Cisco Blog » The Platform

Tuesday, March 1, 2016

Cisco Notification Alert - ASA 5500 Series NG Firewall - 01-Mar-2016 17:49 GMT

Security Advisories & Responses - ASA 5500-X Series Firewalls

Title:
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
Description:

A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.

Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.

Cisco has released software updates that address this vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Date:
16-FEB-2016

Find additional information in Cisco Security Advisories & Responses

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance REST API Plugin
Release Version:
1.2.2
Alert Type:
New File
File Name:
asa-restapi-122200-lfbff-k8.SPA
File Description:

Rest API package 1.2.2.200 for ASA

File Release Date:
08-FEB-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2 Interim
Alert Type:
New File
File Name:
asa942-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
23-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
19-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2 Interim
Alert Type:
New File
File Name:
asa952-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
23-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.3.3 Interim
Alert Type:
Obsolete File
File Name:
asa933-2-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa933-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa933-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP

Alert Type:
Obsolete File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
22-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim

Alert Type:
Obsolete File
File Name:
asa941-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa941-7-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.1 Interim

Alert Type:
Obsolete File
File Name:
asa951-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa951-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
16-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2.200

Alert Type:
Obsolete File
File Name:
asa952-203-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASAv. Includes support for VMware, KVM, AWS, and Hyper-V. Please read the Release Note prior to downloading this release.

Obsolete Date:
02-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
Obsolete File
File Name:
asa904-35-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-37-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-33-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
26-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Alert Type:
 
Suggested:
Previously Suggested:

Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
7.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa725-15-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-11-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
16-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.3.2 Interim
Alert Type:
Obsolete File
File Name:
asa832-42-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa825-22-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.22 for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-52-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-55-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-41-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-13-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.13 for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-48-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-46-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-58-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
New File
File Name:
asa825-59-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-50-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-49-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-57-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-51-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-26-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-30-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
10-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
Obsolete File
File Name:
asa904-35-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-37-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7

Alert Type:
Obsolete File
File Name:
asa917-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
22-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
19-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Alert Type:
 
Suggested:
Previously Suggested:

Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
Obsolete File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

Obsolete Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2.153
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
04-FEB-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
19-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
Obsolete File
File Name:
asa904-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-37-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-35-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-11-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
16-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa825-52-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-58-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-55-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-26-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
New File
File Name:
asa825-59-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-22-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.22 for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-50-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-57-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-48-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-41-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-49-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-46-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-13-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.13 for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-51-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-30-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
10-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7

Alert Type:
Obsolete File
File Name:
asa917-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
22-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.3.2 Interim
Alert Type:
Obsolete File
File Name:
asa832-42-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
7.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa725-15-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Alert Type:
 
Suggested:
Previously Suggested:

Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-11-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
16-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-30-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
10-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7

Alert Type:
Obsolete File
File Name:
asa917-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
22-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
Obsolete File
File Name:
asa904-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-35-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-37-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
7.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa725-15-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
19-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa825-49-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-26-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-22-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.22 for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-50-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-55-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-48-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-52-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-51-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-13-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.13 for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
New File
File Name:
asa825-59-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-41-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-46-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-58-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-57-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.3.2 Interim
Alert Type:
Obsolete File
File Name:
asa832-42-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-8-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505. Please read the Release Note prior to downloading this release.

File Release Date:
26-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
Obsolete File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

Obsolete Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2.153
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance REST API Plugin
Release Version:
1.2.2
Alert Type:
New File
File Name:
asa-restapi-122200-lfbff-k8.SPA
File Description:

Rest API package 1.2.2.200 for ASA

File Release Date:
08-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP

Alert Type:
Obsolete File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
22-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.1 Interim

Alert Type:
Obsolete File
File Name:
asa951-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa951-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2 Interim
Alert Type:
New File
File Name:
asa942-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
23-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2.200

Alert Type:
Obsolete File
File Name:
asa952-203-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASAv. Includes support for VMware, KVM, AWS, and Hyper-V. Please read the Release Note prior to downloading this release.

Obsolete Date:
02-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
26-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
19-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.3.3 Interim
Alert Type:
Obsolete File
File Name:
asa933-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa933-2-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa933-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
16-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2 Interim
Alert Type:
New File
File Name:
asa952-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
23-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim

Alert Type:
Obsolete File
File Name:
asa941-7-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa941-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
Obsolete File
File Name:
asa904-35-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-37-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-33-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2.153
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
Obsolete File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

Obsolete Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2.153
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
Obsolete File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

Obsolete Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance REST API Plugin
Release Version:
1.2.2
Alert Type:
New File
File Name:
asa-restapi-122200-lfbff-k8.SPA
File Description:

Rest API package 1.2.2.200 for ASA

File Release Date:
08-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
Obsolete File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

Obsolete Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2.153
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7

Alert Type:
Obsolete File
File Name:
asa917-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
22-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
Obsolete File
File Name:
asa904-37-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-35-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
7.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa725-15-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.3.2 Interim
Alert Type:
Obsolete File
File Name:
asa832-42-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
19-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-11-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
16-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa825-13-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.13 for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-57-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
New File
File Name:
asa825-59-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-46-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-52-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-22-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.22 for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-55-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-48-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-49-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-51-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-41-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-50-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-58-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-26-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-30-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
10-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2.153
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
Obsolete File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

Obsolete Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.3.3 Interim
Alert Type:
Obsolete File
File Name:
asa933-2-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa933-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa933-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP

Alert Type:
Obsolete File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
22-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
16-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
19-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
Obsolete File
File Name:
asa904-35-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-33-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-37-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.1 Interim

Alert Type:
Obsolete File
File Name:
asa951-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa951-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2 Interim
Alert Type:
New File
File Name:
asa952-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
23-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2 Interim
Alert Type:
New File
File Name:
asa942-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
23-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2.200

Alert Type:
Obsolete File
File Name:
asa952-203-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASAv. Includes support for VMware, KVM, AWS, and Hyper-V. Please read the Release Note prior to downloading this release.

Obsolete Date:
02-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
26-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim

Alert Type:
Obsolete File
File Name:
asa941-7-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa941-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2.153
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
Obsolete File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

Obsolete Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance REST API Plugin
Release Version:
1.2.2
Alert Type:
New File
File Name:
asa-restapi-122200-lfbff-k8.SPA
File Description:

Rest API package 1.2.2.200 for ASA

File Release Date:
08-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
19-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-30-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

File Release Date:
10-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.3.2 Interim
Alert Type:
Obsolete File
File Name:
asa832-42-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-20 and ASA5580-40. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
Obsolete File
File Name:
asa904-35-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-37-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-33-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
16-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa825-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.13 for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-22-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.22 for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-57-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-48-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-52-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-49-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-55-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-46-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-58-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-33-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-50-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-51-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
New File
File Name:
asa825-59-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

File Release Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-26-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.26 for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-41-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP

Alert Type:
Obsolete File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
22-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP

Alert Type:
Obsolete File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
22-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
19-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
16-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim

Alert Type:
Obsolete File
File Name:
asa941-7-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa941-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
Obsolete File
File Name:
asa904-37-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-33-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-35-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2.200

Alert Type:
Obsolete File
File Name:
asa952-203-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASAv. Includes support for VMware, KVM, AWS, and Hyper-V. Please read the Release Note prior to downloading this release.

Obsolete Date:
02-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-30-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

File Release Date:
10-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2 Interim
Alert Type:
New File
File Name:
asa952-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
23-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
26-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2 Interim
Alert Type:
New File
File Name:
asa942-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
23-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa825-46-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-50-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
New File
File Name:
asa825-59-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

File Release Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-52-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-33-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-51-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-41-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-57-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-22-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.22 for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-26-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.26 for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-55-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-13-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.13 for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-58-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-49-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-48-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.1 Interim

Alert Type:
Obsolete File
File Name:
asa951-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa951-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.3.3 Interim
Alert Type:
Obsolete File
File Name:
asa933-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa933-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa933-2-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2.153
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
Obsolete File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

Obsolete Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2.153
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
Obsolete File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

Obsolete Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance REST API Plugin
Release Version:
1.2.2
Alert Type:
New File
File Name:
asa-restapi-122200-lfbff-k8.SPA
File Description:

Rest API package 1.2.2.200 for ASA

File Release Date:
08-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2.153
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
Obsolete File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

Obsolete Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2.153
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
Obsolete File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

Obsolete Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
Obsolete File
File Name:
asa904-35-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-37-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-33-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
16-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim

Alert Type:
Obsolete File
File Name:
asa941-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa941-7-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2.200

Alert Type:
Obsolete File
File Name:
asa952-203-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASAv. Includes support for VMware, KVM, AWS, and Hyper-V. Please read the Release Note prior to downloading this release.

Obsolete Date:
02-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
19-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.1 Interim

Alert Type:
Obsolete File
File Name:
asa951-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa951-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP

Alert Type:
Obsolete File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
22-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
26-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2 Interim
Alert Type:
New File
File Name:
asa952-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
23-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.3.3 Interim
Alert Type:
Obsolete File
File Name:
asa933-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa933-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa933-2-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2 Interim
Alert Type:
New File
File Name:
asa942-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
23-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa825-58-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-22-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.22 for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-55-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-57-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-13-k8.bin
File Description:

Cisco Adaptive Security Appliance Software version 8.2.5.13 for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-46-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-49-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-50-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-52-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-41-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-48-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-26-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016
Alert Type:
New File
File Name:
asa825-59-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
13-FEB-2016
Alert Type:
Obsolete File
File Name:
asa825-51-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
13-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-4-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
19-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
Obsolete File
File Name:
asa904-33-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-37-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-35-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.3.2 Interim
Alert Type:
Obsolete File
File Name:
asa832-42-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the 5505, 5510, 5520, 5540, and 5550. Note 5505-5540 may require memory upgrades prior to loading 8.3.2 image. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
7.2.5 Interim
Alert Type:
Obsolete File
File Name:
asa725-15-k8.bin
File Description:

Cisco Adaptive Security Appliance Software. Read Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-11-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
16-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7

Alert Type:
Obsolete File
File Name:
asa917-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

Obsolete Date:
22-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-30-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
10-FEB-2016

Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2.153
Alert Type:
New File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

File Release Date:
04-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Device Manager
Release Version:
7.5.2
Alert Type:
Obsolete File
File Name:
asdm-752-153.bin
File Description:

Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.

Obsolete Date:
04-FEB-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance REST API Plugin
Release Version:
1.2.2
Alert Type:
New File
File Name:
asa-restapi-122200-lfbff-k8.SPA
File Description:

Rest API package 1.2.2.200 for ASA

File Release Date:
08-FEB-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2.200

Alert Type:
Obsolete File
File Name:
asa952-203-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASAv. Includes support for VMware, KVM, AWS, and Hyper-V. Please read the Release Note prior to downloading this release.

Obsolete Date:
02-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
Obsolete File
File Name:
asa904-37-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-33-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa904-35-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.3.3 Interim
Alert Type:
Obsolete File
File Name:
asa933-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa933-2-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa933-1-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.1 Interim

Alert Type:
Obsolete File
File Name:
asa951-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa951-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-4-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
19-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-8-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
26-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
16-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2 Interim
Alert Type:
New File
File Name:
asa942-11-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
23-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.5.2 Interim
Alert Type:
New File
File Name:
asa952-5-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
23-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.1 Interim

Alert Type:
Obsolete File
File Name:
asa941-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016
Alert Type:
Obsolete File
File Name:
asa941-7-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
12-FEB-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7.SMP

Alert Type:
Obsolete File
File Name:
asa917-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

Obsolete Date:
22-FEB-2016

Find additional information in Software Downloads index.

Known Bugs - ASA 5500-X Series Firewalls

Alert Type:
Updated *
Bug Id:
CSCuu84085
Title:
DHCP-DHCP Proxy thread traceback shortly after failover and reload
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
Crash as soon as the standby unit becomes primary

Conditions:
DHCP configured on ASA running 9.1(6)5 or 9.1(6)6.

Workaround:
Downgrade to 9.1(6)4

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
100.14(0.16), 100.14(0.30), 100.14(0.42)
Known Fixed Releases: *
100.12(0.131), 100.13(0.81), 100.14(0.49), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.54), 100.15(3.9)
Alert Type:
Updated *
Bug Id:
CSCur87011
Title:
ASA low DMA memory on low end ASA-X -5512/5515 devices
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA stops accepting new SSL connections - ASDM / webvpn / AnyConnect

Conditions:
The issue is seen when the following conditions are met:

1) ASA next generation devices - ASA 5512, ASA 5515
2) SFP module installed on the ASA
3) ASA software 9.2.x or 9.3.1
4) WebVPN configured on an interface

Workaround:
None

Further Problem Description:
Memory was not sufficient, so we increased DMA memory

Last Modified:
29-FEB-2016
Known Affected Releases:
9.0, 9.2(1), 9.3(1), 9.3(3.2)
Known Fixed Releases: *
100.12(0.155), 100.13(0.122), 100.15(0.107), 100.16(0.18), 100.16(1.97), 100.16(14.1), 9.3(3.8), 9.4(2.5), 9.4(2.99), 9.6(0.52)
Alert Type:
Updated *
Bug Id:
CSCuy32321
Title:
Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback in thread name ldap_client_thread

Conditions:
VPN authentication with ldap attribute mapping and the "password-management password-expire-in-days" feature.

Workaround:
Disable the password-management feature, or at least the password-expire-in-days warning.

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.4(2.6)
Known Fixed Releases: *
100.13(0.131), 9.2(4.7), 9.4(2.101), 9.4(2.8), 9.6(0.109), 96.1(1.80), 96.2(1.133), 97.1(1.2)
Alert Type:
Updated *
Bug Id:
CSCuv50709
Title:
Standby ASA inside IP not reachable after Anyconnect disconnect
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After Anyconnect VPN is disconnected, standby inside IP is not reachable from active unit or from LAN hosts.

In order to make it reachable again, issue write standby or reconnect VPN again

Conditions:
ASA pair in failover with Anyconnect VPN connecting to the outside interface

Workaround:
write standby or reconnect VPN again

Further Problem Description:
The standby ASA becomes unreachable (inside IP) after disconnecting the Anyconnect VPN Client. Reconnecting VPN or "wr standby" resolves the issue.

When customer disconnects Anyconnect Client session with the outside interface of the ASA, the inside interface of ASA starts dropping traffic with following logs :

Jun 10 12:49:14 192.168.5.21 %ASA-4-113019: Group = XXXX, Username = XXXX, IP = x.x.x.x, Session disconnected. Session Type: SSL, Duration: 0h:20m:55s, Bytes xmt: 0, Bytes rcv: 110890, Reason: User Requested
Jun 10 12:49:14 192.168.5.21 %ASA-4-737032: IPAA: Unable to remove x.x.x.x from standby: address not found

Jun 10 12:49:14 192.168.5.21 %ASA-4-106023: Deny icmp src inside:x.x.x.x dst inside:y.y.y.y (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]
Jun 10 12:49:19 192.168.5.21 %ASA-4-106023: Deny icmp src inside::x.x.x.x dst inside:y.y.y.y (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]
Jun 10 12:49:24 192.168.5.21 %ASA-4-106023: Deny icmp src inside::x.x.x.x dst inside:y.y.y.y (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]
Jun 10 12:49:29 192.168.5.21 %ASA-4-106023: Deny icmp src inside::x.x.x.x dst inside:y.y.y.y (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]

ACL lookup should not happen for self traffic, but even if we add an ACL line to permit the traffic, the drop reason in packet tracer is: Drop-reason: (fo-standby) Dropped by standby unit

Pings work under normal conditions from active to standby and from lan hosts.

>> Pings work also when anyconnect client is connected.

ASA# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username : xxxx Index : 147
Assigned IP : 44.22.254.154 Public IP : 194.98.70.113
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 13276 Bytes Rx : 96649
Group Policy : xxxx Tunnel Group : xxxx
Login Time : 14:08:02 CEDT Thu Jun 11 2015
Duration : 0h:07m:18s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a805130009300055797a22
Security Grp : none


syhana-validation/pri/act# ping 192.168.5.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

>> After Anyconnect is disconnected, standby ip becomes unreachable.


syhana-validation/pri/act# sh vpn-sessiondb anyconnect
INFO: There are presently no active sessions

syhana-validation/pri/act#
syhana-validation/pri/act#
syhana-validation/pri/act#
syhana-validation/pri/act# ping 192.168.5.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.21, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

If Anyconnect VPN is connected again, standby is reachable.
Customer has tried with 2 simultaneous Anyconnect clients. Disconnected first. Standby is reachable.
Disconnected second VPN. Standby is Unreachable

The ide

Last Modified:
29-FEB-2016
Known Affected Releases:
9.2
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.107), 100.14(0.76), 100.15(0.34), 100.15(16.8), 100.15(17.12), 100.15(3.60), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCuv87760
Title:
Unicorn proxy thread traceback with RAMFS processing
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback in Unicorn Proxy Thread while using WebVPN.

Conditions:
Cisco ASA running release 9.3.3.223 with WebVPN enabled.

Workaround:
None.

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.2(4), 9.3(3), 9.3(3.223), 9.4(1.112), 9.4(1.5)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.14(5.34), 100.15(0.32), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15)
Alert Type:
Updated *
Bug Id:
CSCuu61573
Title:
9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback on slave unit in cluster after running large amounts of fragmented traffic through the device.

Conditions:
Cisco ASA running release 9.1.6 in a 4-node cluster configured for L2 mode.

Workaround:
None

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
100.13(0.31), 100.15(1.11), 9.0(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.144), 100.13(0.96), 100.14(0.71), 100.15(0.24), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45), 100.15(6.29)
Alert Type:
Updated *
Bug Id:
CSCuv87150
Title:
ASA traceback in Thread Name: fover_parse (ak47/ramfs)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA 5525 running version 9.5(1) crashing in Thread Name: fover_parse (ramfs)

Conditions:
ASA is in failover pair.

Workaround:
No workaround

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.4(1.5), 9.5(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.14(5.34), 100.15(0.45), 100.15(17.20), 100.15(3.69), 100.15(8.17), 100.16(0.3)
Alert Type:
Updated *
Bug Id:
CSCuv42720
Title:
Egress ACL with ICMP Types Misbehaving.
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Configuring an ACL on the outbound port of a device may cause some traffic to be dropped even though the ACL policy permits the dropped packet(s).

Conditions:
The following policy applied to the outbound port will drop packets with Types 2-129.

ASA5506X# show run access-list
access-list unh-out extended permit icmp6 any6 any6 unreachable 0
access-list unh-out extended permit icmp6 any6 any6 unreachable 1
access-list unh-out extended permit icmp6 any6 any6 unreachable 2
access-list unh-out extended permit icmp6 any6 any6 unreachable 3
access-list unh-out extended permit icmp6 any6 any6 unreachable 4
access-list unh-out extended permit icmp6 any6 any6 unreachable 5
access-list unh-out extended permit icmp6 any6 any6 unreachable 6
access-list unh-out extended permit icmp6 any6 any6 packet-too-big 0
access-list unh-out extended permit icmp6 any6 any6 time-exceeded 0
access-list unh-out extended permit icmp6 any6 any6 time-exceeded 1
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 0
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 1
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 2
access-list unh-out extended permit icmp6 any6 any6 echo 0

%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 2, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 3, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 3, code 1) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 1) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 2) by access-group "unh-out" [0x0, 0x0]

ASA5506X# show access-list unh-out
access-list unh-out; 14 elements; name hash: 0x91e2c362
access-list unh-out line 1 extended permit icmp6 any6 any6 unreachable 0 (hitcnt=0) 0x4e0ab796
access-list unh-out line 2 extended permit icmp6 any6 any6 unreachable 1 (hitcnt=20) 0xa549de20
access-list unh-out line 3 extended permit icmp6 any6 any6 unreachable 2 (hitcnt=0) 0x3e3005b5
access-list unh-out line 4 extended permit icmp6 any6 any6 unreachable 3 (hitcnt=0) 0x60363c63
access-list unh-out line 5 extended permit icmp6 any6 any6 unreachable 4 (hitcnt=0) 0xeb98c4e3
access-list unh-out line 6 extended permit icmp6 any6 any6 unreachable 5 (hitcnt=0) 0x4b9b65f1
access-list unh-out line 7 extended permit icmp6 any6 any6 unreachable 6 (hitcnt=0) 0x53e45a3f
access-list unh-out line 8 extended permit icmp6 any6 any6 packet-too-big 0 (hitcnt=0) 0x9b62e1db
access-list unh-out line 9 extended permit icmp6 any6 any6 time-exceeded 0 (hitcnt=0) 0x5362e1e1
access-list unh-out line 10 extended permit icmp6 any6 any6 time-exceeded 1 (hitcnt=0) 0xf7a7cc36
access-list unh-out line 11 extended permit icmp6 any6 any6 parameter-problem 0 (hitcnt=0) 0x453e9232
access-list unh-out line 12 extended permit icmp6 any6 any6 parameter-problem 1 (hitcnt=0) 0x780a5e2e
access-list unh-out line 13 extended permit icmp6 any6 any6 parameter-problem 2 (hitcnt=0) 0x4a0104ef
access-list unh-out line 14 extended permit icmp6 any6 any6 echo 0 (hitcnt=0) 0xf50e5b9d
ASA5506X#
ASA5506X# show runn access-group
access-group unh-out out interface priv

Workaround:
None

Further Problem Description:
N/A

Last Modified:
29-FEB-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.120), 100.14(0.83), 100.15(0.89), 100.15(20.17), 100.16(0.9), 100.16(1.36), 100.16(14.1), 100.16(15.1), 100.16(15.5), 9.4(1.7)
Alert Type:
Updated *
Bug Id:
CSCuw92005
Title:
Thread Name: DATAPATH-17-3095: Unit reboots when joining cluster
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA running 9.4.2 may reboot when attempting to join a cluster

Conditions:
ASA configured for Cluster

Workaround:
None at this time

Further Problem Description:

Last Modified:
01-MAR-2016
Known Affected Releases:
9.4(2), 9.5(1)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.124), 100.15(0.109), 100.16(0.19), 100.8(40.113), 9.2(4.6), 9.3(3.8), 9.4(2.191), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCux29929
Title:
ASA 9.4.2 traceback in DATAPATH
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
Traceback within a tcp keepalive timeout.

Conditions:
One piece of a TLS or DTLS connection hits a DPD timeout.

Then a second piece of the connection hits a TCP Keepalive timeout.

Timing between the two events matters; more time passing increases the likelihood of hitting this crash.

Workaround:
Increase DPD timeouts.

Further Problem Description:

Last Modified:
01-MAR-2016
Known Affected Releases: *
9.1(6), 9.2(3), 9.4(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu02848
Title:
Disable ECDSA SSL Ciphers When Manually Configuring RSA Cert for SSL
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
-Starting in 9.4(x) releases, by default the ASA will attempt to negotiate an ECDSA cipher for TLSv1.2 and offer the ASA temporary self-signed ECDSA certificate to the client
-If an RSA certificate is specified in the configuration, it will only be used if an RSA cipher is decided upon
-This means that if we wish to use an explicitly configured RSA certificate, we must manually disable the ECDSA ciphers as discussed in the 9.4(x) release notes: http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#pgfId-116497

-This enhancement is to change this behavior and make SSL deployment easier
-Ideally, the ECDSA ciphers should be automatically disabled when an RSA certificate is specified in the configuration.

Conditions:
-ASA running 9.4(x) or newer which has support for ECDSA certificate usage with SSL
-SSL services configured (SSLVPN, ASDM, HTTPS, etc.)
-RSA certificate for SSL ("ssl trust-point SSL_CERT_TRUSTPOINT")
-Default settings for SSL ciphers ("show ssl ciphers")

Workaround:
-Disable ECDSA ciphers for TLSv1.2, as discussed in the ASA 9.4(x) release notes
-Choose to use an ECDSA certificate for SSL rather than an RSA certificate

Further Problem Description:
N/A

Last Modified:
29-FEB-2016
Known Affected Releases:
9.4, 9.4(1), 9.5(1)
Known Fixed Releases: *
100.13(0.113), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.4), 100.15(8.18), 100.16(0.4), 100.16(1.10), 9.4(2.1)
Alert Type:
Updated *
Bug Id:
CSCuy09689
Title:
ASA stops processing DHCP Offers in an IKEv1 based RAVPN setup
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
Even though DHCP Offers reach the ASA, these are not processed and thus IPSec VPN session negotiation fails for the entire defined user base. Failure occurs during IKE MODE_CFG and the following syslog message is logged: %ASA-ipaa-7-737001: IPAA: Received message 'UTL_IP_DHCP_INVALID_ADDR'

Conditions:
ASA IKEv1 based RA IPSec VPN solution using external DHCP servers for address allocation.
A network scope attribute is defined in the group policy.
ASA SW 9.1.6

Workaround:
Either replace the value of the dhcp-network-scope in the group-policy with another one,
or replace the value of the dhcp-network-scope in the group-policy with another one and then set it back to the original value. Both options are valid workarounds.

Further Problem Description:

Last Modified:
03-FEB-2016
Known Affected Releases:
9.1(6.6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus78450
Title:
ASA cert validation fails when suitable TP is above the resident CA cert
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When a client tries to authenticate by sending the cert chain, in this case Client-ID and Sub-CA certificate, because the Sub-CA TP has "no validation-usage" configured, ASA picks up Root-CA TP to validate the certificate chain.

When such a condition occurs, where the validating trustpoint is higher in the hierarchy compared to the highest CA certificate [sent by the client in the certificate chain] resident on the ASA.

Conditions:
ASA running on a version that contains the fix for CSCuq53421 such as 9.1(5)15, 9.3(2), 9.4(1).
Also, the client certificate is issued at least by a first-level subordinate CA, i.e. the client certificate hierarchy should be at least 3 levels:
Root -- Sub --- Client-ID

ASA is configured to authenticate clients using their ID certificate.

ASA would have Sub and Root CA loaded.
ASA should end up picking Root CA TP in order to validate the client cert chain.

For example:
the Sub-CA TP could have "no validation-usage" configured

Workaround:
Make sure the validating trustpoint is the same as the highest CA in the client certificate chain

Further Problem Description:

Last Modified:
04-FEB-2016
Known Affected Releases:
9.1(5.16)
Known Fixed Releases: *
100.11(0.58), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.13(29.28), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11)
Alert Type:
Updated *
Bug Id:
CSCus30833
Title:
ASA: Page fault traceback in SXP CORE thread
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA configured for CTS may generate a traceback and reload. The traceback will contain the following strings:

Thread Name: SXP CORE
Page fault: Unknown

Conditions:
The ASA must be configured to receive and process SXP packets from one or more devices. For example:

cts sxp enable
cts sxp connection peer 192.168.110.100 password none mode peer speaker

Workaround:
There is no known workaround at this time.

Further Problem Description:

Last Modified:
04-FEB-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.55), 100.12(0.111), 100.13(0.15), 100.13(1.38), 100.13(19.9), 100.13(21.6), 100.13(23.5), 100.13(24.4), 100.8(40.94), 9.1(6.9)
Alert Type:
Updated *
Bug Id:
CSCus64082
Title:
ASA fails to sync objects with name ANY after upgrade from 8.4 to 9.x
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Standby ASA fails to sync objects with name ANY used in ACE after the zero downtime upgrade from 8.4.x/8.6.x to 9.x.

The below errors are seen on the console during the configuration replication:
ERROR: specified object does not exist
ERROR: object () does not exist.

Due to missing configuration the standby ASA may enter into a boot loop.

Conditions:
ASA configured with object name ANY and that object is used in an access-list.

object network ANY
subnet 0.0.0.0 0.0.0.0

access-list outside-in extended permit tcp object ANY host

Workaround:
1. Use any other object name apart from 'ANY'
2. Rather than using object name 'ANY' use keyword 'any' in ACL configuration
3. Upgrade both the ASAs at the same time

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
04-FEB-2016
Known Affected Releases:
9.1(2), 9.1(5)
Known Fixed Releases: *
100.11(0.56), 100.8(40.95), 9.0(4.31), 9.1(6.2), 9.1(6.99), 9.1(7), 9.2(3.101), 9.2(4)
Alert Type:
Updated *
Bug Id:
CSCut44075
Title:
Traceback in snp_cluster_get_buffer
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback in snp_cluster_get_buffer

Conditions:
Single or two node cluster

Workaround:
none

Further Problem Description:

Last Modified:
04-FEB-2016
Known Affected Releases:
9.0, 9.3(2.101), 9.4(0.117)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.15), 100.14(26.6)
Alert Type:
Updated *
Bug Id:
CSCut30741
Title:
ASA redirection to Scansafe tower fails with log id "775002" in syslog
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA redirection to Scansafe tower fails with log id "775002" in syslog even when the platform limit for connections was not reached.

Conditions:
Was noticed in version 9.0(2) but could affect any release.

Workaround:
None

Further Problem Description:

Last Modified:
04-FEB-2016
Known Affected Releases:
9.0(2)
Known Fixed Releases: *
100.11(0.57), 100.12(0.116), 100.13(0.52), 100.13(21.9), 100.13(29.28), 100.14(0.4), 100.14(1.4), 100.14(10.7), 100.14(11.7), 100.14(2.9)
Alert Type:
Updated *
Bug Id:
CSCus51289
Title:
ASA: Traceback when removing manual NAT rule
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA: Traceback when removing manual NAT rule

Conditions:
The user must be removing a manual NAT rule from the configuration with the following characteristics:

1. The destination portion of the rule must contain an object with a large range of addresses
and
2. The rule must contain a service object

An example rule that may trigger this crash is:

object network src
host 192.168.10.1
object network dest
range 10.0.0.0 10.255.255.255
object service port
service tcp source eq 80
nat (inside,outside) source static src src destination static dest dest service port port
no nat (inside,outside) source static src src destination static dest dest service port port

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
04-FEB-2016
Known Affected Releases:
8.4(5), 9.1(6)
Known Fixed Releases: *
100.11(0.55), 100.12(0.111), 100.13(0.22), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(12.1), 100.14(2.1)
Alert Type:
Updated *
Bug Id:
CSCsw20002
Title:
Cmd replication gets out of sync if config t is executed in sub-menu.
Status:
Terminated
Severity:
2 Severe
Description:


Symptom:

Standby ASA parser command out of sync with active ASA

Conditions:

ASA running failover. The active ASA is already in sub-command mode when
the standby ASA joins the HA cluster, or the active ASA did not issue the
exit command to get out of sub-command mode.





Workaround:

Always start in main mode when the standby ASA has just joined the ASA cluster.
If the standby ASA is stuck in the sub-mode, use the exit command to bring it
back to main mode.


Further Problem Description:












Last Modified:
04-FEB-2016
Known Affected Releases: *
100.7(0.29), 7.0(7), 9.5(0.106), 96.1(1.59)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux98895
Title: *
ASA traceback in Thread Name: IPv6 ND
Status:
Terminated
Severity:
2 Severe
Description:

Symptom:
ASA crash in Thread Name: IPv6 ND

Conditions:
IPv6 address configured on the ASA.

Workaround:
No workaround

Further Problem Description:

Last Modified:
09-FEB-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux82835
Title:
Nat pool exhausted observed when enabling asp transactional-commit nat
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Syslogs observed:

%ASA-3-202010: NAT pool exhausted. Unable to create ICMP connection from inside:90.90.90.2/0 to outside:4.2.2.2/0
%ASA-3-202010: NAT pool exhausted. Unable to create ICMP connection from inside:90.90.90.2/0 to outside:4.2.2.2/0
%ASA-3-202010: NAT pool exhausted. Unable to create TCP connection from inside:90.90.90.2/49167 to outside:10.105.130.1/80
%ASA-3-202010: NAT pool exhausted. Unable to create TCP connection from inside:90.90.90.2/49167 to outside:10.105.130.1/80


The UDP section is also missing from the NAT pool output:

ciscoasa# show nat pool
TCP PAT pool outside, address 10.105.130.199, range 1-511, allocated 1
TCP PAT pool outside, address 10.105.130.199, range 512-1023, allocated 0
TCP PAT pool outside, address 10.105.130.199, range 1024-65535, allocated 0


ciscoasa# show run all xlate
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
xlate block-allocation size 512
xlate block-allocation maximum-per-host 4

Conditions:
1. asp rule-engine transactional-commit nat is enabled on the ASA.
2. At least one static nat rule is created for port forwarding for the same public pool IP.

Workaround:
Disable asp transactional commit and then reload the ASA.

Further Problem Description:

Last Modified:
18-FEB-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
96.1(1.65), 96.2(1.117)
Alert Type:
Updated *
Bug Id:
CSCut10078
Title:
Standby ASA does not apply OSPF route after config replication
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Standby unit was not following the OSPF routes that were replicated from the Active unit and installed in its routing table. For example, when trying to ping 10.202.7.135 from the Standby unit the ASA claimed it had no route to the host:

Conditions:
OSPF configured on active/standby ASA 5555 pair running 9.1.5.21

Workaround:
A 'write standby' from the Active unit to force a bulk sync fixes the problem, though the routing table doesn't seem to change. I was able to reproduce the problem several times.

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.1(5.21)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.13(29.28), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12)
Alert Type:
Updated *
Bug Id:
CSCuu86195
Title:
conn-max counter is not decreased accordingly
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Problem description:
- after the maximum number of TCP connections for a class-map is exceeded, the counter for the active connections ("current conns") starts to decrease into negative values
- all the new connections that are matching our configured policy are dropped even if we are not exceeding the number of configured connections
%ASA-3-201011: Connection limit exceeded -36/30 for input packet from 10.100.48.4/54675 to 172.29.41.10/8443 on interface in

Similar scenarios:
- legitimate connections are dropped when the counter:
- "current conns" is decreased into negative values; Ex: -36/30
- "current conns" is not dropping to zero (after all the connections are closed) and is stuck at a random value; Ex: 26/30 --> just 4 new connections are allowed
- "current conns" is going over the maximum value and is not dropping to zero (after all the connections are closed); Ex: 32/30

Conditions:
Issue observed in ASA software versions 9.2.2 and 9.2.24 (tested versions), for TCP traffic only.

Workaround:
N/A

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.2(2), 9.2(2.4)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCuv12884
Title:
Unable to authenticate with remove aaa-server from different context
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Authentication error on a context when the aaa-server config is removed from a different context.

Conditions:
- Some contexts are using the same LDAP server.

Workaround:
ASA reload

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
8.6(1), 9.1(5), 9.2(3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.136), 100.13(0.89), 100.14(0.67), 100.14(16.8), 100.14(5.32), 100.15(0.21), 100.15(1.38), 100.15(10.4), 100.15(15.2)
Alert Type:
Updated *
Bug Id:
CSCut15570
Title:
Anyconnect SSL VPN certificate authentication fails on ASA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Anyconnect SSL VPN certificate authentication fails on ASA

Conditions:
-- certificate authentication
-- in debug crypto ca the following error is observed:

CERT-C: I pkixpath.c(1170) : Error #72

Workaround:

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.1(1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.13(29.28), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11)
Alert Type:
Updated *
Bug Id:
CSCuw00971
Title:
ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
--- URL redirect is not working for clients connected via ra vpn clients

The url redirect feature is used to support some ISE posture assessment flows

Conditions:
--- ISE using the posture assessment feature
------ ISE 1.3 is more likely to require long url-redirect attributes
--- ASA 9.2.1 and above (ISE posture assessment not supported on ASA versions <9.2.1)
--- RA vpn client

Workaround:
--- Use Anyconnect SSL VPN client

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.2(1), 9.5(2)
Known Fixed Releases: *
100.11(0.62), 100.12(0.146), 100.13(0.98), 100.14(0.73), 100.14(16.8), 100.14(5.32), 100.15(0.26), 100.15(1.79), 100.15(16.3), 100.15(17.1)
Alert Type:
Updated *
Bug Id:
CSCur09141
Title:
RRI static routing changes not updated in routing table
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Clearing the crypto config for a S2S tunnel does not remove the static reverse route from the routing table. We can see stuck route in the routing table.

Conditions:
RRI being used with static crypto map for a S2S tunnel. The crypto map config is removed using the clear config command.

Workaround:
None.

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.12(0.131), 100.13(0.81), 100.14(0.48), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.53), 100.15(3.9)
Alert Type:
Updated *
Bug Id:
CSCuv01177
Title:
ASA: traceback in IDFW AD agent
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA5585 in failover pair may traceback in IDFW process.

Conditions:
ASA running IDFW features.

Workaround:
Disable IDFW.

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCut12513
Title:
ASA allows citrix ICA connection without authentication
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Cisco ASA Clientless SSL VPN integration with Citrix includes the download of a .ica file from the Citrix server and serving this to the client.
The .ica file includes a session token to connect to the Citrix server.

This file is stored on the client pc and deleted by the Citrix client once the session with Citrix is terminated.

If this file is copied to a different machine, it can be reused to connect to the Citrix server via the Clientless SSL VPN feature without requiring authentication, as long as the session of the user who initially authenticated to the Clientless SSL VPN Portal is still active.

Conditions:
The file needs to be copied from the initial pc and the authenticated user session should still be active.

Workaround:
none


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:


Last Modified:
19-FEB-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.13(29.28), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.15)
Alert Type:
Updated *
Bug Id:
CSCuu78835
Title:
Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
On the latest Atlassian version, 6.4.5, for Confluence, we have the following issues when using it over clientless SSL:

1. For a new "create content" page, only the title of the page can be added, the body of the page is not editable.
2. When trying to add a comment, the body of the comment is missing, so cannot add anything.

Conditions:
Using Atlassian version 6.4.5 for Confluence

Workaround:
Use the older versions of Atlassian

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
100.8(40.67), 9.2(2), 9.3(2), 9.3(3.229), 9.4(1)
Known Fixed Releases: *
100.12(0.132), 100.13(0.82), 100.14(0.57), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCti05769
Title:
Migration of max_conn/em_limit to MPF is completely wrong in 8.3
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Migration to Modular Policy Framework may yield an incorrect configuration. This may result in loss of TCP Intercept protection against SYN
floods coming from the outside as MPF limits are configured in incorrect direction. Protection against server overloading may also be lost
because the migrated configuration incorrectly limits the number of outbound established connections from the server to the outside.

Conditions:

Workaround:
Configuration, created by migration process, must be removed and limits must be set manually via MPF and in proper direction.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
19-FEB-2016
Known Affected Releases:
8.3(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCuv38654
Title:
rewriter returns 302 for a file download
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Clientless rewriter erroneously returns a 302 error code

Conditions:
Downloading a file from a rewritten page

Workaround:
Unknown, none

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.4(1.4)
Known Fixed Releases: *
100.11(0.61), 100.12(0.137), 100.13(0.91), 100.13(29.28), 100.14(0.68), 100.14(16.4), 100.14(5.27), 100.15(0.22), 100.15(1.42), 100.15(10.4)
Alert Type:
Updated *
Bug Id:
CSCuu27334
Title:
ASA: Traceback with Thread Name - AAA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA device Traceback with Thread Name:- AAA

Conditions:
ASA device running ASA 9.1(4) version

Workaround:
Upgrade to 9.1.6.4 or later.

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.1(4)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.13(29.28), 100.14(0.33), 100.14(5.18), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53)
Alert Type:
Updated *
Bug Id:
CSCuu45813
Title:
ASA Name Constraints dirName improperly verified
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When performing the SCEP enrollment to the CA that contains Name Constraints x509 extension with a dirName constraint, the ASA fails with the error:
CERT-C: I pkixpath.c(2726) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received

Conditions:

Workaround:

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.38), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCut95793
Title:
ASA: Anyconnect IPv6 Traceroute does not work as expected
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceroute does not work as expected while connected with the AnyConnect VPN client to an ASA running software version 9.0(4)30. Traceroute completes but does not show intermediate hops; instead, an asterisk "*" is shown for each intermediate hop.

Conditions:
Anyconnect 3.1.05170
ASA 9.0.4(30), 9.1(4)

Workaround:
None

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.0(4.30)
Known Fixed Releases: *
100.11(0.61), 100.12(0.137), 100.13(0.93), 100.14(0.69), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.49), 100.15(15.11), 100.15(16.1)
Alert Type:
Updated *
Bug Id:
CSCut01856
Title:
ASA dropping traffic with TCP syslog configured in multicontext mode
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA dropping traffic in multiple-context mode with TCP syslog server unreachable.

Conditions:
-ASA in multiple context mode
-TCP syslog server configured on one of the contexts.
-"no logging permit host-down" configured on a context.

Workaround:
Removing the context that has the issue and adding it back makes the issue go away.

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.2(2.8)
Known Fixed Releases: *
100.11(0.58), 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.13(29.28), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38)
Alert Type:
Updated *
Bug Id:
CSCuv45756
Title:
ASA may traceback when displaying packet capture with trace option
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback.

Conditions:
ASA running 9.4(1) displaying captures with trace detail option.

Workaround:
Avoid using trace detail option in captures.

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.140), 100.13(0.94), 100.14(0.70), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.56), 100.15(16.1), 100.15(2.86)
Alert Type:
Updated *
Bug Id:
CSCuv10938
Title:
'redistribute' cmds under 'router eigrp' removed on deleting any context
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
'redistribute' commands under 'router eigrp' removed from unrelated contexts when deleting any context with EIGRP configured and redistribution enabled. Error of following format is seen on ASA's console:

ERROR: unable to locate route-map

Conditions:
1. ASA is multiple context mode.
2. More than one context on the ASA has EIGRP enabled with redistribution configured.
3. Issue seen on deleting any of the contexts that meet the criteria in point 2 above using command "no context ".

Workaround:
None apart from re-adding all those commands back manually.

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.85), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.62)
Alert Type:
Updated *
Bug Id:
CSCuu46569
Title:
ASA CA certificate import fails with different types of Name Constraints
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When performing the SCEP enrollment to the CA that contains Name Constraints x509 extension with a URI or DNS constraint, the ASA fails with the error:
CERT-C: I pkixpath.c(2726) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received

Conditions:

Workaround:

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.38), 100.15(0.13), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCuu56912
Title:
ASA change non-default port to 443 for https traffic redirected to CWS
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA change non-default port to 443 for https traffic redirected to CWS

When the user types the URL https://X.X.X.X:YYYY in a web browser, debug scansafe generates
...
Complete Connect Method (513)
CONNECT X.X.X.X:443 HTTP/1.0
HOST: X.X.X.X:443
...

For traffic captured on the outside interface towards the CWS tower, Wireshark's 'Follow TCP Stream' view displays
CONNECT X.X.X.X:443 HTTP/1.0
HOST: X.X.X.X:443

Conditions:
ASA is configured to redirect non-default port for https traffic to CWS.

Workaround:
NONE

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.0, 9.1, 9.4
Known Fixed Releases: *
100.12(0.129), 100.13(0.79), 100.13(29.28), 100.14(0.39), 100.14(16.1), 100.14(5.19), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCut39985
Title:
Per-session PAT RST sent to incorrect direction after closing session
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When Per-session PAT is configured, RST,ACK is sent to the non-close-initiator side after closing a TCP session. It should be sent to the close-initiator side (the device which sends FIN first).

xlate per-session permit tcp any4 any4
no xlate per-session deny tcp any4 any4

Conditions:
Per-session PAT is configured like below

xlate per-session permit tcp any4 any4
no xlate per-session deny tcp any4 any4

Workaround:
Disable Per-session PAT

xlate per-session deny tcp any4 any4

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.1
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.65), 100.13(21.13), 100.14(0.9), 100.14(10.11), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13)
Alert Type:
Updated *
Bug Id:
CSCuv05386
Title:
Clientless webvpn on ASA does not display asmx files
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Clientless user selects bookmark from webportal. The page does not display correctly, there is a portion of the page that is garbled or is missing text

Conditions:
-Clientless user authenticates to the webportal, then selects bookmark that points to internal HTTP site.
-The user sees garbled or incomplete text returned from the ASA.

Workaround:
Smart Tunnel resolves the issue.
Using the stand alone AC client resolves the issue.

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.61), 100.12(0.136), 100.13(0.90), 100.14(0.68), 100.14(16.8), 100.14(5.32), 100.15(0.22), 100.15(1.42), 100.15(10.4), 100.15(15.4)
Alert Type:
Updated *
Bug Id:
CSCtg74172
Title:
Can get around dynamic-filter by using caps in domain name
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The Cisco ASA BTF feature should not be case sensitive. A user can get around the BTF feature by using capital letters in domain names.

Conditions:
Configuring white and black lists for BTF

Workaround:

Not known

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
23-FEB-2016
Known Affected Releases:
8.2(2.12)
Known Fixed Releases: *
100.11(0.62), 100.12(0.145), 100.13(0.97), 100.14(16.8), 100.14(5.32), 100.15(0.25), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45)
Alert Type:
Updated *
Bug Id:
CSCti76899
Title:
rtcli: traceback in rtcli async executor process, eip ci_set_mo
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:

ASA crash

Conditions:

"export ... stdout" CLI commands that were issued on the Active and Standby as part of a backup procedure

Workaround:

none

Last Modified:
24-FEB-2016
Known Affected Releases:
8.0(5.9)
Known Fixed Releases:
100.5(5.45), 100.7(0.65), 100.7(6.10), 100.7(8.1), 8.0(5.21), 8.1(2.49), 8.2(4.2), 8.2(5), 8.3(2.8), 8.4(0.99)
Alert Type:
Updated *
Bug Id:
CSCuw55813
Title:
Standby ASA traceback in Thread Name: EIGRP-IPv4
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Standby ASA crashing in Thread Name: EIGRP-IPv4

Conditions:
ASA failover pair running EIGRP.

Workaround:
no workaround

Further Problem Description:

Last Modified:
25-FEB-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.13(0.130), 9.3(3.8), 9.4(2.101), 9.6(0.101), 96.1(1.76), 96.2(1.128)
Alert Type:
New
Bug Id:
CSCuy46176
Title:
ASA Crashed during transition to active during upgrade with traceback
Status:
Open
Severity:
2 Severe
Description:

Symptom:
Customer was in the process of upgrading a pair of our customer's firewalls from 9.1.6 to 9.1.7. They first reloaded the standby firewall into the new code without issue. However, once making the standby firewall active, it would immediately crash and generate the below traceback.

fw/sec/act# failover active


Switching to Active
fw/sec/act#
fw/sec/act#
fw/sec/act#
Thread Name: Dispatch Unit
Page fault: Address not mapped
vector 0x0000000e
edi 0x111d8f86
esi 0x00000000
ebp 0x73f49c88
esp 0x73f49bf0
ebx 0x7b3f395c
edx 0x00000000
ecx 0x6d925b40
eax 0x00000000
error code 0x00000004
eip 0x08a1c247
cs 0x00000073
eflags 0x00013246
CR2 0x0000002c

Conditions:
The crash occurs when the ASA is running 9.1.7 and the customer tries to make it active.

Workaround:
No Workarounds

Further Problem Description:
Na

Last Modified:
25-FEB-2016
Known Affected Releases:
9.1(7)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuy47428
Title:
ASA reload in Thread Name: websns_rcv_tcp
Status:
Open
Severity:
2 Severe
Description:

Symptom:
ASA reloads in Thread Name: websns_rcv_tcp when configuring WebSense url-server server

Conditions:
ASA version 9.1.6.8

Workaround:
NA

Further Problem Description:

Last Modified:
25-FEB-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux81683
Title:
ASA Traceback on Thread Name: Unicorn Admin Handler
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashed after nat config change

Conditions:
TCM enabled for NAT, and object static PAT being edited

Workaround:
Turn off the TCM for NAT and reload

Further Problem Description:

Last Modified:
26-FEB-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.125), 100.15(0.110), 100.16(0.20), 100.8(40.113), 9.2(4.6), 9.3(3.8), 9.4(2.99), 96.1(1.54)
Alert Type:
Updated *
Bug Id:
CSCux08783
Title:
CWS: ASA does not append XSS headers
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Users intermittently receive "access denied" messages when browsing through the Cisco Cloud Web Security service.

Conditions:
ASA Connector redirection to CWS.

Workaround:
Adding static egress IP(s) as Scanning IPs in the ScanCenter portal will prevent users from seeing the "access denied" messages, but user/group information will not be passed to the service, so policies will not be applied.

Further Problem Description:
This message does not reflect the default block page from CWS.

Last Modified:
28-FEB-2016
Known Affected Releases:
9.2(4), 9.4(1)
Known Fixed Releases: *
100.13(0.131), 9.4(2.101), 9.6(0.109), 96.2(1.133)
Alert Type:
Updated *
Bug Id:
CSCux71197
Title:
"show resource usage" gives wrong number of routes after shut/no sh
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When running in multiple context mode, a shut/no shut on the interface updates the route resource usage: the ASA does not reset the counter but adds the new routes, so the limit is eventually reached.

When there is high network fluctuation, the route resource will eventually deplete and the ASA will fail to add routes, resulting in an outage.

Conditions:
none

Workaround:
reload the ASA

Further Problem Description:

Last Modified:
28-FEB-2016
Known Affected Releases:
100.8(40.111), 9.5(2), 96.1(1.71)
Known Fixed Releases: *
100.13(0.131), 9.6(0.109), 96.2(1.134)
Alert Type:
New
Bug Id:
CSCuy50264
Title:
VPN-LB L2L "cluster encryption" is failing
Status:
Open
Severity:
2 Severe
Description:

Symptom:
VPN-Load Balancing L2L (cluster encryption) fails to establish. The following IKE/IPsec error is seen:
"Can't load an IPSec SA! The corresponding IKE SA contains an invalid logical ID."

Conditions:
VPN-LB secure (cluster encryption) L2L between ASAs.

Workaround:
Disable VPN-LB cluster encryption (no cluster encryption).

Further Problem Description:

Last Modified:
28-FEB-2016
Known Affected Releases:
9.4(2.101)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy11084
Title:
ASA standby unit may traceback while running EEM script
Status:
Terminated
Severity:
2 Severe
Description:

Symptom:
The EEM script, a list of ASA CLIs, is replicated to the standby ASA, just like any other configuration CLI. Depending on the CLI, it may cause unwanted behavior, including causing the ASA to traceback. For example, operationally, it makes no sense to add/import a Clientless SSL VPN bookmark on active and standby units simultaneously. The Failover HA synchronization will conflict with the import operation in this case and cause an unstable condition, including a traceback.

Conditions:
Running Embedded Event Manager on ASA, with action-config-based CLIs on the Failover-standby ASA.

Workaround:
Limit monitoring-based CLIs (show) in the EEM script executing on the ASA standby unit.
Remove action-based-config and execution commands from the Standby ASA EEM script.

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases: *
9.4(2.100), 96.1(1.62)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv96011
Title:
OSPF over IKEv2 L2L tunnel is broken on ASA with 9.2.1 onwards
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
OSPF over IKEv2 L2L tunnel is broken on ASA in 9.2(1) onwards. Routes are installed into OSPF database successfully, but they are absent in the main routing table.

Conditions:
-IKEv2 L2L configured to propagate routes over OSPF on ASA running 9.2.1 or above.

Workaround:
-Downgrade the ASA to 9.1(5), if an option.
-Use IKEv1 tunnel

Further Problem Description:
None

Last Modified:
29-FEB-2016
Known Affected Releases:
9.2(1), 9.3(3), 9.4(1), 9.5(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.104), 100.14(0.76), 100.15(0.29), 100.15(1.95), 100.15(16.7), 100.15(17.10), 100.15(3.55), 100.15(8.15)
Alert Type:
Updated *
Bug Id:
CSCut40770
Title:
Interface TLV to SFR is corrupt when frame is longer than 2048 bytes
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Some configured ASA interfaces missing or not displayed from Firesight Management Center

Conditions:
Interface TLV ethernet frame greater than 2048 bytes. Usually occurs with multiple interfaces and sub-interfaces configured with lengthy names for each interface.

Workaround:
Enable jumbo-frame reservation on ASA.

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.3(1.221), 9.4(2)
Known Fixed Releases: *
100.11(0.64), 100.11(0.67), 100.12(0.153), 100.12(0.156), 100.13(0.119), 100.13(0.127), 100.14(0.82), 100.15(0.80), 100.15(20.14), 100.15(20.15)
Alert Type:
Updated *
Bug Id:
CSCuy43839
Title:
ASA reloads in thread name: DATAPATH while encrypting L2L packet
Status:
Open
Severity: *
2 Severe
Description:

Symptom:
ASA reloads in DATAPATH thread

Conditions:
ASA running 9.2.4.5 reloads in DATAPATH thread after upgrade from 9.2.4. IPSec L2L is configured. Other branches may be affected.

Workaround:
None

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.2(4.5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu48197
Title:
ASA: Stuck uauth entry rejects AnyConnect user connections
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Intermittently, the User VPN sessions fail to establish due to a stuck uauth entry associated with the same Pool/to-be-Assigned IP address of the new User.

Syslog:
%ASA-5-722010: Group User IP SVC Message: 16/ERROR: Detected internal error in SSL connection..
%ASA-4-113019: Group = , Username = , IP = , Session disconnected. Session Type: SSL, Duration: 00:00m:12s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

- While debugging, we see the following:

debug webvpn anyconnect:
webvpn_cstp_accept_address: 192.168.1.10/255.255.255.0
''snip''
vpn_put_uauth failed!
webvpn_cstp_send_error: 503 Service Unavailable

sh ip local pool :
shows that the address 192.168.1.10 is available.

debug pix uauth:
vpn_putuauth: ERR: uxlate collision for ip 192.168.1.10 user USER-B on interface OUTSIDE

show uauth:
remote access VPN user 'USER-A' at 192.168.1.10, authenticated <<< Stuck entry for "another user"

show vpn-sessiondb anyconnect filter name USER-A :
no entries

Here, notice that the address being assigned to USER-B is 192.168.1.10, and this address is available in the local pool, i.e. it was assigned to another user [USER-A] in the past. This user does not show up in the vpn-sessiondb, indicating that he has already logged off.

Conditions:
ASA running on OS version [Ex: 9.2(1)] that has the fix for:
CSCuh08432 Anyconnect sessions do not connect due to uauth failure

This ASA is acting as AnyConnect SSLVPN Server.

Workaround:
None.
Either reload the ASA or failover to the standby ASA.

Or start using a new IP address pool for the connection entry.

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.2(1)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.103), 100.16(0.13), 100.16(1.70), 100.16(14.1), 100.8(40.109), 9.1(6.109), 9.1(7)
Alert Type:
Updated *
Bug Id:
CSCuu82229
Title:
ikev2 with DH 19 and above fails to pass traffic after phase2 rekey
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
after rekey fails to pass traffic

Conditions:
after rekey using DH 19 or above

Workaround:
use lower DH (1,2,5,14)

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.4, 9.4(1), 9.5(1)
Known Fixed Releases: *
100.13(0.113), 100.14(0.79), 100.15(0.54), 100.15(17.23), 100.15(3.76), 100.15(8.18), 100.16(0.4), 100.16(1.9), 9.4(2.1), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCur46371
Title:
TLSv1.2 Client Cert Auth Connection Establishment Failure
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Connection establishment failure only for TLS 1.2 using ECDSA in client mode, so ASA connecting out to an SSL server with certificate authentication configured.

Conditions:
ASA connecting out to an SSL server with certificate authentication configured.

Workaround:
Do not configure certificate authentication on the SSL web server.

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
100.13(15.11), 9.3(2)
Known Fixed Releases: *
100.13(0.112), 100.14(0.78), 100.15(0.53), 100.15(17.23), 100.15(3.76), 100.15(8.18), 100.16(0.4), 100.16(1.9), 9.4(2.5), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCuv43902
Title:
ASA: Watchdog Traceback with Thread Name:- SXP CORE
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA device traceback in thread name:- SXP CORE

Conditions:
ASA device configured with the trust sec configuration.

Workaround:
No workaround as of now

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.3(3)
Known Fixed Releases: *
100.12(0.138), 100.13(0.94), 100.14(0.69), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.53), 100.15(15.14), 100.15(16.1), 100.15(2.83)
Alert Type:
Updated *
Bug Id:
CSCut71095
Title:
ASA WebVPN clientless cookie authentication bypass
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
In some instances, the ASA WebVPN clientless session ID is included in the URL. Session IDs should only be stored in cookies and transmitted over secure channels.

Conditions:
-- WebVPN

Workaround:
none

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
29-FEB-2016
Known Affected Releases:
9.1, 9.4(1)
Known Fixed Releases: *
100.11(0.64), 100.12(0.130), 100.12(0.153), 100.13(0.118), 100.13(0.80), 100.13(29.28), 100.14(0.44), 100.14(0.82), 100.14(16.1), 100.14(5.21)
Alert Type:
Updated *
Bug Id:
CSCut49034
Title:
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
CPU on standby ASA spikes to 100%

Conditions:
A host (connecting through clientless VPN with the RDP plugin) opens an RDP session to a host connected through AnyConnect VPN.
Stateful failover configured on an active-standby failover pair.

Workaround:
None

Further Problem Description:
High CPU on standby ASA unit due to a specific connection on the ASA from a host connecting to clientless VPN when stateful failover is enabled.
A host (connecting through clientless VPN) opens an RDP session to a host connected through AnyConnect VPN.

When this particular connection goes through the ASA, we find that the active ASA builds a single connection, while the standby ASA builds numerous connections with the same source and destination ports.
Connection on the primary/active:
act/pri/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:00, bytes 4131029, flags UO
Connections on secondary:(close to 2500)
stby/sec/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:05, bytes 4131029, flags UO
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:06, bytes 4131029, flags UO

We see a lot of connection teardown on the standby for this connection.
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554151 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:02 bytes 252687 TCP Reset-O
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554254 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:01 bytes 252687 TCP Reset-O

We also see a lot of reset packets in asp drops in the standby ASA.
1: 19:00:25.358578 0000.0000.0000 0000.0000.0000 0x0800 Length: 54
66.241.60.197.62481 > 10.145.44.253.3389: R [tcp sum ok] 0:0(0) ack 0 win 0 (ttl 255, id 52738)
Drop-reason: (mp-svc-no-channel) SVC Module does not have a channel for reinjection
The interesting thing is the source MAC and the destination MAC is 0 in this ASP drop.

We see overruns on the failover interface of the standby unit.
stby/sec/alan3usv01# show int gig0/3
Interface GigabitEthernet0/3 "failover1", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: LAN/STATE Failover Interface
MAC address 5475.d091.518f, MTU 1500
IP address 10.99.101.114, subnet mask 255.255.255.248
432217782 packets input, 556229026142 bytes, 0 no buffer
Received 556 broadcasts, 0 runts, 0 giants
204523310 input errors, 0 CRC, 0 frame, 204523310 overrun, 0 ignored, 0 abort
And we see a lot of packets being transferred from active to standby ASA.

In the failover debugs we only find the following messages in the debugs of fover rx.
lu_rx: HA TRANS: receive message for client vpnfo, length 48
lu_rx: HA TRANS: receive message for client vpnfo, length 72
lu_rx: HA TRANS: receive message for client vpnfo, length 72

When we decode the CPU profile output from the standby ASA, the CPU profiler shows that the high CPU on the standby ASA is due to LU updates.

Last Modified:
29-FEB-2016
Known Affected Releases:
9.1(2), 9.1(5.21)
Known Fixed Releases: *
100.11(0.62), 100.11(0.63), 100.12(0.142), 100.12(0.148), 100.13(0.106), 100.13(0.95), 100.14(0.71), 100.14(0.76), 100.14(16.8), 100.14(16.9)
Alert Type:
Updated *
Bug Id:
CSCuv66333
Title:
ASA picks incorrect trustpoint to verify OCSP Response
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may fail to verify a valid OCSP response during OCSP revocation check for VPN clients.

Conditions:
Revocation check is enabled under the trustpoint using OCSP and an override using cert-map is not configured

Workaround:
None

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
8.0, 9.2(3)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.15(0.48), 100.15(17.20), 100.15(3.71), 100.15(8.17), 100.16(0.3), 100.16(1.7)
Alert Type:
Updated *
Bug Id:
CSCus10787
Title:
Transactional ACL commit will bypass security policy during compilation
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traffic can bypass the security policy when transactional-commit access list is configured. This can happen only when a new ASA is added to a cluster and the access-list configuration is newly applied. The bypass can happen only during the compilation time.
Additionally, interface security policy will still be respected, so no traffic will be passed from an interface with lower security level to an interface with higher security level.

Conditions:
Cisco ASA Software is affected by this issue if the transactional-commit access list feature is enabled. This can be determined by using the show running-config asp rule-engine transactional-commit access-group command and verifying that it returns output.
The following example shows a Cisco ASA configured with transactional-commit feature:

ciscoasa# show running-config asp rule-engine transactional-commit access-grou$
asp rule-engine transactional-commit access-group

Note: Transactional-commit feature is not configured by default.

Workaround:
There is no workaround other than disabling the feature.

Further Problem Description:
A vulnerability in the transactional-commit access list feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to bypass interface access control policies and send traffic through the affected system.

The vulnerability is due to improper implementation of the feature. An attacker could exploit this vulnerability by sending traffic through the affected system while the system boots for the first time or while an affected system joins a cluster. Additionally, interface security policy will still be respected, so no traffic will be passed from an interface with lower security level to an interface with higher security level. An exploit could allow the attacker to send traffic through the system, bypassing the interface access control policies.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
29-FEB-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 100.16(14.1), 100.8(40.111), 9.1(6.104), 9.1(6.112)
Alert Type:
Updated *
Bug Id:
CSCun21186
Title:
ASA traceback when retrieving idfw topn user from slave
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Slave unit crashes when trying to join the master. This happens in configuration replication.

Conditions:
After configuring a Context on an active cluster the Slave disables clustering.

When correcting differences in context configuration try to have slave rejoin. The slave will crash.

Workaround:
None

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.0(2)
Known Fixed Releases: *
100.13(0.128), 100.8(38.121), 100.8(40.62), 100.8(56.26), 100.8(64.3), 100.8(65.3), 100.8(66.4), 100.8(67.1), 9.0(4.8), 9.1(5.1)
Alert Type:
Updated *
Bug Id:
CSCus16416
Title:
Share licenses are not activated on failover pair after power cycle
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The Shared/Combined licenses are not activated on a failover pair after power cycling the failover pair.
If both the active and standby units are powered off and only the standby unit is booted, the Shared/Combined licenses on the standby unit will be lost.

Conditions:
Failover environments.

Workaround:
Execute the 'reload' command once on the failover pair.

Further Problem Description:
None

Last Modified:
29-FEB-2016
Known Affected Releases:
9.0, 9.1(5.19)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.120), 100.14(0.83), 100.15(0.89), 100.15(20.17), 100.16(0.9), 100.16(14.1), 100.16(15.1), 100.16(15.5)
Alert Type:
New
Bug Id:
CSCuy50752
Title:
ASA 5585 9.2.4 crash
Status:
Other
Severity:
2 Severe
Description:

Symptom:
ASA crashed with Thread Name: DATAPATH-1-2076

Conditions:
ASA-SSP-40 running version 9.2.4

Workaround:
none

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.2(4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv49446
Title:
ASA traceback on Standby device during config sync in thread DATAPATH
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback on Standby device in thread DATAPATH

Standby ASA crashes during failover synchronization.
There are cases where the ASA crashed multiple times and then got stabilized.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.3(3)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.84), 100.15(0.95), 100.15(20.22), 100.16(0.10), 100.16(1.50), 100.16(14.1), 100.16(15.7)
Alert Type:
Updated *
Bug Id:
CSCuo08193
Title:
Traceback in Thread Name: DATAPATH-1-1382 while processing nat-t packet
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may traceback in Thread Name: DATAPATH-1-1382

Conditions:
ASA Version 8.4 and 9.x configured to terminate IPSecVPN. In rare circumstances, the ASA may reload while processing an inbound nat-t packet.

Workaround:
None

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
8.4(7.15), 9.0(4.30)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(0.77), 100.15(20.13), 100.15(8.24), 100.16(0.8), 100.16(1.26), 100.16(14.1)
Alert Type:
Updated *
Bug Id:
CSCuc11186
Title:
ARP: Proxy IP traffic is hijacked.
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
In certain conditions, ASA doesn't check the source of the ARP request or GARP packets for addresses it performs NAT translation for.
Proxy-arp cache may thus get polluted and cause traffic hijacking for addresses ASA does NAT for.

Conditions:
Configured NAT on the ASA for which it performs proxy-arp.

Workaround:
None

Further Problem Description:
NOTE: The fix for this issue may cause the ASA to not reply to ARP requests if the Source IP in the ARP request overlaps with a NAT rule on the ASA. This may occur when the nat configuration line is overly broad (such as an all zeros configuration, or any). To work around this, add the keyword "no-proxy-arp" to the nat config line.



The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.8/4.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:P/A:P/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-5010 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
29-FEB-2016
Known Affected Releases:
8.2(4)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.120), 100.14(0.83), 100.15(0.89), 100.15(20.17), 100.15(8.32), 100.16(0.9), 100.16(1.36), 100.16(14.1)
Alert Type:
Updated *
Bug Id:
CSCus53126
Title:
ASA traffic not sent properly using 'traffic-forward sfr monitor-only'
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After using 'traffic-forward sfr monitor-only', traffic is forwarded from MGMT0/0 interface instead of forwarding from selected interface. It is also causing lack of IP connectivity to the ASA through MGMT0/0

Conditions:
Running ASA in transparent mode. Issuing the command for any ASA built-in ports (G0/0, G0/1 etc). When using blade ports (G1/0, G1/1 etc.) the command works as described in the manual.

Workaround:
unknown

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.2(2.4)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.85), 100.15(0.99), 100.16(0.12), 100.16(1.51), 100.16(14.1), 100.16(15.7), 9.2(4.6)
Alert Type:
Updated *
Bug Id:
CSCtz98516
Title:
Observed Traceback in SNMP while querying GET BULK for 'xlate count'
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA firewall may crash when being polled by SNMP in rare circumstances.

Conditions:
This has been seen primarily in the 8.4.x ASA code train. The first fix is in ASA interim code 8.4.4.2. To trigger the bug, the ASA must be queried via SNMP for GETBULK of the xlate OID:

1.3.6.1.4.1.9.10.77.1.2.1

Workaround:
Stop polling the ASA firewall via SNMP until an upgrade to the fixed code can be performed, or modify the OIDs being polled by your SNMP monitor station to not include the affected OIDs.

Last Modified:
29-FEB-2016
Known Affected Releases:
100.7(22.1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.12(0.156), 100.13(0.127), 100.13(0.58), 100.13(28.2), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9)
Alert Type:
Updated *
Bug Id:
CSCuv58559
Title:
Traceback in Thread Name: DATAPATH on modifying "set connection" in MPF
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA Traceback in Thread Name: DATAPATH

Conditions:
1) While modifying the "set connection" config under MPF.
2) Live traffic is passing through both units matching the MPF connection policy.

Workaround:
Do not modify the connection MPF policy while live traffic is inspected through it.

Further Problem Description:
Sample config :

policy-map global_policy
class conn-test
set connection conn-max 4000 embryonic-conn-max 2500

Last Modified:
29-FEB-2016
Known Affected Releases:
9.3(3.2)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.15(0.31), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCut10103
Title:
ASA 5545x Upgrade to 9.2(2)4 causes Traceback in Thread Name SSL
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Upgrade from 9.0(2) directly to 9.2(2)4 causes 5545x to traceback in thread name SSL

Conditions:
Using out of the box (Default Configuration) upgrade 5545x from 9.0(2) to 9.2(2)4

Workaround:
none

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.2(2.4)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.105), 100.16(0.15), 100.16(1.76), 100.16(14.1), 9.4(2.99), 9.6(0.99), 96.1(1.26)
Alert Type:
Updated *
Bug Id:
CSCuu91304
Title:
Immediate FIN from client after GET breaks scansafe connection
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Connections through the ASA to a scansafe tower may fail if the client sends a FIN packet immediately following a GET packet. This hangs the TCP connection and causes the transaction to fail.

Conditions:
This is seen if the CLIENT sends a TCP FIN packet before any data comes back from the TOWER.

Workaround:
None at this time

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.1(5.21)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.118), 100.14(0.81), 100.15(0.71), 100.15(17.32), 100.15(20.11), 100.15(8.23), 100.16(0.6), 100.16(1.19)
Alert Type:
Updated *
Bug Id:
CSCuu06081
Title:
ASAv licensing enforcement should not be CLI parser based
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASAv doesn't accept CLI commands without proper license in place.

Conditions:
NA

Workaround:

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.15(0.34), 100.15(16.8), 100.15(17.12), 100.15(3.60), 100.15(8.15), 100.16(0.2), 100.16(1.2), 9.4(1.203), 9.5(1.201), 9.5(1.99)
Alert Type:
Updated *
Bug Id:
CSCup93708
Title:
Error when same-security-traffic is deleted and added
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The error shown below is seen whenever the same-security-traffic permit intra-interface command is cleared and configured.
Error:
ciscoasa(config)# same-security-traffic permit intra-interface
ERROR: Unable to install security ruleson NP

Conditions:
When the command is entered for the first time, no error is seen. If the command is reconfigured, or if it is deleted and re-added, the error appears and the command is not accepted.

Workaround:
No Workaround

Last Modified:
01-FEB-2016
Known Affected Releases:
100.12(1.17)
Known Fixed Releases: *
100.12(10.30), 100.12(21.1), 100.8(40.113)
Alert Type:
Updated *
Bug Id:
CSCux36742
Title:
ASA: Neighbor command not being removed on clearing interface config
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Neighbor command not being removed on clearing interface configuration under the eigrp configuration.

Conditions:
ASA configured with eigrp configuration using the static neighbor commands.

Workaround:
Remove the complete router configuration or configure the interface again with the nameif and then remove the neighbor command

Further Problem Description:

Last Modified:
01-FEB-2016
Known Affected Releases:
9.1(6.10)
Known Fixed Releases: *
100.8(40.113)
Alert Type:
Updated *
Bug Id:
CSCuu19489
Title:
ASA inspection-MPF ACL changes not inserted into ASP table properly
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
New ACL changes not taking effect for inspection policies.

When adding new rules to the top of an existing ACL which is mapped to an inspection policy, the ASA installs this rule incorrectly at the bottom of its ASP table. This is applicable for any inspection policy that has an ACL bound to it.

Conditions:
There should be an ACL bound to an inspection policy.

Workaround:
Remove and re-apply the service-policy or remove and re-apply the affected class-map in the policy-map.

Further Problem Description:

Last Modified:
04-FEB-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.54), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCus83476
Title:
More than 255 messages in multicast packet with jumbo frames
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
PIM join messages are lost after passing through the ASA.

Conditions:
1. ASA has jumbo-frames enabled and has an MTU of 5134 or higher
2. Multicast routing is enabled on ASA and there are more than 255 (*/S,G) groups on it

Workaround:
Disable jumbo frames or use MTU lower than 5134

Further Problem Description:

Last Modified:
04-FEB-2016
Known Affected Releases:
8.4(6)
Known Fixed Releases: *
100.11(0.57), 100.12(0.115), 100.13(0.47), 100.13(21.8), 100.13(29.28), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.8)
Alert Type:
Updated *
Bug Id:
CSCur21069
Title:
Cisco ASA Failover Command Injection Vulnerability
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:

Cisco ASA Failover Command Injection Vulnerability
Cisco ASA DNS Memory Exhaustion Vulnerability
Cisco ASA VPN XML Parser Denial of Service Vulnerability

Successful exploitation of the Cisco ASA Failover Command Injection Vulnerability would allow an attacker to submit failover commands to the failover units, which may result in an attacker taking full control of the systems.

Successful exploitation of the Cisco ASA DNS Memory Exhaustion Vulnerability may result in system instability and dropped traffic.

Successful exploitation of the Cisco ASA VPN XML Parser Denial of Service Vulnerability may result in a crash of the WebVPN process, which may lead to the reset of all SSL VPN connections, system instability, and a reload of the affected system.


Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for the Cisco ASA Failover Command Injection Vulnerability and Cisco ASA DNS Memory Exhaustion Vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-asa

Note: The resolution of the vulnerability in the Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability, cisco-sa-20150408-cxfp, released on the 8th of April may require an upgrade of the Cisco ASA Software release. Cisco ASA customers should review cisco-sa-20150408-cxfp before deciding which Cisco ASA Software release to upgrade to.

The Cisco Security Advisory Cisco ASA FirePOWER Services and Cisco ASA CX Crafted Packets Denial of Service Vulnerability is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-cxfp

Conditions:
See published Cisco Security Advisory

Workaround:
See published Cisco Security Advisory

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.3/6.9:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-0675 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
04-FEB-2016
Known Affected Releases:
9.2(0.1)
Known Fixed Releases: *
100.11(0.55), 100.11(0.56), 100.12(0.108), 100.12(0.114), 100.13(0.13), 100.13(0.40), 100.13(1.22), 100.13(16.26), 100.13(19.7), 100.13(20.3)
Alert Type:
Updated *
Bug Id:
CSCuu16983
Title:
ASA: failover logging messages appear in user context
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Failover syslog messages should appear in the admin context, but they appear in user context.

Conditions:
ASA in multi-context mode.

Workaround:

Further Problem Description:

Last Modified:
04-FEB-2016
Known Affected Releases:
9.1(5.19), 9.2(2.8)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.18), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9)
Alert Type:
Updated *
Bug Id:
CSCuu02761
Title:
DNS should perform IPv4 lookups if IPv6 address is not reachable
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
DNS returns IPv6 addresses which are not reachable by ASA

Conditions:
IPv6 is enabled on at least one ASA interface.

DNS lookups are configured.

Hosts are accessed by name rather than IP or IPv6 address.

Workaround:
Options:
1. If this is a manual operation (e.g. ping), then specify the IP or IPv6 address.

2. disable IPv6 on all interfaces.

Further Problem Description:

Last Modified:
04-FEB-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.58), 100.12(0.123), 100.13(0.69), 100.13(21.13), 100.14(0.10), 100.14(10.14), 100.14(26.11), 100.14(5.14), 100.14(6.16), 100.14(7.16)
Alert Type:
Updated *
Bug Id:
CSCup89922
Title:
ASA DNS lookups always prefer IPv6 response
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A DNS server configured on the ASA will always use IPv6 DNS requests (type=AAAA) if any of the interfaces are configured with IPv6. There is no way to prevent this behaviour, or to make the ASA prefer sending type=A requests.

Conditions:
This only occurs if IPv6 is enabled on any interface of the ASA, even if no Globally Unique Address is assigned. If IPv6 is enabled, then the ASA only makes Type=AAAA DNS requests. This will always result in an IPv6 DNS response, and potentially cause features that depend on DNS to fail (ie. Smart Call Home).

Workaround:
Disable all IPv6 addresses on the ASA.

Further Problem Description:

Last Modified:
04-FEB-2016
Known Affected Releases:
9.1(0.2), 9.1(1), 9.1(5)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.24), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCuc16228
Title:
Can't use an object-group for NAT which was used for pat-pool earlier
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Same object-group cannot be used in NAT when it was used in PAT earlier


Conditions:
PAT is configured, followed by removal of NAT or clear-conf-nat; a new NAT rule then tries to use that object-group as a NAT pool.


Workaround:
No workaround


Further Problem Description:

Last Modified:
04-FEB-2016
Known Affected Releases:
8.4(2), 8.4(4.3), 8.4(4.8)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.61), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.26), 100.15(19.1), 100.15(2.58)
Alert Type:
Updated *
Bug Id:
CSCus03141
Title:
ipsec-datapath:TFW management connection via VPN takes a few minutes
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Telnet/ssh access via IPsec VPN takes a few minutes on transparent ASA.

Conditions:
- Connect to a transparent ASA using telnet/ssh via IPsec VPN
- ASA 8.4.4.1 or later

Workaround:
Do not use IPsec for management access.

Further Problem Description:

Last Modified:
04-FEB-2016
Known Affected Releases:
8.4(4.1), 8.6(1.2), 9.1(4), 9.1(5)
Known Fixed Releases: *
100.11(0.55), 100.12(0.109), 100.13(0.14), 100.13(1.27), 100.13(16.28), 100.13(19.8), 100.13(20.4), 100.13(21.5), 100.13(23.2), 100.13(24.1)
Alert Type:
Updated *
Bug Id:
CSCuj59405
Title:
Current IP on Standby not updated if standby IP is not configured
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A standby firewall may continue to 'show' that it has a STANDBY IP address configured if a standby address was once configured, but then removed from the configuration.

Conditions:
This is seen when an interface has a standby IP address configured and then removed:

asa(config)# interface Ethernet0/1
asa(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

The standby shows that it has IP 192.168.1.2 assigned to its interface. Now simply re-apply the 'ip address' command without the standby address:

asa(config-if)# ip address 192.168.1.1 255.255.255.0

The standby will continue to show it is using 192.168.1.2

Workaround:
Completely remove the IP address entry prior to re-adding it:

asa(config-if)# no ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
asa(config-if)# ip address 192.168.1.1 255.255.255.0

Further Problem Description:

Last Modified:
04-FEB-2016
Known Affected Releases:
100.8(38.31), 9.1, 9.1(6.10)
Known Fixed Releases: *
100.10(0.37), 100.10(1.21), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.63), 100.8(40.41), 100.8(45.8), 100.8(46.28), 100.8(51.5)
Alert Type:
Updated *
Bug Id:
CSCut64327
Title:
L2TP/IPsec traffic dropped due to "vpn-overlap-conflict"
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
After upgrading the code from 911 to 912/916, L2TP/IPsec users are not able to access inside resources.

Inside hosts can reach the connected L2TP/IPsec client fine.

Set up:
*******
10.48.100.0/24-----[inside] ASA [outside]---------ISP---------------Site-to-Site-VPN-peer----10.48.0.0/16 ( contains multiple subnets in 10.48.x.0/24 range, so it has been summarized to /16)
|
|
|------------------l2tp/ipsec-vpn user (10.48.252.128-10.48.252.254)

NOTE: The VPN pool falls under the remote site-to-site network /16 range; to prevent it from matching the static crypto map, a deny entry has been added.

*************
access-list test line 1 extended deny ip 10.48.100.0 255.255.255.0 10.48.252.0 255.255.255.0
access-list test line 3 extended permit ip 10.48.100.0 255.255.255.0 10.48.0.0 255.255.0.0
*************
The presence of either of the two ACEs shown above causes the drop/"vpn-overlap-conflict"; only removal of both fixes the traffic issue, after which the L2TP/IPsec client can reach inside resources fine.


'sh asp drop' shows huge increments in 'vpn-overlap-conflict' counter.

Conditions:
The VPN pool falls under the remote site-to-site network /16 range; to prevent it from matching the static crypto map, a deny entry has been added to the static map ACL.


access-list test line 1 extended deny ip 10.48.100.0 255.255.255.0 10.48.252.0 255.255.255.0 //** Deny vpn pool
access-list test line 3 extended permit ip 10.48.100.0 255.255.255.0 10.48.0.0 255.255.0.0 //** site to site vpn ACE

Workaround:
Use a different range/subnet for RA users.

Further Problem Description:

Last Modified:
04-FEB-2016
Known Affected Releases:
9.1(1), 9.1(6)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.13(29.28), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12)
Alert Type:
Updated *
Bug Id:
CSCus06165
Title:
ASA:Dataplane capture doesn't capture packets From Service module to ASA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA Data plane capture does not capture packets From Service module to ASA.

Conditions:
This works fine till 9.1.2.8 (It captures packets in both directions) and is broken in all images after that.

Workaround:
Downgrade to 9.1.2.8 or lower.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
04-FEB-2016
Known Affected Releases:
9.1(3)
Known Fixed Releases: *
100.11(0.56), 100.12(0.113), 100.13(0.35), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.4), 100.14(11.4)
Alert Type:
Updated *
Bug Id:
CSCum28756
Title:
ASA: Auth failures for SNMPv3 polling after unit rejoins cluster
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When SNMPv3 is enabled on an ASA cluster, polling will fail if the master unit leaves and then rejoins the cluster. SNMP requests will be dropped with the following syslog:

%ASA-3-212006: Dropping SNMP request from 10.1.110.100/7330 to inside:10.1.103.32/snmp because: authentication algorithm failure for user: myuser

This occurs because the hash for the user's auth/priv string is not correctly re-hashed against the physical unit's engine ID after it rejoins the cluster. Since engine IDs are not synced between members of the cluster, the hash on each physical unit should be different:

ASA1:
Engine ID: 80000009fe5d4579a9207e3747684083e2f4c5d427fc8c165b
snmp-server user myuser mygroup v3 encrypted auth sha f7:a2:da:02:3e:89:9f:42:a6:b7:e8:f4:24:8f:23:b9:aa:d6:a0:60 priv aes 128 f7:a2:da:02:3e:89:9f:42:a6:b7:e8:f4:24:8f:23:b9

ASA2:
Engine ID: 80000009fee3fa40539e73ff2d3b3c29eeca4794c9ccb3ada7
snmp-server user myuser mygroup v3 encrypted auth sha ff:c3:34:8a:3c:1a:1e:62:7f:19:10:27:6e:29:a8:d5:85:2c:a7:2c priv aes 128 ff:c3:34:8a:3c:1a:1e:62:7f:19:10:27:6e:29:a8:d5

In a broken state, the hashes will be in sync. This means that authentication attempts to that physical unit will fail since a hash against the engine ID yields a mismatched result:

ASA1: <<<<< SNMPv3 authentication against this physical unit will fail since it is configured with a hash from ASA2
Engine ID: 80000009fe5d4579a9207e3747684083e2f4c5d427fc8c165b
snmp-server user myuser mygroup v3 encrypted auth sha ff:c3:34:8a:3c:1a:1e:62:7f:19:10:27:6e:29:a8:d5:85:2c:a7:2c priv aes 128 ff:c3:34:8a:3c:1a:1e:62:7f:19:10:27:6e:29:a8:d5

ASA2:
Engine ID: 80000009fee3fa40539e73ff2d3b3c29eeca4794c9ccb3ada7
snmp-server user myuser mygroup v3 encrypted auth sha ff:c3:34:8a:3c:1a:1e:62:7f:19:10:27:6e:29:a8:d5:85:2c:a7:2c priv aes 128 ff:c3:34:8a:3c:1a:1e:62:7f:19:10:27:6e:29:a8:d5

Conditions:
This issue only occurs if the unit leaves and rejoins the cluster. If the SNMPv3 user is configured while the units are still members of the cluster, the auth/priv strings will be hashed correctly.

Workaround:
Removing and re-configuring the SNMPv3 user will cause the hashes to get recalculated against the respective engine IDs correctly. For example:

clear config snmp-server user
snmp-server user v3 auth md5 priv aes 128

Note that the clear-text strings are provided here and the 'encrypted' keyword is specifically left out of the command. This ensures the ASA will recalculate new encrypted hashes based on the clear-text strings and appropriate engine ID.

Further Problem Description:
After this bug-fix, you will notice the following behavior change introduced:

SNMPv3 "snmp-server user" CLI will no longer be replicated in the cluster units.

It is recommended that the customers clear existing SNMPv3 "snmp-server user" CLI from cluster configurations and, after this fix, re-add in the "snmp-server user" CLI on the master using the clear text passwords. The clear text passwords would then be localized on each host (a "write memory" should be executed on each host to make sure the localized versions get saved). Configuring this on the master after the cluster has been fully established means that the customer only has to run this CLI once per user.

Last Modified:
04-FEB-2016
Known Affected Releases:
9.1(3)
Known Fixed Releases: *
100.11(4.1), 100.8(38.114), 100.8(40.60), 100.8(56.20), 100.8(62.2), 100.8(64.1), 100.8(65.3), 100.8(66.4), 100.8(67.1), 9.1(6.100)
Alert Type:
Updated *
Bug Id:
CSCtb71323
Title:
Cisco ASA Webtype ACL By-Pass Vulnerability
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
On the ASA, webtype access-lists do not honor case sensitivity, and hence it is not
possible to configure two access-list entries as below:

access-list abcd webtype permit url http://cisco/TEST
access-list abcd webtype permit url http://cisco/test
INFO: Specified entry already exists in access-list ''abcd''

Conditions:
ASA Software version 9.1(2)

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 3.5/3.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:


Last Modified:
08-FEB-2016
Known Affected Releases: *
100.5(0.26), 100.8(38), 8.2(1), 8.4
Known Fixed Releases:
100.10(0.76), 100.10(2.8), 100.10(6.1), 100.10(7.1), 100.10(9.1), 100.11(4.1), 100.8(38.112), 100.8(40.59), 100.8(56.17), 100.8(63.2)
Alert Type:
Updated *
Bug Id:
CSCux41432
Title:
PLR: ASAv clone produces an error when requesting a new request token
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
If you clone an ASAv licensed in PLR (in KVM or VMWare) the clone comes up with information about being licensed. If you issue a 'license smart reservation request' the ASAv thinks it is licensed. The show license commands verify that the ASAv is not licensed.

Conditions:
ASAv was licensed in PLR before cloning.

Workaround:
The workaround is to issue a 'license smart reservation return' to generate a return code. This allows the ASAv to be licensed with PLR.

Further Problem Description:

Last Modified:
09-FEB-2016
Known Affected Releases:
100.15(8.39)
Known Fixed Releases: *
100.15(8.45), 96.2(1.120)
Alert Type:
Updated *
Bug Id:
CSCux07142
Title:
Issues with smart license expired, revoked and invalid tokens
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When an ASAv tries to register with a bad idtoken, the registration process is locked for 15 minutes or more. Expired tokens, revoked tokens, and mis-typed tokens all fall in the category of "bad tokens".

Conditions:
This issue occurs when registration of the ASAv with the license server is attempted and the ASAv is then reloaded.

Workaround:
First issue the 'license smart deregister' command to clear the condition that causes registration attempts to hang. Then attempt to register the ASAv.

Further Problem Description:

Last Modified:
09-FEB-2016
Known Affected Releases:
100.15(8.27)
Known Fixed Releases: *
100.15(8.41), 96.2(1.120)
Alert Type:
Updated *
Bug Id:
CSCsi43680
Title:
lots of cpu-hog events with failover enabled
Status:
Terminated
Severity:
3 Moderate
Description: *

Symptom:
There are many CPU hog events displayed on the ASA 5550 right after a reload.
The CPU hoggers are various failover threads.

Conditions:
Cisco ASA 5550 running release 8.0. The device has been booted or reloaded
and the user enters the show proc cpu command. cpu-hog events are
displayed.

Workaround:
No workaround available.


Last Modified:
09-FEB-2016
Known Affected Releases:
8.0(1.3)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux14937
Title:
PLR: number of connections not correct on ASAv30 when licensed
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The number of connections on the ASAv30 is not reporting correctly. It is showing the default value of 100. It should be 500,000. Issue is not present on ASAv5 and ASAv10 models.

Configuration last modified by enable_15 at 13:31:12.619 UTC Fri Nov 13 2015
ciscoasa(config)# sho resource usage resource conns
Resource Current Peak Limit Denied Context
Conns 0 1 100 0 System
ciscoasa(config)# sho license status

Conditions:
Permanent License Reservation mode
ASAv30

Workaround:
none

Further Problem Description:

Last Modified:
09-FEB-2016
Known Affected Releases:
100.15(8.31)
Known Fixed Releases: *
100.15(8.39), 9.5(1.194), 96.2(1.120)
Alert Type:
Updated *
Bug Id:
CSCux20680
Title:
PLR: Day0-config with SL token on ESXi does not license ASAv properly
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
An ASAv deployed with a Day 0 configuration with commands for unattended licensing fails to license itself.

Conditions:
An ASAv deployed with a day0-config file or deployed in VMware with the licensing information provided in the VM deployment dialog.

Workaround:
The workaround is to manually re-enter part of the Smart Licensing entitlement configuration after the ASAv is up and running. This can be accomplished by entering configuration mode using the configure terminal command, entering Smart Licensing configuration mode using the configure terminal command and re-configuring the Feature Tier using the feature tier standard command.

Performing the steps above will cause the ASAv to initiate a license request for the configured license entitlement.

Further Problem Description:

Last Modified:
09-FEB-2016
Known Affected Releases:
9.5(1.193)
Known Fixed Releases: *
100.15(8.43), 96.2(1.120)
Alert Type:
Updated *
Bug Id:
CSCtj57256
Title:
L2TP/IPSec connection from Android doesn't establish to the ASA55xx
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
L2TP/IPSec connection from Android doesn't establish to the ASA55xx VPN gateway appliance.

Conditions:
Workaround:

Last Modified:
12-FEB-2016
Known Affected Releases:
8.2(3)
Known Fixed Releases: *
100.5(5.48), 100.7(0.66), 100.7(6.12), 100.7(8.1), 8.2(4.101), 8.2(4.6), 8.2(5), 8.3(2.12), 8.3(2.180), 8.4(0.99)
Alert Type:
Updated *
Bug Id:
CSCtw82147
Title:
ASA lets static NAT mapped IP to be same as standby address on interface
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:

The ASA lets one configure static NAT with a mapped IP that is the same as the standby (failover) IP address on the mapped interface. For example:

ciscoasa(config)# sh run int e0/0
!
interface Ethernet0/0
nameif vm
security-level 0
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
ciscoasa(config)# sh run nat
!
object network obj-10.76.76.160
nat (tftp,vm) static 192.168.10.2
!
The above static NAT configuration will never work as intended.

Conditions:

Mapped interface configured with standby IP address.

Workaround:

Do not configure static 1:1 NAT with mapped IP same as standby IP address.

Last Modified:
17-FEB-2016
Known Affected Releases:
8.4
Known Fixed Releases: *
100.7(13.59), 100.7(18.10), 100.7(19.9), 100.8(0.65), 100.8(11.10), 100.8(14.9), 100.8(24.35), 100.8(30.6), 100.8(32.5), 100.9(0.1)
Alert Type:
Updated *
Bug Id:
CSCuu18527
Title:
ASA WebVPN: HTTP 302 Location URL rewritten incorrectly
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In some corner conditions, if the Backend Server responds with HTTP "302 Found" where in the Location URL the fqdn and the URI are not separated by "/", but are separated instead by a "?", ASA appends the same URI prefix as the one it got redirected from resulting in a "HTTP 404" condition.

For example:
Client Performs: GET /abcd/login.php
Backend Server Responds with HTTP 302 Found: Location: http://server.company.com?email=bsg73kdpo1098
At this stage, ASA rewrites this HTTP header as: HTTP 302 Found: Location: http://server.company.com/abcd/?email=bsg73kdpo1098

Here, notice that the ASA appends /abcd/ from the original URI

Conditions:
ASA acting as Clientless SSLVPN Server, and the users access Intranet Websites through the WebVPN portal. The WebSites are served through ASA's Rewriter engine

Workaround:
Use Smart-Tunnel feature

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.3(3.1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.17), 100.14(10.23), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCus34033
Title:
ASA fails to pass ipv6 address to anyconnect client when using RADIUS
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When IP address assignment is done using RADIUS and not a local pool, AnyConnect does not get an IPv6 address from RADIUS.

Debugs on anyconnect/webvpn show the message below:
webvpn_cstp_accept_ipv6_address: No IPv6 Address

Conditions:
When using RADIUS for assigning an IPv6 address to the AnyConnect client

Workaround:
1. use local pool for ipv6 address assignment
2. downgrade to 9.2.1 as issue was seen on 9.2.2.4

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.2, 9.3(2)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.22), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(12.1), 100.14(2.1)
Alert Type:
Updated *
Bug Id:
CSCut85049
Title:
Issue with downloading images from Sharepoint
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Image cannot be downloaded from Sharepoint

Conditions:
After cookies and cache are cleared from browser

Workaround:
Right click on the image and do a 'Save As' and select local disk

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
100.14(3.8), 9.4(1.112)
Known Fixed Releases: *
100.12(0.137), 100.13(0.93), 100.14(0.13), 100.14(10.23), 100.14(5.15), 100.14(6.7), 100.14(7.6), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCut54218
Title:
ASA tunnel-group"password-expire-in-days"not prompting a password change
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"password-expire-in-days" option of "password-management" is not prompting the users for password change

Conditions:
Use of anyconnect remote access and WebVPN tunnel-group "password-management"

Workaround:
Revert to version 9.3.1

Further Problem Description:

Last Modified:
19-FEB-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.13(29.28), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11), 100.14(2.21)
Alert Type:
Updated *
Bug Id:
CSCui43057
Title:
WebVPN: IPv6 address is padded with zeros in FF browser 3.6
Status:
Terminated
Severity:
3 Moderate
Description: *

Symptom:
Redirection not working

Conditions:
IPv6 address is used to login to ASA on FF 3.6

Workaround:
Using Google Chrome may be an option

Further Problem Description:

Last Modified:
22-FEB-2016
Known Affected Releases:
9.1(2.4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuj04699
Title:
ASA WebVPN: Java Signer Certificate chain is incomplete with >3 CA Certs
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the SSLVPN client accesses the Java plugins, ASA signs the plugin using the Java Signer Certificate, however the Certificate chain sent by the ASA does not include the entire chain. As per the standards, ASA should at least send Intermediate CA-1 + Intermediate CA-2 + Java Signer Certificate

Instead we see the following chain:
Intermediate CA-2 + Java Signer Certificate

On PCs which have only Root-CA certificate installed in the Java Signer Store or OS Certificate store, Java flags the publisher as UNKNOWN

Conditions:
ASA is acting as SSLVPN Server with Java Trust-point configured to sign the Java plugins with a valid 3rd party Signer Certificate. And the Java signer certificate is issued by an Intermediate CA, which has two or more issuers in the hierarchy. In other words, we have:
Root -- Intermediate CA-1 -- Intermediate CA-2 -- Java Signer Certificate

Workaround:
Install the whole CA Chain in the End PC's Certificate store or Java Signer CA Store. i.e. in this case the store should contain at least Root CA and Intermediate CA-1 Certificates.

Further Problem Description:

Last Modified:
23-FEB-2016
Known Affected Releases:
8.2(5.41), 9.1(6)
Known Fixed Releases: *
100.11(0.62), 100.12(0.140), 100.13(0.95), 100.14(0.70), 100.15(0.24), 100.15(1.56), 100.15(16.1), 100.15(2.86), 100.15(3.31), 100.15(6.19)
Alert Type:
Updated *
Bug Id:
CSCuv11963
Title:
TP Auth fails when sub CA using RSA keys is signed by root using ECDSA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA fails to validate the Anyconnect client certificate issued by the intermediate CA under below conditions.

Conditions:
1. ASA running 9.3.3.1, should be configured for certificate authentication.

2. Root CA cert must have ECDSA signature algorithm and ECDSA public key.

3. Intermediate CA cert must have ECDSA signature algorithm with RSA public key.

4. ASA ID cert must have RSA signature algorithm with RSA public key.

5. Client cert must have RSA signature algorithm with RSA public key.

Workaround:
NONE

Further Problem Description:
When we connect to ASA from Anyconnect client machine, we see the client is sending its ID cert and ASA fails to verify the cert chain with below debug.

CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.
CRYPTO_PKI:Failed to set key info for get public key obj, status: 542, keylen: 294
CRYPTO_PKI: Verify chain of certs failed to get pubkey from signer.

Root, intermediate and ID certs are installed in separate Trustpoints in ASA. We have also tried installing intermediate and ID cert in single Trustpoint which results in same failure.

Last Modified:
23-FEB-2016
Known Affected Releases:
9.3(3.1), 9.4(1), 9.5(1)
Known Fixed Releases: *
100.13(0.98), 100.14(0.73), 100.15(0.26), 100.15(1.83), 100.15(16.4), 100.15(17.2), 100.15(3.50), 100.15(6.33), 100.15(8.13), 9.4(1.112)
Alert Type:
New
Bug Id:
CSCuy43841
Title:
AnyConnect sessions stuck in vpn-sessiondb after logoff all
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
Performed "vpn-session logoff all" on several AnyConnect SSL VPN sessions.
"show vpn-sessiondb" still showed a few AnyConnect sessions as being established on the Active ASA.
The Standby ASA correctly showed all sessions logged off.
New VPN sessions could be established on the Active unit, however.

Conditions:
SSL VPN sessions and logoff from ASA

Workaround:
Perform a soft failover ("failover active") on the standby ASA so that it becomes active. The vpn-sessiondb then correctly shows all sessions as having been cleared.

Further Problem Description:

Last Modified:
24-FEB-2016
Known Affected Releases:
9.4(2.101)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux43460
Title:
http://ASDM fails to redirect to https://ASDM:non-default-server-port
Status:
Terminated
Severity:
3 Moderate
Description:

Symptom:
Attempting to access the management/ASDM interface on the ASA, by entering an URL such as http://ASDM-Mngt in the browser, fails to redirect to https://ASDM-Mgt:

Expected behavior with the below sample http server and redirect config:
When entering in a browser http://ASDM-IP should be redirected to https://ASDM-IP:60000

ASAt# show run http
http server enable 60000
http 0.0.0.0 0.0.0.0 asdm-mngt-net
http redirect asdm-mngt--net 80

Note: The URLs are only examples to be replaced by each specific network configuration.

Conditions:

Workaround:
1. Use https instead of http (no redirect) in the browser address: https://ASDM-IP-or-FQDN
2. Use the default http/ASDM server port, SSL (443), "http server enable". Redirect works in this case.

Further Problem Description:

Last Modified:
24-FEB-2016
Known Affected Releases: *
9.0(0.1), 9.1(5), 9.1(6), 9.1(6.108), 9.2(4), 9.4(2.101)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuy43857
Title:
ASA WebVPN: Java Exception with Kronos application
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
When a Kronos based application is used with the WebVPN rewriter, parts of the portal which use Java may fail with a 'ClassNotFound' exception or 'NoClassDefFound' error.

Conditions:
Application accessed using ASA WebVPN rewriter

Workaround:
None

Further Problem Description:

Last Modified:
24-FEB-2016
Known Affected Releases:
9.4(1), 9.4(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux90767
Title:
Resolve CSCtz82865 - Equivalent of "show xlate count" command
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Resolve CSCtz82865 - Equivalent of "show xlate count" command

Conditions:
Cisco ASA running release 9.1.4 and higher with SNMP enabled. On certain versions it's not running.

Workaround:
none

Further Problem Description:

Last Modified:
25-FEB-2016
Known Affected Releases:
9.4(2)
Known Fixed Releases: *
100.12(0.156), 100.13(0.127), 9.4(2.99), 96.1(1.59), 96.2(1.110)
Alert Type:
Updated *
Bug Id:
CSCtk35575
Title:
Debug trace for mps_shash_release with logging.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Seeing debug trace related to mps_shash_release with logging

Conditions:
mps_shash_release attempted to process_suspend but failed because
tmatch_release_actual acquired a lock. The syslog reported such failure.

But in fact, the process_suspend is not needed in this particular case, because
we have removed all elements in the hash table before releasing it.

Workaround:
The original intention for the process_suspend here is to prevent watchdog in
mps_shash_release when many elements are still in there.

In other words, the syslogs I saw are a false alarm.

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
8.4(0.106)
Known Fixed Releases: *
9.6(0.99), 96.1(1.65), 96.2(1.118)
Alert Type:
Updated *
Bug Id:
CSCuu88412
Title:
When > 510 characters entered in CLI, context switches to admin/system
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When a user exceeds 510 characters from the CLI and is not within the admin/system context, the user is unintentionally switched into the "admin/system" context. This issue was observed when running the command on ASASM after first logging into the 6500 switch and performing a "session" connection to the module.

Conditions:
ASASM with v9.1.6.1

Workaround:
none

Further Problem Description:
none

Last Modified:
29-FEB-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.118), 100.14(0.81), 100.15(0.73), 100.15(17.33), 100.15(20.12), 100.15(8.23), 100.16(0.7), 100.16(1.20)
Alert Type:
Updated *
Bug Id:
CSCuq21426
Title:
Inspect-DNS: PTR Query failed when DNS-Doctoring enabled
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A revDNS response going through the ASA is received for a different IP address than the original query.

Conditions:
The ASA has NAT configured with the 'dns' keyword and there is a revDNS query for the mapped IP address used in this translation.

Workaround:
1. remove 'dns' keyword from NAT statement,
2. query for real IP address

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.0(4.18)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.120), 100.14(0.83), 100.15(0.87), 100.15(20.17), 100.15(8.29), 100.16(0.9), 100.16(1.34), 100.16(14.1)
Alert Type:
Updated *
Bug Id:
CSCuv76342
Title:
ISA3000 crashed while generating crypto rsa keys
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ISA3000 can produce back-trace after executing "crypto key generate rsa usage-keys label usage_key modulus 4096" command.

Conditions:
After the unit is installed with not much initial configuration, issue the command 'crypto key generate rsa label Key1_4096 modulus 4096'.
Try the same command manually 7-8 times. The ISA can crash and produce a back trace around the 8th iteration. However, the issue cannot be reproduced consistently.

Workaround:
ISA should reload after the back trace

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
100.13(29.28), 9.4(1)
Known Fixed Releases: *
100.13(0.104), 100.13(29.101), 100.13(29.36), 100.14(0.75), 100.15(0.29), 100.15(0.42), 100.15(1.94), 100.15(16.7), 100.15(17.18), 100.15(17.9)
Alert Type:
Updated *
Bug Id:
CSCsh75522
Title:
Increase Content-length counter from 4 to 8 byte size
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Deep inspect http (i.e. http app-fw or inspect http http-policy-map) reports
the http connections as protocol-violation if the "Content-Length:" value n
in the request is greater than 268435455.
ASA supports content-length value up to 0x0FFFFFFF (i.e. 268435455) only.

Conditions:
HTTP requests whose Content-Length: header value is greater than
268435455

Workaround:
No workaround.

Further Problem Description:
One way to get rid of the issue is to disable the connection drop or reset
for protocol-violation. But this means inspection won't be done on the http
data.

Last Modified:
29-FEB-2016
Known Affected Releases:
7.0, 8.0(0.195)
Known Fixed Releases: *
100.13(0.131), 96.1(1.80), 96.2(1.134), 97.1(1.2)
Alert Type:
Updated *
Bug Id:
CSCuv72826
Title:
object-group-search access-control enabled, nested object group issue
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA denied traffic after moving a group object to another group object.

Conditions:
object-group-search access-control enabled

Workaround:
reapply access-list to the interface

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.1(6), 9.2(3), 9.4(1)
Known Fixed Releases: *
100.12(0.148), 100.13(0.105), 100.14(0.76), 100.15(0.31), 100.15(16.7), 100.15(17.11), 100.15(3.56), 100.15(8.15), 100.16(0.2), 100.16(1.2)
Alert Type:
Updated *
Bug Id:
CSCuv49100
Title:
ASA: Unable to ping fover IPv6 address in multiple mode
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Ping command fails when trying to ping the IPv6 address assigned to the failover lan interface.

Conditions:
ASA is in multiple mode with IPv6 addresses assigned to the failover lan interface.

Workaround:
None

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.15(0.45), 100.15(17.20), 100.15(3.69), 100.15(8.17), 100.16(0.3), 100.16(1.5)
Alert Type:
Updated *
Bug Id:
CSCub30181
Title:
ASA doesn't set ACE inactive when time-range expires
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In some scenarios, after a time-range expires, an ASA does not mark the ACE as inactive. This causes traffic to be incorrectly permitted or
denied after the time range is no longer valid.

Conditions:
This affects 8.4.1 - 8.4.4 version of ASA

Workaround:
Make any change to the ACL policy that will force it to re-apply the configuration. For example, move the start time of the time-range forward by
1 minute.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:W/RC:C&version=2.0
CVE ID CVE-2012-3925 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
100.7(13.93), 8.4(1)
Known Fixed Releases: *
100.11(0.64), 100.12(0.151), 100.13(0.115), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.4), 100.15(8.18), 100.16(0.4)
Alert Type:
Updated *
Bug Id:
CSCuy49315
Title:
Default route on outside interface breaks DNS on management interface
Status:
Open
Severity: *
3 Moderate
Description: *

Symptom:
DNS name resolution fails on the Management interface when a default route is present on another interface.

Conditions:
ASAv with default route configured on the Management 0/0 interface and on another interface. DNS is configured to use management interface but name-server is not:

dns domain-lookup management
DNS server-group DefaultDNS
name-server 10.11.12.13



Workaround:
Explicitly configure name-server command with the interface option set to management:

dns domain-lookup management
DNS server-group DefaultDNS
name-server 10.11.12.13 management


Further Problem Description:

Last Modified:
01-MAR-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv88898
Title:
WEBVPN Rewriter: Stops mangling after hex code of Period on Bookmark URL
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the hex code of the characters in a URL is used in the bookmark for Clientless WebVPN, the URL mangling stops after the hex equivalent of "period" is seen.
For example:
For http://www.cisco.com we use "http://www.cisco.com"
The mangled URL looks like this
https://ASA IP/+CSCO+0h756767633A2F2F6A6A6A++/.cisco.com

The mangling stops at . which is the Hex equivalent for "period"

Conditions:
HEX code is used on the Bookmark URL

Workaround:
None

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.106), 100.14(0.76), 100.15(0.39), 100.15(17.14), 100.15(3.63), 100.15(8.16), 100.16(0.2), 100.16(1.3)
Alert Type:
Updated *
Bug Id:
CSCus74398
Title:
Cisco ASA PIM Multicast Registration Vulnerability
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
A vulnerability in Protocol Independent Multicast (PIM) application of the Cisco Adaptive Security
Appliance (ASA) could allow an unauthenticated, remote attacker to disrupt the multicast traffic
forwarding on the affected device via a denial-of-service (DoS) attack.

The vulnerability is due to an inconsistency in how the PIM Registration is implemented for multicast
forwarding. An attacker could exploit this vulnerability by sending a crafted multicast packet to the affected
device. An exploit could allow the attacker to disrupt the multicast forwarding via a DoS attack.

Conditions:
The ASA is configured for PIM multicast configuration running an affected version of software. To determine if PIM
Multicast is configured on this device the following command can be used:

1. This will verify if the PIM Rendezvous Point (RP) is configured.

ciscoasa# show running-config | in pim
pim rp-address 192.128.1.1

2. Use the command "show pim interface" to verify that multicast is properly configured on the interface.

Workaround:
None.

Further Problem Description:
None

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-0742 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
29-FEB-2016
Known Affected Releases:
100.13(0.21), 100.13(20.3), 100.14(1.1), 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115)
Known Fixed Releases:
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.15), 100.14(26.6)
Alert Type:
Updated *
Bug Id:
CSCuu61981
Title:
http server shows as enable in running config while not
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the configuration command "http server enable" fails due to a port usage conflict with AAA, with the error message "ERROR: Port 443 is being used on interface public by an aaa authentication listener", the configuration is incorrectly updated to include "http server enable".

Conditions:
When the configuration "http server enable [port-number]" is attempted but the designated port is already in use (e.g., by AAA).

Workaround:
Remove the conflicting configuration before "http server enable".

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.149), 100.13(0.108), 100.14(0.77), 100.15(0.54), 100.15(17.23), 100.15(3.76), 100.15(8.18), 100.16(0.4), 100.16(1.9)
Alert Type:
Updated *
Bug Id:
CSCtj56778
Title:
Incorrect ARP MAC Address conversion
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA converts the following cli
arp inside 1.2.3.4 abc.de.f
to
arp inside 1.2.3.4 ab0c.de00.0f00
it should convert to
arp 1.2.3.4 0abc.00de.000f
like IOS and IPv6 Neighbor cache

Conditions:

Workaround:
Enter proper mac address

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
8.3(1)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.84), 100.15(0.94), 100.15(20.22), 100.16(0.10), 100.16(1.50), 100.16(14.1), 100.16(15.7)
Alert Type:
Updated *
Bug Id:
CSCur19070
Title:
PBR:Route-map is accepting interface which is not configured with nameif
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Route-map accepts an interface name substring after giving an ambiguous command error during configuration.

Conditions:
Configure two nameif interfaces named test1 and test2. When interface "test" is specified under route-map set interface, the ASA reports an ambiguous command but still configures "test1" in the route-map.

Workaround:
No Workaround

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
100.13(12.13), 9.4(1)
Known Fixed Releases: *
100.15(0.105), 100.16(0.15), 100.16(1.74), 100.16(1.76), 100.16(12.2), 100.16(14.1), 9.6(0.99), 96.1(1.21), 96.1(1.26), 96.1(5.4)
Alert Type:
Updated *
Bug Id:
CSCus08552
Title:
show traffic protocol stats show large counter values-enhanced pkt stats
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
show traffic protocol statistics show huge counter values after enhanced packet stats are enabled.

Conditions:
After enhanced packet statistics are enabled with the command "sysopt traffic detailed-statistics", some of the counter values are very large as displayed with the "show traffic" command.

Workaround:
None

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
100.12(0.101), 9.3(1.108)
Known Fixed Releases: *
100.12(0.156), 100.13(0.127), 9.4(2.99), 9.6(0.99), 96.1(1.59), 96.2(1.110)
Alert Type:
Updated *
Bug Id:
CSCuy25445
Title:
Master shows slave interfaces as "up" when slave rejoining
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
If a slave unit in a cluster reboots, while it is rejoining, the master will show its interfaces as "up" instead of "init" for a short period of time.

The issue does not have functionality impacts.

Conditions:
Cisco ASA running release 9.0 and later.

Workaround:
None.

Further Problem Description:

Last Modified:
25-FEB-2016
Known Affected Releases:
9.1(6.184)
Known Fixed Releases: *
100.13(0.130), 9.4(2.101), 96.1(1.77), 96.1(1.79), 96.2(1.129), 96.2(1.131), 97.1(0.2)
Alert Type:
Updated *
Bug Id:
CSCur42057
Title:
Smart Licensing: License config warning needs message classification
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Incomplete smart licensing config will be reported as an error by ASDM.

Conditions:
User configures only one part of smart licensing. There are two parts: feature tier and throughput. If the user specifies only one and then exits, the message that is displayed will be interpreted as an error by ASDM.

Workaround:
Configure both parts of smart licensing before exiting smart licensing config.

Further Problem Description:
This should be displayed as a warning by ASDM. The code should be modified to prepend "WARNING:" so that ASDM properly displays it as a warning.

Last Modified:
29-FEB-2016
Known Affected Releases:
100.12(6.24)
Known Fixed Releases: *
100.16(0.20), 9.6(0.99), 96.1(1.56), 96.2(1.107)
Alert Type:
Updated *
Bug Id:
CSCua66518
Title:
Help arp SYNTAX section misses "permit-nonconnected" entry
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Help arp misses permit-nonconnected entry in SYNTAX section.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
8.4(4), 8.4(4.2)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.120), 100.13(0.121), 100.14(0.83), 100.14(0.84), 100.15(0.87), 100.15(0.90), 100.15(20.17), 100.15(20.18)
Alert Type:
Updated *
Bug Id:
CSCua71298
Title:
Help arp in context shows arp permit-nonconnected
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Help arp in admin and user contexts shows arp permit-nonconnected entry, which is only available in system context.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
8.4(4.2)
Known Fixed Releases: *
100.11(0.63), 100.12(0.149), 100.13(0.114), 100.14(0.79), 100.15(0.56), 100.15(17.24), 100.15(3.77), 100.15(8.18), 100.16(0.4), 100.16(1.9)
Alert Type:
Updated *
Bug Id:
CSCur80711
Title:
dhcprelay enabled interface pops memory message when address is assigned
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
dhcprelay enable interface when enabled pops memory message "No memory for DHCP interface ''

Conditions:
ASA in multicontext mode.

Workaround:
None, but this is a benign message

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.1(2)
Known Fixed Releases: *
100.13(0.128), 9.6(0.99), 96.1(1.66), 96.2(1.118)
Alert Type:
Updated *
Bug Id:
CSCuo65775
Title:
Cisco ASA Information Disclosure Vulnerability
Status:
Fixed
Severity:
4 Minor
Description: *

Symptom:
A vulnerability in the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated,
remote attacker to disclose sensitive data which includes the ASA software version. This information
could be used for reconnaissance attacks.

The vulnerability is due to insufficient protections of sensitive data before authentication with the
AnyConnect client. An attacker could exploit this vulnerability by attempting to authenticate to the
device with AnyConnect which could disclose the sensitive information.

Conditions:
Device running with IKE/WVPN enabled on an interface on an affected version of software using the AnyConnect client.

The AnyConnect client can be running any version of software.

Workaround:
None.

Further Problem Description:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2016-1295 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
24-FEB-2016
Known Affected Releases:
8.4, 9.1, 9.3, 9.4
Known Fixed Releases:
100.11(0.47), 100.12(0.48), 100.12(6.7), 100.13(0.3), 100.13(11.2), 100.13(12.3), 100.13(13.1), 100.13(14.2), 100.13(15.1), 100.13(16.1)
Alert Type:
Updated *
Bug Id:
CSCus14480
Title:
ASA sends DNS query with type AAAA even when only IPv4 config on mgmt
Status:
Open
Severity: *
4 Minor
Description:

Symptom:
ASAv may not be able to license if DNS server returns IPv6 address for the Licensing server "tools.cisco.com" and there is no route to reach the server using IPv6 address.

Conditions:
When only IPv6 and IPv4 addresses are present on the inside/outside interfaces, but management is configured with only an IPv4 address, ASAv sends a DNS query for "tools.cisco.com" over the management interface. In this case, the DNS server responds with the IPv6 address of the Licensing server. But since an IPv6 route is not present, ASAv cannot reach "tools.cisco.com" over IPv6.

Workaround:
Change the Smart Call Home URL ("show run call-home") for CiscoTAC-1 and License profile to hardcode the IPv4 address of "tools.cisco.com", e.g. destination address http https://72.163.4.38/its/service/oddce/services/DDCEService. The assumption is that there is an IPv4 route configured to reach 72.163.4.38 over the management interface.

Further Problem Description:

Last Modified:
15-FEB-2016
Known Affected Releases:
9.2(2.109), 9.3(1.111)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy09302
Title:
inspect-http: "show service-policy" only returns a max of 64 entries
Status:
Open
Severity:
4 Minor
Description: *

Symptom:
'show service-policy interface' will return up to 64 entries/rules

Conditions:
a class-map configured with more than 64 match lines

Workaround:
none

Further Problem Description:

Last Modified:
15-FEB-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw75736
Title:
ASA 9.4 - The source of CoA packet does not match tunnel-group config
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
-- change in configuration order resulted in failed CoA NAK, with the following error:

"The source of CoA packet does not match tunnel-group config."

Conditions:
non-working configuration
======================
sh run aaa-
aaa-server ACCT protocol radius
 accounting-mode simultaneous
 interim-accounting-update
 reactivation-mode timed
aaa-server ACCT (inside) host 172.16.1.13
 key *****
aaa-server ACCT (inside) host 172.16.1.14
 key *****
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update
 dynamic-authorization
aaa-server ISE (inside) host 172.16.1.13
 key *****

Workaround:
working configuration
======================
sh run aaa-
aaa-server ISE protocol radius
 authorize-only
 interim-accounting-update
 dynamic-authorization
aaa-server ISE (inside) host 172.16.1.13
 key *****
aaa-server ACCT protocol radius
 accounting-mode simultaneous
 interim-accounting-update
 reactivation-mode timed
aaa-server ACCT (inside) host 172.16.1.13
 key *****
aaa-server ACCT (inside) host 172.16.1.14
 key *****

Further Problem Description:
N/A

Last Modified:
03-FEB-2016
Known Affected Releases:
9.4(1.5)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.127), 96.1(1.58), 96.2(1.110)
Alert Type:
Updated *
Bug Id:
CSCus83799
Title:
Debug menu ike-common counters not getting incremented
Status:
Open
Severity:
5 Cosmetic
Description:

Symptom:

Conditions:

Workaround:
N/A

Further Problem Description:

Last Modified:
09-FEB-2016
Known Affected Releases: *
9.4(2.212)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv10516
Title:
Security alert:Python JSON Module Vulnerability
Status:
Other
Severity:
6 Enhancement
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-4616

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-4616 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
01-FEB-2016
Known Affected Releases: *
1.1(2), 1.1(3), 1.1(4), 6.0, 9.5(2), 9.5(2.200), 96.2(1), 99.1, 99.1(2)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuy30152
Title:
ENH: Do not require "no rest-api image" to upgrade REST API
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
User is unable to configure a new REST API image unless they remove the old image first. The user will receive the following error:

ERROR: REST API image is already installed. Please uninstall the old image before installing a new one.

Conditions:
-There is already a REST API image installed on an ASA
-Attempting to upgrade to a new version of the REST API image

Workaround:
Use the "no" command to un-configure the old image:

no rest-api image oldimage.bin
rest-api image newimage.bin

Further Problem Description:

Last Modified:
16-FEB-2016
Known Affected Releases:
9.6(0.56)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv00272
Title:
ASA: PBR policies should be applied for output route-lookup
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
ASA doesn't check the Policy Based Routing (PBR) configuration for next-hop determination if the egress interface is selected either by an existing connection or by a destination NAT lookup.

ASA 951 Beta Ticket:
https://stg-beta-tickets.cisco.com/Ticket/Display.html?id=684080

Conditions:
ASA configured for PBR.

Workaround:
None.

Further Problem Description:

Last Modified:
18-FEB-2016
Known Affected Releases:
9.4(1), 9.5(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw37752
Title:
FTP data conn scaling fails with dynamic PAT
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
FTP connections cannot be fully scaled in a cluster environment with dynamic PAT configured.

Conditions:
Cluster deployment with dynamic PAT configured for FTP.

Workaround:
Replace dynamic PAT with dynamic NAT or change the L2/L3 load balancing such that all control and data conns belonging to an FTP session are handled by a single node.

Further Problem Description:

Last Modified:
20-FEB-2016
Known Affected Releases:
100.8(40), 9.4(2), 9.5(1), 9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv19728
Title:
Allow user to select SSH Encryption Cipher Mode on ASA
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
The SSH encryption ciphers are not configurable. It is desired to make them configurable so the admin can customize the ciphers to be consistent with the required security level and with interoperability requirements.

Conditions:
All

Workaround:
None

Further Problem Description:
This issue is addressed in 9.1(7) with the introduction of the "ssh cipher encryption" config command.

Last Modified:
29-FEB-2016
Known Affected Releases:
9.2(3.4)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(0.104), 100.15(0.98), 100.15(20.13), 100.15(8.24), 100.16(0.12), 100.16(0.14)
Alert Type:
New
Bug Id:
CSCuy47373
Title:
DOC: ASA Syslog Message ASA-1-103001 Code = 6
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Currently we only list codes 1-5 for syslog 103001. There is a 6th code that is not listed in the following guide:
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html#pgfId-4768587

Conditions:
Failover
Syslog

Workaround:
N/A

Further Problem Description:

Last Modified:
25-FEB-2016
Known Affected Releases:
8.0, 9.0
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv83951
Title:
ASA webvpn: Citrix SSO for Storefront 2.6 does not work
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
SSO for Citrix Storefront 2.6 does not work. This is an enhancement request to support the same.

Conditions:
Using SSO for Storefront version 2.6

Workaround:
none

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.16(1.16), 100.16(14.1), 9.6(0.99), 96.1(1.54), 96.1(1.57)
Alert Type:
Updated *
Bug Id:
CSCuw55535
Title:
Port-security on switch is causing ASA module to set DNL/DIL bit
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
Unable to reach destination when packets are routed via ASA.

When the ASA module does the routing and sends the packet back to the supervisor, the CPU places the packet back in the original VLAN. For example:
1. Packet enters port Gi2/1/1 VLAN 33 that has port-security configured.
2. Packet is forwarded to the ASA module inside the Cat6k switch.
3. ASA module performs routing to VLAN 38 and sends the packet back to Sup2T.
4. Sup2T doesn't have the destination MAC in its MAC address table; instead of flooding the packet to VLAN 38, the packet is sent to the supervisor CPU.
5. The CPU receives the packet from VLAN 38, decreases the TTL, overwrites the L2 information and places it back in VLAN 33. The destination MAC is again the ASA MAC in VLAN 33. This creates a loop until the TTL expires for that packet. (NetDR example below)


F340.07.02-6500-1# debug netdr capture destination-ip-address 2.2.2.2
F340.07.02-6500-1# show netdr captured-packets

------- dump of incoming inband packet -------
l2idb Te1/2/3, l3idb NULL, routine inband_process_rx_packet, timestamp 14:14:17.967
dbus info: src_vlan 0x26(38), src_indx 0x42(66), len 0x76(118)
bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x5FA9(24489), CoS 0
cap1 0, cap2 0
580200C0 00260000 00420000 76000000 0001046C 0E000004 00000010 5FA9683F
destmac 00.18.BA.88.5F.C1, srcmac E8.B7.48.29.34.2C, ethertype 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 100, identifier 3727
df 0, mf 0, fo 0, ttl 255, src 1.1.1.1, dst 2.2.2.2
icmp type 8, code 0

------- dump of outgoing inband packet -------
l2idb NULL, l3idb Vl32, routine etsec_tx_pak, timestamp 14:14:17.967
dbus info: src_vlan 0x20(32), src_indx 0x380(896), len 0x82(130)
bpdu 0, index_dir 0, flood 0, dont_lrn 0, dest_indx 0x0(0), CoS 0
cap1 0, cap2 0
00020000 0020A800 03800000 82000000 00000000 00000000 00000000 00000000
destmac E8.B7.48.29.34.2C, srcmac 00.17.0F.9D.2C.00, shim ethertype CCF0
earl 8 shim header IS present:
version 0, control 0(0x0), lif 16391(0x4007), mark_enable 0,
feature_index 0, group_id 0(0x0), acos 0(0x0),
ttl 15, dti 0, dti_value 540704(0x84020)
000800E0 0003C008 4020
ethertype 0800
protocol ip: version 0x04, hlen 0x05, tos 0x00, totlen 100, identifier 3727
df 0, mf 0, fo 0, ttl 254, src 1.1.1.1, dst 2.2.2.2
icmp type 8, code 0

Conditions:
For this bug to trigger, port-security needs to be configured on the interface via which packets are entering the switch. Port-security on outgoing interfaces doesn't change much here.

Workaround:
- From ASA ping the destination or source IP address. Sometimes problem is fixed by pinging DST, sometimes by pinging SRC.
- Failover of ASA doesn't clear the problem

Further Problem Description:

Last Modified:
28-FEB-2016
Known Affected Releases:
8.4
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCsf31461
Title:
Capture type asp-drop needs to be filterable by ACL
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:

Conditions:
When using a capture type asp-drop we need to be able to use an ACL to limit the
scope of the capture. Currently capture type asp-drop does not let someone use
an ACL to identify particular flows that are being dropped.

For instance, if I know a flow is being dropped because of packet inspection but I
need to capture the actual packet that fails inspection, I have to know exactly what
asp type to capture. If there is a large number of drops, it makes it difficult to find
the specific flow.
Further Problem Details:
This is needed to be able to pick out a single flow that is failing with the capture type asp-drop.
This will allow users to pinpoint the failing packets. In particular this is helpful if the "show
asp-drop" statistics are incrementing very quickly, making it difficult to narrow down the exact
drop reason.
Example:
This is how an asp-drop capture is currently configured.
capture aspcap type asp-drop all

This is what could be configured if we tied the capture to an ACL.
access-list aspcap permit ip host 10.1.1.1 host 172.16.2.2
access-list aspcap permit ip host 172.16.2.2 host 10.1.1.1

capture aspcap type asp-drop all access-list aspcap

Workaround:
Use capture of type "asp-drop all" and use an ACL in the show capture command to selectively show packets of interest.

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
100.16(1.1), 7.0, 7.1, 7.2, 8.4(1)
Known Fixed Releases: *
100.16(1.32), 100.16(14.1), 96.2(1.109), 96.2(1.116), 96.2(1.138)
Alert Type:
New
Bug Id:
CSCuu59710
Title:
Enhance CTL to connect with CUCM10.5
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Need to enhance the CTL on ASA

Conditions:
When we need to use cucm10.5, we will see the major minor version compatibility issue

Workaround:
don't connect with cucm10.5

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCum63371
Title:
ENH: Allow configurable HMAC and encryption algorithms on ASA SSH server
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
The Cisco ASA SSH server is not configurable as to encryption and HMAC algorithms. Since 8.4.4, certain versions are able to use the 'ssh key-exchange group' command to use different key exchange algorithms, but the encryption and HMAC algorithms are still not configurable. Some customers claim that this is causing them to fail security audits.

Conditions:
Normal operation

Workaround:
None

Further Problem Description:
This issue is addressed in 9.1(7) with the introduction of the "ssh cipher encryption" and "ssh cipher integrity" config commands.

Last Modified:
29-FEB-2016
Known Affected Releases:
9.2(1), 9.2(3.4)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(0.104), 100.15(0.98), 100.15(20.13), 100.15(8.24), 100.16(0.12), 100.16(0.14)
Alert Type:
Updated *
Bug Id:
CSCuv50747
Title:
ENH: HTTP redirect support for IPV6
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
We see the logs below when we try to access ASA outside interface over IPV6 on port 80:

%ASA-7-710005: TCP request discarded from 1eee::f49a:c93c:38d9:d034/50771 to outside:1eee::1/80
%ASA-3-710003: TCP access denied by ACL from 1eee::f49a:c93c:38d9:d034/50772 to outside:1eee::1/80


ciscoasa# sh asp table socket

Protocol  Socket    State   Local Address      Foreign Address
SSL       0023fff8  LISTEN  123.123.123.1:443  0.0.0.0:*
SSL       007801a8  LISTEN  10.106.45.221:443  0.0.0.0:*
SSL       004ffff8  LISTEN  [1eee::1]:443      [::]:*
DTLS      004003d8  LISTEN  [1eee::1]:443      [::]:*
DTLS      004004c8  LISTEN  10.106.45.221:443  0.0.0.0:*
TCP       009003d8  LISTEN  10.106.45.221:80   0.0.0.0:* ============ > listen on port 80 for ipv4 but similar entry for ipv6 is missing.

Conditions:
The command: http redirect outside 80 is present

Workaround:
None

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.65), 100.12(0.155), 100.13(0.121), 100.15(0.102), 100.16(0.13), 100.16(1.70), 100.16(14.1), 100.8(40.108), 9.1(6.108), 9.1(7)
Alert Type:
New
Bug Id:
CSCuy51563
Title:
Slow downloads with WebSense URL-server
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Slow downloads may be experienced when a WebSense URL-Server is configured.

Conditions:
ASA multi-context mode running 9.1 and above

Workaround:
Exclude IP address from URL filtering

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus85257
Title:
ASA Connector - Provide Higher Layer Health Checks for CWS Tower
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
The ASA may not failover to the backup CWS tower when the CWS tower is in a degraded state but remains responsive to ASA TCP health checks. This may cause traffic interruption in the network environment when the ASA continues to redirect web traffic to the degraded tower. This is an enhancement request to provide more granular health checking between the ASA and the CWS tower.

Conditions:
This can occur if the CWS tower is degraded (not down) but is still able to complete the 3-way TCP handshake with the CWS tower.

Workaround:
Manually point the ASA to the backup CWS tower

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.13(0.128), 9.2(3.160), 9.2(3.161), 9.2(4.6), 9.6(0.99), 96.1(1.70), 96.2(1.122)
Alert Type:
Updated *
Bug Id:
CSCuw93539
Title:
RAMCP2: Virtualize AnyConnect Localisation
Status:
Fixed
Severity:
6 Enhancement
Description: *

Symptom:
The import/export/revert and respective show commands are not available in multicontext.

Conditions:
NA

Workaround:
None. This is an enhancement.

Further Problem Description:

Last Modified:
17-FEB-2016
Known Affected Releases:
100.16(11)
Known Fixed Releases:
100.16(1.29), 100.16(14.1), 96.2(1.120), 96.2(1.122)
Alert Type:
Updated *
Bug Id:
CSCuq38206
Title:
ENH: ASA show tech should include 'dir all-filesystems'
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Enhancement to add 'dir all-filesystems' to show tech output

Conditions:
n/a

Workaround:
n/a

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.15(0.31), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCtw80509
Title:
add "show resource usage summary count all 1" to show tech
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Add "show resource usage summary count all 1" to the show tech.

Conditions:
This is a request to add "show resource usage summary count all 0" to the show tech output so more information regarding xlates, conns, inspects, syslogs, etc can be evaluated as part of the show tech snapshot. This information would also be helpful in diagnosing performance issues and would be useful to have as part of the show tech portion of the show crashinfo.

Workaround:
None

Further Problem Description:

Last Modified:
29-FEB-2016
Known Affected Releases:
8.2
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.15(0.31), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCsj50741
Title:
ASA: DHCP relay does not validate the Server Identifier of a reply
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
If you have multiple DHCP servers configured, the ASA, if configured as a DHCP relay, will forward all DHCP requests to all DHCP servers.

When a client requests an address with a DHCPDISCOVER message it gets a DHCPOFFER from one server. It then confirms the lease with that server using the DHCPREQUEST message; this message identifies the server that offered the lease with the "Server Identifier", and only that server should reply.

The ASA relays the DHCP traffic, but stops at the first ACK, NACK or decline it receives, without validating the Server Identifier.

If a wrong server replies with the wrong Server Identifier, the ASA will close the relay, but the client ignores that wrong reply and waits for the correct reply, which the ASA will no longer relay because it already saw an ACK.

Conditions:
- ASA configured as a DHCP relay
- multiple DHCP servers, some of which reply for messages not intended for them.

Workaround:
None. You should configure the DHCP servers to only reply to valid requests.

Further Problem Description:
If you do debug dhcprelay packet 255 and debug dhcprelay event 255 you will see:

DHCPRA: relay binding created for client 0015.5881.0e9c.
DHCPD: setting giaddr to 192.168.1.254.
dhcpd_forward_request: request from 0015.5881.0e9c forwarded to 192.168.1.1.
dhcpd_forward_request: request from 0015.5881.0e9c forwarded to 192.168.1.2.
dhcpd_forward_request: request from 0015.5881.0e9c forwarded to 192.168.1.3.
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: relay binding found for client 0015.5881.0e9c.
DHCPRA: exchange complete - relay binding deleted for client 0015.5881.0e9c.
DHCPD: returned relay binding 192.168.1.254/0015.5881.0e9c to address pool.
DHCPRA: forwarding reply to client 0015.5881.0e9c.
DHCPRA: Received a BOOTREPLY from interface 2
DHCPRA: dhcp_relay_agent_receiver:can't find binding

Last Modified:
04-FEB-2016
Known Affected Releases:
7.2(2.22)
Known Fixed Releases: *
100.11(0.57), 100.12(0.115), 100.13(0.45), 100.13(20.12), 100.13(21.7), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.7)
Alert Type:
Updated *
Bug Id:
CSCtg38746
Title:
Knob to allow h.225 traffic before h.225 setup
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Phones fail when sending h.225 traffic before h.225 setup message

Conditions:
Phone sending h.225 before h.225 setup
h.323 inspection enabled on ASA
Syslog %ASA-4-405104: H225 message INFORMATION received from 10.122.42.221/496 to 10.11.185.8/47110 before SETUP will be triggered.

Workaround:
Disable inspection and open all necessary ports to allow traffic.

Last Modified:
29-FEB-2016
Known Affected Releases:
8.2
Known Fixed Releases: *
100.16(1.49), 100.16(14.1), 100.16(15.7), 9.6(0.99), 96.1(1.5), 96.1(1.57), 96.1(6.1), 96.2(1.104)
Alert Type:
Updated *
Bug Id:
CSCuy09345
Title:
SCH: Quick Start Configuration Guide - Transport Options
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
SCH: Quick Start Configuration Guide - Transport Options issue

Conditions:
For both HTTPS and HTTP, the configuration command is the same:

(cfg-call-home-profile)# destination transport-method http

Change the commands so that the HTTPS and HTTP transport options can be easily differentiated.

Workaround:
NA

Further Problem Description:
NA

Last Modified:
03-FEB-2016
Known Affected Releases:
8.1(2.7)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuy07912
Title:
ENH: Syslog notification of trace buffer depletion
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
No notification that debug trace buffer is being depleted. Debug messages are simply missing which further impedes the troubleshooting effort.

Conditions:
Enabling debugs to troubleshoot an issue and the amount of debugs exceeds the trace buffer

Workaround:
none

Further Problem Description:

Last Modified:
01-FEB-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy27484
Title:
ASA doesn't remove all entries in re-written ICA file
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
A Windows user receives an error when using Citrix Receiver version 10 or later to connect to a Citrix server through the webvpn portal:

"The Citrix online plug-in received a corrupt ICA File. ICA File section Internet Explorer contains duplicate keys named (HttpBrowserAddress)"

The actual duplicate field name may vary.

Conditions:
Launching a Citrix application through the webvpn portal when using Citrix Receiver version 10 or later.

Workaround:
After receiving the failure you can manually edit the ICA file, remove the duplicate entries, re-launch the file, and connect successfully.

Further Problem Description:

Last Modified:
16-FEB-2016
Known Affected Releases:
9.2(2)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuy30326
Title:
enh: Add support for ST on Mac OS X 10.10 and 10.11
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
smart-tunnel doesn't work for Office365 on Mac OS X 10.10 and 10.11. Tried to launch Office365 access from Safari/Firefox/Chrome, and all failed.

Conditions:
Customer is running ASA 9.3(2)2 with ST bookmark configured to Office365.

Customer Mac is running MacOS 10.11.2

Workaround:
None currently

Further Problem Description:

Last Modified:
16-FEB-2016
Known Affected Releases:
100.10(0.90), 9.1(5), 9.3(2.2)
Known Fixed Releases:

Find additional information in Bug Search index.

 
