Alert Type: Updated *
Bug Id: CSCuv69235
Title: HTTP chunked data causing watchdog
Status: Fixed
Severity: 1 Catastrophic
Description:
Symptom: A watchdog traceback may occur on the ASA as it is processing HTTP traffic from WebVPN client connections.
Conditions: Cisco ASA running release 9.3.2 and later with WebVPN configured.
Workaround: None.
Further Problem Description:
Last Modified: 03-DEC-2015
Known Affected Releases: 9.3(2), 9.5(1)
Known Fixed Releases: * 100.12(0.140), 100.13(0.95), 100.14(0.70), 100.14(16.8), 100.14(5.32), 100.15(0.24), 100.15(1.60), 100.15(16.1), 100.15(17.1), 100.15(3.32)

Alert Type: Updated *
Bug Id: CSCux59122
Title: ASA L7 policy-map comes into effect only if the inspection is re-applied
Status: Fixed
Severity: 2 Severe
Description:
Symptom: An ASA L7 policy-map comes into effect only after the inspection is re-applied.
Conditions:
1. An L7 policy map is configured but is not working.
2. The inspection was applied previously without the L7 policy map, and the policy map was added later.
Example. Initially the configuration is:
policy-map global_policy
 class inspection_default
  inspect dcerpc
Later the L7 policy map was added:
policy-map type inspect dcerpc MSRPC-MAP
 parameters
  endpoint-mapper lookup-operation
policy-map global_policy
 class inspection_default
  inspect dcerpc MSRPC-MAP
Workaround: Remove the inspection and re-apply it:
conf t
policy-map global_policy
 class inspection_default
  no inspect dcerpc MSRPC-MAP
  inspect dcerpc MSRPC-MAP
Further Problem Description:
Last Modified: 31-DEC-2015
Known Affected Releases: 9.5(2)
Known Fixed Releases: * 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 96.1(1.33)

Alert Type: New
Bug Id: CSCul25236
Title: 'Pre-login Page URL' is not accepted for External Portal
Status: Fixed
Severity: 2 Severe
Description:
Symptoms: On a Cisco Adaptive Security Appliance (ASA), when the external portal is configured with 'pre-login-page-url', the user gets a warning that the tag is not supported.
Conditions: Device with default configuration running an affected version of the software.
Workaround: None.
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: 08-DEC-2015
Known Affected Releases: 9.1(3)
Known Fixed Releases: 100.10(0.52), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.79), 100.8(40.52), 100.8(46.53), 100.8(51.14), 100.8(56.1), 100.8(56.10)

Alert Type: Updated *
Bug Id: CSCuj27966
Title: ASAs in failover pair crash after doing a "clear conf event manager"
Status: Other
Severity: 2 Severe
Description: *
Symptom: The ASA crashes when event manager (EEM) related configuration is removed or deleted from it.
Conditions: The crash is observed if the EEM configuration has a syslog check with the "occurs" or "period" specifier. Example:
# config t
# event manager applet XYZ
# description "Check for XYZ..."
# event syslog id 444xxx period 300   <<<<------
Workaround: To stop EEM from continuing its operations, delete the 'actions' configured under it; do not issue "clear config event manager" or "no event manager applet ...".
Further Problem Description:
Last Modified: 08-DEC-2015
Known Affected Releases: 100.8(47.1)
Known Fixed Releases:

Alert Type: Updated *
Bug Id: CSCuw59388
Title: Unable to load ASDM to a Context in Multiple Context Mode
Status: Fixed
Severity: 2 Severe
Description:
Symptom: Unable to load ASDM to a context when the ASA is in multiple context mode.
Conditions: ASA running in multiple context mode.
Workaround: None.
Further Problem Description:
Last Modified: 08-DEC-2015
Known Affected Releases: 100.15(0.72), 9.5(1.53), 99.1(3.147), 99.1(3.182), 99.1(3.95)
Known Fixed Releases: * 100.15(0.73), 100.15(17.33), 100.15(20.12), 100.15(8.23), 100.16(0.7), 100.16(1.20), 9.5(1.99), 99.1(3.186)

Alert Type: Updated *
Bug Id: CSCuv45756
Title: ASA may traceback when displaying packet capture with trace option
Status: Fixed
Severity: 2 Severe
Description:
Symptom: ASA traceback.
Conditions: ASA running 9.4(1) displaying captures with the trace detail option.
Workaround: Avoid using the trace detail option in captures.
Further Problem Description:
Last Modified: 10-DEC-2015
Known Affected Releases: 9.4(1)
Known Fixed Releases: * 100.11(0.62), 100.12(0.140), 100.13(0.94), 100.14(0.70), 100.14(16.8), 100.14(5.32), 100.15(0.23), 100.15(1.56), 100.15(16.1), 100.15(2.86)

Alert Type: Updated *
Bug Id: CSCux48213
Title: Traceback in thread name: NIC status poll
Status: Open
Severity: 2 Severe
Description: *
Symptom:
Conditions:
- ASA running 9.2.4
- Failover configured with RIP
Workaround:
Further Problem Description:
Last Modified: 10-DEC-2015
Known Affected Releases: 9.2(4)
Known Fixed Releases:

Alert Type: Updated *
Bug Id: CSCut03981
Title: ASA SSLVPN Client cert validation failure - SSL Lib error: Bad RSA Sig
Status: Fixed
Severity: 2 Severe
Description:
Symptom: Intermittently, some AnyConnect clients fail to establish the SSL session with the hub because the ASA fails to validate the client certificate. The error that shows up in the syslog is:
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CERT_VERIFY Reason: bad rsa signature
The clients may end up establishing SSL sessions successfully after a couple of retries.
Conditions: ASA on 9.3(2) acting as SSLVPN server for AnyConnect clients that authenticate using certificates.
Workaround: None. The issue is not observed in ASA 9.2(1).
Further Problem Description:
Last Modified: 17-DEC-2015
Known Affected Releases: * 9.3(2), 9.4(1)
Known Fixed Releases: 100.12(0.154), 100.13(0.95), 100.14(0.71), 100.14(16.8), 100.14(5.32), 100.15(0.24), 100.15(1.68), 100.15(16.2), 100.15(17.1), 100.15(3.37)

Alert Type: Updated *
Bug Id: CSCua98019
Title: Cisco script injected in html tags, JS conditional comments
Status: Fixed
Severity: 2 Severe
Description:
Symptom: When accessed through WebVPN, some pages give JavaScript errors and are not rendered properly.
The errors seen are:
Uncaught ReferenceError: CSCO_seppuku is not defined
Uncaught ReferenceError: CSCO_WebVPN is not defined
CSCOGet_location is not defined
Conditions: The ASA is running version 8.4.4 or 8.4.4.1.
Workaround: Use Smart-tunnel.
Last Modified: 17-DEC-2015
Known Affected Releases: 8.4(4)
Known Fixed Releases: * 100.7(13.94), 100.7(6.90), 100.8(0.210), 100.8(11.33), 100.8(27.19), 100.8(33.16), 100.8(34.1), 100.8(36.2), 100.9(0.1), 100.9(3.2)

Alert Type: Updated *
Bug Id: CSCus53126
Title: ASA traffic not sent properly using 'traffic-forward sfr monitor-only'
Status: Fixed
Severity: 2 Severe
Description:
Symptom: After using 'traffic-forward sfr monitor-only', traffic is forwarded from the MGMT0/0 interface instead of from the selected interface. It also causes a loss of IP connectivity to the ASA through MGMT0/0.
Conditions: ASA running in transparent mode, with the command issued on any ASA built-in port (G0/0, G0/1, etc.). When using blade ports (G1/0, G1/1, etc.) the command works as described in the manual.
Workaround: Unknown.
Further Problem Description:
Last Modified: 17-DEC-2015
Known Affected Releases: 9.2(2.4)
Known Fixed Releases: * 100.11(0.65), 100.12(0.154), 100.14(0.85), 100.15(0.99), 100.16(0.12), 100.16(1.51), 100.16(15.7), 96.1(1.6), 96.1(6.1), 99.2(2.28)

Alert Type: Updated *
Bug Id: CSCub05748
Title: ASA: Page fault traceback in DATAPATH thread with IPsec traffic
Status: Fixed
Severity: 2 Severe
Description:
Symptom: Under rare conditions, an ASA may generate a traceback and reload while processing IPsec traffic.
Conditions: This has been seen on ASA 8.4.4.1. Other software versions may also be affected.
Workaround: There is no known workaround at this time.
Last Modified: 17-DEC-2015
Known Affected Releases: 8.4(4.1)
Known Fixed Releases: * 100.7(13.94), 100.7(6.90), 8.4(4.6), 8.4(4.99), 8.4(5), 8.7(1.2)

Alert Type: Updated *
Bug Id: CSCub09280
Title: ASA Content rewrite HTML content was treated as ajax response
Status: Fixed
Severity: 2 Severe
Description:
Symptom: On ASA 8.4.4, HTML content was treated as an AJAX response and bypassed the rewrite engine when the request was a redirect from an original AJAX request. This caused the web page to be displayed improperly and some buttons to be missing.
Conditions: ASA running software version 8.4.4.
Workaround: Use smart tunnel for the web page or home page. If you have a webtype access control list configured, ensure you permit smart tunnel in the webtype access control list.
Last Modified: 17-DEC-2015
Known Affected Releases: 8.4
Known Fixed Releases: * 100.7(13.94), 100.7(6.90), 100.8(0.213), 100.8(11.33), 100.8(27.19), 8.4(4.6), 8.4(4.99), 8.4(5), 8.7(1.2), 9.0(0.99)

Alert Type: Updated *
Bug Id: CSCub10537
Title: 4096 byte block depletion due to ak47_np_read
Status: Fixed
Severity: 2 Severe
Description:
Symptom: The ASA may run out of 4096 byte blocks, as shown in the 'show block' output. It is unclear whether this has a functional impact at the time of this bug filing.
Conditions: ASA5585 running 8.4.3. The 'show block queue history detail' output will include an entry for a 4096 byte block depletion, indicating ak47_np_read as holding the most blocks.
Workaround: None.
Last Modified: 17-DEC-2015
Known Affected Releases: 8.4(3)
Known Fixed Releases: * 100.7(13.94), 100.7(6.90), 100.8(0.211), 100.8(11.33), 100.8(27.19), 100.8(33.17), 100.8(34.1), 100.8(36.2), 100.9(0.1), 100.9(3.2)

Alert Type: Updated *
Bug Id: CSCub19714
Title: Unable to remove nested service object-group from parent object-group
Status: Other
Severity: 2 Severe
Description: *
Symptom: A nested object-group cannot be removed from its parent object-group once any nested object-group has been removed and then reapplied. The following error is returned:
Removing obj from object-group (parent_object_group) failed; obj does not exist in this group
Conditions: Nested object-groups.
Workaround: Reload the ASA to remove the nested object-group.
Last Modified: 17-DEC-2015
Known Affected Releases: 8.4(4), 8.4(4.1)
Known Fixed Releases:

Alert Type: Updated *
Bug Id: CSCub23840
Title: ASA traceback due to nested protocol object-group used in ACL
Status: Fixed
Severity: 2 Severe
Description:
Symptom: In rare circumstances, the ASA will crash after issuing "clear conf all".
In a failover setup, the crash might be triggered if:
- "write standby" is executed on the active unit; the standby unit will crash.
- One of the units is reloaded.
Conditions: The root cause of this crash is that the ASA is unable to delete even a single-level nested protocol object-group that is used by an ACL.
For example, the following configuration is sufficient to cause the crash when issuing "clear conf all":
object-group protocol test
 protocol-object 55
object-group protocol test2
 group-object test
access-list acl permit object-group test2 any any
Workaround: Don't use nested protocol object-groups.
Last Modified: 17-DEC-2015
Known Affected Releases: 8.4(3)
Known Fixed Releases: * 100.7(13.99), 100.7(24.2), 100.7(6.96), 100.8(0.237), 100.8(11.39), 100.8(27.20), 100.8(33.23), 100.8(34.1), 100.8(38.1), 100.8(39.1)

Alert Type: Updated *
Bug Id: CSCuw22130
Title: ASA traceback when removing dynamic PAT statement from cluster
Status: Fixed
Severity: 2 Severe
Description:
Symptom: The master ASA of a cluster running code 9.3.3.2 presented a DATAPATH-1-1958 traceback resulting from an 'Address not mapped' fault.
The statement removed was:
no nat (visitors,outside) source dynamic Guest_network PAT-Guest-Pool
Conditions:
- ASA running code 9.3.3.2
- Individual (L3) mode
- Removing a dynamic PAT rule
Workaround: None.
Further Problem Description:
Last Modified: 17-DEC-2015
Known Affected Releases: 9.3(3.2)
Known Fixed Releases: * 100.11(0.65), 100.12(0.154), 100.14(0.84), 100.15(0.94), 100.15(20.22), 100.15(8.33), 100.16(0.10), 100.16(1.50), 100.16(15.7), 100.8(40.106)

Alert Type: Updated *
Bug Id: CSCux35538
Title: Traceback in ctm_ssl_generate_key with SSL VPN scaled test
Status: Fixed
Severity: 2 Severe
Description:
Symptom: The ASA may traceback in ctm_ssl_generate_key during a VPN scaled test with DHE ciphers.
Conditions: ASA VPN AnyConnect and Clientless SSL VPN scaled test.
Workaround: None.
Further Problem Description:
Last Modified: 17-DEC-2015
Known Affected Releases: 9.1(6.107), 9.1(6.111)
Known Fixed Releases: * 9.1(6.113)

Alert Type: Updated *
Bug Id: CSCub28198
Title: ASA Webvpn rewriter compression not working
Status: Fixed
Severity: 2 Severe
Description:
Symptom: Images do not load properly on web pages opened through the WebVPN portal.
Conditions: ASA 5585 running 8.4(4).
Workaround: Use smart-tunnels.
Last Modified: 17-DEC-2015
Known Affected Releases: 8.4(4)
Known Fixed Releases: * 100.7(13.97), 100.7(6.94), 100.8(0.231), 100.8(11.35), 100.8(27.19), 100.8(33.20), 100.8(34.1), 100.8(37.12), 100.8(39.1), 100.9(0.1)

Alert Type: Updated *
Bug Id: CSCuo78285
Title: * ASA Traceback during failover config sync
Status: Fixed
Severity: 2 Severe
Description:
Symptom: A firewall may generate a traceback and reload when trying to clear a portion or all of the configuration. This most likely manifests during a configuration sync from an Active firewall: the first step of a config sync is to clear the existing local configuration in preparation for the re-sync of policies from the Active firewall. The Standby firewall will reload and attempt to re-sync its configuration from the Active, resulting in another crash and thus starting a crash loop on the Standby firewall.
Conditions: In a failover pair this may affect the Standby firewall during config replication, or it may affect the Active firewall if interface configuration is being actively removed. From initial analysis it appears to be related to very large configurations with significant amounts of NAT configured.
Workaround: None at this time.
Further Problem Description:
Last Modified: 18-DEC-2015
Known Affected Releases: 100.11(3.11), 100.11(3.14), 9.1(5.10), 9.2(2)
Known Fixed Releases: 100.10(17.1), 100.10(2.21), 100.10(7.10), 100.11(0.9), 100.11(3.15), 100.11(5.13), 100.11(6.1), 100.8(40.74), 9.1(5.13), 9.2(1.108)

Alert Type: New
Bug Id: CSCuv31964
Title: Update Windriver OS to RCPL 21
Status: Fixed
Severity: 2 Severe
Description:
Symptoms: Cisco Adaptive Security Appliance (ASA) Software includes a version of Windriver OS that is affected by the vulnerabilities identified by the following Common Vulnerabilities and Exposures (CVE) IDs:
CVE-2015-3331, CVE-2015-1819
This bug was opened to address the potential impact on this product.
Conditions: Device with default configuration.
Workaround: Not currently available.
Further Problem Description: Additional details about the vulnerabilities listed above can be found at http://cve.mitre.org/cve/cve.html
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 9.3/7.7: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C&version=2.0
CVE IDs CVE-2015-3331 and CVE-2015-1819 have been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: 18-DEC-2015
Known Affected Releases: 1.1(2), 1.1(3), 6.0, 8.4(1), 8.5(1), 8.6(1), 8.7(1), 9.0, 9.1(1), 99.1
Known Fixed Releases: 100.15(1.45), 100.15(10.3), 100.15(15.6), 100.15(16.1), 100.15(2.77), 100.15(3.26), 100.15(8.10), 9.5(1)

Alert Type: Updated *
Bug Id: CSCud32111
Title: Deny rules in crypto acl blocks inbound traffic after tunnel formed
Status: Fixed
Severity: 2 Severe
Description:
Symptom: Inbound traffic that was supposed to be exempted from the VPN by a 'deny' rule in the crypto map is dropped by the ipsec-tunnel-flow rule.
Conditions: When using a deny rule in the crypto map to exempt some overlapping traffic. This is similar to CSCuc97552.
Workaround: None.
Last Modified: 22-DEC-2015
Known Affected Releases: 8.2(5.29), 8.4(4), 9.0(1)
Known Fixed Releases: * 100.7(13.109), 100.7(6.105), 100.8(27.31), 100.8(38.10), 100.8(50.16), 100.9(0.21), 100.9(4.1), 100.9(7.1), 100.9(9.1), 8.4(5.5)

Alert Type: Updated *
Bug Id: CSCux58483
Title: Deadlock in gtp_lu_process_pdpmcb_info
Status: Fixed
Severity: 2 Severe
Description:
Symptom: A deadlock soft trace will be seen on the console and reliability will be impacted.
Conditions:
Workaround:
Further Problem Description:
Last Modified: 22-DEC-2015
Known Affected Releases: 9.5(1)
Known Fixed Releases: * 100.15(0.105), 100.16(0.15), 100.16(1.76), 96.1(1.26), 96.1(5.4), 96.1(6.4)

Alert Type: Updated *
Bug Id: CSCup55926
Title: ASA Traceback in Thread Name: Logger
Status: Terminated
Severity: 2 Severe
Description: *
Symptom: ASA crash with "Thread Name: Logger".
Conditions: Unknown.
Workaround: There is no workaround at this time.
Further Problem Description:
Last Modified: 22-DEC-2015
Known Affected Releases: 8.4(7.15)
Known Fixed Releases:

Alert Type: New
Bug Id: CSCus76632
Title: assertion "mh->mh_mem_pool > MEMPOOL_UNDEFINED && mh->mh_mem_pool < MEMP
Status: Fixed
Severity: 2 Severe
Description:
Symptom: During HA/cluster device synchronization, the device crashes due to memory corruption.
Conditions: HA/cluster device synchronization process in multiple context mode.
Workaround:
1. Load the ASA with a working image.
2. Do 'clear configuration all'.
3. Load the new image, or the image in which the issue is seen.
4. Configure the master unit to bring it up.
5. Do 'write memory all'.
6. Before adding a new unit, first clear its configuration with 'clear configuration all'.
7. Then apply the required cluster configuration on the new unit to add it to the cluster.
Further Problem Description:
Last Modified: 23-DEC-2015
Known Affected Releases: 100.13(0.23), 100.13(0.26), 9.0(4.29), 9.0(4.33), 9.3(2.100), 9.4(0.111), 99.1(2.97)
Known Fixed Releases: 100.11(0.57), 100.12(0.115), 100.13(0.36), 100.13(0.48), 100.13(19.9), 100.13(20.11), 100.13(21.7), 100.13(21.8), 100.14(0.3), 100.14(1.2)

Alert Type: Updated *
Bug Id: CSCux62229
Title: ASA: IPSEC failover not encrypting IP Protocol 8 packets after failover
Status: Open
Severity: 2 Severe
Description: *
Symptom: An ASA configured with IPsec HA does not replicate connections after a failover event.
Conditions: ASA configured with IPsec HA configuration.
Workaround: Disable the failover IPsec HA configuration.
Further Problem Description:
Last Modified: 22-DEC-2015
Known Affected Releases: 9.4(1.1)
Known Fixed Releases:

Alert Type: New
Bug Id: CSCux66302
Title: ASA 9.1(5)21 crash in Thread Name: Dispatch Unit
Status: Open
Severity: 2 Severe
Description:
Symptom: ASA 9.1(5)21 crash in Thread Name: Dispatch Unit.
Conditions: Running ASA 9.1(5)21.
Workaround: N/A
Further Problem Description:
Last Modified: 23-DEC-2015
Known Affected Releases: 9.1(5.21)
Known Fixed Releases:

Alert Type: Updated *
Bug Id: CSCuo58823
Title: A traceback may happen while processing crypto commands
Status: Fixed
Severity: 2 Severe
Description:
Symptom: A traceback may occur while executing some crypto commands.
Conditions: In certain rare circumstances, crypto hardware operations cannot return a hardware failure. A hardware failure in this case refers to invalid use of the crypto hardware, rather than invalid input.
Workaround: None.
Further Problem Description:
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: 23-DEC-2015
Known Affected Releases: * 100.8(40.71), 9.1(5.21)
Known Fixed Releases: 100.10(0.97), 100.10(12.8), 100.10(17.1), 100.10(2.19), 100.10(6.0.40), 100.10(7.9), 100.11(0.7), 100.11(3.10), 100.11(5.4), 100.11(6.1)

Alert Type: Updated *
Bug Id: CSCux43978
Title: DHCP Relay fails for cluster ASAs with long interface names
Status: Fixed
Severity: 2 Severe
Description:
Symptom: DHCP relay is enabled in a cluster environment. Some interfaces configured as relays work properly and some do not.
Conditions: The issue is seen on an interface when its name on the ASA exceeds 24 characters.
Workaround: Configure the interface with a name of less than 24 characters.
Further Problem Description:
Last Modified: 23-DEC-2015
Known Affected Releases: 9.5(1)
Known Fixed Releases: * 100.15(0.104), 100.16(0.14), 100.16(1.70), 96.1(1.16), 96.1(5.4), 96.1(6.1)

Alert Type: Updated *
Bug Id: CSCux07881
Title: SSP3RU-Cluster: Module 2 crash after power cycle of all security modules
Status: Fixed
Severity: 2 Severe
Description:
Symptom: Power-up may fail to initialize and the device may be inoperable.
Conditions: Initial power-up sequence of a Firepower 9300 device.
Workaround: None. The device will automatically reboot. No interaction is required; the device will become operational after the successful boot attempt.
Further Problem Description:
Last Modified: 24-DEC-2015
Known Affected Releases: * 99.1(3), 99.1(3.158), 99.1(3.174), 99.1(3.193)
Known Fixed Releases: 100.15(0.96), 100.15(20.24), 100.16(0.11), 100.16(1.51), 100.16(15.7), 96.1(1.4), 96.1(6.1), 99.1(3.197)

Alert Type: Updated *
Bug Id: CSCux58016
Title: AnyConnect sessions fail due to IPv6 address assignment failure.
Status: Open
Severity: 2 Severe
Description:
Symptom: When an AnyConnect client connects, a message is sent from WebVPN to the IP address assignment (IPAA) code to request an IPv6 address. In some cases, the IPAA code does not return an IPv6 address. This causes the client session to fail.
Conditions: This can occur when IPv6 address assignment is enabled.
Workaround: None.
Further Problem Description:
Last Modified: 24-DEC-2015
Known Affected Releases: 9.0(4)
Known Fixed Releases: * 9.0(4.213), 9.1(6.115)

Alert Type: Updated *
Bug Id: CSCuw09578
Title: ASA 9.3.3.224 traceback in ak47_platform.c with WebVPN stress test
Status: Fixed
Severity: 2 Severe
Description:
Symptom: An ASA 5585-20 in a failover Active/Standby setup generates a traceback.
Conditions:
Workaround: None.
Further Problem Description:
Last Modified: 29-DEC-2015
Known Affected Releases: 9.3(3.224)
Known Fixed Releases: * 100.11(0.63), 100.12(0.148), 100.13(0.105), 100.14(0.76), 100.14(5.34), 100.15(0.32), 100.15(16.7), 100.15(17.11), 100.15(3.57), 100.15(8.15)

Alert Type: Updated *
Bug Id: CSCur87011
Title: ASA low DMA memory on low end ASA-X -5512/5515 devices
Status: Open
Severity: 2 Severe
Description:
Symptom: The ASA stops accepting new SSL connections (ASDM / WebVPN / AnyConnect).
Conditions: The issue is seen when the following conditions are met:
1) ASA next generation devices: ASA 5512, ASA 5515
2) SFP module installed on the ASA
3) ASA software 9.2.x or 9.3.1
4) WebVPN configured on an interface
Workaround: None.
Further Problem Description:
Last Modified: 31-DEC-2015
Known Affected Releases: * 9.0, 9.2(1), 9.3(1), 9.3(3.2)
Known Fixed Releases:

Alert Type: Updated *
Bug Id: CSCus10787
Title: Transactional ACL commit will bypass security policy during compilation
Status: Fixed
Severity: 2 Severe
Description:
Symptom: Traffic can bypass the security policy when the transactional-commit access list feature is configured. This can happen only when a new ASA is added to a cluster and the access-list configuration is newly applied, and only during the compilation time. Interface security policy is still respected, so no traffic will be passed from an interface with a lower security level to an interface with a higher security level.
Conditions: Cisco ASA Software is affected by this issue if the transactional-commit access list feature is enabled. This can be determined by using the 'show running-config asp rule-engine transactional-commit access-group' command and verifying that it returns output. The following example shows a Cisco ASA configured with the transactional-commit feature:
ciscoasa# show running-config asp rule-engine transactional-commit access-grou$
asp rule-engine transactional-commit access-group
Note: The transactional-commit feature is not configured by default.
Workaround: There is no workaround other than disabling the feature.
Further Problem Description: A vulnerability in the transactional-commit access list feature of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to bypass interface access control policies and send traffic through the affected system.
The vulnerability is due to improper implementation of the feature. An attacker could exploit this vulnerability by sending traffic through the affected system while the system boots for the first time or while an affected system joins a cluster. Interface security policy is still respected, so no traffic will be passed from an interface with a lower security level to an interface with a higher security level. An exploit could allow the attacker to send traffic through the system, bypassing the interface access control policies.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 2.6/2.1: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:OF/RC:C&version=2.0
No CVE ID has been assigned to this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: 31-DEC-2015
Known Affected Releases: 9.1(5)
Known Fixed Releases: * 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 100.8(40.111), 9.1(6.104), 9.1(6.112), 9.1(6.180), 9.1(6.181), 9.1(6.182)

Alert Type: New
Bug Id: CSCux70784
Title: ASA Crash while viewing large ACL
Status: Open
Severity: 2 Severe
Description:
Symptom: An ASA may crash and reload when viewing an ACL that has a lot of remarks in the configuration. In testing, this appears to happen when running a command such as 'show access-list'.
Conditions: This has been seen with a configuration with over 150k remarks present.
Workaround: Do not use many remarks, or clean up the existing remarks to avoid significant numbers of them.
Further Problem Description:
Last Modified: 01-JAN-2016
Known Affected Releases: 9.4(1), 9.5(2)
Known Fixed Releases:

Alert Type: Updated *
Bug Id: CSCuc11186
Title: ARP: Proxy IP traffic is hijacked.
Status: Fixed
Severity: 2 Severe
Description:
Symptom: In certain conditions, the ASA doesn't check the source of ARP request or GARP packets for addresses it performs NAT translation for. The proxy-ARP cache may thus get polluted and cause traffic hijacking for addresses the ASA does NAT for.
Conditions: NAT configured on the ASA for which it performs proxy-ARP.
Workaround: None.
Further Problem Description: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.8/4.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:L/Au:N/C:N/I:P/A:P/E:F/RL:U/RC:C&version=2.0
CVE ID CVE-2012-5010 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
Last Modified: 02-DEC-2015
Known Affected Releases: 8.2(4)
Known Fixed Releases: * 100.12(0.154), 100.13(0.120), 100.14(0.83), 100.15(0.89), 100.15(20.17), 100.15(8.32), 100.16(0.9), 100.16(1.36), 100.16(15.1), 100.16(15.5)

Alert Type: Updated *
Bug Id: CSCus16416
Title: Share licenses are not activated on failover pair after power cycle
Status: Fixed
Severity: 2 Severe
Description:
Symptom: The Shared/Combined licenses are not activated on a failover pair after the pair is power cycled. If both the active and standby units are powered off and only the standby unit is booted up, the Shared/Combined licenses on the standby unit are lost.
Conditions: Failover environments.
Workaround: Execute the 'reload' command once on the failover pair.
Further Problem Description: None.
Last Modified: 02-DEC-2015
Known Affected Releases: 9.0, 9.1(5.19)
Known Fixed Releases: * 100.12(0.154), 100.13(0.120), 100.14(0.83), 100.15(0.89), 100.15(20.17), 100.16(0.9), 100.16(15.1), 100.16(15.5), 100.8(40.105), 9.1(6.105)

Alert Type: Updated *
Bug Id: CSCuq21426
Title: Inspect-DNS: PTR Query failed when DNS-Doctoring enabled
Status: Fixed
Severity: 3 Moderate
Description:
Symptom: A reverse DNS response going through the ASA is received for a different IP address than the original query.
Conditions: The ASA has NAT configured with the 'dns' keyword and there is a reverse DNS query for the mapped IP address used in this translation.
Workaround:
1. Remove the 'dns' keyword from the NAT statement, or
2. Query for the real IP address.
Further Problem Description:
Last Modified: 02-DEC-2015
Known Affected Releases: 9.0(4.18)
Known Fixed Releases: * 100.12(0.154), 100.13(0.120), 100.14(0.83), 100.15(0.87), 100.15(20.17), 100.15(8.29), 100.16(0.9), 100.16(1.34), 100.8(40.104), 9.1(6.105)

| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw32493 | Title: | ASA BGP peering flaps with password and ikev2 tunnel. |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The BGP adjacency flaps between the Active and Idle states when a password is configured for the neighbors and the BGP OPEN message is sent over an L2L tunnel that uses IKEv2-only encryption.
513E-C-R167-ASA5500-14(config)# show bgp summary
BGP router identifier 10.201.174.75, local AS number 64514
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.2 4 64515 0 0 1 0 0 never Active
513E-C-R167-ASA5500-14# show bgp summary
BGP router identifier 10.201.174.75, local AS number 64514
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.10.2 4 64515 0 0 1 0 0 never Idle
Debugs show the other end can't read the OPEN message:
BGP: nbr global 10.10.10.2 Active open failed - open timer running
BGP: nbr global 10.10.10.2 Active open failed - open timer running
Conditions: ASA 5515 pair in a lab environment. Code: 9.4(1)5
The interesting-traffic ACL is configured for the neighbor's IP only. No other traffic is going through the firewall.
Workaround: Remove the 'neighbor x.x.x.x password' command, or use IKEv1 for tunnel authentication.
Further Problem Description: BGP peering fails to establish when the neighbor is password authenticated and the TCP/179 communication is sent through an IPsec tunnel using IKEv2 only.
|
|
Last Modified: | 02-DEC-2015 |
|
Known Affected Releases: | 9.4(1.5) |
|
Known Fixed Releases: * | 100.11(0.64), 100.12(0.152), 100.12(0.154), 100.13(0.116), 100.13(0.120), 100.14(0.80), 100.14(0.83), 100.15(0.63), 100.15(0.87), 100.15(17.27) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv09538 | Title: | ASA: CLI commands not showing help(?) options for local authorization |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: ASA: CLI commands not showing help(?) options for local authorization in configuration mode
Conditions: ASA device configured with LOCAL authorization
Workaround: Do not use LOCAL authorization
Type the complete command without using the (?) symbol
Further Problem Description:
|
|
Last Modified: | 02-DEC-2015 |
|
Known Affected Releases: | 9.4(1) |
|
Known Fixed Releases: * | 100.12(0.154), 100.13(0.95), 100.14(0.71), 100.14(16.8), 100.14(5.32), 100.15(0.24), 100.15(1.68), 100.15(16.3), 100.15(17.1), 100.15(3.37) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCte90958 | Title: | during validation of client cert, ASA may use wrong trustpoint policy |
|
Status: * | Terminated |
|
Severity: | 3 Moderate |
Description: * | Symptom: The ASA may use the revocation check policy of the wrong trustpoint if the ASA is configured with rekeyed CA certs. Rekeyed CA certs result in two trustpoints with the same DN. This involves cases where client cert authentication is enabled and the client sends a cert chain to bring up an SSL VPN connection.
Conditions: If the ASA is configured such that it tries to validate the client cert using the CA cert that did NOT sign the client cert, it could use the policy of that trustpoint. If that trustpoint does not have revocation checking, it might allow the connection to complete with a revoked certificate.
Workaround: The workaround includes the following: 1. Make sure the trustpoint policies related to revocation checking are the same for both trustpoints.
Further Problem Description:
|
|
Last Modified: | 03-DEC-2015 |
|
Known Affected Releases: | 8.2(2.5), 8.3(0.22) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux37076 | Title: | EEM: Remove access to early-access eem feature in 9.0.x / 9.1.x |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The EEM feature is unstable in 9.0.x / 9.1.x
Conditions: EEM feature is disabled by default. It must be enabled with a hidden command.
Workaround: Don't enable EEM
Upgrade to 9.2.1 where EEM is enabled in full and supported.
Further Problem Description:
|
|
Last Modified: | 04-DEC-2015 |
|
Known Affected Releases: | 9.1(6) |
|
Known Fixed Releases: * | 100.8(40.108), 9.1(6.109) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux41849 | Title: | Can't add an access-list to the specified line on multiple context mode |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: In multiple context mode, an access-list entry cannot be added correctly at the specified line when an entry already exists at that line. The new line is added below the existing line instead.
Conditions: Add an access-list entry at a specified line in a security context.
Workaround: N/A
Further Problem Description:
|
|
Last Modified: | 07-DEC-2015 |
|
Known Affected Releases: * | 9.1(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux07142 | Title: | Issues with smart license expired, revoked and invalid tokens |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When an ASAv tries to register with a bad idtoken, the registration process is locked for 15 minutes or more. Expired tokens, revoked tokens, and mis-typed tokens all fall into the category of "bad tokens".
Conditions: This issue occurs when an attempt is made to register the ASAv with the license server and the ASAv is then reloaded.
Workaround: First issue the 'license smart deregister' command to clear the condition that causes registration attempts to hang. Then attempt to register the ASAv again.
Further Problem Description:
|
|
Last Modified: | 08-DEC-2015 |
|
Known Affected Releases: | 100.15(8.27) |
|
Known Fixed Releases: * | 100.15(8.41) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu25430 | Title: | Object nat rule is not matched |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: The object NAT rule is not matched.
Conditions: Object NAT is configured and the transactional commit model is in use:
object network NAT_X.X.X.X
 host X.X.X.X
 nat (inside,outside) static Y.Y.Y.Y
The ASA runs 9.3.3, and the transactional commit model for the NAT rule engine is enabled:
asp rule-engine transactional-commit nat
Workaround: Downgrade to 9.3.2, or disable the transactional commit model for the NAT rule engine and reload the ASA:
no asp rule-engine transactional-commit nat
Further Problem Description: None.
PSIRT Evaluation: The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 08-DEC-2015 |
|
Known Affected Releases: | 100.15(5.18), 100.15(5.6), 9.1(6), 9.3(3), 9.4(1) |
|
Known Fixed Releases: | 100.11(0.61), 100.12(0.132), 100.13(0.82), 100.14(0.61), 100.14(16.1), 100.14(5.24), 100.14(7.45), 100.15(1.26), 100.15(19.1), 100.15(2.58) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw71195 | Title: | Initial Smart Licensing message fails due to 'SCH not ready' |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: During boot up an ASAv will fail to send a Smart Licensing entitlement authorization renewal message:
%ASA-3-444303: %SMART_LIC-3-COMM_FAILED:Communications failure with Cisco licensing cloud: Communication message send response error
Conditions: The ASAv is configured with a Failover mate but there is no mate present.
Workaround: If the ASAv remains in an Unlicensed state due to this condition, the user can force the re-authorization of the ASAv platform license by issuing the license smart renew auth command.
Further Problem Description:
|
|
Last Modified: | 08-DEC-2015 |
|
Known Affected Releases: | 9.3(2) |
|
Known Fixed Releases: * | 100.15(8.41) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux22635 | Title: | diameter inspection should be tied to GTP/Carrier license |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The class-map and policy-map CLIs are accepted even when the Carrier license is disabled. Expected Behavior: The ASA should not accept the config.
Conditions: ASA 9.5.2 image with the Carrier license disabled
Workaround: Workaround
Further Problem Description:
|
|
Last Modified: | 17-DEC-2015 |
|
Known Affected Releases: | 9.5(1.109) |
|
Known Fixed Releases: * | 100.15(0.97), 100.15(8.35), 100.16(0.11), 100.16(1.50), 100.16(15.7), 9.5(1.111), 9.5(1.194), 96.1(1.4), 96.1(6.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCua75298 | Title: | RADIUS Class attribute in accounting stop is missing after ASA failover |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: The RADIUS Class attribute in the accounting stop is missing after an ASA failover. The same Class attribute as the one in the accounting start should be present in the accounting stop even after the ASA has failed over.
Workaround: None. |
|
Last Modified: | 17-DEC-2015 |
|
Known Affected Releases: | 8.4 |
|
Known Fixed Releases: * | 100.8(0.242), 100.8(0.243), 100.8(11.42), 100.8(11.43), 100.8(27.20), 100.8(33.27), 100.8(34.1), 100.8(38.1), 100.8(38.3), 100.8(39.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCub17664 | Title: | ASA 5585 8.4.4.1 duplicated log when tengiga interface up/down |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When running "show logging", two identical entries appear for each interface up/down event.
Conditions: This happens every time an interface changes state.
Workaround: No workaround. |
|
Last Modified: | 17-DEC-2015 |
|
Known Affected Releases: | 8.4(4) |
|
Known Fixed Releases: * | 100.7(13.98), 100.7(24.1), 100.7(6.95), 100.8(0.237), 100.8(11.39), 100.8(27.20), 100.8(33.23), 100.8(34.1), 100.8(38.1), 100.8(39.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCub52102 | Title: | ASA 8.3.2 'name' command is not mapped to 'show crypto ipsec sa' output |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: On the ASA, the 'name' command is not mapped to the 'show crypto ipsec sa' output even though it is configured.
Conditions: ASA Software Version 8.3.2 or 8.4.4(1)
Workaround: None |
|
Last Modified: | 17-DEC-2015 |
|
Known Affected Releases: | 8.3(2) |
|
Known Fixed Releases: * | 100.7(13.99), 100.7(24.2), 100.7(6.96), 100.8(0.237), 100.8(11.39), 100.8(27.20), 100.8(33.23), 100.8(34.1), 100.8(38.1), 100.8(39.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux26443 | Title: | DAP URL-List Command Says It Supports 491 Characters; Only Supports 245 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Currently, the ASA states that dynamic-access-policy-record url-lists can be 491 characters; however, the URL-list can actually only be 245 characters in length. If you add a list longer than 245 characters, it is instantly removed from the configuration.
Conditions: First reported on ASA 9.1(5).
Workaround: Change the name of your URL-List Entries to make the entire list less than 245 characters in length.
Further Problem Description:
|
|
Last Modified: | 17-DEC-2015 |
|
Known Affected Releases: | 9.1(6) |
|
Known Fixed Releases: * | 100.11(0.65), 100.12(0.154), 100.15(0.101), 100.16(0.13), 100.16(1.70), 100.8(40.108), 9.1(6.109), 96.1(1.8), 96.1(6.1), 99.2(2.29) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux25240 | Title: | Adding NP_SECONDARY_NO_PARENT_CHILD_TRACKING for gtp secondary conn |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: ASA will send gtp traffic to different snort engine
Conditions: When GTP traffic is redirected to snort.
Workaround: Disable redirecting traffic to snort engine.
Further Problem Description:
|
|
Last Modified: | 17-DEC-2015 |
|
Known Affected Releases: | 9.5(1) |
|
Known Fixed Releases: * | 100.15(0.97), 100.15(8.35), 100.16(0.12), 100.16(1.51), 100.16(15.7), 9.5(1.111), 9.5(1.194), 96.1(1.5), 96.1(6.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCui74278 | Title: | Wrong IP is displayed in buffered logging of ASA-6-737015 |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A wrong IP address is displayed in buffered logging on the ASA.
Conditions: External DHCP Servers should be configured for assigning IP addresses to VPN clients.
Workaround: None
Further Problem Description:
|
|
Last Modified: | 17-DEC-2015 |
|
Known Affected Releases: * | 100.8(40.20), 100.8(60.38), 9.0(4), 9.1(2) |
|
Known Fixed Releases: | 100.11(0.40), 100.11(5.50), 100.11(6.15), 100.12(0.25), 100.12(1.24), 100.12(10.9), 100.12(15.6), 100.12(6.1), 100.12(9.5), 100.8(40.82) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur99221 | Title: | NetFlow incorrect reporting for PPTP VPN over GRE |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: * | Symptom: The ASA reports incorrect transferred-data figures via NetFlow for a PC client that connects to a remote PPTP VPN over GRE through the ASA.
Conditions:
Workaround:
Further Problem Description: |
|
Last Modified: | 18-DEC-2015 |
|
Known Affected Releases: | 9.2(1) |
|
Known Fixed Releases: | 100.11(0.56), 100.12(0.114), 100.13(0.39), 100.13(20.12), 100.13(21.7), 100.14(0.3), 100.14(1.2), 100.14(10.5), 100.14(11.5), 100.14(2.5) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux35272 | Title: | ASA TCP normalizer checksum verification cannot be disabled |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: When the ASA processes traffic that is L7 inspected or has to be redirected to a module (e.g. IPS, CX, SFR etc.), that traffic first needs to be normalized.
One of the things checked during the normalization process is the TCP checksum. If a packet has a wrong TCP header checksum, the normalizer drops it. This shows up in the ASA ASP drops as 'bad-tcp-cksum'.
Theoretically the ASA can be configured to ignore bad TCP checksums. Here is an example:
tcp-map IGNORE_TCP_CHECKSUM
 no checksum-verification
!
policy-map SFR_PMAP
 class SFR_CMAP
  sfr fail-open
  set connection advanced-options IGNORE_TCP_CHECKSUM
service-policy SFR_PMAP interface NET1
This defect is filed because even when the ASA is configured to ignore TCP checksum verification, it still performs it, and the packet with the bad checksum is dropped with drop-reason: (bad-tcp-cksum).
Conditions: L7 inspection or redirection to module is enabled so that TCP normalizer is on.
Workaround:
Further Problem Description:
|
|
Last Modified: | 22-DEC-2015 |
|
Known Affected Releases: | 9.5(1.5) |
|
Known Fixed Releases: * | 100.16(0.15), 100.16(1.76), 96.1(1.26), 96.1(5.4), 96.1(6.4) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCur19070 | Title: | PBR:Route-map is accepting interface which is not configured with nameif |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: A route-map accepts an interface name substring after reporting an ambiguous command error during configuration.
Conditions: Configure two nameif interfaces named test1 and test2. When the interface "test" is then referenced under the route-map 'set interface' command, the ASA complains about an ambiguous command but nevertheless configures "test1" in the route-map.
Workaround: No Workaround
Further Problem Description:
|
|
Last Modified: | 21-DEC-2015 |
|
Known Affected Releases: | 100.13(12.13), 9.4(1) |
|
Known Fixed Releases: * | 100.16(0.15), 100.16(1.74), 100.16(1.76), 100.16(12.2), 96.1(1.21), 96.1(1.26), 96.1(5.4), 96.1(6.1), 96.1(6.3) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw86358 | Title: | 9.5.2/main: Traceback in tmatch during AnyConnect IPv6 TPS w/ SSP |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Traceback on SSP 3RU platforms when a large number of AnyConnect IPv6 VPN sessions are disconnected from the device.
Conditions: Disconnecting a large number of AnyConnect IPv6 VPN sessions (close to 20K users) on SSP 3RU platforms
Workaround: None
Further Problem Description:
|
|
Last Modified: | 22-DEC-2015 |
|
Known Affected Releases: | 100.15(0.67) |
|
Known Fixed Releases: * | 100.15(0.105), 100.16(0.15), 100.16(1.76), 96.1(1.24), 96.1(5.4), 96.1(6.3) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw83793 | Title: | When dc fails, ASA not joining domain. |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: KCD domain join fails during initial configuration
Conditions: aaa-server configuration includes a server that is currently down and cannot be reached and all aaa-servers are in the same subnet
Workaround: The system will recover automatically in 5 minutes due to automatic attempts to rejoin
Further Problem Description:
|
|
Last Modified: | 22-DEC-2015 |
|
Known Affected Releases: | 100.15(0.62) |
|
Known Fixed Releases: * | 100.15(0.105), 96.1(1.28) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuc97552 | Title: | Deny rules in crypto acl blocks inbound traffic after tunnel formed |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom:
In 8.2.5(29) code and higher, "deny" entries on IPSEC are processed incorrectly if they overlap with traffic included in a subsequent "permit" statement. For instance with the following access-list definition for an ipsec LAN to LAN (L2L) tunnel:
access-list 130 extended deny ip host 192.168.100.1 host 192.168.200.1
access-list 130 extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
Traffic between hosts 192.168.100.1 and 192.168.200.1 will work correctly until the tunnel is formed between the 192.168.100.0/24 and the 192.168.200.0/24 networks. At this point, the traffic between these hosts will fail.
See also CSCud32111.
Conditions:
Issue is observed in 8.2.5(29) and later codes. It is only seen in crypto maps that contain deny statements that overlap with permit statements. Issue not observed in same environment running 8.2.5(19) code and earlier.
Workaround:
Downgrade to 8.2.5(28) code or 8.2.5(19) code and earlier
or Restructure the crypto access-lists to not require deny statements |
|
Last Modified: | 22-DEC-2015 |
|
Known Affected Releases: | 8.2(5.29), 8.4(4) |
|
Known Fixed Releases: * | 100.7(13.108), 100.7(6.104), 100.8(11.49), 100.8(27.25), 100.8(34.1), 100.8(38.3), 100.8(50.4), 100.9(0.12), 100.9(4.1), 8.2(5.36) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuw03367 | Title: | ASA not installing external LSA with recursive forwarding address |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: OSPF routes sent to ASA can fail to install to the routing table if the forwarding address is covered by the route that is received, even if there is a more specific route that already exists in the routing table. IOS allows this condition to install the route, but ASA does not.
Debugs show:
OSPF: Start processing Type 5 External LSA 192.168.1.0, mask 255.255.224.0, adv 192.168.200.245, age 1045, seq 0x80001158, metric 1, metric-type 1, fw-addr 192.168.1.1
OSPF: external LSA with recursive forwarding address, ignoring
Conditions: ASA receives an LSA with a forwarding address that falls within the scope of the route, for instance a route for the subnet 192.168.1.0/23 with an OSPF fw-addr of 192.168.1.1. This condition should fail UNLESS the ASA already has a more specific route that covers the fw-addr, but even if that condition is met, the route fails to add.
Workaround: None at this time.
Further Problem Description:
|
|
Last Modified: | 22-DEC-2015 |
|
Known Affected Releases: | 9.4(1) |
|
Known Fixed Releases: * | 100.11(0.63), 100.12(0.146), 100.13(0.100), 100.14(0.74), 100.15(0.26), 100.15(1.92), 100.15(16.5), 100.15(17.7), 100.15(3.51), 100.15(8.14) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux63990 | Title: | ASA - Peak Concurrent sessions more than available addresses in pool |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: Peak concurrent sessions are greater than available IP addresses within the pool
Conditions: ASA 9.1(6)10
Workaround: NA
Further Problem Description:
|
|
Last Modified: | 22-DEC-2015 |
|
Known Affected Releases: | 9.1(6.10) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCud74941 | Title: | ASA LDAP Mapping should not map 0 to values with no match |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: LDAP Group mapping in ASA code will return a "0" for attribute maps that are found but do not have a matching value defined. This behavior can be problematic for values expected to be encountered multiple times within a given record (such as memberOf).
This results in multiple matches for a given map-name, but only the first one is used (even if not explicitly defined in the mapping).
Conditions: LDAP mapping is defined for an attribute expected to have multiple instances
Workaround: Authenticate to a Radius or TACACS server that authenticates to the LDAP server. Define mappings within the Radius or TACACS server rather than on the ASA. |
|
Last Modified: | 23-DEC-2015 |
|
Known Affected Releases: | 8.2(5) |
|
Known Fixed Releases: * | 100.7(13.110), 100.7(6.106), 100.8(27.31), 100.8(38.4), 100.8(50.18), 100.9(0.21), 100.9(4.1), 100.9(7.1), 100.9(9.1), 8.2(5.39) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux41432 | Title: | PLR: ASAv clone produces an error when requesting a new request token |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: If you clone an ASAv licensed in PLR (in KVM or VMware), the clone comes up showing that it is licensed. If you issue 'license smart reservation request', the ASAv believes it is licensed, but the show license commands confirm that the ASAv is not licensed.
Conditions: The ASAv was licensed in PLR before cloning.
Workaround: Issue 'license smart reservation return' to generate a return code. This allows the ASAv to be licensed with PLR.
Further Problem Description:
|
|
Last Modified: | 23-DEC-2015 |
|
Known Affected Releases: | 100.15(8.39) |
|
Known Fixed Releases: * | 100.15(8.45) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux65786 | Title: | ASA crash in Thread Name: ci/console |
|
Status: * | Other |
|
Severity: * | 3 Moderate |
Description: | Symptom: ASA crashed in Thread Name: ci/console
Conditions: ASA crashed when RSA's keys were regenerated by running command "crypto key generate RSA".
Workaround: No workaround
Further Problem Description:
|
|
Last Modified: | 24-DEC-2015 |
|
Known Affected Releases: | 9.5(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv50968 | Title: | CRL download functionality seems to be broken on ASA |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Fetching CRL fails.
Conditions: HTTP is used to get a CRL.
Workaround: unknown
Further Problem Description:
|
|
Last Modified: | 25-DEC-2015 |
|
Known Affected Releases: | 100.15(4.23) |
|
Known Fixed Releases: * | 100.14(0.69), 100.15(0.23), 100.15(1.51), 100.15(15.13), 100.15(16.1), 100.15(2.82), 100.15(3.27), 100.15(6.19), 100.15(6.20), 100.15(8.10) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux69220 | Title: | WebVPN 'enable outside' command missing when ASA boots up |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: WebVPN 'enable outside' command is missing when ASA reboots
Conditions: ASA running the 9.5.2 image; the outside interface is configured for DHCP address assignment; WebVPN is configured.
Workaround: Use static IP address assignment
Further Problem Description:
|
|
Last Modified: | 28-DEC-2015 |
|
Known Affected Releases: | 9.5(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCut14223 | Title: | Cisco ASA Management Interface XML Parser DoS Vulnerability |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptoms: The Cisco ASA may run out of memory or crash when processing a crafted XML file.
Conditions: The Cisco ASA may process a crafted XML file if the file is passed through the management interface or when performing activities with the Auto Update Server (AUS). In all cases, valid authentication on the device or a valid AUS server would be needed in order to supply an XML file.
Workaround: none
Further Problem Description:
A vulnerability in XML parser of the management interface of Cisco ASA Software could allow an authenticated, remote attacker to cause system instability and possibly a crash of the affected system.
The vulnerability is due to insufficient hardening of the XML parser code. An attacker could exploit this vulnerability by triggering a read operation of a crafted XML file from the affected component.
PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 6.8/5.6: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:N/AC:L/Au:S/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0 CVE ID CVE-2015-6379 has been assigned to document this issue. Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html |
|
Last Modified: | 29-DEC-2015 |
|
Known Affected Releases: * | 8.4, 8.6(0), 9.0(1), 9.1, 9.2(2), 9.3(2) |
|
Known Fixed Releases: | 100.11(0.57), 100.12(0.115), 100.13(0.45), 100.13(20.12), 100.13(21.7), 100.13(29.28), 100.14(0.3), 100.14(1.3), 100.14(10.6), 100.14(11.6) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux29453 | Title: | IPv6: ASA denies IPv6-ICMP request to the ASA when failover |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: After the 'no failover active' command is executed on the active unit while an IPv6 ping (ICMP Request) to the ASA is in progress, the ping to the new active ASA keeps dropping and does not recover.
Conditions: - Only IPv6 ping to the ASA has this issue; IPv4 is not affected. - The 'same-security-traffic permit intra-interface' command is enabled. - The issue occurs after failover.
Workaround: Stop the ping, then ping again.
Further Problem Description:
|
|
Last Modified: | 31-DEC-2015 |
|
Known Affected Releases: | 9.1(6), 9.3(2), 9.5(1.5) |
|
Known Fixed Releases: * | 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.8(40.111), 96.1(1.33) |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux69987 | Title: | ASA: Crash on ASA device after adding FQDN objects in NAT rule |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: ASA device crash after adding FQDN objects in NAT rules
Conditions: ASA device configured with NAT rule referencing FQDN objects
Workaround: Do not use FQDN objects in NAT statements.
Further Problem Description:
|
|
Last Modified: | 30-DEC-2015 |
|
Known Affected Releases: | 9.5(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuv35050 | Title: | ASA - slow NFSv3 transfer with sunrpc inspection |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: ASA 9.1.x - slow NFSv3 transfer.
Conditions: ASA running 9.1.x with sunrpc inspection enabled.
Workaround: Disable the inspection or configure TCP state bypass, or decrease the sunrpc timeout to a much lower value so that the secondary data connection times out.
Further Problem Description:
|
|
Last Modified: | 31-DEC-2015 |
|
Known Affected Releases: | 9.1(3) |
|
Known Fixed Releases: * | 100.13(0.121), 100.15(0.106), 100.16(0.16), 96.1(1.34) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtq84922 | Title: | ASA admin context memory usage is invalid |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Invalid values (100%) are displayed by the "show memory" command when it is executed in the admin context, while the actual memory usage, which can be confirmed in the system context, may be much lower. At the same time, "show blocks" also shows extremely large values (the same as the total memory on the ASA).
Conditions: Possible requirement: failover setup running in multiple context mode.
Workaround: No known workaround. However, the issue appears to be cosmetic and not service impacting. |
|
Last Modified: | 31-DEC-2015 |
|
Known Affected Releases: | 8.2(5) |
|
Known Fixed Releases: * | 100.7(13.84), 100.7(21.9), 100.7(6.83), 100.8(0.167), 100.8(11.26), 100.8(27.19), 100.8(33.10), 100.8(34.1), 100.8(35.1), 100.9(0.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux50234 | Title: | asa fails to format disk1 USB drive |
|
Status: | Open |
|
Severity: | 3 Moderate |
Description: | Symptom: The ASA rejects disk1 as an argument to the format command.
Conditions: This is a problem with newer ASA versions.
Workaround: Drop back to 9.1.7, do the formatting, and then upgrade back to the affected version.
Further Problem Description:
|
|
Last Modified: | 01-JAN-2016 |
|
Known Affected Releases: | 9.4(1.204) |
|
Known Fixed Releases: * | 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 96.1(1.33) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux09040 | Title: | ASA not denying initial SYN to non gateway of host |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: ASA completes 3-way handshake for Telnet/SSH control traffic (to-the-box) when initial SYN should be denied.
Conditions: Tested on ASA running the 9.2.3.4 and 9.3.1 images. SSH/Telnet is enabled and the client sends control traffic to a non-gateway interface.
Workaround: Create specific denies for control-plane traffic via ACL; disable SSH/Telnet; or upgrade to 9.4.1.
Further Problem Description:
|
|
Last Modified: | 01-JAN-2016 |
|
Known Affected Releases: | 9.2(3.4), 9.3(1) |
|
Known Fixed Releases: * | 100.13(0.121), 100.15(0.106), 100.16(0.16), 100.16(1.82), 96.1(1.33) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux41622 | Title: | "set connection timeout idle" is not applied. |
|
Status: | Fixed |
|
Severity: | 3 Moderate |
Description: | Symptom: Custom TCP connection idle timeout does not work until service-policy is removed and re-applied.
Conditions: Custom TCP idle connection timeout should be configured.
Workaround: We need to remove and re-apply the service-policy for the traffic to match the associated class-map.
Further Problem Description:
|
|
Last Modified: | 01-JAN-2016 |
|
Known Affected Releases: | 9.1(6.10) |
|
Known Fixed Releases: * | 100.13(0.121), 100.15(0.105), 100.16(0.16), 100.16(1.82), 100.8(40.111), 96.1(1.27) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCua71394 | Title: | ARP debug messages output raw milliseconds values |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: ARP debug messages output raw millisecond counts, which don't make much sense for users.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 17-DEC-2015 |
|
Known Affected Releases: | 8.4(4.2) |
|
Known Fixed Releases: * | 100.11(0.65), 100.12(0.154), 100.14(0.84), 100.15(0.96), 100.15(20.23), 100.16(0.11), 100.16(1.53), 100.16(15.7), 100.8(40.106), 96.1(1.3) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux68913 | Title: | Failover reason misleading on FTD |
|
Status: | Open |
|
Severity: | 4 Minor |
Description: | Symptom: FTD running in HA, when the command "show failover history" is issued from sensor CLI, in case of failover the device reports the message "Service card failure".
Considering that this is a virtual device and there is no module present, the failover reason of "Service card failure" would be very misleading.
Conditions: FTD running in HA
Workaround:
Further Problem Description:
|
|
Last Modified: | 29-DEC-2015 |
|
Known Affected Releases: * | DULCE_VIDA |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCul32746 | Title: | L2TP/IPsec authentication failure results in freeing IPAA error syslog |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: IPAA syslog generated after username/password authentication failure for L2TP/IPsec client.
%ASA-4-737013: IPAA: Error freeing address 0.0.0.0, not found
Conditions: User authentication failure for L2TP/IPsec client.
Workaround: None
Further Problem Description: This is benign because address is not assigned until after a successful user authentication.
|
|
Last Modified: | 17-DEC-2015 |
|
Known Affected Releases: | 8.4(5.6) |
|
Known Fixed Releases: * | 100.10(0.43), 100.10(1.21), 100.10(2.3), 100.10(3.1), 100.10(9.1), 100.8(38.70), 100.8(40.46), 100.8(46.41), 100.8(51.9), 100.9(10.17) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCsr38578 | Title: | Cert groups are visible when webvn and client-cert-auth use diff ports |
|
Status: | Open |
|
Severity: * | 4 Minor |
Description: |
Symptom: If the ASA is configured to use webvpn on one port (such as 555) and client certificate authentication is configured to use a different port (such as 443), the group list presented to the user will incorrectly include the groups configured with certificate authentication. The user should only see the groups that are configured with "authentication aaa".
Conditions: The condition only occurs if webvpn is using a different port than the one specified for "ssl certificate authentication".
Workaround: Add the port used for the webvpn connection to the "ssl certificate authentication interface port" command.
Further Problem Description:
|
|
Last Modified: | 03-DEC-2015 |
|
Known Affected Releases: | 8.0(3.31) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux38613 | Title: | DOC: Correct the "show mem detail" output description |
|
Status: | Open |
|
Severity: | 4 Minor |
Description: * | Symptom: DOC: Correct the show memory detail command description in the command reference
Conditions: This is only to change the command reference documentation.
Workaround: This is a documentation defect
Further Problem Description:
|
|
Last Modified: | 10-DEC-2015 |
|
Known Affected Releases: | 9.5(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq44666 | Title: | ASA: "Resource 'asdm' limit of 5 reached" unexpected log message |
|
Status: | Open |
|
Severity: | 4 Minor |
Description: * | Symptom: ASA denies ASDM connections or displays error 'lost connection to firewall' in dashboard. In logs we can see following messages: %ASA-5-321001: Resource 'asdm' limit of 5 reached for context 'admin'
Conditions: The issue can be observed when _actively_ using more than 1 (but still less than configured limit) ASDM session. It may also happen with only one active session (and limit of 5).
Workaround:
1. Increase the limit in multiple-context mode: class default limit-resource ASDM 20
2. Increase the limit in single-context mode: quota management-session
Further Problem Description:
|
|
Last Modified: | 10-DEC-2015 |
|
Known Affected Releases: | 9.1(4) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux38633 | Title: | PLR: ASAv10 uses an ASAv30 entitlement |
|
Status: | Open |
|
Severity: * | 4 Minor |
Description: | Symptom: When licensing an ASAv with PLR after switching between ASAv models, an ASAv10 can sometimes reserve an ASAv30 license.
Conditions: Begin with a licensed ASAv10 that is in PLR mode.
1. Return the ASAv license entitlement.
2. Change the ASAv10 to an ASAv30 in the VMware settings.
3. Load the ASAv30.
4. Check the ASAv VM status by issuing 'show vm' to verify it is an ASAv30.
5. Power down the ASAv30, and change the settings back to an ASAv10.
6. Check the ASAv VM status by issuing 'show vm' to verify it is an ASAv10.
7. License the ASAv10 again with PLR. It sometimes reserves an ASAv30 license.
Workaround: After changing models and booting up with a new model, reboot before issuing PLR commands.
Return the PLR license and re-license.
Further Problem Description:
|
|
Last Modified: | 09-DEC-2015 |
|
Known Affected Releases: | 100.15(8.38) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCua66518 | Title: | Help arp SYNTAX section misses "permit-nonconnected" entry |
|
Status: | Fixed |
|
Severity: | 4 Minor |
Description: | Symptom: Help arp misses permit-nonconnected entry in SYNTAX section.
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 02-DEC-2015 |
|
Known Affected Releases: | 8.4(4), 8.4(4.2) |
|
Known Fixed Releases: * | 100.12(0.154), 100.13(0.120), 100.14(0.83), 100.14(0.84), 100.15(0.87), 100.15(0.90), 100.15(20.17), 100.15(20.18), 100.15(8.29), 100.16(0.10) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux58972 | Title: | "ssl cipher default custom "<ciphers>" is affecting the inbound conn |
|
Status: | Open |
|
Severity: * | 4 Minor |
Description: | Symptom: "ssl cipher default custom "" command is affecting the inbound connections
Conditions: configure "ssl cipher default custom "" and reload the ASA
Workaround: remove the configured "ssl cipher default custom ""
Further Problem Description:
|
|
Last Modified: | 24-DEC-2015 |
|
Known Affected Releases: | 9.3(3), 9.5(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux64747 | Title: | Update content on ASA Webvpn net-access-hlp.htm file |
|
Status: | Open |
|
Severity: | 4 Minor |
Description: * | Symptom: The AnyConnect Help page on WebVPN does not show support for Windows 10, Windows 8 and the new Mac OS X.
Conditions: Customer logged in via Webvpn Portal.
ASA configured for Anyconnect.
Workaround: Customize the Help file as explained in the following document:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/webvpn-customizing.html#ID-2275-00000be1
Further Problem Description:
|
|
Last Modified: | 23-DEC-2015 |
|
Known Affected Releases: | 9.5(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuj21086 | Title: | Logging level 1 Alert messages sent for minor IPS events |
|
Status: | Terminated |
|
Severity: | 4 Minor |
Description: * | Symptom: ASA sends Alert Level 1 syslogs for minor IPS events:
ASA-1-505013 Module ASA5585-SSP-IPS10 in slot 1, application reloading "IPS", version "7.1(7)E4" Config Change
ASA-1-323006 Module ASA5585-SSP-IPS10 in slot 1 experienced a data channel communication failure, data channel is DOWN.
ASA-1-505011 Module ASA5585-SSP-IPS10 in slot 1 data channel communication is UP.
ASA-1-505015 Module ASA5585-SSP-IPS10 in slot 1, application up "IPS", version "7.1(7)E4" Normal Operation
Conditions: ASA with IPS modules
Workaround: Disregard if no failure of IPS occurred
Further Problem Description:
|
|
Last Modified: | 22-DEC-2015 |
|
Known Affected Releases: | 8.2(5), 9.1(2.6) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux40372 | Title: | DOC - CSCuv50968 is not included in 9.5.2 release-note |
|
Status: | Open |
|
Severity: | 5 Cosmetic |
Description: | Symptom: CSCuv50968 is not included in 9.5.2 release-note.
Conditions: n/a
Workaround: n/a
Further Problem Description:
|
|
Last Modified: | 04-DEC-2015 |
|
Known Affected Releases: | 9.5(2) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCui18793 | Title: | ASA displays Failover cluster licensed feature in show ver |
|
Status: | Terminated |
|
Severity: | 5 Cosmetic |
Description: * | Symptom: ASA including only base license displays "Failover cluster licensed features".
Conditions: SW : 8.4(6) HW : ASA5505
Workaround: Unknown
Further Problem Description:
|
|
Last Modified: | 22-DEC-2015 |
|
Known Affected Releases: | 8.4 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux69494 | Title: | ENH: Ability to clear the stateful HA counters |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: Ability to clear stateful failover counter/statistics
Conditions: ASA HA with stateful failover enabled
Workaround: NONE
Further Problem Description:
|
|
Last Modified: | 29-DEC-2015 |
|
Known Affected Releases: | 9.5(1) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuh27112 | Title: | RDP plugin support for Windows 2012 |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: * | Symptom: RDP plugin should be updated to support Windows 2012.
Conditions: Fails via clientless SSL VPN. Works on Windows 2003/2008
Workaround: The native RDP client via AnyConnect works; alternatively, use the native RDP client through Smart Tunnel for mstsc.exe.
Further Problem Description:
|
|
Last Modified: | 28-DEC-2015 |
|
Known Affected Releases: | 8.4(5) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCtf09840 | Title: | ENH: Enable Flow Control (Sending Pause Frames) on 1GE Interfaces |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom:
This is an Enhancement Request to add the ability to send Pause Frames as described by IEEE 802.3x to Gigabit Ethernet interfaces on Adaptive Security Appliance (ASA). |
|
Last Modified: | 28-DEC-2015 |
|
Known Affected Releases: * | 8.0, 8.2, 8.3 |
|
Known Fixed Releases: * | 100.7(13.10), 100.7(14.1), 100.7(15.1), 100.7(6.40), 100.7(9.33), 100.8(0.14), 100.8(10.6), 100.8(12.15), 100.8(19.36), 100.8(2.1) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCsk84573 | Title: | ENH: ASA: Show tech should give state of external SSM interface status |
|
Status: | Terminated |
|
Severity: | 6 Enhancement |
Description: * |
Symptom: Having the information on the Ethernet interface of the SSM card in 'show module', and thus in 'show tech', would be most helpful.
For the ASA itself it should show the 'management' interface information if this interface has been described with management-only or if a ma0/0 interface exists.
Desired output:
gw5# show module
Mod Card Type                                    Model              Serial No.
--- -------------------------------------------- ------------------ -----------
  0 ASA 5540 Adaptive Security Appliance         ASA5540            JMX0921L05E
  1 ASA 5500 Series Security Services Module-20  ASA-SSM-20         JAB095203D9

Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
--- --------------------------------- ------------ ------------ ---------------
  0 0012.808c.34bf to 0012.808c.34c3  1.0          1.0(10)0     8.0(2)
  1 0013.c482.5482 to 0013.c482.5482  1.0          1.0(10)0     6.0(3)E1

Mod SSM Application Name           Status           SSM Application Version
--- ------------------------------ ---------------- --------------------------
  1 IPS                            Up               6.0(3)E1

Mod Status             Data Plane Status     Compatibility
--- ------------------ --------------------- -------------
  0 Up Sys             Not Applicable
  1 Up                 Up

Mod  Interface state    Speed      Ip address
---- ------------------ ---------- --------------
  0  Up                 A100_AFULL 192.168.1.20
  1  Up                 100_FULL   192.168.1.21
Conditions:
Workaround:
Further Problem Description:
|
|
Last Modified: | 27-DEC-2015 |
|
Known Affected Releases: | 98.2 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCti10892 | Title: | Changing interface to same name with different char case has no effect |
|
Status: | Terminated |
|
Severity: | 6 Enhancement |
Description: * | Symptom: Changing the interface name with the nameif command has no effect if the new name is the same name with different character case. See the example below:
asa(config-if)# sh run int e0/1
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
asa(config-if)# nameif inside
asa(config-if)# sh run int e0/1
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
Conditions: Occurs when changing the interface name through the nameif command to the same name with different character case, from the command line or from Cisco Security Manager (CSM). CSM will retain the changed interface name although it is not changed on the security appliance.
Workaround: Remove the interface name with the "no nameif" command. Any commands referencing that interface, such as nat or access-group, will need to be reapplied.
Further Problem Description:
|
|
Last Modified: | 27-DEC-2015 |
|
Known Affected Releases: | 7.2(4) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCti25331 | Title: | EC:LACP Not working on 4GE Card-ASA5550 |
|
Status: | Terminated |
|
Severity: | 6 Enhancement |
Description: * | Symptom: Bundling multiple links of the 4GE ports on an ASA5550 into an EtherChannel does not work.
Conditions: Multiple 4GE ports (a single port can be bundled), in single or multiple (system context) mode.
Workaround: No workaround at this time. The 4GE-SSM firmware has issues: it broadcasts all the LACP multicast traffic on all four ports, which conflicts with the LACP state machine and individual link aggregation. For a single port this is not a problem, but when multiple links are bundled these broadcasts cause issues.
Further Problem Description:
|
|
Last Modified: | 27-DEC-2015 |
|
Known Affected Releases: | 100.7(0.36) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux70783 | Title: | ENH : ASA SNMP for WCCP Service Status |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: When a Web Cache/WCCP service is lost, the ASA generates "%ASA-1-332004: Web Cache IP_address / service_ID lost"; however, there is no way to poll this status via SNMP.
Conditions: SNMP WCCP
Workaround: Monitor syslogs.
Further Problem Description:
|
|
Last Modified: | 01-JAN-2016 |
|
Known Affected Releases: | 8.0, 9.0 |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCux46195 | Title: | Hyperlite Support for SD Card |
|
Status: | Fixed |
|
Severity: | 6 Enhancement |
Description: | Symptom: SD card plug and play does not work. SD card plug and play works fine on all other devices with HW Version greater than or equal to 2.1.
Conditions: Cisco SKU (ISA3000-4C, ISA3000-2C2F) with HW Version less than 2.1 as seen in output "show modules".
Workaround: None. Box needs to be RMA-ed so that SD card Microcontroller firmware can be upgraded.
Further Problem Description:
|
|
Last Modified: | 21-DEC-2015 |
|
Known Affected Releases: | 100.15(21.12) |
|
Known Fixed Releases: * | 96.1(1.28), 96.1(5.2), 96.1(5.3) |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuu01586 | Title: | ASA sends ARP when reverse DNS lookup request is sent for BVI subnet |
|
Status: | Open |
|
Severity: * | 6 Enhancement |
Description: | Symptom: When the ASA operates in transparent mode, it generates an ARP request for any reverse DNS lookup IP that is in the same subnet as the BVI.
This happens only when DNS inspection is enabled.
Conditions: - Transparent firewall
- DNS inspect enabled
- Reverse DNS query for any IP in BVI subnet.
Workaround: - Disable the DNS inspect
- Static arp binding to avoid the ARP requests.
Further Problem Description:
|
|
Last Modified: | 17-DEC-2015 |
|
Known Affected Releases: | 9.1(5) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | Updated * |
Bug Id: | CSCuq31132 | Title: | ASA Clustering: No code doc for ASP drops w/ reason 'cluster-no-msgp' |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: * | Symptom: In the event of oversubscribing an ASA cluster by pushing it beyond its maximum connection-per-second build rate, it may drop packets with an ASP drop reason of 'cluster-no-msgp'. While the dropped packets are expected in this scenario, this description is not helpful in diagnosing the problem.
Conditions: Exceeding maximum connections per second (CPS) on an ASA cluster and attempting to diagnose the packet drops by viewing the 'show asp drops' output
Workaround: This is an enhancement that is intended to provide additional detail for troubleshooting purposes. The only workaround would be to avoid oversubscribing the ASA cluster.
Further Problem Description:
|
|
Last Modified: | 09-DEC-2015 |
|
Known Affected Releases: | 9.1(5) |
|
Known Fixed Releases: | |
|
|
| |
| |
|
Alert Type: | New |
Bug Id: | CSCux65085 | Title: | ENH: Change default idle timeout when configuring DCD on ASA via CLI |
|
Status: | Open |
|
Severity: | 6 Enhancement |
Description: | Symptom: ASA holds the maximum idle value 1193:00:00 when configuring DCD:
firewall(config)# policy-map global_policy
firewall(config-pmap)# class DCD
firewall(config-pmap-c)# set connection timeout dcd 0:15:00 5
firewall(config-pmap-c)# sh run all policy-map global_policy
!
policy-map global_policy
 class DCD
  set connection timeout idle 1193:00:00 dcd 0:15:00 5 embryonic 0:00:30 half-closed 0:10:00
   DCD: enabled, retry-interval 0:15:00, max-retries 5
   DCD: client-probe 0, server-probe 0, conn-expiration 0
Conditions: When configuring dead connection detection (DCD) on the ASA
Workaround: Change the idle value:
firewall(config)# policy-map global_policy
firewall(config-pmap)# class DCD
firewall(config-pmap-c)# set connection timeout dcd 0:15:00 5 idle 1:00:00
Further Problem Description: This is an enhancement request to change the default idle timeout of 1193:00:00 that is present in ASA software. |
|
Last Modified: | 22-DEC-2015 |
|
Known Affected Releases: | 9.2 |
|
Known Fixed Releases: | |
|
|
| |