Security Advisories & Responses - ASA 5500-X Series Firewalls
Title: Cisco ASA Software DHCPv6 Relay Denial of Service Vulnerability
Description: A vulnerability in the DHCPv6 relay feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to insufficient validation of DHCPv6 packets. Cisco ASA Software is affected by this vulnerability only if the software is configured with the DHCPv6 relay feature. An attacker could exploit this vulnerability by sending crafted DHCPv6 packets to an affected device.
Note: Only DHCPv6 packets directed to the Cisco ASA interface where the DHCPv6 relay is enabled can be used to trigger this vulnerability. This vulnerability affects systems configured in routed or transparent firewall mode and in single or multiple context mode. This vulnerability can be triggered only by IPv6 traffic. This vulnerability is documented in Cisco bug IDs CSCus56252 (registered customers only) and CSCus57142 (registered customers only) and has been assigned CVE ID CVE-2015-6324. Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-asa-dhcp1
Date: 12-NOV-2015

Title: Cisco ASA Software VPN ISAKMP Denial of Service Vulnerability
Description: A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected system to reload. The vulnerability is due to improper handling of Internet Security Association and Key Management Protocol (ISAKMP) packets. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. A successful exploit could allow the attacker to cause an affected system to reload.
Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic. This vulnerability is documented in Cisco bug ID CSCus94026 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2015-6327. Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-asa-ike
Date: 12-NOV-2015

Title: Cisco ASA Software DNS Denial of Service Vulnerability
Description: A vulnerability in the DNS code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected system to reload. The vulnerability is due to improper processing of DNS packets. An attacker could exploit this vulnerability by sending a crafted request to an affected Cisco ASA device to cause it to generate a DNS request packet. The attacker would need to spoof the reply packet with a crafted DNS response.
Note: This vulnerability can be exploited only by traffic that is directed to the affected device. This vulnerability affects Cisco ASA Software configured in routed or transparent firewall mode and single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic. This vulnerability is documented in Cisco bug ID CSCuu07799 (registered customers only) and Common Vulnerabilities and Exposures (CVE) ID CVE-2015-6326. Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-asa-dns2
Date: 12-NOV-2015

Title: Cisco ASA Software DHCPv6 Relay Denial of Service Vulnerability
Description: A vulnerability in the DHCPv6 relay feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to insufficient validation of DHCPv6 packets. Cisco ASA Software is affected by this vulnerability only if the software is configured with the DHCPv6 relay feature. An attacker could exploit this vulnerability by sending crafted DHCPv6 packets to an affected device.
Note: Only DHCPv6 packets directed to the Cisco ASA interface where the DHCPv6 relay feature is enabled can be used to trigger this vulnerability. This vulnerability affects systems configured in routed or transparent firewall mode and in single or multiple context mode. This vulnerability can be triggered only by IPv6 traffic. This vulnerability is documented in Cisco bug ID CSCur45455 (registered customers only) and has been assigned CVE ID CVE-2015-0578. Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150115-asa-dhcp
Date: 12-NOV-2015

Title: Cisco ASA Software DNS Denial of Service Vulnerability
Description: A vulnerability in the DNS code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected system to reload. The vulnerability is due to improper processing of DNS packets. An attacker could exploit this vulnerability by sending a request to an affected Cisco ASA appliance to cause it to generate a DNS request packet. The attacker would need to spoof the reply packet with a crafted DNS response.
Note: Only traffic directed to the affected device can be used to exploit this vulnerability. This vulnerability affects Cisco ASA Software configured in routed or transparent firewall mode and single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic. This vulnerability is documented in Cisco bug ID CSCut03495 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2015-6325. Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-asa-dns1
Date: 12-NOV-2015

Title: Multiple Vulnerabilities in OpenSSL (June 2015) Affecting Cisco Products
Description: On June 11, 2015, the OpenSSL Project released a security advisory detailing six distinct vulnerabilities, and another fix that provides hardening protections against exploits as described in the Logjam research. Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or corrupt portions of OpenSSL process memory. This advisory will be updated as additional information becomes available. Cisco will release software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities may be available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150612-openssl
Date: 13-NOV-2015

Software Updates for ASA 5500-X Series Firewalls
Product Name | Software Type | Release Version | File Name | File Release Date
--- | --- | --- | --- | ---
ASA 5525-X Adaptive Security Appliance | Adaptive Security Appliance REST API Plugin | 1.2.2 | - | -
ASA 5515-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.4.2 Interim | asa942-3-smp-k8.bin | 10-NOV-2015
ASA 5515-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.5.1 Interim | asa951-5-smp-k8.bin | 10-NOV-2015
ASA 5515-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.5.2 | asa952-smp-k8.bin | 30-NOV-2015
ASA 5510 Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.2 | asdm-752.bin | 30-NOV-2015
ASA 5510 Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.1.112 | asdm-751-112.bin | 11-NOV-2015
ASA 5555-X Adaptive Security Appliance | ASA for Application Centric Infrastructure (ACI) Device Package | 1.2.3.15 | asa-device-pkg-1.2.3.15.zip | 12-NOV-2015
ASA 5512-X Adaptive Security Appliance | ASA for Application Centric Infrastructure (ACI) Device Package | 1.2.3.15 | asa-device-pkg-1.2.3.15.zip | 12-NOV-2015
ASA 5580 Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.2 | asdm-752.bin | 30-NOV-2015
ASA 5580 Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.1.112 | asdm-751-112.bin | 11-NOV-2015
ASA 5585-X Adaptive Security Appliance | Adaptive Security Appliance REST API Plugin | 1.2.2 | - | -
ASA 5525-X Adaptive Security Appliance | ASA for Application Centric Infrastructure (ACI) Device Package | 1.2.3.15 | asa-device-pkg-1.2.3.15.zip | 12-NOV-2015
ASA 5512-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.4.2 Interim | asa942-3-smp-k8.bin | 10-NOV-2015
ASA 5512-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.5.2 | asa952-smp-k8.bin | 30-NOV-2015
ASA 5512-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.5.1 Interim | asa951-5-smp-k8.bin | 10-NOV-2015
ASA 5545-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.2 | asdm-752.bin | 30-NOV-2015
ASA 5545-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.1.112 | asdm-751-112.bin | 11-NOV-2015
ASA 5555-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.1.112 | asdm-751-112.bin | 11-NOV-2015
ASA 5555-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.2 | asdm-752.bin | 30-NOV-2015
ASA 5512-X Adaptive Security Appliance | Adaptive Security Appliance REST API Plugin | 1.2.2 | - | -
ASA 5525-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.1.112 | asdm-751-112.bin | 11-NOV-2015
ASA 5525-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.2 | asdm-752.bin | 30-NOV-2015
ASA 5545-X Adaptive Security Appliance | ASA for Application Centric Infrastructure (ACI) Device Package | 1.2.3.15 | asa-device-pkg-1.2.3.15.zip | 12-NOV-2015
ASA 5585-X Adaptive Security Appliance | ASA for Application Centric Infrastructure (ACI) Device Package | 1.2.3.15 | asa-device-pkg-1.2.3.15.zip | 12-NOV-2015
ASA 5550 Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.1.112 | asdm-751-112.bin | 11-NOV-2015
ASA 5550 Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.2 | asdm-752.bin | 30-NOV-2015
ASA 5515-X Adaptive Security Appliance | ASA for Application Centric Infrastructure (ACI) Device Package | 1.2.3.15 | asa-device-pkg-1.2.3.15.zip | 12-NOV-2015
ASA 5555-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.5.2 | asa952-smp-k8.bin | 30-NOV-2015
ASA 5555-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.4.2 Interim | asa942-3-smp-k8.bin | 10-NOV-2015
ASA 5555-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.5.1 Interim | asa951-5-smp-k8.bin | 10-NOV-2015
ASA 5512-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.1.112 | asdm-751-112.bin | 11-NOV-2015
ASA 5512-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.2 | asdm-752.bin | 30-NOV-2015
ASA 5545-X Adaptive Security Appliance | Adaptive Security Appliance REST API Plugin | 1.2.2 | - | -
ASA 5585-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.1.112 | asdm-751-112.bin | 11-NOV-2015
ASA 5585-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.2 | asdm-752.bin | 30-NOV-2015
ASA 5585-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.5.1 Interim | asa951-5-smp-k8.bin | 10-NOV-2015
ASA 5585-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.4.2 Interim | asa942-3-smp-k8.bin | 10-NOV-2015
ASA 5585-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.5.2 | asa952-smp-k8.bin | 30-NOV-2015
ASA 5540 Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.2 | asdm-752.bin | 30-NOV-2015
ASA 5540 Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.1.112 | asdm-751-112.bin | 11-NOV-2015
ASA 5555-X Adaptive Security Appliance | Adaptive Security Appliance REST API Plugin | 1.2.2 | - | -
ASA 5520 Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.1.112 | asdm-751-112.bin | 11-NOV-2015
ASA 5520 Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.2 | asdm-752.bin | 30-NOV-2015
ASA 5505 Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.2 | asdm-752.bin | 30-NOV-2015
ASA 5505 Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.1.112 | asdm-751-112.bin | 11-NOV-2015
ASA 5525-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.5.1 Interim | asa951-5-smp-k8.bin | 10-NOV-2015
ASA 5525-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.5.2 | asa952-smp-k8.bin | 30-NOV-2015
ASA 5525-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.4.2 Interim | asa942-3-smp-k8.bin | 10-NOV-2015
ASA 5515-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.1.112 | asdm-751-112.bin | 11-NOV-2015
ASA 5515-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Device Manager | 7.5.2 | asdm-752.bin | 30-NOV-2015
ASA 5515-X Adaptive Security Appliance | Adaptive Security Appliance REST API Plugin | 1.2.2 | - | -
ASA 5545-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.4.2 Interim | asa942-3-smp-k8.bin | 10-NOV-2015
ASA 5545-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.5.2 | asa952-smp-k8.bin | 30-NOV-2015
ASA 5545-X Adaptive Security Appliance | Adaptive Security Appliance (ASA) Software | 9.5.1 Interim | asa951-5-smp-k8.bin | 10-NOV-2015

Every row with a File Name is an Alert Type "New File" entry; rows marked "-" list a release version with no file. File descriptions:

asa942-3-smp-k8.bin, asa951-5-smp-k8.bin, asa952-smp-k8.bin: Cisco Adaptive Security Appliance Software for the ASA 5512-x, 5515-x, 5525-x, 5545-x, 5555-x, 5585-x, and ASASM. Please read the Release Note prior to downloading this release.
asdm-752.bin, asdm-751-112.bin: Cisco Adaptive Security Device Manager for ASA 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, 9.2, 9.3, 9.4, and 9.5.
asa-device-pkg-1.2.3.15.zip: Cisco ASA Device Package 1.2(3.15) for Cisco APIC 1.1(4e)

Known Bugs - ASA 5500-X Series Firewalls
| | |
Alert Type: | Updated * | Bug Id: | CSCuw39685 | Title: | filter sfr traffic may cause memory corruption | |
Status: | Fixed | |
Severity: | 1 Catastrophic | Description: | Symptom: ASAs running URL filtering (Websense) and traffic redirection to the SFR module may experience a crash on the thread name uauth_urlb clean process.
Conditions: - Seen on 9.4 ASA code - URL filtering configured and being used - Higher amounts of traffic (500+ mbps) - Traffic redirection to the SFR module
Workaround: Possible temporary workarounds:
- Disable of the traffic redirection to SFR module - Disable URL filtering (websense)
Further Problem Description:
| |
Last Modified: | 01-DEC-2015 | |
Known Affected Releases: | 9.4(1.6) | |
Known Fixed Releases: * | 100.14(0.85), 100.15(0.100), 100.16(0.12), 9.4(1.190), 96.1(1.7), 99.2(2.29) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu84085 | Title: | DHCP-DHCP Proxy thread traceback shortly after failover and reload | |
Status: | Fixed | |
Severity: | 1 Catastrophic | Description: | Symptom: Crash as soon as the standby unit becomes primary
Conditions: DHCP configured on ASA running 9.1(6)5 or 9.1(6)6.
Workaround: Downgrade to 9.1(6)4
Further Problem Description:
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 100.14(0.16), 100.14(0.30), 100.14(0.42) | |
Known Fixed Releases: * | 100.12(0.131), 100.13(0.81), 100.14(0.49), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.54), 100.15(3.9) | |
Alert Type: | Updated * | Bug Id: | CSCus94026 | Title: | Cisco ASA ISAKMP Denial of Service Vulnerability | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected system to reload.
The vulnerability is due to improper handling of Internet Security Association and Key Management Protocol (ISAKMP) packets. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. A successful exploit could allow the attacker to cause an affected system to reload.
Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.
Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-asa-ike
Conditions: See Cisco Security Advisory
Workaround: See Cisco Security Advisory
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/6.4: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0 CVE ID CVE-2015-6327 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: | 03-NOV-2015 | |
Known Affected Releases: | 100.13(0.31), 9.3(2.2) | |
Known Fixed Releases: * | 100.11(0.56), 100.12(0.114), 100.13(0.38), 100.13(20.11), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.5), 100.14(11.5), 100.14(2.5) | |
Alert Type: | Updated * | Bug Id: | CSCuv05916 | Title: | Need to prevent traceback in js_parser_print_rest | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA traceback in Unicorn Proxy Thread
Conditions:
Workaround: none identified
Further Problem Description:
Last Modified: | 03-NOV-2015 | |
Known Affected Releases: | 9.3(2), 9.3(3) | |
Known Fixed Releases: * | 100.12(0.142), 100.13(0.95), 100.14(0.71), 100.14(16.8), 100.14(5.32), 100.15(0.24), 100.15(1.68), 100.15(16.2), 100.15(17.1), 100.15(3.37) | |
Alert Type: | Updated * | Bug Id: | CSCta55072 | Title: | ASA traceback in Thread Name: Dispatch Unit, Abort: Assert Failure | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA intermittent crash at Thread Name: Dispatch Unit, Abort: Assert Failure
Conditions: Running the 8.2.1 version. The ASA5505 box has a basic license with an Inside hosts limit. When the total number of inside hosts exceeds the limit, it may trigger the crash. If there is no limit for inside hosts with the license, the crash won't be triggered.
Workaround: No workaround
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: | 04-NOV-2015 | |
Known Affected Releases: | 8.2(1) | |
Known Fixed Releases: * | 100.3(0.3), 100.4(0.7), 100.4(0.9), 8.1(2.31), 8.1(2.32), 8.2(1.10), 8.2(4), 8.3(0.0) | |
Alert Type: | Updated * | Bug Id: | CSCut40770 | Title: | Interface TLV to SFR is corrupt when frame is longer than 2048 bytes | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Some configured ASA interfaces missing or not displayed from Firesight Management Center
Conditions: Interface TLV ethernet frame greater than 2048 bytes. Usually occurs with multiple interfaces and sub-interfaces configured with lengthy names for each interface.
Workaround: Enable jumbo-frame reservation on ASA.
Further Problem Description:
Last Modified: | 10-NOV-2015 | |
Known Affected Releases: | 9.3(1.221) | |
Known Fixed Releases: * | none | |
Alert Type: | Updated * | Bug Id: | CSCup47885 | Title: | ASA: Page fault traceback in DATAPATH when DNS inspection is enabled | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: An ASA may generate a traceback and reload in the DATAPATH thread while processing DNS traffic when DNS inspection is enabled.
Conditions: The ASA must be running 9.1.5.7 or higher. This issue will trigger when a DNS reverse lookup is done with DNS inspection enabled.
When a customer does a reverse lookup on IP addresses and receives a PTR reply with a larger number of records, they will hit this issue. This issue will not be seen without reverse lookups.
Workaround: There is no known workaround at this time.
Further Problem Description:
Last Modified: | 12-NOV-2015 | |
Known Affected Releases: | 9.1(5.7), 9.2(2) | |
Known Fixed Releases: * | none | |
Alert Type: | Updated * | Bug Id: | CSCux01549 | Title: | Crash happened on Standby ASA after FO sync in Multimode | |
Status: | Fixed | |
Severity: | 2 Severe | Description: * | Symptom: Crash happened on the secondary ASA (playing the role of the standby unit). This happened when traffic was routed through the primary ASA. This issue is specific to the 100.15.0.67 image; it did not occur in the 916.3 image.
Conditions: FO setup in multimode.
Workaround: Testing with the 916.3 image will fix the issue.
Further Problem Description: NA
Last Modified: | 16-NOV-2015 | |
Known Affected Releases: | 100.15(0.67) | |
Known Fixed Releases: | | |
Alert Type: | Updated * | Bug Id: | CSCus09629 | Title: | ASA page fault in CP Crypto Result Processing,rip ssl3_get_message | |
Status: | Other | |
Severity: | 2 Severe | Description: * | Symptom: ASA traceback in CP Crypto Result Processing
Conditions: n/a
Workaround: none
Further Problem Description:
Last Modified: | 17-NOV-2015 | |
Known Affected Releases: | 9.2(2.4) | |
Known Fixed Releases: | | |
Alert Type: | Updated * | Bug Id: | CSCux15203 | Title: * | ASA Traceback in SSL_free and ctm_nlite_ssl_destroy_context functions | |
Status: | Open | |
Severity: * | 2 Severe | Description: * | Symptom: ASA Traceback in SSL_free and ctm_nlite_ssl_destroy_context functions
Conditions: not known
Workaround: None
Further Problem Description:
Last Modified: | 17-NOV-2015 | |
Known Affected Releases: | 9.1(6.6) | |
Known Fixed Releases: | | |
Alert Type: | Updated * | Bug Id: | CSCuw22130 | Title: | ASA crashed when removing dynamic PAT statement from cluster | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: The master ASA in a cluster running code 9.3.3.2 presented a DATAPATH-1-1958 crash caused by an "Address not mapped" fault.
Statement removed was: no nat (visitors,outside) source dynamic Guest_network PAT-Guest-Pool
Conditions:
- ASA running code 9.3.3.2
- Individual (L3) mode
- Removing a dynamic PAT rule
Workaround: None
Further Problem Description:
Last Modified: | 17-NOV-2015 | |
Known Affected Releases: | 9.3(3.2) | |
Known Fixed Releases: * | 100.15(0.94), 9.5(1.107) | |
Alert Type: | Updated * | Bug Id: | CSCux05081 | Title: | RSA 4096 key generation causes failover | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Applying the command "crypto key generate rsa modulus 4096" causes an ASA failover; the ASA will not generate the 4096-bit key.
Conditions: A restrictive (non-default) polltime is configured, as in this example:
failover polltime unit msec 200 holdtime msec 800
failover polltime interface msec 750 holdtime 5
ASA runs software 9.4 or 9.5
Workaround: Generate a key with modulus 2048 or downgrade to the 9.3 train
Further Problem Description:
Last Modified: | 19-NOV-2015 | |
Known Affected Releases: | 9.4, 9.5 | |
Known Fixed Releases: * | 100.15(0.92), 100.15(20.20), 100.16(0.10), 100.16(1.40), 99.2(2.24) | |
Alert Type: | Updated * | Bug Id: | CSCuv94338 | Title: | ASA traceback in Thread Name: CP Crypto Result Processing. | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA crashing in Thread Name: CP Crypto Result Processing.
Conditions: N/A
Workaround: No workaround
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.2(3.4) | |
Known Fixed Releases: * | 100.11(0.64), 100.12(0.152), 100.13(0.117), 100.14(0.81), 100.15(0.67), 100.15(17.30), 100.15(20.10), 100.15(8.22), 100.16(0.5), 100.16(1.13) | |
Alert Type: | Updated * | Bug Id: | CSCuw02009 | Title: | ASA - SSH sessions stuck in CLOSE_WAIT causing ASA to send RST | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: The ASA may not properly terminate SSH processes in some situations which can cause the ASA to come into a state where it believes that all 5 sessions for a given context are already in use. This will result in failed SSH management sessions to that context as the ASA will send a RST packet to the client.
The condition is present when "show resource usage | inc SSH" shows the number of sessions in use is at the limit.
Another indication that all ASA SSH server sessions are in use is a syslog message similar to: "Nov 17 2015 13:55:42: %ASA-7-710004: TCP connection limit exceeded from 10.86.94.135/58845 to mgmt:10.86.94.140/22 (current connections/connection limit". Note that the /22 indicates the SSH port.
Also, when an ASA SSH client session is started and the resource limit has been reached, a syslog similar to the following is issued: "Nov 14 2015 15:31:12: %ASA-5-321001: Resource 'SSH Client' limit of 5 reached for context 'single_vf'".
Conditions: This problem can occur when network monitoring tools remotely connect to the ASA via SSH and then use the SCP protocol via a command similar to "copy running-config scp://1.2.3.4/tmp" to copy information off the ASA device, yet this SCP connection never gets established.
Workaround: Currently, the only known workaround is to either remove and re-add the context config-url in the system context (to essentially restart the context) or reload the entire ASA device. If acceptable, temporarily use a simpler protocol such as TFTP instead of SCP.
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.1(5.21), 9.1(6), 9.2(4), 9.3(3) | |
Known Fixed Releases: * | 100.15(20.23), 9.1(6.107), 9.2(4.3), 96.1(1.2) | |
Alert Type: | Updated * | Bug Id: | CSCuc11186 | Title: | ARP: Proxy IP traffic is hijacked. | |
Status: | Fixed | |
Severity: | 2 Severe | Description: |
Symptom:
Conditions:
Workaround:
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 8.2(4) | |
Known Fixed Releases: * | 100.13(0.120), 100.14(0.83), 100.15(0.89), 100.15(20.17), 100.15(8.32), 100.16(0.9), 100.16(1.36), 100.16(15.1), 100.16(15.5), 100.8(40.105) | |
Alert Type: | Updated * | Bug Id: | CSCur07369 | Title: | SXP Version Mismatch Between ASA & N7K with clustering | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: SXP connection cannot be established when ASA cluster is interacting with a SXP peer running SXP version 1 protocol.
Conditions: (1) ASA is running a cluster with 2 or more units, (2) the SXP peer is running the SXP version 1 protocol, and (3) the SXP peer's hash directs the SXPv1 request to the slave unit of the ASA instead of the master unit.
Workaround:
- Upgrade the SXP peer to run SXP version 2 or above, or
- Change the IP address used for establishing the SXP connection so that the hash algorithm may direct the SXPv1 request from the SXP peer to the master unit of the ASA cluster instead of the slave unit.
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.3(1) | |
Known Fixed Releases: * | 100.11(0.62), 100.12(0.143), 100.13(0.95), 100.14(0.71), 100.15(0.24), 100.15(1.68), 100.15(16.3), 100.15(17.1), 100.15(3.37), 100.15(6.21) | |
Alert Type: | Updated * | Bug Id: | CSCuw36853 | Title: | ASA: ICMP error loop on cluster CCL with Interface PAT | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Elevated CPU may be observed on 2 or more units of an ASA cluster. Packet captures on the cluster control link will show ICMP error packets looping continuously between the units displaying high CPU conditions.
Conditions:
1. ASA in Layer-2 cluster mode.
2. PAT configured.
3. ICMP error packet is received on a unit where that unit is the director for the embedded payload flow.
4. Embedded payload of the ICMP error packet matches an existing xlate entry but doesn't match any connections. The owner of the PAT address of the xlate is a different unit than the one where the packet is received.
Workaround: With Interface PAT, the workaround is to deny ICMP on the ASA's interface using the 'icmp' command. With a PAT pool, the workaround is to deny ICMP error packets on the interface ACL.
Or just add the xlate per-session configuration.
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.4(1.3), 9.5(1) | |
Known Fixed Releases: * | 100.11(0.64), 100.12(0.151), 100.13(0.114), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.3), 100.15(8.18), 100.16(0.4) | |
Alert Type: | Updated * | Bug Id: | CSCuv50709 | Title: | Standby ASA inside IP not reachable after Anyconnect disconnect | |
Status: | Fixed | |
Severity: | 2 Severe | Description: * | Symptom: After Anyconnect VPN is disconnected, standby inside IP is not reachable from active unit or from LAN hosts.
In order to make it reachable again, issue write standby or reconnect VPN again
Conditions: ASA pair in failover with Anyconnect VPN connecting to the outside interface
Workaround: write standby or reconnect VPN again
Further Problem Description: The standby ASA becomes unreachable (inside IP) after disconnecting the AnyConnect VPN client. Reconnecting the VPN or 'wr standby' resolves the issue.
When the customer disconnects the AnyConnect client session on the outside interface of the ASA, the inside interface of the ASA starts dropping traffic with the following logs:
Jun 10 12:49:14 192.168.5.21 %ASA-4-113019: Group = XXXX, Username = XXXX, IP = x.x.x.x, Session disconnected. Session Type: SSL, Duration: 0h:20m:55s, Bytes xmt: 0, Bytes rcv: 110890, Reason: User Requested
Jun 10 12:49:14 192.168.5.21 %ASA-4-737032: IPAA: Unable to remove x.x.x.x from standby: address not found
Jun 10 12:49:14 192.168.5.21 %ASA-4-106023: Deny icmp src inside:x.x.x.x dst inside:y.y.y.y (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]
Jun 10 12:49:19 192.168.5.21 %ASA-4-106023: Deny icmp src inside::x.x.x.x dst inside:y.y.y.y (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]
Jun 10 12:49:24 192.168.5.21 %ASA-4-106023: Deny icmp src inside::x.x.x.x dst inside:y.y.y.y (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]
Jun 10 12:49:29 192.168.5.21 %ASA-4-106023: Deny icmp src inside::x.x.x.x dst inside:y.y.y.y (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]
An ACL lookup should not happen for self traffic, but even if we add an ACL line to permit the traffic, the drop reason shown by packet-tracer is: Drop-reason: (fo-standby) Dropped by standby unit
Pings work under normal conditions from active to standby and from lan hosts.
>> Pings work also when anyconnect client is connected.
ASA# sh vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : xxxx Index : 147 Assigned IP : 44.22.254.154 Public IP : 194.98.70.113 Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel License : AnyConnect Premium Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES256 Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1 Bytes Tx : 13276 Bytes Rx : 96649 Group Policy : xxxx Tunnel Group : xxxx Login Time : 14:08:02 CEDT Thu Jun 11 2015 Duration : 0h:07m:18s Inactivity : 0h:00m:00s VLAN Mapping : N/A VLAN : none Audt Sess ID : c0a805130009300055797a22 Security Grp : none
syhana-validation/pri/act# ping 192.168.5.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
>> After AnyConnect is disconnected, the standby IP becomes unreachable.
syhana-validation/pri/act# sh vpn-sessiondb anyconnect
INFO: There are presently no active sessions
syhana-validation/pri/act#
syhana-validation/pri/act#
syhana-validation/pri/act#
syhana-validation/pri/act# ping 192.168.5.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.21, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
If the AnyConnect VPN is connected again, the standby is reachable. The customer has tried with 2 simultaneous AnyConnect clients: after disconnecting the first, the standby is reachable; after disconnecting the second VPN, the standby is unreachable.
The ide
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.2 | |
Known Fixed Releases: * | 100.11(0.63), 100.12(0.148), 100.13(0.107), 100.14(0.76), 100.15(0.34), 100.15(16.8), 100.15(17.12), 100.15(3.60), 100.15(8.15), 100.16(0.2) | |
Alert Type: | Updated * | Bug Id: | CSCuw28735 | Title: | Cisco ASA Software Version Information Disclosure Vulnerability | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: A vulnerability in the SSL VPN code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to obtain information about the Cisco ASA Software version. This information could be used for reconnaissance attacks.
The vulnerability is due to verbose output returned when a specific URL is submitted to the affected system. An attacker could exploit this vulnerability by browsing a specific URL. The SSL VPN feature needs to be enabled for a system to be vulnerable.
Conditions: SSL VPN needs to be configured on the system.
Workaround: None
Further Information:
Credit: Cisco would like to thank Sergey Ozernikov from Lateral Security (IT) Services Ltd. for reporting this vulnerability.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C&version=2.0 CVE ID CVE-2014-3398 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.1(3), 9.1(6), 9.3(2.2) | |
Known Fixed Releases: * | 100.11(0.63), 100.12(0.149), 100.13(0.109), 100.14(0.77), 100.8(40.102), 9.1(6.100), 9.2(4.3), 9.4(2.1), 99.1(2.252), 99.1(3.178) | |
Alert Type: | Updated * | Bug Id: | CSCus16416 | Title: | Share licenses are not activated on failover pair after power cycle | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: The Shared/Combined licenses are not activated on a failover pair after power-cycling the failover pair. If both the active and standby units are powered off and only the standby unit is booted up, the Shared/Combined licenses on the standby unit will be lost.
Conditions: Failover environments.
Workaround: Execute the 'reload' command once on the failover pair.
Further Problem Description: None
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.0, 9.1(5.19) | |
Known Fixed Releases: * | 100.13(0.120), 100.14(0.83), 100.15(0.89), 100.15(20.17), 100.16(0.9), 100.16(15.1), 100.16(15.5), 100.8(40.105), 9.1(6.105), 9.2(4.3) | |
Alert Type: | Updated * | Bug Id: | CSCuv66333 | Title: | ASA picks incorrect trustpoint to verify OCSP Response | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA may fail to verify a valid OCSP response during OCSP revocation check for VPN clients.
Conditions: Revocation check is enabled under the trustpoint using OCSP and an override using cert-map is not configured
Workaround: None
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.2(3) | |
Known Fixed Releases: * | 100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.15(0.48), 100.15(17.20), 100.15(3.71), 100.15(8.17), 100.16(0.3), 100.16(1.7) | |
Alert Type: | Updated * | Bug Id: | CSCtx43501 | Title: | CPU hog due to snmp polling of ASA memory pool information | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: The ASA provides access to three different memory pools via SNMP.
1) The "System memory" pool (which is a superset of 2 and 3 below)
2) The MEMPOOL_DMA pool
3) The MEMPOOL_GLOBAL_SHARED pool
If the MEMPOOL_GLOBAL_SHARED pool information is queried via SNMP, a CPU hog might occur. The ASA's CPU may be held by the SNMP process for too long before yielding the CPU to other processes. If the data rate is high enough through the ASA, packets might be dropped.
If an ASA is experiencing this problem, it could generate syslogs that look like this:
%ASA-4-711004: Task ran for 374 msec, Process = snmp, PC = 12229dc, Call stack = 0x00000000012229dc 0x000000000122175c 0x000000000121e45a 0x0000000001221247 0x00000000011fba3a 0x00000000011fa1ca 0x00000000004245a5
Also, the output of 'show process cpu-hog' will show entries for SNMP:
Process: snmp, PROC_PC_TOTAL: 9443, MAXHOG: 13, LASTHOG: 12 LASTHOG At: 12:47:00 CST Jan 23 2012 PC: 8c45b98 (suspend)
Process: snmp, NUMHOG: 9443, MAXHOG: 13, LASTHOG: 12 LASTHOG At: 12:47:00 CST Jan 23 2012 PC: 8c45b98 (suspend) Call stack: 8b6aac3 8b4ae5d 8b49bbc 8063b33
Conditions: To encounter this problem, memory information for the "Global Shared" pool must be queried via SNMP.
Workaround: Avoid polling the memory information for the Global Shared pool:
Exclude: .1.3.6.1.4.1.9.9.48.1.1.1.X.7 - "MEMPOOL_GLOBAL_SHARED"
where X is the integer corresponding to a particular statistic about the pool.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4/3.8: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:P/E:F/RL:U/RC:C&version=2.0 CVE ID CVE-2012-4664 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 8.1(2.23), 8.2(3.6), 8.4(2.8), 8.4(3.8), 8.4(4), 9.1(2) | |
Known Fixed Releases: * | 100.11(0.62), 100.12(0.140), 100.12(0.144), 100.12(0.145), 100.13(0.95), 100.13(0.96), 100.13(0.98), 100.14(0.70), 100.14(0.71), 100.15(0.24) | |
Alert Type: | Updated * | Bug Id: | CSCuw17930 | Title: | Improper S2S IPSec Datapath Selection for Remote Overlapping Networks | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Traffic may be sent to the wrong tunnel when remote networks overlap.
Conditions:
- S2S IPsec VPN
- Remote network which partially overlaps
Workaround: Remove and re-apply the crypto map to the interface when the issue is happening, or add a deny statement to the crypto map for the part of the network that overlaps.
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.0(4), 9.1(5.21), 9.1(6.8) | |
Known Fixed Releases: * | 100.11(0.63), 100.12(0.149), 100.13(0.108), 100.14(0.77), 100.15(0.41), 100.15(17.15), 100.15(3.64), 100.15(8.16), 100.16(0.2), 100.16(1.4) | |
Alert Type: | Updated * | Bug Id: | CSCuv87150 | Title: | ASA traceback in Thread Name: fover_parse (ak47/ramfs) | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA 5525 running version 9.5(1) crashing in Thread Name: fover_parse (ramfs)
Conditions: ASA is in failover pair.
Workaround: No workaround
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.4(1.5), 9.5(1) | |
Known Fixed Releases: * | 100.11(0.63), 100.12(0.150), 100.13(0.110), 100.14(0.78), 100.14(5.34), 100.15(0.45), 100.15(17.20), 100.15(3.69), 100.15(8.17), 100.16(0.3) | |
Alert Type: | Updated * | Bug Id: | CSCuw14334 | Title: | Trace back with Thread Name: IP Address Assign | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Traceback Thread Name: IP Address Assign and assertion "mh->mh_mem_pool > MEMPOOL_UNDEFINED && mh->mh_mem_pool < MEMPOOL_MAX_TYPE" failed: file "slib_malloc.c"
Conditions: IPv6 addresses assigned via username attributes or via external AAA server.
Workaround: Use IPv6 address pools instead of username attributes or external AAA server.
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.3(3.2), 9.4(2) | |
Known Fixed Releases: * | 100.11(0.64), 100.12(0.153), 100.13(0.118), 100.14(0.81), 100.15(0.69), 100.15(17.31), 100.15(20.11), 100.15(8.22), 100.16(0.6), 100.16(1.18) | |
Alert Type: | Updated * | Bug Id: | CSCuv92384 | Title: | ASA TCP Normalizer sends PUSH ACK for invalid ACK for half-open CONNS | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: When a connection entry on the ASA is in the half-open state and an invalid ACK (sequence and acknowledgement numbers out of sequence) is received for that connection, the ASA drops the invalid ACK but responds to the TCP peer with a packet carrying the PUSH ACK flags and the correct sequence and acknowledgement numbers that the ASA is expecting from the peer. As per the RFC below, the ASA is not supposed to respond with TCP PUSH ACK flags to invalid ACK segments when the connection is in the half-open state. It should instead respond with a segment containing the RESET flag.
https://tools.ietf.org/html/rfc793#section-3.5
Information from the RFC link above :
2. If the connection is in any non-synchronized state (LISTEN, SYN-SENT, SYN-RECEIVED), and the incoming segment acknowledges something not yet sent (the segment carries an unacceptable ACK), or if an incoming segment has a security level or compartment which does not exactly match the level and compartment requested for the connection, a reset is sent.
Conditions: ASA working as TCP normalizer.
Workaround: Configure TCP state bypass.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.1(6) | |
Known Fixed Releases: * | 100.11(0.64), 100.12(0.151), 100.13(0.114), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.3), 100.15(8.18), 100.16(0.4) | |
Alert Type: | Updated * | Bug Id: | CSCuw16607 | Title: | ASA EIGRP does not send poison reverse for neighbors to remove route | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: When a static route is redistributed from the ASA and a better route for the same prefix is then learned, the redistributing ASA does not send a poison reverse towards its neighbors. This leaves the neighbors with stale entries in the EIGRP topology table, which sometimes causes routing not to take the correct path.
Conditions: Example: R1 ----{BGP }--- R2---{EIGRP}----ASA-----R3
R1 is advertising a default route via BGP to R2.
R2 is redistributing the default route from BGP into EIGRP.
The ASA has a floating default route with AD 180 that it is redistributing into EIGRP towards R2.
When BGP goes down, the ASA's route is advertised to the network, but when the BGP route is learned again, the ASA removes the floating static from the routing table and thus no longer advertises the static towards R2. The problem is that R2 still holds the topology entry for the floating static because the ASA never sends the poison reverse message marking the route with an infinite metric so that R2 removes it from the topology table.
This sometimes causes the BGP route to take over until the redistribution from the ASA is removed and reapplied.
This can also be seen if the floating static route is deleted from the ASA: R1 still keeps the topology entry for that route even though it no longer exists on the ASA.
This happens in 9.1.6, 8.4.7 and 8.2.5.
Workaround: Remove redistribution from ASA and add it again.
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 8.0, 9.1(1.3) | |
Known Fixed Releases: * | 100.11(0.64), 100.12(0.152), 100.13(0.117), 100.14(0.80), 100.15(0.64), 100.15(17.28), 100.15(19.3), 100.15(20.8), 100.15(8.21), 100.16(0.5) | |
Alert Type: | Updated * | Bug Id: | CSCuw87910 | Title: | PCP 10.6 Clientless VPN Access is Denied when accessing Pages | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: When the customer goes to user provisioning, selects a user and tries to provision a new service, a pop-up appears that states "Access is Denied".
Conditions: PCP 10.6 SP2 using clientless VPN with the following setup:
prime vm >> asa firewall >> client vpn >> client machine
After reviewing the console logs from the browser, they state that the browser does not support AJAX:
Ipt user mode=false script unspecified error [wap] - Error: Access is Denied SEC7111: HTTPS security is compromised by res://ieframe.dll/httpErrorPageScripts.js
Workaround: Instead of using clientless VPN, use Cisco AnyConnect on the end client
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.3(3) | |
Known Fixed Releases: * | 100.13(0.120), 100.14(0.83), 100.15(0.88), 100.15(20.17), 100.15(8.32), 100.16(0.9), 100.16(1.36), 100.16(15.1), 100.16(15.5), 100.8(40.105) | |
Alert Type: | Updated * | Bug Id: | CSCuv92371 | Title: | ASA traceback: SSH Thread: many users logged in and dACLs being modified | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: The ASA may reload when multiple users are logged into the ASA running show commands while ACLs are being added/deleted.
Conditions: This was observed under the following conditions: 1) there were multiple users logged into the ASA; 2) one user was trying to run show running-config or show access-list; 3) downloadable ACLs were being added and removed based on user logins in auth proxy.
Workaround: If "show access-list" is issued in one session, don't issue "clear config access-list" from another session; let the "sh access-list" command display all elements in that session.
Further Problem Description:
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.1(2), 9.1(6), 9.3(2) | |
Known Fixed Releases: * | 100.11(0.63), 100.12(0.150), 100.13(0.111), 100.14(0.78), 100.15(0.50), 100.15(17.21), 100.15(3.72), 100.15(8.17), 100.16(0.3), 100.16(1.7) | |
Alert Type: | Updated * | Bug Id: | CSCuo08193 | Title: | Traceback in Thread Name: DATAPATH-1-1382 while processing nat-t packet | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA may traceback in Thread Name: DATAPATH-1-1382
Conditions: ASA Version 8.4 and 9.x configured to terminate IPSecVPN. In rare circumstances, the ASA may reload while processing an inbound nat-t packet.
Workaround: None
Further Problem Description:
| |
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 8.4(7.15), 9.0(4.30) | |
Known Fixed Releases: * | 100.11(0.64), 100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(0.77), 100.15(20.13), 100.15(8.24), 100.16(0.8), 100.16(1.26), 100.8(40.103) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuv38654 | Title: | rewriter returns 302 for a file download | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Clientless rewriter erroneously returns a 302 response code
Conditions: Downloading a file from a rewritten page
Workaround: Unknown, none
Further Problem Description:
| |
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.4(1.4) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.137), 100.13(0.91), 100.13(29.28), 100.14(0.68), 100.14(16.4), 100.14(5.27), 100.15(0.22), 100.15(1.42), 100.15(10.4) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuw41548 | Title: | DNS Traceback in channel_put() | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA reloads and generates a corefile
Conditions: Multiple simultaneous DNS queries with retries
Workaround: disable DNS
Further Problem Description:
| |
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.3(3.225) | |
Known Fixed Releases: * | 100.11(0.63), 100.12(0.149), 100.13(0.109), 100.14(0.77), 100.15(0.43), 100.15(17.18), 100.15(3.66), 100.15(8.16), 100.16(0.2), 100.16(1.5) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuv05386 | Title: | Clientless webvpn on ASA does not display asmx files | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Clientless user selects bookmark from webportal. The page does not display correctly, there is a portion of the page that is garbled or is missing text
Conditions: -Clientless user authenticates to the webportal, then selects a bookmark that points to an internal HTTP site. -The user sees garbled or incomplete text returned from the ASA.
Workaround: Smart Tunnel resolves the issue. Using the stand alone AC client resolves the issue.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(6) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.136), 100.13(0.90), 100.14(0.68), 100.14(16.8), 100.14(5.32), 100.15(0.22), 100.15(1.42), 100.15(10.4), 100.15(15.4) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut95793 | Title: | ASA: Anyconnect IPv6 Traceroute does not work as expected | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Traceroute does not work as expected while connected with the AnyConnect VPN client to an ASA running software version 9.0(4)30. Traceroute completes but does not show intermediate hops; instead an asterisk "*" is shown for each intermediate hop.
Conditions: Anyconnect 3.1.05170 ASA 9.0.4(30), 9.1(4)
Workaround: None
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.0(4.30) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.137), 100.13(0.93), 100.14(0.69), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.49), 100.15(15.11), 100.15(16.1) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu10284 | Title: | ASA Dataplane captures dont capture packets when using match/access-list | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA dataplane captures don't show any captured packets even though the condition matches the flow
Conditions: ASA dataplane captures applied with a match or access-list command
Workaround: use the dataplane captures without the match/access-list command
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(2), 9.4(1) | |
Known Fixed Releases: * | 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.28), 100.14(0.20), 100.14(10.23), 100.14(5.16), 100.14(7.32), 100.15(0.12), 100.15(1.10) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut75983 | Title: | ASA Traceback in PPP | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA traceback in ppp_timer_thread.
Conditions: ASA under heavy traffic. ASA is already dropping VPN tunnels.(Over-subscription of the ASA)
Workaround: none
Further Problem Description: ASA reloaded on its own.
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 8.4(7) | |
Known Fixed Releases: * | 100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu36639 | Title: | ASA 5506X: ESP Packet drop due to crypto accelerator ring timeout | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Intermittently ESP packets are dropped on the ASA due to Crypto Accelerator issues.
Crypto Hardware accelerator on ASA crashes with the message %ASA-4-402125: CRYPTO: The ASA Crypto hardware accelerator IPsec ring timed out
There is traffic loss over the tunnel when the crash happens and the below message is also seen. %ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Unknown Error, code= 0x7F) while executing the command Process IPSec Inbound Packet (0x30)
Conditions: ASA 5506-X acting as IKEv1 or IKEv2 IPSec Termination point such as L2L VPN end-point.
Workaround: NA
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(2.2), 9.3(3), 9.4(1) | |
Known Fixed Releases: * | 100.12(0.129), 100.13(0.79), 100.13(29.28), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.54) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuv12884 | Title: | Unable to authenticate with remove aaa-server from different context | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Authentication error in one context after the aaa-server configuration is removed from a different context.
Conditions: -Several contexts use the same LDAP server.
Workaround: ASA reload
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 8.6(1), 9.1(5), 9.2(3) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.136), 100.13(0.89), 100.14(0.67), 100.14(16.8), 100.14(5.32), 100.15(0.21), 100.15(1.38), 100.15(10.4), 100.15(15.2) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu91304 | Title: | Immediate FIN from client after GET breaks scansafe connection | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Connections through the ASA to a scansafe tower may fail if the client sends a FIN packet immediately following a GET packet. This hangs the TCP connection and causes the transaction to fail.
Conditions: This is seen if the CLIENT sends a TCP FIN packet before any data comes back from the TOWER.
Workaround: None at this time
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(5.21) | |
Known Fixed Releases: * | 100.11(0.64), 100.12(0.153), 100.13(0.118), 100.14(0.81), 100.15(0.71), 100.15(17.32), 100.15(20.11), 100.15(8.23), 100.16(0.6), 100.16(1.19) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu82229 | Title: | ikev2 with DH 19 and above fails to pass traffic after phase2 rekey | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: After a phase 2 rekey, the tunnel fails to pass traffic
Conditions: IKEv2 rekey using DH group 19 or above
Workaround: Use a lower DH group (1, 2, 5, 14)
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4, 9.4(1), 9.5(1) | |
Known Fixed Releases: * | 100.13(0.113), 100.14(0.79), 100.15(0.54), 100.15(17.23), 100.15(3.76), 100.15(8.18), 100.16(0.4), 100.16(1.9), 9.4(2.1), 9.5(1.99) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut88287 | Title: | ASA Traceback in vpnfol_thread_msg | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA device Traceback in vpnfol_thread_msg
Conditions: ASA device running in Active/Standby HA Pair.
Workaround: NONE
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4(1) | |
Known Fixed Releases: * | 100.12(0.130), 100.13(0.79), 100.13(29.28), 100.14(0.42), 100.14(16.1), 100.14(5.20), 100.14(7.39), 100.15(0.16), 100.15(1.20), 100.15(2.53) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu07799 | Title: | Cisco ASA DNS Denial of Service Vulnerability | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: A vulnerability in the DNS code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected system to reload.
The vulnerability is due to improper processing of DNS packets. An attacker could exploit this vulnerability by sending a crafted request to an affected Cisco ASA device to cause it to generate a DNS request packet. The attacker would need to spoof the reply packet with a crafted DNS response.
Note: This vulnerability can be exploited only by traffic that is directed to the affected device. This vulnerability affects Cisco ASA Software configured in routed or transparent firewall mode and single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic.
Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are not available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-asa-dns2
Conditions: See Security Advisory
Workaround: See Security Advisory
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.1/5.9: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0 CVE ID has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(6.3) | |
Known Fixed Releases: * | 100.11(0.59), 100.12(0.125), 100.13(0.74), 100.13(21.13), 100.13(29.28), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.36), 100.14(7.30) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu84697 | Title: | ASA Traceback in Thread Name ssh/client | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA Traceback in Thread Name: ssh/client
Conditions: There are two known crashes: The first one is ASA using "copy scp://" CLI to communicate with an external SSH v1 server. SSH v1 is not a supported protocol when using scp on the ASA. The second one is when multiple simultaneous "copy scp://" CLI are issued on the ASA. There is a timing factor here. The crash can only be seen if two "copy scp://" CLI are issued on the ASA more or less at the same time. This can only be done through an automated script.
Workaround: For the first crash, make sure that the external SSH server is running SSH v2. For the second crash, it can be avoided if the automated script used does not start multiple concurrent "copy scp://" CLI on the ASA at the same time.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(6), 9.1(6.1) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.134), 100.13(0.87), 100.14(0.66), 100.14(16.3), 100.14(5.26), 100.15(0.20), 100.15(1.34), 100.15(10.4), 100.15(2.73) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu78835 | Title: | Webvpn rewrite issues for Confluence - by atlassian on latest v6.4.5 | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: On the latest Atlassian Confluence version 6.4.5, we have the following issues when using it over clientless SSL VPN:
1. For a new "create content" page, only the title of the page can be added, the body of the page is not editable. 2. When trying to add a comment, the body of the comment is missing, so cannot add anything.
Conditions: Using Atlassian version 6.4.5 for Confluence
Workaround: Use the older versions of Atlassian
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 100.8(40.67), 9.2(2), 9.3(2), 9.3(3.229), 9.4(1) | |
Known Fixed Releases: * | 100.12(0.132), 100.13(0.82), 100.14(0.57), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57), 100.15(3.12) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuv10258 | Title: | ASA5505 permanent base license, temp secplus, failover, vlan count issue | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: show version displays a 3-VLAN license instead of 20 when a permanent base license and a time-based Security Plus license are combined on the ASA5505 platform after failover is enabled
Conditions: Three combined conditions: 1. Permanent base license 2. Time-based Security Plus license 3. Failover is enabled
Workaround: No known workaround
Further Problem Description: The problem exhibits itself after a reboot. Looks like a variant of CSCtf91862
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.2(3) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.134), 100.13(0.86), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.34), 100.15(2.73), 100.15(3.17) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuv10938 | Title: | 'redistribute' cmds under 'router eigrp' removed on deleting any context | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: 'redistribute' commands under 'router eigrp' are removed from unrelated contexts when deleting any context with EIGRP configured and redistribution enabled. An error of the following format is seen on the ASA's console:
ERROR: unable to locate route-map
Conditions: 1. ASA is multiple context mode. 2. More than one context on the ASA has EIGRP enabled with redistribution configured. 3. Issue seen on deleting any of the contexts that meet the criteria in point 2 above using command "no context ".
Workaround: None apart from re-adding all those commands back manually.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4(1.3) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.134), 100.13(0.85), 100.14(0.66), 100.14(16.2), 100.14(5.25), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.62) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu88437 | Title: | ASA5506-X:copy file operations fail with jumbo-frame-reservation config | |
Status: | Other | |
Severity: | 2 Severe | Description: | Symptom: Copy file operations fail with error when running these images (9.4.1.1, 9.4.1.2) on a ASA-5506-X, when the config is enabled for "jumbo-frame reservation". The error displayed is as below:
"Error writing disk0:/ (Cannot allocate memory)"
It doesn't matter what file you operate on, an ASDM or an LFBFF image, or whether you are copying from ftp/tftp to disk0 or simply copying disk0://file to disk0://file1. I used the asdm-732.bin image for this operation: "copy disk0:/asdm-732.bin disk0:/asdm1", which errors out with the above error.
Conditions: Copying file operations to disk0 on a ASA5506-X.
Workaround: Remove the "jumbo-frame reservation" CLI config and reboot; copy operations then succeed. Re-enable the CLI after copy operations are complete.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 100.14(0.47) | |
Known Fixed Releases: * | 100.13(0.81), 100.14(0.48), 100.14(0.49), 100.14(0.66), 100.14(16.1), 100.14(16.3), 100.14(5.23), 100.14(5.26), 100.14(7.42), 100.15(0.17) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut92194 | Title: | ASA traceback in Thread Name: CP Processing | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA running version 9.3.2 crashes intermittently in Thread Name: CP Processing.
Conditions: ASA is configured for Websense url filtering.
Workaround: None
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(2) | |
Known Fixed Releases: * | 100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.28), 100.14(0.19), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu27334 | Title: | ASA: Traceback with Thread Name - AAA | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA device Traceback with Thread Name:- AAA
Conditions: ASA device running ASA 9.1(4) version
Workaround: Upgrade to 9.1.6.4 or later.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(4) | |
Known Fixed Releases: * | 100.12(0.128), 100.13(0.78), 100.13(21.16), 100.13(29.28), 100.14(0.33), 100.14(5.18), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuv12564 | Title: | Memory leak @regcomp_unicorn with APCF configured | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: WebVPN portal page access is denied because of low memory availability caused by a memory leak.
Conditions: APCF must be configured and executed very frequently. One example is configuring APCF to block the portal navigation toolbar.
Workaround: Remove APCF from the configuration.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(1) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.61), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.26), 100.15(19.1), 100.15(2.58) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu83280 | Title: | Evaluation of OpenSSL June 2015 | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptoms:
This product includes Third-party Software that is affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2015-1790 CVE-2015-1791
This bug was opened to address the potential impact on this product.
Conditions:
Device with default configuration.
Workaround:
Not currently available.
Further Problem Description:
Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The highest Base and Temporal CVSS scores of all vulnerabilities tracked by this bug as of the time of evaluation are 7.8:
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:L/Au:N/C:N/I:N/A:C/E:ND/RL:OF/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
CVE ID CVE-2015-1790 CVE-2015-1791 have been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html | |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 7.2(1), 8.2(1), 8.2(5), 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.0(1), 99.1 | |
Known Fixed Releases: * | 100.12(0.131), 100.13(0.81), 100.13(0.82), 100.14(0.51), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.17), 100.15(0.18) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu45858 | Title: | ASA Traceback in cp_syslog | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA crash in Datapath thread
Conditions: ASA running on 9.4.1, with syslogs configured.
Workaround: N/A
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4(1) | |
Known Fixed Releases: * | 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.26), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13), 100.15(1.15), 100.15(2.47) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut71095 | Title: | ASA WebVPN clientless cookie authentication bypass | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: In some instances, the ASA WebVPN clientless session ID is included in the URL. Session IDs should only be stored in cookies and transmitted over secure channels.
Conditions: -- WebVPN
Workaround: none
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1, 9.4(1) | |
Known Fixed Releases: * | 100.11(0.64), 100.12(0.130), 100.12(0.153), 100.13(0.118), 100.13(0.80), 100.13(29.28), 100.14(0.44), 100.14(0.82), 100.14(16.1), 100.14(5.21) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu73716 | Title: | Traceback in Thread CP Processing | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA crashes in thread name CP processing .
Conditions: ASA5585-SSP-60 running version 932-smp-k8.bin
Workaround: None at this time.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(2) | |
Known Fixed Releases: * | 100.12(0.134), 100.13(0.85), 100.14(0.66), 100.14(16.8), 100.14(5.32), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.63), 100.15(3.16) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu61573 | Title: | 9.5.2 Gold Setup - Traceback in DATAPATH-6-2596 snp_fp_get_frag_chain | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Traceback on slave unit in cluster after running large amounts of fragmented traffic through the device.
Conditions: Cisco ASA running release 9.1.6 in a 4-node cluster configured for L2 mode.
Workaround: None
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 100.13(0.31), 100.15(1.11), 9.0(1) | |
Known Fixed Releases: * | 100.11(0.62), 100.12(0.144), 100.13(0.96), 100.14(0.71), 100.15(0.24), 100.15(1.77), 100.15(16.3), 100.15(17.1), 100.15(3.45), 100.15(6.29) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu31751 | Title: | ASA OSPF database not reflect changes | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: After shutting down an interface on R3, the routing table on R#1 does not reflect the change, because the ASA OSPF database does not reflect it; the routing table on the ASA itself is updated correctly. The same issue is seen only on 9.2 or 9.3, not on 9.1.
R#1 <-ospf area 2--> ASA <--ospf area 0---> R#3
sh route ospf
O    10.20.20.0 255.255.255.0 [110/11] via 192.168.1.97, 00:32:33, backbone
ASA# sh ospf database 10.30.30.0
Summary Net Link States (Area 1)
Link ID        ADV Router    Age    Seq#         Checksum
10.30.30.0     1.1.1.1       1939   0x80000001   0xa245
Summary Net Link States (Area 2)
Link ID        ADV Router    Age    Seq#         Checksum
10.30.30.0     1.1.1.1       1939   0x80000001   0xa245
R1#sh ip route 10.30.30.0
Routing entry for 10.30.30.0/24
  Known via "ospf 10", distance 110, metric 12, type inter area
  Last update from 192.168.1.50 on GigabitEthernet0/0/0, 00:29:13 ago
  Routing Descriptor Blocks:
  * 192.168.1.50, from 1.1.1.1, 00:29:13 ago, via GigabitEthernet0/0/0
      Route metric is 12, traffic share count is 1
Conditions: Only seen on 9.2.x or 9.3.x (tested on 9.2(3), 9.2(3)4 and 9.3(3)); works fine on 9.1 (tested 9.1(5)21 and 9.1(6)1).
Workaround: clear ospf x process
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 108.2(0.7) | |
Known Fixed Releases: * | 100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.28), 100.14(0.18), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuv07106 | Title: | ASATraceback in ssh whilst adding new line to extended ACL | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA traceback in ssh while adding an extended ACL
Conditions: Making a change to an ACL that is part of a class-map which is then applied under a policy-map
Workaround: 1. Remove any ethertype ACL if any configured. e.g. no access-list bpdu-deny ethertype deny bpdu
2. Do modification/add new ACE to ACL associated with class-map
3. Reapply ethertype removed and with its relevant configuration
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 8.4(7.22), 8.4(7.27), 8.4(7.28) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu66218 | Title: | ASA is not correctly handling errors on AES-GCM ICV | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: A vulnerability in the AES-GCM code of Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to modify the contents of an encrypted IPSec or IKEv2 packet, and for those modifications not to be detected.
The vulnerability is due to an error in the firmware of the Cavium Networks cryptographic module: the ICV is not checked. An attacker could exploit this vulnerability by intercepting encrypted packets in transit and modifying their contents. Such packets would be decrypted by the ASA and then forwarded to their destination, without the modification being detected.
Please note that this vulnerability does NOT allow an attacker to decrypt the packets in transit, nor obtain information about the session keys being used for the security association.
This vulnerability does NOT impact SSL/TLS traffic originated or destined to the ASA.
Conditions: An IKEv2 or an IPSec policy using any of the following algorithms for data encryption: aes-gcm, aes-gcm-192, aes-gcm-256.
This vulnerability only applies to the following ASA models: ASA5506-X (all hardware models), ASA5508-X, and ASA5516-X.
Workaround: There is no workaround for customers whose security policy requires the use of AES-GCM.
For customers that can use an alternative encryption algorithm, IKE or IPsec policies using AES-GCM can be changed to use AES instead.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-4550 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
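The following is an added example, not Cisco's code and not part of this bug record, showing with Go's standard-library AES-GCM why a skipped ICV check matters. The correct receiver rejects a packet in which a single ciphertext bit has been flipped; a receiver that runs GCM's keystream without comparing the tag passes the modified plaintext straight through, and because the keystream is CTR the attacker controls exactly which plaintext bit changes. The key, nonce, ESP-style payload and AAD are constructed demo values; the "unchecked" receiver is a model of the described failure built from AES-CTR started at GCM's second counter block, not a reproduction of the Cavium firmware path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed demo inputs; none of these values come from the bug report.
var (
	demoKey       = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	demoNonce     = []byte("unique-nonce")                     // 12 bytes, GCM's 96-bit IV
	demoAAD       = []byte("spi=0x1001 seq=7")                 // stands in for the ESP header
	demoPlaintext = []byte("ESP payload: transfer 100 to account 42")
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns ciphertext || ICV; the 16-byte ICV is GCM's authentication tag.
func sealGCM(key, nonce, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, aad), nil
}

// openChecked is the correct receiver: the ICV is verified over ciphertext and
// AAD before any plaintext is released, so any modification fails here.
func openChecked(key, nonce, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, sealed, aad)
}

// openUnchecked models the defect: the ICV is never compared. GCM encrypts with
// AES-CTR whose first data counter block is nonce || 0x00000002 (96-bit nonce), so
// running that CTR stream and dropping the trailing 16 tag bytes is "decrypt, skip ICV".
func openUnchecked(key, nonce, sealed []byte) ([]byte, error) {
	if len(nonce) != 12 || len(sealed) < 16 {
		return nil, errors.New("model assumes a 96-bit nonce and a 16-byte ICV")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := sealed[:len(sealed)-16] // discard the ICV without looking at it
	iv := make([]byte, 16)
	copy(iv, nonce)
	iv[15] = 2 // counter value 1 is reserved for the tag; data starts at 2
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

// tamper flips bits in a copy of the sealed packet. CTR is malleable: a bit
// flipped in ciphertext byte i flips the same bit in plaintext byte i.
func tamper(sealed []byte, offset int, mask byte) []byte {
	out := append([]byte(nil), sealed...)
	out[offset] ^= mask
	return out
}

// demo seals the payload, forges it, and returns whether the checking receiver
// rejected the forgery plus what the non-checking receiver handed upstream.
func demo() (rejected bool, leaked []byte, err error) {
	sealed, err := sealGCM(demoKey, demoNonce, demoPlaintext, demoAAD)
	if err != nil {
		return false, nil, err
	}
	// Plaintext byte 22 is the '1' of "100"; 0x31 ^ 0x08 = 0x39 = '9'.
	forged := tamper(sealed, 22, 0x08)
	_, err = openChecked(demoKey, demoNonce, forged, demoAAD)
	rejected = err != nil
	leaked, err = openUnchecked(demoKey, demoNonce, forged)
	return rejected, leaked, err
}

func main() {
	rejected, leaked, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("ICV-checking receiver rejected forgery:", rejected)
	fmt.Printf("ICV-skipping receiver forwarded: %q\n", leaked)
}
```

Run it with `go run`. On the untampered packet both receivers return the same plaintext, which is what confirms that the CTR model reproduces GCM's confidentiality layer; on the forged packet only the ICV-checking receiver refuses it, and the transfer amount arrives as "900" on the other path without the key or session state ever being exposed, matching the bug's note that confidentiality is not affected.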
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(3), 9.4(1.1) | |
Known Fixed Releases: * | 100.12(0.128), 100.13(0.78), 100.13(21.16), 100.13(29.28), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 9.3(3.2), 9.4(1.2) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu87823 | Title: | ASAv traceback in DATAPATH when used for WebVPN | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASAv traceback in DATAPATH when used for WebVPN
Conditions: ASAv running release 9.4.1 and configured for WebVPN
Workaround: None
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4(1) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.143), 100.13(0.95), 100.13(29.28), 100.14(0.71), 100.14(16.5), 100.14(5.30), 100.15(0.24), 100.15(1.68), 100.15(16.3) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu45812 | Title: | asa Traceback with Thread Name idfw_proc | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: asa Traceback with Thread Name idfw_proc
Conditions:
Workaround: no workaround available currently
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(6) | |
Known Fixed Releases: * | 100.12(0.128), 100.13(0.78), 100.13(21.16), 100.13(29.28), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.54) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut86523 | Title: | ASA: Silently Drops packets with SFR Module installed. | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Traffic through ASA with SFR module Redirection enabled is dropped
Conditions: The destination MAC address of the packet begins with one of the following first two octets: 00:23, 00:20, 00:0d
Workaround: Change the destination MAC address of the packet to begin with something other than 00:23, 00:20 or 00:0d
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(2.2) | |
Known Fixed Releases: * | 100.11(0.58), 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.13(29.28), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu39636 | Title: | Cert Auth fails with 'max simultaneous-login restriction' error | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: VPN Clients connections with Certificate Authentication fail with the following error:
[IKEv1]Group = , IP = X.X.X.X, Session terminated due to 'X' max simultaneous-login restriction.
Conditions: VPN clients with certificate authentication
ASA running 9.1.6 or later
Workaround: Use PSK and XAUTH for authentication, or downgrade to a non-affected version
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(6), 9.4(1) | |
Known Fixed Releases: * | 100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.37), 100.15(0.13) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu32905 | Title: | ASA WebVPN: Javascript fails to execute when accessing internal portal | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: On an ASA running WebVPN, when a user clicks on internal portal page, java console logs the error "function expected" in cte.js.
Conditions: Issue was seen and replicated on ASA 9.1(5.21) and 9.1(6).
Workaround: None.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 100.8(40.67), 9.1(6) | |
Known Fixed Releases: * | 100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.26), 100.14(10.23), 100.14(5.17), 100.14(7.32), 100.15(0.13) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu39615 | Title: | eglibc 2.18 is missing upstream fix #15073 | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA could crash due to heap corruption
Conditions: Heavy memory allocation
Workaround: None
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(2), 9.3(2.2) | |
Known Fixed Releases: * | 100.12(0.127), 100.13(0.77), 100.13(21.16), 100.13(29.28), 100.14(0.30), 100.14(16.1), 100.14(5.19), 100.14(7.38), 100.15(0.13), 100.15(1.18) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu02848 | Title: | Disable ECDSA SSL Ciphers When Manually Configuring RSA Cert for SSL | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom:
-Starting in 9.4(x) releases, by default the ASA will attempt to negotiate an ECDSA cipher for TLSv1.2 and offer the ASA temporary self-signed ECDSA certificate to the client
-If an RSA certificate is specified in the configuration, it will only be used if an RSA cipher is decided upon
-This means that if we wish to use an explicitly configured RSA certificate, we must manually disable the ECDSA ciphers as discussed in the 9.4(x) release notes: http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html#pgfId-116497
-This enhancement is to change this behavior and make SSL deployment easier
-Ideally, the ECDSA ciphers should be automatically disabled when an RSA certificate is specified in the configuration
Conditions:
-ASA running 9.4(x) or newer which has support for ECDSA certificate usage with SSL
-SSL services configured (SSLVPN, ASDM, HTTPS, etc.)
-RSA certificate for SSL ("ssl trust-point SSL_CERT_TRUSTPOINT")
-Default settings for SSL ciphers ("show ssl ciphers")
Workaround:
-Disable ECDSA ciphers for TLSv1.2, as discussed in the ASA 9.4(x) release notes
-Choose to use an ECDSA certificate for SSL rather than an RSA certificate
Further Problem Description: N/A
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4, 9.4(1), 9.5(1) | |
Known Fixed Releases: * | 100.13(0.113), 100.14(0.79), 100.15(0.58), 100.15(17.25), 100.15(19.2), 100.15(20.4), 100.15(8.18), 100.16(0.4), 100.16(1.10), 9.4(2.1) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu45813 | Title: | ASA Name Constraints dirName improperly verified | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: When performing the SCEP enrollment to the CA that contains Name Constraints x509 extension with a dirName constraint, the ASA fails with the error: CERT-C: I pkixpath.c(2726) : Error #751h CRYPTO_PKI:Invalid certificate received (status = 1873) CRYPTO_PKI:Invalid RA certificate received
Conditions:
Workaround:
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(1), 9.1(2), 9.3(1), 9.4(1) | |
Known Fixed Releases: * | 100.11(0.59), 100.12(0.127), 100.13(0.77), 100.13(21.15), 100.13(29.28), 100.14(0.27), 100.14(10.23), 100.14(5.17), 100.14(7.38), 100.15(0.13) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu63656 | Title: | ASA not generating PIM register packet for directly connected sources | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: Topology:
Sender ---> ASA(DR) ----> RP -----> Receiver
Running 9.2.1 or later on the ASA, with the Sender directly connected to the ASA (DR): the Sender is behind the ASA and the RP is in front of the ASA. The ASA does not send a PIM Register packet to the RP.
Conditions: Running 9.2.1 or later.
Workaround: Downgrade to code 9.1.5.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.2(1), 9.3(2), 9.4 | |
Known Fixed Releases: * | 100.12(0.130), 100.13(0.80), 100.14(0.45), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.54), 100.15(3.8), 100.15(4.12) | |
|
| | | | |
Alert Type: | New | Bug Id: | CSCuj33496 | Title: | Cisco ASA ASDM Privilege Escalation Vulnerability | |
Status: | Fixed | |
Severity: | 2 Severe | Description: |
Symptoms: Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities:
- Cisco ASA ASDM Privilege Escalation Vulnerability
- Cisco ASA SSL VPN Privilege Escalation Vulnerability
- Cisco ASA SSL VPN Authentication Bypass Vulnerability
- Cisco ASA SIP Denial of Service Vulnerability
These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others.
Successful exploitation of the Cisco ASA ASDM Privilege Escalation Vulnerability and the Cisco ASA SSL VPN Privilege Escalation Vulnerability may allow an attacker or an unprivileged user to elevate privileges and gain administrative access to the affected system.
Successful exploitation of the Cisco ASA SSL VPN Authentication Bypass Vulnerability may allow an attacker to obtain unauthorized access to the internal network via SSL VPN.
Successful exploitation of the Cisco ASA SIP Denial of Service Vulnerability may cause the exhaustion of available memory. This may cause system instability and in some cases lead to a reload of the affected system, creating a denial of service (DoS) condition.
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for some of the vulnerabilities. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-asa
Conditions: See published Cisco Security Advisory
Workaround: See published Cisco Security Advisory
Further Problem Description: See published Cisco Security Advisory
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 8.5/7: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2014-2126 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
| |
Last Modified: | 25-NOV-2015 | |
Known Affected Releases: | 8.4(6), 8.4(6.1), 8.4(6.2), 8.4(6.3), 8.4(6.4), 8.4(6.5), 8.4(6.6), 8.4(7), 9.1(3) | |
Known Fixed Releases: | 100.10(0.22), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(13.117), 100.7(6.124), 100.8(38.47), 100.8(40.31), 100.8(45.5), 100.8(46.11) | |
|
| | | | |
Alert Type: | New | Bug Id: | CSCux30780 | Title: | GTPv1 traceback in gtpv1_process_msg | |
Status: | Open | |
Severity: | 2 Severe | Description: | Symptom: Traceback will happen on slave unit.
Conditions:
Workaround:
Further Problem Description:
| |
Last Modified: | 26-NOV-2015 | |
Known Affected Releases: | 9.5(1.170) | |
Known Fixed Releases: | | |
|
| | | | |
Alert Type: | New | Bug Id: | CSCux29929 | Title: | ASA 9.4.2 traceback in DATAPATH | |
Status: | Open | |
Severity: | 2 Severe | Description: | Symptom: ASA may traceback.
Conditions: Regular operation.
Workaround: No known workarounds.
Further Problem Description:
| |
Last Modified: | 26-NOV-2015 | |
Known Affected Releases: | 9.4(2) | |
Known Fixed Releases: | | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCux07002 | Title: | ASA: assertion "pp->pd == pd" failed: file "main.c", line 192 | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA crash
Conditions: ASA running 9.4(1) in multicontext failover pair
Workaround:
Further Problem Description:
| |
Last Modified: | 27-NOV-2015 | |
Known Affected Releases: | 9.4(1) | |
Known Fixed Releases: * | 100.16(1.51), 100.8(40.107), 99.2(2.28) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCus53126 | Title: | ASA traffic not sent properly using 'traffic-forward sfr monitor-only' | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: After using 'traffic-forward sfr monitor-only', traffic is forwarded from the MGMT0/0 interface instead of from the selected interface. It also causes a lack of IP connectivity to the ASA through MGMT0/0.
Conditions: Running ASA in transparent mode. Issuing the command for any ASA built-in ports (G0/0, G0/1 etc). When using blade ports (G1/0, G1/1 etc.) the command works as described in the manual.
Workaround: unknown
Further Problem Description:
| |
Last Modified: | 27-NOV-2015 | |
Known Affected Releases: | 9.2(2.4) | |
Known Fixed Releases: * | 100.16(1.51), 99.2(2.28) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuw19671 | Title: | ASA crashes while restoring backup configuration from ASDM | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA crashes in Thread Name: Unicorn Admin Handler while restoring backup configuration through ASDM.
Conditions: ASA in failover running 9.4(1).
Workaround:
Further Problem Description: None
| |
Last Modified: | 27-NOV-2015 | |
Known Affected Releases: | 9.4(1) | |
Known Fixed Releases: * | 100.8(40.107), 96.1(1.5), 99.2(2.28) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCux16427 | Title: | PBR incorrect route selection for deny clause | |
Status: | Fixed | |
Severity: | 2 Severe | Description: * | Symptom: PBR deny clause is not getting installed, since we get a warning:
WARNING: Route-map Fed_PBR with sequence number 10 does not have any set actions defined. Not installing PBR datapath rules for this route-map entry
Conditions: Hardware: ASA5545; Software: 9.4.2
Route map deny clause is not installed due to the warning.
ciscoasa# show run route-map
!
route-map Fed_PBR deny 10
 match ip address Fed_PBR   >>>>> Match condition for the access-list entries which do not need to be PBR'd
!
route-map Fed_PBR permit 20
 set ip next-hop 192.168.10.2
Workaround: None
Further Problem Description:
| |
Last Modified: | 27-NOV-2015 | |
Known Affected Releases: | 9.4(2) | |
Known Fixed Releases: * | 99.2(2.28) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu77207 | Title: | ASA - URL filter - traceback on thread name uauth_urlb clean | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASAs running URL filtering (Websense) and traffic redirection to the SFR module may experience a crash in the thread uauth_urlb clean.
Conditions:
- Seen on 9.4.1 ASA code
- URL filtering configured and being used
- Higher amounts of traffic (500+ Mbps)
- Traffic redirection to the SFR module
Workaround: Possible temporary workarounds:
- Disable the traffic redirection to the SFR module
- Disable URL filtering (Websense)
Further Problem Description:
| |
Last Modified: | 01-DEC-2015 | |
Known Affected Releases: | 9.3(2), 9.4(1) | |
Known Fixed Releases: * | 100.13(0.95), 100.14(0.71), 100.14(16.8), 100.14(5.32), 100.15(0.24), 100.15(1.68), 100.15(16.2), 100.15(17.1), 100.15(3.37), 100.15(6.21) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuv49446 | Title: * | ASA traceback on Standby device during config sync in thread DATAPATH | |
Status: | Fixed | |
Severity: | 2 Severe | Description: | Symptom: ASA traceback on Standby device in thread DATAPATH
Standby ASA crashes during failover synchronization. There are cases where the ASA crashed multiple times and then got stabilized.
Conditions:
Workaround:
Further Problem Description:
| |
Last Modified: | 01-DEC-2015 | |
Known Affected Releases: | 9.3(3) | |
Known Fixed Releases: * | 100.14(0.84), 100.15(0.95), 100.15(20.22), 100.16(0.10), 100.16(1.50), 100.8(40.106), 9.1(6.107), 9.2(4.3), 99.2(2.25) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCto40061 | Title: | ssl lib error no shared cipher - VPN LB webvpn conn - missing ID cert | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: "ssl lib error - no shared cipher" syslog falsely displayed due to a missing certificate.
Conditions: Seen in a VPN LB config; the ASA should be serving up its automatically generated self-signed SSL cert but isn't.
Workaround: Re-enroll the trustpoint that is missing a certificate, or simply remove the "ssl trustpoint " setting. | |
Last Modified: | 07-NOV-2015 | |
Known Affected Releases: | 100.7(9.18), 8.2(4.102), 8.2(5.5) | |
Known Fixed Releases: * | none | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuj43339 | Title: | Add X-Frame-Options: SAMEORIGIN to ASDM HTTP response | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: This is a request to add the X-Frame-Options: SAMEORIGIN to the HTTP Headers sent back when loading ASDM on an ASA Firewall. This will help prevent Cross Frame Scripting concerns with the ASDM portal page.
Conditions: This is being requested for all current versions of the ASDM portal page.
Workaround: None at this time.
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html | |
Last Modified: | 11-NOV-2015 | |
Known Affected Releases: | 8.4(7), 9.0(3), 9.1(2) | |
Known Fixed Releases: * | 100.10(0.26), 100.10(1.21), 100.10(2.1), 100.10(9.1), 100.7(6.124), 100.8(38.59), 100.8(40.32), 100.8(45.8), 100.8(46.28), 100.8(52.4) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuc85781 | Title: | WebVPN Cookie Randomization | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptoms: This bug is open to harden the mechanism used by the Cisco ASA to generate cookies for WebVPN connections
Conditions: none
Workaround: none
Further Problem Description: PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html | |
Last Modified: | 12-NOV-2015 | |
Known Affected Releases: | 7.0(80.223), 8.4, 8.4(1) | |
Known Fixed Releases: * | 100.7(6.116), 100.8(27.83), 100.8(40.1), 100.8(60.6), 100.9(0.37), 100.9(4.5), 100.9(6.16), 100.9(7.20), 8.4(6.99), 8.4(7) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuw62030 | Title: | ASA DNS doctoring not working with "any" keyword | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: When ASA is configured with DNS doctoring, the DNS response from the DNS server is forwarded onto the client and not rewritten by the ASA.
Conditions: ASA running 9.1.5 using the "any" keyword in the NAT statement
Workaround: Use specific egress interfaces and not "any"
Further Problem Description:
| |
Last Modified: | 13-NOV-2015 | |
Known Affected Releases: | 9.1(5) | |
Known Fixed Releases: * | 100.13(0.120), 100.14(0.83), 100.15(0.88), 100.15(20.17), 100.16(0.9), 100.16(1.35), 100.8(40.105), 99.2(2.23) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCux12959 | Title: | "failover standby config-lock" is not loaded in ASA correctly | |
Status: | Open | |
Severity: | 3 Moderate | Description: * | Symptom: The configuration "failover standby config-lock" is not loaded in the ASA correctly.
When the ASA is booting with a failover configuration, the ASA shows the following message:
Reading from flash... !!Failover is not enabled or failover is not configured this command will not be executed
Conditions: Setting of "failover standby config-lock"
Workaround: Re-execute the command "failover standby config-lock" if the ASA does not reflect "failover standby config-lock" after reboot.
Further Problem Description:
| |
Last Modified: | 16-NOV-2015 | |
Known Affected Releases: | 9.4(1) | |
Known Fixed Releases: | | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCux09681 | Title: | IP Pool address is not saved to the startup-config on the slave blades | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: After FMC deploys new configuration to lina, it will issue "write memory" to lina, which is supposed to copy running-config to startup-config on master and all slaves. However, the copy doesn't happen on slaves. This will not impact the running-config of slaves, slaves have right running-config thus the normal operation is not impacted.
Conditions: The condition to cause real impact to customer is that after FMC deploys new policy/configuration, all blades reboot and after the reboot, the old master fails to bootup.
Workaround: Write memory on slave blades or cluster exec write memory on any blade.
Further Problem Description: The chance to impact customers is small.
| |
Last Modified: | 19-NOV-2015 | |
Known Affected Releases: | 99.1(3.194) | |
Known Fixed Releases: * | 100.15(0.93), 100.15(20.20), 100.16(0.10), 100.16(1.40), 99.1(3.196) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCtj56778 | Title: | Incorrect ARP MAC Address conversion | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: ASA converts the following CLI
arp inside 1.2.3.4 abc.de.f
to
arp inside 1.2.3.4 ab0c.de00.0f00
It should convert to
arp 1.2.3.4 0abc.00de.000f
like IOS and the IPv6 Neighbor cache do.
Conditions:
Workaround: Enter the proper MAC address.
Further Problem Description:
| |
Last Modified: | 19-NOV-2015 | |
Known Affected Releases: | 8.3(1) | |
Known Fixed Releases: * | 100.15(0.94), 100.15(20.22), 100.16(0.10), 100.8(40.106), 99.2(2.25) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCux10403 | Title: | SSP3RU: Handle the IPv6 multicast MAC cache flush issue on AD | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: SSP3RU: Handle the IPv6 multicast MAC cache flush issue on AD
Conditions:
Workaround:
Further Problem Description:
| |
Last Modified: | 19-NOV-2015 | |
Known Affected Releases: | 99.1(3.189) | |
Known Fixed Releases: * | 100.15(0.92), 100.15(20.20), 100.16(0.10), 100.16(1.40), 99.1(3.195) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCux07478 | Title: | Session Manager debugs missing identifiers and logoff oldest wrap issue | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: vpn-session debugs are inconsistent and are missing session/tunnel IDs. This makes it difficult to isolate a single connection.
Conditions: debug vpn-session with multiple sessions being established
Workaround: None
Further Problem Description:
| |
Last Modified: | 19-NOV-2015 | |
Known Affected Releases: | 9.1 | |
Known Fixed Releases: * | 100.15(0.92), 100.15(20.20), 100.16(0.10), 100.16(1.40), 100.8(40.105), 9.1(6.105), 99.2(2.24) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuw97445 | Title: | clustering nat : Observing crash on blade after disabling cluster on uut | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Observing blade crash after disabling cluster on uut with clustering nat
Conditions: Observing blade crash after disabling cluster on uut with clustering nat
Workaround: no workaround
Further Problem Description:
| |
Last Modified: | 19-NOV-2015 | |
Known Affected Releases: | 1.1(2) | |
Known Fixed Releases: * | 100.15(0.94), 100.15(20.22), 100.15(8.33), 100.16(0.10), 100.8(40.106), 9.5(1.107), 9.5(1.193), 99.2(2.25) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCus34033 | Title: | ASA fails to pass ipv6 address to anyconnect client when using RADIUS | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: When IP address assignment is done using RADIUS and not a local pool, AnyConnect does not get an IPv6 address from RADIUS.
Debugs on anyconnect/webvpn show the message below:
webvpn_cstp_accept_ipv6_address: No IPv6 Address
Conditions: When using RADIUS for assigning an IPv6 address to the AnyConnect client
Workaround:
1. Use a local pool for IPv6 address assignment
2. Downgrade to 9.2.1, as the issue was seen on 9.2.2.4
Further Problem Description:
| |
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 9.2, 9.3(2) | |
Known Fixed Releases: * | 100.11(0.64), 100.12(0.153), 100.13(0.22), 100.13(19.9), 100.13(20.10), 100.13(21.7), 100.14(0.2), 100.14(1.2), 100.14(12.1), 100.14(2.1) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu81932 | Title: | ASA tunnel-group-map cannot contain spaces | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: ASA cannot use spaces in tunnel-group-map even though tunnel-group can use them.
Conditions: Spaces are used in tunnel-group-map, such as: tunnel-group-map TEST 5 "TEST CISCO"
Workaround: Do not use spaces for now.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 8.4(5) | |
Known Fixed Releases: * | 100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut75202 | Title: | PKI: potential pki session handle leak in IKEv2 L2L configurations | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: The ASA may become unable to establish certificate enabled LAN-to-LAN IKEv2 tunnels due to the exhaustion of pki session handles
Conditions: In IKEv2/IPSec L2L configurations that are secured with digital certificates, the ASA may leak pki session handles as connections are established. This will only occur in rare conditions where both tunnel peers initiate the tunnel at effectively the same time. Connection failures will occur when 1000 session handles are either leaked or in use. Leaked handles can be recovered by rebooting the ASA.
Workaround: The problem can be worked around by converting the LAN-to-LAN tunnel configurations to IKEv1.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 8.4(1) | |
Known Fixed Releases: * | 100.11(0.58), 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20), 100.15(0.9) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu99349 | Title: | ASA-3-317012 and "No route to host" errors even though the route exists | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Certain sequence of configuration steps can lead to errors:
%ASA-3-317012: Interface IP route counter negative - Management0/0
and
No route to host
when traffic is sent from the ASA to a remote IP address and a valid route exists to reach the destination.
Conditions: This was found in transparent firewall mode in 9.3(2).
Workaround: This is a rare situation. Reboot the ASA.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(2) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.61), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.26), 100.15(19.1), 100.15(2.58) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu08031 | Title: | ASA QoS Priority Queue tx-ring-limit 512 causes high impact to LLQ | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: There is very big difference between tx-ring-limit 512 vs tx-ring-limit 511.
More specifically we see that with tx-ring-limit 512 packets the LLQ traffic is having packet loss, while we don't see any Tail Drops for BE traffic. With tx-ring-limit 512, the bigger the average packet size for BE traffic, the bigger the packet loss for LLQ traffic.
With tx-ring-limit 511 packets, LLQ traffic has no packet loss anymore while we start seeing many Tail Drops for BE traffic which is actually expected.
Conditions:
Workaround:
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 8.4(7.26) | |
Known Fixed Releases: * | 100.12(0.132), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu54660 | Title: | ASA Remote Access - Phase 1 terminated after xauth | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: IPSEC remote access clients are intermittently not able to connect. The user is prompted for password and then the connection fails.
From the ASA debugs we can see the Phase 1 and X-auth + config mode are passing fine. Then the ASA deletes the Phase 1, sends delete information to the client and discards QM1 packet sent by the client.
Conditions: MacOS / iOS built-in IPSEC VPN client. Clients behind NAT. More detailed triggers unknown.
Workaround: Reload the ASA.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(5) | |
Known Fixed Releases: * | 100.12(0.128), 100.13(0.78), 100.13(21.16), 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53), 100.15(3.8) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuv09538 | Title: | ASA: CLI commands not showing help(?) options for local authorization | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: ASA: CLI commands not showing help(?) options for local authorization in configuration mode
Conditions: ASA device configured with LOCAL authorization
Workaround: Do not use LOCAL authorization
Type the complete command without using the (?) symbol
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4(1) | |
Known Fixed Releases: * | 100.13(0.95), 100.14(0.71), 100.14(16.8), 100.14(5.32), 100.15(0.24), 100.15(1.68), 100.15(16.3), 100.15(17.1), 100.15(3.37), 100.15(6.21) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu54046 | Title: | All Static routes not removed on adding zone membership to an interface | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Out of the previously configured static routes, static routes are deleted one by one from the config on adding zone membership to the interface.
Conditions: 1) zone membership is added to an interface AND 2) static routes configured on that interface
Workaround: 1) re-add the zone membership to the interface OR 2) manually clear the routes from the config
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4(1) | |
Known Fixed Releases: * | 100.12(0.134), 100.13(0.87), 100.14(0.67), 100.15(0.21), 100.15(1.37), 100.15(10.4), 100.15(15.2), 100.15(2.75), 100.15(4.23), 100.15(5.27) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuv02304 | Title: | EEM action not executed on absolute time when NTP is configured | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: EEM action is not executed at the exact "absolute time" configured when NTP is configured. The command is executed with some delay or earlier than configured. With the following configuration, the action should be executed at 10:30:00, but it is not executed on time (for example, at 10:29:58).
event manager applet eem-test
 event timer absolute time 10:30:00
 action 0 cli command "show xxxxx"
 output file new
ntp server x.x.x.x
Conditions: When NTP server is configured or if the clock time is changed.
Workaround: Re-configure the EEM applet absolute timer if NTP is configured or the time is changed by any other means (e.g. via the 'clock set' command if NTP is disabled). This will cause the timer to be re-synced with the current clock time.
Further Problem Description: The time difference is due to the internal clock drift. It is typically a few seconds.
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(2) | |
Known Fixed Releases: * | 100.12(0.131), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu25430 | Title: | Object nat rule is not matched | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Object rule is not matched
Conditions: Object NAT is configured and the transactional commit model is enabled:
object network NAT_X.X.X.X
 host X.X.X.X
 nat (inside,outside) static Y.Y.Y.Y
ASA runs 9.3.3. Transactional commit model for the NAT rule engine is enabled:
asp rule-engine transactional-commit nat
Workaround: Downgrade to 9.3.2, or disable the transactional commit model for the NAT rule engine and reload the ASA:
no asp rule-engine transactional-commit nat
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 100.15(5.18), 100.15(5.6), 9.1(6), 9.3(3), 9.4(1) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.61), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.26), 100.15(19.1), 100.15(2.58) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu92632 | Title: | ASA sets non-zero FA in OSPF for anyconnect redistributed network | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Redistribution of AnyConnect static routes on ASA 9.x doesn't work.
The output of the command "show ospf database external" shows the forward address being set to a non-zero/incorrect value.
ciscoasa# show ospf database external 10.0.103.161
OSPF Router with ID (172.16.10.1) (Process ID 1)
Type-5 AS External Link States
LS age: 1503
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 10.0.103.161 (External Network Number )
Advertising Router: 172.16.10.1
LS Seq Number: 80000001
Checksum: 0xfff4
Length: 36
Network Mask:255.255.255.255
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 172.16.10.10 <----------------
External Route Tag: 0
Conditions:
- ASA with OSPF enabled
- Redistributing AnyConnect VPN static addresses into OSPF
- AnyConnect VPN terminates on the same interface where distribution is performed
Workaround: Route the redistributed network to the Null0 interface
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4(1) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.134), 100.13(0.86), 100.14(0.66), 100.15(0.20), 100.15(1.33), 100.15(10.3), 100.15(2.65), 100.15(3.16), 100.15(4.20) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut92373 | Title: | ASA 9.0.3 not logging permitted UDP traffic | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Permitted UDP traffic is not getting logged. We don't see the log below when the connection is permitted: %ASA-6-106100: access-list permitted UDP ->
Conditions: Issue consistently seen whenever there is a change made to the ACL or during bulk ACL compilation.
Workaround: Reload of the ASA
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.0(3), 9.4(1) | |
Known Fixed Releases: * | 100.11(0.58), 100.12(0.124), 100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.23), 100.14(7.22), 100.15(0.9) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu96492 | Title: | 'terminal pager' does not clear when authorization auto-enable is used | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Terminal pager lines will not re-initiate the pager value from the running config even after the session terminates, unless we use login or enable in EXEC mode.
But when this is used along with aaa authorization, the user will not be prompted for the password when entering privileged EXEC mode:
aaa authorization exec authentication-server auto-enable
So, if any user enters the terminal pager command, it affects other user sessions logged in using aaa with privilege credentials.
Conditions: terminal pager is used and the following command is enabled:
aaa authorization exec authentication-server auto-enable
Workaround: We can clear the terminal pager instead of logging in with the enable or login command:
clear terminal pager
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(5.240) | |
Known Fixed Releases: * | 100.13(0.85), 100.14(0.66), 100.15(0.20), 100.15(1.32), 100.15(10.3), 100.15(2.63), 100.15(3.16), 100.15(4.20), 100.15(5.23), 9.4(1.99) | |
|
| | | | |
Alert Type: | New | Bug Id: | CSCuv13998 | Title: | ASA : Unable to save configuration or copy files on ASA flash | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Issues with copying or saving files on ASA flash in spite of enough available space on flash
Conditions: You must be reaching the limit of 255 files in the root directory
Workaround: No workaround for this issue.
NOTE: Even after the upgrade to pick up the fix, ASA flash needs to be formatted for the changes to take effect.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 100.15(2.49) | |
Known Fixed Releases: | 100.13(0.90), 100.14(0.68), 100.15(0.22), 100.15(1.43), 100.15(15.4), 100.15(2.76), 100.15(3.26), 100.15(4.25), 100.15(8.9), 9.4(1.99) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu74823 | Title: | Cryptomaps lose trustpoint when syncing configuration from cluster unit | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: When the ASA is in a cluster (master/slave) setup, the crypto map trustpoint configuration may not be replicated/synced properly.
Conditions: ASA cluster with a crypto map trustpoint configured
Workaround: Manually re-add the crypto map set trustpoint configuration
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(6) | |
Known Fixed Releases: * | 100.12(0.131), 100.13(0.81), 100.14(0.48), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.53), 100.15(3.9) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu75675 | Title: | kenton: For ASA5516, ASAOS should support SSLVPN of 300 instead of 250 | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: For the ASA5516, ASAOS supports 250 SSLVPN sessions; based on marketing data, it should support 300 sessions.
Conditions: ASA5516
Workaround: none
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(6) | |
Known Fixed Releases: * | 100.13(0.81), 100.14(0.49), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(19.1), 100.15(2.54), 100.15(3.9) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu52976 | Title: | ASA not checking the MAC of the TLS records | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: A vulnerability in the Transport Layer Security (TLS) code on the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to modify the contents of an encrypted TLS packet, and for those modifications not to be detected.
The vulnerability is due to an error on the firmware of the Cavium Networks cryptographic module. Due to this vulnerability, the Message Authentication Code (MAC) on a TLS packet is not being checked. An attacker could exploit this vulnerability by intercepting encrypted packets in transit and modifying their contents. Such packets would be decrypted by the ASA without the modification being detected.
Please note that this vulnerability does NOT allow an attacker to decrypt the packets in transit, nor obtain information about the session keys being used for the TLS connection.
Conditions: Default configuration. Only the following hardware platforms are affected by this vulnerability:
* Cisco ASA 5505 Adaptive Security Appliance
* Cisco ASA 5510 Adaptive Security Appliance
* Cisco ASA 5520 Adaptive Security Appliance
* Cisco ASA 5540 Adaptive Security Appliance
* Cisco ASA 5550 Adaptive Security Appliance
No other Cisco ASA hardware platforms are affected by this vulnerability.
The following releases are affected by this vulnerability:
* 9.1(2)
* 9.1(3)
* 9.1(4)
* 9.1(5)
* 9.1(6)
* 9.2
Workaround: There are no workarounds
Further Problem Description: This vulnerability was reported to Cisco by Mr. Yngve Nysaeter Pettersen from TLS Prober Labs. We greatly appreciate the opportunity to work with researchers and welcome the opportunity to review and assist with any research that may involve Cisco products. We would like to thank Mr. Pettersen for working with us on this issue.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:N/I:P/A:N/E:F/RL:OF/RC:C&version=2.0
CVE ID CVE-2015-4458 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(5.21) | |
Known Fixed Releases: * | 100.12(0.129), 100.13(0.79), 100.14(0.39), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu88607 | Title: | Double counting of flow bytes for decrypted packets | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Some statistics and syslogs related to flow bytes may be inflated because decrypted packets are counted twice.
Conditions: Traffic involving decrypted packets.
Workaround: None
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3 | |
Known Fixed Releases: * | 100.12(0.131), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(5.20) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu07462 | Title: | Cannot bootup ASAv-KVM when deployed via RHEL (7.1) / OpenStack (Juno) | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: The ASAv attempts to verify its image during bring-up but fails with the following console message:
The digital signature of the booted image file did not verify successfully. 57 (Unable to get the platform key storage size or key is corrupted) Rebooting now...
Conditions: The failure occurs when deploying the ASAv on a KVM hypervisor whose host runs a RHEL OS distribution. The problem was noticed on RHEL 7.1 and OpenStack (Juno).
Workaround: To reach the ASAv CLI prompt, remove the virt-install setting --cpu host. You can also set it to --cpu none; however, setting --cpu to 'none' may affect the performance characteristics of the ASAv.
Further Problem Description: A case has been opened with Red Hat (https://access.redhat.com/support/cases/#/case/01431506).
As a workaround you can update the /etc/nova/release file on the compute node and restart the openstack-nova-compute service:
[root@compute]# cat /etc/nova/release
[Nova]
vendor = Red Hat <===
product = OpenStack
package = 19.el7ost
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4(1.200) | |
Known Fixed Releases: * | 100.12(0.124), 100.13(0.71), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20), 100.15(0.9), 100.15(1.3) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu48813 | Title: | WebVpn: portal is not displayed after re-login | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: When logging in to WebVPN again after logging out, the ASA opens a page other than the portal.
Conditions: This started to happen in 9.1(5)16 and later.
Workaround:
1. Roll back to 9.1(5), if acceptable.
2. Restart the browser after logging out and before logging in again.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(5.160), 9.1(5.190), 9.1(6) | |
Known Fixed Releases: * | 100.12(0.131), 100.13(0.82), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.24), 100.15(2.57), 100.15(3.12) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut88196 | Title: | Conn teardown syslogs and show conn output use 32-bit byte counts | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: The output of 'show conn' and the syslogs generated when a connection is torn down (ASA-6-302014, ASA-6-302016, etc.) use 32-bit counters for the bytes transferred on a connection. Because the counter is only 32 bits wide, the reported value is incorrect once more than 2^32 bytes have been transferred, which may confuse network administrators.
Conditions: This is seen on multiple versions of ASA code when hosts transfer more than 2^32 bytes of data on a connection.
Workaround: None at this time.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(2.2) | |
Known Fixed Releases: * | 100.14(0.71), 100.15(0.25), 100.15(1.92), 100.15(16.5), 100.15(17.7), 100.15(3.54), 100.15(8.14), 9.5(1.99) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu88548 | Title: | Ampersand (&) not encoded in packet tracer phase 'extra' field | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: ASDM is unable to run packet tracer when traffic traverses an interface with an ampersand (&) in the name. ASDM shows an error indicating 'Error while forming XML'.
Conditions: This is seen when the packet path traverses an interface with an ampersand character in the name.
Workaround: Change the interface name to not include an ampersand.
Further Problem Description: This is caused by the ASA not encoding the ampersand as &amp; when generating the XML payload. You can verify that you are hitting this issue by running the packet-tracer command on the CLI and looking for an unencoded ampersand character. For example:
ASA# packet-tracer input inside tcp 192.168.100.200 12345 10.10.0.100 80 xml
::output truncated::
2 ROUTE-LOOKUP Resolve Egress Interface ALLOW
found next-hop 10.10.10.254 using egress ifc DMZ&Servers <<<< Unencoded ampersand
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(2), 9.4(1) | |
Known Fixed Releases: * | 100.12(0.130), 100.13(0.80), 100.14(0.44), 100.14(16.1), 100.14(5.21), 100.14(7.41), 100.15(0.16), 100.15(1.20), 100.15(2.53), 100.15(3.8) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuv11963 | Title: | TP Auth fails when sub CA using RSA keys is signed by root using ECDSA | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: The ASA fails to validate the AnyConnect client certificate issued by the intermediate CA under the conditions below.
Conditions:
1. ASA running 9.3.3.1, configured for certificate authentication.
2. The root CA certificate has an ECDSA signature algorithm and an ECDSA public key.
3. The intermediate CA certificate has an ECDSA signature algorithm with an RSA public key.
4. The ASA ID certificate has an RSA signature algorithm with an RSA public key.
5. The client certificate has an RSA signature algorithm with an RSA public key.
Workaround: NONE
Further Problem Description: When connecting to the ASA from an AnyConnect client machine, the client sends its ID certificate and the ASA fails to verify the certificate chain with the debug output below.
CRYPTO_PKI: Verify chain of certs, Getting public key from signersCert.
CRYPTO_PKI:Failed to set key info for get public key obj, status: 542, keylen: 294
CRYPTO_PKI: Verify chain of certs failed to get pubkey from signer.
The root, intermediate and ID certificates are installed in separate trustpoints on the ASA. Installing the intermediate and ID certificates in a single trustpoint results in the same failure.
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(3.1), 9.4(1), 9.5(1) | |
Known Fixed Releases: * | 100.13(0.98), 100.14(0.73), 100.15(0.26), 100.15(1.83), 100.15(16.4), 100.15(17.2), 100.15(3.50), 100.15(6.33), 100.15(8.13), 9.4(1.112) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut80316 | Title: | Ikev2 Session with bogus assigned IP address stays on ASA | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: An IKEv2 session with a bogus assigned IP address stays on the ASA after an IKEv2 EAP-TLS connection from a Windows 8.1 Phone.
Conditions: IKEv2 EAP-TLS connection from a Windows 8.1 Phone with continuous connect/disconnect.
Workaround:
- Remove the bogus externally assigned IP address to avoid the issue, or
- Wait some time before connecting again, as the address becomes available again.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4(1.230) | |
Known Fixed Releases: * | 100.12(0.124), 100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.24), 100.14(7.23), 100.15(0.9), 100.15(1.3) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu73087 | Title: | Standalone AnyConnect fails to connect due to empty DAP user message | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Standalone AnyConnect client fails with the following message: 'The VPN configuration received from the secure gateway is invalid. Please contact your network administrator.'
Conditions:
1) AnyConnect client version 2.5.6005 or lower is referenced on the ASA.
2) The DAP record being hit (not the Default DAP record) has no user message.
3) ASA version is 9.3.2 or above.
Workaround:
1) Configure a User Message for the DAP record.
2) Use AnyConnect client version 3.0.x/3.1.x/4.x on the ASA.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(2), 9.3(3.1), 9.4(1) | |
Known Fixed Releases: * | 100.12(0.129), 100.13(0.79), 100.14(0.41), 100.14(16.1), 100.14(5.20), 100.14(7.38), 100.15(0.15), 100.15(1.20), 100.15(2.53), 100.15(3.8) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut85049 | Title: | Issue with downloading images from Sharepoint | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: An image cannot be downloaded from SharePoint
Conditions: After cookies and cache are cleared from the browser
Workaround: Right-click the image, choose 'Save As' and select the local disk
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 100.14(3.8), 9.4(1.112) | |
Known Fixed Releases: * | 100.12(0.137), 100.13(0.93), 100.14(0.13), 100.14(10.23), 100.14(5.15), 100.14(6.7), 100.14(7.6), 100.15(0.11), 100.15(1.12), 100.15(1.2) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu02635 | Title: | Remove demo and eval warning for sfr monitor-only | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: A warning is produced when configuring the SFR module to monitor-only mode. Example:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class sfr
ciscoasa(config-pmap-c)# sfr fail-open monitor-only
WARNING: Monitor-only mode should be used for demonstrations and evaluations only. This mode prevents SFR from denying or altering traffic.
Conditions: The policy-map sfr monitor-only mode is supported for production use, which makes the "should be used for demonstrations and evaluations only" statement incorrect and confusing.
Workaround: None. Ignore the "should be used for demonstrations and evaluations only" portion of the warning.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.2(3), 9.3(1) | |
Known Fixed Releases: * | 100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.17), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.9) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu31281 | Title: | AAA Authorization HTTP sends username in password field of authorization | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: ASDM access may be denied to all users even if their passwords are correct and they are in the correct groups for authorization. After a change in ASDM authorization in 9.4.1, administrators must configure a new command, "aaa authorization http console", to authorize HTTP/ASDM logins (this was not the case in pre-9.4 code). With that command entered, the ASA sends a second packet to the authentication server, but the attempt fails because the ASA puts the username in the password field of the packet.
Conditions:
- ASA 9.4.1 or greater
- "aaa authorization http console aaa-group" configured for ASDM authorization
- Observed with the LDAP and RADIUS protocols, but may apply to others as well
Workaround:
- Disable HTTP authorization by removing the "aaa authorization http console" command from the configuration (NOTE: this allows all users with valid credentials to log in to ASDM)
- Downgrade to 9.3 or lower
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4(1) | |
Known Fixed Releases: * | 100.13(0.76), 100.13(21.14), 100.14(0.19), 100.14(10.20), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.10), 100.15(2.35), 100.15(3.3) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut96928 | Title: | ASA : Password creation date is decrementing by one with every reboot | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: The ASA "Local User" password creation date is decremented by one day with every reboot
Conditions: ASA configured with the command: password-policy lifetime
Workaround: No workaround
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.2(3) | |
Known Fixed Releases: * | 100.11(0.58), 100.12(0.124), 100.13(0.72), 100.13(21.13), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.23), 100.14(7.22), 100.15(0.9) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu02761 | Title: | DNS should perform IPv4 lookups if IPv6 address is not reachable | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: DNS returns IPv6 addresses that are not reachable by the ASA
Conditions: IPv6 is enabled on at least one ASA interface.
DNS lookups are configured.
Hosts are accessed by name rather than IP or IPv6 address.
Workaround: Options:
1. If this is a manual operation (e.g. ping), specify the IP or IPv6 address.
2. Disable IPv6 on all interfaces.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(5) | |
Known Fixed Releases: * | 100.11(0.58), 100.12(0.123), 100.13(0.69), 100.13(21.13), 100.14(0.10), 100.14(10.14), 100.14(26.11), 100.14(5.14), 100.14(6.16), 100.14(7.16) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuv02619 | Title: | Standby ipv6 address setting is not replicated to standby | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Standby IPv6 address settings are not replicated correctly.
Conditions: In L2 (transparent) firewall mode and multiple context mode.
Workaround: Run 'write standby' twice on the active unit.
Further Problem Description: none
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(6.6) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.136), 100.13(0.90), 100.14(0.67), 100.15(0.21), 100.15(1.40), 100.15(10.4), 100.15(15.4), 100.15(4.24), 100.15(8.9) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu18527 | Title: | ASA WebVPN: HTTP 302 Location URL rewritten incorrectly | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: In some corner cases, if the backend server responds with HTTP "302 Found" and in the Location URL the FQDN and the URI are separated by "?" rather than "/", the ASA appends the URI prefix of the request it was redirected from, resulting in an HTTP 404.
For example:
Client performs: GET /abcd/login.php
Backend server responds with HTTP 302 Found: Location: http://server.company.com?email=bsg73kdpo1098
At this stage, the ASA rewrites this HTTP header as: HTTP 302 Found: Location: http://server.company.com/abcd/?email=bsg73kdpo1098
Notice that the ASA appends /abcd/ from the original URI.
Conditions: ASA acting as a Clientless SSLVPN server, with users accessing intranet websites through the WebVPN portal. The websites are served through the ASA's rewriter engine.
Workaround: Use the Smart-Tunnel feature
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(3.1) | |
Known Fixed Releases: * | 100.11(0.59), 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.14(0.17), 100.14(10.23), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.15) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu76651 | Title: | Traps are not sent after hyperlite boots up with all data interfaces shut | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: SNMP traps are not transmitted by the ASA
Conditions: Saleen and Kenton platforms.
The ASA boots with all of its data interfaces administratively shut down.
Workaround: Admin-up a data interface.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 100.13(29.11) | |
Known Fixed Releases: * | 100.12(0.132), 100.13(0.84), 100.13(29.101), 100.13(29.34), 100.14(0.63), 100.14(16.2), 100.14(5.24), 100.14(7.46), 100.15(1.29), 100.15(10.3) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu93339 | Title: | Cisco ASA Poodle TLS Variant | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptoms: Cisco ASA models 5506-X, 5508-X and 5516-X include a version of an SDK that is vulnerable to a variant of POODLE TLS in which the first byte of the padding is not checked.
Additional information about this issue can be found at: https://vivaldi.net/en-US/blogs/entry/there-are-more-poodles-in-the-forest
Conditions: Cisco ASA Software is affected by this vulnerability if a feature that uses TLS is enabled. The exposure is confined to that feature only. Examples of features using TLS are the HTTP Secure server for management, Clientless and AnyConnect SSL VPN, TLS Proxy, Phone Proxy, etc.
Workaround: There is no workaround for this issue other than disabling the affected feature.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2:
http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C&version=2.0
CVE-2015-4595 has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(3.2), 9.4(1.3) | |
Known Fixed Releases: * | 100.12(0.130), 100.13(0.81), 100.13(29.28), 100.14(0.48), 100.14(16.1), 100.14(5.23), 100.14(7.42), 100.15(0.17), 100.15(1.22), 100.15(2.54) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut67779 | Title: | Investigate impact of jumbo-frame reservation on low-end ASA platforms | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Low-end ASA models such as the ASA5512-X or ASA5515-X may fail to boot if jumbo frames are enabled (jumbo-frame reservation) and an additional interface card, such as the ASA-IC-6GE-CU-A, is present in the chassis.
Conditions: This issue was seen in 9.2(3) and 9.3(1) software.
Workaround: Try to load 9.3(2) software, run "no jumbo-frame reservation" and reload.
Further Problem Description: Even though 9.3(2) software boots, the ASA cannot service ASDM connections if jumbo frames are enabled. This happens because of a low amount of free DMA memory. Use the "show memory detail" command to check.
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.2(3), 9.3(1) | |
Known Fixed Releases: * | 100.11(0.62), 100.12(0.139), 100.13(0.94), 100.14(0.70), 100.15(0.23), 100.15(1.56), 100.15(16.1), 100.15(2.86), 100.15(3.31), 100.15(6.19) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu09302 | Title: | ASAv: RSA key pair needs to be automatically generated with 2048 bits | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: RSA keys generated automatically on ASAv use 1024-bit length.
Conditions:
Workaround: crypto key generate rsa general-keys modulus 2048
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 100.13(21.11), 100.14(5.10), 9.4(1) | |
Known Fixed Releases: * | 100.13(0.71), 100.13(21.13), 100.13(29.28), 100.14(0.11), 100.14(10.16), 100.14(5.15), 100.14(6.21), 100.14(7.20), 100.15(0.9), 100.15(1.3) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu00733 | Title: | ASA: ECMP stopped working after upgrade to 9.3.2 | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: After an upgrade to 9.3.2, for equal-cost routes via the same interface, e.g.:
O IA 172.25.225.0 255.255.255.0
[110/4012] via 172.22.247.4, 12:12:19, outside
[110/4012] via 172.22.247.3, 12:12:19, outside
the ASA sends most of the traffic via the first (sometimes the second) gateway instead of load balancing.
Conditions: Equal cost routes via the same interface on ASA
Workaround: Downgrade to 9.3.1
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(2) | |
Known Fixed Releases: * | 100.12(0.124), 100.12(0.125), 100.13(0.73), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.28), 100.14(7.28), 100.15(0.10) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu99902 | Title: | Saleen Alarm LED lit when BMC SEL log is full | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: The Alarm LED is turned on
Conditions: The SEL in the BMC is full
Workaround: None
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 8.6(1) | |
Known Fixed Releases: * | 100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.58), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.18), 100.15(1.25), 100.15(2.57) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu33321 | Title: | Two Dynamic PAT with and without block-allocation | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: The CLI accepts an invalid NAT configuration.
Conditions: Two or more dynamic PAT rules that share the same mapped address must all use the same "block-allocation" setting (all enabled or all disabled); the ASA allows a mix.
Workaround: Delete and re-add the wrong rule.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 100.14(6.29), 100.15(5.4) | |
Known Fixed Releases: * | 100.14(0.19), 100.14(10.23), 100.14(5.16), 100.14(7.30), 100.15(0.12), 100.15(1.10), 100.15(2.35), 100.15(3.3), 100.15(4.5), 100.15(5.6) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu88412 | Title: | When > 510 characters entered in CLI, context switches to admin/system | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: When a user enters more than 510 characters on the CLI while not in the admin/system context, the user is unintentionally switched into the "admin/system" context. This issue was observed when running the command on an ASASM after first logging in to the 6500 switch and opening a "session" connection to the module.
Conditions: ASASM with v9.1.6.1
Workaround: none
Further Problem Description: none
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(6) | |
Known Fixed Releases: * | 100.11(0.64), 100.12(0.153), 100.13(0.118), 100.14(0.81), 100.15(0.73), 100.15(17.33), 100.15(20.12), 100.15(8.23), 100.16(0.7), 100.16(1.20) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCut83833 | Title: | USB device hot plug not supported in running ASA | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Hot plug of a USB stick does not work as expected on the 5506, 5506H, 5506W, 5508, 5516 and follow-on models
Conditions: After the unit has started, a drive that is plugged in is not recognized.
Workaround: Boot with USB stick inserted.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 100.13(11) | |
Known Fixed Releases: * | 100.12(0.126), 100.13(0.76), 100.13(21.14), 100.13(29.8), 100.14(0.21), 100.14(10.23), 100.14(5.16), 100.14(7.32), 100.15(0.12), 100.15(1.15) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu07308 | Title: | "ssh scopy enable" deleted from configuration | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: "ssh scopy enable" deleted from configuration
Conditions: Seen on a multi-context ASA with ssh scopy enable turned on.
The command may be removed when making changes in the ASA system context. It is confirmed that the command disappears after deleting a context.
Workaround: Simply re-add the command to the configuration to continue using ssh scopy
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.3(2) | |
Known Fixed Releases: * | 100.11(0.59), 100.12(0.125), 100.13(0.75), 100.13(21.13), 100.14(0.12), 100.14(10.19), 100.14(5.15), 100.14(6.37), 100.14(7.30), 100.15(0.11) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu61981 | Title: | http server shows as enabled in running config while it is not | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: When the configuration command "http server enable" fails because of a port conflict with AAA, with the error message "ERROR: Port 443 is being used on interface public by an aaa authentication listener", the configuration is incorrectly updated to include "http server enable".
Conditions: When "http server enable [port-number]" is attempted but the designated port is already in use (e.g., by AAA).
Workaround: Remove the conflicting configuration before entering "http server enable"
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4(1) | |
Known Fixed Releases: * | 100.11(0.63), 100.12(0.149), 100.13(0.108), 100.14(0.77), 100.15(0.54), 100.15(17.23), 100.15(3.76), 100.15(8.18), 100.16(0.4), 100.16(1.9) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuw61252 | Title: * | Variation in UDP PPS NDR tests | |
Status: | Open | |
Severity: | 3 Moderate | Description: * | Symptom: The ASA occasionally has a small interface buffer overrun, causing variation in the UDP PPS NDR test.
Conditions: Running a UDP 64-byte, 1000-flow packets-per-second no-drop-rate test.
Workaround: None
Further Problem Description: None
| |
Last Modified: | 24-NOV-2015 | |
Known Affected Releases: | 100.15(0.48), 100.15(0.72), 100.15(8.22), 100.16(1.11), 100.16(1.39), 100.16(1.6), 9.3(2), 9.4(2), 9.4(2.1), 9.5(1.101) | |
Known Fixed Releases: | | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCux25240 | Title: | Adding NP_SECONDARY_NO_PARENT_CHILD_TRACKING for gtp secondary conn | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: * | Symptom: The ASA may send GTP traffic to a different Snort engine
Conditions: When GTP traffic is redirected to Snort.
Workaround: Disable redirecting traffic to the Snort engine.
Further Problem Description:
| |
Last Modified: | 24-NOV-2015 | |
Known Affected Releases: | 9.5(1) | |
Known Fixed Releases: * | 100.15(0.97), 9.5(1.111) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCux22635 | Title: | diameter inspection should be tied to GTP/Carrier license | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: * | Symptom: The class-map and policy-map CLIs are accepted even when the Carrier license is disabled. Expected behavior: the ASA should not accept the configuration.
Conditions: ASA 9.5.2 image with the Carrier license disabled
Workaround: Workaround
Further Problem Description:
| |
Last Modified: | 24-NOV-2015 | |
Known Affected Releases: | 9.5(1.109) | |
Known Fixed Releases: * | 100.15(0.97), 100.16(0.11), 9.5(1.111), 96.1(1.4) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuw82198 | Title: | Default inspection engines enabled on Standby but not on Active ASA | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: The standby ASA can have some default inspection engines running in custom contexts while the same engines are not enabled on the active unit.
Conditions:
> Pair of ASA units running as a failover pair (Act/Stb or Act/Act)
Steps to reproduce:
> Load the context configuration file ONLY into the Primary ASA flash memory
> Initialize the context on the Primary, configuring the context statements and pointing the config-url at the file loaded on the Primary flash
> Run "write mem all" or "write memory" in the context created
> Check the file with the context config on the Secondary ASA flash using the command "more disk0:/ | b policy-map"
> Default inspection engines should be displayed.
Workaround: Running the "write standby" command on the active unit of the affected context fixes the problem.
Further Problem Description:
| |
Last Modified: | 25-NOV-2015 | |
Known Affected Releases: | 9.1(6.8), 9.4(1.6) | |
Known Fixed Releases: * | 100.13(0.120), 100.14(0.83), 100.15(0.86), 100.15(20.17), 100.15(8.29), 100.16(0.9), 100.16(1.34), 9.5(1.193), 9.5(1.99), 99.2(2.23) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuw88405 | Title: | BGP not working when admin context is in transparent mode | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: BGP not working when admin context is in transparent mode
Working: ! ciscoasa# show context Context Name Class Interfaces Mode URL *admin default Management0/0 Transparent disk0:/admin.cfg USER1 default GigabitEthernet0/0 Transparent disk0:/USER1.txt USER2 default GigabitEthernet0/1 Routed disk0:/USER2.txt ! ciscoasa(config-router)# show run router router bgp 1 bgp log-neighbor-changes ! Non-working: ! ciscoasa# show context Context Name Class Interfaces Mode URL *admin default Management0/0 Transparent disk0:/admin.cfg USER1 default GigabitEthernet0/0 Transparent disk0:/USER1.txt USER2 default GigabitEthernet0/1 Routed disk0:/USER2.txt ! ciscoasa(config)# router bg? ERROR: % Unrecognized command
Conditions: When the admin context is in transparent mode.
Workaround: Put the admin context in routed mode.
Further Problem Description:
| |
Last Modified: | 26-NOV-2015 | |
Known Affected Releases: | 9.3 | |
Known Fixed Releases: * | 100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(0.78), 100.15(20.14), 100.15(8.24), 100.16(0.8), 100.16(1.27), 9.5(1.99), 99.2(2.21) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCux26443 | Title: | DAP URL-List Command Says It Supports 491 Characters; Only Supports 245 | |
Status: | Fixed | |
Severity: | 3 Moderate | Description: | Symptom: Currently, the ASA states that dynamic-access-policy-record url-lists can be 491 characters; however, the URL-list can actually only be 245 characters in length. If you add a list greater than 245 characters long, it is instantly removed from the configuration.
Conditions: First reported on ASA 9.1(5).
Workaround: Change the name of your URL-List Entries to make the entire list less than 245 characters in length.
Further Problem Description:
| |
Last Modified: | 01-DEC-2015 | |
Known Affected Releases: | 9.1(6) | |
Known Fixed Releases: * | 99.2(2.29) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCui20213 | Title: | 5585 interface counters show 0 for working interfaces and console errors | |
Status: | Fixed | |
Severity: | 4 Minor | Description: | Symptom: The output of 'show interface' could show counters that have not incremented and are all stuck at 0, even though the interface is actively passing traffic (the input and output packet rates are non-zero).
Example:
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  Hardware is bcm56801 rev 01, BW 1000 Mbps, DLY 10 usec
    Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
    Input flow control is unsupported, output flow control is off
    MAC address xxxx.xxxx.xxxx, MTU 1500
    IP address 10.0.0.2, subnet mask 255.255.255.224
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 pause/resume input
    0 L2 decode drops
    0 switch ingress policy drops
    0 packets output, 0 bytes, 0 underruns
    0 pause/resume output
    0 output errors, 0 collisions, 0 interface resets
    0 late collisions, 0 deferred
    0 rate limit drops
    0 switch egress policy drops
    0 input reset drops, 0 output reset drops
  Traffic Statistics for "outside":
    7535042 packets input, 8722096534 bytes
    8312179 packets output, 5806296169 bytes
    6413 packets dropped
    1 minute input rate 12208 pkts/sec, 14102277 bytes/sec
    1 minute output rate 13488 pkts/sec, 9085510 bytes/sec
    1 minute drop rate, 6 pkts/sec
    5 minute input rate 12883 pkts/sec, 15164633 bytes/sec
    5 minute output rate 13085 pkts/sec, 8124951 bytes/sec
    5 minute drop rate, 8 pkts/sec
  Control Point Interface States:
    Interface number is 6
    Interface config status is active
    Interface state is active
Additionally, the following messages might be seen on the console of the ASA:
8841: Message #1162 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12
8842: Message #1163 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12
8843: Message #1164 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12
8844: Message #1165 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12
8845: Message #1166 : bcm_esw_clear_stats: bcm_stat_sync failed for unit 0, error -12
Conditions: Only the ASA 5585 platforms are affected by this problem.
The 'bcmCNTR.0' process will not be present in the output of 'show process'.
Example: Note the bcmCNTR.0 is not listed in the output below:
ciscoasa/pri/stby# show proc | inc bcm
Mwe 0x0000000001d94c98 0x00007ffaa8510748 0x00007ffad2bf43d0 0 0x00007ffaa8508960 32224/32768 bcmXGS3AsyncTX
Mwe 0x0000000001d94c98 0x00007ffaa93e6b08 0x00007ffad2bec100 0 0x00007ffaa93ded00 32256/32768 bcmTX
Msi 0x00000000021e6b25 0x00007ffaa9523e98 0x0000000005bad7d0 523950 0x00007ffaa951c000 30136/32768 bcmPOLL
Mwe 0x0000000001d94cde 0x00007ffad8badaf8 0x00007ffad2beb650 8688473 0x00007ffad8ba5d20 28568/32768 bcmLINK.0
Mwe 0x0000000001d94c98 0x00007ffaa7a62aa8 0x00007ffaa7a5ac10 0 0x00007ffaa7a5ac80 32288/32768 bcmDPC
Mwe 0x0000000001d94cde 0x00007ffaa94b43e8 0x00007ffad2beb6c0 4251733 0x00007ffaa94ac600 29416/32768 bcmCNTR.0
Mwe 0x0000000001d5cdaa 0x00007ffaa7a5a7f8 0x00007ffaa7a27fb8 0 0x00007ffaa7a52980 32368/32768 bcm_esw_surprise_reset.0
Msi 0x0000000001d65998 0x00007ffad8bb5bf8 0x0000000005bad7d0 211236 0x00007ffad8badd70 30008/32768 bcm_esw_poll
Mwe 0x0000000001d63468 0x00007ffad8bbdc08 0x0000000005b11590 4 0x00007ffad8bb5dc0 29496/32768 bcm_esw_ioctl_task_handler
ciscoasa/pri/stby#
Workaround: Rebooting the ASA should restore the interface statistic information.
Further Problem Description:
| |
Last Modified: | 07-NOV-2015 | |
Known Affected Releases: | 100.8(53.2), 100.9(7.27), 8.4(7), 9.1(4) | |
Known Fixed Releases: * | none | |
|
| | | | |
Alert Type: | New | Bug Id: | CSCux10668 | Title: | Saving SSLVPN customization changes results in "file not found" message | |
Status: | Open | |
Severity: | 4 Minor | Description: | Symptom: Saving ASA SSLVPN customization changes via ASDM results in "file not found" message.
Conditions: ASA 8.2(5), ASDM 7.1(3)
Workaround: Export, modify, and re-import the XML files that contain the customization parameters.
Further Problem Description:
| |
Last Modified: | 11-NOV-2015 | |
Known Affected Releases: | 8.2(5.51) | |
Known Fixed Releases: | | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCur80711 | Title: | dhcprelay enabled interface pops memory message when address is assigned | |
Status: | Open | |
Severity: * | 4 Minor | Description: * | Symptom: Enabling dhcprelay on an interface produces the memory message "No memory for DHCP interface ''".
Conditions: ASA in multiple context mode.
Workaround: None, but the message is benign.
Further Problem Description:
| |
Last Modified: | 14-NOV-2015 | |
Known Affected Releases: | 9.1(2) | |
Known Fixed Releases: | | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCua66518 | Title: | Help arp SYNTAX section misses "permit-nonconnected" entry | |
Status: | Fixed | |
Severity: | 4 Minor | Description: | Symptom: Help arp misses permit-nonconnected entry in SYNTAX section.
Conditions:
Workaround:
Further Problem Description:
| |
Last Modified: | 19-NOV-2015 | |
Known Affected Releases: | 8.4(4), 8.4(4.2) | |
Known Fixed Releases: * | 100.13(0.120), 100.14(0.83), 100.15(0.87), 100.15(0.90), 100.15(20.17), 100.15(20.18), 100.15(8.29), 100.16(0.10), 100.16(0.9), 100.16(1.34) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCua71394 | Title: | ARP debug messages output raw milliseconds values | |
Status: | Fixed | |
Severity: | 4 Minor | Description: | Symptom: ARP debug messages output raw millisecond counts, which don't make much sense for users.
Conditions:
Workaround:
Further Problem Description:
| |
Last Modified: | 20-NOV-2015 | |
Known Affected Releases: | 8.4(4.2) | |
Known Fixed Releases: * | 100.15(20.23), 100.8(40.106), 99.2(2.26) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu60391 | Title: | Activation key info printed at bootup on ASAv | |
Status: | Fixed | |
Severity: | 4 Minor | Description: | Symptom: During initialization an ASAv will attempt to read an activation key from license storage:
Verify the activation-key, it might take a while...
Failed to retrieve permanent activation key.
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Since the ASAv does not support traditional ASA PAK-based licensing, there is no reason to attempt to retrieve licensing activation keys. The attempt to retrieve the activation key has no negative impact on the operation of the ASAv.
Conditions: Normal operation.
Workaround: None.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4(1.200) | |
Known Fixed Releases: * | 100.14(0.33), 100.14(5.17), 100.14(7.35), 100.15(0.14), 100.15(1.20), 100.15(2.53), 100.15(3.8), 100.15(4.12), 100.15(5.15), 100.15(8.3) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuw16103 | Title: | ASA: Remarks being deleted/duplicated using object with range keyword | |
Status: | Fixed | |
Severity: | 4 Minor | Description: | Symptom: A duplicate remark is created when an object with the range keyword is used, as seen in the "show access-list" output:
ASA-FPW-54# show run object id range-object
object network range-object
 range 10.10.10.128 10.10.10.159
ASA-FPW-54#
ASA-FPW-54# show run access-list test-remark
access-list test-remark extended permit tcp object range-object host 1.1.1.1 eq ldap
access-list test-remark remark ## test description
ASA-FPW-54#
ASA-FPW-54# show access-list test-remark
access-list test-remark; 1 elements; name hash: 0x41c85d1e
access-list test-remark line 1 extended permit tcp object range-object host 1.1.1.1 eq ldap (hitcnt=0) 0xa9c10cbe
  access-list test-remark line 1 extended permit tcp range 10.10.10.128 10.10.10.159 host 1.1.1.1 eq ldap (hitcnt=0) 0xa9c10cbe
access-list test-remark line 2 remark ## test description
access-list test-remark line 3 remark ## test description
ASA-FPW-54#
Conditions: You must be using the Object with range keyword and have a remark after the configured object.
Workaround: Remove the remark manually, using the "show run access-list" output as the reference:
ASA-FPW-54# no access-list test-remark remark ## test description
ASA-FPW-54#
- or -
Insert an extra access-list entry between the remark and the entry that uses the object:
ASA-FPW-54# access-list test-remark line 2 permit ip host 10.10.10.10 host 10.10.10.11
Further Problem Description:
| |
Last Modified: | 27-NOV-2015 | |
Known Affected Releases: | 9.1(6.4), 9.1(6.8), 9.4(1.5), 9.5(1) | |
Known Fixed Releases: * | 100.16(1.51), 99.2(2.28) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu99716 | Title: | CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex 1st/last entries should be 0 | |
Status: | Fixed | |
Severity: | 5 Cosmetic | Description: | Symptom: The first and last entries in the CISCO-PROCESS-MIB::cpmCPUTotalPhysicalIndex table are '1'. They should be zero.
Conditions: all
Workaround: none
Further Problem Description: The first entry corresponds to the context average. The last entry corresponds to the system average. Since these represent more than one physical entity and are not represented in the ENTITY-MIB, according to the definition of cpmCPUTotalPhysicalIndex in CISCO-PROCESS-MIB.my, the values of cpmCPUTotalPhysicalIndex for these entries should be zero.
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.4(1) | |
Known Fixed Releases: * | 100.14(0.51), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.17), 100.15(1.24), 100.15(2.57), 100.15(3.12), 100.15(5.20), 100.15(8.5) | |
|
| | | | |
Alert Type: | New | Bug Id: | CSCux25236 | Title: | ASA dropping SNMP request and prints special character | |
Status: | Open | |
Severity: | 5 Cosmetic | Description: | Symptom: When an ASA deployed in multiple context mode is polled with an SNMPv3 walk, it sometimes generates the log message:
%ASA-3-212006: Dropping SNMP request from 10.77.100.53/9719 to Management-CX:10.73.31.109/snmp because: user not found: ??????
The "user not found" text is followed by an unrecognised character string that does not match any of the usernames used in the SNMP walk.
Conditions: NA
Workaround: The ASA can be configured to suppress the generated log message.
Further Problem Description:
| |
Last Modified: | 22-NOV-2015 | |
Known Affected Releases: | 9.2(2) | |
Known Fixed Releases: | | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCux16484 | Title: | DOC : Document the correct usage of Standard ACL in distribute lists | |
Status: | Open | |
Severity: | 5 Cosmetic | Description: * | Symptom: Documentation is needed on the usage of standard ACLs in distribute lists for route filtering.
Conditions: Route Filtering with Distribute lists.
Workaround: None as this is only a documentation defect.
Further Problem Description:
| |
Last Modified: | 01-DEC-2015 | |
Known Affected Releases: | 9.4(1) | |
Known Fixed Releases: | | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCua37902 | Title: | Some syslogs lost when using TCP based syslogging | |
Status: | Fixed | |
Severity: | 6 Enhancement | Description: * | Symptom: If TCP syslogging is configured on the ASA, not all messages are sent to the syslog server when there is sufficient load combined with connectivity issues between the ASA and the syslog server.
Conditions: The issue is seen only when using TCP based syslogging and a high rate of syslogs.
Workaround: Use UDP syslogging instead of TCP syslogging.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Further Problem Description:
| |
Last Modified: | 06-NOV-2015 | |
Known Affected Releases: | 8.4, 8.4(3), 8.4(3.130), 9.1(5) | |
Known Fixed Releases: | none | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCte84561 | Title: | ENH: Needs ability to manage ASA standby device via VPN tunnel | |
Status: | Open | |
Severity: | 6 Enhancement | Description: * | Symptom: Add the ability to access the standby unit via the L2L and Anyconnect VPN.
Conditions: ASA running in Active/Standby failover mode and inside interface is used for management traffic or management access (ssh/telnet/ASDM) via VPN tunnel terminated on the ASA.
Workaround: You can use the "failover exec" command to access the Standby unit from the primary.
Further Problem Description:
| |
Last Modified: | 19-NOV-2015 | |
Known Affected Releases: | 8.2(2) | |
Known Fixed Releases: | | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuv19728 | Title: | Allow user to select SSH Encryption Cipher Mode on ASA | |
Status: | Fixed | |
Severity: | 6 Enhancement | Description: | Symptom: The SSH encryption ciphers are not configurable. They should be made configurable so the admin can restrict the ciphers to those consistent with the required security level and with interoperability requirements.
Conditions: All
Workaround: None
Further Problem Description: This issue is addressed in 9.1(7) with the introduction of the "ssh cipher encryption" config command.
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.2(3.4) | |
Known Fixed Releases: * | 100.11(0.64), 100.12(0.153), 100.13(0.119), 100.14(0.82), 100.15(20.13), 100.15(8.24), 100.16(0.8), 100.16(1.26), 100.8(40.103), 9.1(6.102) | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuu22517 | Title: | ASA - SNMPv3 Traps not Generated for PC Link State in Multi-Context Mode | |
Status: | Fixed | |
Severity: | 6 Enhancement | Description: | Symptom: On an ASA running in multi-context mode with port-channels allocated to individual contexts, SNMP traps will not be generated when member interfaces of the port-channel go down although the following syslogs are seen in the context itself:
%ASA-6-426002: PORT-CHANNEL:Interface GigabitEthernet0/2 unbundled from EtherChannel interface Port-channel1
%ASA-6-426001: PORT-CHANNEL:Interface GigabitEthernet0/2 bundled into EtherChannel interface Port-channel1
Conditions:
1. Must be using an ASA in multi-context mode
2. Must have port-channels allocated to contexts with at least two member interfaces
3. Must be attempting to monitor the status of the member interfaces via SNMPv3 within the context
Workaround: It is possible to generate traps from the syslogs by using 'snmp-server enable traps syslog' in conjunction with the 'logging history informational' command; however, this causes a very large number of traps to be generated. There is an ongoing investigation to determine whether other, more suitable workarounds exist.
Further Problem Description:
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1(5), 9.2(2.4) | |
Known Fixed Releases: * | 100.12(0.146), 100.13(0.98), 100.14(0.73), 100.15(0.26), 100.15(1.83), 100.15(16.4), 100.15(17.3), 100.15(3.50), 100.15(6.33), 100.15(8.13) | |
|
| | | | |
Alert Type: | New | Bug Id: | CSCux24667 | Title: | DOC: ASA 9.1 Release Notes Should Reflect Max MTU Change | |
Status: | Open | |
Severity: | 6 Enhancement | Description: | Symptom: n/a (See Summary)
Conditions: n/a (See Summary)
Workaround: n/a (See Summary)
Further Problem Description: Release notes for ASA 9.1 (http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/release/notes/asarn91.html) must be amended to indicate that the maximum MTU supported for ASA interfaces has been reduced from 9216 bytes to 9198 bytes. This comes about as a result of the fix for defect CSCum63417.
Originally, users were allowed to configure an MTU size of 9198 bytes (the maximum size for a 'jumbo' frame), but since the configured MTU only accounts for the size of the L3 payload, adding the 14 bytes of L2 (Ethernet) header plus a possible additional 4 bytes for a dot1q VLAN tag would cause the frame to be fragmented if the maximum MTU size was configured. So, in ASA minor release 9.1, the maximum configurable MTU was reduced by 18 bytes so that this kind of fragmentation cannot be induced.
The release notes do not specify this change, and must be corrected to include it.
| |
Last Modified: | 21-NOV-2015 | |
Known Affected Releases: | 9.1 | |
Known Fixed Releases: | | |
|
| | | | |
Alert Type: | Updated * | Bug Id: | CSCuc82575 | Title: * | ASA certificate enrollment needs to support adding EKU and KU to cert. | |
Status: | Open | |
Severity: | 6 Enhancement | Description: | Symptom: When connecting with the AnyConnect client using IPsec/IKEv2, the identity certificate is considered untrusted because the self-signed certificate generated on the ASA contains no EKU.
Conditions: Using AnyConnect client 3.0.10057 or 3.1.0495 with an IPsec IKEv2 connection, the certificate presented by the ASA for authentication is not trusted. DART logs will show:
EXTENDED_KEY_USAGE not present in certificate, No Extended Key Usage found
Description: CERTIFICATE_ERROR_VERIFY_KEYUSAGE_NOT_FOUND:No Key Usages were found in the certificate
Workaround: Use a third-party certificate tool such as OpenSSL to generate a CSR with the correct attributes and have the certificate signed by a trusted CA. | |
Last Modified: | 24-NOV-2015 | |
Known Affected Releases: * | 9.5(1) | |
Known Fixed Releases: | | |
|
| |
|