are used |
| | ASA traceback in Thread Name: ci/console while running show ospf commands |
| | FTP data conn scaling fails with dynamic PAT |
| | Support for more than 255 characters for Split DNS value |
| | Evaluation of pix-asa for OpenSSL May 2016 |
| | ASA dropping packets with "novalid adjacency" though valid ARP entry available |
| | OSPF multicast filter rules missing in cluster slave |
| | NGFW CLI 'show tech-support' missing SNORT data |
| | 9.7.1 traceback in snp_fp_qos |
| | Default inspect statements are missing on ASA 5500-X and 2100 devices running Threat Defense |
| | EZVPN NEM client can't reconnect after "no vpnclient enable" is entered |
| | ASA - Incorrect interface-based route-lookup if more specific route exists out a different interface |
| | ENH: Remove DES and 3DES from ASDM AnyConnect IKEv2 Wizard |
| | Implement detection and auto-fix capability for scheduler corruption problems |
| | Logs lost when TCP is used as transport protocol for Syslogs |
| | CEP records edit page takes minutes to load |
| | Implement debugs to troubleshoot issue where flash becomes read only after ASA is up a long time. |
| | 981 VTI - Slow BGP neighbor formation after state change |
| | PSB Requirement SEC-HTP-HSTS.x4i: HTTP Strict-Transport-Security Header |
| | ASA 1550 block gradual depletion |
| | gzip compression not working via WebVPN |
| | ASA does not respond to IPv6 MLD Query. |
| | ASA: IKEv2 ipsec-proposal command removed if more than 9 proposals configured in single command |
| | VTI - Some sessions do not get cleared from vpn-sessiondb |
| | Syslog logging messages performance is low with TCP protocol |
| | ASA TCP SIP inspection translation not working when IP phone is behind VPN tunnel |
| | Error configuring the interface in multi-context mode |
| | Copy to running-config with a loop reloads the box with no indication as to why |
| | ASA IKEv1: Set non-zero SPI in INVALID_ID_INFO Notify |
| | Traceback in "Thread Name: IPsec message handler" on EZVPN client |
| | Traceback when modifying interfaces. Assert in interface_action.c |
| | ASA erroneously triggers syslog ID 201011 |
| | Crash when clearing interface configuration and NAT |
| | Traceback in thread name DATAPATH |
| | Ether-channel: 5585-60 LACP state shows SYSTEM ID of old neighbor on interface which is disabled |
| | 9.6.2 DHCPRA: Maximum relay bindings (500) exceeded |
| | Packets encrypted through virtual tunnel interface have source MAC of 0000.0000.0000 |
| | ASA crashes after entering the command "debug menu ike-common 11" |
| | Traceback when trying to save/view access-list with giant object groups (display_hole_og) |
| | ASA with 9.5.1 and above does not show SXP socket when Management0/0 is used as src-ip |
| | ASA traceback in Thread name: idfw_proc on running "show access-list", while displaying remark |
| | ASA Traceback when saving/viewing the configuration due to time-range ACLs |
| | ASA in cluster results in incorrect user group mappings between the Master and Slave |
| | ASA traceback in ARP thread, PBR configured |
| | Web folder filebrowser applet code signing certificate expired |
| | Error deploying ASAv on ESXi vCenter 6.5 |
| | ASA fails to contact the secondary LDAP server with reactivation mode timed configured |
| | ASA: slow memory leak when using many DNS queries |
| | Threat Defense DHCP Client tries to request a DHCP address instead of declining |
| | Sub-Interfaces Not Supported on SRIOV/IXGBE-VF |
| | tcp-options md5 allow is pushed to slave units as tcp-options md5 clear |
| | ASA policy-map configuration is not replicated to cluster slave |
| | ASA may generate an assert traceback while modifying access-group |
| | Traceback due to webvpn process configuration |
| | ASA local DNS resolution fails when DNS server is reachable through a site to site IPsec tunnel |
| | FTD OSPF with ECMP, packets are sent to peer in down state for existing connections |
| | In security context, cannot generate the SNMP events trap. |
| | Cisco Adaptive Security Appliance Authenticated Cross-Site Scripting Vulnerability |
| | Increase memory allocated to rest-agent on ASAv5 |
| | ASA traceback when trying to remove configured capture |
| | ASA traceback in Thread Name: fover_parse performing upgrade from 9.1.5 to 9.4.3 |
| | ASA traceback observed in Datapath due to SIP inspection |
| | Unable to switch standby unit of the failover pair to active |
| | Allow ASAv5 to operate using > 1GB memory |
| | ASAv5: Reduce DMA packet memory to 64MB |
| | WebVPN forces IE to use IE8 mode |
| | ASA981 Beta: asp load-balance output inconsistent with show run vs. show run all |
| | ASA Traceback in Unicorn Proxy Thread |
| | L2TP/IPsec fails when transform-set with mode transport is 11th in dynamic-map |
| | Traceback in thread name DATAPATH due to LAN to LAN VPN |
| | FTD: block depletion with continuous SSL traffic and decrypt resign enabled. |
| | FTD traceback observed during failover synchronization. |
| | ASA/FTD giving incorrect results for "trace" output in packet capture |
| | The interactive icons on internal bookmark site not showing properly (+CSCO+0undefined) |
| | ASA may drop DNS reply containing only additional RR of type TXT |
| | ASA traceback when customer was authenticating to AnyConnect |
| | ISA 3000: show tech needs to include show inventory |
| | ASA Issue with BGP route summarization (auto-summary) and route advertisement |
| | SFR Backplane is pulling the public address for policy match instead of ASA inside address |
| | Proxy ARP information for SSH NLP NAT is not updating on the FTD upon failover |
| | ASA with FirePOWER services module generates traceback and reload |
| | Slave should use CCL to forward traffic instead of blackholing when egress interface is down |
| | ASAv Azure: Allow 750 VPN sessions on ASAv30 |
| | ASA reloaded while joining cluster and active as slave |
| | Routes do not sync properly between different minor versions during hitless upgrade |
| | CRL verification fails due to incorrect KU after CSCvd41423 |
| | Memory leak with capture with trace and clear capture |
| | In multi-context ASA drops traffic sourced from certain ports when interface PAT is used |
| | ASA: Active FTP not working with extended keyword in NAT. |
| | ASA clustering to support rollback feature with CSM |
| | Upgrading the ASA results in No Valid adjacency due to track configured on the route |
| | ASA: Multicast packets getting dropped starting code 9.6.3 |
| | ASA traceback observed in datapath |
| | Username is not fetched from certificate when certificate map is used in clientless portal |
| | Cisco Adaptive Security Appliance WebVPN Cross-Site Scripting Vulnerability |
| | ASA SNI connection fails after upgrade - no shared cipher |
|
"activate-tunnel-group-scripts" not available in 9.6.3.1 |
|
CSCOGet_origin wrapper doesn't handle 'origin' property if it belongs to Location object |
|
"hostscan data-limit" service-internal command must be exposed and documented |
|
ICMP Unreachables (PMTU) dropped indicating "Routing failed to locate next hop" |
|
Auto-RP packet is dropped due to no-route - No route to host |
|
BTF not supported on ASA application on FXOS Chassis, but smart licensing show this feature enabled. |
|
ASA may traceback on displaying access-list config or saving running config |
|
Smart Licensing ID cert renewal failure should not deregister product instance |
|
ASDM doesn't display Object Descriptions |
|
Calls not working with CUCI Lync version 11.6.3 on ASA |
|
AnyConnect Cert Auth w/ periodic cert auth fails if failover enabled but other device unreachable |
|
ASA - Traceback in DATAPATH during PAT pool socket allocation |
|
ASA corrupt dst mac address of return traffic from l2tp client |
|
network_udpmod_get not releasing shr_lock in rare error case |
|
SSL Record length verification missing in remove pad length function |
|
ASA interfaces may stop passing traffic after ASA reload with FIPS mode enabled |
|
CPU Hog CI_CONSOLE Traceback During Configuration |
|
ASA does not install routes learned via OSPF over IPSec using UDP/4500 |
|
"NSF IETF/CISCO" commands getting removed on reload |
|
ASA: IPv6 protocol X rule for passing through FW is dropping packets with Invalid IP length message |
|
AnyConnect new customization creation fails on ASDM for all ASA versions above 9.5(3) |
|
ASA sends the ICMP unreachable type 3 code 4 in the wrong direction when SFR redirection enabled |
|
FTD Diagnostic Interface does Proxy ARP for br1 management subnet |
|
OSPF Rogue LSA with maximum sequence number vulnerability |
|
Slave reports Master's interface status as "init" while it is up |
|
Downloadable ACLs retrieved for Cut Through Proxy in a cluster are not marked dynamic on slaves |
|
ASA Memory Leak - RSA toolkit |
|
SSH Connections to ASA fail with SLA monitoring & nonzero floating-conn timeout |
|
"service resetoutside" impacts to-the-device traffic on all interfaces, behaves different on Standby |
|
ASDM sets service as "service tcp destination eq -1" when configuring range on service object |
|
asav in aws: asav unreachable after binary upgrade to 9.8.1 |
|
vpn vlan mapping issue |
|
ASA- Traceback in 'Thread Name : Datapath' on crypto_SSL functions |
|
ASA 9.5.1 onwards, Traffic incorrectly routed instead of management interface |
|
ASA Cluster : Potential UDP loop on cluster link with PAT pool |
|
ASA Log message 414003 may be generated with bogus IP data when TCP Syslog Server down |
|
ASA 2048 block depletion when PBR next-hop is interface address |
|
ASASM: Interface vlans going to admin down after reload. |
|
'Dynamic Access Policies' page is freezed and unable to access after HS image uninstalled. |
|
Don't offer 9.8.1 as an upgrade option for ASAs in AWS |
|
ASDM does not allow more than one static MAC address table entry per interface in transparent mode. |
|
FTD - Multicast and BPDU traffic dropped due to dst-l2_lookup-fail |
|
webvpn-l7-rewriter: Jira 7.3.0's login page through WebVPN portal does not render completely |
|
Memory leak at location "snp_fp_encrypt" when syslog server is reachable over the VPN tunnel |
|
ASA Webvpn Rewritter issue. Unable to browse tabs of WebSite over Clientless VPN |
|
IPsec SA fail to come up and flap with more than 1000 IPsec SA count in ASA5506/5508/5516 |
|
ASDM error requesting to remove prefix-list used in route-maps for dynamic routing protocol |
|
ASA traceback on websns_rcv_tcp |
|
Start of Flow Block event has incorrect number of Initiator Bytes |
|
ENH: ASAv cannot boot up when installed in KVM AHV Nutanix. |
|
ASDM Where Used option not displaying results |
|
Traceback in Unicorn Proxy Thread due to Webvpn |
|
ASA/ 9.6.3 // WebVPN Smart tunnel works but floods windows with event viewer |
|
ASA WebVPN Rewriter: WebVPN bookmark scholar.google.com not properly written |
|
Network connectivity is not enabled for more than 19 context |
|
Contexts are missing on ASA once Chassis reloads after becoming Master on 9.7 and later code |
|
Standby ASA rejects NAT rule when dest overlaps with interface IP, Active allows this |
|
Unable to copy anyconnect image via SCP to the ASA flash post upgrade to 9.8(1) |
|
ASDM Hangs when editing crypto map associated to Dynamic Site-to-Site tunnel |
|
Cannot create\edit new document with MS Office apps in SP2013 |
|
Traceback on ASA with Firepower Services during NAT rule changes and packet capture enabled |
|
Unable to scale the flash virtualisation feature up to 250 contexts |
|
CDA agent stucks in 'Probing' when domain-lookup is enable |
|
ASA OSPF interface gets stuck in State DOWN (waiting for NSF) after 3rd failover |
|
Edit Second password on ASDM AC downloads but ignores the change ASA 9.8.1 higher |
|
Regex is not matching for HTTP argument field |
|
Ports not getting reserved on ASA after adding snmp configuration. |
|
ASA - Crypto accelerator traceback in a loop |
|
Display of Cipher Algorithms at ASDM is incorrect,when TLS1.2's Cipher Security Level is "medium" |
|
Traceback: Duplicate host entries in flow-export action cause crash after policy deployment |
|
multicast traffic sourced from anyconnect pool dropped due to reverse path checked. |
|
ASA-5-720012:(VPN-Secondary)Failed to update IPSec failover runtime data in ASA cluster environment |
|
Ikev2 Remote Access client sessions stuck in Delete state |
|
Unable to SSH to Active Unit//TCP connection Limit Exceeded |
|
SAML 2.0 || (5525) 9.7.1 ASA : ASA compiler not taking the sign-in URL for SAML authentication. |
|
ssh/snmp not working in transparent mode after giving 'clear conf int' |
|
ASAv: Upgrade issues to the 9.7.1.4 and 9.8.1 when installed on Hyper-V Windows Server 2012-R2 |
|
ASA: SNMP Host Group not working as required for multi context configuration. |
|
ASA5585 traceback in DATAPATH - snp_vpn_process_natt_pkt |
|
EC Certificates that are imported to the ASA in PKCS12s cannot be used for SSL |
|
ASA Connections stuck in idle state with DCD enabled |
|
Port Manager Debug File portmgr.out contains incomplete Timestamps |
|
ASA crash in fover_parse after version up |
|
Azure-HA: 'clear configure failover' doesn't clear the Peer IP address and sometimes crashes ASAv |
|
traceback in watchdog process |
|
ASA 9.x: DNS inspection appending "0" on PTR query |
|
iOS and OS X IKEv2 Native Clients unable to connect to ASA with EAP-TLS |
|
ASA crashes with '[no] nameif ' command on cluster interface while running regression |
|
TLS version 1.1 connection failed no shared signature algorithms@t1_lib.c:3106 |
Resolved Bugs in Version 9.8(1.200)
We did not resolve any bugs in this release.
Resolved Bugs in Version 9.8(1)
The following table lists select resolved bugs at the time of this Release Note publication.
| Caveat ID Number | Description |
|---|---|
| | ASA blocks new conns with "logging permit-hostdown" & TCP syslog is down |
| | ASA: Auth failures for SNMPv3 polling after unit rejoins cluster |
| | ASA classifies TCP packets as PAWS failure incorrectly |
| | ASA - To-the-box traffic breaks due to interface missing in ASP routing table |
| | ASA Traceback on 9.1.5.19 |
| | CWS redirection on ASA may corrupt sequence numbers with HTTPS traffic |
| | Traceback: ASA crash in thread name fover_health_monitoring_thread |
| | Traceback in Unicorn Proxy Thread, in http_header_by_name |
| | ASA: Protocol and Status showing UP without connecting the interface |
| | After some time flash operations fail and configuration cannot be saved |
| | ASA generates unexpected syslog messages with mcast routing disabled |
| | L2TP over IPsec cannot connect after disconnection from client. |
| | Unicorn Proxy Thread causing CP contention |
| | Duplicate link-local address observed after failover |
| | AnyConnect DTLS on-demand DPDs are not sent intermittently |
| | OSPF multicast filter rules missing in cluster slave |
| | ASA ASSERT traceback in DATAPATH due to SCTP inspection |
| | ASA: SIP Call Drops with PAT when same media port used in multiple calls |
| | OSPFv3/IPv6 flapping every 30 min between ASA cluster and 4500 |
| | Traceback on CP Process with H323 inspection, rip h323_service_early_msg |
| | ASA traceback in CLI thread while making MPF changes |
| | IKEv2 RA cert auth: unable to allocate new session, max sessions reached |
| | Unable to relay DHCP discover packet from ASA when NAT is matched |
| | ASA negotiates TLS1.2 when server in tls-proxy |
| | Failover descriptor is not updated in Port Channel interfaces |
| | ICMP error packets in response to reply packets are dropped |
| | ASA: Enabling IKEv1/IKEv2 opens RADIUS ports |
| | ASR9000 BGP Graceful Restart doesn't work as expected |
| | AnyConnect Sessions Cannot Connect Due to Stuck L2TP Uauth Sessions |
| | ASA Cluster DHCP Relay doesn't forward the server replies to the client |
| | ASA 5585-60 dropping out of cluster with traceback |
| | Enqueue failures on DP-CP queue may stall inspected TCP connection |
| | SIP: Address from Route: header not translated correctly |
| | H.323 inspection causes Traceback in Thread Name: CP Processing |
| | Internal ATA Compact Flash size is incorrectly shown in "show version" |
| | ASA Page fault traceback in Thread Name: DATAPATH |
| | ASA Traceback in thread name CP Processing due to DCERPC inspection |
| | ASA 9.1.7-9 crash in Thread Name: NIC status poll |
| | IPv6 DNS packets getting malformed when DNS inspection is enabled. |
| | WebVPN rewriter failing on matterport.com |
| | Stale VPN Context entries cause ASA to stop encrypting traffic despite fix for CSCup37416 |
| | ASA may generate DATAPATH Traceback with policy-based routing enabled |
| | ASA Multiple Context SNMP PAT Interface Missing |
| | Cisco ASA Signature Verification Misleading Digital Signing Text On Boot |
| | Cisco ASA Remove Misleading Secure Boot commands on non-SB hardware |
| | ASA PKI OCSP failing - CRYPTO_PKI: failed to decode OCSP response data. |
| | Lower NFS throughput rate on Cisco ASA platform |
| | NLP information seen in IPv6 commands |
| | ASA not sending Authen Session End log if user logs out manually |
| | GTPv2 Dropping instance 1 handoffs |
| | ASA Traceback in Checkheaps Thread |
| | ASA traceback with Thread Name aaa_shim_thread |
| | Cisco ASA Software and Cisco FTD Software TCP Normalizer Denial of Service Vulnerability |
| | ASA traceback observed on auto-update thread. |
| | Evaluation of pix-asa for OpenSSL September 2016 |
| | Delete Bearer Req fails to delete second default bearer after v2 Handoff callflow. |
| | Traceback triggered by CoA on ASA when sending/receiving to/from ISE |
| | IKEv2: Sessions are not cleaned up after the client disconnects. |
| | ASA traceback at Thread Name: rtcli |
| | RADIUS authorization request does not send Called-Station-ID attribute |
| | Lina core during failover with SIP traffic |
| | viewer_dart.js file not loading correctly |
| | OSPF continuously flaps after master change (L2 cluster, multi-ctx) |
| | VPN tunnels are lost after failover due to OSPF route issue |
| | ASA Traceback Thread Name: emweb/https |
| | ASA: Discrepancy in used memory calculation for Multiple context firewall |
| | GARP flood done by ASAs in multi-site cluster using the site-ip address |
| | EIGRP: Need to add large number error handling when getting scaled bandwidth |
| | Object-group-search redundant service group objects are incorrectly removed |
| | 9.6.2 TCP connection doesn't work through L2TP |
| | AAA session handle leak with IKEv2 when denied due to time range |
| | ASA-SM traceback with Thread: fover_parse during upgrade OS 9.1.6 to 9.4.3 |
| | ASA fairly infrequently rewrites the dest MAC address of multicast packet for client |
| | webvpn_state cookie information disclosure in URL |
| | ASA traceback at Thread Name: IKE Daemon. |
| | SCP fails in 9.6.2 |
| | ASA dropping traffic with TCP syslog configured in multi-context mode |
| | ASA - ACL remark displayed incorrectly in the Packet Tracer tool's XML output |
| | EZVPN NEM client can't reconnect after "no vpnclient enable" is entered |
| | 4GE-SSM RJ45 interface may drop traffic due to interface "rate limit drops" |
| | v1 PDP may get deleted on parse IE failure |
| | ASA: Stuck uauth entry rejects AnyConnect connection despite fix for CSCuu48197 |
| | webvpn-l7-rewriter: 5515 9.1.6 Content Rewrite Problem for ASA Web Bookmark |
| | WebVPN: Internal page login button not working through rewriter |
| | Inconsistent Upper Bounds for Failover Replication Rate Limiting |
| | ASA drops DNS PTR Reply with reason Label length exceeded during rewrite |
| | Cluster ASA drops to-the-box ICMP replies with reason "inspect-icmp-seq-num-not-matched" |
| | ASA matches incorrect ACL with object-group-search enabled |
| | ASA SIP inspection may delay transmission of 200 OK when embedded with NOTIFY |
| | ASA IKEv2 RA VPN does not clearly communicate "No License" status to AnyConnect user |
| | Incorrect behaviour when SNMP polling is done on virtual IP of an ASA cluster. |
| | ASA: memory leak due to IKEv2 |
| | RDP Plugin Connection failed with error |
| | PLR: ASAv generates invalid reservation code |
| | ASA DHCP relay is incompatible with intercept-dhcp feature |
| | ASA cluster TCP/SSL ports are not displayed in LISTEN state |
| | ASA unable to add multiple attribute entries in a certificate map |
| | Implement detection and auto-fix capability for scheduler corruption problems |
| | ASAv may crash when running WebVPN |
| | Pre-fill feature extracts username from wrong cert (cert 1-machine) for double cert vs. (cert 2-user) |
| | ASA fails SSL VPN session establishment with EC under load |
| | 9.6.2 - Traceback during AnyConnect IKEv2 Performance Test |
| | ASA multi-context disallowing new conns with TCP syslog unreachable and logging permit-hostdown set |
| | ASA-SM 9.5.2 inspect-sctp licensing breaks existing deployments |
| | ASA traceback at Thread Name: sch_syslog |
| | DSCP Markings Not Copied to Outer IP Header With IPsec Encapsulation |
| | Cisco ASA Heap Overflow in WebVPN CIFS |
| | MIB object cempMemPoolHCUsed disappeared |
| | ASA: OSPFv3 routes are not getting installed |
| | ASA portal reveals that multiple context is configured when AnyConnect is deployed. |
| | Error synchronizing the SNMPv3 user after rebooting a cluster unit |
| | ASA memory leak in CloneOctetString when using SNMP polling |
| | Implement speed improvements for ACL and NAT table compilation |
| | Firepower Threat Defense (FTD) IKEv2 NAT-T gets disabled after reboot |
| | SSL connection hangs between ASA and backend server in clientless WebVPN |
| | ASA with FirePOWER module generates traceback and reloads or causes process not running |
| | AnyConnect address assignment fails using external DHCP server when ASA is in Multi-context Mode |
| | ASA clustering: mac-address cmd is ignored on spanned port-channel interface in 9.6.2 |
| | FTD Cluster 9K block depletion with fragmented Traffic |
| | ASA does not update access-list dynamically when forward-reference enable is configured |
| | WebVPN portal not displayed correctly for connections landing on default webvpn group. |
| | ASA inspection-MPF ACL changes are not getting ordered correctly in the ASP Table |
| | ASA may traceback with Thread Name: Unicorn Admin Handler |
| | Reloading Active unit in Active/Standby ASA failover pair is not triggering a failover. |
| | ASA: IPsec SA failed to come up |
| | IKEv2 handles get leaked in an L2L setup |
| | ASA incorrectly processing negative numbers in wrappers, resulting in graphical WebVPN issue |
| | SIP: 200 OK messages with multiple segments not reassembled correctly |
| | ASA L3 Cluster: DHCP relay drops DHCPOFFER in case of asymmetric routing |
| | CTP after failed attempt sends the domain along with the username |
| | RDP plugin ActiveX Full Screen option is not available with ASA 9.6.2 version |
| | Tracking route is up while the reachability is down |
| | Traceback in ASA Cluster Thread Name: qos_metric_daemon |
| | Traceback observed on gtpv2_process_msg on cluster |
| | BGP's BFD support code opens tcp/udp 3784 and 3785 to bypass access-lists |
| | ASA may traceback in network_tcpmod_close_conn with AnyConnect IPv6 DTLS stress scenario |
| | ASA watchdog traceback during cluster config sync with rest-api enabled |
| | ASA NAT pool not getting updated correctly. |
| | Unable to configure SSH public key auth for script users |
| | mac-address auto command uses default prefix of 1 on ASA5585-X |
| | ASA traceback in thread name Datapath |
| | ASA does not respond to IPv6 MLD Query. |
| | Traceback: ASA 9.5(2)11 crash Active |
| | ASA traceback and Reload on Config Sync Failure |
| | ASA Clustering IDFW not updating user mappings |
| | 1550-byte block depletion seen due to RADIUS Accounting packets |
| | ASA BFD echo function fails if RPF is enabled first. |
| | Unable to delete Configured Auto NAT from FMC |
| | ASA (9.1.7.12): Connection entries created for multicast streams through standby ASA. |
| | Deployment fails when management-only enabled on port-channel interface |
| | L2TP connects only sometimes when DHCP used |
| | ASAv Goes Unresponsive / VPN fails to function after restart |
| | Unable to configure SSH public key auth for non-system contexts |
| | SNMPv3 linkup/linkdown should be generated through admin context |
| | Slow Memory leak in ASA |
| | ACL last hit-cnt counter shows incorrect time |
| | Asymmetric path ICMP traffic fails through distributed clustering |
| | ASA using TACACS authentication and configured 'password-policy lifetime' will deny access |
| | asav-aws: In AWS, excessive console output causes reload CLI to fail |
| | ASA traceback in thread name DATAPATH |
| | ASA IKEv1: Always accept NAT-T encapsulation mode in transform payload |
| | 5585 does not unbundle its data intfs for 30 seconds after leaving cluster |
| | Cannot delete port-object once created under the Service object group in ASA 9.4.4 |
| | ASA w/ RRI and OSPF: Fails to flush route from ASP routing table |
| | ASA may traceback when copying capture out using TFTP |
| | ASA may traceback while loading a large context config during bootup |
| | ASA drops web traffic when IM inspection is enabled. |
| | SNMP lists same Hostname for all Firepower Threat Defense managed devices |
| | ASA: PBR Memory leak for ICMP traffic |
| | Cluster C-Hash table is updated with one more unit even though the new unit did not join the setup |
| | Scheduler Queue Corruption leads to connectivity failures or failover problems after 9.6(2) |
| | CRL must be signed by certificate containing cRLSign key usage |
| | ASA traceback while doing in-service upgrade |
| | Traceback when trying to save/view access-list with giant object groups (display_hole_og) |
| | RT#687120: Bookmark Issue with clientless VPN - SAML |
| | ASA FirePOWER module data plane down after reload of module |
| | Traceback in Thread Name: dhcp_daemon |
| | Default "global_policy" service-policy removed after reboot |
| | DCERPC inspection drops packets and breaks communication |
| | ASA traceback in Thread Name: accept/http when ASDM is displaying "Access Rules" |
| | ASA-FP9300 Crashed in thread name IPSEC MESSAGE HANDLER |
| | ASA may crash when changing a NAT-related object to FQDN |
| | ASA may generate an assert traceback while modifying access-group |
| | ARP functions fail after 213 days of uptime, drop with error 'punt-rate-limit-exceeded' |
End-User License Agreement
For information on the end-user license agreement, go to http://www.cisco.com/go/warranty.
Related Documentation
For additional information on the ASA, see Navigating the Cisco ASA Series Documentation.