Cisco Blog » The Platform

Thursday, October 1, 2015

Cisco Notification Alert - ASA 5500 Series NG Firewall - 01-Oct-2015 16:50 GMT

Security Advisories & Responses - ASA 5500-X Series Next-Generation Firewalls

Title:
OpenSSL Alternative Chains Certificate Forgery Vulnerability (July 2015) Affecting Cisco Products
Description:

On July 9, 2015, the OpenSSL Project released a security advisory detailing a vulnerability affecting applications that verify certificates, including SSL/Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) clients and SSL/TLS/DTLS servers using client authentication.

Multiple Cisco products incorporate a version of the OpenSSL package affected by this vulnerability that could allow an unauthenticated, remote attacker to cause certain checks on untrusted certificates to be bypassed, enabling the attacker to forge "trusted" certificates that could be used to conduct man-in-the-middle attacks.

This advisory will be updated as additional information becomes available.

Cisco will release free software updates that address this vulnerability.

Workarounds that mitigate this vulnerability may be available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150710-openssl

Date:
16-SEP-2015
Title:
Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
Description:

Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service condition or perform a man-in-the-middle attack. On January 8, 2015, the OpenSSL Project released a security advisory detailing eight distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:

  • CVE-2014-3571: OpenSSL DTLS Message Processing Denial of Service Vulnerability
  • CVE-2015-0206: OpenSSL dtls1_buffer_record Function DTLS Message Processing Denial of Service Vulnerability
  • CVE-2014-3569: OpenSSL no-ssl3 Option NULL Pointer Dereference Vulnerability
  • CVE-2014-3572: OpenSSL Elliptic Curve Cryptographic Downgrade Vulnerability
  • CVE-2015-0204: OpenSSL RSA Temporary Key Cryptographic Downgrade Vulnerability
  • CVE-2015-0205: OpenSSL Diffie-Hellman Certificate Validation Authentication Bypass Vulnerability
  • CVE-2014-8275: OpenSSL Certificate Fingerprint Validation Vulnerability
  • CVE-2014-3570: OpenSSL BN_sqr Function Incorrect Mathematical Results Issue

Cisco will release software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities may be available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl

Date:
22-SEP-2015

Find additional information in Cisco Security Advisories & Responses

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2
Alert Type:
New File
File Name:
asa942-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
24-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015
Find additional information in Software Downloads index.

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
New File
File Name:
asa825-58-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-29-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
17-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5510 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-10-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
ASA for Application Centric Infrastructure (ACI) Device Package
Release Version:
1.2.3.4
Alert Type:
New File
File Name:
asa-device-pkg-1.2.3.4.zip
File Description:

Cisco ASA Device Package 1.2(3.4) for Cisco APIC 1.2.2(I)

File Release Date:
01-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
ASA for Application Centric Infrastructure (ACI) Device Package
Release Version:
1.2.3.4
Alert Type:
New File
File Name:
asa-device-pkg-1.2.3.4.zip
File Description:

Cisco ASA Device Package 1.2(3.4) for Cisco APIC 1.2.2(I)

File Release Date:
01-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
New File
File Name:
asa825-58-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-10-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5520 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-29-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
17-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
New File
File Name:
asa825-58-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-29-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
17-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5505 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-10-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
ASA for Application Centric Infrastructure (ACI) Device Package
Release Version:
1.2.3.4
Alert Type:
New File
File Name:
asa-device-pkg-1.2.3.4.zip
File Description:

Cisco ASA Device Package 1.2(3.4) for Cisco APIC 1.2.2(I)

File Release Date:
01-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5512-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2
Alert Type:
New File
File Name:
asa942-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
24-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
ASA for Application Centric Infrastructure (ACI) Device Package
Release Version:
1.2.3.4
Alert Type:
New File
File Name:
asa-device-pkg-1.2.3.4.zip
File Description:

Cisco ASA Device Package 1.2(3.4) for Cisco APIC 1.2.2(I)

File Release Date:
01-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
ASA for Application Centric Infrastructure (ACI) Device Package
Release Version:
1.2.3.4
Alert Type:
New File
File Name:
asa-device-pkg-1.2.3.4.zip
File Description:

Cisco ASA Device Package 1.2(3.4) for Cisco APIC 1.2.2(I)

File Release Date:
01-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-10-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
New File
File Name:
asa825-58-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5540 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-29-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
17-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5515-X Adaptive Security Appliance
Software Type:
ASA for Application Centric Infrastructure (ACI) Device Package
Release Version:
1.2.3.4
Alert Type:
New File
File Name:
asa-device-pkg-1.2.3.4.zip
File Description:

Cisco ASA Device Package 1.2(3.4) for Cisco APIC 1.2.2(I)

File Release Date:
01-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5555-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2
Alert Type:
New File
File Name:
asa942-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
24-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-29-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

File Release Date:
17-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5580 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
New File
File Name:
asa825-58-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2
Alert Type:
New File
File Name:
asa942-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
24-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-29-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580-x and ASA5585-x. Please read the Release Note prior to downloading this release.

File Release Date:
17-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5585-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
New File
File Name:
asa825-58-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5580 and ASA5585. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2
Alert Type:
New File
File Name:
asa942-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
24-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5525-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.2.5 Interim
Alert Type:
New File
File Name:
asa825-58-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-10-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5550 Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
8.4.7 Interim
Alert Type:
New File
File Name:
asa847-29-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and 5550. Please read the Release Note prior to downloading this release.

File Release Date:
17-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.4.2
Alert Type:
New File
File Name:
asa942-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
24-SEP-2015

Software Updates for ASA 5500-X Series Next-Generation Firewalls

Product Name:
ASA 5545-X Adaptive Security Appliance
Software Type:
Adaptive Security Appliance (ASA) Software
Release Version:
9.1.6 Interim
Alert Type:
New File
File Name:
asa916-10-smp-k8.bin
File Description:

Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5580-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.

File Release Date:
18-SEP-2015

Known Bugs - ASA 5500-X Series Next-Generation Firewalls

Alert Type:
Updated *
Bug Id:
CSCuf31658
Title:
Linux Kernel nfs_readdata_release() and nfs_writedata_release() Functi
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:

CVE-2011-4325

This bug was opened to address the potential impact on this product.

Conditions:
Device with default configuration.

Workaround:
Not currently available.

Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 4.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-4325 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
24-SEP-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0(1), 9.1(1), 9.2(1), 9.3(1), 99.1(1)
Known Fixed Releases: *
100.11(0.61), 100.8(40.100), 9.2(4.1)
Alert Type:
Updated *
Bug Id:
CSCuu84085
Title:
DHCP-DHCP Proxy thread traceback shortly after failover and reload
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
Crash as soon as the standby unit becomes primary

Conditions:
DHCP configured on ASA running 9.1(6)5 or 9.1(6)6.

Workaround:
Downgrade to 9.1(6)4

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
100.14(0.16), 100.14(0.30), 100.14(0.42)
Known Fixed Releases: *
100.12(0.131), 100.13(0.81), 100.14(0.49), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.54), 100.15(3.9)
Alert Type:
Updated *
Bug Id:
CSCuv69235
Title:
HTTP chunked data causing watchdog
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
A watchdog traceback may occur on the ASA as it is processing HTTP traffic from WebVPN client connections.

Conditions:
Cisco ASA running release 9.3.2 and later with WebVPN configured.

Workaround:
None.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases: *
9.3(2), 9.5(1)
Known Fixed Releases: *
100.12(0.140), 100.13(0.95), 100.14(0.70), 100.14(16.8), 100.14(5.32), 100.15(0.24), 100.15(1.60), 100.15(16.1), 100.15(17.1), 100.15(3.32)
Alert Type:
Updated *
Bug Id:
CSCut67965
Title:
CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached
Status:
Fixed
Severity:
1 Catastrophic
Description:

Symptom:
ASA running 9.4.1 stops accepting IKEv2 connections.

Conditions:
ASA5545 running 9.4.1 with certificate authentication for Windows Mobile phones. The ASA may print a pki debug message "CRYPTO_PKI: ERROR: Unable to allocate new session. Max sessions reached".

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.28), 100.14(10.23), 100.14(5.17), 100.14(7.33), 100.15(0.13), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCut10078
Title:
Standby ASA does not apply OSPF route after config replication
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The Standby unit was not using the OSPF routes that were replicated from the Active unit and installed in its routing table. For example, when trying to ping 10.202.7.135 from the Standby unit, the ASA claimed it had no route to the host:

Conditions:
OSPF configured on active/standby ASA 5555 pair running 9.1.5.21

Workaround:
A 'write standby' from the Active unit to force a bulk sync fixes the problem, though the routing table doesn't seem to change. I was able to reproduce the problem several times.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5.21)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.13(29.28), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12)
Alert Type:
Updated *
Bug Id:
CSCuq57307
Title:
ASA 8.4 Memory leak due to duplicate entries in ASP table
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA may experience a memory leak each time a VPN tunnel is built and torn down.

Conditions:
The ASA must be configured with a QoS policy that matches on per-flow destination addresses for a particular tunnel-group. For example:

class-map vpn-class
match flow ip destination-address <<<<<<<<<<<<<
match tunnel-group 10.38.110.250
!
policy-map outside-policy
class vpn-class
police output 30000000

Workaround:
Temporarily disable the QoS policy

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.4(5)
Known Fixed Releases: *
100.11(0.57), 100.11(0.58), 100.12(0.116), 100.12(0.121), 100.13(0.52), 100.13(0.63), 100.13(21.13), 100.13(21.9), 100.13(28.2), 100.13(29.28)
Alert Type:
Updated *
Bug Id:
CSCtz98516
Title:
Observed Traceback in SNMP while querying GET BULK for 'xlate count'
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA firewall may crash when being polled by SNMP in rare circumstances.

Conditions:
This has been seen primarily in the 8.4.x ASA code train. The first fix is in ASA interim code 8.4.4.2. To trigger the bug, the ASA must be queried via SNMP for a GETBULK of the xlate OID:

1.3.6.1.4.1.9.10.77.1.2.1

Workaround:
Stop polling the ASA firewall via SNMP until an upgrade to the fixed code can be performed, or modify the OIDs being polled by your SNMP monitoring station so that they do not include the affected OIDs.

Last Modified:
24-SEP-2015
Known Affected Releases:
100.7(22.1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(28.2), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5)
Alert Type:
Updated *
Bug Id:
CSCut92194
Title:
ASA traceback in Thread Name: CP Processing
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA running version 9.3.2 is crashing intermittently on Thread Name: CP Processing.

Conditions:
ASA is configured for Websense url filtering.

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.28), 100.14(0.19), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12)
Alert Type:
Updated *
Bug Id:
CSCuu78835
Title:
Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
On the latest Atlassian version 6.4.5 of Confluence, we have the following issues when using it over clientless SSL:

1. For a new "create content" page, only the title of the page can be added; the body of the page is not editable.
2. When trying to add a comment, the body of the comment is missing, so nothing can be added.

Conditions:
Using Atlassian version 6.4.5 for Confluence

Workaround:
Use the older versions of Atlassian

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
100.8(40.67), 9.2(2), 9.3(2), 9.4(1)
Known Fixed Releases: *
100.12(0.132), 100.13(0.82), 100.14(0.57), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Alert Type:
New
Bug Id:
CSCuw38734
Title:
ASA: Traceback in Thread Name Unicorn Admin Handler
Status:
Open
Severity:
2 Severe
Description:

Symptom:
ASA device traceback with the Thread Name:-

Conditions:
ASA device configured with the Threat Detection enabled

Workaround:
None at this time

Further Problem Description:
None.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus62884
Title:
ASA 9.1.5 does not always drop connections after receiving RST+ACK flag
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA does not always drop connections after receiving RST+ACK flag

Conditions:
The problem occurs when the server receives duplicate SYN packets from the client and replies to both SYNs.

Example

Server packets

client -> server SYN (seq=3922308568) ------> 1st SYN
client -> server SYN (seq=3922308568) --------> 2nd SYN
client <- server SYN+ACK (seq=3220609139 ACK=3922308569) ------> reply for 1st SYN
client <- server RST+ACK (seq=0 ACK=3922308569) ----------> reply for the 2nd SYN


Firewall packets

client -> server SYN (seq=3922308568)
client <- server SYN+ACK (seq=3220609139 ACK=3922308569) ------> reply for 1st SYN
client <- server RST+ACK (seq=0 ACK=3922308569) ----------> reply for the 2nd SYN, which the Firewall never saw

In both the working and the non-working scenario, the Firewall always sends a single SYN packet.

Workaround:
TCP State Bypass

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.115), 100.13(0.46), 100.13(21.7), 100.13(29.28), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.7)
Alert Type:
Updated *
Bug Id:
CSCti05769
Title:
Migration of max_conn/em_limit to MPF is completely wrong in 8.3
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Migration to Modular Policy Framework may yield an incorrect configuration. This may result in loss of TCP Intercept protection against SYN floods coming from the outside, as MPF limits are configured in the incorrect direction. Protection against server overloading may also be lost because the migrated configuration incorrectly limits the number of outbound established connections from the server to the outside.

Conditions:

Workaround:
The configuration created by the migration process must be removed, and the limits must be set manually via MPF in the proper direction.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
24-SEP-2015
Known Affected Releases:
8.3(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCuu45812
Title:
asa Traceback with Thread Name idfw_proc
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
asa Traceback with Thread Name idfw_proc

Conditions:

Workaround:
no workaround available currently

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.13(29.28), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.54)
Alert Type:
Updated *
Bug Id:
CSCut49034
Title:
ASA: High CPU on standby due to RDP conn to AC client from CL SSL portal
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
CPU on standby ASA spikes to 100%

Conditions:
A host connecting through clientless VPN with the RDP plugin opens an RDP session to a host connected through AnyConnect VPN.
Stateful failover configured on an active-standby failover pair.

Workaround:
None

Further Problem Description:
High CPU on the standby ASA unit due to a specific connection through the ASA from a host connecting via clientless VPN when stateful failover is enabled. The host (connecting through clientless VPN) opens an RDP session to a host connected through AnyConnect VPN.

When this particular connection goes through the ASA, we find that the active ASA builds a single connection, while the standby ASA builds numerous connections with the same source and destination ports.
Connection on the primary/active:
act/pri/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:00, bytes 4131029, flags UO
Connections on the secondary (close to 2500):
stby/sec/alan3usv01# sh conn all add 66.241.60.197 | i 3389
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:05, bytes 4131029, flags UO
TCP outside 10.145.44.253:3389 NP Identity Ifc 66.241.60.197:62481, idle 0:00:06, bytes 4131029, flags UO

We see a lot of connection teardown on the standby for this connection.
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554151 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:02 bytes 252687 TCP Reset-O
Mar 18 2015 22:12:34: %ASA-6-302014: Teardown TCP connection 27554254 for outside:10.145.44.253/3389(LOCAL\statiajj) to identity:66.241.60.197/10994 duration 0:05:01 bytes 252687 TCP Reset-O

We also see a lot of reset packets in asp drops in the standby ASA.
1: 19:00:25.358578 0000.0000.0000 0000.0000.0000 0x0800 Length: 54
66.241.60.197.62481 > 10.145.44.253.3389: R [tcp sum ok] 0:0(0) ack 0 win 0 (ttl 255, id 52738)
Drop-reason: (mp-svc-no-channel) SVC Module does not have a channel for reinjection
Notably, both the source MAC and the destination MAC are 0 in this ASP drop.

We see overruns on the failover interface of the standby unit.
stby/sec/alan3usv01# show int gig0/3
Interface GigabitEthernet0/3 "failover1", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: LAN/STATE Failover Interface
MAC address 5475.d091.518f, MTU 1500
IP address 10.99.101.114, subnet mask 255.255.255.248
432217782 packets input, 556229026142 bytes, 0 no buffer
Received 556 broadcasts, 0 runts, 0 giants
204523310 input errors, 0 CRC, 0 frame, 204523310 overrun, 0 ignored, 0 abort
And we see a lot of packets being transferred from active to standby ASA.

In the failover debugs (fover rx) we find only the following messages:
lu_rx: HA TRANS: receive message for client vpnfo, length 48
lu_rx: HA TRANS: receive message for client vpnfo, length 72
lu_rx: HA TRANS: receive message for client vpnfo, length 72

Decoding the CPU profile output from the standby ASA shows that the high CPU is due to LU updates.

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(2), 9.1(5.21)
Known Fixed Releases: *
100.11(0.62), 100.12(0.142), 100.12(0.148), 100.13(0.106), 100.13(0.95), 100.14(0.71), 100.14(0.76), 100.14(16.8), 100.14(5.32), 100.14(5.33)
Alert Type:
Updated *
Bug Id:
CSCut27332
Title:
ASA traceback in aaa_shim_thread / command author done for dACL install
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
1. ASA traceback in aaa_shim_thread

2. ASA performs command authorization for downloadable ACL install. The VPN user is authenticated and authorized, but the dynamic ACL installation fails.

Conditions:
1.
- ASA running 9.3.2,
- High load with AnyConnect 3.0 or newer,
- Heavy DAP or dynamic ACL usage with large aggregate ACLs,
- Failover configuration,

2.

- VPN users have dynamic ACLs assigned,
- command authorization is enabled - "aaa authorization command TACACS-Server"

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(2), 9.3(3), 9.4(1)
Known Fixed Releases: *
100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.13(29.28), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.16), 100.14(26.6)
Alert Type:
Updated *
Bug Id:
CSCut12513
Title:
ASA allows citrix ICA connection without authentication
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Cisco ASA Clientless SSL VPN integration with Citrix includes downloading a .ica file from the Citrix server and serving it to the client. The .ica file includes a session token used to connect to the Citrix server.

This file is stored on the client PC and deleted by the Citrix client once the session with Citrix is terminated.

If this file is copied to a different machine, it can be reused to connect to the Citrix server via the Clientless SSL VPN feature without authentication, as long as the session of the user who initially authenticated to the Clientless SSL VPN Portal is still active.

Conditions:
The file needs to be copied from the initial pc and the authenticated user session should still be active.

Workaround:
none


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:


Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.13(29.28), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.15)
Alert Type:
Updated *
Bug Id:
CSCur20322
Title:
ASA 9.2.1 - DATAPATH Traceback in L2 cluster environment
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA in an L2 cluster environment causes a DATAPATH traceback. The unit comes back up but will not join the cluster and results in an RPC_SYSTEMERROR failure. Manual joining into the cluster causes an immediate crash after entering "enable".

Conditions:
ASA operating in 9.2.1 code and in multi-context.
ASA in a cluster L2 environment.

Workaround:
No workaround at this time.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.11), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13), 100.14(26.5)
Alert Type:
Updated *
Bug Id:
CSCuv27197
Title:
ASA SSLVPN RDP Plugin session freezes under heavy load with activex
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
RDP session freezes when a video is played over the session.

Conditions:
9.4.1
Plugins tested:
RDP1 2014
RDP2 2009
win7

Process-intensive applications in the RDP session, such as a high-definition video played either locally on the RDP machine or via YouTube.

The problem can be reproduced more consistently with ActiveX.

We have also observed the TCP window filling up and TCP ZeroWindow in a packet capture taken between the RDP server and the ASA.

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.99), 100.14(0.73), 100.14(16.8), 100.14(5.32), 100.15(0.26), 100.15(1.81), 100.15(16.3), 100.15(17.1), 100.15(3.49), 100.15(6.31)
Alert Type:
Updated *
Bug Id:
CSCuv05386
Title:
Clientless webvpn on ASA does not display asmx files
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Clientless user selects a bookmark from the web portal. The page does not display correctly: a portion of the page is garbled or missing text.

Conditions:
- Clientless user authenticates to the web portal, then selects a bookmark that points to an internal HTTP site.
- The user sees garbled or incomplete text returned from the ASA.

Workaround:
Smart Tunnel resolves the issue.
Using the stand-alone AC client resolves the issue.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.61), 100.12(0.136), 100.13(0.90), 100.14(0.68), 100.14(16.8), 100.14(5.32), 100.15(0.22), 100.15(1.42), 100.15(10.4), 100.15(15.4)
Alert Type:
Updated *
Bug Id:
CSCuu87823
Title:
ASAv traceback in DATAPATH when used for WebVPN
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASAv traceback in DATAPATH when used for WebVPN

Conditions:
ASAv running release 9.4.1 and configured for WebVPN

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.143), 100.13(0.95), 100.13(29.28), 100.14(0.71), 100.14(16.5), 100.14(5.30), 100.15(0.24), 100.15(1.68), 100.15(16.3)
Alert Type:
Updated *
Bug Id:
CSCuv42413
Title:
Dynamic Route Not Installed After Failover
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Dynamically learned routes that are not directly connected to the ASA are not installed in the routing table after failover to the standby ASA.

Conditions:
- ASAs configured in failover pair
- ASA configured for dynamic routing using OSPF
- Network statements configured under the OSPF process for networks that are not directly connected

Workaround:
Removing the network statements under the OSPF process for non-directly connected networks prevents this issue.

The issue is also resolved by manually clearing the OSPF process on the ASA (using the command: clear ospf process) after failover.

Further Problem Description:
This issue was also observed using EIGRP as the dynamic routing protocol.

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(3), 9.3(3.2)
Known Fixed Releases: *
100.11(0.61), 100.12(0.136), 100.13(0.90), 100.14(0.67), 100.14(16.8), 100.14(5.32), 100.15(0.21), 100.15(1.40), 100.15(10.4), 100.15(15.4)
Alert Type:
Updated *
Bug Id:
CSCut95793
Title:
ASA: Anyconnect IPv6 Traceroute does not work as expected
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceroute does not work as expected while connected with the AnyConnect VPN client to an ASA running software version 9.0(4)30. Traceroute completes but does not show intermediate hops; instead an asterisk "*" is shown for each intermediate hop.

Conditions:
Anyconnect 3.1.05170
ASA 9.0.4(30), 9.1(4)

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.0(4.30)
Known Fixed Releases: *
100.11(0.61), 100.12(0.137), 100.13(0.93), 100.14(0.69), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.49), 100.15(15.11), 100.15(16.1)
Alert Type:
Updated *
Bug Id:
CSCuv45756
Title:
ASA may traceback when displaying packet capture with trace option
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback.

Conditions:
ASA running 9.4(1) displaying captures with trace detail option.

Workaround:
Avoid using trace detail option in captures.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.140), 100.13(0.94), 100.14(0.70), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.56), 100.15(16.1), 100.15(2.86)
Alert Type:
Updated *
Bug Id:
CSCuu39636
Title:
Cert Auth fails with 'max simultaneous-login restriction' error
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
VPN Clients connections with Certificate Authentication fail with the following error:

[IKEv1]Group = , IP = X.X.X.X, Session terminated due to 'X' max simultaneous-login restriction.

Conditions:
VPN Clients with Certificate Authentication

ASA running 9.1.6 or later

Workaround:
Use PSK and X-Auth for authentication
Downgrade to a non-affected version

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(6), 9.4(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCur99653
Title:
Codenomicon HTTP-server suite may cause crash
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Codenomicon HTTP-server suite may cause crash

Conditions:
Codenomicon server testing

Workaround:
none

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
100.12(0.108), 100.13(1.10), 9.3(1.113)
Known Fixed Releases: *
100.12(0.132), 100.13(0.82), 100.14(0.57), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCus63993
Title:
ASA - Traceback in thread name: CERT API
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback with thread name CERT API when trying to connect to ASA with AnyConnect Client.

Conditions:
NA

Workaround:
NA

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(2.4), 9.2(3)
Known Fixed Releases: *
100.11(0.56), 100.12(0.115), 100.13(0.44), 100.13(20.12), 100.13(21.7), 100.13(29.28), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6)
Alert Type:
Updated *
Bug Id:
CSCuu31751
Title:
ASA OSPF database not reflect changes
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Shutting down an interface on R3 was not reflected in the routing table on R#1 because the ASA OSPF database did not reflect the change, although the routing table on the ASA was updated properly. The same issue is seen only in 9.2 or 9.3, not in 9.1.

R#1 <-ospf area 2--> ASA <--ospf area 0---> R#3

sh route ospf
O 10.20.20.0 255.255.255.0
[110/11] via 192.168.1.97, 00:32:33, backbone

ASA# sh ospf database 10.30.30.0
Summary Net Link States (Area 1)

Link ID ADV Router Age Seq# Checksum
10.30.30.0 1.1.1.1 1939 0x80000001 0xa245

Summary Net Link States (Area 2)

Link ID ADV Router Age Seq# Checksum
10.30.30.0 1.1.1.1 1939 0x80000001 0xa245

R1#sh ip route 10.30.30.0
Routing entry for 10.30.30.0/24
Known via "ospf 10", distance 110, metric 12, type inter area
Last update from 192.168.1.50 on GigabitEthernet0/0/0, 00:29:13 ago
Routing Descriptor Blocks:
* 192.168.1.50, from 1.1.1.1, 00:29:13 ago, via GigabitEthernet0/0/0
Route metric is 12, traffic share count is 1

Conditions:
Only seen on 9.2.x or 9.3.x (tested on 9.2(3), 9.2(3)4 and 9.3(3)); it works fine on 9.1 (tested 9.1(5)21 and 9.1(6)1).

Workaround:
clear ospf x process

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
108.2(0.7)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.28), 100.14(0.18), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12)
Alert Type:
New
Bug Id:
CSCuw41374
Title:
ASA: Distribute ACL not matching prefix correctly for filtering routes
Status:
Open
Severity:
2 Severe
Description:

Symptom:
Route Filtering not working and distribute ACL not matching prefix correctly

Conditions:
Distribute list using standard ACL configured for filtering routes

Workaround:
None at this time

Further Problem Description:

Last Modified:
26-SEP-2015
Known Affected Releases:
9.1(6.8)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCus27650
Title: *
Cut Through proxy not working correctly with TLS1.2
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Cut Through Proxy and TLS Proxy may fail to function when using TLS1.2.

Conditions:

Workaround:
None

Further Problem Description:

Last Modified:
28-SEP-2015
Known Affected Releases:
100.13(1.32), 9.3(2)
Known Fixed Releases:
100.12(0.130), 100.13(0.80), 100.13(29.28), 100.14(0.43), 100.14(16.1), 100.14(5.20), 100.14(7.40), 100.15(0.16), 100.15(1.20), 100.15(2.53)
Alert Type:
Updated *
Bug Id:
CSCuw42801
Title:
ASA standby node crashing continuously
Status:
Open
Severity:
2 Severe
Description: *

Symptom:
The standby ASA of a failover pair running 8.2.5.7 in multiple-context mode is crashing continuously with a stack trace.

Conditions:
Standby ASA of a failover pair running 8.2.5.7 in multiple-context mode

Workaround:
None.

Further Problem Description:

Last Modified:
28-SEP-2015
Known Affected Releases:
8.2(5.7)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw26991
Title:
ASA: Traceback in Thread Unicorn Admin Handler due to Threat Detection
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA device traceback in Unicorn Admin Handler possibly due to Threat Detection configured on the ASA device

Conditions:
ASA device configured with Threat Detection

Workaround:
Disabling Threat Detection is a possible workaround for this issue.

Further Problem Description:

Last Modified:
28-SEP-2015
Known Affected Releases:
9.3(2.2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv87150
Title:
ASA crash in Thread Name: fover_parse (ak47/ramfs)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA 5525 running version 9.5(1) crashing in Thread Name: fover_parse (ramfs)

Conditions:
ASA is in failover pair.

Workaround:
No workaround

Further Problem Description:

Last Modified:
28-SEP-2015
Known Affected Releases:
9.4(1.5), 9.5(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv96011
Title:
OSPF over IKEv2 L2L tunnel is broken on ASA with 9.2.1 onwards
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
OSPF over IKEv2 L2L tunnel is broken on ASA in 9.2(1) onwards. Routes are installed into OSPF database successfully, but they are absent in the main routing table.

Conditions:
-IKEv2 L2L configured to propagate routes over OSPF on ASA running 9.2.1 or above.

Workaround:
-Downgrade the ASA to 9.1(5), if an option.
-Use IKEv1 tunnel

Further Problem Description:
None

Last Modified:
29-SEP-2015
Known Affected Releases:
9.2(1), 9.3(3), 9.4(1), 9.5(1)
Known Fixed Releases: *
100.12(0.148), 100.13(0.104), 100.14(0.76), 100.15(0.29), 100.15(1.95), 100.15(16.7), 100.15(17.10), 100.15(3.55), 100.15(8.15), 9.2(4.1)
Alert Type:
Updated *
Bug Id:
CSCus10787
Title:
Transactional ACL commit will bypass security policy during compilation
Status:
Fixed
Severity:
2 Severe
Description:

Symptoms:
Traffic can bypass the security policy when the transactional-commit access list is configured. This can happen only when a new ASA is added to a cluster and the access-list configuration is newly applied. The bypass can happen only during the compilation time. Additionally, the interface security policy will still be respected, so no traffic will be passed from an interface with a lower security level to an interface with a higher security level.

Conditions:

Cisco ASA Software is affected by this issue if the transactional-commit access list feature is enabled. This can be determined by using the show running-config asp rule-engine transactional-commit access-group command and verifying that it returns output.
The following example shows a Cisco ASA configured with the transactional-commit feature:

ciscoasa# show running-config asp rule-engine transactional-commit access-grou$
asp rule-engine transactional-commit access-group

Note: Transactional-commit feature is not configured by default.

Workaround:
There is no workaround other than disabling the feature.

Further Problem Description:
A vulnerability in the transactional-commit access list feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to bypass interface access control policies and send traffic through the affected system.

The vulnerability is due to improper implementation of the feature. An attacker could exploit this vulnerability by sending traffic through the affected system while the system boots for the first time or while an affected system joins a cluster. Additionally, the interface security policy will still be respected, so no traffic will be passed from an interface with a lower security level to an interface with a higher security level. An exploit could allow the attacker to send traffic through the system, bypassing the interface access control policies.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
29-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
9.1(6.180), 9.1(6.181), 9.1(6.182), 9.1(6.183)
Alert Type:
Updated *
Bug Id:
CSCuu61573
Title:
9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback on slave unit in cluster after running large amounts of fragmented traffic through the device.

Conditions:
Cisco ASA running release 9.1.6 in a 4-node cluster configured for L2 mode.

Workaround:
None

Further Problem Description:

Last Modified:
29-SEP-2015
Known Affected Releases:
100.13(0.31), 100.15(1.11), 9.0(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.144), 100.13(0.96), 100.14(0.71), 100.15(0.24), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45), 100.15(6.29)
Alert Type:
Updated *
Bug Id:
CSCuv80223
Title:
ASA Rest-API fails to start with command authorization enabled
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
REST-API will show as enabled but calls will fail with an internal error.

Conditions:
ASA configured with REST-API agent and command authorization also enabled.

Workaround:

Further Problem Description:
If "aaa authorization command" is configured, the REST Agent requires that an "enable_1" user with privilege 15 is present on the ASA. This is the account the REST Agent is using to communicate with the ASA, when it attempts to load and parse the ASA's configuration initially, and whenever the ASA's configuration changes.

Last Modified:
01-OCT-2015
Known Affected Releases:
9.3, 9.4
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw44744
Title:
Traceback in WebVPN rewriter
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Traceback while processing WebVPN connections in the rewriter

Conditions:
ASA 5585 running special release 9.3.3.225.

Workaround:
None.

Further Problem Description:

Last Modified:
01-OCT-2015
Known Affected Releases:
9.3(3.225)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw45910
Title:
Traceback during SMBFS unmount
Status:
Open
Severity:
2 Severe
Description:

Symptom:
Traceback during SMBFS unmount

Conditions:
Cisco ASA running special release 9.3.3.225

Workaround:
None.

Further Problem Description:

Last Modified:
01-OCT-2015
Known Affected Releases:
9.3(3.225)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv66333
Title:
ASA picks incorrect trustpoint to verify OCSP Response
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may fail to verify a valid OCSP response during OCSP revocation check for VPN clients.

Conditions:
Revocation check is enabled under the trustpoint using OCSP and an override using cert-map is not configured

Workaround:
None

Further Problem Description:

Last Modified:
01-OCT-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.13(0.110), 100.15(0.48), 99.2(2.3)
Alert Type:
Updated *
Bug Id:
CSCus78450
Title: *
ASA cert validation fails when suitable TP is above the resident CA cert
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
When a client tries to authenticate by sending its certificate chain (in this case the Client-ID and Sub-CA certificates), and the Sub-CA trustpoint has "no validation-usage" configured, the ASA picks the Root-CA trustpoint to validate the certificate chain.

Validation fails under this condition, where the validating trustpoint is higher in the hierarchy than the highest CA certificate resident on the ASA among those sent by the client in the certificate chain.

Conditions:
ASA running on a version that contains the fix for CSCuq53421 such as 9.1(5)15, 9.3(2), 9.4(1).
Also, the client certificate is issued at least by a first-level subordinate CA, i.e. the client certificate hierarchy should be at least 3 levels:
Root -- Sub --- Client-ID

ASA is configured to authenticate clients using their ID certificate.

ASA would have Sub and Root CA loaded.
ASA should end up picking Root CA TP in order to validate the client cert chain.

For example:
the Sub-CA TP could have "no validation-usage" configured

Workaround:
Make sure the validating trustpoint is the same as the highest CA in the client certificate chain

Further Problem Description:

Last Modified:
01-OCT-2015
Known Affected Releases:
9.1(5.16)
Known Fixed Releases:
100.11(0.58), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.13(29.28), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11)
Alert Type:
New
Bug Id:
CSCsd74902
Title:
webVPN native browsing can't browse some pages
Status:
Fixed
Severity:
2 Severe
Description:

ASA webvpn native browsing. Browsing to some links failed.

Versions 7.1(1) and 7.0(4) have been tested; all have the problem.


#################################################################################
I opened this bug 9 years ago when I was in TAC. I'm not working in TAC or supporting ASA now. Not sure if this problem still happens. Could you please help to close this bug?


Symptom: A client from outside can browse the server, but on a certain page, when lines per page is set to 19, it fails to browse further; if lines per page is set to 18 or lower, it can browse. A client from inside can browse the server without problem.

The symptom is consistent.
Conditions: Tested with the server's NIC MTU set very low (393) and also "sysopt conn tcpmss 1000".
Workaround: No.

Last Modified:
01-SEP-2015
Known Affected Releases:
7.1(1)
Known Fixed Releases:
7.1(2), 7.2(1)
Alert Type:
Updated *
Bug Id:
CSCus11465
Title:
ASA teardown connection after receiving same direction fins
Status:
Fixed
Severity:
2 Severe
Description: *

Symptom:
ASA version 9.2.2.4 or 9.3.1 will tear down a TCP connection after receiving FIN/ACK, FIN/ACK in the same direction.

Conditions:
ASA version 9.2.2.4 or 9.3.1
Receiving FIN/ACK, FIN/ACK in the same direction

Workaround:
Use TCP bypass.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
08-SEP-2015
Known Affected Releases:
9.2(2), 9.3(1)
Known Fixed Releases:
100.11(0.55), 100.12(0.111), 100.13(0.22), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(12.1), 100.14(2.1)
Alert Type:
Updated *
Bug Id:
CSCup94968
Title:
ASA Traceback in Thread Name: IP Address Assign
Status:
Terminated
Severity:
2 Severe
Description: *

Symptom:
ASA reloads with a traceback in thread name IP Address Assign

Conditions:

Workaround:

Further Problem Description:

Last Modified:
08-SEP-2015
Known Affected Releases:
9.1(5.10)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCtq43504
Title:
ASA: Traceback in SSH thread when removing manual NAT rule
Status:
Terminated
Severity:
2 Severe
Description:

Symptoms:
When removing a manual NAT rule from the ASA's configuration, the ASA may crash and reload with a traceback in the SSH thread.

Conditions:

The user must be removing a manual NAT rule from the configuration with the following characteristics:

1. The destination portion of the rule must contain an object with a large range of addresses
and
2. The rule must contain a service object

Workaround:

This issue is no longer reproducible on 8.4.4.1 and higher.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
08-SEP-2015
Known Affected Releases:
8.4(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCur81376
Title:
ASA traceback in Thread Name: ci/console, assertion "snp_sp_action.c"
Status:
Fixed
Severity:
2 Severe
Description:

ASA tracebacks in Thread Name: ci/console or Thread Name: Unicorn Admin Handler, assertion "snp_sp_action.c" while configuring dns inspection.

Conditions:
So far this has only been observed while making changes to DNS inspection related configuration.

Workaround:
N/A

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
08-SEP-2015
Known Affected Releases:
9.1(5.100), 9.3(1)
Known Fixed Releases:
100.11(0.55), 100.12(0.111), 100.13(0.15), 100.13(1.36), 100.13(19.9), 100.13(21.6), 100.13(23.4), 100.13(24.4), 100.8(40.94), 9.0(4.31)
Alert Type:
New
Bug Id:
CSCuv72094
Title:
XMLSoft libxml2 XPath Evaluation Remote Denial of Service Vulnerabilit
Status:
Open
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-2821

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:W/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-2821 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
09-SEP-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv72091
Title:
XMLSoft libxml2 String Substitutions Remote Denial of Service Vulnerab
Status:
Open
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2013-0338

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2013-0338 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
09-SEP-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv72093
Title:
XMLSoft libxml2 XPath Handling Denial of Service Vulnerability
Status:
Open
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-2834

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:UC

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-2834 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
09-SEP-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv72045
Title:
Info-ZIP Unzip Uncompressed Extra Fields Integer Underflow Vulnerabili
Status:
Open
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-8140

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:W/RC:UR

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-8140 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
09-SEP-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv72044
Title:
Info-ZIP UnZip Zip64 Files Buffer Overflow Vulnerability
Status:
Open
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-8141

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.3:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:U/RC:UR

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-8141 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
09-SEP-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv72102
Title:
Linux Kernel TCP Sequence Number Generator Packet Injection Vulnerabil
Status:
Open
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2011-3188

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.8:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2011-3188 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
09-SEP-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv72054
Title:
Linux Kernel EXT4 Filesystem Denial of Service Vulnerability
Status:
Open
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2015-0275

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 4.4:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:N/I:N/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2015-0275 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
09-SEP-2015
Known Affected Releases:
1.1(2), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 99.1
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv72048
Title:
Info-ZIP UnZip Uncompressed Extra Fields Buffer Overflow Vulnerability
Status:
Open
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-9636

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:W/RC:UR

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-9636 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
09-SEP-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv72050
Title:
Linux Kernel XFS Attribute Handling Privilege Escalation Vulnerability
Status:
Open
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2015-0274

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 6.9:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2015-0274 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
09-SEP-2015
Known Affected Releases:
1.1(2), 9.3(2), 9.3(2.200), 9.4(1), 9.5(1.200), 9.5(2), 99.1
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuv72104
Title:
Linux Kernel shmid_ds Structure Local Information Disclosure Vulnerabi
Status:
Open
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2010-4072

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 1.5:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:L/AC:M/Au:S/C:P/I:N/A:N/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2010-4072 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
09-SEP-2015
Known Affected Releases:
8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 9.2(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCun45787
Title:
Duplicated CHILD SAs in 1 IKEv2 SA, traffic dropped vpn-overlap-conflict
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When the condition below matches, the ASA may end up creating multiple SPI sets for a single proxy-ID set, i.e. multiple IPsec SAs (Child SAs) are created for the same local and remote subnets/identities.

Note that this only occurs for the second or the subsequent Child-SA negotiations, barring the first Child-SA created during IKE-AUTH.

When this occurs, ASA drops the traffic over this SA with "vpn-overlap-conflict" asp drop reason [show asp drop].

Conditions:
ASA acting as an IKEv2 L2L endpoint with more than one IPsec SA negotiated.
The IKEv2 SA goes down and re-negotiates due to an external communication failure.

Workaround:
Clear the SA and make sure that the race condition does not occur.

Further Problem Description:
Note that there are no duplicate crypto ACL entries (proxy identities) in this scenario; if duplicates exist, this scenario does not apply and it is not supported.

Last Modified:
09-SEP-2015
Known Affected Releases: *
100.12(30.8), 9.1(4)
Known Fixed Releases:
100.11(0.54), 100.12(0.98), 100.12(23.4), 100.12(24.3), 100.12(30.2), 100.13(0.11), 100.13(1.3), 100.13(11.19), 100.13(12.40), 100.13(16.18)
Alert Type:
New
Bug Id:
CSCuv72064
Title:
Network Time Protocol Daemon Authentication Bypass Vulnerability
Status:
Open
Severity:
2 Severe
Description:

Symptoms:

This product includes Third-party Software that is affected by the
vulnerabilities identified by the following Common Vulnerability and
Exposures (CVE) IDs:

CVE-2014-9296

This bug was opened to address the potential impact on this product.

Conditions:

Device with default configuration.

Workaround:

Not currently available.

Further Problem Description:

Additional details about the vulnerabilities listed above can be found
at http://cve.mitre.org/cve/cve.html.

PSIRT Evaluation:

The Cisco PSIRT has assigned this bug the following CVSS version 2
score. The highest Base and Temporal CVSS scores of all vulnerabilities
tracked by this bug as of the time of evaluation are 5.0:

https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C

The Cisco PSIRT has assigned this score based on information obtained
from multiple sources. This includes the CVSS score assigned by the
third-party vendor when available. The CVSS score assigned may not
reflect the actual impact on the Cisco Product.

CVE ID CVE-2014-9296 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be
found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
09-SEP-2015
Known Affected Releases:
1.1(2), 99.1
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv11566
Title:
ASA LDAP CRL query baseObject DN string is malformed
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
In the following example configuration, notice that the LDAP DN String for CRL query is:
CN=TAC CA KRK 10,o=VPN TAC,c=Pl

Instead the ASA sends:
CN=TAC CA KRK 10,o 20TAC,c,c=Pl

Since the LDAP query is malformed, the CRL check will fail.

Conditions:
ASA 9.3 and above configured to perform CRL validation of Peer certificates using LDAP.

Example:
crypto ca trustpoint Praveen
revocation-check crl
policy static
url 1 ldap://10.48.62.208:389/CN=TAC%20CA%20KRK%2010,o=VPN%20TAC,c=Pl

Workaround:
None. CRL check using HTTP continues to work.

Further Problem Description:
This issue occurs when the LDAP query URL contains white spaces encoded as %20.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
10-SEP-2015
Known Affected Releases:
9.3(3)
Known Fixed Releases: *
100.12(0.137), 100.13(0.91), 100.14(0.68), 100.15(0.22), 100.15(1.42), 100.15(10.4), 100.15(15.4), 100.15(2.75), 100.15(3.20), 100.15(4.25)
Alert Type:
New
Bug Id:
CSCuw19520
Title:
ASA cluster crash with Thread Name: ci/console on show int ip br
Status:
Other
Severity:
2 Severe
Description:

Symptom:
An ASA in a cluster crashes with Thread Name: ci/console when the command show int ip br is issued within a context.

Conditions:
L2 clustering must be enabled on the ASA.

This happens when nameif is not applied on an L3 interface that has both a cluster pool IP and an IP address configured.

Workaround:
To work around the issue, apply the nameif to the interface.

Further Problem Description:

Last Modified:
11-SEP-2015
Known Affected Releases:
9.5(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur45455
Title:
ASA crashes in DHCPV6 Relay agent feature Functionality
Status:
Fixed
Severity:
2 Severe
Description:

Symptoms:
The ASA may crash in thread name DHCPv6 Relay.

Conditions:
This can be triggered by a malformed DHCPv6 packet when DHCPv6 relay is configured.
To verify whether this feature is configured, use the show run ipv6 dhcprelay command and confirm that the feature is enabled on at least one interface.
The following example shows the DHCPv6 relay feature enabled on the outside interface:

asa#show run ipv6 dhcprelay
ipv6 dhcprelay enable outside

Workaround:
Further Problem Description:
A vulnerability in the DHCP relay function of Cisco ASA Software could
allow an unauthenticated, adjacent attacker to cause a reload of the
affected system.

The vulnerability is due to insufficient validation of crafted DHCP
packets. Only Cisco ASA devices configured as a DHCP version 6 relay are
affected by this vulnerability. An attacker could exploit this vulnerability
by sending crafted DHCPv6 packets through the affected system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.7/4.7:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-0578 has been assigned to document this issue.

Additional details about the vulnerability described here can be found at:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0578

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
16-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.54), 100.12(0.103), 100.12(24.5), 100.12(30.2), 100.13(0.12), 100.13(1.13), 100.13(11.23), 100.13(16.22), 100.13(19.6), 100.13(20.3)
Alert Type:
Updated *
Bug Id:
CSCuu45813
Title:
ASA Name Constraints dirName improperly verified
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When performing SCEP enrollment to a CA whose certificate contains the X.509 Name Constraints extension with a dirName constraint, the ASA fails with the error:
CERT-C: I pkixpath.c(2726) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received

Conditions:

Workaround:

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.38), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCuv70576
Title:
ASA: 1550 block depletion due to L2L VPN traffic
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
1550 block depletion on the ASA due to L2L VPN traffic.

Conditions:
ASA configured with an L2L VPN.

Workaround:
NONE

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(6.6)
Known Fixed Releases: *
100.11(0.62), 100.12(0.140), 100.13(0.95), 100.14(0.70), 100.14(16.8), 100.14(5.32), 100.15(0.24), 100.15(1.60), 100.15(16.1), 100.15(17.1)
Alert Type:
Updated *
Bug Id:
CSCuu73395
Title:
Auth-prompt configured in one context appears in another context
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Auth-prompt configured in one context appears in another context.

Conditions:
++ Device in multiple context mode.
++ More than one context.
++ More than one context with cut-through proxy configured.
++ Only one context with a custom auth-prompt.

Workaround:
If auth-prompt is configured in all the contexts, the issue is not seen.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.0(4.24), 9.1(4), 9.4(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.137), 100.13(0.94), 100.14(0.69), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.49), 100.15(1.51), 100.15(15.11)
Alert Type:
Updated *
Bug Id:
CSCuu84697
Title:
ASA Traceback in Thread Name ssh/client
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA Traceback in Thread Name: ssh/client

Conditions:
There are two known crashes:
The first one occurs when the ASA uses the "copy scp://" CLI to communicate with an external SSH v1 server.
SSH v1 is not a supported protocol when using scp on the ASA.
The second one occurs when multiple simultaneous "copy scp://" CLI commands are issued on the ASA. There is a timing factor here: the crash is only seen if two "copy scp://" commands are issued on the ASA at more or less the same time, which in practice only happens through an automated script.

Workaround:
For the first crash, make sure that the external SSH server is running SSH v2.
For the second crash, it can be avoided if the automated script does not start multiple concurrent "copy scp://" CLI commands on the ASA at the same time.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(6), 9.1(6.1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.87), 100.14(0.66), 100.14(16.3), 100.14(5.26), 100.15(0.20), 100.15(1.34), 100.15(10.4), 100.15(2.73)
Alert Type:
Updated *
Bug Id:
CSCuu04160
Title:
snmpwalk causes slow memory leak on ASA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Free memory on the ASA declines slowly over time (memory leak).

Conditions:
ASA configured to allow SNMP polling.
An NMS is performing an SNMP walk of the ASA.

Workaround:
Disable SNMP on the ASA.
Stop SNMP walking the ASA.
Reboot the ASA to clear the leaked memory.

Further Problem Description:
This may also cause a CPU hog in qos_metric_daemon after some time.

Last Modified:
24-SEP-2015
Known Affected Releases:
100.13(30.7), 9.4(1)
Known Fixed Releases: *
100.13(0.72), 100.13(21.13), 100.13(29.28), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.25), 100.14(7.23), 100.15(0.9), 100.15(1.3)
Alert Type:
Updated *
Bug Id:
CSCut15570
Title:
AnyConnect SSL VPN certificate authentication fails on ASA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
AnyConnect SSL VPN certificate authentication fails on the ASA.

Conditions:
-- Certificate authentication is in use.
-- In debug crypto ca the following error is observed:

CERT-C: I pkixpath.c(1170) : Error #72

Workaround:

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.13(29.28), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11)
Alert Type:
Updated *
Bug Id:
CSCuv88785
Title:
RA validation failed when CA/subCA contains name constraints
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When performing SCEP enrollment to a CA whose certificate contains the X.509 Name Constraints extension, the ASA fails with the error:

CRYPTO_PKI: Found a subject match - inserting the following cert record into certList
CERT-C: I pkixpath.c(2728) : Error #751h
CRYPTO_PKI:Invalid certificate received (status = 1873)
CRYPTO_PKI:Invalid RA certificate received
CRYPTO_PKI: Unable to read CA/RA certificates.Error processing auth response. Unable to send PKI request
CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status: Crypto CA thread sleeps!

Conditions:

Workaround:

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(1), 9.1(2), 9.3(1), 9.4(1), 9.4(1.100), 9.4(1.201)
Known Fixed Releases: *
100.13(0.100), 100.14(0.74), 100.14(16.8), 100.14(5.32), 100.15(0.26), 100.15(1.92), 100.15(16.5), 100.15(17.7), 100.15(3.51), 100.15(8.14)
Alert Type:
Updated *
Bug Id:
CSCuv12884
Title:
Unable to authenticate with removed aaa-server from different context
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Authentication error in one context after the aaa-server configuration was removed from a different context.

Conditions:
- Several contexts are using the same LDAP server.

Workaround:
Reload the ASA.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.6(1), 9.1(5), 9.2(3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.136), 100.13(0.89), 100.14(0.67), 100.14(16.8), 100.14(5.32), 100.15(0.21), 100.15(1.38), 100.15(10.4), 100.15(15.2)
Alert Type:
Updated *
Bug Id:
CSCuu56912
Title:
ASA change non-default port to 443 for https traffic redirected to CWS
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The ASA changes a non-default port to 443 for HTTPS traffic redirected to CWS.

When a user types the URL https://X.X.X.X:YYYY into a web browser, debug scansafe generates:
...
Complete Connect Method (513)
CONNECT X.X.X.X:443 HTTP/1.0
HOST: X.X.X.X:443
...

For traffic captured on the outside interface towards the CWS tower, the Wireshark 'Follow TCP Stream' view displays:
CONNECT X.X.X.X:443 HTTP/1.0
HOST: X.X.X.X:443

Conditions:
The ASA is configured to redirect HTTPS traffic on a non-default port to CWS.

Workaround:
NONE

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.0, 9.1, 9.4
Known Fixed Releases: *
100.12(0.129), 100.13(0.79), 100.13(29.28), 100.14(0.39), 100.14(16.1), 100.14(5.19), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuv25327
Title:
bgp ipv6 neighborship fails with ASA after hard reset on router
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
BGP IPv6 neighborship with the ASA fails after a hard reset on the router.

Conditions:
ASA running 9.5.1 or above has this issue.

Workaround:
Reset connection on ASA using clear ip bgp * command.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
100.14(0.61)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.85), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.62)
Alert Type:
Updated *
Bug Id:
CSCuu32905
Title:
ASA WebVPN: Javascript fails to execute when accessing internal portal
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
On an ASA running WebVPN, when a user clicks on an internal portal page, the Java console logs the error "function expected" in cte.js.

Conditions:
Issue was seen and replicated on ASA 9.1(5.21) and 9.1(6).

Workaround:
None.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
100.8(40.67), 9.1(6)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.26), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCze96017
Title:
Active ftp-data is blocked by Firepower on Chivas Beta on 5512
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The system incorrectly processes data channels matching applied access control, intrusion, and network discovery policies.

Conditions:
Configure an ASA FirePOWER module running Version 5.0 or later with network address translation (NAT).

Workaround:
1. Create a policy to allow ftp-data traffic from Server to Client
or
2. Use passive FTP

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases: *
100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12), 100.15(5.20)
Alert Type:
Updated *
Bug Id:
CSCuq10239
Title:
Windows 8 with new JRE, IE is not gaining access to smart tunnel
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
IE on Windows 8 cannot access smart tunnel when it is started with Java.

Conditions:
The user starts smart tunnel with Java while UAC is turned on.

Workaround:
Turn UAC off or use ActiveX to start smart tunnel.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.4(7)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.24), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13)
Alert Type:
Updated *
Bug Id:
CSCut49111
Title:
ASA traceback because of TD tcp-intercept feature
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Multiple crashes have been observed on an ASA with threat-detection statistics tcp-intercept enabled.

Conditions:
When threat-detection statistics tcp-intercept is enabled

Workaround:
Disabling threat-detection tcp-intercept statistics stops the crash.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases: *
100.11(0.58), 100.12(0.125), 100.13(0.73), 100.13(21.13), 100.13(29.28), 100.14(0.12), 100.14(10.17), 100.14(5.15), 100.14(6.27), 100.14(7.26)
Alert Type:
Updated *
Bug Id:
CSCuu66218
Title:
ASA is not correctly handling errors on AES-GCM ICV
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
A vulnerability in the AES-GCM code of Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to modify the contents of an encrypted IPSec or IKEv2 packet, and for those modifications not to be detected.

The vulnerability is due to an error on the firmware of the Cavium Networks cryptographic module. Due to this vulnerability, the ICV is not checked. An attacker could exploit this vulnerability by intercepting encrypted packets in transit and modifying their contents. Such packets would be decrypted by the ASA and then forwarded to their destination, without the modification being detected.

Please note that this vulnerability does NOT allow an attacker to decrypt the packets in transit, nor obtain information about the session keys being used for the security association.

This vulnerability does NOT impact SSL/TLS traffic originated or destined to the ASA.

Conditions:
An IKEv2 or an IPSec policy using any of the following algorithms for data encryption: aes-gcm, aes-gcm-192, aes-gcm-256.

This vulnerability only applies to the following ASA models: ASA5506-X (all hardware models), ASA5508-X, and ASA5516-X.

Workaround:
There is no workaround for customers whose security policy requires the use of AES-GCM.

For customers that can use an alternative encryption algorithm, IKE or IPSec policies using AES-GCM could be changed to use AES instead.

Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:

http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2015-4550 has been assigned to document this issue.

Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html


Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(3), 9.4(1.1)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.13(29.28), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 9.3(3.2), 9.4(1.2)
Alert Type:
Updated *
Bug Id:
CSCuv01177
Title:
ASA: traceback in IDFW AD agent
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA5585 in failover pair may traceback in IDFW process.

Conditions:
ASA running IDFW features.

Workaround:
Disable IDFW.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCut28217
Title:
Active ASA in failover setup reboots on its own
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Active ASA in failover setup reboots on its own.

Conditions:
Active ASA in failover setup reboots on its own.

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.11(0.58), 100.12(0.120), 100.13(0.62), 100.13(21.12), 100.13(28.2), 100.13(29.28), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11)
Alert Type:
Updated *
Bug Id:
CSCuu97304
Title:
SSL connection failing to WebVPN portal
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Access to the WebVPN portal is broken.

Conditions:
Attempting to access the WebVPN portal via a browser.

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
100.12(0.130), 100.14(0.39), 100.14(0.43), 100.14(0.46)
Known Fixed Releases: *
100.12(0.132), 100.13(0.82), 100.13(29.28), 100.14(0.56), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12), 100.15(4.15)
Alert Type:
Updated *
Bug Id:
CSCuu48626
Title:
ASA - access list address argument changed from host 0.0.0.0 to host ::
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA changes the configured access-list address argument from "host 0.0.0.0" to "host ::"

Conditions:
ASA version 9.3.2 and 9.3.3

Workaround:
The check can be bypassed by using an object in the ACL:
1. Create a network object for host 0/0
object network HOST-0
host 0.0.0.0
2. Use this network-object in an extended access-list:
access-list NAME extended permit ip object HOST-0 any

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(2), 9.3(3)
Known Fixed Releases: *
100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCut37974
Title:
EIGRP authentication not working with simple password
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Routes are not learned after enabling MD5 authentication in EIGRP, and EIGRP authentication does not work with a 16-character key.

Conditions:
ASA(9.1.3) running EIGRP with authentication

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
100.14(2.10), 100.14(4.12), 9.2(3.4), 9.4(1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.15), 100.14(26.6)
Alert Type:
Updated *
Bug Id:
CSCus84220
Title:
ASA crashes for the OSPFv2 packets from codenomicon
Status:
Fixed
Severity:
2 Severe
Description:

Symptoms:
Cisco ASA crashes in thread name OSPF-3

Conditions:
OSPFv2 is configured and crafted packets are sent to the OSPF interface.

Workaround:
none

Further Problem Description:
A vulnerability in the OSPFv2 code of Cisco ASA Software could allow an unauthenticated, adjacent attacker to cause a reload of the affected system.

The vulnerability is due to improper handling of OSPFv2 packets. An attacker could exploit this vulnerability by sending crafted packets to the affected system.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.1/5:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-4239 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
24-SEP-2015
Known Affected Releases:
100.13(0.21), 9.3(2.243)
Known Fixed Releases: *
100.12(0.116), 100.13(0.51), 100.13(21.8), 100.14(0.3), 100.14(1.3), 100.14(10.7), 100.14(11.7), 100.14(2.8), 100.14(26.3), 100.14(3.4)
Alert Type:
Updated *
Bug Id:
CSCus32005
Title:
ASA - Traceback in thread name SSH while applying BGP show commands
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback in thread name SSH while running BGP show commands.

Conditions:
ASA running 9.2.2.4

Workaround:
not known

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(2.4)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.56), 100.13(21.10), 100.13(29.28), 100.14(0.5), 100.14(1.4), 100.14(10.8), 100.14(11.8), 100.14(2.12)
Alert Type:
Updated *
Bug Id:
CSCus47259
Title:
Cisco ASA XAUTH Bypass Vulnerability
Status:
Fixed
Severity:
2 Severe
Description:

Symptoms:
Due to a vulnerability in the IKEv1 code it is possible to bypass XAUTH authentication by sending crafted IKE messages.

Conditions:
This applies only to deployments configured with Remote VPN and IKEv1.
Knowledge of the PSK or a valid certificate is needed to perform the attack.

This vulnerability affects only the following trains:
- 7.x
- 8.0
- 8.1
- 8.2 prior to 8.2.2.13

This issue has been fixed as part of another bug: CSCtg28821

Workaround:
none

Further Problem Description:

A vulnerability in the IKE version 1 code of Cisco ASA Software could allow an authenticated, remote attacker to bypass x-auth authentication and successfully log in via IPsec remote VPN.

The vulnerability is due to improper implementation of the logic of the x-auth code. An attacker could exploit this vulnerability by sending crafted IKEv1 packets to the affected system. The attacker would need to know the tunnel group pre-shared key or have a valid certificate in order to exploit this vulnerability. This vulnerability affects only Cisco ASA Software configured for IKEv1 IPSec remote access and IKEv1 IPSec Lan-to-Lan. An exploit could allow the attacker to bypass the authentication and gain access to the network via remote VPN.


PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2015-0760 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
24-SEP-2015
Known Affected Releases:
8.0(2)
Known Fixed Releases: *
100.11(0.58), 100.12(0.123), 100.13(0.68), 100.13(21.13), 100.13(29.28), 100.14(0.10), 100.14(10.13), 100.14(26.11), 100.14(5.14), 100.14(6.14)
Alert Type:
Updated *
Bug Id:
CSCuv87744
Title:
traceback in Thread Name: fover_parse
Status:
Other
Severity:
2 Severe
Description: *

Symptom:
ASA reloads in Thread Name: fover_parse

Conditions:
ASA running 9.4.1.5 code.

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1.5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu63656
Title:
ASA not generating PIM register packet for directly connected sources
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Topology
------------
Sender ---> ASA(DR) ----> RP -----> Receiver

Running 9.2.1 or later on the ASA, with the Sender directly connected to the ASA (DR):
Sender is behind the ASA
RP is in front of the ASA
The ASA does not send the PIM Register packet to the RP

Conditions:
running 9.2.1 or later

Workaround:
Downgrade to release 9.1.5.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(1), 9.3(2), 9.4
Known Fixed Releases: *
100.12(0.130), 100.13(0.80), 100.14(0.45), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.54), 100.15(3.8), 100.15(4.12)
Alert Type:
Updated *
Bug Id:
CSCut56198
Title:
Clustering: Traceback in DATAPATH with transparent FW
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA traceback occurred on one of the slave units in a 4 node cluster in the DATAPATH thread. Stack trace indicates that the ASA was doing a transparent firewall operation.

Conditions:
Cisco ASA running release 9.2.1.213 and configured as a cluster slave with multi-context configuration which included mixed-mode contexts.

Workaround:
None

Further Problem Description:
Please see Eng-note.

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(1.213), 9.3(2.108)
Known Fixed Releases: *
100.11(0.57), 100.11(0.58), 100.12(0.120), 100.12(0.121), 100.13(0.61), 100.13(21.12), 100.13(21.13), 100.13(28.2), 100.13(29.28), 100.14(0.7)
Alert Type:
Updated *
Bug Id:
CSCuu88437
Title:
ASA5506-X:copy file operations fail with jumbo-frame-reservation config
Status:
Other
Severity:
2 Severe
Description:

Symptom:
Copy file operations fail with an error when running these images (9.4.1.1, 9.4.1.2) on an ASA-5506-X with "jumbo-frame reservation" enabled in the config. The error displayed is as below:

"Error writing disk0:/ (Cannot allocate memory)"

It doesn't matter what file you operate on, an asdm or an lfbff image, and whether you are copying from ftp/tftp to disk0 or simply copying a file from disk0://file to disk0://file1.
I used the asdm-732.bin image for this operation:
"copy disk0:/asdm-732.bin disk0:/asdm1", which errors out with the above error.

Conditions:
Copy file operations to disk0 on an ASA5506-X.

Workaround:
Remove the "jumbo-frame reservation" CLI config and reboot; copy operations then succeed. Re-enable the CLI after copy operations are complete.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
100.14(0.47)
Known Fixed Releases: *
100.13(0.81), 100.14(0.48), 100.14(0.49), 100.14(0.66), 100.14(16.1), 100.14(16.3), 100.14(5.23), 100.14(5.26), 100.14(7.42), 100.15(0.17)
Alert Type:
Updated *
Bug Id:
CSCus92856
Title:
ASA traceback in DATAPATH Thread due to Double Block Free
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA reloads and generates crashinfo in Thread DATAPATH.
The issue is specific to a cluster with multi-context mode and interface sharing; it was exposed by fragmentation occurring on the shared interface.

Conditions:
Clustering is enabled on ASA

Workaround:
Avoid using loopback/shared interface

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.58), 100.12(0.124), 100.13(0.72), 100.13(21.13), 100.13(29.28), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.24), 100.14(7.23)
Alert Type:
Updated *
Bug Id:
CSCus70693
Title:
ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO:
Status:
Fixed
Severity:
2 Severe
Description:

After upgrade to 9.3.2 SSL VPNs stop working.

Symptom:
SSL sessions (either WebVPN or AnyConnect) cannot be established, with the following error from AnyConnect:
"Could not connect to server. Please verify Internet connectivity and server address."

In the DART:
Type : Error
Source : acvpnui

Description : Function: ConnectMgr::run
File: .\ConnectMgr.cpp
Line: 674
Invoked Function: ConnectMgr::initiateConnect
Return Code: -29622263 (0xFE3C0009)
Description: CONNECTMGR_ERROR_UNEXPECTED

These errors are seen:

"%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Invalid PKCS Type, Pad, or Length, code= 0x1B) while executing the command PKCS1 v1.5 RSA Decrypt with CRT (> 1024 bits) (0x202)."

These errors are seen with debugs enabled:
RC4-SHA / RC4-MD5
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2838

AES256-SHA / AES128-SHA / DES-CBC3-SHA
error:1415FFA5:SSL routines:SSL_accept:pkp error@ssl_engine.c:2639

Tests:
+ AnyConnect 3.1.05160 uses TLS 1.0 - fails
+ AnyConnect 4.0.00057 uses TLS 1.2 - fails
+ with IE TLS 1.0 - fails
+ with IE TLS 1.1/1.2 - fails
+ with Mozilla Firefox TLS 1.0 - fails
but
+ Mozilla Firefox TLS 1.1/1.2 - work ok
+ Chrome also uses TLS 1.2 - works ok.

Conditions:
ASA running 9.3.2 (the issue is not seen on the 9.3.1)

Certificate with:
- RSA keys size: 2048 bits
- Signature Algorithm: sha256RSA
- Signature Hash Algorithm: sha256

It does not happen for all certificates; something specific in the certificate, which has not yet been identified, triggers it.

Workaround:
+ Downgrade
+ try to regenerate the certificate
+ for WebVPN use Firefox/Chrome and TLS 1.2

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.122), 100.13(0.66), 100.13(21.13), 100.13(29.28), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13)
Alert Type:
Updated *
Bug Id:
CSCuu77207
Title:
ASA - URL filter - crash on thread name uauth_urlb clean
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASAs running URL filtering (Websense) with traffic redirection to the SFr module may crash in the thread named uauth_urlb clean.

Conditions:
- Seen on 9.4.1 ASA code
- URL filtering configured and being used
- Higher amounts of traffic (500+ mbps)
- Traffic redirection to the SFr module

Workaround:
Possible temporary workarounds:

- Disable traffic redirection to the SFr module
- Disable URL filtering (Websense)

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(2), 9.4(1)
Known Fixed Releases: *
100.13(0.95), 100.14(0.71), 100.14(16.8), 100.14(5.32), 100.15(0.24), 100.15(1.68), 100.15(16.2), 100.15(17.1), 100.15(3.37), 100.15(6.21)
Alert Type:
Updated *
Bug Id:
CSCuv10938
Title:
'redistribute' cmds under 'router eigrp' removed on deleting any context
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
'redistribute' commands under 'router eigrp' are removed from unrelated contexts when deleting any context that has EIGRP configured with redistribution enabled. An error of the following format is seen on the ASA console:

ERROR: unable to locate route-map

Conditions:
1. ASA is in multiple context mode.
2. More than one context on the ASA has EIGRP enabled with redistribution configured.
3. Issue is seen when deleting any of the contexts that meet the criteria in point 2 above using the command "no context ".

Workaround:
None apart from re-adding all those commands back manually.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.85), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.62)
Alert Type:
Updated *
Bug Id:
CSCuq99821
Title:
ASA/ASASM drops SIP invite packets with From field containing "" and \
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASASM running version 9.1.4.6 with SIP inspection turned on silently drops SIP INVITEs that have a value similar to the following in the From field:

"\"210*******\"" ;tag=SD7osu201-gK0d0f565b

Conditions:
ASA/ASASM running 9.1.4.6 with SIP inspection turned on.

Workaround:
Disable SIP inspection.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(4.6)
Known Fixed Releases: *
100.11(0.58), 100.12(0.122), 100.13(0.67), 100.13(21.13), 100.13(29.28), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.41)
Alert Type:
Updated *
Bug Id:
CSCus53692
Title:
ASA traceback in Thread Name: fover_parse
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA may generate a traceback during failover synchronization in thread name fover_parse.

Conditions:
This issue has been seen on ASA 5500-X running 9.1(3); other versions may also be affected. A WCCP ACL is configured with a user, user group, or fully qualified domain name object, which is not supported.

Workaround:
Remove any ACL containing user, user group, or fully qualified domain name objects from the WCCP configuration.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(3)
Known Fixed Releases: *
100.11(0.57), 100.12(0.116), 100.13(0.51), 100.13(21.8), 100.13(29.28), 100.14(0.3), 100.14(1.3), 100.14(10.7), 100.14(11.7), 100.14(2.8)
Alert Type:
Updated *
Bug Id:
CSCut39985
Title:
Per-session PAT RST sent to incorrect direction after closing session
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
When per-session PAT is configured, the RST/ACK is sent to the non-close-initiator side after the TCP session is closed. It should be sent to the close-initiator side (the device that sent the FIN first).

xlate per-session permit tcp any4 any4
no xlate per-session deny tcp any4 any4

Conditions:
Per-session PAT is configured like below

xlate per-session permit tcp any4 any4
no xlate per-session deny tcp any4 any4

Workaround:
Disable Per-session PAT

xlate per-session deny tcp any4 any4

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.65), 100.13(21.13), 100.14(0.9), 100.14(10.11), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13)
Alert Type:
Updated *
Bug Id:
CSCuw00971
Title:
ASA truncates url-redirect at 160 chars for ra vpn clients (ISE 1.3+)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
--- URL redirect is not working for clients connected via RA VPN clients

The url redirect feature is used to support some ISE posture assessment flows

Conditions:
--- ISE using the posture assessment feature
------ ISE 1.3 is more likely to require long url-redirect attributes
--- ASA 9.2.1 and above (ISE posture assessment not supported on ASA versions <9.2.1)
--- RA vpn client

Workaround:
--- Use the AnyConnect SSL VPN client

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(1), 9.5(2)
Known Fixed Releases: *
100.11(0.62), 100.12(0.146), 100.13(0.98), 100.14(0.73), 100.14(16.8), 100.14(5.32), 100.15(0.26), 100.15(1.79), 100.15(16.3), 100.15(17.1)
Alert Type:
Updated *
Bug Id:
CSCuu53928
Title:
ASA does not set forward address or p-bit in OSPF redistribution in NSSA
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA can advertise OSPF routes to a peer with the p-bit disabled, and with a null forward address when in a Not so Stubby Area. This can cause the peer device to be unable to translate this LSA and forward it on to the rest of the topology.

OSPF Router with ID (10.0.0.50) (Process ID 1)
Type-7 AS External Link States (Area 100)

LS age: 23
Options: (No TOS-capability, No Type 7/5 translation, DC) <---
LS Type: AS External Link
Link State ID: 192.168.0.0 (External Network Number )
Advertising Router: 10.0.0.50
LS Seq Number: 80000001
Checksum: 0x791e
Length: 36
Network Mask:255.255.0.0
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 0.0.0.0 <---
External Route Tag:

This condition occurs if the route that is advertised is directly connected, and that link comes up before the link that contains the OSPF neighborship.

Conditions:
- ASA in an OSPF Not So Stubby Area
- Redistributing Connected Routes
- Observed in single and multiple context
- Observed in failover mode or standalone mode

Workaround:
- Clear OSPF Process on ASA with command "clear ospf process"
- Bounce link of connected route that is being advertised incorrectly

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(1), 9.4(1)
Known Fixed Releases: *
100.12(0.130), 100.13(0.80), 100.13(29.28), 100.14(0.44), 100.14(16.1), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.53)
Alert Type:
Updated *
Bug Id:
CSCuv39775
Title:
ASA cluster-Incorrect "current conns" counter in service-policy
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Incorrect "current conns" counter in the service-policy on an ASA cluster.
It does not match the current connection count from "show connection count" on the unit, and will lead to traffic drops once the limit configured in the service-policy is hit.

Conditions:
1) ASA in a cluster setup.
2) Applies to both single or multiple mode.
3) Typical config :
class connection_limit
set connection conn-max 500000 embryonic-conn-max 2000 per-client-max 200 per-client-embryonic-max 50

Workaround:
None.

Further Problem Description:
CLSTR1-Primary/ASAFW# cluster exec show service-policy | i conns
CLSTR1-Primary(LOCAL):************************************************
current embryonic conns 3, current conns 5732, drop 0

CLSTR1-Secondary:*******************************************************
current embryonic conns 1, current conns 88720, drop 0 <<<<
CLSTR1-Primary/ASAFW# cluster exec show conn count
CLSTR1-Primary(LOCAL):************************************************
5823 in use, 36602 most used
Cluster stub connections: 3300 in use, 30142491 most used

CLSTR1-Secondary:*******************************************************
3270 in use, 120262 most used <<<<<<<<<<<<<<
Cluster stub connections: 5794 in use, 5288523 most used

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(2), 9.2(2.4), 9.3(3.2)
Known Fixed Releases: *
100.11(0.61), 100.12(0.137), 100.13(0.94), 100.14(0.69), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.49), 100.15(15.11), 100.15(16.1)
Alert Type:
Updated *
Bug Id:
CSCus56590
Title:
ASA - Traceback in Thread Name: fover_parse
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
Standby ASA would enter a boot loop after attempting to replicate the configuration from the Active member, generating a traceback with the thread name:
fover_parse


The Standby ASA finishes the bulk sync in failover but never sends the "sync config finished" message to the Active unit; this is the point at which it reloads.

Conditions:
ASA with failover

Versions : 9.3.2 and 9.4.1

Workaround:
Go to version 9.3.1 or 9.3.2.104.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(2), 9.4(1), 9.4(1.170), 9.4(1.175)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.58), 100.13(21.11), 100.13(29.28), 100.14(0.5), 100.14(1.4), 100.14(10.9), 100.14(11.9), 100.14(2.13)
Alert Type:
Updated *
Bug Id:
CSCus97061
Title:
ASA Cluster member traceback in DATAPATH
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
ASA crashed with DATAPATH thread.

Conditions:
-> ASA5585 units running Clustering
-> Release 9.2.3.2

Workaround:
-> Crash is not experienced when transit interfaces have their MTU set to 9198.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(3.2), 9.4(1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.120), 100.13(0.61), 100.13(21.12), 100.13(28.2), 100.13(29.28), 100.14(0.7), 100.14(1.6), 100.14(10.10), 100.14(11.11)
Alert Type:
Updated *
Bug Id:
CSCuu28909
Title:
ASA cluster: ICMP loop on CCL for ICMP packet destined to the VPN tunnel
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
In an ASA cluster we may see a packet loop on the cluster control link. The loop forms when an ICMP error packet should go through a site-to-site VPN tunnel. Such a packet may loop and cause elevated CPU utilization on the ASA.

Conditions:
+ASA cluster
+site to site VPN tunnel configured
+ICMP error packets destined to the VPN tunnel

Workaround:
+Deny ICMP errors using an access-list on the data interfaces

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(6.1), 9.4(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.28), 100.14(0.17), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12)
Alert Type:
Updated *
Bug Id:
CSCuv57389
Title:
ASA PKI: cert auth fails after upgrade to 9.1(6.4) / 9.1(6.6) / 9.1(6.8)
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
An ASA running 9.1(6.4) or 9.1(6.6) will fail to authenticate IKEv2/IPSec sessions using RSA-SIG for authentication.

The following error is generated in the IKEv2 debugs:

IKEv2-PROTO-2: (1): Verify peer's authentication data
IKEv2-PLAT-1: (1): Failed to verify signature
IKEv2-PROTO-1: (1): Failed to compute or verify a signature

Conditions:
ASA running 9.1(6.4) or 9.1(6.6) and authenticating IKEv2/IPSec sessions using RSA-SIG.

This has only been observed when talking to an IOS Lan-to-Lan peer. Tests show IKEv2 Cert Auth with AnyConnect and ASA Lan-to-Lan peers is successful.

Workaround:
A downgrade to 9.1(6.1) or 9.1(6) corrects the behavior. Preshared keys can also be used.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(6.4), 9.1(6.6), 9.1(6.8)
Known Fixed Releases: *
100.11(0.62), 100.12(0.145), 100.13(0.97), 100.14(16.8), 100.14(5.32), 100.15(0.25), 100.15(16.3), 100.15(17.1), 100.15(3.44), 100.15(6.29)
Alert Type:
Updated *
Bug Id:
CSCuv10258
Title:
ASA5505 permanent base license, temp secplus, failover, vlan count issue
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
"show version" displays a 3 VLAN license instead of 20 when a permanent base license and a time-based Security Plus license are combined on the ASA5505 platform after failover is enabled.

Conditions:
Three combined conditions:
1. Permanent base license
2. Timebased Security Plus License
3. Failover is enabled

Workaround:
No known workaround

Further Problem Description:
The problem exhibits itself after a reboot. It looks like a variant of CSCtf91862.

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.86), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.34), 100.15(2.73), 100.15(3.17)
Alert Type:
Updated *
Bug Id:
CSCur07369
Title:
SXP Version Mismatch Between ASA & N7K with clustering
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
SXP connection cannot be established when an ASA cluster is interacting with an SXP peer running the SXP version 1 protocol.

Conditions:
(1) ASA is running a cluster with 2 or more units, (2) the SXP peer is running the SXP version 1 protocol, and (3) the hash algorithm directs the SXPv1 request from the SXP peer to a slave unit of the ASA cluster instead of the master unit.

Workaround:
- Upgrade SXP peer to run SXP version 2 or above, or
- Change the IP address used for establishing SXP connection so that the hash algorithm may direct the SXPv1 request from the SXP peer to the master unit of the ASA cluster instead of the slave unit.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.143), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(16.3), 100.15(17.1), 100.15(3.37), 100.15(6.21)
Alert Type:
Updated *
Bug Id:
CSCus91636
Title:
Adding subnet(s) to the object group for NAT causes high CPU
Status:
Fixed
Severity:
2 Severe
Description:

Symptom:
The CPU spikes on an ASA when an object is added to an object group that is being used in a NAT command.

Conditions:
ASA 5585 running 8.4 and above code with a huge number of object groups configured and passing heavy traffic.

Workaround:
None known yet.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.56), 100.12(0.114), 100.13(0.40), 100.13(20.12), 100.13(21.7), 100.13(29.28), 100.14(0.3), 100.14(1.3), 100.14(10.5), 100.14(11.5)
Alert Type:
New
Bug Id:
CSCuw02702
Title:
ASA - Traceback in thread name aaa_shim_thread
Status:
Other
Severity:
3 Moderate
Description:

Symptom:
ASA traceback in thread name aaa_shim_thread

Conditions:
ASA 9.2.3.4

Workaround:

Further Problem Description:

Last Modified:
01-SEP-2015
Known Affected Releases:
9.2(3.4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuq27723
Title:
WebVPN Citrix client browser couldn't save Java Client as preferred
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
- As a remote access user
- On the Citrix client accessed through the browser
- When the client preference option in settings is changed from the default native client to the Java client and saved
- The new setting is not shown when the settings are visited again.

Conditions:
Access XenApp server using web-browser through Clientless SSL VPN
This happens on Mac OS X v10.9 with FireFox 30 and Safari v7.x
This also happens on Windows 7 with FireFox v28 and Internet Explorer 9

Workaround:
None

Further Problem Description:

Last Modified:
02-SEP-2015
Known Affected Releases:
9.2(1.102)
Known Fixed Releases: *
100.11(0.62), 100.12(0.139), 100.13(0.94), 100.14(0.70), 100.15(0.23), 100.15(1.54), 100.15(15.15), 100.15(16.1), 100.15(2.85), 100.15(3.29)
Alert Type:
Updated *
Bug Id:
CSCut67779
Title:
Investigate impact of jumbo-frame reservation on low-end ASA platforms
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Low-end ASA models, like the ASA5512-X or ASA5515-X, may fail to boot if jumbo frames are enabled (jumbo-frame reservation) and an additional interface card, like the ASA-IC-6GE-CU-A card, is present in the chassis.

Conditions:
This issue was seen in 9.2(3) and 9.3(1) software.

Workaround:
Try to load 9.3(2) software, run "no jumbo-frame reservation" and reload.

Further Problem Description:
Even though 9.3(2) software boots up, the ASA cannot service ASDM connections if Jumbo frames are enabled. This happens due to low volume of free DMA memory. Use "show memory detail" command to check.

Last Modified:
02-SEP-2015
Known Affected Releases:
9.2(3), 9.3(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.139), 100.13(0.94), 100.14(0.70), 100.15(0.23), 100.15(1.56), 100.15(16.1), 100.15(2.86), 100.15(3.31), 100.15(6.19)
Alert Type:
Updated *
Bug Id:
CSCtf06209
Title:
Dynamic-filter config corrupted when removing classify-list from enable
Status: *
Terminated
Severity:
3 Moderate
Description: *

Symptom:
If you remove the classify-list of a "dynamic-filter enable" command while "object-group-search access-control" is enabled, it will corrupt the config and give you something similar to:

dynamic-filter enable classify-list ????D O???????????????????????????X??????'?????XO6 O?????????

Conditions:
Removing a classify list while ACL optimization is enabled.

Workaround:
Clear the dynamic-filter config and issue it again

Further Problem Description:

Last Modified:
03-SEP-2015
Known Affected Releases:
8.3(0.17)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv60724
Title:
Cisco ASA Unicast Reverse Path Forwarding (uRPF) Bypass Vulnerability
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A vulnerability in the Unicast Reverse Path Forwarding (uRPF) feature in the Cisco
Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker
to bypass the uRPF validation checks.

The vulnerability is due to incorrect uRPF validation where IP packets from an outside
interface whose IP address is both in the ASA routing table and associated with an internal
interface are not dropped. An attacker could exploit this vulnerability by sending spoofed
IP packets to the ASA in a subnet range which should be dropped. An exploit could allow the
attacker to bypass uRPF validation on the ASA and the packet will be incorrectly forwarded
on the internal network.

Conditions:
The ASA has the command ''ip verify reverse-path interface '' configured on an outside
interface which has a default route.

Workaround:
None.

Further Problem Description:
This problem was introduced by ASA software version 9.3(3).

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2015-4321 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
03-SEP-2015
Known Affected Releases:
9.3(1.50), 9.3(2.100), 9.3(3), 9.4(1)
Known Fixed Releases: *
100.12(0.140), 100.13(0.95), 100.14(0.70), 100.15(0.24), 100.15(1.60), 100.15(16.1), 100.15(17.1), 100.15(3.32), 100.15(6.19), 100.15(6.20)
Alert Type:
Updated *
Bug Id:
CSCuv86227
Title:
ASA sending incorrect ACL hash for ASDM TopN ACL statistics on a cluster
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Error message under firewall dashboard "n/a config out of sync" for ASDM supporting ASA cluster.

Conditions:
Running ASA cluster on ASDM with threat detection statistics turned on.

Workaround:
None

Further Problem Description:

Last Modified:
05-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.145), 100.13(0.98), 100.15(0.25), 100.15(1.78), 100.15(16.3), 100.15(17.1), 100.15(3.46), 100.15(6.30), 100.15(8.13)
Alert Type:
Updated *
Bug Id:
CSCuw02696
Title:
ASA - Traceback in IKE Daemon
Status:
Terminated
Severity:
3 Moderate
Description: *

Symptom:
ASA traceback in thread name IKE Daemon

Conditions:

Workaround:
Upgrade past 9.3.3

Further Problem Description:

Last Modified:
07-SEP-2015
Known Affected Releases:
9.2(3), 9.2(3.4)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv71763
Title:
ASAv does not increment broadcast packet count
Status:
Open
Severity:
3 Moderate
Description: *

Symptom:
The "broadcasts" counter is not getting incremented correctly in the ASAV "show interface" command

Conditions:
Only occurs on virtual platforms, first observed on 9.3.2

Workaround:
None

Further Problem Description:

Last Modified:
08-SEP-2015
Known Affected Releases:
100.14(5.26), 9.3(2), 9.4(1.200)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCur56038
Title:
RPC error in request config after replicated a large configuration
Status:
Fixed
Severity:
3 Moderate
Description:

Symptoms:
RPC error when configuration is replicated in a cluster environment

Conditions:
ASA configured for firewall cluster

Workaround:
none


PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
08-SEP-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases:
100.11(0.55), 100.11(0.57), 100.12(0.111), 100.12(0.118), 100.13(0.17), 100.13(0.58), 100.13(19.9), 100.13(21.11), 100.13(21.6), 100.14(0.1)
Alert Type:
Updated *
Bug Id:
CSCsl74827
Title:
Error messages on console due to QoS configuration
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Due to QoS configuration on the ASA, errors like below might be seen on the console:

Message #941 : ERROR: Problem with interface 8
Message #942 : ERROR: Problem with interface 9
Message #943 : ERROR: Problem with interface 10

It is believed that these errors are cosmetic, and do not indicate a problem with the operational state of the ASA.

Conditions:
QoS must be configured to encounter this problem

Workaround:
None known

Further Problem Description:

Last Modified:
09-SEP-2015
Known Affected Releases:
8.0(2), 8.1(0.135), 9.4(1.3)
Known Fixed Releases: *
100.12(0.146), 100.13(0.100), 100.14(0.73), 100.15(0.26), 99.1(2.235)
Alert Type:
Updated *
Bug Id:
CSCuw15152
Title:
Fix broken gcov build in dublin/main
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Fix broken gcov build in dublin/main

Conditions:
Fix broken gcov build in dublin/main

Workaround:

Further Problem Description:

Last Modified:
10-SEP-2015
Known Affected Releases:
100.12(0.145)
Known Fixed Releases: *
100.13(0.102), 100.15(1.92), 100.15(16.5), 100.15(17.7), 99.1(2.238)
Alert Type:
Updated *
Bug Id:
CSCuv95320
Title:
ASA User Ident MAC mismatch remove command not applied
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
-"no user-identity action mac-address-mismatch remove-user-ip" will be applied in the running-config
-Users will disappear from CDA (if in use)
-When users query whoami.scansafe.net, they may return their IP address where their username should be
-When "debug user-ident user" and "debug user-ident ad-agent" are applied, the following log messages will appear:

Dispatch Unit: NP IDFW: mac addr changed since last request for ip 192.168.17.102
Dispatch Unit: NP IDFW: remove ip 192.168.17.102 from user JoeUser domain=1 uid=164 import=0 useripcnt=1 hashcnt=223
Dispatch Unit[0]: IP-User mapping 192.168.17.102(0)<->unity\JoeUser removed

Conditions:
Unknown. The first ASA found with this issue is an ASA5510 running asa915-k8.bin.

Workaround:
Reloading the ASA has been shown to resolve the issue in previous lab testing.

Re-apply:
user-identity action mac-address-mismatch remove-user-ip
no user-identity action mac-address-mismatch remove-user-ip

Further Problem Description:

Last Modified:
10-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.13(0.102), 100.15(1.92), 100.15(16.5), 100.15(17.7), 99.1(2.238)
Alert Type:
Updated *
Bug Id:
CSCuw03407
Title:
DHCPD Search domain shorter than 10 characters is corrupted
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When the ASA is acting as a DHCPD server, it may corrupt the DHCP OFFER and DHCP ACK packets if the domain name configured in the DHCPD section is shorter than 10 characters long.

Conditions:
This is seen when the DHCPD configuration has an interface-specific DNS search suffix that is less than 10 characters long:


dhcpd address 192.168.1.40-192.168.1.40 guest
dhcpd dns 10.0.0.100 interface guest
dhcpd domain abc.ca interface guest <<<<<<<<<<<<<<<<
dhcpd enable guest

This will result in the DNS search domain being sent out as a combination of the configured domain and 'cisco.com'. This can be checked using packet captures of the DHCP traffic.

In the above example, the ASA will pad the configured domain with the letters from cisco.com to reach 'abc.caom'.

Workaround:
Do not configure this field or use a longer domain if feasible.

Further Problem Description:

Last Modified:
10-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.99), 100.14(0.73), 100.15(0.26), 100.15(1.81), 100.15(16.3), 100.15(17.1), 100.15(3.49), 100.15(6.31), 100.15(8.13), 99.1(2.232)
Alert Type:
Updated *
Bug Id:
CSCta03382
Title:
SQLNET query via inspection cause communication errors
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
With SQLNET inspection enabled, the Oracle database connection drops with the following errors when a specific query is sent:
-ORA-12569 TNS packet checksum failure
-ORA-03106 fatal two-task communication protocol error

Also, the following syslog may be printed:
%ASA-4-507003: tcp flow from dmz:172.20.1.1/65000 to inside:172.16.1.1/1521 terminated by inspection engine, reason - proxy inspector drop reset.

Conditions:
ASA with SQLNET inspection

Workaround:
Disabling SQLNET inspection is an option as long as NAT is not being performed on the traffic.

Last Modified:
11-SEP-2015
Known Affected Releases: *
7.2(4.21), 8.0(4.28), 8.2(1)
Known Fixed Releases: *
7.0(8.9), 7.2(4.42), 8.0(4.43), 8.0(5), 8.1(2.32), 8.2(1.10), 8.2(4), 8.3(0.0)
Alert Type:
Updated *
Bug Id:
CSCut88196
Title:
Conn teardown syslogs and show conn output use 32-bit byte counts
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The output of 'show conn' and syslogs resulting from the teardown of connection (ASA-6-302014, ASA-6-302016, etc) use 32-bit counters for the bytes transferred on a connection. This provides incorrect data to network administrators and may cause confusion.

Conditions:
This is seen on multiple versions of ASA code when hosts transfer more than 2^32 bytes of data on a connection.

Workaround:
None at this time.

Further Problem Description:

Last Modified:
13-SEP-2015
Known Affected Releases:
9.3(2.2)
Known Fixed Releases: *
100.14(0.71), 100.15(0.25), 100.15(1.92), 100.15(16.5), 100.15(17.7), 100.15(3.54), 100.15(8.14)
Alert Type:
Updated *
Bug Id:
CSCuu79657
Title:
Pin hole creation failed on 3RU cluster. libc_functions.mmap failure
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Logs:
ciscoSSPasa# pinhole-peek : proto-17 management:0.0.0.0/68 -> 255.255.255.255/67
pinhole-peek : proto-17 management:192.168.1.1/67 -> 255.255.255.255/68
pinhole-peek : proto-6 inside:192.168.127.7/43577 -> 10.100.127.7/21
flow: requesting PH_SNORT_INSPECT - mapped inside:192.168.127.7/0 -> mapped inside:10.100.127.7/53489
emb_time_out:110 est_time_out:0 map_sock_opt:0x8 flow_opts:0x1000000fuser_data_len:0 conn_flags:0x0
nat: rewriting real outside:10.100.127.7/53489, hint 10.100.127.7/0, dest inside:192.168.127.7/0 (rdip 192.168.127.7)
nat: rewriting real inside:192.168.127.7/0, hint 0.0.0.0/0, dest outside:10.100.127.7/53489 (rdip 10.100.127.7)
libc_fnctions.mmap(addr=0x0000000000000000, len=1073741824, prot=3, flag=8001, fd=1483, off=0) returned -1 errno=12!
libc_fnctions.mmap(addr=0x0000000000000000, len=2097152, prot=3, flag=8001, fd=1483, off=0) returned -1 errno=12!
flow: failed to allocate hole PH_SNORT_INSPECT src inside:192.168.127.7/0

Conditions:
Cluster setup on 3RU and an FTP-initiated connection

Workaround:
NA

Further Problem Description:

Last Modified:
13-SEP-2015
Known Affected Releases:
99.1(3), 99.1(8.11)
Known Fixed Releases: *
100.15(1.86), 100.15(16.4), 100.15(17.3), 100.15(3.54), 100.15(6.16), 100.15(8.14), 99.1(3.138), 99.1(8.12)
Alert Type:
Updated *
Bug Id:
CSCuu13345
Title:
Drop reasons missing from asp-drop capture
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Drop reasons missing from asp-drop capture.

Conditions:
Viewing capture with "show capture
-or-
Downloading via HTTP with https:///capture/

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.0
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.12(0.128), 100.13(0.77), 100.13(0.78), 100.13(21.15), 100.13(21.16), 100.14(0.27), 100.14(0.35), 100.14(10.23)
Alert Type:
Updated *
Bug Id:
CSCut80316
Title:
Ikev2 Session with bogus assigned IP address stays on ASA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Ikev2 EAP-TLS Connection with Win 8.1 Phone

Conditions:
Ikev2 EAP-TLS Connection with Win 8.1 Phone with continuous connect/disconnect

Workaround:
- Remove the bogus externally assigned IP address to avoid the issue, or
- Wait for some time before connecting again, as the address becomes available again

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1.230)
Known Fixed Releases: *
100.12(0.124), 100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.24), 100.14(7.23), 100.15(0.9), 100.15(1.3)
Alert Type:
Updated *
Bug Id:
CSCuu81932
Title:
ASA tunnel-group-map cannot contain spaces
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA cannot use spaces in tunnel-group-map even though
tunnel-group names can contain them.

Conditions:
Spaces are used in tunnel-group-map, such as:
tunnel-group-map TEST 5 "TEST CISCO"

Workaround:
Do not use spaces for now

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.4(5)
Known Fixed Releases: *
100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuv02304
Title:
EEM action not executed on absolute time when NTP is configured
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The EEM action is not executed at the exact "absolute time" configured when NTP is configured. The command is executed with some delay or earlier than configured.
With the following configuration, the action should be executed at 10:30:00, but it is not executed on time (for example, it runs at 10:29:58).

event manager applet eem-test
event timer absolute time 10:30:00
action 0 cli command "show xxxxx"
output file new
ntp server x.x.x.x

Conditions:
When NTP server is configured or if the clock time is changed.

Workaround:
Re-configure the EEM applet absolute timer if NTP is configured or the time is changed by any other means (e.g. via the 'clock set' command if NTP is disabled). This will cause the timer to be re-synced with the current clock time.

Further Problem Description:
The time difference is due to the internal clock drift. It is typically a few seconds.

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.131), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCut23991
Title:
PPPoE session state timer does not initialize properly
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The value of "Last Chg" always shows 4294967 secs after executing "show vpdn session pppoe state".

Conditions:
The value of "Last Chg" remains at its maximum value once the max value (4294967) is reached.
The PPPoE connection is not affected when the value of "Last Chg" reaches the maximum value.

Workaround:
Reboot device.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.2(3), 8.4(6), 9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.117), 100.13(0.54), 100.13(21.10), 100.14(0.4), 100.14(1.4), 100.14(10.7), 100.14(11.7), 100.14(2.10), 100.14(26.4)
Alert Type:
Updated *
Bug Id:
CSCut85049
Title:
Issue with downloading images from Sharepoint
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Image cannot be downloaded from Sharepoint

Conditions:
After cookies and cache are cleared from browser

Workaround:
Right click on the image and do a 'Save As' and select local disk

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
100.14(3.8), 9.4(1.112)
Known Fixed Releases: *
100.12(0.137), 100.13(0.93), 100.14(0.13), 100.14(10.23), 100.14(5.15), 100.14(6.7), 100.14(7.6), 100.15(0.11), 100.15(1.12), 100.15(1.2)
Alert Type:
Updated *
Bug Id:
CSCut67315
Title:
ASA :Top 10 Users status is not getting enabled from ASDM.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Top 10 Users status is not getting enabled from ASDM.

Conditions:
ASA running code 9.3.2

Workaround:
Downgrade ASA to 9.1.5 to get this feature working.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(1), 9.3(2)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.66), 100.13(21.13), 100.14(0.9), 100.14(10.11), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13)
Alert Type:
Updated *
Bug Id:
CSCut04182
Title:
NFS connections not timing out after failover
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
NFS connections are not timing out correctly after a failover. The show conn detail output shows a timeout value of "timeout -".

Conditions:
Cisco ASAs running release 9.1.5.10 in a failover configuration with SunRPC inspection disabled and after a failover has occurred.

Workaround:
None.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5.10)
Known Fixed Releases: *
100.11(0.56), 100.12(0.114), 100.13(0.42), 100.13(20.12), 100.13(21.7), 100.14(0.3), 100.14(1.3), 100.14(10.5), 100.14(11.5), 100.14(2.7)
Alert Type:
Updated *
Bug Id:
CSCus83476
Title:
More than 255 messages in multicast packet with jumbo frames
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
PIM join messages are lost after passing through the ASA.

Conditions:
1. ASA has jumbo frames enabled and has an MTU of 5134 or higher
2. Multicast routing is enabled on the ASA and there are more than 255 (*/S,G) groups on it

Workaround:
Disable jumbo frames or use MTU lower than 5134

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.4(6)
Known Fixed Releases: *
100.11(0.57), 100.12(0.115), 100.13(0.47), 100.13(21.8), 100.13(29.28), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.8)
Alert Type:
Updated *
Bug Id:
CSCuu88548
Title:
Ampersand (&) not encoded in packet tracer phase 'extra' field
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASDM is unable to run packet tracer when traffic traverses an interface with an ampersand (&) in the name. ASDM will show an error indicating 'Error while forming XML'

Conditions:
This is seen when the packet path traverses an interface with an ampersand character in the name.

Workaround:
Change the interface name to not include an ampersand.

Further Problem Description:
This is caused by the ASA not encoding the ampersand as &amp; when generating the XML payload. You can verify you are hitting this issue by running the packet tracer command on the CLI and looking for an unencoded ampersand character. For example:

ASA# packet-tracer input inside tcp 192.168.100.200 12345 10.10.0.100 80 xml
::output truncated::

2
ROUTE-LOOKUP
Resolve Egress Interface
ALLOW



found next-hop 10.10.10.254 using egress ifc DMZ&Servers <<<< Unencoded ampersand



Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(2), 9.4(1)
Known Fixed Releases: *
100.12(0.130), 100.13(0.80), 100.14(0.44), 100.14(16.1), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuu92632
Title:
ASA sets non-zero FA in OSPF for anyconnect redistributed network
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Redistribution of AnyConnect static routes on ASA 9.x doesn't work.

The output of the command "show ospf database external" shows the forward address being set to non-zero/incorrect value.

ciscoasa# show ospf database external 10.0.103.161

OSPF Router with ID (172.16.10.1) (Process ID 1)

Type-5 AS External Link States

LS age: 1503
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 10.0.103.161 (External Network Number )
Advertising Router: 172.16.10.1
LS Seq Number: 80000001
Checksum: 0xfff4
Length: 36
Network Mask:255.255.255.255
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 172.16.10.10 <----------------
External Route Tag: 0

Conditions:
- ASA with OSPF enabled
- redistributing Anyconnect VPN static addresses into OSPF
- Anyconnect VPN terminates on the same interface where distribution is performed

Workaround:
Route redistributed network to the Null0 interface

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.134), 100.13(0.86), 100.14(0.66), 100.15(0.20), 100.15(1.33), 100.15(10.3), 100.15(2.65), 100.15(3.16), 100.15(4.20)
Alert Type:
Updated *
Bug Id:
CSCuv62204
Title:
"show ipv6 neighbor" command not available in system space
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"show ipv6 neighbor" command is not available in the system execution space

Conditions:
ASA in multiple mode.

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1.3)
Known Fixed Releases: *
100.13(0.97), 100.15(0.25), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45), 100.15(6.30), 100.15(8.13), 9.4(1.107), 9.4(2)
Alert Type:
Updated *
Bug Id:
CSCut08663
Title:
Both ASAs in failover use the same MAC address
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
- If the "mac-address mac_address [ standby mac_address ]" command is manually configured under the physical interface, both ASAs (active and standby) will use the same active MAC address, disrupting the traffic.
- If the "mac-address" command is used within the subinterface, then both ASAs will negotiate the MAC address properly based on the failover state.

Conditions:
ASAs in failover with an interface using subinterfaces.

Workaround:
Do not configure "mac-address mac_address [ standby mac_address ]" on the physical interface; instead, configure it within the subinterface.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.4(7), 9.0(4), 9.1(2), 9.1(4), 9.1(5.21), 9.1(6), 9.3(2)
Known Fixed Releases: *
100.11(0.58), 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.13(29.28), 100.14(0.9), 100.14(10.12), 100.14(11.13), 100.14(26.10), 100.14(4.38)
Alert Type:
Updated *
Bug Id:
CSCus92570
Title:
'client-services' is not accepted if the interface has no IP addr
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA does not accept the configuration below when the interface (OUTSIDE) has no IP address. The ASA accepts the command after the interface gets an IP address.
ciscoasa(config)# crypto ikev2 enable OUTSIDE client-services port 443

The following message is shown after issuing the command.
ERROR: Failed to start client services listener

Only 'crypto ikev2 enable OUTSIDE' is seen on the result of 'show run' after that.

This symptom is not seen on ASA 8.4(7).

Conditions:
The interface is configured as a PPPoE or DHCP client.
The command is issued before PPPoE or DHCP assigns an IP address.

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(2)
Known Fixed Releases: *
100.11(0.57), 100.12(0.115), 100.13(0.45), 100.13(20.12), 100.13(21.7), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.7)
Alert Type:
Updated *
Bug Id:
CSCuu73087
Title:
Standalone AnyConnect fails to connect due to empty DAP user message
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Standalone AnyConnect client fails with the following message: 'The VPN configuration received from the secure gateway is invalid. Please contact your network administrator.'

Conditions:
1) The AnyConnect client version 2.5.6005 or lower is referenced on the ASA.
2) The DAP record being hit - not the Default DAP record - has no user message.
3) ASA version is 9.3.2 and above.

Workaround:
1) Configure a User Message for the DAP record.
2) Use the AnyConnect client version 3.0.x/3.1.x/4.x on the ASA.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(2), 9.3(3.1), 9.4(1)
Known Fixed Releases: *
100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
New
Bug Id:
CSCuw10189
Title:
Alpha:Getting: LU allocate connection failed syslog on standby
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
On the standby unit of an ASA in an active/standby failover setup, the syslog below is observed:

%ASA-3-210005: LU allocate connection failed for TCP connection from STG-WIRELESS-DATA-VLAN1:192.168.2.110/63205 to outside:108.168.245.114/443

Conditions:
ScanSafe re-direction is enabled.

Workaround:
Although there is no functional impact, filtering out syslog ASA-3-210005 or disabling the ScanSafe inspection will suppress the message.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1.109)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu54046
Title:
All Static routes not removed on adding zone membership to an interface
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Of the previously configured static routes, routes are deleted one by one from the config when zone membership is added to the interface

Conditions:
1) zone membership is added to an interface
AND
2) static routes configured on that interface

Workaround:
1) re-add the zone membership to the interface
OR
2) manually clear the routes from the config

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.12(0.134), 100.13(0.87), 100.14(0.67), 100.15(0.21), 100.15(1.37), 100.15(10.4), 100.15(15.2), 100.15(2.75), 100.15(4.23), 100.15(5.27)
Alert Type:
Updated *
Bug Id:
CSCut92373
Title:
ASA 9.0.3 not logging permitted UDP traffic
Status:
Fixed
Severity:
3 Moderate
Description: *

Symptom:
Permitted UDP traffic is not getting logged. The log below is not seen when the connection is permitted: %ASA-6-106100: access-list permitted UDP ->

Conditions:
The issue is consistently seen whenever a change is made to the ACL or during bulk ACL compilation.

Workaround:
Reload of the ASA

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.0(3), 9.4(1)
Known Fixed Releases: *
100.11(0.58), 100.12(0.124), 100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.23), 100.14(7.22), 100.15(0.9)
Alert Type:
Updated *
Bug Id:
CSCuu99902
Title:
Saleen Alarm LED lit when BMC SEL log is full
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Alarm LED turned on

Conditions:
SEL in BMC is full

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.6(1)
Known Fixed Releases: *
100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57)
Alert Type:
Updated *
Bug Id:
CSCus14568
Title:
seamless upgrade on spyker A floods error messages to both asa units
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The following error message floods the console of both units during a step of a seamless upgrade operation from any build 9.3.1 or older to 9.3.2 or newer:

Number of interfaces on Active and Standby are not consistent.
If the problem persists, you should disable and re-enable failover
on the Standby.

Conditions:
There is a phase in the seamless upgrade operation when the primary asa has a different image on it than the secondary. During this phase, a stream of debug messages will continually get generated to the console.

It appears as though these messages are only a nuisance and they will subside once both units are returned to a state where they are both running the same image.

The event stream is somewhat of a flood but not bad enough to prevent basic control of the seamless upgrade procedure.

Workaround:
No workaround is needed because all operations remain functional throughout the process

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
100.13(1.24), 9.3(2)
Known Fixed Releases: *
100.12(0.142), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.66), 100.15(16.1), 100.15(17.1), 100.15(3.35), 100.15(6.21), 100.15(8.12)
Alert Type:
Updated *
Bug Id:
CSCus98309
Title:
Duplicate IPv6 address is configurable in 1 ASA or context
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Duplicate IPv6 address is configurable in 1 ASA or context.

In the case of L2 transparent mode, a duplicate IPv6 address for 2 BVI interfaces in 1 context is configurable by configuring 'ipv6 address' first and 'bridge-group' later.
In the case of L3 routed mode, a duplicate IPv6 address is configurable for multiple interfaces by configuring 'ipv6 address' first and 'nameif' later.

Conditions:
IPv6 environments

Workaround:
Configure 'bridge-group' first for L2 transparent mode.
Configure 'nameif' first for L3 routed mode.

Further Problem Description:
none

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5.12)
Known Fixed Releases: *
100.11(0.57), 100.12(0.115), 100.13(0.47), 100.13(21.8), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6), 100.14(2.8), 100.14(26.2)
Alert Type:
Updated *
Bug Id:
CSCut37042
Title:
Secondary ASA stuck in config sync while upgrading to 8.4.x
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In a situation where we are doing a "zero-downtime upgrade" of the firewall from 8.2(5)48 to 8.4.x, we see the following repeated messages appear on the console of the secondary unit (the primary has not yet been upgraded). Even after waiting for several hours the logs keep on appearing.

WARNING: MIGRATION: ACE converted to real IP/port values based on
dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing poli
permit tcp host 155.16.54.36 10.0.0.0 255.0.0.0 eq 9998 log
WARNING: MIGRATION: ACE converted to real IP/port values based on
dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing poli
permit tcp host 155.16.54.36 172.20.0.0 255.252.0.0 eq 9998 log
WARNING: MIGRATION: ACE converted to real IP/port values based on
dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing poli
permit tcp host 155.16.54.36 192.168.0.0 255.255.0.0 eq 9998 log
:
:

Conditions:
While upgrading to 8.4(6) or 8.4(7)3 or 8.4(7)23.

Workaround:
The issue does not occur for standalone ASA.

Perform a manual upgrade (not a zero-downtime upgrade): arrange a maintenance window and upgrade the primary and secondary at the same time, so that the units never attempt to sync configuration across different versions.

Further Problem Description:
Tracing the flow that produces these warning messages, they appear to start during the "replication" phase rather than the "upgrade" phase (the upgrade itself completes successfully).

Last Modified:
24-SEP-2015
Known Affected Releases:
8.4(6), 8.4(7), 8.4(7.230)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.16), 100.14(26.6)
Alert Type:
Updated *
Bug Id:
CSCui37201
Title:
Misleading error msg for pat-pool with mapped object
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Wrong error message thrown while configuring dynamic PAT

Conditions:
Issue is seen with dynamic PAT.

Workaround:
None.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(2.5)
Known Fixed Releases: *
100.12(0.132), 100.13(0.82), 100.14(0.56), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCuv35243
Title:
ASA: Not able to remove ACE with "log default" keyword
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA: Unable to remove ACE with "log default" keyword enabled

Conditions:
"log default" should be added at the end of the ACE

Workaround:
Do not use the "log default" keyword at the end of the ACE.

In the case of CSM, set the ACL parameter to "traffic" rather than "speed".

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.94), 100.14(0.70), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.66), 100.15(16.1), 100.15(17.1), 100.15(3.35), 100.15(6.22)
Alert Type:
Updated *
Bug Id:
CSCuc16662
Title:
HTML/Java File Browser- created file or folder shows 9 months offset
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When a new folder or file is created on the FTP or CIFS server over WebVPN, the creation date shown has a 9-month offset.

Conditions:
1. Create a new folder or file on the FTP or CIFS server.
2. The displayed date has a 9-month offset.
3. The date checked on the share server itself looks fine.
4. This could be a display issue.

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.3(1), 9.0(0.113)
Known Fixed Releases: *
100.11(0.59), 100.12(0.125), 100.13(0.75), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.37), 100.14(7.30), 100.15(0.11)
Alert Type:
Updated *
Bug Id:
CSCut05676
Title:
Handling esmtp default parameters for TLS
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In multi-context mode, when migrating from one version to another, each context should have TLS behavior based on the version of its own config-url file, not on the version of the startup configuration.

Conditions:
When a migration happens in multi-context mode and one context's config-url contains an old version, followed by a next context that contains a new version.

Workaround:
Use a user-defined esmtp policy-map instead of depending on the default esmtp policy-map.
Or
Run 'write memory all' in multi-context mode before migrating to a new version.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.13(0.60), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.17), 100.14(26.6), 100.14(3.5), 100.14(4.25)
Alert Type:
Updated *
Bug Id:
CSCua32157
Title:
Remove Code for Type 0 Routing Headers
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
This is a modification on the product to adopt new secure code best practices to enhance the security posture and resiliency of the product.

Conditions:
Device configured with default configuration.

Workaround:
Not applicable or available.

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.2(4.5)
Known Fixed Releases: *
100.11(0.62), 100.12(0.145), 100.13(0.98), 100.14(0.73), 100.15(0.26), 100.15(1.92), 100.15(16.5), 100.15(17.7), 100.15(3.54), 100.15(8.14)
Alert Type:
Updated *
Bug Id:
CSCuv11963
Title:
TP Auth fails when sub CA using RSA keys is signed by root using ECDSA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA fails to validate the AnyConnect client certificate issued by the intermediate CA under the conditions below.

Conditions:
1. ASA running 9.3.3.1, configured for certificate authentication.

2. The root CA cert must have an ECDSA signature algorithm and an ECDSA public key.

3. The intermediate CA cert must have an ECDSA signature algorithm with an RSA public key.

4. The ASA ID cert must have an RSA signature algorithm with an RSA public key.

5. The client cert must have an RSA signature algorithm with an RSA public key.

Workaround:
NONE

Further Problem Description:
When connecting to the ASA from an AnyConnect client machine, the client sends its ID cert and the ASA fails to verify the cert chain, with the debug output below.

CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.
CRYPTO_PKI:Failed to set key info for get public key obj, status: 542, keylen: 294
CRYPTO_PKI: Verify chain of certs failed to get pubkey from signer.

Root, intermediate and ID certs are installed in separate trustpoints on the ASA. Installing the intermediate and ID cert in a single trustpoint results in the same failure.

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(3.1), 9.4(1), 9.5(1)
Known Fixed Releases: *
100.13(0.98), 100.14(0.73), 100.15(0.26), 100.15(1.83), 100.15(16.4), 100.15(17.2), 100.15(3.50), 100.15(6.33), 100.15(8.13), 9.4(1.112)
Alert Type:
Updated *
Bug Id:
CSCuu76651
Title:
Traps are not sent after hyperlite boots up with all data interfaces shut
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
SNMP traps are not transmitted from the ASA

Conditions:
Saleen and Kenton platforms.

The ASA boots with all of its data interfaces administratively shutdown.

Workaround:
admin-up a data interface.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
100.13(29.11)
Known Fixed Releases: *
100.12(0.132), 100.13(0.84), 100.13(29.101), 100.13(29.34), 100.14(0.63), 100.14(16.2), 100.14(5.24), 100.14(7.46), 100.15(1.29), 100.15(10.3)
Alert Type:
Updated *
Bug Id:
CSCuu18527
Title:
ASA WebVPN: HTTP 302 Location URL rewritten incorrectly
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
In some corner cases, if the backend server responds with HTTP "302 Found" and in the Location URL the FQDN and the URI are separated not by "/" but by "?", the ASA appends the URI prefix of the request it was redirected from, resulting in an HTTP 404.

For example:
Client Performs: GET /abcd/login.php
Backend Server Responds with HTTP 302 Found: Location: http://server.company.com?email=bsg73kdpo1098
At this stage, ASA rewrites this HTTP header as: HTTP 302 Found: Location: http://server.company.com/abcd/?email=bsg73kdpo1098

Here, notice that the ASA appends /abcd/ from the original URI.

Conditions:
ASA acting as a clientless SSL VPN server, with users accessing intranet websites through the WebVPN portal. The websites are served through the ASA's rewriter engine.

Workaround:
Use Smart-Tunnel feature

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(3.1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.17), 100.14(10.23), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCuu16983
Title:
ASA: failover logging messages appear in user context
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Failover syslog messages should appear in the admin context, but they appear in a user context.

Conditions:
ASA in multi-context mode.

Workaround:

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5.19), 9.2(2.8)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.18), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9)
Alert Type:
Updated *
Bug Id:
CSCuu02635
Title:
Remove demo and eval warning for sfr monitor-only
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A warning is produced when configuring the SFR module to monitor-only mode. Example:

ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open monitor-only
WARNING: Monitor-only mode should be used for demonstrations and evaluations only. This mode prevents SFR from denying or altering traffic.

Conditions:
The policy-map sfr monitor-only mode is supported for production, which makes the "should be used for demonstrations and evaluations only" text incorrect and confusing.

Workaround:
None. Ignore the "should be used for demonstrations and evaluations only" portion of the warning.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(3), 9.3(1)
Known Fixed Releases: *
100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.17), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9)
Alert Type:
Updated *
Bug Id:
CSCup89922
Title:
ASA DNS lookups always prefer IPv6 response
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
A DNS server configured on the ASA will always be sent IPv6 DNS requests (type=AAAA) if any of the interfaces are configured with IPv6. There is no way to prevent this behaviour or make the ASA prefer sending type=A requests.

Conditions:
This only occurs if IPv6 is enabled on any interface of the ASA, even if no globally unique address is assigned. If IPv6 is enabled, the ASA only makes type=AAAA DNS requests. This always results in an IPv6 DNS response and can cause features that depend on DNS to fail (e.g. Smart Call Home).

Workaround:
Disable all IPv6 addresses on the ASA.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(0.2), 9.1(1), 9.1(5)
Known Fixed Releases: *
100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.14(0.24), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCuu96492
Title:
'terminal pager' does not clear when authorization auto-enable is used
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The terminal pager line count is not re-initialized from the running config even after the session terminates, unless login or enable is used in EXEC mode.

But when this is used along with AAA authorization, the user is not prompted for the password when entering privileged EXEC mode:
aaa authorization exec authentication-server auto-enable

So if any user enters the terminal pager command, it affects other user sessions that log in using AAA with privileged credentials.

Conditions:
terminal pager is used and the following command is enabled:
aaa authorization exec authentication-server auto-enable

Workaround:
Clear the terminal pager instead of logging in with the enable or login command:
clear terminal pager

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5.240)
Known Fixed Releases: *
100.13(0.85), 100.14(0.66), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.63), 100.15(3.16), 100.15(4.20), 100.15(5.23), 9.4(1.99)
Alert Type:
Updated *
Bug Id:
CSCus37840
Title:
AnyConnect upgrade from AC 2.5 to AC 3.1 fails
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
AnyConnect upgrades fail from 2.5.X to 3.1.Y.

Conditions:
ASA 9.2(1), AC upgrade from client 2.5.6005 to 3.1.5170. In general, any upgrades from AC 2.5 to 3.1 fail. Failure here means that the new version is not able to resume the tunnel initiated by the old version. The new version is still downloaded and installed.

Workaround:
None.

Have client manually reconnect with the new version.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2
Known Fixed Releases: *
100.11(0.58), 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.13(29.28), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20)
Alert Type:
Updated *
Bug Id:
CSCut48571
Title:
Incorrect cert chain sent to connecting IPSec clients
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The ASA might not send the correct certificate chain to connecting IPSec clients.

Conditions:
This may occur if the ASA has more than one version (same DNs, but different public keys) of any one of the chain certificates in its configuration.

Workaround:
It may be possible to work around this by repositioning the affected certificates and trustpoints in the configuration.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.13(0.60), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.17), 100.14(26.7), 100.14(3.5), 100.14(4.25)
Alert Type:
Updated *
Bug Id:
CSCut69675
Title:
Radius Acct-Terminate-Cause for L2TP over IPSec is incorrect.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Radius Acct-Terminate-Cause for L2TP over IPSec session is incorrect.
The value in the Accounting-Request is always User-Request, even if the disconnect reason is loss of service.

Note:
The session-timeout, idle-timeout, etc. cases were covered by CSCus88626, which is now in the verified state.

Conditions:
none

Workaround:
none

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.4(7.23), 9.1(5)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.12(0.122), 100.13(0.66), 100.13(21.13), 100.13(28.2), 100.14(0.8), 100.14(0.9), 100.14(1.7), 100.14(10.11)
Alert Type:
Updated *
Bug Id:
CSCua32176
Title:
IPv6 Complete Packet Fragment Reassembly Check Bypass
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
It is possible for a crafted IPv6 packet to bypass the fragment reassembly check of the Cisco Adaptive Security Appliance (ASA).

Conditions:
Cisco ASA configured for IPv6.

Workaround:
None.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/4.3:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:U/RC:C&version=2.0
CVE ID CVE-2012-5736 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.2(4.5)
Known Fixed Releases: *
100.11(0.62), 100.12(0.143), 100.12(0.146), 100.13(0.100), 100.13(0.95), 100.14(0.71), 100.14(0.73), 100.15(0.24), 100.15(0.26), 100.15(1.68)
Alert Type:
Updated *
Bug Id:
CSCut83833
Title:
USB device hot plug not supported in running ASA
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Hot plug of a USB stick does not work as expected on the 5506, 5506H, 5506W, 5508, 5516 and follow-on models.

Conditions:
After unit is started, unable to plug in a drive and have it recognized.

Workaround:
Boot with USB stick inserted.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
100.13(11)
Known Fixed Releases: *
100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.8), 100.14(0.21), 100.14(10.23), 100.14(5.16), 100.14(7.32), 100.15(0.12), 100.15(1.15)
Alert Type:
Updated *
Bug Id:
CSCut26062
Title:
ASA 9.2.1 Eigrp Authentication does not work with 16 character key
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA 9.2.1 EIGRP authentication does not work with a 16-character key. The ASA is not able to read the 16th character of the key-string.

Conditions:
ASA running the 9.2 software version and using an EIGRP authentication key of 16 characters.

Workaround:
This issue has not been observed in any 8.2 or 9.1 release.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.116), 100.13(0.53), 100.13(21.10), 100.14(0.4), 100.14(1.4), 100.14(10.7), 100.14(11.7), 100.14(2.10), 100.14(26.4)
Alert Type:
Updated *
Bug Id:
CSCuv90156
Title:
All Remarks in ACLs are pushed to the end of each ACL after upgrade
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
All remarks in an ACL are bundled together and pushed to the end of the ACL after running an upgrade.

Conditions:
This happens when the command "object-group-search access-control" is present in the configuration at the time of the upgrade.

Workaround:
Remove the "object-group-search access-control" command before the upgrade and re-apply it after the upgrade.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3, 9.4, 9.5
Known Fixed Releases: *
100.12(0.145), 100.13(0.98), 100.15(0.25), 100.15(1.78), 100.15(16.3), 100.15(17.1), 100.15(3.46), 100.15(6.30), 100.15(8.13), 9.4(1.107)
Alert Type:
Updated *
Bug Id:
CSCut49711
Title:
show cluster mem indicates incorrect values
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"show cluster memory" indicates incorrect values of Free and Used memory in both the summary and the individual node output.

Conditions:
When executing "show cluster memory" from the master or a slave node in the cluster.

Workaround:
Issue "show memory" on individual nodes or "cluster exec unit show mem" to fetch correct values.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.0, 9.3(2.103), 9.4(1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.59), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.15), 100.14(26.6)
Alert Type:
Updated *
Bug Id:
CSCuv09640
Title:
ASA: "Auto-Enable" feature not working with SSH configured with PKF
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
The "auto-enable" feature does not work on an ASA configured with the SSH PKF feature.

Conditions:
ASA SSH configured with the PKF feature

Workaround:
Don't use the "auto-enable" command with the SSH PKF feature.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.90), 100.14(0.68), 100.15(0.22), 100.15(1.42), 100.15(10.4), 100.15(15.4), 100.15(2.75), 100.15(3.20), 100.15(4.25), 100.15(8.9)
Alert Type:
Updated *
Bug Id:
CSCuu31281
Title:
AAA Authorization HTTP sends username in password field of authorization
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASDM access may be denied to all users even if their passwords are correct and they are in the correct groups for authorization. This occurs because, after a change in ASDM authorization in 9.4.1, administrators must configure a new command, "aaa authorization http console", to authorize HTTP/ASDM logins (this was not the case in pre-9.4 code). With that command entered, the ASA sends a second packet to the authentication server, but the attempt fails because the ASA puts the username in the password field of the packet.

Conditions:
- ASA 9.4.1 or greater
- "aaa authorization http console aaa-group" configured for ASDM authorization
- Has been observed with the LDAP protocol and the RADIUS protocol, but may apply to others as well

Workaround:
- Disable HTTP authorization by removing the "aaa authorization http console" command from the configuration (NOTE: this will allow all users to log in to ASDM if their credentials are valid)
- Downgrade to 9.3 or lower

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.76), 100.13(21.14), 100.14(0.19), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.10), 100.15(2.35), 100.15(3.3)
Alert Type:
Updated *
Bug Id:
CSCuu93339
Title:
Cisco ASA Poodle TLS Variant
Status:
Fixed
Severity:
3 Moderate
Description:

Symptoms:
Cisco ASA models 5506-X, 5508-X and 5516-X include a version of an SDK which is vulnerable to a variant of POODLE TLS where the first byte of the padding is not checked.

Additional information about this issue can be found at:
https://vivaldi.net/en-US/blogs/entry/there-are-more-poodles-in-the-forest

Conditions:
Cisco ASA Software is affected by this vulnerability if a feature that uses TLS is enabled. The exposure is confined to that feature only.
Examples of features using TLS are the HTTP Secure server for management, clientless and AnyConnect SSL VPN, TLS Proxy, Phone Proxy, etc.

Workaround:
There is no workaround for this issue other than disabling the affected feature.

PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C&version=2.0
CVE-2015-4595 has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(3.2), 9.4(1.3)
Known Fixed Releases: *
100.12(0.130), 100.13(0.81), 100.13(29.28), 100.14(0.48), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.54)
Alert Type:
Updated *
Bug Id:
CSCuv85752
Title:
Group-lock value can be set with space in a tunnel-group name
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Group-lock setting does not get deleted from group-policy attributes and causes AnyConnect connections to fail for a given tunnel-group.

Conditions:
Standard AnyConnect configuration plus group-lock in the group-policy.

Workaround:
Reapply the group-lock without a trailing space after the tunnel-group name.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.2, 9.1, 9.1(4), 9.3, 9.3(2), 9.4, 9.4(1)
Known Fixed Releases: *
100.11(0.62), 100.12(0.145), 100.13(0.97), 100.15(0.25), 100.15(1.78), 100.15(16.3), 100.15(17.1), 100.15(3.46), 100.15(6.30), 100.15(8.13)
Alert Type:
Updated *
Bug Id:
CSCuu41142
Title:
IPv6 local host route fail when setting link-local/Global simultaneously
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
When configuring a link-local address and a global address simultaneously by copy-and-paste from a text editor, the IPv6 local host route is not shown in "show ipv6 route".
For example, when setting 2001:1111:1111:111::1/128 as the IPv6 address on an interface, a local host route for 2001:1111:1111:111::1/128 should be installed, but in certain situations it is not.

ciscoasa/C1(config-if)# sh ipv6 route

IPv6 Routing Table - 3 entries
Codes: C - Connected, L - Local, S - Static
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2001:1111:1111:111::/64 [0/0]
via ::, outside
L fe80::/10 [0/0]
via ::, outside
L ff00::/8 [0/0]
via ::, outside

The following local host route should have been installed:

L 2001:1111:1111:111::1/128 [0/0]
via ::, outside

Conditions:
The symptom only occurs when changing the link-local address and the global address simultaneously.
It does not occur when the link-local address is not changed, or when the link-local address and the global address are configured one line at a time.

Workaround:
- Configure the link-local address and the global address one line at a time (do not copy-and-paste multiple lines)
- Do not change the link-local address when configuring the global address

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases: *
100.11(0.59), 100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53)
Alert Type:
Updated *
Bug Id:
CSCut39169
Title:
WebVPN:Rewrite issue with 'eval' expressions inside JS on Peoplesoft app
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Some content on a PeopleSoft-based application may fail to be displayed or accessible through clientless WebVPN.

Conditions:
The application is processed by the WebVPN rewriter.

Workaround:
Use Smart-tunnel

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.119), 100.13(0.60), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.17), 100.14(26.7)
Alert Type:
Updated *
Bug Id:
CSCuu08031
Title:
ASA QoS Priority Queue tx-ring-limit 512 causes high impact to LLQ
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
There is a very big difference between tx-ring-limit 512 and tx-ring-limit 511.

More specifically, with tx-ring-limit 512 packets the LLQ traffic suffers packet loss, while no tail drops are seen for BE traffic.
With tx-ring-limit 512, the bigger the average packet size for BE traffic, the bigger the packet loss for LLQ traffic.

With tx-ring-limit 511 packets, LLQ traffic has no packet loss any more, while many tail drops appear for BE traffic, which is the expected behaviour.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.4(7.26)
Known Fixed Releases: *
100.12(0.132), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12)
Alert Type:
Updated *
Bug Id:
CSCut58935
Title:
WebVPN: Tsweb fails to work through clientless portal
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
TSWeb access through clientless VPN may fail when using a customized TSWeb portal. Users see a blank window instead of the server logon screen.

Conditions:
ASA running 9.1.5.10 or later releases.

Workaround:
Use the rdp plugin or smart-tunnel the terminal services client.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5.10), 9.1(5.19), 9.1(5.21), 9.2(2.4), 9.3(1)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.13(29.28), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12)
Alert Type:
Updated *
Bug Id:
CSCuu07308
Title:
"ssh scopy enable" deleted from configuration
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
"ssh scopy enable" deleted from configuration

Conditions:
Seen on a multi-context ASA.

ssh scopy enable is turned on.

The command may be removed when making changes in the ASA system context. It has been confirmed that the command disappears after deleting a context.

Workaround:
Simply re-add the command to the configuration to continue using ssh scopy.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.11(0.59), 100.12(0.125), 100.13(0.75), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.37), 100.14(7.30), 100.15(0.11)
Alert Type:
Updated *
Bug Id:
CSCuv32789
Title:
ASA using IKEv2 rejects more than 10 NAT_DETECTION_SOURCE_IP payloads
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Acting as the IKEv2 responder, the ASA receives an initial IKEv2 packet that contains more than 10 NAT_DETECTION_SOURCE_IP payloads from the initiator. The ASA rejects the connection, enumerates 10 payloads and then prints "INVALID_SYNTAX".

Conditions:
- ASA acts as IKEv2 responder.
- ASA receives more than 10 "NAT_DETECTION_SOURCE_IP" payloads from the initiator.

Workaround:
Use IKEv1.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(2.8)
Known Fixed Releases: *
100.11(0.62), 100.12(0.141), 100.13(0.95), 100.14(0.70), 100.15(0.24), 100.15(1.62), 100.15(16.1), 100.15(17.1), 100.15(3.36), 100.15(6.21)
Alert Type:
Updated *
Bug Id:
CSCuu02761
Title:
DNS should perform IPv4 lookups if IPv6 address is not reachable
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
DNS returns IPv6 addresses that are not reachable by the ASA.

Conditions:
IPv6 is enabled on at least one ASA interface.

DNS lookups are configured.

Hosts are accessed by name rather than IP or IPv6 address.

Workaround:
Options:
1. If this is a manual operation (e.g. ping), specify the IP or IPv6 address directly.

2. Disable IPv6 on all interfaces.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.58), 100.12(0.123), 100.13(0.69), 100.13(21.13), 100.14(0.10), 100.14(10.14), 100.14(26.11), 100.14(5.14), 100.14(6.16), 100.14(7.16)
Alert Type:
Updated *
Bug Id:
CSCuu54660
Title:
ASA Remote Access - Phase 1 terminated after xauth
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
IPSEC remote access clients are intermittently not able to connect.
The user is prompted for password and then the connection fails.

From the ASA debugs, Phase 1, XAUTH and config mode complete fine. Then the ASA deletes the Phase 1 SA, sends a delete notification to the client and discards the QM1 packet sent by the client.

Conditions:
macOS / iOS built-in IPsec VPN client.
Clients behind NAT.
More detailed triggers are unknown.

Workaround:
Reload the ASA.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuu19489
Title:
ASA inspection-MPF ACL changes not inserted into ASP table properly
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
New ACL changes not taking effect for inspection policies.

When new rules are added to the top of an existing ACL that is mapped to an inspection policy, the ASA incorrectly installs the rule at the bottom of its ASP table. This applies to any inspection policy that has an ACL bound to it.

Conditions:
There should be an ACL bound to an inspection policy.

Workaround:
Remove and re-apply the service-policy, or remove and re-apply the affected class-map in the policy-map.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.54), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCut24490
Title:
L2TP/IPSec Optimal MSS is not what it's supposed to be
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
This is a bug to clarify how to calculate the optimal MSS for L2TP/IPSec

Conditions:
ASA terminating IPSec/L2TP

For Windows 7, MTU on IPSec/L2TP virtual adaptor is 1300. Because 1300 is small enough, MSS configuration may not be required.
However, it is not always the case for Android.

Workaround:
TAC lab test indicates the following formula can be used to calculate MSS.

MSS = MTU - 156

e.g.
when MTU is 1500:
MSS = 1500 - 156 = 1344

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(2), 9.1(5)
Known Fixed Releases: *
100.11(0.58), 100.12(0.121), 100.13(0.63), 100.13(21.13), 100.13(28.2), 100.14(0.8), 100.14(1.7), 100.14(10.11), 100.14(11.12), 100.14(2.23)
Alert Type:
Updated *
Bug Id:
CSCut96928
Title:
ASA : Password creation date is decrementing by one with every reboot
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA "Local User" password creation date is decrementing by one day with every reboot

Conditions:
ASA configured with the command: password-policy lifetime

Workaround:
No workaround

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(3)
Known Fixed Releases: *
100.11(0.58), 100.12(0.124), 100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.23), 100.14(7.22), 100.15(0.9)
Alert Type:
Updated *
Bug Id:
CSCuw40468
Title:
DHCP proxy overwrites chosen DHCP server in multiple DHCP server scenario
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
AnyConnect clients stop connecting to the ASA because they are no longer able to get an address from the DHCP server.

Conditions:
- multiple DHCP servers configured on the ASA
- either DHCP server is behaving incorrectly where it sees the REQUEST (with the other server's IP) and still replies with an OFFER, or the OFFER was sent by the non-selected DHCP server before it sees the REQUEST

Workaround:
configure only one DHCP server

Further Problem Description:

Last Modified:
29-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.15(0.44), 100.15(17.18), 100.15(3.68), 100.16(0.2), 100.16(1.5), 99.1(2.254)
Alert Type:
Updated *
Bug Id:
CSCuw24668
Title:
Multi-Node Service Graph produces mac-flap with l3out as consumer
Status:
Open
Severity:
3 Moderate
Description:

Symptom:
Traffic from an L3Out to a Service Device in a Multi-Node service chain is dropped after the EP is aged out in the fabric.

Conditions:
MAC flapping is occurring on the ASA, causing the ARP response to be dropped; thus the EP database and ARP entry on the leaf never get updated.

Workaround:
n/a

Further Problem Description:

Last Modified:
29-SEP-2015
Known Affected Releases: *
8.1(2.7)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw32125
Title:
ASA stacktrace in vpn client disconnect that had dACL applied
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
On the console of an ASA, the following stacktrace is seen.

Aug 12 14:54:50 10.0.7.81 %ASA-0-711001: -Traceback: 000000000042A63E 0000000001187B31 00000000011A7195 00000000011A75B3 00000000011AFBDD 00000000011B1738 0000000000531469 0000000000532D1E 0000000000540F86 0000000000531F1F 00000000004286D5

It decodes to the following:

Version:arsenal/9.0.4.17
Image Type: asa
Executable: smp
Symbol File: smp.sort
000000000042A63E
0000000001187B31
00000000011A7195
00000000011A75B3
00000000011AFBDD
00000000011B1738
0000000000531469
0000000000532D1E
0000000000540F86
0000000000531F1F
00000000004286D5

The stack trace decode suggests that it occurs when a client that had a dACL applied disconnects.

Conditions:
ASA 5580-40 running version asa904-17-smp-k8

Workaround:
None

Further Problem Description:

Last Modified:
29-SEP-2015
Known Affected Releases:
9.0(4)
Known Fixed Releases: *
100.15(0.45), 100.15(3.69), 99.2(2.2)
Alert Type:
Updated *
Bug Id:
CSCuv76342
Title:
ISA3000 crashed while generating crypto rsa keys
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ISA3000 can produce back-trace after executing "crypto key generate rsa usage-keys label usage_key modulus 4096" command.

Conditions:
After the unit is installed with minimal initial configuration, issue the command 'crypto key generate rsa label Key1_4096 modulus 4096'.
Try the same command manually 7-8 times. The ISA can crash and produce a back trace around the 8th iteration. However, the issue cannot be reproduced consistently.

Workaround:
The ISA should reload after the back trace.

Further Problem Description:

Last Modified:
29-SEP-2015
Known Affected Releases:
100.13(29.28), 9.4(1)
Known Fixed Releases: *
100.13(0.104), 100.13(29.101), 100.13(29.36), 100.14(0.75), 100.15(0.29), 100.15(0.42), 100.15(1.94), 100.15(16.7), 100.15(17.18), 100.15(17.9)
Alert Type:
Updated *
Bug Id:
CSCuw33713
Title:
IKEv2: crypto isakmp identity auto doesn't work - DN not IKE ID but IP.
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
Despite the "crypto isakmp identity auto" the ASA does not send DN as IKE ID. It consistently sends IPv4 address.

As a result the peer identity verification fails.

Conditions:
1. IKEv2 L2L VPN

2. Certificate hierarchy:

ECDSA key root
ECDSA key sub
ECDSA key identity

OR

RSA key root
ECDSA key sub
ECDSA key identity


3. "crypto isakmp identity auto" enabled

Workaround:
Disable peer id validation under the tunnel group:

tunnel-group x.x.x.x ipsec-attributes
peer-id-validate nocheck

Further Problem Description:

Last Modified:
29-SEP-2015
Known Affected Releases:
9.4(1), 9.5(1)
Known Fixed Releases: *
100.15(0.45), 100.15(3.69), 99.2(2.2)
Alert Type:
Updated *
Bug Id:
CSCut18736
Title:
ASA crashes after clear configure all command
Status:
Fixed
Severity:
3 Moderate
Description:

Symptom:
ASA crashes after the "clear configure all" command is entered

Conditions:

Workaround:

Further Problem Description:

Last Modified:
01-OCT-2015
Known Affected Releases:
9.3(2.202)
Known Fixed Releases: *
100.15(0.48), 99.2(2.4)
Alert Type:
Updated *
Bug Id:
CSCus88626
Title:
Radius Acct-Terminate-Cause for L2TP over IPSec is incorrect.
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Radius Acct-Terminate-Cause for L2TP over IPSec session is incorrect.
The value in the Accounting-Request is always User-Request even if the disconnect reason
is session-timeout, idle-timeout, etc.
(Loss of service is covered under defect CSCut69675)

Conditions:
none

Workaround:
none

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.4(7.23), 9.1(5)
Known Fixed Releases: *
100.11(0.57), 100.12(0.118), 100.13(0.56), 100.13(21.10), 100.14(0.5), 100.14(1.4), 100.14(10.8), 100.14(11.8), 100.14(2.12), 100.14(26.4)
Alert Type:
Updated *
Bug Id:
CSCty30899
Title:
fqdn command option is removed when deleting RSA key
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
If both the fqdn and keypair commands are configured in a trustpoint,
and the RSA key associated with the trustpoint is removed by crypto key
zeroize, the fqdn command's option is unexpectedly removed and remains blank.

Conditions:
Both fqdn and keypair commands are configured in trustpoint.

Workaround:
Reconfigure fqdn command with option in trustpoint configuration mode.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.2, 8.4
Known Fixed Releases: *
100.13(0.60), 100.13(21.11), 100.13(28.2), 100.14(0.6), 100.14(1.5), 100.14(10.9), 100.14(2.18), 100.14(26.7), 100.14(3.6), 100.14(4.26)
Alert Type:
New
Bug Id:
CSCtf65922
Title:
Misleading ACL drop flow denied reason shown for NAT failure
Status:
Open
Severity:
4 Minor
Description:

Symptom:
An object outside interface PAT (for SSH) configured for a specific inside host and manual outside interface PAT defined for the entire inside network.
Outside interface ACL configured to permit all traffic

Conditions:
When an outside host attempts SSH to the static PATed address of the inside host, the connection attempt fails.

"show asp drop" indicates the drop reason to be:

Frame drop:
Flow is denied by configured rule (acl-drop)

But the drop is not due to any implicit or user configured ACL.

Workaround:
n/a

Further Problem Description:
The flow is dropped because the manual NAT has priority over the object NAT, and the resulting NAT failure causes the flow to be dropped.

But there is no indication of NAT failure - no Syslog/debug/error is shown

So there is no indication to the user as to why the connection failed

Last Modified:
09-SEP-2015
Known Affected Releases:
8.3(1), 9.1(5)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw09324
Title:
DOC:ASA 9.2 & later config guide not updated with OSPF distribute-list
Status:
Open
Severity:
4 Minor
Description:

Symptom:
This is a Document bug to add an example for ospf route filtering using distribute-list command used under the router OSPF configuration mode in ASA Config Guide 9.2 and later.

Conditions:
N/A

Workaround:
N/A

Further Problem Description:

Last Modified:
03-SEP-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuo05238
Title:
'show activation-key' command does not display the flash key correctly
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Contents of the flash permanent activation key is not displayed correctly in the output of the 'show activation-key' command.

Conditions:
An ASA with a running permanent activation key that is different from the flash permanent activation key.

Workaround:
None. When the ASA is reloaded, and the flash permanent activation key becomes the running permanent activation key, its contents are displayed correctly.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
100.8(38.131)
Known Fixed Releases: *
100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.54), 100.15(3.8)
Alert Type:
Updated *
Bug Id:
CSCuw16103
Title:
ASA: Duplicate Remark created using object with range keyword
Status:
Open
Severity: *
4 Minor
Description:

Symptom:
Duplicate Remark created using object with range keyword in the "show access-list" output

Conditions:
You must be using the Object with range keyword

Workaround:
You have to manually remove the remark using the "show run access-list" output

Further Problem Description:

Last Modified:
11-SEP-2015
Known Affected Releases:
9.4(1.5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCua71298
Title:
Help arp in context shows arp permit-nonconnected
Status:
Fixed
Severity:
4 Minor
Description: *

Symptom:
Help arp in admin and user contexts shows arp permit-nonconnected entry, which is only available in system context.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.4(4.2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCur83911
Title:
IPv6 DHCPRelay is not working in 100th Context in multimode
Status:
Open
Severity: *
4 Minor
Description:

Symptom:
IPv6 DHCPRelay is not working in 100th Context in multimode

Conditions:
ASA in multimode

Workaround:

Further Problem Description:

Last Modified:
29-SEP-2015
Known Affected Releases:
100.13(11.19), 9.1(2.8)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu07393
Title:
"sysopt traffic detailed-statistics" is removed after ASA reload
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
ASA command "sysopt traffic detailed-statistics" turns off automatically after reload

Conditions:
1. ASA is configured with 'sysopt traffic detailed-statistics'
2. The ASA is reloaded

Workaround:
None

Further Problem Description:

Last Modified:
01-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.12(0.142), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(16.2), 100.15(3.37), 100.15(6.21), 100.15(8.12), 99.1(2.221)
Alert Type:
Updated *
Bug Id:
CSCth38471
Title:
Error message recommends using deprecated cache-fs command
Status:
Terminated
Severity:
4 Minor
Description: *

Symptom:
ASA Error when attempting to configure Anyconnect image:

rtpvpnoutbound6(config-webvpn)# anyconnect image flash:/anyconnect-macosx-i386$
ERROR: Unable to load Anyconnect image - extraction failed

Conditions:
The 'cache-fs' command was added in 8.0(2) and deprecated in 8.0(3). Subsequent versions do not support this command.

Workaround:
Upgrade to version 8.2.5 or later. New versions allocate memory differently when loading SVC images and should not encounter this error.

Further Problem Description:

Last Modified:
08-SEP-2015
Known Affected Releases:
8.2(6)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuv62112
Title:
show version and show tech show "BIOS Flash unknown"
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
You may see "BIOS Flash unknown @ 0x0, 0KB" in the show version and show tech outputs

Conditions:
Affects ASA5506 appliances. Looking for bios flash information in show version or show tech output.

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(3), 9.4(1)
Known Fixed Releases: *
100.12(0.137), 100.13(0.94), 100.14(0.69), 100.15(0.23), 100.15(1.53), 100.15(15.15), 100.15(16.1), 100.15(2.83), 100.15(3.32), 100.15(6.19)
Alert Type:
Updated *
Bug Id:
CSCuo72103
Title:
ASA multi-context - SMTP logging not generating from system
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
SMTP logging is not sending log messages generated within the system execution space. For example, the failover log messages when a failover occurs. Other messages related to clustering are not sent either.

For example, messages like these are sent via email:

%ASA-1-104001: (Secondary) Switching to ACTIVE
%ASA-1-104002: (Primary) Switching to STANDBY

Messages pertaining to the clustering operation are not sent via SMTP logging:

747003
747004
747005
747024

These messages are seen and sent to the syslog server.

Conditions:
- ASA firewall in a multi-context configuration.
- SMTP logging configured with messages being logged in the admin context.
- Messages that are generated within the system execution space.

Workaround:
Use syslogs to see the messages which are generated in the system execution space.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(2), 9.1(4), 9.1(5)
Known Fixed Releases: *
100.11(0.59), 100.12(0.125), 100.13(0.74), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.36), 100.14(7.30), 100.15(0.11)
Alert Type:
Updated *
Bug Id:
CSCuv29505
Title:
EEM Action Sometimes Executed Multiple Times
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
Sometimes an event manager absolute time (time-of-day) applet can run multiple times.

Conditions:
NTP is configured, or the system clock has been manually modified.

Workaround:
None

Further Problem Description:
This happens if the actual system time-of-day is earlier than the configured absolute time when the event manager applet runs. When that happens, the applet is then re-armed and will execute again that day at the expected time.

The applet execution time can get out-of-sync due to automatic time adjustments done by NTP, or if the system clock is manually changed via the "clock set" CLI command.

The fix for CSCuv02304 "EEM action not executed on absolute time when NTP is configured" reduced the likelihood of this happening, but there is still a possibility that it could occur.

Last Modified:
24-SEP-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases: *
100.12(0.133), 100.13(0.85), 100.14(0.66), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.62), 100.15(3.16), 100.15(4.20), 100.15(5.23)
Alert Type:
Updated *
Bug Id:
CSCuq09430
Title:
ASA "debug webvpn anyconnect 255" not showing empty certificate issue
Status:
Fixed
Severity:
4 Minor
Description:

Symptom:
"debug webvpn anyconnect 255" should provide much more detail in situations where an empty certificate is sent

Conditions:
Empty cert sent

Workaround:
Troubleshoot the problem using a capture on the other end.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.13(0.65), 100.13(21.13), 100.14(0.9), 100.14(10.11), 100.14(11.13), 100.14(26.10), 100.14(4.38), 100.14(5.13), 100.14(6.9), 100.14(7.8)
Alert Type:
Updated *
Bug Id:
CSCua66557
Title:
arp permit-nonconnected not indented in help arp multiple mode
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
Help arp in multiple mode has incorrect indentation for "arp permit-nonconnected" entry.

Conditions:

Workaround:

Further Problem Description:

Last Modified:
05-SEP-2015
Known Affected Releases:
8.4(4.2)
Known Fixed Releases: *
100.11(0.62), 100.12(0.144), 100.13(0.96), 100.14(0.71), 100.15(0.24), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45), 100.15(6.30)
Alert Type:
Updated *
Bug Id:
CSCus22893
Title:
Extra space after newline in some syslogs
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
There is an extra whitespace character after the newline character in syslogs:

733104
733105
734001
717012
717011
717010
717009
717008
717007
717006
717005
717004
717003

Conditions:
This is seen in all versions of ASA code. Refer to the bug details for more information on fixed version.

Workaround:
None, this is purely cosmetic.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(5), 9.2(3), 9.3(2)
Known Fixed Releases: *
100.11(0.59), 100.12(0.125), 100.13(0.73), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.28), 100.14(7.28), 100.15(0.10)
Alert Type:
Updated *
Bug Id:
CSCut39154
Title:
Cluster trace message misspelled
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
The cluster message
Mar 05 17:51:54.425 [DBUG]Send CCP message to id 3: CCP_MSG_QUIT from IFW-5585-CL-02 to IFW-5585-CL-04 for reason CLUSTER_QUIT_REASON_CLUSTER_TREADOWN

has the reason misspelled. It should be CLUSTER_QUIT_REASON_CLUSTER_TEARDOWN

Conditions:
Cisco ASA running release 9.1.4.5 with clustering enabled. Issue occurs in the show cluster info trace output.

Workaround:
None

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(4.5)
Known Fixed Releases: *
100.11(0.58), 100.12(0.123), 100.13(0.68), 100.13(21.13), 100.14(0.10), 100.14(10.13), 100.14(26.11), 100.14(5.14), 100.14(6.13), 100.15(0.8)
Alert Type:
Updated *
Bug Id:
CSCut06553
Title:
ASA - PBR Debug Output Shows HEX representation of DSCP Value w/o '0x'
Status:
Fixed
Severity:
5 Cosmetic
Description:

Symptom:
The ASA policy-based routing debug output shows the HEX representation value and not the decimal value. This causes confusion since it looks like a decimal value due to the fact that the '0x' header is omitted. This is a cosmetic bug to modify the output so that the '0x' is printed in the output so that it's obvious that it is a HEX representation of the DSCP value.

Conditions:
Using 'debug policy-route' to verify functionality of PBR on an ASA and viewing DSCP values

Workaround:
N/A - this is a cosmetic issue.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.4(1)
Known Fixed Releases: *
100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(16.2), 100.15(17.1), 100.15(3.37), 100.15(6.22), 100.15(8.13), 9.4(1.107)
Alert Type:
New
Bug Id:
CSCur91985
Title:
ASA 5585 9.1.5.16 bcm_stat_sync errors on reboot
Status:
Terminated
Severity:
5 Cosmetic
Description:

Symptom:
ASA 5585 running 9.1.5.16. During reload, the following errors are seen on the console:


bcm_esw_clear_stats: bcm_stat_sync failed for unit 1, error -12
bcm_esw_clear_stats: bcm_stat_sync failed for unit 1, error -12-


Interface counters reflect the current status.

Conditions:
ASA 5585 platform. Errors are on unit 1. No running 'bcmCNTR.1' process in the show process output.



njASA5585-1/act# sh proc | i bcm
Mwe 0x0000000001da2b88 0x00007ffecdde6168 0x00007ffed6182610 0 0x00007ffecddde380 32224/32768 bcmXGS3AsyncTX
Mwe 0x0000000001da2b88 0x00007ffecddde138 0x00007ffed61815a0 0 0x00007ffecddd6330 32256/32768 bcmTX
Msi 0x00000000021f4bc5 0x00007ffeceda4518 0x0000000005bc4010 384 0x00007ffeced9c680 31784/32768 bcmPOLL
Mwe 0x0000000001da2bce 0x00007ffedb15f3a8 0x00007ffedb107e60 13462 0x00007ffedb1575d0 29400/32768 bcmLINK.1
Mwe 0x0000000001da2bce 0x00007ffedb1437f8 0x00007ffed61809b0 4447 0x00007ffedb13ba20 29656/32768 bcmLINK.0
Mwe 0x0000000001da2b88 0x00007ffecd49cd78 0x00007ffecd494ee0 0 0x00007ffecd494f50 32288/32768 bcmDPC
Mwe 0x0000000001da2bce 0x00007ffeced26538 0x00007ffed6180ae0 2228 0x00007ffeced1e750 29976/32768 bcmCNTR.0

Workaround:
None

Further Problem Description:

Last Modified:
03-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCui86305
Title:
Add Remote Access VPN capability with firewall Clustering
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
This enhancement request is to track feature support for Remote access VPN terminating on an ASA running in a cluster.

This applies to both AnyConnect (using SSL and IKEV2) and IPSEC VPN clients (using IKEV1)

Conditions:
ASA in clustering and Remote access VPN

Workaround:

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.1(3.53)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCui67623
Title:
SNMP: entPhySensorUnitsDisplay returns wrong data
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
According to the Cisco SNMP Navigator at http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.2.1.99.1.1.1.6#oidContent the entPhySensorUnitsDisplay OID is supposed to return "A textual description of the data units that should be used in the display of entPhySensorValue." Instead it appears to return something like a description.

Conditions:
Cisco ASA running release 8.6.1.10 with SNMP enabled.

Workaround:
To get this information you can query the show inventory and show environment CLI.

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
8.6(1.10)
Known Fixed Releases: *
100.11(0.57), 100.12(0.117), 100.13(0.55), 100.13(21.10), 100.14(0.13), 100.14(0.4), 100.14(1.4), 100.14(10.23), 100.14(10.8), 100.14(11.8)
Alert Type:
Updated *
Bug Id:
CSCur55645
Title:
Saleen: Add support for CISCO-ENTITY-SENSOR-EXT-MIB
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
ASA does not update or return the correct values for CISCO-ENTITY-SENSOR-EXT-MIB OIDs.
This support was never added for the Saleen platforms

Conditions:
Cisco ASA running release 9.2.1

Workaround:
None within SNMP but you can get some of the values via the CLI

Further Problem Description:

Last Modified:
24-SEP-2015
Known Affected Releases:
9.2(1)
Known Fixed Releases: *
100.11(0.57), 100.12(0.117), 100.13(0.55), 100.13(21.10), 100.14(0.13), 100.14(0.4), 100.14(1.4), 100.14(10.23), 100.14(10.8), 100.14(11.8)
Alert Type:
Updated *
Bug Id:
CSCui93331
Title:
ASA Policy-Based Routing (PBR) support
Status:
Fixed
Severity:
6 Enhancement
Description: *

Symptom:
ASA doesn't support Policy-Based Routing (PBR)

Conditions:
-

Workaround:
Note that the following workarounds can achieve PBR-like behavior, but are not fully tested. Please use them taking into account the risk they introduce.

Pre-8.3 code

We can manipulate the traffic to use another link, but only for a specific destination/service, not source IP/service.

nat (INSIDE) 1 0.0.0.0 0.0.0.0
!
global (ISP2) 1 interface
global (ISP1) 1 interface
!
route ISP1 0 0 192.168.1.250 <-- Default route pointing to ISP1
route ISP2 0 0 192.168.2.250 2 <-- Floating default route (Metric 2) via ISP2
!
nat (INSIDE) 1 0 0
global (ISP1) 1 interface

!all the traffic destined to any address on port 80 will be forcibly sent to ISP2
static (ISP2,INSIDE) tcp 0.0.0.0 80 0.0.0.0 80

If I want, I can send to ISP1 traffic that goes to specific hosts for port TCP 80

static (ISP1,INSIDE) tcp 192.168.100.100 80 192.168.100.100 80

ASA codes 8.3.1 - 8.4.4.1

The NAT code in these releases doesn't have CSCtq47028 implemented. This creates problems achieving PBR-like behavior.

ASA codes between 8.4.4.2 - 8.4.6.4, 9.0.1 - 9.0.3, 9.1.1 - 9.1.2.5

Specifying the destination service in a Twice NAT rule can 'force' the traffic to exit a different interface. At the same time the source IP is checked, so we have PBR-like behavior.

route ISP1 0.0.0.0 0.0.0.0 192.168.0.121 1
route ISP2 0.0.0.0 0.0.0.0 192.168.27.2 2 <-- backup default route
!
object service WWW
 service tcp destination eq www
!
object network HOST_10.10.10.11 <-- the host that you want to do PBR for
 host 10.10.10.11
!
!PAT host 10.10.10.11 to the IP of the interface ISP2 when accessing WWW
nat (INSIDE,ISP2) source dynamic HOST_10.10.10.11 interface service WWW WWW
!
!PAT the rest of the traffic to ISP1 interface IP
nat (INSIDE,ISP1) source dynamic any interface

Note: All IP addresses are private due to security reasons.

Further Problem Description:

Last Modified:
27-SEP-2015
Known Affected Releases:
8.4, 9.0(1), 9.1
Known Fixed Releases:
100.13(1.7), 100.13(11.23), 100.13(12.1), 100.13(12.2), 100.13(12.5), 100.13(12.8), 99.1(5.1)
Alert Type:
Updated *
Bug Id:
CSCur69271
Title:
5506-5508: "show file info lfbff-k8.SPA" missing version and wrong size
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
show file info for lfbff-k8.SPA images doesn't display the version, and the file size is wrong:
show file information disk0:/asa932-lfbff-k8.SPA
show file information disk0:/asa-restapi-101-lfbff-k8.SPA

Conditions:
show file info for lfbff-k8.SPA images doesn't display the version, and the file size is wrong.

Workaround:
Verify the correct size of the image files via the dir command.

Further Problem Description:

Last Modified:
28-SEP-2015
Known Affected Releases:
100.12(0.96)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCut78380
Title:
ASA IPv6 ECMP routing does not load balance traffic
Status: *
Other
Severity: *
6 Enhancement
Description:

Symptom:
ASA is not load balancing IPv6 traffic across Equal Cost Multi Path (ECMP) routes.
Captures show that traffic through the ASA is not load balanced.

Conditions:
ASA configured with Equal Cost Multi Path (ECMP) routes.

Workaround:
None at this time.

Further Problem Description:

Last Modified:
29-SEP-2015
Known Affected Releases:
9.1(2), 9.3(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtc26917
Title:
ENH: Tracking Packet Count on Per-Connection Basis Through Netflow
Status:
Fixed
Severity:
6 Enhancement
Description: *

Symptom:
This is an enhancement request to add support for per-connection packet count tracking and export through Netflow on Adaptive Security Appliance (ASA).

Conditions:

Workaround:

Further Problem Description:

Last Modified:
29-SEP-2015
Known Affected Releases:
8.2(1)
Known Fixed Releases:
100.15(18.1)
Alert Type:
Updated *
Bug Id:
CSCud90235
Title:
SSH: ASA default config should support only SSHv2
Status:
Open
Severity: *
6 Enhancement
Description:

Symptoms:
The ASA default configuration should only support SSHv2 connections. The use of SSHv1 is not recommended for security reasons and, with this change, a user must explicitly enable it to allow a client to connect with any version other than SSHv2.

Conditions:
ASA configured for SSH access.

Workaround:
None

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

Last Modified:
29-SEP-2015
Known Affected Releases:
100.12(0.65), 8.4(5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw21330
Title:
ASA 9.4: ICMP Timeout of 2 seconds not applied for ICMP connections.
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
A minimal delay is observed for the 2 second timeout to be applied for ICMP connections.

Conditions:
Underlying dynamic routing changes prevent the ICMP reply from being received by the inspection engine. All subsequent packets matching the same tuple (IP, ID, SEQ) will match the existing connection.

Problem is not seen on the operating systems using ID randomization for ICMP packets.
Problem is seen on IOS, where the ICMP echos have exactly the same ID.

Workaround:
Rely on ICMP inspection closing the connection after the ICMP reply is received.
Use an ICMP timeout of 3 seconds.

Further Problem Description:
Problem reproduced locally. Packets below are matching the same connection:

1: 11:21:20.506779 10.10.0.2 > 10.0.0.2: icmp: echo request
2: 11:21:22.506886 10.10.0.2 > 10.0.0.2: icmp: echo request
3: 11:21:24.507008 10.10.0.2 > 10.0.0.2: icmp: echo request
4: 11:21:26.507114 10.10.0.2 > 10.0.0.2: icmp: echo request
5: 11:21:28.507236 10.10.0.2 > 10.0.0.2: icmp: echo request
6: 11:21:30.507343 10.10.0.2 > 10.0.0.2: icmp: echo request

Timeout is applied based on a packet queue, which may cause a delay.

Last Modified:
18-SEP-2015
Known Affected Releases:
9.4(1.5)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw29769
Title:
Certificate map match on SubjectAltName URL component is not working
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
ASA certificate map is failing to parse the Subject Alternative Name URI component. This can be seen in this message:

CRYPTO_PKI: Match of subject-alt-name field to map FAILED. Peer cert field: IP addr: 0.0.0.0, FQDN: , user FQDN: , User Principal Name(UPN): , map rule: alt-subject-name co scheme:unmanaged. // no URI info is included here.

This is causing the AnyConnect client not to land on the correct tunnel group.

Conditions:
None

Workaround:
Use the cert map to match on one of the following:
IP address
FQDN
UPN

Further Problem Description:
We can use the subject alternative name in crypto ca certificate maps, but it looks like the ASA fails to match on the URI field, which is a valid one as per the RFC:

id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 }

SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

GeneralName ::= CHOICE {
otherName [0] OtherName,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER }

OtherName ::= SEQUENCE {
type-id OBJECT IDENTIFIER,
value [0] EXPLICIT ANY DEFINED BY type-id }

EDIPartyName ::= SEQUENCE {
nameAssigner [0] DirectoryString OPTIONAL,
partyName [1] DirectoryString }

Last Modified:
18-SEP-2015
Known Affected Releases:
9.1(6)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw20109
Title:
VMA: Updating source_event parameters
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Updating source_event API parameters from chars to predefined enums.

Conditions:
Updating source_event API parameters from chars to predefined enums.

Workaround:
None

Further Problem Description:
None

Last Modified:
11-SEP-2015
Known Affected Releases:
100.15(14.1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCtw47633
Title:
ASA PKI needs to support IPv6
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Currently there is no IPv6 support for any PKI feature on ASA.

Conditions:
ISSUE-1. IPv6 addresses entered in "enrollment url" get truncated.
crypto ca trustpoint bxbdevipv6
enrollment url http://[fd90:5000/certsrv/mscep/mscep.dll

ISSUE-2. In a case of dual stack deployments both A and AAAA record would be provided to resolve domain name, but according to rfc6555 "If the host's policy is unknown or not attainable, implementations MUST prefer IPv6 over IPv4.". The following message is provided:
%ASA-ca-4-717026: Name lookup failed for hostname bxb2008dev-root during PKI operation.

Workaround:
Use IPv4 addresses instead of domain names in dual-stack deployments.

More Info:

Last Modified:
11-SEP-2015
Known Affected Releases: *
100.8(0.40), 9.0(1), 9.1(2), 9.4(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw20102
Title:
VMA: Update parameters for source_event API
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Updating parameters to use predefined enums instead of chars

Conditions:
Updating parameters to use predefined enums instead of chars

Workaround:

Further Problem Description:

Last Modified:
11-SEP-2015
Known Affected Releases:
100.15(14.1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCsh24794
Title:
CS: PocketPC is unable to download p12 file - popups not supported
Status: *
Terminated
Severity:
6 Enhancement
Description: *

Symptom:
When enrolling a Pocket PC device with the ASA Local CA, the device may be unable to download and save the certificate file because the Pocket PC version of Internet Explorer does not support popups.

Conditions:

Workaround:
None

Further Problem Description:

Last Modified:
10-SEP-2015
Known Affected Releases:
8.0(0.159)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw16807
Title:
ENH: To make sysopt connection timewait value as user changeable
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
TCP connection time-wait is disabled by default on the ASA. The following command enables it, which makes the ASA retain the connection information for 15 seconds after the TCP close:

sysopt connection time wait

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s17.html#pgfId-1572802

This enhancement requests an option to change the time-wait value from the default 15 seconds to a custom value.

Conditions:
TCP timewait enabled on ASA

sysopt connection time wait

Workaround:
N/A

Further Problem Description:

Last Modified:
09-SEP-2015
Known Affected Releases:
9.5(1)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw16361
Title:
Implement support for PingOne IdP for SAML 2.0
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Currently only four IdPs have been qualified for SAML 2.0 authentication: Oracle OAM, MS ADFS, Salesforce and OneLogin. The customer tried to use PingOne and ran into issues, so they would like support for the PingOne IdP for SAML 2.0 authentication.

Conditions:

Workaround:
None; enhancement request.

Further Problem Description:

Last Modified:
08-SEP-2015
Known Affected Releases:
9.5(2)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCsm90809
Title:
DNS inspection support for DNS over TCP
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
DNS queries carried over TCP may be dropped by DNS inspection on the ASA.

Conditions:
DNS inspection

Workaround:
Use UDP queries with DNS inspection.

Further Problem Description:
DNS inspection does not support TCP yet. The Modular Policy Framework class-map should not direct TCP DNS packets to the inspection engine; if it does, the packets may be dropped by the inspection engine.

Last Modified:
05-SEP-2015
Known Affected Releases:
7.2(3)
Known Fixed Releases: *
100.15(1.60), 100.15(16.1), 100.15(17.1), 100.15(3.31), 100.15(6.19), 100.15(6.20), 100.15(8.13)
Alert Type:
New
Bug Id:
CSCuw12459
Title:
ASA ENH Support for VPN Radius Attribute IE-Proxy-Method = Use pac
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
The ASA supports the following RADIUS authorization attributes when setting up a VPN session:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1546973

This enhancement is to support the new value for attribute IE-Proxy-Method:
5 - Use PAC
This value can already be configured via the CLI ("msie-proxy method use-pac").

Conditions:

Workaround:

Further Problem Description:

Last Modified:
05-SEP-2015
Known Affected Releases:
9.4(1.230)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuw02001
Title:
ASA 9.5.1 self-signed cert is applied instead of ssl trust-point defined
Status: *
Other
Severity: *
6 Enhancement
Description:

Symptom:
--- The ASA SSL certificate is not applied correctly; when accessing the ASA via HTTPS the self-signed certificate is presented.

Conditions:
--- ASA 9.5.1;
--- identity + ca certificates are installed and applied via ssl trust-point command;
--- "show ssl" lists the self-signed certificates instead:
BSNS-ASA5515-11# sh ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater
Start connections using TLSv1 and negotiate to TLSv1 or greater
SSL DH Group: group2 (1024-bit modulus)
SSL ECDH Group: group19 (256-bit EC)

SSL trust-points:
Self-signed (RSA 2048 bits RSA-SHA256) certificate available
Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
Interface outside: EXAMPLE (RSA 1024 bits RSA-SHA1)
VPNLB interface outside: EXAMPLE (RSA 1024 bits RSA-SHA1)
Certificate authentication is not enabled

Workaround:
--- Downgrade; ASA 9.2.4 works fine.

Further Problem Description:

Last Modified:
04-SEP-2015
Known Affected Releases:
9.5(1)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCut09778
Title:
ASA : PAT round-robin replacing an existing pool based NAT fails to work
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
PAT round-robin replacing an existing pool-based NAT does not work properly. New connections continue to use the first IP unless the pool is exhausted.

Conditions:
1. ASA configured with a NAT statement having a pat-pool:
nat (inside,outside) source dynamic PAT_SOURCE pat-pool PAT_POOL
2. This pat-pool NAT is replaced by a round-robin NAT:
nat (inside,outside) source dynamic PAT_SOURCE pat-pool PAT_POOL round-robin

Workaround:
1. Remove the existing round-robin NAT statement
2. Clear xlate
3. Re-add the NAT statement

Further Problem Description:

Last Modified:
03-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu19594
Title:
Non-existent bridge id is assigned to interface is accepted
Status:
Open
Severity: *
6 Enhancement
Description:

Symptom:
When a non-existent bridge id is assigned to an interface, no error message regarding the bridge id is produced.

Conditions:
ASA Version : 9.4.1
Rest-Api Version:asa-restapi-111-lfbff-k8.SPA

Workaround:
A non-existent bridge id can be assigned to an interface, but it does not impact behavior; a BVI interface with the same id can be created later.

The bridge id must be checked manually when assigning it to an interface.

Further Problem Description:

Last Modified:
03-SEP-2015
Known Affected Releases:
9.4(1.49)
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu35854
Title:
The engine ID goes out of sync during upgrade of the ASA
Status:
Fixed
Severity:
6 Enhancement
Description:

Symptom:
SNMP stops working for a failover (FO) pair when a zero-downtime upgrade is performed. The engine IDs of the ASAs go out of sync, causing SNMP to fail.

Conditions:
Zero-downtime upgrade being performed on an ASA FO pair.

Workaround:
None known.

Further Problem Description:

Last Modified:
03-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases: *
100.11(0.62), 100.12(0.142), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(16.2), 100.15(17.1), 100.15(3.37), 100.15(6.22)
Alert Type:
New
Bug Id:
CSCuw06253
Title:
Enh: Privilege levels or command author should work in system context
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
Local/remote command authorization cannot be done in system context. This is an enhancement request to get this feature implemented.

Conditions:
- Multi-Context ASA
- Any version of ASA.

Workaround:

Further Problem Description:

Last Modified:
02-SEP-2015
Known Affected Releases:
9.1(5)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw06126
Title:
ENH - syslog generated for captures that are running on ASA
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
This is an enhancement request to generate a syslog (Severity 2, Critical conditions) after a specific threshold is exceeded:

Conditions:

Workaround:

Further Problem Description:

Last Modified:
02-SEP-2015
Known Affected Releases:
9.1, 9.2
Known Fixed Releases:
Alert Type:
Updated *
Bug Id:
CSCuu02219
Title: *
ASAv Smart licensing timers should be user configurable
Status:
Open
Severity:
6 Enhancement
Description: *

Symptom:
The ASAv fails to obtain a Smart License for a long time due to messaging delay or packet drop.

Conditions:
N/A

Workaround:
Manually retry with "license smart register idtoken force".

Further Problem Description:

Last Modified:
01-SEP-2015
Known Affected Releases:
9.3(2)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw48547
Title:
ENH: Add Clientless VPN Support-Remote Access VPN in Multi-Context Mode
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
This is an enhancement request.

Add support for Clientless Remote Access VPN in Multi-Context Mode.

Conditions:
ASA is in multiple context mode.

Workaround:
Use AnyConnect

Further Problem Description:

Last Modified:
01-OCT-2015
Known Affected Releases:
9.5(1.53)
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw02683
Title:
ASA DOC - Need for a routing entry when using "set interface" in PBR
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
When using Policy Based Routing with the "set interface" action, it is mandatory to have a route for the destination that can be reached via the interface configured by the "set interface" command.

Conditions:
ASA 9.4 when using PBR

Workaround:

Further Problem Description:

Last Modified:
01-SEP-2015
Known Affected Releases:
9.4
Known Fixed Releases:
Alert Type:
New
Bug Id:
CSCuw02556
Title:
ASA ENH - Adding log message to track packets of closed connections
Status:
Open
Severity:
6 Enhancement
Description:

Symptom:
This enhancement was created to add an additional log message reporting packets that arrived on ASA interfaces after the connection was already closed.

Conditions:
ASA logging

Workaround:

Further Problem Description:

Last Modified:
01-SEP-2015
Known Affected Releases:
9.2
Known Fixed Releases:

Find additional information in Bug Search index.

2013 Cisco and/or its affiliates. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks