Cisco Blog » The Platform

Sunday, May 1, 2016

Cisco Notification Alert - ASA 5500 Series NG Firewall - 01-May-2016 16:53 GMT


Security Advisories & Responses - ASA 5500-X Series Firewalls

Title:
Multiple Cisco Products libSRTP Denial of Service Vulnerability
Description:

Cisco released version 1.5.3 of the Secure Real-Time Transport Protocol (SRTP) library (libSRTP), which addresses a denial of service (DoS) vulnerability. Multiple Cisco products incorporate a vulnerable version of the libSRTP library.

The vulnerability is in the encryption processing subsystem of libSRTP and could allow an unauthenticated, remote attacker to trigger a DoS condition. The vulnerability is due to improper input validation of certain fields of SRTP packets. An attacker could exploit this vulnerability by sending a crafted SRTP packet designed to trigger the issue to an affected device.

The impact of this vulnerability on Cisco products may vary depending on the affected product. Details about the impact on each product are outlined in the "Conditions" section of each Cisco bug for this vulnerability. The bug IDs are listed at the top of this advisory and in the table in "Vulnerable Products."

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-libsrtp

Date:
20-APR-2016
Title:
Cisco Adaptive Security Appliance Software DHCPv6 Relay Denial of Service Vulnerability
Description:

A vulnerability in the DHCPv6 relay feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

The vulnerability is due to insufficient validation of DHCPv6 packets. An attacker could exploit this vulnerability by sending crafted DHCPv6 packets to an affected device, resulting in a denial of service (DoS) condition.

This vulnerability affects systems configured in routed firewall mode and in single or multiple context mode. Cisco ASA Software is affected by this vulnerability only if the software is configured with the DHCPv6 relay feature. The vulnerability is triggered only by IPv6 traffic.

This vulnerability affects Cisco ASA Software release 9.4.1 only.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-asa-dhcpv6

Date:
20-APR-2016

Find additional information in Cisco Security Advisories & Responses

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.3
Alert Type:
New File
File Name:
asa943-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
25-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
New File
File Name:
asa904-39-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
20-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
New File
File Name:
asa904-39-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-6-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-31-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-6-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
New File
File Name:
asa904-39-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-31-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-31-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-10-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505. Please read the Release Note prior to downloading this release.

File Release Date:
20-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-6-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
New File
File Name:
asa904-39-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
20-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
New File
File Name:
asa904-39-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.3
Alert Type:
New File
File Name:
asa943-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
25-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-31-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-6-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
New File
File Name:
asa904-39-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
20-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.3
Alert Type:
New File
File Name:
asa943-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
25-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
New File
File Name:
asa904-39-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
New File
File Name:
asa904-39-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-31-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-31-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
20-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
New File
File Name:
asa904-39-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.3
Alert Type:
New File
File Name:
asa943-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
25-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.3
Alert Type:
New File
File Name:
asa943-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
25-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
20-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
New File
File Name:
asa904-39-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-6-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-31-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
New File
File Name:
asa904-39-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.2.4 Interim
Alert Type:
New File
File Name:
asa924-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
20-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.7 Interim
Alert Type:
New File
File Name:
asa917-6-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5580, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.3
Alert Type:
New File
File Name:
asa943-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
25-APR-2016

Software Updates for ASA 5500-X Series Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.0.4 Interim
Alert Type:
New File
File Name:
asa904-39-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
08-APR-2016

Known Bugs - ASA 5500-X Series Firewalls

Alert Type:
Updated *
Bug Id:
CSCuw39685
Title:
filter sfr traffic may cause memory corruption
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
ASAs running URL filtering (Websense) together with traffic redirection to the SFR module may experience a crash in the thread named "uauth_urlb clean".

Conditions:
- Seen on 9.4 ASA code
- URL filtering configured and being used
- Higher amounts of traffic (500+ mbps)
- Traffic redirection to the SFR module

Workaround:
Possible temporary workarounds:

- Disable traffic redirection to the SFR module
- Disable URL filtering (Websense)

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1.6)
Known Fixed Releases: *
100.12(0.154), 100.13(0.121), 100.14(0.85), 100.15(0.100), 100.16(0.12), 100.16(1.70), 100.16(14.1), 9.3(3.171), 9.3(3.8), 9.4(1.190)
Alert Type:
Updated *
Bug Id:
CSCux37303
Title:
Port-Channel Config on Gi 0/0 causes Boot Loop - FIPS related
Status:
Fixed
Severity:
1 Catastrophic
Description: *

Symptom:
Boot loop following port-channel configuration using gi0/0 and any other port via the CLI.

Note: The customer mentioned using a "Fips Enable" command; I was unable to issue that command, but still caused my test equipment to go into the boot loop. This is easily repeatable.

Conditions:
Brand new out of the box with a clean configuration running version 9.1.2, and the same problem was observed after upgrading to 9.1.4 and 9.1.6. I think the customer was even able to recreate the same problem using a 9.2.x version. Breaking in during boot-up and going into ROMMON mode was the only way to stop the loop. After that he removed the port-channel configuration on gi0/0 and the ASA returned to normal use without a problem.

Workaround:
I told the customer to use some other ports to configure his port-channel and leave the gi0/0 as a single vanilla port. The customer was able to do this and the lab testing was a success. He confirmed his design and configurations with the AS team and it was approved for use by his engineering team.

Further Problem Description:
The Crash Info file pointed to a FIPS problem.

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(2), 9.1(4), 9.1(6), 9.2(4)
Known Fixed Releases: *
100.11(0.67), 100.12(0.157), 100.13(0.128), 100.15(0.112), 100.8(40.113), 9.1(7.5), 9.2(4.6), 9.3(3.171), 9.3(3.8), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCux29978
Title:
Cisco ASA IKEv1 and IKEv2 Buffer Overflow Vulnerability
Status:
Fixed
Severity:
1 Catastrophic
Description: *

Symptom:
A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.

Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.

Cisco has released software updates that address this vulnerability. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

Conditions:
see security advisory

Workaround:
see security advisory

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 10/8.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2016-1287 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
29-APR-2016
Known Affected Releases:
9.2(4)
Known Fixed Releases:
8.2(5.59), 8.4(7.30), 8.7(1.18), 9.0(4.38), 9.1(6.11), 9.1(6.140), 9.1(7), 9.2(4.5), 9.3(3.171), 9.3(3.7)
Alert Type:
Updated *
Bug Id:
CSCuz08625
Title:
ASA crashes with traceback in SSH thread
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
An issue in the display of captured network trace files over a Secure Shell (SSH) connection to Cisco Adaptive Security Appliance (ASA) Software could cause the SSH process to restart unexpectedly.

The issue is due to lack of proper input validation of certain captured UDP packets.

Conditions:
The default configuration of the affected device.

Workaround:
None.

Further Problem Description:
None.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
29-APR-2016
Known Affected Releases:
9.4(2.3), 9.5(2)
Known Fixed Releases: *
100.13(0.138), 100.15(0.116), 9.5(2.7), 9.6(1.1), 96.2(0.4), 96.2(11.11)
Alert Type:
Updated *
Bug Id:
CSCuz01658
Title:
Traceback in gtp_remove_request with duplicate requests
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA may crash if a race condition is hit. The ASA must be configured for clustering, and the crashed unit is a slave.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.6(0.128)
Known Fixed Releases: *
100.15(0.113), 9.5(2.7), 9.6(1.1), 96.1(1.87), 96.2(1.169), 96.2(11.4), 97.1(0.9), 97.1(1.11), 97.1(2.8), 97.1(3.4)
Alert Type:
Updated *
Bug Id:
CSCuy51918
Title:
Buffer overflow in RAMFS dirent structure causing traceback
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When this condition is hit, the customer will see a crash with the following information displayed: "ASA:Traceback in Thread Name: Unicorn Proxy Thread".

Conditions:
This can occur when processing Clientless VPN sessions.

Workaround:
Disabling Clientless VPN access.

Further Problem Description:
This issue is not easy to identify from the crash signature alone and typically requires a core file for confirmation.

Last Modified:
29-APR-2016
Known Affected Releases:
100.8(40.113)
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.132), 100.15(0.112), 100.8(40.115), 9.1(7.5), 9.2(4.9), 9.4(2.103), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCuy78802
Title:
original master not defending all GARP packets after cluster split brain
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
- Inter-site cluster: ASA1 is the master, ASA2 and ASA3 are slaves.
- When connectivity is down on the ASA3 CCL link, ASA3 becomes master and sends GARPs for the cluster IP and the physical IP pointing to its own MAC address.
- This GARP from ASA3 updates the ARP table on the next-hop router, and traffic starts flowing through ASA3.
- The GARP also reaches ASA1. From ASA1's point of view it is still the master and still holds the cluster IP, so it responds with arp-defense, sending a GARP for itself and correcting the ARP entries in the next-hop router. The debugs appear as follows:
! the old Master receives GARP from the new Master (5.5.5.10 is the Cluster IP):
arp-in: request at inside from 5.5.5.10 f4cf.e200.30b3 for 5.5.5.10 f4cf.e200.30b3 having smac f4cf.e200.30b3 dmac ffff.ffff.ffff
! the old Master replies with GARP
arp-send: arp request built from 5.5.5.1 f4cf.e200.3053 for 5.5.5.10 at 4146420
arp-defense: Sent gratuitous arp in response to arp collision on interface inside

- The interesting part here is that ASA3 sends 6 GARP messages, and ASA1 reacts to all of them except the 2nd one.

- With the above, the next-hop router and any other devices in this VLAN switch back to ASA1.
- It doesn't matter how long we wait: ASA3 stays master and does not detect any failure.
- Once CCL connectivity is back, ASA3 moves to disabled and then comes back up as a slave; again, this does not affect any traffic flowing through the original master, ASA1.

- If the CCL recovers before the 3rd GARP is sent (the chance is very low), the surrounding devices keep the MAC address of ASA3, causing an outage.
- Another thing to note: the 2nd GARP from ASA3 is sent in a very short time, less than 1 msec after the first.

Conditions:
ASA cluster

Workaround:
- Clear the ARP entries on the switch or set a small ARP expiration timeout.
- Switch the cluster master to another unit and back.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.4(1), 9.5(2)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.135), 100.15(0.112), 100.8(40.116), 9.1(7.5), 9.2(4.9), 9.4(2.107), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCux96716
Title:
Crash when unit joins cluster
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback seen when a node is added back to cluster

Conditions:
NAT64 is configured in a user context and traffic is sent that hits the NAT configuration. With the NAT configuration in place, disabling clustering on the ASA and re-enabling it so that the unit rejoins the cluster causes the crash.

Workaround:
Avoid NAT configuration in clustering/HA environment

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
100.15(0.87), 96.1(1.54)
Known Fixed Releases: *
100.15(0.114), 9.5(2.7), 9.6(0.99), 9.6(1.1), 96.1(1.65), 96.1(1.88), 96.2(1.118), 96.2(1.175), 96.2(11.6), 97.1(0.10)
Alert Type:
Updated *
Bug Id:
CSCux82835
Title:
Nat pool exhausted observed when enabling asp transactional-commit nat
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Syslogs observed:

%ASA-3-202010: NAT pool exhausted. Unable to create ICMP connection from inside:90.90.90.2/0 to outside:4.2.2.2/0
%ASA-3-202010: NAT pool exhausted. Unable to create ICMP connection from inside:90.90.90.2/0 to outside:4.2.2.2/0
%ASA-3-202010: NAT pool exhausted. Unable to create TCP connection from inside:90.90.90.2/49167 to outside:10.105.130.1/80
%ASA-3-202010: NAT pool exhausted. Unable to create TCP connection from inside:90.90.90.2/49167 to outside:10.105.130.1/80


Also noticing udp section is missing for nat pool:

ciscoasa# show nat pool
TCP PAT pool outside, address 10.105.130.199, range 1-511, allocated 1
TCP PAT pool outside, address 10.105.130.199, range 512-1023, allocated 0
TCP PAT pool outside, address 10.105.130.199, range 1024-65535, allocated 0


ciscoasa# show run all xlate
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
xlate block-allocation size 512
xlate block-allocation maximum-per-host 4

Conditions:
1. asp rule-engine transactional-commit nat is enabled on the ASA.
2. At least one static nat rule is created for port forwarding for the same public pool IP.

Workaround:
Disable asp transactional commit and then reload the ASA.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.134), 100.15(0.112), 100.8(40.116), 9.1(7.5), 9.2(4.9), 9.4(2.106), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCux08838
Title:
ASA: Traceback in Checkheaps
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in Checkheaps

Conditions:

Workaround:

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.1(6.8)
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.133), 100.15(0.112), 100.8(40.115), 9.1(6.130), 9.1(7.5), 9.2(4.9), 9.4(2.104), 9.4(3)
Alert Type:
Updated *
Bug Id:
CSCuy45475
Title:
ASA : Configuration not replicated on mate if standby IP is missing
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Failover to an ASA running code 9.5.2 and above leads to WebVPN, HTTP and SSH issues/outages.
Configuration related to WebVPN, SSH and HTTP on an interface which does not have a standby IP is not synchronised.

For e.g.

Software : 9.5.2

interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 11.11.11.1 255.255.255.0
!


Enabling webvpn on an interface with no standby address:

act/pri(config-webvpn)# sh run webvpn
webvpn
enable outside
anyconnect-essentials
cache
disable
error-recovery disable

stby/sec# sh run webvpn
webvpn
anyconnect-essentials
cache
disable
error-recovery disable

Conditions:
ASA failover pair running code 9.5.2 onwards.

Standby IP address not configured on interfaces on which features such as WebVPN, SSH or HTTP are enabled.

Workaround:
Configure standby IP address.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.5(2), 9.5(2.2)
Known Fixed Releases: *
100.15(0.112), 9.5(2.7), 9.6(1.1), 96.2(1.152), 96.2(11.1), 97.1(0.4), 97.1(1.4), 97.1(2.2), 97.1(3.2), 97.1(4.1)
Alert Type:
Updated *
Bug Id:
CSCus37458
Title:
ASA traceback in Thread name DATAPATH when handling multicast packet
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA or ASASM traceback in Thread name DATAPATH

Conditions:
ASASM/ASA running software version 9.3(2), 9.4(2.6), 9.5(1), 9.5(2.2). Other versions can be affected as well.

Workaround:
We believe that the issue is not present in the 9.3(1.1) release, but a downgrade to this release is not recommended for various reasons, including security reasons (PSIRT issues) and the limited support lifetime of the 9.3(1) release train.

Further Problem Description:
The crash happens during forwarding of multicast packets. So far the crash was observed for the following protocols: WS-Discovery (UDP/3702), Service Location Protocol (UDP/427), Simple Service Discovery Protocol (UDP/1900). One possible workaround would be to block multicast traffic for these protocols on neighboring routers/switches so that it doesn't reach ASA, or block all multicast traffic and allow only production multicast traffic.

Last Modified:
29-APR-2016
Known Affected Releases:
9.3(2), 9.4(2.6), 9.5(1), 9.5(2.2)
Known Fixed Releases: *
100.13(0.137), 100.15(0.115), 9.5(2.7), 9.6(1.1), 96.1(1.89), 96.2(1.179), 96.2(11.9), 97.1(0.12), 97.1(1.24), 97.1(3.6)
Alert Type:
Updated *
Bug Id:
CSCuy87597
Title:
ASA - Traceback in CP Processing Thread During Private Key Decryption
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA may crash and reload unexpectedly during TLS operations

Conditions:
1. Observed in ASA releases 9.4 and 9.5 but may affect other versions as well.
2. Must be utilizing the TLS proxy feature to bridge encrypted connections

Workaround:
Downgrade to the latest ASA 9.1 release or disable the TLS Proxy feature. There are currently no other known workarounds in affected versions.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.2(2.4), 9.3(2.2), 9.4(3), 9.5(2), 9.5(2.5), 9.5(2.6)
Known Fixed Releases: *
100.13(0.138), 100.15(0.116), 9.5(2.7), 96.2(0.8), 96.2(11.12), 97.1(0.13), 97.1(1.26)
Alert Type:
Updated *
Bug Id:
CSCux59122
Title:
ASA L7 policy-map comes into effect only if the inspection is re-applied
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA L7 policy-map comes into effect only after the inspection is re-applied.

Conditions:
1. An L7 policy map is configured but is not working.
2. The inspection was applied previously without the L7 pmap, and the pmap was added later.

Eg. Initially the configuration is:
policy-map global_policy
class inspection_default
inspect dcerpc

Later L7 pmap was added:

policy-map type inspect dcerpc MSRPC-MAP
parameters
endpoint-mapper lookup-operation

policy-map global_policy
class inspection_default
inspect dcerpc MSRPC-MAP

Workaround:
Remove the inspection and re-apply:

conf t
policy-map global_policy
class inspection_default
no inspect dcerpc MSRPC-MAP
inspect dcerpc MSRPC-MAP

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 100.16(14.1), 100.8(40.112), 9.1(7.5), 9.2(4.6)
Alert Type:
Updated *
Bug Id:
CSCux08783
Title:
CWS: ASA does not append XSS headers
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Users intermittently receive "access denied" messages when browsing through the Cisco Cloud Web Security service.

Conditions:
ASA Connector redirection to CWS.

Workaround:
Adding static egress IP(s) as Scanning IPs in the ScanCenter portal will prevent users from seeing the "access denied" messages, but user/group information will not be passed to the service, so policies will not be applied.

Further Problem Description:
This message does not reflect the default block page from CWS.

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(4), 9.4(1)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.131), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.2(4.9), 9.4(2.101), 9.4(3), 9.5(2.6)
Alert Type:
Updated *
Bug Id:
CSCux72610
Title:
ASA TACACS+: process tacplus_snd uses large percentage of CPU
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The process tacplus_snd consumes up to 85% of the CPU when there are pending requests or timeouts.

Conditions:
ASA configured with a TACACS+ server; the issue occurs when a number of requests (authentication, authorization or accounting) time out.

Workaround:
None, but tacplus_snd is consuming a high percentage of the CPU because no other processes are requesting the CPU. As general system load increases, the tacplus_snd load will decrease.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.2(5), 9.1(5), 9.1(6)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.124), 100.15(0.108), 100.16(0.19), 100.16(1.97), 100.16(14.1), 100.8(40.113), 9.1(7.5), 9.2(4.6)
Alert Type:
Updated *
Bug Id:
CSCuw59382
Title:
Rewriter errors when accessing the IEEE website search feature through the portal
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Search feature does not work when the following Internet page is opened through WebVPN:
http://ieeexplore.ieee.org/Xplore/home.jsp

Conditions:
When the page is opened and any keyword is searched

Workaround:
Use smart-tunnel

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1.100), 9.4(2), 9.4(2.1), 9.5(0.191), 9.5(1)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.118), 100.14(0.81), 100.15(0.73), 100.15(17.33), 100.15(20.12), 100.15(8.23), 100.16(0.7), 100.16(1.20)
Alert Type:
Updated *
Bug Id:
CSCuy32321
Title:
Traceback in ldap_client_thread with ldap attr mapping and pw-mgmt
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback in thread name ldap_client_thread

Conditions:
VPN authentication with ldap attribute mapping and the "password-management password-expire-in-days" feature.

Workaround:
Disable the password-management feature, or at least the password-expire-in-days warning.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(2.6)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.131), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.2(4.7), 9.2(4.9), 9.4(2.101), 9.4(2.8)
Alert Type:
Updated *
Bug Id:
CSCuv49446
Title:
ASA traceback on Standby device during config sync in thread DATAPATH
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback on Standby device in thread DATAPATH

Standby ASA crashes during failover synchronization.
There are cases where the ASA crashed multiple times and then stabilized.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(3)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.84), 100.15(0.95), 100.15(20.22), 100.16(0.10), 100.16(1.50), 100.16(14.1), 100.16(15.7)
Alert Type:
Updated *
Bug Id:
CSCux28324
Title:
The copy command does not verify the integrity of the image
Status:
Fixed
Severity:
2 Severe
Description:

Symptoms:
Starting from release 9.3.2, the copy command was not validating the integrity of an ASA image downloaded through this method, although the command output would state that the verification succeeded.

Conditions:
none

Workaround:
none

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.157), 100.13(0.128), 100.15(0.112), 9.3(3.171), 9.3(3.8), 9.4(2.99), 9.4(3), 9.5(2.6), 9.6(0.99), 96.1(1.63)
Alert Type:
Updated *
Bug Id:
CSCur87011
Title:
ASA low DMA memory on low end ASA-X -5512/5515 devices
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA stops accepting new SSL connections - ASDM / webvpn / AnyConnect

Conditions:
The issue is seen when the following conditions are met:

1) ASA next generation devices: ASA 5512, ASA 5515
2) SFP module installed on the ASA
3) ASA software 9.2.x or 9.3.1
4) WebVPN configured on an interface

Workaround:
None

Further Problem Description:
Memory was not sufficient, so we increased DMA memory

Last Modified:
26-APR-2016
Known Affected Releases:
9.0, 9.2(1), 9.3(1), 9.3(3.2), 9.5(2.2)
Known Fixed Releases: *
100.12(0.155), 100.13(0.122), 100.15(0.107), 100.16(0.18), 100.16(1.97), 100.16(14.1), 9.3(3.171), 9.3(3.8), 9.4(2.5), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCut71095
Title:
ASA WebVPN clientless cookie authentication bypass
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
In some instances, the ASA WebVPN clientless session ID is included in the URL. Session IDs should only be stored in cookies and transmitted over secure channels.

Conditions:
-- WebVPN

Workaround:
none

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
26-APR-2016
Known Affected Releases:
9.1, 9.4(1)
Known Fixed Releases: *
100.11(0.64), 100.12(0.130), 100.12(0.153), 100.13(0.118), 100.13(0.80), 100.13(29.28), 100.14(0.44), 100.14(0.82), 100.14(16.1), 100.14(5.21)
Alert Type:
Updated *
Bug Id:
CSCuv94338
Title:
ASA traceback in Thread Name: CP Crypto Result Processing.
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashing in Thread Name: CP Crypto Result Processing.

Conditions:
N/A

Workaround:
No workaround

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(3.4)
Known Fixed Releases: *
100.11(0.64), 100.12(0.152), 100.13(0.117), 100.14(0.81), 100.15(0.67), 100.15(17.30), 100.15(20.10), 100.15(8.22), 100.16(0.5), 100.16(1.13)
Alert Type:
Updated *
Bug Id:
CSCuw22130
Title:
ASA traceback when removing dynamic PAT statement from cluster
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The master ASA in a cluster running code 9.3.3.2 presented a DATAPATH-1-1958 traceback resulting from an "Address not mapped" fault.

Statement removed was:

no nat (visitors,outside) source dynamic Guest_network PAT-Guest-Pool

Conditions:
> ASA running code 9.3.3.2
> Individual (L3) mode
> Removing Dynamic PAT rule

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(3.2)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.84), 100.15(0.94), 100.15(20.22), 100.15(8.33), 100.16(0.10), 100.16(1.50), 100.16(14.1)
Alert Type:
Updated *
Bug Id:
CSCtz98516
Title:
Observed Traceback in SNMP while querying GET BULK for 'xlate count'
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA firewall may crash when being polled by SNMP in rare circumstances.

Conditions:
This has been seen primarily in the 8.4.x ASA code train. The first fix is in ASA interim code 8.4.4.2. To trigger the bug, the ASA must be queried via SNMP for a GETBULK of the xlate OID:

1.3.6.1.4.1.9.10.77.1.2.1

Workaround:
Stop polling the ASA firewall via SNMP until an upgrade to the fixed code can be performed, or modify the OIDs being polled by your SNMP monitoring station so that they do not include the affected OIDs.

Last Modified:
26-APR-2016
Known Affected Releases:
100.7(22.1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.12(0.156), 100.13(0.127), 100.13(0.58), 100.13(28.2), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9)
Alert Type:
Updated *
Bug Id:
CSCux37442
Title:
Cisco signed certificate expired for WebVpn Port Forward Binary on ASA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When the port forwarding component begins on the end host, a warning pops up stating the Cisco signed certificate has expired. For users that have policy set to not allow expired certificates, this is causing the functionality to break. The user has to modify their workstation Java security settings in order to proceed by accepting the risk.

Conditions:
The issue occurs with the default settings of IE or Firefox.

Workaround:

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.4(7), 9.1(6.10), 9.5(2)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.105), 100.16(0.15), 100.16(1.76), 100.16(14.1), 100.8(40.111), 9.1(6.117), 9.1(6.240)
Alert Type:
Updated *
Bug Id:
CSCtx43501
Title:
CPU hog due to snmp polling of ASA memory pool information
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA provides access to three different memory pools via SNMP.
1) The "System memory" pool (which is a superset of 2 and 3 below)
2) The MEMPOOL_DMA pool
3) The MEMPOOL_GLOBAL_SHARED pool

If the MEMPOOL_GLOBAL_SHARED pool information is queried via SNMP, a CPU hog might occur. The ASA's CPU may be held by the SNMP process for too long before yielding the CPU to other processes. If the data rate is high enough through the ASA, packets might be dropped.

If an ASA is experiencing this problem, it could generate syslogs that look like this:
%ASA-4-711004: Task ran for 374 msec, Process = snmp, PC = 12229dc, Call stack = 0x00000000012229dc 0x000000000122175c 0x000000000121e45a 0x0000000001221247 0x00000000011fba3a 0x00000000011fa1ca 0x00000000004245a5

Also, the output of 'show process cpu-hog' will show entries for SNMP:

Process: snmp, PROC_PC_TOTAL: 9443, MAXHOG: 13, LASTHOG: 12
LASTHOG At: 12:47:00 CST Jan 23 2012
PC: 8c45b98 (suspend)

Process: snmp, NUMHOG: 9443, MAXHOG: 13, LASTHOG: 12
LASTHOG At: 12:47:00 CST Jan 23 2012
PC: 8c45b98 (suspend)
Call stack: 8b6aac3 8b4ae5d 8b49bbc 8063b33

Conditions:
To encounter this problem, memory information for the "Global Shared" pool must be queried via SNMP.

Workaround:
Avoid polling the memory information for the Global Shared pool:

Exclude:
.1.3.6.1.4.1.9.9.48.1.1.1.X.7 - "MEMPOOL_GLOBAL_SHARED"

where X is the integer corresponding to a particular statistic about the pool.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-4664 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.1(2.23), 8.2(3.6), 8.4(2.8), 8.4(3.8), 8.4(4), 9.1(2), 9.2(2.4)
Known Fixed Releases: *
100.11(0.62), 100.12(0.140), 100.12(0.144), 100.12(0.145), 100.13(0.95), 100.13(0.96), 100.13(0.98), 100.14(0.70), 100.14(0.71), 100.15(0.24)
Alert Type:
Updated *
Bug Id:
CSCux81683
Title:
ASA Traceback on Thread Name: Unicorn Admin Handler
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashed after nat config change

Conditions:
TCM enabled for NAT, and object static PAT being edited

Workaround:
Turn off the TCM for NAT and reload

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.125), 100.15(0.110), 100.16(0.20), 100.8(40.113), 9.1(7.5), 9.2(4.6), 9.3(3.171), 9.3(3.8)
Alert Type:
Updated *
Bug Id:
CSCuc11186
Title:
ARP: Proxy IP traffic is hijacked.
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
In certain conditions, the ASA doesn't check the source of ARP request or GARP packets for addresses it performs NAT translation for.
The proxy-arp cache may thus get polluted, causing traffic hijacking for addresses the ASA does NAT for.

Conditions:
Configured NAT on the ASA for which it performs proxy-arp.

Workaround:
None

Further Problem Description:
NOTE: The fix for this issue may cause the ASA not to reply to ARP requests if the source IP in the ARP request overlaps with a NAT rule on the ASA. This may occur when the nat configuration line is overly broad (such as an all-zeros configuration, or "any"). To work around this, add the keyword "no-proxy-arp" to the nat config line.



The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.8/4.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:P/A:P/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-5010 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
26-APR-2016
Known Affected Releases:
8.2(4)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.120), 100.14(0.83), 100.15(0.89), 100.15(20.17), 100.15(8.32), 100.16(0.9), 100.16(1.36), 100.16(14.1)
Alert Type:
Updated *
Bug Id:
CSCuy36897
Title:
Can't navigate to OWA 2013 due to ssl errors
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
OWA 2013 login page is not shown

Conditions:
- TLSv1.2 is enabled
- EC certificate is used by OWA 2013

Workaround:
- Use TLSv1 or TLSv1.1

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.13(0), 9.6(1)
Known Fixed Releases: *
100.13(0.132), 100.15(0.112), 9.4(2.103), 9.4(3), 96.1(1.83), 96.2(1.144), 96.2(11.1), 97.1(0.4)
Alert Type:
Updated *
Bug Id:
CSCuw87331
Title:
ASA: Traceback in Thread name DATAPATH-7-1918
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may unexpectedly reload and generate a traceback in Thread Name Datapath

Conditions:
n/a

Workaround:
Disable threat detection tcp intercept statistics.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.124), 100.15(0.109), 100.16(0.19), 100.16(1.98), 100.8(40.113), 9.1(7.5), 9.2(4.6), 9.3(3.171)
Alert Type:
Updated *
Bug Id:
CSCuy22561
Title:
VPN Load-Balancing does not send load-balancing cert for IPv6 Address
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA does not send load-balancing certificate for initial client access to load-balancing IPv6 address.
* It works fine when connecting to the IPv4 address.

Conditions:
Configuring separate certificates for the load-balancing IP and the real IP, and configuring both an IPv4 and an IPv6 address as the load-balancing address.

Workaround:
Use a Unified Client Certificate (UCC) or a wildcard certificate.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.157), 100.13(0.130), 100.15(0.112), 9.4(2.101), 9.4(3), 9.5(2.6), 9.6(0.104), 96.1(1.78), 96.2(1.130), 97.1(0.1)
Alert Type:
Updated *
Bug Id:
CSCux85863
Title:
FIPS: Continuous RNG test can mistakenly report an error
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The FIPS Continuous RNG test can incorrectly fail and reset the ASA.

Conditions:
This condition appears to be triggered by a race condition under load.

Workaround:
Disabling FIPS mode will prevent the issue; however, that may not be a feasible option in some cases. There is currently no other workaround.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6.10)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.124), 100.15(0.110), 100.16(0.20), 100.8(40.113), 9.4(2.99), 9.4(3), 9.6(0.99), 96.1(1.53)
Alert Type:
Updated *
Bug Id:
CSCuv21478
Title:
Cisco ASA tunnel group parameter validation
Status:
Fixed
Severity:
2 Severe
Description:

Symptoms:
Cisco ASA configured for webvpn does not perform validation of the tgroup parameter. In some cases this can be used to pass additional parameters to the internal resources that are being proxied via the webvpn service.

Conditions:
Clientless SSL VPN should be configured

Workaround:
None

Further Problem Description:
This is not an issue on the ASA itself; however, additional hardening has been implemented to avoid this problem.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
26-APR-2016
Known Affected Releases:
8.4(2), 8.4(7.2), 8.4(7.27), 8.4(7.28), 9.3(1)
Known Fixed Releases: *
100.11(0.63), 100.11(0.64), 100.12(0.150), 100.12(0.151), 100.13(0.111), 100.13(0.114), 100.14(0.78), 100.14(0.79), 100.15(0.50), 100.15(0.56)
Alert Type:
Updated *
Bug Id:
CSCuw19671
Title:
ASA traceback while restoring backup configuration from ASDM
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashes in Thread Name: Unicorn Admin Handler while restoring backup configuration through ASDM.

Conditions:
ASA in failover running 9.4(1).

Workaround:

Further Problem Description:
None

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.85), 100.15(0.99), 100.16(0.12), 100.16(1.53), 100.16(14.1), 100.16(15.7), 100.8(40.107)
Alert Type:
Updated *
Bug Id:
CSCux71197
Title:
"show resource usage" gives wrong number of routes after shut/no sh
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When running in multiple context mode, a shut/no shut on an interface updates the route resource usage: the ASA does not reset the counter but adds the new routes on top, so the limit is eventually reached.

When there is high network fluctuation, the route resource will eventually deplete and the ASA will fail to add routes, resulting in an outage.

Conditions:
none

Workaround:
reload the ASA

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.8(40.111), 9.2(1), 9.2(4.8), 9.3(3.8), 9.4(2.165), 9.5(1), 9.5(2), 96.1(1.71)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.131), 100.15(0.112), 9.2(4.9), 9.4(2.102), 9.4(3), 9.5(2.6), 9.6(0.109), 96.1(1.80)
Alert Type:
Updated *
Bug Id:
CSCuv39775
Title:
ASA cluster-Incorrect "current conns" counter in service-policy
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Incorrect "current conns" counter in the service-policy on an ASA cluster.
It does not match the current connection count from "show connection count" on the unit, which will lead to traffic drops in the service-policy once its limit is hit.

Conditions:

1) ASA in a cluster setup.
2) Applies to both single and multiple context mode.
3) Typical config:
class connection_limit
set connection conn-max 500000 embryonic-conn-max 2000 per-client-max 200 per-client-embryonic-max 50

Workaround:
None.

Further Problem Description:
CLSTR1-Primary/ASAFW# cluster exec show service-policy | i conns
CLSTR1-Primary(LOCAL):************************************************
current embryonic conns 3, current conns 5732, drop 0

CLSTR1-Secondary:*******************************************************
current embryonic conns 1, current conns 88720, drop 0 <<<<
CLSTR1-Primary/ASAFW# cluster exec show conn count
CLSTR1-Primary(LOCAL):************************************************
5823 in use, 36602 most used
Cluster stub connections: 3300 in use, 30142491 most used

CLSTR1-Secondary:*******************************************************
3270 in use, 120262 most used <<<<<<<<<<<<<<

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(2), 9.2(2.4), 9.3(3.2)
Known Fixed Releases: *
100.11(0.61), 100.12(0.137), 100.13(0.94), 100.14(0.69), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.49), 100.15(15.11), 100.15(16.1)
Alert Type:
Updated *
Bug Id:
CSCuu48197
Title:
ASA: Stuck uauth entry rejects AnyConnect user connections
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Intermittently, the User VPN sessions fail to establish due to a stuck uauth entry associated with the same Pool/to-be-Assigned IP address of the new User.

Syslog:
%ASA-5-722010: Group User IP SVC Message: 16/ERROR: Detected internal error in SSL connection..
%ASA-4-113019: Group = , Username = , IP = , Session disconnected. Session Type: SSL, Duration: 00:00m:12s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

- While debugging, we see the following:

debug webvpn anyconnect:
webvpn_cstp_accept_address: 192.168.1.10/255.255.255.0
''snip''
vpn_put_uauth failed!
webvpn_cstp_send_error: 503 Service Unavailable

sh ip local pool:
shows that the address 192.168.1.10 is available.

debug pix uauth:
vpn_putuauth: ERR: uxlate collision for ip 192.168.1.10 user USER-B on interface OUTSIDE

show uauth:
remote access VPN user 'USER-A' at 192.168.1.10, authenticated <<< Stuck entry for "another user"

show vpn-sessiondb anyconnect filter name USER-A:
no entries

Here, notice that the address being assigned to USER-B is 192.168.1.10, which is available in the local pool, i.e. this address was assigned to another user [USER-A] in the past. That user does not show up in the vpn-sessiondb, indicating that he has already logged off.

Conditions:
ASA running on OS version [Ex: 9.2(1)] that has the fix for:
CSCuh08432 Anyconnect sessions do not connect due to uauth failure

This ASA is acting as AnyConnect SSLVPN Server.

Workaround:
None.
Either reload the ASA or fail over to the standby ASA.

Or start using a new IP address pool for the connection entry.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(1)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.103), 100.16(0.13), 100.16(1.70), 100.16(14.1), 100.8(40.109), 9.1(6.109), 9.1(7)
Alert Type:
Updated *
Bug Id:
CSCun21186
Title:
ASA traceback when retrieving idfw topn user from slave
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Slave unit crashes when trying to join the master. This happens in configuration replication.

Conditions:
After a context is configured on an active cluster, the slave disables clustering.

When the differences in the context configuration are corrected and the slave is made to rejoin, the slave crashes.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.0(2)
Known Fixed Releases: *
100.12(0.157), 100.13(0.128), 100.15(0.112), 100.8(38.121), 100.8(40.62), 100.8(56.26), 100.8(64.3), 100.8(65.3), 100.8(66.4), 100.8(67.1)
Alert Type:
Updated *
Bug Id:
CSCuv86500
Title:
Webvpn: JS parser may crash if the underlying connection is closed
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback when a WebVPN client is connected and the ASA is processing JavaScript.

Conditions:
ASA running release 9.3.3.221.

Workaround:

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(3.221)
Known Fixed Releases: *
100.12(0.145), 100.13(0.98), 100.14(0.73), 100.14(16.8), 100.14(5.32), 100.15(0.26), 100.15(1.91), 100.15(16.5), 100.15(17.6), 100.15(3.51)
Alert Type:
Updated *
Bug Id:
CSCux36112
Title:
PBR: Mem leak in cluster mode due to policy based route
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Memory usage on the ASA increases over time.

Conditions:
1. Policy Based Routing is applied on an interface.
2. ASA is configured in cluster mode and there are two or more units in the cluster.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.128), 100.15(0.112), 9.4(2.99), 9.4(3), 9.5(2.6), 9.6(0.99), 96.1(1.63), 96.2(1.116)
Alert Type:
Updated *
Bug Id:
CSCuu87823
Title:
ASAv traceback in DATAPATH when used for WebVPN
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASAv traceback in DATAPATH when used for WebVPN

Conditions:
ASAv running release 9.4.1 and configured for WebVPN

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.143), 100.13(0.95), 100.13(29.28), 100.14(0.71), 100.14(16.5), 100.14(5.30), 100.15(0.24), 100.15(1.68), 100.15(16.3)
Alert Type:
Updated *
Bug Id:
CSCuy96391
Title:
ASA clientless rewriter failure at 'CSCOPut_hash' function
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When clicking on a bookmark within the web portal, the resulting page does not display.

Conditions:
This issue was observed with the following:
-ASA 9.2.2.4
-Issue seen with clientless only, not with AnyConnect

Workaround:
Use AnyConnect instead of clientless

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(2.4)
Known Fixed Releases: *
100.11(0.71), 100.13(0.137), 100.15(0.114), 100.8(40.117), 9.2(4.9), 9.4(2.112), 9.4(3), 9.6(1.1), 96.1(1.88), 96.2(1.177)
Alert Type:
Updated *
Bug Id:
CSCuz38180
Title:
ASA: Page Fault traceback in DATAPATH on standby ASA after booting up
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
The ASA may generate a traceback and reload in the DATAPATH thread just after it boots up and joins failover with an already active ASA. This may make the ASA go into a boot loop.

Conditions:
The reload happens just after the ASA boots up and joins failover with an already active ASA

Workaround:
Force the ASA to skip the config using config-register. Clear the startup config. Configure failover again and let the ASA join the failover.

Further Problem Description:

Last Modified:
27-APR-2016
Known Affected Releases:
9.1(6.10), 9.1(7.6)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuz25410
Title:
Traceback due to SNMP Notify Thread
Status:
Open
Severity:
2 Severe
Description:

Symptom:
Traceback due to SNMP polling

Conditions:
ASA configured with SNMP polling

Workaround:
Disable SNMP or stop polling the ASA with SNMP

Further Problem Description:

Last Modified:
27-APR-2016
Known Affected Releases:
9.5(2.5)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuz42390
Title:
ASA Stateful failover for DRP does not work intermittently
Status:
Open
Severity:
2 Severe
Description:

Symptom:
On the ASA, routes learned by dynamic routing protocols are synchronized from the active to the standby unit. During failover, traffic through the ASA should still be forwarded, although a 1-2 second drop is expected because the ASA disables and re-enables routing on its interfaces and flushes local subnet and local host routes.

We found that routes learned by dynamic routing protocols can sometimes be lost during failover and traffic is interrupted until the dynamic routing protocol repopulates the ASA routing table.

Conditions:
This issue was found in version 9.5(2). Other versions can be affected as well.


Workaround:
Use IETF NSF, although this defect is not directly related to NSF. NSF should minimize traffic loss.

Further Problem Description:

Last Modified:
28-APR-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy54567
Title:
Evaluation of pix-asa for OpenSSL March 2016
Status:
Open
Severity:
2 Severe
Description:

Symptom:

Cisco Adaptive Security Appliance (ASA) includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2016-0800 CVE-2016-0705 CVE-2016-0798 CVE-2016-0797 CVE-2016-0799 CVE-2016-0702 CVE-2016-0703 CVE-2016-0704

These vulnerabilities were disclosed in https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl

This bug has been opened to address the potential impact on this product.

Conditions:

Exposure is not configuration dependent.

Cisco has reviewed and concluded that this product is affected by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-0797 - BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
CVE-2016-0799 - Fix memory issues in BIO_*printf functions
CVE-2016-0702 - Side channel attack on modular exponentiation
CVE-2016-0705 - Double-free in DSA code

This product is not affected by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2016-0800 - Cross-protocol attack on TLS using SSLv2 (DROWN)
CVE-2016-0703 - Divide-and-conquer session key recovery in SSLv2
CVE-2016-0704 - Bleichenbacher oracle in SSLv2
CVE-2016-0798 - Memory leak in SRP database lookups


Workaround:
Not available.

Further Problem Description:

Additional details about those vulnerabilities can be found at http://cve.mitre.org/cve/cve.html

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base CVSS score as of the time of evaluation is: 4.3

https://tools.cisco.com/security/center/cvssCalculator.x?version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:ND/RL:ND/RC:ND

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Last Modified:
28-APR-2016
Known Affected Releases: *
6.0, 8.0, 9.1(2), 9.2(1), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 9.6(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtz56314
Title:
ASA5500-X Chassis Serial Number Not Visible from CLI
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:

Adaptive Security Appliance (ASA) 5500-X models do not display the chassis serial number in the expected Command Line Interface (CLI) outputs; an internal board serial number is displayed instead. This may create difficulties in opening support requests with the Cisco Technical Assistance Center (TAC), which requires the chassis serial number to provide support.

Workaround:

1. Read the chassis serial number from the sticker on the device.

or

2. Reload the ASA5500-X into ROMMON mode and retrieve the chassis serial number from the show idprom output.

It is important to keep in mind that ASA activation keys should continue to be issued against the internal serial number displayed in the output of the show version command.

Last Modified:
28-APR-2016
Known Affected Releases:
8.6(1)
Known Fixed Releases:
100.8(0.137), 100.8(11.21), 100.8(27.7), 100.8(33.5), 100.8(34.1), 100.8(36.1), 100.9(0.1), 100.9(2.1), 8.6(1.2), 9.0(0.99)
Alert Type:
New
Bug Id:
CSCuz44486
Title:
ASA: Traceback on the ASA unit with Thread Name Track
Status:
Open
Severity:
2 Severe
Description:

Symptom:
ASA Unit Traceback with Thread Name track

Conditions:
ASA device configured with an SLA Monitor configuration

Workaround:
None related to this traceback

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.2(4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy73652
Title:
Traceback in thread name idfw when modifying object-group having FQDN
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback in thread name idfw when modifying object-group having FQDN

Conditions:
Modifying an object-group having FQDN.

Workaround:
Restrict the use of FQDN objects, if possible

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.1(6.10)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.135), 100.15(0.112), 100.8(40.116), 9.1(7.5), 9.2(4.9), 9.4(2.107), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCux58483
Title:
Deadlock in gtp_lu_process_pdpmcb_info
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
A deadlock soft trace is seen on the console and reliability is impacted

Conditions:

Workaround:

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.15(0.105), 100.16(0.15), 100.16(1.76), 100.16(14.1), 9.5(1.171), 9.5(2.7), 9.6(0.99), 96.1(1.26), 96.1(5.4), 96.1(6.4)
Alert Type:
Updated *
Bug Id:
CSCum70304
Title:
FIPS self test power on fails - fipsPostDrbgKat
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ERROR: FIPS Self-Test failure, fipsPostDrbgKat [1:0:-1:-1:0]



***
*** --- SHUTDOWN NOW ---
***
*** Message to all terminals:

***
***
ERROR: FIPS Self-Test failure, fipsPostDrbgKat [1:0:-1:-1:0]

Process shutdown finished
Rebooting....

Conditions:
Upgrade to 9.1.2

Workaround:

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.1(2), 9.1(5.21)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.135), 100.15(0.112), 100.8(40.116), 9.1(7.6), 9.2(4.9), 9.4(2.107), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCuz09394
Title:
infinite loop in JS rewriter state machine when return followed by var
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After clicking on a bookmark, the page seems to load (there is a spinning icon), and then after a while the spinning icon stops spinning but the page stays blank.

Conditions:
The page has a JS file that can result in an infinite loop in the WebVPN rewriter

Workaround:
Use APCF

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.2(4)
Known Fixed Releases: *
100.11(0.71), 100.13(0.138), 100.15(0.115), 9.5(2.7), 9.6(1.1), 96.2(0.3), 96.2(1.183), 96.2(11.11), 97.1(0.12), 97.1(1.21)
Alert Type:
Updated *
Bug Id:
CSCuy01438
Title:
ASA crash with SIP inspection and SFR enabled in 9.5.2
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Crash seen in 9.5.2 with SIP enabled

Conditions:
SIP and SFR enabled on the ASA after 9.5.2

Workaround:
NA

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.15(0.112), 9.5(2.7), 9.6(1.1), 96.1(1.86), 96.2(1.158), 96.2(11.2), 97.1(0.6), 97.1(1.8), 97.1(2.5), 97.1(3.3)
Alert Type:
Updated *
Bug Id:
CSCuy21206
Title:
Crash when drop is enabled.
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crash while replicating flow

Conditions:
NAT is configured on an ASA that is part of a cluster. When an xlate is created, it is then replicated to the other cluster units, which triggers this crash.

Workaround:
Avoid NAT configuration in clustering/HA environment

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
96.1(1.68)
Known Fixed Releases: *
100.15(0.114), 9.5(2.7), 9.6(0.99), 9.6(1), 96.1(1.74), 96.1(1.88), 96.2(1.124), 96.2(1.175), 96.2(11.6), 97.1(0.10)
Alert Type:
Updated *
Bug Id:
CSCuy49902
Title:
inspect ip-option is not allowing "NOP" even when allowed
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA is dropping the traffic with a drop reason of "IP option Noop" in the syslog. We configured a child policy of type inspect ip-options and allowed both options "NOP" and "EOOL" based on the captures. Applying this child policy to the inspect ip-options has made no change, and the ASA is still dropping traffic with the same error message. In fact, when we look at the service-policy, it shows no counter increment. We suspected CSCux59122; however, we did perform that workaround. We also tried removing and applying the service-policy several times. The problem remains the same.

Conditions:
IP option inspection is configured

Workaround:

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.4(2.5), 9.5(2)
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.132), 100.15(0.112), 100.8(40.115), 9.1(7.5), 9.2(4.9), 9.4(2.103), 9.4(3), 9.5(2.160)
Alert Type:
Updated *
Bug Id:
CSCuz10371
Title:
ASA Traceback and reload by strncpy_sx.c
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA may crash and reload unexpectedly. The output of 'show crash' may indicate that the thread that caused the crash is labelled as 'idfw_proc' and the faulting action is unknown.

This is different from bug CSCuy03024, in which the faulting action is Page Fault.

Conditions:
- First observed in ASA running code 9.5.2 and then also in 9.5.2.5
- The crash was triggered during synchronization from the active to the passive unit in a failover pair. The passive unit crashed when receiving the configuration.

Workaround:
N/A

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.5(2), 9.5(2.5)
Known Fixed Releases: *
100.11(0.71), 100.13(0.137), 100.15(0.114), 100.8(40.117), 9.2(4.9), 9.4(2.111), 9.4(3), 9.5(2.7), 9.6(1.1), 96.1(1.88)
Alert Type:
Updated *
Bug Id:
CSCuy07753
Title:
Smart tunnel does not work since Firefox 32bit version 43
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Smart tunnel functionality does not work with Firefox 43 or newer.
There is no prompt asking whether the user wishes to forward the browser traffic via the smart tunnel. Instead, the browser tries to forward the traffic locally.

Conditions:
Firefox 43 or newer.

Workaround:
Use a different browser or downgrade Firefox.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.4
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.134), 100.15(0.112), 100.8(40.116), 9.1(7.5), 9.2(4.9), 9.4(2.106), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCuz41152
Title:
Address the OpenSSL December 2015 vulnerabilities for certification
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Cisco Adaptive Security Appliance (ASA) includes a version of OpenSSL that is affected by the vulnerability identified by one or more of the following Common Vulnerability and Exposures (CVE) IDs:

CVE-2015-3194, CVE-2015-3195 and CVE-2015-3196

These vulnerabilities were disclosed in http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl

This bug has been opened to address the potential impact on this product.

Conditions:
Exposure is not configuration dependent.

Cisco has reviewed and concluded that this product is affected by one or more of these vulnerabilities.

Cisco Adaptive Security Appliance (ASA) is affected by:

- CVE-2015-3194 Certificate verify crash with missing PSS parameter
  o ASA doesn't use OpenSSL for cert verification, but it does verify other RSA signatures during the exchange.
  o Versions 9.2 and later are affected
- CVE-2015-3195 X509_ATTRIBUTE memory leak
  o Versions 8.4 and later are affected
- CVE-2015-3196 Race condition handling PSK identity hint
  o Versions 9.2 and later are affected


Cisco Adaptive Security Appliance (ASA) is not affected by:

- CVE-2015-3193 BN_mod_exp may produce incorrect results on x86_64
- CVE-2015-1794 Anon DH ServerKeyExchange with 0 p parameter

Workaround:
Not available.

Further Problem Description:
Additional details about those vulnerabilities can be found at http://cve.mitre.org/cve/cve.html

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/3.7:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C&version=2.0
CVE IDs CVE-2015-3194, CVE-2015-3195 and CVE-2015-3196 have been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
29-APR-2016
Known Affected Releases:
9.4(1.10)
Known Fixed Releases: *
9.4(1.11), 9.4(1.207)
Alert Type:
Updated *
Bug Id:
CSCuy11281
Title:
ASA: Assert traceback in version 9.4.2
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASAs in a failover pair running version 9.4.2 crash with the following message:
assertion "mh->mh_mem_pool > MEMPOOL_UNDEFINED && mh->mh_mem_pool < MEMPOOL_MAX_TYPE" failed: file "slib_malloc.c", line 6024

Conditions:
ASA in failover and SIP inspection enabled.

Workaround:
NONE.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.4(2)
Known Fixed Releases: *
100.13(0.135), 100.15(0.112), 9.4(2.107), 9.4(3), 9.5(2.7), 9.6(1.1), 96.1(1.86), 96.2(1.160), 96.2(11.2), 97.1(0.6)
Alert Type:
Updated *
Bug Id:
CSCuv47191
Title:
9.5.1 - Crash in bcm_esw_init thread
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA crashed in the bcm_esw_init thread and reloaded during boot.

Conditions:
This crash was seen while booting a 5585-60.

Workaround:
None.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.5(0.108), 96.1(1.31)
Known Fixed Releases: *
100.13(0.129), 100.15(0.112), 9.4(2.101), 9.4(3), 9.5(2.7), 9.6(0.99), 96.1(1.73), 96.2(1.123)
Alert Type:
Updated *
Bug Id:
CSCuy95543
Title:
High CPU usage due to Threat-Detection
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
High CPU usage on ASA

Conditions:
1. Threat-detection statistics host is enabled.
If 'threat-detection statistics' is configured, then 'threat-detection statistics host' is automatically configured.

2. ASA is on one of the following releases.
9.5 Branch: 9.5(2)6 or above
9.6 Branch: 9.6(1) or above

Note: In version 9.6(1), the threat-detection related commands will not be visible in the output of "show run" or "show run all". To check if threat-detection is enabled, please run the command "show run threat-detection".

Workaround:
configure 'no threat-detection statistics host'

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.5(2.6), 9.6(1)
Known Fixed Releases: *
100.15(0.113), 9.5(2.7), 9.6(1.1), 96.1(1.87), 96.2(1.167), 96.2(11.4), 97.1(0.8), 97.1(1.10), 97.1(2.8), 97.1(3.4)
Alert Type:
Updated *
Bug Id:
CSCuz21068
Title:
CSCOPut_hash can initiate unexpected requests
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
- Customer is able to access his portal.

- Accessing certain tabs within his portal causes failures. The new tab will load and then disappear.

- This only happens on Firefox and Chrome. Internet Explorer works fine.

- Entire site works when not accessed through clientless portal bookmark

Conditions:
- Using rewriter on clientless portal with Chrome and Firefox

Workaround:
- Use Internet Explorer

- Bypass rewriter

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.2(3.4)
Known Fixed Releases: *
100.11(0.71), 100.13(0.138), 100.15(0.116), 9.2(4.10), 9.4(2.112), 9.4(3), 9.5(2.7), 9.6(1.1), 96.2(0.4), 96.2(11.11)
Alert Type:
Updated *
Bug Id:
CSCux30780
Title:
GTPv1 traceback in gtpv1_process_msg
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback will happen on slave unit.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.5(1.170)
Known Fixed Releases: *
100.15(0.108), 100.16(0.19), 100.16(1.97), 100.16(14.1), 9.5(1.172), 9.5(2.7), 9.6(0.99), 96.1(1.49)
Alert Type:
Updated *
Bug Id:
CSCur49234
Title:
ASA Mgmt Session stuck on running "sh block exhaustion snapshot/history"
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
1) Management session to the ASA (telnet, SSH, or console) is stuck

2) Unable to SSH/telnet due to the session limit count

Conditions:
1) 2048 blocks depleted
AND
2) "show blocks exhaustion history" or "show blocks exhaustion snapshot" is executed

Workaround:
1) Fail over to the other unit if the units are in a failover pair

OR

2) Reload the unit

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.3(1)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.103), 100.16(0.13), 100.16(1.70), 100.16(14.1), 9.4(2.99), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCux70998
Title:
Reload in Thread Name: IKE Daemon
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA reloads in Thread Name: IKE Daemon

Conditions:
ASA running 9.x version of code with certificate authentication.

Workaround:
None

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.1(6.116)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.123), 100.15(0.108), 100.16(0.18), 100.16(1.97), 100.16(14.1), 100.8(40.113), 9.1(6.117), 9.1(7)
Alert Type:
Updated *
Bug Id:
CSCuy21287
Title:
STBY ASA doesn't pass traffic via ASA-IC-6GE-SFP-B ifc after reload
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Standby ASA does not pass the traffic via interface of the module ASA-IC-6GE-SFP-B after reload

Conditions:
ASA configured with failover (the problem does not occur on a standalone unit)
Interface is configured with a speed setting
The command "sh controller GigabitEthernet 1/X" displays output such as:
...
General Control Registers:
Device Control (CTRL) : 0x00dc0a01
Device Status (STATUS) : 0x00080781

Workaround:
Changing the speed to "no negotiate" got it working for some time; however, the interfaces then started flapping.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.2(4), 9.5(2)
Known Fixed Releases: *
100.11(0.68), 100.12(0.158), 100.13(0.132), 100.15(0.112), 100.8(40.115), 9.1(7.5), 9.2(4.9), 9.4(2.103), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCuy65416
Title:
assert "ctm->async_ref == 0" failed: file "ssl_common.c", line 193-part2
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may traceback during an SSL VPN stress test

Conditions:
SSL VPN stress test

Workaround:
none

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.4(2.102)
Known Fixed Releases: *
100.12(0.158), 100.13(0.134), 100.15(0.112), 9.4(2.105), 9.4(2.106), 9.4(3), 9.5(2.7), 9.6(0.129), 9.6(1.1), 96.1(1.85)
Alert Type:
Updated *
Bug Id:
CSCuv42720
Title:
Egress ACL with ICMP Types Misbehaving.
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Configuring an ACL on the outbound port of a device may cause some traffic to be dropped even though the ACL policy permits the dropped packet(s).

Conditions:
The following policy applied to the outbound port will drop packets with Types 2-129.

ASA5506X# show run access-list
access-list unh-out extended permit icmp6 any6 any6 unreachable 0
access-list unh-out extended permit icmp6 any6 any6 unreachable 1
access-list unh-out extended permit icmp6 any6 any6 unreachable 2
access-list unh-out extended permit icmp6 any6 any6 unreachable 3
access-list unh-out extended permit icmp6 any6 any6 unreachable 4
access-list unh-out extended permit icmp6 any6 any6 unreachable 5
access-list unh-out extended permit icmp6 any6 any6 unreachable 6
access-list unh-out extended permit icmp6 any6 any6 packet-too-big 0
access-list unh-out extended permit icmp6 any6 any6 time-exceeded 0
access-list unh-out extended permit icmp6 any6 any6 time-exceeded 1
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 0
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 1
access-list unh-out extended permit icmp6 any6 any6 parameter-problem 2
access-list unh-out extended permit icmp6 any6 any6 echo 0

%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 2, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 3, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 3, code 1) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 0) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 1) by access-group "unh-out" [0x0, 0x0]
%ASA-4-106023: Deny icmp src pub:3000::2 dst priv:3001::2 (type 4, code 2) by access-group "unh-out" [0x0, 0x0]

ASA5506X# show access-list unh-out
access-list unh-out; 14 elements; name hash: 0x91e2c362
access-list unh-out line 1 extended permit icmp6 any6 any6 unreachable 0 (hitcnt=0) 0x4e0ab796
access-list unh-out line 2 extended permit icmp6 any6 any6 unreachable 1 (hitcnt=20) 0xa549de20
access-list unh-out line 3 extended permit icmp6 any6 any6 unreachable 2 (hitcnt=0) 0x3e3005b5
access-list unh-out line 4 extended permit icmp6 any6 any6 unreachable 3 (hitcnt=0) 0x60363c63
access-list unh-out line 5 extended permit icmp6 any6 any6 unreachable 4 (hitcnt=0) 0xeb98c4e3
access-list unh-out line 6 extended permit icmp6 any6 any6 unreachable 5 (hitcnt=0) 0x4b9b65f1
access-list unh-out line 7 extended permit icmp6 any6 any6 unreachable 6 (hitcnt=0) 0x53e45a3f
access-list unh-out line 8 extended permit icmp6 any6 any6 packet-too-big 0 (hitcnt=0) 0x9b62e1db
access-list unh-out line 9 extended permit icmp6 any6 any6 time-exceeded 0 (hitcnt=0) 0x5362e1e1
access-list unh-out line 10 extended permit icmp6 any6 any6 time-exceeded 1 (hitcnt=0) 0xf7a7cc36
access-list unh-out line 11 extended permit icmp6 any6 any6 parameter-problem 0 (hitcnt=0) 0x453e9232
access-list unh-out line 12 extended permit icmp6 any6 any6 parameter-problem 1 (hitcnt=0) 0x780a5e2e
access-list unh-out line 13 extended permit icmp6 any6 any6 parameter-problem 2 (hitcnt=0) 0x4a0104ef
access-list unh-out line 14 extended permit icmp6 any6 any6 echo 0 (hitcnt=0) 0xf50e5b9d
ASA5506X#
ASA5506X# show runn access-group
access-group unh-out out interface priv

Workaround:
None

Further Problem Description:
N/A

Last Modified:
29-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.120), 100.14(0.83), 100.15(0.89), 100.15(20.17), 100.16(0.9), 100.16(1.36), 100.16(14.1), 100.16(15.1), 100.16(15.5), 9.4(1.7)
Alert Type:
Updated *
Bug Id:
CSCuz30425
Title:
Network command disappears from BGP after reload with name
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Network command disappears from BGP after reload with name

Conditions:
Issue is only seen when a name has been configured (name 2.2.2.0 Production-20-0)

Workaround:
Remove the name from the configuration (name 2.2.2.0 Production-20-0)

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases: *
100.13(0.138), 100.15(0.116), 9.5(2.7), 96.2(0.8), 96.2(11.12), 97.1(0.13), 97.1(1.26)
Alert Type:
Updated *
Bug Id:
CSCuy85243
Title:
ASA traceback when receive Radius attribute with improper variable type
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
If the Radius attribute IE-Proxy-Server-Policy is passed back from a Radius server to the ASA for an AnyConnect VPN client, but it has an attribute type of "string" instead of "integer", it will cause the ASA to crash.

That attribute should be an integer as per the information at:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/aaa-radius.html#32985

Conditions:
ASA authenticating VPN users via Radius.
ISE/ACS Radius server with attribute IE-Proxy-Server-Policy tagged as a "string" type.

The crash is seen with debug crypto ikev1 or syslog message 713241.

Workaround:
1) Delete the attribute from your Access Policies on your Radius server so it is no longer returned.
2) Not only does the attribute need to contain the value of an integer, but it should be tagged as an Integer type in the Radius attribute dictionary (In ISE = Policy > Policy Elements > Dictionaries).

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
8.4(7), 9.1(7)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.135), 100.15(0.112), 100.8(40.116), 9.1(7.5), 9.2(4.9), 9.4(2.107), 9.4(3), 9.5(2.7)
Alert Type:
Updated *
Bug Id:
CSCut10103
Title:
ASA 5545x Upgrade to 9.2(2)4 causes Traceback in Thread Name SSL
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Upgrade from 9.0(2) directly to 9.2(2)4 causes 5545x to traceback in thread name SSL

Conditions:
Upgrading a 5545x with an out-of-the-box (default) configuration from 9.0(2) to 9.2(2)4

Workaround:
none

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.2(2.4)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.105), 100.16(0.15), 100.16(1.76), 100.16(14.1), 9.2(4.9), 9.4(2.99), 9.4(3)
Alert Type:
Updated *
Bug Id:
CSCuy34265
Title:
ASA Access-list missing and losing elements after configuration change
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After a configuration change is pushed, tmatch compile continues to run, the number of elements in the ACL falls, and not all elements are loaded.

Conditions:
ASA running 9.1.7 with new ACL configuration applied.

Workaround:
none

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.1(7)
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.134), 100.15(0.112), 100.8(40.115), 9.1(7.5), 9.2(4.9), 9.4(2.105), 9.4(2.220), 9.4(3)
Alert Type:
Updated *
Bug Id:
CSCux66866
Title:
Traffic drop due to constant amount of arp on ASASM
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
A constant amount of ARP is generated on the ASA-SM, and this causes partial drops of normal user traffic (outside->inside) that is not related to ARP.
(There is no packet drop if static ARP is configured on all outside and inside interfaces.)

Conditions:
Customer is using an ASA-SM with 200 contexts
Each inside interface is assigned to a separate VLAN
A constant amount of ARP is generated (200-300 per 15 s)

Workaround:
Use static ARP on all outside and inside interfaces of the ASA-SM.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.1(6.8)
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.134), 100.15(0.112), 100.8(40.115), 9.1(7.5), 9.4(2.106), 9.4(3), 9.5(2.7), 9.6(1.1)
Alert Type:
Updated *
Bug Id:
CSCuy57644
Title:
ASAv sub-interface failing to send traffic with customised mac-address
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
We use the commands below to customise the sub-interface MAC address. After applying the customised mac-address to each sub-interface, the ASAv is no longer able to send traffic via those sub-interfaces which have a customised mac-address applied.

+++
interface GigabitEthernet0/1
description ASAv_Trunk_Port
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.102
mac-address 1021.1021.1021
vlan 102
nameif GNET
security-level 100
ip address 192.168.50.2 255.255.255.0 standby 192.168.50.3
!
interface GigabitEthernet0/1.103
mac-address 1030.1030.1030
vlan 103
nameif Gov_Legacy
security-level 50
ip address 192.168.51.2 255.255.255.0 standby 192.168.51.3
!
interface GigabitEthernet0/1.104
mac-address 1040.1040.1040 <<<<<< this MAC is listed as the port-group port runtime MAC.
vlan 104
nameif 3rd_party
security-level 50
ip address 192.168.52.2 255.255.255.0 standby 192.168.52.3
+++

Conditions:
A customised MAC address is applied under ASAv sub-interfaces.

Workaround:
Remove the customised mac-address, which is not really a workaround.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.5(2), 99.1(3.141)
Known Fixed Releases: *
100.15(0.112), 9.5(2.220), 9.5(2.7), 9.6(1.1), 96.2(1.152), 96.2(11.1), 97.1(0.4), 97.1(1.4), 97.1(2.2), 97.1(3.2)
Alert Type:
Updated *
Bug Id:
CSCux29842
Title:
Primary and Secondary ASA in HA is traceback in Thread Name:DataPath
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
40% of the sessions were dropped during failover due to crash.

Conditions:
Failover enabled.

Workaround:

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.1(3), 9.3(2)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.135), 100.15(0.112), 100.8(40.116), 9.2(4.9), 9.4(2.107), 9.4(3), 9.5(2.7), 9.6(1.1)
Alert Type:
Updated *
Bug Id:
CSCux35538
Title:
Traceback in ctm_ssl_generate_key with DHE ciphers SSL VPN scaled test
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may traceback in ctm_ssl_generate_key with VPN scaled test and DHE ciphers.

Conditions:
ASA VPN AnyConnect and Clientless SSL VPN scaled test.

Workaround:
None

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.1(6.107), 9.1(6.111)
Known Fixed Releases: *
100.11(0.69), 100.12(0.158), 100.13(0.134), 100.15(0.112), 100.8(40.114), 9.1(6.113), 9.1(7), 9.1(7.5), 9.2(4.9), 9.4(2.106)
Alert Type:
Updated *
Bug Id:
CSCun17627
Title:
OSPFv2 neighborship flaps from Exstart to Down
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA clustered firewalls: the OSPFv2 neighborship flaps between the ASA and the router.

The node is stuck in Exstart with the neighbor router.

Conditions:
Mode: L2 clustering with 2 nodes, or L3 clustering with 4 nodes.
Perform a "cluster remove unit" on the master node, or fail over to a slave unit.
ASA is peering with another OSPF device.


Workaround:
Use static routing
-or-
Use the command 'ospf mtu-ignore'

Further Problem Description:

Last Modified:
12-APR-2016
Known Affected Releases:
100.8(56.19), 9.2(2.4)
Known Fixed Releases: *
100.8(56.30), 9.2(4.9)
Alert Type:
New
Bug Id:
CSCuz20387
Title:
ASA : Traceback in Thread name: Session manager
Status:
Terminated
Severity:
2 Severe
Description:

Symptom:
Traceback in Thread Name : Session Manager

Conditions:
ASA is configured with webvpn.

Workaround:
None as of now.

Further Problem Description:

Last Modified:
15-APR-2016
Known Affected Releases:
9.4(2.6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw44038
Title:
Watchdog traceback in ldap_client_thread with large number of ldap grps
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA running 9.1.6.8 in a failover pair crashes with Thread Name: ldap_client_thread.

Conditions:
If a user is linked to more than 250 LDAP groups and LDAP attribute mapping is performed on the memberOf attribute, the ASA reloads with a watchdog error when that user establishes a VPN connection.

Workaround:
Do not use a username that is linked to more than 250 LDAP groups.

Disable LDAP mapping for the memberOf attribute in deployments using a large number of LDAP groups. DAP may offer an alternative solution, depending on the use case.

Further Problem Description:

Last Modified:
15-APR-2016
Known Affected Releases: *
9.1(6.8), 9.4(2.11)
Known Fixed Releases:
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.103), 100.16(0.13), 100.16(1.70), 100.16(14.1), 100.8(40.109), 9.1(7.5), 9.2(4.6)
Alert Type:
Updated *
Bug Id:
CSCue03220
Title: *
Anyconnect MTU configured on ASA is not taking effect at client
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The AnyConnect MTU configured on the ASA does not take effect on AnyConnect clients running 2.5.6005 (the issue is not seen with AnyConnect 3.x). This can prevent some users (those who require a lower AnyConnect MTU setting) from connecting.

Conditions:
ASA 9.1.1

Workaround:
1. Downgrade to 8.6, 8.4, or lower
2. Upgrade the AnyConnect client to 3.0.x or 3.1.x

Further Problem Description:
If clients have been upgraded to AnyConnect 3.1 or later but only the 2.5.x package is present on the ASA, the MTU issue still occurs: the configured value is never assigned to the client.
To resolve this, the 3.1 AnyConnect package must be uploaded to the ASA as well.

Last Modified:
20-APR-2016
Known Affected Releases:
9.1(1)
Known Fixed Releases:
100.8(27.33), 100.8(50.21), 100.9(0.22), 100.9(4.1), 100.9(7.1), 100.9(8.1), 100.9(9.1), 9.0(2.100), 9.0(2.4), 9.0(3)
Alert Type:
Updated *
Bug Id:
CSCuv79785
Title:
Traceback at inspect http filter when URL filtering and SFR are enabled
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
ASA reload in Thread Name: CP Processing

Conditions:
All ASA platforms with 9.3 or greater code. Both Websense URL filtering and a service-policy sending traffic to SourceFire need to be enabled.

Workaround:
Disable Websense URL filtering.

Further Problem Description:

Last Modified:
21-APR-2016
Known Affected Releases:
100.13(0.81), 9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz14875
Title:
ASA RIP crashes when using address-family subconfiguration
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA crashes every time the address-family is configured under the RIP process:

router rip
address-family ipv4
!

Conditions:
ASA running 9.6(1) code.

Workaround:
Do not use the address-family configuration.

Further Problem Description:

Last Modified:
22-APR-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases: *
96.2(0.2), 96.2(1.181), 96.2(11.10), 97.1(0.12), 97.1(1.21), 97.1(3.6), 97.1(5.6)
Alert Type:
Updated *
Bug Id:
CSCuc98398
Title:
ASA writes past end of file system then can't boot
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
After upgrading the ASA OS the device does not boot successfully, and will continually loop the unsuccessful boot sequence.

The following will be seen on the console of the ASA (the ASA model and image file will vary):

-----------------------------------------------------------------------------------
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON

Cisco Systems ROMMON Version (1.0(12)13) #0: Thu Aug 28 15:55:27 PDT 2008

Platform ASA5505

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.

Launching BootLoader...
Boot configuration file contains 1 entry.


Loading disk0:/asa844-9-k8.bin... Booting...
Platform ASA5505

Loading...
IO memory blocks requested from bigphys 32bit: 9672

## APPLIANCE REBOOTS AUTOMATICALLY HERE ##
-----------------------------------------------------------------------------------

Conditions:
A Cisco ASA where the disk (Compact Flash) is already close to full or is fragmented from frequent use, a new version of the OS is saved on the disk (without removing any files), and the new file is made the boot file in the configuration.

Workaround:
Delete the bad file from flash, as well as any other images that are no longer in use, to free up more space on the flash. Then, re-download the new file to flash.

- or -

1) Copy all the files off of the ASA's disk.
2) Perform an erase disk command from ROMMON.
3) Format the disk.
4) Copy the files back onto the disk, starting with the OS image you wish the ASA to boot.

The second procedure (involving the re-format) is the preferred workaround, as it places the ASA image towards the beginning of the filesystem, making it much less likely that this problem is encountered.

Further Problem Description:

Last Modified:
23-APR-2016
Known Affected Releases:
100.7(6), 8.4(2.8), 8.4(4.1), 8.4(5), 8.4(6), 9.1(7.4)
Known Fixed Releases:
100.7(13.111), 100.7(6.108), 100.8(27.63), 100.8(50.25), 100.9(0.27), 100.9(4.1), 100.9(7.1), 100.9(8.1), 100.9(9.1), 8.4(5.6)
Alert Type:
Updated *
Bug Id:
CSCuw00971
Title:
ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
--- URL redirect is not working for clients connected via RA VPN clients

The URL redirect feature is used to support some ISE posture assessment flows.

Conditions:
--- ISE using the posture assessment feature
------ ISE 1.3 is more likely to require long url-redirect attributes
--- ASA 9.2.1 and above (ISE posture assessment is not supported on ASA versions <9.2.1)
--- RA VPN client

Workaround:
--- Use the AnyConnect SSL VPN client

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(1), 9.5(2)
Known Fixed Releases: *
100.11(0.62), 100.12(0.146), 100.13(0.98), 100.14(0.73), 100.14(16.8), 100.14(5.32), 100.15(0.26), 100.15(1.79), 100.15(16.3), 100.15(17.1)
Alert Type:
Updated *
Bug Id:
CSCuw41548
Title:
DNS Traceback in channel_put()
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA reloads and generates a corefile

Conditions:
Multiple simultaneous DNS queries with retries

Workaround:
disable DNS

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(3.225)
Known Fixed Releases: *
100.11(0.63), 100.12(0.149), 100.13(0.109), 100.14(0.77), 100.15(0.43), 100.15(17.18), 100.15(3.66), 100.15(8.16), 100.16(0.2), 100.16(1.5)
Alert Type:
New
Bug Id:
CSCuz34427
Title:
standby device in failover : page fault crash in DATAPATH,
Status:
Other
Severity:
2 Severe
Description:

Symptom:
ASA crashed under thread name DATAPATH-0-2039

Conditions:
ASA running in failover
standby unit may crash under thread name : DATAPATH-0-2039

Workaround:
none at this time

Further Problem Description:
NA

Last Modified:
26-APR-2016
Known Affected Releases:
9.5(2.2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux46192
Title:
ASA coredumped after enable,disable webvpn on interface
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may traceback/coredump after enabling/disabling webvpn interface with VPN session load.

Conditions:
SSL VPN (WebVPN)

Workaround:
none

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6.111)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.104), 100.16(0.15), 100.16(1.72), 100.16(12.1), 100.16(14.1), 100.8(40.110), 9.1(6.112)
Alert Type:
Updated *
Bug Id:
CSCuy11905
Title:
ASA 5585 traceback when the User name is mentioned in the Access list
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When user identity is configured in the access list, the ASA crashes.

Below is the configuration that was applied:

object-group network CSM_INLINE_dst_rule_365072238634
description Generated by CS-Manager from dst of UnifiedFirewallRule# 13 (Local)
network-object object CAERPDBP-N2
network-object object CAERPDBP-N1
access-list outside_access_in line 24 remark Permit - BI Team to ERP servers for management JK 1-24-15
access-list outside_access_in line 25 extended permit tcp user asm\jeff.kreinest any4 object-group

Conditions:
Whenever user identity is configured in the access list, the ASA crashes.

This occurs when the total number of users created exceeds the system maximum.

Workaround:
NA

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
99.1(1.91)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.129), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.2(4.9), 9.3(3.171), 9.3(3.8), 9.4(2.101)
Alert Type:
Updated *
Bug Id:
CSCuv92371
Title:
ASA traceback: SSH Thread: many users logged in and dACLs being modified
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA may reload when multiple users are logged into the ASA running show commands while ACLs are being added or deleted.

Conditions:
This was observed under the following conditions:
1) There were multiple users logged into the ASA.
2) One user was running show running-config or show access-list.
3) Downloadable ACLs were being added and removed based on user logins in auth proxy.

Workaround:
If "show access-list" has been issued in one session, do not issue "clear config access-list" from another session; let the "show access-list" output finish displaying all elements in that session.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(2), 9.1(6), 9.3(2), 9.4(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.111), 100.14(0.78), 100.15(0.50), 100.15(17.21), 100.15(3.72), 100.15(8.17), 100.16(0.3), 100.16(1.7)
Alert Type:
Updated *
Bug Id:
CSCuw51576
Title:
SSH connections are not timed out on Standby ASA (stuck in rtcli)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
SSH connections are stuck and it is not possible to open a new SSH connection to the standby ASA.

Conditions:
ASA running software version 9.1.5.21

Workaround:
Temporary workaround: reload the ASA.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(5.21)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.129), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.2(4.9), 9.3(3.171), 9.3(3.8), 9.4(2.101)
Alert Type:
Updated *
Bug Id:
CSCuu73395
Title:
Auth-prompt configured in one context appears in another context
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Auth-prompt configured in one context appears in another context.

Conditions:
++ Device is in multiple context mode.
++ More than one context.
++ More than one context with cut-through proxy configured.
++ Only one context with a custom auth-prompt.

Workaround:
If auth-prompt is configured in all the contexts, the issue is not seen.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.0(4.24), 9.1(4), 9.4(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.137), 100.13(0.94), 100.14(0.69), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.49), 100.15(1.51), 100.15(15.11)
Alert Type:
Updated *
Bug Id:
CSCur07369
Title:
SXP Version Mismatch Between ASA & N7K with clustering
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An SXP connection cannot be established when an ASA cluster interacts with an SXP peer running the SXP version 1 protocol.

Conditions:
(1) The ASA is running a cluster with 2 or more units, (2) the SXP peer is running the SXP version 1 protocol, and (3) the SXP peer's hash directs the SXPv1 request to a slave unit of the ASA instead of the master unit.

Workaround:
- Upgrade the SXP peer to run SXP version 2 or above, or
- Change the IP address used for establishing the SXP connection so that the hash algorithm directs the SXPv1 request from the SXP peer to the master unit of the ASA cluster instead of a slave unit.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.143), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(16.3), 100.15(17.1), 100.15(3.37), 100.15(6.21)
Alert Type:
Updated *
Bug Id:
CSCuw33860
Title:
RA-VPN transactions are shown as 0 in PRSM Dashboard
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
PRSM Dashboard does not populate data for VPN transactions in either the 'User devices' section or 'Traffic by location' with ASA 9.3.2 and above. Events generated for VPN traffic also show the 'remote device' field set to 'No'.
This issue is not seen with ASA version 912 and 915(21).

Conditions:
With ASA 9.3.2 and above, VPN transactions are not seen in the PRSM dashboard.
ASA 9.3.2
ASA-Cx: 9.3.4.1 (11)

Workaround:
The issue is not seen in ASA version 912 and 915(21).

Further Problem Description:
-

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(0.77), 100.15(20.14), 100.15(8.24), 100.16(0.8), 100.16(1.27), 100.16(14.1), 9.3(3.171)
Alert Type:
Updated *
Bug Id:
CSCus08239
Title:
ASDM upload causes traceback, OCTEON_CRYPTO: SG buffers exceeds limit
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashes on thread name DATAPATH-0-1570

Conditions:
Cisco ASA running release 9.4.1, 9.4.1.1 or 9.5.1, while uploading an ASA image file.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.12(0.106), 9.4(1), 9.4(1.3), 9.5(1)
Known Fixed Releases: *
100.12(0.138), 100.13(0.94), 100.14(0.69), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.54), 100.15(15.15), 100.15(16.1), 100.15(2.85)
Alert Type:
Updated *
Bug Id:
CSCuv88785
Title:
RA validation failed when CA/subCA contains name constraints
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When performing SCEP enrollment to a CA that contains the X.509 Name Constraints extension, the ASA fails with the following error:

CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
CERT-C: I pkixpath.c(2728) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received
CRYPTO_PKI: Unable to read CA/RA certificates.Error processing auth response. Unable to send PKI request
CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status: Crypto CA thread sleeps!

Conditions:

Workaround:

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1), 9.4(1.100), 9.4(1.201)
Known Fixed Releases: *
100.13(0.100), 100.14(0.74), 100.14(16.8), 100.14(5.32), 100.15(0.26), 100.15(1.92), 100.15(16.5), 100.15(17.7), 100.15(3.51), 100.15(8.14)
Alert Type:
Updated *
Bug Id:
CSCuv51649
Title:
SSL : Unable to Join nodes in Cluster
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA slave is unable to join cluster and fails with the error "cluster_ccp_make_rpc_call failed to clnt_call. msg is CCP_MSG_REGISTER". Debugs with "debug ssl 255" show the error message -

error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460
error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460
error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460
error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460
error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460
error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460
error:14080FA3:SSL routines:SSL3_ACCEPT:setup crypto context failed@s3_srvr.c:460

Conditions:
Attempting to join the cluster on the ASA slave using the "enable" command fails with an RPC error message.

Workaround:
Remove the RC4 cipher using either of the following commands -

ssl cipher default custom "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA"
ssl cipher dtlsv1 custom "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA"

OR use the older version of the same command -

ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1

Then, attempt to join the cluster again

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.15(3.19)
Known Fixed Releases: *
100.11(0.66), 100.12(0.139), 100.13(0.94), 100.14(0.70), 100.15(0.24), 100.15(1.60), 100.15(16.1), 100.15(17.1), 100.15(3.33), 100.15(6.19)
Alert Type:
Updated *
Bug Id:
CSCux09181
Title:
http-form authentication fails after 9.3.2
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Authenticating to an http-form aaa-server stops working after an upgrade to 9.3.2 or later.

Conditions:
Using an aaa-server configured for http-form authentication to authenticate a user.

Workaround:
Downgrade to 9.2.4.x build if possible

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.155), 100.13(0.121), 100.15(0.105), 100.16(0.15), 100.16(1.76), 100.16(14.1), 9.3(3.171), 9.3(3.8), 9.4(2.5), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCuv20449
Title:
Traceback in Thread Name: ssh when using capture or continuous ping
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA Traceback in Thread Name: ssh

Conditions:
The crash happens when a rare condition is hit in which two things happen simultaneously:

1. An interruptible command is in progress in an SSH session. Examples are ping, traceroute, real-time captures, etc.
2. The ASA and the SSH client are in the process of rekeying the SSH connection. This rekey normally takes place approximately every 60 minutes in an SSH session.

Workaround:
Avoid running interruptible commands in an SSH session that has been active for over 50 minutes.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6), 9.1(6.1), 9.1(6.4), 9.4(1)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.127), 100.15(0.112), 100.8(40.113), 9.1(7.5), 9.2(4.6), 9.3(3.171), 9.3(3.8), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCuv87760
Title:
Unicorn proxy thread traceback with RAMFS processing
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback in Unicorn Proxy Thread while using WebVPN.

Conditions:
Cisco ASA running release 9.3.3.223 with WebVPN enabled.

Workaround:
None.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(4), 9.3(3), 9.3(3.223), 9.4(1.112), 9.4(1.5)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.14(5.34), 100.15(0.32), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15)
Alert Type:
Updated *
Bug Id:
CSCux00686
Title:
Evaluate CVE-2015-6360 for libsrtp Denial of Service (DoS)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Cisco released version 1.5.3 of the Secure Real-Time Transport Protocol (SRTP) library (libSRTP), which addresses a denial of service (DoS) vulnerability. Multiple Cisco products incorporate a vulnerable version of the libSRTP library.

The vulnerability is in the encryption processing subsystem of libSRTP and could allow an unauthenticated, remote attacker to trigger a DoS condition. The vulnerability is due to improper input validation of certain fields of SRTP packets. An attacker could exploit this vulnerability by sending a crafted SRTP packet designed to trigger the issue to an affected device.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160420-libsrtp

Conditions:
The Cisco ASA has to be configured with the Phone Proxy feature to be vulnerable. The configuration keyword to look for is 'phone-proxy'. This vulnerability can result in a system-level restart of the device.

The Cisco ASA Phone Proxy feature has been deprecated as of release version 9.4.1, released in March 2015.

Workaround:
None.

Further Problem Description:
Please refer to the following Cisco ASA document on the phone proxy feature for additional configuration specifics:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/unified_comm_phoneproxy.pdf

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-6360 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
26-APR-2016
Known Affected Releases:
8.1(0.104)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.103), 100.16(0.14), 100.16(1.70), 100.16(14.1), 100.7(6.149), 100.8(40.109), 8.4(7.31)
Alert Type:
Updated *
Bug Id:
CSCux43345
Title:
Allow a larger (4GB) coredump filesystem to be configured on ASA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The coredump file system maximum may be insufficient to accommodate a coredump that gets generated (currently 1500 MB max on 5585-XX platforms). Need to allow configuration up to 4GB (4000 MB) for ASA platforms that can support it.

Conditions:
An ASA with a long uptime that has had a lot of activity/load may grow the size of the core file that would be generated in the event of a traceback beyond the current coredump file system limit (1500 MB).

Workaround:
None.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6.111)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.105), 100.16(0.15), 100.16(1.74), 100.16(12.2), 100.16(14.1), 100.8(40.110), 9.1(6.112)
Alert Type:
Updated *
Bug Id:
CSCuv70932
Title:
FO: ASAv traceback while syncing during upgrade from 9.4.1 to 9.5.1
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
FO: ASAv crashed while syncing during upgrade from 9.4.1 to 9.5.1

Conditions:
Upgrade from 9.4.1 to 9.5.1 with a very large customer configuration.

Workaround:

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.104), 100.14(0.76), 100.15(0.29), 100.15(1.95), 100.15(16.7), 100.15(17.10), 100.15(3.55), 100.15(8.15)
Alert Type:
Updated *
Bug Id:
CSCux05081
Title:
RSA 4096 key generation causes failover
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Applying the command "crypto key generate rsa modulus 4096" causes an ASA failover.
The ASA does not generate the 4096-bit key.

Conditions:
A restrictive (non-default) failover polltime is configured, for example:
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 750 holdtime 5

ASA is running software 9.4 or 9.5.

Workaround:
Generate a key with modulus 2048, or downgrade to the 9.3 train.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4, 9.5
Known Fixed Releases: *
100.13(0.121), 100.14(0.84), 100.15(0.92), 100.15(20.20), 100.16(0.10), 100.16(1.40), 100.16(14.1), 100.16(15.5), 9.4(2.5), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCuv87150
Title:
ASA traceback in Thread Name: fover_parse (ak47/ramfs)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA 5525 running version 9.5(1) crashes in Thread Name: fover_parse (ramfs).

Conditions:
ASA is in failover pair.

Workaround:
No workaround

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1.5), 9.5(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.14(5.34), 100.15(0.45), 100.15(17.20), 100.15(3.69), 100.15(8.17), 100.16(0.3)
Alert Type:
Updated *
Bug Id:
CSCus16416
Title:
Share licenses are not activated on failover pair after power cycle
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The shared/combined licenses are not activated on a failover pair after the pair is power-cycled.
If both the active and standby units are powered off and only the standby unit is booted up, the shared/combined licenses on the standby unit are lost.

Conditions:
Failover environments.

Workaround:
Execute the 'reload' command once on the failover pair.

Further Problem Description:
None

Last Modified:
26-APR-2016
Known Affected Releases:
9.0, 9.1(5.19)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.120), 100.14(0.83), 100.15(0.89), 100.15(20.17), 100.16(0.9), 100.16(14.1), 100.16(15.1), 100.16(15.5)
Alert Type:
Updated *
Bug Id:
CSCux33808
Title:
ASA ERROR:FIPS Self-Test failure,fips_continuous_rng_test [-1:12:0:2:16]
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA may reboot when FIPS is enabled, with different errors displayed on the console:
"ERROR:FIPS Self-Test failure,fips_continuous_rng_test [-1:12:0:2:16]"
"ERROR: FIPS Self-Test failure, fips_continuous_rng_test [-1:12:0:2:19]"

Conditions:
The ASA may reboot when FIPS is enabled, with different errors displayed on the console:
"ERROR:FIPS Self-Test failure,fips_continuous_rng_test [-1:12:0:2:16]"
"ERROR: FIPS Self-Test failure, fips_continuous_rng_test [-1:12:0:2:19]"

Workaround:
Reload the ASA, or disable FIPS mode with 'no fips enable'.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.13(0.126), 100.15(0.111), 9.4(2.99), 9.4(3), 9.5(2.6), 9.6(0.99), 96.1(1.58), 96.2(1.109)
Alert Type:
Updated *
Bug Id:
CSCuu82229
Title:
ikev2 with DH 19 and above fails to pass traffic after phase2 rekey
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
After a rekey, the tunnel fails to pass traffic.

Conditions:
After a rekey using DH group 19 or above.

Workaround:
Use a lower DH group (1, 2, 5, 14).

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4, 9.4(1), 9.5(1)
Known Fixed Releases: *
100.13(0.113), 100.14(0.79), 100.15(0.54), 100.15(17.23), 100.15(3.76), 100.15(8.18), 100.16(0.4), 100.16(1.9), 9.4(2.1), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCut40770
Title:
Interface TLV to SFR is corrupt when frame is longer than 2048 bytes
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Some configured ASA interfaces are missing or not displayed in FireSIGHT Management Center.

Conditions:
Interface TLV ethernet frame greater than 2048 bytes. Usually occurs with multiple interfaces and sub-interfaces configured with lengthy names for each interface.

Workaround:
Enable jumbo-frame reservation on ASA.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(1.221), 9.4(2)
Known Fixed Releases: *
100.11(0.64), 100.11(0.67), 100.12(0.153), 100.12(0.156), 100.13(0.119), 100.13(0.127), 100.14(0.82), 100.15(0.112), 100.15(0.80), 100.15(20.14)
Alert Type:
Updated *
Bug Id:
CSCuw16607
Title:
ASA EIGRP does not send poison reverse for neighbors to remove route
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When a static route is redistributed from the ASA and a better route for the same prefix is then learned, the redistributing ASA does not send a poison reverse towards its neighbors. This leaves the neighbors with stale entries in the EIGRP topology table, which sometimes causes routing to take the wrong path.

Conditions:
Example: R1 ----{BGP }--- R2---{EIGRP}----ASA-----R3

R1 is advertising a default route via BGP to R2.

R2 is redistributing the default route from BGP into EIGRP

ASA has a floating AD 180 default route that is redistributing into EIGRP towards R2.

When the BGP route goes away, the ASA's route is advertised to the network; but when the BGP route is learned again, the ASA removes the floating static from its routing table and thus no longer advertises the static towards R2. The problem is that R2 still holds the topology entry for the floating static because the ASA never sends the poison reverse message marking the route with an infinite metric so that R2 removes it from the topology table.

This sometimes causes the BGP route to take over until the redistribution from the ASA is removed and reapplied.

This can also be seen if the floating static route is deleted from the ASA, R1 still keeps the topology entry for that route even though it does not exist on the ASA anymore.


This happens in 9.1.6, 8.4.7 and 8.2.5.

Workaround:
Remove redistribution from ASA and add it again.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.0, 9.1(1.3)
Known Fixed Releases: *
100.11(0.64), 100.12(0.152), 100.13(0.117), 100.14(0.80), 100.15(0.64), 100.15(17.28), 100.15(19.3), 100.15(20.8), 100.15(8.21), 100.16(0.5)
Alert Type:
Updated *
Bug Id:
CSCuw66397
Title:
DHCP Server Process stuck if dhcpd auto_config already enabled from CLI
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
DHCPD process stuck. The output of show dhcpd statistics shows no increase in the Received packets even though the captures show that the packets are being received on that interface.

Conditions:
DHCPD auto_config is already enabled on an interface, and then the DHCP server is enabled on that interface.

Workaround:
First, remove the command "dhcpd auto_config" from the interface.
Second, remove and reapply (or sometimes just reapply) the "dhcpd enable" command for the same interface.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6), 9.4(2), 9.5(1)
Known Fixed Releases: *
100.11(0.64), 100.12(0.152), 100.13(0.117), 100.14(0.81), 100.15(0.67), 100.15(17.30), 100.15(20.10), 100.15(8.22), 100.16(0.5), 100.16(1.13)
Alert Type:
Updated *
Bug Id:
CSCuv32615
Title:
ASA: LDAP over SSL Authentication failure
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
LDAP over SSL authentication fails with the following LDAP debugs:
Session Start
New request Session, context 0x00007fffddc694c0, reqType = Authentication
Fiber started
Creating LDAP context with uri=ldaps://10.1.1.219:636
Connect to LDAP server: ldaps://10.1.1.219:636, status = Failed
Unable to read rootDSE. Can't contact LDAP server.
Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
Session End

The following drop counters can be seen increasing under "show asp drop":
ssl-record-decrypt-error
np-socket-close

The "show count" output also shows an increasing SSL error count:
ASA5500-21# sho count | in SSL
SSLERR DECRYPT_FAIL_OR_BAD_RECORD_MAC 1 Summary

Conditions:
LDAP over SSL is used for client authentication on an ASA running version 9.3(2)1 or later, and TLSv1.2 is used.

Workaround:
Downgrade to 9.3(2)

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(2.1), 9.4(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.146), 100.13(0.102), 100.14(0.75), 100.14(16.8), 100.14(5.32), 100.15(0.28), 100.15(1.92), 100.15(16.5), 100.15(17.7)
Alert Type:
Updated *
Bug Id:
CSCuw44744
Title:
Traceback in WebVPN rewriter
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback while processing WebVPN connections in the rewriter

Conditions:
ASA 5585 running special release 9.3.3.225.

Workaround:
None.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(3.225)
Known Fixed Releases: *
100.12(0.151), 100.13(0.114), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.3), 100.15(8.18), 100.16(0.4), 100.16(1.10)
Alert Type:
Updated *
Bug Id:
CSCuw36853
Title:
ASA: ICMP error loop on cluster CCL with Interface PAT
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Elevated CPU may be observed on 2 or more units of an ASA cluster. Packet captures on the cluster control link will show ICMP error packets looping continuously between the units displaying high CPU conditions.

Conditions:
1. ASA in Layer-2 cluster mode.
2. PAT configured.
3. An ICMP error packet is received on a unit that is the director for the embedded payload flow.
4. The embedded payload of the ICMP error packet matches an existing xlate entry but does not match any connection. The owner of the PAT address of the xlate is a different unit from the one where the packet is received.

Workaround:
With interface PAT, the workaround is to deny ICMP on the ASA's interface using the 'icmp' command.
With a PAT pool, the workaround is to deny ICMP error packets in the interface ACL.

Alternatively, add the per-session xlate configuration.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1.3), 9.5(1)
Known Fixed Releases: *
100.11(0.64), 100.12(0.151), 100.13(0.114), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.3), 100.15(8.18), 100.16(0.4)
Alert Type:
Updated *
Bug Id:
CSCux16427
Title:
PBR incorrect route selection for deny clause
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The PBR deny clause is not installed because the following warning is raised:

WARNING: Route-map Fed_PBR with sequence number 10 does not have any set actions defined. Not installing PBR datapath rules for this route-map entry

Conditions:
Hardware : ASA5545
Software : 9.4.2

The route-map deny clause is not installed due to the warning.

ciscoasa# show run route-map
!
route-map Fed_PBR deny 10
match ip address Fed_PBR >>>>> Match condition for the access-list entries which do not need to be PBR'd

!
route-map Fed_PBR permit 20
set ip next-hop 192.168.10.2

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(2)
Known Fixed Releases: *
100.13(0.121), 100.14(0.85), 100.15(0.99), 100.16(0.12), 100.16(1.53), 100.16(14.1), 100.16(15.7), 9.4(2.5), 9.4(2.99), 9.4(3)
Alert Type:
Updated *
Bug Id:
CSCuv79552
Title:
Standby traceback during config replication with customization export
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The standby ASA crashes while exporting a WebVPN customization and replicating configuration from the active device simultaneously.

Conditions:
This only occurs in the following sequence of events:
1. On the standby ASA, execute "export webvpn customization dfltCustomization stdout" from the CLI (for any customization) but do not let the command finish, i.e. leave it waiting at the --more-- prompt.
2. Execute "write standby" on the active device.
3. While the configuration is being replicated, hit any key on the standby CLI to continue the "export" command; this causes the standby ASA to crash.

Workaround:
Do not execute any command on the standby CLI until the configuration is fully replicated.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.4(7.15), 9.1(6)
Known Fixed Releases: *
100.11(0.62), 100.12(0.144), 100.13(0.96), 100.14(0.71), 100.14(16.8), 100.14(5.32), 100.15(0.24), 100.15(1.77), 100.15(16.3), 100.15(17.1)
Alert Type:
Updated *
Bug Id:
CSCuw14334
Title:
Trace back with Thread Name: IP Address Assign
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback Thread Name: IP Address Assign and assertion "mh->mh_mem_pool > MEMPOOL_UNDEFINED && mh->mh_mem_pool < MEMPOOL_MAX_TYPE" failed: file "slib_malloc.c"

Conditions:
IPv6 addresses assigned via username attributes or via external AAA server.

Workaround:
Use IPv6 address pools instead of username attributes or external AAA server.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(3.2), 9.4(2)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.118), 100.14(0.81), 100.15(0.69), 100.15(17.31), 100.15(20.11), 100.15(8.22), 100.16(0.6), 100.16(1.18)
Alert Type:
Updated *
Bug Id:
CSCux20913
Title:
Clustering NAT: ASA crash during NAT configuration
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashes when a NAT64 rule is dynamically modified to NAT66 by converting v4 mapped object to a v4 mapped object.

Conditions:
Dynamic NAT modifications across IP versions (NAT64 <-> NAT66, NAT64 <-> NAT44, etc.).

Workaround:
Remove NAT64 configuration and add NAT66 afresh.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.8(40.106)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.85), 100.15(0.97), 100.16(0.12), 100.16(1.53), 100.16(14.1), 100.16(15.7), 100.8(40.107)
Alert Type:
Updated *
Bug Id:
CSCuv43902
Title:
ASA: Watchdog Traceback with Thread Name:- SXP CORE
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in Thread Name: SXP CORE

Conditions:
ASA configured with TrustSec.

Workaround:
No workaround at this time.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(3)
Known Fixed Releases: *
100.12(0.138), 100.13(0.94), 100.14(0.69), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.53), 100.15(15.14), 100.15(16.1), 100.15(2.83)
Alert Type:
Updated *
Bug Id:
CSCuy13937
Title:
ASA Watchdog traceback in CP Processing thread during TLS processing
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA may crash and generate a traceback during TLS processing when TLS proxy is invoked in ASA versions 9.4(2)5 and 9.5(2) and later.

Conditions:
1. The ASA must be acting as a TLS proxy between two endpoints.
2. Observed on ASA versions 9.4(2)5 and 9.5(2) and later releases in those trains.

Workaround:
Downgrade to an earlier version or disable the TLS proxy feature.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(2.5), 9.5(2)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.129), 100.13(0.130), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.2(4.9), 9.3(3.171), 9.3(3.8)
Alert Type:
Updated *
Bug Id:
CSCux61257
Title:
ASA: Traceback in Thread IP Address Assign
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback in Thread IP Address Assign after an upgrade on the ASA unit.

Conditions:
IPAA syslogging enabled.

Workaround:
Disable IPAA syslogging (syslog IDs 737001 - 737036) on the ASA unit.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.0(4.210)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.123), 100.15(0.109), 100.16(0.19), 100.8(40.113), 9.0(4.211), 9.1(6.117), 9.1(7), 9.2(4.7)
Alert Type:
Updated *
Bug Id:
CSCuv27197
Title:
ASA SSLVPN RDP Plugin session freezes under heavy load with activex
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
RDP session freezes when a video is played over the session.

Conditions:
9.4.1
Plugins tested:
RDP1 2014
RDP2 2009
win7

Process-intensive applications in the RDP session, such as a high-definition video played either locally on the RDP machine or via YouTube.

The problem can be reproduced more consistently with ActiveX.

TCP window size filling up and TCP ZeroWindow were also observed in a packet capture taken between the RDP server and the ASA.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.99), 100.14(0.73), 100.14(16.8), 100.14(5.32), 100.15(0.26), 100.15(1.81), 100.15(16.3), 100.15(17.1), 100.15(3.49), 100.15(6.31)
Alert Type:
Updated *
Bug Id:
CSCux87457
Title:
ASA traceback in Thread Name: https_proxy
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA failover pair crashes in Thread Name: https_proxy

Conditions:
Crashes were observed after upgrading an ASA failover pair from 9.1.3 to 9.4.2. Cut-through proxy authentication of HTTP connections is enabled.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(2)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.125), 100.15(0.111), 100.8(40.113), 9.1(7.5), 9.2(4.6), 9.3(3.171), 9.3(3.8), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCux56111
Title:
"no ipv6-vpn-addr-assign" CLI not working
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When AnyConnect clients connect, they always request both IPv4 and IPv6 addresses even if IPv6 is not configured. A session fails if the IPAA subsystem does not return a response to the request, even though there is no need for the request in the first place if IPv6 is not configured.

Conditions:
The failure can occur even when "no ipv6-vpn-addr-assign" is set.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.109), 100.16(0.19), 100.8(40.111), 9.0(4.210), 9.1(6.113), 9.1(7), 9.2(4.6)
Alert Type:
Updated *
Bug Id:
CSCux21955
Title:
ASA: FAILOVER not working with password encryption.
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Failover does not come up after the encryption key is changed.

Conditions:
Configure failover, verify it is operational and save the configuration, then configure password encryption. Reload the boxes; failover comes up properly. Change the encryption key; the failover key becomes encrypted on both appliances and failover is still operational. Save the configuration and reload the ASAs; failover does not come up after the reload.

Workaround:
None

Further Problem Description:
The problem is due to the encryption keys being written at one location and read from another.

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(2)
Known Fixed Releases: *
100.12(0.156), 100.13(0.128), 100.15(0.112), 9.3(3.171), 9.3(3.8), 9.4(2.99), 9.4(3), 9.5(2.6), 9.6(0.99), 96.1(1.63)
Alert Type:
Updated *
Bug Id:
CSCux20178
Title:
OSPF neighbor goes down after "reload in xx" command in 9.2 and later
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When the "reload in xx" command is executed on an ASA5500-X running 9.2(4) or later, the ASA5500-X starts ignoring hello packets from its OSPF neighbor.
As a result, the OSPF neighbor goes down.

Conditions:
OSPF configured on an ASA running 9.2(4) / 9.3(3) / 9.4(2) / 9.5(1).

Workaround:
Use 9.1 or reboot the ASA.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(4), 9.3(3), 9.4(2), 9.5(1)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.85), 100.15(0.100), 100.16(0.12), 100.16(1.70), 100.16(14.1), 9.2(4.6), 9.3(3.171)
Alert Type:
Updated *
Bug Id:
CSCux42936
Title:
ASA 9.5.1 traceback in Threadname Datapath due to SIP Inspection
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA crashes in the Datapath thread.
Crash info shows that the lock (sip_sess_lock) is held for a long time.

Conditions:
ASA running version 9.5.1 with SIP inspection enabled.

Workaround:
Disable SIP inspection.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.13(0.123), 100.15(0.107), 100.16(0.18), 100.16(1.97), 100.16(14.1), 9.4(2.5), 9.4(2.99), 9.4(3), 9.5(2.6), 9.6(0.56)
Alert Type:
Updated *
Bug Id:
CSCuv96011
Title:
OSPF over IKEv2 L2L tunnel is broken on ASA with 9.2.1 onwards
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
OSPF over IKEv2 L2L tunnel is broken on ASA in 9.2(1) onwards. Routes are installed into OSPF database successfully, but they are absent in the main routing table.

Conditions:
-IKEv2 L2L configured to propagate routes over OSPF on an ASA running 9.2.1 or later.

Workaround:
-Downgrade the ASA to 9.1(5), if that is an option.
-Use an IKEv1 tunnel.

Further Problem Description:
None

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(1), 9.3(3), 9.4(1), 9.5(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.104), 100.14(0.76), 100.15(0.29), 100.15(1.95), 100.15(16.7), 100.15(17.10), 100.15(3.55), 100.15(8.15)
Alert Type:
Updated *
Bug Id:
CSCuu61573
Title:
9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback on a slave unit in the cluster after running large amounts of fragmented traffic through the device.

Conditions:
Cisco ASA running release 9.1.6 in a 4-node cluster configured for L2 mode.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.13(0.31), 100.15(1.11), 9.0(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.144), 100.13(0.96), 100.14(0.71), 100.15(0.24), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45), 100.15(6.29)
Alert Type:
Updated *
Bug Id:
CSCuw28735
Title:
Cisco ASA Software Version Information Disclosure Vulnerability
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
A vulnerability in the SSL VPN code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to obtain information about the Cisco ASA Software version. This information could be used for reconnaissance attacks.

The vulnerability is due to verbose output returned when a specific URL is submitted to the affected system. An attacker could exploit this vulnerability by browsing to a specific URL. The SSL VPN feature needs to be enabled for a system to be vulnerable.

Conditions:
SSL VPN needs to be configured on the system.

Workaround:
None

Further Information:

Credit:
Cisco would like to thank Sergey Ozernikov from Lateral Security (IT) Services Ltd. for reporting this vulnerability.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2014-3398 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(3), 9.1(6), 9.3(2.2)
Known Fixed Releases: *
100.11(0.63), 100.12(0.149), 100.13(0.109), 100.14(0.77), 100.15(0.112), 100.8(40.102), 9.1(6.100), 9.1(7), 9.2(4.3), 9.3(3.171)
Alert Type:
Updated *
Bug Id:
CSCux27903
Title:
BOSC Runtime Buffer overflow error detected while executing OSPFV3 Tests
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Cisco ASA crashes with a BOSC Runtime Buffer overflow error.

Conditions:
OSPFv3 is configured and crafted packets are sent to the OSPF interface.

Workaround:
None

Further Problem Description:
System Affected

Last Modified:
26-APR-2016
Known Affected Releases:
100.16(0.7)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.127), 100.15(0.112), 100.8(40.113), 9.4(2.99), 9.4(3), 9.6(0.99), 96.1(1.62), 96.2(1.111)
Alert Type:
Updated *
Bug Id:
CSCtg74172
Title:
Can get around dynamic-filter by using caps in domain name
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The Cisco ASA BTF (Botnet Traffic Filter) feature should not be case sensitive. A user can get around the BTF feature by using capital letters in domain names.

Conditions:
Configuring white and black lists for BTF.

Workaround:
Not known

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.2(2.12)
Known Fixed Releases: *
100.11(0.62), 100.12(0.145), 100.13(0.97), 100.14(16.8), 100.14(5.32), 100.15(0.25), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45)
Alert Type:
Updated *
Bug Id:
CSCux43978
Title:
DHCP Relay fails for cluster ASAs with long interface names
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
DHCP relay is enabled in a cluster environment. Some interfaces configured as relays work properly and some do not.

Conditions:
When the interface name on the ASA exceeds 24 characters, the issue is seen on that interface.

Workaround:
The user can configure an interface name with fewer than 24 characters.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.13(0.121), 100.15(0.104), 100.16(0.14), 100.16(1.70), 100.16(14.1), 9.4(2.5), 9.4(2.99), 9.4(3), 9.5(2.6), 9.6(0.99)
Alert Type:
Updated *
Bug Id:
CSCuv45756
Title:
ASA may traceback when displaying packet capture with trace option
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback.

Conditions:
ASA running 9.4(1) displaying captures with the trace detail option.

Workaround:
Avoid using the trace detail option in captures.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.140), 100.13(0.94), 100.14(0.70), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.56), 100.15(16.1), 100.15(2.86)
Alert Type:
Updated *
Bug Id:
CSCuy03024
Title:
ASA traceback and reload citing Thread Name: idfw_proc
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA may crash and reload unexpectedly.

Conditions:
This crash occurs in the following two scenarios:
1. When there is an FQDN object in the configuration and a user executes "show running-config" or modifies the access-list configuration while the FQDN object is being resolved.
2. When a user accesses or modifies the access-list configuration while it is being modified from another session (telnet/ssh/CSM/ASDM).

Both of the above lead to this crash because both operations result in dlist corruption.

Workaround:
For the first scenario, the crash requires the use of FQDN ACL entries; changing from FQDN to standard IP entries may help avoid the crash.
For the second, avoid accessing and/or modifying the access-list from multiple places at the same time.

More Info:
A very similar issue was fixed under Cisco bug CSCuq76847. This bug covers the same issue in code versions after the fix for CSCuq76847.

Last Modified:
26-APR-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.130), 100.15(0.112), 100.8(40.114), 9.1(7.3), 9.2(4.7), 9.3(3.171), 9.3(3.8), 9.4(2.101)
Alert Type:
Updated *
Bug Id:
CSCux93751
Title:
Cisco ASA Linux Kernel Vulnerability - CVE-2016-0728
Status:
Fixed
Severity:
2 Severe
Description:

Symptoms:

This product includes third-party software that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2016-0728

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 7.2:

http://tools.cisco.com/security/center/cvssCalculator.x?version=2.0&vector=AV:L/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco product.

CVE ID CVE-2016-0728 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
26-APR-2016
Known Affected Releases:
1.1(2), 1.1(3), 1.1(4), 2.0(1), 6.0, 9.3(2), 9.3(3), 9.4(1), 9.5(2), 9.6(2)
Known Fixed Releases: *
100.12(0.156), 100.13(0.127), 100.15(0.112), 9.3(3.171), 9.3(3.8), 9.4(2.99), 9.4(3), 9.5(2.6), 9.6(0.99), 96.1(1.63)
Alert Type:
Updated *
Bug Id:
CSCuw24664
Title:
ASA:Traceback in Thread Name:- netfs_thread_init
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in netfs_thread_init.

Conditions:
ASA configured with an SSL WebVPN configuration.

Workaround:
None at this time

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(3.225)
Known Fixed Releases: *
100.11(0.64), 100.12(0.151), 100.13(0.113), 100.13(32.1), 100.14(0.79), 100.14(5.34), 100.15(0.53), 100.15(17.23), 100.15(3.76), 100.15(8.18)
Alert Type:
Updated *
Bug Id:
CSCux70784
Title:
ASA Crash while viewing large ACL
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA may crash and reload when viewing an ACL that has many remarks in the configuration. In testing, this appears to happen when running a command such as 'show access-list'.

Conditions:
This has been seen with a configuration that has over 65k remarks present.

Workaround:
Do not use many remarks, or clean up the existing remarks to avoid significant numbers of them.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1), 9.5(2)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.125), 100.15(0.110), 100.16(0.20), 100.8(40.113), 9.4(2.99), 9.4(3), 9.6(0.99), 96.1(1.52)
Alert Type:
Updated *
Bug Id:
CSCuw15615
Title:
Backup unknown with dynamic pat pool
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The backup for PAT pool IPs shows up as unknown.

Conditions:
A two-node cluster is brought up with a dynamic PAT pool configuration and transactional commit for NAT enabled.

Workaround:
Disable transactional commit for NAT.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.15(1.86), 9.4(1.100)
Known Fixed Releases: *
100.11(0.64), 100.12(0.152), 100.13(0.117), 100.14(0.81), 100.15(0.67), 100.15(17.30), 100.15(20.10), 100.15(8.22), 100.16(0.5), 100.16(1.13)
Alert Type:
Updated *
Bug Id:
CSCur46371
Title:
TLSv1.2 Client Cert Auth Connection Establishment Failure
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Connection establishment fails only for TLS 1.2 using ECDSA in client mode, i.e. the ASA connecting out to an SSL server with certificate authentication configured.

Conditions:
ASA connecting out to an SSL server with certificate authentication configured.

Workaround:
Do not configure certificate authentication on the SSL web server.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.13(15.11), 9.3(2)
Known Fixed Releases: *
100.13(0.112), 100.14(0.78), 100.15(0.53), 100.15(17.23), 100.15(3.76), 100.15(8.18), 100.16(0.4), 100.16(1.9), 9.4(2.5), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCus10787
Title:
Transactional ACL commit will bypass security policy during compilation
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traffic can bypass the security policy when the transactional-commit access list feature is configured. This can happen only when a new ASA is added to a cluster and the access-list configuration is newly applied; the bypass can happen only during compilation time.
Additionally, the interface security policy is still respected, so no traffic is passed from an interface with a lower security level to an interface with a higher security level.

Conditions:
Cisco ASA Software is affected by this issue if the transactional-commit access list feature is enabled. This can be determined by using the "show running-config asp rule-engine transactional-commit access-group" command and verifying that it returns output.
The following example shows a Cisco ASA configured with the transactional-commit feature:

ciscoasa# show running-config asp rule-engine transactional-commit access-grou$
asp rule-engine transactional-commit access-group

Note: The transactional-commit feature is not configured by default.

Workaround:
There is no workaround other than disabling the feature.

Further Problem Description:
A vulnerability in the transactional-commit access list feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to bypass interface access control policies and send traffic through the affected system.

The vulnerability is due to improper implementation of the feature. An attacker could exploit this vulnerability by sending traffic through the affected system while the system boots for the first time or while an affected system joins a cluster. Additionally, the interface security policy is still respected, so no traffic is passed from an interface with a lower security level to an interface with a higher security level. An exploit could allow the attacker to send traffic through the system, bypassing the interface access control policies.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 100.16(14.1), 100.8(40.111), 9.1(6.104), 9.1(6.112)
Alert Type:
Updated *
Bug Id:
CSCuy71775
Title:
Coverity 114010: USE_AFTER_FREE in rt_walksubtree_ap
Status:
Open
Severity:
3 Moderate
Description: *

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
04-APR-2016
Known Affected Releases:
96.2(1.147), 97.1(1.5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz14891
Title:
secondary authentication missing with keywords "RDP" in group-url
Status:
Other
Severity:
3 Moderate
Description: *

Symptom:
SA group problems (group URL) with secondary auth credentials.

Conditions:
When "RDP" is part of the group-url, the secondary authentication field does not show up.
This is seen in all versions of code between 8.4.2(6) and 9.5.1.

Workaround:
Upgrade to 9.5.1 or 9.5.2.

Further Problem Description:

Last Modified:
12-APR-2016
Known Affected Releases:
8.4(6.250), 8.5(1.243), 9.4(3)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy62198
Title:
If FQDN is more than 64 chars then we redirect to ip instead of FQDN
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When clicking the Start AnyConnect link, you get a certificate warning.

Conditions:
This happens when connecting to an ASA with an FQDN longer than 64 characters. The reason for the certificate warning is that the ASA responds with a redirect to the IP address instead of the FQDN, causing the certificate name not to match.

Workaround:
Shorten the ASA FQDN to fewer than 64 characters.

Further Problem Description:

Last Modified:
19-APR-2016
Known Affected Releases:
9.4(1.203)
Known Fixed Releases: *
100.11(0.71), 100.12(0.158), 100.13(0.137), 100.15(0.114), 100.8(40.117), 9.4(2.109), 96.1(1.88), 96.2(1.171), 96.2(11.4), 97.1(0.9)
Alert Type:
Updated *
Bug Id:
CSCuu93339
Title:
Cisco ASA Poodle TLS Variant
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
Cisco ASA models 5506-X, 5508-X and 5516-X include a version of an SDK that is vulnerable to a variant of POODLE TLS in which the first byte of the padding is not checked.

Additional information about this issue can be found at:
https://vivaldi.net/en-US/userblogs/entry/there-are-more-poodles-in-the-forest

Conditions:
Cisco ASA Software is affected by this vulnerability if a feature that uses TLS is enabled. The exposure is confined to that feature only.
Examples of features using TLS are the HTTP secure server for management, clientless and AnyConnect SSL VPN, TLS proxy, phone proxy, etc.

Workaround:
There is no workaround for this issue other than disabling the affected feature.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C&version=2.0
CVE-2015-4595 has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
19-APR-2016
Known Affected Releases:
9.3(3.2), 9.4(1.3)
Known Fixed Releases:
100.12(0.130), 100.13(0.81), 100.13(29.28), 100.14(0.48), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.54)
Alert Type:
Updated *
Bug Id:
CSCuy81417
Title:
Coverity 114307: RESOURCE_LEAK in sl_ipc_send_res_disable_msg
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
21-APR-2016
Known Affected Releases:
97.1(1.5)
Known Fixed Releases: *
96.2(1.178), 96.2(11.9), 97.1(0.11), 97.1(1.18), 97.1(3.5), 97.1(5.6)
Alert Type:
Updated *
Bug Id:
CSCuy72257
Title:
Coverity 114177: CHECKED_RETURN in oct_dbg_write_csr
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
22-APR-2016
Known Affected Releases:
96.2(1.147), 97.1(1.6)
Known Fixed Releases: *
96.2(0.5), 96.2(11.11), 97.1(0.12), 97.1(1.23), 97.1(3.6), 97.1(5.6)
Alert Type:
Updated *
Bug Id:
CSCui55978
Title:
ASA 8.2.5 snmpEngineTime displays incorrect values
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA snmpEngineTime rolls over too early, it should not roll over for 68 years.

Conditions:
ASA 5505, 5510, 5520, 5540, 5550 that has an uptime over 49.7 days.

Workaround:
none

Further Problem Description:
none

Last Modified:
22-APR-2016
Known Affected Releases: *
8.2(2), 8.2(5), 9.1(1.1), 9.1(2)
Known Fixed Releases:
100.10(0.13), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.122), 100.8(27.89), 100.8(38.31), 100.8(40.21), 100.8(41.2), 100.8(45.1)
Alert Type:
Updated *
Bug Id:
CSCur74745
Title: *
SSH PKF authentication failure still allows password authentication
Status: *
Terminated
Severity:
3 Moderate
Description: *

Symptom:
SSH PKF authentication failure still allows password authentication

Conditions:
SSH configured with PKF configuration

Workaround:
NONE

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(2.8)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux85725
Title:
ASA WebVPN: Java RDP Plugin does not launch
Status:
Fixed
Severity:
3 Moderate
Description:


Symptom:
Once logged in to the ASA's clientless WebVPN portal, clicking on an RDP bookmark [or URL] opens the Java RDP Plugin Page, with a note saying:
Launching properJavaRDP session...
Connecting to:

However, the connection never succeeds.


Conditions:
ASA running release 9.1.6.7 or later

Note: tested with JRE ver 1.8 u65

Workaround:
No workaround for Java

Using ActiveX based RDP [IE only] works.

More Info:
For customers who
* deploy Clientless plug-ins (e.g. RDP, Telnet/SSH, VNC, Citrix), or
* utilize Clientless VPN to access web pages that host Java applets,
their users may experience similar behaviors with different error messages.



Last Modified:
26-APR-2016
Known Affected Releases:
9.5(2), 96.1(1.45)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.128), 100.15(0.112), 100.8(40.114), 9.1(7.4), 9.2(4.6), 9.3(3.171), 9.3(3.8), 9.4(2.10)
Alert Type:
Updated *
Bug Id:
CSCui20213
Title:
5585 interface counters show 0 for working interfaces and console errors
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The output of 'show interface' could show counters that have not incremented and are all stuck at 0, even though the interface is actively passing traffic (the input and output packet rates are non-zero).

Example:

Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is bcm56801 rev 01, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address xxxx.xxxx.xxxx, MTU 1500
IP address 10.0.0.2, subnet mask 255.255.255.224
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause/resume input
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 pause/resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Traffic Statistics for "outside":
7535042 packets input, 8722096534 bytes
8312179 packets output, 5806296169 bytes
6413 packets dropped
1 minute input rate 12208 pkts/sec, 14102277 bytes/sec
1 minute output rate 13488 pkts/sec, 9085510 bytes/sec
1 minute drop rate, 6 pkts/sec
5 minute input rate 12883 pkts/sec, 15164633 bytes/sec
5 minute output rate 13085 pkts/sec, 8124951 bytes/sec
5 minute drop rate, 8 pkts/sec
Control Point Interface States:
Interface number is 6
Interface config status is active
Interface state is active

Additionally, the following messages might be seen on the console of the ASA:
8841: Message #1162 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12
8842: Message #1163 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12
8843: Message #1164 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12
8844: Message #1165 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12
8845: Message #1166 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12

Conditions:
Only the ASA 5585 platforms are affected by this problem.

The 'bcmCNTR.0' process will not be present in the output of 'show process'.

Example:
Note the bcmCNTR.0 is not listed in the output below:

ciscoasa/pri/stby# show proc | inc bcm
Mwe 0x0000000001d94c98 0x00007ffaa8510748 0x00007ffad2bf43d0 0 0x00007ffaa8508960 32224/32768 bcmXGS3AsyncTX
Mwe 0x0000000001d94c98 0x00007ffaa93e6b08 0x00007ffad2bec100 0 0x00007ffaa93ded00 32256/32768 bcmTX
Msi 0x00000000021e6b25 0x00007ffaa9523e98 0x0000000005bad7d0 523950 0x00007ffaa951c000 30136/32768 bcmPOLL
Mwe 0x0000000001d94cde 0x00007ffad8badaf8 0x00007ffad2beb650 8688473 0x00007ffad8ba5d20 28568/32768 bcmLINK.0
Mwe 0x0000000001d94c98 0x00007ffaa7a62aa8 0x00007ffaa7a5ac10 0 0x00007ffaa7a5ac80 32288/32768 bcmDPC
Mwe 0x0000000001d94cde 0x00007ffaa94b43e8 0x00007ffad2beb6c0 4251733 0x00007ffaa94ac600 29416/32768 bcmCNTR.0
Mwe 0x0000000001d5cdaa 0x00007ffaa7a5a7f8 0x00007ffaa7a27fb8 0 0x00007ffaa7a52980 32368/32768 bcm_esw_surprise_reset.0
Msi 0x0000000001d65998 0x00007ffad8bb5bf8 0x0000000005bad7d0 211236 0x00007ffad8badd70 30008/32768 bcm_esw_poll
Mwe 0x0000000001d63468 0x00007ffad8bbdc08 0x0000000005b11590 4 0x00007ffad8bb5dc0 29496/32768 bcm_esw_ioctl_task_handler
ciscoasa/pri/stby#

Workaround:
Rebooting the ASA should restore the interface statistic information.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.8(53.2), 100.9(7.27), 8.4(7), 9.1(4)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(0.80), 100.15(20.15), 100.15(8.27), 100.16(0.8), 100.16(1.30), 100.16(14.1)
Alert Type:
Updated *
Bug Id:
CSCuw65183
Title:
PBR set ip next-hop lost on boot if name configured for IP argument
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"set ip next-hop" statement in ASA route-map disappears after reload

Conditions:
Occurs when a name to IP mapping exists for the address used as an argument in that "set ip next-hop" configuration.

i.e., if the "set ip next-hop" command referenced 192.168.1.1 and there was a config line of:

name 192.168.1.1 WIN-PC

Workaround:
Delete the name to IP mapping for the IP address used in that command

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(2), 9.5(1)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.118), 100.14(0.81), 100.15(0.69), 100.15(17.31), 100.15(20.11), 100.15(8.22), 100.16(0.6), 100.16(1.18)
Alert Type:
Updated *
Bug Id:
CSCux09040
Title:
ASA not denying initial SYN to non gateway of host
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA completes 3-way handshake for Telnet/SSH control traffic (to-the-box) when initial SYN should be denied.

Conditions:
Tested on ASA running 9.2.3.4 and 9.3.1 images.
SSH/Telnet enabled
Client sends control traffic to non gateway interface

Workaround:
create specific denies for control plane traffic via ACL
disable SSH/Telnet
upgrade to 9.4.1

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(3.4), 9.3(1)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 100.16(14.1), 9.4(2.99), 9.4(3), 9.6(0.99)
Alert Type:
Updated *
Bug Id:
CSCuw88405
Title:
BGP not working when admin context is in transparent mode
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
BGP not working when admin context is in transparent mode

Working:
!
ciscoasa# show context
Context Name Class Interfaces Mode URL
*admin default Management0/0 Transparent disk0:/admin.cfg
USER1 default GigabitEthernet0/0 Transparent disk0:/USER1.txt
USER2 default GigabitEthernet0/1 Routed disk0:/USER2.txt
!
ciscoasa(config-router)# show run router
router bgp 1
bgp log-neighbor-changes
!
Non-working:
!
ciscoasa# show context
Context Name Class Interfaces Mode URL
*admin default Management0/0 Transparent disk0:/admin.cfg
USER1 default GigabitEthernet0/0 Transparent disk0:/USER1.txt
USER2 default GigabitEthernet0/1 Routed disk0:/USER2.txt
!
ciscoasa(config)# router bg?
ERROR: % Unrecognized command

Conditions:
When Admin is in transparent mode

Workaround:
Make admin in routed mode

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3
Known Fixed Releases: *
100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(0.78), 100.15(20.14), 100.15(8.24), 100.16(0.8), 100.16(1.27), 100.16(14.1), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCut18736
Title:
ASA crashes after clear configure all command
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA crashes after the "clear configure all" command is executed

Conditions:

Workaround:

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(2.202)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.111), 100.14(0.78), 100.15(0.48), 100.15(17.20), 100.15(3.71), 100.15(8.17), 100.16(0.3), 100.16(1.7)
Alert Type:
Updated *
Bug Id:
CSCuw03367
Title:
ASA not installing external LSA with recursive forwarding address
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
OSPF routes sent to ASA can fail to install to the routing table if the forwarding address is covered by the route that is received, even if there is a more specific route that already exists in the routing table. IOS allows this condition to install the route, but ASA does not.

Debugs show:

OSPF: Start processing Type 5 External LSA 192.168.1.0, mask 255.255.224.0, adv 192.168.200.245, age 1045, seq 0x80001158, metric 1, metric-type 1, fw-addr 192.168.1.1
OSPF: external LSA with recursive forwarding address, ignoring

Conditions:
ASA receives an LSA with a forwarding address that falls within the scope of the route, for instance a route for the subnet 192.168.1.0/23 with an OSPF fw-addr of 192.168.1.1. This condition should fail UNLESS the ASA already has a more specific route that covers the fw-addr, but even if that condition is met, the route fails to add.

Workaround:
None at this time.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.146), 100.13(0.100), 100.14(0.74), 100.15(0.26), 100.15(1.92), 100.15(16.5), 100.15(17.7), 100.15(3.51), 100.15(8.14)
Alert Type:
Updated *
Bug Id:
CSCuw32493
Title:
ASA BGP peering flaps with password and ikev2 tunnel.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
BGP adjacency flaps between active/idle state when password is configured for the neighbors. BGP Open message is sent over a L2L tunnel with ikev2-only encryption.

BGP: nbr global Active open failed - open timer running

Conditions:
ASA 5515 pair in lab environment.
Code: 9.4(1)5

Interesting traffic ACL is configured for the neighbor's IP only.
No other traffic going through the firewall.

Workaround:
Remove the neighbor x.x.x.x password command
Use ikev1 for tunnel authentication

Further Problem Description:
BGP peering fails to establish when neighbor is password authenticated and the TCP/179 communication is sent through an IPsec tunnel using ikev2 only.

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1.5)
Known Fixed Releases: *
100.11(0.64), 100.11(0.65), 100.12(0.152), 100.12(0.154), 100.13(0.116), 100.13(0.120), 100.14(0.80), 100.14(0.83), 100.15(0.63), 100.15(0.87)
Alert Type:
Updated *
Bug Id:
CSCuw81402
Title:
ASA packet-tracer and trace capture incorrect result in case of ECMP
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Both ASA packet-tracer and trace capture can print incorrect output-interface in the "Result" section in case of ECMP with traffic zones.

Conditions:
All ASA versions that support traffic zones are affected.

Workaround:
None, but this is a cosmetic issue.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.5(1)
Known Fixed Releases: *
100.12(0.155), 100.13(0.121), 100.15(0.105), 100.16(0.15), 100.16(1.76), 100.16(14.1), 9.4(2.99), 9.4(3), 9.6(0.99), 96.1(1.26)
Alert Type:
Updated *
Bug Id:
CSCuw40468
Title:
DHCP proxy overwrites chosen DHCP server in multiple DHCP server scenario
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
AnyConnect clients stop connecting to the ASA because they are no longer able to get an address from the DHCP server.

Conditions:
- multiple DHCP servers configured on the ASA
- either DHCP server is behaving incorrectly where it sees the REQUEST (with the other server's IP) and still replies with an OFFER, or the OFFER was sent by the non-selected DHCP server before it sees the REQUEST

Workaround:
configure only one DHCP server

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.15(0.44), 100.15(17.18), 100.15(3.68), 100.15(8.17), 100.16(0.2), 100.16(1.5)
Alert Type:
Updated *
Bug Id:
CSCuw51333
Title:
ASA 9.4 - missing server authenticate-client command for tls proxy
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Starting in ASA 9.4, the tls proxy command 'server authenticate-client' is not being accepted in the CLI.

Conditions:
- Running ASA version 9.4.x or 9.5.1.x
- Configuring TLS-proxy and planning to disable client authentication

Workaround:
Use ASA 9.3.x or an earlier version.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4, 9.5(1)
Known Fixed Releases: *
100.13(0.114), 100.14(0.79), 9.4(2.99), 9.4(3), 99.1(3.184), 99.2(2.11)
Alert Type:
Updated *
Bug Id:
CSCux64134
Title:
Incorrect NTP authentication behavior
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The Cisco Adaptive Security Appliance (ASA) is configured for Network Time Protocol (NTP) authentication. It is possible that the ASA will sync to an unauthenticated NTP server if the NTP key has not been previously configured for that NTP server.

With no NTP authentication configured there is no authentication required even if the NTP key is configured on the NTP server.

Conditions:
The ASA is configured with "ntp authentication".

Workaround:
Configure NTP authentication along with the "ntp server ... key ..." command so each configured NTP server has a key configured.

Further Problem Description:
Please refer to the Cisco ASA Command Reference Manual for more information on NTP
Authentication:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/n.html#pgfId-1814887

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(4)
Known Fixed Releases: *
100.12(0.156), 100.13(0.124), 100.15(0.108), 100.16(0.19), 100.16(1.97), 100.16(14.1), 9.4(2.99), 9.4(3), 9.6(0.99), 96.1(1.49)
Alert Type:
Updated *
Bug Id:
CSCux22468
Title:
VPN connection may fail when using an ECDSA certificate
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA may fail on a signature operation using an ECDSA private key while establishing a VPN connection.

Conditions:
The ECDSA key pair is generated outside of the ASA and imported using the "crypto ca import pkcs12" command.
The resulting trustpoint is referenced to provide a PKI identity in a VPN configuration.

Workaround:
The problem can be avoided by generating a new key pair on the ASA and re-acquiring the ECDSA certificate using SCEP or manual enrollment.

More Info:


Last Modified:
26-APR-2016
Known Affected Releases:
9.1
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.15(0.103), 100.16(0.13), 100.16(1.97), 100.16(14.1), 100.8(40.108), 9.1(6.109), 9.1(7)
Alert Type:
Updated *
Bug Id:
CSCux63532
Title:
webvpn cache-disabled msg is too disruptive and may cause config issues
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A new INFO message is displayed in 9.1.7 when entering webvpn config mode from the console, ASDM or SSH:
"INFO: Webvpn Cache is disabled by default on this release.
Please refer to the documentation to enable WebVPN Cache using CLI or ASDM."

It may interfere with some webvpn configurations and is confusing/disruptive.

Conditions:
Configuring webvpn

Workaround:
none

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6.107), 9.1(6.113)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.107), 100.16(0.17), 100.16(1.83), 100.16(14.1), 100.8(40.112), 9.1(6.115), 9.1(7)
Alert Type:
Updated *
Bug Id:
CSCua32176
Title:
IPv6 Complete Packet Fragment Reassembly Check Bypass
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
It is possible for a crafted IPv6 packet to bypass the fragment reassembly check of the Cisco Adaptive Security Appliance (ASA).

Conditions:
Cisco ASA configured for IPv6.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C&version=2.0
CVE ID CVE-2012-5736 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.2(4.5)
Known Fixed Releases: *
100.11(0.62), 100.11(0.63), 100.12(0.143), 100.12(0.146), 100.13(0.100), 100.13(0.95), 100.14(0.71), 100.14(0.73), 100.15(0.24), 100.15(0.26)
Alert Type:
Updated *
Bug Id:
CSCus65997
Title:
Failover State Link Must Support Directly Connected Redundant Interface
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When using stateful failover on Adaptive Security Appliances (ASA), a reloaded failover peer may select an inactive member of the redundant interface on the failover state link. As a result, the failover state link fails.

Conditions:
Failover ASA units use a pair of directly connected physical ports in a redundant interface configuration for the failover state link.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.0(4), 9.1(5)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.107), 100.14(0.76), 100.15(0.34), 100.15(16.8), 100.15(17.12), 100.15(3.60), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCut74139
Title:
Standard Based IKEv2: Incorrect command to configure DPD
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
IKEv2 remote access DPD is configured under the group policy instead of the tunnel group.

Conditions:
Configuring DPD for remote access IKEv2 connections.

Workaround:
Configure 'anyconnect dpd-interval gateway' under the group policy webvpn config. Eg:

group-policy test attributes
webvpn
anyconnect dpd-interval gateway 300

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(0.78), 100.15(20.14), 100.15(8.25), 100.16(0.8), 100.16(1.28), 100.16(14.1), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCux26443
Title:
DAP URL-List Command Says It Supports 491 Characters; Only Supports 245
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Currently, the ASA states that dynamic-access-policy-record url-lists can be 491 characters; however, the URL-list can actually only be 245 characters in length. If you add a list greater than 245 characters long, it gets instantly removed from the configuration.

Conditions:
First reported on ASA 9.1(5).

Workaround:
Change the name of your URL-List Entries to make the entire list less than 245 characters in length.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.15(0.101), 100.16(0.13), 100.16(1.70), 100.16(14.1), 100.8(40.108), 9.1(6.109), 9.1(7)
Alert Type:
Updated *
Bug Id:
CSCuu61981
Title:
http server shows as enabled in running config while not
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the configuration command "http server enable" fails due to a port usage conflict with AAA, with the error message "ERROR: Port 443 is being used on interface public by an aaa authentication listener", the configuration is incorrectly updated to include "http server enable".

Conditions:
When the configuration "http server enable [port-number]" is attempted but the designated port is already in use (e.g., by AAA).

Workaround:
Remove the conflicting configuration before "http server enable".

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.63), 100.12(0.149), 100.13(0.108), 100.14(0.77), 100.15(0.54), 100.15(17.23), 100.15(3.76), 100.15(8.18), 100.16(0.4), 100.16(1.9)
Alert Type:
Updated *
Bug Id:
CSCuv49100
Title:
ASA: Unable to ping fover IPv6 address in multiple mode
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Ping command fails when trying to ping the IPv6 address assigned to the failover lan interface.

Conditions:
ASA is in multiple mode with IPv6 addresses assigned to the failover lan interface.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.15(0.45), 100.15(17.20), 100.15(3.69), 100.15(8.17), 100.16(0.3), 100.16(1.5)
Alert Type:
Updated *
Bug Id:
CSCuv52750
Title:
Cannot change "management-only" for port-channel interfaces on 5500-X
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Once a port-channel interface is created, its management-only setting cannot be changed (enabled or disabled, whatever the initial management-only setting was when the interface was created). The following error is shown if an attempt to change the setting is made:

"It is not allowed to make changes to this option for management interface on this platform"

This happens only with port-channel interfaces, and this behavior is not tied to the management-only state of the member interfaces.

Conditions:
5500-X models, excluding 5585-X

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.94), 100.14(0.69), 100.15(0.23), 100.15(1.53), 100.15(15.14), 100.15(16.1), 100.15(2.83), 100.15(3.30), 100.15(6.19), 100.15(6.20)
Alert Type:
Updated *
Bug Id:
CSCux07478
Title:
Session Manager debugs missing identifiers and logoff oldest wrap issue
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
vpn-session debugs inconsistent and are missing session/tunnel IDs.
This makes it difficult to isolate a single connection.

Conditions:
debug vpn-session
multiple sessions being established

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.84), 100.15(0.92), 100.15(20.20), 100.16(0.10), 100.16(1.40), 100.16(14.1), 100.16(15.5)
Alert Type:
Updated *
Bug Id:
CSCux29453
Title:
IPv6: ASA denies IPv6-ICMP request to the ASA when failover
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
After executing the "no failover active" command on the active unit while an IPv6 ping (ICMP echo request) to the ASA is in progress, the ping to the new active ASA keeps being dropped and does not recover.

Conditions:
- Only IPv6 pings to the ASA have this issue; IPv4 is not affected.
- same-security-traffic permit intra-interface command is enabled.
- after failover.

Workaround:
Stop the ping and ping again.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6), 9.3(2), 9.5(1.5)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 100.16(14.1), 100.8(40.111), 9.4(2.99), 9.4(3)
Alert Type:
Updated *
Bug Id:
CSCux41622
Title:
"set connection timeout idle" is not applied.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Custom TCP connection idle timeout does not work until service-policy is removed and re-applied.

Conditions:
Custom TCP idle connection timeout should be configured.

Workaround:
We need to remove and re-apply the service-policy for the traffic to match the associated class-map.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6.10)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.105), 100.16(0.16), 100.16(1.82), 100.16(14.1), 100.8(40.111), 9.1(7.5), 9.2(4.9)
Alert Type:
Updated *
Bug Id:
CSCuv05255
Title:
ASA built and teardown log messages show "any" information
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA connection built and teardown log messages display parameter "any" such as below:

Jun 19 01:55:00 172.19.32.124 %ASA-6-302015: Built outbound UDP connection 4535 for outside:4.2.2.2/53 (4.2.2.2/53) to identity:172.19.32.124/59941 (172.19.32.124/59941)(any)
Jun 19 01:57:02 172.19.32.124 %ASA-6-302016: Teardown UDP connection 4535 for outside:4.2.2.2/53 to identity:172.19.32.124/59941(any) duration 0:02:01 bytes 186

May 29 15:18:11 172.19.32.124 %ASA-6-302020: Built outbound ICMP connection for faddr 10.82.32.127/0 gaddr 10.82.32.124/31615 laddr 10.82.32.124/31615(any)
May 29 15:18:11 172.19.32.124 %ASA-6-302021: Teardown ICMP connection for faddr 10.82.32.127/0 gaddr 10.82.32.124/31615 laddr 10.82.32.124/31615(any)

Conditions:
ASA running code 9.3.3

Workaround:

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(3)
Known Fixed Releases: *
100.12(0.158), 100.13(0.132), 9.4(2.103), 9.4(3)
Alert Type:
Updated *
Bug Id:
CSCux99214
Title:
ASA5516 SSD reports incorrect OID in Entity MIB
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Wrong OID returned for ASA5516 SSD in Entity MIB

Conditions:

Workaround:
The bug has been resolved with the necessary fixes. A new OID has been assigned to the ASA5516 platform type. The fixes have been tested and committed to the codebase.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.133), 100.15(0.112), 9.4(2.104), 9.4(3), 96.2(1.146), 96.2(11.1), 97.1(0.4), 97.1(1.4), 97.1(2.2), 97.1(3.1)
Alert Type:
Updated *
Bug Id:
CSCua32157
Title:
Remove Code for Type 0 Routing Headers
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
This is a modification on the product to adopt new secure code best practices to enhance the security posture and resiliency of the product.

Conditions:
Device configured with default configuration.

Workaround:
Not applicable or available.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.2(4.5)
Known Fixed Releases: *
100.11(0.62), 100.12(0.145), 100.13(0.98), 100.14(0.73), 100.15(0.26), 100.15(1.92), 100.15(16.5), 100.15(17.7), 100.15(3.54), 100.15(8.14)
Alert Type:
Updated *
Bug Id:
CSCuq27754
Title:
WebVPN client browser doesn't show all content from flash site
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When www.loreal.com is accessed through the Clientless SSL VPN portal page, flash content on www.loreal.com is not displayed.

Conditions:
Seen on both Mac OS X v10.9 with Firefox v28, v30 and Safari v7.x, and on Windows 7 with Firefox v28 and Internet Explorer v11.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(1.102)
Known Fixed Releases: *
100.13(0.112), 100.14(0.78), 100.15(0.51), 100.15(17.21), 100.15(3.73), 100.15(8.17), 100.16(0.3), 100.16(1.7), 9.4(2.99), 9.4(3)
Alert Type:
Updated *
Bug Id:
CSCux90740
Title:
"backup" command does not include anyconnect client profile files
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"backup" command via CLI does not contain AnyConnect client profile files.

Conditions:
backup ASA configuration via CLI

Workaround:
Backup ASA configuration via ASDM

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.156), 100.13(0.127), 100.15(0.112), 9.4(2.99), 9.4(3), 9.6(0.99), 96.1(1.63), 96.2(1.116)
Alert Type:
Updated *
Bug Id:
CSCut67779
Title:
Investigate impact of jumbo-frame reservation on low-end ASA platforms
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Low-end ASA models, like the ASA5512-X or ASA5515-X, may fail to boot if jumbo frames are enabled (jumbo-frame reservation) and an additional interface card, such as the ASA-IC-6GE-CU-A, is present in the chassis.

Conditions:
This issue was seen in 9.2(3) and 9.3(1) software.

Workaround:
Try to load 9.3(2) software, run "no jumbo-frame reservation" and reload.

Further Problem Description:
Even though 9.3(2) software boots up, the ASA cannot service ASDM connections if Jumbo frames are enabled. This happens due to low volume of free DMA memory. Use "show memory detail" command to check.

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(3), 9.3(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.139), 100.13(0.94), 100.14(0.70), 100.15(0.23), 100.15(1.56), 100.15(16.1), 100.15(2.86), 100.15(3.31), 100.15(6.19)
Alert Type:
Updated *
Bug Id:
CSCuv11963
Title:
TP Auth fails when sub CA using RSA keys is signed by root using ECDSA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA fails to validate the AnyConnect client certificate issued by the intermediate CA under the conditions below.

Conditions:
1. ASA running 9.3.3.1, configured for certificate authentication.

2. Root CA cert must have ECDSA signature algorithm and ECDSA public key.

3. Intermediate CA cert must have ECDSA signature algorithm with RSA public key.

4. ASA ID cert must have RSA signature algorithm with RSA public key.

5. Client cert must have RSA signature algorithm with RSA public key.

Workaround:
NONE

Further Problem Description:
When we connect to the ASA from an AnyConnect client machine, we see the client sending its ID cert and the ASA failing to verify the cert chain with the debug output below.

CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.
CRYPTO_PKI:Failed to set key info for get public key obj, status: 542, keylen: 294
CRYPTO_PKI: Verify chain of certs failed to get pubkey from signer.

Root, intermediate and ID certs are installed in separate trustpoints on the ASA. We have also tried installing the intermediate and ID certs in a single trustpoint, which results in the same failure.

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(3.1), 9.4(1), 9.5(1)
Known Fixed Releases: *
100.13(0.98), 100.14(0.73), 100.15(0.26), 100.15(1.83), 100.15(16.4), 100.15(17.2), 100.15(3.50), 100.15(6.33), 100.15(8.13), 9.4(1.112)
Alert Type:
Updated *
Bug Id:
CSCux12959
Title:
"failover standby config-lock" is not loaded in ASA correctly
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The configuration "failover standby config-lock" is not loaded on the ASA correctly.

When the ASA boots with a failover configuration, it shows the following message.

Reading from flash...
!!Failover is not enabled or failover is not configured this command will not be executed

Conditions:
Setting of "failover standby config-lock"

Workaround:
Re-execute the command "failover standby config-lock" if the ASA does not reflect "failover standby config-lock" after a reboot.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.121), 100.14(0.85), 100.15(0.97), 100.16(0.12), 100.16(1.50), 100.16(14.1), 100.16(15.7), 9.4(2.99), 9.4(3), 9.6(0.99)
Alert Type:
Updated *
Bug Id:
CSCuw15152
Title:
Fix broken gcov build in dublin/main
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Fix broken gcov build in dublin/main

Conditions:
Fix broken gcov build in dublin/main

Workaround:

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.12(0.145)
Known Fixed Releases: *
100.12(0.147), 100.13(0.102), 100.14(0.75), 100.15(0.28), 100.15(1.92), 100.15(16.5), 100.15(17.7), 100.15(3.51), 100.15(8.14), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCuv72826
Title:
object-group-search access-control enabled, nested object group issue
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA denies traffic after a group object is moved into another group object.

Conditions:
object-group-search access-control enabled

Workaround:
Reapply the access-list to the interface.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6), 9.2(3), 9.4(1)
Known Fixed Releases: *
100.12(0.148), 100.13(0.105), 100.14(0.76), 100.15(0.31), 100.15(16.7), 100.15(17.11), 100.15(3.56), 100.15(8.15), 100.16(0.2), 100.16(1.2)
Alert Type:
Updated *
Bug Id:
CSCuv80580
Title:
ASA allows AC session with existing AAA assigned address after failover
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
After failover, the ASA allows an AnyConnect session to be created using the same Framed-IP-Address as a session that was created and replicated before the failover, not detecting that the IP address has already been assigned by AAA. While the session with the duplicate assigned address exists, the ASA will not pass VPN data traffic for that session.

Conditions:
ASA in an HA setup, with RADIUS used for address assignment.

Workaround:
Assuming the Framed-IP-Address value is associated with a specific username, enable AutoReconnect so that a new session is not required after failover. Alternatively, configure simultaneous logins to 1, or configure a shorter vpn-idle-timeout to push off the existing session. If none of these is acceptable, it is also possible not to use RADIUS for address assignment.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6), 9.1(6.6)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.107), 100.14(0.76), 100.15(0.34), 100.15(16.8), 100.15(17.12), 100.15(3.60), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCuv86227
Title:
ASA sending incorrect ACL hash for ASDM TopN ACL statistics on a cluster
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Error message "n/a config out of sync" under the firewall dashboard in ASDM when managing an ASA cluster.

Conditions:
ASA cluster managed through ASDM with threat detection statistics turned on.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.145), 100.13(0.98), 100.15(0.25), 100.15(1.78), 100.15(16.3), 100.15(17.1), 100.15(3.46), 100.15(6.30), 100.15(8.13)
Alert Type:
Updated *
Bug Id:
CSCux39988
Title:
Different output of BVI address in transparent mode on failover pair
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The BVI IP address differs between the output of "show interface" and "show interface ip brief" on the standby unit.

Conditions:
ASA Failover + transparent mode

Workaround:
NA

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6.10), 9.5(1.5)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.106), 100.15(0.113), 100.8(40.110), 9.4(2.99), 9.4(3), 96.1(1.87), 96.2(1.168)
Alert Type:
Updated *
Bug Id:
CSCuv60724
Title:
Cisco ASA Unicast Reverse Path Forwarding (uRPF) Bypass Vulnerability
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A vulnerability in the Unicast Reverse Path Forwarding (uRPF) feature in the Cisco
Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker
to bypass the uRPF validation checks.

The vulnerability is due to incorrect uRPF validation where IP packets from an outside
interface whose IP address is both in the ASA routing table and associated with an internal
interface are not dropped. An attacker could exploit this vulnerability by sending spoofed
IP packets to the ASA in a subnet range which should be dropped. An exploit could allow the
attacker to bypass uRPF validation on the ASA and the packet will be incorrectly forwarded
on the internal network.

Conditions:
The ASA has the command "ip verify reverse-path interface" configured on an outside interface which has a default route.

Workaround:
None.

Further Problem Description:
This problem was introduced by ASA software version 9.3(3).

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2015-4321 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(1.50), 9.3(2.100), 9.3(3), 9.4(1)
Known Fixed Releases: *
100.12(0.140), 100.13(0.95), 100.14(0.70), 100.15(0.24), 100.15(1.60), 100.15(16.1), 100.15(17.1), 100.15(3.32), 100.15(6.19), 100.15(6.20)
Alert Type:
Updated *
Bug Id:
CSCuz16398
Title:
Incorrect modification of NAT divert table.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The NAT divert table gets modified, or rather the rule gets pushed to the bottom of the NAT divert table list, when we add the "no-proxy-arp/route-lookup" keyword to an already existing NAT statement.

Conditions:
Append the no-proxy-arp/route-lookup keywords to an existing NAT rule entry without deleting the entry first.

Workaround:
Delete the NAT statement and re-add the entry with the keyword included, specifying the line number to keep its position.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(4.5)
Known Fixed Releases: *
100.13(0.138), 100.15(0.116), 96.2(0.7), 96.2(11.12), 97.1(0.12), 97.1(1.25), 97.1(1.26), 97.1(3.6), 97.1(5.7)
Alert Type:
Updated *
Bug Id:
CSCuv88898
Title:
WEBVPN Rewriter: Stops mangling after hex code of Period on Bookmark URL
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the hex codes of the characters in a URL are used in a bookmark for clientless WebVPN, the URL mangling stops after the hex equivalent of "period" is seen.
For example:
For http://www.cisco.com we use "http://www.cisco.com"
The mangled URL looks like this:
https://ASA IP/+CSCO+0h756767633A2F2F6A6A6A++/.cisco.com

The mangling stops at ".", which is the hex equivalent of "period".

Conditions:
Hex codes are used in the bookmark URL.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.106), 100.14(0.76), 100.15(0.39), 100.15(17.14), 100.15(3.63), 100.15(8.16), 100.16(0.2), 100.16(1.3)
Alert Type:
Updated *
Bug Id:
CSCux81075
Title:
PBR "set interface" failing to use default and less preferred route
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Policy-based routing using the "set interface" option cannot use the default route or a specific route with a higher distance.

Conditions:
- ASA configured with policy-based routing
- "set interface" option used to selectively route the traffic

Workaround:
Use "set ip next-hop" instead, if possible.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.13(0.127), 100.15(0.112), 9.4(2.99), 9.4(3), 9.6(0.99), 96.1(1.60), 96.2(1.111)
Alert Type:
Updated *
Bug Id:
CSCut35367
Title:
SVG Parser not mangling xlink:href attribute
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When loading a URL whose page contains an svg tag via WebVPN, the page renders correctly but the xlink:href attribute is not mangled.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.13(16.1), 9.3(2)
Known Fixed Releases: *
100.11(0.62), 100.12(0.142), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(16.3), 100.15(17.1), 100.15(3.37), 100.15(6.21)
Alert Type:
Updated *
Bug Id:
CSCtj56778
Title:
Incorrect ARP MAC Address conversion
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA converts the following CLI
arp inside 1.2.3.4 abc.de.f
to
arp inside 1.2.3.4 ab0c.de00.0f00
It should instead convert it to
arp 1.2.3.4 0abc.00de.000f
as IOS and the IPv6 neighbor cache do.

Conditions:

Workaround:
Enter the MAC address in its full, non-abbreviated form.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.3(1)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.121), 100.14(0.84), 100.15(0.94), 100.15(20.22), 100.16(0.10), 100.16(1.50), 100.16(14.1), 100.16(15.7)
Alert Type:
Updated *
Bug Id:
CSCux50234
Title:
asa fails to format disk1 USB drive
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA rejects disk1 as an argument to the format command.

Conditions:
This is a problem with newer ASA versions.

Workaround:
Downgrade to 9.1.7, perform the formatting, and then upgrade back to the affected version.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1.204)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 100.16(14.1), 9.4(2.99), 9.4(3), 9.6(0.99)
Alert Type:
Updated *
Bug Id:
CSCuy88971
Title:
ASA does not suppress EIGRP candidate default route information
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA does not clear the "Route is Candidate Default" flag in EIGRP updates when redistributing a default route from static routes or other dynamic routing protocols.
EIGRP update packets display: Route is Candidate Default: True
External Data
Originating RouterID: x.x.x.x(x.x.x.x)
Originating A.S.: x
Administrative Tag: x
External Metric: x
Reserved: x
External Protocol ID: Static Route (3)
External Flags
.... ...0 = Route is External: False
.... ..1. = Route is Candidate Default: True

Conditions:
The command "no default-information out" is configured under EIGRP.

Workaround:
NONE

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.0, 9.1, 9.2, 9.3, 9.4, 9.5
Known Fixed Releases: *
100.11(0.71), 100.13(0.137), 100.15(0.114), 9.4(2.109), 9.4(3), 96.1(1.88), 96.2(1.174), 96.2(11.6), 97.1(0.10), 97.1(1.15)
Alert Type:
Updated *
Bug Id:
CSCuw82198
Title:
Default inspection engines enabled on Standby but not on Active ASA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Standby ASA can have some default inspection engines running on custom contexts while the same are not enabled on the Active unit.

Conditions:
> Pair of ASA units running as a failover pair (Act/Stb or Act/Act)

Steps to reproduce:

> Load the context configuration file ONLY into the Primary ASA flash memory
> Initialize the context on the Primary, configuring the context statements and pointing the config-url at the file loaded on the Primary flash
> Run "write mem all" or "write memory" in the context created
> Check the file with the context config on the Secondary ASA flash using the command "more disk0:/ | b policy-map"
> Default inspection engines are displayed.

Workaround:
Running the "write standby" command on the Active unit of the affected context fixes the problem.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6.8), 9.4(1.6)
Known Fixed Releases: *
100.13(0.120), 100.14(0.83), 100.15(0.86), 100.15(20.17), 100.15(8.29), 100.16(0.9), 100.16(1.34), 100.16(14.1), 9.4(2.99), 9.4(3)
Alert Type:
Updated *
Bug Id:
CSCux35272
Title:
ASA TCP normalizer checksum verification cannot be disabled
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the ASA processes traffic that is L7 inspected or has to be redirected to a module (e.g. IPS, CX, SFR), it needs to normalize it first.

One of the things that is checked during the normalization process is TCP checksum verification.
If a packet has a wrong TCP header checksum the normalizer will drop it. This will be shown in the ASA ASP drops as 'bad-tcp-cksum'.

Theoretically the ASA can be configured to ignore bad TCP checksums. Here is an example:

tcp-map IGNORE_TCP_CHECKSUM
  no checksum-verification
!
policy-map SFR_PMAP
 class SFR_CMAP
  sfr fail-open
  set connection advanced-options IGNORE_TCP_CHECKSUM
service-policy SFR_PMAP interface NET1

This defect is filed because, even when the ASA is configured to ignore TCP checksum verification, it still performs the check and the packet with the bad checksum is dropped with drop-reason: (bad-tcp-cksum).

Conditions:
L7 inspection or redirection to a module is enabled, so the TCP normalizer is on.

Workaround:

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.5(1.5)
Known Fixed Releases: *
100.11(0.66), 100.12(0.155), 100.13(0.121), 100.15(0.105), 100.16(0.15), 100.16(1.76), 100.16(14.1), 100.8(40.111), 9.1(7.5), 9.2(4.9)
Alert Type:
Updated *
Bug Id:
CSCuv85752
Title:
Group-lock value can be set with space in a tunnel-group name
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Group-lock setting does not get deleted from group-policy attributes and causes AnyConnect connections to fail for a given tunnel-group.

Conditions:
Standard AnyConnect configuration plus group-lock in the group-policy.

Workaround:
Reapply the group-lock without a trailing space after the tunnel-group name.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.2, 9.1, 9.1(4), 9.3, 9.3(2), 9.4, 9.4(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.145), 100.13(0.97), 100.15(0.25), 100.15(1.78), 100.15(16.3), 100.15(17.1), 100.15(3.46), 100.15(6.30), 100.15(8.13)
Alert Type:
Updated *
Bug Id:
CSCuw03407
Title:
DHCPD Search domain shorter than 10 characters is corrupted
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the ASA is acting as a DHCP server (DHCPD), it may corrupt the DHCP OFFER and DHCP ACK packets if the domain name configured in the DHCPD section is shorter than 10 characters.

Conditions:
This is seen when the DHCPD configuration has an interface-specific DNS search suffix that is less than 10 characters long:

dhcpd address 192.168.1.40-192.168.1.40 guest
dhcpd dns 10.0.0.100 interface guest
dhcpd domain abc.ca interface guest <<<<<<<<<<<<<<<<
dhcpd enable guest

This will result in the DNS search domain being sent out as a combination of the configured domain and 'cisco.com'. This can be checked using packet captures of the DHCP traffic.

In the above example, the ASA will pad the configured domain with the letters from cisco.com to reach 'abc.caom'.

Workaround:
Do not configure this field or use a longer domain if feasible.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.99), 100.14(0.73), 100.15(0.26), 100.15(1.81), 100.15(16.3), 100.15(17.1), 100.15(3.49), 100.15(6.31), 100.15(8.13), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCus08552
Title:
show traffic protocol stats show large counter values-enhanced pkt stats
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"show traffic" protocol statistics show huge counter values after enhanced packet statistics are enabled.

Conditions:
After enhanced packet statistics are enabled with the command "sysopt traffic detailed-statistics", some of the counter values are very large, as displayed with the "show traffic" command.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.12(0.101), 9.3(1.108)
Known Fixed Releases: *
100.12(0.156), 100.13(0.127), 100.15(0.112), 9.4(2.99), 9.4(3), 9.6(0.99), 96.1(1.59), 96.2(1.110)
Alert Type:
Updated *
Bug Id:
CSCuu88412
Title:
When > 510 characters entered in CLI, context switches to admin/system
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When a user enters more than 510 characters at the CLI while not within the admin/system context, the user is unintentionally switched into the "admin/system" context. This issue was observed when running the command on an ASASM after first logging into the 6500 switch and performing a "session" connection to the module.

Conditions:
ASASM with v9.1.6.1

Workaround:
none

Further Problem Description:
none

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.64), 100.12(0.153), 100.13(0.118), 100.14(0.81), 100.15(0.73), 100.15(17.33), 100.15(20.12), 100.15(8.23), 100.16(0.7), 100.16(1.20)
Alert Type:
Updated *
Bug Id:
CSCuy71812
Title:
Coverity 114217: NULL_RETURNS in snp_fp_action_cap_construct_key
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
96.2(1.147), 97.1(1.5)
Known Fixed Releases: *
96.2(0.7), 96.2(11.12), 97.1(0.12), 97.1(1.26), 97.1(5.7)
Alert Type:
Updated *
Bug Id:
CSCuv93407
Title:
ASA Lina: fix memory leak in debug menu option 20
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When using 'debug menu memory 20 X' troubleshooting command, with X != 1, sometimes not all the allocated memory is released.

Conditions:
'debug menu memory 20 X' where X != 1

Workaround:
Use 'debug menu memory 4' to release all remaining allocated memory.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.12(0)
Known Fixed Releases: *
100.12(0.145), 100.13(0.97), 100.14(16.6), 100.14(5.31), 100.15(0.25), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45), 100.15(6.30)
Alert Type:
Updated *
Bug Id:
CSCux90767
Title:
Resolve CSCtz82865 - Equivalent of "show xlate count" command
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Resolve CSCtz82865 - Equivalent of "show xlate count" command

Conditions:
Cisco ASA running release 9.1.4 and higher with SNMP enabled. On certain versions it is not running.

Workaround:
none

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(2)
Known Fixed Releases: *
100.12(0.156), 100.13(0.127), 100.15(0.112), 9.4(2.99), 9.4(3), 9.5(2.6), 9.6(0.99), 96.1(1.59), 96.2(1.110)
Alert Type:
Updated *
Bug Id:
CSCuv76342
Title:
ISA3000 crashed while generating crypto rsa keys
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ISA3000 can produce a backtrace after executing the "crypto key generate rsa usage-keys label usage_key modulus 4096" command.

Conditions:
After the unit is installed with minimal initial configuration, issue the command 'crypto key generate rsa label Key1_4096 modulus 4096'.
Try the same command manually 7-8 times. The ISA can crash and produce a backtrace around the 8th iteration; however, the issue cannot be reproduced consistently.

Workaround:
The ISA should reload after the backtrace.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.13(29.28), 9.4(1)
Known Fixed Releases: *
100.13(0.104), 100.13(29.101), 100.13(29.36), 100.14(0.75), 100.15(0.29), 100.15(0.42), 100.15(1.94), 100.15(16.7), 100.15(17.18), 100.15(17.9)
Alert Type:
Updated *
Bug Id:
CSCuq21426
Title:
Inspect-DNS: PTR Query failed when DNS-Doctoring enabled
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A reverse DNS (PTR) response passing through the ASA is received for a different IP address than the one in the original query.

Conditions:
The ASA has NAT configured with the 'dns' keyword, and there is a reverse DNS query for the mapped IP address used in this translation.

Workaround:
1. Remove the 'dns' keyword from the NAT statement.
2. Query for the real IP address.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.0(4.18)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.120), 100.14(0.83), 100.15(0.87), 100.15(20.17), 100.15(8.29), 100.16(0.9), 100.16(1.34), 100.16(14.1)
Alert Type:
Updated *
Bug Id:
CSCub30181
Title:
ASA doesn't set ACE inactive when time-range expires
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In some scenarios, after a time-range expires, an ASA does not mark the ACE as inactive. This causes traffic to be incorrectly permitted or denied after the time range is no longer valid.

Conditions:
This affects ASA versions 8.4.1 through 8.4.4.

Workaround:
Make any change to the ACL policy that will force it to re-apply the configuration. For example, move the start time of the time-range forward by 1 minute.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:W/RC:C&version=2.0
CVE ID CVE-2012-3925 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
100.7(13.93), 8.4(1)
Known Fixed Releases: *
100.11(0.64), 100.12(0.151), 100.13(0.115), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.4), 100.15(8.18), 100.16(0.4)
Alert Type:
Updated *
Bug Id:
CSCuv62204
Title:
"show ipv6 neighbor" command not available in system space
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"show ipv6 neighbor" command is not available in the system execution space

Conditions:
ASA in multiple mode.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.13(0.97), 100.15(0.25), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45), 100.15(6.30), 100.15(8.13), 9.4(1.107), 9.4(2)
Alert Type:
Updated *
Bug Id:
CSCuw62030
Title:
ASA DNS doctoring not working with "any" keyword
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When ASA is configured with DNS doctoring, the DNS response from the DNS server is forwarded onto the client and not rewritten by the ASA.

Conditions:
ASA running 9.1.5
using the "any" keyword in the NAT statement

Workaround:
Use specific egress interfaces and not "any"

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.120), 100.14(0.83), 100.15(0.88), 100.15(20.17), 100.16(0.9), 100.16(1.35), 100.16(14.1), 100.8(40.105)
Alert Type:
Updated *
Bug Id:
CSCuq27723
Title:
WebVPN Citrix client browser couldn't save Java Client as preferred
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
- As a remote access user
- On the Citrix client accessed through the browser
- When the client preference option in settings is changed from the default native client to the Java client and saved
- The new setting is not shown when the settings are visited again.

Conditions:
Accessing a XenApp server using a web browser through Clientless SSL VPN.
This happens on Mac OS X v10.9 with Firefox 30 and Safari v7.x.
This also happens on Windows 7 with Firefox v28 and Internet Explorer 9.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(1.102)
Known Fixed Releases: *
100.11(0.62), 100.12(0.139), 100.13(0.94), 100.14(0.70), 100.15(0.23), 100.15(1.54), 100.15(15.15), 100.15(16.1), 100.15(2.85), 100.15(3.29)
Alert Type:
Updated *
Bug Id:
CSCuy84044
Title:
Rewriter error with webworker JS
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA WebVPN is unable to render a page with a web worker JavaScript element.

Conditions:
The internal page uses web worker JavaScript.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.11(0.70), 100.12(0.158), 100.13(0.136), 100.15(0.113), 100.8(40.117), 9.4(2.109), 9.4(3), 96.1(1.87), 96.2(1.170), 96.2(11.4)
Alert Type:
Updated *
Bug Id:
CSCuv32789
Title:
ASA using IKEv2 rejects more than 10 NAT_DETECTION_SOURCE_IP payloads
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Acting as the IKEv2 responder, the ASA receives an initial IKEv2 packet that contains more than 10 NAT_DETECTION_SOURCE_IP payloads from the initiator. The ASA rejects the connection, enumerates 10 payloads and then prints "INVALID_SYNTAX".

Conditions:
-ASA acts as the IKEv2 responder.
-ASA receives more than 10 "NAT_DETECTION_SOURCE_IP" payloads from the initiator.

Workaround:
Use IKEv1

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.2(2.8)
Known Fixed Releases: *
100.11(0.62), 100.12(0.141), 100.13(0.95), 100.14(0.70), 100.15(0.24), 100.15(1.62), 100.15(16.1), 100.15(17.1), 100.15(3.36), 100.15(6.21)
Alert Type:
Updated *
Bug Id:
CSCux27028
Title:
L2TP/IPSec fails with Multilink PPP enabled on Win client
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
L2TP/IPSec fails with Multilink PPP enabled on Win client

Conditions:
ASA running version 9.4 with the Multilink PPP setting enabled on the Windows client.

Workaround:
Disable Multilink PPP on the end client:

1. Open the Network Connections folder and view available connections.
2. Right-click the L2TP connection, and then click Properties.
3. On the Options tab, click PPP Settings.
4. Uncheck the Negotiate multi-link for single-link connections check box.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1.5)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.125), 100.15(0.110), 100.16(0.20), 100.8(40.113), 9.4(2.99), 9.4(3), 9.6(0.99), 96.1(1.52)
Alert Type:
Updated *
Bug Id:
CSCsh75522
Title:
Increase Content-length counter from 4 to 8 byte size
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Deep HTTP inspection (i.e. http app-fw or inspect http with an http-policy-map) reports the HTTP connection as a protocol-violation if the request's "Content-Length: " header value n > 268435455.
The ASA supports Content-Length values up to 0x0FFFFFFF (i.e. 268435455) only.

Conditions:
HTTP requests whose Content-Length header value is greater than 268435455.

Workaround:
No workaround.

Further Problem Description:
One way to get rid of the issue is to disable the connection drop or reset for protocol-violation, but then inspection will not be performed on the HTTP data.

Last Modified:
26-APR-2016
Known Affected Releases:
7.0, 8.0(0.195)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.131), 100.15(0.112), 100.8(40.114), 9.4(2.102), 9.4(3), 96.1(1.80), 96.2(1.134), 96.2(11.1)
Alert Type:
Updated *
Bug Id:
CSCuy81416
Title:
Coverity 114306: NULL_RETURNS in sctpRefreshTimerHandler
Status:
Other
Severity:
3 Moderate
Description: *

Symptom:
Fails Static Analysis - Created by Coverity Static Analysis

Conditions:
N/A

Workaround:
N/A

Further Problem Description:
This bug is fixed in the current build.

Last Modified:
27-APR-2016
Known Affected Releases:
97.1(1.5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw71195
Title:
Initial Smart Licensing message fails due to 'SCH not ready'
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
During boot up an ASAv will fail to send a Smart Licensing entitlement authorization renewal message:

%ASA-3-444303: %SMART_LIC-3-COMM_FAILED:Communications failure with Cisco licensing cloud: Communication message send response error

Conditions:
The ASAv is configured with a Failover mate but there is no mate present.

Workaround:
If the ASAv remains in an Unlicensed state due to this condition, the user can force re-authorization of the ASAv platform license by issuing the "license smart renew auth" command.

Further Problem Description:

Last Modified:
27-APR-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases:
100.15(8.41), 96.2(1.120)
Alert Type:
Updated *
Bug Id:
CSCuz20742
Title:
AWS: ASAv not reachable if deployed with 2 interfaces
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
An ASAv deployed from the AWS Marketplace cannot be reached via SSH after deployment.

Conditions:
It is recommended to deploy the ASAv from the Marketplace with only the initial Management interface. Then, after the ASAv has booted, add the additional data interfaces and reload the ASAv. However, if a second interface is added in the deployment dialog, the ASAv may be unreachable after the initial deployment.

Workaround:
Deploy the ASAv from the Marketplace with the default Management interface only. Then add the additional data interfaces after the ASAv has booted and reload the ASAv.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.5(2.200)
Known Fixed Releases: *
96.2(0.11), 97.1(1.30)
Alert Type:
Updated *
Bug Id:
CSCux55923
Title:
WebVPN: Unable to play certain online videos
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Unable to play videos through WebVPN. When the video is clicked to play, it is simply unresponsive.

Conditions:
WebVPN on ASA.

Workaround:
none

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.124), 100.15(0.109), 100.16(0.19), 100.16(1.97), 100.16(14.1), 100.8(40.113), 9.1(7.5), 9.4(2.99)
Alert Type:
Updated *
Bug Id:
CSCuw30999
Title:
ASA5508 5516 Unable to communicate with 100/full configured after reboot.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
An ASA5508/5516 interface is configured as 100/full (speed 100, duplex full).
After the ASA5508/5516 is rebooted, it is not able to communicate with the connected device.

Conditions:
Configure 100/full in the interface settings on an ASA5508/5516.
After a reboot, this problem occurs.

Workaround:
Configure auto in the interface settings. A shut/no shut on the interface will also recover it without having to reboot.

Further Problem Description:
none

Last Modified:
29-APR-2016
Known Affected Releases:
9.4(1.5), 9.4(2.6)
Known Fixed Releases: *
100.12(0.155), 100.13(0.121), 100.15(0.103), 100.16(0.13), 100.16(1.73), 100.16(14.1), 9.4(2.99), 9.4(3), 9.5(2.7), 9.6(0.99)
Alert Type:
Updated *
Bug Id:
CSCuy10665
Title:
HA: Number of interfaces mismatch after SFR module reload on both units
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Reload the SFR service module on both units. Many interface number mismatch messages like the following show up on the Secondary unit:

Number of interfaces on Active and Standby are not consistent.
If the problem persists, you should disable and re-enable failover
on the Standby.

Conditions:
Reproduced in the lab by reloading the SFR on the Active unit first and, after 30 seconds, reloading the SFR on the Secondary unit.
With an Active/Active failover setup with multiple contexts and huge ACL rules, the error message will show up.

Workaround:
write standby on Active unit or
disable monitoring interface health or
enable monitoring service-module

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.5(2)
Known Fixed Releases: *
100.15(0.112), 9.5(2.7), 96.1(1.86), 96.2(1.158), 96.2(11.2), 97.1(0.6), 97.1(1.8), 97.1(2.4), 97.1(3.2), 97.1(4.2)
Alert Type:
Updated *
Bug Id:
CSCux83705
Title:
DNS Reply Modification for Dual-Stack does not work as expected
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
For DNS requests passing through an ASA which is supposed to perform DNS fixup/doctoring/reply modification (as configured in fig 27-27 of the following doc: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html#wp1090556), in a dual-stack routing environment, the ASA modifies one of the records twice (per design) and the other only once (defective behavior). The Layer 3 protocol of the DNS request is the same as the record that will be successfully modified.

For example, if the client makes a DNS request over IPv4, the ASA will correctly modify the A record twice, but it will return an AAAA record which has only been modified once. If the client makes a DNS request over IPv6, then the ASA will modify the AAAA record twice, but it will only modify the A record once.

Conditions:
-The DNS Server, Host, and Server are on separate networks (as in fig 27-27 of the following doc: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html#wp1090556)
-Dual-Stack routing is in place (IPv4 and IPv6)

Workaround:
No configuration workarounds are possible on the ASA.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.130), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.4(2.101), 9.4(3), 9.5(2.7), 9.6(1.1)
Alert Type:
Updated *
Bug Id:
CSCuy99280
Title:
ENH: ASAv should have a different pre-loaded cert
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASAv may fail to register to the Smart Software Licensing portal. The ASAv will present the following output:

ASAv# show license registration
Registration Status: Retry In Progress.
Registration Start Time: Mar 22 13:25:46 2016 UTC
Registration Status: Retry In Progress.
Registration Start Time: Mar 22 13:25:46 2016 UTC
Last Retry Start Time: Mar 22 13:26:32 2016 UTC.
Next Scheduled Retry Time: Mar 22 13:45:31 2016 UTC.
Number of Retries: 1.
Last License Server response time: Mar 22 13:26:32 2016 UTC.
Last License Server response message: Communication message send response error

(The Last Server Response Message may also simply state "Communication Failure").

The ASA will be able to access internet resources, but ASA-3-717009 messages will be seen, indicating "No suitable trustpoints found to validate certificate serial number..."

Conditions:
In the output of show crypto ca certificate, the default certificate has the following information:

ASAv# show crypto ca certificate
CA Certificate
[...]
Subject Name:
cn=VeriSign Class 3 Secure Server CA - G3
ou=Terms of use at https://www.verisign.com/rpa (c)10
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
[...]
Associated Trustpoints: _SmartCallHome_ServerCA


The first line under "Subject Name" (indicating the intermediate CA) reads "cn=Symantec Class 3 Secure Server CA - G4" in the correct cert, i.e., it's signed by Symantec rather than Verisign and is G4 rather than G3.

Workaround:
Pre-9.5.2:

Run the following command in enable mode:

crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b

Starting in 9.5.2:

The trustpool will auto-update at 10pm local device time. If this is an initial installation, and DNS lookups and internet connectivity have not been up at that time yet, then the auto-import has not succeeded and will need to be completed manually.

### IMPORTANT NOTE ###
After 9.6.1.1 is released -
1. Before upgrading the ASA, run the following commands at the ASA prompt. This removes the old cached certificate from the config.
ciscoasa(config)# clear configure crypto ca trustpoint
ciscoasa(config)# write memory

2. After the upgrade, the following message will appear during bootup:
.Creating trustpoint "_SmartCallHome_ServerCA" and installing certificate...

3. As the old cached certificate is cleared by step 1, the new certificate will be installed in the trustpoint. This can be verified by issuing the following command and observing output. Note: the 'subject name' should match the 'issuer name'.
5545-1# show crypto ca certificates

Output:
CA Certificate
Status: Available
Certificate Serial Number: 18dad19e267de8bb4a2158cdcc6b3b4a
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=(c) 2006 VeriSign\, Inc. - For authorized use only
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
Subject Name:
cn=VeriSign Class 3 Public Primary Certification Authority - G5
ou=(c) 2006 VeriSign\, Inc. - For authorized use only
ou=VeriSign Trust Network
o=VeriSign\, Inc.
c=US
Validity Date:
start date: 00:00:00 UTC Nov 8 2006
end date: 23:59:59 UTC Jul 16 2036
Associate

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.3(3), 9.4(2), 9.5(2)
Known Fixed Releases: *
100.11(0.71), 100.13(0.138), 100.15(0.116), 9.4(2.112), 9.4(3), 9.5(2.7), 9.6(1.1), 96.2(0.4), 96.2(11.11), 97.1(0.12)
Alert Type:
Updated *
Bug Id:
CSCuz18707
Title:
Intranet page does not load via WebVPN with JavaScript errors
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The intranet page fails to load properly via WebVPN.

Conditions:
Page with JavaScript enabled accessed via WebVPN

Workaround:
NA

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.1(7.6)
Known Fixed Releases: *
100.11(0.71), 100.13(0.138), 100.15(0.116), 9.4(2.112), 9.4(3), 9.5(2.7), 9.6(1.1), 96.2(0.5), 96.2(11.11)
Alert Type:
Updated *
Bug Id:
CSCuv09640
Title:
ASA: "Auto-Enable" feature not working with SSH configured with PKF
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"Auto-enable" feature does not work with ASA device configured with the SSH PKF feature

Conditions:
ASA SSH configured with the PKF feature

Workaround:
Don't use the "auto-enable" command with the SSH PKF feature

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.134), 100.13(0.90), 100.14(0.68), 100.15(0.112), 100.15(0.22), 100.15(1.42), 100.15(10.4), 100.15(15.4), 100.15(2.75), 100.15(3.20)
Alert Type:
Updated *
Bug Id:
CSCuy80058
Title:
FO replication failed: cmd=no disable, when disabling webvpn-cache
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
On the Active unit, "webvpn-cache-no-disable" was executed. The config changed properly to disable the webvpn cache.
On the Standby unit, however, the config to disable the webvpn cache was not changed, and an HA syslog was generated:
"<151>:Mar 16 23:40:54 EST: %ASA-ha-7-709001: FO replication failed: cmd=no disable returned=-3"
Configs become out of s

Conditions:
Webvpn cache config

Workaround:
On the active unit, execute "write standby" to sync up the configs.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.4(2.105)
Known Fixed Releases: *
100.11(0.71), 100.13(0.137), 100.15(0.116), 100.8(40.117), 9.4(2.111), 9.4(3), 9.5(2.7), 96.2(0.8), 96.2(11.12), 97.1(0.13)
Alert Type:
Updated *
Bug Id:
CSCuy74362
Title:
WebVPN FTP client failing with "Error contacting host" message
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When accessing FTP server via WebVPN portal, the "Error contacting host" message is produced.
The issue can be intermittent.

Conditions:

Workaround:
Specify username and password directly in the URL, for example:

ftp://username:password@FTP_address

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.3(2), 9.4, 9.5
Known Fixed Releases: *
100.12(0.158), 100.13(0.135), 100.15(0.112), 9.4(2.107), 9.4(3), 9.5(2.7), 9.6(1.1), 96.1(1.86), 96.2(1.160), 96.2(11.2)
Alert Type:
Updated *
Bug Id:
CSCuz06125
Title:
Active and Standby ASA use same MAC addr with only active MAC configured
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Active and Standby ASAs use the same MAC address on their interfaces.

Conditions:
Only the active MAC address is configured under the interface. For example:

interface GigabitEthernet0/0
mac-address 0000.1000.1111

Workaround:
Configure both active and standby MAC addresses when assigning a manual MAC address. For example:

interface GigabitEthernet0/0
mac-address 0000.1000.1111 standby 0000.1000.2222

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.6(1)
Known Fixed Releases: *
100.11(0.71), 100.13(0.138), 100.15(0.115), 100.8(40.117), 9.5(2.7), 9.6(1.1), 96.2(0.1), 96.2(1.180), 96.2(11.9), 97.1(0.12)
Alert Type:
Updated *
Bug Id:
CSCuy89425
Title:
AAA: RSA/SDI unable to set new PIN
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
After upgrade of the ASA the users are unable to (re-)set PIN for their soft tokens.

Cisco VPN client:
1. Connect
2. Provide username+token code
3. "Enter your new alphanumeric PIN.." message, PIN entered, OK
4. "Enter your new alphanumeric PIN.." message again, no place to enter PIN, just OK button.
5. User is disconnected.

iPhone:
1. Connect
2. Provide username+token code
3. "Enter your new alphanumeric PIN.." message, PIN entered, OK.
4. Nothing else happens, user is disconnected.

On the RSA server in the logs the following error can be seen:

"Authentication method failed, passcode format error"

Conditions:
ASA 9.1.7
RSA authentication using SDI protocol.
Client needs to set a new token PIN.

Workaround:
Create new PIN using RSA self service portal.

Further Problem Description:

Last Modified:
29-APR-2016
Known Affected Releases:
9.1(7)
Known Fixed Releases: *
9.5(2.7), 96.2(0.11), 97.1(1.31)
Alert Type:
New
Bug Id:
CSCuz46174
Title:
ASA 9.1.7 : lose "match header destination-option" after upgrade
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
- In the 'show runn' output, "match header destination-option" is not seen in the config. In its place, you will see "match header count gt".

Conditions:
+ Originally seen in ASA5520 running one of the available 9.1.7 interim images - 9.1.7.4 or 9.1.7.6. Assuming the same issue should be seen on ASA5505, 5510, 5540, and ASA5550 models also, since they use the same available images as used on ASA5520.
+ Configure ipv6 policy inspect with "match header destination-option"

i.e.

policy-map type inspect ipv6 V6-Inspect
parameters
match header routing-type range 2 255
drop log
match header ah
drop log
match header destination-option

Workaround:
- None, once the ASA5520 is on a 9.1.7 image

Further Problem Description:

Last Modified:
30-APR-2016
Known Affected Releases:
9.1(7.4), 9.1(7.6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz23576
Title:
ASA in Multicontext : Allocated memory showing high (invalid) values
Status:
Open
Severity: *
3 Moderate
Description:

Symptom:
Allocated memory in use shows very high (invalid) values. See the output below:

------------------ show memory ------------------
Free memory: 6622859551 bytes (74%)
Used memory: 28697627072 bytes (26%)
------------- ------------------
Total memory: 8988893471 bytes (100%)
------------------ show memory detail ------------------
Free memory heap: 902034752 bytes (10%)
Free memory system: 6622859551 bytes (74%)
Used memory:
Allocated memory in use: 28183824832 bytes (314%)
Reserved memory (DMA): 513802240 bytes ( 6%)
Memory overhead: 0 bytes ( 0%)
----------------------------- ------------------
Total memory: 8988893471 bytes (100%)
Least free memory: 0 bytes ( 0%)
Most used memory: 28697630432 bytes (319%)

Conditions:
ASA running software version 9.5.2.6 configured in Multi context mode.

Workaround:
na

Further Problem Description:

Last Modified:
30-APR-2016
Known Affected Releases:
9.5(2.6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy53516
Title:
ASA corrupts data in TLS-Proxy with TLS version 1.2
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Phone registration/call through TLS-Proxy on ASA doesn't work

Conditions:
1. ASA is configured to do TLS-Proxy
http://www.cisco.com/c/en/us/td/docs/security/asa/special/unified-communications/guide/unified-comm/unified-comm-tlsproxy.html

2. ASA establishes TLS connection with call manager on TLS version 1.2

Workaround:
Force Call Manager to use TLS version 1.

Further Problem Description:

Last Modified:
30-APR-2016
Known Affected Releases:
9.3(2), 9.5(2.2)
Known Fixed Releases: *
96.2(0.11), 97.1(0.14), 97.1(1.31)
Alert Type:
Updated *
Bug Id:
CSCtx68834
Title:
Multiple Conns between VNMC and Virtual ASA
Status:
Terminated
Severity:
4 Minor
Description: *

Symptom:
Multiple Conns between VNMC and Virtual ASA

Conditions:
VNMC is used to manage Virtual ASA

Workaround:
none

Further Problem Description:

Last Modified:
30-APR-2016
Known Affected Releases:
100.7(17.11)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv93976
Title:
NTP: Standby ASA sends NTP with source 0.0.0.0 if standby ip not set
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
A standby ASA in a failover pair may send NTP packets with a source IP of 0.0.0.0 if the interface those packets would normally leave from does not have a standby ip configured.

Conditions:
This is seen in failover deployments where the NTP-server-facing interface does not have a standby IP in its configuration.

Workaround:
Configure the standby ip address for that interface.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.67), 100.12(0.156), 100.13(0.125), 100.15(0.110), 100.16(0.20), 100.8(40.113), 9.4(2.99), 9.4(3), 9.6(0.99), 96.1(1.53)
Alert Type:
Updated *
Bug Id:
CSCty17794
Title:
Virtual ASA: interface redundant and redundant-interface cli not blocked
Status:
Terminated
Severity:
4 Minor
Description: *

Symptom:
interface redundant and redundant-interface cli not blocked

Conditions:
trying to configure redundant interface on ducati

Workaround:
none

Further Problem Description:

Last Modified:
30-APR-2016
Known Affected Releases:
100.7(13.56)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCui04629
Title:
Failed to read security parameters error during fn_syslog automation
Status:
Terminated
Severity:
4 Minor
Description: *

Symptom:
Errors are generated from the ASA when executing the 'clear config all' command.

Conditions:
The errors occur when running automation scripts for several hours.

Workaround:
Reload the ASA.

Further Problem Description:

Last Modified:
30-APR-2016
Known Affected Releases:
8.7(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuz24083
Title:
DOC: ASA, sysopt connection permit-vpn ACL bypass clarification
Status:
Open
Severity:
4 Minor
Description:

Symptom:
"sysopt connection permit-vpn" will bypass ACLs (in and out) on the interface where the crypto map for that interesting traffic is enabled, along with egress ACLs of all other interfaces, but not ingress ACLs (i.e. access-group out <...>) on the other interfaces.

Conditions:
ASA with site-to-site tunnel setup and "sysopt connection permit-vpn" enabled

Workaround:
In order to restrict traffic coming from the remote end of the tunnel:
1. Restrict it on the remote end itself.
2. Or use vpn-filters.
3. Or disable "sysopt connection permit-vpn" and configure access-lists on the external interface to permit VPN traffic.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.6(0.100)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy25445
Title:
Master shows slave interfaces as "up" when slave rejoining
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
If a slave unit in a cluster reboots, while it is rejoining, the master will show its interfaces as "up" instead of "init" for a short period of time.

The issue has no functional impact.

Conditions:
Cisco ASA running release 9.0 and later.

Workaround:
None.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(6.184)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.130), 100.15(0.112), 100.8(40.114), 9.1(7.5), 9.4(2.101), 9.4(3), 96.1(1.77), 96.1(1.79)
Alert Type:
Updated *
Bug Id:
CSCua66518
Title:
Help arp SYNTAX section misses "permit-nonconnected" entry
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Help arp misses permit-nonconnected entry in SYNTAX section.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.4(4), 8.4(4.2)
Known Fixed Releases: *
100.11(0.65), 100.12(0.154), 100.13(0.120), 100.13(0.121), 100.14(0.83), 100.14(0.84), 100.15(0.87), 100.15(0.90), 100.15(20.17), 100.15(20.18)
Alert Type:
Updated *
Bug Id:
CSCur99190
Title:
show file info CLI not working for lfbff images
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
'show file information' CLI does not display correct file size and version field for the lfbff.SSA type images.

Conditions:
Output is displayed incorrectly for lfbff type images. ASA 5506 & 5508 platforms and Rest-API images use a file type of lfbff.

The output will look similar to this:

disk0:/asa100-12-0-96-lfbff-k8.SSA:
type is image (ASA) []
file size is 147456 bytes

Other file types (cdisk.smp, zip files ) display the proper output.

Workaround:
The fix has been submitted to display the file size of the lfbff.SSA files correctly. So that part of the issue has been resolved. The version field will not be displayed as a part of this CLI.
An alternate CLI command to get the file version is: show version

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
1.0(1), 100.12(0)
Known Fixed Releases: *
100.12(0.156), 100.13(0.124), 100.15(0.108), 100.16(0.19), 100.16(1.97), 100.16(14.1), 9.4(2.99), 9.4(3), 9.6(0.99), 96.1(1.49)
Alert Type:
Updated *
Bug Id:
CSCur80711
Title:
dhcprelay enabled interface pops memory message when address is assigned
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
When "dhcprelay enable" is configured on an interface, the memory message "No memory for DHCP interface ''" is displayed.

Conditions:
ASA in multicontext mode.

Workaround:
None, but this is a benign message

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(2)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.128), 100.15(0.112), 100.8(40.114), 9.4(2.99), 9.4(3), 9.6(0.99), 96.1(1.66), 96.2(1.118)
Alert Type:
Updated *
Bug Id:
CSCua71298
Title:
Help arp in context shows arp permit-nonconnected
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Help arp in admin and user contexts shows arp permit-nonconnected entry, which is only available in system context.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.4(4.2)
Known Fixed Releases: *
100.11(0.63), 100.12(0.149), 100.13(0.114), 100.14(0.79), 100.15(0.56), 100.15(17.24), 100.15(3.77), 100.15(8.18), 100.16(0.4), 100.16(1.9)
Alert Type:
Updated *
Bug Id:
CSCuy48004
Title:
ASDM detects a config change when dACL is pushed for Anyconnect user
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
ASDM detects a configuration change on the ASA when an Anyconnect user connects to it pushing a dynamic ACL to the box.

ASDM requires a refresh to load current config from the ASA

Eg: ASDM logs show

User 'aaa-acl', running 'N/A' from IP 10.1.1.2, executed 'access-list DAP-ip-user-00D02A08 extended permit icmp any4 any4'

Conditions:
ASA 9.4.2
ASDM 7.5.1
dACL entries do not appear in the config

Workaround:

Further Problem Description:

Last Modified:
30-APR-2016
Known Affected Releases:
9.4(2)
Known Fixed Releases: *
96.2(0.10), 97.1(0.14), 97.1(1.29)
Alert Type:
Updated *
Bug Id:
CSCuu07393
Title:
"sysopt traffic detailed-statistics" is removed after ASA reload
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
ASA command "sysopt traffic detailed-statistics" turns off automatically after reload

Conditions:
1. ASA is configured with 'sysopt traffic detailed-statistics'
2. The ASA is reloaded

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.142), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(16.2), 100.15(17.1), 100.15(3.37), 100.15(6.21)
Alert Type:
Updated *
Bug Id:
CSCuv96380
Title:
Failover uptime sync failure
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
On ASAs running in failover, the failover uptime does not sync up to match on both ASAs.

Conditions:
ASAs in failover with a huge number of contexts in a multi-context setup (108 contexts in my setup).

Workaround:
N/A

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(4), 9.1(4.5), 9.1(6)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.107), 100.14(0.77), 100.15(0.36), 100.15(17.12), 100.15(3.61), 100.15(8.15), 100.16(0.2), 100.16(1.2)
Alert Type:
Updated *
Bug Id:
CSCut06553
Title:
ASA - PBR Debug Output Shows HEX representation of DSCP Value w/o '0x'
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
The ASA policy-based routing debug output shows the HEX representation value and not the decimal value. This causes confusion since it looks like a decimal value due to the fact that the '0x' header is omitted. This is a cosmetic bug to modify the output so that the '0x' is printed in the output so that it's obvious that it is a HEX representation of the DSCP value.

Conditions:
Using 'debug policy-route' to verify functionality of PBR on an ASA and viewing DSCP values

Workaround:
N/A - this is a cosmetic issue.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(16.2), 100.15(17.1), 100.15(3.37), 100.15(6.22), 100.15(8.13), 9.4(1.107)
Alert Type:
Updated *
Bug Id:
CSCua66557
Title:
arp permit-nonconnected not indented in help arp multiple mode
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
Help arp in multiple mode has incorrect indentation for "arp permit-nonconnected" entry.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.4(4.2)
Known Fixed Releases: *
100.11(0.62), 100.12(0.144), 100.13(0.96), 100.14(0.71), 100.15(0.24), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45), 100.15(6.30)
Alert Type:
Updated *
Bug Id:
CSCuy11892
Title:
ASA ICMP inspect fails to inspect multiple packets within one millisecond
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
ASA ICMP inspection does not work if multiple packets are sent within one millisecond.

Conditions:
ASA with ICMP inspection

Workaround:
None

Further Problem Description:

Last Modified:
27-APR-2016
Known Affected Releases:
9.1(6.8)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuz22604
Title:
SAML:Getting Forbidden message in UI
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
Connect to a SAML IdP profile; it redirects to the IdP page. Do not close the browser.

Now reconnect to the profile again and cancel before it redirects to the IdP page a second time.

A Forbidden message appears in the UI when I cancel VPN establishment during the IdP redirection (username/password page).

Conditions:
Connect to a SAML IdP profile; it redirects to the IdP page. Do not close the browser.

Now reconnect to the profile again and cancel before it redirects to the IdP page a second time.

A Forbidden message appears in the UI when I cancel VPN establishment during the IdP redirection (username/password page).

Workaround:
Close the existing browser

Further Problem Description:

Last Modified:
27-APR-2016
Known Affected Releases: *
9.7(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy36536
Title:
Transparent Firewall: Need ability to switch 802.2 LLC with DSAP 0xe8
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Packets with an 802.2 LLC header carrying most LSAPs are not able to traverse the firewall in transparent mode.

Conditions:
Transparent Firewall Mode.
Generic 802.2 LLC packet

Workaround:
None

Further Problem Description:

Last Modified:
30-APR-2016
Known Affected Releases:
EVERCLEAR
Known Fixed Releases: *
96.2(0.1), 96.2(1.145), 96.2(11.1), 97.1(0.7), 97.1(1.9), 97.1(2.6), 97.1(3.4), 97.1(5.3)
Alert Type:
Updated *
Bug Id:
CSCuu54582
Title:
ASA-SFR, ASA should attempt to join Cluster after SFR service module up
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
With an ASA 5585 cluster configured, and with the service card health checks enabled, when the ASA and SFR are both rebooted, sometimes the slave ASA is booted out of the cluster, since it attempts to join the cluster when the SFR is not finished booting, and therefore fails the health check.

On the master, the following messages are seen:
Cluster unit EDGE2 transitioned from DISABLED to SLAVE
Asking slave unit EDGE2 to quit due to Security Service Card health check failure, and its Security Service Card state is CLUSTER_SSM_DOWN
FROM EDGE2: Unit is kicked out from cluster because of SSM card health check failure.

Conditions:
With ASA 5585 clustering enabled, and both ASA and SFR are booting up at the same time, if the SFR takes longer to boot than the ASA.

Workaround:
Manually add the ASA into the cluster once the SFR is finished booting. Check when SFR is ready by running 'show module' and ensuring that both the control and data plane for SFR are up.

# conf t
# cluster group
# enable

Further Problem Description:

Last Modified:
30-APR-2016
Known Affected Releases:
100.14(0.22)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus85257
Title:
ASA Connector - Provide Higher Layer Health Checks for CWS Tower
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
The ASA may not failover to the backup CWS tower when the CWS tower is in a degraded state but remains responsive to ASA TCP health checks. This may cause traffic interruption in the network environment when the ASA continues to redirect web traffic to the degraded tower. This is an enhancement request to provide more granular health checking between the ASA and the CWS tower.

Conditions:
This can occur if the CWS tower is degraded (not down) but is still able to complete the 3-way TCP handshake with the CWS tower.

Workaround:
Manually point the ASA to the backup CWS tower

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.68), 100.12(0.157), 100.13(0.128), 100.15(0.112), 9.2(3.160), 9.2(3.161), 9.2(4.6), 9.4(2.99), 9.4(3), 9.6(0.99)
Alert Type:
Updated *
Bug Id:
CSCuz19763
Title:
FTD inline set need delay to avoid port flap with link state propagation
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
With an inline set configured in FTD, if the neighboring device takes a while to bring the link up after the FTD has brought it up, the FTD can bring the link down before that, which can lead to an endless loop of the link coming up and going down. This is an enhancement request to introduce a configurable delay timer before deciding that a link is down, especially with link state propagation enabled.

Conditions:
None.

Workaround:
NA

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
DULCE_VIDA
Known Fixed Releases: *
7.3(0)TSH(0.99), 96.2(11.12), 97.1(0.12), 97.1(1.25), 97.1(3.6), 97.1(5.6)
Alert Type:
Updated *
Bug Id:
CSCtz82865
Title:
SNMP MIB: Equivalent of "show xlate count" command
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Need SNMP MIB support to allow polling to get the equivalent to the "show xlate count" command.

Conditions:
Cisco ASA running release 8.4.4 with SNMP enabled.

Workaround:
None.

Additional Information:
Will add cnatAddrBindNumberOfEntries and cnatAddrBindSessionCount OID's to support xlate_count and max_xlate_count.

Last Modified:
26-APR-2016
Known Affected Releases:
100.7(6.77), 9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.12(0.156), 100.13(0.127), 100.13(0.58), 100.13(28.2), 100.13(29.28), 100.14(0.13), 100.14(0.5), 100.14(1.4)
Alert Type:
Updated *
Bug Id:
CSCtw80509
Title:
add "show resource usage summary count all 1" to show tech
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Add "show resource usage summary count all 1" to the show tech.

Conditions:
This is a request to add "show resource usage summary count all 0" to the show tech output so more information regarding xlates, conns, inspects, syslogs, etc can be evaluated as part of the show tech snapshot. This information would also be helpful in diagnosing performance issues and would be useful to have as part of the show tech portion of the show crashinfo.

Workaround:
None

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.2
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.15(0.31), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCuq38206
Title:
ENH: ASA show tech should include 'dir all-filesystems'
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Enhancement to add 'dir all-filesystems' to show tech output

Conditions:
n/a

Workaround:
n/a

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.15(0.31), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15), 100.16(0.2)
Alert Type:
Updated *
Bug Id:
CSCuu22517
Title:
ASA - SNMPv3 Traps not Generated for PC Link State in Multi-Context Mode
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
On an ASA running in multi-context mode with port-channels allocated to individual contexts, SNMP traps will not be generated when member interfaces of the port-channel go down although the following syslogs are seen in the context itself:

%ASA-6-426002: PORT-CHANNEL:Interface GigabitEthernet0/2 unbundled from EtherChannel interface Port-channel1
%ASA-6-426001: PORT-CHANNEL:Interface GigabitEthernet0/2 bundled into EtherChannel interface Port-channel1

Conditions:
1. Must be using an ASA in multi-context mode
2. Must have port-channels allocated to contexts with at least two member interfaces
3. Must be attempting to monitor the status of the member interfaces via SNMPv3 within the context

Workaround:
It is possible to generate traps via the syslogs by using 'snmp-server enable traps syslog' in conjunction with the 'logging history informational' command; however, this causes a very large number of traps to be generated. There is an ongoing investigation to determine if there are other, more suitable workarounds.

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
8.4(2), 9.1(5), 9.2(2.4)
Known Fixed Releases: *
100.12(0.146), 100.13(0.98), 100.14(0.73), 100.15(0.116), 100.15(0.26), 100.15(1.83), 100.15(16.4), 100.15(17.3), 100.15(3.50), 100.15(6.33)
Alert Type:
New
Bug Id:
CSCuz39475
Title:
ENH: ASA: memory size of FirePOWER software module is slightly decreased
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
After the ASA software is upgraded to 9.5(2) or later, because of a change in the ASA memory system, the memory size assigned to the FirePOWER software module is slightly decreased. For example, the URL filtering feature of particular models (e.g. ASA5515) is affected by this change in assigned memory size.

This is an enhancement request to add the capability for the customer to assign more memory to the software module.

Conditions:
This issue is seen when upgrading the ASA software version from 9.4 to 9.5(2) or later. ASA5500-X platforms with the FirePOWER software module are affected.

Workaround:
One of the following:
1. Use the latest ASA software version in the 9.4 train, which supports FirePOWER version 5.4 or 6.0
2. Replace the appliance with a model that has more memory

Further Problem Description:

Last Modified:
27-APR-2016
Known Affected Releases:
9.5(2), 9.6(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuz34836
Title:
ASA does not show the reason for certificate installation failure
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
ASA does not show the reason for certificate installation failure. Only a generic fingerprint message about the failure is displayed.

Conditions:
Failing to install a certificate (both in ASDM and CLI).

Workaround:

Further Problem Description:
--

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(7), 9.4(3), 9.6(2)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuz24909
Title:
ENH: Add optional restart timer for NSF in regards to OSPF
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
The NSF restart timer for OSPF can be configured manually, but not when "nsf cisco" is used

Conditions:
Using "nsf cisco" for OSPF

Workaround:
Use "nsf ietf"

Further Problem Description:

Last Modified:
26-APR-2016
Known Affected Releases:
9.3(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuz34821
Title:
Lacking documentation of ASA requirements for certificates
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
There is no comprehensive document that deals with the ASA X.509 behavior and requirements.
The focus should be on the practical view of ASA X.509 handling: what the expected fields are and what data types they contain. Supported algorithms for signatures etc. should also be listed.

Information should be given for the various uses of certificates:
- LAN-2-LAN VPNs
- AnyConnect SSL and IPsec
- Certificates for management access (ASDM, SSH, ...)

Conditions:
ASA usage.

Workaround:
None.

Further Problem Description:
--

Last Modified:
26-APR-2016
Known Affected Releases:
9.1(7), 9.6(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCux03842
Title:
Implement SAML support Phase 2
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
* Clientless WebVPN cannot use a SAML Identity Provider for authentication if the provider is in a private network.

Conditions:

Workaround:
none

Further Problem Description:

Last Modified:
25-APR-2016
Known Affected Releases:
100.16(11)
Known Fixed Releases: *
100.16(1.36), 100.16(14.1), 100.16(15.1), 100.16(15.5), 100.16(6.1), 96.2(0.1), 97.1(5.1)
Alert Type:
Updated *
Bug Id:
CSCua37902
Title:
Some syslogs lost when using TCP based syslogging
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
If TCP syslogging is configured on the ASA, not all messages are sent to the syslog server when there is sufficient load combined with connectivity issues between the ASA and the syslog server.

Conditions:
The issue is seen only when using TCP based syslogging and a high rate of syslogs.

Workaround:
Use UDP syslogging instead of TCP syslogging.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
21-APR-2016
Known Affected Releases:
8.4, 8.4(3), 8.4(3.130), 9.1(5)
Known Fixed Releases: *
100.16(1.75), 100.16(1.81), 100.16(14.1), 9.1(2.220), 9.1(6.170), 96.1(6.1), 96.1(6.7), 96.2(0.1), 96.2(1.178), 96.2(11.8)
Alert Type:
Updated *
Bug Id:
CSCur30827
Title:
Placeholder to commit CLNS compiled files
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
Placeholder to commit CLNS compiled files

Conditions:

Workaround:

Further Problem Description:

Last Modified:
19-APR-2016
Known Affected Releases:
9.0
Known Fixed Releases: *
100.15(11.1), 100.16(1.8), 100.16(12.1), 9.6(0.99), 96.1(1.29), 96.1(1.57), 96.2(0.1), 96.2(1.107)
Alert Type:
New
Bug Id:
CSCuz16861
Title:
ASA: Trustpoint fqdn command limited to 64 characters should be 255
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Enhancement request to increase the fqdn field to 255 characters.

ASA1(config)# crypto ca trustpoint TP1
ASA1(config-ca-trustpoint)# fqdn ?

crypto-ca-trustpoint mode commands/options:
LINE < 65 char fully-qualified domain name
none do not include fully-qualified domain name
ASA1(config-ca-trustpoint)# fqdn

Conditions:
None

Workaround:
Create the certificate outside of the box and import it via a PKCS12 file.

Further Problem Description:

Last Modified:
14-APR-2016
Known Affected Releases:
9.1(7.160)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuz16102
Title:
ASA:Incorrect memory and high memory overhead output in show mem detail
Status:
Other
Severity:
6 Enhancement
Description:

Symptom:
High Free Memory in global shared pool
High memory overhead in "show memory detail"
Incorrect "Free memory" usage in show memory

Conditions:
High Free memory in Global Shared Pool due to fragmentation

Workaround:
Use "show memory detail" to find the bytes allocated and the free memory available under each pool.

Further Problem Description:

Last Modified:
13-APR-2016
Known Affected Releases:
9.5(2.6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuy84013
Title:
FIPS SSH parameters not replicated to standby ASA
Status:
Other
Severity: *
6 Enhancement
Description:

Symptom:
In FIPS mode, some SSH parameters (ssh cipher encryption fips and ssh cipher integrity fips) are not automatically replicated to the standby ASA. Even after performing "write standby" on the active ASA, the configuration is not synchronized.

5585-40/sec/act# show run ssh
...
ssh cipher encryption fips <------ not replicated to standby ASA
ssh cipher integrity fips <----- not replicated to standby ASA
ssh key-exchange group dh-group14-sha1
5585-40/sec/act#

Conditions:
ASA fips mode: "fips enable"

Workaround:
Manually add the commands to the configuration when the standby ASA becomes active, to restore SSH admin access while in FIPS mode.

Further Problem Description:

Last Modified:
13-APR-2016
Known Affected Releases:
9.5(2.6)
Known Fixed Releases:

Find additional information in Bug Search index.


2015 Cisco and/or its affiliates. All rights reserved.